S4 Cannot Unlock Account

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Tue Feb 12 06:27:32 MST 2013


You should be able to use samba-tool user enable Testuser2 or possibly
samba-tool user setexpiry (add a --help for more info on how to use it).

Good luck,
Ricky


On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsnnva at gmail.com> wrote:

> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
>
> > I have come across a few accounts (out of 300+) that seem to be locked
> > that will not unlock. These accounts were migrated from S3. Can someone
> > advise - what am I missing here?
> >
> > I've reset the password several times via RSAT, checking the "Unlock
> > Account" checkbox, which has not helped. Resetting the user's password via
> > smbpasswd gives me:
> >
> > pdb_try_account_unlock: Account dmscott administratively locked out with
> > no bad password time. Leaving locked out.
> >
> > When attempting to login to WinXP, Windows states the account is locked
> > out and log.samba shows:
> >
> >   Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using arcfour-hmac-md5
> > [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
> >   authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
> > [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
> >   authsam_account_ok: Account for user dmscott at DOMAIN was locked out.
> >
> > Here is an ldapsearch output. I'm not seeing where/why this account is
> > locked.
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
> > # filter: sAMAccountName=dmscott
> > # requesting: ALL
> > #
> >
> > # Duser M. Scott, Users, internal.domain.com
> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> > instanceType: 4
> > whenCreated: 20121229150147.0Z
> > uSNCreated: 4317
> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
> > logonCount: 0
> > sAMAccountName: dmscott
> > sAMAccountType: 805306368
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
> > logonHours:: ////////////////////////////
> > uidNumber: 1436
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > unixHomeDirectory: /home/dmscott
> > gidNumber: 513
> > msSFU30NisDomain: domain
> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
> > mail: Duser.m.scott at domain.com
> > userPrincipalName: dmscott at internal.domain.com
> > givenName: Duser
> > initials: M
> > sn: Scott
> > displayName: Duser M. Scott
> > cn: Duser M. Scott
> > name: Duser M. Scott
> > scriptPath: GCS.cmd
> > lockoutTime: 0
> > loginShell: /bin/bash
> > msDS-SupportedEncryptionTypes: 0
> > userAccountControl: 528
> > accountExpires: 0
> > pwdLastSet: 130050989060000000
> > userParameters:
> > whenChanged: 20130211233014.0Z
> > uSNChanged: 8816
> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
>
> It seems that the problem for this user is the userAccountControl attribute
> having a value of 528 locks the account. Changing it to 512 (what most
> users are set to) unlocks the account. Is there any way to do this without
> directly modifying the LDAP entry?
>

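The thread above turns on one detail: lockoutTime and badPwdCount are 0, yet userAccountControl is 528 rather than the usual 512, and 528 - 512 = 16 is the well-known ADS_UF_LOCKOUT bit. The following is an added example (not code from the thread or from Samba) that parses a trimmed, constructed copy of the ldapsearch entry and reports which attribute is actually holding the account locked, so an admin can tell a normal bad-password lockout from this migrated "administrative" state before reaching for samba-tool.

```python
# Added example: diagnose why an AD/Samba user entry is reported as locked.
# Assumes a trimmed LDIF entry like the one in the thread (constructed here).
from typing import Dict, List

# Selected userAccountControl bits (well-known ADS_UF_* values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
UAC_LOCKOUT = 0x0010

# Constructed sample: only the lockout-relevant attributes of the entry above.
SAMPLE_LDIF = """\
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
badPwdCount: 0
badPasswordTime: 0
lockoutTime: 0
userAccountControl: 528
"""

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: 'attr: value' lines, '#' comments, and folded
    continuation lines (a leading space joins onto the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip().lstrip(":").strip())
    return attrs

def decode_uac(value: int) -> List[str]:
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def lockout_diagnosis(attrs: Dict[str, List[str]]) -> Dict[str, object]:
    uac = int(attrs["userAccountControl"][0])
    reasons = []
    if int(attrs.get("lockoutTime", ["0"])[0]) != 0:
        reasons.append("lockoutTime is set: ordinary bad-password lockout")
    if uac & UAC_LOCKOUT:
        reasons.append("LOCKOUT bit (16) set in userAccountControl with no bad-password time")
    return {"uac": uac, "flags": decode_uac(uac), "locked": bool(reasons),
            "reasons": reasons, "uac_without_lockout": uac & ~UAC_LOCKOUT}
```

Run on the sample, the diagnosis reports LOCKOUT plus NORMAL_ACCOUNT for 528 and gives 512 as the value with the lockout bit cleared, matching what Thomas observed when he edited the attribute by hand.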




More information about the samba-technical mailing list