Can you explain the samba passwordsettings
These are the samba/AD password settings for the domain. (globally)
You can also find these settings via terminal with:
samba-tool domain passwordsettings show Password informations for domain 'DC=schein,DC=ig' Password complexity: on Store plaintext passwords: off Password history length: 0 Minimum password length: 3 Minimum password age (days): 0 Maximum password age (days): 0 Account lockout duration (mins): 0 Account lockout threshold (attempts): 5 Reset account lockout after (mins): 60
Account lockout duration (mins): 1
Account lockout threshold (attempts): 5
A user account gets locked after five logon failures. After the lockout duration with 1 second the user may try again. If he then logs on successfully, the badPwdCount of his account gets reset to 0.
udm settings/sambadomain list DN: sambaDomainName=SCHEIN,cn=samba,dc=schein,dc=ig NextGroupRid: 1000 NextRid: 1000 NextUserRid: 1000 SID: S-1-5-21-2438365080-1175145288-4246282840 badLockoutAttempts: 70 disconnectTime: 13 seconds domainPasswordComplex: 1 domainPasswordStoreCleartext: 0 domainPwdProperties: 1 lockoutDuration: 8 seconds logonToChangePW: None maxPasswordAge: 30 seconds minPasswordAge: 10 seconds name: SCHEIN passwordHistory: 0 passwordLength: 3 refuseMachinePWChange: None resetCountMinutes: 6
You can have a look in this article, with explains the password concept al little bit. It is definitely worth checking out.
This is the mapping to the samba Options, and maybe a little bit more obvious.
Bad lockout attempts → sambaLockoutThreshold → Values are: 0 for never locked, or between 1 and 999
The number negative attempts a user has to type in the correct password.
Reset count minutes → sambaLockoutObservationWindow
How long will those negative password attempts be saved until the counter is reset to 0?
Lockout duration minutes →sambaLockoutDuration
How long shall accounts be locked if the password was incorrect?
Disconnect time → sambaForceLogoff
And these Options are the same ones that apply to AD
sambaForceLogoff is explained here: