Hi,

I'm trying to set up a password policy with Samba and OpenLDAP. While lockout works perfectly on OpenLDAP, it looks like it does not work with my Samba.

I've set "sambaLockoutThreshold" to 3 and "sambaLockoutDuration" to -1 (lockout forever) within the Domain-Object in LDAP. So I expect whenever a Windows user does 3 false logon attempts his Samba account will be LOCKED forever, until reset by an admin.
If I peek at those parameters with "pdbedit -P" it will confirm my configuration, so it looks fine.
I also found the "sambaBadPasswordCount" attribute in every User-Object in the LDAP tree. Default is 0.
Now I do several false login attempts from my Windows XP workstation (usually 5 attempts) and recheck that "sambaBadPasswordCount" attribute in that specific user object. STILL showing 0 !!
BTW: the "admin" object that is configured in smb.conf has all the permissions to access and write ALL attributes of any object in my DIT.

Does anyone know this problem ?!? I'm lost!

I use Debian 4.0 with the Debian packages for Samba 3.0.24 and OpenLDAP.
NOBODY ?? No one here with successful experience on User Lockout using Samba+LDAP ?? I can't believe this.

On 12.02.2009 16:24, Axel Werner wrote:
> Hi,
>
> I'm trying to set up a password policy with Samba and OpenLDAP. While
> lockout works perfectly on OpenLDAP, it looks like it does not work with
> my Samba.
>
> I've set "sambaLockoutThreshold" to 3 and "sambaLockoutDuration" to -1
> (lockout forever) within the Domain-Object in LDAP. So I expect
> whenever a Windows user does 3 false logon attempts his Samba account
> will be LOCKED forever, until reset by an admin.
> If I peek at those parameters with "pdbedit -P" it will confirm my
> configuration, so it looks fine.
> I also found the "sambaBadPasswordCount" attribute in every
> User-Object in the LDAP tree. Default is 0.
> Now I do several false login attempts from my Windows XP workstation
> (usually 5 attempts) and recheck that "sambaBadPasswordCount" attribute
> in that specific user object. STILL showing 0 !!
> BTW: the "admin" object that is configured in smb.conf has all the
> permissions to access and write ALL attributes of any object in my DIT.
>
> Does anyone know this problem ?!? I'm lost!
>
> I use Debian 4.0 with the Debian packages for Samba 3.0.24 and OpenLDAP.
Christian Rost
2009-Feb-13 08:56 UTC
[Samba] Samba 3.0.24 + LDAP - User Lockout not working
Hi,

not all Samba-LDAP attributes that are listed in the Samba3-LDAP-Schema are working yet. IMHO the only source that mentions it clearly is the Samba HOWTO.

Please refer to "http://de3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2582136" and search for "LDAP Special Attributes for sambaSamAccounts".

Cheers,

Christian

==========================================================
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4
44534 Lünen
fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de
Hi Christian,

thanks for the answer.

Is yours an OFFICIAL answer to this problem ?? I cannot find ANY documents telling about not used or not implemented functionality on user lockout or those LDAP attributes either. So it's hard to believe that those things are "spare" or "unused" even after YEARS.

I found some really old mailing list posting from 2004 with exactly the same problem. So it seems this isn't really new stuff.
http://lists.samba.org/archive/samba/2004-July/089429.html

What's going on here ?!

Thanks for help,
regards
Axel
Volker Lendecke
2009-Feb-13 09:43 UTC
[Samba] Samba 3.0.24 + LDAP - User Lockout not working
On Fri, Feb 13, 2009 at 10:33:03AM +0100, Axel Werner wrote:
> Is yours an OFFICIAL answer to this problem ?? I cannot find ANY
> documents telling about not used or not implemented functionality on
> user lockout or those LDAP attributes either. So it's hard to believe
> that those things are "spare" or "unused" even after YEARS.
>
> I found some really old mailing list posting from 2004 with exactly the
> same problem. So it seems this isn't really new stuff.
> http://lists.samba.org/archive/samba/2004-July/089429.html
>
> What's going on here ?!

Please take a look at

https://bugzilla.samba.org/show_bug.cgi?id=5825

There is at least one user for whom it finally worked, even in a PDC/BDC scenario.

Volker
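
An added example, not part of the thread and not Samba code: one way to confirm the symptom from the original post is to export the domain object and the user entry to LDIF before and after the failed logons and compare them. The DN, the helper names and the LDIF below are constructed; the LDIF is assumed to be unfolded and not base64-encoded, and the `L` flag in `sambaAcctFlags` is taken as the auto-lock marker.

```python
def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 lines) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                       # a blank line ends the entry
        elif not line.startswith("#"):
            attr, _, value = line.partition(": ")
            if attr.lower() == "dn":
                current = entries.setdefault(value, {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value)
    return entries

def _int(entry, attr):
    return int(entry.get(attr.lower(), ["0"])[0])

def lockout_status(before, after, user_dn):
    """Classify what happened to user_dn between two LDIF snapshots."""
    old, new = parse_ldif(before), parse_ldif(after)
    domain = next(e for e in new.values()
                  if "sambaDomain" in e.get("objectclass", []))
    threshold = _int(domain, "sambaLockoutThreshold")
    user = new[user_dn]
    count = _int(user, "sambaBadPasswordCount")
    # Assumption: 'L' inside the bracketed flag string marks an auto-locked account.
    locked = "L" in user.get("sambaacctflags", [""])[0].strip("[] ")
    if threshold == 0:                           # 0 means "never lock out"
        return "lockout disabled (threshold 0)"
    if locked:
        return "locked"
    if count == _int(old.get(user_dn, {}), "sambaBadPasswordCount"):
        return "counter not updated"             # the symptom in this thread
    if count >= threshold:
        return "threshold reached but account not locked"
    return f"counting ({count}/{threshold})"

# Constructed sample data (hypothetical DNs), mirroring the policy in the post.
USER_DN = "uid=jdoe,ou=People,dc=example,dc=org"
DOMAIN = ("dn: sambaDomainName=EXAMPLE,dc=example,dc=org\n"
          "objectClass: sambaDomain\n"
          "sambaLockoutThreshold: 3\nsambaLockoutDuration: -1\n")

def snapshot(count, flags):
    return (f"{DOMAIN}\ndn: {USER_DN}\nobjectClass: sambaSamAccount\n"
            f"sambaBadPasswordCount: {count}\nsambaAcctFlags: {flags}\n")

if __name__ == "__main__":
    print(lockout_status(snapshot(0, "[U          ]"),
                         snapshot(0, "[U          ]"), USER_DN))
```

A result of "counter not updated" after deliberate bad logons means Samba never wrote the attribute, which points at Samba's handling rather than at the LDAP ACLs or the policy values.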