Let me try asking something different.

The field 'sambaKickoffTime' in LDAP (if set to a correct time) will prevent a 
user from logging into a windows system. The time format for 
'pwdaccountlockedtime' is acceptable for the sambaKickoffTime field as well.

If I modify the samba source, source3/lib/smbldap.c, and change the 
'sambaKickoffTime' items to 'pwdaccountlockedtime' and rebuild, everything 
works the way I would like... so samba is now looking at the same field in the 
LDAP server that the linux side is. yay.

However... does anyone know of a way to accomplish the same thing without a 
code recompile? Can /etc/ldap.conf nss_map_attributes work for the same thing? 
(I didn't get this to work, but I may not have done it right)... or is there an 
obscure setting in the schema that I can use to have samba look at the other 
attribute?

Thanks.

> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
> 
> 2011/1/14 Kevin Taylor <groucho.64...@hotmail.com>:
> 
> > I did give it a try with no luck. However, I'm not sure that the way the 
> > pam rules I have set out would cause that to trip anyway.
> >
> > On most of our linux machines, we'd have the system-auth looking like this 
> > (what is the default generated by system-config-authentication)
> >
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_ldap.so use_first_pass
> > auth        required      pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails, then 
> > the user will be denied. That's fine...but in practice, once the LDAP 
> > server locks out the account, samba still is able to read what it needs 
> > from the sambantpassword field, and thus approves the connection.
> 
> Sorry, the auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into the account section. For example,
> /etc/pam.d/common-account on
> my lenny box:
> 
> -----
> account required        pam_unix.so
> account required       pam_deny.so
> -----
> 
> This means: always FAIL at the account section.
> 
> Checking whether an account is disabled is usually done in the account section, I 
> think.
> 
> ---
> TAKAHASHI Motonobu <mo...@samba.gr.jp>
                                          
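As an added example (not from anyone in this thread), one way to get the effect the question asks for without patching smbldap.c: a small script that takes each user's pwdAccountLockedTime, as written by OpenLDAP's ppolicy overlay, and mirrors it into sambaKickoffTime (an epoch-seconds integer in the Samba schema) as an LDIF modify, so Samba refuses the locked account through its own attribute. The sample DNs and lock values are constructed, the surrounding ldapsearch/ldapmodify step is assumed, and using 1 for ppolicy's permanent-lock sentinel is my choice (any past instant expires the account).

```python
"""Mirror an OpenLDAP ppolicy lock (pwdAccountLockedTime) into Samba's
sambaKickoffTime by emitting LDIF, instead of changing which attribute
smbldap.c reads. Standard library only."""
from datetime import datetime, timezone

# slapo-ppolicy writes this sentinel when an administrator locks an account
# permanently; it is not a real instant, so it is handled separately.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in the UTC forms ppolicy emits:
    YYYYMMDDHHMMSSZ or YYYYMMDDHHMMZ, with an optional fraction."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    body = value[:-1].split(".")[0]          # drop trailing 'Z' and fraction
    if len(body) == 12:                      # seconds omitted -> :00
        body += "00"
    if len(body) != 14:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def kickoff_for_lock(locked_time):
    """sambaKickoffTime (epoch seconds) for a ppolicy lock value, or None when
    pwdAccountLockedTime is absent, i.e. the account is not locked."""
    if locked_time is None:
        return None
    if locked_time == PERMANENT_LOCK:
        return 1   # assumption: any epoch instant in the past expires the account
    return int(parse_generalized_time(locked_time).timestamp())


def ldif_for_entry(dn: str, locked_time) -> str:
    """LDIF modify that sets sambaKickoffTime to the lock instant, or removes it
    again once ppolicy has cleared the lock."""
    kickoff = kickoff_for_lock(locked_time)
    if kickoff is None:
        return f"dn: {dn}\nchangetype: modify\ndelete: sambaKickoffTime\n-\n"
    return (f"dn: {dn}\nchangetype: modify\nreplace: sambaKickoffTime\n"
            f"sambaKickoffTime: {kickoff}\n-\n")


if __name__ == "__main__":
    # Constructed sample entries; a real run would read them with ldapsearch.
    sample = [
        ("uid=alice,ou=people,dc=example,dc=com", "20110113185629Z"),
        ("uid=bob,ou=people,dc=example,dc=com", PERMANENT_LOCK),
        ("uid=carol,ou=people,dc=example,dc=com", None),
    ]
    for dn, locked in sample:
        print(ldif_for_entry(dn, locked))
```

Piping the output into ldapmodify from a cron job keeps the two lock views in step; the delete branch matters as much as the replace, or an account unlocked by ppolicy stays kicked off in Samba.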