Re: [Samba] Samba4 Domain Account Lockout

2013-01-16 Thread Andrew Bartlett
On Fri, 2013-01-11 at 22:54 -0500, Chris Stoneburner wrote:
> First off, I apologize if this is a duplicate - I had some issues with
> the first email I tried to join this list with!
>
> I'm currently using samba4 as an AD DC (domain and forest are both
> configured with the samba-tool command to be at the 2008_R2 functional
> level) for both Windows and Linux systems.  I've got the default
> password settings set using the samba-tool domain passwordsettings
> command and I have all the GPOs configured as I need them for clients.
> However, I would like to configure how the account lockout functions
> for the domain accounts.  I read in the archive for this list that
> there isn't currently support for server side GPOs, so I'm not certain
> how to configure this, or if it's even possible.
>
> My question with respect to samba is twofold: is it even POSSIBLE to
> have samba detect multiple failed login attempts to a domain account
> (e.g., the default domain administrator) and lock the account once a
> certain threshold has been reached and if so how is that configured?

No, this is not yet implemented in the AD DC.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Domain Account Lockout

2013-01-16 Thread Chris Stoneburner
No worries - thanks for the notice!  If it's not already listed, is there a
place I can recommend the feature to be implemented?


Thanks again!




Re: [Samba] Samba4 Domain Account Lockout

2013-01-15 Thread Chris Stoneburner
Anyone? If this is the wrong list or if no one can answer I can definitely ask 
a different list - just point me in the right direction?

On Jan 11, 2013, at 10:54 PM, Chris Stoneburner 
200406...@panthers.greenville.edu wrote:

> First off, I apologize if this is a duplicate - I had some issues with the
> first email I tried to join this list with!
>
> I'm currently using samba4 as an AD DC (domain and forest are both configured
> with the samba-tool command to be at the 2008_R2 functional level) for both
> Windows and Linux systems.  I've got the default password settings set using
> the samba-tool domain passwordsettings command and I have all the GPOs
> configured as I need them for clients.  However, I would like to configure
> how the account lockout functions for the domain accounts.  I read in the
> archive for this list that there isn't currently support for server side
> GPOs, so I'm not certain how to configure this, or if it's even possible.
>
> To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has
> a pre-built zentyal-samba package installed but from what I can tell it's
> just samba4.0 (that's what it tells me when I use samba --version)
>
> What I've tried thus far:
> 1. Use testparm -v to get a complete list of all possible smb.conf values -
> didn't see much in there that looked like account lockout
> 2. Manually edit the account_policy.tdb database within the samba folder
> identified in the current smb.conf file with tdbtool - it looks like there
> ARE settings here that might apply, but for some reason changes aren't being
> reflected.  For example, when I use the samba-tool domain passwordsettings
> set --min-pwd-age=5 command the account_policy.tdb key corresponding to pass
> min age does NOT get updated, but I have validated that the changes DO take
> immediate effect.  Maybe the account_policy.tdb file is legacy and not used
> when the active role is DC with a 2008_R2 functional level?  The password
> policy, and I'm presuming all account related policy, is clearly being stored
> and enforced somewhere - I just haven't figured out what all it includes and
> where it is...
>
> My question with respect to samba is twofold: is it even POSSIBLE to have
> samba detect multiple failed login attempts to a domain account (e.g., the
> default domain administrator) and lock the account once a certain threshold
> has been reached and if so how is that configured?
>
> Thanks so much for any information you can provide!
> -Chris Stoneburner


Re: [Samba] Samba4 Domain Account Lockout

2013-01-14 Thread Chris Stoneburner
Any thoughts on the quoted email below?


On Fri, Jan 11, 2013 at 10:54 PM, Chris Stoneburner 
200406...@panthers.greenville.edu wrote:

> First off, I apologize if this is a duplicate - I had some issues with the
> first email I tried to join this list with!
>
> I'm currently using samba4 as an AD DC (domain and forest are both
> configured with the samba-tool command to be at the 2008_R2 functional
> level) for both Windows and Linux systems.  I've got the default password
> settings set using the samba-tool domain passwordsettings command and I
> have all the GPOs configured as I need them for clients.  However, I would
> like to configure how the account lockout functions for the domain
> accounts.  I read in the archive for this list that there isn't currently
> support for server side GPOs, so I'm not certain how to configure this, or
> if it's even possible.
>
> To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which
> has a pre-built zentyal-samba package installed but from what I can tell
> it's just samba4.0 (that's what it tells me when I use samba --version)
>
> What I've tried thus far:
> 1. Use testparm -v to get a complete list of all possible smb.conf values
> - didn't see much in there that looked like account lockout
> 2. Manually edit the account_policy.tdb database within the samba folder
> identified in the current smb.conf file with tdbtool - it looks like there
> ARE settings here that might apply, but for some reason changes aren't
> being reflected.  For example, when I use the samba-tool domain
> passwordsettings set --min-pwd-age=5 command the account_policy.tdb key
> corresponding to pass min age does NOT get updated, but I have validated
> that the changes DO take immediate effect.  Maybe the account_policy.tdb
> file is legacy and not used when the active role is DC with a 2008_R2
> functional level?  The password policy, and I'm presuming all account
> related policy, is clearly being stored and enforced somewhere - I just
> haven't figured out what all it includes and where it is...
>
> My question with respect to samba is twofold: is it even POSSIBLE to have
> samba detect multiple failed login attempts to a domain account (e.g., the
> default domain administrator) and lock the account once a certain
> threshold has been reached and if so how is that configured?
>
> Thanks so much for any information you can provide!
> -Chris Stoneburner