[PATCH] Patch to implement AD password lockout in Samba's AD DC

Andrew Bartlett abartlet at samba.org
Mon Feb 17 19:03:41 MST 2014

On Tue, 2014-02-11 at 12:55 +1300, Andrew Bartlett wrote:
> On Tue, 2014-02-11 at 09:50 +1300, Andrew Bartlett wrote:
> > G'Day,
> > 
> > Attached is a patch set I've been working on for a while, which
> > implements domain password lockout support in our AD DC code.  
> > 
> > As many of you know, there is no support for domain password lockout
> > in our AD DC - we just never got to implementing that bit.  As
> > the attached patch shows, it's a bit trickier than just a simple counter
> > - because lockouts and bad password attempts have a timeout, but finally
> > this is now handled.  
> > 
> > It does patch our in-tree Heimdal, so we are going to have to coordinate
> > with upstream Heimdal and Debian when this gets in, to ensure we don't
> > break things there.  It also adds new options to the samba-tool domain
> > passwordsettings tool. 
> > 
> > I'm sorry for not posting it previously, all I can say is that I've been a
> > bit swamped, and it slipped off my list.  I know it needs more tests,
> > and to pass the tests we already have, but at this point I would prefer
> > it out, and folks able to use it (manually patching it onto master),
> > than to keep it to myself forever. 
> > 
> > I wish to thank Univention and my employer Catalyst IT for their support of
> > this important work.
> > 
> > Thoughts and feedback most welcome.  My hope is to somehow get the tests
> > written and this in time for 4.2, and some positive feedback would
> > really help with that.
> > 
> > Andrew Bartlett
>
> While I wait for the above to get past moderation, here is the git url:
> git://git.samba.org/abartlet/samba.git s4-badPwdCount-01
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-01

I've updated the branch at 

git://git.samba.org/abartlet/samba.git s4-badPwdCount-02


I have also uploaded these to gerrit at

With the tests now finished, these changes are now ready for master.

I will separately co-ordinate with the Heimdal team and work out how we
can detect the correct Heimdal version, and look at updating our
internal Heimdal.  (The reality is that only Debian builds against a
system Heimdal, and we already have another special patch to cope with
using a modern Heimdal).

Please review/push.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
