Let me try asking something different.
The field 'sambaKickoffTime' in LDAP (if set to a correct time) will prevent a user from logging into a Windows system. The time format for 'pwdaccountlockedtime' is acceptable for the sambaKickoffTime field as well. If I modify the Samba source, source3/lib/smbldap.c, and change the 'sambaKickoffTime' items to 'pwdaccountlockedtime' and rebuild, everything works the way I would like... so Samba is now looking at the same field in the LDAP server that the Linux side is. Yay.

However... does anyone know of a way to accomplish the same thing without a code recompile? Can /etc/ldap.conf nss_map_attributes work for the same thing? (I didn't get this to work, but I may not have done it right.) Or is there an obscure setting in the schema that I can use to have Samba look at the other attribute?

Thanks.

> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
>
> 2011/1/14 Kevin Taylor <groucho.64...@hotmail.com>:
> >
> > I did give it a try with no luck. However, I'm not sure that the way the
> > pam rules I have set out would cause that to trip anyway.
> >
> > On most of our Linux machines, we'd have the system-auth looking like this
> > (what is the default generated by system-config-authentication):
> >
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails, then
> > the user will be denied. That's fine... but in practice, once the LDAP
> > server locks out the account, Samba is still able to read what it needs
> > from the sambaNTPassword field, and thus approves the connection.
>
> Sorry, the auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into the account section. For example, /etc/pam.d/common-account on
> my lenny box:
>
> -----
> account required pam_unix.so
> account required pam_deny.so
> -----
>
> This means always FAIL at the account section.
>
> Checking whether an account is disabled is usually done at the account section, I
> think.
>
> ---
> TAKAHASHI Motonobu <mo...@samba.gr.jp>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
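Kevin asks how to make Samba honour the LDAP-side lockout without rebuilding. As an added example that is not from this thread or from Samba itself, the script below audits an ldapsearch-style LDIF dump for accounts locked via pwdAccountLockedTime whose sambaKickoffTime is absent or still in the future, and produces the ldapmodify record that would mirror the lock into sambaKickoffTime. The Samba schema declares sambaKickoffTime as an integer Unix time, so the ppolicy GeneralizedTime value is converted; the DNs, times and hash value are constructed.

```python
# Audit an ldapsearch-style LDIF dump for ppolicy lockouts (pwdAccountLockedTime)
# that Samba will not enforce via sambaKickoffTime.  All sample data is constructed.
from datetime import datetime, timezone

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdAccountLockedTime: 20110113185629Z

dn: uid=bob,ou=People,dc=example,dc=com
pwdAccountLockedTime: 20110113190000Z
sambaKickoffTime: 1294945200

dn: uid=carol,ou=People,dc=example,dc=com
sambaNTPassword: 00000000000000000000000000000000
"""

def parse_ldif(text):
    """Split simple (unwrapped, unencoded) LDIF into dicts of attribute value lists."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if line.strip():
            key, _, val = line.partition(":")
            cur.setdefault(key.strip(), []).append(val.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def generalized_time_to_epoch(gt):
    """ppolicy writes GeneralizedTime in UTC; sambaKickoffTime is an integer Unix time."""
    if gt == "000001010000Z":                 # ppolicy marker for a permanent lock
        return 0
    dt = datetime.strptime(gt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def find_unenforced_locks(entries, now):
    """Return (dn, lock epoch) for locked accounts Samba would still admit at `now`."""
    hits = []
    for e in entries:
        locked = e.get("pwdAccountLockedTime")
        if not locked:
            continue
        kickoff = e.get("sambaKickoffTime")
        if kickoff and int(kickoff[0]) <= now:
            continue                          # kickoff already in effect on the Samba side
        hits.append((e["dn"][0], generalized_time_to_epoch(locked[0])))
    return hits

def kickoff_ldif(dn, epoch):
    """ldapmodify input that mirrors the ppolicy lock into sambaKickoffTime."""
    return f"dn: {dn}\nchangetype: modify\nreplace: sambaKickoffTime\nsambaKickoffTime: {epoch}\n"
```

Piping the generated records into ldapmodify sets the attribute Samba already reads, so the lock takes effect on the Windows side without patching smbldap.c.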