[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Fri Nov 15 17:38:46 UTC 2019


On 15/11/2019 16:23, Marco Gaiarin via samba wrote:
> I need to do some testing, but before hitting my head on a known wall, I
> ask here.
>
>
> My AD domain is used (via PAM/Winbind) to give access to some other
> services, most notably dovecot.
> When a password expires (or users change it) the MUA tries the old password
> some times, then asks for a new password; users clearly get scared,
> press randomly 'OK' or 'Cancel', but if they press 'OK' 2-3 times too
> many wrong password attempts get made, and the account gets locked.
> This policy is under revision, but for now it stays as-is; this is not
> the problem.
>
>
> The account gets unlocked automatically after 10 minutes, but sometimes it
> is urgent.
>
> So I've set up a script that basically does:
>
> 	# Build a modify LDIF that rewrites userAccountControl and resets the
> 	# bad password counter, then apply it with ldbmodify.
> 	TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX)
> 	UTENTE_DN=$(get_user_dn "${UTENTE}")
> 	echo "dn: ${UTENTE_DN}" > "$TMPLDIF"
> 	echo "changetype: modify" >> "$TMPLDIF"
> 	echo "replace: userAccountControl" >> "$TMPLDIF"
> 	echo "userAccountControl: ${NEWFLAGS}" >> "$TMPLDIF"
> 	echo "-" >> "$TMPLDIF"
> 	echo "replace: badPwdCount" >> "$TMPLDIF"
> 	echo "badPwdCount: 0" >> "$TMPLDIF"
> 	echo "-" >> "$TMPLDIF"
> 	ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null
>
> but do that if and only if the account is locked, and I test that using:
>
>    # Returns 0 (locked) when the stored userAccountControl has the
>    # LOCKOUT bit set, 1 otherwise.
>    user_is_locked () {
>          local locked="false"
>          local UAC
>          UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)
>          # Fall back to a default on query error, so the arithmetic
>          # below never sees an empty value.
>          if [ -z "$UAC" ]; then
>                  UAC=${DEF_UAC}
>          fi
>          # ADS_UF_LOCKOUT = 0x00000010
>          ((($UAC & 16) == 16)) && locked="true"
>          if [ "${locked}" = "true" ]; then
>                  return 0
>          fi
>          return 1
>    }
>
>
> It seems to me (as stated, I need to do some experimentation...) that
> the account gets locked only on the DC that dovecot connects to, and userAccountControl
> does not get 'propagated' to the other DCs.
>
> E.g., if I try to connect to dovecot I get:
>
> 	Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
>
> but if I run user_is_locked() on another DC, it says 'account not
> locked'.
>
>
> Is there a way to check 'globally' for the account locked status?
>
>
> Thanks.
>
Yes, provided you use the right attribute to search on ;-)

Something like this will give you if/when the account was locked out:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub \
    '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' \
    lockoutTime | grep 'lockoutTime' | awk '{print $NF}'

See here: 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4

Rowland
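As an added example, not code from either message: a rework of Marco's user_is_locked check around lockoutTime, the attribute Rowland points to, deciding "locked" the way the DC does (lockoutTime non-zero and younger than lockoutDuration). It assumes LDB_OPTS and BASEDN as in Marco's script, a 10-minute lockoutDuration default, and a constructed lockoutTime value; only the live wrapper needs ldbsearch, the rest runs offline.

```bash
#!/bin/bash
# Added example: lockout check based on lockoutTime instead of the
# userAccountControl bit. LDB_OPTS/BASEDN are assumed to be set as in
# Marco's script; the 600 s default and the sample LDIF are constructed.

# Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# The domain's lockoutDuration is stored as a negative 100 ns interval
# (10 minutes = -6000000000); convert it to positive seconds.
lockout_duration_secs() {
    echo $(( $1 / -10000000 ))
}

# Extract one attribute value from ldbsearch LDIF output read on stdin.
ldif_attr() {
    grep "^$1: " | head -n 1 | cut -d ' ' -f 2-
}

# Locked out means: lockoutTime is non-zero AND fewer than lockoutDuration
# seconds have passed since it was set. lockoutTime stays on the object
# after the lock expires (it is reset to 0 by an unlock or a successful
# logon), so the age test is what decides.
# Args: lockoutTime (FILETIME or empty), duration in seconds, now in epoch
# seconds. Returns 0 when locked, 1 otherwise.
locked_out_at() {
    local lockout_time=${1:-0} duration=$2 now=$3 locked_since
    if [ "$lockout_time" -eq 0 ]; then
        return 1
    fi
    locked_since=$(filetime_to_epoch "$lockout_time")
    [ $(( now - locked_since )) -lt "$duration" ]
}

# Live check against the DC this host talks to (needs ldbsearch).
user_is_locked() {
    local lt
    lt=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" \
        "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | ldif_attr lockoutTime)
    locked_out_at "$lt" "${LOCKOUT_DURATION_SECS:-600}" "$(date -u +%s)"
}

# Constructed ldbsearch output for a locked account (lockoutTime is a FILETIME).
SAMPLE_LDIF='dn: CN=locktest,CN=Users,DC=samdom,DC=example,DC=com
lockoutTime: 132184022000000000
'
```

Because lockoutTime is replicated between DCs while the stored userAccountControl bit is not what signals a lockout, the same check gives the same answer whichever DC it is run against.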