S4 Cannot Unlock Account

Thomas Simmons twsnnva at gmail.com
Tue Feb 12 07:03:52 MST 2013


Hello Ricky,

These do not seem to work. samba-tool user setexpiry alters the
"accountExpires" attribute. samba-tool user enable/disable's behavior is
odd. disable appears to add 2 to the current value and enable subtracts 2
from the updated value (only if it's been disabled). Like this:

Running the following on my account, in this order:
initial = 512
enable =  512
disable = 514
disable = 514
enable = 512
enable = 512

If I manually set this value to 516 (don't know if that's valid) and run
disable, it gets set to 518.

The account that is set to 528 gets set to 530 when I disable. Enable sets
it back to 528.



On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <ricky.nance at weaubleau.k12.mo.us> wrote:

> You should be able to use samba-tool user enable Testuser2 or possibly
> samba-tool user setexpiry (add a --help for more info on how to use it).
>
> Good luck,
> Ricky
>
>
> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsnnva at gmail.com> wrote:
>
>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
>>
>> > I have come across a few accounts (out of 300+) that seem to be locked
>> > that will not unlock. These accounts were migrated from S3. Can someone
>> > advise - what am I missing here?
>> >
>> > I've reset the password several times via RSAT, checking the "Unlock
>> > Account" checkbox, which has not helped. Resetting the user's password
>> > via smbpasswd gives me:
>> >
>> > pdb_try_account_unlock: Account dmscott administratively locked out with
>> > no bad password time. Leaving locked out.
>> >
>> > When attempting to login to WinXP, Windows states the account is locked
>> > out and log.samba shows:
>> >
>> >   Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using
>> > arcfour-hmac-md5
>> > [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
>> >   authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
>> > [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
>> >   authsam_account_ok: Account for user dmscott at DOMAIN was locked out.
>> >
>> > Here is an ldapsearch output. I'm not seeing where/why this account is
>> > locked.
>> >
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>> > # filter: sAMAccountName=dmscott
>> > # requesting: ALL
>> > #
>> >
>> > # Duser M. Scott, Users, internal.domain.com
>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> > instanceType: 4
>> > whenCreated: 20121229150147.0Z
>> > uSNCreated: 4317
>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>> > badPwdCount: 0
>> > codePage: 0
>> > countryCode: 0
>> > badPasswordTime: 0
>> > lastLogoff: 0
>> > lastLogon: 0
>> > primaryGroupID: 513
>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>> > logonCount: 0
>> > sAMAccountName: dmscott
>> > sAMAccountType: 805306368
>> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
>> > logonHours:: ////////////////////////////
>> > uidNumber: 1436
>> > objectClass: top
>> > objectClass: posixAccount
>> > objectClass: person
>> > objectClass: organizationalPerson
>> > objectClass: user
>> > unixHomeDirectory: /home/dmscott
>> > gidNumber: 513
>> > msSFU30NisDomain: domain
>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>> > mail: Duser.m.scott at domain.com
>> > userPrincipalName: dmscott at internal.domain.com
>> > givenName: Duser
>> > initials: M
>> > sn: Scott
>> > displayName: Duser M. Scott
>> > cn: Duser M. Scott
>> > name: Duser M. Scott
>> > scriptPath: GCS.cmd
>> > lockoutTime: 0
>> > loginShell: /bin/bash
>> > msDS-SupportedEncryptionTypes: 0
>> > userAccountControl: 528
>> > accountExpires: 0
>> > pwdLastSet: 130050989060000000
>> > whenChanged: 20130211233014.0Z
>> > uSNChanged: 8816
>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> >
>> > # search result
>> > search: 2
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>> >
>>
>> It seems that the problem for this user is that the userAccountControl
>> attribute having a value of 528 locks the account. Changing it to 512 (what
>> most users are set to) unlocks the account. Is there any way to do this
>> without directly modifying the LDAP entry?
>>
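Added example, not code from the thread or from samba-tool: a small Python decoder for the userAccountControl bit field that shows why 528 reads as locked (NORMAL_ACCOUNT | LOCKOUT), why disable/enable only ever move the value by 2 (they set or clear the ACCOUNTDISABLE bit), and how the attribute can be pulled from an ldapsearch dump like the one quoted above. The flag values are the documented Active Directory UF_* constants; the sample LDIF and the helper names are constructed for this example.

```python
# Added example (not code from the thread or from samba-tool): decode the
# userAccountControl bit field and model enable/disable/unlock on it.
# Bit values are the documented Active Directory UF_* flags; 0x0004 is unassigned.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x40000: "SMARTCARD_REQUIRED",
}
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010


def decode_uac(value):
    """Return (names of set flags in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    return names, unknown

def disable(uac):
    """Set ACCOUNTDISABLE: the value grows by 2 only if the bit was clear."""
    return uac | UF_ACCOUNTDISABLE

def enable(uac):
    """Clear ACCOUNTDISABLE: the value shrinks by 2 only if the bit was set."""
    return uac & ~UF_ACCOUNTDISABLE

def unlock(uac):
    """Clear LOCKOUT; this is the 528 -> 512 change the thread makes by hand."""
    return uac & ~UF_LOCKOUT

def uac_from_ldif(ldif_text):
    """Pull the userAccountControl integer out of ldapsearch (LDIF) output."""
    for line in ldif_text.splitlines():
        if line.startswith("userAccountControl:"):
            return int(line.split(":", 1)[1])
    raise ValueError("userAccountControl attribute not present")


# Constructed LDIF fragment modelled on the entry quoted in the thread.
SAMPLE_LDIF = "dn: CN=Example,CN=Users,DC=example,DC=com\nlockoutTime: 0\nuserAccountControl: 528\n"
```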
