[Samba] Winbind cached account locked out

Beli beli+smb at beli.sk
Sun Apr 3 09:30:28 MDT 2011


 Hi there,

 we have a few SuSE Linux Enterprise Desktop 11 SP1 machines with Samba 
 3.4.3 joined to a Windows Server 2003 domain. The domain has some strict 
 password policies, like limited password tries before the account is locked 
 for a few minutes.
 It works fine when doing online authentication against the domain 
 controllers.
 The problem arises with cached offline logon. Offline logon works, but 
 when a user enters a bad password enough times, winbind locks him out, as if 
 it were enforcing the password policies of the domain even for offline 
 logon. But after the time set in "lockout duration" has passed, the 
 account remains locked (even after very long waiting), and gets unlocked 
 only after connecting to the network and authenticating against the 
 domain again.
 So I'd like to ask
 - if it's possible to unlock a cached domain account locally (as root, 
 without connection to the domain controllers)
 - why doesn't the account unlock automatically after the "lockout 
 duration" has passed (is this functionality not implemented, or should I 
 check my settings?)

 I tried googling hard and searched through all the relevant 
 documentation, but found very little info on the credentials caching in 
 samba/winbind. I even tried to look at the TDB databases, of which I 
 think netsamlogon_cache.tdb holds the cached account info and the 
 lockout flag, to see if I could unlock the account manually in there, 
 but I just couldn't make out anything useful from the binary data there. 
 So any help would be greatly appreciated. Thank you in advance. Have a 
 nice day.

-- 
 Beli - IT consultant
 beli+smb at beli.sk | www.beli.sk


