[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)

Ole Traupe ole.traupe at tu-berlin.de
Wed Dec 9 10:32:05 UTC 2015


I can do some playing around:

a) I have set a GPO for lockout at '10' invalid attempts (the rest of 
the password options set as on Samba DC), forced the 'gpupdate', and 
left the Samba rules set to '5' (checked on both DCs). But still I get 
locked out after 3 invalid attempts.

b) I have set the Samba rules to '10' (or '15') invalid attempts and get 
locked out after 6 (or 8) now. So:

Setting '5': locked out after 3
Setting '10': locked out after 6
Setting '15': locked out after 8

Seems that Samba doubles the count and loses one.

No big deal, however, was just curious as I had locked myself out once 
too early.

Ole


On 09.12.2015 at 07:32, Andrew Bartlett wrote:
> On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
>> Hi,
>>
>> here on the wiki
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>>
>>      "Is it possible to set user specific password policies in Samba4
>>      (e. g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain
>> passwordsettings' to change password policies. But this only applies on
>> domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5'
>> incorrect attempts. However, on a Windows 7 client it needs only 3
>> invalid attempts to get the account locked out (tested on 3 different
>> machines). And on domain join it seems only to need 1 invalid
>> attempt.
>>
>> What is the full story here?
> We don't know why we lock out faster than we expect to.  Some careful
> code tracing to follow the updates to the bad password count (and even
> better, a comparison with Windows) is needed.
> Sorry,
>
> Andrew Bartlett
>



