diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 53b6da53dc1..fa735c968e6 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -25,6 +25,11 @@
 #include "../libcli/auth/libcli_auth.h"
 #include "passdb.h"
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
@@ -380,6 +385,22 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 	const uint8_t *lm_pw;
 	uint32_t acct_ctrl;
 
+	// XXX HACK - one process at a time through here
+	int lockf_ret;
+	int hack_fd = open("/run/lock/samba-hack", O_CREAT|O_RDWR, 0666);
+	if (hack_fd < 0)
+	{
+		DEBUG(0, ("open lock fd FAILED\n"));
+	}
+	else
+	{
+		lockf_ret = lockf(hack_fd, F_LOCK, 0);
+		if (lockf_ret < 0)
+			DEBUG(0, ("lockf lock FAILED\n"));
+		else
+			DEBUG(0, ("lockf locked\n"));
+	}
+
 	/* the returned struct gets kept on the server_info, by means
 	   of a steal further down */
 
@@ -409,6 +430,19 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 	/* Quit if the account was locked out. */
 	if (acct_ctrl & ACB_AUTOLOCK) {
 		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
+               // XXX HACK
+		if (hack_fd >= 0)
+		{
+			if (lockf_ret == 0)
+			{
+				lockf_ret = lockf(hack_fd, F_ULOCK, 0);
+				if (lockf_ret < 0)
+					DEBUG(0, ("lockf unlock FAILED\n"));
+				else
+					DEBUG(0, ("lockf unlocked\n"));
+			}
+			close(hack_fd);
+		}
 		TALLOC_FREE(sampass);
 		return NT_STATUS_ACCOUNT_LOCKED_OUT;
 	}
@@ -507,6 +541,20 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 	(*server_info)->nss_token |= user_info->was_mapped;
 
 done:
+	// XXX HACK
+	if (hack_fd >= 0)
+	{
+		if (lockf_ret == 0)
+		{
+			lockf_ret = lockf(hack_fd, F_ULOCK, 0);
+			if (lockf_ret < 0)
+				DEBUG(0, ("lockf unlock FAILED\n"));
+			else
+				DEBUG(0, ("lockf unlocked\n"));
+		}
+		close(hack_fd);
+	}
+
 	TALLOC_FREE(sampass);
 	data_blob_free(&user_sess_key);
 	data_blob_free(&lm_sess_key);
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 64e05b346de..02e61bdad11 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2253,6 +2253,10 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
 	  and autolocking if necessary
 	*/
 
+	// XXX HACK
+	DEBUG(0, ("bad password count is %u, bad attempt lockout at %u\n",
+				pdb_get_bad_password_count(sampass), account_policy_lockout));
+
 	pdb_set_bad_password_count(sampass, 
 				   pdb_get_bad_password_count(sampass)+1,
 				   PDB_CHANGED);