I'm forwarding this to the technical list. I can fix this by deleting and recreating the account, however I'd like to understand why this is happening.
I have come across a few accounts (out of 300+) that seem to be locked that will not unlock. These accounts were migrated from S3. Can someone advise - what am I missing here? I've reset the password several times via RSAT, checking the "Unlock Account" checkbox, which has not helped. Resetting the user's password via smbpasswd gives me: pdb_try_account_unlock: Account dmscott administratively locked out with no bad password time. Leaving locked out. When attempting to login to WinXP, Windows states the account is locked out and log.samba shows: Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using arcfour-hmac-md5 [2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok) authsam_account_ok: Checking SMB password for user dmscott@DOMAIN [2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok) authsam_account_ok: Account for user dmscott@DOMAIN was locked out. Here is an ldapsearch output. I'm not seeing where/why this account is locked. # extended LDIF # # LDAPv3 # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree # filter: sAMAccountName=dmscott # requesting: ALL # # Duser M. Scott, Users, internal.domain.com dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com instanceType: 4 whenCreated: 20121229150147.0Z uSNCreated: 4317 objectGUID:: sQU6/um9x0+gN2VOHTpmbw== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA== logonCount: 0 sAMAccountName: dmscott sAMAccountType: 805306368 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC =com logonHours:: //////////////////////////// uidNumber: 1436 objectClass: top objectClass: posixAccount objectClass: person objectClass: organizationalPerson objectClass: user unixHomeDirectory: /home/dmscott gidNumber: 513 msSFU30NisDomain: domain memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com mail: duser.m.sc...@domain.com userPrincipalName: dmsc...@internal.domain.com givenName: Duser initials: M sn: Scott displayName: Duser M. Scott cn: Duser M. Scott name: Duser M. Scott scriptPath: GCS.cmd lockoutTime: 0 loginShell: /bin/bash msDS-SupportedEncryptionTypes: 0 userAccountControl: 528 accountExpires: 0 pwdLastSet: 130050989060000000 userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA= whenChanged: 20130211233014.0Z uSNChanged: 8816 distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba