samba - Dec 2019 - Account locked and delayed user data propagation...

Mandi! Rowland penny via samba
  In chel di` si favelave...
> You cannot create an ldap filter using the above, you would have to filter
> the result of the ldap search.
I can confirm:

	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
DC=ad,DC=fvg,DC=lnf,DC=it
'(&(objectClass=user)(sAMAccountName=gaio))'
msDS-User-Account-Control-Computed
	# record 1
	dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
	msDS-User-Account-Control-Computed: 16
	[...]
	# returned 4 records
	# 1 entries
	# 3 referrals

	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
DC=ad,DC=fvg,DC=lnf,DC=it
'(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))'
msDS-User-Account-Control-Computed
	[...]
	# returned 3 records
	# 0 entries
	# 3 referrals

there's no bitwise operator.

Aniway, i think it is better to use msDS-User-Account-Control-Computed
value in script, instead or trying to replicate the behaviour.


Thanks to all!

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>
>> You cannot create an ldap filter using the above, you would have to
filter
>> the result of the ldap search.
> I can confirm:
>
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
DC=ad,DC=fvg,DC=lnf,DC=it
'(&(objectClass=user)(sAMAccountName=gaio))'
msDS-User-Account-Control-Computed
> 	# record 1
> 	dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> 	msDS-User-Account-Control-Computed: 16
> 	[...]
> 	# returned 4 records
> 	# 1 entries
> 	# 3 referrals
>
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
DC=ad,DC=fvg,DC=lnf,DC=it
'(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))'
msDS-User-Account-Control-Computed
> 	[...]
> 	# returned 3 records
> 	# 0 entries
> 	# 3 referrals
>
> there's no bitwise operator.
>
> Aniway, i think it is better to use msDS-User-Account-Control-Computed
> value in script, instead or trying to replicate the behaviour.
>
>
> Thanks to all!
>
It is your script, but I personally still think it is easier to check 
'lockoutTime' (which you can filter on). If it isn't there or is set
to
'0' then the account isn't locked. If it is set to anything but
'0',
then the account is locked.

Rowland

On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba
wrote:
> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> > Mandi! Rowland penny via samba
> >    In chel di` si favelave...
> > 
> > > You cannot create an ldap filter using the above, you would have
> > > to filter
> > > the result of the ldap search.
> > 
> > I can confirm:
> > 
> > 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> > DC=ad,DC=fvg,DC=lnf,DC=it
> > '(&(objectClass=user)(sAMAccountName=gaio))'
msDS-User-Account-
> > Control-Computed
> > 	# record 1
> > 	dn:
> > CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > 	msDS-User-Account-Control-Computed: 16
> > 	[...]
> > 	# returned 4 records
> > 	# 1 entries
> > 	# 3 referrals
> > 
> > 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> > DC=ad,DC=fvg,DC=lnf,DC=it
'(&(objectClass=user)(msDS-User-Account-
> > Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-
> > Control-Computed
> > 	[...]
> > 	# returned 3 records
> > 	# 0 entries
> > 	# 3 referrals
> > 
> > there's no bitwise operator.
> > 
> > Aniway, i think it is better to use msDS-User-Account-Control-
> > Computed
> > value in script, instead or trying to replicate the behaviour.
> > 
> > 
> > Thanks to all!
> > 
> 
> It is your script, but I personally still think it is easier to
> check 
> 'lockoutTime' (which you can filter on). If it isn't there or
is set
> to 
> '0' then the account isn't locked. If it is set to anything but
'0',
> then the account is locked.
> 
> Rowland
The reason we strongly encourage the use of the computed attributes is
that not only do they reflect what is going on internally, but they
honour the Password Settings Objects, eg fine grained password policy.

It also avoids computing the lockout duration on the client.  The
account can be unlocked with lockoutTime set if the duration has
expired:  
>From  construct_msds_user_account_control_computed():
		int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime",
0);
		if (lockoutTime != 0) {
			int64_t lockoutDuration;

			lockoutDuration = get_user_lockout_duration(module, msg,
								    parent,
								    nc_root);

			/* zero locks out until the administrator intervenes */
			if (lockoutDuration >= 0) {
				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
			} else if (lockoutTime - lockoutDuration >= now) {
				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
			}
		}

I hope this clarifies things.  If someone has time (I'm swamped) it
would be awesome of we had this stuff in a wiki so folks don't need to
reinvent the wheel.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba