[Samba] Samba 3.2.4 not locking accounts?

dmarkey at comp.dit.ie dmarkey at comp.dit.ie
Wed Nov 5 22:55:57 GMT 2008


I can confirm that 3.0.32 does lock out accounts; I'll be going back to
that until the issue is fixed in 3.2.x.



> Yep! I saw your post while googling for the problem, just before
> posting.
>
> thanks!
>
> Victor Medina
>
> On Wed, 05-11-2008 at 17:01 +0000, David Markey wrote:
>> https://bugzilla.samba.org/show_bug.cgi?id=5825
>>
>>
>>
>> I raised this bug a while ago experiencing what you are. Nobody seems to
>> have done much about it.
>>
>>
>>
>>
>> Victor Medina wrote:
>> > Hello guys!
>> >
>> > I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3.
>> >
>> > I am building a PDC with LDAP support (I am attaching my config files),
>> > I'm also using ldapsam:trusted and ldapsam:editposix.
>> >
>> > Although I am setting the account lock after 3 failed tries in usrmgr,
>> > and verified that the parameters are actually set in the LDAP, no
>> > locking occurs.
>> >
>> > I started thinking that it was my fault, since I generate my own ldif
>> > from a small app I created that reads a Windows AD and creates/fills an
>> > OpenLDAP with the relevant info that Linux (posix account information)
>> > and Samba need, just like my "own" "net vampire", just that mine reads
>> > a native AD and migrates to Samba, it just defaults passwords to 1-8.
>> >
>> > cool! eh? ;)
>> >
>> > Since everything seems to have worked OK except for the account locking, I
>> > rebuilt the server from scratch using "net sam provision" and created
>> > an extra account, joined a machine, but it still seems account locking
>> > is not working on samba 3.2.4.
>> >
>> > Any ideas/suggestions are welcome.
>> >
>> > Victor Medina
>> >
>> >
>> >
>> > **************
>> > Some relevant steps I did to set it up
>> > **************
>> >
>> >
>> > smbpasswd -w 12345678
>> > net idmap secret DEFAULT 12345678
>> > net idmap secret alloc 12345678
>> > rcwinbind restart
>> > net sam provision
>> > smbpasswd administrator
>> > net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege \
>> >   SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege \
>> >   SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
>> >
>> > rcsmb start && rcnmb start && rcwinbind start
>> >
>> >
>> >
>> >
>> > ***********************************
>> > SMB.conf (global)
>> > ***********************************
>> >
>> > [global]
>> > 	workgroup       	= C1.VE
>> > 	netbios name		= PDC-EPA1
>> > 	security		= user
>> > 	guest account 		= Invitado
>> > 	map to guest 		= Bad User
>> > 	enable privileges	= yes
>> > 	server string		=
>> > 	time server 		= yes
>> > 	socket options 		= TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> > 	domain logons 		= yes
>> > 	domain master 		= yes
>> > 	os level 		= 65
>> > 	preferred master 	= yes
>> > 	wins support 		= yes
>> > 	deadtime 		= 20
>> > 	dont descend 		= /proc,/dev,/etc,/lib,/lost+found,/initrd
>> > 	encrypt passwords 	= yes
>> > 	passdb backend		= ldapsam:ldap://127.0.0.1
>> > 	ldap admin dn		= cn=Administrador,dc=xxxx
>> > 	ldap suffix		= dc=c1,c=ve,dc=xxx
>> > 	ldap user suffix	= ou=people
>> > 	ldap group suffix	= ou=group
>> > 	ldap machine suffix	= ou=people
>> > 	ldap delete dn		= yes
>> > 	ldap passwd sync	= yes
>> >
>> >
>> > 	ldapsam:trusted		= yes
>> >         ldapsam:editposix	= yes
>> >
>> >   	idmap domains = DEFAULT
>> >   	idmap config DEFAULT:backend = ldap
>> >   	idmap config DEFAULT:readonly = no
>> >   	idmap config DEFAULT:default = yes
>> >   	idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
>> >   	idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
>> >   	idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>> >   	idmap config DEFAULT:range = 10000-100000
>> >
>> >   	idmap alloc backend = ldap
>> >   	idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
>> >   	idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
>> >   	idmap alloc config:ldap_url = ldap://127.0.0.1
>> >   	idmap alloc config:range = 10000-100000
>> >
>> >
>> >
>> >
>> > 	printing		= cups
>> > 	printcap name 		= cups
>> > 	show add printer wizard = yes
>> > 	load printers		= yes
>> >
>> >
>> > 	create mask		= 0640
>> > 	directory mask		= 0750
>> > 	force create mode	= 0640
>> > 	force directory mode	= 0750
>> > 	preserve case		= yes
>> > 	short preserve case	= yes
>> > 	case sensitive		= no
>> > 	mangling method		= hash2
>> > 	Dos charset		= 850
>> > 	Unix charset		= ISO8859-1
>> > 	nt acl support		= yes
>> >
>> >
>> >
>> >
>> >
>> >
>> > ***********************
>> > slapd.conf
>> > ***********************
>> >
>> > modulepath      /usr/lib/openldap/modules
>> > include    /etc/openldap/schema/core.schema
>> > include    /etc/openldap/schema/cosine.schema
>> > include    /etc/openldap/schema/inetorgperson.schema
>> > include    /etc/openldap/schema/nis.schema
>> > include         /etc/openldap/schema/samba3.schema
>> >
>> > pidfile		/var/run/slapd/slapd.pid
>> > argsfile	/var/run/slapd/slapd.args
>> >
>> > access to dn.base=""
>> >         by * read
>> >
>> > access to dn.base="cn=Subschema"
>> >         by * read
>> >
>> > access to attrs=userPassword,userPKCS12
>> >         by self write
>> >         by * auth
>> >
>> > access to attrs=shadowLastChange
>> >         by self write
>> >         by * read
>> >
>> > access to *
>> >         by * read
>> >
>> > loglevel -1
>> >
>> > database	bdb
>> > suffix		"dc=xxx"
>> > rootdn		"cn=Administrador,dc=xxx"
>> > rootpw		"{SSHA}xxx"
>> > directory	/var/lib/ldap/
>> >
>> > checkpoint 1024 5
>> > cachesize 10000
>> >
>> >
>> > index 	objectClass,uidNumber,gidNumber,memberUid eq
>> > index 	member,mail eq,pres
>> > index 	cn,displayname,uid,sn,givenname sub,eq,pres
>> > index 	sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
>> > index   default sub
>> >
>> >
>> >
>> >
>> >
>> > *****************************
>> > LDIF:
>> > *****************************
>> > # 	This file was generated on 2008-11-05 at 11:20:00
>> > # 	from the ldap://172.16.152.200:389 (bound as
>> > cn=Administrador,dc=xxxx)
>> > # 	by Softerra LDAP Administrator v3
>> > [ http://www.ldapadministrator.com ]
>> > dn: c=ve,dc=xxxx
>> > c: ve
>> > objectClass: top
>> > objectClass: country
>> > description: Infraestructura Tecnologica - Venezuela
>> >
>> > dn: dc=c1,c=ve,dc=xxxx
>> > dc: c1
>> > objectClass: dcObject
>> > objectClass: organizationalUnit
>> > ou: Tienda 1 / Oficina Central xxxx / Venezuela
>> > description: xxxx / Oficina Central EPA / Venezuela
>> >
>> > dn: ou=people,dc=c1,c=ve,dc=xxxx
>> > objectClass: top
>> > objectClass: organizationalUnit
>> > ou: people
>> >
>> > dn: ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: top
>> > objectClass: organizationalUnit
>> > ou: group
>> >
>> > dn: ou=idmap,dc=c1,c=ve,dc=xxxx
>> > objectClass: top
>> > objectClass: organizationalUnit
>> > objectClass: sambaUnixIdPool
>> > ou: idmap
>> > gidNumber: 10016
>> > uidNumber: 10004
>> >
>> > dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
>> > sambaDomainName: C1.VE
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870
>> > sambaAlgorithmicRidBase: 1000
>> > objectClass: sambaDomain
>> > sambaNextUserRid: 1000
>> > sambaRefuseMachinePwdChange: 0
>> > sambaNextRid: 1002
>> > sambaLockoutDuration: -1
>> > sambaLockoutObservationWindow: 30
>> > sambaLockoutThreshold: 3
>> > sambaMinPwdLength: 5
>> > sambaPwdHistoryLength: 5
>> > sambaLogonToChgPwd: 0
>> > sambaMaxPwdAge: 7776000
>> > sambaMinPwdAge: 0
>> > sambaForceLogoff: -1
>> >
>> > dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: posixGroup
>> > objectClass: sambaGroupMapping
>> > cn: domusers
>> > displayName: Domain Users
>> > gidNumber: 10000
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
>> > sambaGroupType: 2
>> >
>> > dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: posixGroup
>> > objectClass: sambaGroupMapping
>> > cn: domadmins
>> > displayName: Domain Admins
>> > gidNumber: 10001
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
>> > sambaGroupType: 2
>> >
>> > dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
>> > objectClass: account
>> > objectClass: posixAccount
>> > objectClass: sambaSamAccount
>> > uid: Administrator
>> > cn: Administrator
>> > displayName: Administrator
>> > uidNumber: 10000
>> > gidNumber: 10001
>> > homeDirectory: /home/C1.VE/Administrator
>> > loginShell: /bin/false
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
>> > sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
>> > sambaPasswordHistory:
>> > 0000000000000000000000000000000000000000000000000000000000000000
>> > sambaPwdLastSet: 1225815211
>> > sambaAcctFlags: [U          ]
>> > userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
>> > sambaProfilePath::
>> >  IA==
>> >
>> > dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
>> > objectClass: account
>> > objectClass: posixAccount
>> > objectClass: sambaSamAccount
>> > uid: Invitado
>> > cn: Invitado
>> > displayName: Invitado
>> > uidNumber: 10001
>> > gidNumber: 10000
>> > homeDirectory: /
>> > loginShell: /bin/false
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
>> > sambaAcctFlags: [DU         ]
>> >
>> > dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: sambaSidEntry
>> > objectClass: sambaGroupMapping
>> > sambaSID: S-1-5-32-544
>> > sambaGroupType: 4
>> > displayName: Administrators
>> > gidNumber: 10002
>> > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512
>> >
>> > dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
>> > objectClass: sambaSidEntry
>> > objectClass: sambaGroupMapping
>> > sambaSID: S-1-5-32-545
>> > sambaGroupType: 4
>> > displayName: Users
>> > gidNumber: 10003
>> > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513
>> >
>> > dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
>> > uid: FERRETER-PRUQ3Z$
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
>> > sambaAcctFlags: [W          ]
>> > objectClass: sambaSamAccount
>> > objectClass: account
>> > objectClass: posixAccount
>> > cn: FERRETER-PRUQ3Z$
>> > uidNumber: 10002
>> > gidNumber: 10000
>> > homeDirectory: /home/C1.VE/SMB_workstations_home
>> > loginShell: /bin/false
>> > sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
>> > sambaPwdLastSet: 1225815330
>> >
>> > dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
>> > uid: test001
>> > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
>> > objectClass: sambaSamAccount
>> > objectClass: account
>> > objectClass: posixAccount
>> > cn: test001
>> > uidNumber: 10003
>> > gidNumber: 10000
>> > homeDirectory: /home/C1.VE/test001
>> > loginShell: /bin/false
>> > sambaKickoffTime: 0
>> > sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
>> > sambaPasswordHistory:
>> > B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
>> >
>> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
>> >
>> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
>> >
>> > 0000000000000000000000000000000000000000000000000000000000000000000000000000
>> >  0000000000000000
>> > sambaPwdLastSet: 1225815887
>> > userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
>> > sambaProfilePath::
>> >  IA==
>> > sambaAcctFlags: [U          ]
>> > sambaBadPasswordTime: 0
>> > sambaBadPasswordCount: 0
>> >
>> >
>> >
>> >
>> >
>>
>
>
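The thread's complaint is that the lockout policy is present in LDAP but never applied to accounts. As an added example (not code from the thread or from Samba), here is a small Python audit that reads an LDIF export like the one posted, takes sambaLockoutThreshold from the sambaDomain entry, and lists sambaSamAccount users whose sambaBadPasswordCount has reached that threshold without the 'L' (locked-out) flag appearing in sambaAcctFlags; the LDIF it parses is constructed for the example.

```python
import re

# Constructed sample (not the poster's data): a domain with a threshold of 3,
# one user at the threshold but not flagged, one correctly locked ('L' flag).
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=test
objectClass: sambaDomain
sambaLockoutThreshold: 3

dn: uid=alice,ou=people,dc=example,dc=test
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 3

dn: uid=bob,ou=people,dc=example,dc=test
objectClass: sambaSamAccount
uid: bob
sambaAcctFlags: [UL         ]
sambaBadPasswordCount: 5
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry; folded lines joined."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")   # "attr:: base64" keeps its raw value
            current.setdefault(attr.strip(), []).append(value.lstrip(": ").rstrip())
    if current:
        entries.append(current)
    return entries


def unlocked_over_threshold(text):
    """Users whose bad-password count reached the domain threshold but whose
    sambaAcctFlags lack 'L' (Samba's auto-lockout flag). None if no policy is set."""
    entries = parse_ldif(text)
    domain = next((e for e in entries if "sambaDomain" in e.get("objectClass", [])), None)
    if domain is None or "sambaLockoutThreshold" not in domain:
        return None
    threshold = int(domain["sambaLockoutThreshold"][0])
    if threshold == 0:          # Samba treats 0 as "lockout disabled"
        return []
    return [e["uid"][0] for e in entries
            if "sambaSamAccount" in e.get("objectClass", [])
            and int(e.get("sambaBadPasswordCount", ["0"])[0]) >= threshold
            and "L" not in e.get("sambaAcctFlags", ["[]"])[0]]
```

Run it over an `ldapsearch -LLL` export of the domain after a few deliberate bad logons on a test account; a non-empty list is exactly the symptom the thread describes.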