samba - Aug 2016 - Unlock domain user

On 01/08/16 20:29, Anderson Hoffmann do Carmo wrote:
> I executed the command in two scenarios.
>
> Account 'user1' unlocked:
>
> root at gteste2:~#
> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> "dc=testead,dc=gsurfnet,dc=com" -s sub
> '(&(objectclass=user)(samaccountname=user1))' lockoutTime
> # record 1
> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
> lockoutTime: 0
>
> # Referral
> ref: ldap://
> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com
>
> # Referral
> ref: ldap://
> testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com
>
> # Referral
> ref: ldap://
> testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> root at gteste2:~#
>
> Account 'user1' locked by wrong password:
>
>
> root at gteste2:~#
> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> "dc=testead,dc=gsurfnet,dc=com" -s sub
> '(&(objectclass=user)(samaccountname=user1))' lockoutTime
> # record 1
> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
> lockoutTime: 131145529963563450
>
> # Referral
> ref: ldap://
> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com
>
> # Referral
> ref: ldap://
> testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com
>
> # Referral
> ref: ldap://
> testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> root at gteste2:~#
>
>
>
 From what I understand, to unlock the second user (user1) the contents 
of 'lockoutTime' needs to be set to '0'

Can you test this ? either with ldbmodify or ldbedit

Rowland

I will test this!

Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |



2016-08-01 16:39 GMT-03:00 Rowland penny <rpenny at samba.org>:
> On 01/08/16 20:29, Anderson Hoffmann do Carmo wrote:
>
>> I executed the command in two scenarios.
>>
>> Account 'user1' unlocked:
>>
>> root at gteste2:~#
>> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> "dc=testead,dc=gsurfnet,dc=com" -s sub
>> '(&(objectclass=user)(samaccountname=user1))' lockoutTime
>> # record 1
>> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
>> lockoutTime: 0
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>> root at gteste2:~#
>>
>> Account 'user1' locked by wrong password:
>>
>>
>> root at gteste2:~#
>> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> "dc=testead,dc=gsurfnet,dc=com" -s sub
>> '(&(objectclass=user)(samaccountname=user1))' lockoutTime
>> # record 1
>> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
>> lockoutTime: 131145529963563450
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>> root at gteste2:~#
>>
>>
>>
>>
> From what I understand, to unlock the second user (user1) the contents of
> 'lockoutTime' needs to be set to '0'
>
> Can you test this ? either with ldbmodify or ldbedit
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Back in Samba3.x (NT-domain), I used to unlock with "pdbedit
-c='[]'
<user>", essentially wiping out all Account flags shown by pdbedit -l
<user>.  I don't know if it works under AD.

Hi

I can unlock domain user account successfully with command below. Test OK!

pdbedit -c='[]' --user=USERNAME


Reference: https://lists.samba.org/archive/samba/2004-April/084774.html


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |



2016-08-01 16:39 GMT-03:00 Rowland penny <rpenny at samba.org>:
> On 01/08/16 20:29, Anderson Hoffmann do Carmo wrote:
>
>> I executed the command in two scenarios.
>>
>> Account 'user1' unlocked:
>>
>> root at gteste2:~#
>> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> "dc=testead,dc=gsurfnet,dc=com" -s sub
>> '(&(objectclass=user)(samaccountname=user1))' lockoutTime
>> # record 1
>> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
>> lockoutTime: 0
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>> root at gteste2:~#
>>
>> Account 'user1' locked by wrong password:
>>
>>
>> root at gteste2:~#
>> root at gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> "dc=testead,dc=gsurfnet,dc=com" -s sub
>> '(&(objectclass=user)(samaccountname=user1))' lockoutTime
>> # record 1
>> dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
>> lockoutTime: 131145529963563450
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # Referral
>> ref: ldap://
>> testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>> root at gteste2:~#
>>
>>
>>
>>
> From what I understand, to unlock the second user (user1) the contents of
> 'lockoutTime' needs to be set to '0'
>
> Can you test this ? either with ldbmodify or ldbedit
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>