[Samba] Samba4 Domain Account Lockout

Chris Stoneburner 200406274 at panthers.greenville.edu
Tue Jan 15 19:23:46 MST 2013

Anyone? If this is the wrong list or if no one can answer I can definitely ask a different list - just point me in the right direction?

On Jan 11, 2013, at 10:54 PM, Chris Stoneburner <200406274 at panthers.greenville.edu> wrote:

> First off, I apologize if this is a duplicate - I had some issues with the first email I tried to join this list with!
> I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems.  I've got the default password settings set using the "samba-tool domain passwordsettings" command and I have all the GPOs configured as I need them for clients.  However, I would like to configure how the account lockout functions for the domain accounts.  I read in the archive for this list that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if its even possible.
> To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has a pre-built "zentyal-samba" package installed but from what I can tell it's just samba4.0 (that's what it tells me when I use samba --version)
> What I've tried thus far:
> 1. Use testparm -v to get a complete list of all possible smb.conf values - didn't see much in there that looked like account lockout
> 2. Manually edit the account_policy.tdb database within the samba folder identified in the current smb.conf file with tdbtool - it looks like there ARE settings here that might apply, but for some reason changes aren't being reflected.  For example, when I use the "samba-tool domain passwordsettings set --min-pwd-age=5" command the account_policy.tdb key corresponding to pass min age does NOT get updated, but I have validated that the changes DO take immediate effect.  Maybe the account_policy.tdb file is legacy and not used when the active role is DC with a 2008_R2 functional level?  The password policy, and I'm presuming all account related policy, is clearly being stored and enforced somewhere - I just haven't figured out what all it includes and where it is...
> My question with respect to samba is two fold: is it even POSSIBLE to have samba detect multiple failed login attempts to a domain account (e.g., the default domain administrator) and "lock" the account once a certain threshold has been reached and if so how is that configured?
> Thanks so much for any information you can provide!
> -Chris Stoneburner

More information about the samba mailing list