Discussion:
[Samba] Unlock domain user
Anderson Hoffmann do Carmo
2016-08-01 16:40:37 UTC
Hi all!

It's a simple question, but I did not find the answer!
How do I unlock a domain user after the account was blocked by a wrong password?
How can I do this with samba-tool or any other tool in Linux_AD?
Or is this possible only with the Windows RSAT_Tool?


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Anderson Hoffmann do Carmo
2016-08-01 17:04:48 UTC
Hi Rowland.

The command (samba-tool user enable 'user') is used to enable a user
account that has been disabled in AD, but it does not unlock a
user account that has been locked by a wrong password.


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |
Try 'samba-tool user enable <username>'
Rowland
Dante F. B. Colò
2016-08-01 19:20:52 UTC
Type the command pdbedit -Lvu username. What does it show in the Account Flags field?



Anderson Hoffmann do Carmo
2016-08-01 19:35:38 UTC
Hi Dante!

Command Output: (the user1 is locked at this moment)

***@gteste2:~#
***@gteste2:~# pdbedit -Lvu user1
Unix username: user1
NT username:
Account Flags: [UL ]
User SID: S-1-5-21-4156723526-836881587-1255597539-1106
Primary Group SID: S-1-5-21-4156723526-836881587-1255597539-513
Full Name: user1
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time: Mon, 01 Aug 2016 15:26:06 BRT
Logoff time: never
Kickoff time: Wed, 13 Sep 30828 23:48:05 BRT
Password last set: Mon, 01 Aug 2016 15:25:54 BRT
Password can change: Mon, 01 Aug 2016 15:25:54 BRT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
***@gteste2:~#




Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |
Anderson Hoffmann do Carmo
2016-08-01 19:29:37 UTC
I executed the command in two scenarios.

Account 'user1' unlocked:

***@gteste2:~#
***@gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=testead,dc=gsurfnet,dc=com" -s sub '(&(objectclass=user)(samaccountname=user1))' lockoutTime
# record 1
dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 0

# Referral
ref: ldap://testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com

# returned 4 records
# 1 entries
# 3 referrals
***@gteste2:~#

Account 'user1' locked by wrong password:


***@gteste2:~#
***@gteste2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=testead,dc=gsurfnet,dc=com" -s sub '(&(objectclass=user)(samaccountname=user1))' lockoutTime
# record 1
dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 131145529963563450

# Referral
ref: ldap://testead.gsurfnet.com/CN=Configuration,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=DomainDnsZones,DC=testead,DC=gsurfnet,DC=com

# Referral
ref: ldap://testead.gsurfnet.com/DC=ForestDnsZones,DC=testead,DC=gsurfnet,DC=com

# returned 4 records
# 1 entries
# 3 referrals
***@gteste2:~#



Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |
Post by Anderson Hoffmann do Carmo
Hi Rowland.
The command (samba-tool user enable 'user') is used to enable a user
account that has been disabled in AD, but it is not functional to unlock a
user account that has been locked by wrong password.
I sort of thought it wouldn't, having never had to unlock a user for
this, I hoped it would, let me look into this and get back to you.
Rowland
OK, this is a bit more complex than I thought, but I think it boils down
to an attribute being created with the time the account was locked.
ldbsearch -H /usr/local/samba/private/sam.ldb -b "dc=samdom,dc=example,dc=com" -s sub '(&(objectclass=user)(samaccountname=rowland))' lockoutTime
You may have to install ldb-tools, you also will probably have to change
the paths etc.
If you get any output, can you please post the result.
Rowland
Anderson Hoffmann do Carmo
2016-08-01 19:49:06 UTC
I will test this!

Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |
From what I understand, to unlock the second user (user1) the contents of
'lockoutTime' needs to be set to '0'
Can you test this, either with ldbmodify or ldbedit?
Rowland
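The lockoutTime check and reset discussed in this thread, as an added example that is not part of any post: lockoutTime is a Windows FILETIME value (100 ns ticks since 1601-01-01 UTC), so the script decodes it and prints the ldbmodify LDIF that sets it back to 0. The function names and the user2 entry are constructed for illustration.

```sh
# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_EPOCH_OFFSET=11644473600

# lockoutTime counts 100 ns ticks since 1601-01-01 UTC; 0 means not locked.
# Prints the Unix time of the lockout, or 0 for an unlocked account.
lockout_to_epoch() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-numeric or leading zero
        0) echo 0 ;;
        *) echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET )) ;;
    esac
}

# Read ldbsearch LDIF on stdin; print "<epoch> <dn>" for each locked entry.
# Assumes unfolded, plain-text "dn: " lines like those posted in the thread.
locked_entries() {
    dn=
    while IFS= read -r line; do
        case $line in
            'dn: '*) dn=${line#dn: } ;;
            'lockoutTime: '*)
                if epoch=$(lockout_to_epoch "${line#lockoutTime: }") &&
                   [ -n "$dn" ] && [ "$epoch" -gt 0 ]; then echo "$epoch $dn"; fi ;;
            '') dn= ;;                 # blank line ends the record
        esac
    done
}

# LDIF for ldbmodify: replace lockoutTime with 0 on one DN.
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n\n' "$1"
}

# Constructed sample: user1 carries the locked value posted in the thread
# (1470079396 = 2016-08-01 19:23:16 UTC); user2 is a made-up unlocked entry.
SAMPLE='# record 1
dn: CN=user1,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 131145529963563450

# record 2
dn: CN=user2,OU=TESTE,DC=testead,DC=gsurfnet,DC=com
lockoutTime: 0
'

# Print the LDIF for review; feeding it to ldbmodify is a separate step.
printf '%s' "$SAMPLE" | locked_entries | while read -r epoch dn; do
    echo "# locked at Unix time $epoch: $dn"
    unlock_ldif "$dn"
done
```

After review, the printed LDIF can be passed to ldbmodify with -H pointing at the same sam.ldb used for the ldbsearch query.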
Kris Lou
2016-08-01 20:27:00 UTC
Back in Samba3.x (NT-domain), I used to unlock with "pdbedit -c='[]'
<user>", essentially wiping out all Account flags shown by pdbedit -l
<user>. I don't know if it works under AD.
Anderson Hoffmann do Carmo
2016-08-02 11:54:46 UTC
Hi

I can unlock the domain user account successfully with the command below. Test OK!

pdbedit -c='[]' --user=USERNAME


Reference: https://lists.samba.org/archive/samba/2004-April/084774.html


Anderson Hoffmann do Carmo
MCP | MTA | MCDST | MCTS | MCSA | MS | MOS |
ITIL-F | ISFS | CLOUDF | CI-SCS | VCA-DCV |
Miguel Medalha
2016-08-01 21:14:51 UTC
samba-tool user enable [username]
mathias dufresne
2016-08-02 09:37:38 UTC
Plop,

I would have a look at the "userAccountControl" LDAP attribute using ldbedit
rather than pdbedit.