[Samba] Samba4 Domain Account Lockout

Chris Stoneburner 200406274 at panthers.greenville.edu
Fri Jan 11 20:54:34 MST 2013

First off, I apologize if this is a duplicate - I had some issues with the first email I tried to join this list with!

I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems.  I've got the default password settings set using the "samba-tool domain passwordsettings" command and I have all the GPOs configured as I need them for clients.  However, I would like to configure how the account lockout functions for the domain accounts.  I read in the archive for this list that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if its even possible.

To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has a pre-built "zentyal-samba" package installed but from what I can tell it's just samba4.0 (that's what it tells me when I use samba --version)

What I've tried thus far:
1. Use testparm -v to get a complete list of all possible smb.conf values - didn't see much in there that looked like account lockout
2. Manually edit the account_policy.tdb database within the samba folder identified in the current smb.conf file with tdbtool - it looks like there ARE settings here that might apply, but for some reason changes aren't being reflected.  For example, when I use the "samba-tool domain passwordsettings set --min-pwd-age=5" command the account_policy.tdb key corresponding to pass min age does NOT get updated, but I have validated that the changes DO take immediate effect.  Maybe the account_policy.tdb file is legacy and not used when the active role is DC with a 2008_R2 functional level?  The password policy, and I'm presuming all account related policy, is clearly being stored and enforced somewhere - I just haven't figured out what all it includes and where it is...

My question with respect to samba is two fold: is it even POSSIBLE to have samba detect multiple failed login attempts to a domain account (e.g., the default domain administrator) and "lock" the account once a certain threshold has been reached and if so how is that configured?

Thanks so much for any information you can provide!
-Chris Stoneburner

More information about the samba mailing list