On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <[email protected]> wrote:
> I have come across a few accounts (out of 300+) that seem to be locked that will not unlock. These accounts were migrated from S3. Can someone advise - what am I missing here?
>
> I've reset the password several times via RSAT, checking the "Unlock Account" checkbox, which has not helped. Resetting the user's password via smbpasswd gives me:
>
> pdb_try_account_unlock: Account dmscott administratively locked out with no bad password time. Leaving locked out.
>
> When attempting to login to WinXP, Windows states the account is locked out and log.samba shows:
>
> Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using arcfour-hmac-md5
> [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
> [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
> authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
>
> Here is an ldapsearch output. I'm not seeing where/why this account is locked.
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
> # filter: sAMAccountName=dmscott
> # requesting: ALL
> #
>
> # Duser M. Scott, Users, internal.domain.com
> dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> instanceType: 4
> whenCreated: 20121229150147.0Z
> uSNCreated: 4317
> objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
> logonCount: 0
> sAMAccountName: dmscott
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
> logonHours:: ////////////////////////////
> uidNumber: 1436
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/dmscott
> gidNumber: 513
> msSFU30NisDomain: domain
> memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
> mail: [email protected]
> userPrincipalName: [email protected]
> givenName: Duser
> initials: M
> sn: Scott
> displayName: Duser M. Scott
> cn: Duser M. Scott
> name: Duser M. Scott
> scriptPath: GCS.cmd
> lockoutTime: 0
> loginShell: /bin/bash
> msDS-SupportedEncryptionTypes: 0
> userAccountControl: 528
> accountExpires: 0
> pwdLastSet: 130050989060000000
> userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>  HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
> whenChanged: 20130211233014.0Z
> uSNChanged: 8816
> distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

It seems that the problem for this user is that the userAccountControl attribute has a value of 528, which locks the account. Changing it to 512 (what most users are set to) unlocks the account.

Is there any way to do this without directly modifying the LDAP entry?

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
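The value 528 decodes as 0x200 (NORMAL_ACCOUNT) plus 0x10 (LOCKOUT), and 512 is NORMAL_ACCOUNT alone, which is why clearing that one bit unlocks the account. The entry above also has lockoutTime 0 and badPwdCount 0, matching the "administratively locked out with no bad password time" message from pdb_try_account_unlock. The following script is an added example, not code from the thread or from Samba: it decodes userAccountControl into UF_* flag names, reads an LDIF dump, and reports accounts whose LOCKOUT bit is set without any lockout evidence, so the other 300+ migrated accounts can be checked in one pass rather than one ldapsearch at a time. The sample LDIF, the accounts jdoe and rlocked, and the function names are constructed for the example; the dmscott entry mirrors the attributes quoted above.

```python
"""Decode userAccountControl (UAC) and find accounts whose LOCKOUT bit (0x10)
is set although lockoutTime and badPwdCount are both 0.
Added example; the LDIF below is constructed, not a real directory dump."""
import re

# UF_* bit values of userAccountControl (MS-ADTS / MS-SAMR)
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
UF_LOCKOUT = 0x0010
KNOWN_MASK = sum(UAC_FLAGS)


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry that has a dn.
    Folded lines (leading space) are joined; '::' base64 values are kept raw."""
    text = re.sub(r"\n ", "", text)           # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.lstrip(": "))
    return entries


def audit_lockout(entry):
    """Cross-check the LOCKOUT bit against the lockout evidence AD normally keeps."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    lockout_time = int(entry.get("lockoutTime", ["0"])[0])
    bad_pwd = int(entry.get("badPwdCount", ["0"])[0])
    # Bit set but no lockout timestamp and no bad-password counter: stale flag
    stale = bool(uac & UF_LOCKOUT) and lockout_time == 0 and bad_pwd == 0
    return {
        "dn": entry["dn"][0],
        "uac": uac,
        "flags": decode_uac(uac),
        "stale_lockout_bit": stale,
        "corrected_uac": (uac & ~UF_LOCKOUT) if stale else uac,
    }


def audit_all(ldif_text):
    """Map sAMAccountName -> audit result for every entry in an LDIF dump."""
    return {e["sAMAccountName"][0]: audit_lockout(e) for e in parse_ldif(ldif_text)}


def unlock_ldif(result):
    """LDIF modify record that clears only the LOCKOUT bit (what 528 -> 512 does)."""
    return ("dn: %s\nchangetype: modify\nreplace: userAccountControl\n"
            "userAccountControl: %d\n" % (result["dn"], result["corrected_uac"]))


# Constructed sample: dmscott mirrors the quoted entry (528, no lockout evidence);
# jdoe is an ordinary account; rlocked is a genuine lockout with badPwdCount and
# lockoutTime set, which the audit must NOT report as stale.
SAMPLE_LDIF = """\
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 0
sAMAccountName: dmscott
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
 =com
lockoutTime: 0
userAccountControl: 528

dn: CN=J Doe,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 0
sAMAccountName: jdoe
lockoutTime: 0
userAccountControl: 512

dn: CN=R Locked,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 5
sAMAccountName: rlocked
lockoutTime: 130051000000000000
userAccountControl: 528
"""

if __name__ == "__main__":
    for name, r in audit_all(SAMPLE_LDIF).items():
        print(name, r["uac"], r["flags"], "stale" if r["stale_lockout_bit"] else "ok")
        if r["stale_lockout_bit"]:
            print(unlock_ldif(r))
```

Run it against a real dump by feeding `ldapsearch -LLL` output to `audit_all` instead of `SAMPLE_LDIF`. The audit only reports an account as stale when the bit is set and both lockoutTime and badPwdCount are zero; rlocked, which has real lockout evidence, is left alone, so the generated modify record never clears a lockout that the password policy actually imposed. The record it emits is the same change as the 528 to 512 edit described above, just limited to the single bit rather than a hard-coded value, so accounts that carry other flags (for example DONT_EXPIRE_PASSWORD) keep them.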
