[Samba] Re: Accounts are getting disabled

zergio zergio at isma.kharkov.ua
Mon Jul 5 09:22:03 GMT 2004


Tilo Lutz wrote:
>>>On Sat, 3 Jul 2004, Tilo Lutz wrote:
>>>
>>>>None of my accounts in ldap have set sambaPwdLastSet, even those
>>>>accounts which became disabled. If I have understood you right,
>>>>samba should not disable account if the attribute sambaPwdLastSet
>>>>is not defined in ldap?
> 
> 
>>On Mon, 2004-07-05 at 06:56, Gerald (Jerry) Carter wrote:
>>
>>>If the attribute is not defined smbd gives it an implicit value of 0.
> 
> 
>>Andrew Bartlett wrote:
>>If that's what caused the issue, then there is a bug (which I'm happy to
>>look into and fix).  
>>	
>>	/* only reset a password if the last set time has been 
>>	   explicitly been set to zero.  A default last set time 
>>	   is ignored */
>>
>>	if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT) 
>>		&& (pdb_get_pass_last_set_time(pass) == 0) ) 
>>	{
>>		
>>The intention of the logic was that if the value was undefined in LDAP,
>>the flags would be set to PDB_DEFAULT and it would not be treated as
>>'defined as zero' for this test.
> 
> 
> I took a closer look at my users:
> Here's an LDAP record (without password hashes) from Saturday:
> dn: uid=alexander-cristea,ou=kl-1g3,ou=people,dc=wms-hn,dc=de
> userPassword:: e0NSWVBUfTE3NnUxQzA0ZDhCbG8=
> shadowLastChange: 11947
> sambaPwdLastSet: 1
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: top
> objectClass: sambaSamAccount
> cn: alexander-cristea
> sn: alexander-cristea
> uid: alexander-cristea
> homeDirectory: /home/kl-1g3/alexander-cristea
> gecos: "kl-1g3"
> loginShell: /bin/sh
> shadowMin: 1
> shadowMax: 99999
> shadowWarning: 14
> sambaPwdMustChange: 1800000000
> gidNumber: 112
> sambaPrimaryGroupSID: S-1-5-21-3371203057-3264423045-2392767973-1225
> uidNumber: 5248
> sambaSID: S-1-5-21-3371203057-3264423045-2392767973-11496
> sambaProfilePath: \\WILMA2\profile
> sambaAcctFlags: [UX        ]
> 
> The same user Monday morning:
> # alexander-cristea, kl-1g3, people, wms-hn.de
> dn: uid=alexander-cristea,ou=kl-1g3,ou=people,dc=wms-hn,dc=de
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: top
> objectClass: sambaSamAccount
> cn: alexander-cristea
> sn: alexander-cristea
> uid: alexander-cristea
> homeDirectory: /home/kl-1g3/alexander-cristea
> gecos: "kl-1g3"
> loginShell: /bin/sh
> shadowMin: 1
> shadowMax: 99999
> shadowWarning: 14
> sambaPwdMustChange: 1800000000
> gidNumber: 112
> sambaPrimaryGroupSID: S-1-5-21-3371203057-3264423045-2392767973-1225
> uidNumber: 5248
> sambaSID: S-1-5-21-3371203057-3264423045-2392767973-11496
> sambaProfilePath: \\WILMA2\profile
> sambaAcctFlags: [DUX        ]
> 
> Again there's no log entry in log.smbd (loglevel 2).
> As you can see the account was disabled and sambaPwdLastSet was
> removed.
> 
> Anything I can do to find the problem? Which loglevel should I
> use?
> 
> Tilo
> 
> 
> 
Hi!
I experienced such a problem after I migrated from samba 2.2.8a to 
samba 3.0.4 with ldap backend. I found out that if sambaPwdLastSet = 0
upon user connection, the account got disabled. The workaround is to manually 
set sambaPwdLastSet to some real date for all users.
Newly created users shouldn't have the problem.
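
The workaround in the reply above, as an added example (not from the thread or the Samba project): a script that scans an LDIF export for sambaSamAccount entries whose sambaPwdLastSet is missing or 0 and writes the LDIF modify records to set it. The sample entries, the fallback timestamp and the use of shadowLastChange as the source of the date are assumptions made for this example.

```python
# Added example: audit an LDIF export and build the sambaPwdLastSet fix.
SAMPLE = """\
dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit

dn: uid=user-a,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: user-a
shadowLastChange: 11947
sambaPwdLastSet: 0

dn: uid=user-b,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: user-b

dn: uid=user-c,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: user-c
sambaPwdLastSet: 1088000000
"""  # constructed sample data, not taken from the thread

def parse_ldif(text):
    """Parse plain LDIF into {attr_lower: [values]} dicts (base64 values are not decoded)."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold continuation lines
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return entries

def at_risk(entry):
    """True for a Samba account whose sambaPwdLastSet is absent or 0."""
    if "sambasamaccount" not in [v.lower() for v in entry.get("objectclass", [])]:
        return False
    values = entry.get("sambapwdlastset")
    return not values or values[0] == "0"

def fix_ldif(entries, fallback_ts):
    """Build LDIF modify records that give each at-risk account a real timestamp."""
    out = []
    for e in filter(at_risk, entries):
        days = e.get("shadowlastchange")
        # Assumption: shadowLastChange (days since 1970) records the last password change
        ts = int(days[0]) * 86400 if days else fallback_ts
        out.append(f"dn: {e['dn'][0]}\nchangetype: modify\n"
                   f"replace: sambaPwdLastSet\nsambaPwdLastSet: {ts}\n")
    return "\n".join(out)
```

The output of `fix_ldif(parse_ldif(export), fallback_ts)` is in the form `ldapmodify` reads; review it before applying it to the directory.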
