Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: m.sus on December 03, 2020, 02:22:42 pm

Title: Domain Controller - how to check what causes if account User AD is locked
Post by: m.sus on December 03, 2020, 02:22:42 pm
Hi,
Where can I find what causes an AD user's account to be locked (from which IP, computer name, application, ...)? Zentyal 6.1

I'm looking in /var/log/samba/samba.log, but I can't find anything about the AD user account lock.

Best Regards
Mark
Title: Re: Domain Controller - how to check what causes if account User AD is locked
Post by: badapple7 on December 09, 2020, 04:11:07 am
Hi! I need more info, please. Is the user locked on only one computer, or is this user locked on all computers? Are roaming profiles used? I could raise many questions now just for the cause, but one quick solution is to delete the user (first back up the user's files) and create this username again. This doesn't solve your problem, but it generates another gid for the username; this username will probably not have more problems...

***edit1;
Quote
   Samba supports logging of successful authorization events but not unsuccessful authorization events. It can log both successful and unsuccessful authentication events.

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

----

Some commands such as pdbedit or wbinfo can be great utilities!!
Title: Re: Domain Controller - how to check what causes if account User AD is locked
Post by: doncamilo on December 09, 2020, 06:12:44 pm
 :)

There are several ways to check if the account is enabled. For instance, in my lab server:

Code:
# An enabled user account
root@orthanc:~# pdbedit -v -u jesus.quesada | egrep '^Account\sFlags:'
Account Flags:        [U          ]
# A disabled user account
root@orthanc:~# pdbedit -v -u eldelas.bermudas | egrep '^Account\sFlags:'
Account Flags:        [DU         ]

About the account flags: man pdbedit

Code:
Possible flags are listed below.

    ·   N: No password required
    ·   D: Account disabled
    ·   H: Home directory required
    ·   T: Temporary duplicate of other account
    ·   U: Regular user account
    ·   M: MNS logon user account
    ·   W: Workstation Trust Account
    ·   S: Server Trust Account
    ·   L: Automatic Locking
    ·   X: Password does not expire
    ·   I: Domain Trust Account


You can use ldbsearch and this table https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties to check the user account control parameter:

Code:
root@orthanc:~# ldbsearch -H /var/lib/samba/private/sam.ldb 'userAccountControl=*' samaccountname useraccountcontrol

The flags are like octal Unix permissions. It's easy to write a script to find the disabled accounts.

Cheers!
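The script hinted at above, written here as an added example (not doncamilo's own code): it parses the records that the ldbsearch query prints, decodes userAccountControl into the bit names from the Microsoft table, and maps them onto the single-letter pdbedit flags. The sample records are constructed; the bit values are the ones from the linked table.

```python
import re

# userAccountControl bits (values from the Microsoft table linked in the post) paired
# with the pdbedit "Account Flags" letter that shows the same property, if any.
UAC_BITS = {
    0x0002: ("ACCOUNTDISABLE", "D"),            0x0008: ("HOMEDIR_REQUIRED", "H"),
    0x0010: ("LOCKOUT", "L"),                   0x0020: ("PASSWD_NOTREQD", "N"),
    0x0100: ("TEMP_DUPLICATE_ACCOUNT", "T"),    0x0200: ("NORMAL_ACCOUNT", "U"),
    0x0800: ("INTERDOMAIN_TRUST_ACCOUNT", "I"), 0x1000: ("WORKSTATION_TRUST_ACCOUNT", "W"),
    0x2000: ("SERVER_TRUST_ACCOUNT", "S"),      0x10000: ("DONT_EXPIRE_PASSWORD", "X"),
    0x20000: ("MNS_LOGON_ACCOUNT", "M"),        0x80000: ("TRUSTED_FOR_DELEGATION", None),
    0x800000: ("PASSWORD_EXPIRED", None),
}

def decode_uac(value):
    """Names of the set bits, lowest first; bits not in the table are reported by value."""
    names = [name for bit, (name, _) in sorted(UAC_BITS.items()) if value & bit]
    unknown = value & ~sum(UAC_BITS)
    return names + ([f"UNKNOWN_0x{unknown:x}"] if unknown else [])

def pdbedit_letters(value):
    """Letters pdbedit would print for the same properties, in bit order (514 -> 'DU')."""
    return "".join(letter for bit, (_, letter) in sorted(UAC_BITS.items())
                   if letter and value & bit)

def parse_ldbsearch(text):
    """sAMAccountName -> userAccountControl from the LDIF-style records ldbsearch prints."""
    accounts = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(ln.split(": ", 1) for ln in record.splitlines() if ": " in ln)
        if "sAMAccountName" in attrs and "userAccountControl" in attrs:
            accounts[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return accounts

def disabled_accounts(text):
    """Accounts whose ACCOUNTDISABLE bit (0x2, pdbedit's 'D') is set."""
    return sorted(n for n, uac in parse_ldbsearch(text).items() if uac & 0x0002)

# Constructed sample in the shape of the ldbsearch query quoted in the post.
SAMPLE = """\
# record 1
dn: CN=jesus.quesada,CN=Users,DC=example,DC=lan
sAMAccountName: jesus.quesada
userAccountControl: 512

# record 2
dn: CN=eldelas.bermudas,CN=Users,DC=example,DC=lan
sAMAccountName: eldelas.bermudas
userAccountControl: 514
"""
```

On a real server, pipe the ldbsearch output from the post into parse_ldbsearch instead of SAMPLE; the letter order follows bit value, so it can differ from pdbedit's own column order.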

Title: Re: Domain Controller - how to check what causes if account User AD is locked
Post by: m.sus on December 18, 2020, 08:10:24 am
Quote from: badapple7 on December 09, 2020, 04:11:07 am

Hi
How do I modify the smb.conf file, because after a restart any changes are destroyed?
Title: Re: Domain Controller - how to check what causes if account User AD is locked
Post by: doncamilo on December 18, 2020, 09:41:16 am
Quote from: m.sus on December 18, 2020, 08:10:24 am
   Hi
   How do I modify the smb.conf file, because after a restart any changes are destroyed?

 :)

https://doc.zentyal.org/en/appendix-c.html#stubs

Cheers!
Title: Re: Domain Controller - how to check what causes if account User AD is locked
Post by: m.sus on December 18, 2020, 10:27:26 am
Thanks!

Do you know why, after a failed login attempt (client Windows 10 Pro), the user gets the message "Your account is disabled"? It should be "Your account is locked".

Cheers
Title: Re: Domain Controller - how to check what causes if account User AD is locked
Post by: badapple7 on December 26, 2020, 03:43:08 am
To display the current configuration, use for example the command samba-tool domain passwordsettings show

You can modify the Samba configuration with various parameters and options:

    samba-tool domain passwordsettings set --account-lockout-threshold=5
    Defines the number of attempts users have to log in (here: 5). Thereafter the account will be locked.
    samba-tool domain passwordsettings set --account-lockout-duration=3
    Sets the number of minutes the account stays locked after the user has entered an incorrect password too many times.
    samba-tool domain passwordsettings set --reset-account-lockout-after=5
    Configures the number of minutes until the counter is reset.

If an account is automatically unlocked after the configured duration, the counter will not be reset. In consequence, the account remains under surveillance for a while. After the end of the lockout and before the counter is finally reset, a new failed attempt will lead to a lockout of the account immediately.
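A small model of the counter semantics this post describes, added here as an example (it is not samba-tool's or Samba's code). It uses the three values from the post, assumes the reset timer counts from the last failed attempt, and reproduces the case in the last paragraph: when the 3-minute lockout expires the counter is still at the threshold, so the next failure locks the account again.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    """The three samba-tool passwordsettings values from the post (minutes)."""
    threshold: int = 5      # --account-lockout-threshold
    duration: int = 3       # --account-lockout-duration
    reset_after: int = 5    # --reset-account-lockout-after

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None    # minute of the most recent failed attempt
    locked_at: Optional[float] = None   # minute the current lockout began, or None

class LockoutModel:
    """Time is passed in explicitly (minutes) so a sequence of attempts can be replayed."""
    def __init__(self, policy=None):
        self.policy = policy or LockoutPolicy()
        self.accounts = {}

    def _expire(self, s, now):
        # Assumption: the reset timer starts at the LAST failed attempt and runs
        # independently of the lockout. An expired lockout clears locked_at but
        # deliberately leaves bad_count alone, as the post describes.
        if s.last_bad is not None and now >= s.last_bad + self.policy.reset_after:
            s.bad_count, s.last_bad = 0, None
        if s.locked_at is not None and now >= s.locked_at + self.policy.duration:
            s.locked_at = None

    def attempt(self, user, now, password_ok):
        """Outcome of one logon attempt at minute `now`: 'ok', 'bad' or 'locked'."""
        s = self.accounts.setdefault(user, AccountState())
        self._expire(s, now)
        if s.locked_at is not None:
            return "locked"           # even a correct password is refused
        if password_ok:
            s.bad_count, s.last_bad = 0, None
            return "ok"
        s.bad_count, s.last_bad = s.bad_count + 1, now
        if s.bad_count >= self.policy.threshold:
            s.locked_at = now         # threshold reached: lock immediately
            return "locked"
        return "bad"
```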