On Tue, Feb 12, 2013 at 11:30 AM, Thomas Simmons <twsn...@gmail.com> wrote:
> The way I understand it, 512 is "normal account" (my account is set to
> this and is fine). 16 is "locked out". 512+16=528, so 528 is a normal
> account that is locked out. 2 is "disabled" and if I disable my account,
> it adds 2 (514). The real problem is that I cannot find a way to change
> this back to 512 without manually altering the value in LDAP. I believe
> this may be a bug - there should be some way to do this via RSAT or
> samba-tool (preferably both). I just ran an ldapsearch and see I have 4
> accounts out of ~300 that have this attribute set to 528 - possibly
> something left over from S3 or the migration process? I also had a few
> accounts with values other than 512. A few were 6XXXXX - which appears to
> be correct as these accounts are set to "never expire". In any event, thank
> you.
>
> On Tue, Feb 12, 2013 at 11:16 AM, Michael Wood <esiot...@gmail.com> wrote:
>> Hi
>>
>> On 12 February 2013 16:03, Thomas Simmons <twsn...@gmail.com> wrote:
>>> Hello Ricky,
>>>
>>> These do not seem to work. samba-tool user setexpiry alters the
>>> "accountExpires" attribute. samba-tool user enable/disable's behavior is
>>> odd. disable appears to add 2 to the current value and enable subtracts 2
>>> from the updated value (only if it's been disabled). Like this:
>>>
>>> Running the following on my account, in this order:
>>> initial = 512
>>> enable = 512
>>> disable = 514
>>> disable = 514
>>> enable = 512
>>> enable = 512
>>>
>>> If I manually set this value to 516 (don't know if that's valid) and run
>>> disable, it gets set to 518.
>>>
>>> The account that is set to 528 gets set to 530 when I disable. Enable sets
>>> it back to 528.
>>
>> I'm sure it's a bitmask and disable/enable just set/clear the second bit:
>>
>> 512 = 0000001000000000
>> 514 = 0000001000000010
>> 516 = 0000001000000100
>> 518 = 0000001000000110
>> 528 = 0000001000010000
>> 530 = 0000001000010010
>>
>> So you have the 5th bit set. I don't know what that means, but
>> clearly that's the problem.
>>
>> A google search for "userAccountControl bitmask" turns up this:
>>
>> http://support.microsoft.com/kb/305144
>>
>> which says that bit means PASSWD_NOTREQD. (The other one is
>> NORMAL_ACCOUNT).
>>
>> I'm not sure why that should cause a problem though.
>>
>>> On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <ricky.na...@weaubleau.k12.mo.us> wrote:
>>>> You should be able to use samba-tool user enable Testuser2 or possibly
>>>> samba-tool user setexpiry (add a --help for more info on how to use it).
>>>>
>>>> Good luck,
>>>> Ricky
>>>>
>>>> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsn...@gmail.com> wrote:
>>>>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsn...@gmail.com> wrote:
>>>>>> I have come across a few accounts (out of 300+) that seem to be locked
>>>>>> that will not unlock. These accounts were migrated from S3. Can someone
>>>>>> advise - what am I missing here?
>>>>>>
>>>>>> I've reset the password several times via RSAT, checking the "Unlock
>>>>>> Account" checkbox, which has not helped. Resetting the user's password via
>>>>>> smbpasswd gives me:
>>>>>>
>>>>>> pdb_try_account_unlock: Account dmscott administratively locked out with
>>>>>> no bad password time. Leaving locked out.
>>>>>>
>>>>>> When attempting to login to WinXP, Windows states the account is locked
>>>>>> out and log.samba shows:
>>>>>>
>>>>>> Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
>>>>>> arcfour-hmac-md5
>>>>>> [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
>>>>>> authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
>>>>>> [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
>>>>>> authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
>>>>>>
>>>>>> Here is an ldapsearch output. I'm not seeing where/why this account is
>>>>>> locked.
>>>>>>
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>>>>>> # filter: sAMAccountName=dmscott
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # Duser M. Scott, Users, internal.domain.com
>>>>>> dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>>>>>> instanceType: 4
>>>>>> whenCreated: 20121229150147.0Z
>>>>>> uSNCreated: 4317
>>>>>> objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>>>>>> badPwdCount: 0
>>>>>> codePage: 0
>>>>>> countryCode: 0
>>>>>> badPasswordTime: 0
>>>>>> lastLogoff: 0
>>>>>> lastLogon: 0
>>>>>> primaryGroupID: 513
>>>>>> objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>>>>>> logonCount: 0
>>>>>> sAMAccountName: dmscott
>>>>>> sAMAccountType: 805306368
>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
>>>>>> logonHours:: ////////////////////////////
>>>>>> uidNumber: 1436
>>>>>> objectClass: top
>>>>>> objectClass: posixAccount
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> unixHomeDirectory: /home/dmscott
>>>>>> gidNumber: 513
>>>>>> msSFU30NisDomain: domain
>>>>>> memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>>>>>> mail: duser.m.sc...@domain.com
>>>>>> userPrincipalName: dmsc...@internal.domain.com
>>>>>> givenName: Duser
>>>>>> initials: M
>>>>>> sn: Scott
>>>>>> displayName: Duser M. Scott
>>>>>> cn: Duser M. Scott
>>>>>> name: Duser M. Scott
>>>>>> scriptPath: GCS.cmd
>>>>>> lockoutTime: 0
>>>>>> loginShell: /bin/bash
>>>>>> msDS-SupportedEncryptionTypes: 0
>>>>>> userAccountControl: 528
>>>>>> accountExpires: 0
>>>>>> pwdLastSet: 130050989060000000
>>>>>> userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>>>>>>  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>>>>>>  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>>>>>>  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>>>>>>  HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
>>>>>> whenChanged: 20130211233014.0Z
>>>>>> uSNChanged: 8816
>>>>>> distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> # numResponses: 2
>>>>>> # numEntries: 1
>>>>>
>>>>> It seems that the problem for this user is the userAccountControl attribute
>>>>> having a value of 528 locks the account. Changing it to 512 (what most
>>>>> users are set to) unlocks the account. Is there any way to do this without
>>>>> directly modifying the LDAP entry?
>>
>> --
>> Michael Wood <esiot...@gmail.com>
>

I figured out a way to correct this via RSAT, though I still think there is
a problem - I'm sure checking "Unlock Account" should, well, unlock the
account. Anyhow, in RSAT, if you select "View" > "Advanced Features", you
will get an "Attribute Editor" tab in each user's properties. You can then
alter the userAccountControl attribute. It even shows 528 as (LOCKOUT |
NORMAL_ACCOUNT).

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
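The thread works out the userAccountControl arithmetic by hand (512, 514, 528, 530, the "6XXXXX" values) and audits 300 accounts by eyeballing ldapsearch output. The following Python is an added example, not code from the thread or from Samba: it decodes a value into its flag names using the bit assignments from MS-ADTS / KB305144 (so 528 decodes to LOCKOUT | NORMAL_ACCOUNT, which is what the RSAT Attribute Editor displayed), models enable/disable/unlock as set-and-clear of single bits (idempotent, matching the observed 512/514/514/512 sequence), builds an LDAP filter that finds every account with a given bit set via the AD bitwise-AND extensible match (OID 1.2.840.113556.1.4.803, implemented by Samba's AD DC) instead of guessing numeric combinations, and emits an LDIF modify for ldbmodify/ldapmodify that clears only the one bit. The sample LDIF embedded in it is constructed for the example and only mirrors the shape of the thread's ldapsearch output.

```python
"""userAccountControl decode/repair helpers (added example, not Samba code)."""
import re

# Flag bits from MS-ADTS 2.2.16 / Microsoft KB305144.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND extensible match


def decode(value):
    """Flag names set in a userAccountControl value, lowest bit first.
    Unknown bits are reported rather than silently dropped."""
    return [UAC_FLAGS.get(1 << i, "UNKNOWN_0x%08X" % (1 << i))
            for i in range(32) if value & (1 << i)]


def set_flag(value, name):
    return value | NAME_TO_BIT[name]


def clear_flag(value, name):
    return value & ~NAME_TO_BIT[name]


# The enable/disable pair models what the thread observed from samba-tool:
# a set/clear of bit 0x2, so repeating either operation is a no-op.
def disable(value):
    return set_flag(value, "ACCOUNTDISABLE")


def enable(value):
    return clear_flag(value, "ACCOUNTDISABLE")


def unlock(value):
    return clear_flag(value, "LOCKOUT")


def bitwise_filter(name):
    """LDAP filter matching every user object with the named bit set."""
    return "(&(objectClass=user)(userAccountControl:%s:=%d))" % (
        LDAP_MATCHING_RULE_BIT_AND, NAME_TO_BIT[name])


def find_flagged(ldif_text, name):
    """Scan LDIF (e.g. ldapsearch output) for entries with the named bit set.
    Returns a list of (dn, userAccountControl) tuples."""
    bit = NAME_TO_BIT[name]
    hits = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn = uac = None
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:].strip()
            elif line.startswith("userAccountControl: "):
                uac = int(line.split(":", 1)[1])
        if dn is not None and uac is not None and uac & bit:
            hits.append((dn, uac))
    return hits


def fix_ldif(dn, current, name):
    """LDIF for ldbmodify/ldapmodify that clears one bit and leaves the rest intact."""
    return ("dn: %s\nchangetype: modify\nreplace: userAccountControl\n"
            "userAccountControl: %d\n" % (dn, clear_flag(current, name)))


# Constructed sample, shaped like the thread's ldapsearch output (not real data).
SAMPLE_LDIF = """\
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
userAccountControl: 528

dn: CN=Other User,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: other
userAccountControl: 66048
"""

if __name__ == "__main__":
    for v in (512, 514, 516, 518, 528, 530, 66048):
        print("%6d = %s" % (v, " | ".join(decode(v))))
    print(bitwise_filter("LOCKOUT"))
    for dn, uac in find_flagged(SAMPLE_LDIF, "LOCKOUT"):
        print(fix_ldif(dn, uac, "LOCKOUT"))
```

Clearing only the one bit matters: replacing the whole attribute with 512 would also strip DONT_EXPIRE_PASSWORD (the "6XXXXX" accounts) or any other legitimately set flag, and a mass "set everything to 512" pass is how accounts quietly gain expiring passwords or lose delegation settings.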