[PATCH] Patch to implement AD password lockout in Samba's AD DC

[Andrew Bartlett]

G'Day,

Attached is a patch set I've been working on for a while, which
implements domain password lockout support in our AD DC code.  

As many of you know, there is no support for domain password lockout
support in our AD DC - we just never got to implementing that bit.  As
the attached patch shows, it's a bit trickier than just simple a counter
- because lockouts and bad password attempts have a timeout, but finally
this is now handled.  

It does patch our in-tree Heimdal, so we are going to have to coordinate
with upstream Heimdal and Debian when this gets in, so ensure we don't
break things there.  It also adds new options to the samba-tool domain
passwordsettings tool. 

I'm sorry for not posting it previously, all I can say is that I've been a
bit swamped, and it slipped off my list.  I know it needs more tests,
and to pass the tests we already have, but at this point I would prefer
it out, and folks able to use it (manually patching it onto master),
than to keep it to myself forever. 

I wish to thank Univention and my employer Catalyst IT for their support of
this important work.

Thoughts and feedback most welcome.  My hope is to somehow get the tests
written and this in time for 4.2, and some positive feedback would
really help with that.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: s4-badPwdCount-02.patch
Type: text/x-patch
Size: 182128 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140211/cbd9ecb5/attachment-0001.bin>