samba - Dec 2019 - Account locked and delayed user data propagation...

Mandi! Rowland penny via samba
  In chel di` si favelave...
> As I said, if 'lockoutTime' isn't set or it is set to
'0', then the user
> isn't locked out, anything else and it is, but I do not believe that
you can
> set it to anything else but '0' manually, only the system can do
this.
> This is where 'lockoutDuration' comes in, the account should be
unlocked
> when 'lockoutTime' + 'lockoutDuration' = NOW.
> However, you want to script (presumably when someone contacts you and
> screams 'I cannot log in') a way to unlock the user, the only way
to do this
> is to set 'lockoutTime' to '0' regardless of what it is set
to now.
Exactly. The function now appear as:

 user_is_locked () {

        local LOT=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" lockoutTime | grep
"^lockoutTime: " | cut -d ' ' -f 2-)
        if [ -z "${LOT}" ] || [ ${LOT} -eq 0 ]; then
                return 1
        fi

        local LOD=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}"
"(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep
"^lockoutDuration: " | cut -d ' ' -f 2-)
        if [ -z "${LOD}" ] || [ ${LOD} -eq 0 ]; then
                return 0
        fi

        TMPF=$(w2u "$((${LOT} + ${LOD}))")
        if [ ${TMPF} -gt ${NOW} ]; then
                return 0
        fi

        return 1
 }

And finally seems to work. ;-)

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba
wrote:
> Mandi! Rowland penny via samba
>   In chel di` si favelave...
> 
> > As I said, if 'lockoutTime' isn't set or it is set to
'0', then the user
> > isn't locked out, anything else and it is, but I do not believe
that you can
> > set it to anything else but '0' manually, only the system can
do this.
> > This is where 'lockoutDuration' comes in, the account should
be unlocked
> > when 'lockoutTime' + 'lockoutDuration' = NOW.
> > However, you want to script (presumably when someone contacts you and
> > screams 'I cannot log in') a way to unlock the user, the only
way to do this
> > is to set 'lockoutTime' to '0' regardless of what it
is set to now.
> 
> Exactly. The function now appear as:
> 
> 
> And finally seems to work. ;-)
Also have a look at the msDS-User-Account-Control-Computed attribute. 
that will avoid you encoding this logic in your shell scripts as it is
what Samba uses internally.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Mandi! Andrew Bartlett via samba
  In chel di` si favelave...
> Also have a look at the msDS-User-Account-Control-Computed attribute. 
> that will avoid you encoding this logic in your shell scripts as it is
> what Samba uses internally.
A-HA! Seems strange to me there's no such field...

	https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-user-account-control-computed

so, i need to check for 'UF_LOCKOUT', i suppose...


Thanks!

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 05/12/2019 09:15, Andrew Bartlett via samba wrote:
> On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote:
>> Mandi! Rowland penny via samba
>>    In chel di` si favelave...
>>
>>> As I said, if 'lockoutTime' isn't set or it is set to
'0', then the user
>>> isn't locked out, anything else and it is, but I do not believe
that you can
>>> set it to anything else but '0' manually, only the system
can do this.
>>> This is where 'lockoutDuration' comes in, the account
should be unlocked
>>> when 'lockoutTime' + 'lockoutDuration' = NOW.
>>> However, you want to script (presumably when someone contacts you
and
>>> screams 'I cannot log in') a way to unlock the user, the
only way to do this
>>> is to set 'lockoutTime' to '0' regardless of what
it is set to now.
>> Exactly. The function now appear as:
>>
>>
>> And finally seems to work. ;-)
> Also have a look at the msDS-User-Account-Control-Computed attribute.
> that will avoid you encoding this logic in your shell scripts as it is
> what Samba uses internally.
>
> Andrew Bartlett
>
It might be using it internally, but you cannot obtain it with an ldap 
search, it is system computed and as such isn't actually saved anywhere 
in AD.

Rowland