Backed into a corner

Andrew Bartlett abartlet at
Wed Jun 29 06:51:54 GMT 2005

On Wed, 2005-06-29 at 00:35 -0600, John H Terpstra wrote:
> On Wednesday 29 June 2005 00:14, Andrew Bartlett wrote:
> > On Tue, 2005-06-28 at 21:27 -0400, Douglas Sterner wrote:
> > > Using Samba 3.0.14a with multiple domain controllers across WAN links I
> > > discovered that account lockout policies are broken. My testing shows
> > > that account lockout policies are not stored in LDAP as one would think
> > > but in a local TDB file on that particular BDC or PDC. The result is I'm
> > > seeing errors in my logs and users are getting locked out. There appears
> > > to be no replication setup or no way to replicate this policy information
> > > in a multiple DC environment. Depending on which DC handles the auth
> > > request is what policy is in effect. User Manager does not have any
> > > provisions to select the BDC's to apply a consistent lockout policy. I've
> > > had to disable account lockouts just to let the users keep working. Are
> > > there any plans to fix this? After reviewing the source code the problem
> > > seems to be the account lockout code itself.
> >
> > This issue has been looked at in the Samba trunk development version,
> > and the version there has an experimental patch to keep account policy
> > information in LDAP.
> >
> > The other option is to simply use the pdbedit tool on each host, or
> > synchronise the account_policy.tdb files.  I realise this means you
> > can't use the windows GUI, but it should at least work.
> Andrew,
> I have tried this but found it fails to solve the problem. I believe there is
> a bug in the current code. I have not been able to fully debug this though.
> What I saw was accounts being locked because of excessive bad
> password counts, even though the user had never entered a bad password. If I
> am not mistaken from the logs I reviewed, the problem is exacerbated by
> delays in the response from the LDAP server. I have already spoken with Jerry
> about this and it is on the todo list.
> >
> > However, it sounds like your problem is broader than that - are you
> > having trouble just with synchronising the policy, or is it more?
> Inconsistency in the distribution of the policy info is only a part of the
> problem. When I shut down the BDCs at a test site, I still saw spurious bad
> password counts. On a quiet network (no other users) one in 5 logins
> resulted in a bad password count. On a busy network, maybe one in 5 did not.
> I would love to have had the opportunity to debug this to the point of
> definitive problem isolation, but time ran out.

I think the 'bad password' measures need to be rebuilt around the
additions to passdb added for eDirectory.  That is, the passdb backend
should increment the bad password counter using the callback, rather
than relying on pdb_get/pdb_set requests.

This would allow some sites to use a global bad password count (on a
very busy, central ldap server), that would always be correct, while
others could use per-server counters, as per the current design.  By
forcing the increment into the backend, we can use ldap atomic increment
requests (which might solve the load related issues).

We seem to be 'almost there', I think we just need a bit more work.

We should also try and ensure the design is sane to use for Heimdal
Kerberos and other tools which read our LDAP schema, as more of them
come on-stream.

Andrew Bartlett

Andrew Bartlett
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team
Student Network Administrator, Hawker College
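To make the design point in the message above concrete, here is an added model (not Samba code) of several DCs recording a bad password against one shared LDAP entry: a pdb_get/pdb_set style read-then-write loses updates when requests from different DCs overlap, while a single LDAP Modify carrying delete(old value) + add(new value), the shape of the backend-side atomic increment proposed above, is rejected by the server when the value has moved and is simply retried. The in-memory entry, the DCs and the interleaving are constructed here; sambaBadPasswordCount is the Samba 3 schema attribute name, and the latency window is an assumption.

```python
class LdapEntry:
    """Stand-in for one LDAP user entry holding the Samba 3 counter attribute."""
    def __init__(self):
        self.attrs = {"sambaBadPasswordCount": 0}

    def read(self, attr):
        return self.attrs[attr]

    def replace(self, attr, value):
        # pdb_set style: a blind write of a value the client computed earlier
        self.attrs[attr] = value

    def modify_delete_add(self, attr, old, new):
        # One LDAP Modify carrying delete(old)+add(new): the server applies the
        # whole request or none of it, and rejects it if 'old' is no longer present.
        if self.attrs[attr] != old:
            raise ValueError("noSuchAttribute: value changed underneath us")
        self.attrs[attr] = new

def get_set_increment(entry):
    """pdb_get / pdb_set style: read, add one, write back as separate requests."""
    current = entry.read("sambaBadPasswordCount")
    yield  # simulated WAN/LDAP latency between the read and the write
    entry.replace("sambaBadPasswordCount", current + 1)

def atomic_increment(entry):
    """Backend-side increment: retry the delete/add modify until the server accepts it."""
    while True:
        current = entry.read("sambaBadPasswordCount")
        yield  # same latency window as above
        try:
            entry.modify_delete_add("sambaBadPasswordCount", current, current + 1)
            return
        except ValueError:
            pass  # another DC won the race: re-read the fresh value and try again

def run_interleaved(entry, increment, n_dcs=2):
    """Step n_dcs DCs round-robin so every DC reads before any DC writes (worst case)."""
    pending = [increment(entry) for _ in range(n_dcs)]
    while pending:
        pending = [dc for dc in pending if next(dc, StopIteration) is not StopIteration]
    return entry.read("sambaBadPasswordCount")

if __name__ == "__main__":
    print("get/set, 3 DCs:", run_interleaved(LdapEntry(), get_set_increment, 3))  # 1
    print("atomic,  3 DCs:", run_interleaved(LdapEntry(), atomic_increment, 3))   # 3
```

Three bad passwords seen by three DCs leave the get/set counter at 1 but the atomic counter at 3; the same mismatch is what makes a shared counter unreliable unless the directory itself performs the increment.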