Hi there,
we have a few SuSE Linux Enterprise Desktop 11 SP1 machines with Samba
3.4.3 joined to a Windows Server 2003 domain. The domain has some strict
password policies, such as a limited number of password tries before the
account is locked for a few minutes.
It works fine when doing online authentication against the domain
controllers.
The problem arises with cached offline logon. Offline logon works, but
when a user enters a bad password enough times, winbind locks him out, as
if it were enforcing the password policies of the domain even for offline
logon. But after the time set in "lockout duration" has passed, the
account remains locked (even after a very long wait), and gets unlocked
only after connecting to the network and authenticating against the
domain again.
So I'd like to ask:
- if it's possible to unlock a cached domain account locally (as root,
without a connection to the domain controllers)
- why the account doesn't unlock automatically after the "lockout
duration" has passed (is this functionality not implemented, or should I
check my settings?)
I tried googling hard and searched through all the relevant
documentation, but found very little info on credential caching in
samba/winbind. I even tried to look at the TDB databases (of which I
think netsamlogon_cache.tdb holds the cached account info and the
lockout flag) to see if I could unlock the account manually in there,
but I just couldn't make out anything useful from the binary data.
So any help would be greatly appreciated. Thank you in advance. Have a
nice day.
--
Beli - IT consultant
beli+smb at beli.sk | www.beli.sk