[Samba] Account lockout - Bad password count

Roux, Herve herve.roux at hp.com
Thu Oct 26 16:54:54 GMT 2006


Hi everyone,

I'm unable to make the account lockout work properly, and this is driving
me mad.

I am running Samba version 3.0.23c-1.fc5 as a PDC with OpenLDAP 2.3.19 on an
FC5 box (all packages from yum). I was running 3.0.21 with the same issue. I'm
also using the Idealx script to manage the LDAP.

The facts:
I am seeing very strange behavior. The domain policy has been set up with the
pdbedit tool (I even tried the export to LDAP). Accounts are created with the
Idealx script. I have tested account creation before and after the account
policy setup.

When a user enters a wrong password for the first time, the pdbedit
command reports a "Bad password count" of 1. The LDAP field is not
incremented.
After the second attempt, nothing at all is incremented. The "Bad password
count" won't be reset before a pdbedit -z <login>.

Thanks in advance for your help.

Regards
Herve


Debug 1 - first attempt


[2006/10/26 18:45:12, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user
hr
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(107) : conn_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:45:12, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base =>
[sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com], filter => [(objectclass=*)],
scope => [0]
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 9] passdb/passdb.c:pdb_update_autolock_flag(1413)
  pdb_update_autolock_flag: Account hr not autolocked, no check needed
[2006/10/26 18:45:12, 9] passdb/passdb.c:pdb_update_bad_password_count(1373)
  No bad password attempts.
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(107) : conn_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:45:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user hr to be modified has dn:
uid=hr,ou=People,dc=bcn,dc=teamlog,dc=com
[2006/10/26 18:45:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: hr
[2006/10/26 18:45:12, 3] passdb/pdb_ldap.c:init_ldap_from_sam(1212)
  updating bad password fields, policy=3, count=1, time=1161881112
[2006/10/26 18:45:12, 7] passdb/pdb_ldap.c:init_ldap_from_sam(1246)
  Updating bad password count and time in login cache
[2006/10/26 18:45:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [hr] FAILED with error
NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:45:12, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TLG] was for
this SAM.
[2006/10/26 18:45:12, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [hr] -> [hr] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:45:12, 5] auth/auth_util.c:free_user_info(1866)
  attempting to free (and zero) a user_info structure
[2006/10/26 18:45:12, 5]
rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_WRONG_PASSWORD


Debug 2 - a second attempt



[2006/10/26 18:37:30, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user
hr
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(103) : conn_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:37:30, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base =>
[sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com], filter => [(objectclass=*)],
scope => [0]
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 9] passdb/passdb.c:pdb_update_autolock_flag(1413)
  pdb_update_autolock_flag: Account hr not autolocked, no check needed
[2006/10/26 18:37:30, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base =>
[sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com], filter => [(objectclass=*)],
scope => [0]
[2006/10/26 18:37:30, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/10/26 18:37:30, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn => [sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com]
[2006/10/26 18:37:30, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/10/26 18:37:30, 0] passdb/passdb.c:pdb_update_bad_password_count(1378)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(103) : conn_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:37:30, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user hr to be modified has dn:
uid=hr,ou=People,dc=bcn,dc=teamlog,dc=com
[2006/10/26 18:37:30, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: hr
[2006/10/26 18:37:30, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [hr] FAILED with error
NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:37:30, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TLG] was for
this SAM.
[2006/10/26 18:37:30, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [hr] -> [hr] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:37:30, 5] auth/auth_util.c:free_user_info(1866)
  attempting to free (and zero) a user_info structure
[2006/10/26 18:37:30, 5]
rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_WRONG_PASSWORD



Testparm


Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Shared]"
Processing section "[Doc]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        unix charset = UTF8
        workgroup = TLG
        netbios name = TLGSRV
        server string = TLG Files Server
        password server = localhost
        passdb backend = ldapsam:ldap://127.0.0.1/
        pam password change = Yes
        username map = /etc/samba/smbusers
        password level = 8
        log level = 9
        log file = /var/log/samba/%m.log
        max log size = 500
        name resolve order = wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        add user script = /usr/sbin/smbldap-useradd -a -i -m "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon script = startup.bat
        logon path =
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=Manager,dc=bcn,dc=teamlog,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=bcn,dc=teamlog,dc=com
        ldap user suffix = ou=People
        remote announce = 10.150.1.255 10.150.4.255
        remote browse sync = 10.150.1.1 10.150.4.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        hosts allow = 10.150.1., 10.150.4., 127.

[homes]
        comment = Home Directories
        valid users = %U
        read only = No
        create mask = 0600
        directory mask = 0700
        inherit owner = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        browseable = No

[Shared]
        path = /home/shared
        read only = No
        create mask = 0666
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes

[Doc]
        path = /home/doc
        read only = No
        create mask = 0660
        directory mask = 0770
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        guest ok = Yes




pdbedit


[root at bcnprd ~]# pdbedit -Lv  hr
INFO: Current debug levels:
  all: True/9
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
doing parameter workgroup = TLG
doing parameter netbios name = TLGSRV
handle_netbios_name: set global_myname to: TLGSRV
doing parameter enable privileges = yes
doing parameter server string = TLG Files Server
doing parameter hosts allow = 10.150.1. 10.150.4. 127.
doing parameter load printers = no
doing parameter log file = /var/log/samba/%m.log
doing parameter max log size = 500
doing parameter security = user
doing parameter password server = localhost
doing parameter password level = 8
doing parameter pam password change = yes
doing parameter username map = /etc/samba/smbusers
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter remote browse sync = 10.150.1.1 10.150.4.1
doing parameter remote announce = 10.150.1.255 10.150.4.255
doing parameter local master = yes
doing parameter os level = 33
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter domain logons = yes
doing parameter logon script = startup.bat
doing parameter logon path =
doing parameter name resolve order = wins lmhosts bcast
doing parameter wins support = yes
doing parameter wins proxy = no
doing parameter dns proxy = no
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter ldap passwd sync = Yes
doing parameter passdb backend = ldapsam:ldap://127.0.0.1/
doing parameter ldap admin dn = cn=Manager,dc=bcn,dc=teamlog,dc=com
doing parameter ldap suffix = dc=bcn,dc=teamlog,dc=com
doing parameter ldap group suffix = ou=Group
doing parameter ldap user suffix = ou=People
doing parameter ldap machine suffix = ou=Computers
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -a -i -m "%u"
doing parameter ldap delete dn = Yes
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m
"%u" "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod
-x "%u" "%g"
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u"
doing parameter Dos charset = CP850
doing parameter Unix charset = UTF8
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
doing parameter template shell = /bin/false
doing parameter winbind use default domain = false
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/
(ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=TLG))]
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter =>
[(&(objectClass=sambaDomain)(sambaDomainName=TLG))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Netbios name list:-
my_netbios_names[0]="TLGSRV"
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/
(ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=TLG))]
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter =>
[(&(objectClass=sambaDomain)(sambaDomainName=TLG))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter =>
[(&(uid=hr)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: hr
Opening cache file at /var/cache/samba/login_cache.tdb
Looking up login cache for user hr
Found login cache entry: timestamp   1161796734, flags 0x23a30010, count 1,
time   1161796734
ldap time is 1161729143, cache time is 1161796734, bad time = 1161796734
Unix username:        hr
NT username:          hr
Account Flags:        [U          ]
User SID:             S-1-5-21-3454558961-4160617652-613799516-3048
smbldap_search_ext: base => [ou=Group,dc=bcn,dc=teamlog,dc=com], filter =>
[(&(objectClass=sambaGroupMapping)(gidNumber=512))], scope => [2]
init_group_from_ldap: Entry found for group: 512
lookup_global_sam_rid: looking up RID 512.
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter =>
[(&(sambaSID=S-1-5-21-3454558961-4160617652-613799516-512)(objectclass=samba
SamAccount))], scope => [2]
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-3454558961-4160617652-613799516-512] count=0
smbldap_search_ext: base => [ou=Group,dc=bcn,dc=teamlog,dc=com], filter =>
[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-3454558961-4160617652-6
13799516-512))], scope => [2]
init_group_from_ldap: Entry found for group: 512
lookup_rids: Domain Admins:2
Primary Group SID:    S-1-5-21-3454558961-4160617652-613799516-512
Full Name:            VeV
Home Directory:       \\TLGSRV\hr
HomeDir Drive:        H:
Logon Script:         startup.bat
Profile Path:
Domain:               TLG
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Fri, 20 Oct 2006 19:14:15 CEST
Password can change:  Mon, 12 Jun 2006 15:12:54 CEST
Password must change: Thu, 18 Jan 2007 18:14:15 CET
Last bad password   : Wed, 25 Oct 2006 19:18:54 CEST
Bad password count  : 1
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
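The two debug excerpts above carry the evidence a defender needs when a lockout policy looks like it is not being enforced: the first attempt logs "updating bad password fields, policy=3, count=1", then "Updating bad password count and time in login cache", then "mods is empty: nothing to update", so the counter went to login_cache.tdb and nothing was written to LDAP; the second attempt logs "cannot access LDAP when not root" and "pdb_get_account_policy failed" before the same empty modification list. The script below is an added example and is not code from the post or from Samba. It re-joins the mail-wrapped Samba 3.x debug records, pulls those indicators out, and turns them into plain findings. The sample log text is copied from the excerpts quoted in the post; the record grammar, the indicator strings and the triage heuristics are this example's own assumptions about what the messages mean.

```python
"""Triage a Samba 3.x debug log: did a failed logon persist its bad-password counter?
Added example (not from the post or from Samba). The heuristics are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Record header: "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)". The source is optional
# here because mail wrapping sometimes pushes it onto the next line (as in the quoted log).
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s*(?P<src>\S+)?$")
SRC_RE = re.compile(r"^\S+\.c:\S+\(\d+\)$")          # a source location on its own line

@dataclass
class Record:
    ts: str
    level: int
    src: str
    msg: str

def parse_records(text: str) -> list[Record]:
    """Re-assemble wrapped lines into one record per debug header."""
    records: list[Record] = []
    cur, pending_src = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Record(m["ts"], int(m["level"]), m["src"] or "", "")
            records.append(cur)
            pending_src = m["src"] is None
            continue
        if cur is None:
            continue
        if pending_src and SRC_RE.match(line):      # source location wrapped to its own line
            cur.src, pending_src = line, False
            continue
        pending_src = False
        cur.msg = (cur.msg + " " + line).strip()    # message body, possibly wrapped
    return records

@dataclass
class Finding:
    user: str | None = None
    failed_logon: bool = False
    policy: int | None = None            # lockout threshold printed by init_ldap_from_sam
    intended_count: int | None = None    # counter value smbd wanted to store
    wrote_to_login_cache: bool = False
    ldap_mods_empty: bool = False
    ldap_access_denied: bool = False
    policy_lookup_failed: bool = False

def analyze(text: str) -> Finding:
    """Scan the records for the indicators that matter for lockout bookkeeping."""
    f = Finding()
    for r in parse_records(text):
        m = re.search(r"Authentication for user \[(\w+)\] -> \[\w+\] FAILED with error (NT_STATUS_\w+)", r.msg)
        if m:
            f.user, f.failed_logon = m.group(1), m.group(2) == "NT_STATUS_WRONG_PASSWORD"
        m = re.search(r"updating bad password fields, policy=(\d+), count=(\d+)", r.msg)
        if m:
            f.policy, f.intended_count = int(m.group(1)), int(m.group(2))
        f.wrote_to_login_cache |= "bad password count and time in login cache" in r.msg
        f.ldap_mods_empty |= "mods is empty: nothing to update" in r.msg
        f.ldap_access_denied |= "cannot access LDAP when not root" in r.msg
        f.policy_lookup_failed |= "pdb_get_account_policy failed" in r.msg
    return f

def triage(f: Finding) -> list[str]:
    """Plain-language findings; the wording is this example's own reading of the messages."""
    if not f.failed_logon:
        return ["no failed logon in this excerpt"]
    who, notes = f.user or "?", []
    if f.ldap_access_denied or f.policy_lookup_failed:
        notes.append(f"{who}: lockout bookkeeping skipped, smbd could not open LDAP / read the account policy")
    if f.wrote_to_login_cache and f.ldap_mods_empty:
        notes.append(f"{who}: count {f.intended_count} kept only in login_cache.tdb (threshold {f.policy}); LDAP untouched")
    if f.intended_count is None and not f.wrote_to_login_cache:
        notes.append(f"{who}: failed logon with no bad-password counter update at all")
    return notes

# Sample input: lines copied from the two debug excerpts quoted in the post.
FIRST_ATTEMPT = """
[2006/10/26 18:45:12, 3] passdb/pdb_ldap.c:init_ldap_from_sam(1212)
  updating bad password fields, policy=3, count=1, time=1161881112
[2006/10/26 18:45:12, 7] passdb/pdb_ldap.c:init_ldap_from_sam(1246)
  Updating bad password count and time in login cache
[2006/10/26 18:45:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:45:12, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [hr] -> [hr] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:45:12, 5]
rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_WRONG_PASSWORD
"""
SECOND_ATTEMPT = """
[2006/10/26 18:37:30, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/10/26 18:37:30, 0] passdb/passdb.c:pdb_update_bad_password_count(1378)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2006/10/26 18:37:30, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:37:30, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [hr] -> [hr] FAILED with
error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for name, text in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        print(name, "->", triage(analyze(text)))
```

Run against the first excerpt it reports that the count of 1 was kept only in the login cache with LDAP untouched, which matches what pdbedit shows above ("Found login cache entry ... count 1"); against the second it reports the LDAP access and policy lookup failures and the absence of any counter update. Pointing the same parser at a full `log level = 9` capture is the quickest way to confirm whether a lockout threshold is being tracked at all before trusting it.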



