Stefan Oberwahrenbrock <oberwahrenbr...@transdata.net> wrote in news:xns9c26809018cb9oberwahrenbrocktr...@80.91.229.13:
Hello!

It turned out that, after all, there were differences in the setup of the test and production systems - I just was not aware of them at first: The test system was built by installing a plain default NT PDC. The default NT PDC installation does not make use of a "lockout after bad login attempts" policy at all - if you want to use such a policy, you have to enable and configure it. The production system was configured to use this policy with defaults (LogoutThreshold 5). During migration of both systems the settings were also correctly migrated...

Thus, with e.g. the account policy "bad lockout attempt" disabled (pdbedit), the domain-administrator does not get locked any more.

Nevertheless, Samba locking down the administrator is unexpected and unwanted - in my eyes. With NT the administrator account is not affected by the automatic locking mechanism. I think especially for users with a migration background (NT 4.0 -> Samba), it would be nice to have the same behaviour with a Samba PDC.

In our case, the problem is not that the admins do not remember the password of the domain-admin. Instead, some users have the password for the local administrator on their local PC. If they log on as local administrator and try to connect to a share on some other machine, the Samba PDC obviously tries to authenticate the password (hash) of the local-admin session against the domain-administrator account. With "bad lockout attempt" set to 5, the result is a locked-down domain-administrator account (the passwords of the local and domain administrator differ, of course!).

The only workaround I know is to disable "bad lockout attempt" completely or to set it to a relatively high value (e.g. 15). With these settings, the local-admin users trying to connect to a share do get a new window where they can provide a correct login, after Windows noticed that the first "automatic" connect attempts did not work.
Does anyone know if the special handling of the domain-administrator account is a topic for future releases of Samba? Is there someone else who sees the problem like I do? (Or am I still just too NT4.0-affected ;-))

Greetings,
Stefan
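The lockout behaviour described in the post above can be modelled as a small state machine. This is an added example, not part of the original post and not Samba's code; the account model, the plaintext password comparison, "0 means disabled", and the figure of 3 PCs making 2 automatic attempts each are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    password: str            # the model compares plaintext; a real PDC compares hashes
    builtin_admin: bool = False
    bad_count: int = 0
    locked: bool = False


def try_logon(acct, password, threshold, exempt_builtin_admin=False):
    """Return 'ok', 'bad_password' or 'locked'.

    threshold: the "bad lockout attempt" value; 0 means the policy is disabled
    (model convention). exempt_builtin_admin=True models the NT behaviour the
    post describes, where the administrator account is never auto-locked.
    """
    if acct.locked:
        return "locked"
    if password == acct.password:
        acct.bad_count = 0
        return "ok"
    acct.bad_count += 1
    exempt = exempt_builtin_admin and acct.builtin_admin
    if threshold and acct.bad_count >= threshold and not exempt:
        acct.locked = True
    return "bad_password"


def simulate(threshold, clients, auto_attempts, exempt_builtin_admin=False):
    """Several PCs logged on as local Administrator connect to a domain share.

    Each client silently retries with the local admin password (assumed count),
    then a real admin logs on with the correct domain password. Returns the
    outcome of that final, legitimate logon.
    """
    acct = Account("Administrator", "domain-secret", builtin_admin=True)
    for _ in range(clients * auto_attempts):
        try_logon(acct, "local-secret", threshold, exempt_builtin_admin)
    return try_logon(acct, "domain-secret", threshold, exempt_builtin_admin)


if __name__ == "__main__":
    for label, kwargs in [
        ("threshold 5", dict(threshold=5)),
        ("threshold 15", dict(threshold=15)),
        ("policy disabled", dict(threshold=0)),
        ("threshold 5, admin exempt", dict(threshold=5, exempt_builtin_admin=True)),
    ]:
        print(f"{label:28s} -> {simulate(clients=3, auto_attempts=2, **kwargs)}")
```

Raising the threshold or disabling the policy protects the administrator account from lockout but also loosens the limit for every other account, which is why the per-account exemption is the behaviour the post asks for.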