From 6b53b10b12551baae5ee69118156b464964a2655 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 8 Sep 2005 23:23:43 +0000 Subject: Adding info regarding account flags. (This used to be commit 78672e59a8c8a9911864d478c7335b082a17880c) --- docs/Samba3-HOWTO/TOSHARG-Passdb.xml | 191 +++++++++++++++++++++++++++++++++++ 1 file changed, 191 insertions(+) diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index d739af15de..54ec949caf 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml @@ -1269,6 +1269,38 @@ frodo$:1008:15891DC6B843ECA41249940C814E316B: marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3: C610EFE9A385A3E8AA46ADFD576E6881:[W ]:LCT-40F07A4 +login id +UID +LanManger password +NT password +Account Flags +LCTlast change time + The account information that was returned by this command in order from left to right + consists of the following colon separated data: + + + + Login ID. + UNIX UID. + + Microsoft LanManager password hash (password converted to upper-case then hashed. + + Microsoft NT password hash (hash of the case-preserved password). + Samba SAM Account Flags. + The LCT data (password last change time). + + + +Account Flags +pdbedit + The Account Flags parameters are documented in the pdbedit man page, and are + briefly documented in the Account Flags Management section. + + + +last change time + The LCT data consists of 8 hexadecimal characters representing the time since January 1, 1970, of + the time when the password was last changed. 
@@ -1428,6 +1460,165 @@ Password must change: Fri, 01 Jan 2010 00:00:00 GMT management. + + Account Flags Management + + +Samba SAM account flags +account control blockACB +account encode_bits +account control flags + The Samba SAM account flags are properly called the ACB (account control block) within + the Samba source code. In some parts of the Samba source code they are referred to as the + account encode_bits, and also as the account control flags. + + + +pdbedit +user account +machine account +trust account +damaged data + The manual adjustment of user, machine (workstation or server) or an inter-domain trust + account account flgas should not be necessary under normal conditions of use of Samba. On the other hand, + where this information becomes corrupted for some reason, the ability to correct the damaged data is certainly + useful. The tool of choice by which such correction can be affected is the pdbedit utility. + + + +account flags +LDAP directory + There have been a few requests for information regarding the account flags from developers + who are creating their own Samba management tools. An example of a need for information regarding + the proper management of the account flags is evident when developing scripts that will be used + to manage an LDAP directory. + + + +pdbedit +account flag order + The account flag field can contain up to 16 characters. Presently, only 11 are in use. + These are listed in Samba SAM Account Control Block Flags. + The order in which the flags are specified to the pdbedit command is not important. + In fact, they can be set without problem in any order in the SambaAcctFlags record in the LDAP directory. + + + + Samba SAM Account Control Block Flags + + + FlagDescription + + + + D + Account is disabled. + + + H + A home directory is required. + + + I + An inter-domain trust account. + + + L + Account has been auto-locked. + + + M + An MNS (Microsoft network service) logon account. + + + N + Password not required. 
+ + + S + A server trust account. + + + T + Temporary duplicate account entry. + + + U + A normal user account. + + + W + A workstation trust account. + + + X + Password does not expire. + + + +
+ + +pdbedit +account control flags + An example of use of the pdbedit utility to set the account control flags + is shown here: + +&rootprompt; pdbedit -r -c "[DLX]" jra +Unix username: jht +NT username: jht +Account Flags: [DHULX ] +User SID: S-1-5-21-729263-4123605-1186429-3000 +Primary Group SID: S-1-5-21-729263-4123605-1186429-513 +Full Name: John H Terpstra,Utah Office +Home Directory: \\aurora\jht +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\aurora\profiles\jht +Domain: MIDEARTH +Account desc: BluntObject +Workstations: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: 0 +Password last set: Sun, 03 Jul 2005 23:19:18 GMT +Password can change: Sun, 03 Jul 2005 23:19:18 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + +default settings + The flags can be reset to the default settings by executing: + +&rootprompt; pdbedit -r -c "[]" jra +Unix username: jht +NT username: jht +Account Flags: [U ] +User SID: S-1-5-21-729263-4123605-1186429-3000 +Primary Group SID: S-1-5-21-729263-4123605-1186429-513 +Full Name: John H Terpstra,Utah Office +Home Directory: \\aurora\jht +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\aurora\profiles\jht +Domain: MIDEARTH +Account desc: BluntObject +Workstations: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: 0 +Password last set: Sun, 03 Jul 2005 23:19:18 GMT +Password can change: Sun, 03 Jul 2005 23:19:18 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + + + +
+ -- cgit
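Review bot: In the first hunk (@@ -1269,6 +1269,38 @@), the LCT paragraph says the field is "8 hexadecimal characters representing the time since January 1, 1970" but never gives the unit. The sample line in the context just above it reads "LCT-40F07A4", which is seven digits as shown. Please state the unit explicitly and make the stated width agree with the sample, since the later section says management-tool authors will rely on this description to parse the field. Two smaller fixes in the same hunk: the index term "LanManger password" is misspelled, and the list item "Microsoft LanManager password hash (password converted to upper-case then hashed." is missing its closing parenthesis.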
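Review bot: In the second hunk (@@ -1428,6 +1460,165 @@), both pdbedit examples pass the account "jra" on the command line, but the output printed under them is for "Unix username: jht"; the command and the output should use the same account. The first example also requests "[DLX]" while the output shows "Account Flags: [DHULX ]", so either explain where H and U come from or show output that matches the command. Readers are told they can write these flags straight into SambaAcctFlags in LDAP, and an unexplained difference between what was requested and what was stored will mislead script authors. For the same audience, the table entry "N Password not required" deserves a sentence in the text on what setting it does to the account, since the section is about correcting flags by hand. Wording fixes: "account account flgas" should read "account flags", and "correction can be affected" should be "effected".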