search for: lockouttime

...d. But: > yes, Provided you use the right attribute to search on ;-) > Something like this will give you if/when the account was locked out: > ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}' > See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4 following the link here the code: user_is_locked () { # We folow spec, if zero, is n...

...executed the command in two scenarios. > > Account 'user1' unlocked: > > root at gteste2:~# > root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > "dc=testead,dc=gsurfnet,dc=com" -s sub > '(&(objectclass=user)(samaccountname=user1))' lockoutTime > # record 1 > dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com > lockoutTime: 0 > > # Referral > ref: ldap:// > testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com > > # Referral > ref: ldap:// > testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,...

Mandi! Rowland penny via samba In chel di` si favelave... > I think you are over thinking this ;-) I'm simply applying the policy... ;-) https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime say at the bottom: This attribute value is only reset when the account is logged onto successfully. This means that this value may be non zero, yet the account is not locked out. To accurately determine if the account is locked out, you must add the Lockout-Duration to this time and compare t...

...think it is better to use msDS-User-Account-Control- > > Computed > > value in script, instead or trying to replicate the behaviour. > > > > > > Thanks to all! > > > > It is your script, but I personally still think it is easier to > check > 'lockoutTime' (which you can filter on). If it isn't there or is set > to > '0' then the account isn't locked. If it is set to anything but '0', > then the account is locked. > > Rowland The reason we strongly encourage the use of the computed attributes is that no...

On 04/12/2019 11:21, Marco Gaiarin via samba wrote: > Mandi! Rowland penny via samba > In chel di` si favelave... > >> I think you are over thinking this ;-) > I'm simply applying the policy... ;-) > > https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime > > say at the bottom: > > This attribute value is only reset when the account is logged onto successfully. > This means that this value may be non zero, yet the account is not locked out. > To accurately determine if the account is locked out, you must add the Lockout-Durat...

Mandi! Rowland penny via samba In chel di` si favelave... > As I said, if 'lockoutTime' isn't set or it is set to '0', then the user > isn't locked out, anything else and it is, but I do not believe that you can > set it to anything else but '0' manually, only the system can do this. > This is where 'lockoutDuration' comes in, the account...

...hink it boils down to an attribute being created with the time the account was locked. Can you try running the following on your Samba DC: ldbsearch -H /usr/local/samba/private/sam.ldb -b "dc=samdom,dc=example,dc=com" -s sub '(&(objectclass=user)(samaccountname=rowland))' lockoutTime You may have to install ldb-tools, you also will probably have to change the paths etc. If you get any output, can you please post the result. Rowland

...;> yes, Provided you use the right attribute to search on ;-) >> Something like this will give you if/when the account was locked out: >> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}' >> See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4 > following the link here the code: > > user_is_locked () { > > #...

Mandi! Rowland penny via samba In chel di` si favelave... > If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm > It says: So, seems to me that 'Lockout-Duration' is an 'unused option'... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via

On 05/12/2019 09:15, Andrew Bartlett via samba wrote: > On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote: >> Mandi! Rowland penny via samba >> In chel di` si favelave... >> >>> As I said, if 'lockoutTime' isn't set or it is set to '0', then the user >>> isn't locked out, anything else and it is, but I do not believe that you can >>> set it to anything else but '0' manually, only the system can do this. >>> This is where 'lockoutDuration'...

...owland penny via samba wrote: > On 05/12/2019 09:15, Andrew Bartlett via samba wrote: >> On Thu, 2019-12-05 at 09:44 +0100, Marco Gaiarin via samba wrote: >>> Mandi! Rowland penny via samba >>> ?? In chel di` si favelave... >>> >>>> As I said, if 'lockoutTime' isn't set or it is set to '0', then the >>>> user >>>> isn't locked out, anything else and it is, but I do not believe >>>> that you can >>>> set it to anything else but '0' manually, only the system can do this. >&gt...

I need to do some testing, but before to hit by head on a known wall, i ask here. My AD domain get used (via PAM/Winbind) to give access to some other dervice, most notably here dovecot. When password expire (or users change it) the MUA try the old password some times, then ask for a new password; users cleraly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3

Mandi! Rowland penny via samba In chel di` si favelave... > You cannot create an ldap filter using the above, you would have to filter > the result of the ldap search. I can confirm: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed # record 1 dn:

...scenarios. >> >> Account 'user1' unlocked: >> >> root at gteste2:~# >> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b >> "dc=testead,dc=gsurfnet,dc=com" -s sub >> '(&(objectclass=user)(samaccountname=user1))' lockoutTime >> # record 1 >> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com >> lockoutTime: 0 >> >> # Referral >> ref: ldap:// >> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com >> >> # Referral >> ref: ldap:// >> testea...

I executed the command in two scenarios. Account 'user1' unlocked: root at gteste2:~# root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=testead,dc=gsurfnet,dc=com" -s sub '(&(objectclass=user)(samaccountname=user1))' lockoutTime # record 1 dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com lockoutTime: 0 # Referral ref: ldap:// testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com # Referral ref: ldap:// testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com # Referral ref: ldap:// testead.g...

...y it like this: res=$(user_is_locked gaio) >> change all 'return' to 'echo' >> Then check what "$res" is > I've runm the script manually with 'bash -x', and so i've seen that LOT > is non zero, while LOD is zero. > > But clearly 'LockoutTime' is in the past, and with a duration of > zero... it is still in the past. ;-) > > > So, i restate the question: how can i determine if account is locked > with an LDAP query?! > > > Thanks. > I think you are over thinking this ;-) By default, a user object doesn'...

...http://www.selfadsi.org/extended-ad/user-unlock.htm >> It says: > So, seems to me that 'Lockout-Duration' is an 'unused option'... > From my understanding, it is supposed to work in the way you think it does, the account gets locked out (for whatever reason) and 'lockoutTime' gets set to the time it was locked out, but 'lockoutDuration' isn't set where you seem to think it is ;-) You have: ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" lockoutDuration | grep "^lockoutDuration: " | c...

...; > Thanks. > yes, Provided you use the right attribute to search on ;-) Something like this will give you if/when the account was locked out: ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))' lockoutTime | grep 'lockoutTime' | awk '{print $NF}' See here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/eb73820d-907a-49a5-a6f3-1847f86629b4 Rowland

...ser_is_locked gaio > try it like this: res=$(user_is_locked gaio) > change all 'return' to 'echo' > Then check what "$res" is I've runm the script manually with 'bash -x', and so i've seen that LOT is non zero, while LOD is zero. But clearly 'LockoutTime' is in the past, and with a duration of zero... it is still in the past. ;-) So, i restate the question: how can i determine if account is locked with an LDAP query?! Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' ht...

...ber: 513 msSFU30NisDomain: domain memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com mail: Duser.m.scott at domain.com userPrincipalName: dmscott at internal.domain.com givenName: Duser initials: M sn: Scott displayName: Duser M. Scott cn: Duser M. Scott name: Duser M. Scott scriptPath: GCS.cmd lockoutTime: 0 loginShell: /bin/bash msDS-SupportedEncryptionTypes: 0 userAccountControl: 528 accountExpires: 0 pwdLastSet: 130050989060000000 userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA BAEMAdAB4...