You should be able to use samba-tool user enable Testuser2 or possibly samba-tool user setexpiry (add a --help for more info on how to use it).
Good luck, Ricky On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <[email protected]> wrote: > On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <[email protected]> wrote: > > > I have come across a few accounts (out of 300+) that seem to be locked > > that will not unlock. These accounts were migrated from S3. Can someone > > advise - what am I missing here? > > > > I've reset the password several times via RSAT, checking the "Unlock > > Account" checkbox, which has not helped. Resetting the user's password > via > > smbpasswd gives me: > > > > pdb_try_account_unlock: Account dmscott administratively locked out with > > no bad password time. Leaving locked out. > > > > When attempting to login to WinXP, Windows states the account is locked > > out and log.samba shows: > > > > Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using > > arcfour-hmac-md5 > > [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok) > > authsam_account_ok: Checking SMB password for user dmscott@DOMAIN > > [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok) > > authsam_account_ok: Account for user dmscott@DOMAIN was locked out. > > > > Here is an ldapsearch output. I'm not seeing where/why this account is > > locked. > > > > # extended LDIF > > # > > # LDAPv3 > > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree > > # filter: sAMAccountName=dmscott > > # requesting: ALL > > # > > > > # Duser M. Scott, Users, internal.domain.com > > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com > > instanceType: 4 > > whenCreated: 20121229150147.0Z > > uSNCreated: 4317 > > objectGUID:: sQU6/um9x0+gN2VOHTpmbw== > > badPwdCount: 0 > > codePage: 0 > > countryCode: 0 > > badPasswordTime: 0 > > lastLogoff: 0 > > lastLogon: 0 > > primaryGroupID: 513 > > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA== > > logonCount: 0 > > sAMAccountName: dmscott > > sAMAccountType: 805306368 > > objectCategory: > > CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC > > =com > > logonHours:: //////////////////////////// > > uidNumber: 1436 > > objectClass: top > > objectClass: posixAccount > > objectClass: person > > objectClass: organizationalPerson > > objectClass: user > > unixHomeDirectory: /home/dmscott > > gidNumber: 513 > > msSFU30NisDomain: domain > > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com > > mail: [email protected] > > userPrincipalName: [email protected] > > givenName: Duser > > initials: M > > sn: Scott > > displayName: Duser M. Scott > > cn: Duser M. Scott > > name: Duser M. Scott > > scriptPath: GCS.cmd > > lockoutTime: 0 > > loginShell: /bin/bash > > msDS-SupportedEncryptionTypes: 0 > > userAccountControl: 528 > > accountExpires: 0 > > pwdLastSet: 130050989060000000 > > userParameters: > > IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC > > > > > AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA > > > > > BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA > > > > > YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A > > HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA= > > whenChanged: 20130211233014.0Z > > uSNChanged: 8816 > > distinguishedName: CN=Duser M. > Scott,CN=Users,DC=internal,DC=domain,DC=com > > > > # search result > > search: 2 > > result: 0 Success > > > > # numResponses: 2 > > # numEntries: 1 > > > > It seems that the problem for this user is the userAccountControl attribute > having a value of 528 locks the account. Changing it to 512 (what most > users are set to) unlocks the account. Is there any way to do this without > directly modifying the LDAP entry? > -- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
