Unlock user account in Samba Active Directory
A user account gets locked out after a number of failed login attempts. The threshold, the lockout duration and the reset window are part of the domain password settings:
$ samba-tool domain passwordsettings show
Password information for domain 'DC=octocat,DC=lab'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 180
Account lockout duration (mins): 30
Account lockout threshold (attempts): 10
Reset account lockout after (mins): 30
You can identify a locked-out account by looking at the user object: badPwdCount has reached the lockout threshold and a non-zero lockoutTime attribute is set. badPwdCount is tracked per domain controller and is not replicated, so check it on the DC that handled the failed logons (or on every DC) if the numbers do not add up.
$ samba-tool user show octo
dn: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Octo Cat
sn: Cat
givenName: Octo
instanceType: 4
whenCreated: 20210930172444.0Z
displayName: Octo Cat
uSNCreated: 4081
name: Octo Cat
objectGUID: dd9ba879-0d63-4eb8-8180-2ee00439d9fc
codePage: 0
countryCode: 0
homeDirectory: /home/octocat
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3581266272-3984212215-1130392956-1107
sAMAccountName: octo
sAMAccountType: 805306368
userPrincipalName: octo@octocat.lab
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=octocat,DC=lab
uid: octo
uidNumber: 10000
gidNumber: 10000
gecos: Octo Cat
loginShell: /bin/bash
unixHomeDirectory: /home/octocat
msSFU30NisDomain: OCTOCAT
msSFU30Name: octo
unixUserPassword: ABCD!efgh12345$67890
memberOf: CN=cats,CN=Users,DC=octocat,DC=lab
lastLogonTimestamp: 132774975168875680
userAccountControl: 66048
accountExpires: 0
pwdLastSet: 132774980453954180
lastLogon: 132778590603423500
logonCount: 42
badPwdCount: 10
badPasswordTime: 132778600638427360
lockoutTime: 132778600638427360
whenChanged: 20211004222743.0Z
uSNChanged: 4253
distinguishedName: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
You can reset the user's password, but that does not unlock the account; lockoutTime stays set.
$ samba-tool user setpassword octo
New Password: **************
Retype Password: **************
Changed password OK
To unlock the user, edit the user object and set the lockoutTime attribute to `0` (a value of 0 means "not locked"). In the editor, change the line `lockoutTime: 132778600638427360` to `lockoutTime: 0`, then save and quit.
$ samba-tool user edit octo
dn: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Octo Cat
sn: Cat
givenName: Octo
instanceType: 4
whenCreated: 20210930172444.0Z
displayName: Octo Cat
uSNCreated: 4081
name: Octo Cat
objectGUID: dd9ba879-0d63-4eb8-8180-2ee00439d9fc
codePage: 0
countryCode: 0
homeDirectory: /home/octocat
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3581266272-3984212215-1130392956-1107
sAMAccountName: octo
sAMAccountType: 805306368
userPrincipalName: octo@octocat.lab
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=octocat,DC=lab
uid: octo
uidNumber: 10000
gidNumber: 10000
gecos: Octo Cat
loginShell: /bin/bash
unixHomeDirectory: /home/octocat
msSFU30NisDomain: OCTOCAT
msSFU30Name: octo
unixUserPassword: ABCD!efgh12345$67890
memberOf: CN=cats,CN=Users,DC=octocat,DC=lab
lastLogonTimestamp: 132774975168875680
userAccountControl: 66048
accountExpires: 0
pwdLastSet: 132774980453954180
lastLogon: 132778590603423500
logonCount: 42
badPwdCount: 10
badPasswordTime: 132778600638427360
lockoutTime: 132778600638427360
whenChanged: 20211004222743.0Z
uSNChanged: 4253
distinguishedName: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
Do not delete the attribute instead of zeroing it; Samba refuses the modification:
ERROR(ldb): Failed to modify user 'octo': - 00002077: samldb: 'lockoutTime' can't be deleted!
The user can log in again right away. With "Account lockout duration (mins): 30" as above, the lock would also have expired on its own after 30 minutes; the manual unlock matters when you cannot wait, or when the duration is 0, which keeps the account locked until an administrator clears it.
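The check and the fix above, as an added shell example that is not part of the original post: it parses `samba-tool user show` output (the sample below is constructed from the post's `octo` account), converts the FILETIME in lockoutTime to a Unix timestamp, decides whether the lock is still in force given the domain's lockout duration, and emits the LDIF that zeroes lockoutTime rather than deleting it. The `attr`, `lockout_state` and `unlock_ldif` function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba itself.
# SAMPLE_SHOW is constructed from the attributes of the post's 'octo' user.
SAMPLE_SHOW='dn: CN=Octo Cat,CN=Users,DC=octocat,DC=lab
sAMAccountName: octo
badPwdCount: 10
badPasswordTime: 132778600638427360
lockoutTime: 132778600638427360
whenChanged: 20211004222743.0Z'

# attr NAME TEXT: value of the first "NAME: value" line in TEXT (empty if absent)
attr() {
    printf '%s\n' "$2" | awk -v k="$1" '
        index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# AD stores lockoutTime as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
# 116444736000000000 ticks lie between 1601-01-01 and the Unix epoch.
filetime_to_unix() {
    echo $(( ($1 - 116444736000000000) / 10000000 ))
}

# lockout_state SHOW NOW_EPOCH DURATION_MINS -> unlocked | locked | expired
# DURATION_MINS is "Account lockout duration (mins)" from passwordsettings;
# 0 means the account stays locked until an administrator clears it.
lockout_state() {
    lt=$(attr lockoutTime "$1")
    if [ -z "$lt" ] || [ "$lt" = 0 ]; then
        echo unlocked; return
    fi
    if [ "$3" -eq 0 ]; then
        echo locked; return
    fi
    since=$(filetime_to_unix "$lt")
    if [ $(( $2 - since )) -lt $(( $3 * 60 )) ]; then
        echo locked
    else
        echo expired   # DC already treats it as unlocked; the attribute lingers
    fi
}

# unlock_ldif SHOW: LDIF that resets lockoutTime to 0 (replace, never delete)
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n' \
        "$(attr dn "$1")"
}

# Stand-alone demonstration on the constructed sample
now=$(filetime_to_unix "$(attr lockoutTime "$SAMPLE_SHOW")")
echo "badPwdCount=$(attr badPwdCount "$SAMPLE_SHOW"), locked since epoch $now"
echo "10 min after lockout: $(lockout_state "$SAMPLE_SHOW" $(( now + 600 )) 30)"
echo "60 min after lockout: $(lockout_state "$SAMPLE_SHOW" $(( now + 3600 )) 30)"
unlock_ldif "$SAMPLE_SHOW"
```

The converted lockoutTime (epoch 1633386463) is 2021-10-04 22:27:43 UTC, which matches the whenChanged stamp in the post, a quick sanity check that the conversion is right. On a real DC the LDIF can be applied with `unlock_ldif "$(samba-tool user show octo)" | ldbmodify -H /var/lib/samba/private/sam.ldb` (the sam.ldb path is the usual default; adjust to your install). Newer Samba releases also ship `samba-tool user unlock <username>`, which does the same thing; check `samba-tool user --help` on your version.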