[Samba] S4 Cannot Unlock Account

Thomas Simmons twsnnva at gmail.com
Tue Feb 12 06:17:50 MST 2013


On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com> wrote:

> I have come across a few accounts (out of 300+) that seem to be locked
> that will not unlock. These accounts were migrated from S3. Can someone
> advise - what am I missing here?
>
> I've reset the password several times via RSAT, checking the "Unlock
> Account" checkbox, which has not helped. Resetting the user's password via
> smbpasswd gives me:
>
> pdb_try_account_unlock: Account dmscott administratively locked out with
> no bad password time. Leaving locked out.
>
> When attempting to login to WinXP, Windows states the account is locked
> out and log.samba shows:
>
>   Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using
> arcfour-hmac-md5
> [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
>   authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
> [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
>   authsam_account_ok: Account for user dmscott at DOMAIN was locked out.
>
> Here is an ldapsearch output. I'm not seeing where/why this account is
> locked.
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
> # filter: sAMAccountName=dmscott
> # requesting: ALL
> #
>
> # Duser M. Scott, Users, internal.domain.com
> dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
> instanceType: 4
> whenCreated: 20121229150147.0Z
> uSNCreated: 4317
> objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
> logonCount: 0
> sAMAccountName: dmscott
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
> logonHours:: ////////////////////////////
> uidNumber: 1436
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/dmscott
> gidNumber: 513
> msSFU30NisDomain: domain
> memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
> mail: Duser.m.scott at domain.com
> userPrincipalName: dmscott at internal.domain.com
> givenName: Duser
> initials: M
> sn: Scott
> displayName: Duser M. Scott
> cn: Duser M. Scott
> name: Duser M. Scott
> scriptPath: GCS.cmd
> lockoutTime: 0
> loginShell: /bin/bash
> msDS-SupportedEncryptionTypes: 0
> userAccountControl: 528
> accountExpires: 0
> pwdLastSet: 130050989060000000
> userParameters:
>  IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
>  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
>  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
>  HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
> whenChanged: 20130211233014.0Z
> uSNChanged: 8816
> distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>

It seems that the problem for this user is that the userAccountControl
attribute has a value of 528, which locks the account. Changing it to 512
(what most users are set to) unlocks the account. Is there any way to do
this without directly modifying the LDAP entry?
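The two values in the message above differ by exactly one bit: 528 is 0x210, which is UF_NORMAL_ACCOUNT (0x200) with UF_LOCKOUT (0x10) set, while 512 is 0x200 alone. A migrated entry that carries UF_LOCKOUT in userAccountControl but has lockoutTime and badPasswordTime both at 0 is precisely the state the "administratively locked out with no bad password time" message describes. The script below is an added example, not code from the poster or from Samba: it decodes the flag bits, reads a small LDIF dump (a constructed sample modelled on the ldapsearch output in this thread, with folded continuation lines) to find entries in that inconsistent state, and writes the LDIF modify record that clears only the UF_LOCKOUT bit. The sam.ldb path in the usage note is an assumption for a default source build; an entry that has a non-zero lockoutTime is a genuine lockout and is deliberately left alone.

```python
"""Decode userAccountControl and build an LDIF that clears UF_LOCKOUT.

Added example for this thread; not the poster's code and not part of Samba.
Flag values are the documented userAccountControl (UF_*) bit constants.
"""

# userAccountControl bit flags (documented Active Directory values).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
UF_LOCKOUT = 0x10

# Constructed sample, modelled on the ldapsearch output quoted in the thread.
SAMPLE_LDIF = """\
# constructed sample, not real directory data
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
badPwdCount: 0
badPasswordTime: 0
lockoutTime: 0
userAccountControl: 528
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domai
 n,DC=com

dn: CN=Healthy User,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: healthy
badPasswordTime: 0
lockoutTime: 0
userAccountControl: 512

dn: CN=Really Locked,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: locked
badPasswordTime: 130050989060000000
lockoutTime: 130050989060000000
userAccountControl: 528
"""


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif_entries(text):
    """Minimal LDIF reader: drop '#' comments, unfold lines that start with a
    space, split records on blank lines, return a list of {attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last record
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, val = line.partition(":")
        # strip the extra ':' of a base64 value and surrounding spaces
        current.setdefault(attr.strip(), []).append(val.strip(": "))
    return entries


def stuck_lockouts(entries):
    """Entries with UF_LOCKOUT set while lockoutTime and badPasswordTime are
    both 0, i.e. a lockout bit with no lockout event behind it."""
    hits = []
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        if not uac & UF_LOCKOUT:
            continue
        if int(e.get("lockoutTime", ["0"])[0]) == 0 and \
           int(e.get("badPasswordTime", ["0"])[0]) == 0:
            hits.append((e["dn"][0], uac))
    return hits


def unlock_ldif(dn, uac):
    """LDIF modify record that clears UF_LOCKOUT and leaves every other bit."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userAccountControl\n"
            f"userAccountControl: {uac & ~UF_LOCKOUT}\n")


if __name__ == "__main__":
    for dn, uac in stuck_lockouts(parse_ldif_entries(SAMPLE_LDIF)):
        print(f"# {dn}: {uac} = {' | '.join(decode_uac(uac))}")
        print(unlock_ldif(dn, uac))
```

Run it as `python3 uac_unlock.py > unlock.ldif` and apply the record with `ldbmodify -H /usr/local/samba/private/sam.ldb unlock.ldif` (the sam.ldb location is assumed; adjust it to the private directory of the installation). Only the entry with zeroed lockoutTime and badPasswordTime is emitted; the "Really Locked" sample is a real lockout and stays untouched, which is the distinction worth checking before clearing the bit on any of the other migrated accounts.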