Hello guys!
I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3.
I am building a PDC with LDAP support (i am attaching my config files),
I'm also using ldapsam:trusted and ldapsam:editposix.
Although I am setting the account lock after 3 failed tries in usrmgr,
and verified that the parameters are actually set in the LDAP, no
locking occurs.
I started thinking that it was my fault, since i generate my own ldif
from a small app i created that reads a Windows AD and creates/fills an
OpenLDAP with the relevant info that Linux (posix account information)
and Samba needs, just like my "own" "net vampire", just that mine reads
a native AD and migrates to Samba, it just defaults passwords to 1-8.
cool! eh? ;)
Since everything seems to worked OK except for the account locking, i
rebuild the server from scratch using "net sam provision" and created
and extra account, joined a machine, but stills it seems account locking
is not working on samba 3.2.4.
any ideas/suggestions are welcome?
Victor Medina
**************
Some relevant steps i did to set it up
**************
smbpasswd -w 12345678
net idmap secret DEFAULT 12345678
net idmap secret alloc 12345678
rcwinbind restart
net sam provision
smbpasswd administrator
net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege
SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
rcsmb start && rcnmb start && rcwinbind start
***********************************
SMB.conf (global)
***********************************
[global]
workgroup = C1.VE
netbios name = PDC-EPA1
security = user
guest account = Invitado
map to guest = Bad User
enable privileges = yes
server string =
time server = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = yes
domain master = yes
os level = 65
preferred master = yes
wins support = yes
deadtime = 20
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Administrador,dc=xxxx
ldap suffix = dc=c1,c=ve,dc=xxx
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=people
ldap delete dn = yes
ldap passwd sync = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap domains = DEFAULT
idmap config DEFAULT:backend = ldap
idmap config DEFAULT:readonly = no
idmap config DEFAULT:default = yes
idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
idmap config DEFAULT:ldap_url = ldap://127.0.0.1
idmap config DEFAULT:range = 10000-100000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:range = 10000-100000
printing = cups
printcap name = cups
show add printer wizard = yes
load printers = yes
create mask = 0640
directory mask = 0750
force create mode = 0640
force directory mode = 0750
preserve case = yes
short preserve case = yes
case sensitive = no
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
nt acl support = yes
***********************
slapd.conf
***********************
modulepath /usr/lib/openldap/modules
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
loglevel -1
database bdb
suffix "dc=xxx"
rootdn "cn=Administrador,dc=xxx"
rootpw "{SSHA}xxx"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber,memberUid eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub
*****************************
LDIF:
*****************************
# This file was generated on 2008-11-05 at 11:20:00
# from the ldap://172.16.152.200:389 (bound as
cn=Administrador,dc=xxxx)
# by Softerra LDAP Administrator v3
[ http://www.ldapadministrator.com ]
dn: c=ve,dc=xxxx
c: ve
objectClass: top
objectClass: country
description: Infraestructura Tecnologica - Venezuela
dn: dc=c1,c=ve,dc=xxxx
dc: c1
objectClass: dcObject
objectClass: organizationalUnit
ou: Tienda 1 / Oficina Central xxxx / Venezuela
description: xxxx / Oficina Central EPA / Venezuela
dn: ou=people,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
ou: people
dn: ou=group,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
ou: group
dn: ou=idmap,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: idmap
gidNumber: 10016
uidNumber: 10004
dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
sambaDomainName: C1.VE
sambaSID: S-1-5-21-1230964018-1252349843-1944742870
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1002
sambaLockoutDuration: -1
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 3
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: 7776000
sambaMinPwdAge: 0
sambaForceLogoff: -1
dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domusers
displayName: Domain Users
gidNumber: 10000
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
sambaGroupType: 2
dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadmins
displayName: Domain Admins
gidNumber: 10001
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
sambaGroupType: 2
dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
cn: Administrator
displayName: Administrator
uidNumber: 10000
gidNumber: 10001
homeDirectory: /home/C1.VE/Administrator
loginShell: /bin/false
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
sambaPasswordHistory:
0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1225815211
sambaAcctFlags: [U ]
userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
sambaProfilePath::
IA==
dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Invitado
cn: Invitado
displayName: Invitado
uidNumber: 10001
gidNumber: 10000
homeDirectory: /
loginShell: /bin/false
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
sambaAcctFlags: [DU ]
dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
gidNumber: 10002
sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512
dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10003
sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513
dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
uid: FERRETER-PRUQ3Z$
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
objectClass: posixAccount
cn: FERRETER-PRUQ3Z$
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/C1.VE/SMB_workstations_home
loginShell: /bin/false
sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
sambaPwdLastSet: 1225815330
dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
uid: test001
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
objectClass: sambaSamAccount
objectClass: account
objectClass: posixAccount
cn: test001
uidNumber: 10003
gidNumber: 10000
homeDirectory: /home/C1.VE/test001
loginShell: /bin/false
sambaKickoffTime: 0
sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
sambaPasswordHistory:
B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000
sambaPwdLastSet: 1225815887
userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
sambaProfilePath::
IA==
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0
sambaBadPasswordCount: 0
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
