Braebaum, Neil
2008-Aug-13 14:09 UTC
[Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?
I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3) for user authentication on Linux, to 2003 Active Directory.

The password policy dictated by AD should lock accounts after 6 incorrect login attempts within a 30 minute period. However, it seems to halve that when logging in to these Linux boxes via ssh - so after 3 incorrect login attempts, the AD account gets locked.

Looking in log.wb-<Domain Name> seems to show double attempts / authentication failures when submitting the login with an incorrect password (to test this).

I have noted password level in smb.conf (it's not set in my smb.conf), but as I'm using encrypt passwords = yes, I thought it was irrelevant.

It would appear that two submissions are being made, though, is that a Samba version thing, something I may have not got spot on with my pam configuration, or an issue with the Samba version?

testparm output follows:-

Load smb config files from /usr/lib/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = XXXXXX
        realm = XXXXXXXXXX
        server string = Linux AD authentication
        security = ADS
        auth methods = winbind, sam
        allow trusted domains = No
        obey pam restrictions = Yes
        use kerberos keytab = Yes
        server signing = auto
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        load printers = No
        printcap cache time = 0
        printcap name = /dev/null
        disable spoolss = Yes
        preferred master = No
        local master = No
        domain master = No
        idmap domains = XXXXXX
        template shell = /bin/ksh
        winbind separator = +
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config XXXXXX:backend = rid
        idmap config XXXXXX:range = 10000-2000000

Neil
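One way to check for the doubling described above before it trips the AD lockout: count backend authentication failures per user in a 30-minute window and compare them with the number of distinct client attempts. This is an added example, not code from the original post or from Samba; the log line format and the sample lines are constructed for the example and are not the real log.wb-* format, so the parser has to be adapted to the actual winbind log lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6                    # AD policy: bad attempts before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)  # AD policy: observation window

# Constructed sample (NOT the real log.wb-* format): one line per failure the
# backend reported. Three ssh logins by "neil" each produce two failures.
SAMPLE_LOG = """\
2008-08-13 14:01:05 auth failure user=neil source=ssh
2008-08-13 14:01:05 auth failure user=neil source=ssh
2008-08-13 14:02:10 auth failure user=neil source=ssh
2008-08-13 14:02:10 auth failure user=neil source=ssh
2008-08-13 14:03:40 auth failure user=neil source=ssh
2008-08-13 14:03:40 auth failure user=neil source=ssh
2008-08-13 14:20:00 auth failure user=alice source=ssh
"""

def parse_failures(log_text):
    """Parse 'YYYY-MM-DD HH:MM:SS auth failure user=<name> ...' lines."""
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "failure" not in fields:
            continue
        stamp = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
        user = next(f[5:] for f in fields if f.startswith("user="))
        events.append((stamp, user))
    return events

def analyse(events):
    """Per user: backend failures vs. distinct client attempts, and whether
    the failures alone would reach the AD lockout threshold in one window."""
    per_user = defaultdict(list)
    for stamp, user in events:
        per_user[user].append(stamp)
    report = {}
    for user, stamps in per_user.items():
        stamps.sort()
        attempts = len(set(stamps))   # same second => one client attempt
        # Largest number of backend failures inside any observation window
        peak = max(sum(1 for t in stamps if s <= t <= s + OBSERVATION_WINDOW)
                   for s in stamps)
        report[user] = {"attempts": attempts, "failures": len(stamps),
                        "failures_per_attempt": len(stamps) / attempts,
                        "would_lock": peak >= LOCKOUT_THRESHOLD}
    return report

if __name__ == "__main__":
    for user, info in analyse(parse_failures(SAMPLE_LOG)).items():
        print(user, info)
```

A failures_per_attempt of 2.0 alongside would_lock being true after only 3 attempts is exactly the symptom in the post: the PAM/winbind path is submitting each password twice, so the effective lockout threshold is half the policy value.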
Guenther Deschner
2008-Aug-13 16:31 UTC
[Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?
Braebaum, Neil wrote:
| I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3)
| for user authentication on Linux, to 2003 Active Directory.
|
| The password policy dictated by AD should lock accounts after 6
| incorrect login attempts within a 30 minute period. However, it seems to
| halve that when logging in to these Linux boxes via ssh - so after 3
| incorrect login attempts, the AD account gets locked.
|
| Looking in log.wb-<Domain Name> seems to show double attempts /
| authentication failures when submitting the login with an incorrect
| password (to test this).
|
| I have noted password level in smb.conf (it's not set in my smb.conf),
| but as I'm using encrypt passwords = yes, I thought it was irrelevant.
|
| It would appear that two submissions are being made, though, is that a
| Samba version thing, something I may have not got spot on with my pam
| configuration, or an issue with the Samba version?

This area of code hasn't been reworked a lot since then, so, can you please file a bug and upload your correct log.wb-* files ?

Thanks,
Guenther

--
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner@redhat.com
Samba Team                              gd@samba.org