On my domain controller, Samba does not notice changes to sambaAcctFlags, sambaBadPasswordCount, or sambaBadPasswordTime for users who are locked out. It always uses the values from the login cache even if the LDAP entry has been changed more recently. I believe that there is a bug in the login cache code. time_t is a 64-bit type on x64, but the code in login_cache.c loads a 32-bit value into the cache entry timestamp without clearing the higher bits. The garbage in the high bits of the cache timestamp ensures that it will usually be larger than the LDAP timestamp.
Created attachment 5229. Fix improperly initialized field
Perfect catch. The entry->bad_password_time also needs fixing. Jeremy.
Created attachment 5230. Fix for master. This is the correct fix I think. Deals with both time_t specified fields in the LOGIN_CACHE struct. Can you test and confirm please? Jeremy.
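The flaw described in the report and the two-field fix discussed in the comment above, as an added illustration that is not Samba's code or any of the attached patches. The names `cache_entry`, `unpack_u32`, `load_flawed`, `load_fixed` and `cache_wins` are hypothetical, the 0x5A fill is a constructed stand-in for stale memory, and the freshness comparison is assumed from the report's description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical record; stands in for the two time_t fields of a login cache entry. */
struct cache_entry { time_t entry_timestamp; time_t bad_password_time; };

/* Stand-in for a 32-bit unpack: writes exactly 4 bytes at dst, whatever dst points to. */
static void unpack_u32(const void *src, void *dst) { memcpy(dst, src, sizeof(uint32_t)); }

/* Flawed pattern: 4 bytes are unpacked straight into each time_t. Where time_t
 * is 64 bits wide, the other 4 bytes keep whatever was in memory before. */
struct cache_entry load_flawed(const uint32_t rec[2])
{
    struct cache_entry e;
    memset(&e, 0x5A, sizeof e);            /* constructed stand-in for stale memory */
    unpack_u32(&rec[0], &e.entry_timestamp);
    unpack_u32(&rec[1], &e.bad_password_time);
    return e;
}

/* Corrected pattern: unpack into 32-bit temporaries, then widen by assignment. */
struct cache_entry load_fixed(const uint32_t rec[2])
{
    struct cache_entry e;
    uint32_t ts, bad;
    memset(&e, 0x5A, sizeof e);            /* same stale memory as above */
    unpack_u32(&rec[0], &ts);
    unpack_u32(&rec[1], &bad);
    e.entry_timestamp = (time_t)ts;
    e.bad_password_time = (time_t)bad;
    return e;
}

/* Assumed freshness rule from the report: the cache wins when its timestamp is newer. */
int cache_wins(const struct cache_entry *e, time_t ldap_modified) { return e->entry_timestamp > ldap_modified; }

int main(void)
{
    const uint32_t rec[2] = { 1265000000u, 1264999000u };   /* constructed sample times */
    struct cache_entry a = load_flawed(rec), b = load_fixed(rec);
    printf("flawed: cache wins=%d  fixed: cache wins=%d\n",
           cache_wins(&a, 1265000600), cache_wins(&b, 1265000600));
    return 0;
}
```

With a 64-bit time_t the flawed loader reports the cache as newer than a directory entry modified ten minutes after the cached time, so the directory change is ignored; the corrected loader does not.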
Created attachment 5231. Second part of fix for bug #7072 - Accounts can't be unlocked from ldap.
Created attachment 5232. git-am format patch for 3.5.0. I think this might be necessary for 3.5.0 final. Guenter, what do you think? Jeremy.
Comment on attachment 5232. git-am format patch for 3.5.0. I think this might need to go into 3.5.0 final. Thoughts?
Created attachment 5233. git-am format patch for 3.4.6.
Created attachment 5234. git-am format patch for 3.3.11.
Comment on attachment 5232. git-am format patch for 3.5.0. looks good
Comment on attachment 5233. git-am format patch for 3.4.6. looks good
Comment on attachment 5234. git-am format patch for 3.3.11. looks good
Comment on attachment 5232. git-am format patch for 3.5.0. Looks good
Re-assigning to Karolin for push to all branches. Karolin, I think this one needs to be in 3.5.0 final. Jeremy.
The new patch works fine for me. Thanks for the quick response.
Pushed to all branches. Closing out bug report. Thanks!