NT_STATUS_ACCOUNT_EXPIRED

TL:DR: Check that your system clock is set correctly …and use pdbedit -u accountname -K 0 to disable expiry for the account if that’s what it’s supposed to be in the first place.

…because I just spent an hour tearing my hair out before realizing the solution.

If you’ve just created an account named accountname with sudo smbpasswd -a accountname, under what should be the default Ubuntu settings for Samba, and you can’t log into your shares, and sudo pdbedit -vu accountname looks like this…

Unix username:        accountname
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-4147919797-2373757126-213116460-1000
Primary Group SID:    S-1-5-21-4147919797-2373757126-213116460-513
Full Name:            Your Name
Home Directory:       \\YOURPC\accountname
HomeDir Drive:        
Logon Script:         
Profile Path:         \\YOURPC\accountname\profile
Domain:               YOURPC
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 15:06:39 UTC
Kickoff time:         Wed, 06 Feb 2036 15:06:39 UTC
Password last set:    Tue, 28 Sep 2088 08:03:11 UTC
Password can change:  Tue, 28 Sep 2088 08:03:11 UTC
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

…and smbclient --user=accountname '\\YOURPC\sharename' is saying NT_STATUS_ACCOUNT_EXPIRED, do two things:

First, figure out why the heck your system clock thinks the year is 2088. Second, if you don’t want the account to ever expire, actually ask for it:

sudo pdbedit -u accountname -K 0

I was so fixated on the assumption that I had NTP time synchronization set up properly that I didn’t notice the date in this log line and went straight to investigating check_samsec.c:206:

[2088/09/28 08:31:20.028105,  1] ../../source3/auth/check_samsec.c:206(sam_account_ok)
  sam_account_ok: Account for user 'ssokolow' has expired.

…of course, it really didn’t help that, when I actually tried some suggested ways to list expired accounts, nothing showed up.

Today I learned about a weird quirk of using the “try it out without installing” mode of a Lubuntu Linux LiveUSB stick as a hacky way to turn a small form factor PC with only one hard drive bay into a temporary network-attached external drive housing.

CC BY-SA 4.0 NT_STATUS_ACCOUNT_EXPIRED by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

This entry was posted in Geek Stuff. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution under the same terms as the associated post.

All comments are moderated. If your comment is generic enough to apply to any post, it will be assumed to be spam. Borderline comments will have their URL field erased before being approved.