Samba project reports:
In Samba's SAMR server we neglect to ensure that attempted password changes will update the bad password count, nor set the lockout flags. This would allow a user unlimited attempts against the password by simply calling ChangePasswordUser2 repeatedly. This is available without any other authentication.
smbcacls can remove a file or directory ACL by mistake.