Fwd: S4 Cannot Unlock Account

Thomas Simmons twsnnva at gmail.com
Tue Feb 12 03:55:39 MST 2013

I'm forwarding this to the technical list. I can fix this by deleting and
recreating the account, however I'd like to understand why this is

I have come across a few accounts (out of 300+) that seem to be locked that
will not unlock. These accounts were migrated from S3. Can someone advise -
what am I missing here?

I've reset the password several times via RSAT, checking the "Unlock
Account" checkbox, which has not helped. Resetting the user's password via
smbpasswd gives me:

pdb_try_account_unlock: Account dmscott administratively locked out with no
bad password time. Leaving locked out.

When attempting to log in to WinXP, Windows states the account is locked out
and log.samba shows:

  Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using
[2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
[2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
  authsam_account_ok: Account for user dmscott at DOMAIN was locked out.

Here is an ldapsearch output. I'm not seeing where/why this account is

# extended LDIF
# LDAPv3
# base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
# filter: sAMAccountName=dmscott
# requesting: ALL

# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
instanceType: 4
whenCreated: 20121229150147.0Z
uSNCreated: 4317
objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
logonCount: 0
sAMAccountName: dmscott
sAMAccountType: 805306368
logonHours:: ////////////////////////////
uidNumber: 1436
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/dmscott
gidNumber: 513
msSFU30NisDomain: domain
memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
mail: Duser.m.scott at domain.com
userPrincipalName: dmscott at internal.domain.com
givenName: Duser
initials: M
sn: Scott
displayName: Duser M. Scott
cn: Duser M. Scott
name: Duser M. Scott
scriptPath: GCS.cmd
lockoutTime: 0
loginShell: /bin/bash
msDS-SupportedEncryptionTypes: 0
userAccountControl: 528
accountExpires: 0
pwdLastSet: 130050989060000000
whenChanged: 20130211233014.0Z
uSNChanged: 8816
distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
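
Added example, not part of the original message and not Samba code: the userAccountControl value in the output above, 528, decodes to NORMAL_ACCOUNT plus the LOCKOUT bit, while lockoutTime and badPasswordTime are both 0. The script below parses ldapsearch output and flags that combination. The function names are hypothetical; the flag table uses the documented Active Directory userAccountControl bit values.

```python
# Added example: decode userAccountControl from ldapsearch LDIF output.
UAC_FLAGS = {                      # documented AD userAccountControl bits
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# Attributes copied from the ldapsearch output in the message above.
SAMPLE_LDIF = """\
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 0
badPasswordTime: 0
sAMAccountName: dmscott
lockoutTime: 0
userAccountControl: 528
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry."""
    entry, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:       # folded continuation line
            entry[last][-1] += line[1:]
            continue
        key, sep, value = line.partition(":")
        # Skip comments, blank lines and base64 values (attr:: ...).
        if line.startswith("#") or not sep or value.startswith(":"):
            last = None
            continue
        entry.setdefault(key, []).append(value.strip())
        last = key
    return entry

def decode_uac(value):
    """Return the flag names set in value; unknown bits are shown as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    return names + ([hex(unknown)] if unknown else [])

def lockout_bit_without_timestamps(entry):
    """True when LOCKOUT is stored but lockoutTime and badPasswordTime are 0."""
    get = lambda attr: int(entry.get(attr, ["0"])[0])
    return bool(get("userAccountControl") & 0x0010) and \
        get("lockoutTime") == 0 and get("badPasswordTime") == 0

if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print(decode_uac(int(e["userAccountControl"][0])), lockout_bit_without_timestamps(e))
```

To check all migrated accounts, feed each entry of a subtree ldapsearch result to `parse_ldif_entry` (entries are separated by blank lines).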

