I meant to send this to the list, but my phone had other ideas:

Ah you are right that it means LOCKOUT. I didn't notice that the
article skipped 4 for some reason and went straight to 8. That makes
much more sense. If samba-tool does not currently support toggling
that bit it should be very easy to enhance based on the disable/enable
code, but I am convinced the Windows tools will be able to do it too.

On 12 February 2013 18:30, Thomas Simmons <twsn...@gmail.com> wrote:

> The way I understand it, 512 is "normal account" (my account is set to
> this and is fine). 16 is "locked out". 512+16=528, so 528 is a normal
> account, that is locked out. 2 is "disabled" and if I disable my account,
> it adds 2 (514). The real problem is that I cannot find a way to change
> this back to 512 without manually altering the value in LDAP. I believe
> this may be a bug - there should be some way to do this via RSAT or
> samba-tool (preferably both). I just ran an ldapsearch and see I have 4
> accounts out of ~300 that have this attribute set to 528 - possibly
> something left over from S3 or the migration process? I also had a few
> accounts with values other than 512. A few were 6XXXXX - which appears to
> be correct as these accounts are set to "never expire". In any event, thank
> you.
> On Tue, Feb 12, 2013 at 11:16 AM, Michael Wood <esiot...@gmail.com> wrote:
>> Hi
>> On 12 February 2013 16:03, Thomas Simmons <twsn...@gmail.com> wrote:
>> > Hello Ricky,
>> >
>> > These do not seem to work. samba-tool user setexpiry alters the
>> > "accountExpires" attribute. samba-tool user enable/disable's behavior is
>> > odd. disable appears to add 2 to the current value and enable subtracts 2
>> > from the updated value (only if it's been disabled). Like this:
>> >
>> > Running the following on my account, in this order:
>> > initial = 512
>> > enable =  512
>> > disable = 514
>> > disable = 514
>> > enable = 512
>> > enable = 512
>> >
>> > If I manually set this value to 516 (don't know if that's valid) and run
>> > disable, it gets set to 518.
>> >
>> > The account that is set to 528 gets set to 530 when I disable. Enable sets
>> > it back to 528.
>> I'm sure it's a bitmask and disable/enable just set/clear the second bit:
>> 512 = 0000001000000000
>> 514 = 0000001000000010
>> 516 = 0000001000000100
>> 518 = 0000001000000110
>> 528 = 0000001000010000
>> 530 = 0000001000010010
>> So you have the 5th bit set.  I don't know what that means, but
>> clearly that's the problem.
>> A google search for "userAccountControl bitmask" turns up this:
>> http://support.microsoft.com/kb/305144
>> which says that bit means PASSWD_NOTREQD.  (The other one is
>> I'm not sure why that should cause a problem though.
>> > On Tue, Feb 12, 2013 at 8:27 AM, Ricky Nance <ricky.na...@weaubleau.k12.mo.us> wrote:
>> >
>> >> You should be able to use samba-tool user enable Testuser2 or possibly
>> >> samba-tool user setexpiry (add a --help for more info on how to use it).
>> >>
>> >> Good luck,
>> >> Ricky
>> >>
>> >>
>> >> On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons <twsn...@gmail.com> wrote:
>> >>
>> >>> On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsn...@gmail.com> wrote:
>> >>>
>> >>> > I have come across a few accounts (out of 300+) that seem to be locked
>> >>> > that will not unlock. These accounts were migrated from S3. Can someone
>> >>> > advise - what am I missing here?
>> >>> >
>> >>> > I've reset the password several times via RSAT, checking the "Unlock
>> >>> > Account" checkbox, which has not helped. Resetting the user's password via
>> >>> > smbpasswd gives me:
>> >>> >
>> >>> > pdb_try_account_unlock: Account dmscott administratively locked out with
>> >>> > no bad password time. Leaving locked out.
>> >>> >
>> >>> > When attempting to login to WinXP, Windows states the account is locked
>> >>> > out and log.samba shows:
>> >>> >
>> >>> >   Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using arcfour-hmac-md5
>> >>> > [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
>> >>> >   authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
>> >>> > [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
>> >>> >   authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
>> >>> >
>> >>> > Here is an ldapsearch output. I'm not seeing where/why this account is
>> >>> > locked.
>> >>> >
>> >>> > # extended LDIF
>> >>> > #
>> >>> > # LDAPv3
>> >>> > # base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
>> >>> > # filter: sAMAccountName=dmscott
>> >>> > # requesting: ALL
>> >>> > #
>> >>> >
>> >>> > # Duser M. Scott, Users, internal.domain.com
>> >>> > dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> >>> > instanceType: 4
>> >>> > whenCreated: 20121229150147.0Z
>> >>> > uSNCreated: 4317
>> >>> > objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
>> >>> > badPwdCount: 0
>> >>> > codePage: 0
>> >>> > countryCode: 0
>> >>> > badPasswordTime: 0
>> >>> > lastLogoff: 0
>> >>> > lastLogon: 0
>> >>> > primaryGroupID: 513
>> >>> > objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA==
>> >>> > logonCount: 0
>> >>> > sAMAccountName: dmscott
>> >>> > sAMAccountType: 805306368
>> >>> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
>> >>> > logonHours:: ////////////////////////////
>> >>> > uidNumber: 1436
>> >>> > objectClass: top
>> >>> > objectClass: posixAccount
>> >>> > objectClass: person
>> >>> > objectClass: organizationalPerson
>> >>> > objectClass: user
>> >>> > unixHomeDirectory: /home/dmscott
>> >>> > gidNumber: 513
>> >>> > msSFU30NisDomain: domain
>> >>> > memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
>> >>> > mail: duser.m.sc...@domain.com
>> >>> > userPrincipalName: dmsc...@internal.domain.com
>> >>> > givenName: Duser
>> >>> > initials: M
>> >>> > sn: Scott
>> >>> > displayName: Duser M. Scott
>> >>> > cn: Duser M. Scott
>> >>> > name: Duser M. Scott
>> >>> > scriptPath: GCS.cmd
>> >>> > lockoutTime: 0
>> >>> > loginShell: /bin/bash
>> >>> > msDS-SupportedEncryptionTypes: 0
>> >>> > userAccountControl: 528
>> >>> > accountExpires: 0
>> >>> > pwdLastSet: 130050989060000000
>> >>> > userParameters:
>> >>> > whenChanged: 20130211233014.0Z
>> >>> > uSNChanged: 8816
>> >>> > distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
>> >>> >
>> >>> > # search result
>> >>> > search: 2
>> >>> > result: 0 Success
>> >>> >
>> >>> > # numResponses: 2
>> >>> > # numEntries: 1
>> >>> >
>> >>>
>> >>> It seems that the problem for this user is the userAccountControl attribute
>> >>> having a value of 528 locks the account. Changing it to 512 (what most
>> >>> users are set to) unlocks the account. Is there any way to do this without
>> >>> directly modifying the LDAP entry?
>> >>>
>> --
>> Michael Wood <esiot...@gmail.com>

Michael Wood <esiot...@gmail.com>
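Added example, not code from this thread or from Samba: a small Python decoder for the userAccountControl bitmask discussed above, with the bit-only enable/disable behaviour Michael describes, a "clear only LOCKOUT" helper (528 -> 512), and a scan over ldapsearch LDIF output that lists entries still carrying the LOCKOUT bit. The LDIF sample and account names are constructed.

```python
import re

# Flag values from the KB article cited above (http://support.microsoft.com/kb/305144);
# note the gap at 4: 16 is LOCKOUT, 32 is PASSWD_NOTREQD.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE, LOCKOUT = 0x0002, 0x0010

def decode_uac(value: int) -> list[str]:
    """Name every set bit; bits outside the table are reported in hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    return names + ([f"UNKNOWN_0x{leftover:X}"] if leftover else [])

def set_disabled(value: int, disabled: bool) -> int:
    """samba-tool user disable/enable as observed above: only bit 2 changes."""
    return (value | ACCOUNTDISABLE) if disabled else (value & ~ACCOUNTDISABLE)

def clear_lockout(value: int) -> int:
    """Clear only the LOCKOUT bit and keep every other flag (528 -> 512)."""
    return value & ~LOCKOUT

def parse_ldif_uac(ldif: str) -> dict[str, int]:
    """Map sAMAccountName -> userAccountControl for every entry in an LDIF dump."""
    result = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(re.findall(r"^(sAMAccountName|userAccountControl): (\S+)$", entry, re.M))
        if "sAMAccountName" in attrs and "userAccountControl" in attrs:
            result[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return result

def find_locked(accounts: dict[str, int]) -> list[str]:
    """Accounts Samba will refuse as locked out even with lockoutTime: 0."""
    return sorted(name for name, uac in accounts.items() if uac & LOCKOUT)

# Constructed sample shaped like the ldapsearch output quoted in the thread.
SAMPLE_LDIF = (
    "dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com\n"
    "sAMAccountName: dmscott\nlockoutTime: 0\nuserAccountControl: 528\n\n"
    "dn: CN=Other User,CN=Users,DC=internal,DC=domain,DC=com\n"
    "sAMAccountName: other\nuserAccountControl: 66048\n"
)
LOCKED = find_locked(parse_ldif_uac(SAMPLE_LDIF))  # -> ["dmscott"]
```

Running it over a real `ldapsearch` dump gives the list of migrated accounts that need the LOCKOUT bit cleared rather than toggled with enable/disable.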