[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Thu Dec 5 11:15:46 UTC 2019


On 05/12/2019 10:36, Rowland penny via samba wrote:
> On 05/12/2019 09:15, Andrew Bartlett via samba wrote:
>> On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote:
>>> Hello! Rowland penny via samba
>>>    on that day wrote...
>>>
>>>> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user
>>>> isn't locked out, anything else and it is, but I do not believe that you can
>>>> set it to anything else but '0' manually, only the system can do this.
>>>> This is where 'lockoutDuration' comes in, the account should be unlocked
>>>> when 'lockoutTime' + 'lockoutDuration' = NOW.
>>>> However, you want to script (presumably when someone contacts you and
>>>> screams 'I cannot log in') a way to unlock the user, the only way to do this
>>>> is to set 'lockoutTime' to '0' regardless of what it is set to now.
>>> Exactly. The function now appears as:
>>>
>>>
>>> And it finally seems to work. ;-)
>> Also have a look at the msDS-User-Account-Control-Computed attribute.
>> That will save you encoding this logic in your shell scripts, as it is
>> what Samba uses internally.
>>
>> Andrew Bartlett
>>
> It might be using it internally, but you cannot obtain it with an ldap
> search, it is system computed and as such isn't actually saved anywhere in AD.
>
> Rowland
>
>
>
OK, I take that back, you can find it by asking for it explicitly, but 
it doesn't really get you any further than just checking if 
'lockoutTime' is not set or set to '0'. It doesn't return a time, it 
returns something like '0', '8388624' or '8388608':

'0' == the account never expires

'8388608' == the account is OK

'8388624' == the account is locked

You cannot create an ldap filter using the above, you would have to 
filter the result of the ldap search.

You can create an ldap filter using 'lockoutTime':

"(&(objectClass=user)(sAMAccountName=$1)(lockoutTime>=1))"

By piping the output through grep, you can obtain the object's DN.

You can then use the DN to create an ldif to reset the user's 
'lockoutTime' to '0'.

Rowland
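The three-step procedure described in the message above (filter on 'lockoutTime', grep the DN out of the search output, write an LDIF that resets it to '0'), as an added shell example that is not part of the thread. The domain DC=example,DC=com, the user 'jdoe' and the search output are constructed so it runs offline; in practice the output would come from ldbsearch/ldapsearch and the LDIF would be fed to ldbmodify/ldapmodify.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces the three steps the
# post describes against constructed (offline) data: the lockoutTime filter,
# pulling the DN out of the search output, and writing the unlock LDIF.
# The domain DC=example,DC=com and the user 'jdoe' are made-up values.

# Step 1: the LDAP filter from the post; "$1" is the sAMAccountName.
locked_user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s)(lockoutTime>=1))' "$1"
}

# Constructed stand-in for the output of an ldbsearch/ldapsearch run.
SAMPLE_SEARCH_OUTPUT='# record 1
dn: CN=John Doe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
lockoutTime: 132204800000000000
msDS-User-Account-Control-Computed: 8388624'

# Step 2: what "piping through grep" does: keep the dn: line, strip the prefix.
dn_from_search() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p'
}

# Step 3: LDIF that resets lockoutTime to 0 for that DN (the only manual unlock).
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n' "$1"
}

# The computed attribute cannot be used in a filter, so test the value after the
# search instead: bit 0x10 (UF_LOCKOUT) is what separates 8388624 from 8388608.
computed_is_locked() {
    [ $(( $1 & 16 )) -ne 0 ]
}

# Walk through the procedure on the constructed record.
main() {
    user=jdoe
    echo "filter: $(locked_user_filter "$user")"
    dn=$(dn_from_search "$SAMPLE_SEARCH_OUTPUT")
    uac=$(printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | sed -n 's/^msDS-User-Account-Control-Computed: //p')
    if computed_is_locked "$uac"; then
        echo "locked: $dn"
        unlock_ldif "$dn"    # pipe this into ldbmodify / ldapmodify
    fi
}
main
```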