[Samba] accounts disabled after 3.0.2 upgrade

Mark gmane at tippingmar.com
Tue Feb 17 18:25:56 GMT 2004


Just a heads up to anyone upgrading to 3.0.2.  In our case we used the new
Fedora Core updates (the ones from the Fedora team, not the ones on the
samba website) to update a samba PDC from 3.0.0.

As stated in the release notes for 3.02a (which I read on the samba
website):

Beginning with Samba 3.0.2, passwords for accounts with a last
change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
ldapsam, etc...) of zero (0) will be regarded as uninitialized
strings.  This will cause authentication to fail for such
accounts.  If you have valid passwords that meet this criteria,
you must update the last change time to a non-zero value.

This occured in our smbpasswd file.  But in addition, a few other user
accounts were also disabled, even though they had valid LCT times!  I
couldn't find a pattern except that these were accounts created with
relatively recent versions of samba (maybe 2.2.8 and later) whereas the
other accounts have been in the system since the early 2.2 days.  So I
suggest that:

1. Before you upgrade, have a look through your user accounts and revise any
that don't have a valid LCT.  The simplest thing to do may be to change the
password once.  Even changing it to itself will probably work.  I'm not sure
how accounts end up with LCT-0, but we had a bunch of them, and these users
could not log on after the upgrade.

2. After upgrading, look again and see if any other accounts were disabled,
so you can fix those too.  Look for accounts where the flags in the
smbpasswd file are set to [ux         ].  Replace the "x" with a space
character.  By the way, the smbpasswd(5) man page, which describes the
layout of the smbpasswd file, does not explain this "x" character, but
removing it does work.

Hope this saves someone the pressure of searching for a solution while users
look over your shoulder.

Mark





More information about the samba mailing list