S4 Cannot Unlock Account
Michael Wood
esiotrot at gmail.com
Tue Feb 12 09:16:20 MST 2013
Hi
On 12 February 2013 16:03, Thomas Simmons <twsnnva at gmail.com> wrote:
> Hello Ricky,
>
> These do not seem to work. samba-tool user setexpiry alters the
> "accountExpires" attribute. samba-tool user enable/disable's behavior is
> odd. disable appears to add 2 to the current value and enable subtracts 2
> from the updated value (only if it's been disabled). Like this:
>
> Running the following on my account, in this order:
> initial = 512
> enable = 512
> disable = 514
> disable = 514
> enable = 512
> enable = 512
>
> If I manually set this value to 516 (don't know if that's valid) and run
> disable, it gets set to 518.
>
> The account that is set to 528 gets set to 530 when I disable. Enable sets
> it back to 528.
I'm sure it's a bitmask and disable/enable just set/clear the second bit:
512 = 0000001000000000
514 = 0000001000000010
516 = 0000001000000100
518 = 0000001000000110
528 = 0000001000010000
530 = 0000001000010010
So you have the 5th bit set. I don't know what that means, but
clearly that's the problem.
A google search for "userAccountControl bitmask" turns up this:
http://support.microsoft.com/kb/305144
which says that bit means PASSWD_NOTREQD. (The other one is NORMAL_ACCOUNT).
I'm not sure why that should cause a problem though.
> On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <
> ricky.nance at weaubleau.k12.mo.us> wrote:
>
>> You should be able to use samba-tool user enable Testuser2 or possibly
>> samba-tool user setexpiry (add a --help for more info on how to use it).
>>
>> Good luck,
>> Ricky
>>
>>
>> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsnnva at gmail.com> wrote:
>>
>>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com>
>>> wrote:
>>>
>>> > I have come across a few accounts (out of 300+) that seem to be locked
>>> > that will not unlock. These accounts were migrated from S3. Can someone
>>> > advise - what am I missing here?
>>> >
>>> > I've reset the password several times via RSAT, checking the "Unlock
>>> > Account" checkbox, which has not helped. Resetting the user's password
>>> via
>>> > smbpasswd gives me:
>>> >
>>> > pdb_try_account_unlock: Account dmscott administratively locked out with
>>> > no bad password time. Leaving locked out.
>>> >
>>> > When attempting to login to WinXP, Windows states the account is locked
>>> > out and log.samba shows:
>>> >
>>> > Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using
>>> > arcfour-hmac-md5
>>> > [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
>>> > authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
>>> > [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
>>> > authsam_account_ok: Account for user dmscott at DOMAIN was locked out.
>>> >
>>> > Here is an ldapsearch output. I'm not seeing where/why this account is
>>> > locked.
>>> >
>>> > # extended LDIF
>>> > #
>>> > # LDAPv3
>>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>>> > # filter: sAMAccountName=dmscott
>>> > # requesting: ALL
>>> > #
>>> >
>>> > # Duser M. Scott, Users, internal.domain.com
>>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>>> > instanceType: 4
>>> > whenCreated: 20121229150147.0Z
>>> > uSNCreated: 4317
>>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>>> > badPwdCount: 0
>>> > codePage: 0
>>> > countryCode: 0
>>> > badPasswordTime: 0
>>> > lastLogoff: 0
>>> > lastLogon: 0
>>> > primaryGroupID: 513
>>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>>> > logonCount: 0
>>> > sAMAccountName: dmscott
>>> > sAMAccountType: 805306368
>>> > objectCategory:
>>> > CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
>>> > =com
>>> > logonHours:: ////////////////////////////
>>> > uidNumber: 1436
>>> > objectClass: top
>>> > objectClass: posixAccount
>>> > objectClass: person
>>> > objectClass: organizationalPerson
>>> > objectClass: user
>>> > unixHomeDirectory: /home/dmscott
>>> > gidNumber: 513
>>> > msSFU30NisDomain: domain
>>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>>> > mail: Duser.m.scott at domain.com
>>> > userPrincipalName: dmscott at internal.domain.com
>>> > givenName: Duser
>>> > initials: M
>>> > sn: Scott
>>> > displayName: Duser M. Scott
>>> > cn: Duser M. Scott
>>> > name: Duser M. Scott
>>> > scriptPath: GCS.cmd
>>> > lockoutTime: 0
>>> > loginShell: /bin/bash
>>> > msDS-SupportedEncryptionTypes: 0
>>> > userAccountControl: 528
>>> > accountExpires: 0
>>> > pwdLastSet: 130050989060000000
>>> > userParameters:
>>> > IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>>> >
>>> >
>>> AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>>> >
>>> >
>>> BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>>> >
>>> >
>>> YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>>> > HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
>>> > whenChanged: 20130211233014.0Z
>>> > uSNChanged: 8816
>>> > distinguishedName: CN=Duser M.
>>> Scott,CN=Users,DC=internal,DC=domain,DC=com
>>> >
>>> > # search result
>>> > search: 2
>>> > result: 0 Success
>>> >
>>> > # numResponses: 2
>>> > # numEntries: 1
>>> >
>>>
>>> It seems that the problem for this user is the userAccountControl
>>> attribute
>>> having a value of 528 locks the account. Changing it to 512 (what most
>>> users are set to) unlocks the account. Is there any way to do this without
>>> directly modifying the LDAP entry?
>>>
>>
>>
>>
>> --
>>
>>
--
Michael Wood <esiotrot at gmail.com>
More information about the samba-technical
mailing list