Bug 35072 - Unlock user in the domain
Unlock user in the domain
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 enhancement (vote)
: UCS 4.2-2-errata
Assigned To: Lukas Oyen
Arvid Requate
Depends on: 32014
Blocks: 45554
  Show dependency treegraph
Reported: 2014-06-06 09:51 CEST by Michel Smidt
Modified: 2017-10-18 12:02 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Usability
Max CVSS v3 score:
oyen: Patch_Available+

Script to unlock a samba account (4.59 KB, text/x-python)
2016-09-13 09:37 CEST, Lukas Oyen
Testscript for `univention-samba-unlock` (1.61 KB, application/x-shellscript)
2016-09-13 09:38 CEST, Lukas Oyen

Note You need to log in before you can comment on or make changes to this bug.
Description Michel Smidt univentionstaff 2014-06-06 09:51:54 CEST
By customer request.

Since UCS 3.2 erratum 85 samba supports the domain account lockout with the command: samba-tool domain passwordsettings

The customer would like to get a possibility to unlock user in the domain.
Comment 1 Lukas Oyen univentionstaff 2016-09-13 09:37:21 CEST
Created attachment 8000 [details]
Script to unlock a samba account

Script to unlock a Samba account by setting lockoutTime = 0 via ldbmodify. This does not include a convenience authentication wrapper as univention-s4search provides for ldbsearch.

It may be a good idea to write a generic univention-ldb-tools wrapper that handles authentication detection and use it to wrap ldb{search,modify,..}. With that univention-samba-unlock could be simplified and merged with the tool from bug 35071.
Comment 2 Lukas Oyen univentionstaff 2016-09-13 09:38:39 CEST
Created attachment 8001 [details]
Testscript for `univention-samba-unlock`
Comment 3 Stefan Gohmann univentionstaff 2016-12-13 08:10:43 CET
The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.
Comment 4 Lukas Oyen univentionstaff 2017-09-19 16:11:47 CEST
Committed in 679b140, YAML 11d064b.
Comment 5 Arvid Requate univentionstaff 2017-10-17 15:00:17 CEST
The script is a bit awkward to use, because it requires authentication as Administrator but doesn't properly handle the interactive password prompt/input of samba-tool. As a workaround this works:

root@master10:~# kinit Administrator
Administrator@AR41I1.QA's Password: 

root@master10:~# /usr/sbin/univention-samba-unlock -k yes user1

I've opened Bug 45554 to address that.

Otherwise the script works.
Comment 6 Arvid Requate univentionstaff 2017-10-17 15:03:04 CEST
Obviously this unsafe usage works too:

univention-samba-unlock user1 -U Administrator%univention
Comment 7 Arvid Requate univentionstaff 2017-10-18 12:02:40 CEST