Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: m.sus on December 03, 2020, 02:22:42 pm
-
Hi,
Where can I find what causes an AD user's account to be locked (from which IP, computer name, application, ...)? Zentyal 6.1
I'm looking for /var/log/samba/samba.log, but I can't find anything about the AD user account lock.
Best Regards
Mark
-
Hi! I need more info, please. Is the user locked on only one computer, or on all computers? Are roaming profiles used? Many questions could be asked now just to find the reason, but one fast solution is to delete the user (first, back up the user's files) and create this username again. This doesn't resolve your problem, but it generates another gid for the username. This username probably won't have more problems...
***edit1;
Samba supports logging of successful authorization events but not unsuccessful authorization events. It can log both successful and unsuccessful authentication events.
https://wiki.samba.org/index.php/Setting_up_Audit_Logging
----
Some commands, such as pdbedit or wbinfo, can be great utilities!!
-
:)
There are several ways to check if the account is enabled. For instance, in my lab server:
# An enabled user account
root@orthanc:~# pdbedit -v -u jesus.quesada | egrep '^Account\sFlags:'
Account Flags: [U ]
# A disabled user account
root@orthanc:~# pdbedit -v -u eldelas.bermudas | egrep '^Account\sFlags:'
Account Flags: [DU ]
About the account flags: man pdbedit
Possible flags are listed below.
· N: No password required
· D: Account disabled
· H: Home directory required
· T: Temporary duplicate of other account
· U: Regular user account
· M: MNS logon user account
· W: Workstation Trust Account
· S: Server Trust Account
· L: Automatic Locking
· X: Password does not expire
· I: Domain Trust Account
You can use ldbsearch and this table https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties to check the user account control parameter:
root@orthanc:~# ldbsearch -H /var/lib/samba/private/sam.ldb 'userAccountControl=*' samaccountname useraccountcontrol
The flags are like octal Unix permissions. It's easy to write a script to know the disabled accounts.
Cheers!
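
An added example, not part of the original post: a script that reads LDIF in the shape printed by the ldbsearch command above and decodes userAccountControl as a bit mask to list disabled accounts. The sample records, account names and domain components are constructed; the bit values are from the Microsoft table linked in the post.

```python
# Bit values from the Microsoft userAccountControl table linked in the post above.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample shaped like ldbsearch LDIF output (not from a real server).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
userAccountControl: 514

dn: CN=svc-backup,CN=Users,DC=example,DC=lan
sAMAccountName: svc-backup
userAccountControl: 66048

# returned 3 records
"""

def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_accounts(ldif):
    """Map sAMAccountName -> userAccountControl (int); records are blank-line separated."""
    accounts = {}
    for block in ldif.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep and not line.startswith("#"):  # skip comments and malformed lines
                rec[key.lower()] = val.strip()
        if "samaccountname" in rec and "useraccountcontrol" in rec:
            accounts[rec["samaccountname"]] = int(rec["useraccountcontrol"])
    return accounts

def disabled_accounts(ldif):
    """Return the sorted names of accounts with the ACCOUNTDISABLE bit (0x0002) set."""
    return sorted(n for n, uac in parse_accounts(ldif).items() if uac & 0x0002)

if __name__ == "__main__":
    for name, uac in sorted(parse_accounts(SAMPLE_LDIF).items()):
        print(name, uac, ",".join(decode_uac(uac)))
```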
-
Hi
How do I modify the smb.conf file? After a restart, any changes are destroyed.
-
:)
https://doc.zentyal.org/en/appendix-c.html#stubs
Cheers!
-
Thanks!
Do you know why, after a failed login attempt (client Windows 10 Pro), the user gets the message "Your account is disabled"? It should be "Your account is locked".
Cheers
-
To display the current configuration use for example the command samba-tool domain passwordsettings show
You can modify the Samba configuration with various parameters and options:
samba-tool domain passwordsettings set --account-lockout-threshold=5
Defines the number of attempts users have to log in (here: 5). Thereafter the account will be locked.
samba-tool domain passwordsettings set --account-lockout-duration=3
Sets the number of minutes the account stays locked after the users have entered an incorrect password too many times.
samba-tool domain passwordsettings set --reset-account-lockout-after=5
Configures the number of minutes until the counter is reset.
If an account is automatically unlocked after the configured duration, the counter will not be reset. In consequence, the account remains under surveillance for a while. After the end of the lockout and before the counter is finally reset, a new failed attempt will lead to a lockout of the account immediately.