Bad Password Lockout Problems

John H Terpstra jht at PrimaStasys.Com
Thu Jun 23 15:53:35 GMT 2005


On Thursday 23 June 2005 02:51, Guenther Deschner wrote:
> On Thu, Jun 23, 2005 at 09:40:38AM +0200, Simo Sorce wrote:
> > On Wed, 2005-06-22 at 21:26 -0600, John H Terpstra wrote:
> > > Observations:
> > > ----------------
> > > 1. We may have a bug (not proven) in the bad password handling code.
> >
> > what kind of bug?
> > do you mean that the password history was indeed present ?
>
> John, any chance your password history is set to more than 15 passwords ?

No. It was set to 5, we tried 9. All settings had the same effect. The testing 
I put them through to diagnose this was met with resistance because the site 
needed to get users working again. I could not get network traces - something 
I repetitively asked for.

It seems that the site tested password aging and experimented with it around 
January, then some time around the release of 3.0.13 they enabled password 
aging. I have not been able to determine when bad password lock-out was 
turned on, I was told that they have been working towards Sarbanes-Oxley 
compliance for a 'few' months.

I do not understand why the account lock-out problem has not been consistent 
since the time that bad password lockout was enabled. They claim it got 
progressively worse over the last month until yesterday - when many users 
could not work. That is when I was asked to help them to get users working 
again. The bit about it "getting worse" does not make sense.

PS: This was an exciting issue to deal with. I have not met a Sarbanes-Oxley 
compliance need before. Maybe that is because I haven't asked. :-)

>
> > > Please can someone recommend HOW we can maintain consistent domain-wide
> > > security policies where the NT4 Domain User Manager is used?
> >
> > The only way is to move policies into ldap (for ldap setups), I think I
> > already talked with Jerry about that, but I can't remember the outcome.
>
> Simo, replicated account-policies in LDAP (as part of ldapsam) have been part of
> samba3-trunk for a long time already.
>
> (http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=4925&view=rev)
>
> Well, one of the well-hidden-almost-unknown features of trunk, I guess :)

That did not make it into the releases.

> It has a couple of issues (on my long list of things to fix) and will see a
> redesign to put all account-policies directly below the sambaDomainObject.
> I hope to be able to work on that next.

The solution will be welcome.

- John T.