[Samba] Can't get password policies (bad lockout attempt) to work on Samba 3 + OpenLDAP

Thaths thaths at gmail.com
Sat Jul 17 09:00:19 GMT 2004


Hi,

I have a Debian stable (woody aka 3.0) machine.  I am moving my
existing samba 2.x installation (that has users stored in smbpasswd)
to samba 3.0.4 with LDAP as the backend.  I am able to move the users
to LDAP just fine.  However, the password policy of bad lockout
attempt does not seem to work.

I installed the samba deb file from the samba.org site.  I also have
OpenLDAP slapd (2.1.30-1.backports) installed.  Since the samba.schema
that ships with the binary version of samba-doc does not have
attributes sambaBadPasswordCount and sambaBadPasswordTime, I had to
download http://us2.samba.org/samba/ftp/cvs_current/examples/LDAP/samba.schema
When I try and run slapindex -f /etc/ldap/slapd.conf I get the
following error message:

/etc/ldap/schema/samba.schema: line 344: Duplicate attributeType:
"1.3.6.1.4.1.7165.2.1.50"
slapindex: bad configuration file!

I commented out the offending line (attributetype (
1.3.6.1.4.1.7165.2.1.50 NAME ( 'sambaPrivName' ) SUP name )) and am
able to run slapindex and restart slapd just fine.

I now imported my users from the existing smbpasswd file into ldap
(smb.conf configured properly for ldap) like so:

# pdbedit -s /etc/samba/smb.conf -i smbpasswd:/etc/samba/smbpasswd

I now set my bad lockout attempt policy like so:

# pdbedit -P "bad lockout attempt" -C 3
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3

When I look at individual users listing using pdbedit, I can see that
the bad password attempts can be theoretically tracked.

comatsmb:~# pdbedit -Lv test1
Unix username:        test1
NT username:          test1
Account Flags:        [U          ]
User SID:             <snipped>
Primary Group SID:    <snipped>
Full Name:            ,,,
Home Directory:       \\my_domain\test1
HomeDir Drive:
Logon Script:         mt.bat
Profile Path:         \\my_domain\profile
Domain:               MYDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sat, 14 Dec 1901 02:15:51 GMT
Kickoff time:         Sat, 14 Dec 1901 02:15:51 GMT
Password last set:    Fri, 16 Jul 2004 18:58:35 GMT
Password can change:  Fri, 16 Jul 2004 18:58:35 GMT
Password must change: Sat, 14 Dec 1901 02:15:51 GMT
Last bad password   : 0
Bad password count  : 0

However, the bad password count never gets incremented when I try
logging into my domain with an incorrect password on an NT box.

I notice that when I do an ldapsearch through my entries the resulting
LDIF does not show sambaBadPasswordTime and sambaBadPasswordCount
attributes.

# ldapsearch -b "dc=mydomain,dc=com" -x

...
dn: uid=test1,ou=People,dc=comatmys,dc=com
uid: test1
sambaSID: <snipped>
sambaPrimaryGroupSID: <snipped>
displayName: ,,,
sambaPwdCanChange: 1089984515
sambaLMPassword: <snipped>
sambaNTPassword: <snipped>
sambaPwdLastSet: 1089984515
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
...

Any ideas how I can get the bad lockout attempt password policy to work?
Also, any pointers to a good samba.schema file that includes the
sambaBadPasswordCount and sambaBadPasswordTime attributes?

BTW, I downloaded the source code of samba 3.0.4 and I see from
source/auth/auth_sam.c and source/lib/smbldap.c that there is support
for this password policy.

Thanks a bunch.

Thaths
-- 
Slacker Without Borders
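A defender-side check for the situation described above, as an added example (not code from the post or from Samba): it parses an LDIF dump like the ldapsearch output and reports, per sambaSamAccount, whether the sambaBadPasswordCount and sambaBadPasswordTime attributes are present at all (the symptom in the post) and whether a count has reached the "bad lockout attempt" value of 3. The sample LDIF and its dc=example,dc=com DNs are constructed.

```python
# Added example (not the post's code): audit a Samba 3 LDAP dump for lockout tracking.
LOCKOUT_THRESHOLD = 3  # value set in the post: pdbedit -P "bad lockout attempt" -C 3

# Constructed sample LDIF (not real data): test1 mirrors the post's entry
# (no tracking attributes); test2 is an entry where tracking is working.
SAMPLE_LDIF = """\
dn: uid=test1,ou=People,dc=example,dc=com
uid: test1
sambaPwdLastSet: 1089984515
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account

dn: uid=test2,ou=People,dc=example,dc=com
uid: test2
sambaBadPasswordCount: 3
sambaBadPasswordTime: 1089990000
objectClass: sambaSamAccount
objectClass: account
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, unfolding continuation lines."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith(" ") and last:  # folded line continues the previous value
            cur[last][-1] += line[1:]
        elif not line:
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#"):
            last, _, val = line.partition(":")
            cur.setdefault(last, []).append(val.strip())
    return entries

def audit_lockout(text, threshold=LOCKOUT_THRESHOLD):
    """Return {uid: 'untracked' | 'ok' | 'locked'} for every sambaSamAccount."""
    report = {}
    for e in parse_ldif(text):
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        uid = e["uid"][0]
        if "sambaBadPasswordCount" not in e or "sambaBadPasswordTime" not in e:
            report[uid] = "untracked"  # schema lacks the attrs or Samba never writes them
        elif int(e["sambaBadPasswordCount"][0]) >= threshold:
            report[uid] = "locked"
        else:
            report[uid] = "ok"
    return report
```

Accounts reported as "untracked" are exactly the case in the post: the lockout policy is set, but nothing in the directory can record bad attempts, so the count can never reach the threshold.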