[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Tue Dec 3 15:16:04 UTC 2019


On 03/12/2019 14:40, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>    on that day wrote...
>
> I came back on this, because still some glitches happen.
>
>
> Yesterday I got locked out.
>
> 'pdbedit -vL gaio' tells me that the account IS locked. But:
>
>> yes, Provided you use the right attribute to search on ;-)
>> Something like this will give you if/when the account was locked out:
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}'
>> See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4
> Following the link, here is the code:
>
>   user_is_locked () {
>
>          # We follow the spec: if zero, it is not locked.
>          local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep "^lockoutTime: " | cut -d ' ' -f 2-)
>          if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then
>                  return 1
>          fi
>
>          # If non-zero, we also take the expiration time into account (lockoutTime is reset at successful logon)
>          local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-)
>          if [ -z "${LOD}" ]; then
>                  LOD=0
>          fi
>          TMPF=$(w2u "$((${LOT} + ${LOD}))")
>          if [ ${TMPF} -gt ${NOW} ]; then
>                  return 0
>          fi
>
>          # by default, it is unlocked.
>          return 1
>   }
>
> (w2u is a function that converts a Windows timestamp to a Unix timestamp)
>
> returns '1'; in particular, lockoutTime is > 0 while lockoutDuration is
> 0, so lockoutTime + lockoutDuration is > 0 but still < 'now'.
>
>
> What am I doing wrong? Thanks.
>
Do you mean apart from '$((${LOT} + ${LOD}))' should really be 
'$((LOT+LOD))' ?

I take it that you are calling the function like this: user_is_locked gaio

try it like this: res=$(user_is_locked gaio)

change all 'return' to 'echo'

Then check what "$res" is

Rowland
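As an added example (not code from this thread and not Samba's own), the lockout rule from the MS-ADTS reference split into a pure function that works on raw lockoutTime/lockoutDuration values, so it can be checked with fixed inputs, plus a wrapper that fetches those values from sam.ldb with ldbsearch. The two attributes live on different objects: lockoutTime is on the user, while lockoutDuration is on the domain object, which stores it as a negative count of 100-ns intervals. The function prints its verdict and also sets an exit status, so both `res=$(lockout_state ...)` and `if lockout_state ...` work. The names (`w2u`, `lockout_state`, `check_user`, `SAM_LDB`, `BASEDN`), the sample FILETIME values, and the choice to treat a zero or non-negatable duration as "locked until an administrator clears it" are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: AD account lockout check from lockoutTime and lockoutDuration.
# Not from the mailing-list thread; all names below are this example's own.

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_OFFSET=11644473600

# w2u FILETIME: Windows FILETIME (100-ns intervals since 1601) -> Unix seconds.
w2u() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# lockout_state LOCKOUT_TIME LOCKOUT_DURATION NOW
#   LOCKOUT_TIME      lockoutTime from the user object (FILETIME; 0 = not locked / cleared)
#   LOCKOUT_DURATION  lockoutDuration from the domain object (negative 100-ns count,
#                     e.g. -18000000000 = 30 minutes)
#   NOW               current Unix time in seconds
# Prints "unlocked", "locked" or "expired"; exit status 0 = locked, 1 = not locked.
lockout_state() {
    local lot=${1:-0} lod=${2:-0} now=$3
    if [ "$lot" -eq 0 ]; then
        echo unlocked; return 1
    fi
    # The directory stores the duration as a negative number; take its magnitude.
    # A duration of 0, or the INT64_MIN sentinel that cannot be negated, is treated
    # here (example assumption) as "locked until an administrator clears lockoutTime".
    [ "$lod" -lt 0 ] && lod=$(( -lod ))
    if [ "$lod" -le 0 ]; then
        echo locked; return 0
    fi
    local expires
    expires=$(w2u $(( lot + lod )))
    if [ "$expires" -gt "$now" ]; then
        echo locked; return 0
    fi
    echo expired; return 1
}

# check_user SAMACCOUNTNAME: read both attributes from sam.ldb on a Samba AD DC.
# Needs SAM_LDB (defaults to the usual path) and BASEDN (e.g. dc=samdom,dc=example,dc=com).
# The account name is interpolated into an LDAP filter, so only pass trusted names.
check_user() {
    local ldb=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
    local basedn=${BASEDN:?set BASEDN to the domain DN}
    local lot lod
    lot=$(ldbsearch -H "$ldb" -b "$basedn" \
          "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime \
          | awk '/^lockoutTime: /{print $2}')
    # lockoutDuration is a domain-level setting: base-scope search on the domain DN itself.
    lod=$(ldbsearch -H "$ldb" -b "$basedn" -s base '(objectClass=*)' lockoutDuration \
          | awk '/^lockoutDuration: /{print $2}')
    lockout_state "${lot:-0}" "${lod:-0}" "$(date +%s)"
}

# Constructed sample values (not taken from a real directory):
#   lockoutTime 132200000000000000 -> Unix 1575526400, lockoutDuration -18000000000 = 30 min.
# So the lock expires at Unix 1575528200.
```

Running `BASEDN='dc=samdom,dc=example,dc=com' ./lockout.sh` with `check_user gaio` appended, or just `res=$(lockout_state 132200000000000000 -18000000000 "$(date +%s)")`, gives the verdict as text and as exit status, which is the shape Rowland suggests for debugging the original function.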