Hello, Quick observation after recently updating all DC's to 4.2.0 from 4.1.17. Several users received the notice "account is currently locked out" after entering their password once. I updated the policy to a minimum of 3 attempts before any user logged in initially. I opened Microsoft ADUC tool and clicked the box to unlock their account. This resulted in the user receiving "account currently disabled" message after attempting login again. Account was not disabled from what ADUC tool displayed. I attempted to disable and enable the account just to test. This resulted in the user still receiving the notice "account currently disabled". The only way I was able to resolve was to force a password change. Has anyone else observed this behavior? -- -James
Luke Bigum
2015-Mar-09 18:40 UTC
[Samba] password lockout policy issue after update to 4.2
I haven't seen your problem specifically but a few FYIs that are in your area, in case you run into them: We've observed that Win8.1 sends two auth attempts to our Samba4 AD DC for every one actual login, so accounts were being locked out twice as fast as we expected. It doesn't explain your issue, but something to be aware of with very low numbers of attempts. I have also seen the MS AD utilities not populating certain fields that Samba's backend uses, like Password Last Set, so if you lock out based on last change time then that can be a problem. -- Luke Bigum Senior Systems Engineer Information Systems ----- Original Message ----- From: "James" <lingpanda101 at gmail.com> To: samba at lists.samba.org Sent: Monday, 9 March, 2015 6:03:11 PM Subject: [Samba] password lockout policy issue after update to 4.2 Hello, Quick observation after recently updating all DC's to 4.2.0 from 4.1.17. Several users received the notice "account is currently locked out" after entering their password once. I updated the policy to a minimum of 3 attempts before any user logged in initially. I opened Microsoft ADUC tool and clicked the box to unlock their account. This resulted in the user receiving "account currently disabled" message after attempting login again. Account was not disabled from what ADUC tool displayed. I attempted to disable and enable the account just to test. This resulted in the user still receiving the notice "account currently disabled". The only way I was able to resolve was to force a password change. Has anyone else observed this behavior? -- -James -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba --- LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN http://www.LMAX.com/ --- #1 Fastest Growing Tech Company in UK - Sunday Times Tech Track 100 (2014) Awards 2015 Best FX Trading Venue - ECN/MTF - WSL Institutional Trading Awards 2014 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards 2014 Best FX Trading Venue - ECN/MTF - WSL Institutional Trading Awards 2014 Best Infrastructure/Technology Initiative - WSL Institutional Trading Awards 2013 #15 Fastest Growing Tech Company in UK - Sunday Times Tech Track 100 2013 Best Overall Testing Project - The European Software Testing Awards 2013 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards 2013 Best FX Trading Platform - ECN/MTF - WSL Institutional Trading Awards 2013 Best Executing Venue - Forex Magnates Awards 2011 Best Trading System - Financial Sector Technology Awards 2011 Innovative Programming Framework - Oracle Duke's Choice Awards --- FX and CFDs are leveraged products that can result in losses exceeding your deposit. They are not suitable for everyone so please ensure you fully understand the risks involved. This message and its attachments are confidential, may not be disclosed or used by any person other than the addressee and are intended only for the named recipient(s). This message is not intended for any recipient(s) who based on their nationality, place of business, domicile or for any other reason, is/are subject to local laws or regulations which prohibit the provision of such products and services. This message is subject to the terms at http://www.lmax.com/pdf/general-disclaimers.pdf however if you cannot access these, please notify us by replying to this email and we will send you the terms. If you are not the intended recipient, please notify the sender immediately and delete any copies of this message. LMAX Exchange is the trading name of LMAX Limited. LMAX Limited operates a multilateral trading facility. LMAX Limited is authorised and regulated by the Financial Conduct Authority (firm registration number 509778) and is a company registered in England and Wales (number 6505809). LMAX Hong Kong Limited is a wholly-owned subsidiary of LMAX Limited. LMAX Hong Kong is licensed by the Securities and Futures Commission in Hong Kong to conduct Type 3 (leveraged foreign exchange trading) regulated activity with CE Number BDV088.