
[Samba] Unlock domain user


Anderson Hoffmann do Carmo

Aug 1, 2016, 12:50:03 PM
Hi all!

It's a simple question, but I did not find the answer!
How do I unlock a domain user after the account has been blocked by a wrong password?
How can I do this with samba-tool or any other tool in Linux_AD?
Or is this possible only with the Windows RSAT_Tool?


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |

Rowland penny

Aug 1, 2016, 1:00:03 PM
On 01/08/16 17:40, Anderson Hoffmann do Carmo wrote:
> Hi all!
>
> It's a simple question, but I did not find the answer!
> How do I unlock a domain user after the account has been blocked by a wrong password?
> How can I do this with samba-tool or any other tool in Linux_AD?
> Or is this possible only with the Windows RSAT_Tool?
>
>
> Anderson Hoffmann do Carmo
> MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
> ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |


Try 'samba-tool user enable <username>'

Rowland

Anderson Hoffmann do Carmo

Aug 1, 2016, 1:10:03 PM
Hi Rowland.

The command (samba-tool user enable 'user') is used to enable a user
account that has been disabled in AD, but it is not functional to unlock a
user account that has been locked by wrong password.


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |


Rowland penny

Aug 1, 2016, 1:40:03 PM
On 01/08/16 18:04, Anderson Hoffmann do Carmo wrote:
> Hi Rowland.
>
> The command (samba-tool user enable 'user') is used to enable a user
> account that has been disabled in AD, but it is not functional to unlock a
> user account that has been locked by wrong password.
>
>
>

I sort of thought it wouldn't, having never had to unlock a user for
this, I hoped it would, let me look into this and get back to you.

Rowland penny

Aug 1, 2016, 3:00:03 PM
On 01/08/16 18:27, Rowland penny wrote:
> On 01/08/16 18:04, Anderson Hoffmann do Carmo wrote:
>> Hi Rowland.
>>
>> The command (samba-tool user enable 'user') is used to enable a user
>> account that has been disabled in AD, but it is not functional to
>> unlock a user account that has been locked by wrong password.
>>
>>
>>
>
> I sort of thought it wouldn't, having never had to unlock a user for
> this, I hoped it would, let me look into this and get back to you.
>
>
> Rowland
>
>
>

OK, this is a bit more complex than I thought, but I think it boils down
to an attribute being created with the time the account was locked.

Can you try running the following on your Samba DC:

ldbsearch -H /usr/local/samba/private/sam.ldb \
    -b "dc=samdom,dc=example,dc=com" -s sub \
    '(&(objectclass=user)(samaccountname=rowland))' lockoutTime

You may have to install ldb-tools, you also will probably have to change
the paths etc.

If you get any output, can you please post the result.

Dante F. B. Colò

Aug 1, 2016, 3:30:02 PM
Type the command pdbedit -Lvu username. What does it show in the Account Flags field?

Anderson Hoffmann do Carmo

Aug 1, 2016, 3:40:02 PM
Hi Dante!

Command Output: (the user1 is locked at this moment)

root@gteste2:~#
root@gteste2:~# pdbedit -Lvu user1
Unix username: user1
NT username:
Account Flags: [UL ]
User SID: S-1-5-21-4156723526-836881587-1255597539-1106
Primary Group SID: S-1-5-21-4156723526-836881587-1255597539-513
Full Name: user1
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time: Mon, 01 Aug 2016 15:26:06 BRT
Logoff time: never
Kickoff time: Wed, 13 Sep 30828 23:48:05 BRT
Password last set: Mon, 01 Aug 2016 15:25:54 BRT
Password can change: Mon, 01 Aug 2016 15:25:54 BRT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root@gteste2:~#




Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |



Anderson Hoffmann do Carmo

Aug 1, 2016, 3:40:03 PM
I executed the command in two scenarios.

Account 'user1' unlocked:

root@gteste2:~#
root@gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=testead,dc=gsurfnet,dc=com" -s sub '(&(objectclass=user)(samaccountname=user1))' lockoutTime
# record 1
dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 0

# Referral
ref: ldap://testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com

# returned 4 records
# 1 entries
# 3 referrals
root@gteste2:~#

Account 'user1' locked by wrong password:


root@gteste2:~#
root@gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=testead,dc=gsurfnet,dc=com" -s sub '(&(objectclass=user)(samaccountname=user1))' lockoutTime
# record 1
dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 131145529963563450

# Referral
ref: ldap://testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com

# returned 4 records
# 1 entries
# 3 referrals
root@gteste2:~#



Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |



Rowland penny

Aug 1, 2016, 3:50:03 PM
From what I understand, to unlock the second user (user1) the contents
of 'lockoutTime' need to be set to '0'.

Can you test this, either with ldbmodify or ldbedit?
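
Added example, not part of the thread and not Samba project code: it reads lockoutTime from ldbsearch output, decodes it as a Windows FILETIME, and builds the LDIF that ldbmodify would need to set it to 0, as suggested above. The function names are hypothetical, the sample is the ldbsearch output posted for the locked 'user1', and the thread does not report the result of the lockoutTime test.

```shell
#!/usr/bin/env bash
# Sample input: ldbsearch output for the locked account, as posted in the thread.
SAMPLE_LOCKED='# record 1
dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 131145529963563450
'

# Print the value of one attribute from ldbsearch/LDIF text on stdin.
# Base64-encoded values ("attr:: ...") do not match and yield an empty result.
ldif_attr() {
    awk -v key="$1" -F': ' '$1 == key { print substr($0, length(key) + 3); exit }'
}

# lockoutTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# 11644473600 is the number of seconds between 1601-01-01 and 1970-01-01.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Report "unlocked" or "locked-at-epoch <seconds>" for ldbsearch output on stdin.
lockout_state() {
    local t
    t=$(ldif_attr lockoutTime)
    # An absent attribute or 0 means no lockout is recorded for the account.
    if [ -z "$t" ] || [ "$t" = "0" ]; then
        echo "unlocked"
    else
        echo "locked-at-epoch $(filetime_to_epoch "$t")"
    fi
}

# Emit the LDIF that replaces lockoutTime with 0 for the DN found on stdin.
# Fails without output if no plain-text dn line is present.
unlock_ldif() {
    local dn
    dn=$(ldif_attr dn)
    [ -n "$dn" ] || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n' "$dn"
}

printf '%s' "$SAMPLE_LOCKED" | lockout_state
printf '%s' "$SAMPLE_LOCKED" | unlock_ldif
# On the DC, as root, the LDIF would be applied with (path as used in the thread):
#   ldbsearch ... | unlock_ldif | ldbmodify -H /var/lib/samba/private/sam.ldb
```

The decoded value, 1470079396, is 2016-08-01 19:23:16 UTC, which gives the moment the lockout was recorded and can be matched against authentication logs before the account is unlocked.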

Anderson Hoffmann do Carmo

Aug 1, 2016, 4:00:02 PM
I will test this!

Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |



Kris Lou

Aug 1, 2016, 4:30:04 PM
Back in Samba 3.x (NT-domain), I used to unlock with "pdbedit -c='[]' <user>",
essentially wiping out all Account flags shown by pdbedit -l <user>. I don't
know if it works under AD.

mathias dufresne

Aug 2, 2016, 5:50:03 AM
Plop,

I would have a look at the "userAccountControl" LDAP attribute using ldbedit
rather than pdbedit.

2016-08-01 23:14 GMT+02:00 Miguel Medalha <meda...@sapo.pt>:

> samba-tool user enable [username]

Anderson Hoffmann do Carmo

Aug 2, 2016, 8:00:05 AM
Hi

I can unlock the domain user account successfully with the command below. Test OK!

pdbedit -c='[]' --user=USERNAME


Reference: https://lists.samba.org/archive/samba/2004-April/084774.html


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |


