After moving from Red Hat AS4 to RHEL 5.5 we started noticing these error
messages in the messages log. Upgrade procedure was to build new machine with
updated OS, install new samba, duplicate existing ldap server connections, and
then shut down the old box and put new one in place. Messages were not seen on
AS4 box and smb.conf file is identical on new box. I am wondering if there was
a change in samba/ldap connectivity between versions where a field or fields in
our samba ldap schema need to have values entered now where they didn't
before. I have provided some information and can provide more if needed.
Authentication is successful if correct password is given. If password is
incorrect the error message appears. LDAP server has had no changes to it, or
its schema.
/var/log/messages:
Sep 15 12:51:39 xxx301 smbd[22218]: [2011/09/15 12:51:39, 0] passdb/passdb.c:pdb_increment_bad_password_count(1477)
Sep 15 12:51:39 xxx301 smbd[22218]: pdb_increment_bad_password_count: pdb_get_account_policy failed.
Sep 15 12:51:53 xxx301 smbd[22218]: [2011/09/15 12:51:53, 0] lib/util_sock.c:read_data(540)
Sep 15 12:51:53 xxx301 smbd[22218]: read_data: read failure for 4 bytes to client 192.168.x.x. Error = Connection
Old system:
samba-common-3.0.10-1.4E.6
samba-client-3.0.10-1.4E.6
samba-3.0.10-1.4E.6
New system:
samba-common-3.0.33-3.29.el5_6.2
samba-3.0.33-3.29.el5_6.2
Relevant parts of smb.conf:
passdb backend = ldapsam:ldap://172.x.x.x
ldap suffix = dc=prod,dc=xxx,dc=yyy
ldap machine suffix = ou=people
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap admin dn = cn=root,dc=prod,dc=xxx,dc=yyy
obey pam restrictions = yes
Thanks for any suggestions....
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson at datatrak.net | www.datatrak.net