[Samba] SERIOUS PROBLEM - Root Account Locked

Jonathan Johnson jon at sutinen.com
Wed Aug 8 20:27:42 GMT 2007


Do you have a process (like a service or scheduled task) running on a 
client machine as user 'root' with an incorrect cached password?

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
> My root account keeps getting locked out automatically. I am running 
> Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have 
> accounts set to lock after 8 unsuccessful login attempts. I zeroed 
> out the bad password count, and then in less than a few seconds the 
> account gets locked again and a pdbedit -Lv -u root yields the 
> following:
> Unix username:        root
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Wed, 01 Jan 1969 03:00:00 EST
> Password can change:  Wed, 08 Jan 1969 03:00:00 EST
> Password must change: never
> Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
> Bad password count  : 8
>
> If I enter w on the command line, it only shows that two (authorized) 
> users are logged into the server. So I'm confident that no one from 
> the outside is attempting to log in as root. Below is my conf file. If 
> I go into LDAP Account Manager and unlock the account, it will stay 
> unlocked for a few minutes (or seconds), then it is locked out again. 
> With the account lock I cannot join machines to the domain, nor change 
> domain permissions for users and groups. Any suggestions would be 
> helpful.
>
> [global]
>        unix charset = LOCALE
>        workgroup = glastendernet
>        netbios name = aster
>        server string = Glastender Domain Controller running %v
>        interfaces = eth1, lo, tun+
>        bind interfaces only = yes
>        os level = 255
>        preferred master = yes
>        local master = yes
>        domain master = yes
>        security = user
>        time server = yes
>        username map = /etc/samba/smbusers
>        wins support = yes
>        encrypt passwords = yes
>        pam password change = yes
>        name resolve order = wins bcast hosts
>        winbind nested groups = no
>        passdb backend = ldapsam:ldap://aster.glastender.com
>        ldap passwd sync = Yes
>        ldap suffix = dc=glastender,dc=com
>        ldap admin dn = cn=Manager,dc=glastender,dc=com
>        ldap ssl = no
>        ldap group suffix = ou=Groups
>        ldap user suffix = ou=People
>        ldap machine suffix = ou=People
>        ldap idmap suffix = ou=Idmap
>        idmap backend = ldap:ldap://aster.glastender.com
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        map acl inherit = yes
>        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>        #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
>        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>        #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
>        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
>        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
>        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
>        domain logons = yes
>        log file = /var/log/samba/log.%m
>        log level = 0
>        syslog = 0
>        max log size = 50
>        #smb ports = 139 445
>        smb ports = 139
>        hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
>        # User profiles and home directories
>        logon drive = U:
>        logon path = \\%L\profiles\%U
>        logon script = %U.bat
>        large readwrite = no
>        read raw = no
>        write raw = no
>        printcap name = /etc/printcap
>        load printers = no
>        printing =
>        template shell = /bin/false
>        winbind use default domain = yes
>
>
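
One way to test the suggestion above on the server, as an added example that is not part of the original thread: the posted smb.conf uses `log file = /var/log/samba/log.%m`, so each client has its own log, and counting failed `root` authentications per file points to the machine holding the stale password. It assumes `log level` is raised from the posted 0 so that smbd records failed authentications; the function names are hypothetical, and the host names and log lines in SAMPLE are constructed in the Samba 3 log style.

```python
import glob, os, re
from collections import defaultdict

# Samba 3 log records: a "[date time, level] source" header, then the message.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
                    r"FAILED with error (\S+)")

def load_logs(directory="/var/log/samba"):
    """Read every per-client log (log.%m) into {client_name: text}."""
    logs = {}
    for path in glob.glob(os.path.join(directory, "log.*")):
        with open(path, errors="replace") as fh:
            logs[os.path.basename(path)[len("log."):]] = fh.read()
    return logs

def failed_logons(logs, user="root"):
    """Return {client: [(timestamp, nt_status), ...]} for failed logons as user."""
    hits = defaultdict(list)
    for client, text in logs.items():
        stamp = None
        for line in text.splitlines():
            header = HEADER.match(line)
            if header:
                stamp = header.group(1)
                continue
            m = FAILED.search(line)
            # Compare both the name the client sent and the mapped name.
            if m and user.lower() in (m.group(1).lower(), m.group(2).lower()):
                hits[client].append((stamp, m.group(3)))
    return dict(hits)

def worst_offender(hits):
    """Client with the most failures, or None when nothing matched."""
    return max(hits, key=lambda c: len(hits[c])) if hits else None

# Constructed sample input (not taken from the poster's server).
HDR = "[2007/08/08 13:51:%02d, 2] auth/auth.c:check_ntlm_password(319)\n"
MSG = "  check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n"
SAMPLE = {
    "ws-acct01": "".join(HDR % s + MSG % ("root", "root", e) for s, e in [
        (12, "NT_STATUS_WRONG_PASSWORD"), (13, "NT_STATUS_WRONG_PASSWORD"),
        (14, "NT_STATUS_ACCOUNT_LOCKED_OUT")]),
    "ws-front02": HDR % 20 + MSG % ("jdoe", "jdoe", "NT_STATUS_WRONG_PASSWORD"),
}

if __name__ == "__main__":
    hits = failed_logons(SAMPLE)  # on a server: failed_logons(load_logs())
    for client, events in hits.items():
        print(client, len(events), events[-1])
```

The client name reported is the `%m` part of the log file name, so the machine to inspect for a service or scheduled task running as `root` is the one with the highest count.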

