Author Topic: Zentyal 5.0 with Server 2016 BDC  (Read 1155 times)

icsy7867

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Zentyal 5.0 with Server 2016 BDC
« on: February 15, 2018, 07:04:09 pm »
I have been playing around with some configurations and I have been having trouble getting account lockout policies to work.

I thought that I could mess around with spinning up a Windows Server 2016 VM and joining it to the zentyal domain as a BDC but this does not seem to want to work.

Has anyone been able to do this?  I really like having Zentyal as a PDC or BDC because I use LDAP authentication with Zentyal's openvpn configuration, and it's nice to use "LDAP://localhost:389" as I dont have to send passwords in plaintext over the network.

Just curious if anyone has gotten this to work, or if this just simply is not possible.

icsy7867

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Re: Zentyal 5.0 with Server 2016 BDC
« Reply #1 on: February 16, 2018, 05:42:22 pm »
I thought that Server 2016 might be a little too extreme for a Samba based DC, so I have installed a 2008 R2 VM and I have also tried with this.

I get an RPC Service is Unavailable. I have turned off windows firewall to ensure this was not the case, and I do not believe Zentyal blocks any internal communication.  Has anyone had any experience with this?

basselope

  • Zen Monk
  • **
  • Posts: 56
  • Karma: +15/-0
    • View Profile
Re: Zentyal 5.0 with Server 2016 BDC
« Reply #2 on: February 19, 2018, 12:55:16 pm »
No SysVOL replication? GPOs not synced maybe? Just an idea...

icsy7867

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Re: Zentyal 5.0 with Server 2016 BDC
« Reply #3 on: February 19, 2018, 03:30:00 pm »
I might be mistaken,

But after digging into the issue, I believe the account lockouts wont be handled by GPO, as the servers handling the bad login attempts would be zentyal itself.

I have set the account lockout threshold to 5 using the samba-tool, I will test and see how this works shortly.

Code: [Select]
samba-tool domain passwordsettings set --account-lockout-threshold=5
*EDIT*

Yep this worked! I was able to monitor some bad passwords using Microsoft's account login status:
https://www.microsoft.com/en-us/download/details.aspx?id=15201

After 5 bad attempts the account successfully locked out in AD Users & Computers.  Now if I can just get LDAPS working, I will be happy :D
« Last Edit: February 19, 2018, 03:42:38 pm by icsy7867 »