Bug 4840 - User Manager: User flags
User Manager: User flags
Product: Samba 4.0
Classification: Unclassified
Component: Other
All All
: P3 enhancement
: ---
Assigned To: Andrew Bartlett
Andrew Bartlett
Depends on:
  Show dependency treegraph
Reported: 2007-07-31 03:57 UTC by Matthias Dieter Wallnöfer
Modified: 2009-04-14 05:01 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Dieter Wallnöfer 2007-07-31 03:57:25 UTC
When I want to change or set the flags "Password never expires, Account
disabled ..." in the user properties/add dialog, this often has no effect.
(Derived from bug 4815)
Comment 1 Andrew Bartlett 2007-08-01 01:09:13 UTC
Can I have some more details on this?

I can set and unset these flags on my test setup, and at least the account disabled flag seems to do the right thing in terms of denying logon.
Comment 2 Matthias Dieter Wallnöfer 2007-08-01 02:20:32 UTC
- First option "User Must Change Password at Next Logon" seems not work. When I click on "OK", the checkmark is gone.
- Second option "User Cannot Change Password" - the same thing
Comment 3 Matthias Dieter Wallnöfer 2007-08-01 02:28:54 UTC
One time I managed also to set the "User Must Change Password at Next Logon" option in ADUC, but now I am unable to reset it (ADUC shows the option unchecked, User Manager checked). Now I am also unable to login with this user (errormessage: account restriction).
Comment 4 Matthias Dieter Wallnöfer 2007-08-25 07:00:25 UTC
Is there any progress on this bug?
Comment 5 Matthias Dieter Wallnöfer 2007-09-03 17:18:35 UTC
This should be a bit similar to 4824. I think the two flags are controlled by the attributes "pwdAllowSet" and "pwdLastSet". I couldn't write there a simple patch, because the appropriate set functions in samldb.c (I think) are missing. The get functions exist.
Comment 6 Andrew Bartlett 2007-09-03 21:20:15 UTC
I can't set the password_last_change value against AD using SAMR, and the pwdAllowSet attribute doesn't exist.  

I'll need to see how AD and usrmgr interact here, as I think this just isn't expected to work. 
Comment 7 Matthias Dieter Wallnöfer 2008-03-01 05:03:18 UTC
This problem seems to persist also with the new "acct_flags" changes in the code done by you Andrew.
Comment 8 Matthias Dieter Wallnöfer 2008-12-06 08:41:17 UTC
The flags
- "User Must Change Password at Next Logon"
- "User Cannot Change Password"
aren't fully working yet.
Comment 9 Matthias Dieter Wallnöfer 2008-12-29 13:13:08 UTC
The two flags "User Must Change Password at Next Logon" and "User Cannot Change Password" don't work in the sense that any check/uncheck operation after a "OK" is definitely lost.

I investigated this now a bit through wireshark. The involved RPC calls are LSA "QueryUserInfo" and "SetUserInfo" with the the attribute "acctFlags". Especially, the "User Manager" seems to send back the unchanged attribute.
More and more I've the opinion that this is also a "User Manager" bug and not a SAMBA 4 one (can you reproduce it on Windows Server?).
Comment 10 Matthias Dieter Wallnöfer 2009-04-14 05:01:28 UTC
My opinion is that it is a bug in the NT User Manager for Domains itself and so I close it with "INVALID".