https://bugzilla.samba.org/show_bug.cgi?id=5825



I raised this bug a while ago experiencing what you are. Nobody seems to
have done much about it.




Victor Medina wrote:
> Hello guys!
> 
> I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3. 
> 
> I am building a PDC with LDAP support (I am attaching my config files),
> I'm also using ldapsam:trusted and ldapsam:editposix.
> 
> Although I am setting the account lock after 3 failed tries in usrmgr,
> and verified that the parameters are actually set in the LDAP, no
> locking occurs.
> 
> I started thinking that it was my fault, since I generate my own ldif
> from a small app I created that reads a Windows AD and creates/fills an
> OpenLDAP with the relevant info that Linux (posix account information)
> and Samba need, just like my "own" "net vampire", just that mine reads
> a native AD and migrates to Samba; it just defaults passwords to 1-8.
> 
> cool! eh? ;)  
> 
> Since everything seemed to work OK except for the account locking, I
> rebuilt the server from scratch using "net sam provision" and created
> an extra account, joined a machine, but still it seems account locking
> is not working on samba 3.2.4.
> 
> Any ideas/suggestions are welcome.
> 
> Victor Medina
> 
> 
> 
> **************
> Some relevant steps i did to set it up
> **************
>   
> 
> smbpasswd -w 12345678
> net idmap secret DEFAULT 12345678 
> net idmap secret alloc 12345678
> rcwinbind restart
> net sam provision
> smbpasswd administrator
> net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege
> SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege 
> SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
> 
> rcsmb start && rcnmb start && rcwinbind start
> 
> 
> 
> 
> ***********************************
> SMB.conf (global)
> ***********************************
> 
> [global]
>       workgroup               = C1.VE 
>       netbios name            = PDC-EPA1 
>       security                = user
>       guest account           = Invitado 
>       map to guest            = Bad User
>       enable privileges       = yes
>       server string           =   
>       time server             = yes
>       socket options          = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>       domain logons           = yes
>       domain master           = yes
>       os level                = 65
>       preferred master        = yes
>       wins support            = yes
>       deadtime                = 20
>       dont descend            = /proc,/dev,/etc,/lib,/lost+found,/initrd
>       encrypt passwords       = yes
>       passdb backend          = ldapsam:ldap://127.0.0.1      
>       ldap admin dn           = cn=Administrador,dc=xxxx
>       ldap suffix             = dc=c1,c=ve,dc=xxx
>       ldap user suffix        = ou=people
>       ldap group suffix       = ou=group
>       ldap machine suffix     = ou=people
>       ldap delete dn          = yes
>       ldap passwd sync        = yes
>       
>       
>       ldapsam:trusted         = yes
>         ldapsam:editposix     = yes
> 
>       idmap domains = DEFAULT
>       idmap config DEFAULT:backend = ldap
>       idmap config DEFAULT:readonly = no
>       idmap config DEFAULT:default = yes
>       idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
>       idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
>       idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>       idmap config DEFAULT:range = 10000-100000
> 
>       idmap alloc backend = ldap
>       idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
>       idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
>       idmap alloc config:ldap_url = ldap://127.0.0.1
>       idmap alloc config:range = 10000-100000
> 
> 
>       
> 
>       printing                = cups
>       printcap name           = cups
>       show add printer wizard = yes
>       load printers           = yes
> 
> 
>       create mask             = 0640
>       directory mask          = 0750
>       force create mode       = 0640
>       force directory mode    = 0750
>       preserve case           = yes
>       short preserve case     = yes
>       case sensitive          = no
>       mangling method         = hash2
>       Dos charset             = 850
>       Unix charset            = ISO8859-1
>       nt acl support          = yes
> 
> 
> 
> 
> 
> 
> ***********************
> slapd.conf
> ***********************
> 
> modulepath      /usr/lib/openldap/modules
> include    /etc/openldap/schema/core.schema
> include    /etc/openldap/schema/cosine.schema
> include    /etc/openldap/schema/inetorgperson.schema
> include    /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba3.schema
> 
> pidfile               /var/run/slapd/slapd.pid
> argsfile      /var/run/slapd/slapd.args
> 
> access to dn.base=""
>         by * read
> 
> access to dn.base="cn=Subschema"
>         by * read
> 
> access to attrs=userPassword,userPKCS12
>         by self write
>         by * auth
> 
> access to attrs=shadowLastChange
>         by self write
>         by * read
> 
> access to *
>         by * read
> 
> loglevel -1 
> 
> database      bdb
> suffix                "dc=xxx"
> rootdn                "cn=Administrador,dc=xxx"
> rootpw                "{SSHA}xxx"
> directory     /var/lib/ldap/
> 
> checkpoint 1024 5
> cachesize 10000
> 
> 
> index         objectClass,uidNumber,gidNumber,memberUid eq
> index         member,mail eq,pres
> index         cn,displayname,uid,sn,givenname sub,eq,pres
> index         sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
> index   default sub
> 
> 
> 
> 
> 
> *****************************
> LDIF:
> *****************************
> #     This file was generated on 2008-11-05 at 11:20:00
> #     from the ldap://172.16.152.200:389 (bound as cn=Administrador,dc=xxxx)
> #     by Softerra LDAP Administrator v3 [ http://www.ldapadministrator.com ]
> dn: c=ve,dc=xxxx
> c: ve
> objectClass: top
> objectClass: country
> description: Infraestructura Tecnologica - Venezuela
> 
> dn: dc=c1,c=ve,dc=xxxx
> dc: c1
> objectClass: dcObject
> objectClass: organizationalUnit
> ou: Tienda 1 / Oficina Central xxxx / Venezuela
> description: xxxx / Oficina Central EPA / Venezuela
> 
> dn: ou=people,dc=c1,c=ve,dc=xxxx
> objectClass: top
> objectClass: organizationalUnit
> ou: people
> 
> dn: ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: top
> objectClass: organizationalUnit
> ou: group
> 
> dn: ou=idmap,dc=c1,c=ve,dc=xxxx
> objectClass: top
> objectClass: organizationalUnit
> objectClass: sambaUnixIdPool
> ou: idmap
> gidNumber: 10016
> uidNumber: 10004
> 
> dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
> sambaDomainName: C1.VE
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> sambaNextUserRid: 1000
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1002
> sambaLockoutDuration: -1
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 3
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 5
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: 7776000
> sambaMinPwdAge: 0
> sambaForceLogoff: -1
> 
> dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: domusers
> displayName: Domain Users
> gidNumber: 10000
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
> sambaGroupType: 2
> 
> dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: domadmins
> displayName: Domain Admins
> gidNumber: 10001
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
> sambaGroupType: 2
> 
> dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> uid: Administrator
> cn: Administrator
> displayName: Administrator
> uidNumber: 10000
> gidNumber: 10001
> homeDirectory: /home/C1.VE/Administrator
> loginShell: /bin/false
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
> sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> sambaPasswordHistory:
>  0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1225815211
> sambaAcctFlags: [U          ]
> userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
> sambaProfilePath::
>  IA==
> 
> dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> uid: Invitado
> cn: Invitado
> displayName: Invitado
> uidNumber: 10001
> gidNumber: 10000
> homeDirectory: /
> loginShell: /bin/false
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
> sambaAcctFlags: [DU         ]
> 
> dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-544
> sambaGroupType: 4
> displayName: Administrators
> gidNumber: 10002
> sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512
> 
> dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10003
> sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513
> 
> dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
> uid: FERRETER-PRUQ3Z$
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
> sambaAcctFlags: [W          ]
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: posixAccount
> cn: FERRETER-PRUQ3Z$
> uidNumber: 10002
> gidNumber: 10000
> homeDirectory: /home/C1.VE/SMB_workstations_home
> loginShell: /bin/false
> sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
> sambaPwdLastSet: 1225815330
> 
> dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
> uid: test001
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: posixAccount
> cn: test001
> uidNumber: 10003
> gidNumber: 10000
> homeDirectory: /home/C1.VE/test001
> loginShell: /bin/false
> sambaKickoffTime: 0
> sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
> sambaPasswordHistory:
>  B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
>  0000000000000000000000000000000000000000000000000000000000000000000000000000
>  0000000000000000000000000000000000000000000000000000000000000000000000000000
>  0000000000000000000000000000000000000000000000000000000000000000000000000000
>  0000000000000000
> sambaPwdLastSet: 1225815887
> userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
> sambaProfilePath::
>  IA==
> sambaAcctFlags: [U          ]
> sambaBadPasswordTime: 0
> sambaBadPasswordCount: 0
> 
> 
> 
> 
> 

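The quoted report shows the policy attributes on the sambaDomain entry (sambaLockoutThreshold 3, sambaLockoutObservationWindow 30, sambaLockoutDuration -1) but never shows sambaBadPasswordCount moving off 0, which is the first thing to check when lockout does not happen. The script below is an added example, not code from the original post or from the Samba project: it parses an LDIF dump (comments, continuation lines, base64 values) and reports, for each sambaSamAccount, what the bad-password counters imply under the domain policy. It assumes, as the samba3 schema documents, that window and duration are in minutes, that -1 duration means locked until an administrator unlocks, and that Samba sets the L flag in sambaAcctFlags when it locks an account; the LDIF is constructed with a made-up suffix.

```python
import base64
import time

# Constructed sample LDIF (not the poster's full dump); it mirrors the shape of
# the domain and user entries in the post, with a made-up suffix.
SAMPLE_LDIF = """\
# comment lines are ignored
dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=example
sambaDomainName: C1.VE
objectClass: sambaDomain
sambaLockoutDuration: -1
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 3

dn: uid=test001,ou=people,dc=c1,c=ve,dc=example
uid: test001
objectClass: sambaSamAccount
sambaAcctFlags: [U          ]
sambaProfilePath:: IA==
sambaPasswordHistory: B2AA5A8D71A95E53
 A0B4F943CDF222B2
sambaBadPasswordTime: 0
sambaBadPasswordCount: 0

dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=example
uid: Administrator
objectClass: sambaSamAccount
sambaAcctFlags: [U          ]
"""


def parse_ldif(text):
    """Parse LDIF into a list of dicts (attribute -> list of values).

    Handles '#' comments, continuation lines (leading space) and base64
    values ('attr:: ...'), which are decoded once the value is complete.
    """
    entries = []
    entry, last, b64 = {}, None, set()

    def flush():
        nonlocal entry, last, b64
        if entry:
            for attr in b64:
                entry[attr] = [base64.b64decode(v).decode("utf-8") for v in entry[attr]]
            entries.append(entry)
        entry, last, b64 = {}, None, set()

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            entry[last][-1] += line[1:]          # continuation of the previous value
            continue
        if not line.strip():
            flush()
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # 'attr:: value' is base64
            b64.add(attr)
            rest = rest[1:]
        entry.setdefault(attr, []).append(rest.strip())
        last = attr
    flush()
    return entries


def lockout_policy(entries):
    """Read the lockout settings from the sambaDomain entry.

    Assumption (per the samba3 schema): window and duration are minutes,
    and a duration of -1 means the account stays locked until unlocked.
    """
    dom = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    return {
        "threshold": int(dom["sambaLockoutThreshold"][0]),
        "window_min": int(dom["sambaLockoutObservationWindow"][0]),
        "duration_min": int(dom["sambaLockoutDuration"][0]),
    }


def lockout_state(account, policy, now):
    """Classify one account from its counters: 'locked', 'disabled',
    'missing-counters', 'clean', 'stale', 'should-be-locked' or 'counting'."""
    flags = account.get("sambaAcctFlags", [""])[0]
    if "L" in flags:                  # assumption: L = autolock flag set by Samba
        return "locked"
    if policy["threshold"] == 0:
        return "disabled"
    if "sambaBadPasswordCount" not in account:
        return "missing-counters"     # Samba has never written a bad-password count here
    count = int(account["sambaBadPasswordCount"][0])
    last_bad = int(account.get("sambaBadPasswordTime", ["0"])[0])
    if count == 0:
        return "clean"
    if now - last_bad > policy["window_min"] * 60:
        return "stale"                # window elapsed; the count restarts on the next failure
    if count >= policy["threshold"]:
        return "should-be-locked"     # threshold reached but no L flag: lockout not enforced
    return "counting"


def audit(text, now=None):
    """Map every sambaSamAccount uid in the dump to its lockout state."""
    now = time.time() if now is None else now
    entries = parse_ldif(text)
    policy = lockout_policy(entries)
    return {e["uid"][0]: lockout_state(e, policy, now)
            for e in entries if "sambaSamAccount" in e.get("objectClass", [])}


if __name__ == "__main__":
    for uid, state in audit(SAMPLE_LDIF).items():
        print(f"{uid:15} {state}")
```

Run it against a fresh `ldapsearch` dump after a few deliberate wrong passwords on a test account: a user that stays at "clean" or "missing-counters" tells you Samba is not updating the counters in LDAP at all (a write or configuration problem), while "should-be-locked" means the counters move but the lock is never applied.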