Dear James, Thanks for the input. Even increasing from 5 to 10, the amount of times to miss the password and lock the account (after changing, I wheeled a gpupdate / force), if you miss 3 times the account is locked. I changed smb.conf log level to 9. I tried to unlock the account using the samba-tool command line, but without success, because I can only unlock using the RSAT. I get these messages: # Samba-user tool enable erico INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 share: 9 acls: 9 locking: 9 msdfs: 9 DMAPI: 9 Registry: 9 Scavenger: 9 dns: 9 ldb: 9 tevent: 9 Processing section "[netlogon]" Processing section "[sysvol]" pm_process () returned Yes Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap open of secrets.ldb lpcfg_servicenumber: could not find ldb schema_fsmo_init: we are master [yes] updates allowed [in] schema_fsmo_init: we are master [yes] updates allowed [in] Enabled user 'erico' In "tail -f /var/log/samba/%m.log" I see these lines: [2016/08/19 15:13:27.681166, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5397(replmd_extended_replicated_objects) linked_attributes_count=0 [2016/08/19 15:13:27.681922, 6] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:759(replmd_replPropertyMetaDataCtr1_sort_and_verify) Sorting rpmd with attid exception 3 rDN=CN DN=CN=Erico Joao Santos Velter,OU=TI-INFRA,OU=domain,DC=domain,DC=local [2016/08/19 15:13:27.682003, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4694(replmd_replicated_apply_merge) [2016/08/19 15:13:27.683095, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4696(replmd_replicated_apply_merge) DRS replication modify message: dn: CN=Erico Joao Santos Velter,OU=TI-INFRA,OU=domain,DC=domain,DC=local changetype: modify replace: whenChanged whenChanged: 20160819181321.0Z - replace: uSNChanged uSNChanged: 14351 - replace: replPropertyMetaData replPropertyMetaData:: AQAAAAAAAAAeAAAAAAAAAAAAAAABAAAAO+eADAMAAAA0cRFe3a15QqY Pt3C2QPfI/zQAAAAAAAAbEAAAAAAAAAQAAAABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQA AAAAAAAbEAAAAAAAACoAAAABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAA AAAAAEAAgABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAAIAAgABAA AAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAA0AAgABAAAAO+eADAMAAAA 0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAABkBAgACAAAADZiEDAMAAAA0cRFe3a15QqYP t3C2QPfIBmIAAAAAAAAbEAAAAAAAAAEACQARAAAAUpjCDQMAAADj+0WJUrcbT71MPVMCZ7NQLSIAA AAAAAAtIgAAAAAAAAgACQAFAAAAv2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDtVIBAAAAAAAbEAAAAA AAABAACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfIADUAAAAAAAAbEAAAAAAAABkACQABAAA AO+eADAMAAAA0cRFe3a15QqYPt3C2QPfIADUAAAAAAAAbEAAAAAAAADcACQAQAAAAt2WpDQMAAABG CTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAEAACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt 3C2QPfIADUAAAAAAAAbEAAAAAAAAFoACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAA AAAAAbEAAAAAAAAF4ACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAA AAGAACQAVAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAGIACQAEAAAA 5TmEDQMAAADGBIYQJPnHTpP0rJHpn8MYrrwAAAAAAAAbEAAAAAAAAH0ACQAPAAAAt2WpDQMAAABGC TrnfBiVS4Sau+xkyjfDtFIBAAAAAAAbEAAAAAAAAJIACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3 C2QPfI/zQAAAAAAAAbEAAAAAAAAJYACQABAAAADZiEDAMAAAA0cRFe3a15QqYPt3C2QPfIBmIAAAA AAAAbEAAAAAAAAJ8ACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfIADUAAAAAAAAbEAAAAAAA AKAACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAN0ACQABAAAAO +eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAC4BCQABAAAAO+eADAMAAAA0cR Fe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAJACCQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C 2QPfI/zQAAAAAAAAbEAAAAAAAAJYCCQAjAAAAQd3HDQMAAADUBnA1JNVVRYN4On+wEF1BuSMAAAAA AAAPOAAAAAAAAA4DCQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAA KAGCQAXAAAA9wvFDQMAAADj+0WJUrcbT71MPVMCZ7NQPiwAAAAAAAA+LAAAAAAAAKsHCQABAAAAv2 WpDQMAAABGCTrnfBiVS4Sau+xkyjfDtVIBAAAAAAAbEAAAAAAAAAMAAAANAAAApnSyDQMAAABGCTr nfBiVS4Sau+xkyjfDkLgBAAAAAABxEwAAAAAAAA== - replace: lockoutTime lockoutTime: 131161040016926080 - [2016/08/19 15:13:27.687552, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5231(replmd_replicated_uptodate_modify) DRS replication uptodate modify message: dn: DC=domain,DC=local changetype: modify replace: replUpToDateVector replUpToDateVector:: AgAAAAAAAAALAAAAAAAAAMYEhhAk+cdOk/SskemfwxjtXgIAAAAAAPW0l g0DAAAAl8bFE0zNXEGg22QMX6cWu9IvAAAAAAAAAIA+1d6xnQHUBnA1JNVVRYN4On+wEF1BuSMAAA AAAAAAgD7V3rGdAQ4crjuNcRJNp8XYZYxANVMxEwAAAAAAAACAPtXesZ0BNHERXt2teUKmD7dwtkD 3yAMzBwAAAAAABUiADQMAAAB5CTJ76gkgQZ/R3EKh722VgBMAAAAAAAAAgD7V3rGdASU0K4OwPo5J hZeJgfvJkr/vEgAAAAAAAACAPtXesZ0BLNuomXXda0+AaGlWssQYqBsTAAAAAAAAAIA+1d6xnQEZJ DHD3GZdSJo5+MrbBGDCorgBAAAAAABl7p8NAwAAAMT1D+Gifk5LjnVt/upuUAYGEwAAAAAAAACAPt XesZ0BRgk653wYlUuEmrvsZMo3wyAxAwAAAAAA9Jy/DQMAAAA= - replace: repsFrom repsFrom:: AQAAAAAAAAAPAQAAAAAAAEfdxw0DAAAAR93HDQMAAAAAAAAA0AAAAD8AAAB0AAAAERE RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER ERERERERERERERERERERERERERERERERAAAAALkjAAAAAAAAAAAAAAAAAAC5IwAAAAAAAOwZCRo0s CtDqb1rc6O7bG3UBnA1JNVVRYN4On+wEF1BAAAAAAAAAAAAAAAAAAAAADsAAAAxYTA5MTllYy1iMD M0LTQzMmItYTliZC02YjczYTNiYjZjNmQuX21zZGNzLmxvamFjb3JyLmxvY2FsAA== - [2016/08/19 15:13:27.694897, 2] ../source4/dsdb/repl/replicated_objects.c:1008(dsdb_replicated_objects_commit) Replicated 1 objects (0 linked attributes) for DC=domain,DC=local [2016/08/19 15:13:27.816480, 6] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 [2016/08/19 15:13:27.816608, 4] ../source4/dsdb/repl/drepl_out_helpers.c:918(dreplsrv_update_refs_done) UpdateRefs OK for f192ce0f-92cf-4511-b1bb-71b0fbc2f39c._msdcs.domain.local DC=domain,DC=local [2016/08/19 15:13:27.816632, 4] ../source4/dsdb/repl/drepl_out_pull.c:178(dreplsrv_pending_op_callback) dreplsrv_op_pull_source(WERR_OK) for DC=domain,DC=local [2016/08/19 15:13:30.360979, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule) dreplsrv_notify_schedule(5) scheduled for: Fri Aug 19 15:13:35 2016 BRT [2016/08/19 15:13:32.271240, 5] ../source4/libcli/dgram/dgramsocket.c:65(dgm_socket_recv) Received dgram packet of length 201 from 172.16.16.137:138 [2016/08/19 15:13:32.271406, 4] ../source4/nbt_server/dgram/browse.c:70(nbtd_mailslot_browse_handler) Browse HostAnnouncement (Op 1) on 'domain<1d>' '\MAILSLOT\BROWSE' from 172.16.16.137:138 [2016/08/19 15:13:32.271453, 5] ../source4/libcli/dgram/dgramsocket.c:65(dgm_socket_recv) Received dgram packet of length 201 from 172.16.16.137:138 [2016/08/19 15:13:32.271484, 4] ../source4/nbt_server/dgram/browse.c:70(nbtd_mailslot_browse_handler) Browse HostAnnouncement (Op 1) on 'domain<1d>' '\MAILSLOT\BROWSE' from 172.16.16.137:138 [2016/08/19 15:13:35.368264, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule) dreplsrv_notify_schedule(5) scheduled for: Fri Aug 19 15:13:40 2016 BRT ________________________________> De: James Crouch > Ricardo,> I am very sure this is a bug that has a fix in the 4.5rc version of Samba. I am not having any luck finding the bug page for this though though.> You can increase the log levels to 4 (I think) or greater to see what is happening. I set my log level to 10 when I investigated this, but that generates a huge amount of info to shift > through.> From what I understand, after attempting to authenticate on a Windows workstation the workstation sends a authentication request to the Samba server. Windows then expects a certain reply > from the Samba server. If Windows does not see the reply it wants, then the workstation sends the request again. If there was a bad password entered during authentication request, then Samba would see multiple bad password attempts coming from the workstation and would lock the account out after it reaches the lockout threshold.>I wanted a lockout threshold of 3 on my systems, so I ended up setting this to 6 since it seems to increase the bad password count by 2 on average for each bad password attempt on my >systems. I have seen it increase the bad password count by up to 4 for a single bad password attempt though. >Thanks, >-James Crouch
Are you using the "samba-tool domain passwordsettings" command to set the lockout policy, or are you using group policy? -James Crouch On Aug 19, 2016 2:03 PM, "Ricardo Pardim Claus" <ricardo.claus at yahoo.com.br> wrote:> > > Dear James, > Thanks for the input. > > Even increasing from 5 to 10, the amount of times to miss the password and > lock the account (after changing, I wheeled a gpupdate / force), if you > miss 3 times the account is locked. > > I changed smb.conf log level to 9. > I tried to unlock the account using the samba-tool command line, but > without success, because I can only unlock using the RSAT. > I get these messages: > > # Samba-user tool enable erico > INFO: Current debug levels: > all: 9 > tdb: 9 > printdrivers: 9 > lanman: 9 > smb: 9 > rpc_parse: 9 > rpc_srv: 9 > rpc_cli: 9 > passdb: 9 > sam: 9 > auth: 9 > winbind: 9 > vfs: 9 > idmap: 9 > share: 9 > acls: 9 > locking: 9 > msdfs: 9 > DMAPI: 9 > Registry: 9 > Scavenger: 9 > dns: 9 > ldb: 9 > tevent: 9 > Processing section "[netlogon]" > Processing section "[sysvol]" > pm_process () returned Yes > Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap open > of secrets.ldb > lpcfg_servicenumber: could not find ldb > schema_fsmo_init: we are master [yes] updates allowed [in] > schema_fsmo_init: we are master [yes] updates allowed [in] > Enabled user 'erico' > > > In "tail -f /var/log/samba/%m.log" I see these lines: > > > [2016/08/19 15:13:27.681166, 4] ../source4/dsdb/samdb/ldb_ > modules/repl_meta_data.c:5397(replmd_extended_replicated_objects) > linked_attributes_count=0 > [2016/08/19 15:13:27.681922, 6] ../source4/dsdb/samdb/ldb_ > modules/repl_meta_data.c:759(replmd_replPropertyMetaDataCtr1_sort_ > and_verify) > Sorting rpmd with attid exception 3 rDN=CN DN=CN=Erico Joao Santos > Velter,OU=TI-INFRA,OU=domain,DC=domain,DC=local > [2016/08/19 15:13:27.682003, 4] ../source4/dsdb/samdb/ldb_ > modules/repl_meta_data.c:4694(replmd_replicated_apply_merge) > [2016/08/19 15:13:27.683095, 4] ../source4/dsdb/samdb/ldb_ > modules/repl_meta_data.c:4696(replmd_replicated_apply_merge) > DRS replication modify message: > dn: CN=Erico Joao Santos Velter,OU=TI-INFRA,OU=domain,DC=domain,DC=local > changetype: modify > replace: whenChanged > whenChanged: 20160819181321.0Z > - > replace: uSNChanged > uSNChanged: 14351 > - > replace: replPropertyMetaData > replPropertyMetaData:: AQAAAAAAAAAeAAAAAAAAAAAAAAABAA > AAO+eADAMAAAA0cRFe3a15QqY > Pt3C2QPfI/zQAAAAAAAAbEAAAAAAAAAQAAAABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI > /zQA > AAAAAAAbEAAAAAAAACoAAAABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI > /zQAAAAAAAAbEAAAA > AAAAAEAAgABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI > /zQAAAAAAAAbEAAAAAAAAAIAAgABAA > AAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAA0AAgABAAA > AO+eADAMAAAA > 0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAABkBAgACAAA > ADZiEDAMAAAA0cRFe3a15QqYP > t3C2QPfIBmIAAAAAAAAbEAAAAAAAAAEACQARAAAAUpjCDQMAAADj+ > 0WJUrcbT71MPVMCZ7NQLSIAA > AAAAAAtIgAAAAAAAAgACQAFAAAAv2WpDQMAAABGCTrnfBiVS4Sau+ > xkyjfDtVIBAAAAAAAbEAAAAA > AAABAACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI > ADUAAAAAAAAbEAAAAAAAABkACQABAAA > AO+eADAMAAAA0cRFe3a15QqYPt3C2QPfIADUAAAAAAAAbEAAAAAAAADcACQAQAA > AAt2WpDQMAAABG > CTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAEAACQABAAAAO+ > eADAMAAAA0cRFe3a15QqYPt > 3C2QPfIADUAAAAAAAAbEAAAAAAAAFoACQAQAAAAt2WpDQMAAABGCTrnfBiVS > 4Sau+xkyjfDs1IBAA > AAAAAbEAAAAAAAAF4ACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+ > xkyjfDs1IBAAAAAAAbEAAAAAA > AAGAACQAVAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAGIA > CQAEAAAA > 5TmEDQMAAADGBIYQJPnHTpP0rJHpn8MYrrwAAAAAAAAbEAAAAAAAAH0ACQAP > AAAAt2WpDQMAAABGC > TrnfBiVS4Sau+xkyjfDtFIBAAAAAAAbEAAAAAAAAJIACQABAAAAO+ > eADAMAAAA0cRFe3a15QqYPt3 > C2QPfI/zQAAAAAAAAbEAAAAAAAAJYACQABAAAADZiEDAMAAAA0cRFe3a15QqYPt3C2Q > PfIBmIAAAA > AAAAbEAAAAAAAAJ8ACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI > ADUAAAAAAAAbEAAAAAAA > AKAACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAN0A > CQABAAAAO > +eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAC4BCQABAAA > AO+eADAMAAAA0cR > Fe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAJACCQABAAA > AO+eADAMAAAA0cRFe3a15QqYPt3C > 2QPfI/zQAAAAAAAAbEAAAAAAAAJYCCQAjAAAAQd3HDQMAAADUBnA1JNVVRYN4On+ > wEF1BuSMAAAAA > AAAPOAAAAAAAAA4DCQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI > /zQAAAAAAAAbEAAAAAAAA > KAGCQAXAAAA9wvFDQMAAADj+0WJUrcbT71MPVMCZ7NQPiwAAAAAAAA > +LAAAAAAAAKsHCQABAAAAv2 > WpDQMAAABGCTrnfBiVS4Sau+xkyjfDtVIBAAAAAAAbEAAAAAAAAAMA > AAANAAAApnSyDQMAAABGCTr > nfBiVS4Sau+xkyjfDkLgBAAAAAABxEwAAAAAAAA=> - > replace: lockoutTime > lockoutTime: 131161040016926080 > - > > > [2016/08/19 15:13:27.687552, 4] ../source4/dsdb/samdb/ldb_ > modules/repl_meta_data.c:5231(replmd_replicated_uptodate_modify) > DRS replication uptodate modify message: > dn: DC=domain,DC=local > changetype: modify > replace: replUpToDateVector > replUpToDateVector:: AgAAAAAAAAALAAAAAAAAAMYEhhAk+ > cdOk/SskemfwxjtXgIAAAAAAPW0l > g0DAAAAl8bFE0zNXEGg22QMX6cWu9IvAAAAAAAAAIA+1d6xnQHUBnA1JNVVRYN4On+ > wEF1BuSMAAA > AAAAAAgD7V3rGdAQ4crjuNcRJNp8XYZYxANVMxEwAAAAAAAACAPtXesZ0BNH > ERXt2teUKmD7dwtkD > 3yAMzBwAAAAAABUiADQMAAAB5CTJ76gkgQZ/R3EKh722VgBMAAAAAAAAAgD7V3rGdA > SU0K4OwPo5J > hZeJgfvJkr/vEgAAAAAAAACAPtXesZ0BLNuomXXda0+AaGlWssQYqBsTAAAAAAAAAIA+ > 1d6xnQEZJ > DHD3GZdSJo5+MrbBGDCorgBAAAAAABl7p8NAwAAAMT1D+Gifk5LjnVt/ > upuUAYGEwAAAAAAAACAPt > XesZ0BRgk653wYlUuEmrvsZMo3wyAxAwAAAAAA9Jy/DQMAAAA> - > replace: repsFrom > repsFrom:: AQAAAAAAAAAPAQAAAAAAAEfdxw0DAAAAR93HDQMAAAAAAAAA0AAAAD8AAAB0 > AAAAERE > RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE > RERERERERERERERER > ERERERERERERERERERERERERERERERERAAAAALkjAAAAAAAAAAAAAAAAAAC5 > IwAAAAAAAOwZCRo0s > CtDqb1rc6O7bG3UBnA1JNVVRYN4On+wEF1BAAAAAAAAAAAAAAAAAAAAADsAA > AAxYTA5MTllYy1iMD > M0LTQzMmItYTliZC02YjczYTNiYjZjNmQuX21zZGNzLmxvamFjb3JyLmxvY2FsAA=> - > > > [2016/08/19 15:13:27.694897, 2] ../source4/dsdb/repl/ > replicated_objects.c:1008(dsdb_replicated_objects_commit) > Replicated 1 objects (0 linked attributes) for DC=domain,DC=local > [2016/08/19 15:13:27.816480, 6] ../librpc/rpc/dcerpc_util.c: > 173(dcerpc_pull_auth_trailer) > ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 > [2016/08/19 15:13:27.816608, 4] ../source4/dsdb/repl/drepl_ > out_helpers.c:918(dreplsrv_update_refs_done) > UpdateRefs OK for f192ce0f-92cf-4511-b1bb-71b0fbc2f39c._msdcs.domain.local > DC=domain,DC=local > [2016/08/19 15:13:27.816632, 4] ../source4/dsdb/repl/drepl_ > out_pull.c:178(dreplsrv_pending_op_callback) > dreplsrv_op_pull_source(WERR_OK) for DC=domain,DC=local > [2016/08/19 15:13:30.360979, 4] ../source4/dsdb/repl/drepl_ > notify.c:463(dreplsrv_notify_schedule) > dreplsrv_notify_schedule(5) scheduled for: Fri Aug 19 15:13:35 2016 BRT > [2016/08/19 15:13:32.271240, 5] ../source4/libcli/dgram/ > dgramsocket.c:65(dgm_socket_recv) > Received dgram packet of length 201 from 172.16.16.137:138 > [2016/08/19 15:13:32.271406, 4] ../source4/nbt_server/dgram/ > browse.c:70(nbtd_mailslot_browse_handler) > Browse HostAnnouncement (Op 1) on 'domain<1d>' '\MAILSLOT\BROWSE' from > 172.16.16.137:138 > [2016/08/19 15:13:32.271453, 5] ../source4/libcli/dgram/ > dgramsocket.c:65(dgm_socket_recv) > Received dgram packet of length 201 from 172.16.16.137:138 > [2016/08/19 15:13:32.271484, 4] ../source4/nbt_server/dgram/ > browse.c:70(nbtd_mailslot_browse_handler) > Browse HostAnnouncement (Op 1) on 'domain<1d>' '\MAILSLOT\BROWSE' from > 172.16.16.137:138 > [2016/08/19 15:13:35.368264, 4] ../source4/dsdb/repl/drepl_ > notify.c:463(dreplsrv_notify_schedule) > dreplsrv_notify_schedule(5) scheduled for: Fri Aug 19 15:13:40 2016 BRT > > > > ________________________________ > > De: James Crouch > > Ricardo, > > > I am very sure this is a bug that has a fix in the 4.5rc version of > Samba. I am not having any luck finding the bug page for this though though. > > > You can increase the log levels to 4 (I think) or greater to see what is > happening. I set my log level to 10 when I investigated this, but that > generates a huge amount of info to shift > through. > > > From what I understand, after attempting to authenticate on a Windows > workstation the workstation sends a authentication request to the Samba > server. Windows then expects a certain reply > from the Samba server. If > Windows does not see the reply it wants, then the workstation sends the > request again. If there was a bad password entered during authentication > request, then Samba would see multiple bad password attempts coming from > the workstation and would lock the account out after it reaches the lockout > threshold. > > >I wanted a lockout threshold of 3 on my systems, so I ended up setting > this to 6 since it seems to increase the bad password count by 2 on average > for each bad password attempt on my >systems. I have seen it increase the > bad password count by up to 4 for a single bad password attempt though. > >Thanks, > >-James Crouch >
James, I configured the account lockout policies by RSAT, GPEDIT.MSC. By GPEDIT.MSC I set the value = 10 attempts. Through the samba-tool, I used this command: # samba-tool domain passwordsettings set --account-lockout-threshold=11 INFO: Current debug levels: ... pm_process() returned Yes Module 'tombstone_reanimate' is disabled. Skip registration.lpcfg_servicenumber: couldn't find ldb schema_fsmo_init: we are master[yes] updates allowed[no] schema_fsmo_init: we are master[yes] updates allowed[no] Sorting rpmd with attid exception 1376281 rDN=DC DN=DC=domain,DC=local Account lockout threshold changed! All changes applied successfully! All desktops are Windows 10. ________________________________ De: James Crouch Are you using the "samba-tool domain passwordsettings" command to set the lockout policy, or are you using group policy? -James Crouch