Topic: Domain Controller - how to check what causes an AD user account to be locked

m.sus

Hi,
Where can I find what causes an AD user's account to be locked (from which IP, computer name, application, ...)? Zentyal 6.1

I'm looking at /var/log/samba/samba.log, but I can't find anything about the AD user account lockout.

Best Regards
Mark
« Last Edit: December 03, 2020, 03:56:39 pm by m.sus »

badapple7

Hi! I need more info, please. Is the user locked on only one computer, or is this user locked on all computers? Are roaming profiles used? Many questions could be asked now just for the reason, but one fast solution is to delete the user (before that, back up the user's files) and create this username again. This doesn't resolve your problem, but it generates another GID for the username. This username probably won't have more problems...

*** edit 1:
Quote
   Samba supports logging of successful authorization events but not unsuccessful authorization events. It can log both successful and unsuccessful authentication events.

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

----

Some commands like pdbedit or wbinfo can be great utilities!!
« Last Edit: December 09, 2020, 04:32:21 am by badapple7 »

doncamilo

 :)

There are several ways to check if the account is enabled. For instance, in my lab server:

Code:
# An enabled user account
root@orthanc:~# pdbedit -v -u jesus.quesada | egrep '^Account\sFlags:'
Account Flags:        [U          ]
# A disabled user account
root@orthanc:~# pdbedit -v -u eldelas.bermudas | egrep '^Account\sFlags:'
Account Flags:        [DU         ]

About the account flags, from man pdbedit:

Code:
Possible flags are listed below.

  N: No password required
  D: Account disabled
  H: Home directory required
  T: Temporary duplicate of other account
  U: Regular user account
  M: MNS logon user account
  W: Workstation Trust Account
  S: Server Trust Account
  L: Automatic Locking
  X: Password does not expire
  I: Domain Trust Account

You can use ldbsearch and this table https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties to check the user account control parameter:

Code:
root@orthanc:~# ldbsearch -H /var/lib/samba/private/sam.ldb 'userAccountControl=*' samaccountname useraccountcontrol

The flags are like octal Unix permissions. It's easy to write a script to find the disabled accounts.

Cheers!

« Last Edit: December 09, 2020, 06:31:35 pm by doncamilo »
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,
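The kind of script the post above mentions, as an added example (not doncamilo's code and not part of Samba or Zentyal): it parses the LDIF that ldbsearch prints, decodes userAccountControl with the bit values from the Microsoft table linked above, and, because the stored userAccountControl does not carry the LOCKOUT bit, also reads lockoutTime and badPwdCount so that a locked account can be told apart from a disabled one, which is the distinction the original question is about. The query with the two extra attributes, the sample LDIF and the account names in it are assumptions constructed for the example.

```python
"""Decode Samba/AD account state from ldbsearch LDIF output (added example).

Assumed query (extends the one posted by also asking for lockoutTime and
badPwdCount, both standard AD attributes; the database path is the one from
the thread):

  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
      sAMAccountName userAccountControl lockoutTime badPwdCount | python3 uac_report.py

Flag values are the documented userAccountControl bits from the Microsoft
table linked in the thread. SAMPLE_LDIF below is constructed, not real output.
"""
import base64
import re
import sys

UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Constructed sample: an enabled, a disabled and a locked account.
SAMPLE_LDIF = """\
# record 1
dn: CN=jesus.quesada,CN=Users,DC=example,DC=lan
sAMAccountName: jesus.quesada
userAccountControl: 66048
lockoutTime: 0
badPwdCount: 0

# record 2
dn: CN=eldelas.bermudas,CN=Users,DC=example,DC=lan
sAMAccountName: eldelas.bermudas
userAccountControl: 514
badPwdCount: 0

# record 3
dn: CN=locked.user,CN=Users,DC=example,DC=lan
sAMAccountName: locked.user
userAccountControl: 512
lockoutTime: 132514473600000000
badPwdCount: 5

# returned 3 records
"""


def decode_uac(value):
    """Names of the userAccountControl bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """One dict per LDIF entry (attribute names lower-cased).

    Handles folded lines (continuations start with one space), the base64
    form "attr:: value", and the "# record N" comments that ldbsearch emits.
    """
    entries, current = [], {}
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, val = line.partition(":")
        if not sep:
            continue
        if val.startswith(":"):               # base64-encoded value
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        current[attr.strip().lower()] = val.strip()
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]  # drop "ref:" referral blocks


def account_status(entry):
    """Classify one entry as enabled, disabled or locked.

    The DC does not set the LOCKOUT bit in the stored userAccountControl; a
    lockout is recorded in lockoutTime (non-zero) and the failure counter in
    badPwdCount. lockoutTime is only cleared at the next successful logon or
    manual unlock, so "locked" here means "a lockout was recorded".
    """
    flags = decode_uac(int(entry.get("useraccountcontrol", "0")))
    if "ACCOUNTDISABLE" in flags:
        state = "disabled"
    elif int(entry.get("lockouttime", "0")) != 0:
        state = "locked"
    else:
        state = "enabled"
    return {"name": entry.get("samaccountname", "?"), "state": state,
            "flags": flags, "badPwdCount": int(entry.get("badpwdcount", "0"))}


def report(ldif_text):
    """Status rows for every user entry in the LDIF text."""
    return [account_status(e) for e in parse_ldif(ldif_text)]


if __name__ == "__main__":
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for row in report(data):
        print(f"{row['name']:<20} {row['state']:<9} badPwdCount={row['badPwdCount']}  "
              + " ".join(row["flags"]))
```

Run it with the ldbsearch pipeline from the docstring on the DC, or without stdin to see the constructed sample; an account that reports "locked" with a badPwdCount at the lockout threshold is the one to look for in the authentication audit log that badapple7's Samba wiki link describes.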

m.sus

Hi
How do I modify the smb.conf file? After a restart, any changes are destroyed.

doncamilo

Quote from: m.sus
   Hi
   How do I modify the smb.conf file? After a restart, any changes are destroyed.

 :)

https://doc.zentyal.org/en/appendix-c.html#stubs

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

m.sus

Thanks!

Do you know why, after a failed login attempt (client: Windows 10 Pro), the user gets the message "Your account is disabled"? It should be "Your account is locked".

Cheers

badapple7

To display the current configuration, use for example the command samba-tool domain passwordsettings show.

You can modify the Samba configuration with various parameters and options:

    samba-tool domain passwordsettings set --account-lockout-threshold=5
    Defines the number of attempts users have to log in (here: 5). Thereafter the account will be locked.
    samba-tool domain passwordsettings set --account-lockout-duration=3
    Sets the number of minutes the account stays locked after the user has entered an incorrect password too many times.
    samba-tool domain passwordsettings set --reset-account-lockout-after=5
    Configures the number of minutes until the counter is reset.

If an account is automatically unlocked after the configured duration, the counter will not be reset. In consequence, the account remains under surveillance for a while. After the end of the lockout and before the counter is finally reset, a new failed attempt will lead to a lockout of the account immediately.
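The counter behaviour described in the last paragraph, as an added example (not badapple7's code and not Samba's implementation): a small simulation of the three passwordsettings values posted above, with a constructed timeline of failed logons that shows the account being unlocked by the lockout duration and then locked again by a single failure because the reset window has not yet closed. The field names mirror the AD attributes (badPwdCount, badPasswordTime, lockoutTime) only by analogy; nothing here talks to a real DC.

```python
"""Simulate the account-lockout counter described in the post (added example).

Policy values are the ones posted: threshold 5, lockout duration 3 minutes,
counter reset after 5 minutes. Times are minutes on a constructed timeline.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5          # --account-lockout-threshold=5
    duration: float = 3.0       # --account-lockout-duration=3
    reset_after: float = 5.0    # --reset-account-lockout-after=5


@dataclass
class AccountState:
    bad_pwd_count: int = 0                    # badPwdCount analogue
    last_bad_time: Optional[float] = None     # badPasswordTime analogue
    lockout_time: Optional[float] = None      # lockoutTime analogue
    log: List[Tuple[float, str]] = field(default_factory=list)


def is_locked(state: AccountState, policy: LockoutPolicy, now: float) -> bool:
    """Locked while a lockout is recorded and the lockout duration has not elapsed."""
    return state.lockout_time is not None and now - state.lockout_time < policy.duration


def attempt(state: AccountState, policy: LockoutPolicy, now: float, password_ok: bool) -> str:
    """Apply one logon attempt at minute `now`; returns success, failure or locked."""
    if is_locked(state, policy, now):
        state.log.append((now, "rejected, account locked"))
        return "locked"
    # The counter is reset only once reset_after minutes have passed since the
    # last failure. An expired lockout by itself does not reset it.
    if state.last_bad_time is not None and now - state.last_bad_time >= policy.reset_after:
        state.bad_pwd_count = 0
    if password_ok:
        state.bad_pwd_count, state.lockout_time = 0, None
        state.log.append((now, "success"))
        return "success"
    state.bad_pwd_count += 1
    state.last_bad_time = now
    if state.bad_pwd_count >= policy.threshold:
        state.lockout_time = now
        state.log.append((now, f"failure #{state.bad_pwd_count}, account locked"))
        return "locked"
    state.log.append((now, f"failure #{state.bad_pwd_count}"))
    return "failure"


def scenario() -> Tuple[List[str], AccountState]:
    """Five failures at t=0..4 lock the account; at t=5 it is still locked; the
    3-minute lockout expires at t=7, but the counter (last failure at t=4) is
    not reset until t=9, so a failure at t=8 locks the account again at once;
    a failure at t=14, 6 minutes after the last one, is just failure #1."""
    policy, state = LockoutPolicy(), AccountState()
    timeline = [(t, False) for t in range(5)] + [(5, False), (8, False), (14, False)]
    outcomes = [attempt(state, policy, t, ok) for t, ok in timeline]
    return outcomes, state


if __name__ == "__main__":
    outcomes, state = scenario()
    for t, event in state.log:
        print(f"t={t:>3} min  {event}")
    print("badPwdCount now:", state.bad_pwd_count)
```

The point to take from the run is the t=8 line: the account was already unlocked by the duration timer, yet one wrong password relocks it immediately. This is also why a helpdesk that unlocks an account manually still sees it lock again within minutes when a stale credential (a mapped drive, a scheduled task, a phone) keeps retrying; tracing that source is what the original question is about, and the lockout counter alone cannot reveal it.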