Hello, This is great information. I have been using tbdsam as a backend and I have been unable to get the pdbedit -P "bad lockout attempt" -C XXX to be enforced. When I set the attribute it seems that I can try to login as many times as I want. Any help out there?
> Hi, > > Samba-3 with LDAP backend is capable in this. I'm using it and it works. > All you have to do, is to use LDAP and set proper account policies: > > $ pdbedit -P "bad lockout attempt" -C 5 > (after 5 wrong password, user account will be locked out - samba sets > password hashes to ***NOPASSWORD*** and user is unable to logon). > > $ pdbedit -P "min password length" -C 9 > > # password age 90 days > $ pdbedit -P "maximum password age" -C 7776000 > Samba takes age in seconds, so 60*60*24*90, is what you need. > Remember, that the user has to change his/her password from workstation > once, then policy takes effect. Another way is to manually change users > "sambaPwdMustChange" value to "0", so user is forced to change password on > next logon. After password change, new "sambaPwdMustChange" will be set, > with timestamp 90 days forward. > > $ pdbedit -P "password history" -C 3 > Doesn't work. Andrew said, it isn't implemented yet. Samba doesn't store > password history... I don't know how it should be done, but it would be > very > nice to have it. > > regards, > > Rauno Tuul > >> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote: >> >> > Recently we were audited and as part of that they looked at >> our systems >> > and policies etc and produced a report. >> > >> > As part of that report they mentioned about forcing users to change >> > thier >> > passwords every 90 days or so. >> > They also mentioned about disabling accounts after 3 login attempts. >> > >> > Im pretty sure both can be done on NT, but id rather stick >> with rh and >> > samba thanks ever so much. >> > Can samba does these things? even if its a tinkering kind of job? > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
