search for: ads_uf_normal_account

In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v

...s with 'never'. Also, if i look at 'userAccountControl' i found 512 as a value: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2 512 so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx). If i disable it: root at vdcsv1:~# pdbedit --account-control="[D]" gaio [...] Account Flags: [DU ] [...] root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,D...

...; Also, if i look at 'userAccountControl' i found 512 as a value: > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' > | cut -d ' ' -f 2 512 > > so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by > https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx). > > If i disable it: > root at vdcsv1:~# pdbedit --account-control="[D]" gaio > [...] > Account Flags: [DU ] > [...] > root at vdcsv1:~# ldbsearch -H /var/lib/samb...

...it to work (we couldn't). For the cleartext2unicodepwd script, see below. Last thing, userAccountControl. This attribute is a mask with the following possible values: ADS_UF_ACCOUNTDISABLE = 0x0002 Disable user account ADS_UF_PASSWD_NOTREQD = 0x0020 No password is required ADS_UF_NORMAL_ACCOUNT = 0x0200 Typical user account The previously created user got a value of `546' (i.e. 0x0222). I set it to `512' (0x0200): $ cat >uac.ldif dn: CN=foobar,CN=Users,DC=yoursite,DC=com changetype: modify replace: userAccountControl userAccountControl: 512 ...ldapmod...