Re: [Samba] Accounts are getting dsiabled
On Mon, 2004-07-05 at 06:56, Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, 3 Jul 2004, Tilo Lutz wrote: None of my acounts in ldap have set sambaPwdLastSet, even those acounts which became disabled. If I have understand you right, samba should not disable account if the attribute sambaPwdLastSet is not defined in ldap? If the attribute is not defined smbd gives it an implicit value of 0. If that's what caused the issue, then there is a bug (which I'm happy to look into and fix). /* only reset a password if the last set time has been explicitly been set to zero. A default last set time is ignored */ if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT) (pdb_get_pass_last_set_time(pass) == 0) ) { The intention of the logic was that if the value was undefined in LDAP, the flags would be set to PDB_DEFAULT and it would not be treated as 'defined as zero' for this test. Andrew Bartlett signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Accounts are getting dsiabled
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew Bartlett wrote: | If that's what caused the issue, then there is a bug | (which I'm happy to look into and fix). | The intention of the logic was that if the value was | undefined in LDAP, the flags would be set to PDB_DEFAULT and it | would not be treated as 'defined as zero' for this test. I'll eat crow but that means you get tagged to track down the real root cause then :-) cheers, jerry - -- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc ...a hundred billion castaways looking for a home. --- Sting -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFA6K5fIR7qMdg1EfYRAlIOAJwJREDDz95Sx8HpzohgnuAcFscs7wCgw3wL oEA+vpv5dsX+ImK+IIrDvHU= =hkrl -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Accounts are getting dsiabled
Hi TL I have a problem with samba 3.0.5pre1. TL Many of my users are disabled by samba TL and I can't find the reason why. Hmm, not shure, did you look at the eventlog from your win box ?? i had something alike, (before 304) and the win log showed that the password change was corrupt (was a bug before 304).. The problem is still there with samba 3.0.5pre1. Samba disbales some accounts by setting the AcctFlag to D. It is also _deleting_ sambaNTPassword and sambaLMPassword in my ldap database!. in log.smbd (loglevel 2) I can only find some messages the password of the disbaled users are wrong, not the password is disabled. I can't find any messages why samba has disbaled the accounts itself. Any idea how I can track the problem? Tilo -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Accounts are getting dsiabled
On Sat, 2004-07-03 at 18:15, Tilo Lutz wrote: Hi TL I have a problem with samba 3.0.5pre1. TL Many of my users are disabled by samba TL and I can't find the reason why. Hmm, not shure, did you look at the eventlog from your win box ?? i had something alike, (before 304) and the win log showed that the password change was corrupt (was a bug before 304).. The problem is still there with samba 3.0.5pre1. Samba disbales some accounts by setting the AcctFlag to D. It is also _deleting_ sambaNTPassword and sambaLMPassword in my ldap database!. in log.smbd (loglevel 2) I can only find some messages the password of the disbaled users are wrong, not the password is disabled. I can't find any messages why samba has disbaled the accounts itself. This is by design. As per the Samba 3.0.2a release notes: *** Attention! Achtung! Kree! * Beginning with Samba 3.0.2, passwords for accounts with a last change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in ldapsam, etc...) of zero (0) will be regarded as uninitialized strings. This will cause authentication to fail for such accounts. If you have valid passwords that meet this criteria, you must update the last change time to a non-zero value. If you do not, then 'pdbedit --force-initialized-passwords' will disable these accounts and reset the password hashes to a string of X's. *** Attention! Achtung! Kree! * So, either remove the 'last set time' from the record, or make it accurate. (Your users did not last set their password in 1970). Andrew Bartlett signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Accounts are getting dsiabled
Hi TL I have a problem with samba 3.0.5pre1. TL Many of my users are disabled by samba TL and I can't find the reason why. Hmm, not shure, did you look at the eventlog from your win box ?? i had something alike, (before 304) and the win log showed that the password change was corrupt (was a bug before 304).. On Sat, 2004-07-03 at 18:15, Tilo Lutz wrote: The problem is still there with samba 3.0.5pre1. Samba disbales some accounts by setting the AcctFlag to D. It is also _deleting_ sambaNTPassword and sambaLMPassword in my ldap database!. in log.smbd (loglevel 2) I can only find some messages the password of the disbaled users are wrong, not the password is disabled. I can't find any messages why samba has disbaled the accounts itself. Andrew Bartlett wrote: This is by design. As per the Samba 3.0.2a release notes: *** Attention! Achtung! Kree! * Beginning with Samba 3.0.2, passwords for accounts with a last change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in ldapsam, etc...) of zero (0) will be regarded as uninitialized strings. This will cause authentication to fail for such accounts. If you have valid passwords that meet this criteria, you must update the last change time to a non-zero value. If you do not, then 'pdbedit --force-initialized-passwords' will disable these accounts and reset the password hashes to a string of X's. *** Attention! Achtung! Kree! * So, either remove the 'last set time' from the record, or make it accurate. (Your users did not last set their password in 1970). None of my acounts in ldap have set sambaPwdLastSet, even those acounts which became disabled. If I have understand you right, samba should not disable account if the attribute sambaPwdLastSet is not defined in ldap? Tilo -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Accounts are getting dsiabled
Hmm, not shure, did you look at the eventlog from your win box ?? i had something alike, (before 304) and the win log showed that the password change was corrupt (was a bug before 304).. there might be some debug info there.. for the rest, i dunno.. - Collen Blijenberg (Montessori Lyceum Herman Jordan) Tuesday, June 29, 2004, 10:10:56 AM, you wrote: TL Hi TL I have a problem with samba 3.0.5pre1. TL Many of my users are disabled by samba TL and I can't find the reason why. TL Here is an example of an user disbled by samba: TL Unix username:christ TL NT username: christ TL Account Flags:[DU ] TL User SID: TL S-1-5-21-3371203057-3264423045-2392767973-4030 TL Primary Group SID: TL S-1-5-21-3371203057-3264423045-2392767973-1213 TL Full Name:Lehrer Karlo Christ TL Home Directory: \{}\{}wilma2\{}christ\{}profile TL HomeDir Drive:Z: TL Logon Script: 0.0.0.0.bat TL Profile Path: \\WILMA2\profile TL Domain: WMS-NET TL Account desc: TL Workstations: TL Munged dial: TL Logon time: 0 TL Logoff time: Fre, 13 Dez 1901 21:45:51 GMT TL Kickoff time: Fre, 13 Dez 1901 21:45:51 GMT TL Password last set:Mit, 16 Jun 2004 14:31:37 GMT TL Password can change: Mit, 01 Jan 2003 00:00:01 GMT TL Password must change: Fre, 15 Jan 2027 00:00:09 GMT TL Last bad password : 0 TL Bad password count : 0 TL In log-files I can only find a massage the account is disabled when the TL user tries to login. (LogLevel 2). TL I also found two messages with a wrong password before. TL Can anybody help my why samba is disabling many of my users? TL Regards, Tilo -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba