[Samba] sambaBadPasswordCount Problems on SAMBA 3.0.4 with LDAP Backend

[Hoferer, Patrick K. (Space Systems)]

I wanted to use the sambaBadPasswordCount to limit the amount of failed logins on Windows clients within our SAMBA Domain. I created the following attributes within my ldap server:

attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
	DESC 'Bad password attempt count'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
	DESC 'Time of the last bad password attempt'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

And also added these attributes to the "may" field on the sambaSamAccount objectclass, but I cannot get the attribute to increment on failed login attempts on my Windows client. I have tried to lock the account by changing the attributes sambaBadPasswordCount=5 and sambaBadPasswordTime=2147483647, but when I run the pbedit command the SAMBA administrator account changes the values back to "0" and the user is allowed in. In addition, if I set the sambaBadPasswordCount=5 and sambaBadPasswordTime=2147483647 and I login successfully on the windows client; the  "Last bad password" and "Bad password count"  is set back to 0 by the administrator. 

Does anyone know if the 3.0.4 locking is working with an LDAP backend yet? I've got it working for a local passwd database. If there is already documentation out there to configure this setup could someone point me to it?

If not, I already have a 3.0.2 server in production and I would like to keep it instead of upgrading. Are there patches that can be applied to using failed password attempts on SAMBA domains? 

I need to write some documentation for our environment and I'd be happy to share it with the SAMBA community after completion. Any assistance would truly be appreciated. Thank you.

Patrick Hoferer