Hello Ricky,

These do not seem to work. samba-tool user setexpiry alters the "accountExpires" attribute. samba-tool user enable/disable's behavior is odd. disable appears to add 2 to the current value and enable subtracts 2 from the updated value (only if it's been disabled). Like this:

Running the following on my account, in this order:

initial = 512
enable = 512
disable = 514
disable = 514
enable = 512
enable = 512

If I manually set this value to 516 (don't know if that's valid) and run disable, it gets set to 518.

The account that is set to 528 gets set to 530 when I disable. Enable sets it back to 528.

On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance < [email protected]> wrote:

> You should be able to use samba-tool user enable Testuser2 or possibly
> samba-tool user setexpiry (add a --help for more info on how to use it).
>
> Good luck,
> Ricky
>
>
> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <[email protected]> wrote:
>
>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <[email protected]>
>> wrote:
>>
>> > I have come across a few accounts (out of 300+) that seem to be locked
>> > that will not unlock. These accounts were migrated from S3. Can someone
>> > advise - what am I missing here?
>> >
>> > I've reset the password several times via RSAT, checking the "Unlock
>> > Account" checkbox, which has not helped. Resetting the user's password via
>> > smbpasswd gives me:
>> >
>> > pdb_try_account_unlock: Account dmscott administratively locked out with
>> > no bad password time. Leaving locked out.
>> >
>> > When attempting to login to WinXP, Windows states the account is locked
>> > out and log.samba shows:
>> >
>> > Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
>> > arcfour-hmac-md5
>> > [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
>> > authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
>> > [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
>> > authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
>> >
>> > Here is an ldapsearch output. I'm not seeing where/why this account is
>> > locked.
>> >
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>> > # filter: sAMAccountName=dmscott
>> > # requesting: ALL
>> > #
>> >
>> > # Duser M. Scott, Users, internal.domain.com
>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> > instanceType: 4
>> > whenCreated: 20121229150147.0Z
>> > uSNCreated: 4317
>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>> > badPwdCount: 0
>> > codePage: 0
>> > countryCode: 0
>> > badPasswordTime: 0
>> > lastLogoff: 0
>> > lastLogon: 0
>> > primaryGroupID: 513
>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>> > logonCount: 0
>> > sAMAccountName: dmscott
>> > sAMAccountType: 805306368
>> > objectCategory:
>> > CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
>> > =com
>> > logonHours:: ////////////////////////////
>> > uidNumber: 1436
>> > objectClass: top
>> > objectClass: posixAccount
>> > objectClass: person
>> > objectClass: organizationalPerson
>> > objectClass: user
>> > unixHomeDirectory: /home/dmscott
>> > gidNumber: 513
>> > msSFU30NisDomain: domain
>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>> > mail: [email protected]
>> > userPrincipalName: [email protected]
>> > givenName: Duser
>> > initials: M
>> > sn: Scott
>> > displayName: Duser M. Scott
>> > cn: Duser M. Scott
>> > name: Duser M. Scott
>> > scriptPath: GCS.cmd
>> > lockoutTime: 0
>> > loginShell: /bin/bash
>> > msDS-SupportedEncryptionTypes: 0
>> > userAccountControl: 528
>> > accountExpires: 0
>> > pwdLastSet: 130050989060000000
>> > userParameters:
>> > IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>> > AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>> > BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>> > YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>> > HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
>> > whenChanged: 20130211233014.0Z
>> > uSNChanged: 8816
>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> >
>> > # search result
>> > search: 2
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>> >
>>
>> It seems that the problem for this user is the userAccountControl attribute
>> having a value of 528 locks the account. Changing it to 512 (what most
>> users are set to) unlocks the account. Is there any way to do this without
>> directly modifying the LDAP entry?
>>
>
> --
>

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
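
Added example, not part of the original message and not Samba's own code: a decoder for the userAccountControl values reported in this thread, using Microsoft's documented flag bits. The disable/enable helpers only model the behaviour the message describes (the value changing by 2), and all function names are hypothetical.

```python
# Added example: decode the userAccountControl values quoted in the thread.
# Bit values and names are Microsoft's documented UF_* flags (partial table).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def decode_uac(value):
    """Return (flag names in ascending bit order, bits not in UAC_FLAGS)."""
    names, unknown = [], 0
    bit = 1
    while bit <= value:
        if value & bit:
            if bit in UAC_FLAGS:
                names.append(UAC_FLAGS[bit])
            else:
                unknown |= bit      # e.g. the 0x4 bit in the hand-set 516
        bit <<= 1
    return names, unknown

def disable(value):     # models the observed "disable adds 2", applied once
    return value | 0x0002

def enable(value):      # models the observed "enable subtracts 2 if disabled"
    return value & ~0x0002

def without_lockout(value):
    """Clear only the LOCKOUT bit and preserve every other flag."""
    return value & ~0x0010

if __name__ == "__main__":
    for v in (512, 514, 516, 518, 528, 530):    # values reported in the message
        names, unknown = decode_uac(v)
        extra = f" + bits not in table {unknown:#x}" if unknown else ""
        print(f"{v:>3} = {v:#06x}: {' | '.join(names)}{extra}")
    print("enable(528) ->", enable(528), "(LOCKOUT bit untouched)")
    print("without_lockout(528) ->", without_lockout(528))
```

Read this way, 528 is NORMAL_ACCOUNT (512) plus the LOCKOUT bit (16), and a toggle of the ACCOUNTDISABLE bit (2) never touches it, which matches the 528/530 behaviour reported above.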
