> > On Sat, 3 Jul 2004, Tilo Lutz wrote:
> >
> > > None of my accounts in ldap have set sambaPwdLastSet, even those
> > > accounts which became disabled. If I have understood you right,
> > > samba should not disable the account if the attribute sambaPwdLastSet
> > > is not defined in ldap?

> On Mon, 2004-07-05 at 06:56, Gerald (Jerry) Carter wrote:
>
> > If the attribute is not defined smbd gives it an implicit value of 0.

> Andrew Bartlett wrote:
> If that's what caused the issue, then there is a bug (which I'm happy to
> look into and fix).
>
>     /* only reset a password if the last set time has been
>        explicitly been set to zero. A default last set time
>        is ignored */
>
>     if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT)
>          && (pdb_get_pass_last_set_time(pass) == 0) )
>     {
>
> The intention of the logic was that if the value was undefined in LDAP,
> the flags would be set to PDB_DEFAULT and it would not be treated as
> 'defined as zero' for this test.

I took a closer look at my users:
Here's an ldap record (without password hashes) from Saturday:

dn: uid=alexander-cristea,ou=kl-1g3,ou=people,dc=wms-hn,dc=de
userPassword:: e0NSWVBUfTE3NnUxQzA0ZDhCbG8
shadowLastChange: 11947
sambaPwdLastSet: 1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: top
objectClass: sambaSamAccount
cn: alexander-cristea
sn: alexander-cristea
uid: alexander-cristea
homeDirectory: /home/kl-1g3/alexander-cristea
gecos: "kl-1g3"
loginShell: /bin/sh
shadowMin: 1
shadowMax: 99999
shadowWarning: 14
sambaPwdMustChange: 1800000000
gidNumber: 112
sambaPrimaryGroupSID: S-1-5-21-3371203057-3264423045-2392767973-1225
uidNumber: 5248
sambaSID: S-1-5-21-3371203057-3264423045-2392767973-11496
sambaProfilePath: \\WILMA2\profile
sambaAcctFlags: [UX ]

The same user Monday morning:

# alexander-cristea, kl-1g3, people, wms-hn.de
dn: uid=alexander-cristea,ou=kl-1g3,ou=people,dc=wms-hn,dc=de
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: top
objectClass: sambaSamAccount
cn: alexander-cristea
sn: alexander-cristea
uid: alexander-cristea
homeDirectory: /home/kl-1g3/alexander-cristea
gecos: "kl-1g3"
loginShell: /bin/sh
shadowMin: 1
shadowMax: 99999
shadowWarning: 14
sambaPwdMustChange: 1800000000
gidNumber: 112
sambaPrimaryGroupSID: S-1-5-21-3371203057-3264423045-2392767973-1225
uidNumber: 5248
sambaSID: S-1-5-21-3371203057-3264423045-2392767973-11496
sambaProfilePath: \\WILMA2\profile
sambaAcctFlags: [DUX ]

Again there's no log entry in log.smbd (loglevel 2).
As you can see the account was disabled and sambaPwdLastSet was
removed.

Anything I can do to find the problem? Which loglevel should I
use?

Tilo

Tilo Lutz wrote:

>>>On Sat, 3 Jul 2004, Tilo Lutz wrote:
>>>
>>>>None of my accounts in ldap have set sambaPwdLastSet, even those
>>>>accounts which became disabled. If I have understood you right,
>>>>samba should not disable the account if the attribute sambaPwdLastSet
>>>>is not defined in ldap?
>
>>On Mon, 2004-07-05 at 06:56, Gerald (Jerry) Carter wrote:
>>
>>>If the attribute is not defined smbd gives it an implicit value of 0.
>
>>Andrew Bartlett wrote:
>>If that's what caused the issue, then there is a bug (which I'm happy to
>>look into and fix).
>>
>>    /* only reset a password if the last set time has been
>>       explicitly been set to zero. A default last set time
>>       is ignored */
>>
>>    if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT)
>>         && (pdb_get_pass_last_set_time(pass) == 0) )
>>    {
>>
>>The intention of the logic was that if the value was undefined in LDAP,
>>the flags would be set to PDB_DEFAULT and it would not be treated as
>>'defined as zero' for this test.
>
> I took a closer look at my users:
> Here's an ldap record (without password hashes) from Saturday:
>
> dn: uid=alexander-cristea,ou=kl-1g3,ou=people,dc=wms-hn,dc=de
> userPassword:: e0NSWVBUfTE3NnUxQzA0ZDhCbG8
> shadowLastChange: 11947
> sambaPwdLastSet: 1
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: top
> objectClass: sambaSamAccount
> cn: alexander-cristea
> sn: alexander-cristea
> uid: alexander-cristea
> homeDirectory: /home/kl-1g3/alexander-cristea
> gecos: "kl-1g3"
> loginShell: /bin/sh
> shadowMin: 1
> shadowMax: 99999
> shadowWarning: 14
> sambaPwdMustChange: 1800000000
> gidNumber: 112
> sambaPrimaryGroupSID: S-1-5-21-3371203057-3264423045-2392767973-1225
> uidNumber: 5248
> sambaSID: S-1-5-21-3371203057-3264423045-2392767973-11496
> sambaProfilePath: \\WILMA2\profile
> sambaAcctFlags: [UX ]
>
> The same user Monday morning:
>
> # alexander-cristea, kl-1g3, people, wms-hn.de
> dn: uid=alexander-cristea,ou=kl-1g3,ou=people,dc=wms-hn,dc=de
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: top
> objectClass: sambaSamAccount
> cn: alexander-cristea
> sn: alexander-cristea
> uid: alexander-cristea
> homeDirectory: /home/kl-1g3/alexander-cristea
> gecos: "kl-1g3"
> loginShell: /bin/sh
> shadowMin: 1
> shadowMax: 99999
> shadowWarning: 14
> sambaPwdMustChange: 1800000000
> gidNumber: 112
> sambaPrimaryGroupSID: S-1-5-21-3371203057-3264423045-2392767973-1225
> uidNumber: 5248
> sambaSID: S-1-5-21-3371203057-3264423045-2392767973-11496
> sambaProfilePath: \\WILMA2\profile
> sambaAcctFlags: [DUX ]
>
> Again there's no log entry in log.smbd (loglevel 2).
> As you can see the account was disabled and sambaPwdLastSet was
> removed.
>
> Anything I can do to find the problem? Which loglevel should I
> use?
>
> Tilo

Hi!

I experienced such a problem after I migrated from samba 2.2.8a to samba 3.0.4 with the ldap backend. I found out that if sambaPwdLastSet = 0, the account got disabled upon user connection. The workaround is to manually set sambaPwdLastSet to some real date for all users. Newly created users shouldn't have the problem.
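
An added example, not part of the thread and not Samba code: a small audit of an LDIF export that finds sambaSamAccount entries whose sambaPwdLastSet is 0 or absent, and builds the ldapmodify input for the workaround described in the last reply. The function names, the sample entries and the choice of timestamp are assumptions; "missing" is reported separately from "zero" because the thread leaves open whether an absent attribute is treated as 0.

```python
import time

# Constructed sample export (not from the thread). Folded LDIF lines are skipped.
SAMPLE_LDIF = """\
dn: uid=user-a,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
sambaPwdLastSet: 1088812800

dn: uid=user-b,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
sambaPwdLastSet: 0

dn: uid=user-c,ou=people,dc=example,dc=org
objectClass: sambaSamAccount

dn: uid=user-d,ou=people,dc=example,dc=org
objectClass: posixAccount
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line[:1] in ("#", " ") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit(text):
    """Map DN -> 'zero' or 'missing' for sambaSamAccount entries."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        if "sambasamaccount" not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue
        values = attrs.get("sambapwdlastset")
        if values is None or values[0] == "0":
            findings[dn] = "missing" if values is None else "zero"
    return findings

def fix_ldif(findings, timestamp):
    """Build ldapmodify input setting sambaPwdLastSet to a real Unix time."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: sambaPwdLastSet\n"
        f"sambaPwdLastSet: {timestamp}\n" for dn in findings)

if __name__ == "__main__":
    print(fix_ldif(audit(SAMPLE_LDIF), int(time.time())))
```
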