[Samba] Samba accounts disabled

[Anthony Hess]

On 6/17/05 12:34 PM, "Gerald (Jerry) Carter" <jerry at samba.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Fri, 17 Jun 2005, Anthony Hess wrote:
> 
>> So that's what is disabling it then, thanks.  Too bad the user account
>> script that we have had for the past few years sets that to zero :)  I
>> guess the behavior must have been different under 2.2.x? (didn't do much
>> with samba back then).
> 
> Always helps to read the release notes :-)  This was part of the
> security fix in Samba 3.0.2a.

Yep, suppose that's true.  I did now for that issue.

Anyway, the behavior is pretty scary it looks like - a warning beyond a note
of the behavior change in the release notes probably would have been nice
(especially using the compat mode like we are - since the behavior is
different than 2.2).  There doesn't appear to be any really easy way to fix
it once you do it.  Go back to 2.2 and restore my directory from backup
maybe :)

>> Is there any way I can easily reset all of the user accounts using
>> smbpasswd -e instead of scripting some change to the directory server
>> entries?  If I could just get it to enable the accounts without asking
>> me for a user's password I think that would do it.
> 
> If you are using an smbpasswd file, then just manually change the last
> field.

Nope, using LDAP.  Now correct me if Im wrong, but it appears that the
lockout removes the lmpassword, ntpassword, and sets acctFlags to DUX and
removes a space.  I don't see any way for me to fix the issue without having
the users enter their passwords again.  This looks like something that can
be reasonably easily fixed via a web script that the users run, but I had
hoped for some way for me to leave them out of this.  Anyone have any other
ideas?

Im sure glad its summer and very few people are using samba :),

Tony