[Samba] Account locked and delayed user data propagation...
Rowland penny
rpenny at samba.org
Wed Dec 4 17:36:07 UTC 2019
On 04/12/2019 16:36, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
> In chel di` si favelave...
>
>> If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm
>> It says:
> So, seems to me that 'Lockout-Duration' is an 'unused option'...
>
From my understanding, it is supposed to work in the way you think it
does, the account gets locked out (for whatever reason) and
'lockoutTime' gets set to the time it was locked out, but
'lockoutDuration' isn't set where you seem to think it is ;-)
You have:
    ldbsearch ${LDB_OPTS} -b "${BASEDN}" \
        "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration |
        grep "^lockoutDuration: " | cut -d ' ' -f 2-
It should be:
    ldbsearch ${LDB_OPTS} -b "${BASEDN}" \
        "(&(objectClass=domain)(lockoutDuration=*))" lockoutDuration |
        grep "^lockoutDuration: " | cut -d ' ' -f 2-
As I said, if 'lockoutTime' isn't set or it is set to '0', then the user
isn't locked out, anything else and it is, but I do not believe that you
can set it to anything else but '0' manually, only the system can do this.
This is where 'lockoutDuration' comes in, the account should be unlocked
when 'lockoutTime' + 'lockoutDuration' = NOW.
However, you want to script (presumably when someone contacts you and
screams 'I cannot log in') a way to unlock the user, the only way to do
this is to set 'lockoutTime' to '0' regardless of what it is set to now.
Rowland
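
The arithmetic described in the message above, as an added example that is not part of the original post: it takes 'lockoutTime' from the user record and 'lockoutDuration' from the domain record and reports how many seconds of lockout remain. Assumptions: both values are in 100-nanosecond units, 'lockoutTime' counts from 1601-01-01 UTC, 'lockoutDuration' is stored as a negative interval, and the LDIF snippets and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample LDIF below is constructed.
EPOCH_DIFF=11644473600   # seconds between 1601-01-01 and 1970-01-01

USER_LDIF='dn: CN=alice,CN=Users,DC=example,DC=com
lockoutTime: 132199488000000000'
DOMAIN_LDIF='dn: DC=example,DC=com
lockoutDuration: -18000000000'

# Print the first value of attribute $1 from ldbsearch-style output on stdin.
ldif_attr() {
    grep "^$1: " | cut -d ' ' -f 2- | head -n 1
}

# Convert a 100ns-since-1601 timestamp to Unix seconds.
filetime_to_unix() {
    echo $(( $1 / 10000000 - $EPOCH_DIFF ))
}

# lockout_remaining LOCKOUTTIME LOCKOUTDURATION NOW_UNIX
# Prints seconds until automatic unlock, or 0 if the account is not locked.
lockout_remaining() {
    lt=${1:-0}; ld=${2:-0}; now=$3
    # Unset or 0 lockoutTime means the user is not locked out.
    if [ "$lt" -eq 0 ]; then echo 0; return 0; fi
    # Assumed negative interval: strip the sign to get the magnitude in seconds.
    dur=$(( ${ld#-} / 10000000 ))
    rem=$(( $(filetime_to_unix "$lt") + dur - now ))
    if [ "$rem" -gt 0 ]; then echo "$rem"; else echo 0; fi
}

# remaining_from_ldif USER_LDIF DOMAIN_LDIF NOW_UNIX
# lockoutTime comes from the user object, lockoutDuration from the domain object.
remaining_from_ldif() {
    lt=$(printf '%s\n' "$1" | ldif_attr lockoutTime)
    ld=$(printf '%s\n' "$2" | ldif_attr lockoutDuration)
    lockout_remaining "$lt" "$ld" "$3"
}

# Ten minutes into a 30-minute lockout (constructed timestamps).
remaining_from_ldif "$USER_LDIF" "$DOMAIN_LDIF" 1575475800
```

In a real script the two LDIF arguments would be the output of the user and domain ldbsearch queries, and the third argument would be `$(date +%s)`.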