Solved

lockout duration policy on samba

Posted on 2010-11-19
1,524 Views
Last Modified: 2012-05-10
Hi all,
I have a problem with my Samba server:
I've installed Samba 3.2.5 on a Debian 5.0.6 distribution and I've configured Samba as a PDC with roaming profiles. I want to set some policies like "bad lockout attempt = 3" or "lockout duration = 30", but when I put the command via the Linux shell and reload or restart the Samba service, the latter doesn't apply the new policy that I have set up, and if I put a bad password on my user account more than 3 times, my account stays unlocked.
Could it be a problem with the password database that I use (smbpasswd instead of tdbsam)?
I attach my smb.conf file.
Does anyone know how I can resolve this issue and can help me?
Thanks in advance
R.
#======================= Global Settings =======================

[global]

        netbios name = samba
        workgroup = PDC
        server string = FileServer(Samba)
        wins support = no
        dns proxy = no
        domain logons = yes
        preferred master = yes
        local master = yes
        domain master = yes
        logon home = \\%L\%U\.profile
        logon path = \\%L\profiles\%U
        logon drive = H:
        hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        encrypt passwords = true
        smb passwd file = /etc/samba/smbpasswd
        obey pam restrictions = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192

#======================= Share Definitions =======================

[homes]
        path = /mnt/samba/homes/%u
        comment = Home Directory
        browseable = no
        writeable = yes
        printable = no
        create mode = 0755
        directory mode = 0755
        valid users = %S
        vfs object = recycle:recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = No
        recycle:versions = No
        recycle:touch = Yes

[profiles]
        path = /mnt/samba/profiles
        writeable = yes
        browseable = no
        create mask = 0600
        directory mask = 0700
        store dos attributes = yes
        guest ok = no
        printable = no

[netlogon]
        path = /mnt/samba/netlogon
        read only = yes
        write list = @admin
        browseable = no
        printable = no

[share1]
        path = /mnt/samba/share1
        writable = yes
        printable = no
        create mask = 0775
        directory mask = 0775
        vfs object = recycle:recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = Yes
        recycle:versions = No
        recycle:touch = Yes

[share2]
        path = /mnt/samba/share2
        valid users = user2
        writable = yes
        printable = no
        vfs object = recycle:recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = Yes
        recycle:versions = No
        recycle:touch = Yes

Question by:kaoma
12 Comments

Expert Comment by: Moose Mclinn, ID: 34175892
It may be in the wrong mode. But user mode doesn't support lockouts, it seems.

Samba Security Modes

A good understanding of how Samba implements security is essential for proper deployment of a Samba server. Windows NT/2000/2003 SMB (CIFS) only implements two security levels, user-level and share-level security; Samba provides more flexibility by extending Windows-based SMB/CIFS security through its Security Modes. Samba security modes are configured through the smb.conf parameter:

security = <mode>

The available modes are:

share: In this mode, the client must authenticate against each share. In a Windows world, the share password is set on the share itself. This means that the client does not have to pass the username along with the connection request. Samba always uses the username/password combination, provided through the underlying Linux authentication method - /etc/passwd or /etc/nsswitch.conf. For this mode the smb.conf entry is:

security = share

user: This is Samba's default security mode. In this mode, authentication is based on the username/password combination. When a client makes a request for a shared resource, the Samba server doesn't "know" which share an authenticating client is allowed to access. For this mode the smb.conf entry is:

security = user

server: Although still valid, the server security mode is a "legacy" mode, a leftover from times when the Samba software was not able to become a domain member server. This mode allows a Samba server to authenticate connecting clients against a Windows NT-style PDC. There are many shortcomings: the possibility of "account lockout" on the Windows PDC, no assurance that the PDC is the actual machine specified, no support for winbindd/remote user profiles, etc. In this mode, Samba appears to be in user security mode to the clients, while actually passing all the authentication to the PDC. For server security mode to work, two additional parameters must be specified in an smb.conf file:

Expert Comment by: expert_tanmay, ID: 34176981
1. Go to Microsoft's Windows 2000 home page here - http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=1001aaf1-749f-49f4-8010-297bd6ca33a0
2. Download the Service Pack 4 Network Installation file.
3. Once downloaded, extract the files with the command "W2kSP4_EN.EXE /x"
4. Launch the file "adminpack.msi" to install the server tools
5. Run "poledit.exe"

Note: It is very important that you install the System Policy Editor (SPE) on a machine based on the same operating system as the machines you want to control.

Once you get the System Policy Editor, you will only have basic templates installed. You can get additional templates from Microsoft's website, or you can create your own custom templates that you can use.

Basically what the System Policy Editor is used for is to create a single file that contains all of the policies for your network. This file is downloaded by your client computers every time a user logs into the server.

Once you create your Policy File, you must save it as "NTConfig.POL", then copy it to the "NETLOGON" share on your Samba server.

To create a NETLOGON share on a Samba Domain Controller, simply create a directory on your server, such as "/srv/samba/netlogon", change the permissions so that everyone has read-only rights (chmod o-wx or chmod o+r), then add the following to the shares section of your smb.conf file.

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = Yes
browseable = No
# If you have problems, try adding the following line
# acl check permissions = no

that's it
best of luck

Expert Comment by: tty2, ID: 34178839
It is not clear which command you put via the Linux shell. I hope it is pdbedit.

# pdbedit -P "bad lockout attempt"
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0
# pdbedit -P "bad lockout attempt" -C 3
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value was: 0
account policy "bad lockout attempt" value is now: 3
# pdbedit -P "lockout duration"
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 30

This works without restarting/reloading the Samba server. After restarting the daemon, a previously locked account stays locked.
Yeah, it works in "security = user" on my Samba server, too:
# testparm -sv | grep security
...
      security = USER
...

Author Comment by: kaoma, ID: 34186830

Hi,
I added this line (security = USER) to my smb.conf file, but it doesn't work. I tried to restart Samba and to rewrite my policies via pdbedit (pdbedit -P "bad lockout attempt" -C 3 and pdbedit -P "lockout duration" -C 30), but it doesn't work either.


I have an NTConfig.POL on another Samba server, but I see that this way of passing policies to all users doesn't work properly:
Every time I put a new user in NTConfig, I need to restart Samba (and all my users must be disconnected, because they all use roaming profiles). Also, I don't know how I can add new policies like "lockout duration" or "bad lockout attempt", which I didn't find among the policies that I downloaded from the Microsoft site.

Expert Comment by: expert_tanmay, ID: 34187235
Policies are set on the Windows machines by some registry settings. In whatever way you create your policies, they will be distributed by your Samba server using LDAP when any user logs in. You may read further on Active Directory at http://technet.microsoft.com/en-us/library/bb742424.aspx

For whatever policies you need to set, you will need to have a template. There are lots of templates available on the MS site. Anyway, I didn't understand why you need to put a new user in NTConfig.POL?

best of luck

Author Comment by: kaoma, ID: 34335223
Anyway, I didn't understand why you need to put a new user in NTConfig.POL?
I enter each new user in the ntconfig.pol file because the group policy is not working properly, so I'm setting the policy in a non-automatic way.
In this way, everything works fine, except for certain policies set by pdbedit, which are:
lockout duration policy
bad lockout attempt
password history
Other pdbedit commands are working properly, and they are:
min password length
maximum password age
Is there another way to activate pdbedit policies, other than setting the policy via the file NTConfig.POL?
Thanks

Author Comment by: kaoma, ID: 34430395
Hi All,
Somebody can help me to solve this issue?
Thanks a lot
K.

Expert Comment by: expert_tanmay, ID: 34440521
To print the domain account access policies that may be configured, execute:
pdbedit -P ?

Does it show you in the list
bad lockout attempt (default is 0, meaning lockout won't happen for any number of bad attempts).
lockout duration (default is 30 min, value can range from 1 - 99998 min)

Can you get the output of
pdbedit -L
Are all the users listed? The policies will be passed to the users listed by the command.

Regards

Expert Comment by: expert_tanmay, ID: 34440524
I forgot to mention you have to be root to execute the commands...

Accepted Solution by: kaoma (earned 0 total points), ID: 34515540
Hi,
I have solved this problem:
This method works only with the tdbsam passwd DB and not with smbpasswd: if the DB used by Samba is smbpasswd, the command via shell works fine, but the policy doesn't apply correctly. To apply the policy you need to convert the DB with the command
pdbedit -i smbpasswd:/etc/samba/smbpasswd -e tdbsam:/var/lib/samba/passdb.tdb
and when the command has executed without error, smb.conf needs a modification in the passdb backend directive:
passdb backend = tdbsam:/var/lib/samba/passdb.tdb
After this step a restart of Samba is needed: now the policy works fine.
Cheers
K.
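As an added example that is not part of this thread or of Samba itself, a small Python audit script that reads the [global] section of smb.conf and the `pdbedit -P` output format shown in tty2's comment, and reports why a lockout policy would not take effect: the passdb backend is smbpasswd or not set (the cause found in the accepted solution), or "bad lockout attempt" is still 0. The sample smb.conf lines and pdbedit output are constructed from the thread.

```python
import re

# Constructed sample: the relevant [global] lines from the question's smb.conf (no "passdb backend") plus one share.
SMB_CONF = """[global]
        domain logons = yes
        smb passwd file = /etc/samba/smbpasswd
[homes]
        path = /mnt/samba/homes/%u
"""

# Constructed sample of `pdbedit -P "<policy>"` output in the format shown in the thread.
PDBEDIT_OUT = """account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 3
account policy "lockout duration" value is: 30
"""

def global_params(conf_text):
    """Return the key = value pairs of the [global] section, keys lowercased."""
    params, in_global = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":   # skip blanks and comments
            continue
        if line.startswith("["):          # section header: only [global] counts
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params

def account_policies(pdbedit_text):
    """Parse `pdbedit -P <policy>` output into {policy name: integer value}."""
    pat = re.compile(r'account policy "([^"]+)" value is(?: now)?: (-?\d+)')
    matches = (pat.search(line) for line in pdbedit_text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def lockout_audit(conf_text, pdbedit_text):
    """List the reasons why the lockout policy would not take effect (empty = OK)."""
    backend = global_params(conf_text).get("passdb backend", "")
    policies = account_policies(pdbedit_text)
    findings = []
    if backend.startswith("smbpasswd"):
        findings.append("passdb backend is smbpasswd: policy is not applied, migrate to tdbsam")
    elif not backend:
        findings.append("passdb backend not set: check `testparm -sv | grep 'passdb backend'`")
    if policies.get("bad lockout attempt", 0) <= 0:
        findings.append("bad lockout attempt is 0: lockout is disabled")
    return findings
```

Run it against the real files by passing the contents of /etc/samba/smb.conf and the output of the two pdbedit commands; an empty list means both preconditions for the lockout policy are met.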

Author Comment by: kaoma, ID: 34515549
I've checked the documentation of samba and I've solved the problem

Author Closing Comment by: kaoma, ID: 34608889
I've checked the documentation of samba and I've solved the problem