Bug 46249 - sambaLockoutDuration unset after setup, while Samba lockoutDuration == 0 (==unlimited)
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
https://bugzilla.samba.org/show_bug.c...
Reported: 2018-02-08 08:45 CET by Arvid Requate
Modified: 2020-07-03 20:51 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Description Arvid Requate univentionstaff 2018-02-08 08:45:03 CET
After setting up a UCS DC with Samba/AD, the sambaLockoutDuration value in OpenLDAP is unset, while the corresponding Active Directory attribute is set to "0" in Samba by default:
==============================================================
root@master10:~# udm settings/sambadomain list
  lockoutDuration: None

root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain  sambaLockoutDuration
sambaLockoutDuration: <not present, not shown>

## But Samba default is "0", i.e. "unlimited"
root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: 0
==============================================================
This gives a wrong impression in the UMC / UDM because it's shown as empty instead of something indicating that it's actually set. A value of "0" in AD means permanently / unlimited.


Setting the AD default works as expected
==============================================================
## Set to native AD default "30" minutes, this is OK
root@master10:~# samba-tool domain passwordsettings set --account-lockout-duration=30 ## The actual native AD default

root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: -1800000000

root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain  sambaLockoutDuration
sambaLockoutDuration: 1800
==============================================================

And then there is a Samba bug:
==============================================================
## reset to "0", i.e. "unlimited"
root@master10:~# samba-tool domain passwordsettings set --account-lockout-duration=0

root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: -9223372036854775808

root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain  sambaLockoutDuration
sambaLockoutDuration: 922337203685
==============================================================


After manually setting lockoutDuration to 0 in sam.ldb, the S4-Connector correctly synchronizes it as "0" to UDM:
==============================================================
root@master10:~# udm settings/sambadomain list
DN: sambaDomainName=AR41I1,cn=samba,dc=ar41i1,dc=qa
  lockoutDuration: 0 days

root@master10:~# ldbedit [...]
root@master10:~# univention-s4search -s base lockoutDuration
lockoutDuration: 0

root@master10:~# univention-ldapsearch -LLL objectclass=sambadomain  sambaLockoutDuration
sambaLockoutDuration: 0

root@master10:~# udm settings/sambadomain list
DN: sambaDomainName=AR41I1,cn=samba,dc=ar41i1,dc=qa
  lockoutDuration: 0 days
==============================================================
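An added example, not part of the original report or of the S4 Connector's code: a Python check that classifies a pair of lockout-duration values (sam.ldb and OpenLDAP) into the states shown in the description above. The function names and the 100 ns tick unit are assumptions; the unit agrees with the -9223372036854775808 / 922337203685 pair in the report, and treating both 0 and INT64_MIN as "no expiry" follows the report's reading.

```python
INT64_MIN = -2**63        # what samba-tool stored for --account-lockout-duration=0 in the report
TICKS_PER_SECOND = 10**7  # assumption: AD interval attributes count 100 ns ticks


def ad_to_seconds(raw):
    """Seconds for a finite AD lockoutDuration; None for 0 or INT64_MIN (no expiry)."""
    ticks = int(raw)
    if ticks in (0, INT64_MIN):
        return None
    if ticks > 0:
        raise ValueError(f"AD intervals are stored as negative ticks, got {ticks}")
    return -ticks // TICKS_PER_SECOND


def check_lockout_sync(ad_raw, ldap_raw):
    """Classify one pair; ldap_raw is None when sambaLockoutDuration is absent."""
    if ldap_raw is None:
        return "unset-in-openldap"      # state right after setup in the report
    ldap = int(ldap_raw)
    seconds = ad_to_seconds(ad_raw)
    if seconds is not None:
        return "ok" if ldap == seconds else "mismatch"
    if ldap == 0:
        return "ok"                     # both sides agree on "0"
    if int(ad_raw) == INT64_MIN and ldap == -INT64_MIN // TICKS_PER_SECOND:
        return "sentinel-leaked"        # INT64_MIN copied over as a huge number of seconds
    return "mismatch"


# Constructed sample pairs; the first three reuse values from the report.
SAMPLES = [
    ("0", None),
    ("-9223372036854775808", "922337203685"),
    ("0", "0"),
    ("-6000000000", "600"),             # constructed: 10 minutes
]


def audit(pairs):
    """Return the classification for each (AD, OpenLDAP) pair, in order."""
    return [check_lockout_sync(ad, ldap) for ad, ldap in pairs]


if __name__ == "__main__":
    for (ad, ldap), state in zip(SAMPLES, audit(SAMPLES)):
        print(f"AD={ad!s:>22} OpenLDAP={ldap!s:>13} -> {state}")
```

A policy audit can feed it the raw output of `univention-s4search -s base lockoutDuration` and `univention-ldapsearch -LLL objectclass=sambadomain sambaLockoutDuration`, passing `None` when the second attribute is missing.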
Comment 1 Ingo Steuwer univentionstaff 2020-07-03 20:51:00 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.