Hi,

This bug is also related to #4313, because it was found during our tests. I'm doing the same introduction just to make it easy.

We are running Samba on a Debian "etch" machine (x86), four processors (Intel(R) Xeon(TM) CPU 3.00GHz) and 4GB of RAM memory. We use LDAP as a backend to manage about 200 users and computers. The versions of the involved software:

* libldap2 2.1.30-13+b1
* samba 3.0.23d-2+b1
* slapd 2.3.29-1

Using the policies for passwords seems to work fine. But the lockout configuration doesn't seem to be OK. In the sambaDomainName we have:

sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 3

With the above configuration our idea is to have the user account locked for 30 minutes after 3 bad login attempts. We are not quite sure about how sambaLockoutObservationWindow affects the lockout, that's why we set it equal to sambaLockoutDuration.

Using my account (felipe), if I mistype the password I can see the time and the number of bad tries using pdbedit, but it does not increase. If I try two or three times to login with the wrong password, the fields "Last bad password" and "Bad password count" don't change. "Last bad password" keeps the date of the first attempt and the "bad password count" remains at "1". I was expecting both fields to get updated when I made a bad login attempt, and after the third try it should block my account (probably the Win clients will show a different message then).

Is that a bug? A missing feature? Or a misconfiguration on my side?

-- Felipe (faw)
Sorry, I forgot to add the libldap library information:

* libldap-2.3-0 2.3.29-1

Kind regards,
-- Felipe (faw)
So far, on 3.0.25pre1, this is working for me. I should explain that the BadPassword count won't increase on the LDAP server until lockout is reached. We did this to prevent every mistyped password from being propagated throughout all replicas of an LDAP tree, because that could create a massive amount of traffic. This also mimics what NT does, where the bad password count isn't replicated until the threshold is reached. We cache it locally until then. However, pdbedit should show the increase on whatever DC is processing the request, because it will reflect the contents of the local cache. So even with pdbedit you're not seeing this increase at all?

The ObservationWindow is a timer after which the count is reset back to zero, so that you don't accumulate bad attempts forever. So in your case, if no bad passwords are entered in 30 minutes, the count should reset to zero the next time it's accessed. Please keep in mind that the LDAP tree itself isn't updated when timers expire, but rather the next time that a passdb backend accesses the entry.

If you're not seeing updates in pdbedit, please post your smb.conf, and also give a little more detail about how you're testing this out.
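The behaviour described in the previous comment is easier to reason about as a small state machine, so here is an added example that models it. This is illustrative code written for this thread, not Samba's passdb implementation: the `Account`, `PassdbModel`, `demo` and `demo_window` names, the minute-based clock and the "per-DC cache versus directory" split are all assumptions made for the example. It shows the three rules the comment states: the bad-password count lives in a local cache and is only written to the directory when the threshold is hit, the observation window resets the count on the next access, and the lock is released on the next access after the lockout duration has passed, not when the timer fires.

```python
"""Added example (not Samba code): model of the lockout semantics described
in the thread, using the domain policy from the sambaDomainName entry."""
from dataclasses import dataclass

# Domain policy in minutes, matching the sambaDomainName values quoted above.
LOCKOUT_THRESHOLD = 3
LOCKOUT_OBSERVATION_WINDOW = 30
LOCKOUT_DURATION = 30


@dataclass
class Account:
    name: str
    password: str
    # Attributes as stored in the directory: this is what every replica sees.
    ldap_bad_count: int = 0
    ldap_bad_time: int = 0       # minutes since epoch, 0 = never
    ldap_locked_until: int = 0   # minutes since epoch, 0 = not locked
    # Per-DC cache (hypothetical): what pdbedit on *this* DC would report.
    cache_bad_count: int = 0
    cache_bad_time: int = 0


class PassdbModel:
    """Hypothetical passdb-like backend. Timers are applied lazily, on access."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.ldap_writes = []   # log of (user, time, count) pushed to the directory

    def _expire_timers(self, acct, now):
        # Nothing happens when a timer expires; the entry is fixed up the next
        # time the backend touches it, exactly as the comment describes.
        if acct.ldap_locked_until and now >= acct.ldap_locked_until:
            acct.ldap_locked_until = 0
            acct.ldap_bad_count = 0
            acct.cache_bad_count = 0
        if acct.cache_bad_count and now - acct.cache_bad_time >= LOCKOUT_OBSERVATION_WINDOW:
            # Observation window elapsed with no new failures: start counting afresh.
            acct.cache_bad_count = 0

    def login(self, name, password, now):
        acct = self.accounts[name]
        self._expire_timers(acct, now)
        if acct.ldap_locked_until:
            return "locked"
        if password == acct.password:
            acct.cache_bad_count = 0
            return "ok"
        # Bad password: only the local cache changes until the threshold is hit.
        acct.cache_bad_count += 1
        acct.cache_bad_time = now
        if acct.cache_bad_count >= LOCKOUT_THRESHOLD:
            # Threshold reached: now, and only now, the directory is updated so
            # the lock replicates, and the user stays locked for LOCKOUT_DURATION.
            acct.ldap_bad_count = acct.cache_bad_count
            acct.ldap_bad_time = now
            acct.ldap_locked_until = now + LOCKOUT_DURATION
            self.ldap_writes.append((name, now, acct.ldap_bad_count))
            return "locked"
        return "bad password"


def demo():
    """Three bad tries lock the account; the lock clears after 30 minutes."""
    db = PassdbModel([Account("felipe", "correct-horse")])   # constructed sample user
    results = [
        db.login("felipe", "wrong", now=100),          # cache=1, no LDAP write
        db.login("felipe", "wrong", now=101),          # cache=2, no LDAP write
        db.login("felipe", "wrong", now=102),          # threshold: locked, one LDAP write
        db.login("felipe", "correct-horse", now=110),  # correct password, still locked
        db.login("felipe", "correct-horse", now=132),  # 30 min later: unlocked on access
    ]
    return results, db


def demo_window():
    """Two failures, then a gap longer than the observation window."""
    db = PassdbModel([Account("felipe", "pw")])
    db.login("felipe", "x", now=0)
    db.login("felipe", "x", now=1)
    acct = db.accounts["felipe"]
    count_before = acct.cache_bad_count        # 2 failures inside the window
    db.login("felipe", "x", now=40)            # 39 min gap: reset, then this one counts
    return count_before, acct.cache_bad_count  # (2, 1)


if __name__ == "__main__":
    print(demo()[0])
    print(demo_window())
```

The point of the model for the original report: with this logic a single DC's pdbedit should still show the cached count going 1, 2, 3 even though the LDAP entry stays untouched until the third failure, so a count stuck at 1 on the DC that handled the requests is not what the design predicts. Note also that the per-DC cache means a user spreading attempts across several DCs gets more than `sambaLockoutThreshold` tries before any of them reaches the threshold, which is the trade-off the comment accepts for reduced replication traffic.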
This was a "must be root" bug which has been fixed in the 3.0.25 branch. If you want a 3.0.24d you can use the SerNet packages, which have that one fixed, I think. For that reason I'll close this as fixed...