[Samba] Yet another question about account locking
Kevin Taylor
groucho.64738 at hotmail.com
Mon Jan 17 07:41:33 MST 2011
Let me try asking something different.
The field 'sambaKickoffTime' in LDAP (if set to a correct time) will prevent a user from logging into a Windows system. The time format for 'pwdaccountlockedtime' is acceptable for the sambaKickoffTime field as well.
If I modify the Samba source, source3/lib/smbldap.c, and change the 'sambaKickoffTime' items to 'pwdaccountlockedtime' and rebuild, everything works the way I would like... so Samba is now looking at the same field in the LDAP server that the Linux side is. Yay.
However... does anyone know of a way to accomplish the same thing without a code recompile? Can /etc/ldap.conf nss_map_attributes work for the same thing? (I didn't get this to work, but I may not have done it right.) Or is there an obscure setting in the schema that I can use to have Samba look at the other attribute?
Thanks.
> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: monyo at monyo.com
> To: groucho.64738 at hotmail.com
> CC: samba at lists.samba.org
>
> 2011/1/14 Kevin Taylor <groucho.64738 at hotmail.com>:
>
> > I did give it a try with no luck. However, I'm not sure that the way the PAM rules I have set out would cause that to trip anyway.
> >
> > On most of our Linux machines, we'd have the system-auth looking like this (which is the default generated by system-config-authentication):
> >
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine... but in practice, once the LDAP server locks out the account, Samba is still able to read what it needs from the sambaNTPassword field, and thus approves the connection.
>
> Sorry, the auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into the account section. For example, /etc/pam.d/common-account on my lenny box:
>
> -----
> account required pam_unix.so
> account required pam_deny.so
> -----
>
> This means always FAIL at account section.
>
> Checking whether an account is disabled is usually done in the account section, I think.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>