[Samba] Windows and Linux account locking with an LDAP backend

Kevin Taylor groucho.64738 at hotmail.com
Wed Jan 12 08:57:20 MST 2011

I thought I would ask here to see if anyone has had a similar situation and a solution.

We've got a SunOne Directory Server set up to authenticate our users on Linux. To get shared authentication with Windows, we set up Samba (2.0.33 as shipped with CentOS 5) and the smbldap-tools.

What we need to do is get account locking to work across the board...such that if a user fails 5 times on a Windows machine, they will be locked out on the Linux systems as well...and vice versa.

Here's what I'm seeing:

On Windows, failing authentication updates the "Bad Password Count" in Samba; additionally it adds a "pwdfailuretime" to the LDAP server. This is good, and is what we would like to see.

Fail 2, similar
Fail 3, similar
Fail 4, similar

On Fail 5, what seems to be happening is that the LDAP server puts in its 5th pwdfailuretime item, thereby locking the account, and essentially preventing Windows/Samba from updating the final sambabadpasswordcount number...so Windows is eternally stuck at 4 failures. Entering a bad password on the Windows side says "There is a problem with the account", but entering the correct password lets the user right in.

That's problem one. I can clarify any of this if needed.

The other thing we want to be able to do is that if a user fails 5 times on Linux that it will lock out the Windows accounts. Any idea how to do that?

Thanks for any hints or conversations we can start about this. :)
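The mismatch described in this post (the directory has counted 5 pwdFailureTime values and locked the entry, while sambaBadPasswordCount is still 4 and Samba never set its own lock) can be checked for, and corrected on the Samba side, from an LDIF export. The following is an added example, not code from the thread, from Samba or from the smbldap-tools. It assumes the directory locks at 5 failures as the poster describes, that the entries carry the Samba 3 LDAP schema attributes sambaBadPasswordCount and sambaAcctFlags (where an 'L' inside the brackets means auto-locked), and that the LDIF shown is constructed sample data. The `ldapmodify` output it produces handles the second question in one direction (Linux-side failures locking the Samba account); the reverse direction would need the directory's own lockout attribute to be set, which this example only reports.

```python
"""Audit the directory's password-policy lockout (pwdFailureTime count)
against Samba's sambaBadPasswordCount / sambaAcctFlags and emit LDIF that
locks the Samba side too.  Added example, not from the thread or from Samba.
Assumes the directory locks at LOCKOUT_THRESHOLD failures (the poster's 5)
and the Samba 3 schema, where 'L' in sambaAcctFlags means auto-locked."""
from typing import Dict, List

LOCKOUT_THRESHOLD = 5
FLAG_WIDTH = 11            # sambaAcctFlags is '[' + 11 space-padded chars + ']'
DEFAULT_FLAGS = "[U          ]"

# Constructed export. alice: the poster's "stuck at 4" case; bob: failed only
# on Linux, so Samba never counted; carol: below threshold on both sides.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 4
pwdFailureTime: 20110112150000Z
pwdFailureTime: 20110112150100Z
pwdFailureTime: 20110112150200Z
pwdFailureTime: 20110112150300Z
pwdFailureTime: 20110112150400Z

dn: uid=bob,ou=People,dc=example,dc=com
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
pwdFailureTime: 20110112151000Z
pwdFailureTime: 20110112151100Z
pwdFailureTime: 20110112151200Z
pwdFailureTime: 20110112151300Z
pwdFailureTime: 20110112151400Z

dn: uid=carol,ou=People,dc=example,dc=com
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 1
pwdFailureTime: 20110112152000Z
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: multi-valued attributes and folded lines. Attribute
    names are lower-cased because LDAP matches them case-insensitively."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:           # folded continuation line
            current[last][-1] += line[1:]
        elif not line.strip():                       # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def entry_state(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """One account as seen by the directory (failure count) and by Samba."""
    failures = len(entry.get("pwdfailuretime", []))
    flags = entry.get("sambaacctflags", [DEFAULT_FLAGS])[0]
    return {
        "dn": entry["dn"][0],
        "directory_locked": failures >= LOCKOUT_THRESHOLD,
        "samba_count": int(entry.get("sambabadpasswordcount", ["0"])[0]),
        "samba_locked": "L" in flags.strip("[]"),
    }

def find_divergent(text: str) -> List[str]:
    """DNs where the two lockout views disagree, i.e. one side stopped counting
    before the other caught up, which is exactly the poster's symptom."""
    return [s["dn"] for s in map(entry_state, parse_ldif(text))
            if s["directory_locked"] != s["samba_locked"]]

def set_lock_flag(flags: str) -> str:
    """Add Samba's 'L' (auto-lock) flag, keeping the bracketed, space-padded
    layout Samba writes; a no-op if the flag is already set."""
    inner = flags.strip("[]").replace(" ", "")
    if "L" not in inner:
        inner += "L"
    return "[" + inner.ljust(FLAG_WIDTH) + "]"

def samba_lock_ldif(entry: Dict[str, List[str]]) -> str:
    """LDIF modify record that locks the account on the Samba side and raises
    the bad-password count to the threshold the directory already reached."""
    flags = entry.get("sambaacctflags", [DEFAULT_FLAGS])[0]
    return (f"dn: {entry['dn'][0]}\nchangetype: modify\n"
            f"replace: sambaAcctFlags\nsambaAcctFlags: {set_lock_flag(flags)}\n-\n"
            f"replace: sambaBadPasswordCount\n"
            f"sambaBadPasswordCount: {LOCKOUT_THRESHOLD}\n-\n")

def reconcile(text: str) -> str:
    """Modify records for every directory-locked account Samba has not locked;
    pipe the result into ldapmodify as the DN Samba itself binds with."""
    out = []
    for entry in parse_ldif(text):
        state = entry_state(entry)
        if state["directory_locked"] and not state["samba_locked"]:
            out.append(samba_lock_ldif(entry))
    return "\n".join(out)

if __name__ == "__main__":
    print("divergent:", find_divergent(SAMPLE_LDIF))
    print(reconcile(SAMPLE_LDIF))
```

Run against a real export (`ldapsearch -LLL` of the People subtree) rather than the embedded sample, and review the divergent list before applying anything: an account the directory has locked but Samba still shows as open is precisely the "correct password lets the user right in" case, and the generated modify records close that window from the Samba side.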

