[Samba] Account locked and delayed user data propagation...

Marco Gaiarin gaio at sv.lnf.it
Tue Dec 3 14:40:10 UTC 2019 

Mandi! Rowland penny via samba
  In chel di` si favelave...

I came back on this, because still some glitches happen.


Yesterday I'm locked out.

'pdbedit -vL gaio' say me that account IS locked. But:

> yes, Provided you use the right attribute to search on ;-)
> Something like this will give you if/when the account was locked out:
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}'
> See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4

following the link here the code:

 user_is_locked () {

        # We folow spec, if zero, is not locked.
        local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep "^lockoutTime: " | cut -d ' ' -f 2-)
        if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then
                return 1
        fi

        # If non-zero, we take into account also the expiration time (lockoutTime is resettet at successful logon)
        local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-)
        if [ -z "${LOD}" ]; then
                LOD=0
        fi
        TMPF=$(w2u "$((${LOT} + ${LOD}))")
        if [ ${TMPF} -gt ${NOW} ]; then
                return 0
        fi

        # by default, is unlocked.
        return 1
 }

(w2u is a function that convert from windows timestamp to unix timestamp)

return '1', particulary the lockoutTime is >0, while lockoutDuration is
0, and so lockoutTime + lockoutDuration is >0 but anyway < of 'now'.


What i'm doing wrong? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list