S4 Cannot Unlock Account

Thomas Simmons twsnnva at gmail.com
Tue Feb 12 14:03:35 MST 2013


On Tue, Feb 12, 2013 at 11:30 AM, Thomas Simmons <twsnnva at gmail.com> wrote:

> The way I understand it, 512 is "normal account" (my account is set to
> this and is fine). 16 is "locked out". 512+16=528, so 528 is a normal
> account, that is locked out. 2 is "disabled" and if I disable my account,
> it adds 2 (514). The real problem is that I cannot find a way to change
> this back to 512 without manually altering the value in LDAP. I believe
> this may be a bug - there should be some way to do this via RSAT or
> samba-tool (preferably both). I just ran an ldapsearch and see I have 4
> accounts out of ~300 that have this attribute set to 528 - possibly
> something left over from S3 or the migration process? I also had a few
> accounts with values other than 512. A few were 6XXXXX - which appears to
> be correct as these accounts are set to "never expire". In any event, thank
> you.
>
>
> On Tue, Feb 12, 2013 at 11:16 AM, Michael Wood <esiotrot at gmail.com> wrote:
>
>> Hi
>>
>> On 12 February 2013 16:03, Thomas Simmons <twsnnva at gmail.com> wrote:
>> > Hello Ricky,
>> >
>> > These do not seem to work. samba-tool user setexpiry alters the
>> > "accountExpires" attribute. samba-tool user enable/disable's behavior is
>> > odd. disable appears to add 2 to the current value and enable subtracts 2
>> > from the updated value (only if it's been disabled). Like this:
>> >
>> > Running the following on my account, in this order:
>> > initial = 512
>> > enable =  512
>> > disable = 514
>> > disable = 514
>> > enable = 512
>> > enable = 512
>> >
>> > If I manually set this value to 516 (don't know if that's valid) and run
>> > disable, it gets set to 518.
>> >
>> > The account that is set to 528 gets set to 530 when I disable. Enable sets
>> > it back to 528.
>>
>> I'm sure it's a bitmask and disable/enable just set/clear the second bit:
>>
>> 512 = 0000001000000000
>> 514 = 0000001000000010
>> 516 = 0000001000000100
>> 518 = 0000001000000110
>> 528 = 0000001000010000
>> 530 = 0000001000010010
>>
>> So you have the 5th bit set.  I don't know what that means, but
>> clearly that's the problem.
>>
>> A google search for "userAccountControl bitmask" turns up this:
>>
>> http://support.microsoft.com/kb/305144
>>
>> which says that bit means PASSWD_NOTREQD.  (The other one is
>> NORMAL_ACCOUNT).
>>
>> I'm not sure why that should cause a problem though.
>>
>> > On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <
>> > ricky.nance at weaubleau.k12.mo.us> wrote:
>> >
>> >> You should be able to use samba-tool user enable Testuser2 or possibly
>> >> samba-tool user setexpiry (add a --help for more info on how to use it).
>> >>
>> >> Good luck,
>> >> Ricky
>> >>
>> >>
>> >> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsnnva at gmail.com> wrote:
>> >>
>> >>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
>> >>>
>> >>> > I have come across a few accounts (out of 300+) that seem to be locked
>> >>> > that will not unlock. These accounts were migrated from S3. Can someone
>> >>> > advise - what am I missing here?
>> >>> >
>> >>> > I've reset the password several times via RSAT, checking the "Unlock
>> >>> > Account" checkbox, which has not helped. Resetting the user's password
>> >>> > via smbpasswd gives me:
>> >>> >
>> >>> > pdb_try_account_unlock: Account dmscott administratively locked out with
>> >>> > no bad password time. Leaving locked out.
>> >>> >
>> >>> > When attempting to login to WinXP, Windows states the account is locked
>> >>> > out and log.samba shows:
>> >>> >
>> >>> >   Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using
>> >>> > arcfour-hmac-md5
>> >>> > [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
>> >>> >   authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
>> >>> > [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
>> >>> >   authsam_account_ok: Account for user dmscott at DOMAIN was locked out.
>> >>> >
>> >>> > Here is an ldapsearch output. I'm not seeing where/why this account is
>> >>> > locked.
>> >>> >
>> >>> > # extended LDIF
>> >>> > #
>> >>> > # LDAPv3
>> >>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>> >>> > # filter: sAMAccountName=dmscott
>> >>> > # requesting: ALL
>> >>> > #
>> >>> >
>> >>> > # Duser M. Scott, Users, internal.domain.com
>> >>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> >>> > instanceType: 4
>> >>> > whenCreated: 20121229150147.0Z
>> >>> > uSNCreated: 4317
>> >>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>> >>> > badPwdCount: 0
>> >>> > codePage: 0
>> >>> > countryCode: 0
>> >>> > badPasswordTime: 0
>> >>> > lastLogoff: 0
>> >>> > lastLogon: 0
>> >>> > primaryGroupID: 513
>> >>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>> >>> > logonCount: 0
>> >>> > sAMAccountName: dmscott
>> >>> > sAMAccountType: 805306368
>> >>> > objectCategory:
>> >>> > CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
>> >>> >  =com
>> >>> > logonHours:: ////////////////////////////
>> >>> > uidNumber: 1436
>> >>> > objectClass: top
>> >>> > objectClass: posixAccount
>> >>> > objectClass: person
>> >>> > objectClass: organizationalPerson
>> >>> > objectClass: user
>> >>> > unixHomeDirectory: /home/dmscott
>> >>> > gidNumber: 513
>> >>> > msSFU30NisDomain: domain
>> >>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>> >>> > mail: Duser.m.scott at domain.com
>> >>> > userPrincipalName: dmscott at internal.domain.com
>> >>> > givenName: Duser
>> >>> > initials: M
>> >>> > sn: Scott
>> >>> > displayName: Duser M. Scott
>> >>> > cn: Duser M. Scott
>> >>> > name: Duser M. Scott
>> >>> > scriptPath: GCS.cmd
>> >>> > lockoutTime: 0
>> >>> > loginShell: /bin/bash
>> >>> > msDS-SupportedEncryptionTypes: 0
>> >>> > userAccountControl: 528
>> >>> > accountExpires: 0
>> >>> > pwdLastSet: 130050989060000000
>> >>> > userParameters:
>> >>> >  IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>> >>> >  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>> >>> >  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>> >>> >  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>> >>> >  HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
>> >>> > whenChanged: 20130211233014.0Z
>> >>> > uSNChanged: 8816
>> >>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> >>> >
>> >>> > # search result
>> >>> > search: 2
>> >>> > result: 0 Success
>> >>> >
>> >>> > # numResponses: 2
>> >>> > # numEntries: 1
>> >>> >
>> >>>
>> >>> It seems that the problem for this user is the userAccountControl attribute
>> >>> having a value of 528 locks the account. Changing it to 512 (what most
>> >>> users are set to) unlocks the account. Is there any way to do this without
>> >>> directly modifying the LDAP entry?
>> >>>
>> >>
>>
>>
>>
>> --
>> Michael Wood <esiotrot at gmail.com>
>>
>
I figured out a way to correct this via RSAT, though I still think there
is a problem - I'm sure checking "Unlock Account" should, well, unlock the
account. Anyhow, in RSAT, if you select "View" > "Advanced Features", you
will get an "Attribute Editor" tab in each user's properties. You can then
alter the userAccountControl attribute. It even shows 528 as (LOCKOUT |
NORMAL_ACCOUNT).
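As an added example for this thread (not samba-tool or any other Samba project code), the Python below decodes userAccountControl against the flag table in Microsoft KB 305144 (where 16 is LOCKOUT and 32 is PASSWD_NOTREQD), models the enable/disable toggling reported above, sweeps an ldapsearch dump for accounts that carry LOCKOUT with lockoutTime 0 (the state smbpasswd reports as "administratively locked out with no bad password time"), and emits the ldapmodify LDIF that clears only that bit. The set_disabled function is a model of the observed behaviour, not Samba's implementation; the LDIF entries are constructed, and 66048 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD) is an assumption about what the thread's "6XXXXX" never-expire accounts hold.

```python
"""Decode and repair a stuck userAccountControl value. Added example for this
thread, not Samba code; flag bits are the ones documented in Microsoft KB 305144."""

# KB 305144 flag bits. The three this thread turns on are commented.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",          # toggled by samba-tool user enable/disable
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",                 # 528 - 512 = 16: the bit that stuck
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",          # 512: an ordinary user account
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",   # 65536: "password never expires"
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
UF_ACCOUNTDISABLE, UF_LOCKOUT = 0x0002, 0x0010


def decode_uac(value: int) -> list[str]:
    """Flag names set in value, lowest bit first; undocumented bits are reported
    as UNKNOWN_0x... instead of being silently dropped."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def set_disabled(value: int, disabled: bool) -> int:
    """Model of the enable/disable behaviour observed in the thread: only the
    ACCOUNTDISABLE bit moves (512<->514, 528<->530), so LOCKOUT survives."""
    return (value | UF_ACCOUNTDISABLE) if disabled else (value & ~UF_ACCOUNTDISABLE)


def clear_lockout(value: int) -> int:
    """The fix applied by hand in the thread: drop LOCKOUT, keep every other bit."""
    return value & ~UF_LOCKOUT


def unlock_ldif(dn: str, current: int) -> str:
    """LDIF for ldapmodify writing the corrected value; refuses to rewrite an
    account whose LOCKOUT bit is not set."""
    if not current & UF_LOCKOUT:
        raise ValueError(f"{dn}: LOCKOUT not set (userAccountControl={current})")
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {clear_lockout(current)}\n")


def parse_ldif(text: str) -> list[dict[str, str]]:
    """Minimal LDIF reader: one dict per entry, single-valued attributes,
    folded lines (leading space) re-joined, '#' comment lines skipped."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(" ") and last:
            cur[last] += raw[1:]
        else:
            last, _, val = raw.partition(":")
            cur[last] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def stuck_lockouts(text: str) -> list[str]:
    """sAMAccountNames carrying LOCKOUT with lockoutTime 0: the state smbpasswd
    reports as 'administratively locked out with no bad password time'."""
    return [e["sAMAccountName"] for e in parse_ldif(text)
            if int(e.get("userAccountControl", "0")) & UF_LOCKOUT
            and int(e.get("lockoutTime", "0")) == 0]


# Constructed sample: dmscott mirrors the thread's entry; the second entry is assumed.
SAMPLE_LDIF = """\
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
lockoutTime: 0
userAccountControl: 528

dn: CN=Real Lockout,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: bruted
lockoutTime: 130050989060000000
userAccountControl: 528
"""

if __name__ == "__main__":
    for v in (512, 514, 528, 530, 66048):
        print(f"{v:>6} = {v:017b}  {' | '.join(decode_uac(v))}")
    for e in parse_ldif(SAMPLE_LDIF):
        if e["sAMAccountName"] in stuck_lockouts(SAMPLE_LDIF):
            print(unlock_ldif(e["dn"], int(e["userAccountControl"])))
```

To run it against a real domain, feed stuck_lockouts the output of the ldapsearch shown earlier in the thread, restricted to sAMAccountName, lockoutTime and userAccountControl, and pipe unlock_ldif's output into ldapmodify. Because clear_lockout touches only bit 16, accounts that also carry ACCOUNTDISABLE or DONT_EXPIRE_PASSWORD keep those settings.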


More information about the samba-technical mailing list