[Samba] Account locked and delayed user data propagation...
Rowland penny
rpenny at samba.org
Fri Nov 15 17:38:46 UTC 2019
On 15/11/2019 16:23, Marco Gaiarin via samba wrote:
> I need to do some testing, but before I hit my head on a known wall, I
> ask here.
>
>
> My AD domain gets used (via PAM/Winbind) to give access to some other
> services, most notably here dovecot.
> When the password expires (or users change it) the MUA tries the old password
> some times, then asks for a new password; users clearly get scared,
> press randomly 'OK' or 'Cancel', but if they press 'OK' 2-3 times too
> many wrong password tries get done, and the account gets locked.
> This policy is under revision, but for now it stays as-is; this is not
> the problem.
>
>
> The account gets unlocked automatically after 10 minutes, but sometimes it
> is urgent.
>
> So I've set up a script that basically does:
>
> TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX)
> UTENTE_DN=$(get_user_dn "${UTENTE}")
> # Build an LDIF modify record; each attribute change is terminated by "-".
> {
>     echo "dn: ${UTENTE_DN}"
>     echo "changetype: modify"
>     echo "replace: userAccountControl"
>     echo "userAccountControl: ${NEWFLAGS}"
>     echo "-"
>     echo "replace: badPwdCount"
>     echo "badPwdCount: 0"
>     echo "-"
> } > "$TMPLDIF"
> ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null
>
> but does that only if the account is locked, which I test using:
>
> user_is_locked () {
>     local locked="false"
>     # Read userAccountControl for the account; empty if the query fails.
>     local UAC
>     UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl \
>           | grep "^userAccountControl: " | cut -d ' ' -f 2-)
>     # Prevent error conditions on query error.
>     if [ -z "$UAC" ]; then
>         UAC=${DEF_UAC}
>     fi
>     # UF_LOCKOUT bit (0x00000010).
>     (( (UAC & 16) == 16 )) && locked="true"
>     if [ "${locked}" = "true" ]; then
>         return 0
>     fi
>     return 1
> }
>
>
> It seems to me (as stated, I need to do some experimentation...) that the
> account gets locked only on the DC that dovecot connects to, and userAccountControl
> does not get 'propagated' to the other DCs.
>
> E.g., if I try to connect to dovecot I get:
>
> Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
>
> but if I run user_is_locked() on another DC, it tells me 'account not
> locked'.
>
>
> Is there a way to check 'globally' for account locked status?
>
>
> Thanks.
>
Yes, provided you use the right attribute to search on ;-)
Something like this will tell you if/when the account was locked out:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub \
    '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime \
    | grep 'lockoutTime' | awk '{print $NF}'
See here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4
Rowland
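Following on from the lockoutTime suggestion above, this is an added shell example (not code from either poster) that reads lockoutTime from ldbsearch output and decides whether the lockout is still in force, rather than testing the userAccountControl bit as the quoted script does. It assumes lockoutTime is a Windows FILETIME and lockoutDuration the domain's negative 100 ns interval; the ldbsearch output, DN and 10 minute duration are constructed sample values.

```shell
#!/bin/bash
# Added example, not from the thread. Assumptions: lockoutTime is a FILETIME
# (100 ns ticks since 1601-01-01 UTC, 0 = not locked) and lockoutDuration is
# the domain's negative 100 ns interval. Sample values are constructed.

FILETIME_EPOCH_DELTA=11644473600   # seconds from 1601-01-01 to 1970-01-01

# Convert a FILETIME tick count to Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_DELTA ))
}

# Read the lockoutTime value from ldbsearch output on stdin; print 0 when the
# attribute is absent, so "never locked" and "not locked" are treated alike.
parse_lockout_time() {
    local v
    v=$(sed -n 's/^lockoutTime: *//p' | head -n 1)
    echo "${v:-0}"
}

# lockout_state LOCKOUT_TIME LOCKOUT_DURATION NOW_EPOCH
# Prints "unlocked", "locked", or "expired" (lockoutTime still set, but the
# lockout window has passed, so the next successful logon will reset it).
lockout_state() {
    local lt=$1 dur=$2 now=$3 since duration_s
    if [ "$(( lt == 0 ))" -eq 1 ]; then echo unlocked; return; fi
    since=$(filetime_to_epoch "$lt")
    duration_s=$(( -dur / 10000000 ))   # negative interval -> positive seconds
    if [ $(( now - since )) -lt "$duration_s" ]; then
        echo locked
    else
        echo expired
    fi
}

# Constructed ldbsearch output: lockoutTime set at 2019-11-12 16:36:51 UTC, the
# timestamp of the pam_winbind log line in the thread; 10 minute lockoutDuration.
SAMPLE_LDB='dn: CN=locktest,CN=Users,DC=samdom,DC=example,DC=com
lockoutTime: 132180502110000000'
SAMPLE_DURATION=-6000000000

# Evaluate the sample at a given epoch second, e.g. check_sample "$(date +%s)".
check_sample() {
    local lt
    lt=$(printf '%s\n' "$SAMPLE_LDB" | parse_lockout_time)
    lockout_state "$lt" "$SAMPLE_DURATION" "$1"
}
```

Against a live DC, pipe Rowland's ldbsearch command (without the awk) into parse_lockout_time and read lockoutDuration from the domain object the same way.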