[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
Andrew Bartlett
abartlet at samba.org
Thu Dec 10 09:20:41 UTC 2015
On Wed, 2015-12-09 at 11:32 +0100, Ole Traupe wrote:
> I can do some playing around:
>
> a) I have set a GPO for lockout at '10' invalid attempts (the rest of
> the password options set as on Samba DC), forced the 'gpupdate', and
> left the Samba rules set to '5' (checked on both DCs). But still I
> get
> locked out after 3 invalid attempts.
>
> b) I have set the Samba rules to '10' (or '15') invalid attempts and
> get
> locked out after 6 (or 8) now. So:
>
> Setting '5': locked out after 3
> Setting '10': locked out after 6
> Setting '15': locked out after 8
>
> Seems that Samba doubles the count and looses one.
>
> No big deal, however, was just curious as I had locked out myself
> once
> too early.
Yes, we haven't understood why that happens. The tests (except when we
update Heimdal, which causes double-counting) work as expected, so my
suspicion is that the client does something that triggers multiple
lockouts.
I would love someone to dig into this and isolate it for us.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list