samba - Dec 2019 - Account locked and delayed user data propagation...

I need to do some testing, but before to hit by head on a known wall, i
ask here.


My AD domain get used (via PAM/Winbind) to give access to some other
dervice, most notably here dovecot.
When password expire (or users change it) the MUA try the old password
some times, then ask for a new password; users cleraly get scared,
press randomly 'OK' or 'Cancel', but if they press 2-3 time
'OK' too
much wrong password try get done, and account get locked.
This policy is under revision, but for now get is as-is, this is not
the problem.


Account get unlocked automatically after 10 minutes, but sometime it
urges.

So i've setup a script that barely do:

	TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX)
	UTENTE_DN=$(get_user_dn "${UTENTE}")
	echo "dn: ${UTENTE_DN}" > $TMPLDIF
	echo "changetype: modify" >> $TMPLDIF
	echo "-" >> $TMPLDIF
	echo "replace: userAccountControl" >> $TMPLDIF
	echo "userAccountControl: ${NEWFLAGS}" >> $TMPLDIF
	echo "-" >> $TMPLDIF
	echo "replace: badPwdCount" >> $TMPLDIF
	echo "badPwdCount: 0" >> $TMPLDIF
	ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null

but do that if and only if account is locked, and i test that using:

  user_is_locked () {
        local locked="false"
        local UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" userAccountControl |
grep "^userAccountControl: " | cut -d ' ' -f 2-)
        # Prevent error conditions on query error.
        if [ -z "$UAC" ]; then
                UAC=${DEF_UAC}
        fi
        ((($UAC & 16) == 16)) && locked="true"          #
0x00000010
        if [ "${locked}" = "true" ]; then
                return 0
        fi
        return 1
  }


Seems to me (as stated, i need to do some experimentation...) that
account get locked only into the DC where 'dovecot connect to', and
userAccountControl
get not 'propagated' to other DC.

EG, if i try to connect to dovecot i get:

	Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS:
NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been
automatically locked because too many invalid logon attempts or password change
attempts have been requested.

but if i try to run user_is_locked() in another DC, say me 'account not
locked'.


There's a way to check 'globally' for account locked status?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 15/11/2019 16:23, Marco Gaiarin via samba wrote:
> I need to do some testing, but before to hit by head on a known wall, i
> ask here.
>
>
> My AD domain get used (via PAM/Winbind) to give access to some other
> dervice, most notably here dovecot.
> When password expire (or users change it) the MUA try the old password
> some times, then ask for a new password; users cleraly get scared,
> press randomly 'OK' or 'Cancel', but if they press 2-3 time
'OK' too
> much wrong password try get done, and account get locked.
> This policy is under revision, but for now get is as-is, this is not
> the problem.
>
>
> Account get unlocked automatically after 10 minutes, but sometime it
> urges.
>
> So i've setup a script that barely do:
>
> 	TMPLDIF=$(mktemp /tmp/smbunlock.ldif.XXXXXXXXXX)
> 	UTENTE_DN=$(get_user_dn "${UTENTE}")
> 	echo "dn: ${UTENTE_DN}" > $TMPLDIF
> 	echo "changetype: modify" >> $TMPLDIF
> 	echo "-" >> $TMPLDIF
> 	echo "replace: userAccountControl" >> $TMPLDIF
> 	echo "userAccountControl: ${NEWFLAGS}" >> $TMPLDIF
> 	echo "-" >> $TMPLDIF
> 	echo "replace: badPwdCount" >> $TMPLDIF
> 	echo "badPwdCount: 0" >> $TMPLDIF
> 	ldbmodify ${LDB_OPTS} "$TMPLDIF" > /dev/null
>
> but do that if and only if account is locked, and i test that using:
>
>    user_is_locked () {
>          local locked="false"
>          local UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" userAccountControl |
grep "^userAccountControl: " | cut -d ' ' -f 2-)
>          # Prevent error conditions on query error.
>          if [ -z "$UAC" ]; then
>                  UAC=${DEF_UAC}
>          fi
>          ((($UAC & 16) == 16)) && locked="true"      
# 0x00000010
>          if [ "${locked}" = "true" ]; then
>                  return 0
>          fi
>          return 1
>    }
>
>
> Seems to me (as stated, i need to do some experimentation...) that
> account get locked only into the DC where 'dovecot connect to', and
userAccountControl
> get not 'propagated' to other DC.
>
> EG, if i try to connect to dovecot i get:
>
> 	Nov 12 16:36:51 vdmsv1 auth: pam_winbind(dovecot:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS:
NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been
automatically locked because too many invalid logon attempts or password change
attempts have been requested.
>
> but if i try to run user_is_locked() in another DC, say me 'account not
> locked'.
>
>
> There's a way to check 'globally' for account locked status?
>
>
> Thanks.
>
yes, Provided you use the right attribute to search on ;-)

Something like this will give you if/when the account was locked out:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 
'dc=samdom,dc=example,dc=com' -s sub 
'(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' 
lockoutTime | grep 'lockoutTime' | awk '{print $NF}'

See here: 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4

Rowland

Mandi! Rowland penny via samba
  In chel di` si favelave...
> yes, Provided you use the right attribute to search on ;-)
Ah! ;-)


Just i'm here, i test three condition in account flags, eg:

	UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" userAccountControl |
grep "^userAccountControl: " | cut -d ' ' -f 2-)

	# Old 'D' flag:
	((($UAC & 2) == 2)) && enabled="false"          #
0x00000002

	# Old 'X' flag:
	((($UAC & 65536) == 65536)) && expire="true"    #
0x00010000

	# Old 'L' glag:
	((($UAC & 16) == 16)) && locked="true"          #
0x00000010

Apart for 'locked', there are better ldap fields also for disabled and
'don't expire' flags?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Mandi! Rowland penny via samba
  In chel di` si favelave...

I came back on this, because still some glitches happen.


Yesterday I'm locked out.

'pdbedit -vL gaio' say me that account IS locked. But:
> yes, Provided you use the right attribute to search on ;-)
> Something like this will give you if/when the account was locked out:
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
'dc=samdom,dc=example,dc=com' -s sub
'(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))'
lockoutTime | grep 'lockoutTime' | awk '{print $NF}'
> See here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4
following the link here the code:

 user_is_locked () {

        # We folow spec, if zero, is not locked.
        local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep
"^lockoutTime: " | cut -d ' ' -f 2-)
        if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then
                return 1
        fi

        # If non-zero, we take into account also the expiration time
(lockoutTime is resettet at successful logon)
        local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep
"^lockoutDuration: " | cut -d ' ' -f 2-)
        if [ -z "${LOD}" ]; then
                LOD=0
        fi
        TMPF=$(w2u "$((${LOT} + ${LOD}))")
        if [ ${TMPF} -gt ${NOW} ]; then
                return 0
        fi

        # by default, is unlocked.
        return 1
 }

(w2u is a function that convert from windows timestamp to unix timestamp)

return '1', particulary the lockoutTime is >0, while lockoutDuration
is
0, and so lockoutTime + lockoutDuration is >0 but anyway < of
'now'.


What i'm doing wrong? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)