[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

Matthias Dieter Wallnöfer mdw at samba.org
Wed May 29 14:23:47 MDT 2013

Hi Andrew,

please have a look at my "uac" branch - in particular to commit 


Andrew Bartlett schrieb:
> Matthias,
> Any chance you can look into this for me?
> Thanks,
> On Tue, 2013-05-28 at 15:56 +0800, Tide wrote:
>> the userAccountControl value becomes 0x202 (514) after 0x800002 was written to active directory of windows server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.
>> ---------------- Original ------------------
>> From:  "Andrew Bartlett"<abartlet at samba.org>;
>> Date:  Tue, May 28, 2013 10:50 AM
>> To:  "Tide"<lovetide at qq.com>;
>> Cc:  "samba"<samba at lists.samba.org>;
>> Subject:  Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"
>> On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
>>> We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003.
>>> When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system write 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns "Unrecognized account type" error.
>>> Is this expected behaviour or a possible bug?
>>> # test from command line
>>> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
>>> # then change userAccountControl to 8388610, save, quit editor
>> If it works against Windows and doesn't work against Samba, it's a bug.
>> We need to know what the value becomes after you do this against
>> windows, then then we need the tests updated to cover this case.
>> Presumably the UF_NORMAL_ACCOUNT flag is implied.
>> Once that's done, it shouldn't be too hard to also imply it.
>> Any chance you can look into this for us?
>> Thanks,
>> Andrew Bartlett
>> -- 
>> Andrew Bartlett                                http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list