[Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?
Braebaum, Neil
Neil.Braebaum at shopdirect.com
Wed Aug 13 13:28:31 GMT 2008

I'm encountering some oddness using Samba 3.0.28a, MIT Kerberos (1.6.3)
for user authentication on Linux, to 2003 Active Directory.

The password policy dictated by AD should lock accounts after 6
incorrect login attempts within a 30 minute period. However, it seems to
halve that when logging in to these Linux boxes via ssh - so after 3
incorrect login attempts, the AD account gets locked.

Looking in log.wb-<Domain Name> seems to show double attempts /
authentication failures when submitting the login with an incorrect
password (to test this).

I have noted password level in smb.conf (it's not set in my smb.conf),
but as I'm using encrypt passwords = yes, I thought it was irrelevant.

It would appear that two submissions are being made, though. Is that a
Samba version thing, something I may have not got spot on with my PAM
configuration, or an issue with the Samba version?

testparm output follows:-
Load smb config files from /usr/lib/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = XXXXXX
realm = XXXXXXXXXX
server string = Linux AD authentication
security = ADS
auth methods = winbind, sam
allow trusted domains = No
obey pam restrictions = Yes
use kerberos keytab = Yes
server signing = auto
socket options = IPTOS_LOWDELAY TCP_NODELAY
load printers = No
printcap cache time = 0
printcap name = /dev/null
disable spoolss = Yes
preferred master = No
local master = No
domain master = No
idmap domains = XXXXXX
template shell = /bin/ksh
winbind separator = +
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap config XXXXXX:backend = rid
idmap config XXXXXX:range = 10000-2000000
Neil