[Samba] accounts disabled after 3.0.2 upgrade

Andrew Bartlett abartlet at samba.org
Tue Feb 17 22:00:13 GMT 2004


On Wed, 2004-02-18 at 05:25, Mark wrote:
> Just a heads up to anyone upgrading to 3.0.2.  In our case we used the new
> Fedora Core updates (the ones from the Fedora team, not the ones on the
> samba website) to update a samba PDC from 3.0.0.
> 
> As stated in the release notes for 3.02a (which I read on the samba
> website):
> 
> Beginning with Samba 3.0.2, passwords for accounts with a last
> change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
> ldapsam, etc...) of zero (0) will be regarded as uninitialized
> strings.  This will cause authentication to fail for such
> accounts.  If you have valid passwords that meet this criteria,
> you must update the last change time to a non-zero value.
> 
> This occurred in our smbpasswd file.  But in addition, a few other user
> accounts were also disabled, even though they had valid LCT times!  I
> couldn't find a pattern except that these were accounts created with
> relatively recent versions of samba (maybe 2.2.8 and later) whereas the
> other accounts have been in the system since the early 2.2 days.  So I
> suggest that:
> 
> 1. Before you upgrade, have a look through your user accounts and revise any
> that don't have a valid LCT.  The simplest thing to do may be to change the
> password once.  Even changing it to itself will probably work.  I'm not sure
> how accounts end up with LCT-0, but we had a bunch of them, and these users
> could not log on after the upgrade.

Certain accounts added with certain versions of Samba 2.2's smbpasswd
might be in this state.

You can either edit the file, or change the password.  In LDAP you may
simply delete the attribute.

> 2. After upgrading, look again and see if any other accounts were disabled,
> so you can fix those too.  Look for accounts where the flags in the
> smbpasswd file are set to [ux         ].  Replace the "x" with a space
> character.  By the way, the smbpasswd(5) man page, which describes the
> layout of the smbpasswd file, does not explain this "x" character, but
> removing it does work.

X means 'password does not eXpire'.  D is for Disabled.  Changing 'X'
should not make a difference.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
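
Added example, not part of the original message and not Samba's own code: a pre-upgrade audit that lists smbpasswd entries with a zero LCT or with the D or X flag discussed above. The field layout (name:uid:LM hash:NT hash:[flags]:LCT-hex:) is assumed from smbpasswd(5); the function name and the sample entries are constructed for illustration.

```python
import re

# Assumed smbpasswd(5) layout: name:uid:LM hash:NT hash:[flags]:LCT-<hex seconds>:
LINE_RE = re.compile(
    r"^(?P<name>[^:#][^:]*):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)

def audit_smbpasswd(text):
    """Return {account: [findings]} for entries worth reviewing before a 3.0.2 upgrade."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep malformed lines visible instead of silently skipping them.
            findings.setdefault(line.split(":", 1)[0], []).append("unparseable entry")
            continue
        flags = m.group("flags").upper()  # the post shows lowercase "[ux ...]"
        notes = []
        if int(m.group("lct"), 16) == 0:
            notes.append("LCT is zero: password treated as uninitialized")
        if "D" in flags:
            notes.append("D flag set: account disabled")
        if "X" in flags:
            notes.append("X flag set: password does not expire (informational)")
        if notes:
            findings[m.group("name")] = notes
    return findings

# Constructed sample entries; the hash fields are filler, not real credentials.
_H = "0123456789ABCDEF0123456789ABCDEF"
def _entry(name, uid, flags, lct):
    return f"{name}:{uid}:{_H}:{_H}:[{flags.ljust(11)}]:LCT-{lct}:"

SAMPLE = "\n".join([
    "# constructed sample smbpasswd file",
    _entry("alice", 1001, "U", "00000000"),   # zero last change time
    _entry("bob", 1002, "ux", "4031A2B3"),    # lowercase flags as quoted in the post
    _entry("carol", 1003, "UD", "4031A2B3"),  # disabled account
    _entry("dave", 1004, "U", "4031A2B3"),    # nothing to report
])

if __name__ == "__main__":
    for account, notes in audit_smbpasswd(SAMPLE).items():
        print(account, "->", "; ".join(notes))
```

Run it against a copy of the real file before and after the upgrade and compare the two reports.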