The way I understand it, 512 is "normal account" (my account is set to this and is fine). 16 is "locked out". 512+16=528, so 528 is a normal account, that is locked out. 2 is "disabled" and if I disable my account, it adds 2 (514). The real problem is that I cannot find a way to change this back to 512 without manually altering the value in LDAP. I believe this may be a bug - there should be some way to do this via RSAT or samba-tool (preferably both). I just ran an ldapsearch and see I have 4 accounts out of ~300 that have this attribute set to 528 - possibly something left over from S3 or the migration process? I also had a few accounts with values other than 512. A few were 6XXXXX - which appears to be correct as these accounts are set to "never expire". In any event, thank you.
On Tue, Feb 12, 2013 at 11:16 AM, Michael Wood <[email protected]> wrote:

> Hi
>
> On 12 February 2013 16:03, Thomas Simmons <[email protected]> wrote:
> > Hello Ricky,
> >
> > These do not seem to work. samba-tool user setexpiry alters the
> > "accountExpires" attribute. samba-tool user enable/disable's behavior is
> > odd. disable appears to add 2 to the current value and enable subtracts 2
> > from the updated value (only if it's been disabled). Like this:
> >
> > Running the following on my account, in this order:
> > initial = 512
> > enable = 512
> > disable = 514
> > disable = 514
> > enable = 512
> > enable = 512
> >
> > If I manually set this value to 516 (don't know if that's valid) and run
> > disable, it gets set to 518.
> >
> > The account that is set to 528 gets set to 530 when I disable. Enable sets
> > it back to 528.
>
> I'm sure it's a bitmask and disable/enable just set/clear the second bit:
>
> 512 = 0000001000000000
> 514 = 0000001000000010
> 516 = 0000001000000100
> 518 = 0000001000000110
> 528 = 0000001000010000
> 530 = 0000001000010010
>
> So you have the 5th bit set. I don't know what that means, but
> clearly that's the problem.
>
> A google search for "userAccountControl bitmask" turns up this:
>
> http://support.microsoft.com/kb/305144
>
> which says that bit means PASSWD_NOTREQD. (The other one is
> NORMAL_ACCOUNT).
>
> I'm not sure why that should cause a problem though.
>
> > On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <[email protected]> wrote:
> >
> >> You should be able to use samba-tool user enable Testuser2 or possibly
> >> samba-tool user setexpiry (add a --help for more info on how to use it).
> >>
> >> Good luck,
> >> Ricky
> >>
> >>
> >> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <[email protected]> wrote:
> >>
> >>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <[email protected]> wrote:
> >>>
> >>> > I have come across a few accounts (out of 300+) that seem to be locked
> >>> > that will not unlock. These accounts were migrated from S3. Can someone
> >>> > advise - what am I missing here?
> >>> >
> >>> > I've reset the password several times via RSAT, checking the "Unlock
> >>> > Account" checkbox, which has not helped. Resetting the user's password
> >>> > via smbpasswd gives me:
> >>> >
> >>> > pdb_try_account_unlock: Account dmscott administratively locked out with
> >>> > no bad password time. Leaving locked out.
> >>> >
> >>> > When attempting to login to WinXP, Windows states the account is locked
> >>> > out and log.samba shows:
> >>> >
> >>> > Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
> >>> > arcfour-hmac-md5
> >>> > [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
> >>> > authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
> >>> > [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
> >>> > authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
> >>> >
> >>> > Here is an ldapsearch output. I'm not seeing where/why this account is
> >>> > locked.
> >>> >
> >>> > # extended LDIF
> >>> > #
> >>> > # LDAPv3
> >>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
> >>> > # filter: sAMAccountName=dmscott
> >>> > # requesting: ALL
> >>> > #
> >>> >
> >>> > # Duser M. Scott, Users, internal.domain.com
> >>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> >>> > instanceType: 4
> >>> > whenCreated: 20121229150147.0Z
> >>> > uSNCreated: 4317
> >>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
> >>> > badPwdCount: 0
> >>> > codePage: 0
> >>> > countryCode: 0
> >>> > badPasswordTime: 0
> >>> > lastLogoff: 0
> >>> > lastLogon: 0
> >>> > primaryGroupID: 513
> >>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
> >>> > logonCount: 0
> >>> > sAMAccountName: dmscott
> >>> > sAMAccountType: 805306368
> >>> > objectCategory:
> >>> >  CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
> >>> >  =com
> >>> > logonHours:: ////////////////////////////
> >>> > uidNumber: 1436
> >>> > objectClass: top
> >>> > objectClass: posixAccount
> >>> > objectClass: person
> >>> > objectClass: organizationalPerson
> >>> > objectClass: user
> >>> > unixHomeDirectory: /home/dmscott
> >>> > gidNumber: 513
> >>> > msSFU30NisDomain: domain
> >>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
> >>> > mail: [email protected]
> >>> > userPrincipalName: [email protected]
> >>> > givenName: Duser
> >>> > initials: M
> >>> > sn: Scott
> >>> > displayName: Duser M. Scott
> >>> > cn: Duser M. Scott
> >>> > name: Duser M. Scott
> >>> > scriptPath: GCS.cmd
> >>> > lockoutTime: 0
> >>> > loginShell: /bin/bash
> >>> > msDS-SupportedEncryptionTypes: 0
> >>> > userAccountControl: 528
> >>> > accountExpires: 0
> >>> > pwdLastSet: 130050989060000000
> >>> > userParameters:
> >>> >  IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
> >>> >  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
> >>> >  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
> >>> >  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
> >>> >  HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
> >>> > whenChanged: 20130211233014.0Z
> >>> > uSNChanged: 8816
> >>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> >>> >
> >>> > # search result
> >>> > search: 2
> >>> > result: 0 Success
> >>> >
> >>> > # numResponses: 2
> >>> > # numEntries: 1
> >>> >
> >>>
> >>> It seems that the problem for this user is the userAccountControl attribute
> >>> having a value of 528 locks the account. Changing it to 512 (what most
> >>> users are set to) unlocks the account. Is there any way to do this without
> >>> directly modifying the LDAP entry?
> >>>
> >>
> >> --
> >> Ricky
> >
>
> --
> Michael Wood <[email protected]>
> --
> To unsubscribe from this list go to the following URL and read the instructions:
> https://lists.samba.org/mailman/options/samba
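The bitmask arithmetic the thread works through by hand, as an added example. This is not code from the Samba project or from any of the posters; the flag names and bit values are the documented ones from the KB305144 page Michael links (and MS-ADTS), while the helper names, the minimal LDIF reader and the sample ldapsearch output are this example's own (dmscott's values are the ones quoted above, the other two accounts are constructed). Decoding 528 with that table gives NORMAL_ACCOUNT (0x200) plus LOCKOUT (0x10); PASSWD_NOTREQD is the next bit up, 0x20, which is why the account reads as locked rather than as "no password required". A "never expires" account usually carries 512 + 65536 (DONT_EXPIRE_PASSWORD) = 66048.

```python
"""Decode, audit and edit Active Directory userAccountControl values.

Added example for this thread; not code from the Samba project or the
thread's authors.  Flag bits follow Microsoft KB305144 / MS-ADTS.  The
function names, the LDIF reader and SAMPLE_LDIF are this example's own.
"""
from __future__ import annotations

# userAccountControl flag bits as documented in KB305144 (UF_* / ADS_UF_*).
UAC_FLAGS = {
    "SCRIPT": 0x00000001,
    "ACCOUNTDISABLE": 0x00000002,
    "HOMEDIR_REQUIRED": 0x00000008,
    "LOCKOUT": 0x00000010,
    "PASSWD_NOTREQD": 0x00000020,
    "PASSWD_CANT_CHANGE": 0x00000040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x00000080,
    "TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "NORMAL_ACCOUNT": 0x00000200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "SERVER_TRUST_ACCOUNT": 0x00002000,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "MNS_LOGON_ACCOUNT": 0x00020000,
    "SMARTCARD_REQUIRED": 0x00040000,
    "TRUSTED_FOR_DELEGATION": 0x00080000,
    "NOT_DELEGATED": 0x00100000,
    "USE_DES_KEY_ONLY": 0x00200000,
    "DONT_REQ_PREAUTH": 0x00400000,
    "PASSWORD_EXPIRED": 0x00800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x01000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}
_KNOWN_BITS = 0
for _bit in UAC_FLAGS.values():
    _KNOWN_BITS |= _bit


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in `value`, lowest bit first; undocumented bits are reported."""
    names = [name for name, bit in UAC_FLAGS.items() if value & bit]
    unknown = value & ~_KNOWN_BITS
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def set_flag(value: int, name: str) -> int:
    """What `samba-tool user disable` was observed to do: OR in one bit."""
    return value | UAC_FLAGS[name]


def clear_flag(value: int, name: str) -> int:
    """Clear one bit and leave every other bit alone."""
    return value & ~UAC_FLAGS[name]


def parse_ldif_entries(text: str) -> list[dict[str, str]]:
    """Minimal LDIF reader for ldapsearch output: skips '#' comments, folds
    continuation lines (leading space), splits entries on blank lines.
    Only the first value of a multi-valued attribute is kept."""
    entries: list[dict[str, str]] = []
    current: dict[str, str] = {}
    prev_key: str | None = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, prev_key = {}, None
            continue
        if raw.startswith(" ") and prev_key is not None:
            current[prev_key] += raw[1:]
            continue
        key, _, val = raw.partition(":")
        if val.startswith(":"):  # "::" marks a base64 value; text kept as-is
            val = val[1:]
        key = key.strip()
        current.setdefault(key, val.lstrip(" "))
        prev_key = key
    if current:
        entries.append(current)
    return entries


def find_locked(ldif_text: str) -> list[tuple[str, int, list[str]]]:
    """(sAMAccountName, userAccountControl, flags) for every entry with LOCKOUT set."""
    hits = []
    for entry in parse_ldif_entries(ldif_text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UAC_FLAGS["LOCKOUT"]:
            hits.append((entry.get("sAMAccountName", "?"), uac, decode_uac(uac)))
    return hits


def unlock_ldif(dn: str, current_uac: int) -> str:
    """LDIF modify record (for ldapmodify) that clears only the LOCKOUT bit."""
    new_uac = clear_flag(current_uac, "LOCKOUT")
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {new_uac}\n")


# Constructed ldapsearch output: dmscott's DN and values are the ones quoted in
# the thread; nuser and svcacct are invented to show a clean 512 and a
# "password never expires" account (512 + 65536).
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
lockoutTime: 0
userAccountControl: 528

dn: CN=Normal User,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: nuser
userAccountControl: 512

dn: CN=Service Acct,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: svcacct
userAccountControl: 66048
"""

if __name__ == "__main__":
    for name, uac, flags in find_locked(SAMPLE_LDIF):
        print(f"{name}: {uac} = {' | '.join(flags)}")
    # disable/enable as observed in the thread: 528 -> 530 -> 528
    print(set_flag(528, "ACCOUNTDISABLE"), clear_flag(530, "ACCOUNTDISABLE"))
    print(unlock_ldif("CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com", 528))
```

Running it over real output (`ldapsearch ... '(objectClass=user)' sAMAccountName userAccountControl | python3 uac.py`, adapting the `__main__` block to read stdin) is the quick way to find the four 528 accounts among ~300 without eyeballing the LDIF. One caveat for anyone applying `unlock_ldif` on a different directory: on a Windows DC the lockout state is kept in lockoutTime and the LOCKOUT bit is derived from it, so writing the bit through userAccountControl is ignored there; the log quoted above (lockoutTime 0, yet "Account ... was locked out") shows the Samba 4 build in this thread honouring the stored bit itself, which is why the RSAT "Unlock Account" checkbox, which clears lockoutTime, changed nothing.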
