[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
abartlet at samba.org
Wed Dec 9 06:32:29 UTC 2015
On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
> here on the wiki
> I read this:
> "Is it possible to set user specific password policies in Samba4
> g. on a OU-base)?
> Samba can't handle GPO restrictions. You have to use 'samba-tool
> passwordsettings' to change password policies. But this only applies
> domain level."
> So, I have set my account lockout policy on the Samba4 DC to '5'
> incorrect attempts. However, on a Windows 7 client it needs only 3
> invalid attempts to get the account locked out (tested on 3 different
> machines). And on domain join it seems only to need 1 invalid
> What is the full story here?
We don't know why we lock out faster than we expect to. Some careful
code tracing to follow the updates to the bad password count (and even
better, a comparison with Windows) is needed.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba