[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Wed Dec 4 17:36:07 UTC 2019

On 04/12/2019 16:36, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>> If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm
>> It says:
> So, seems to me that 'Lockout-Duration' is an 'unused option'...
 From my understanding, it is supposed to work in the way you think it 
does, the account gets locked out (for whatever reason) and 
'lockoutTime' gets set to the time it was locked out, but 
'lockoutDuration' isn't set where you seem to think it is ;-)

You have:

ldbsearch ${LDB_OPTS} -b "${BASEDN}" 
"(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep 
"^lockoutDuration: " | cut -d ' ' -f 2-

It should be:

ldbsearch ${LDB_OPTS} -b "${BASEDN}" 
"(&(objectClass=domain)(lockoutDuration=*))" lockoutDuration | grep 
"^lockoutDuration: " | cut -d ' ' -f 2-

As I said, if 'lockoutTime' isn't set or it is set to '0', then the user 
isn't locked out, anything else and it is, but I do not believe that you 
can set it to anything else but '0' manually, only the system can do this.

This is where 'lockoutDuration' comes in, the account should be unlocked 
when 'lockoutTime' + 'lockoutDuration' = NOW.

However, you want to script (presumably when someone contacts you and 
screams 'I cannot log in') a way to unlock the user, the only way to do 
this is to set 'lockoutTime' to '0' regardless of what it is set to now.


More information about the samba mailing list