[Samba] Account Lockout

Chris Stoneburner chris.stoneburner at panthers.greenville.edu
Thu Jan 10 12:26:07 MST 2013


I'm currently using samba4 as an AD DC (domain and forest are both
configured with the samba-tool command to be at the 2008_R2 functional
level) for both Windows and Linux systems.  I've got the default password
settings set using the "samba-tool domain passwordsettings" command and I
have all the GPOs configured as I need them for clients.  However, I would
like to configure how the account lockout functions for the domain
accounts.  I read that there isn't currently support for server side GPOs,
so I'm not certain how to configure this, or if it's even possible.

To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which
has a pre-built "zentyal-samba" package installed but from what I can tell
it's just samba4.0 (that's what it tells me when I use samba --version).

What I've tried thus far:
1. Use testparm -v to get a complete list of all possible smb.conf values -
didn't see much in there
2. Manually edit the account_policy.tdb database within the samba folder
identified in the current smb.conf file with tdbtool - it looks like there
ARE settings here that might apply, but for some reason changes aren't
being reflected.  For example, when I use the samba-tool domain
passwordsettings set --min-pwd-age=5 the account_policy.tdb key
corresponding to pass min age does NOT get updated, but I have validated
that the changes DO take immediate effect.  Maybe the account_policy.tdb
file is legacy and not used when the active role is DC with a 2008_R2
functional level?

My question with respect to samba is twofold: is it even POSSIBLE to have
samba detect multiple failed login attempts and "lock" an account once a
certain threshold has been reached and if so how is that configured?

Thanks so much for any information you can provide!
-Chris Stoneburner

