Bug 14548 - lockoutTime does not reset badPwdCount when replicated
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-10-22 16:38 UTC by Björn Baumbach
Modified: 2022-03-14 13:57 UTC
Description Björn Baumbach 2020-10-22 16:38:04 UTC
The lockoutTime for a user is set when the badPwdCount has reached the account lockout threshold. The lockoutTime will be replicated to all other DCs, which locks the user. The badPwdCount is not replicated, which is correct.

To unlock the user account, the lockoutTime needs to be set to 0. This also resets the badPwdCount to 0 automatically. This works fine on a single Samba AD DC setup.

And now the bug:
When the reset lockoutTime (set to 0) is replicated to the other Samba AD DCs, the badPwdCount will not be set to 0.

The Windows AD DC does reset the badPwdCount to 0 when it receives the lockoutTime=0.
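
The scenario from the description, as a toy two-DC model (an added example; it is not Samba code and not part of the original report). The `DC` class, `run_scenario`, the flag name and the threshold of 3 are assumptions for illustration; only the `lockoutTime`/`badPwdCount` behaviour is taken from the description.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # constructed sample policy value


@dataclass
class DC:
    """Toy domain controller holding one user's lockout attributes."""
    name: str
    reset_on_replicated_unlock: bool  # True = behaviour the report describes for Windows
    bad_pwd_count: int = 0            # local to each DC, never replicated
    lockout_time: int = 0             # replicated to all partners
    partners: list = field(default_factory=list)

    def _replicate_lockout_time(self):
        for partner in self.partners:
            partner.receive_lockout_time(self.lockout_time)

    def failed_logon(self, now):
        self.bad_pwd_count += 1
        if self.bad_pwd_count >= LOCKOUT_THRESHOLD and self.lockout_time == 0:
            self.lockout_time = now
            self._replicate_lockout_time()

    def admin_unlock(self):
        # Originating write: setting lockoutTime=0 also resets the local counter.
        self.lockout_time = 0
        self.bad_pwd_count = 0
        self._replicate_lockout_time()

    def receive_lockout_time(self, value):
        self.lockout_time = value
        if value == 0 and self.reset_on_replicated_unlock:
            self.bad_pwd_count = 0


def run_scenario(reset_on_replicated_unlock):
    """Lock the user on dc1, unlock on dc2; return dc1's (lockoutTime, badPwdCount)."""
    dc1 = DC("dc1", reset_on_replicated_unlock)
    dc2 = DC("dc2", reset_on_replicated_unlock)
    dc1.partners.append(dc2)
    dc2.partners.append(dc1)
    for t in range(1, LOCKOUT_THRESHOLD + 1):
        dc1.failed_logon(now=t)
    dc2.admin_unlock()  # the unlock reaches dc1 only as a replicated lockoutTime=0
    return dc1.lockout_time, dc1.bad_pwd_count


if __name__ == "__main__":
    print("behaviour reported for Samba  :", run_scenario(False))
    print("behaviour reported for Windows:", run_scenario(True))
```

With the flag off, dc1 ends with `lockoutTime` 0 but `badPwdCount` still at the threshold, which is the state the report describes.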