[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Sun Dec 8 20:26:03 UTC 2019


On 08/12/2019 19:40, Andrew Bartlett wrote:
> On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote:
>> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
>>> Mandi! Rowland penny via samba
>>>     In chel di` si favelave...
>>>
>>>> You cannot create an ldap filter using the above, you would have
>>>> to filter
>>>> the result of the ldap search.
>>> I can confirm:
>>>
>>> 	root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
>>> 	# record 1
>>> 	dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
>>> 	msDS-User-Account-Control-Computed: 16
>>> 	[...]
>>> 	# returned 4 records
>>> 	# 1 entries
>>> 	# 3 referrals
>>>
>>> 	root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
>>> 	[...]
>>> 	# returned 3 records
>>> 	# 0 entries
>>> 	# 3 referrals
>>>
>>> there's no bitwise operator.
>>>
>>> Anyway, I think it is better to use the msDS-User-Account-Control-Computed
>>> value in the script, instead of trying to replicate the behaviour.
>>>
>>>
>>> Thanks to all!
>>>
>> It is your script, but I personally still think it is easier to
>> check
>> 'lockoutTime' (which you can filter on). If it isn't there or is set
>> to
>> '0' then the account isn't locked. If it is set to anything but '0',
>> then the account is locked.
>>
>> Rowland
> The reason we strongly encourage the use of the computed attributes is
> that not only do they reflect what is going on internally, but they
> honour the Password Settings Objects, eg fine grained password policy.
>
> It also avoids computing the lockout duration on the client.  The
> account can be unlocked with lockoutTime set if the duration has
> expired:
>
>  From  construct_msds_user_account_control_computed():
>
> 		int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
> 		if (lockoutTime != 0) {
> 			int64_t lockoutDuration;
>
> 			lockoutDuration = get_user_lockout_duration(module, msg,
> 								    parent,
> 								    nc_root);
>
> 			/* zero locks out until the administrator intervenes */
> 			if (lockoutDuration >= 0) {
> 				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
> 			} else if (lockoutTime - lockoutDuration >= now) {
> 				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
> 			}
> 		}
>
> I hope this clarifies things.  If someone has time (I'm swamped) it
> would be awesome if we had this stuff in a wiki so folks don't need to
> reinvent the wheel.
>
> Andrew Bartlett

Well, yes if you want to know if the account is locked and when the user 
will be able to log in again, which will unlock the account.

However, if you have a user screaming down the phone at you, you will 
probably just want to unlock the user. The quickest way is to search for 
the user using 'lockoutTime', and if it is set to anything but '0', 
then set it to '0'; the user should then be able to log in, 
provided they use the correct password. Alternatively, you could just 
reset the user's password, which will also reset 'lockoutTime' to '0'.

If you want, I could write you a script to use the computed attribute, 
but it will undoubtedly require a lot more lines than the one I have 
that uses 'lockoutTime'.

Rowland
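The two approaches discussed in this thread, put side by side in Python. This is an added example, not Samba code and not either poster's script: it re-expresses the lockout branch of construct_msds_user_account_control_computed() quoted above, gives the filter Rowland describes for lockoutTime, and emits the LDIF that sets lockoutTime to 0. It assumes the usual AD conventions, which Samba follows: lockoutTime is an NT FILETIME (100 ns ticks since 1601-01-01 UTC), lockoutDuration is a negative 100 ns interval, and UF_LOCKOUT is 0x0010 (the "16" seen in the ldbsearch output). The function and variable names and the sample timestamps are constructed for the example.

```python
"""Lockout check as quoted from Samba's
construct_msds_user_account_control_computed(), beside the plain
lockoutTime check from the thread.  Added example; assumes AD's
FILETIME and lockoutDuration conventions (see lead-in)."""

UF_LOCKOUT = 0x0010                    # bit 4: the "16" in the computed attribute
NT_EPOCH_OFFSET = 116444736000000000   # ticks from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000          # FILETIME is in 100 ns units


def unix_to_nttime(unix_seconds):
    """Unix epoch seconds -> NT FILETIME ticks."""
    return int(unix_seconds) * TICKS_PER_SECOND + NT_EPOCH_OFFSET


def nttime_to_unix(nttime):
    """NT FILETIME ticks -> Unix epoch seconds (float)."""
    return (nttime - NT_EPOCH_OFFSET) / TICKS_PER_SECOND


def computed_uac(lockout_time, lockout_duration, now):
    """Mirror of the quoted C.  Returns UF_LOCKOUT if the account is
    locked *right now*, else 0.  lockout_time is the stored attribute;
    lockout_duration is what the domain or the user's PSO says (a
    negative interval, or >= 0 meaning "until an administrator
    intervenes"); now is the current time as NT ticks."""
    uac = 0
    if lockout_time != 0:
        if lockout_duration >= 0:
            # zero locks out until the administrator intervenes
            uac |= UF_LOCKOUT
        elif lockout_time - lockout_duration >= now:
            # subtracting a negative duration = adding it
            uac |= UF_LOCKOUT
    return uac


def unlock_at(lockout_time, lockout_duration):
    """Unix time at which the lock expires on its own, or None when
    the account stays locked until an administrator intervenes."""
    if lockout_time == 0:
        return None
    if lockout_duration >= 0:
        return None
    return nttime_to_unix(lockout_time - lockout_duration)


def is_locked_by_lockout_time(lockout_time):
    """Rowland's shortcut: attribute present and non-zero.  Note it
    can say "locked" after the duration has expired."""
    return lockout_time != 0


def lockout_time_filter():
    """lockoutTime is a stored attribute, so this works as an
    ldbsearch filter; the computed attribute does not (see thread)."""
    return "(&(objectClass=user)(lockoutTime=*)(!(lockoutTime=0)))"


def unlock_ldif(dn):
    """LDIF to feed to ldbmodify: clears lockoutTime, unlocking the user."""
    return "dn: %s\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n" % dn


if __name__ == "__main__":
    # constructed sample: 30 min lockoutDuration, "now" fixed for repeatability
    thirty_minutes = -30 * 60 * TICKS_PER_SECOND     # -18000000000
    now = unix_to_nttime(1_700_000_000)
    ten_min_ago = now - 10 * 60 * TICKS_PER_SECOND
    forty_min_ago = now - 40 * 60 * TICKS_PER_SECOND
    for label, lt in (("10 min ago", ten_min_ago), ("40 min ago", forty_min_ago)):
        print(label, "lockoutTime!=0:", is_locked_by_lockout_time(lt),
              "computed:", computed_uac(lt, thirty_minutes, now),
              "unlocks at (unix):", unlock_at(lt, thirty_minutes))
    print(lockout_time_filter())
    print(unlock_ldif("CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))
```

The "40 min ago" case is the one Andrew is pointing at: lockoutTime is still non-zero, so the plain attribute check reports the account locked, while the computed value is 0 because the duration has elapsed. The filter string is what you would hand to ldbsearch, and the LDIF is what you would pipe to ldbmodify against sam.ldb to do the "set it to '0'" step.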
