
[Samba] S4 Cannot Unlock Account


Thomas Simmons

Feb 11, 2013, 7:00:02 PM
I have come across a few accounts (out of 300+) that seem to be locked that
will not unlock. These accounts were migrated from S3. Can someone advise -
what am I missing here?

I've reset the password several times via RSAT, checking the "Unlock
Account" checkbox, which has not helped. Resetting the user's password via
smbpasswd gives me:

pdb_try_account_unlock: Account dmscott administratively locked out with no
bad password time. Leaving locked out.

When attempting to login to WinXP, Windows states the account is locked out
and log.samba shows:

Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
arcfour-hmac-md5
[2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
[2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
authsam_account_ok: Account for user dmscott@DOMAIN was locked out.

Here is an ldapsearch output. I'm not seeing where/why this account is
locked.

# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
# filter: sAMAccountName=dmscott
# requesting: ALL
#

# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
instanceType: 4
whenCreated: 20121229150147.0Z
uSNCreated: 4317
objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
logonCount: 0
sAMAccountName: dmscott
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
logonHours:: ////////////////////////////
uidNumber: 1436
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/dmscott
gidNumber: 513
msSFU30NisDomain: domain
memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
mail: Duser....@domain.com
userPrincipalName: dms...@internal.domain.com
givenName: Duser
initials: M
sn: Scott
displayName: Duser M. Scott
cn: Duser M. Scott
name: Duser M. Scott
scriptPath: GCS.cmd
lockoutTime: 0
loginShell: /bin/bash
msDS-SupportedEncryptionTypes: 0
userAccountControl: 528
accountExpires: 0
pwdLastSet: 130050989060000000
userParameters:
IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
whenChanged: 20130211233014.0Z
uSNChanged: 8816
distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Thomas Simmons

Feb 12, 2013, 6:00:03 AM
I'm forwarding this to the technical list. I can fix this by deleting and
recreating the account, however I'd like to understand why this is
happening.

Thomas Simmons

Feb 12, 2013, 8:20:03 AM
It seems that the problem for this user is the userAccountControl attribute
having a value of 528 locks the account. Changing it to 512 (what most
users are set to) unlocks the account. Is there any way to do this without
directly modifying the LDAP entry?

Thomas Simmons

Feb 12, 2013, 9:10:02 AM
Hello Ricky,

These do not seem to work. samba-tool user setexpiry alters the
"accountExpires" attribute. samba-tool user enable/disable's behavior is
odd. disable appears to add 2 to the current value and enable subtracts 2
from the updated value (only if it's been disabled). Like this:

Running the following on my account, in this order:
initial = 512
enable = 512
disable = 514
disable = 514
enable = 512
enable = 512

If I manually set this value to 516 (don't know if that's valid) and run
disable, it gets set to 518.

The account that is set to 528 gets set to 530 when I disable. Enable sets
it back to 528.



On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <ricky...@weaubleau.k12.mo.us> wrote:

> You should be able to use samba-tool user enable Testuser2 or possibly
> samba-tool user setexpiry (add a --help for more info on how to use it).
>
> Good luck,
> Ricky

Michael Wood

Feb 12, 2013, 11:20:02 AM
Hi

On 12 February 2013 16:03, Thomas Simmons <tws...@gmail.com> wrote:
> Hello Ricky,
>
> These do not seem to work. samba-tool user setexpiry alters the
> "accountExpires" attribute. samba-tool user enable/disable's behavior is
> odd. disable appears to add 2 to the current value and enable subtracts 2
> from the updated value (only if it's been disabled). Like this:
>
> Running the following on my account, in this order:
> initial = 512
> enable = 512
> disable = 514
> disable = 514
> enable = 512
> enable = 512
>
> If I manually set this value to 516 (don't know if that's valid) and run
> disable, it gets set to 518.
>
> The account that is set to 528 gets set to 530 when I disable. Enable sets
> it back to 528.

I'm sure it's a bitmask and disable/enable just set/clear the second bit:

512 = 0000001000000000
514 = 0000001000000010
516 = 0000001000000100
518 = 0000001000000110
528 = 0000001000010000
530 = 0000001000010010

So you have the 5th bit set. I don't know what that means, but
clearly that's the problem.

A google search for "userAccountControl bitmask" turns up this:

http://support.microsoft.com/kb/305144

which says that bit means PASSWD_NOTREQD. (The other one is NORMAL_ACCOUNT).

I'm not sure why that should cause a problem though.
Michael Wood <esio...@gmail.com>

Thomas Simmons

Feb 12, 2013, 11:40:03 AM
The way I understand it, 512 is "normal account" (my account is set to this
and is fine). 16 is "locked out". 512+16=528, so 528 is a normal account,
that is locked out. 2 is "disabled" and if I disable my account, it adds 2
(514). The real problem is that I cannot find a way to change this back to
512 without manually altering the value in LDAP. I believe this may be a
bug - there should be some way to do this via RSAT or samba-tool
(preferably both). I just ran an ldapsearch and see I have 4 accounts out
of ~300 that have this attribute set to 528 - possibly something left over
from S3 or the migration process? I also had a few accounts with values
other than 512. A few were 6XXXXX - which appears to be correct as these
accounts are set to "never expire". In any event, thank you.
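As an added worked example (not code from this thread, from Samba, or from the Microsoft article), the Python below decodes the userAccountControl bitmask that the last few messages reason about by hand, and models the samba-tool behaviour Thomas observed: enable/disable clear or set only ACCOUNTDISABLE (2), so a value of 528 goes to 530 and back to 528 while LOCKOUT (16) is never touched. The flag values are the documented ones from KB 305144; the DN is taken from the ldapsearch output earlier in the thread; the sample values 512, 514, 528, 530 and 66048 (a "never expires" account, 512 + 65536) are the ones discussed above. The LDAP bitwise-AND matching rule OID 1.2.840.113556.1.4.803 used in the search filter is an assumption that the directory supports it, as Active Directory and Samba AD do. unlock_ldif() produces the same single-attribute change that the RSAT Attribute Editor applies by hand.

```python
"""Decode and edit an AD userAccountControl value.

Added example: not from the samba list thread or the Samba project.
Flag bits are the documented values from Microsoft KB 305144; sample
values are those reported in the thread (512, 514, 528, 530, 66048).
"""

# userAccountControl flag bits, as listed in KB 305144.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

ACCOUNTDISABLE = NAME_TO_BIT["ACCOUNTDISABLE"]  # 2
LOCKOUT = NAME_TO_BIT["LOCKOUT"]                # 16

# Assumption: the DC supports the LDAP_MATCHING_RULE_BIT_AND extended match
# (1.2.840.113556.1.4.803), as AD and Samba AD do. Finds every user object
# with the LOCKOUT bit set, regardless of the other flags.
LOCKED_ACCOUNTS_FILTER = (
    "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=%d))" % LOCKOUT
)


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first.
    Unknown bits are reported in hex rather than silently dropped."""
    names = []
    for shift in range(32):
        mask = 1 << shift
        if value & mask:
            names.append(UAC_FLAGS.get(mask, "UNKNOWN_0x%08X" % mask))
    return names


def set_flag(value, flag):
    """Set one flag; idempotent. `samba-tool user disable` does this with ACCOUNTDISABLE."""
    return value | flag


def clear_flag(value, flag):
    """Clear one flag; idempotent. `samba-tool user enable` does this with ACCOUNTDISABLE."""
    return value & ~flag


def unlock_ldif(dn, current_uac):
    """LDIF for ldbmodify/ldapmodify that clears only the LOCKOUT bit.
    Returns None when the account is not locked, so nothing is written."""
    if not current_uac & LOCKOUT:
        return None
    new_uac = clear_flag(current_uac, LOCKOUT)
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: userAccountControl",
        "userAccountControl: %d" % new_uac,
        "",
    ])


if __name__ == "__main__":
    for v in (512, 514, 528, 530, 66048):
        print("%6d = %s" % (v, " | ".join(decode_uac(v))))

    # The sequence observed in the thread on the stuck account: disable then
    # enable only toggles bit 2; bit 16 survives both operations.
    uac = 528
    uac = set_flag(uac, ACCOUNTDISABLE)    # 530
    uac = clear_flag(uac, ACCOUNTDISABLE)  # 528, still locked
    print(unlock_ldif("CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com", uac))
    print(LOCKED_ACCOUNTS_FILTER)
```

The LDIF it prints can be fed to ldbmodify against the DC's sam.ldb (the path is site-specific) or to ldapmodify over LDAP; because it uses `replace` with the full recomputed value rather than writing a constant 512, accounts that legitimately carry other bits such as DONT_EXPIRE_PASSWORD keep them.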

Thomas Simmons

Feb 12, 2013, 4:10:01 PM
I figured out a way to correct this via RSAT, though I still think there
is a problem - I'm sure checking "Unlock Account" should, well, unlock the
account. Anyhow, in RSAT, if you select "View" > "Advanced Features", you
will get an "Attribute Editor" tab in each user's properties. You can then
alter the userAccountControl attribute. It even shows 528 as (LOCKOUT |
NORMAL_ACCOUNT).

Michael Wood

Feb 13, 2013, 1:30:01 AM
I meant to send this to the list, but my phone had other ideas:

Ah you are right that it means LOCKOUT. I didn't notice that the
article skipped 4 for some reason and went straight to 8. That makes
much more sense. If samba-tool does not currently support toggling
that bit it should be very easy to enhance based on the disable/enable
code, but I am convinced the Windows tools will be able to do it too.

Michael Wood

Feb 13, 2013, 1:30:02 AM
On 12 February 2013 23:03, Thomas Simmons <tws...@gmail.com> wrote:
>
> I figured out a way to correct this via RSAT, though I still think there is
> a problem - I'm sure checking "Unlock Account" should, well, unlock the
> account. Anyhow, In RSAT, if you select "View" > "Advanced Features", you
> will get an "Attribute Editor" tab in each user's properties. You can then
> alter the userAccountControl attribute. It even shows 528 as (LOCKOUT |
> NORMAL_ACCOUNT).

If "Unlock Account" does not do the right thing you should probably
create a bug report in bugzilla with the details.

e.g.:

* What is userAccountControl set to initially?

* Can you log in? What errors do you get?

* What you do to "unlock" the account?

* What is userAccountControl set to now?

* Can you log in? What errors do you get?

etc.

--
Michael Wood <esio...@gmail.com>

Ricky Nance

Mar 16, 2013, 12:10:02 PM
You should be able to use samba-tool user enable Testuser2 or possibly
samba-tool user setexpiry (add a --help for more info on how to use it).

Good luck,
Ricky


On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <tws...@gmail.com> wrote:
