Marco Gaiarin
2019-Dec-05 08:44 UTC
[Samba] Account locked and delayed user data propagation...
Hello! Rowland penny via samba, on that day, wrote...

> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user
> isn't locked out, anything else and it is, but I do not believe that you can
> set it to anything else but '0' manually, only the system can do this.
> This is where 'lockoutDuration' comes in, the account should be unlocked
> when 'lockoutTime' + 'lockoutDuration' = NOW.
> However, you want to script (presumably when someone contacts you and
> screams 'I cannot log in') a way to unlock the user, the only way to do this
> is to set 'lockoutTime' to '0' regardless of what it is set to now.

Exactly. The function now appears as:

    # Returns 0 if the user named in $1 is currently locked out, 1 otherwise.
    # Assumes LDB_OPTS, BASEDN, NOW (current unix time) and w2u (Windows
    # FILETIME -> unix time) are defined elsewhere in the script.
    user_is_locked () {
        local LOT LOD TMPF
        LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" \
                "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime |
              grep "^lockoutTime: " | cut -d ' ' -f 2-)
        # lockoutTime absent or 0: the account is not locked out
        if [ -z "${LOT}" ] || [ "${LOT}" -eq 0 ]; then
            return 1
        fi
        # lockoutDuration is a domain policy attribute: it lives on the
        # domain root object (BASEDN itself), not on the user, and is
        # stored as a negative interval in 100-ns units.
        LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" -s base lockoutDuration |
              grep "^lockoutDuration: " | cut -d ' ' -f 2-)
        # no usable duration: treat the account as still locked
        if [ -z "${LOD}" ] || [ "${LOD}" -eq 0 ]; then
            return 0
        fi
        # unlock moment = lockoutTime - lockoutDuration (duration is negative)
        TMPF=$(w2u "$((LOT - LOD))")
        if [ "${TMPF}" -gt "${NOW}" ]; then
            return 0
        fi
        return 1
    }

And finally it seems to work. ;-)

-- 
  dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Andrew Bartlett
2019-Dec-05 09:15 UTC
[Samba] Account locked and delayed user data propagation...
On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba, on that day, wrote...
> 
> > As I said, if 'lockoutTime' isn't set or it is set to '0', then the user
> > isn't locked out, anything else and it is, but I do not believe that you can
> > set it to anything else but '0' manually, only the system can do this.
> > This is where 'lockoutDuration' comes in, the account should be unlocked
> > when 'lockoutTime' + 'lockoutDuration' = NOW.
> > However, you want to script (presumably when someone contacts you and
> > screams 'I cannot log in') a way to unlock the user, the only way to do this
> > is to set 'lockoutTime' to '0' regardless of what it is set to now.
> 
> Exactly. The function now appears as:
> 
> 
> And finally it seems to work. ;-)

Also have a look at the msDS-User-Account-Control-Computed attribute.
That will save you encoding this logic in your shell scripts, as it is
what Samba uses internally.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Marco Gaiarin
2019-Dec-05 10:05 UTC
[Samba] Account locked and delayed user data propagation...
Hello! Andrew Bartlett via samba, on that day, wrote...

> Also have a look at the msDS-User-Account-Control-Computed attribute.
> That will save you encoding this logic in your shell scripts, as it is
> what Samba uses internally.

A-HA! It seemed strange to me that there's no such field...

  https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-user-account-control-computed

So, I need to check for 'UF_LOCKOUT', I suppose...

Thanks!

-- 
  dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
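A shell helper that takes Andrew's route, as an added example that is not code from the thread: msDS-User-Account-Control-Computed is constructed by the server and is only returned when named explicitly in the attribute list, so the function requests it by name and then tests the UF_LOCKOUT bit (0x0010). LDB_OPTS and BASEDN are assumed to be set as in Marco's script; the ldbsearch output at the bottom is constructed sample data for an offline check.

```shell
# Added example, not from the thread. Assumes LDB_OPTS and BASEDN are set
# as in Marco's script.
UF_LOCKOUT=16   # 0x0010, the lockout bit in the computed UAC value

# Extract the attribute value from ldbsearch output on stdin; prints
# nothing if the server did not return it.
parse_uac_computed () {
    sed -n 's/^msDS-User-Account-Control-Computed: //p' | head -n 1
}

# Return 0 if UF_LOCKOUT is set in $1, 1 if clear, 2 if the value is
# missing or not a number (2 means "unknown", never "not locked").
uac_is_locked () {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ $(( $1 & UF_LOCKOUT )) -ne 0 ]
}

# Query AD for one user by sAMAccountName. The constructed attribute has
# to be listed explicitly: an attribute list of '*' does not include it.
user_is_locked_uac () {
    uac_is_locked "$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" \
        "(&(objectClass=user)(sAMAccountName=$1))" \
        msDS-User-Account-Control-Computed | parse_uac_computed)"
}

# Constructed sample ldbsearch output for an offline check: 16 has only
# UF_LOCKOUT set; 8388608 (0x800000, UF_PASSWORD_EXPIRED) does not.
SAMPLE_LOCKED='dn: CN=alice,CN=Users,DC=example,DC=com
msDS-User-Account-Control-Computed: 16
'
SAMPLE_EXPIRED='dn: CN=bob,CN=Users,DC=example,DC=com
msDS-User-Account-Control-Computed: 8388608
'

# Map a captured ldbsearch result to locked / unlocked / unknown.
sample_state () {
    local rc=0
    uac_is_locked "$(printf '%s' "$1" | parse_uac_computed)" || rc=$?
    case $rc in 0) echo locked ;; 1) echo unlocked ;; *) echo unknown ;; esac
}
```

The third state matters operationally: an empty or unparsable value (for example a DC that did not return the attribute) should be reported as unknown rather than silently treated as "not locked".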
Rowland penny
2019-Dec-05 10:36 UTC
[Samba] Account locked and delayed user data propagation...
On 05/12/2019 09:15, Andrew Bartlett via samba wrote:
> On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote:
>> Hello! Rowland penny via samba, on that day, wrote...
>>
>>> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user
>>> isn't locked out, anything else and it is, but I do not believe that you can
>>> set it to anything else but '0' manually, only the system can do this.
>>> This is where 'lockoutDuration' comes in, the account should be unlocked
>>> when 'lockoutTime' + 'lockoutDuration' = NOW.
>>> However, you want to script (presumably when someone contacts you and
>>> screams 'I cannot log in') a way to unlock the user, the only way to do this
>>> is to set 'lockoutTime' to '0' regardless of what it is set to now.
>> Exactly. The function now appears as:
>>
>>
>> And finally it seems to work. ;-)
> Also have a look at the msDS-User-Account-Control-Computed attribute.
> That will save you encoding this logic in your shell scripts, as it is
> what Samba uses internally.
>
> Andrew Bartlett
>
It might be using it internally, but you cannot obtain it with an LDAP
search; it is system computed and as such isn't actually saved anywhere in AD.

Rowland