The bad password count logic is not bypassed on cached offline logons, which is how Windows behaves.
Worse yet, the count is honored, but the duration is not, so a user who locks himself out while offline can never log on again until reconnecting to the DC.
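As an added illustration (not code from Samba or from the attached patches), a small Python model of the cached-logon lockout check the report describes: the bad password count is honored either way, but only when the lockout duration is also honored does the account become usable again after the policy's window. The field and policy names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class CachedAccount:
    """Assumed shape of the cached (offline) account state."""
    bad_password_count: int = 0
    bad_password_time: float = 0.0  # time of the last failed attempt
    lockout_time: float = 0.0       # time the lockout started, 0.0 if not locked


@dataclass
class LockoutPolicy:
    """Assumed lockout policy values (seconds)."""
    threshold: int = 5                 # failed attempts before lockout
    duration: float = 1800.0           # lockout length; 0.0 means until admin unlock
    observation_window: float = 1800.0 # quiet time after which the count resets


def record_bad_password(acct, policy, now):
    """Count a failed offline logon and trigger a lockout at the threshold."""
    if acct.bad_password_count and now - acct.bad_password_time > policy.observation_window:
        acct.bad_password_count = 0
    acct.bad_password_count += 1
    acct.bad_password_time = now
    if acct.bad_password_count >= policy.threshold:
        acct.lockout_time = now


def is_locked_out(acct, policy, now, honor_duration=True):
    """Return True if a cached offline logon must be refused."""
    if acct.lockout_time == 0.0:
        return False
    if not honor_duration or policy.duration == 0.0:
        # Reported behaviour: locked until the DC is reachable again.
        return True
    return now - acct.lockout_time < policy.duration


def simulate(honor_duration):
    """Five bad passwords at t=0..4, then checks shortly after and one hour later.

    Returns (locked_right_after, locked_one_hour_later).
    """
    acct, policy = CachedAccount(), LockoutPolicy()
    for i in range(policy.threshold):
        record_bad_password(acct, policy, now=float(i))
    return (is_locked_out(acct, policy, 10.0, honor_duration),
            is_locked_out(acct, policy, 3600.0, honor_duration))
```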
Created attachment 6486
Patch for 3.6
Created attachment 6487
Patch for 3.5
I think this is a blocker. And now that we have patches, it's an easy fix before the final release :-).
Hm, in fact I made it behave exactly like that on purpose (to not allow offline password attacks, as in Windows).
(In reply to comment #4)
> Hm, in fact I made it behave exactly like that on purpose (to not allow offline
> password attacks, as in Windows).
Well, then there is one giant hole... there is no lockout duration.
As just discussed on IRC with Günther: better fix it this way now, since we don't have a patch ready now to add the extra value that Günther intended to add...
Assigning to Karolin for inclusion in 3.6.0
Pushed to v3-5-test and v3-6-test.
Re-assigning to Günther to decide whether to close the bug report or not.
No longer blocking the release of 3.6.0, at least.