[Samba] Samba 3.2.4 not locking accounts?

Victor Medina victor.medina at bws.com.ve
Wed Nov 5 16:53:47 GMT 2008

Hello guys!

I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3. 

I am building a PDC with LDAP support (i am attaching my config files),
I'm also using ldapsam:trusted and ldapsam:editposix. 

Although I am setting the account lock after 3 failed tries in usrmgr,
and verified that the parameters are actually set in the LDAP, no
locking occurs.

I started thinking that it was my fault, since i generate my own ldif
from a small app i created that reads a Windows AD and creates/fills an
OpenLDAP with the relevant info that Linux (posix account information)
and Samba needs, just like my "own" "net vampire", just that mine reads
a native AD and  migrates to Samba, it just defaults passwords to 1-8.

cool! eh? ;)  

Since everything seems to  worked OK except for the account locking, i
rebuild the server from scratch using "net sam provision" and created
and extra account, joined a machine, but stills it seems account locking
is not working on samba 3.2.4.

any ideas/suggestions are welcome?

Victor Medina

Some relevant steps i did to set it up

smbpasswd -w 12345678
net idmap secret DEFAULT 12345678 
net idmap secret alloc 12345678
rcwinbind restart
net sam provision
smbpasswd administrator
net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege
SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege 
SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator

rcsmb start && rcnmb start && rcwinbind start

SMB.conf (global)

	workgroup       	= C1.VE 
	netbios name		= PDC-EPA1 
	security		= user
	guest account 		= Invitado 
	map to guest 		= Bad User
	enable privileges	= yes
	server string		=   
	time server 		= yes
	socket options 		= TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	domain logons 		= yes
	domain master 		= yes
	os level 		= 65
	preferred master 	= yes
	wins support 		= yes
	deadtime 		= 20
	dont descend 		= /proc,/dev,/etc,/lib,/lost+found,/initrd
	encrypt passwords 	= yes
	passdb backend		= ldapsam:ldap://	
	ldap admin dn		= cn=Administrador,dc=xxxx
	ldap suffix		= dc=c1,c=ve,dc=xxx
	ldap user suffix	= ou=people
	ldap group suffix	= ou=group
	ldap machine suffix	= ou=people
	ldap delete dn		= yes
	ldap passwd sync	= yes
	ldapsam:trusted		= yes
        ldapsam:editposix	= yes

  	idmap domains = DEFAULT
  	idmap config DEFAULT:backend = ldap
  	idmap config DEFAULT:readonly = no
  	idmap config DEFAULT:default = yes
  	idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
  	idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
  	idmap config DEFAULT:ldap_url = ldap://
  	idmap config DEFAULT:range = 10000-100000

  	idmap alloc backend = ldap
  	idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
  	idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
  	idmap alloc config:ldap_url = ldap://
  	idmap alloc config:range = 10000-100000


	printing		= cups
	printcap name 		= cups
	show add printer wizard = yes
	load printers		= yes

	create mask		= 0640
	directory mask		= 0750
	force create mode	= 0640
	force directory mode	= 0750
	preserve case		= yes
	short preserve case	= yes
	case sensitive		= no
	mangling method		= hash2
	Dos charset		= 850
	Unix charset		= ISO8859-1
	nt acl support		= yes


modulepath      /usr/lib/openldap/modules
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/inetorgperson.schema
include    /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba3.schema

pidfile		/var/run/slapd/slapd.pid
argsfile	/var/run/slapd/slapd.args

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read

loglevel -1 

database	bdb
suffix		"dc=xxx"
rootdn		"cn=Administrador,dc=xxx"
rootpw		"{SSHA}xxx"
directory	/var/lib/ldap/

checkpoint 1024 5
cachesize 10000

index 	objectClass,uidNumber,gidNumber,memberUid eq
index 	member,mail eq,pres
index 	cn,displayname,uid,sn,givenname sub,eq,pres
index 	sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
index   default sub

# 	This file was generated on 2008-11-05 at 11:20:00
# 	from the ldap:// (bound as
# 	by Softerra LDAP Administrator v3
[ http://www.ldapadministrator.com ]
dn: c=ve,dc=xxxx
c: ve
objectClass: top
objectClass: country
description: Infraestructura Tecnologica - Venezuela

dn: dc=c1,c=ve,dc=xxxx
dc: c1
objectClass: dcObject
objectClass: organizationalUnit
ou: Tienda 1 / Oficina Central xxxx / Venezuela
description: xxxx / Oficina Central EPA / Venezuela

dn: ou=people,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
ou: group

dn: ou=idmap,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: idmap
gidNumber: 10016
uidNumber: 10004

dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
sambaDomainName: C1.VE
sambaSID: S-1-5-21-1230964018-1252349843-1944742870
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1002
sambaLockoutDuration: -1
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 3
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: 7776000
sambaMinPwdAge: 0
sambaForceLogoff: -1

dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domusers
displayName: Domain Users
gidNumber: 10000
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
sambaGroupType: 2

dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadmins
displayName: Domain Admins
gidNumber: 10001
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
sambaGroupType: 2

dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
cn: Administrator
displayName: Administrator
uidNumber: 10000
gidNumber: 10001
homeDirectory: /home/C1.VE/Administrator
loginShell: /bin/false
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
sambaPwdLastSet: 1225815211
sambaAcctFlags: [U          ]
userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8

dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Invitado
cn: Invitado
displayName: Invitado
uidNumber: 10001
gidNumber: 10000
homeDirectory: /
loginShell: /bin/false
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
sambaAcctFlags: [DU         ]

dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
gidNumber: 10002
sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512

dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10003
sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513

dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
objectClass: account
objectClass: posixAccount
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/C1.VE/SMB_workstations_home
loginShell: /bin/false
sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
sambaPwdLastSet: 1225815330

dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
uid: test001
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
objectClass: sambaSamAccount
objectClass: account
objectClass: posixAccount
cn: test001
uidNumber: 10003
gidNumber: 10000
homeDirectory: /home/C1.VE/test001
loginShell: /bin/false
sambaKickoffTime: 0
sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8



sambaPwdLastSet: 1225815887
userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
sambaAcctFlags: [U          ]
sambaBadPasswordTime: 0
sambaBadPasswordCount: 0

More information about the samba mailing list