Univention Bugzilla – Bug 37416
Samba ADDC: badPwdCount not reset directly after unlock
Last modified: 2017-04-24 13:33:53 CEST
Created attachment 6561: check_samba4_badPwdCount.sh

The attached script shows that the behaviour of the automatic password unlock in Samba AD DC is a little bit unexpected: when a bad password lockout policy has been configured, e.g. via

  samba-tool domain passwordsettings set \
    --account-lockout-duration=1 \
    --account-lockout-threshold=3

a user account gets locked after three logon failures. After the lockout duration the user may try again. If he then logs on successfully, the badPwdCount of his account gets reset to 0. This works.

The unexpected behaviour is this: if the user doesn't enter a valid password after the lockout duration has passed, then the account gets locked immediately again, after just a single failed attempt, and the account is locked again for the lockout duration. This could lead to the impression that the automatic unlock does not work at all. We should check how AD works in this situation.
The few AD documents I found until now leave room for interpretation. IMHO it would be more consistent to reset the badPwdCount to the value 1 at the first new logon failure after the lockout duration has passed.
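The two counter policies discussed in this report, as an added model that is not Samba's code or the attached script: the observed behaviour (stale badPwdCount keeps growing, so one failure after the lockout duration re-locks the account) beside the proposed reset to 1. The threshold/duration values, the timeline and the Account class are constructed; the model covers only the behaviour the report describes, not the observation window.

```python
"""Constructed model of the AD DC lockout counter behaviour described in the report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    badPwdCount: int = 0                 # AD attribute: consecutive bad-password count
    lockoutTime: Optional[float] = None  # AD attribute: when the lockout began (None = not locked)


class LockoutModel:
    """threshold/duration mirror --account-lockout-threshold and --account-lockout-duration
    (duration in seconds here). reset_after_unlock=False models what the report observed;
    True models the reset to 1 proposed in the report."""

    def __init__(self, threshold: int, duration: float, reset_after_unlock: bool):
        self.threshold = threshold
        self.duration = duration
        self.reset_after_unlock = reset_after_unlock

    def is_locked(self, acct: Account, now: float) -> bool:
        return acct.lockoutTime is not None and now < acct.lockoutTime + self.duration

    def logon(self, acct: Account, now: float, password_ok: bool) -> str:
        """Return 'ok', 'denied' (wrong password) or 'locked'."""
        if self.is_locked(acct, now):
            return "locked"                     # nothing is evaluated while locked
        lockout_expired = acct.lockoutTime is not None   # was locked, duration has passed
        if password_ok:
            acct.badPwdCount, acct.lockoutTime = 0, None  # successful logon resets the count
            return "ok"
        if lockout_expired and self.reset_after_unlock:
            acct.badPwdCount, acct.lockoutTime = 1, None  # proposed: start counting afresh
        else:
            acct.badPwdCount += 1               # observed: the stale count keeps growing
        if acct.badPwdCount >= self.threshold:
            acct.lockoutTime = now              # (re)lock the account
        return "denied"


def run_scenario(reset_after_unlock: bool) -> Tuple[List[str], int, bool]:
    """Three failures, one attempt during the 60 s lockout, then one failure after it expires.
    Returns the per-attempt results, the final badPwdCount and whether the account is locked."""
    model = LockoutModel(threshold=3, duration=60, reset_after_unlock=reset_after_unlock)
    acct = Account()
    results = [model.logon(acct, t, password_ok=False) for t in (0, 1, 2)]  # locked at t=2
    results.append(model.logon(acct, 30, password_ok=False))               # still locked
    results.append(model.logon(acct, 70, password_ok=False))               # first failure after unlock
    return results, acct.badPwdCount, model.is_locked(acct, 71)
```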