James,
I configured the account lockout policies by RSAT, GPEDIT.MSC.
By GPEDIT.MSC I set the value = 10 attempts.

Through the samba-tool, I used this command:

# samba-tool domain passwordsettings set --account-lockout-threshold=11

INFO: Current debug levels:
...
pm_process() returned Yes
Module 'tombstone_reanimate' is disabled. Skip registration.lpcfg_servicenumber:
couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
Sorting rpmd with attid exception 1376281 rDN=DC DN=DC=domain,DC=local
Account lockout threshold changed!
All changes applied successfully!

All desktops are Windows 10.
________________________________

From: James Crouch
Are you using the "samba-tool domain passwordsettings" command to set the
lockout policy, or are you using group policy?
-James Crouch

I am fairly sure Samba will ignore GP password policies, but if you set the
policies with the samba tool command, then it should adhere to it, unless
you are running across the bug I mentioned. You would see multiple
badPwdCount increases for one bad password in the logs if you are
experiencing that bug.
-James Crouch

On Aug 19, 2016 2:26 PM, "Ricardo Pardim Claus" <ricardo.claus at yahoo.com.br> wrote:
> James,
> I configured the account lockout policies by RSAT, GPEDIT.MSC.
> By GPEDIT.MSC I set the value = 10 attempts.
>
> Through the samba-tool, I used this command:
>
> # samba-tool domain passwordsettings set --account-lockout-threshold=11
>
> INFO: Current debug levels:
> ...
> pm_process() returned Yes
> Module 'tombstone_reanimate' is disabled. Skip registration.lpcfg_servicenumber:
> couldn't find ldb
> schema_fsmo_init: we are master[yes] updates allowed[no]
> schema_fsmo_init: we are master[yes] updates allowed[no]
> Sorting rpmd with attid exception 1376281 rDN=DC DN=DC=domain,DC=local
> Account lockout threshold changed!
> All changes applied successfully!
>
> All desktops are Windows 10.
> ________________________________
>
> From: James Crouch
> Are you using the "samba-tool domain passwordsettings" command to set the
> lockout policy, or are you using group policy?
> -James Crouch

On Fri, 2016-08-19 at 14:39 -0500, James Crouch via samba wrote:
> I am fairly sure Samba will ignore GP password policies, but if you set the
> policies with the samba tool command, then it should adhere to it, unless
> you are running across the bug I mentioned. You would see multiple
> badPwdCount increases for one bad password in the logs if you are
> experiencing that bug.
> -James Crouch

This describes the situation correctly.

We do wish we could honour the group policy files, but sadly the patches
have not been re-worked to a point where we can include them (it is not a
trivial task, even with the base of work from some GSoC students).

I am glad to say we finally fixed the double-counting issue with 4.5.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba