[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)

Andrew Bartlett abartlet at samba.org
Thu Dec 10 09:20:41 UTC 2015

On Wed, 2015-12-09 at 11:32 +0100, Ole Traupe wrote:
> I can do some playing around:
> a) I have set a GPO for lockout at '10' invalid attempts (the rest of
> the password options set as on Samba DC), forced the 'gpupdate', and
> left the Samba rules set to '5' (checked on both DCs). But still I get
> locked out after 3 invalid attempts.
> b) I have set the Samba rules to '10' (or '15') invalid attempts and get
> locked out after 6 (or 8) now. So:
> Setting '5': locked out after 3
> Setting '10': locked out after 6
> Setting '15': locked out after 8
> Seems that Samba doubles the count and loses one.
> No big deal, however, was just curious as I had locked out myself once
> too early.

Yes, we haven't understood why that happens.  The tests (except when we
update Heimdal, which causes double-counting) work as expected, so my
suspicion is that the client does something that triggers multiple

I would love someone to dig into this and isolate it for us. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
