[Samba] Re: Samba PDC autolocking domain administrator account
Stefan Oberwahrenbrock
oberwahrenbrock at transdata.net
Wed Jun 17 13:08:30 GMT 2009
Stefan Oberwahrenbrock <oberwahrenbrock at transdata.net> wrote in
news:Xns9C26809018CB9oberwahrenbrocktrans at 80.91.229.13:
Hello!
It turned out that after all there were differences in the setup of the
test and production system - I just was not aware of them at first:
The test system was built installing a plain default NT PDC. The default
NT PDC installation does not make use of a "lockout after bad login
attempts" policy at all - if you want to use such a policy, you have to
enable and configure it. The production system was configured to use
this policy with defaults (LogoutThreshold 5). During migration of both
systems the settings were also correctly migrated...
Thus, with e. g. the account policy "bad lockout attempt" disabled (pdbedit),
the domain administrator does not get locked any more.
Nevertheless, Samba locking down the administrator is unexpected and
unwanted - in my eyes. With NT the administrator account is not affected
by the automatic locking mechanism. I think especially for users with a
migration background (NT 4.0 -> Samba) it would be nice to have the
same behaviour with a Samba PDC.
In our case, the problem is not that the admins do not remember the
password of the domain admin. Instead, some users have the password for
the local administrator on their local PC. If they log on as local
administrator and try to connect to a share on some other machine, the
Samba PDC obviously tries to authenticate the password (hash) of the
local-admin session against the domain administrator account. With "bad
lockout attempt" set to 5, the result is a locked-down domain
administrator account (the passwords of the local and domain administrator differ,
of course!). The only workaround I know is to disable "bad lockout
attempt" completely or to set it to a relatively high value (e. g. 15).
With these settings, the local-admin users trying to connect to a
share do get a new window where they can provide a correct login, after
Windows noticed that the first "automatic" connect attempts did not
work.
Does anyone know if the special handling of the domain administrator
account is a topic for future releases of Samba? Is there someone else
who sees the problem like I do (or am I still just too NT4.0-affected ;-))
Greetings,
Stefan
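An added check script (not from the original post, and not part of Samba) that a PDC admin could use to see where the "bad lockout attempt" policy stands and which accounts are one failed attempt away from being locked, so the domain administrator lockout described above is caught before it happens. The output formats of `pdbedit -P` and `pdbedit -L -v` are assumed from Samba 3 and should be checked against the local version.

```shell
#!/bin/sh
# Added example: inspect the Samba "bad lockout attempt" account policy and
# report accounts whose bad-password count is close to it. The pdbedit output
# formats below are assumptions (Samba 3 era); verify them on your own PDC.

# Extract the numeric policy value from `pdbedit -P "bad lockout attempt"`,
# which (assumed) prints a line ending in:  value is: 5
parse_policy_value() {
    sed -n 's/.*value is: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read `pdbedit -L -v` output (assumed per-account lines
# "Unix username:  NAME" and "Bad password count : N") and print "NAME N"
# for every account where one more failure would trigger the lockout,
# i.e. N >= threshold - 1. A threshold of 0 means the policy is off.
near_lockout() {
    threshold="$1"
    awk -v t="$threshold" '
        /^Unix username:/     { name = $3 }
        /^Bad password count/ { n = $NF + 0
                                if (t > 0 && n >= t - 1) print name, n }
    '
}

# Live run: only when a PDC with pdbedit on PATH is present, otherwise skipped.
if command -v pdbedit >/dev/null 2>&1; then
    policy=$(pdbedit -P "bad lockout attempt" | parse_policy_value)
    if [ "${policy:-0}" -eq 0 ]; then
        echo "lockout policy is off: no account will be auto-locked"
    else
        echo "lockout threshold: $policy"
        pdbedit -L -v | near_lockout "$policy"
    fi
fi
```

Run it periodically (e.g. from cron) and alert on any line naming the domain administrator; a count that climbs in step with a particular workstation's share connections points at the local-admin session behaviour described above.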