[Samba] SERIOUS PROBLEM - Root Account Locked
Jonathan Johnson
jon at sutinen.com
Wed Aug 8 20:27:42 GMT 2007
Do you have a process (like a service or scheduled task) running on a
client machine as user 'root' with an incorrect cached password?
Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Jason Baker wrote:
> My root account keeps getting locked out automatically. I am running
> Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have
> accounts set to lock after 8 unsuccessful login attempts. I zeroed
> out the bad password count, and then in less than a few seconds the
> account gets locked again and a pdbedit -Lv -u root yields the
> following:
> Unix username: root
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Wed, 01 Jan 1969 03:00:00 EST
> Password can change: Wed, 08 Jan 1969 03:00:00 EST
> Password must change: never
> Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
> Bad password count : 8
>
> If I enter w on the command line, it only shows that two (authorized)
> users are logged into the server. So I'm confident that no one from
> the outside is attempting to log in as root. Below is my conf file. If
> I go into LDAP Account Manager and unlock the account, it will stay
> unlocked for a few minutes (or seconds), then it is locked out again.
> With the account lock I cannot join machines to the domain, nor change
> domain permissions for users and groups. Any suggestions would be
> helpful.
>
> [global]
> unix charset = LOCALE
> workgroup = glastendernet
> netbios name = aster
> server string = Glastender Domain Controller running %v
> interfaces = eth1, lo, tun+
> bind interfaces only = yes
> os level = 255
> preferred master = yes
> local master = yes
> domain master = yes
> security = user
> time server = yes
> username map = /etc/samba/smbusers
> wins support = yes
> encrypt passwords = yes
> pam password change = yes
> name resolve order = wins bcast hosts
> winbind nested groups = no
> passdb backend = ldapsam:ldap://aster.glastender.com
> ldap passwd sync = Yes
> ldap suffix = dc=glastender,dc=com
> ldap admin dn = cn=Manager,dc=glastender,dc=com
> ldap ssl = no
> ldap group suffix = ou=Groups
> ldap user suffix = ou=People
> ldap machine suffix = ou=People
> ldap idmap suffix = ou=Idmap
> idmap backend = ldap:ldap://aster.glastender.com
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> map acl inherit = yes
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
> add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
> #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
> add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
> domain logons = yes
> log file = /var/log/samba/log.%m
> log level = 0
> syslog = 0
> max log size = 50
> #smb ports = 139 445
> smb ports = 139
> hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
> # User profiles and home directories
> logon drive = U:
> logon path = \\%L\profiles\%U
> logon script = %U.bat
> large readwrite = no
> read raw = no
> write raw = no
> printcap name = /etc/printcap
> load printers = no
> printing =
> template shell = /bin/false
> winbind use default domain = yes
>
>
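One way to answer the question asked in the reply above, as an added example that is not part of the original thread and not Samba's own code: because the posted config writes one log per client (`log file = /var/log/samba/log.%m`), counting failed authentications that resolve to root in each file names the machine presenting the stale password. It assumes `log level` has been raised to at least 2 (the posted config uses 0) and that smbd logs failures in the `check_ntlm_password` form shown in the sample; the sample log lines and the client names `ws-build01` and `ws-desk02` are constructed.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed smbd message format (written only at log level 2 or higher).
FAILED = re.compile(r"check_ntlm_password:\s+Authentication for user \[(?P<sent>[^\]]*)\]"
                    r" -> \[(?P<mapped>[^\]]*)\] FAILED with error (?P<status>\S+)")
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")

def failed_logons_by_client(log_dir, user="root"):
    """Map client (the %m in log.%m) -> failed logons that resolved to `user`."""
    result = defaultdict(lambda: {"count": 0, "last": None, "sent_as": set()})
    for path in sorted(Path(log_dir).glob("log.*")):
        client = path.name[len("log."):]
        ts = None
        for line in path.read_text(errors="replace").splitlines():
            header = HEADER.match(line)
            if header:  # entry header line carries the timestamp
                ts = header.group("ts")
                continue
            m = FAILED.search(line)
            # Compare the name after username-map translation: the client may
            # send e.g. "Administrator" and still hit the root account.
            if m and m.group("mapped").lower() == user.lower():
                entry = result[client]
                entry["count"] += 1
                entry["last"] = ts
                entry["sent_as"].add(m.group("sent"))
    return dict(result)

def build_sample_logs(log_dir):
    """Write constructed sample logs for two hypothetical clients."""
    fail = ("[2007/08/08 13:51:{s:02d}, 2] auth/auth.c:check_ntlm_password(319)\n"
            "  check_ntlm_password:  Authentication for user [{sent}] -> [{mapped}] "
            "FAILED with error NT_STATUS_WRONG_PASSWORD\n")
    Path(log_dir, "log.ws-build01").write_text("".join(
        fail.format(s=s, sent="Administrator", mapped="root") for s in range(7, 15)))
    Path(log_dir, "log.ws-desk02").write_text(
        fail.format(s=0, sent="alice", mapped="alice"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_logs(d)
        for client, e in failed_logons_by_client(d).items():
            print(client, e["count"], e["last"], sorted(e["sent_as"]))
```

Point `failed_logons_by_client` at `/var/log/samba` to run it against the real per-client logs.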