[Samba] Samba accounts disabled

Anthony Hess tonyh at engr.arizona.edu
Thu Jun 16 19:58:11 GMT 2005


Hello,

We have been running Samba 2.2.x/Sun ONE LDAP on a particular machine for
about 3 years now and I recently upgraded it to 3.0.14a with ldapsam
compatibility (I can mess with the directory later if necessary).

Now when users try to connect to the server their accounts get disabled
unless I have specifically enabled them using smbpasswd -e username (which
is kind of tough because I have to enter their passwords at that point).  I'm
not quite sure why it's getting disabled, but I think it may be related to
some 0 values in pwdcanchange, pwdlastset, or a lack of a value in
pwdmustchange (that attribute is not stored in LDAP at all on the accounts
that get locked, or so it appears).  The strange thing is that going in and
setting these values and removing the D in AcctFlags (and adding a trailing
space to keep it the same number of characters) doesn't do me any good.  Is
there something else I'm missing?

Worst case, is there any way I can re-enable these disabled accounts without
having to enter their password?  Once I enable them they stay that way
(which is how I didn't catch this in testing - I had run the -e on my
account a long time ago during some earlier testing).

Here is a pdbedit -Lv of a working account versus a non working one:

WORKS:

Unix username:        tonyh
NT username:          tonyh
Account Flags:        [UX         ]
User SID:             S-1-5-21-279200155-2930073459-3006489438-5097
Primary Group SID:    S-1-5-21-279200155-2930073459-3006489438-1003
Full Name:            Anthony Hess
Home Directory:       \\engr.arizona.edu\tonyh
HomeDir Drive:        H:
Logon Script:      
Profile Path:         \\fugazi.engr.arizona.edu\Profiles\%u
Domain:               FUGAZI
Account desc:      
Workstations:      
Munged dial:       
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Tue, 20 Jan 2004 13:41:10 MST
Password can change:  Tue, 20 Jan 2004 13:41:10 MST
Password must change: Mon, 18 Jan 2038 20:14:07 MST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


NO WORK:

Unix username:        mpoulton
NT username:          mpoulton
Account Flags:        [DUX        ]
User SID:             S-1-5-21-279200155-2930073459-3006489438-6576
Primary Group SID:    S-1-5-21-279200155-2930073459-3006489438-513
Full Name:            Mary Poulton
Home Directory:       \\fugazi.engr.arizona.edu\mpoulton
HomeDir Drive:        H:
Logon Script:      
Profile Path:         \\fugazi.engr.arizona.edu\Profiles\%u
Domain:               FUGAZI
Account desc:      
Workstations:      
Munged dial:       
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    0
Password can change:  0
Password must change: Mon, 18 Jan 2038 20:14:07 MST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


Thanks for any help,

Tony
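
Added example, not part of the original post: a read-only Python helper that parses `pdbedit -Lv` output in the layout shown above and lists each account carrying the D flag together with the password time fields that read 0. The sample records and usernames are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the pdbedit -Lv layout from the post (made-up users).
SAMPLE = """\
Unix username:        alice
Account Flags:        [UX         ]
Password last set:    Tue, 20 Jan 2004 13:41:10 MST
Password can change:  Tue, 20 Jan 2004 13:41:10 MST
Bad password count  : 0

Unix username:        bob
Account Flags:        [DUX        ]
Password last set:    0
Password can change:  0
Bad password count  : 0
"""

# "Key:   value" and "Key   : value" both occur in pdbedit output.
FIELD = re.compile(r"^([^:]+?)\s*:\s?(.*)$")
TIME_FIELDS = ("Password last set", "Password can change",
               "Password must change")

def parse_records(text):
    """Split pdbedit -Lv output into one dict per account."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank separator lines between accounts
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Unix username":  # first field of every record
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records

def flags(rec):
    """Return the account flag letters, e.g. {'D', 'U', 'X'}."""
    return set(rec.get("Account Flags", "").strip("[] "))

def audit(text):
    """Return (username, zero_time_fields) for each account with D set."""
    out = []
    for rec in parse_records(text):
        if "D" in flags(rec):
            zero = [k for k in TIME_FIELDS if rec.get(k) == "0"]
            out.append((rec["Unix username"], zero))
    return out

if __name__ == "__main__":
    for user, zero in audit(SAMPLE):
        print(f"{user}: disabled; zero fields: {', '.join(zero) or 'none'}")
```

To run it against a live server, pass the captured text of `pdbedit -Lv` to `audit()` instead of `SAMPLE`.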
