Tide
2013-May-28 02:32 UTC
[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"
We have a third-party mail system which can write/read accounts to/from AD using the ldaps protocol; it works fine with Active Directory on Windows Server 2003.

When I test the mail system with a samba4 DC, I can't disable a user from the mail system, because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to the userAccountControl field of AD/samba4, and samldb returns an "Unrecognized account type" error.

Is this expected behaviour or a possible bug?

# test from command line
ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
# then change userAccountControl to 8388610, save, quit editor
Andrew Bartlett
2013-May-28 02:50 UTC
On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
> We have a third-party mail system which can write/read accounts to/from AD using the ldaps protocol; it works fine with Active Directory on Windows Server 2003.
>
> When I test the mail system with a samba4 DC, I can't disable a user from the mail system, because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to the userAccountControl field of AD/samba4, and samldb returns an "Unrecognized account type" error.
>
> Is this expected behaviour or a possible bug?
>
> # test from command line
> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
> # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.

We need to know what the value becomes after you do this against Windows, then we need the tests updated to cover this case. Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Tide
2013-May-28 07:56 UTC
The userAccountControl value becomes 0x202 (514) after 0x800002 was written to Active Directory on Windows Server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.

---------------- Original ------------------
From: "Andrew Bartlett"<abartlet at samba.org>;
Date: Tue, May 28, 2013 10:50 AM
To: "Tide"<lovetide at qq.com>;
Cc: "samba"<samba at lists.samba.org>;
Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
> We have a third-party mail system which can write/read accounts to/from AD using the ldaps protocol; it works fine with Active Directory on Windows Server 2003.
>
> When I test the mail system with a samba4 DC, I can't disable a user from the mail system, because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to the userAccountControl field of AD/samba4, and samldb returns an "Unrecognized account type" error.
>
> Is this expected behaviour or a possible bug?
>
> # test from command line
> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
> # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.

We need to know what the value becomes after you do this against Windows, then we need the tests updated to cover this case. Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Tide
2013-Jun-05 05:16 UTC
Yes, it fixed it, the user can be disabled from the mail system now (although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch)).

Thank you guys!

------------------ Original ------------------
From: "Andrew Bartlett"<abartlet at samba.org>;
Date: Wed, Jun 5, 2013 07:34 AM
To: "Matthias Dieter Wallnöfer"<mdw at samba.org>; "Tide"<lovetide at qq.com>;
Cc: "samba"<samba at lists.samba.org>; "samba-technical"<samba-technical at samba.org>;
Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> please have a look at my "uac" branch - in particular to commit
> b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks, I'll autobuild those!

Tide,

Just to be doubly sure, can you confirm the attached patches fix your issue?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
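
The three values compared in this thread (0x800002 as written, 0x202 as stored by Windows Server 2003, 0x800202 with the patch) can be decoded and reproduced with the following added example, which is not part of the original messages and is not Samba's samldb code. The function names and the `strip` parameter are assumptions made for illustration; the flag values are the standard userAccountControl bits.

```python
# Added example: models the results reported in this thread, not Samba's samldb code.
# Names follow the Windows SDK; the thread writes UF_ACCOUNTDISABLED and
# UF_PASSWORDEXPIRED for UF_ACCOUNTDISABLE and UF_PASSWORD_EXPIRED.
UF_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00800000: "UF_PASSWORD_EXPIRED",
}
UF_NORMAL_ACCOUNT = 0x200
UF_PASSWORD_EXPIRED = 0x800000
# Bits that state the kind of account. The failing value 0x800002 sets none of them.
UF_ACCOUNT_TYPE_MASK = 0x100 | 0x200 | 0x800 | 0x1000 | 0x2000


def decode(uac):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(UF_FLAGS)  # bits this table does not name
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def imply_account_type(uac, strip=0):
    """Add UF_NORMAL_ACCOUNT when no account-type bit is set, then clear `strip`.

    strip=0 reproduces the patched Samba result reported above; passing
    strip=UF_PASSWORD_EXPIRED reproduces the value Tide saw on Windows 2003.
    """
    if not uac & UF_ACCOUNT_TYPE_MASK:
        uac |= UF_NORMAL_ACCOUNT
    return uac & ~strip


if __name__ == "__main__":
    written = 0x800002  # value the mail system writes
    for label, value in [
        ("written", written),
        ("patched Samba", imply_account_type(written)),
        ("Windows 2003", imply_account_type(written, strip=UF_PASSWORD_EXPIRED)),
    ]:
        print(f"{label:14} 0x{value:06x} {' | '.join(decode(value))}")
```

An account that already carries a type bit, such as a disabled workstation trust account (0x1002), passes through unchanged.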