Univention Bugzilla – Bug 52913
Password lockout in Samba/AD doesn't set locked bit in krb5KDCFlags in OpenLDAP
Last modified: 2021-05-07 10:38:54 CEST
Password lockout in Samba/AD is currently synchronized to OpenLDAP as "L" flag in sambaAccountFlags but the locked bit (17) is not set in krb5KDCFlags. I guess this is a problem in Domains that have Samba/AD on a Primary Domain Controller but not on a Slave. Our Heimdal patch 0098-s4-badPwdCount-02-part1.quilt only checks that flag. In that case, authentication via Kerberos would probably not be locked on the DC Slave that runs a Heimdal KDC with OpenLDAP backend.
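An added audit sketch, not part of the bug report or of Univention's code: it scans an LDIF export of user entries for accounts that carry the "L" flag in the Samba flags attribute while bit 17 is clear in krb5KDCFlags, which is the inconsistency described above. Assumptions: bit 17 is counted from bit 0 (value 131072), the flags attribute appears either under the report's spelling or as sambaAcctFlags (the Samba LDAP schema name), and the sample entries are constructed.

```python
LOCKED_OUT_BIT = 1 << 17  # assumption: "bit (17)" counted from bit 0 -> 131072
# The report's spelling plus the Samba LDAP schema attribute name.
FLAG_ATTRS = ("sambaAcctFlags", "sambaAccountFlags")

# Constructed sample LDIF (hypothetical users and values).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=test
sambaAcctFlags: [U          ]
krb5KDCFlags: 126

dn: uid=bob,cn=users,dc=example,dc=test
sambaAcctFlags: [UL         ]
krb5KDCFlags: 126

dn: uid=carol,cn=users,dc=example,dc=test
sambaAcctFlags: [UL         ]
krb5KDCFlags: 131198

dn: uid=dave,cn=users,dc=example,dc=test
sambaAccountFlags: [UL         ]
"""

def parse_ldif(text):
    """Split simple LDIF into dicts (no base64 values or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key] = value
        if entry:
            entries.append(entry)
    return entries

def lockout_mismatches(entries):
    """Return DNs locked out per Samba flags but not per krb5KDCFlags."""
    result = []
    for e in entries:
        flags = next((e[a] for a in FLAG_ATTRS if a in e), "")
        # Skip accounts that are not locked or have no KDC flags at all.
        if "L" not in flags.strip("[] ") or "krb5KDCFlags" not in e:
            continue
        if not int(e["krb5KDCFlags"]) & LOCKED_OUT_BIT:
            result.append(e["dn"])
    return result

if __name__ == "__main__":
    print(lockout_mismatches(parse_ldif(SAMPLE_LDIF)))
```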