On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> please have a look at my "uac" branch - in particular to commit
> b357e9377c698a20989c339d1459ed00a342cf2b.
Thanks, I'll autobuild those!
Tide,
Just to be doubly sure, can you confirm the attached patches fix your
issue?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
>From fc062bce1d9d2a011e30b5a9a906bd0bdf9e9eab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= <m...@samba.org>
Date: Sat, 21 Apr 2012 17:20:24 +0200
Subject: [PATCH 1/2] s4:samldb LDB module - "userAccountControl" = 0 means
UF_NORMAL_ACCOUNT on add
Windows Server 2008 has changed semantics in comparison to Server 2003.
Reviewed-by: Andrew Bartlett <abart...@samba.org>
---
source4/dsdb/samdb/ldb_modules/samldb.c | 14 ++++++++---
source4/dsdb/tests/python/sam.py | 44 +++++++++++++++++++--------------
2 files changed, 37 insertions(+), 21 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index da9c966..cd13900 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
switch(ac->type) {
case SAMLDB_TYPE_USER: {
- bool uac_generated = false;
+ bool uac_generated = false, uac_add_flags = false;
/* Step 1.2: Default values */
ret = samdb_find_or_add_attribute(ldb, ac->msg,
@@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
return ret;
}
uac_generated = true;
+ uac_add_flags = true;
}
el = ldb_msg_find_element(ac->msg, "userAccountControl");
@@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
user_account_control = ldb_msg_find_attr_as_uint(ac->msg,
"userAccountControl",
0);
+ /* "userAccountControl" = 0 means "UF_NORMAL_ACCOUNT" */
+ if (user_account_control == 0) {
+ user_account_control = UF_NORMAL_ACCOUNT;
+ uac_generated = true;
+ }
/* Temporary duplicate accounts aren't allowed */
if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
@@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
* has been generated here (tested against Windows
* Server) */
if (uac_generated) {
- user_account_control |= UF_ACCOUNTDISABLE;
- user_account_control |= UF_PASSWD_NOTREQD;
+ if (uac_add_flags) {
+ user_account_control |= UF_ACCOUNTDISABLE;
+ user_account_control |= UF_PASSWD_NOTREQD;
+ }
ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
"userAccountControl",
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index c5727cd..df1915a 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase):
# password yet.
# With SYSTEM rights you can set a interdomain trust account.
- # Invalid attribute
- try:
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": "user",
- "userAccountControl": "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": "user",
+ "userAccountControl": "0"})
+
+ res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
+ self.assertTrue(len(res1) == 1)
+ self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+ ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
# This has to wait until s4 supports it (needs a password module change)
@@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase):
# password yet.
# With SYSTEM rights you can set a interdomain trust account.
- # Invalid attribute
- try:
- ldb.add({
- "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
- "objectclass": "computer",
- "userAccountControl": "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ ldb.add({
+ "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+ "objectclass": "computer",
+ "userAccountControl": "0"})
+
+ res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
+ self.assertTrue(len(res1) == 1)
+ self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+ ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
# This has to wait until s4 supports it (needs a password module change)
--
1.7.11.7
>From 3917a697c5292eb50d594e7427988b64d0e0c4a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= <m...@samba.org>
Date: Wed, 29 May 2013 22:17:35 +0200
Subject: [PATCH 2/2] s4:samldb LDB module - permit "userAccountControl"
modifications without acct. type
Obviously this defaults to UF_NORMAL_ACCOUNT. Some background can be found in
MS-SAMR section 3.1.1.8.10.
Reviewed-by: Andrew Bartlett <abart...@samba.org>
---
source4/dsdb/samdb/ldb_modules/samldb.c | 28 ++++++++++++++++++++++++++--
source4/dsdb/tests/python/sam.py | 32 ++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 2 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index cd13900..5bb0b61 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1517,8 +1517,32 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
account_type = ds_uf2atype(user_account_control);
if (account_type == 0) {
- ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
+ char *tempstr;
+
+ /*
+ * When there is no account type embedded in "userAccountControl"
+ * fall back to default "UF_NORMAL_ACCOUNT".
+ */
+ if (user_account_control == 0) {
+ ldb_set_errstring(ldb,
+ "samldb: Invalid user account control value!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ user_account_control |= UF_NORMAL_ACCOUNT;
+
+ tempstr = talloc_asprintf(ac->msg, "%d", user_account_control);
+ if (tempstr == NULL) {
+ return ldb_module_oom(ac->module);
+ }
+
+ /* Overwrite "userAccountControl" with "UF_NORMAL_ACCOUNT" added */
+ el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl",
+ ac->req->operation);
+ el->values[0].data = (uint8_t *) tempstr;
+ el->values[0].length = strlen(tempstr);
+
+ account_type = ATYPE_NORMAL_ACCOUNT;
}
ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType",
account_type);
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index df1915a..361a108 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -1571,6 +1571,22 @@ class SamTests(samba.tests.TestCase):
ATYPE_NORMAL_ACCOUNT)
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["userAccountControl"] = MessageElement(
+ str(UF_ACCOUNTDISABLE),
+ FLAG_MOD_REPLACE, "userAccountControl")
+ ldb.modify(m)
+
+ res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
+ self.assertTrue(len(res1) == 1)
+ self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+ ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
+
try:
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
@@ -1791,6 +1807,22 @@ class SamTests(samba.tests.TestCase):
ATYPE_NORMAL_ACCOUNT)
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ m["userAccountControl"] = MessageElement(
+ str(UF_ACCOUNTDISABLE),
+ FLAG_MOD_REPLACE, "userAccountControl")
+ ldb.modify(m)
+
+ res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
+ self.assertTrue(len(res1) == 1)
+ self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+ ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
+
try:
m = Message()
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
--
1.7.11.7
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
