Categories
SysOps

How to unlock user account in Samba Active Directory

Unlock user account in Samba Active Directory

User account can get locked out after a number of failed login attempts.

$ samba-tool domain passwordsettings show
Password information for domain 'DC=octocat,DC=lab'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 180
Account lockout duration (mins): 30
Account lockout threshold (attempts): 10
Reset account lockout after (mins): 30

You can easily identify this issue when badPwdCount reached its threshold and there is a defined lockoutTime attribute for a particular user object.

$ samba-tool user show octo
dn: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Octo Cat
sn: Cat
givenName: Octo
instanceType: 4
whenCreated: 20210930172444.0Z
displayName: Octo Cat
uSNCreated: 4081
name: Octo Cat
objectGUID: dd9ba879-0d63-4eb8-8180-2ee00439d9fc
codePage: 0
countryCode: 0
homeDirectory: /home/octocat
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3581266272-3984212215-1130392956-1107
sAMAccountName: octo
sAMAccountType: 805306368
userPrincipalName: octo@octocat.lab
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=octocat,DC=lab
uid: octo
uidNumber: 10000
gidNumber: 10000
gecos: Octo Cat
loginShell: /bin/bash
unixHomeDirectory: /home/octocat
msSFU30NisDomain: OCTOCAT
msSFU30Name: octo
unixUserPassword: ABCD!efgh12345$67890
memberOf: CN=cats,CN=Users,DC=octocat,DC=lab
lastLogonTimestamp: 132774975168875680
userAccountControl: 66048
accountExpires: 0
pwdLastSet: 132774980453954180
lastLogon: 132778590603423500
logonCount: 42
badPwdCount: 10
badPasswordTime: 132778600638427360
lockoutTime: 132778600638427360
whenChanged: 20211004222743.0Z
uSNChanged: 4253
distinguishedName: CN=Octo Cat,CN=Users,DC=octocat,DC=lab

You can reset user password, but this will not unlock the user account.

$ samba-tool user setpassword octo
New Password:    **************
Retype Password: ************** 
Changed password OK

To unlock user edit user account object to set lockoutTime attribute to 0.

$ samba-tool user edit octo
dn: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Octo Cat
sn: Cat
givenName: Octo
instanceType: 4
whenCreated: 20210930172444.0Z
displayName: Octo Cat
uSNCreated: 4081
name: Octo Cat
objectGUID: dd9ba879-0d63-4eb8-8180-2ee00439d9fc
codePage: 0
countryCode: 0
homeDirectory: /home/octocat
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3581266272-3984212215-1130392956-1107
sAMAccountName: octo
sAMAccountType: 805306368
userPrincipalName: octo@octocat.lab
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=octocat,DC=lab
uid: octo
uidNumber: 10000
gidNumber: 10000
gecos: Octo Cat
loginShell: /bin/bash
unixHomeDirectory: /home/octocat
msSFU30NisDomain: OCTOCAT
msSFU30Name: octo
unixUserPassword: ABCD!efgh12345$67890
memberOf: CN=cats,CN=Users,DC=octocat,DC=lab
lastLogonTimestamp: 132774975168875680
userAccountControl: 66048
accountExpires: 0
pwdLastSet: 132774980453954180
lastLogon: 132778590603423500
logonCount: 42
badPwdCount: 10
badPasswordTime: 132778600638427360
lockoutTime: 132778600638427360
whenChanged: 20211004222743.0Z
uSNChanged: 4253
distinguishedName: CN=Octo Cat,CN=Users,DC=octocat,DC=lab

Do not delete this attribute as you will get an error.

ERROR(ldb): Failed to modify user 'octo':  - 00002077: samldb: 'lockoutTime' can't be deleted!

After that user should log in again.