Find source of account lockout

One of my admin accounts got locked out and I need to figure out why. Is there a log file somewhere that would tell me the reason(s). Perhaps if it was a repeated login attempt issue then it would show me the IP address of the PC from which the attempts where made.
Thank you.


the base UCS system doesn’t lock accounts after a number of failed tries. The only account locking mechanism present is the password expiration date.

Which system/program are you talking about regarding attempted logins?


There is a setting for how many failed attempts before locking the account and for how long to lock the account for. Here is the link to how to implement that.

I believe failed attempts is the cause of the locked accounts.

Oh, I didn’t know about those settings, thanks. I stand corrected.

If something along those lines is logged, it might get logged in /var/log/samba/log.samba or /var/log/auth.log. I suggest you test this with a throwaway account and see if those log files show login attempts.

If not, you can increase Samba’s log level for authentication. Place the following in /etc/samba/local.conf (create it if it doesn’t exist, and no, I do not mean local.config.conf which might also exist but is auto-generated):

log level = 3 auth_audit:5 auth_json_audit:5 auth:10 passdb:5

Then restart Samba.

I’m very new to Univention, how do I check the current level of Samba logging?