Backed into a corner
Douglas Sterner
douglas_sterner at hotmail.com
Wed Jun 29 01:27:27 GMT 2005
Within the next 90 days I must present a plan for either fixing the problem
below or I will be faced with migrating to Windows 2003. As a result of the
account expiration/lockout problem, Sarbanes-Oxley compliance is backing me
into a corner. I do not wish to complain, but to make you aware of the grave
situation I am faced with. Our corporation is a multi-domain-controller
environment using LDAP and Samba/FreeRadius integration. Through careful
integration we have managed to duplicate many of the features of Windows
Servers using Samba and other Linux software. We are quite proud of our
Linux environment. That now is in jeopardy as a result of this. At this time
I cannot lock out a user on my network. I would be very appreciative of the
Samba team if you could simply respond letting me know if this problem is
fixable, perhaps using an LDAP solution. Otherwise I must start planning a
migration to Active Directory and abandon our Linux platforms entirely. We
must have consistent account policies across all of our DCs in the
corporate network. No exceptions.

Thank you for all your hard work.

Posting from Samba support mailing list.

Using Samba 3.0.14a with multiple domain controllers across WAN links I
discovered that account lockout policies are broken. My testing shows that
account lockout policies are not stored in LDAP as one would think but in a
local TDB file on that particular BDC or PDC. The result is I'm seeing
errors in my logs and users are getting locked out. There appears to be no
replication setup or no way to replicate this policy information in a
multiple DC environment. Which policy is in effect depends on which DC
handles the auth request. User Manager does not have any provisions to
select the BDCs to apply a consistent lockout policy. I've had to disable
account lockouts just to let the users keep working. Are there any plans to
fix this? After reviewing the source code the problem seems to be the
account lockout code itself.

More information about the samba-technical mailing list
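
The post above reports that each DC keeps its account policy in a local TDB file, so the policy applied depends on which DC answers. The following is an added example, not part of the original post or of Samba: a check that compares `pdbedit -P "<policy name>"` readings collected from every DC and reports any policy whose value differs. The host names and values are constructed, and the `account policy value for <name> is <n>` line format is an assumption to verify against your Samba version.

```shell
#!/bin/sh
# Added example: detect account-policy drift between Samba DCs.
# Each input line is "<dc-name> <line printed by pdbedit -P '<policy>'>".
# Assumed pdbedit line format: "account policy value for <name> is <n>".

# Constructed sample capture: bdc2 holds different local values.
sample_capture() {
cat <<'EOF'
pdc1 account policy value for bad lockout attempt is 5
bdc1 account policy value for bad lockout attempt is 5
bdc2 account policy value for bad lockout attempt is 0
pdc1 account policy value for lockout duration is 30
bdc1 account policy value for lockout duration is 30
bdc2 account policy value for lockout duration is 30
pdc1 account policy value for reset count minutes is 30
bdc1 account policy value for reset count minutes is 30
bdc2 account policy value for reset count minutes is 15
EOF
}

# policy_drift: read captures on stdin and print one line per policy whose
# value is not identical on every DC. Prints nothing when all DCs agree.
policy_drift() {
  awk '
    /account policy value for .* is [0-9]+$/ {
      dc = $1; val = $NF
      name = $0
      sub(/^[^ ]+ account policy value for /, "", name)  # strip host + prefix
      sub(/ is [0-9]+$/, "", name)                       # strip value suffix
      if (!(name in first)) { first[name] = val; order[++n] = name }
      else if (val != first[name]) drift[name] = 1
      seen[name] = seen[name] " " dc "=" val
    }
    END {
      for (i = 1; i <= n; i++)
        if (order[i] in drift) print "DRIFT " order[i] ":" seen[order[i]]
    }'
}

# drift_count: number of policies that differ between DCs (0 = consistent).
drift_count() { policy_drift | awk 'END { print NR }'; }

sample_capture | policy_drift
```

A non-zero `drift_count` means users are subject to different lockout rules depending on which DC authenticates them, which is the inconsistency the post describes.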