[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)

Andrew Bartlett abartlet at samba.org
Wed Dec 9 06:32:29 UTC 2015

On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
> Hi,
> here on the wiki
> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
> I read this:
>     "Is it possible to set user specific password policies in Samba4
>     (e. g. on a OU-base)?
>     Samba can't handle GPO restrictions. You have to use 'samba-tool
>     domain passwordsettings' to change password policies. But this only
>     applies on domain level."
> So, I have set my account lockout policy on the Samba4 DC to '5'
> incorrect attempts. However, on a Windows 7 client it needs only 3
> invalid attempts to get the account locked out (tested on 3 different
> machines). And on domain join it seems only to need 1 invalid attempt.
> What is the full story here?

We don't know why we lock out faster than we expect to.  Some careful
code tracing to follow the updates to the bad password count (and even
better, a comparison with Windows) is needed.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
