S4 Cannot Unlock Account

Thomas Simmons twsnnva at gmail.com
Tue Feb 12 09:30:19 MST 2013


The way I understand it, 512 is "normal account" (my account is set to this
and is fine). 16 is "locked out". 512+16=528, so 528 is a normal account,
that is locked out. 2 is "disabled" and if I disable my account, it adds 2
(514). The real problem is that I cannot find a way to change this back to
512 without manually altering the value in LDAP. I believe this may be a
bug - there should be some way to do this via RSAT or samba-tool
(preferably both). I just ran an ldapsearch and see I have 4 accounts out
of ~300 that have this attribute set to 528 - possibly something left over
from S3 or the migration process? I also had a few accounts with values
other than 512. A few were 6XXXXX - which appears to be correct as these
accounts are set to "never expire". In any event, thank you.


On Tue, Feb 12, 2013 at 11:16 AM, Michael Wood <esiotrot at gmail.com> wrote:

> Hi
>
> On 12 February 2013 16:03, Thomas Simmons <twsnnva at gmail.com> wrote:
> > Hello Ricky,
> >
> > These do not seem to work. samba-tool user setexpiry alters the
> > "accountExpires" attribute. samba-tool user enable/disable's behavior is
> > odd. disable appears to add 2 to the current value and enable subtracts 2
> > from the updated value (only if it's been disabled). Like this:
> >
> > Running the following on my account, in this order:
> > initial = 512
> > enable =  512
> > disable = 514
> > disable = 514
> > enable = 512
> > enable = 512
> >
> > If I manually set this value to 516 (don't know if that's valid) and run
> > disable, it gets set to 518.
> >
> > The account that is set to 528 gets set to 530 when I disable. Enable sets
> > it back to 528.
>
> I'm sure it's a bitmask and disable/enable just set/clear the second bit:
>
> 512 = 0000001000000000
> 514 = 0000001000000010
> 516 = 0000001000000100
> 518 = 0000001000000110
> 528 = 0000001000010000
> 530 = 0000001000010010
>
> So you have the 5th bit set.  I don't know what that means, but
> clearly that's the problem.
>
> A google search for "userAccountControl bitmask" turns up this:
>
> http://support.microsoft.com/kb/305144
>
> which says that bit means PASSWD_NOTREQD.  (The other one is
> NORMAL_ACCOUNT).
>
> I'm not sure why that should cause a problem though.
>
> > On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <ricky.nance at weaubleau.k12.mo.us> wrote:
> >
> >> You should be able to use samba-tool user enable Testuser2 or possibly
> >> samba-tool user setexpiry (add a --help for more info on how to use it).
> >>
> >> Good luck,
> >> Ricky
> >>
> >>
> >> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsnnva at gmail.com> wrote:
> >>
> >>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
> >>>
> >>> > I have come across a few accounts (out of 300+) that seem to be locked
> >>> > that will not unlock. These accounts were migrated from S3. Can someone
> >>> > advise - what am I missing here?
> >>> >
> >>> > I've reset the password several times via RSAT, checking the "Unlock
> >>> > Account" checkbox, which has not helped. Resetting the user's password
> >>> > via smbpasswd gives me:
> >>> >
> >>> > pdb_try_account_unlock: Account dmscott administratively locked out with
> >>> > no bad password time. Leaving locked out.
> >>> >
> >>> > When attempting to login to WinXP, Windows states the account is locked
> >>> > out and log.samba shows:
> >>> >
> >>> >   Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using
> >>> > arcfour-hmac-md5
> >>> > [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
> >>> >   authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
> >>> > [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
> >>> >   authsam_account_ok: Account for user dmscott at DOMAIN was locked out.
> >>> >
> >>> > Here is an ldapsearch output. I'm not seeing where/why this account is
> >>> > locked.
> >>> >
> >>> > # extended LDIF
> >>> > #
> >>> > # LDAPv3
> >>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
> >>> > # filter: sAMAccountName=dmscott
> >>> > # requesting: ALL
> >>> > #
> >>> >
> >>> > # Duser M. Scott, Users, internal.domain.com
> >>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> >>> > instanceType: 4
> >>> > whenCreated: 20121229150147.0Z
> >>> > uSNCreated: 4317
> >>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
> >>> > badPwdCount: 0
> >>> > codePage: 0
> >>> > countryCode: 0
> >>> > badPasswordTime: 0
> >>> > lastLogoff: 0
> >>> > lastLogon: 0
> >>> > primaryGroupID: 513
> >>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
> >>> > logonCount: 0
> >>> > sAMAccountName: dmscott
> >>> > sAMAccountType: 805306368
> >>> > objectCategory:
> >>> > CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
> >>> >  =com
> >>> > logonHours:: ////////////////////////////
> >>> > uidNumber: 1436
> >>> > objectClass: top
> >>> > objectClass: posixAccount
> >>> > objectClass: person
> >>> > objectClass: organizationalPerson
> >>> > objectClass: user
> >>> > unixHomeDirectory: /home/dmscott
> >>> > gidNumber: 513
> >>> > msSFU30NisDomain: domain
> >>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
> >>> > mail: Duser.m.scott at domain.com
> >>> > userPrincipalName: dmscott at internal.domain.com
> >>> > givenName: Duser
> >>> > initials: M
> >>> > sn: Scott
> >>> > displayName: Duser M. Scott
> >>> > cn: Duser M. Scott
> >>> > name: Duser M. Scott
> >>> > scriptPath: GCS.cmd
> >>> > lockoutTime: 0
> >>> > loginShell: /bin/bash
> >>> > msDS-SupportedEncryptionTypes: 0
> >>> > userAccountControl: 528
> >>> > accountExpires: 0
> >>> > pwdLastSet: 130050989060000000
> >>> > userParameters:
> >>> > whenChanged: 20130211233014.0Z
> >>> > uSNChanged: 8816
> >>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> >>> >
> >>> > # search result
> >>> > search: 2
> >>> > result: 0 Success
> >>> >
> >>> > # numResponses: 2
> >>> > # numEntries: 1
> >>> >
> >>>
> >>> It seems that the problem for this user is the userAccountControl attribute
> >>> having a value of 528 locks the account. Changing it to 512 (what most
> >>> users are set to) unlocks the account. Is there any way to do this without
> >>> directly modifying the LDAP entry?
> >>>
> --
> Michael Wood <esiotrot at gmail.com>
>
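As an added illustration (not code from this thread), a small Python decoder for the userAccountControl bitmask discussed above, using the flag values from the KB article Michael cites (in that table 0x0010 is LOCKOUT and 0x0020 is PASSWD_NOTREQD). It also shows why enable/disable only toggles 0x0002, and scans a constructed ldapsearch-style LDIF sample for accounts with the LOCKOUT bit set, the audit Thomas describes; the sample entries and account names are made up.

```python
import re

# userAccountControl flag bits (values from Microsoft KB 305144).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED", 0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

def decode_uac(value):
    # Names of the flags set in value, lowest bit first; 528 -> LOCKOUT, NORMAL_ACCOUNT
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def set_flag(value, name):
    # Bitwise OR: setting a flag that is already set leaves the value unchanged
    return value | NAME_TO_BIT[name]

def clear_flag(value, name):
    # Bitwise AND NOT: clearing a flag that is not set leaves the value unchanged
    return value & ~NAME_TO_BIT[name]

def find_locked(ldif_text):
    # Map sAMAccountName -> userAccountControl for every entry with LOCKOUT set
    locked = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = dict(re.findall(r"^(\w+): (.+)$", entry, re.M))
        uac = int(attrs.get("userAccountControl", 0))
        if uac & NAME_TO_BIT["LOCKOUT"]:
            locked[attrs["sAMAccountName"]] = uac
    return locked

# Constructed sample ldapsearch output (two abbreviated entries, not real data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: aexample
userAccountControl: 512

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bexample
userAccountControl: 528
"""

if __name__ == "__main__":
    for uac in (512, 514, 528, 530, 66048):
        print(uac, "->", " | ".join(decode_uac(uac)))
    print("locked:", find_locked(SAMPLE_LDIF))
```

Clearing LOCKOUT from 528 gives 512, while disable/enable on 528 yields 530 and back, matching the values observed in the thread.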


More information about the samba-technical mailing list