[Samba] LockoutTime will not reset
Kees van Vloten
keesvanvloten at gmail.com
Sat Jan 25 10:29:44 UTC 2025
On 25-01-2025 at 10:11, Rowland Penny via samba wrote:
> On Fri, 24 Jan 2025 13:27:49 -0600
> Ham via samba <samba at lists.samba.org> wrote:
>
>> Yesterday one of my users was prompted to change his password (which
>> he did). Today he tried to login and his account was locked. I
>> first used the Active Directory Users and Computers tool on Windows
>> to unlock the account. This appeared to accept the setting but did
>> not work and when relaunching the app it still showed the account
>> locked.
>>
>> I next tried to use "samba-tool user edit username" on the DC. It
>> appeared to work and the lockoutTime showed 0 when I reopened using
>> samba-tool. But the user still received a locked out message. Upon
>> rechecking with samba-tool it showed a time different than 0.
> This would seem to suggest that something is still using the old
> password, an email client for instance, you need to find whatever this
> is and fix it.

When you have enabled audit logging on the DCs, it is quite easy to find
the cause.

You can enable it by adding "auth_json_audit:..." to the line "log
level" in smb.conf [global] on the DCs and restarting the samba AD service.

    log level = 3 auth_json_audit:3@/var/log/samba/audit_auth.log

- Kees.

>> I then tried to reset using:
>>
>> ldbedit -H /var/lib/samba/private/sam.ldb -R
>> "CN=username,CN=Users,DC=example,DC=com"
>>
>> But this acted the same way as using samba-tool edit.
> It would, they both work in the same way.
>
> Rowland
>
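
One way to read the audit log enabled above and find which client keeps failing authentication for a locked-out account. This is an added example, not part of the original thread or of Samba. It assumes the records carry the `type`, `Authentication`, `status`, `remoteAddress`, `serviceDescription` and `clientAccount` fields of Samba's JSON authentication log; the sample lines are constructed and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Samba's JSON authentication audit
# log (a header line followed by indented JSON records). Not real log data.
SAMPLE_LOG = """\
[2025/01/25 09:58:01.100000,  3] (constructed header line)
  {"timestamp": "2025-01-25T09:58:01+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.50:51234", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "username"}}
  {"timestamp": "2025-01-25T09:58:31+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.50:51240", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "username@example.com"}}
  {"timestamp": "2025-01-25T09:59:02+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_ACCOUNT_LOCKED_OUT", "remoteAddress": "ipv4:192.0.2.77:40112", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "username"}}
  {"timestamp": "2025-01-25T10:00:00+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.10:50000", "serviceDescription": "SMB2", "authDescription": null, "clientAccount": "otheruser"}}
"""


def bare_account(name):
    """Reduce DOMAIN\\user or user@realm to a lower-case bare user name."""
    return (name or "").split("\\")[-1].split("@")[0].lower()


def host_of(remote):
    """Drop address family and source port: 'ipv4:192.0.2.50:51234' -> '192.0.2.50'."""
    _, _, rest = (remote or "").partition(":")
    return rest.rpartition(":")[0] or remote


def failed_auth_sources(lines, account):
    """Count failed authentications for `account` per (host, service, status)."""
    wanted = bare_account(account)
    hits = Counter()
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # log header or other non-JSON line
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # truncated or non-JSON text
        auth = record.get("Authentication") or {}
        status = auth.get("status")
        if record.get("type") != "Authentication" or status in (None, "NT_STATUS_OK"):
            continue  # other record types and successful logons
        if bare_account(auth.get("clientAccount")) == wanted:
            hits[(host_of(auth.get("remoteAddress")), auth.get("serviceDescription"), status)] += 1
    return hits


if __name__ == "__main__":
    for (host, service, status), n in failed_auth_sources(SAMPLE_LOG.splitlines(), "username").most_common():
        print(n, host, service, status, sep="\t")
```

On a DC, pass the open file `/var/log/samba/audit_auth.log` as `lines`; the host with the most wrong-password entries is the first place to look for a stored old password.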