Does anyone have any experience with the “Permitted times for Windows Logins” feature? I am trying to limit login hours for one user, but they are able to log in at any time. Attached is a screenshot of the configured section.
the corresponding LDAP attribute
sambaLogonHours is not synchronized to the Samba 4 LDAP directory by default. I’m not sure why that is — there is a bug open about this (in German), but it doesn’t state why it’s still uncommented by default. There’s another, older bug referring to an endless loop in the S4 connector component when handling that field; maybe that’s (part of) the reason.
If you’re feeling luck, you can comment in the corresponding four lines dealing with
sambaLogonHours in the template file
/etc/univention/connector/s4/mapping (not in the
.py file, that’s auto-generated from the template file!). Be careful about the indentation: that template file gets turned into Python code, and correct indentation is paramount in Python! Just remove the
# characters without changing anything else.
Afterwards restart the S4 connector with
systemctl restart univention-s4-connector.service and modify the logon hours somehow. Observe
/var/log/univention/connector-s4.log for any error during the sync.
addendum: alternatively you can just use the RSAT’s “Active Directory Users and Groups” tool and manage the logon hours with it. That way they still won’t be synchronized between the Samba 4 LDAP and the OpenLDAP directory and you won’t see them in the UMC unless you make that aforementioned modification to the connector, but it’s… less dangerous, I suppose.