Hi everyone, I'm unable to make account lockout work properly, and this is driving me mad.

I am running Samba version 3.0.23c-1.fc5 as a PDC with OpenLDAP 2.3.19 on FC5 (all packages from yum). I was running 3.0.21 with the same issue. I'm also using the Idealx scripts to manage LDAP.

The facts: I see very strange behaviour. The domain policy has been set up with the pdbedit tool (I even tried the export to LDAP). Accounts are created with the Idealx script. I have tested account creation both before and after setting up the account policy.

When a user enters a wrong password for the first time, the pdbedit command shows a "Bad password count" of 1. The LDAP field is not incremented. After the second attempt, nothing at all is incremented. "Bad password count" won't be reset before a pdbedit -z <login>.

Thanks in advance for your help.

Regards,
Herve

Debug 1 - first attempt

[2006/10/26 18:45:12, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user hr
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(107) : conn_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:45:12, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com], filter => [(objectclass=*)], scope => [0]
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 9] passdb/passdb.c:pdb_update_autolock_flag(1413)
  pdb_update_autolock_flag: Account hr not autolocked, no check needed
[2006/10/26 18:45:12, 9] passdb/passdb.c:pdb_update_bad_password_count(1373)
  No bad password attempts.
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(107) : conn_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:45:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:45:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user hr to be modified has dn: uid=hr,ou=People,dc=bcn,dc=teamlog,dc=com
[2006/10/26 18:45:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: hr
[2006/10/26 18:45:12, 3] passdb/pdb_ldap.c:init_ldap_from_sam(1212)
  updating bad password fields, policy=3, count=1, time=1161881112
[2006/10/26 18:45:12, 7] passdb/pdb_ldap.c:init_ldap_from_sam(1246)
  Updating bad password count and time in login cache
[2006/10/26 18:45:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:45:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:45:12, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [hr] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:45:12, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TLG] was for this SAM.
[2006/10/26 18:45:12, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [hr] -> [hr] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:45:12, 5] auth/auth_util.c:free_user_info(1866)
  attempting to free (and zero) a user_info structure
[2006/10/26 18:45:12, 5] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_WRONG_PASSWORD

Debug 2 - a second attempt

[2006/10/26 18:37:30, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user hr
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(103) : conn_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:37:30, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com], filter => [(objectclass=*)], scope => [0]
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 9] passdb/passdb.c:pdb_update_autolock_flag(1413)
  pdb_update_autolock_flag: Account hr not autolocked, no check needed
[2006/10/26 18:37:30, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com], filter => [(objectclass=*)], scope => [0]
[2006/10/26 18:37:30, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/10/26 18:37:30, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn => [sambaDomainName=TLG,dc=bcn,dc=teamlog,dc=com]
[2006/10/26 18:37:30, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/10/26 18:37:30, 0] passdb/passdb.c:pdb_update_bad_password_count(1378)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(103) : conn_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/10/26 18:37:30, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/10/26 18:37:30, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user hr to be modified has dn: uid=hr,ou=People,dc=bcn,dc=teamlog,dc=com
[2006/10/26 18:37:30, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: hr
[2006/10/26 18:37:30, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:37:30, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/10/26 18:37:30, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [hr] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:37:30, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TLG] was for this SAM.
[2006/10/26 18:37:30, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [hr] -> [hr] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/10/26 18:37:30, 5] auth/auth_util.c:free_user_info(1866)
  attempting to free (and zero) a user_info structure
[2006/10/26 18:37:30, 5] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_WRONG_PASSWORD

Testparm

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Shared]"
Processing section "[Doc]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
    unix charset = UTF8
    workgroup = TLG
    netbios name = TLGSRV
    server string = TLG Files Server
    password server = localhost
    passdb backend = ldapsam:ldap://127.0.0.1/
    pam password change = Yes
    username map = /etc/samba/smbusers
    password level = 8
    log level = 9
    log file = /var/log/samba/%m.log
    max log size = 500
    name resolve order = wins lmhosts bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    add user script = /usr/sbin/smbldap-useradd -a -i -m "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    logon script = startup.bat
    logon path =
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=Manager,dc=bcn,dc=teamlog,dc=com
    ldap delete dn = Yes
    ldap group suffix = ou=Group
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap suffix = dc=bcn,dc=teamlog,dc=com
    ldap user suffix = ou=People
    remote announce = 10.150.1.255 10.150.4.255
    remote browse sync = 10.150.1.1 10.150.4.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    hosts allow = 10.150.1., 10.150.4., 127.

[homes]
    comment = Home Directories
    valid users = %U
    read only = No
    create mask = 0600
    directory mask = 0700
    inherit owner = Yes
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    browseable = No

[Shared]
    path = /home/shared
    read only = No
    create mask = 0666
    directory mask = 0777
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes

[Doc]
    path = /home/doc
    read only = No
    create mask = 0660
    directory mask = 0770
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    guest ok = Yes

pdbedit

[EMAIL PROTECTED] ~]# pdbedit -Lv hr
INFO: Current debug levels:
  all: True/9
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
doing parameter workgroup = TLG
doing parameter netbios name = TLGSRV
handle_netbios_name: set global_myname to: TLGSRV
doing parameter enable privileges = yes
doing parameter server string = TLG Files Server
doing parameter hosts allow = 10.150.1. 10.150.4. 127.
doing parameter load printers = no
doing parameter log file = /var/log/samba/%m.log
doing parameter max log size = 500
doing parameter security = user
doing parameter password server = localhost
doing parameter password level = 8
doing parameter pam password change = yes
doing parameter username map = /etc/samba/smbusers
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter remote browse sync = 10.150.1.1 10.150.4.1
doing parameter remote announce = 10.150.1.255 10.150.4.255
doing parameter local master = yes
doing parameter os level = 33
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter domain logons = yes
doing parameter logon script = startup.bat
doing parameter logon path =
doing parameter name resolve order = wins lmhosts bcast
doing parameter wins support = yes
doing parameter wins proxy = no
doing parameter dns proxy = no
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter ldap passwd sync = Yes
doing parameter passdb backend = ldapsam:ldap://127.0.0.1/
doing parameter ldap admin dn = cn=Manager,dc=bcn,dc=teamlog,dc=com
doing parameter ldap suffix = dc=bcn,dc=teamlog,dc=com
doing parameter ldap group suffix = ou=Group
doing parameter ldap user suffix = ou=People
doing parameter ldap machine suffix = ou=Computers
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -a -i -m "%u"
doing parameter ldap delete dn = Yes
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
doing parameter Dos charset = CP850
doing parameter Unix charset = UTF8
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
doing parameter template shell = /bin/false
doing parameter winbind use default domain = false
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TLG))]
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=TLG))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Netbios name list:-
my_netbios_names[0]="TLGSRV"
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TLG))]
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=TLG))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter => [(&(uid=hr)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: hr
Opening cache file at /var/cache/samba/login_cache.tdb
Looking up login cache for user hr
Found login cache entry: timestamp 1161796734, flags 0x23a30010, count 1, time 1161796734
ldap time is 1161729143, cache time is 1161796734, bad time = 1161796734
Unix username:        hr
NT username:          hr
Account Flags:        [U ]
User SID:             S-1-5-21-3454558961-4160617652-613799516-3048
smbldap_search_ext: base => [ou=Group,dc=bcn,dc=teamlog,dc=com], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=512))], scope => [2]
init_group_from_ldap: Entry found for group: 512
lookup_global_sam_rid: looking up RID 512.
smbldap_search_ext: base => [dc=bcn,dc=teamlog,dc=com], filter => [(&(sambaSID=S-1-5-21-3454558961-4160617652-613799516-512)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3454558961-4160617652-613799516-512] count=0
smbldap_search_ext: base => [ou=Group,dc=bcn,dc=teamlog,dc=com], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-3454558961-4160617652-613799516-512))], scope => [2]
init_group_from_ldap: Entry found for group: 512
lookup_rids: Domain Admins:2
Primary Group SID:    S-1-5-21-3454558961-4160617652-613799516-512
Full Name:            VeV
Home Directory:       \\TLGSRV\hr
HomeDir Drive:        H:
Logon Script:         startup.bat
Profile Path:
Domain:               TLG
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Fri, 20 Oct 2006 19:14:15 CEST
Password can change:  Mon, 12 Jun 2006 15:12:54 CEST
Password must change: Thu, 18 Jan 2007 18:14:15 CET
Last bad password   : Wed, 25 Oct 2006 19:18:54 CEST
Bad password count  : 1
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
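Not part of Herve's message: an added Python example that parses the Samba 3 debug-log header format shown above and checks whether each failed logon in a capture produced an LDAP write of the bad-password counter, also surfacing the level-0 "cannot access LDAP when not root" error. The sample log is constructed from the messages quoted in the post, and the checks are plain string matches on those messages, not a Samba API.

```python
"""Added example (not from the post): audit Samba 3 debug logs for failed
logons whose bad-password counter never reached the LDAP backend.
SAMPLE is constructed from the message texts quoted in the post."""
import re
from collections import Counter

# Samba 3 log header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)",
# followed by the message on the next (indented) line.
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+?):(\w+)\((\d+)\)\s*")

SAMPLE = """\
[2006/10/26 18:45:12, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user hr
[2006/10/26 18:45:12, 3] passdb/pdb_ldap.c:init_ldap_from_sam(1212)
  updating bad password fields, policy=3, count=1, time=1161881112
[2006/10/26 18:45:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
[2006/10/26 18:37:30, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user hr
[2006/10/26 18:37:30, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/10/26 18:37:30, 0] passdb/passdb.c:pdb_update_bad_password_count(1378)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2006/10/26 18:37:30, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1790)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: hr
"""

def parse(text):
    """Yield (timestamp, level, source_file, function, message) per log entry."""
    parts = HEADER.split(text)
    # parts[0] is text before the first header; then 5 groups + message repeat.
    for i in range(1, len(parts), 6):
        ts, level, src, func, _line, msg = parts[i:i + 6]
        yield ts, int(level), src, func, " ".join(msg.split())

def audit(text):
    """Count failed logons and the backend outcomes that follow them."""
    c = Counter()
    for _ts, _level, _src, func, msg in parse(text):
        if "NT password check failed for user" in msg:
            c["failed_attempts"] += 1
        elif func == "init_ldap_from_sam" and "updating bad password fields" in msg:
            c["counter_updates_prepared"] += 1
        elif "mods is empty: nothing to update" in msg:
            c["ldap_writes_skipped"] += 1   # counter stayed in login_cache.tdb only
        elif "cannot access LDAP when not root" in msg:
            c["ldap_access_denied"] += 1    # level 0: logged even without debug logging
        elif "pdb_get_account_policy failed" in msg:
            c["policy_lookup_failed"] += 1
    report = dict(c)
    # Lockout can only trigger if failures are written to the shared backend.
    report["counter_persisted"] = (
        c["failed_attempts"] > 0 and c["ldap_writes_skipped"] < c["failed_attempts"])
    return report
```

Run `audit(open("/var/log/samba/machine.log").read())` against a real capture; a `counter_persisted` of False with `ldap_access_denied` above zero reproduces the symptom described in the post.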
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba