Backed into a corner
John H Terpstra
jht at Samba.Org
Wed Jun 29 06:35:38 GMT 2005
On Wednesday 29 June 2005 00:14, Andrew Bartlett wrote:
> On Tue, 2005-06-28 at 21:27 -0400, Douglas Sterner wrote:
> > Using Samba 3.0.14a with multiple domain controllers across WAN links I
> > discovered that account lockout policies are broke. My testing shows
> > that account lockout policies are not stored in LDAP as one would think
> > but in a local TDB file on that particular BDC or PDC. The result is I'm
> > seeing errors in my logs and users are getting locked out. There appears
> > to be no replication setup or no way to replicate this policy information
> > in a multiple DC environment. Depending on which DC handles the auth
> > request is what policy is in effect. User Manager does not have any
> > provisions to select the BDC's to apply a consistent lockout policy. I've
> > had to disable account lockouts just to let the users keep working. Are
> > there any plans to fix this? After reviewing the source code the problem
> > seems to be the account lockout code itself.
> This issue has been looked at in the Samba trunk development version,
> and the version there has an experimental patch to keep account policy
> information in LDAP.
> The other option is to simply use the pdbedit tool on each host, or
> synchronise the account_policy.tdb files. I realise this means you
> can't use the windows GUI, but it should at least work.
I have tried this but found it fails to solve the problem. I believe there is
a bug in the current code. I have not been able to fully debug this though.
What I saw was accounts being locked because of excessive bad
password counts, even though the user had never entered a bad password. If I
am not mistaken from the logs I reviewed, the problem is exacerbated by
delays in the response from the LDAP server. I have already spoken with Jerry
about this and it is on the todo list.
> However, it sounds like your problem is broader than that - are you
> having trouble just with synchronising the policy, or is it more?
Inconsistency in the distribution of the policy info is only a part of the
problem. When I shut down the BDCs at a test site, I still saw spurious bad
password counts. On a quiet network (no other users) one in 5 logins
resulted in a bad password count. On a busy network, maybe one in 5 did not.
I would love to have had the opportunity to debug this to the point of
definitive problem isolation, but time ran out.
> I know this was discussed somewhere recently, but I can't find the
> reference. The existing patch could be brought forward to Samba 3.0,
> but there was a preference for a different design, using simple LDAP
> attributes on the domain object. (a simpler design than was used in the
> first patch).
I recently reported my findings at the site I was working with. Maybe that is
where you saw this.
> From here, it is mostly an issue of developer time.
That's what Jerry and Guenther said. I believe that Guenther is looking at
- John T.
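Since the thread establishes that each DC keeps its own account_policy.tdb and that pdbedit is the per-host way to inspect or set the values, a defender's first check is whether the lockout policies actually agree across DCs. The script below is an added example (not Samba's own tooling); it assumes pdbedit prints a line of the form `account policy "<name>" value is: <N>` and runs against constructed sample output from a PDC and a BDC.

```shell
#!/bin/sh
# Account-policy drift check for Samba 3 DCs (added example, not Samba code).
# Assumes pdbedit -P <policy> prints a line such as:
#   account policy "bad lockout attempt" value is: 5
# Lockout-related policies that must agree on every DC:
POLICIES='bad lockout attempt
lockout duration
reset count minutes'

# Turn raw `pdbedit -P <policy>` output (stdin) into name=value lines.
parse_pdbedit() {
    sed -n 's/^account policy "\([^"]*\)" value is: \([0-9][0-9]*\)$/\1=\2/p'
}

# Dump the local DC's policies; run on each DC (e.g. over ssh) and keep
# the output per host for comparison.
dump_local_policies() {
    printf '%s\n' "$POLICIES" | while IFS= read -r p; do
        pdbedit -P "$p"
    done | parse_pdbedit
}

# Compare two name=value dumps; print one DRIFT line per policy that differs.
report_drift() {
    printf '%s\n' "$POLICIES" | while IFS= read -r p; do
        va=$(printf '%s\n' "$1" | sed -n "s/^$p=//p")
        vb=$(printf '%s\n' "$2" | sed -n "s/^$p=//p")
        [ "${va:-missing}" = "${vb:-missing}" ] || printf 'DRIFT: %s: %s vs %s\n' "$p" "${va:-missing}" "${vb:-missing}"
    done
}

# Exit status 0 when both dumps agree on every lockout policy, 1 otherwise.
policies_consistent() {
    [ -z "$(report_drift "$1" "$2")" ]
}

# Constructed sample dumps: the PDC locks after 5 bad attempts while the BDC
# has lockout off (0), the per-host TDB inconsistency the thread describes.
PDC_RAW='account policy "bad lockout attempt" value is: 5
account policy "lockout duration" value is: 30
account policy "reset count minutes" value is: 30'
BDC_RAW='account policy "bad lockout attempt" value is: 0
account policy "lockout duration" value is: 30
account policy "reset count minutes" value is: 30'
PDC_DUMP=$(printf '%s\n' "$PDC_RAW" | parse_pdbedit)
BDC_DUMP=$(printf '%s\n' "$BDC_RAW" | parse_pdbedit)
report_drift "$PDC_DUMP" "$BDC_DUMP"   # prints: DRIFT: bad lockout attempt: 5 vs 0
```

On a live DC, replace the constructed dumps with the output of dump_local_policies collected from each host.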
More information about the samba-technical