Braebaum, Neil
2008-Aug-13 14:09 UTC
[Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?
I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3)
for user authentication on Linux, to 2003 Active Directory.
The password policy dictated by AD should lock accounts after 6
incorrect login attempts within a 30 minute period. However, it seems to
halve that when logging in to these Linux boxes via ssh - so after 3
incorrect login attempts, the AD account gets locked.
Looking in log.wb-<Domain Name> seems to show double attempts /
authentication failures when submitting the login with an incorrect
password (to test this).
I have noted password level in smb.conf (it's not set in my smb.conf),
but as I'm using encrypt passwords = yes, I thought it was irrelevant.
It would appear that two submissions are being made, though; is that a
Samba version thing, something I may have not got spot on with my pam
configuration, or an issue with the Samba version?
testparm output follows:-
Load smb config files from /usr/lib/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = XXXXXX
realm = XXXXXXXXXX
server string = Linux AD authentication
security = ADS
auth methods = winbind, sam
allow trusted domains = No
obey pam restrictions = Yes
use kerberos keytab = Yes
server signing = auto
socket options = IPTOS_LOWDELAY TCP_NODELAY
load printers = No
printcap cache time = 0
printcap name = /dev/null
disable spoolss = Yes
preferred master = No
local master = No
domain master = No
idmap domains = XXXXXX
template shell = /bin/ksh
winbind separator = +
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap config XXXXXX:backend = rid
idmap config XXXXXX:range = 10000-2000000
Neil
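The symptom described above (an AD threshold of 6 that locks after 3 ssh attempts, with apparent double failures in log.wb-*) can be confirmed from the log itself before filing a bug. The script below is an added example, not code from the thread or from the Samba project: it parses winbindd-style failure lines, collapses failures that land within a couple of seconds of each other for the same user into one logical attempt, and reports the failures-per-attempt multiplier and the resulting effective lockout threshold. The log line format, the user names and the timestamps are constructed for the example; the real log.wb-* wording differs between Samba versions and log levels, so LINE_RE will need adjusting to your own log. The sliding 30-minute window is an approximation of the AD observation window, not a reimplementation of how the DC tracks badPwdCount.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on log.wb-* entries (not real output).
# Each of neil's three ssh attempts shows up as two failures within a second;
# bob's failures are single and mostly outside the observation window.
SAMPLE_LOG = """\
[2008/08/13 14:01:02, 2] winbindd_pam.c: pam_auth for DOMAIN+neil failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:01:02, 2] winbindd_pam.c: pam_auth for DOMAIN+neil failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:02:15, 2] winbindd_pam.c: pam_auth for DOMAIN+neil failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:02:16, 2] winbindd_pam.c: pam_auth for DOMAIN+neil failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:03:40, 2] winbindd_pam.c: pam_auth for DOMAIN+neil failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:03:40, 2] winbindd_pam.c: pam_auth for DOMAIN+neil failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:05:00, 2] winbindd_pam.c: pam_auth for DOMAIN+bob failed: NT_STATUS_WRONG_PASSWORD
[2008/08/13 14:09:30, 2] winbindd_pam.c: pam_auth for DOMAIN+bob succeeded
[2008/08/13 14:40:00, 2] winbindd_pam.c: pam_auth for DOMAIN+bob failed: NT_STATUS_WRONG_PASSWORD
"""

# Assumed line shape: "[YYYY/MM/DD HH:MM:SS, level] ... pam_auth for <user> failed|succeeded ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\] .*?"
    r"pam_auth for (?P<user>\S+) (?P<result>failed|succeeded)"
)


def parse_failures(text):
    """Return {user: [datetime, ...]} of failed authentications, sorted by time."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "failed":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        failures[m.group("user")].append(ts)
    for user in failures:
        failures[user].sort()
    return failures


def group_attempts(times, dup_gap=timedelta(seconds=2)):
    """Collapse failures within dup_gap of the previous one into a single
    logical attempt. A human cannot retype a password that fast, so such
    pairs point at the client stack submitting the same password twice."""
    groups = []
    for t in times:
        if groups and t - groups[-1][-1] <= dup_gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups


def lockout_report(text, threshold=6, window=timedelta(minutes=30),
                   dup_gap=timedelta(seconds=2)):
    """Per user: failures the DC would count inside the window ending at the
    last failure, distinct attempts, the multiplier between the two, and the
    threshold a user effectively experiences (policy threshold / multiplier)."""
    report = {}
    for user, times in parse_failures(text).items():
        recent = [t for t in times if times[-1] - t <= window]
        attempts = group_attempts(recent, dup_gap)
        per_attempt = len(recent) / len(attempts)
        report[user] = {
            "failures": len(recent),
            "attempts": len(attempts),
            "failures_per_attempt": per_attempt,
            "effective_threshold": threshold / per_attempt,
            "locked": len(recent) >= threshold,
        }
    return report


if __name__ == "__main__":
    for user, info in lockout_report(SAMPLE_LOG).items():
        print(f"{user}: {info}")
```

A multiplier of 2.0 for a user whose every attempt is logged twice reproduces the observation in the post exactly: a policy threshold of 6 becomes an effective threshold of 3 ssh attempts. If the multiplier is 1.0 in the logs but lockouts still happen early, the duplication is happening somewhere winbindd does not see, which is useful to know before attaching the log to a bug report.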
Guenther Deschner
2008-Aug-13 16:31 UTC
[Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Braebaum, Neil wrote:
| I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3)
| for user authentication on Linux, to 2003 Active Directory.
|
| The password policy dictated by AD should lock accounts after 6
| incorrect login attempts within a 30 minute period. However, it seems to
| halve that when logging in to these Linux boxes via ssh - so after 3
| incorrect login attempts, the AD account gets locked.
|
| Looking in log.wb-<Domain Name> seems to show double attempts /
| authentication failures when submitting the login with an incorrect
| password (to test this).
|
| I have noted password level in smb.conf (it's not set in my smb.conf),
| but as I'm using encrypt passwords = yes, I thought it was irrelevant.
|
| It would appear that two submissions are being made, though, is that a
| Samba version thing, something I may have not got spot on with my pam
| configuration, or an issue with the Samba version?

This area of code hasn't been reworked a lot since then, so, can you
please file a bug and upload your correct log.wb-* files?

Thanks,
Guenther
- --
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner@redhat.com
Samba Team gd@samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkijDEgACgkQSOk3aI7hFoi4CwCfd73W9y0elpD0+R96n/b9HbTH
lt8AnRtwoFSES/m7uvIrZfgywlCWwg8e
=oGtJ
-----END PGP SIGNATURE-----