The bad password count logic is not bypassed on cached offline logons, which is how Windows behaves. Worse yet, the count is honored, but the duration is not, so a user who locks himself out while offline can never log on again until reconnecting with the DC.
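To make the failure mode described in this comment concrete, here is a small added model of an offline lockout check (example code written for this thread, not Samba or winbind code). It assumes a hypothetical policy with a bad-password threshold and a lockout duration in seconds, and contrasts a check that honors only the count with one that also lets the lockout expire, so the cached account is not locked forever while the DC is unreachable.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LockoutPolicy:
    # Hypothetical settings; in a real deployment these come from the domain policy.
    threshold: int   # bad passwords allowed before the account locks
    duration: int    # seconds a lockout lasts; 0 means "until an admin resets it"


@dataclass
class CachedAccount:
    # Constructed state for an account in the offline cache.
    bad_count: int = 0
    locked_at: Optional[float] = None   # time at which the count reached the threshold


def record_bad_password(acct: CachedAccount, policy: LockoutPolicy, now: float) -> None:
    """Increment the bad-password count and remember when the lockout started."""
    acct.bad_count += 1
    if acct.bad_count >= policy.threshold and acct.locked_at is None:
        acct.locked_at = now


def reset_lockout(acct: CachedAccount) -> None:
    """Clear the counter, e.g. after a successful logon or an expired lockout."""
    acct.bad_count = 0
    acct.locked_at = None


def is_locked_count_only(acct: CachedAccount, policy: LockoutPolicy, now: float) -> bool:
    """The problematic behaviour: the count is honored but the duration never is,
    so once the threshold is hit the cached account stays locked indefinitely."""
    return acct.bad_count >= policy.threshold


def is_locked(acct: CachedAccount, policy: LockoutPolicy, now: float) -> bool:
    """Corrected behaviour: the lockout expires after policy.duration seconds
    (unless duration is 0, which means an admin must unlock the account)."""
    if acct.bad_count < policy.threshold:
        return False
    if policy.duration == 0:
        return True
    if acct.locked_at is not None and now - acct.locked_at >= policy.duration:
        reset_lockout(acct)
        return False
    return True


def simulate(check: Callable[[CachedAccount, LockoutPolicy, float], bool]) -> bool:
    """Three bad passwords at t=0..10s, then a logon attempt a full day later."""
    policy = LockoutPolicy(threshold=3, duration=30 * 60)
    acct = CachedAccount()
    for t in (0, 5, 10):
        record_bad_password(acct, policy, now=t)
    return check(acct, policy, now=10 + 24 * 3600)


if __name__ == "__main__":
    print("count-only check, next day:", simulate(is_locked_count_only))  # True: still locked
    print("count+duration check, next day:", simulate(is_locked))        # False: lockout expired
```

The simulation shows the point of the report: with the count-only check, the user who typed three bad passwords while offline is still locked out a day later, whereas the corrected check unlocks the account once the configured duration has passed, while still refusing logons inside that window.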
Created attachment 6486: Patch for 3.6
Created attachment 6487: Patch for 3.5
I think this is a blocker. And now we have patches, an easy fix before final release :-). Jeremy.
Hm, in fact I made it behave exactly like that on purpose (to not allow offline password attacks, like in Windows).
(In reply to comment #4)
> hm, in fact I exactly made it behave like that on purpose (to not allow offline
> password attacks like in windows).

Well, then there is one giant hole... there is no lockout duration.
As just discussed on IRC with Günther: better fix it this way now, since we don't have a patch ready to add the extra value that Günther intended to add... Assigning to Karolin for inclusion in 3.6.0.
Pushed to v3-5-test and v3-6-test. Re-assigning to Günther to decide whether to close the bug report or not.
Lowering severity.
No longer blocking the release of 3.6.0, at least.