Andrew Bartlett
2019-Dec-08 19:40 UTC
[Samba] Account locked and delayed user data propagation...
On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote:
> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
> > Mandi! Rowland penny via samba
> > In chel di` si favelave...
> >
> > > You cannot create an ldap filter using the above, you would have
> > > to filter the result of the ldap search.
> >
> > I can confirm:
> >
> > root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
> > # record 1
> > dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > msDS-User-Account-Control-Computed: 16
> > [...]
> > # returned 4 records
> > # 1 entries
> > # 3 referrals
> >
> > root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
> > [...]
> > # returned 3 records
> > # 0 entries
> > # 3 referrals
> >
> > there's no bitwise operator.
> >
> > Anyway, I think it is better to use the msDS-User-Account-Control-Computed
> > value in the script, instead of trying to replicate the behaviour.
> >
> > Thanks to all!
>
> It is your script, but I personally still think it is easier to check
> 'lockoutTime' (which you can filter on). If it isn't there or is set to
> '0' then the account isn't locked. If it is set to anything but '0',
> then the account is locked.
>
> Rowland

The reason we strongly encourage the use of the computed attributes is
that not only do they reflect what is going on internally, but they
honour the Password Settings Objects, e.g. fine grained password policy.

It also avoids computing the lockout duration on the client. The
account can be unlocked with lockoutTime set if the duration has
expired:

From construct_msds_user_account_control_computed():

    int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
    if (lockoutTime != 0) {
            int64_t lockoutDuration;

            lockoutDuration = get_user_lockout_duration(module, msg,
                                                        parent,
                                                        nc_root);

            /* zero locks out until the administrator intervenes */
            if (lockoutDuration >= 0) {
                    msDS_User_Account_Control_Computed |= UF_LOCKOUT;
            } else if (lockoutTime - lockoutDuration >= now) {
                    msDS_User_Account_Control_Computed |= UF_LOCKOUT;
            }
    }

I hope this clarifies things. If someone has time (I'm swamped) it
would be awesome if we had this stuff in a wiki so folks don't need to
reinvent the wheel.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
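The lockout check quoted above, worked through on sample records as an added example (this is not Samba code and not from the thread). It mirrors the UF_LOCKOUT branch of construct_msds_user_account_control_computed() and puts it next to the client-side "lockoutTime != 0" shortcut, plus the local bit test one has to do instead of the 1.2.840.113556.1.4.803 filter that returned nothing above. The records, the "now" value, and the per-user effective lockoutDuration values (including the PSO that applies to "bob") are constructed for illustration.

```python
"""Lockout evaluation done the way the DC does it, versus the client-side
lockoutTime != 0 shortcut.  Added example for this thread, not Samba code.
The records, the "now" value and the per-user lockout durations below are
constructed for illustration."""

UF_LOCKOUT = 0x0010                 # the bit behind "msDS-User-Account-Control-Computed: 16"
NTTIME_PER_SECOND = 10_000_000      # lockoutTime is in 100-ns ticks since 1601-01-01
UNIX_TO_NT_OFFSET = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01


def unix_to_nttime(unix_seconds: int) -> int:
    """Seconds since 1970 -> 100-ns ticks since 1601 (the unit of lockoutTime)."""
    return (unix_seconds + UNIX_TO_NT_OFFSET) * NTTIME_PER_SECOND


def lockout_duration_nttime(minutes: int) -> int:
    """AD stores lockoutDuration as a negative tick count; 0 means
    'locked until an administrator unlocks'."""
    return 0 if minutes == 0 else -minutes * 60 * NTTIME_PER_SECOND


def uac_computed_lockout_bit(entry: dict, lockout_duration: int, now: int) -> int:
    """Mirror of the UF_LOCKOUT branch of Samba's
    construct_msds_user_account_control_computed().  lockout_duration must
    already be the effective value for this user (domain default or the PSO
    that applies to it); resolving that is what the DC does and a client
    usually does not."""
    computed = 0
    lockout_time = int(entry.get("lockoutTime", 0))
    if lockout_time != 0:
        if lockout_duration >= 0:
            computed |= UF_LOCKOUT   # zero locks out until the administrator intervenes
        elif lockout_time - lockout_duration >= now:
            computed |= UF_LOCKOUT   # lockoutTime + |duration| is still in the future
    return computed


def locked_per_dc(entries, effective_duration, now):
    """Accounts the DC would report with UF_LOCKOUT set in the computed attribute."""
    return {
        e["sAMAccountName"]
        for e in entries
        if uac_computed_lockout_bit(e, effective_duration[e["sAMAccountName"]], now) & UF_LOCKOUT
    }


def locked_per_lockouttime(entries):
    """The client-side shortcut: lockoutTime present and non-zero."""
    return {e["sAMAccountName"] for e in entries if int(e.get("lockoutTime", 0)) != 0}


def filter_by_bit(entries, attr, bit):
    """Client-side stand-in for the 1.2.840.113556.1.4.803 (bit-AND) matching
    rule, which the search in the thread shows returns nothing for this
    constructed attribute: fetch the attribute, then test the bit locally."""
    return [e for e in entries if int(e.get(attr, 0)) & bit]


# ---- constructed sample data --------------------------------------------
NOW = unix_to_nttime(1_575_800_000)   # 2019-12-08, roughly when the thread was written
MINUTE = 60 * NTTIME_PER_SECOND

SAMPLE_ENTRIES = [
    {"sAMAccountName": "gaio",  "lockoutTime": NOW - 10 * MINUTE},    # locked out 10 min ago
    {"sAMAccountName": "alice", "lockoutTime": NOW - 120 * MINUTE},   # locked out 2 h ago
    {"sAMAccountName": "bob",   "lockoutTime": NOW - 2880 * MINUTE},  # locked out 2 days ago
    {"sAMAccountName": "carol"},                                      # never locked out
]

# Effective lockoutDuration per user: a 30-minute domain default, except that
# a (constructed) PSO applying to bob says "until an administrator unlocks".
EFFECTIVE_DURATION = {
    "gaio": lockout_duration_nttime(30),
    "alice": lockout_duration_nttime(30),
    "bob": lockout_duration_nttime(0),
    "carol": lockout_duration_nttime(30),
}

if __name__ == "__main__":
    print("DC logic        :", sorted(locked_per_dc(SAMPLE_ENTRIES, EFFECTIVE_DURATION, NOW)))
    print("lockoutTime != 0:", sorted(locked_per_lockouttime(SAMPLE_ENTRIES)))
```

On this data the two checks disagree twice: alice's 30-minute window expired long ago, so the DC reports her unlocked although lockoutTime is still non-zero, and bob stays locked two days later because the PSO that applies to him sets the duration to 0. A client that hard-codes the domain default gets both wrong, which is the point of reading the computed attribute.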
Rowland penny
2019-Dec-08 20:26 UTC
[Samba] Account locked and delayed user data propagation...
On 08/12/2019 19:40, Andrew Bartlett wrote:
> On Fri, 2019-12-06 at 12:22 +0000, Rowland penny via samba wrote:
>> On 06/12/2019 11:47, Marco Gaiarin via samba wrote:
>>> Mandi! Rowland penny via samba
>>> In chel di` si favelave...
>>>
>>>> You cannot create an ldap filter using the above, you would have
>>>> to filter the result of the ldap search.
>>> I can confirm:
>>>
>>> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed
>>> # record 1
>>> dn: CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
>>> msDS-User-Account-Control-Computed: 16
>>> [...]
>>> # returned 4 records
>>> # 1 entries
>>> # 3 referrals
>>>
>>> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16))' msDS-User-Account-Control-Computed
>>> [...]
>>> # returned 3 records
>>> # 0 entries
>>> # 3 referrals
>>>
>>> there's no bitwise operator.
>>>
>>> Anyway, I think it is better to use the msDS-User-Account-Control-Computed
>>> value in the script, instead of trying to replicate the behaviour.
>>>
>>> Thanks to all!
>>>
>> It is your script, but I personally still think it is easier to check
>> 'lockoutTime' (which you can filter on). If it isn't there or is set to
>> '0' then the account isn't locked. If it is set to anything but '0',
>> then the account is locked.
>>
>> Rowland
> The reason we strongly encourage the use of the computed attributes is
> that not only do they reflect what is going on internally, but they
> honour the Password Settings Objects, e.g. fine grained password policy.
>
> It also avoids computing the lockout duration on the client. The
> account can be unlocked with lockoutTime set if the duration has
> expired:
>
> From construct_msds_user_account_control_computed():
>
>     int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
>     if (lockoutTime != 0) {
>             int64_t lockoutDuration;
>
>             lockoutDuration = get_user_lockout_duration(module, msg,
>                                                         parent,
>                                                         nc_root);
>
>             /* zero locks out until the administrator intervenes */
>             if (lockoutDuration >= 0) {
>                     msDS_User_Account_Control_Computed |= UF_LOCKOUT;
>             } else if (lockoutTime - lockoutDuration >= now) {
>                     msDS_User_Account_Control_Computed |= UF_LOCKOUT;
>             }
>     }
>
> I hope this clarifies things. If someone has time (I'm swamped) it
> would be awesome if we had this stuff in a wiki so folks don't need to
> reinvent the wheel.
>
> Andrew Bartlett

Well, yes, if you want to know if the account is locked and when the
user will be able to log in again, which will unlock the account.

However, if you have a user screaming down the phone at you, you will
probably just want to unlock the user. The quickest way is to search for
the user using 'lockoutTime' and, if it is set and set to anything but
'0', then set it to '0'; the user should then be able to login, provided
they use the correct password.

Alternatively, you could just reset the user's password, which will also
reset 'lockoutTime' to '0'.

If you want, I could write you a script to use the computed attribute,
but it will undoubtedly require a lot more lines than the one I have
that uses 'lockoutTime'.

Rowland
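The "search on lockoutTime, then set it to 0" pass described above, as an added example (not Rowland's script and not Samba code). It reads ldbsearch LDIF output, keeps the entries whose lockoutTime is present and non-zero, and emits the LDIF modify records that reset it for ldbmodify. SAMPLE_LDIF is constructed to look like ldbsearch output; its DNs and values are invented, and the ldbsearch/ldbmodify pipeline in the comment is the assumed way of using it.

```python
"""Unlock pass along the lines suggested in the thread: read ldbsearch LDIF
output, keep the entries whose lockoutTime is present and non-zero, and emit
the LDIF that sets it back to 0 for ldbmodify.  Added example, not Samba
code.  SAMPLE_LDIF is constructed to look like ldbsearch output; its DNs and
values are invented."""

import base64
import sys

SAMPLE_LDIF = """\
# record 1
dn: CN=gaio,OU=Users,OU=Example,DC=ad,DC=example,DC=com
sAMAccountName: gaio
lockoutTime: 132207494000000000

# record 2
dn: CN=alice,OU=Users,OU=Example,DC=ad,DC=example,DC=com
sAMAccountName: alice
lockoutTime: 0

# record 3
dn: CN=a user with a rather long common name,OU=Users,OU=Example,DC=ad,DC=exa
 mple,DC=com
sAMAccountName: longname
lockoutTime: 132207495000000000

# record 4
dn: CN=carol,OU=Users,OU=Example,DC=ad,DC=example,DC=com
sAMAccountName: carol

# returned 7 records
# 4 entries
# 3 referrals
"""


def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    skips '#' comment lines, decodes '::' base64 values, and splits entries
    on blank lines.  Each entry maps attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def locked_out_dns(entries):
    """DNs whose lockoutTime is set and non-zero.  The same condition can be
    pushed into the search itself, e.g. (&(objectClass=user)(lockoutTime>=1)),
    since lockoutTime is a stored integer attribute, unlike the computed one."""
    return [e["dn"][0] for e in entries if int(e.get("lockoutTime", ["0"])[0]) != 0]


def unlock_ldif(dns):
    """LDIF modify records that reset lockoutTime to 0, one per DN."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n-\n\n"
        for dn in dns
    )


if __name__ == "__main__":
    # Assumed use (not from the thread):
    #   ldbsearch -H /var/lib/samba/private/sam.ldb -b <base DN> \
    #       '(&(objectClass=user)(lockoutTime>=1))' lockoutTime \
    #   | python3 unlock.py | ldbmodify -H /var/lib/samba/private/sam.ldb
    # With no input on stdin it runs on the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    sys.stdout.write(unlock_ldif(locked_out_dns(parse_ldif(text))))
```

The caveat from the previous message applies: an account whose lockout window has already expired still carries a non-zero lockoutTime, so this listing also includes accounts the DC no longer reports as locked. Resetting those to 0 changes nothing for the user; it is only the "is it locked right now" question that needs the computed attribute.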
Marco Gaiarin
2019-Dec-09 09:46 UTC
[Samba] Account locked and delayed user data propagation...
Mandi! Andrew Bartlett via samba
In chel di` si favelave...

> I hope this clarifies things. If someone has time (I'm swamped) it
> would be awesome if we had this stuff in a wiki so folks don't need to
> reinvent the wheel.

I could try it. I've just sent a message to 'contributing@' to ask for
the token to be able to create the account.

But... where can I insert such info? Looking at current pages a good
starting point would be:

https://wiki.samba.org/index.php/Account_Management_Tools
or
https://wiki.samba.org/index.php/LDB

Probably the second link is the best choice, e.g. adding under 'Hidden
Attributes' a chapter 'Computed attributes'.

Thanks.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland penny
2019-Dec-09 10:27 UTC
[Samba] Account locked and delayed user data propagation...
On 09/12/2019 09:46, Marco Gaiarin via samba wrote:
> Mandi! Andrew Bartlett via samba
> In chel di` si favelave...
>
>> I hope this clarifies things. If someone has time (I'm swamped) it
>> would be awesome if we had this stuff in a wiki so folks don't need to
>> reinvent the wheel.
> I could try it. I've just sent a message to 'contributing@' to ask for
> the token to be able to create the account.
>
>
> But... where can I insert such info? Looking at current pages a good
> starting point would be:
>
> https://wiki.samba.org/index.php/Account_Management_Tools
> or
> https://wiki.samba.org/index.php/LDB
>
> Probably the second link is the best choice, e.g. adding under 'Hidden
> Attributes' a chapter 'Computed attributes'.
>
> Thanks.
>

I would go with the second link; what you are proposing isn't really an
account management tool like the others.

Rowland