Backed into a corner

Douglas Sterner douglas_sterner at
Wed Jun 29 01:27:27 GMT 2005

Within the next 90 days I must present a plan for either fixing the problem 
below or I will be faced with migrating to Windows 2003. As a result of the 
account expiration/lockout problem Sarbanes-Oxley compliance is backing me 
into a corner. I do not wish to complain but make you aware of the grave 
situation I am faced with. Our corporation is multi domain controller 
environment using LDAP and Samba/FreeRadius integration. Thru careful 
integration we have managed to duplicate many of the features of Windows 
Servers using Samba and other linux software. We are quite proud of our 
Linux environment. That now is in jeopardy as a result of this. At this time 
I can not lockout a user on my network. I would be very appreciative of the 
Samba team if you could simply respond letting me know if this problem is 
fixable perhaps using an LDAP solution. Otherwise I must start planning a 
migration to Active Directory and abandon our Linux platforms entirely. We 
must have consistent account policies across all of our DC's in the 
corporate network. No exceptions

Thank You for all your hard work.

Posting from Samba support mailing list.

Using Samba 3.0.14a with multiple domain controllers across WAN links I 
discovered that account lockout policies are broke. My testing show's that 
account lockout policies are not stored in LDAP as one would think but in a 
local TDB file on that particular BDC or PDC. The result is I'm seeing 
errors in my logs and users are getting locked out. There appears to be no 
replication setup or no way to replicate this policy information in a 
multiple DC environment. Depending on which DC handles the auth request is 
what policy is in effect. User Manager does not have any  provisions to 
select the BDC's to apply a consistent lockout policy. I've had to disable 
account lockouts just to let the users keep working. Are there any plans to 
fix this. After reviewing the source code the problem seems to be the 
account lockout code itself.

Express yourself instantly with MSN Messenger! Download today - it's FREE!

More information about the samba-technical mailing list