Hi

On 12 February 2013 16:03, Thomas Simmons <[email protected]> wrote:
> Hello Ricky,
>
> These do not seem to work. samba-tool user setexpiry alters the
> "accountExpires" attribute. samba-tool user enable/disable's behavior is
> odd. disable appears to add 2 to the current value and enable subtracts 2
> from the updated value (only if it's been disabled). Like this:
>
> Running the following on my account, in this order:
> initial = 512
> enable = 512
> disable = 514
> disable = 514
> enable = 512
> enable = 512
>
> If I manually set this value to 516 (don't know if that's valid) and run
> disable, it gets set to 518.
>
> The account that is set to 528 gets set to 530 when I disable. Enable sets
> it back to 528.

I'm sure it's a bitmask and disable/enable just set/clear the second bit:

512 = 0000001000000000
514 = 0000001000000010
516 = 0000001000000100
518 = 0000001000000110
528 = 0000001000010000
530 = 0000001000010010

So you have the 5th bit set. I don't know what that means, but clearly
that's the problem.

A google search for "userAccountControl bitmask" turns up this:
http://support.microsoft.com/kb/305144

which says that bit means PASSWD_NOTREQD. (The other one is NORMAL_ACCOUNT).
I'm not sure why that should cause a problem though.

> On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <
> [email protected]> wrote:
>
>> You should be able to use samba-tool user enable Testuser2 or possibly
>> samba-tool user setexpiry (add a --help for more info on how to use it).
>>
>> Good luck,
>> Ricky
>>
>>
>> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <[email protected]> wrote:
>>
>>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <[email protected]>
>>> wrote:
>>>
>>> > I have come across a few accounts (out of 300+) that seem to be locked
>>> > that will not unlock. These accounts were migrated from S3. Can someone
>>> > advise - what am I missing here?
>>> >
>>> > I've reset the password several times via RSAT, checking the "Unlock
>>> > Account" checkbox, which has not helped. Resetting the user's password via
>>> > smbpasswd gives me:
>>> >
>>> > pdb_try_account_unlock: Account dmscott administratively locked out with
>>> > no bad password time. Leaving locked out.
>>> >
>>> > When attempting to login to WinXP, Windows states the account is locked
>>> > out and log.samba shows:
>>> >
>>> > Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
>>> > arcfour-hmac-md5
>>> > [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
>>> > authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
>>> > [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
>>> > authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
>>> >
>>> > Here is an ldapsearch output. I'm not seeing where/why this account is
>>> > locked.
>>> >
>>> > # extended LDIF
>>> > #
>>> > # LDAPv3
>>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>>> > # filter: sAMAccountName=dmscott
>>> > # requesting: ALL
>>> > #
>>> >
>>> > # Duser M. Scott, Users, internal.domain.com
>>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>>> > instanceType: 4
>>> > whenCreated: 20121229150147.0Z
>>> > uSNCreated: 4317
>>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>>> > badPwdCount: 0
>>> > codePage: 0
>>> > countryCode: 0
>>> > badPasswordTime: 0
>>> > lastLogoff: 0
>>> > lastLogon: 0
>>> > primaryGroupID: 513
>>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>>> > logonCount: 0
>>> > sAMAccountName: dmscott
>>> > sAMAccountType: 805306368
>>> > objectCategory:
>>> > CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
>>> > =com
>>> > logonHours:: ////////////////////////////
>>> > uidNumber: 1436
>>> > objectClass: top
>>> > objectClass: posixAccount
>>> > objectClass: person
>>> > objectClass: organizationalPerson
>>> > objectClass: user
>>> > unixHomeDirectory: /home/dmscott
>>> > gidNumber: 513
>>> > msSFU30NisDomain: domain
>>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>>> > mail: [email protected]
>>> > userPrincipalName: [email protected]
>>> > givenName: Duser
>>> > initials: M
>>> > sn: Scott
>>> > displayName: Duser M. Scott
>>> > cn: Duser M. Scott
>>> > name: Duser M. Scott
>>> > scriptPath: GCS.cmd
>>> > lockoutTime: 0
>>> > loginShell: /bin/bash
>>> > msDS-SupportedEncryptionTypes: 0
>>> > userAccountControl: 528
>>> > accountExpires: 0
>>> > pwdLastSet: 130050989060000000
>>> > userParameters:
>>> > IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>>> > AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>>> > BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>>> > YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>>> > HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
>>> > whenChanged: 20130211233014.0Z
>>> > uSNChanged: 8816
>>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>>> >
>>> > # search result
>>> > search: 2
>>> > result: 0 Success
>>> >
>>> > # numResponses: 2
>>> > # numEntries: 1
>>> >
>>>
>>> It seems that the problem for this user is the userAccountControl attribute
>>> having a value of 528 locks the account. Changing it to 512 (what most
>>> users are set to) unlocks the account. Is there any way to do this without
>>> directly modifying the LDAP entry?
>>>
>>
>> --
>>

--
Michael Wood <[email protected]>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
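
Decoding the userAccountControl values quoted in this thread against the flag table in KB305144, as an added example that is not part of the original messages. The helper names are hypothetical, and `set_disabled` only models the set/clear of bit 0x2 that the thread observed; it is not samba-tool's code.

```python
# Added example. Flag values are taken from the table in Microsoft KB305144.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def decode(value):
    """Return (flag names in ascending bit order, bits not in the table)."""
    names, unknown = [], 0
    bit = 1
    while bit <= value:
        if value & bit:
            if bit in UAC_FLAGS:
                names.append(UAC_FLAGS[bit])
            else:
                unknown |= bit
        bit <<= 1
    return names, unknown

def set_disabled(value, disabled):
    """Model the behaviour observed in the thread: only bit 0x2 changes."""
    return value | 0x0002 if disabled else value & ~0x0002

def review(value):
    """List the flags an administrator should check when a logon is refused."""
    names, unknown = decode(value)
    watch = ("ACCOUNTDISABLE", "LOCKOUT", "PASSWD_NOTREQD")
    notes = [n for n in names if n in watch]
    if unknown:
        notes.append("undefined bits 0x%x" % unknown)
    return notes

if __name__ == "__main__":
    for v in (512, 514, 516, 518, 528, 530):  # values quoted in the thread
        print(v, format(v, "016b"), decode(v)[0], review(v))
```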
