[Samba] Samba PDC autolocking domain administrator account

[Stefan Oberwahrenbrock]

Hello!

Some days ago we migrated our production domain from Windows NT 4.0 to 
Samba 3.3.4 (Yes - such migrations still happen these days :-)). After 
migration we noticed, that from time to time the domain adminstrator 
account gets locked - pdbedit shows the flags [UXL]. It is easy to 
activated the account again, but nevertheless it unexpected and unwanted. 
To my knowledge, the domain administrator is not affected by the automatic 
locking mechanism which comes into effect following repeated login attempts 
using an incorrect password. In addition, the behaviour is not 
reproduceable in a seperated test-network, that was cleanly built up from 
scratch and uses the same software versions (Operating system, smbldap-
tools, slapd from Debian 5.0.1, Sernet-Samba-3.3.4).

Since production and test network are both LDAP-based I compared the ldifs 
of both accounts. Differences found so far: The account in the test system 
has the attributes sambaBadPasswordCount and sambaBadPasswordTime unset 
while in production system they have a value of 0. Adopting the values does 
not change the behaviour.

Does anyone know, what other criteria/attributes/circumstances might 
dispose Samba to autolock the account?

Thanks and greetings from Biefeld,
Stefan Oberwahrenbrock