Backed into a corner

John H Terpstra jht at Samba.Org
Wed Jun 29 06:35:38 GMT 2005


On Wednesday 29 June 2005 00:14, Andrew Bartlett wrote:
> On Tue, 2005-06-28 at 21:27 -0400, Douglas Sterner wrote:
> > Using Samba 3.0.14a with multiple domain controllers across WAN links I
> > discovered that account lockout policies are broken. My testing shows
> > that account lockout policies are not stored in LDAP as one would think
> > but in a local TDB file on that particular BDC or PDC. The result is I'm
> > seeing errors in my logs and users are getting locked out. There appears
> > to be no replication setup or no way to replicate this policy information
> > in a multiple DC environment. Depending on which DC handles the auth
> > request is what policy is in effect. User Manager does not have any 
> > provisions to select the BDCs to apply a consistent lockout policy. I've
> > had to disable account lockouts just to let the users keep working. Are
> > there any plans to fix this? After reviewing the source code the problem
> > seems to be the account lockout code itself.
>
> This issue has been looked at in the Samba trunk development version,
> and the version there has an experimental patch to keep account policy
> information in LDAP.
>
> The other option is to simply use the pdbedit tool on each host, or
> synchronise the account_policy.tdb files.  I realise this means you
> can't use the windows GUI, but it should at least work.

Andrew,

I have tried this but found it fails to solve the problem. I believe there is 
a bug in the current code. I have not been able to fully debug this though. 
What I saw was accounts being locked because of excessive bad
password counts, even though the user had never entered a bad password. If I
am not mistaken from the logs I reviewed, the problem is exacerbated by
delays in the response from the LDAP server. I have already spoken with Jerry 
about this and it is on the todo list. 

>
> However, it sounds like your problem is broader than that - are you
> having trouble just with synchronising the policy, or is it more?

Inconsistency in the distribution of the policy info is only a part of the 
problem. When I shut down the BDCs at a test site, I still saw spurious bad
password counts. On a quiet network (no other users) 1 in 5 logins
resulted in a bad password count. On a busy network, maybe one in 5 did not.

I would love to have had the opportunity to debug this to the point of 
definitive problem isolation, but time ran out.

> I know this was discussed somewhere recently, but I can't find the
> reference.  The existing patch could be brought forward to Samba 3.0,
> but there was a preference for a different design, using simple LDAP
> attributes on the domain object.  (a simpler design than was used in the
> first patch).

I recently reported my findings at the site I was working with. Maybe that is 
where you saw this.

> From here, it is mostly an issue of developer time.

That's what Jerry and Guenther said. I believe that Guenther is looking at 
this.

- John T.


More information about the samba-technical mailing list