[Samba] Sarbanes-Oxley headaches

Tony Earnshaw tonye at billy.demon.nl
Sat May 14 08:44:29 GMT 2005

fre, 13.05.2005 kl. 19.54 skrev Stuart 


> > > suppose i wanted to set up account lockout for 3 failed login attempts
> for
> > > my w2k workstations with the ability to try again in 5 minutes.  would
> these
> > > be the commands to use:
> > >
> > > pdbedit -P "bad lockout attempt" -C 3
> > > pdbedit -P "reset count minutes" -C 5
> >
> > I asked the meaning of each of these parameters on the list, but no one
> > seemed to know; at least no one replied.
> >
> > E.g., for the second of your examples, I'd rather fancy "lockout
> > duration". I tried certain things out for myself on my test system
> > (3.0.14a, ldapsam with GQ LDAP "help") and succeeded in locking user
> > Kvikk the Cat out for more ore less ever, found out what I'd done wrong,
> > remedied it but got cold feet and didn't dare touch pdbedit -P again for
> > the time being. I'd love some explanation ...

O.k., I reduced all pdbedit -P parameters to default and began again on
locking out Kvikk the Cat.

Policy: more than 3 bad login attempts and the account is locked out for
5 minutes:

1054 [root:tru] /etc/postfix # pdbedit -P "bad lockout attempt" -C 3
debug_lookup_classname(rpc): Unknown class
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3

1057 [root:tru] /etc/postfix # pdbedit -P "lockout duration" -C 5
debug_lookup_classname(rpc): Unknown class
account policy value for lockout duration was 30
account policy value for lockout duration is now 5


> i am currently using samba version 3.0.7 with smbpasswd.
> does the account lockout feature not work with smbpasswd?

smbpasswd doesn't have anything to do with this, it's used for setting /
synchronizing passwords. Perhaps you meant smbclient; yes it works both
for Windows (XP Pro in my case) and smbclient.

For those of you with ldapsam backend and GQ to play around with, when
the above lockout policy is implemented, the two attributes
sambaBadPasswordCount and sambaBadPasswordTime are updated from zero for
both to the bad password count and the Unix time (for the Unix time
'convdate -c' can be a real handy tool). These are reset to zero on the
next successful login after the lockout.


Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...

More information about the samba mailing list