The branch, master has been updated via bf657db s4:sam.py - tests for "userAccountControl" attribute via 3411e71 s4:samldb LDB module - deny creation of temporary duplicate accounts via ed68189 s4:samldb LDB module - proof the account type also on LDB modify operations from 18ea6c5 ldb: Only build LIBLDB_MAIN when building ldb itself.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit bf657db3c45def4a5418a783dfad08e0247d1349 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Wed Oct 13 16:41:54 2010 +0200 s4:sam.py - tests for "userAccountControl" attribute Autobuild-User: Matthias Dieter Wallnöfer <m...@samba.org> Autobuild-Date: Wed Oct 13 17:31:29 UTC 2010 on sn-devel-104 commit 3411e71c76dd01ae505c0c87fa43b794e63c4091 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Wed Oct 13 17:06:28 2010 +0200 s4:samldb LDB module - deny creation of temporary duplicate accounts commit ed68189c5f6c39d075d4c08a92994acf5e5a9a51 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Wed Oct 13 16:32:50 2010 +0200 s4:samldb LDB module - proof the account type also on LDB modify operations ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/samldb.c | 20 ++ source4/dsdb/tests/python/sam.py | 451 ++++++++++++++++++++++++++++++- 2 files changed, 468 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index f35a56a..4d7b8a1 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -830,6 +830,12 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) /* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */ user_account_control = strtoul((const char *)el->values[0].data, NULL, 0); + + /* Temporary duplicate accounts aren't allowed */ + if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { + return LDB_ERR_OTHER; + } + account_type = ds_uf2atype(user_account_control); if (account_type == 0) { ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); @@ -1346,6 +1352,10 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) } account_type = ds_gtype2atype(group_type); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", account_type); @@ -1382,7 +1392,17 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) user_account_control = strtoul((const char *)el->values[0].data, NULL, 0); + + /* Temporary duplicate accounts aren't allowed */ + if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { + return LDB_ERR_OTHER; + } + account_type = ds_uf2atype(user_account_control); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", account_type); diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index fc5967c..1970673 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -23,13 +23,13 @@ from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX from ldb import ERR_NO_SUCH_ATTRIBUTE from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION -from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE +from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE, ERR_INSUFFICIENT_ACCESS_RIGHTS from ldb import Message, MessageElement, Dn from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE from samba import Ldb from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_INTERDOMAIN_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, - UF_PARTIAL_SECRETS_ACCOUNT, + UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT, UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP, GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP, @@ -96,6 +96,7 @@ class SamTests(unittest.TestCase): print "baseDN: %s\n" % self.base_dn self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=users," + self.base_dn) self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) @@ -571,7 +572,7 @@ class SamTests(unittest.TestCase): self.assertFalse("objectClass" in res1[0]) self.assertTrue("canonicalName" in res1[0]) - res1 = ldb.search("cn=users,"+self.base_dn, + res1 = ldb.search("cn=users," + self.base_dn, scope=SCOPE_BASE, attrs=["primaryGroupToken"]) self.assertTrue(len(res1) == 1) self.assertFalse("primaryGroupToken" in res1[0]) @@ -1237,6 +1238,450 @@ class SamTests(unittest.TestCase): self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + def test_userAccountControl(self): + """Test the userAccountControl behaviour""" + print "Testing userAccountControl behaviour\n" + + # With a user object + + # Add operation + + # As user you can only set a normal account. + # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a + # password yet. + # With SYSTEM rights you can set a interdomain trust account. + + # Invalid attribute + try: + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "userAccountControl": "0"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + +# This has to wait until s4 supports it (needs a password module change) +# try: +# ldb.add({ +# "dn": "cn=ldaptestuser,cn=users," + self.base_dn, +# "objectclass": ["user", "person"], +# "userAccountControl": str(UF_NORMAL_ACCOUNT)}) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) +# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)}) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + try: + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OTHER) + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + +# This isn't supported yet in s4 +# try: +# ldb.add({ +# "dn": "cn=ldaptestuser,cn=users," + self.base_dn, +# "objectclass": ["user", "person"], +# "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)}) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) +# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) +# +# try: +# ldb.add({ +# "dn": "cn=ldaptestuser,cn=users," + self.base_dn, +# "objectclass": ["user", "person"], +# "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)}) +# except LdbError, (num, _): +# self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) +# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + +# This isn't supported yet in s4 - needs ACL module adaption +# try: +# ldb.add({ +# "dn": "cn=ldaptestuser,cn=users," + self.base_dn, +# "objectclass": ["user", "person"], +# "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)}) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + # Modify operation + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + # After creation we should have a normal account + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + + # As user you can only switch from a normal account to a workstation + # trust account and back. + # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a + # password yet. + # With SYSTEM rights you can switch to a interdomain trust account. + + # Invalid attribute + try: + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement("0", + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + +# This has to wait until s4 supports it (needs a password module change) +# try: +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) +# m["userAccountControl"] = MessageElement( +# str(UF_NORMAL_ACCOUNT), +# FLAG_MOD_REPLACE, "userAccountControl") +# ldb.modify(m) +# except LdbError, (num, _): +# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + + try: + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_TEMP_DUPLICATE_ACCOUNT), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OTHER) + +# This isn't supported yet in s4 +# try: +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) +# m["userAccountControl"] = MessageElement( +# str(UF_SERVER_TRUST_ACCOUNT), +# FLAG_MOD_REPLACE, "userAccountControl") +# ldb.modify(m) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_WORKSTATION_TRUST_ACCOUNT), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_WORKSTATION_TRUST) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + +# This isn't supported yet in s4 - needs ACL module adaption +# try: +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) +# m["userAccountControl"] = MessageElement( +# str(UF_INTERDOMAIN_TRUST_ACCOUNT), +# FLAG_MOD_REPLACE, "userAccountControl") +# ldb.modify(m) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + + # With a computer object + + # Add operation + + # As computer you can set a normal account and a server trust account. + # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a + # password yet. + # With SYSTEM rights you can set a interdomain trust account. + + # Invalid attribute + try: + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": ["computer"], + "userAccountControl": "0"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + +# This has to wait until s4 supports it (needs a password module change) +# try: +# ldb.add({ +# "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, +# "objectclass": ["computer"], +# "userAccountControl": str(UF_NORMAL_ACCOUNT)}) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) +# self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": ["computer"], + "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)}) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + + try: + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": ["computer"], + "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OTHER) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": ["computer"], + "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)}) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_WORKSTATION_TRUST) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + + try: + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": ["computer"], + "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)}) + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + +# This isn't supported yet in s4 - needs ACL module adaption +# try: +# ldb.add({ +# "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, +# "objectclass": ["computer"], +# "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)}) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +# self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + + # Modify operation + + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": ["computer"]}) + + # After creation we should have a normal account + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + + # As computer you can switch from a normal account to a workstation + # or server trust account and back (also swapping between trust + # accounts is allowed). + # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a + # password yet. + # With SYSTEM rights you can switch to a interdomain trust account. + + # Invalid attribute + try: + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement("0", + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + +# This has to wait until s4 supports it (needs a password module change) +# try: +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) +# m["userAccountControl"] = MessageElement( +# str(UF_NORMAL_ACCOUNT), +# FLAG_MOD_REPLACE, "userAccountControl") +# ldb.modify(m) +# except LdbError, (num, _): +# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + + try: + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_TEMP_DUPLICATE_ACCOUNT), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OTHER) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_SERVER_TRUST_ACCOUNT), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_WORKSTATION_TRUST) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_WORKSTATION_TRUST_ACCOUNT), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_WORKSTATION_TRUST) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_SERVER_TRUST_ACCOUNT), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, attrs=["sAMAccountType"]) -- Samba Shared Repository