Anyone? If this is the wrong list or if no one can answer I can definitely ask a different list - just point me in the right direction?
On Jan 11, 2013, at 10:54 PM, Chris Stoneburner <200406...@panthers.greenville.edu> wrote: > First off, I apologize if this is a duplicate - I had some issues with the > first email I tried to join this list with! > > I'm currently using samba4 as an AD DC (domain and forest are both configured > with the samba-tool command to be at the 2008_R2 functional level) for both > Windows and Linux systems. I've got the default password settings set using > the "samba-tool domain passwordsettings" command and I have all the GPOs > configured as I need them for clients. However, I would like to configure > how the account lockout functions for the domain accounts. I read in the > archive for this list that there isn't currently support for server side > GPOs, so I'm not certain how to configure this, or if its even possible. > > To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has > a pre-built "zentyal-samba" package installed but from what I can tell it's > just samba4.0 (that's what it tells me when I use samba --version) > > What I've tried thus far: > 1. Use testparm -v to get a complete list of all possible smb.conf values - > didn't see much in there that looked like account lockout > 2. Manually edit the account_policy.tdb database within the samba folder > identified in the current smb.conf file with tdbtool - it looks like there > ARE settings here that might apply, but for some reason changes aren't being > reflected. For example, when I use the "samba-tool domain passwordsettings > set --min-pwd-age=5" command the account_policy.tdb key corresponding to pass > min age does NOT get updated, but I have validated that the changes DO take > immediate effect. Maybe the account_policy.tdb file is legacy and not used > when the active role is DC with a 2008_R2 functional level? The password > policy, and I'm presuming all account related policy, is clearly being stored > and enforced somewhere - I just haven't figured out what all it includes and > where it is... > > My question with respect to samba is two fold: is it even POSSIBLE to have > samba detect multiple failed login attempts to a domain account (e.g., the > default domain administrator) and "lock" the account once a certain threshold > has been reached and if so how is that configured? > > Thanks so much for any information you can provide! > -Chris Stoneburner -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
