The branch, v4-0-test has been updated via d28f2cb678b334086f601505c88e56b9c1ee559d (commit) via 6a98e5a7aa0cdbb61358901df50162b5b914ee5c (commit) via 2b6b4e5a1611744eea5dd9ec17c416916d7edab4 (commit) via 7ce5575a3a40cca4a45ec179a153f7e909065a87 (commit) via be47cc7fdfa3cae0508e564f38b793aa27b6eb92 (commit) from d66b6c3823f003875e3b7cdf63617a894cceadf9 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit d28f2cb678b334086f601505c88e56b9c1ee559d Author: Andrew Kroeger <[EMAIL PROTECTED]> Date: Fri Mar 7 05:56:04 2008 -0600 Treat maxPwdAge == 0 as passwords never expire. commit 6a98e5a7aa0cdbb61358901df50162b5b914ee5c Author: Andrew Kroeger <[EMAIL PROTECTED]> Date: Thu Mar 6 06:08:32 2008 -0600 Enhance mappings of NTSTATUS to KRB5KDC errors. The enhanced mappings allow the Windows client to determine whether a user's password needs to be changed (and allows them to change it), or if they cannot logon at all. Changes still need to be made to allow additional data to be returned. Windows uses that additional data to display more detailed dialogs to the user. The additional information is returned in an e-data struct of type PA-PW-SALT that contains the more-detailed NTSTATUS error code. commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4 Author: Andrew Kroeger <[EMAIL PROTECTED]> Date: Thu Mar 6 06:07:28 2008 -0600 Update account expiration to use new samdb_result_account_expires() function. commit 7ce5575a3a40cca4a45ec179a153f7e909065a87 Author: Andrew Kroeger <[EMAIL PROTECTED]> Date: Thu Mar 6 06:02:46 2008 -0600 Add samdb_result_account_expires() function. Windows uses 2 different values to indicate an account doesn't expire: 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL). This function looks up the value of the accountExpires attribute and if the value is either value indicating the account doesn't expire, 0x7FFFFFFFFFFFFFFFULL is returned. This simplifies the tests for account expiration. There is no need to check elsewhere in the code for both values, therefore a simple greater-than expression can be used. commit be47cc7fdfa3cae0508e564f38b793aa27b6eb92 Author: Andrew Kroeger <[EMAIL PROTECTED]> Date: Thu Mar 6 05:56:49 2008 -0600 accountExpires: Windows default is 9223372036854775807, not -1. 
----------------------------------------------------------------------- Summary of changes: source/auth/sam.c | 4 +- source/dsdb/common/util.c | 26 +++++++++++++++++++- source/kdc/hdb-ldb.c | 5 +-- source/kdc/pac-glue.c | 21 +++++++++++++++- .../ldb/tests/schema-tests/schema-add-test.ldif | 2 +- source/setup/provision_templates.ldif | 4 +- source/setup/provision_users.ldif | 2 +- 7 files changed, 53 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/source/auth/sam.c b/source/auth/sam.c index 9a8045f..8821963 100644 --- a/source/auth/sam.c +++ b/source/auth/sam.c @@ -157,7 +157,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); - acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + acct_expiry = samdb_result_account_expires(msg, 0); /* Check for when we must change this password, taking the * userAccountControl flags into account */ @@ -351,7 +351,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0); - server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + server_info->acct_expiry = samdb_result_account_expires(msg, 0); server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL); diff --git a/source/dsdb/common/util.c b/source/dsdb/common/util.c index ace5e0e..88c8afd 100644 --- a/source/dsdb/common/util.c +++ b/source/dsdb/common/util.c 
@@ -434,6 +434,30 @@ NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME def } /* + * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to + * indicate an account doesn't expire. + * + * When Windows initially creates an account, it sets + * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However, + * when changing from an account having a specific expiration date to + * that account never expiring, it sets accountExpires = 0. + * + * Consolidate that logic here to allow clearer logic for account expiry in + * the rest of the code. + */ +NTTIME samdb_result_account_expires(struct ldb_message *msg, + NTTIME default_value) +{ + NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires", + default_value); + + if (ret == (NTTIME)0) + ret = 0x7FFFFFFFFFFFFFFFULL; + + return ret; +} + +/* pull a uint64_t from a result set. */ uint64_t samdb_result_uint64(struct ldb_message *msg, const char *attr, uint64_t default_value) @@ -493,7 +517,7 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "maxPwdAge", NULL); if (maxPwdAge == 0) { - return 0; + return 0x7FFFFFFFFFFFFFFFULL; } else { attr_time -= maxPwdAge; } diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c index 9a17e58..bc5a45a 100644 --- a/source/kdc/hdb-ldb.c +++ b/source/kdc/hdb-ldb.c @@ -510,9 +510,8 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, entry_ex->entry.valid_start = NULL; - acct_expiry = samdb_result_nttime(msg, "accountExpires", (NTTIME)-1); - if ((acct_expiry == (NTTIME)-1) || - (acct_expiry == 0x7FFFFFFFFFFFFFFFULL)) { + acct_expiry = samdb_result_account_expires(msg, 0); + if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) { entry_ex->entry.valid_end = NULL; } else { entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end)); diff --git a/source/kdc/pac-glue.c b/source/kdc/pac-glue.c index a99cf6d..66f36af 100644 
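Review bot: samdb_result_account_expires() folds only 0 into the never-expires sentinel, yet this same changeset rewrites `accountExpires: -1` to 9223372036854775807 in the provisioning LDIF, so directories provisioned before it still hold -1; read through ldb_msg_find_attr_as_uint64() that is presumably 0xFFFFFFFFFFFFFFFF, which the helper returns unchanged and which every caller comparing for equality with 0x7FFFFFFFFFFFFFFFULL will then treat as a real expiry date. The hdb-ldb.c hunk below removes the explicit `(NTTIME)-1` case at the same time, so nothing else catches it. Suggest `if (ret == (NTTIME)0 || ret == (NTTIME)-1) ret = 0x7FFFFFFFFFFFFFFFULL;` plus a sentence in the header comment that default_value is subject to the same folding (both callers in this changeset pass 0 and therefore get "never expires" for a missing attribute). The sentinel is now spelled out as a literal in three files; a single named constant next to this function would make the "greater-than means expired" convention from the commit message visible at each use.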
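Review bot: The `maxPwdAge == 0` test in samdb_result_force_password_change() handles the zero case but, to my knowledge, Windows records a domain policy of "passwords never expire" as 0x8000000000000000 (INT64_MIN) rather than 0; confirm against MS-ADTS before relying on the zero-only check. With that value the else branch still executes `attr_time -= maxPwdAge`, an NTTIME minus INT64_MIN, producing a meaningless forced-change time instead of the sentinel this hunk introduces. If the convention holds, `if (maxPwdAge == 0 || maxPwdAge == INT64_MIN) {` covers both encodings. samdb_result_force_password_change() begins before this hunk; its header comment should state that 0x7FFFFFFFFFFFFFFFULL is returned for "never" and that callers are expected to compare with greater-than, as the commit message describes.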
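Review bot: The new `acct_expiry == 0x7FFFFFFFFFFFFFFFULL` test in LDB_message2entry() is narrower than the two-value check it replaces: the removed branch also accepted `(NTTIME)-1`, and the LDIF edits in this same changeset (accountExpires: -1 to 9223372036854775807) show that -1 is what earlier provisioning wrote. A principal stored with accountExpires = -1 therefore now takes the else branch and gets a valid_end derived from 0xFFFFFFFFFFFFFFFF; whether that locks the principal out or quietly never expires depends on nt_time_to_unix(), which is outside this hunk, but neither outcome is intended, and Kerberos account validity is an access-control decision. Since the commit message defines the sentinel as an upper bound, `if (acct_expiry >= 0x7FFFFFFFFFFFFFFFULL) {` keeps legacy entries correct independently of how the helper is fixed. LDB_message2entry() continues beyond this hunk.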
--- a/source/kdc/pac-glue.c +++ b/source/kdc/pac-glue.c @@ -276,9 +276,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv, /* TODO: Need a more complete mapping of NTSTATUS to krb5kdc errors */ - if (!NT_STATUS_IS_OK(nt_status)) { + /* TODO: Also need to add the appropriate e-data struct of type + * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows + * the information it needs to display the appropriate dialog. */ + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE)) + return KRB5KDC_ERR_KEY_EXPIRED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) + return KRB5KDC_ERR_KEY_EXPIRED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED)) + return KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) + return KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS)) + return KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) + return KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION)) + return KRB5KDC_ERR_POLICY; + else if (!NT_STATUS_IS_OK(nt_status)) { return KRB5KDC_ERR_POLICY; } + return 0; } diff --git a/source/lib/ldb/tests/schema-tests/schema-add-test.ldif b/source/lib/ldb/tests/schema-tests/schema-add-test.ldif index 997b801..472ab48 100644 --- a/source/lib/ldb/tests/schema-tests/schema-add-test.ldif +++ b/source/lib/ldb/tests/schema-tests/schema-add-test.ldif @@ -46,7 +46,7 @@ pwdLastSet: 0 primaryGroupID: 513 objectSid: S-1-5-21-43662522-77495566-38969261-500 adminCount: 1 -accountExpires: -1 +accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: Administrator sAMAccountType: 0x30000000 diff --git a/source/setup/provision_templates.ldif b/source/setup/provision_templates.ldif index cc0ab21..8f4ed08 100644 --- a/source/setup/provision_templates.ldif +++ b/source/setup/provision_templates.ldif 
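Review bot: The mapping added to samba_kdc_check_client_access() reports account state to the client through distinct error codes (KRB5KDC_ERR_KEY_EXPIRED for an expired or must-change password, KRB5KDC_ERR_CLIENT_REVOKED for expired, disabled, locked-out and outside-logon-hours accounts, KRB5KDC_ERR_POLICY for a workstation restriction), and if this hook runs before pre-authentication has been verified (it appears to on the Heimdal AS-REQ path; worth confirming) anyone who can name a principal learns whether it is usable, which is exactly the feedback an account-enumeration or password-spraying tool looks for. Windows KDCs behave the same way, so this is a deliberate compatibility trade-off, but it should be recorded where the next maintainer will see it, e.g. `/* Distinct codes deliberately mirror a Windows KDC and disclose account state to unauthenticated clients; the planned PA-PW-SALT e-data will expose the full NTSTATUS. */`. As a matter of style, the pairs that return the same code can be joined with `||`, every branch returns so the `else` keywords are redundant, and the single-line bodies should carry braces like the final `else if` in the same chain does.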
@@ -27,7 +27,7 @@ lastLogoff: 0 lastLogon: 0 pwdLastSet: 0 primaryGroupID: 513 -accountExpires: -1 +accountExpires: 9223372036854775807 logonCount: 0 dn: CN=TemplateTrustingDomain,CN=Templates @@ -39,7 +39,7 @@ badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 -accountExpires: -1 +accountExpires: 9223372036854775807 logonCount: 0 dn: CN=TemplateGroup,CN=Templates diff --git a/source/setup/provision_users.ldif b/source/setup/provision_users.ldif index 4b053d9..5a24e07 100644 --- a/source/setup/provision_users.ldif +++ b/source/setup/provision_users.ldif @@ -5,7 +5,7 @@ description: Built-in account for administering the computer/domain userAccountControl: 66048 objectSid: ${DOMAINSID}-500 adminCount: 1 -accountExpires: -1 +accountExpires: 9223372036854775807 sAMAccountName: Administrator isCriticalSystemObject: TRUE sambaPassword:: ${ADMINPASS_B64} -- Samba Shared Repository