Solved

lockout duration policy on samba

Posted on 2010-11-19
Last Modified: 2012-05-10
Hi all,
I have a problem with my Samba server:
I've installed Samba 3.2.5 on a Debian 5.0.6 distribution and I've configured Samba as a PDC with roaming profiles. I want to set some policies like "bad lockout attempt = 3" or "lockout duration = 30", but when I enter the command via the Linux shell and reload or restart the Samba service, the latter doesn't apply the new policy that I have set up, and if I enter a bad password on my user account more than 3 times, my account continues to be unlocked.
Could it be a problem with the password database that I use (smbpasswd instead of tdbsam)?
I attach my smb.conf file.
Does someone know how I can resolve this issue and help me?
Thanks in advance
R.
#======================= Global Settings =======================

[global]
        netbios name = samba
        workgroup = PDC
        server string = FileServer(Samba)
        wins support = no
        dns proxy = no
        domain logons = yes
        preferred master = yes
        local master = yes
        domain master = yes
        logon home = \\%L\%U\.profile
        logon path = \\%L\profiles\%U
        logon drive = H:
        hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        encrypt passwords = true
        # no "passdb backend" line: on Samba 3.2 the default is the flat smbpasswd file below
        smb passwd file = /etc/samba/smbpasswd
        obey pam restrictions = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192

#======================= Share Definitions =======================

[homes]
        path = /mnt/samba/homes/%u
        comment = Home Directory
        browseable = no
        writeable = yes
        printable = no
        create mode = 0755
        directory mode = 0755
        valid users = %S
        vfs object = recycle:recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = No
        recycle:versions = No
        recycle:touch = Yes

[profiles]
        path = /mnt/samba/profiles
        writeable = yes
        browseable = no
        create mask = 0600
        directory mask = 0700
        store dos attributes = yes
        guest ok = no
        printable = no

[netlogon]
        path = /mnt/samba/netlogon
        read only = yes
        write list = @admin
        browseable = no
        printable = no

[share1]
        path = /mnt/samba/share1
        writable = yes
        printable = no
        create mask = 0775
        directory mask = 0775
        vfs object = recycle:recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = Yes
        recycle:versions = No
        recycle:touch = Yes

[share2]
        path = /mnt/samba/share2
        valid users = user2
        writable = yes
        printable = no
        vfs object = recycle:recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = Yes
        recycle:versions = No
        recycle:touch = Yes

Question by:kaoma
12 Comments
 
Expert Comment

by:Moose Mclinn
ID: 34175892
It may be in the wrong mode. But user mode doesn't support lockouts, it seems.

Samba Security Modes

A good understanding of how Samba implements security is essential for proper deployment of a Samba server. Windows NT/2000/2003 SMB (CIFS) only implements two security levels, user-level and share-level security; Samba provides more flexibility by extending Windows-based SMB/CIFS security through its Security Modes. Samba security modes are configured through the smb.conf parameter:

security = <mode>

The available modes are:

share:: In this mode, the client must authenticate against each share. In a Windows world, the share password is set on the share itself. This means that the client does not have to pass the username along with the connection request. Samba always uses the username/password combination, provided through the underlying Linux authentication method - /etc/passwd or /etc/nsswitch.conf. For this mode the smb.conf entry is:

security = share

user:: This is Samba's default security mode. In this mode, authentication is based on the username/password combination. When a client makes a request for a shared resource, the Samba server doesn't "know" which share an authenticating client is allowed to access. For this mode the smb.conf entry is:

security = user

server:: Although still valid, the server security mode is a "legacy" mode, a leftover from times when the Samba software was not able to become a domain member server. This mode allows a Samba server to authenticate connecting clients against a Windows NT-style PDC. There are many shortcomings: the possibility of "account lockout" on the Windows PDC, no assurance that the PDC is the actual machine specified, no support for winbindd/remote user profiles, etc. In this mode, Samba appears to be in user security mode to the clients, while actually passing all the authentication to the PDC. For server security mode to work, two additional parameters must be specified in an smb.conf file:
Expert Comment

by:expert_tanmay
ID: 34176981
1. Go to Microsoft's Windows 2000 home page here - http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=1001aaf1-749f-49f4-8010-297bd6ca33a0
2. Download the Service Pack 4 Network Installation file.
3. Once downloaded, extract the files with the command "W2kSP4_EN.EXE /x"
4. Launch the file "adminpack.msi" to install the server tools
5. Run "poledit.exe"

Note : It is very important that you install the System Policy Editor (SPE) on a machine based on the same Operating System as the machines you want to control.

Once you get the System Policy Editor, you will only have basic templates installed. You can get additional templates from Microsoft's website, or you can create your own custom templates that you can use.

Basically what the System Policy Editor is used for is to create a single file that contains all of the policies for your network. This file is downloaded by your client computers every time a user logs into the server.

Once you create your Policy File, you must save it as "NTConfig.POL", then copy it to the "NETLOGON" share on your samba server.

To create a NETLOGON Share on a Samba Domain Controller, simply create a directory on your server, such as "/srv/samba/netlogon", change the permissions so that everyone has read-only rights (chmod o-wx or chmod o+r) then add the following to your shares section of your smb.conf file.

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = Yes
browseable = No
# If you have problems, try adding the following line
# acl check permissions = no

That's it.
best of luck
Expert Comment

by:tty2
ID: 34178839
It is not clear which command you put via the Linux shell. I hope it is pdbedit.

# pdbedit -P "bad lockout attempt"
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0
# pdbedit -P "bad lockout attempt" -C 3
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value was: 0
account policy "bad lockout attempt" value is now: 3
# pdbedit -P "lockout duration"
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 30

This works without restarting/reloading the Samba server. After restarting the daemon, a previously locked account stays locked.
Yeah, it works in "security = user" on my samba server, too:
# testparm -sv | grep security
...
      security = USER
...
Author Comment

by:kaoma
ID: 34186830

> It is not clear which command you put via the Linux shell. I hope it is pdbedit.
> [...]
> Yeah, it works in "security = user" on my samba server, too:
> [...]
Hi,
I added this line (security = USER) to my smb.conf file, but it doesn't work. I tried to restart Samba and to rewrite my policies via pdbedit (pdbedit -P "bad lockout attempt" -C 3 and pdbedit -P "lockout duration" -C 30), but it doesn't work either.


> 1. Go to Microsoft's Windows 2000 home page here - http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=1001aaf1-749f-49f4-8010-297bd6ca33a0
> [...]
> Once you create your Policy File, you must save it as "NTConfig.POL", then copy it to the "NETLOGON" share on your samba server.
> [...]

I have an NTConfig.POL on another Samba server, but I see that this way of passing policies to all users doesn't work properly:
Every time I put a new user in NTConfig, I need to restart Samba (and all my users must be disconnected, because they all use roaming profiles). Also, I don't know how I can add new policies like "lockout duration" or "bad lockout attempt", which I didn't find among the policies that I downloaded from the Microsoft site.
Expert Comment

by:expert_tanmay
ID: 34187235
Policies are set on the Windows machines by some registry settings. In whatever way you create your policies, they will be distributed by your Samba server using LDAP when any user logs in. You may read further on Active Directory at (http://technet.microsoft.com/en-us/library/bb742424.aspx)

For whatever policies you need to set, you will need to have a template. There are lots of templates available on the MS site. Anyway, I didn't understand why you need to put a new user in NTConfig.POL?

best of luck

Author Comment

by:kaoma
ID: 34335223
> Anyway, I didn't understand why you need to put a new user in NTConfig.POL?
I enter each new user in the NTConfig.POL file because the group policy is not working properly, so I'm setting the policy in a non-automatic way.
In this way, everything works fine, except for certain policies set by pdbedit, which are:
lockout duration
bad lockout attempt
password history
Other pdbedit commands work properly, and they are:
min password length
maximum password age
Is there another way to activate pdbedit policies, other than setting the policy via the NTConfig.POL file?
Thanks
 

Author Comment

by:kaoma
ID: 34430395
Hi All,
Somebody can help me to solve this issue?
Thanks a lot
K.
Expert Comment

by:expert_tanmay
ID: 34440521
Please print the domain account access policies that may be configured; execute:
pdbedit -P ?

Does it show you in the list
bad lockout attempt (default is 0, which means lockout won't happen for any number of bad attempts).
lockout duration (default is 30 min, value can range from 1 - 99998 min)

Can you get the output of
pdbedit -L
Are all the users listed? The policies will be passed to the users listed by the command.

Regards
Expert Comment

by:expert_tanmay
ID: 34440524
I forgot to mention you have to be root to execute the commands...
Accepted Solution

by:
kaoma earned 0 total points
ID: 34515540
Hi,
I have solved this problem:
This method works only with the tdbsam passwd DB and not with smbpasswd: if the DB used by Samba is smbpasswd, the command via the shell works fine, but the policy is not applied correctly. To apply the policy you need to convert the DB with the command
pdbedit -i smbpasswd:/etc/samba/smbpasswd -e tdbsam:/var/lib/samba/passdb.tdb
and when the command has executed without error, smb.conf needs a modification in the passdb backend directive:
passdb backend = tdbsam:/var/lib/samba/passdb.tdb
After this step a restart of Samba is needed; now the policy works fine.
Cheers
K.
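As an added example (not code from the thread, and not Samba's own tooling), a small Python checker for the point the accepted solution and tty2's pdbedit notes make together: it parses smb.conf for the effective passdb backend, parses `pdbedit -P` output for the stored policy values, and reports when a lockout policy is set but the backend cannot enforce it. It assumes Samba 3.x behaviour: with no `passdb backend` line, releases before 3.4 default to smbpasswd, whose flat file has no field for a per-account bad-password count, so tdbsam or ldapsam is needed before "bad lockout attempt" and "lockout duration" do anything. The sample config and pdbedit output are constructed from the thread's own lines; the function names (`audit`, `migration_commands`, etc.) are this example's, not Samba's.

```python
"""Audit an smb.conf / pdbedit pair for an account-lockout policy that is set
but cannot take effect. Added example, not code from the thread or from Samba.
Assumption: Samba 3.x, where releases before 3.4 default "passdb backend" to
smbpasswd when the line is absent, and the smbpasswd flat file has no field
for a per-account bad-password count, so only tdbsam/ldapsam enforce
"bad lockout attempt" and "lockout duration"."""
import re

POLICY_CAPABLE = {"tdbsam", "ldapsam"}   # backends that persist the counter
DEFAULT_BACKEND_PRE_34 = "smbpasswd"     # assumption: Samba < 3.4 default

# Constructed from the thread's own smb.conf and pdbedit output (abridged).
OP_CONF = """\
[global]
        netbios name = samba
        workgroup = PDC
        domain logons = yes
        encrypt passwords = true
        smb passwd file = /etc/samba/smbpasswd
        obey pam restrictions = yes

[homes]
        path = /mnt/samba/homes/%u
        valid users = %S
"""
FIXED_CONF = OP_CONF.replace(
    "smb passwd file = /etc/samba/smbpasswd",
    "passdb backend = tdbsam:/var/lib/samba/passdb.tdb")
PDBEDIT_OUT = """\
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value was: 0
account policy "bad lockout attempt" value is now: 3
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 30
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys lower-cased
    with whitespace normalised, '#' and ';' comment lines skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def effective_backend(conf):
    """(backend, location) of the first backend listed in 'passdb backend'."""
    spec = conf.get("global", {}).get("passdb backend", DEFAULT_BACKEND_PRE_34)
    name, _, location = spec.split()[0].partition(":")
    return name.lower(), location or None


def parse_pdbedit_policy(text):
    """`pdbedit -P "<policy>"` output -> {policy: current value}.
    A later 'value is now:' (printed after -C) overrides 'value is:'."""
    pat = r'account policy "([^"]+)" value (?:is now|is): (-?\d+)'
    return {m.group(1): int(m.group(2)) for m in re.finditer(pat, text)}


def migration_commands(conf, tdb="/var/lib/samba/passdb.tdb"):
    """The conversion from the accepted solution, using the configured
    smbpasswd path rather than a hard-coded one."""
    old = conf.get("global", {}).get("smb passwd file", "/etc/samba/smbpasswd")
    return [f"pdbedit -i smbpasswd:{old} -e tdbsam:{tdb}",
            f"# then in [global]:  passdb backend = tdbsam:{tdb}",
            "# restart smbd and re-check with: pdbedit -P 'bad lockout attempt'"]


def audit(conf_text, pdbedit_text):
    """Return findings; an empty list means the lockout policy is both set
    and enforceable by the configured backend."""
    conf = parse_smb_conf(conf_text)
    policy = parse_pdbedit_policy(pdbedit_text)
    findings = []
    if policy.get("bad lockout attempt", 0) <= 0:
        findings.append("lockout off: 'bad lockout attempt' is 0")
    name, _ = effective_backend(conf)
    if name not in POLICY_CAPABLE:
        findings.append(f"backend '{name}' ignores lockout policy; migrate to tdbsam")
    return findings


if __name__ == "__main__":
    for label, conf_text in (("original", OP_CONF), ("migrated", FIXED_CONF)):
        print(label, audit(conf_text, PDBEDIT_OUT) or ["OK"])
    print("\n".join(migration_commands(parse_smb_conf(OP_CONF))))
```

On the server itself, `testparm -sv | grep 'passdb backend'` prints the effective backend including the compiled-in default, which is the quickest way to confirm which backend a `pdbedit -P ... -C` policy will actually reach. `pdbedit -i ... -e ...` writes the new tdb without modifying the source smbpasswd file, but back that file up before switching `passdb backend` anyway, since the tdb becomes the only copy of the NT hashes once the old line is removed.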
Author Comment

by:kaoma
ID: 34515549
I've checked the documentation of samba and I've solved the problem
Author Closing Comment

by:kaoma
ID: 34608889
I've checked the documentation of samba and I've solved the problem