Marco Gaiarin
2019-Dec-04 16:36 UTC
[Samba] Account locked and delayed user data propagation...
Hello! Rowland penny via samba
  On that day it was said...

> If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm
> It says:

So, seems to me that 'Lockout-Duration' is an 'unused option'...

-- 
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland penny
2019-Dec-04 17:36 UTC
[Samba] Account locked and delayed user data propagation...
On 04/12/2019 16:36, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>   On that day it was said...
>
>> If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm
>> It says:
>
> So, seems to me that 'Lockout-Duration' is an 'unused option'...

From my understanding, it is supposed to work in the way you think it does, the account gets locked out (for whatever reason) and 'lockoutTime' gets set to the time it was locked out, but 'lockoutDuration' isn't set where you seem to think it is ;-)

You have:

    ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-

It should be:

    ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=domain)(lockoutDuration=*))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-

As I said, if 'lockoutTime' isn't set or it is set to '0', then the user isn't locked out, anything else and it is, but I do not believe that you can set it to anything else but '0' manually, only the system can do this.

This is where 'lockoutDuration' comes in, the account should be unlocked when 'lockoutTime' + 'lockoutDuration' = NOW.

However, you want to script (presumably when someone contacts you and screams 'I cannot log in') a way to unlock the user, the only way to do this is to set 'lockoutTime' to '0' regardless of what it is set to now.

Rowland
Marco Gaiarin
2019-Dec-05 08:44 UTC
[Samba] Account locked and delayed user data propagation...
Hello! Rowland penny via samba
  On that day it was said...

> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user
> isn't locked out, anything else and it is, but I do not believe that you can
> set it to anything else but '0' manually, only the system can do this.
> This is where 'lockoutDuration' comes in, the account should be unlocked
> when 'lockoutTime' + 'lockoutDuration' = NOW.
> However, you want to script (presumably when someone contacts you and
> screams 'I cannot log in') a way to unlock the user, the only way to do this
> is to set 'lockoutTime' to '0' regardless of what it is set to now.

Exactly. The function now appears as:

    user_is_locked () {
        # lockoutTime is stored on the user object; unset or 0 means "not locked".
        local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep "^lockoutTime: " | cut -d ' ' -f 2-)
        if [ -z "${LOT}" ] || [ "${LOT}" -eq 0 ]; then
            return 1
        fi

        # lockoutDuration is stored on the domain object, not on the user.
        local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=domain)(lockoutDuration=*))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-)
        if [ -z "${LOD}" ] || [ "${LOD}" -eq 0 ]; then
            return 0
        fi

        # lockoutDuration is a negative interval, so subtracting it gives the unlock time.
        # w2u and NOW are defined elsewhere in the script (not shown in this message).
        local TMPF=$(w2u "$((LOT - LOD))")
        if [ "${TMPF}" -gt "${NOW}" ]; then
            return 0
        fi
        return 1
    }

And finally seems to work. ;-)
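The lock test discussed in this thread, reduced to a function that takes the raw attribute values, as an added example that is not part of the original posts. It assumes 'lockoutDuration' (read from the domain object) is a negative count of 100 ns ticks and that the minimum 64-bit value means no automatic unlock; the function names and all sample values are constructed for illustration.

```bash
#!/bin/bash
# Added example: decide the lock state from raw attribute values, with no
# directory access. Function names are hypothetical, not from the thread.

# AD timestamps count 100 ns ticks since 1601-01-01 UTC.
TICKS_PER_SEC=10000000
EPOCH_DIFF=11644473600        # seconds from 1601-01-01 to 1970-01-01
# Assumption: "no automatic unlock" is stored as the minimum 64-bit integer.
LOCK_FOREVER="-9223372036854775808"

# filetime_to_unix TICKS: print the Unix time (seconds) for an AD timestamp.
filetime_to_unix () {
    echo $(( $1 / $TICKS_PER_SEC - $EPOCH_DIFF ))
}

# lock_state LOCKOUT_TIME LOCKOUT_DURATION NOW_UNIX
#   LOCKOUT_TIME      user attribute 'lockoutTime' (empty or 0: not locked)
#   LOCKOUT_DURATION  domain attribute 'lockoutDuration'; assumed to be a
#                     negative tick count, e.g. -18000000000 for 30 minutes
# Prints "unlocked", "locked-no-expiry" or "locked-until <unix time>" and
# returns 0 only while the account is locked.
lock_state () {
    local lot="${1:-0}" lod="${2:-0}" now="$3" unlock_at
    if [ "$lot" -eq 0 ]; then
        echo "unlocked"; return 1
    fi
    # Unknown or unlimited duration: only resetting lockoutTime to 0 unlocks.
    if [ "$lod" = "$LOCK_FOREVER" ] || [ "$lod" -eq 0 ]; then
        echo "locked-no-expiry"; return 0
    fi
    # The duration is negative, so subtracting it moves forward in time.
    unlock_at=$(filetime_to_unix $(( $lot - $lod )))
    if [ "$unlock_at" -gt "$now" ]; then
        echo "locked-until $unlock_at"; return 0
    fi
    echo "unlocked"; return 1    # the lockout window has expired
}
```

In a script like the one above, the first two arguments would come from the two ldbsearch queries and the third from `date +%s`.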