Marco Gaiarin
2019-Dec-06 11:47 UTC
[Samba] Account locked and delayed user data propagation...
Hi! Rowland penny via samba, on that day, wrote...

> You cannot create an ldap filter using the above, you would have to filter
> the result of the ldap search.

I can confirm:

root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
# record 1
dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
msDS-User-Account-Control-Computed: 16
[...]
# returned 4 records
# 1 entries
# 3 referrals

root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
[...]
# returned 3 records
# 0 entries
# 3 referrals

there's no bitwise operator.

Anyway, I think it is better to use the msDS-User-Account-Control-Computed
value in the script, instead of trying to replicate the behaviour.


Thanks to all!

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland penny
2019-Dec-06 12:22 UTC
[Samba] Account locked and delayed user data propagation...
On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> Hi! Rowland penny via samba, on that day, wrote...
>
>> You cannot create an ldap filter using the above, you would have to filter
>> the result of the ldap search.
> I can confirm:
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
> # record 1
> dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> msDS-User-Account-Control-Computed: 16
> [...]
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
> [...]
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> there's no bitwise operator.
>
> Anyway, I think it is better to use the msDS-User-Account-Control-Computed
> value in the script, instead of trying to replicate the behaviour.
>
>
> Thanks to all!
>

It is your script, but I personally still think it is easier to check
'lockoutTime' (which you can filter on). If it isn't there or is set to
'0' then the account isn't locked. If it is set to anything but '0',
then the account is locked.

Rowland
Andrew Bartlett
2019-Dec-08 19:40 UTC
[Samba] Account locked and delayed user data propagation...
On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote:
> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> > Hi! Rowland penny via samba, on that day, wrote...
> >
> > > You cannot create an ldap filter using the above, you would have
> > > to filter the result of the ldap search.
> >
> > I can confirm:
> >
> > root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
> > # record 1
> > dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > msDS-User-Account-Control-Computed: 16
> > [...]
> > # returned 4 records
> > # 1 entries
> > # 3 referrals
> >
> > root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
> > [...]
> > # returned 3 records
> > # 0 entries
> > # 3 referrals
> >
> > there's no bitwise operator.
> >
> > Anyway, I think it is better to use the msDS-User-Account-Control-Computed
> > value in the script, instead of trying to replicate the behaviour.
> >
> >
> > Thanks to all!
> >
>
> It is your script, but I personally still think it is easier to check
> 'lockoutTime' (which you can filter on). If it isn't there or is set to
> '0' then the account isn't locked. If it is set to anything but '0',
> then the account is locked.
>
> Rowland

The reason we strongly encourage the use of the computed attributes is that
not only do they reflect what is going on internally, but they honour the
Password Settings Objects, e.g. fine grained password policy. It also avoids
computing the lockout duration on the client.

The account can be unlocked with lockoutTime set if the duration has expired:

From construct_msds_user_account_control_computed():

	int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
	if (lockoutTime != 0) {
		int64_t lockoutDuration;
		/* domain lockoutDuration, or the user's PSO msDS-LockoutDuration */
		lockoutDuration = get_user_lockout_duration(module, msg, parent, nc_root);
		/* zero locks out until the administrator intervenes */
		if (lockoutDuration >= 0) {
			msDS_User_Account_Control_Computed |= UF_LOCKOUT;
		} else if (lockoutTime - lockoutDuration >= now) {
			/* durations are stored as negative intervals, so this is
			 * lockoutTime + |lockoutDuration| still in the future */
			msDS_User_Account_Control_Computed |= UF_LOCKOUT;
		}
	}

I hope this clarifies things.

If someone has time (I'm swamped) it would be awesome if we had this stuff
in a wiki so folks don't need to reinvent the wheel.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
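The disagreement in this thread, as an added example that is not part of the original messages and not Samba's own code: a small Python script that parses ldbsearch-style output, replays the UF_LOCKOUT computation from the snippet Andrew quoted (same comparison, with lockoutDuration taken as a negative 100 ns interval and a value >= 0 meaning "locked until an administrator intervenes"), and sets it beside Rowland's "lockoutTime != 0" check. The four user entries, the DNs, the 30-minute domain lockoutDuration, the PSO and its zero msDS-LockoutDuration are all constructed for the demo; the PSO lookup via msDS-ResultantPSO is a simplification of what get_user_lockout_duration() does on the server.

```python
"""Added example (not from the thread or from Samba): replay the UF_LOCKOUT
computation quoted from construct_msds_user_account_control_computed() over
ldbsearch-style output and compare it with the naive 'lockoutTime != 0' check.
All sample entries, DNs and policy values below are constructed for the demo."""
from datetime import datetime, timezone

UF_LOCKOUT = 0x0010                  # the bit behind "msDS-User-Account-Control-Computed: 16"
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_nttime(dt):
    """Absolute AD timestamp: 100 ns ticks since 1601-01-01 UTC (how lockoutTime is stored)."""
    d = dt - NT_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def nt_interval(seconds):
    """AD stores durations such as lockoutDuration as *negative* 100 ns intervals."""
    return -int(seconds) * 10_000_000


def samba_uf_lockout(lockout_time, lockout_duration, now):
    """Mirror of the C snippet quoted in the thread (assumption: same int64 semantics)."""
    if lockout_time == 0:
        return 0
    if lockout_duration >= 0:        # zero locks out until the administrator intervenes
        return UF_LOCKOUT
    if lockout_time - lockout_duration >= now:   # lockoutTime + |duration| still in the future
        return UF_LOCKOUT
    return 0


def naive_lockout(lockout_time):
    """The check a plain LDAP filter can express: lockoutTime present and non-zero."""
    return UF_LOCKOUT if lockout_time != 0 else 0


def effective_lockout_duration(domain_duration, pso_duration=None):
    """A resultant PSO's msDS-LockoutDuration overrides the domain's lockoutDuration."""
    return domain_duration if pso_duration is None else pso_duration


def parse_ldif(text):
    """Minimal parser for the ldbsearch output shape shown in the thread (no base64, no folding)."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank line, '# record N' or '# returned N records'
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def classify(entries, now, domain_duration, pso_durations):
    """Return {dn: (naive_result, samba_result)} for every entry."""
    result = {}
    for e in entries:
        dn = e["dn"][0]
        lockout_time = int(e.get("lockoutTime", ["0"])[0])
        pso = e.get("msDS-ResultantPSO", [None])[0]           # assumed attribute for the demo
        duration = effective_lockout_duration(domain_duration, pso_durations.get(pso))
        result[dn] = (naive_lockout(lockout_time), samba_uf_lockout(lockout_time, duration, now))
    return result


# Constructed scenario: domain lockoutDuration of 30 min, one PSO that never auto-unlocks (0).
NOW = datetime(2019, 12, 6, 12, 0, tzinfo=timezone.utc)
NOW_NT = to_nttime(NOW)
DOMAIN_LOCKOUT_DURATION = nt_interval(30 * 60)
PSO_DN = "CN=Admins,CN=Password Settings Container,CN=System,DC=example,DC=test"
PSO_DURATIONS = {PSO_DN: 0}

SAMPLE_LDIF = f"""\
# record 1
dn: CN=alice,OU=Users,DC=example,DC=test
lockoutTime: {NOW_NT - 5 * 60 * 10_000_000}

# record 2
dn: CN=bob,OU=Users,DC=example,DC=test
lockoutTime: {NOW_NT - 2 * 3600 * 10_000_000}

# record 3
dn: CN=carol,OU=Users,DC=example,DC=test
lockoutTime: {NOW_NT - 2 * 3600 * 10_000_000}
msDS-ResultantPSO: {PSO_DN}

# record 4
dn: CN=dave,OU=Users,DC=example,DC=test
lockoutTime: 0

# returned 4 records
# 4 entries
# 0 referrals
"""


def run_example():
    return classify(parse_ldif(SAMPLE_LDIF), NOW_NT, DOMAIN_LOCKOUT_DURATION, PSO_DURATIONS)


if __name__ == "__main__":
    for dn, (naive, samba) in run_example().items():
        print(f"{dn:45} lockoutTime!=0 -> {naive:2}   computed -> {samba:2}")
```

bob is the case Andrew describes: lockoutTime is still set two hours after the lockout, so the filterable check reports him locked while the computed attribute, honouring the 30-minute duration, does not; carol shows a PSO overriding the domain policy. A script that only needs "is this user locked right now" is better off reading msDS-User-Account-Control-Computed than re-deriving this on the client.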