[Samba] Samba 3.2.4 not locking accounts?
dmarkey at comp.dit.ie
dmarkey at comp.dit.ie
Wed Nov 5 22:55:57 GMT 2008
I can confirm that 3.0.32 does lock out accounts, I'll be going back to
that until the issue is fixed in 3.2.x
> yeap! i saw your post while googling for the problem, just before
> posting.
>
> thanks!
>
> Victor Medina
>
> El mié, 05-11-2008 a las 17:01 +0000, David Markey escribió:
>> https://bugzilla.samba.org/show_bug.cgi?id=5825
>>
>>
>>
>> I raised this bug a while ago experiencing what you are.Nobody seems to
>> have done much about it.
>>
>>
>>
>>
>> Victor Medina wrote:
>> > Hello guys!
>> >
>> > I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3.
>> >
>> > I am building a PDC with LDAP support (i am attaching my config
>> files),
>> > I'm also using ldapsam:trusted and ldapsam:editposix.
>> >
>> > Although I am setting the account lock after 3 failed tries in usrmgr,
>> > and verified that the parameters are actually set in the LDAP, no
>> > locking occurs.
>> >
>> > I started thinking that it was my fault, since i generate my own ldif
>> > from a small app i created that reads a Windows AD and creates/fills
>> an
>> > OpenLDAP with the relevant info that Linux (posix account information)
>> > and Samba needs, just like my "own" "net vampire", just that mine
>> reads
>> > a native AD and migrates to Samba, it just defaults passwords to 1-8.
>> >
>> > cool! eh? ;)
>> >
>> > Since everything seems to worked OK except for the account locking, i
>> > rebuild the server from scratch using "net sam provision" and created
>> > and extra account, joined a machine, but stills it seems account
>> locking
>> > is not working on samba 3.2.4.
>> >
>> > any ideas/suggestions are welcome?
>> >
>> > Victor Medina
>> >
>> >
>> >
>> > **************
>> > Some relevant steps i did to set it up
>> > **************
>> >
>> >
>> > smbpasswd -w 12345678
>> > net idmap secret DEFAULT 12345678
>> > net idmap secret alloc 12345678
>> > rcwinbind restart
>> > net sam provision
>> > smbpasswd administrator
>> > net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege
>> > SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege
>> > SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
>> >
>> > rcsmb start && rcnmb start && rcwinbind start
>> >
>> >
>> >
>> >
>> > ***********************************
>> > SMB.conf (global)
>> > ***********************************
>> >
>> > [global]
>> > workgroup = C1.VE
>> > netbios name = PDC-EPA1
>> > security = user
>> > guest account = Invitado
>> > map to guest = Bad User
>> > enable privileges = yes
>> > server string =
>> > time server = yes
>> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> > domain logons = yes
>> > domain master = yes
>> > os level = 65
>> > preferred master = yes
>> > wins support = yes
>> > deadtime = 20
>> > dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>> > encrypt passwords = yes
>> > passdb backend = ldapsam:ldap://127.0.0.1
>> > ldap admin dn = cn=Administrador,dc=xxxx
>> > ldap suffix = dc=c1,c=ve,dc=xxx
>> > ldap user suffix = ou=people
>> > ldap group suffix = ou=group
>> > ldap machine suffix = ou=people
>> > ldap delete dn = yes
>> > ldap passwd sync = yes
>> >
>> >
>> > ldapsam:trusted = yes
>> > ldapsam:editposix = yes
>> >
>> > idmap domains = DEFAULT
>> > idmap config DEFAULT:backend = ldap
>> > idmap config DEFAULT:readonly = no
>> > idmap config DEFAULT:default = yes
>> > idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
>> > idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
>> > idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>> > idmap config DEFAULT:range = 10000-100000
>> >
>> > idmap alloc backend = ldap
>> > idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
>> > idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
>> > idmap alloc config:ldap_url = ldap://127.0.0.1
>> > idmap alloc config:range = 10000-100000
>> >
>> >
>> >
>> >
>> > printing = cups
>> > printcap name = cups
>> > show add printer wizard = yes
>> > load printers = yes
>> >
>> >
>> > create mask = 0640
>> > directory mask = 0750
>> > force create mode = 0640
>> > force directory mode = 0750
>> > preserve case = yes
>> > short preserve case = yes
>> > case sensitive = no
>> > mangling method = hash2
>> > Dos charset = 850
>> > Unix charset = ISO8859-1
>> > nt acl support = yes
>> >
>> >
>> >
>> >
>> >
>> >
>> > ***********************
>> > slapd.conf
>> > ***********************
>> >
>> > modulepath /usr/lib/openldap/modules
>> > include /etc/openldap/schema/core.schema
>> > include /etc/openldap/schema/cosine.schema
>> > include /etc/openldap/schema/inetorgperson.schema
>> > include /etc/openldap/schema/nis.schema
>> > include /etc/openldap/schema/samba3.schema
>> >
>> > pidfile /var/run/slapd/slapd.pid
>> > argsfile /var/run/slapd/slapd.args
>> >
>> > access to dn.base=""
>> > by * read
>> >
>> > access to dn.base="cn=Subschema"
>> > by * read
>> >
>> > access to attrs=userPassword,userPKCS12
>> > by self write
>> > by * auth
>> >
>> > access to attrs=shadowLastChange
>> > by self write
>> > by * read
>> >
>> > access to *
>> > by * read
>> >
>> > loglevel -1
>> >
>> > database bdb
>> > suffix "dc=xxx"
>> > rootdn "cn=Administrador,dc=xxx"
>> > rootpw "{SSHA}xxx"
>> > directory /var/lib/ldap/
>> >
>> > checkpoint 1024 5
>> > cachesize 10000
>> >
>> >
>> > index objectClass,uidNumber,gidNumber,memberUid eq
>> > index member,mail eq,pres
>> > index cn,displayname,uid,sn,givenname sub,eq,pres
>> > index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
>> > index default sub
>> >
>> >
>> >
>> >
>> >
>> > *****************************
>> > LDIF:
>> > *****************************
>> > # This file was generated on 2008-11-05 at 11:20:00
>> > # from the ldap://172.16.152.200:389 (bound as
>> > cn=Administrador,dc=xxxx)
>> > # by Softerra LDAP Administrator v3
>> > [ http://www.ldapadministrator.com ]
>> > dn: c=ve,dc=xxxx
>> > c: ve
>> > objectClass: top
>> > objectClass: country
>> > description: Infraestructura Tecnologica - Venezuela
>> >
>> > dn: dc=c1,c=ve,dc=xxxx
>> > dc: c1
>> > objectClass: dcObject
>> > objectClass: organizationalUnit
>> > ou: Tienda 1 / Oficina Central xxxx / Venezuela
>> > description: xxxx / Oficina Central EPA / Venezuela
>> >
>> > dn: ou=people,dc=c1,c=ve,dc=xxxx
>> > objectClass: top
>> > objectClass: organizationalUnit
>> > ou: people
>> >
>> > dn: ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: top
>> > objectClass: organizationalUnit
>> > ou: group
>> >
>> > dn: ou=idmap,dc=c1,c=ve,dc=xxxx
>> > objectClass: top
>> > objectClass: organizationalUnit
>> > objectClass: sambaUnixIdPool
>> > ou: idmap
>> > gidNumber: 10016
>> > uidNumber: 10004
>> >
>> > dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
>> > sambaDomainName: C1.VE
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870
>> > sambaAlgorithmicRidBase: 1000
>> > objectClass: sambaDomain
>> > sambaNextUserRid: 1000
>> > sambaRefuseMachinePwdChange: 0
>> > sambaNextRid: 1002
>> > sambaLockoutDuration: -1
>> > sambaLockoutObservationWindow: 30
>> > sambaLockoutThreshold: 3
>> > sambaMinPwdLength: 5
>> > sambaPwdHistoryLength: 5
>> > sambaLogonToChgPwd: 0
>> > sambaMaxPwdAge: 7776000
>> > sambaMinPwdAge: 0
>> > sambaForceLogoff: -1
>> >
>> > dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: posixGroup
>> > objectClass: sambaGroupMapping
>> > cn: domusers
>> > displayName: Domain Users
>> > gidNumber: 10000
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
>> > sambaGroupType: 2
>> >
>> > dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: posixGroup
>> > objectClass: sambaGroupMapping
>> > cn: domadmins
>> > displayName: Domain Admins
>> > gidNumber: 10001
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
>> > sambaGroupType: 2
>> >
>> > dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
>> > objectClass: account
>> > objectClass: posixAccount
>> > objectClass: sambaSamAccount
>> > uid: Administrator
>> > cn: Administrator
>> > displayName: Administrator
>> > uidNumber: 10000
>> > gidNumber: 10001
>> > homeDirectory: /home/C1.VE/Administrator
>> > loginShell: /bin/false
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
>> > sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
>> > sambaPasswordHistory:
>> > 0000000000000000000000000000000000000000000000000000000000000000
>> > sambaPwdLastSet: 1225815211
>> > sambaAcctFlags: [U ]
>> > userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
>> > sambaProfilePath::
>> > IA==
>> >
>> > dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
>> > objectClass: account
>> > objectClass: posixAccount
>> > objectClass: sambaSamAccount
>> > uid: Invitado
>> > cn: Invitado
>> > displayName: Invitado
>> > uidNumber: 10001
>> > gidNumber: 10000
>> > homeDirectory: /
>> > loginShell: /bin/false
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
>> > sambaAcctFlags: [DU ]
>> >
>> > dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: sambaSidEntry
>> > objectClass: sambaGroupMapping
>> > sambaSID: S-1-5-32-544
>> > sambaGroupType: 4
>> > displayName: Administrators
>> > gidNumber: 10002
>> > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512
>> >
>> > dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: sambaSidEntry
>> > objectClass: sambaGroupMapping
>> > sambaSID: S-1-5-32-545
>> > sambaGroupType: 4
>> > displayName: Users
>> > gidNumber: 10003
>> > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513
>> >
>> > dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
>> > uid: FERRETER-PRUQ3Z$
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
>> > sambaAcctFlags: [W ]
>> > objectClass: sambaSamAccount
>> > objectClass: account
>> > objectClass: posixAccount
>> > cn: FERRETER-PRUQ3Z$
>> > uidNumber: 10002
>> > gidNumber: 10000
>> > homeDirectory: /home/C1.VE/SMB_workstations_home
>> > loginShell: /bin/false
>> > sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
>> > sambaPwdLastSet: 1225815330
>> >
>> > dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
>> > uid: test001
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
>> > objectClass: sambaSamAccount
>> > objectClass: account
>> > objectClass: posixAccount
>> > cn: test001
>> > uidNumber: 10003
>> > gidNumber: 10000
>> > homeDirectory: /home/C1.VE/test001
>> > loginShell: /bin/false
>> > sambaKickoffTime: 0
>> > sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
>> > sambaPasswordHistory:
>> > B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
>> >
>> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
>> >
>> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
>> >
>> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
>> > 0000000000000000
>> > sambaPwdLastSet: 1225815887
>> > userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
>> > sambaProfilePath::
>> > IA==
>> > sambaAcctFlags: [U ]
>> > sambaBadPasswordTime: 0
>> > sambaBadPasswordCount: 0
>> >
>> >
>> >
>> >
>> >
>>
>
>
More information about the samba
mailing list