[Samba] Accounts are getting dsiabled

[Tilo Lutz]

Hi

> > > TL> I have a problem with samba 3.0.5pre1.
> > > TL> Many of my users are disabled by samba
> > > TL> and I can't find the reason why.
> > > Hmm, not shure, did you look at the eventlog from your win box ??
> > > i had something alike, (before 304) and the win log showed that
> > > the password change was corrupt (was a bug before 304)..

> On Sat, 2004-07-03 at 18:15, Tilo Lutz wrote:
> > The problem is still there with samba 3.0.5pre1.
> > Samba disbales some accounts by setting the AcctFlag to "D".
> > It is also _deleting_ sambaNTPassword and sambaLMPassword in
> > my ldap database!.
> > in log.smbd (loglevel 2) I can only find some messages the
> > password of the disbaled users are wrong, not the password
> > is disabled.
> > I can't find any messages why samba has disbaled the accounts
> > itself.

Andrew Bartlett wrote:
> This is by design.  As per the Samba 3.0.2a release notes:
> 
> ******************* Attention! Achtung! Kree! *********************
> 
> Beginning with Samba 3.0.2, passwords for accounts with a last 
> change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
> ldapsam, etc...) of zero (0) will be regarded as uninitialized 
> strings.  This will cause authentication to fail for such
> accounts.  If you have valid passwords that meet this criteria, 
> you must update the last change time to a non-zero value.  If you 
> do not, then  'pdbedit --force-initialized-passwords' will disable 
> these accounts and reset the password hashes to a string of X's.
> 
> ******************* Attention! Achtung! Kree! *********************
> 
> So, either remove the 'last set time' from the record, or make it
> accurate.  (Your users did not last set their password in 1970).

None of my acounts in ldap have set sambaPwdLastSet, even those
acounts which became disabled. If I have understand you right,
samba should not disable account if the attribute sambaPwdLastSet
is not defined in ldap?

Tilo