Re: [Samba] Enabling account lockouts

2004-07-16 Thread Jeremy Allison
On Wed, Jul 14, 2004 at 08:41:19AM -0400, Dunn, Drew A. wrote:
> I'm running Samba 3.0.4 (using a tdb backend) as the PDC for several Windows
> 2000 clients.  I would like to enable an account lockout policy.  I set the
> number of bad password attempts using pdbedit by issuing,
> 
> # pdbedit -P "bad lockout attempt" -C 3
> 
> and received confirmation that this was correct.  I then tried to enable
> locking by issuing
> 
> # pdbedit -u username -c "[L]"
> 
> However pdbedit -Lv does not show any change to the account flags.  I have
> been able to set other flags like "Password does not expire", "account
> disabled", etc.  When setting these I receive confirmation that the flag has
> been set but do not receive any confirmation when trying to set the lockout.
> 
> Any suggestions?  Is there something else I need to turn on for this to
> work?

Ok, try this patch - should fix the problem (it does here).

Jeremy.
Index: utils/pdbedit.c
===
--- utils/pdbedit.c (revision 1535)
+++ utils/pdbedit.c (working copy)
@@ -202,7 +202,6 @@
 {
SAM_ACCOUNT *sam_pwent=NULL;
BOOL ret;
-   BOOL updated_autolock = False, updated_badpw = False;
 
if (!NT_STATUS_IS_OK(pdb_init_sam (&sam_pwent))) {
return -1;
@@ -216,19 +215,6 @@
return -1;
}
 
-   if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock))
-   DEBUG(2,("pdb_update_autolock_flag failed.\n"));
-
-   if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw))
-   DEBUG(2,("pdb_update_bad_password_count failed.\n"));
-
-   if (updated_autolock || updated_badpw) {
-   become_root();
-   if(!pdb_update_sam_account(sam_pwent))
-   DEBUG(1, ("Failed to modify entry.\n"));
-   unbecome_root();
-   }
-
ret=print_sam_info (sam_pwent, verbosity, smbpwdstyle);
pdb_free_sam(&sam_pwent);

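Review bot: Missing comment above `ret=print_sam_info (sam_pwent, verbosity, smbpwdstyle);` saying that this listing path must not modify the entry. With the `pdb_update_autolock_flag` / `pdb_update_bad_password_count` calls and the `become_root()` write gone, the function now only reads and prints, and a one-line note to that effect would keep the refresh-then-write sequence from being reintroduced here later.
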
@@ -310,6 +296,7 @@
  const char *user_sid, const char *group_sid,
  const BOOL badpw)
 {
+   BOOL updated_autolock = False, updated_badpw = False;
SAM_ACCOUNT *sam_pwent=NULL;
BOOL ret;

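Review bot: `updated_autolock` and `updated_badpw`, declared on the added line, are only passed as out-parameters in the hunks shown and are never read afterwards, whereas the removed code tested them with `if (updated_autolock || updated_badpw)` before writing. Either add a comment that they are deliberately ignored because this path writes the entry back regardless, or test them where the result matters.
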
@@ -322,6 +309,14 @@
return -1;
}

+   if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) {
+   DEBUG(2,("pdb_update_autolock_flag failed.\n"));
+   }
+
+   if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw)) {
+   DEBUG(2,("pdb_update_bad_password_count failed.\n"));
+   }
+
if (fullname)
pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
if (homedir)
@@ -384,7 +379,7 @@
pdb_set_bad_password_count(sam_pwent, 0, PDB_CHANGED);
pdb_set_bad_password_time(sam_pwent, 0, PDB_CHANGED);
}
-   
+
if (NT_STATUS_IS_OK(in->pdb_update_sam_account (in, sam_pwent)))
print_user_info (in, username, True, False);
else {
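Review bot: Unrelated whitespace cleanup: the only change in this hunk is the trailing whitespace on the blank line before `if (NT_STATUS_IS_OK(in->pdb_update_sam_account (in, sam_pwent)))`. It would be better sent separately so the lockout fix stays minimal and easy to backport.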
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Enabling account lockouts

2004-07-16 Thread Jeremy Allison
On Wed, Jul 14, 2004 at 08:41:19AM -0400, Dunn, Drew A. wrote:
> I'm running Samba 3.0.4 (using a tdb backend) as the PDC for several Windows
> 2000 clients.  I would like to enable an account lockout policy.  I set the
> number of bad password attempts using pdbedit by issuing,
> 
> # pdbedit -P "bad lockout attempt" -C 3
> 
> and received confirmation that this was correct.  I then tried to enable
> locking by issuing
> 
> # pdbedit -u username -c "[L]"
> 
> However pdbedit -Lv does not show any change to the account flags.  I have
> been able to set other flags like "Password does not expire", "account
> disabled", etc.  When setting these I receive confirmation that the flag has
> been set but do not receive any confirmation when trying to set the lockout.
> 
> Any suggestions?  Is there something else I need to turn on for this to
> work?

No, this is a bug in that pdbedit when printing out a user account
info checks the current time and turns off/on the locked out flag L
based on if the account has timed out. pdbedit shouldn't be doing
that when printing an account - only when modifying. I'll fix it.

Thanks for the report.

Jeremy.
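
Added example (not part of the thread and not Samba's source): a simplified C model of the behaviour described in the message above, where listing an account recomputes the L flag, so a lock set by the administrator is gone by the time it is displayed. The struct, the function names and the expiry rule tied to the last bad-password time are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Simplified stand-in for a passdb entry; names are hypothetical, not Samba's. */
struct account {
    bool   locked;       /* the "L" account flag */
    time_t bad_pw_time;  /* time of the last bad password, 0 if there was none */
};

/* Assumed rule: a lock lapses `duration` s after the last bad password. Returns true if changed. */
static bool expire_autolock(struct account *a, time_t now, time_t duration)
{
    if (a->locked && now - a->bad_pw_time >= duration) {
        a->locked = false;
        return true;
    }
    return false;
}

/* Listing as described in the message: the flag is recomputed in place before it is shown. */
static bool list_with_refresh(struct account *a, time_t now, time_t duration)
{
    expire_autolock(a, now, duration);
    return a->locked;
}

/* Listing without the refresh: report exactly what is stored. */
static bool list_read_only(const struct account *a)
{
    return a->locked;
}

/* Modify path: refresh first, then apply the administrator's request. */
static void admin_set_lock(struct account *a, time_t now, time_t duration)
{
    expire_autolock(a, now, duration);
    a->locked = true;
}

int main(void)
{
    struct account u = { false, 0 };           /* constructed: no bad passwords yet */
    time_t now = 1089800000, window = 30 * 60; /* constructed values */
    admin_set_lock(&u, now, window);
    printf("read-only listing:  L=%d\n", list_read_only(&u));
    printf("refreshing listing: L=%d\n", list_with_refresh(&u, now, window));
    return 0;
}
```

In this model the read-only listing shows the lock, while the refreshing listing clears it as a side effect of being displayed.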


RE: [Samba] Enabling account lockouts

2004-07-14 Thread Dunn, Drew A.
I'm running Samba 3.0.4 (using a tdb backend) as the PDC for several Windows
2000 clients.  I would like to enable an account lockout policy.  I set the
number of bad password attempts using pdbedit by issuing,

# pdbedit -P "bad lockout attempt" -C 3

and received confirmation that this was correct.  I then tried to enable
locking by issuing

# pdbedit -u username -c "[L]"

However pdbedit -Lv does not show any change to the account flags.  I have
been able to set other flags like "Password does not expire", "account
disabled", etc.  When setting these I receive confirmation that the flag has
been set but do not receive any confirmation when trying to set the lockout.

Any suggestions?  Is there something else I need to turn on for this to
work?

Drew

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] 
> On Behalf Of Dunn, Drew A.
> Sent: Tuesday, July 13, 2004 8:34 AM
> To: '[EMAIL PROTECTED]'
> Subject: [Samba] Enabling account lockouts
> 
> 
> The release notes indicate support for bad password lockout 
> policy starting with version 3.0.3 but I can't figure out how 
> to enable it.  I didn't see anything in the docs about 
> turning it on.  I also tried looking through all the options 
> by using swat in advanced mode.  How do I enable bad password 
> lockout policy?


[Samba] Enabling account lockouts

2004-07-13 Thread Dunn, Drew A.
The release notes indicate support for bad password lockout policy starting
with version 3.0.3 but I can't figure out how to enable it.  I didn't see
anything in the docs about turning it on.  I also tried looking through all
the options by using swat in advanced mode.  How do I enable bad password
lockout policy?