Hi there,

With the new scrutinization by auditors on account policies and auditing, how can Samba be SOX compliant?

Using 3.0.14a-sernet on Suse 9.1 - ldapsam

Specifically, a couple of things seem to be lacking:

1) Logon/Logoff times are not being recorded
The last logon time recorded in my ldap entries is pre-nt4 migration.

2) Do the Audit Policy values in user manager have any effect?
Are they implemented?
Can they be syslogged?

3) How can I get a hook into logons?
Without turning up the debug values, how can I tell if an account has had repeated login failures?

Thanks,
Rob
Thu, 12.05.2005 at 18.54, Robert Kelly wrote:

> With the new scrutinization by auditors on account policies and
> auditing, how can Samba be SOX compliant?
> Using 3.0.14a-sernet on Suse 9.1 - ldapsam
>
> Specifically, a couple of things seem to be lacking:
>
> 1) Logon/Logoff times are not being recorded
> The last logon time recorded in my ldap entries are pre-nt4 migration.

Bad luck?

> 2) Do the Audit Policy values in user manager have any effect?
> Are they implemented?
> Can they be syslogged?

No to both, please read the official Samba HOWTOs. Experiment. Like we all have to.

> 3) How can I get a hook into logons?
> Without turning up the debug values, how can I tell if an account has
> had repeated login failures?

Try 'man pdbedit' and search for "-P".

I have never understood why people complain about any item of software's supposed limitations until they have read and thoroughly understand all aspects of all the documentation. Perhaps they aspire toward posthumous beatification, attaining a martyrs' brigade status or whatever.

> Thanks,

*Wake up* and at least make *some effort* to read the docs and follow the threads and experiment for yourself, as 1001 others on this list, including the undersigned, choose to do. Hanging yourself out is not to your own advantage.

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...
Fri, 13.05.2005 at 19.54, Stuart wrote:

[...]
> > > suppose i wanted to set up account lockout for 3 failed login attempts for
> > > my w2k workstations with the ability to try again in 5 minutes. would these
> > > be the commands to use:
> > >
> > > pdbedit -P "bad lockout attempt" -C 3
> > > pdbedit -P "reset count minutes" -C 5
> >
> > I asked the meaning of each of these parameters on the list, but no one
> > seemed to know; at least no one replied.
> >
> > E.g., for the second of your examples, I'd rather fancy "lockout
> > duration". I tried certain things out for myself on my test system
> > (3.0.14a, ldapsam with GQ LDAP "help") and succeeded in locking user
> > Kvikk the Cat out for more or less ever, found out what I'd done wrong,
> > remedied it but got cold feet and didn't dare touch pdbedit -P again for
> > the time being. I'd love some explanation ...

O.k., I reduced all pdbedit -P parameters to default and began again on locking out Kvikk the Cat. Policy: more than 3 bad login attempts and the account is locked out for 5 minutes:

1054 [root:tru] /etc/postfix # pdbedit -P "bad lockout attempt" -C 3
debug_lookup_classname(rpc): Unknown class
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3
1057 [root:tru] /etc/postfix # pdbedit -P "lockout duration" -C 5
debug_lookup_classname(rpc): Unknown class
account policy value for lockout duration was 30
account policy value for lockout duration is now 5

[...]
> i am currently using samba version 3.0.7 with smbpasswd.
>
> does the account lockout feature not work with smbpasswd?

smbpasswd doesn't have anything to do with this, it's used for setting / synchronizing passwords. Perhaps you meant smbclient; yes, it works both for Windows (XP Pro in my case) and smbclient.
For those of you with ldapsam backend and GQ to play around with, when the above lockout policy is implemented, the two attributes sambaBadPasswordCount and sambaBadPasswordTime are updated from zero for both to the bad password count and the Unix time (for the Unix time 'convdate -c' can be a real handy tool). These are reset to zero on the next successful login after the lockout.

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...
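As an added example that is not part of this thread and not Samba's own code: a small Python checker that reads the two ldapsam attributes named above, sambaBadPasswordCount and sambaBadPasswordTime, from an LDIF export and classifies each account against the lockout policy set with pdbedit -P in the previous message. The LDIF records, the policy dictionary, the use of the 'L' flag in sambaAcctFlags, and the four-way state logic (locked / counting / stale / clean, with the reset window taken from the "reset count minutes" policy) are assumptions made for illustration; the thread itself only says the two attributes are updated on bad passwords and reset on the next successful login. It is one way to answer Rob's third question (has an account had repeated login failures?) without raising the debug level.

```python
"""Evaluate Samba account-lockout state from sambaSamAccount LDAP entries.

Added example, not from the Samba list thread and not Samba code. It
assumes the pdbedit -P policy values below and reads the
sambaBadPasswordCount / sambaBadPasswordTime attributes that ldapsam
updates on failed logins.
"""
import time

# Policy values as set with `pdbedit -P` in the thread; the two time
# policies are in minutes. Assumed here, not queried from Samba.
POLICY = {
    "bad lockout attempt": 3,   # failures before the account locks
    "lockout duration": 5,      # minutes the lock lasts (-1 = until reset)
    "reset count minutes": 30,  # idle minutes after which the counter is stale
}

# Constructed LDIF sample (not real data): three accounts carrying the
# attributes named in the thread. 'L' in sambaAcctFlags marks an account
# Samba has auto-locked.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sambaAcctFlags: [UL         ]
sambaBadPasswordCount: 3
sambaBadPasswordTime: 1116000000

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 2
sambaBadPasswordTime: 1115990000
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def lockout_state(entry, policy, now):
    """Classify one account as 'locked', 'counting', 'stale' or 'clean'.

    locked   -> count reached the threshold (or L flag set) and the lockout
                duration has not yet elapsed (or is unlimited, -1).
    counting -> failures below the threshold, inside the reset window.
    stale    -> failures recorded but the lock or reset window has expired,
                so the next attempt starts from a reset counter.
    clean    -> no recorded failures.
    """
    count = int(entry.get("sambaBadPasswordCount", "0"))
    last_bad = int(entry.get("sambaBadPasswordTime", "0"))
    flags = entry.get("sambaAcctFlags", "")
    if count == 0 and "L" not in flags:
        return "clean"
    age_min = (now - last_bad) / 60
    duration = policy["lockout duration"]
    if count >= policy["bad lockout attempt"] or "L" in flags:
        if duration < 0 or age_min < duration:
            return "locked"
        return "stale"
    if age_min >= policy["reset count minutes"]:
        return "stale"
    return "counting"


def report(ldif_text, policy, now=None):
    """Return {uid: (state, failure_count, last_failure_utc)} for audit records."""
    now = int(time.time()) if now is None else now
    result = {}
    for e in parse_ldif(ldif_text):
        last_bad = int(e.get("sambaBadPasswordTime", "0"))
        when = (time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(last_bad))
                if last_bad else "-")
        result[e["uid"]] = (lockout_state(e, policy, now),
                            int(e.get("sambaBadPasswordCount", "0")), when)
    return result


if __name__ == "__main__":
    # Fixed 'now' (two minutes after bob's last failure) keeps the run reproducible.
    for uid, (state, count, when) in report(SAMPLE_LDIF, POLICY, now=1116000120).items():
        print(f"{uid:8} {state:9} failures={count} last_failure={when}")
```

Run against a real directory you would feed it the output of an ldapsearch for objectClass=sambaSamAccount instead of SAMPLE_LDIF; the "counting" and "locked" rows are the ones worth forwarding to syslog for the auditors.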
----- Original Message -----
From: "John H Terpstra" <jht@Samba.Org>
To: <samba@lists.samba.org>
Sent: Monday, May 16, 2005 9:17 AM
Subject: Re: [Samba] Sarbanes-Oxley headaches

> On Monday 16 May 2005 07:50, Stuart Highlander wrote:
> > > I gather that OP would be better served by using a tdb or ldap backend.
> >
> > i am not the original poster, but did ask the question regarding account
> > lockout and reset using the smbpasswd backend.
> >
> > i agree that moving to ldap or tdb would better suit my needs but i do not
> > have the test environment nor the time to move and adequately test my
> > production environment to one or the other right now.
> >
> > since i am using the smbpasswd for the foreseeable future, are the account
> > lockout and reset features applicable to using the smbpasswd backend? if
> > not, it is ok. my guess is that they are not, but cannot find
> > documentation to verify this.
> >
> > as for sox, i found a free program that enables window$ boxes to log event
> > logs to a remote syslog server, found here:
> >
> > http://www.netadmintools.com/art284.html
>
> The advanced Windows account facilities are available only with the tdbsam or
> ldapsam backends. It is very easy to migrate to tdbsam. Here are the steps:
>
> 1. Edit smb.conf to include this line:
> passdb backend = tdbsam
> 2. Migrate your smbpasswd file to tdbsam:
> pdbedit -i smbpasswd -e tdbsam
>
> Done.
>

thank you for the information on converting to tdbsam. where in the docs would it discuss changing passwords?

stu