Any thoughts on the quoted email below?
On Fri, Jan 11, 2013 at 10:54 PM, Chris Stoneburner <200406...@panthers.greenville.edu> wrote:

> First off, I apologize if this is a duplicate - I had some issues with the
> first email I tried to join this list with!
>
> I'm currently using samba4 as an AD DC (domain and forest are both
> configured with the samba-tool command to be at the 2008_R2 functional
> level) for both Windows and Linux systems. I've got the default password
> settings set using the "samba-tool domain passwordsettings" command and I
> have all the GPOs configured as I need them for clients. However, I would
> like to configure how the account lockout functions for the domain
> accounts. I read in the archive for this list that there isn't currently
> support for server side GPOs, so I'm not certain how to configure this, or
> if it's even possible.
>
> To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which
> has a pre-built "zentyal-samba" package installed but from what I can tell
> it's just samba4.0 (that's what it tells me when I use samba --version)
>
> What I've tried thus far:
> 1. Use testparm -v to get a complete list of all possible smb.conf values
> - didn't see much in there that looked like account lockout
> 2. Manually edit the account_policy.tdb database within the samba folder
> identified in the current smb.conf file with tdbtool - it looks like there
> ARE settings here that might apply, but for some reason changes aren't
> being reflected. For example, when I use the "samba-tool domain
> passwordsettings set --min-pwd-age=5" command the account_policy.tdb key
> corresponding to pass min age does NOT get updated, but I have validated
> that the changes DO take immediate effect. Maybe the account_policy.tdb
> file is legacy and not used when the active role is DC with a 2008_R2
> functional level? The password policy, and I'm presuming all account
> related policy, is clearly being stored and enforced somewhere - I just
> haven't figured out what all it includes and where it is...
>
> My question with respect to samba is twofold: is it even POSSIBLE to have
> samba detect multiple failed login attempts to a domain account (e.g., the
> default domain administrator) and "lock" the account once a certain
> threshold has been reached and if so how is that configured?
>
> Thanks so much for any information you can provide!
> -Chris Stoneburner