Univention Bugzilla – Bug 46249
sambaLockoutDuration unset after setup, while Samba lockoutDuration == 0 (==unlimited)
Last modified: 2020-07-03 20:51:00 CEST
After setting up a UCS DC with Samba/AD, the sambaLockoutDuration value in OpenLDAP is unset, while the corresponding Active Directory attribute is set to "0" in Samba by default:
==============================================================
root@master10:~# udm settings/sambadomain list
lockoutDuration: None
root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain sambaLockoutDuration
sambaLockoutDuration: <not present, not shown>

## But Samba default is "0", i.e. "unlimited"
root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: 0
==============================================================
This gives a wrong impression in the UMC / UDM because it's shown as empty instead of something indicating that it's actually set. A value of "0" in AD means permanently / unlimited.

Setting the AD default works as expected:
==============================================================
## Set to native AD default "30" minutes, this is OK
root@master10:~# samba-tool domain passwordsettings set --account-lockout-duration=30

## The actual native AD default
root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: -1800000000
root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain sambaLockoutDuration
sambaLockoutDuration: 1800
==============================================================
And then there is a Samba bug:
==============================================================
## reset to "0", i.e. "unlimited"
root@master10:~# samba-tool domain passwordsettings set --account-lockout-duration=0
root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: -9223372036854775808
root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain sambaLockoutDuration
sambaLockoutDuration: 922337203685
==============================================================
After manually setting lockoutDuration to 0 in sam.ldb, the S4-Connector correctly synchronizes it as "0" to UDM:
==============================================================
root@master10:~# udm settings/sambadomain list
DN: sambaDomainName=AR41I1,cn=samba,dc=ar41i1,dc=qa
lockoutDuration: 0 days
root@master10:~# ldbedit [...]
root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: 0
root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain sambaLockoutDuration
sambaLockoutDuration: 0
root@master10:~# udm settings/sambadomain list
DN: sambaDomainName=AR41I1,cn=samba,dc=ar41i1,dc=qa
lockoutDuration: 0 days
==============================================================
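Added example (not part of the bug report and not Univention or Samba code): a Python check that classifies the value pairs shown above, given that AD stores lockoutDuration as a negative count of 100-nanosecond intervals. The function names and status strings are hypothetical, the 600-second pair is constructed, and treating 0 in OpenLDAP as "no automatic unlock" is an assumption.

```python
INT64_MIN = -(2 ** 63)           # value samba-tool wrote for --account-lockout-duration=0
TICKS_PER_SECOND = 10_000_000    # AD interval attributes count 100-nanosecond ticks
LEAKED_SENTINEL = -INT64_MIN // TICKS_PER_SECOND   # 922337203685, as seen in OpenLDAP


def ad_lockout_seconds(raw):
    """Seconds until automatic unlock, or None when the lockout never expires."""
    ticks = int(raw)
    if ticks > 0:
        raise ValueError("AD lockoutDuration must be zero or negative: %r" % raw)
    if ticks in (0, INT64_MIN):
        return None
    return -ticks // TICKS_PER_SECOND


def check_sync(ad_raw, ldap_raw):
    """Classify the pair (AD lockoutDuration, OpenLDAP sambaLockoutDuration).

    ldap_raw is None when the attribute is absent from the sambaDomain object.
    """
    ad_seconds = ad_lockout_seconds(ad_raw)
    if ldap_raw is None:
        return "openldap-unset"      # UDM shows "None" although AD holds a value
    ldap_value = int(ldap_raw)
    if ldap_value == LEAKED_SENTINEL:
        return "sentinel-leaked"     # INT64_MIN converted as if it were a duration
    # Assumption: 0 in OpenLDAP carries the same "no automatic unlock" meaning.
    ldap_seconds = None if ldap_value == 0 else ldap_value
    return "in-sync" if ldap_seconds == ad_seconds else "mismatch"


if __name__ == "__main__":
    samples = [
        ("0", None),                                # fresh setup in the report
        ("-9223372036854775808", "922337203685"),   # after samba-tool ... =0
        ("0", "0"),                                 # after the manual ldbedit
        ("-6000000000", "600"),                     # constructed: 10 minutes
    ]
    for ad_raw, ldap_raw in samples:
        print(ad_raw, ldap_raw, "->", check_sync(ad_raw, ldap_raw))
```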
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.