Bug 8960 - domain account policy is reset after a few minutes
domain account policy is reset after a few minutes
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: Domain Control
3.5.10
x64 Linux
: P5 normal
: ---
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-29 15:09 UTC by Vinicius Bones Silva
Modified: 2012-05-29 15:09 UTC (History)
0 users

See Also:


Attachments
smb.conf used on pdc server. (3.47 KB, application/x-binary)
2012-05-29 15:09 UTC, Vinicius Bones Silva
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Vinicius Bones Silva 2012-05-29 15:09:19 UTC
Created attachment 7604 [details]
smb.conf used on pdc server.

Hello,

We have a samba domain running on 3 samba 3.5.10 servers (all centos5 with default samba3x packages). The samba domain stores its information on an ldap server (openldap-servers-2.3.43-25.el5).

We use pdbedit -P -C to set the domain account policies, but they are reset to the default values after a few minutes. The policies we set are:

Account policy "bad lockout attempt" value was: 0
Account policy "bad lockout attempt" value is now: 5
Account policy "maximum password age" value was: -1
Account policy "maximum password age" value is now: 10368000
Account policy "min password length" value was: 5
Account policy "min password length" value is now: 12
Account policy "password history" value was: 0
Account policy "password history" value is now: 13
Account policy "user must logon to change password" value was: 0
Account policy "user must logon to change password" value is now: 2

Seeing at the ldap server:

[vbs@woody ~]$ ldapsearch -x -D"cn=ldap-root,dc=e-trust,dc=com,dc=br" -W sambadomainname=etrust
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: sambadomainname=etrust
# requesting: ALL
#

# ETRUST, e-trust.com.br
dn: sambaDomainName=ETRUST,dc=e-trust,dc=com,dc=br
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: ETRUST
sambaSID: S-1-5-21-XXX-XXX-XXX
sambaNextGroupRid: 61012
sambaNextUserRid: 61108
sambaNextRid: 61156
uidNumber: 61492
gidNumber: 61180
sambaMinPwdAge: 0
sambaRefuseMachinePwdChange: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 5
sambaMaxPwdAge: 10368000
sambaMinPwdLength: 12
sambaPwdHistoryLength: 13
sambaLogonToChgPwd: 2

And then, after a few minutes they go back:

pdbedit -P "maximum password age"
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295

[vbs@woody ~]$ ldapsearch -x -D"cn=ldap-root,dc=e-trust,dc=com,dc=br" -W sambadomainname=etrust
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: sambadomainname=etrust
# requesting: ALL
#

# ETRUST, e-trust.com.br
dn: sambaDomainName=ETRUST,dc=e-trust,dc=com,dc=br
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: ETRUST
sambaSID: S-1-5-21-XXX-XXX-XXX
sambaNextGroupRid: 61012
sambaNextUserRid: 61108
sambaNextRid: 61156
uidNumber: 61492
gidNumber: 61180
sambaMinPwdAge: 0
sambaRefuseMachinePwdChange: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaMinPwdLength: 12
sambaLogonToChgPwd: 2
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1


We're trying to find out why. Any suggestions on debugs we can make ?