[Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?

Braebaum, Neil Neil.Braebaum at shopdirect.com
Wed Aug 13 13:28:31 GMT 2008

I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3)
for user authentication on Linux, to 2003 Active Directory.

The password policy dictated by AD should lock accounts after 6
incorrect login attempts within a 30 minute period. However, it seems to
halve that when logging in to these Linux boxes via ssh - so after 3
incorrect login attempts, the AD account gets locked.

Looking in log.wb-<Domain Name> seems to show double attempts /
authentication failures when submitting the login with an incorrect
password (to test this).

I have noted password level in smb.conf (it's not set in my smb.conf),
but as I'm using encrypt passwords = yes, I thought it was irrelevant.

It would appear that two submissions are being made, though, is that a
Samba version thing, something I may have not got spot on with my pam
configuration, or an issue with the Samba version?

testparm output follows:-

Load smb config files from /usr/lib/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Press enter to see a dump of your service definitions

        workgroup = XXXXXX
        realm = XXXXXXXXXX
        server string = Linux AD authentication
        security = ADS
        auth methods = winbind, sam
        allow trusted domains = No
        obey pam restrictions = Yes
        use kerberos keytab = Yes
        server signing = auto
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        load printers = No
        printcap cache time = 0
        printcap name = /dev/null
        disable spoolss = Yes
        preferred master = No
        local master = No
        domain master = No
        idmap domains = XXXXXX
        template shell = /bin/ksh
        winbind separator = +
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config XXXXXX:backend = rid
        idmap config XXXXXX:range = 10000-2000000



This email and its attachments are confidential  to the intended recipient. If this has come to you in error, please notify the sender immediately and delete this email from your system. You must take no action based on this, nor must you copy or disclose it or any part of its contents to any person or organisation.  Please note that email communications may be monitored.  The registered office of Shop Direct Limited is 1st Floor, Skyways House, Speke Road, Speke, Liverpool, L70 1AB, registered number 04730752.

Subsidiary companies within Shop Direct Limited include:

Shop Direct Financial Services Limited (SDFS), Shop Direct Group Financial Services Limited (SDGFS) and Littlewoods Finance Company Limited (LFCo). The registered office of SDFS, SDGFS and LFCo is Aintree Innovation Centre, Park Lane, Netherton, Bootle, L30 1SL, registered numbers 04730706 (SDFS), 5200103 (SDGFS) and 04660974 (LFCo). SDFS and LFCo are authorised and regulated by the Financial Services Authority in respect of insurance mediation activities only.

Shop Direct Contact Centres Limited (SDCC) and Shop Direct Home Shopping Limited (SDHS).  The registered office of SDCC and SDHS is 1st Floor, Skyways House, Speke Road, Speke, Liverpool, L70 1AB, registered numbers 05330323 (SDCC), 04663281 (SDHS).

All companies registered in England.


This message has been scanned for viruses by BlackSpider MailControl - www.blackspider.com

More information about the samba mailing list