[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

Matthias Dieter Wallnöfer mdw at samba.org
Wed May 29 14:23:47 MDT 2013


Hi Andrew,

please have a look at my "uac" branch - in particular to commit 
b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks,
Matthias

Andrew Bartlett wrote:
> Matthias,
>
> Any chance you can look into this for me?
>
> Thanks,
>
> On Tue, 2013-05-28 at 15:56 +0800, Tide wrote:
>> The userAccountControl value becomes 0x202 (514) after 0x800002 was written to Active Directory of Windows Server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.
>>
>> ---------------- Original ------------------
>> From:  "Andrew Bartlett"<abartlet at samba.org>;
>> Date:  Tue, May 28, 2013 10:50 AM
>> To:  "Tide"<lovetide at qq.com>;
>> Cc:  "samba"<samba at lists.samba.org>;
>> Subject:  Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"
>>
>>
>> On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
>>> We have a third-party mail system which can write/read accounts to/from AD using the LDAPS protocol; it works fine with Active Directory of Windows Server 2003.
>>>
>>> When I test the mail system with a Samba4 DC, I can't disable a user from the mail system, because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to the userAccountControl field of AD/Samba4, and samldb returns an "Unrecognized account type" error.
>>>
>>> Is this expected behaviour or a possible bug?
>>>
>>> # test from command line
>>> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
>>> # then change userAccountControl to 8388610, save, quit editor
>> If it works against Windows and doesn't work against Samba, it's a bug.
>> We need to know what the value becomes after you do this against
>> Windows, and then we need the tests updated to cover this case.
>>
>> Presumably the UF_NORMAL_ACCOUNT flag is implied.
>>
>> Once that's done, it shouldn't be too hard to also imply it.
>>
>> Any chance you can look into this for us?
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>> -- 
>> Andrew Bartlett                                http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
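
An added illustration, not part of the original thread and not Samba's code: a small C model of the behaviour discussed above, where a strict account-type check rejects 0x800002 and leaves the account enabled, while implying UF_NORMAL_ACCOUNT gives the 0x202 that Tide reports from Windows Server 2003. The flag values are the lmaccess.h definitions (there spelled UF_ACCOUNTDISABLE and UF_PASSWORD_EXPIRED); the function names are hypothetical, and dropping the password-expired bit on write is an assumption taken from the reported 0x202 result.

```c
#include <stdint.h>
#include <stdio.h>

/* userAccountControl bits, values as in the Windows lmaccess.h header. */
#define UF_ACCOUNTDISABLE            0x00000002u
#define UF_TEMP_DUPLICATE_ACCOUNT    0x00000100u
#define UF_NORMAL_ACCOUNT            0x00000200u
#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800u
#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000u
#define UF_SERVER_TRUST_ACCOUNT      0x00002000u
#define UF_PASSWORD_EXPIRED          0x00800000u
#define UF_ACCOUNT_TYPE_MASK (UF_TEMP_DUPLICATE_ACCOUNT | UF_NORMAL_ACCOUNT | \
        UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | \
        UF_SERVER_TRUST_ACCOUNT)

/* Hypothetical strict check: -1 ("Unrecognized account type") if no type bit. */
int uac_strict_check(uint32_t uac)
{
    return (uac & UF_ACCOUNT_TYPE_MASK) ? 0 : -1;
}

/* Hypothetical normalisation modelling the reported Windows 2003 result:
 * drop UF_PASSWORD_EXPIRED (assumption) and imply UF_NORMAL_ACCOUNT. */
uint32_t uac_normalize(uint32_t uac)
{
    uac &= ~UF_PASSWORD_EXPIRED;
    if ((uac & UF_ACCOUNT_TYPE_MASK) == 0)
        uac |= UF_NORMAL_ACCOUNT;
    return uac;
}

/* Value stored after a write; a rejected write leaves the old value in place. */
uint32_t apply_write(uint32_t stored, uint32_t requested, int imply_type)
{
    if (imply_type)
        requested = uac_normalize(requested);
    return uac_strict_check(requested) == 0 ? requested : stored;
}

int main(void)
{
    uint32_t stored = UF_NORMAL_ACCOUNT;  /* constructed sample: enabled user */
    uint32_t req = UF_ACCOUNTDISABLE | UF_PASSWORD_EXPIRED;  /* 0x800002 */
    printf("strict:  0x%x\n", (unsigned)apply_write(stored, req, 0));
    printf("implied: 0x%x\n", (unsigned)apply_write(stored, req, 1));
    return 0;
}
```

With the strict path the stored value stays 0x200, so a provisioning system that ignores the LDAP error would believe the account was disabled when it was not.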


