Marco Gaiarin
2019-Nov-15 16:23 UTC
[Samba] Account locked and delayed user data propagation...
I need to do some testing, but before to hit by head on a known wall, i ask here. My AD domain get used (via PAM/Winbind) to give access to some other dervice, most notably here dovecot. When password expire (or users change it) the MUA try the old password some times, then ask for a new password; users cleraly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3 time 'OK' too much wrong password try get done, and account get locked. This policy is under revision, but for now get is as-is, this is not the problem. Account get unlocked automatically after 10 minutes, but sometime it urges. So i've setup a script that barely do: TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX) UTENTE_DN=$(get_user_dn "${UTENTE}") echo "dn: ${UTENTE_DN}" > $TMPLDIF echo "changetype: modify" >> $TMPLDIF echo "-" >> $TMPLDIF echo "replace: userAccountControl" >> $TMPLDIF echo "userAccountControl: ${NEWFLAGS}" >> $TMPLDIF echo "-" >> $TMPLDIF echo "replace: badPwdCount" >> $TMPLDIF echo "badPwdCount: 0" >> $TMPLDIF ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null but do that if and only if account is locked, and i test that using: user_is_locked () { local locked="false" local UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-) # Prevent error conditions on query error. if [ -z "$UAC" ]; then UAC=${DEF_UAC} fi ((($UAC & 16) == 16)) && locked="true" # 0x00000010 if [ "${locked}" = "true" ]; then return 0 fi return 1 } Seems to me (as stated, i need to do some experimentation...) that account get locked only into the DC where 'dovecot connect to', and userAccountControl get not 'propagated' to other DC. EG, if i try to connect to dovecot i get: Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. but if i try to run user_is_locked() in another DC, say me 'account not locked'. There's a way to check 'globally' for account locked status? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland penny
2019-Nov-15 17:38 UTC
[Samba] Account locked and delayed user data propagation...
On 15/11/2019 16:23, Marco Gaiarin via samba wrote:> I need to do some testing, but before to hit by head on a known wall, i > ask here. > > > My AD domain get used (via PAM/Winbind) to give access to some other > dervice, most notably here dovecot. > When password expire (or users change it) the MUA try the old password > some times, then ask for a new password; users cleraly get scared, > press randomly 'OK' or 'Cancel', but if they press 2-3 time 'OK' too > much wrong password try get done, and account get locked. > This policy is under revision, but for now get is as-is, this is not > the problem. > > > Account get unlocked automatically after 10 minutes, but sometime it > urges. > > So i've setup a script that barely do: > > TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX) > UTENTE_DN=$(get_user_dn "${UTENTE}") > echo "dn: ${UTENTE_DN}" > $TMPLDIF > echo "changetype: modify" >> $TMPLDIF > echo "-" >> $TMPLDIF > echo "replace: userAccountControl" >> $TMPLDIF > echo "userAccountControl: ${NEWFLAGS}" >> $TMPLDIF > echo "-" >> $TMPLDIF > echo "replace: badPwdCount" >> $TMPLDIF > echo "badPwdCount: 0" >> $TMPLDIF > ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null > > but do that if and only if account is locked, and i test that using: > > user_is_locked () { > local locked="false" > local UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-) > # Prevent error conditions on query error. > if [ -z "$UAC" ]; then > UAC=${DEF_UAC} > fi > ((($UAC & 16) == 16)) && locked="true" # 0x00000010 > if [ "${locked}" = "true" ]; then > return 0 > fi > return 1 > } > > > Seems to me (as stated, i need to do some experimentation...) that > account get locked only into the DC where 'dovecot connect to', and userAccountControl > get not 'propagated' to other DC. > > EG, if i try to connect to dovecot i get: > > Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. > > but if i try to run user_is_locked() in another DC, say me 'account not > locked'. > > > There's a way to check 'globally' for account locked status? > > > Thanks. >yes, Provided you use the right attribute to search on ;-) Something like this will give you if/when the account was locked out: ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}' See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4 Rowland
Marco Gaiarin
2019-Nov-18 11:57 UTC
[Samba] Account locked and delayed user data propagation...
Mandi! Rowland penny via samba In chel di` si favelave...> yes, Provided you use the right attribute to search on ;-)Ah! ;-) Just i'm here, i test three condition in account flags, eg: UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-) # Old 'D' flag: ((($UAC & 2) == 2)) && enabled="false" # 0x00000002 # Old 'X' flag: ((($UAC & 65536) == 65536)) && expire="true" # 0x00010000 # Old 'L' glag: ((($UAC & 16) == 16)) && locked="true" # 0x00000010 Apart for 'locked', there are better ldap fields also for disabled and 'don't expire' flags? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Marco Gaiarin
2019-Dec-03 14:40 UTC
[Samba] Account locked and delayed user data propagation...
Mandi! Rowland penny via samba In chel di` si favelave... I came back on this, because still some glitches happen. Yesterday I'm locked out. 'pdbedit -vL gaio' say me that account IS locked. But:> yes, Provided you use the right attribute to search on ;-) > Something like this will give you if/when the account was locked out: > ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}' > See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4following the link here the code: user_is_locked () { # We folow spec, if zero, is not locked. local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep "^lockoutTime: " | cut -d ' ' -f 2-) if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then return 1 fi # If non-zero, we take into account also the expiration time (lockoutTime is resettet at successful logon) local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-) if [ -z "${LOD}" ]; then LOD=0 fi TMPF=$(w2u "$((${LOT} + ${LOD}))") if [ ${TMPF} -gt ${NOW} ]; then return 0 fi # by default, is unlocked. return 1 } (w2u is a function that convert from windows timestamp to unix timestamp) return '1', particulary the lockoutTime is >0, while lockoutDuration is 0, and so lockoutTime + lockoutDuration is >0 but anyway < of 'now'. What i'm doing wrong? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Apparently Analagous Threads
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...