On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote: > Hi Andrew, > > please have a look at my "uac" branch - in particular to commit > b357e9377c698a20989c339d1459ed00a342cf2b.
Thanks, I'll autobuild those! Tide, Just to be doubly sure, can you confirm the attached patches fix your issue? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
>From fc062bce1d9d2a011e30b5a9a906bd0bdf9e9eab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= <m...@samba.org> Date: Sat, 21 Apr 2012 17:20:24 +0200 Subject: [PATCH 1/2] s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on add Windows Server 2008 has changed semantics in comparison to Server 2003. Reviewed-by: Andrew Bartlett <abart...@samba.org> --- source4/dsdb/samdb/ldb_modules/samldb.c | 14 ++++++++--- source4/dsdb/tests/python/sam.py | 44 +++++++++++++++++++-------------- 2 files changed, 37 insertions(+), 21 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index da9c966..cd13900 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) switch(ac->type) { case SAMLDB_TYPE_USER: { - bool uac_generated = false; + bool uac_generated = false, uac_add_flags = false; /* Step 1.2: Default values */ ret = samdb_find_or_add_attribute(ldb, ac->msg, @@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) return ret; } uac_generated = true; + uac_add_flags = true; } el = ldb_msg_find_element(ac->msg, "userAccountControl"); @@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) user_account_control = ldb_msg_find_attr_as_uint(ac->msg, "userAccountControl", 0); + /* "userAccountControl" = 0 means "UF_NORMAL_ACCOUNT" */ + if (user_account_control == 0) { + user_account_control = UF_NORMAL_ACCOUNT; + uac_generated = true; + } /* Temporary duplicate accounts aren't allowed */ if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { @@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) * has been generated here (tested against Windows * Server) */ if (uac_generated) { - user_account_control |= UF_ACCOUNTDISABLE; - user_account_control |= UF_PASSWD_NOTREQD; + if (uac_add_flags) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; + } ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, "userAccountControl", diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index c5727cd..df1915a 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. - # Invalid attribute - try: - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": "user", - "userAccountControl": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": "user", + "userAccountControl": "0"}) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) # This has to wait until s4 supports it (needs a password module change) @@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. - # Invalid attribute - try: - ldb.add({ - "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, - "objectclass": "computer", - "userAccountControl": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": "computer", + "userAccountControl": "0"}) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) # This has to wait until s4 supports it (needs a password module change) -- 1.7.11.7
>From 3917a697c5292eb50d594e7427988b64d0e0c4a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= <m...@samba.org> Date: Wed, 29 May 2013 22:17:35 +0200 Subject: [PATCH 2/2] s4:samldb LDB module - permit "userAccountControl" modifications without acct. type Obviously this defaults to UF_NORMAL_ACCOUNT. Some background can be found in MS-SAMR section 3.1.1.8.10. Reviewed-by: Andrew Bartlett <abart...@samba.org> --- source4/dsdb/samdb/ldb_modules/samldb.c | 28 ++++++++++++++++++++++++++-- source4/dsdb/tests/python/sam.py | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index cd13900..5bb0b61 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1517,8 +1517,32 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) account_type = ds_uf2atype(user_account_control); if (account_type == 0) { - ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); - return LDB_ERR_UNWILLING_TO_PERFORM; + char *tempstr; + + /* + * When there is no account type embedded in "userAccountControl" + * fall back to default "UF_NORMAL_ACCOUNT". + */ + if (user_account_control == 0) { + ldb_set_errstring(ldb, + "samldb: Invalid user account control value!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + user_account_control |= UF_NORMAL_ACCOUNT; + + tempstr = talloc_asprintf(ac->msg, "%d", user_account_control); + if (tempstr == NULL) { + return ldb_module_oom(ac->module); + } + + /* Overwrite "userAccountControl" with "UF_NORMAL_ACCOUNT" added */ + el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl", + ac->req->operation); + el->values[0].data = (uint8_t *) tempstr; + el->values[0].length = strlen(tempstr); + + account_type = ATYPE_NORMAL_ACCOUNT; } ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", account_type); diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index df1915a..361a108 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -1571,6 +1571,22 @@ class SamTests(samba.tests.TestCase): ATYPE_NORMAL_ACCOUNT) self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_ACCOUNTDISABLE), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0) + try: m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) @@ -1791,6 +1807,22 @@ class SamTests(samba.tests.TestCase): ATYPE_NORMAL_ACCOUNT) self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_ACCOUNTDISABLE), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0) + try: m = Message() m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) -- 1.7.11.7
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba