[Samba] Samba 3.2.4 not locking accounts?
Victor Medina
victor.medina at bws.com.ve
Wed Nov 5 17:25:08 GMT 2008
Yep! I saw your post while googling for the problem, just before
posting.
Thanks!
Victor Medina
On Wed, 05-11-2008 at 17:01 +0000, David Markey wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=5825
>
>
>
> I raised this bug a while ago experiencing what you are. Nobody seems to
> have done much about it.
>
>
>
>
> Victor Medina wrote:
> > Hello guys!
> >
> > I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3.
> >
> > I am building a PDC with LDAP support (i am attaching my config files),
> > I'm also using ldapsam:trusted and ldapsam:editposix.
> >
> > Although I am setting the account lock after 3 failed tries in usrmgr,
> > and verified that the parameters are actually set in the LDAP, no
> > locking occurs.
> >
> > I started thinking that it was my fault, since i generate my own ldif
> > from a small app i created that reads a Windows AD and creates/fills an
> > OpenLDAP with the relevant info that Linux (posix account information)
> > and Samba needs, just like my "own" "net vampire", just that mine reads
> > a native AD and migrates to Samba, it just defaults passwords to 1-8.
> >
> > cool! eh? ;)
> >
> > Since everything seemed to work OK except for the account locking, I
> > rebuilt the server from scratch using "net sam provision" and created
> > an extra account, joined a machine, but still it seems account locking
> > is not working on samba 3.2.4.
> >
> > any ideas/suggestions are welcome?
> >
> > Victor Medina
> >
> >
> >
> > **************
> > Some relevant steps i did to set it up
> > **************
> >
> >
> > smbpasswd -w 12345678
> > net idmap secret DEFAULT 12345678
> > net idmap secret alloc 12345678
> > rcwinbind restart
> > net sam provision
> > smbpasswd administrator
> > net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege \
> >   SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege \
> >   SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
> >
> > rcsmb start && rcnmb start && rcwinbind start
> >
> >
> >
> >
> > ***********************************
> > SMB.conf (global)
> > ***********************************
> >
> > [global]
> > workgroup = C1.VE
> > netbios name = PDC-EPA1
> > security = user
> > guest account = Invitado
> > map to guest = Bad User
> > enable privileges = yes
> > server string =
> > time server = yes
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > domain logons = yes
> > domain master = yes
> > os level = 65
> > preferred master = yes
> > wins support = yes
> > deadtime = 20
> > dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> > encrypt passwords = yes
> > passdb backend = ldapsam:ldap://127.0.0.1
> > ldap admin dn = cn=Administrador,dc=xxxx
> > ldap suffix = dc=c1,c=ve,dc=xxx
> > ldap user suffix = ou=people
> > ldap group suffix = ou=group
> > ldap machine suffix = ou=people
> > ldap delete dn = yes
> > ldap passwd sync = yes
> >
> >
> > ldapsam:trusted = yes
> > ldapsam:editposix = yes
> >
> > idmap domains = DEFAULT
> > idmap config DEFAULT:backend = ldap
> > idmap config DEFAULT:readonly = no
> > idmap config DEFAULT:default = yes
> > idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
> > idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
> > idmap config DEFAULT:ldap_url = ldap://127.0.0.1
> > idmap config DEFAULT:range = 10000-100000
> >
> > idmap alloc backend = ldap
> > idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
> > idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
> > idmap alloc config:ldap_url = ldap://127.0.0.1
> > idmap alloc config:range = 10000-100000
> >
> >
> >
> >
> > printing = cups
> > printcap name = cups
> > show add printer wizard = yes
> > load printers = yes
> >
> >
> > create mask = 0640
> > directory mask = 0750
> > force create mode = 0640
> > force directory mode = 0750
> > preserve case = yes
> > short preserve case = yes
> > case sensitive = no
> > mangling method = hash2
> > Dos charset = 850
> > Unix charset = ISO8859-1
> > nt acl support = yes
> >
> >
> >
> >
> >
> >
> > ***********************
> > slapd.conf
> > ***********************
> >
> > modulepath /usr/lib/openldap/modules
> > include /etc/openldap/schema/core.schema
> > include /etc/openldap/schema/cosine.schema
> > include /etc/openldap/schema/inetorgperson.schema
> > include /etc/openldap/schema/nis.schema
> > include /etc/openldap/schema/samba3.schema
> >
> > pidfile /var/run/slapd/slapd.pid
> > argsfile /var/run/slapd/slapd.args
> >
> > access to dn.base=""
> > by * read
> >
> > access to dn.base="cn=Subschema"
> > by * read
> >
> > access to attrs=userPassword,userPKCS12
> > by self write
> > by * auth
> >
> > access to attrs=shadowLastChange
> > by self write
> > by * read
> >
> > access to *
> > by * read
> >
> > loglevel -1
> >
> > database bdb
> > suffix "dc=xxx"
> > rootdn "cn=Administrador,dc=xxx"
> > rootpw "{SSHA}xxx"
> > directory /var/lib/ldap/
> >
> > checkpoint 1024 5
> > cachesize 10000
> >
> >
> > index objectClass,uidNumber,gidNumber,memberUid eq
> > index member,mail eq,pres
> > index cn,displayname,uid,sn,givenname sub,eq,pres
> > index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> > index default sub
> >
> >
> >
> >
> >
> > *****************************
> > LDIF:
> > *****************************
> > # This file was generated on 2008-11-05 at 11:20:00
> > # from the ldap://172.16.152.200:389 (bound as
> > cn=Administrador,dc=xxxx)
> > # by Softerra LDAP Administrator v3
> > [ http://www.ldapadministrator.com ]
> > dn: c=ve,dc=xxxx
> > c: ve
> > objectClass: top
> > objectClass: country
> > description: Infraestructura Tecnologica - Venezuela
> >
> > dn: dc=c1,c=ve,dc=xxxx
> > dc: c1
> > objectClass: dcObject
> > objectClass: organizationalUnit
> > ou: Tienda 1 / Oficina Central xxxx / Venezuela
> > description: xxxx / Oficina Central EPA / Venezuela
> >
> > dn: ou=people,dc=c1,c=ve,dc=xxxx
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: people
> >
> > dn: ou=group,dc=c1,c=ve,dc=xxxx
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: group
> >
> > dn: ou=idmap,dc=c1,c=ve,dc=xxxx
> > objectClass: top
> > objectClass: organizationalUnit
> > objectClass: sambaUnixIdPool
> > ou: idmap
> > gidNumber: 10016
> > uidNumber: 10004
> >
> > dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
> > sambaDomainName: C1.VE
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> > sambaNextUserRid: 1000
> > sambaRefuseMachinePwdChange: 0
> > sambaNextRid: 1002
> > sambaLockoutDuration: -1
> > sambaLockoutObservationWindow: 30
> > sambaLockoutThreshold: 3
> > sambaMinPwdLength: 5
> > sambaPwdHistoryLength: 5
> > sambaLogonToChgPwd: 0
> > sambaMaxPwdAge: 7776000
> > sambaMinPwdAge: 0
> > sambaForceLogoff: -1
> >
> > dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: domusers
> > displayName: Domain Users
> > gidNumber: 10000
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
> > sambaGroupType: 2
> >
> > dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: domadmins
> > displayName: Domain Admins
> > gidNumber: 10001
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
> > sambaGroupType: 2
> >
> > dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: sambaSamAccount
> > uid: Administrator
> > cn: Administrator
> > displayName: Administrator
> > uidNumber: 10000
> > gidNumber: 10001
> > homeDirectory: /home/C1.VE/Administrator
> > loginShell: /bin/false
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
> > sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> > sambaPasswordHistory:
> > 0000000000000000000000000000000000000000000000000000000000000000
> > sambaPwdLastSet: 1225815211
> > sambaAcctFlags: [U ]
> > userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
> > sambaProfilePath::
> > IA==
> >
> > dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: sambaSamAccount
> > uid: Invitado
> > cn: Invitado
> > displayName: Invitado
> > uidNumber: 10001
> > gidNumber: 10000
> > homeDirectory: /
> > loginShell: /bin/false
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
> > sambaAcctFlags: [DU ]
> >
> > dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
> > objectClass: sambaSidEntry
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-32-544
> > sambaGroupType: 4
> > displayName: Administrators
> > gidNumber: 10002
> > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512
> >
> > dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
> > objectClass: sambaSidEntry
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-32-545
> > sambaGroupType: 4
> > displayName: Users
> > gidNumber: 10003
> > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513
> >
> > dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
> > uid: FERRETER-PRUQ3Z$
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
> > sambaAcctFlags: [W ]
> > objectClass: sambaSamAccount
> > objectClass: account
> > objectClass: posixAccount
> > cn: FERRETER-PRUQ3Z$
> > uidNumber: 10002
> > gidNumber: 10000
> > homeDirectory: /home/C1.VE/SMB_workstations_home
> > loginShell: /bin/false
> > sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
> > sambaPwdLastSet: 1225815330
> >
> > dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
> > uid: test001
> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
> > objectClass: sambaSamAccount
> > objectClass: account
> > objectClass: posixAccount
> > cn: test001
> > uidNumber: 10003
> > gidNumber: 10000
> > homeDirectory: /home/C1.VE/test001
> > loginShell: /bin/false
> > sambaKickoffTime: 0
> > sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
> > sambaPasswordHistory:
> > B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
> >
> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
> >
> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
> >
> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
> > 0000000000000000
> > sambaPwdLastSet: 1225815887
> > userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
> > sambaProfilePath::
> > IA==
> > sambaAcctFlags: [U ]
> > sambaBadPasswordTime: 0
> > sambaBadPasswordCount: 0
> >
> >
> >
> >
> >
>
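Added example (not part of the original thread and not Samba code): a small check an administrator could run over an LDIF export to see whether the lockout policy discussed above is actually being enforced. It reads sambaLockoutThreshold from the sambaDomain entry and reports accounts whose sambaBadPasswordCount has reached it while sambaAcctFlags still lacks the "L" (auto-locked) flag. The sample entries, DNs and function names are constructed for illustration.

```python
# Constructed sample export; attribute names follow samba3.schema.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaLockoutThreshold: 3

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 5

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: carol
sambaAcctFlags: [UL         ]
sambaBadPasswordCount: 3
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; folds LDIF continuation lines."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            last, _, val = line.partition(":")
            cur.setdefault(last, []).append(val.strip())
        elif not line.strip() and cur:
            entries.append(cur)
            cur, last = {}, None
    return entries

def audit_lockout(entries):
    """Return (threshold, uids at or over the threshold that are not flagged L)."""
    domain = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    threshold = int(domain.get("sambaLockoutThreshold", ["0"])[0])
    unlocked = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []) or threshold == 0:
            continue  # threshold 0 means lockout is off, nothing to enforce
        count = int(e.get("sambaBadPasswordCount", ["0"])[0])
        flags = e.get("sambaAcctFlags", [""])[0]
        if count >= threshold and "L" not in flags:
            unlocked.append(e["uid"][0])
    return threshold, unlocked

if __name__ == "__main__":
    print(audit_lockout(parse_ldif(SAMPLE_LDIF)))
```

A counter that stays at 0 after known failed logons will not show up here; that case means the server never records the failures, so compare sambaBadPasswordCount before and after a deliberate bad logon.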