Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: icsy7867 on February 15, 2018, 07:04:09 pm

Title: Zentyal 5.0 with Server 2016 BDC
Post by: icsy7867 on February 15, 2018, 07:04:09 pm
I have been playing around with some configurations and I have been having trouble getting account lockout policies to work.

I thought that I could mess around with spinning up a Windows Server 2016 VM and joining it to the Zentyal domain as a BDC, but this does not seem to want to work.

Has anyone been able to do this?  I really like having Zentyal as a PDC or BDC because I use LDAP authentication with Zentyal's OpenVPN configuration, and it's nice to use "LDAP://localhost:389" as I don't have to send passwords in plaintext over the network.

Just curious if anyone has gotten this to work, or if this just simply is not possible.
Title: Re: Zentyal 5.0 with Server 2016 BDC
Post by: icsy7867 on February 16, 2018, 05:42:22 pm
I thought that Server 2016 might be a little too extreme for a Samba-based DC, so I have installed a 2008 R2 VM and I have also tried with this.

I get an "RPC Service is Unavailable" error. I have turned off Windows Firewall to ensure this was not the case, and I do not believe Zentyal blocks any internal communication.  Has anyone had any experience with this?
Title: Re: Zentyal 5.0 with Server 2016 BDC
Post by: basselope on February 19, 2018, 12:55:16 pm
No SysVOL replication? GPOs not synced maybe? Just an idea...
Title: Re: Zentyal 5.0 with Server 2016 BDC
Post by: icsy7867 on February 19, 2018, 03:30:00 pm
I might be mistaken, but after digging into the issue, I believe the account lockouts won't be handled by GPO, as the server handling the bad login attempts would be Zentyal itself.

I have set the account lockout threshold to 5 using samba-tool; I will test and see how this works shortly.

Code:
samba-tool domain passwordsettings set --account-lockout-threshold=5
*EDIT*

Yep, this worked! I was able to monitor some bad passwords using Microsoft's account login status tool:
https://www.microsoft.com/en-us/download/details.aspx?id=15201

After 5 bad attempts the account successfully locked out in AD Users & Computers.  Now if I can just get LDAPS working, I will be happy :D
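The thread above sets the lockout threshold with `samba-tool domain passwordsettings set` and then verifies the lockout with a Windows tool. The following is an added example, not code from the thread, from Zentyal or from the Samba project, showing how the same check can be done from the Samba side: it parses the text that `samba-tool domain passwordsettings show` prints, flags a policy that has lockout disabled, converts a user's `lockoutTime` attribute (the AD FILETIME value `ldbsearch` returns) to a timestamp, and decides whether the account is still locked given the configured lockout duration. The sample command output, the domain `zentyal-domain.lan` and the user `alice` are constructed for the example.

```python
"""Audit Samba AD lockout policy and a user's lockout state (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what `samba-tool domain passwordsettings show` prints
# after `samba-tool domain passwordsettings set --account-lockout-threshold=5`.
SAMPLE_SHOW_OUTPUT = """\
Password information for domain 'DC=zentyal-domain,DC=lan'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 30
"""

# Constructed sample of the attributes ldbsearch returns for a locked user.
# lockoutTime here corresponds to 2018-02-19 15:00:00 UTC.
SAMPLE_USER_LDIF = """\
dn: CN=alice,CN=Users,DC=zentyal-domain,DC=lan
sAMAccountName: alice
badPwdCount: 5
lockoutTime: 131635260000000000
"""

# AD FILETIME values count 100 ns intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_password_settings(text):
    """Turn the 'Label: value' lines of the show output into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s*(.+)$", line.strip())
        if not m:
            continue  # banner line and blank lines carry no setting
        label, value = m.group(1), m.group(2)
        settings[label] = int(value) if value.isdigit() else value
    return settings


def lockout_findings(settings):
    """Return policy weaknesses; an empty list means lockout is configured."""
    findings = []
    threshold = settings.get("Account lockout threshold (attempts)", 0)
    if threshold == 0:
        findings.append("account lockout disabled (threshold 0)")
    elif threshold > 10:
        findings.append(f"lockout threshold {threshold} is high")
    return findings


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_ldif(text):
    """Minimal 'attr: value' parser for one ldbsearch record."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def is_locked_out(user_attrs, settings, now):
    """True while lockoutTime is set and the lockout duration has not elapsed.

    AD does not zero lockoutTime when the duration expires (it is cleared on
    the next successful logon), so the elapsed-time check is required rather
    than a plain lockoutTime != 0 test.  A duration of 0 means the account
    stays locked until an administrator unlocks it.
    """
    lockout_time = int(user_attrs.get("lockoutTime", "0"))
    if lockout_time == 0:
        return False
    duration = settings.get("Account lockout duration (mins)", 0)
    if duration == 0:
        return True
    locked_at = filetime_to_datetime(lockout_time)
    return now < locked_at + timedelta(minutes=duration)


if __name__ == "__main__":
    policy = parse_password_settings(SAMPLE_SHOW_OUTPUT)
    user = parse_ldif(SAMPLE_USER_LDIF)
    print("policy findings:", lockout_findings(policy) or "none")
    print("locked at:", filetime_to_datetime(int(user["lockoutTime"])))
    print("locked now:", is_locked_out(user, policy, datetime.now(timezone.utc)))
```

On a live server the two sample strings are replaced by the output of `samba-tool domain passwordsettings show` and of an `ldbsearch` against the sam.ldb for the user's `lockoutTime` and `badPwdCount` attributes; the `badPwdCount` field shows how close an account is to the threshold before it trips.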