Can you look at the LDAP entries for each user? Can you disable the "password must change" date entry? I don't know if you can do that via pdbedit. You may be able to clear it out in LDAP. I think Samba calculates that field based on the password policy and when the user last changed his or her password. I found password expiration in LDAP tripped me up once because pdbedit did not reset stuff the way I thought it should.

On 06/06/12 15:31, Shawn Dakin wrote:
> So after another day of investigation I have discovered it may be a LAM issue.
> If I create a new user using smbldap-useradd the new user can login to
> my win7 workstations. However, if I create the new user in LAM the new
> user receives the error "group policy client service failed the logon.
> Access denied"
>
> Any one have an idea what LAM is doing to the user accounts?
>
> Here is a quick comparison.
>
> yo.littledog (GOOD ACCOUNT)
> I know the home dir and profile path are wrong.
> SAMBA1:/var/log/samba # pdbedit -Lv yo.littledog
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=NEVSD))]
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: yo.littledog
> init_group_from_ldap: Entry found for group: 513
> Unix username: yo.littledog
> NT username: yo.littledog
> Account Flags: [U ]
> User SID: S-1-5-21-1545272169-3882205488-3325164475-1328
> Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
> Full Name: yo.littledog
> Home Directory: \\PDC-SRV\yo.littledog
> HomeDir Drive: H:
> Logon Script: logon.bat
> Profile Path: \\PDC-SRV\profiles\yo.littledog
> Domain: NEVSD
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Mon, 18 Jan 2038 22:14:07 EST
> Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
> Password last set: Wed, 06 Jun 2012 14:52:39 EDT
> Password can change: Wed, 06 Jun 2012 14:52:39 EDT
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>
> yo.dog (BAD ACCOUNT)
> SAMBA1:/var/log/samba # pdbedit -Lv yo.dog
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=NEVSD))]
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: yo.dog
> init_group_from_ldap: Entry found for group: 513
> Unix username: yo.dog
> NT username: yo.dog
> Account Flags: [UX ]
> User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
> Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
> Full Name: Yo Dog
> Home Directory: \\SAMBA1\yo.dog
> HomeDir Drive: H:
> Logon Script:
> Profile Path: \\samba1\profiles\yo.dog
> Domain: NEVSD
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
> Password last set: Wed, 06 Jun 2012 15:19:40 EDT
> Password can change: Wed, 06 Jun 2012 15:19:40 EDT
> Password must change: Mon, 18 Jan 2038 22:14:07 EST
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
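
Added example, not part of the original thread and not Samba or LAM code: a small Python script that parses two `pdbedit -Lv` dumps and reports only the policy-related fields that differ, which makes the account flag and expiry differences between the two accounts above easy to spot. The function names and the choice of which fields count as "policy" are assumptions made for this example; the sample input is excerpted from the dumps quoted in the thread.

```python
import re

# Policy-related fields of `pdbedit -Lv`; identity fields (names, SIDs, paths)
# always differ between users and are ignored. This selection is an assumption.
POLICY_FIELDS = ("Account Flags", "Logon Script", "Workstations", "Logon time",
                 "Logoff time", "Kickoff time", "Password must change",
                 "Logon hours")

def parse_pdbedit(text):
    """Return {field: value} for the policy fields of one `pdbedit -Lv` dump."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in POLICY_FIELDS:
            # Debug lines (smbldap_*, init_*_from_ldap) never match a field name.
            fields[name.strip()] = re.sub(r"\s+", " ", value.strip())
    return fields

def diff_accounts(good_dump, bad_dump):
    """Return {field: (good, bad)} for every policy field that differs."""
    good, bad = parse_pdbedit(good_dump), parse_pdbedit(bad_dump)
    return {f: (good.get(f), bad.get(f))
            for f in POLICY_FIELDS if good.get(f) != bad.get(f)}

def flag_set(value):
    """'[UX ]' -> {'U', 'X'} (X is Samba's 'password does not expire' flag)."""
    return set(re.sub(r"[\[\]\s]", "", value or ""))

# Excerpts of the two dumps quoted in this thread.
GOOD = """smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: yo.littledog
Account Flags: [U ]
Logon Script: logon.bat
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password must change: never
"""
BAD = """init_sam_from_ldap: Entry found for user: yo.dog
Account Flags: [UX ]
Logon Script:
Logon time: 0
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
"""

if __name__ == "__main__":
    for field, (good, bad) in diff_accounts(GOOD, BAD).items():
        print(f"{field}: good={good!r} bad={bad!r}")
```

On a live system the two strings would be the captured output of `pdbedit -Lv <user>` for each account.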
