[Samba] Re: Samba PDC autolocking domain administrator account

Stefan Oberwahrenbrock oberwahrenbrock at transdata.net
Wed Jun 17 13:08:30 GMT 2009

Stefan Oberwahrenbrock <oberwahrenbrock at transdata.net> wrote in
news:Xns9C26809018CB9oberwahrenbrocktrans at 


It turned out, that after all there were differences in the setup of the 
test and production system - I just was not aware of them at first:

The test system was built installing a plain default NT PDC. The default 
NT PDC installation does not make use of a "lockout after bad login 
attempts" policy at all - if you want to use such policy, you have to 
enable and configure it. The production system was configurered to use 
this policy with defaults (LogoutThreshold 5). During migration of both 
systems thesettings were also correctly migrated...

Thus, with e. g. disabed account policy "bad lockout attempt" (pdbedit), 
the domain-administrator does not get locked any more.

Nevertheless, Samba locking down the administrator is unexpected and 
unwanted - in my eyes. With NT the administrator account is not affected 
by the automatic locking mechanism. I think especially for users with 
migration background (NT 4.0 -> Samba), it would be nice, to have the 
same behaviour with Samba PDC.
In our case, the problem ist not, that the admins do not remember the 
password of the domain-admin. Instead, some users have the password for 
the local administrator on their local PC. If they logon as local 
administrator and try to connect to a share on some other machine, the 
Samba PDC obviously tries to authenticate the password(hash) of the 
local-admin-session against the domain-administrator account. With "bad 
lockout attempt" set to 5, the result is a lockeddown domain-
administrator account (Password of local and domain administrator differ 
of course!). The only workaround I know, is do disable "bad lockout 
attempt" completely or to set it the a relativ high value (e. g. 15). 
With these settings, the local-admin-users users trying to connect to a 
share do get a new window where they can provide a correct login, after 
windows noticed, that the first "automatical" connect attempts did not 

Does anyone know, if the special handling of the domain-administrator-
account is a topic for future releases of Samba? Is there someone else, 
who sees the problem like I do (Or am I still just to NT4.0-affected ;-))


More information about the samba mailing list