14548 – lockoutTime does not reset badPwdCount when replicated

Bug 14548 - lockoutTime does not reset badPwdCount when replicated

Summary: lockoutTime does not reset badPwdCount when replicated

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.15.5
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-10-22 16:38 UTC by Björn Baumbach
Modified:	2022-03-14 13:57 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Björn Baumbach 2020-10-22 16:38:04 UTC

The lockoutTime for a user is set when the badPwdCount has been reached the account lockout threshold. The lockoutTime will be replicated to all other DCs, which locks the user. The badPwdCount is not replicated, which is correct.

To unlock the user account, the lockoutTime needs to be set to 0. This does also reset the badPwdCount to 0 automatically. This works fine on a one Samba Samba AD DC setup.

And now the bug:
When the reseted lockoutTime (set to 0) is replicated to the other Samba AD DCs, the badPwdCount will not be set to 0.

The Windows AD DC does reset the badPwdCount to 0, when it receives the lockoutTime=0.