
[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"


Tide

May 27, 2013, 10:50:02 PM
We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003.

When I test the mail system with samba4 DC, I can't disable a user from the mail system, because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to the userAccountControl field of AD/samba4, and samldb returns an "Unrecognized account type" error.

Is this expected behaviour or a possible bug?

# test from command line
ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
# then change userAccountControl to 8388610, save, quit editor
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

May 27, 2013, 11:00:02 PM
On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
> We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003.
>
> When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system write 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns "Unrecognized account type" error.
>
> Is this expected behaviour or a possible bug?
>
> # test from command line
> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
> # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.
We need to know what the value becomes after you do this against
Windows, and then we need the tests updated to cover this case.

Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Tide

May 28, 2013, 4:10:01 AM
The userAccountControl value becomes 0x202 (514) after 0x800002 was written to Active Directory on Windows Server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.

---------------- Original ------------------
From: "Andrew Bartlett"<abar...@samba.org>;
Date: Tue, May 28, 2013 10:50 AM
To: "Tide"<love...@qq.com>;
Cc: "samba"<sa...@lists.samba.org>;
Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

Andrew Bartlett

May 28, 2013, 7:50:02 PM
Matthias,

Any chance you can look into this for me?

Thanks,

Matthias Dieter Wallnöfer

Jun 2, 2013, 8:40:01 PM
Hi Andrew,

please have a look at my "uac" branch - in particular to commit
b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks,
Matthias

Andrew Bartlett wrote:

Andrew Bartlett

Jun 4, 2013, 7:40:02 PM
On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> please have a look at my "uac" branch - in particular to commit
> b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks, I'll autobuild those!

Tide,

Just to be doubly sure, can you confirm the attached patches fix your
issue?
0001-s4-samldb-LDB-module-userAccountControl-0-means-UF_N.patch
0002-s4-samldb-LDB-module-permit-userAccountControl-modif.patch

Tide

Jun 5, 2013, 1:20:02 AM
Yes, it fixed it, user can be disabled from mail system now ( although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch) ).

Thank you guys!

------------------ Original ------------------
From: "Andrew Bartlett"<abar...@samba.org>;
Date: Wed, Jun 5, 2013 07:34 AM
To: "Matthias Dieter Wallnöfe"<m...@samba.org>; "Tide"<love...@qq.com>;
Cc: "samba"<sa...@lists.samba.org>; "samba-technical"<samba-t...@samba.org>;
Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"
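
Added example, not part of the thread or of Samba's code: a small decoder for the userAccountControl values reported above, showing why a "disabled" check should test the 0x2 bit rather than compare against 514, since the same write is stored as 0x202 on Windows Server 2003 and as 0x800202 with the patch. The function names and the drop_password_expired switch are assumptions made for illustration; the bit values are the documented UF_* constants.

```python
# Added example. The thread spells the first and last flag below as
# UF_ACCOUNTDISABLED and UF_PASSWORDEXPIRED.
UF_ACCOUNTDISABLE = 0x00000002
UF_TEMP_DUPLICATE_ACCOUNT = 0x00000100
UF_NORMAL_ACCOUNT = 0x00000200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_PASSWORD_EXPIRED = 0x00800000

# Bits that say what kind of account this is; 0x800002 sets none of them.
ACCOUNT_TYPE_MASK = (UF_TEMP_DUPLICATE_ACCOUNT | UF_NORMAL_ACCOUNT |
                     UF_INTERDOMAIN_TRUST_ACCOUNT |
                     UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)

FLAG_NAMES = {v: k for k, v in list(globals().items())
              if k.startswith("UF_") and isinstance(v, int)}


def decode(uac):
    """Return the names of the known bits set in uac, lowest bit first."""
    names = [FLAG_NAMES[bit] for bit in sorted(FLAG_NAMES) if uac & bit]
    unknown = uac & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def stored_value(written, drop_password_expired):
    """Model (assumption) of the stored value the thread reports.

    UF_NORMAL_ACCOUNT is implied when no account-type bit is written.
    drop_password_expired=True reproduces the Windows Server 2003 result
    (0x800002 -> 0x202); False reproduces the patched Samba result
    (0x800002 -> 0x800202).
    """
    value = written
    if not value & ACCOUNT_TYPE_MASK:
        value |= UF_NORMAL_ACCOUNT
    if drop_password_expired:
        value &= ~UF_PASSWORD_EXPIRED
    return value


def is_disabled(uac):
    """Bit test that gives the same answer for 0x202 and 0x800202."""
    return bool(uac & UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    for drop in (True, False):
        v = stored_value(0x800002, drop)
        print(hex(v), decode(v), "disabled" if is_disabled(v) else "enabled")
```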


Andrew Bartlett

Jun 5, 2013, 1:30:01 AM
On Wed, 2013-06-05 at 13:16 +0800, Tide wrote:
> Yes, it fixed it, user can be disabled from mail system now ( although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch) ).
>
> Thank you guys!

Thanks, that's in master now.

Matthias,

Can you look into the 0x800000 bit?

Matthias Dieter Wallnöfer

Jun 9, 2013, 5:10:02 PM
Hi Andrew,

please have a look at the two top-most patches in my "master" branch.

Matthias

Andrew Bartlett wrote:
> On Wed, 2013-06-05 at 13:16 +0800, Tide wrote:
>> Yes, it fixed it, user can be disabled from mail system now ( although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch) ).
>>
>> Thank you guys!
> Thanks, that's in master now.
>
> Matthias,
>
> Can you look into the 0x800000 bit?
>
> Thanks,
>
> Andrew Bartlett
>

--

Andrew Bartlett

Jun 10, 2013, 12:00:02 AM
On Sun, 2013-06-09 at 11:41 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> please have a look at the two top-most patches in my "master" branch.
>
> Matthias

These look good, I'm autobuilding these now!

Thanks,

Andrew Bartlett


--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
