I have come across a few accounts (out of 300+) that seem to be locked that will not unlock. These accounts were migrated from S3. Can someone advise - what am I missing here?

I've reset the password several times via RSAT, checking the "Unlock Account" checkbox, which has not helped. Resetting the user's password via smbpasswd gives me:

pdb_try_account_unlock: Account dmscott administratively locked out with no bad password time. Leaving locked out.

When attempting to login to WinXP, Windows states the account is locked out and log.samba shows:

Kerberos: ENC-TS Pre-authentication succeeded -- dmscott at DOMAIN using arcfour-hmac-md5
[2013/02/11 18:37:40, 4] ../source4/auth/sam.c:170(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user dmscott at DOMAIN
[2013/02/11 18:37:40, 2] ../source4/auth/sam.c:191(authsam_account_ok)
  authsam_account_ok: Account for user dmscott at DOMAIN was locked out.

Here is an ldapsearch output. I'm not seeing where/why this account is locked.

# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=internal,dc=domain,dc=com> with scope subtree
# filter: sAMAccountName=dmscott
# requesting: ALL
#

# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
instanceType: 4
whenCreated: 20121229150147.0Z
uSNCreated: 4317
objectGUID:: sQU6/um9x0+gN2VOHTpmbw=
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/+1+4rRK5lRjK88/Q4AAA=
logonCount: 0
sAMAccountName: dmscott
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=com
logonHours:: ////////////////////////////
uidNumber: 1436
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/dmscott
gidNumber: 513
msSFU30NisDomain: domain
memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
mail: Duser.m.scott at domain.com
userPrincipalName: dmscott at internal.domain.com
givenName: Duser
initials: M
sn: Scott
displayName: Duser M. Scott
cn: Duser M. Scott
name: Duser M. Scott
scriptPath: GCS.cmd
lockoutTime: 0
loginShell: /bin/bash
msDS-SupportedEncryptionTypes: 0
userAccountControl: 528
accountExpires: 0
pwdLastSet: 130050989060000000
userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
 AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
 BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
 YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
 HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA
whenChanged: 20130211233014.0Z
uSNChanged: 8816
distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I'm forwarding this to the technical list. I can fix this by deleting and recreating the account, however I'd like to understand why this is happening.
On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons <twsnnva at gmail.com> wrote:

It seems that the problem for this user is that the userAccountControl attribute having a value of 528 locks the account. Changing it to 512 (what most users are set to) unlocks the account.
Is there any way to do this without directly modifying the LDAP entry?
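Added example (not code from the thread or from Samba): 528 is the documented NORMAL_ACCOUNT bit (512) plus the LOCKOUT bit (16), so the script below decodes those flags from a constructed, shortened copy of the quoted entry, reports a lockout bit set while lockoutTime and badPwdCount are both 0, and emits an LDIF modify that clears only that bit. The flag values are the standard userAccountControl bits; the LDIF parser is minimal and skips base64 and folded lines.

```python
# Decode userAccountControl bits and spot lockouts left behind by a migration.
# Added example for this thread, not Samba project code. Bit values are the
# documented userAccountControl flags; SAMPLE_LDIF is a constructed, shortened
# copy of the dmscott entry quoted in the thread.
import re

UAC_FLAGS = {            # documented userAccountControl bits (relevant subset)
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
LOCKOUT = 0x0010

SAMPLE_LDIF = """\
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
badPwdCount: 0
badPasswordTime: 0
lockoutTime: 0
userAccountControl: 528
"""

def parse_ldif(text):
    """Minimal single-entry parser: keeps 'attr: value' lines only, so base64
    ('attr:: ...') and folded continuation lines are skipped."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*): (.*)$", line)
        if m:
            entry[m.group(1)] = m.group(2)
    return entry

def decode_uac(value):
    """Names of the bits set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def stale_lockout(entry):
    """LOCKOUT set although lockoutTime and badPwdCount are both 0: the state
    behind Samba's 'administratively locked out with no bad password time'."""
    uac = int(entry["userAccountControl"])
    return (bool(uac & LOCKOUT) and entry.get("lockoutTime") == "0"
            and entry.get("badPwdCount") == "0")

def unlock_ldif(entry):
    """LDIF modify clearing only the LOCKOUT bit (528 -> 512 here), all else kept."""
    uac = int(entry["userAccountControl"]) & ~LOCKOUT
    return (f"dn: {entry['dn']}\nchangetype: modify\n"
            f"replace: userAccountControl\nuserAccountControl: {uac}\n-\n")
```

Feeding real ldapsearch output to parse_ldif, stale_lockout(e) picks out entries in this state and unlock_ldif(e) produces the 528 to 512 change the reply describes, without touching any other flag.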