I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3) for user authentication on Linux, to 2003 Active Directory.
The password policy dictated by AD should lock accounts after 6 incorrect login attempts within a 30 minute period. However, it seems to halve that when logging in to these Linux boxes via ssh - so after 3 incorrect login attempts, the AD account gets locked. Looking in log.wb-<Domain Name> seems to show double attempts / authentication failures when submitting the login with an incorrect password (to test this). I have noted password level in smb.conf (it's not set in my smb.conf), but as I'm using encrypt passwords = yes, I thought it was irrelevant. It would appear that two submissions are being made, though, is that a Samba version thing, something I may have not got spot on with my pam configuration, or an issue with the Samba version? testparm output follows:- Load smb config files from /usr/lib/smb.conf Loaded services file OK. 'winbind separator = +' might cause problems with group membership. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = XXXXXX realm = XXXXXXXXXX server string = Linux AD authentication security = ADS auth methods = winbind, sam allow trusted domains = No obey pam restrictions = Yes use kerberos keytab = Yes server signing = auto socket options = IPTOS_LOWDELAY TCP_NODELAY load printers = No printcap cache time = 0 printcap name = /dev/null disable spoolss = Yes preferred master = No local master = No domain master = No idmap domains = XXXXXX template shell = /bin/ksh winbind separator = + winbind use default domain = Yes winbind refresh tickets = Yes idmap config XXXXXX:backend = rid idmap config XXXXXX:range = 10000-2000000 Neil ***************************************************************************** This email and its attachments are confidential to the intended recipient. If this has come to you in error, please notify the sender immediately and delete this email from your system. You must take no action based on this, nor must you copy or disclose it or any part of its contents to any person or organisation. Please note that email communications may be monitored. The registered office of Shop Direct Limited is 1st Floor, Skyways House, Speke Road, Speke, Liverpool, L70 1AB, registered number 04730752. Subsidiary companies within Shop Direct Limited include: Shop Direct Financial Services Limited (SDFS), Shop Direct Group Financial Services Limited (SDGFS) and Littlewoods Finance Company Limited (LFCo). The registered office of SDFS, SDGFS and LFCo is Aintree Innovation Centre, Park Lane, Netherton, Bootle, L30 1SL, registered numbers 04730706 (SDFS), 5200103 (SDGFS) and 04660974 (LFCo). SDFS and LFCo are authorised and regulated by the Financial Services Authority in respect of insurance mediation activities only. Shop Direct Contact Centres Limited (SDCC) and Shop Direct Home Shopping Limited (SDHS). The registered office of SDCC and SDHS is 1st Floor, Skyways House, Speke Road, Speke, Liverpool, L70 1AB, registered numbers 05330323 (SDCC), 04663281 (SDHS). All companies registered in England. ***************************************************************************** This message has been scanned for viruses by BlackSpider MailControl - www.blackspider.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba