I have recently been tasked with overseeing the administration of a small (<25 users) network that employs both Windows and Linux machines. The domain controller is a RHEL 6.4 machine running Samba 4.1.0 as an ADDC. So far, so good.
One of my tasks has been to create a policy that locks out user accounts if they enter their password incorrectly 5 times. Management insists that this functionality used to work, but hasn't for a few months. After doing some research, I see that pdbedit should be able to do what I want. Running pdbedit -P "bad logon attempts" -C 5 seems to run correctly and informs me that the value has changed to 5. However, I reboot the domain controller, try to lock out my test domain account, and it still allows me to enter as many erroneous passwords as I want and still lets me log in.
Some more googling and I chance upon samba-tool, which seems to do many of the same things that pdbedit does. Running samba-tool domain passwordsettings show shows a few password settings that I can manipulate, such as minimum password length and maximum password age, but nothing about a lockout policy. I change the maximum password age attribute from 60 to 90 days just to see if the changes manifest themselves, and they do. Logging into a Linux box prompts me to change my password in 30 more days than before I made the change. So it seems that the domain is respecting password settings from samba-tool but not pdbedit.
Now I know that both of these utilities are "pointing" at the same database. Running samba-tool user list and pdbedit -L both show the same users, and adding a user with one utility causes it to show up in the other.
I have been banging my head against a wall for 2 days trying to get this lockout policy working. I am a developer so I am not very well versed in samba and system administration in general. Can anyone point me in the right direction?
My smb.conf, in case it helps...
[global]
workgroup = LAB
realm = LAB.MY.COMPANY.NAME
# security = ads
netbios name = HOSTNAME
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
kerberos method = system keytab
name resolve order = host wins bcast
template shell = /bin/bash
dns forwarder = MY.DNS.IP.ADDRESS
log file = log.%m
log level = 1
winbind use default domain = yes
acl:search = no
client use spnego = no
passdb backend = tdbsam
idmap config * : range = 1000000-1999999
idmap config LAB : range = 100000000-199999999
idmap config LAB : default = yes
idmap config LAB : backend = rid
create mask = 0660
directory mask = 0770
force create mode = 0660
[all]
[my]
[shares]
I'm guessing you just need a newer version of samba. I run 4.5.12 and have the lockout option from samba-tool.
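As an added example that is not part of the question or the answer above: a small audit script for the lockout settings that samba-tool domain passwordsettings show reports on Samba 4.5 or newer, the version range the answer says carries the lockout options. It flags a threshold of 0 (lockout disabled, the symptom in the question) and builds the samba-tool set command that corrects it. The sample output, the domain DN, and the 30-minute lockout duration and reset window are constructed assumptions; the page only states the 5-attempt threshold.

```python
# Audit the AD DC lockout policy from 'samba-tool domain passwordsettings show'
# (Samba 4.5+ output format) and build the command that fixes any mismatch.
import re
import shutil
import subprocess

# Desired policy: 5 attempts comes from the question; the 30-minute duration
# and reset window are assumed values, not stated on the page.
DESIRED = {
    "Account lockout threshold (attempts)": 5,
    "Account lockout duration (mins)": 30,
    "Reset account lockout after (mins)": 30,
}
# The 'passwordsettings set' flag that changes each setting (Samba 4.5+).
FLAGS = {
    "Account lockout threshold (attempts)": "--account-lockout-threshold",
    "Account lockout duration (mins)": "--account-lockout-duration",
    "Reset account lockout after (mins)": "--reset-account-lockout-after",
}
# Constructed sample 'show' output for a DC where lockout is disabled.
SAMPLE_SHOW = """Password informations for domain 'DC=lab,DC=example'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

def parse_settings(text):
    """Map 'name: value' lines to a dict; integer values become ints."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.+?)\s*$", line)
        if m:
            name, value = m.group(1), m.group(2)
            settings[name] = int(value) if value.isdigit() else value
    return settings

def audit_lockout(settings):
    """Return the lockout settings whose current value differs from DESIRED."""
    return [k for k, v in DESIRED.items() if settings.get(k) != v]

def remediation_command(settings):
    """samba-tool command fixing the mismatches, or None if already compliant."""
    mismatched = audit_lockout(settings)
    if not mismatched:
        return None
    args = " ".join(f"{FLAGS[k]}={DESIRED[k]}" for k in mismatched)
    return "samba-tool domain passwordsettings set " + args

if __name__ == "__main__":
    if shutil.which("samba-tool"):  # live output when run on the DC itself
        out = subprocess.run(["samba-tool", "domain", "passwordsettings", "show"],
                             capture_output=True, text=True, check=True).stdout
    else:  # offline: fall back to the constructed sample
        out = SAMPLE_SHOW
    current = parse_settings(out)
    print("lockout mismatches:", audit_lockout(current))
    print("fix:", remediation_command(current))
```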