First off, I apologize if this is a duplicate - I had some issues with the first email I tried to join this list with!

I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems. I've got the default password settings set using the "samba-tool domain passwordsettings" command and I have all the GPOs configured as I need them for clients. However, I would like to configure how the account lockout functions for the domain accounts. I read in the archive for this list that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if it's even possible.

To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has a pre-built "zentyal-samba" package installed, but from what I can tell it's just samba4.0 (that's what it tells me when I use samba --version).

What I've tried thus far:

1. Use testparm -v to get a complete list of all possible smb.conf values - didn't see much in there that looked like account lockout.
2. Manually edit the account_policy.tdb database within the samba folder identified in the current smb.conf file with tdbtool - it looks like there ARE settings here that might apply, but for some reason changes aren't being reflected. For example, when I use the "samba-tool domain passwordsettings set --min-pwd-age=5" command the account_policy.tdb key corresponding to pass min age does NOT get updated, but I have validated that the changes DO take immediate effect. Maybe the account_policy.tdb file is legacy and not used when the active role is DC with a 2008_R2 functional level?

The password policy, and I'm presuming all account related policy, is clearly being stored and enforced somewhere - I just haven't figured out what all it includes and where it is...

My question with respect to samba is twofold: is it even POSSIBLE to have samba detect multiple failed login attempts to a domain account (e.g., the default domain administrator) and "lock" the account once a certain threshold has been reached, and if so how is that configured?

Thanks so much for any information you can provide!

-Chris Stoneburner
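An added example, not code from this thread or from Samba itself: on a Samba 4 AD DC the values that "samba-tool domain passwordsettings" reads and writes live on the domain root object in sam.ldb (minPwdAge, maxPwdAge, lockoutThreshold, lockoutDuration, lockOutObservationWindow), not in account_policy.tdb. The Python below decodes a constructed ldbsearch-style dump of those attributes (sample values, not from a real DC) into human units and reports whether a lockout threshold is set at all.

```python
"""Decode the password/lockout policy a Samba 4 AD DC keeps on the domain
root object in sam.ldb.  AD stores ages/durations as negative counts of
100-nanosecond ticks; lockoutThreshold is a plain count, 0 = no lockout."""

TICKS_PER_SECOND = 10_000_000
SECONDS_PER_DAY = 24 * 60 * 60
# attributes holding negative 100ns intervals rather than plain integers
INTERVAL_ATTRS = {"minPwdAge", "maxPwdAge", "lockoutDuration",
                  "lockOutObservationWindow"}

# Constructed sample (not from a real DC), shaped like the output of
#   ldbsearch -H sam.ldb -s base -b DC=example,DC=com minPwdAge maxPwdAge ...
# after `samba-tool domain passwordsettings set --min-pwd-age=5`.
SAMPLE_LDIF = """\
dn: DC=example,DC=com
minPwdAge: -4320000000000
maxPwdAge: -36288000000000
minPwdLength: 7
lockoutThreshold: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
"""

def parse_ldif(text):
    """Return {attribute: raw string} for one unfolded LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry[attr.strip()] = value.strip()
    return entry

def ticks_to_seconds(raw):
    """Negative 100ns ticks -> positive seconds (0 stays 0)."""
    return -int(raw) / TICKS_PER_SECOND

def decode_policy(text):
    """Decode the entry into seconds/counts and flag whether lockout is on."""
    entry = parse_ldif(text)
    policy = {}
    for attr, raw in entry.items():
        if attr != "dn":
            policy[attr] = ticks_to_seconds(raw) if attr in INTERVAL_ATTRS else int(raw)
    policy["minPwdAge_days"] = policy["minPwdAge"] / SECONDS_PER_DAY
    policy["maxPwdAge_days"] = policy["maxPwdAge"] / SECONDS_PER_DAY
    policy["lockoutDuration_minutes"] = policy["lockoutDuration"] / 60
    # a threshold of 0 means failed logons never lock the account
    policy["lockout_enabled"] = policy["lockoutThreshold"] > 0
    return policy
```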
Any thoughts on the quoted email below?

On Fri, Jan 11, 2013 at 10:54 PM, Chris Stoneburner <200406274 at panthers.greenville.edu> wrote:

> [...]
Anyone? If this is the wrong list or if no one can answer I can definitely ask a different list - just point me in the right direction?

On Jan 11, 2013, at 10:54 PM, Chris Stoneburner <200406274 at panthers.greenville.edu> wrote:

> [...]
On Fri, 2013-01-11 at 22:54 -0500, Chris Stoneburner wrote:

> First off, I apologize if this is a duplicate - I had some issues with the first email I tried to join this list with!
>
> I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems. I've got the default password settings set using the "samba-tool domain passwordsettings" command and I have all the GPOs configured as I need them for clients. However, I would like to configure how the account lockout functions for the domain accounts. I read in the archive for this list that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if it's even possible.
>
> My question with respect to samba is twofold: is it even POSSIBLE to have samba detect multiple failed login attempts to a domain account (e.g., the default domain administrator) and "lock" the account once a certain threshold has been reached and if so how is that configured?

No, this is not yet implemented in the AD DC.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org