Re: [Samba] Enabling account lockouts
On Wed, Jul 14, 2004 at 08:41:19AM -0400, Dunn, Drew A. wrote:
> I'm running Samba 3.0.4 (using a tdb backend) as the PDC for several Windows
> 2000 clients. I would like to enable an account lockout policy. I set the
> number of bad password attempts using pdbedit by issuing,
>
> # pdbedit -P "bad lockout attempt" -C 3
>
> and received confirmation that this was correct. I then tried to enable
> locking by issuing
>
> # pdbedit -u username -c "[L]"
>
> However pdbedit -Lv does not show any change to the account flags. I have
> been able to set other flags like "Password does not expire", "account
> disabled", etc. When setting these I receive confirmation that the flag has
> been set but do not receive any confirmation when trying to set the lockout.
>
> Any suggestions? Is there something else I need to turn on for this to
> work?

Ok, try this patch - should fix the problem (it does here).

Jeremy.

Index: utils/pdbedit.c === --- utils/pdbedit.c (revision 1535) +++ utils/pdbedit.c (working copy) @@ -202,7 +202,6 @@ { SAM_ACCOUNT *sam_pwent=NULL; BOOL ret; - BOOL updated_autolock = False, updated_badpw = False; if (!NT_STATUS_IS_OK(pdb_init_sam (&sam_pwent))) { return -1; @@ -216,19 +215,6 @@ return -1; } - if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) - DEBUG(2,("pdb_update_autolock_flag failed.\n")); - - if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw)) - DEBUG(2,("pdb_update_bad_password_count failed.\n")); - - if (updated_autolock || updated_badpw) { - become_root(); - if(!pdb_update_sam_account(sam_pwent)) - DEBUG(1, ("Failed to modify entry.\n")); - unbecome_root(); - } - ret=print_sam_info (sam_pwent, verbosity, smbpwdstyle); pdb_free_sam(&sam_pwent); @@ -310,6 +296,7 @@ const char *user_sid, const char *group_sid, const BOOL badpw) { + BOOL updated_autolock = False, updated_badpw = False; SAM_ACCOUNT *sam_pwent=NULL; BOOL ret; 
@@ -322,6 +309,14 @@ return -1; } + if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) { + DEBUG(2,("pdb_update_autolock_flag failed.\n")); + } + + if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw)) { + DEBUG(2,("pdb_update_bad_password_count failed.\n")); + } + if (fullname) pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED); if (homedir) @@ -384,7 +379,7 @@ pdb_set_bad_password_count(sam_pwent, 0, PDB_CHANGED); pdb_set_bad_password_time(sam_pwent, 0, PDB_CHANGED); } - + if (NT_STATUS_IS_OK(in->pdb_update_sam_account (in, sam_pwent))) print_user_info (in, username, True, False); else { -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
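Review bot: Nothing in the -216,19 +215,6 hunk records that listing is now read-only, so after this change `pdbedit -Lv` prints the stored L flag even for an account whose lockout has already timed out. A one-line comment above `ret=print_sam_info (sam_pwent, verbosity, smbpwdstyle);` saying the flag and bad-password count are refreshed only when an account is modified would keep the refresh from being reintroduced here.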
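Review bot: In the -322,6 +309,14 hunk, `updated_autolock` and `updated_badpw` are filled in but nothing in the visible lines reads them, and a failure of either call is only logged at DEBUG level 2 before the function carries on modifying the account. If the later `in->pdb_update_sam_account (in, sam_pwent)` is what is meant to persist these refreshes, a short comment saying so would help, and it is worth deciding whether a failed refresh should abort the modification instead of continuing.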
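Review bot: The -384,7 +379,7 hunk swaps one blank line for another just before `if (NT_STATUS_IS_OK(in->pdb_update_sam_account (in, sam_pwent)))`, which looks like a whitespace-only change. It could be dropped so the patch carries only the lockout fix.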
Re: [Samba] Enabling account lockouts
On Wed, Jul 14, 2004 at 08:41:19AM -0400, Dunn, Drew A. wrote:
> I'm running Samba 3.0.4 (using a tdb backend) as the PDC for several Windows
> 2000 clients. I would like to enable an account lockout policy. I set the
> number of bad password attempts using pdbedit by issuing,
>
> # pdbedit -P "bad lockout attempt" -C 3
>
> and received confirmation that this was correct. I then tried to enable
> locking by issuing
>
> # pdbedit -u username -c "[L]"
>
> However pdbedit -Lv does not show any change to the account flags. I have
> been able to set other flags like "Password does not expire", "account
> disabled", etc. When setting these I receive confirmation that the flag has
> been set but do not receive any confirmation when trying to set the lockout.
>
> Any suggestions? Is there something else I need to turn on for this to
> work?

No, this is a bug in that pdbedit when printing out a user account info checks the current time and turns off/on the locked out flag L based on if the account has timed out. pdbedit shouldn't be doing that when printing an account - only when modifying. I'll fix it.

Thanks for the report.

Jeremy.
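The behaviour described in the reply above, reduced to a small model: a listing routine that refreshes the lock flag before printing, next to a read-only one. This is an added example, not Samba's code; the struct, flag value, function names and the 30-minute duration are hypothetical, and it assumes a hand-set L with no recorded bad-password time looks like an expired lockout.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define FLAG_LOCKED 0x1u   /* hypothetical flag bit, not Samba's value */

/* Simplified stand-in for a stored account record (hypothetical). */
struct account {
    unsigned flags;
    time_t bad_password_time;   /* last failed logon, 0 if none recorded */
};

/* Clear the lock flag once the lockout window has elapsed. */
static bool update_autolock(struct account *a, time_t now, time_t duration)
{
    if (!(a->flags & FLAG_LOCKED))
        return false;
    if (now - a->bad_password_time < duration)
        return false;            /* still inside the lockout window */
    a->flags &= ~FLAG_LOCKED;
    return true;                 /* record changed */
}

/* Listing that refreshes the flag first: a side effect in a read path. */
bool listed_locked_with_refresh(struct account *a, time_t now, time_t duration)
{
    update_autolock(a, now, duration);
    return (a->flags & FLAG_LOCKED) != 0;
}

/* Read-only listing: report what is stored and nothing else. */
bool listed_locked_readonly(const struct account *a)
{
    return (a->flags & FLAG_LOCKED) != 0;
}

/* An administrator sets L by hand; no failed logon has been recorded. */
struct account admin_locked(void)
{
    return (struct account){ FLAG_LOCKED, 0 };
}

int main(void)
{
    time_t now = 1089800000, duration = 30 * 60;   /* constructed values */
    struct account a = admin_locked(), b = admin_locked();
    printf("refresh on list: L=%d, read-only list: L=%d\n",
           listed_locked_with_refresh(&a, now, duration), listed_locked_readonly(&b));
    return 0;
}
```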
RE: [Samba] Enabling account lockouts
I'm running Samba 3.0.4 (using a tdb backend) as the PDC for several Windows 2000 clients. I would like to enable an account lockout policy. I set the number of bad password attempts using pdbedit by issuing,

# pdbedit -P "bad lockout attempt" -C 3

and received confirmation that this was correct. I then tried to enable locking by issuing

# pdbedit -u username -c "[L]"

However pdbedit -Lv does not show any change to the account flags. I have been able to set other flags like "Password does not expire", "account disabled", etc. When setting these I receive confirmation that the flag has been set but do not receive any confirmation when trying to set the lockout.

Any suggestions? Is there something else I need to turn on for this to work?

Drew

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Dunn, Drew A.
> Sent: Tuesday, July 13, 2004 8:34 AM
> To: '[EMAIL PROTECTED]'
> Subject: [Samba] Enabling account lockouts
>
>
> The release notes indicate support for bad password lockout
> policy starting with version 3.0.3 but I can't figure out how
> to enable it. I didn't see anything in the docs about
> turning it on. I also tried looking through all the options
> by using swat in advanced mode. How do I enable bad password
> lockout policy?
[Samba] Enabling account lockouts
The release notes indicate support for bad password lockout policy starting with version 3.0.3 but I can't figure out how to enable it. I didn't see anything in the docs about turning it on. I also tried looking through all the options by using swat in advanced mode. How do I enable bad password lockout policy?