Samba4 - Account lock out / GPO
Brian C. Huffman
bhuffman at etinternational.com
Wed Dec 12 13:04:14 MST 2012
This is a good document (lots of information), but unfortunately doesn't
completely answer my question and raises a few more.
For full disclosure: I'm using Kerio Mail server authenticating to Samba
4 via Kerberos. For the most part this has been working well. However
when a user types their password wrong in Thunderbird (mail client), I
can see entries in Kerio's log that say invalid password. After some
number of these (haven't quite figured out since Thunderbird seems to
send a bad password 3 times in a row before notifying the user), if the
user then types the correct password, I see "Attempt to IMAP login to
locked account <username>"
At this point, if I go to the Windows "Active Directory Users and
Computers" tool and go into the user's properties and select "Unlock
account" and then apply, it seems to resolve itself eventually (albeit
not immediately - another concern).
The document you linked to says:
You can configure the account lockout policy settings in the following
location within the Group Policy Object Editor:
Computer Configuration\Windows Settings\Account Policies\Account
Unfortunately there's no "Account Policies" listed under Windows
Settings in my Group Policy Management Editor (v 184.108.40.206, MMC 3.0, v6.1)
For the Default Domain Policy, under Computer Configuration, I'm seeing
"Policies" and "Preferences" as my options (not even mentioned in this
article). If I click Policies (seems right), I see Windows Settings,
but there's no "Account Policies" listed under it.
So, a few more questions - is there a way to see and/or set this from
the command line? Samba-tool?
Also, while Kerio is saying that the account is locked, since the unlock
doesn't immediately do anything (takes a few minutes - haven't been able
to nail it down), is there a way that I can truly verify that it's
locked? I tried using ADSI Edit (in Windows) to look at the user and I
don't see any parameter that would indicate that the account is locked.
Stumped. Any advice?
On 12/12/2012 12:09 PM, Ricky Nance wrote:
> I think you are looking for this...
> On Wed, Dec 12, 2012 at 9:49 AM, Brian C. Huffman
> <bhuffman at etinternational.com>
> I've noticed that Samba4 by default locks the user account after
> "x" number of failed logins.
> How can that be changed? It would be good to know if it can be
> turned off completely (although I rather like the concept) and
> also how to change the number "x" of failed logins required to lock.
> I imagine it could be done in the Group Policy editor but I can't
> seem to find the option. I'm using the tools for Windows 7.
> I'd certainly be comfortable with command-line options as well.