[Samba] LDAP logonHours problem

[Peter Molnar]

Hi!

I have a problem according to the logonHours setting in my Samba Domain.

Users are in LDAP, and everyone has a logonHours attribute, which could be:

- login is possible at any time
- login is only possible between 7AM and 12PM(mindnight), 7h-24h in 24
hours format, I'm going to use 24h format here in this post.

Samba manual states than logonHours is a 168 bit mask, starting with
Sunday 0h-1h, each bit represents an hour of the week, converted into
Hex.

Therefore:

For 'any time' login, I'm using
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" This works, users who
have this in logonHours, can log in at any time.

For logins limited to 7h-24h, I'm using:
01FFFF01FFFF01FFFF01FFFF01FFFF01FFFF01FFFF

Here comes the problem, the limited users cannot log in before 10h,
they get the error "out of login time". Samba log says the same, and
the timestamp there is correct.

Saturday in the morning, i've tried setting different logonHours
attributes on my own account, to see which one shold be 1 to let me
log in at that time (between 7h and 8h)

Surprisingly, I got this: "000000000000000000000000000000000000400000"

Well, it's 6 hours earier than I expected, but OK, let's try this
mask: "7FFFC07FFFC07FFFC07FFFC07FFFC07FFFC07FFFC0"

It worked in the morning but in the afternoon, it didn't.

What could be the problem? My calculations are bad, or timezone
problem (Hungary, central european time, UTC+1)? Can anyone please
send me a working logonHours string, or calculate the correct string
for logins 7h-24h.

Until we figure out what's wrong, can I override the LDAP logonHours
attributes from smb.conf, to allow everyone to log in, at any time?

Regards,
Peter