[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Fri Dec 6 12:22:12 UTC 2019


On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>
>> You cannot create an ldap filter using the above, you would have to filter
>> the result of the ldap search.
> I can confirm:
>
> 	root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
> 	# record 1
> 	dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> 	msDS-User-Account-Control-Computed: 16
> 	[...]
> 	# returned 4 records
> 	# 1 entries
> 	# 3 referrals
>
> 	root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
> 	[...]
> 	# returned 3 records
> 	# 0 entries
> 	# 3 referrals
>
> there's no bitwise operator.
>
> Anyway, I think it is better to use the msDS-User-Account-Control-Computed
> value in the script, instead of trying to replicate the behaviour.
>
>
> Thanks to all!
>
It is your script, but I personally still think it is easier to check 
'lockoutTime' (which you can filter on). If it isn't there or is set to 
'0' then the account isn't locked. If it is set to anything but '0', 
then the account is locked.

Rowland
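
Both checks discussed in this thread, applied client-side to `ldbsearch` output, as an added example that is not part of the original messages: `lockoutTime` absent or `0` is treated as not locked, and bit 16 of `msDS-User-Account-Control-Computed` is tested in the script instead of in the LDAP filter. The sample output and `example.com` names are constructed, and `parse_ldif` and `lock_report` are hypothetical helper names.

```python
UF_LOCKOUT = 0x10  # the value 16 seen in msDS-User-Account-Control-Computed

# Constructed ldbsearch-style output (example.com names are placeholders).
SAMPLE = """\
dn: CN=gaio,OU=Users,DC=example,DC=com
lockoutTime: 132200856000000000
msDS-User-Account-Control-Computed: 16

dn: CN=alice,OU=Users,DC=example,DC=com
lockoutTime: 0
msDS-User-Account-Control-Computed: 0

dn: CN=bob,OU=Some Very Long Organizational Unit Name,OU=Users,DC=exam
 ple,DC=com
msDS-User-Account-Control-Computed: 0

# Referral
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# returned 4 records
"""

def parse_ldif(text):
    """Yield {attr_lower: [values]} per entry; comments and referrals are skipped."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:      # folded continuation line
            entry[last][-1] += line[1:]
        elif not line.strip():                 # blank line ends the record
            if "dn" in entry:
                yield {k: [v.strip() for v in vs] for k, vs in entry.items()}
            entry, last = {}, None
        else:
            attr, _, raw = line.partition(":")
            last = attr.lower()
            entry.setdefault(last, []).append(raw)

def lock_report(text):
    """Map dn -> (locked per lockoutTime, locked per computed UF_LOCKOUT bit)."""
    out = {}
    for e in parse_ldif(text):
        lockout = int(e.get("lockouttime", ["0"])[0])
        computed = int(e.get("msds-user-account-control-computed", ["0"])[0])
        out[e["dn"][0]] = (lockout != 0, bool(computed & UF_LOCKOUT))
    return out
```

To use it on live data, pass the text printed by an `ldbsearch` run that requests both `lockoutTime` and `msDS-User-Account-Control-Computed` to `lock_report`.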




