[Samba] Account locked and delayed user data propagation...

Andrew Bartlett abartlet at samba.org
Sun Dec 8 19:40:06 UTC 2019


On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote:
> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> > Mandi! Rowland penny via samba
> >    In chel di` si favelave...
> > 
> > > You cannot create an ldap filter using the above, you would have
> > > to filter
> > > the result of the ldap search.
> > 
> > I can confirm:
> > 
> > 	root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
> > 	# record 1
> > 	dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > 	msDS-User-Account-Control-Computed: 16
> > 	[...]
> > 	# returned 4 records
> > 	# 1 entries
> > 	# 3 referrals
> > 
> > 	root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
> > 	[...]
> > 	# returned 3 records
> > 	# 0 entries
> > 	# 3 referrals
> > 
> > there's no bitwise operator.
> > 
> > Anyway, I think it is better to use the msDS-User-Account-Control-Computed
> > value in the script, instead of trying to replicate the behaviour.
> > 
> > 
> > Thanks to all!
> > 
> 
> It is your script, but I personally still think it is easier to check
> 'lockoutTime' (which you can filter on). If it isn't there or is set to
> '0' then the account isn't locked. If it is set to anything but '0',
> then the account is locked.
> 
> Rowland

The reason we strongly encourage the use of the computed attributes is
that not only do they reflect what is going on internally, but they
honour the Password Settings Objects, eg fine grained password policy.

It also avoids computing the lockout duration on the client.  The
account can be unlocked with lockoutTime set if the duration has
expired:

From construct_msds_user_account_control_computed():

		int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
		if (lockoutTime != 0) {
			int64_t lockoutDuration;

			lockoutDuration = get_user_lockout_duration(module, msg,
								    parent,
								    nc_root);

			/* zero locks out until the administrator intervenes */
			if (lockoutDuration >= 0) {
				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
			} else if (lockoutTime - lockoutDuration >= now) {
				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
			}
		}

I hope this clarifies things.  If someone has time (I'm swamped) it
would be awesome if we had this stuff in a wiki so folks don't need to
reinvent the wheel.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
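As an added illustration (not Samba's code and not part of the original thread), the Python below mirrors the UF_LOCKOUT decision from the snippet quoted in the message and contrasts it with the "non-zero lockoutTime means locked" shortcut discussed earlier. The NTTIME epoch offset and the negative lockoutDuration encoding are taken from the AD schema as assumptions; the sample timestamps and the 30-minute policy are constructed.

```python
from datetime import datetime, timezone

# NTTIME counts 100ns ticks since 1601-01-01 UTC; the Unix epoch is this many ticks later.
TICKS_PER_SECOND = 10_000_000
NTTIME_UNIX_OFFSET = 116_444_736_000_000_000
UF_LOCKOUT = 0x0010  # the "16" shown by ldbsearch in the thread

def to_nttime(dt: datetime) -> int:
    """Timezone-aware datetime (whole seconds) -> NTTIME."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + NTTIME_UNIX_OFFSET

def lockout_duration_minutes(minutes: int) -> int:
    """lockoutDuration is a negative tick interval; 0 = locked until an admin unlocks."""
    return -minutes * 60 * TICKS_PER_SECOND

def uac_computed_lockout_bits(lockout_time: int, lockout_duration: int, now: int) -> int:
    """Mirror of the UF_LOCKOUT branch quoted above: the bits Samba would
    OR into msDS-User-Account-Control-Computed."""
    bits = 0
    if lockout_time != 0:
        if lockout_duration >= 0:
            bits |= UF_LOCKOUT  # zero: locked until the administrator intervenes
        elif lockout_time - lockout_duration >= now:
            # duration is negative, so this is lockoutTime + |duration| >= now:
            # the lockout window has not expired yet
            bits |= UF_LOCKOUT
    return bits

def is_locked_out(lockout_time: int, lockout_duration: int, now: int) -> bool:
    return bool(uac_computed_lockout_bits(lockout_time, lockout_duration, now) & UF_LOCKOUT)

def naive_is_locked_out(lockout_time: int) -> bool:
    """The 'non-zero lockoutTime == locked' shortcut from the thread; it
    ignores the policy duration, so expired lockouts still look active."""
    return lockout_time != 0

def demo() -> dict:
    """Constructed sample: 30-minute policy, evaluated at 2019-12-08 19:40 UTC."""
    utc = timezone.utc
    now = to_nttime(datetime(2019, 12, 8, 19, 40, tzinfo=utc))
    policy = lockout_duration_minutes(30)
    ten_min_ago = to_nttime(datetime(2019, 12, 8, 19, 30, tzinfo=utc))
    forty_five_min_ago = to_nttime(datetime(2019, 12, 8, 18, 55, tzinfo=utc))
    return {
        "recent_computed": is_locked_out(ten_min_ago, policy, now),
        "expired_computed": is_locked_out(forty_five_min_ago, policy, now),
        "expired_naive": naive_is_locked_out(forty_five_min_ago),
        "admin_only": is_locked_out(forty_five_min_ago, 0, now),
    }
```

The "expired" row is the case the message describes: lockoutTime is still set, but the computed attribute no longer reports UF_LOCKOUT because the policy duration has elapsed.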