Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: icsy7867 on February 15, 2018, 07:04:09 pm
-
I have been playing around with some configurations and I have been having trouble getting account lockout policies to work.
I thought that I could mess around with spinning up a Windows Server 2016 VM and joining it to the Zentyal domain as a BDC, but this does not seem to want to work.
Has anyone been able to do this? I really like having Zentyal as a PDC or BDC because I use LDAP authentication with Zentyal's OpenVPN configuration, and it's nice to use "LDAP://localhost:389" as I don't have to send passwords in plaintext over the network.
Just curious if anyone has gotten this to work, or if this just simply is not possible.
-
I thought that Server 2016 might be a little too extreme for a Samba based DC, so I have installed a 2008 R2 VM and I have also tried with this.
I get an "RPC Service is Unavailable" error. I have turned off Windows Firewall to ensure this was not the cause, and I do not believe Zentyal blocks any internal communication. Has anyone had any experience with this?
-
No SysVOL replication? GPOs not synced maybe? Just an idea...
-
I might be mistaken, but after digging into the issue, I believe the account lockouts won't be handled by GPO, as the server handling the bad login attempts would be Zentyal itself.
I have set the account lockout threshold to 5 using the samba-tool, I will test and see how this works shortly.
samba-tool domain passwordsettings set --account-lockout-threshold=5
*EDIT*
Yep, this worked! I was able to monitor some bad passwords using Microsoft's account login status:
https://www.microsoft.com/en-us/download/details.aspx?id=15201
After 5 bad attempts the account successfully locked out in AD Users & Computers. Now if I can just get LDAPS working, I will be happy :D
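Added example, not part of the thread above: a small POSIX shell audit of the lockout policy that a Samba AD DC (which is what Zentyal runs) reports via `samba-tool domain passwordsettings show`. The poster only set the threshold; the full policy also has a lockout duration and an observation window, and Active Directory rejects a window that is longer than the duration (a duration of 0 means "locked until an administrator unlocks"). The `sample_output` function is a constructed stand-in for the real tool's output (the labels match what samba-tool prints; the domain name `DC=zentyal-domain,DC=lan` is an assumption), so the script runs offline. The `samba-tool` flags in `samba_tool_lockout_cmd` are the real option names.

```shell
#!/bin/sh
# Added example (not from the forum thread): check whether account lockout is
# actually enabled on a Samba/Zentyal DC and print the samba-tool command that
# turns it on. Everything below runs offline against constructed sample output.

# Constructed stand-in for `samba-tool domain passwordsettings show`.
# $1 = lockout threshold (attempts), $2 = lockout duration (mins),
# $3 = reset window (mins). The domain DN is an assumed placeholder.
sample_output() {
    cat <<EOF
Password information for domain 'DC=zentyal-domain,DC=lan'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): $2
Account lockout threshold (attempts): $1
Reset account lockout after (mins): $3
EOF
}

# get_setting <label> <show-output>: value after "label: " (first match only).
get_setting() {
    printf '%s\n' "$2" | awk -F': ' -v key="$1" 'index($0, key) == 1 { print $2; exit }'
}

# lockout_verdict <show-output>: prints one word
#   disabled  threshold is 0 (the Samba default), so bad passwords never lock
#   invalid   reset window longer than the lockout duration (AD rejects this)
#   enabled   lockout is active (duration 0 = locked until an admin unlocks)
lockout_verdict() {
    threshold=$(get_setting "Account lockout threshold (attempts)" "$1")
    duration=$(get_setting "Account lockout duration (mins)" "$1")
    reset=$(get_setting "Reset account lockout after (mins)" "$1")
    threshold=${threshold:-0}; duration=${duration:-0}; reset=${reset:-0}

    if [ "$threshold" -eq 0 ]; then
        echo disabled
    elif [ "$duration" -eq 0 ]; then
        echo enabled
    elif [ "$reset" -gt "$duration" ]; then
        echo invalid
    else
        echo enabled
    fi
}

# samba_tool_lockout_cmd <threshold> <duration-mins> <reset-mins>: the command
# to run as root on the DC. These are the real samba-tool option names.
samba_tool_lockout_cmd() {
    printf 'samba-tool domain passwordsettings set --account-lockout-threshold=%s --account-lockout-duration=%s --reset-account-lockout-after=%s\n' \
        "$1" "$2" "$3"
}

main() {
    # Default DC (threshold 0), the poster's fix (5 attempts), and a policy
    # with a 30-minute window but only a 10-minute lockout, which AD rejects.
    for args in "0 30 30" "5 30 30" "5 10 30"; do
        # shellcheck disable=SC2086
        set -- $args
        out=$(sample_output "$1" "$2" "$3")
        verdict=$(lockout_verdict "$out")
        echo "threshold=$1 duration=$2 reset=$3 -> $verdict"
        if [ "$verdict" != enabled ]; then
            echo "  fix: $(samba_tool_lockout_cmd 5 30 30)"
        fi
    done
}

main
```

On a real DC, feed the live output instead of the sample: `lockout_verdict "$(samba-tool domain passwordsettings show)"`. Note that on Samba AD a failed LDAP simple bind also increments the account's bad-password count, so the threshold applies to the OpenVPN LDAP logins mentioned earlier in the thread as well as to Windows logons.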