[Samba] winbind cache / lockout

Ben Kim bkim at coe.tamu.edu
Mon Oct 25 16:53:30 GMT 2004


Dear list,

I'm using winbind (samba-2.2.9) on Solaris to authenticate my users
against a Windows 2000 Active Directory server.

Sometimes my users get locked out for various reasons (virus, etc.) and I
want to prevent that.

Is it possible to cache the Windows password on the Unix server so that it
doesn't have to query the Windows server every time? Would increasing the
"winbind cache time" to a very large value (like 1 day?) alleviate the
problem?

          "When a item in the cache is older than this time winbindd
          will ask the domain controller for the sequence number of
          the server's account database. If the sequence number has
          not changed .... Otherwise the item is fetched from the
          server."


On the other hand, in this case I'll need to worry about the mandatory
password change on the Windows side. If a user changes the Windows
password, I want the cache to be expired immediately.

If the winbind cache also includes password or equivalent, and if the
cache is made to expire after a long time, is there a way to force a cache
expiry and fetch the information from the server again when the user's
password is wrong, rather than rejecting the database based on the cache?

If anyone's using winbind from Samba 3, do you think Samba 3 is different?
Could you share your experience about account lockout / password caching,
etc.?

Would an LDAP server help?

Any pointer would be appreciated.


Regards,

Ben Kim
Database Developer/Systems Administrator
College of Education 
Texas A&M University


