Marco Gaiarin
2019-Dec-03 14:40 UTC
[Samba] Account locked and delayed user data propagation...
Hello! Rowland penny via samba, on that day, said...

I came back on this, because some glitches still happen.

Yesterday I was locked out. 'pdbedit -vL gaio' tells me that the account IS locked. But:

> yes, Provided you use the right attribute to search on ;-)
> Something like this will give you if/when the account was locked out:
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}'
> See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4

Following the link, here is the code:

user_is_locked () {

    # We follow the spec: if zero, it is not locked.
    local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep "^lockoutTime: " | cut -d ' ' -f 2-)
    if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then
        return 1
    fi

    # If non-zero, we also take into account the expiration time (lockoutTime is reset at a successful logon)
    local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-)
    if [ -z "${LOD}" ]; then
        LOD=0
    fi
    TMPF=$(w2u "$((${LOT} + ${LOD}))")
    if [ ${TMPF} -gt ${NOW} ]; then
        return 0
    fi

    # By default, it is unlocked.
    return 1
}

(w2u is a function that converts a Windows timestamp to a Unix timestamp)

It returns '1'; in particular, lockoutTime is >0 while lockoutDuration is 0, so lockoutTime + lockoutDuration is >0 but still < 'now'.

What am I doing wrong? Thanks.

-- 
dott. Marco Gaiarin                             GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''             http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland penny
2019-Dec-03 15:16 UTC
[Samba] Account locked and delayed user data propagation...
On 03/12/2019 14:40, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba, on that day, said...
> [...]
>     TMPF=$(w2u "$((${LOT} + ${LOD}))")
> [...]
> It returns '1'; in particular, lockoutTime is >0 while lockoutDuration is 0, so lockoutTime + lockoutDuration is >0 but still < 'now'.
>
> What am I doing wrong? Thanks.
>
Do you mean apart from '$((${LOT} + ${LOD}))' should really be '$((LOT+LOD))' ?

I take it that you are calling the function like this:

user_is_locked gaio

try it like this:

res=$(user_is_locked gaio)

change all 'return' to 'echo'

Then check what "$res" is

Rowland
Marco Gaiarin
2019-Dec-03 16:51 UTC
[Samba] Account locked and delayed user data propagation...
Hello! Rowland penny via samba, on that day, said...

> Do you mean apart from '$((${LOT} + ${LOD}))' should really be
> '$((LOT+LOD))' ?

Apart from the bashism, this seems not to be the point:

root@vdcsv1:~# bash -vx /tmp/test
LOT=1
+ LOT=1
LOD=1
+ LOD=1
TMPF=$((${LOT} + ${LOD}))
+ TMPF=2
echo $TMPF
+ echo 2
2
TMPF=$((LOT+LOD))
+ TMPF=2
echo $TMPF
+ echo 2
2

> I take it that you are calling the function like this: user_is_locked gaio
> try it like this: res=$(user_is_locked gaio)
> change all 'return' to 'echo'
> Then check what "$res" is

I've run the script manually with 'bash -x', and so I've seen that LOT is non-zero, while LOD is zero. But clearly 'LockoutTime' is in the past, and with a duration of zero... it is still in the past. ;-)

So, I restate the question: how can I determine if an account is locked with an LDAP query?!

Thanks.

-- 
dott. Marco Gaiarin
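An added example, not code from the thread, showing the lockout evaluation with lockoutDuration read from the domain root object instead of the user entry; BASEDN, the sam.ldb path and the "never expires" sentinel handling are assumptions:

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumptions: lockoutTime is
# a Windows FILETIME (100-ns intervals since 1601-01-01) on the user object;
# lockoutDuration is stored on the DOMAIN ROOT object, not on the user, as a
# NEGATIVE count of 100-ns intervals (a 30-minute policy is -18000000000).

# Windows FILETIME -> Unix epoch seconds (integer division).
w2u () {
    echo $(( ($1 - 116444736000000000) / 10000000 ))
}

# lock_state LOCKOUTTIME LOCKOUTDURATION NOW_EPOCH
# Prints "locked" or "unlocked"; exit status 0 when locked, 1 otherwise.
lock_state () {
    lot=$1; lod=${2:-0}; now=$3
    # Empty or zero lockoutTime: never locked, or reset by a successful logon.
    if [ -z "$lot" ] || [ "$lot" -eq 0 ]; then
        echo unlocked; return 1
    fi
    # Most negative 64-bit value is assumed to be the AD "never expires"
    # sentinel: the lock stays until an administrator clears it.
    if [ "$lod" = "-9223372036854775808" ]; then
        echo locked; return 0
    fi
    # The duration is negative, so subtracting it moves the expiry forward;
    # a zero duration leaves the expiry at lockoutTime itself (already past).
    expiry=$(w2u $(( lot - lod )))
    if [ "$expiry" -gt "$now" ]; then
        echo locked; return 0
    fi
    echo unlocked; return 1
}

# Wrapper that reads both attributes from sam.ldb. BASEDN (the domain DN) and
# the ldbsearch path are assumptions mirroring the thread's own invocations.
user_is_locked () {
    lot=$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "$BASEDN" \
        "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime |
        awk '/^lockoutTime: /{print $2}')
    lod=$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "$BASEDN" -s base \
        "(objectClass=*)" lockoutDuration |
        awk '/^lockoutDuration: /{print $2}')
    lock_state "$lot" "$lod" "$(date +%s)"
}
```

Querying lockoutDuration on the user entry returns nothing, which is why the thread's LOD defaulted to 0 and the comparison always fell into the past.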