Marco Gaiarin
2019-Dec-05 08:44 UTC
[Samba] Account locked and delayed user data propagation...
Mandi! Rowland penny via samba In chel di` si favelave...> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user > isn't locked out, anything else and it is, but I do not believe that you can > set it to anything else but '0' manually, only the system can do this. > This is where 'lockoutDuration' comes in, the account should be unlocked > when 'lockoutTime' + 'lockoutDuration' = NOW. > However, you want to script (presumably when someone contacts you and > screams 'I cannot log in') a way to unlock the user, the only way to do this > is to set 'lockoutTime' to '0' regardless of what it is set to now.Exactly. The function now appear as: user_is_locked () { local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep "^lockoutTime: " | cut -d ' ' -f 2-) if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then return 1 fi local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | cut -d ' ' -f 2-) if [ -z "${LOD}" ] || [ ${LOD} -eq 0 ]; then return 0 fi TMPF=$(w2u "$((${LOT} + ${LOD}))") if [ ${TMPF} -gt ${NOW} ]; then return 0 fi return 1 } And finally seems to work. ;-) -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Andrew Bartlett
2019-Dec-05 09:15 UTC
[Samba] Account locked and delayed user data propagation...
On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote:> Mandi! Rowland penny via samba > In chel di` si favelave... > > > As I said, if 'lockoutTime' isn't set or it is set to '0', then the user > > isn't locked out, anything else and it is, but I do not believe that you can > > set it to anything else but '0' manually, only the system can do this. > > This is where 'lockoutDuration' comes in, the account should be unlocked > > when 'lockoutTime' + 'lockoutDuration' = NOW. > > However, you want to script (presumably when someone contacts you and > > screams 'I cannot log in') a way to unlock the user, the only way to do this > > is to set 'lockoutTime' to '0' regardless of what it is set to now. > > Exactly. The function now appear as: > > > And finally seems to work. ;-)Also have a look at the msDS-User-Account-Control-Computed attribute. that will avoid you encoding this logic in your shell scripts as it is what Samba uses internally. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Marco Gaiarin
2019-Dec-05 10:05 UTC
[Samba] Account locked and delayed user data propagation...
Mandi! Andrew Bartlett via samba In chel di` si favelave...> Also have a look at the msDS-User-Account-Control-Computed attribute. > that will avoid you encoding this logic in your shell scripts as it is > what Samba uses internally.A-HA! Seems strange to me there's no such field... https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-user-account-control-computed so, i need to check for 'UF_LOCKOUT', i suppose... Thanks! -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland penny
2019-Dec-05 10:36 UTC
[Samba] Account locked and delayed user data propagation...
On 05/12/2019 09:15, Andrew Bartlett via samba wrote:> On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote: >> Mandi! Rowland penny via samba >> In chel di` si favelave... >> >>> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user >>> isn't locked out, anything else and it is, but I do not believe that you can >>> set it to anything else but '0' manually, only the system can do this. >>> This is where 'lockoutDuration' comes in, the account should be unlocked >>> when 'lockoutTime' + 'lockoutDuration' = NOW. >>> However, you want to script (presumably when someone contacts you and >>> screams 'I cannot log in') a way to unlock the user, the only way to do this >>> is to set 'lockoutTime' to '0' regardless of what it is set to now. >> Exactly. The function now appear as: >> >> >> And finally seems to work. ;-) > Also have a look at the msDS-User-Account-Control-Computed attribute. > that will avoid you encoding this logic in your shell scripts as it is > what Samba uses internally. > > Andrew Bartlett >It might be using it internally, but you cannot obtain it with an ldap search, it is system computed and as such isn't actually saved anywhere in AD. Rowland
Possibly Parallel Threads
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...
- Account locked and delayed user data propagation...