[Samba] Samba4 Domain Account Lockout

Chris Stoneburner 200406274 at panthers.greenville.edu
Mon Jan 14 11:47:42 MST 2013

Any thoughts on the quoted email below?

On Fri, Jan 11, 2013 at 10:54 PM, Chris Stoneburner <
200406274 at panthers.greenville.edu> wrote:

> First off, I apologize if this is a duplicate - I had some issues with the
> first email I tried to join this list with!
> I'm currently using samba4 as an AD DC (domain and forest are both
> configured with the samba-tool command to be at the 2008_R2 functional
> level) for both Windows and Linux systems.  I've got the default password
> settings set using the "samba-tool domain passwordsettings" command and I
> have all the GPOs configured as I need them for clients.  However, I would
> like to configure how the account lockout functions for the domain
> accounts.  I read in the archive for this list that there isn't currently
> support for server side GPOs, so I'm not certain how to configure this, or
> if its even possible.
> To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which
> has a pre-built "zentyal-samba" package installed but from what I can tell
> it's just samba4.0 (that's what it tells me when I use samba --version)
> What I've tried thus far:
> 1. Use testparm -v to get a complete list of all possible smb.conf values
> - didn't see much in there that looked like account lockout
> 2. Manually edit the account_policy.tdb database within the samba folder
> identified in the current smb.conf file with tdbtool - it looks like there
> ARE settings here that might apply, but for some reason changes aren't
> being reflected.  For example, when I use the "samba-tool domain
> passwordsettings set --min-pwd-age=5" command the account_policy.tdb key
> corresponding to pass min age does NOT get updated, but I have validated
> that the changes DO take immediate effect.  Maybe the account_policy.tdb
> file is legacy and not used when the active role is DC with a 2008_R2
> functional level?  The password policy, and I'm presuming all account
> related policy, is clearly being stored and enforced somewhere - I just
> haven't figured out what all it includes and where it is...
> My question with respect to samba is two fold: is it even POSSIBLE to have
> samba detect multiple failed login attempts to a domain account (e.g., the
> default domain administrator) and "lock" the account once a certain
> threshold has been reached and if so how is that configured?
> Thanks so much for any information you can provide!
> -Chris Stoneburner

More information about the samba mailing list