[Samba] DO script IF User-Account got locked

Axel Werner mail at awerner.homeip.net
Fri Feb 20 09:58:57 GMT 2009

Hi and thanks fer reply.

Are u talking about completly droping LDAP Authentication and only 
rely/authenticate against samba ??
whats pam_winbindd all about ? i read its required if my samba is member 
or some native NT or ADS domain for "somehow" mapping foreign NT Users 
to some Unix users. Is it more than that ? Are there some good 
Docs/Manuals about that a normal Human (Not a C Coder) can understand ?


Am 19.02.2009 16:42, François Legal schrieb:
> If you want to prevent the user from unlocking its samba account, you can
> probably do it with ACL on your directory (only allow modification to samba
> attributes by the bind user used by samba).
> If you want to prevent the user from logging in Linux when his account is
> locked, then you could consider using pam_winbindd instead of pam_ldap
> François
> On Thu, 19 Feb 2009 13:14:48 +0100, Axel Werner <mail at awerner.homeip.net>
> wrote:
>> Hi Gurus out there!
>> Is there a Way to have Samba start a script in some way like those 
>> addnewmachine or addnewuser scripts, that kicks in whenever a samba 
>> user-account got locked down ?? (through manual lock OR more important, 
>> through a intruder detection / x failed logon attempts )
>> My Problem is that whenever a Samba Account got locked because of 
>> exceeding max. failed logon attempts the corresponding LDAP User Object 
>> is still "unlocked". So when however the user cannot log back in to 
>> samba, he is still able to log in on linux console (through pam_ldap) 
>> and reset his password or so more nasty things. So i want to make sure 
>> that if he fucks up his samba account , his LDAP account will also be 
>> disabled.
>> Some Hook for a custom script would be fine. But is there something like 
>> that ?
>> Any other Ideas how to manage that ?
>> greetings
>> Axel

More information about the samba mailing list