samba3upgrade migration results, issues, questions

Sergey Urushkin urushkin at
Mon May 7 03:12:10 MDT 2012

Andrew Bartlett писал 07.05.2012 02:30:
> On Fri, 2012-05-04 at 15:46 +0400, Sergey Urushkin wrote:
>> Backing to the small domain... seems it's not the same bug.
>> There I have max-pwd-age=0, but the problem still exists. Using
>> ldbsearch I found that all accounts "accountExpires" attribute is 
>> set to
>> "116444735990000000" (23:59:59 - 01.01.1970).
>> Setting it to a lager value e.g. "136444735990000000" (2033y) fixes
>> account. So, I tried to view s3.0 tdb account via s3.6 pdbedit tool:
>> Unix username:        pc106
>> NT username:
>> Account Flags:        [U          ]
>> User SID:             S-1-5-21-2558268738-2209604249-3907695097-3026
>> Primary Group SID:    (NULL SID)
>> Full Name:            Samba_User &
>> Home Directory:       \\fw\pc106
>> HomeDir Drive:
>> Logon Script:
>> Profile Path:
>> Domain:               DOMAIN
>> Account desc:
>> Workstations:
>> Munged dial:
>> Logon time:           0
>> Logoff time:          9223372036854775807 seconds since the Epoch
>> Kickoff time:         9223372036854775807 seconds since the Epoch
>> Password last set:    Fri, 15 Apr 2011 10:17:59 MSK
>> Password can change:  Fri, 15 Apr 2011 10:17:59 MSK
>> Password must change: never
>> Last bad password   : 0
>> Bad password count  : 0
>> As you can see Logoff/Kickoff values are very strange and 'primary 
>> group
>> sid' is null. That's about all users.
>> It is an old-old "magic" samba 3.0.x db provisioned by another 
>> person a
>> long time ago on FreeBSD 4.4 :)
> Please let me know if this fixes it.
The problem still exists.

s4's pdbedit gives me another data, but it seems to use s4 db not s3, 
so it wouldn't help. May be some another data may help here?

Also, I have to say that I gave you a wrong suggestion in my previous 
message that this is the same bug.
The small domain problem is that all accounts are imported expired 
(accountexpires attr) and the fact they are not asked to change their 
passwords is normal, because accounts has already expired.
The big domain problem I've mentioned in my previous message is that if 
account's password expires (pwdlastset attr), it is not asked to change 
account's password via kinit and this is _not_ normal, because password 
has expired only, not account.


Best regards,
Sergey Urushkin

More information about the samba-technical mailing list