[Samba] Account locked and delayed user data propagation...

Marco Gaiarin gaio at sv.lnf.it
Fri Nov 15 16:23:32 UTC 2019


I need to do some testing, but before hitting my head on a known wall, I
ask here.


My AD domain gets used (via PAM/Winbind) to give access to some other
services, most notably here dovecot.
When a password expires (or users change it) the MUA tries the old password
some times, then asks for a new password; users clearly get scared,
press 'OK' or 'Cancel' randomly, but if they press 'OK' 2-3 times too
many wrong password tries get done, and the account gets locked.
This policy is under revision, but for now it stays as-is; this is not
the problem.


The account gets unlocked automatically after 10 minutes, but sometimes it
is urgent.

So I've set up a script that basically does:

	TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX)
	UTENTE_DN=$(get_user_dn "${UTENTE}")
	# Build an LDIF modify record: every modification ends with a "-" line,
	# and there is no "-" before the first one.
	{
		echo "dn: ${UTENTE_DN}"
		echo "changetype: modify"
		echo "replace: userAccountControl"
		echo "userAccountControl: ${NEWFLAGS}"
		echo "-"
		echo "replace: badPwdCount"
		echo "badPwdCount: 0"
		echo "-"
	} > "$TMPLDIF"
	ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null
	rm -f "$TMPLDIF"

but it does that if and only if the account is locked, and I test that using:

  user_is_locked () {
        local locked="false"
        local UAC
        # Read userAccountControl for the user from the database LDB_OPTS points at.
        UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl \
                | grep "^userAccountControl: " | cut -d ' ' -f 2-)
        # Prevent error conditions on query error.
        if [ -z "$UAC" ]; then
                UAC=${DEF_UAC}
        fi
        # Bit 0x00000010 is UF_LOCKOUT.
        ((($UAC & 16) == 16)) && locked="true"
        if [ "${locked}" = "true" ]; then
                return 0
        fi
        return 1
  }


It seems to me (as stated, I need to do some experimentation...) that
the account gets locked only on the DC that dovecot connects to, and
userAccountControl does not get 'propagated' to the other DCs.

E.g., if I try to connect to dovecot I get:

	Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

but if I try to run user_is_locked() on another DC, it says 'account not
locked'.


Is there a way to check 'globally' for account locked status?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
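An added example (not from the post) of checking the lock state on every DC rather than only the one dovecot talks to: it queries each DC directly over LDAP with ldbsearch -H and decides from lockoutTime, the attribute AD records a lockout in (and which replicates, unlike badPwdCount), keeping the UF_LOCKOUT bit of userAccountControl as a second check. The DC list, BASEDN and the sample ldbsearch output are placeholders/constructed; LDB_OPTS is the post's own variable.

```shell
#!/bin/sh
# Added example, not from the post. Reports a user's lockout state per DC.
# Assumptions: DCS is a hypothetical list of DC hostnames, BASEDN a placeholder
# base DN, LDB_OPTS whatever the post's own script passes to the ldb tools.
BASEDN="${BASEDN:-DC=example,DC=com}"
DCS="${DCS:-dc1.example.com dc2.example.com}"

# Print the first value of attribute $1 from ldbsearch output read on stdin.
ldb_attr () {
        sed -n "s/^$1: //p" | head -n 1
}

# Decide "locked" or "unlocked" from one DC's copy of the user object (stdin).
# lockoutTime is where AD records a lockout (0 or absent means not locked);
# bit 0x10 (UF_LOCKOUT) of userAccountControl is kept as a second check.
lock_state () {
        out=$(cat)
        lockout_time=$(printf '%s\n' "$out" | ldb_attr lockoutTime)
        uac=$(printf '%s\n' "$out" | ldb_attr userAccountControl)
        : "${lockout_time:=0}" "${uac:=0}"
        if [ "$lockout_time" != "0" ] || [ $(( uac & 16 )) -eq 16 ]; then
                echo locked
        else
                echo unlocked
        fi
}

# Ask each DC over LDAP (-H) instead of the local sam.ldb, so a lockout that
# has not replicated yet is still reported by the DC that holds it.
check_all_dcs () {   # $1 = sAMAccountName
        for dc in $DCS; do
                state=$(ldbsearch ${LDB_OPTS} -H "ldap://$dc" -b "$BASEDN" \
                        "(&(objectClass=user)(sAMAccountName=$1))" \
                        lockoutTime badPwdCount userAccountControl | lock_state)
                printf '%-28s %s\n' "$dc" "$state"
        done
}

# Constructed sample output, shaped like ldbsearch's, for offline checking.
SAMPLE_LOCKED='dn: CN=Mario Rossi,CN=Users,DC=example,DC=com
lockoutTime: 132185064970000000
badPwdCount: 5
userAccountControl: 512'
SAMPLE_CLEAR='dn: CN=Mario Rossi,CN=Users,DC=example,DC=com
lockoutTime: 0
badPwdCount: 0
userAccountControl: 512'
if [ $# -gt 0 ]; then check_all_dcs "$1"; fi
```

Run it with the sAMAccountName as the only argument from a host whose LDB_OPTS carries credentials for the DCs; with no argument it only defines the functions.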


