Bug 8960 - domain account policy is reset after a few minutes
Summary: domain account policy is reset after a few minutes
Status: NEW
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Domain Control
Version: 3.5.10
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-29 15:09 UTC by Vinicius Bones Silva
Modified: 2012-05-29 15:09 UTC
0 users

See Also:


Attachments
smb.conf used on pdc server. (3.47 KB, application/x-binary)
2012-05-29 15:09 UTC, Vinicius Bones Silva

Description Vinicius Bones Silva 2012-05-29 15:09:19 UTC
Created attachment 7604
smb.conf used on pdc server.

Hello,

We have a Samba domain running on 3 Samba 3.5.10 servers (all CentOS 5 with default samba3x packages). The Samba domain stores its information on an LDAP server (openldap-servers-2.3.43-25.el5).

We use pdbedit -P -C to set the domain account policies, but they are reset to the default values after a few minutes. The policies we set are:

Account policy "bad lockout attempt" value was: 0
Account policy "bad lockout attempt" value is now: 5
Account policy "maximum password age" value was: -1
Account policy "maximum password age" value is now: 10368000
Account policy "min password length" value was: 5
Account policy "min password length" value is now: 12
Account policy "password history" value was: 0
Account policy "password history" value is now: 13
Account policy "user must logon to change password" value was: 0
Account policy "user must logon to change password" value is now: 2

Looking at the LDAP server:

[vbs@woody ~]$ ldapsearch -x -D"cn=ldap-root,dc=e-trust,dc=com,dc=br" -W sambadomainname=etrust
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: sambadomainname=etrust
# requesting: ALL
#

# ETRUST, e-trust.com.br
dn: sambaDomainName=ETRUST,dc=e-trust,dc=com,dc=br
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: ETRUST
sambaSID: S-1-5-21-XXX-XXX-XXX
sambaNextGroupRid: 61012
sambaNextUserRid: 61108
sambaNextRid: 61156
uidNumber: 61492
gidNumber: 61180
sambaMinPwdAge: 0
sambaRefuseMachinePwdChange: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 5
sambaMaxPwdAge: 10368000
sambaMinPwdLength: 12
sambaPwdHistoryLength: 13
sambaLogonToChgPwd: 2

And then, after a few minutes they go back:

pdbedit -P "maximum password age"
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295

[vbs@woody ~]$ ldapsearch -x -D"cn=ldap-root,dc=e-trust,dc=com,dc=br" -W sambadomainname=etrust
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: sambadomainname=etrust
# requesting: ALL
#

# ETRUST, e-trust.com.br
dn: sambaDomainName=ETRUST,dc=e-trust,dc=com,dc=br
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: ETRUST
sambaSID: S-1-5-21-XXX-XXX-XXX
sambaNextGroupRid: 61012
sambaNextUserRid: 61108
sambaNextRid: 61156
uidNumber: 61492
gidNumber: 61180
sambaMinPwdAge: 0
sambaRefuseMachinePwdChange: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaMinPwdLength: 12
sambaLogonToChgPwd: 2
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1


We're trying to find out why. Any suggestions on debugging we can do?
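
Added example (not part of the original report and not Samba code): a Python script that diffs two snapshots of the sambaDomain entry to show exactly which account-policy attributes were reset, treating -1 and 4294967295 as the same 32-bit value, as in the pdbedit output above. The function names, the restriction to the five attributes the reporter set, and the simplified LDIF parsing are assumptions of this example.

```python
# Added example: diff two snapshots of the sambaDomain entry.
# Simplified LDIF handling (assumption): one "attr: value" per line, no
# base64 ("::") values or folded lines, which holds for these integers.
POLICY_ATTRS = (
    "sambaLockoutThreshold", "sambaMaxPwdAge", "sambaMinPwdLength",
    "sambaPwdHistoryLength", "sambaLogonToChgPwd",
)

# Values copied from the two ldapsearch outputs in the report.
BEFORE = """\
sambaLockoutThreshold: 5
sambaMaxPwdAge: 10368000
sambaMinPwdLength: 12
sambaPwdHistoryLength: 13
sambaLogonToChgPwd: 2
"""
AFTER = """\
sambaMinPwdLength: 12
sambaLogonToChgPwd: 2
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
"""

def parse_entry(ldif_text):
    """Return {attribute: first value} for one LDIF entry, skipping comments."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs.setdefault(name.strip(), value.strip())
    return attrs

def as_u32(value):
    """Map a policy value to unsigned 32 bits, so -1 equals 4294967295."""
    return int(value) & 0xFFFFFFFF

def policy_drift(before, after):
    """Return {attr: (old, new)} for policy attributes whose value changed."""
    drift = {}
    for attr in POLICY_ATTRS:
        old, new = before.get(attr), after.get(attr)
        if old is None or new is None:
            changed = old != new
        else:
            changed = as_u32(old) != as_u32(new)
        if changed:
            drift[attr] = (old, new)
    return drift
```

Run against the two snapshots from the report, it flags sambaLockoutThreshold, sambaMaxPwdAge and sambaPwdHistoryLength as reset, while sambaMinPwdLength and sambaLogonToChgPwd kept the values that were set.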