Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-06-09 Thread Matthias Dieter Wallnöfer

Hi Andrew,

please have a look at the two top-most patches in my master branch.

Matthias

Andrew Bartlett wrote:

On Wed, 2013-06-05 at 13:16 +0800, Tide wrote:

Yes, it fixed it, user can be disabled from mail system now (although it does not
save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202
in current patch)).

Thank you guys!

Thanks, that's in master now.

Matthias,

Can you look into the 0x800000 bit?

Thanks,

Andrew Bartlett



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-06-09 Thread Andrew Bartlett
On Sun, 2013-06-09 at 11:41 +0200, Matthias Dieter Wallnöfer wrote:
 Hi Andrew,
 
 please have a look at the two top-most patches in my master branch.
 
 Matthias

These look good, I'm autobuilding these now!

Thanks,

Andrew Bartlett


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-06-04 Thread Andrew Bartlett
On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote:
 Hi Andrew,
 
 please have a look at my uac branch - in particular to commit 
 b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks, I'll autobuild those!

Tide,

Just to be doubly sure, can you confirm the attached patches fix your
issue?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From fc062bce1d9d2a011e30b5a9a906bd0bdf9e9eab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= m...@samba.org
Date: Sat, 21 Apr 2012 17:20:24 +0200
Subject: [PATCH 1/2] s4:samldb LDB module - userAccountControl = 0 means
 UF_NORMAL_ACCOUNT on add

Windows Server 2008 has changed semantics in comparison to Server 2003.

Reviewed-by: Andrew Bartlett abart...@samba.org
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 14 ---
 source4/dsdb/tests/python/sam.py| 44 +++--
 2 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index da9c966..cd13900 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 
 	switch(ac-type) {
 	case SAMLDB_TYPE_USER: {
-		bool uac_generated = false;
+		bool uac_generated = false, uac_add_flags = false;
 
 		/* Step 1.2: Default values */
 		ret = samdb_find_or_add_attribute(ldb, ac-msg,
@@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 return ret;
 			}
 			uac_generated = true;
+			uac_add_flags = true;
 		}
 
 		el = ldb_msg_find_element(ac-msg, userAccountControl);
@@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 			user_account_control = ldb_msg_find_attr_as_uint(ac-msg,
 	 userAccountControl,
 	 0);
+			/* userAccountControl = 0 means UF_NORMAL_ACCOUNT */
+			if (user_account_control == 0) {
+user_account_control = UF_NORMAL_ACCOUNT;
+uac_generated = true;
+			}
 
 			/* Temporary duplicate accounts aren't allowed */
 			if ((user_account_control  UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
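Review bot: The new user_account_control == 0 check covers only an exact zero, so a non-zero value that carries no account-type bit is still passed on unchanged to the checks that follow. That is the case reported in this thread (0x800002, i.e. 8388610), and per the subject line this change is for the add path, while the report was a modify through ldbedit. If patch 2/2 handles the non-zero and modify cases, say so in the commit message; otherwise consider testing for the absence of any account-type bit instead of comparing the whole value with 0.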
@@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 			 * has been generated here (tested against Windows
 			 * Server) */
 			if (uac_generated) {
-user_account_control |= UF_ACCOUNTDISABLE;
-user_account_control |= UF_PASSWD_NOTREQD;
+if (uac_add_flags) {
+	user_account_control |= UF_ACCOUNTDISABLE;
+	user_account_control |= UF_PASSWD_NOTREQD;
+}
 
 ret = samdb_msg_set_uint(ldb, ac-msg, ac-msg,
 			 userAccountControl,
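Review bot: The context comment above if (uac_generated) still says the value "has been generated here", but after this change uac_generated is also set when the client supplied userAccountControl = 0, and the two flags are only added under uac_add_flags. Move that comment onto the inner if (uac_add_flags) block and add a line stating that the outer branch now also writes back the normalised client value, or rename uac_generated so it reads as "write the value back".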
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index c5727cd..df1915a 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase):
 # password yet.
 # With SYSTEM rights you can set a interdomain trust account.
 
-# Invalid attribute
-try:
-ldb.add({
-dn: cn=ldaptestuser,cn=users, + self.base_dn,
-objectclass: user,
-userAccountControl: 0})
-self.fail()
-except LdbError, (num, _):
-self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ldb.add({
+dn: cn=ldaptestuser,cn=users, + self.base_dn,
+objectclass: user,
+userAccountControl: 0})
+
+res1 = ldb.search(cn=ldaptestuser,cn=users, + self.base_dn,
+  scope=SCOPE_BASE,
+  attrs=[sAMAccountType, userAccountControl])
+self.assertTrue(len(res1) == 1)
+self.assertEquals(int(res1[0][sAMAccountType][0]),
+  ATYPE_NORMAL_ACCOUNT)
+self.assertTrue(int(res1[0][userAccountControl][0])  UF_ACCOUNTDISABLE == 0)
+self.assertTrue(int(res1[0][userAccountControl][0])  UF_PASSWD_NOTREQD == 0)
 delete_force(self.ldb, cn=ldaptestuser,cn=users, + self.base_dn)
 
 # This has to wait until s4 supports it (needs a password module change)
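Review bot: The replacement test for the user case checks sAMAccountType and that UF_ACCOUNTDISABLE and UF_PASSWD_NOTREQD are clear, but it never asserts that the stored userAccountControl has UF_NORMAL_ACCOUNT set, which is what the commit subject promises. Add an assertion on that bit (or on the exact stored value) so a regression that stores 0 is caught. assertEquals(len(res1), 1) would also give a more useful failure message than assertTrue(len(res1) == 1).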
@@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase):
 # password yet.
 # With SYSTEM rights you can set a interdomain trust account.
 
-# Invalid attribute
-try:
-ldb.add({
-dn: cn=ldaptestcomputer,cn=computers, + self.base_dn,
-objectclass: computer,
-userAccountControl: 0})
-self.fail()
-except LdbError, (num, _):
-self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ldb.add({
+dn: cn=ldaptestcomputer,cn=computers, + self.base_dn,
+objectclass: computer,
+userAccountControl: 0})
+
+res1 = ldb.search(cn=ldaptestcomputer,cn=computers, + self.base_dn,
+   

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-06-04 Thread Tide
Yes, it fixed it, user can be disabled from mail system now (although it does
not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 ->
0x800202 in current patch)).

Thank you guys!

-- Original --
From:  Andrew Bartlett <abart...@samba.org>;
Date:  Wed, Jun 5, 2013 07:34 AM
To:  Matthias Dieter Wallnöfer <m...@samba.org>; Tide <lovet...@qq.com>;
Cc:  samba <samba@lists.samba.org>;
samba-technical <samba-techni...@samba.org>;
Subject:  Re: [Samba] userAccountControl can't be set to 0x800002
(8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account
type


On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote:
 Hi Andrew,
 
 please have a look at my uac branch - in particular to commit 
 b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks, I'll autobuild those!

Tide,

Just to be doubly sure, can you confirm the attached patches fix your
issue?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-06-04 Thread Andrew Bartlett
On Wed, 2013-06-05 at 13:16 +0800, Tide wrote:
 Yes, it fixed it, user can be disabled from mail system now (although it
 does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002
 -> 0x800202 in current patch)).
 
 Thank you guys!

Thanks, that's in master now. 

Matthias,

Can you look into the 0x800000 bit?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-06-02 Thread Matthias Dieter Wallnöfer

Hi Andrew,

please have a look at my uac branch - in particular to commit 
b357e9377c698a20989c339d1459ed00a342cf2b.


Thanks,
Matthias

Andrew Bartlett wrote:

Matthias,

Any chance you can look into this for me?

Thanks,

On Tue, 2013-05-28 at 15:56 +0800, Tide wrote:

the userAccountControl value becomes 0x202 (514) after 0x800002 was written to
active directory of windows server 2003, so it looks like UF_NORMAL_ACCOUNT 
(0x200) is really implied.

 Original --
From:  Andrew Bartlett <abart...@samba.org>;
Date:  Tue, May 28, 2013 10:50 AM
To:  Tide <lovet...@qq.com>;
Cc:  samba <samba@lists.samba.org>;
Subject:  Re: [Samba] userAccountControl can't be set to 0x800002
(8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account
type


On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:

We have a third party mail system which can write/read accounts to/from AD 
using ldaps protocol, it works fine with active directory of windows server 
2003.

When I test the mail system with samba4 DC, I can't disable user from the mail system, 
because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED)
to userAccountControl field of AD/samba4, and samldb returns Unrecognized account 
type error.

Is this expected behaviour or a possible bug?

# test from command line
ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
sAMAccountName=YOUR_ACCOUNT userAccountControl
# then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.
We need to know what the value becomes after you do this against
windows, then we need the tests updated to cover this case.

Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?

Thanks,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-05-28 Thread Tide
the userAccountControl value becomes 0x202 (514) after 0x800002 was written to
active directory of windows server 2003, so it looks like UF_NORMAL_ACCOUNT 
(0x200) is really implied.

 Original --
From:  Andrew Bartlett <abart...@samba.org>;
Date:  Tue, May 28, 2013 10:50 AM
To:  Tide <lovet...@qq.com>;
Cc:  samba <samba@lists.samba.org>;
Subject:  Re: [Samba] userAccountControl can't be set to 0x800002
(8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account
type


On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
 We have a third party mail system which can write/read accounts to/from AD 
 using ldaps protocol, it works fine with active directory of windows server 
 2003.
 
 When I test the mail system with samba4 DC, I can't disable user from the 
 mail system, because the mail system writes 0x800002
 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field
 of AD/samba4, and samldb returns Unrecognized account type error.
 
 Is this expected behaviour or a possible bug?
 
 # test from command line
 ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
 sAMAccountName=YOUR_ACCOUNT userAccountControl
 # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.
We need to know what the value becomes after you do this against
windows, then we need the tests updated to cover this case.

Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-05-28 Thread Andrew Bartlett
Matthias,

Any chance you can look into this for me?

Thanks,

On Tue, 2013-05-28 at 15:56 +0800, Tide wrote:
 the userAccountControl value becomes 0x202 (514) after 0x800002 was written
 to active directory of windows server 2003, so it looks like 
 UF_NORMAL_ACCOUNT (0x200) is really implied.
 
  Original --
 From:  Andrew Bartlett <abart...@samba.org>;
 Date:  Tue, May 28, 2013 10:50 AM
 To:  Tide <lovet...@qq.com>;
 Cc:  samba <samba@lists.samba.org>;
 Subject:  Re: [Samba] userAccountControl can't be set to 0x800002
 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized
 account type
 
 
 On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
  We have a third party mail system which can write/read accounts to/from AD 
  using ldaps protocol, it works fine with active directory of windows server 
  2003.
  
  When I test the mail system with samba4 DC, I can't disable user from the 
  mail system, because the mail system writes 0x800002
  (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl
  field of AD/samba4, and samldb returns Unrecognized account type error.
  
  Is this expected behaviour or a possible bug?
  
  # test from command line
  ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
  sAMAccountName=YOUR_ACCOUNT userAccountControl
  # then change userAccountControl to 8388610, save, quit editor
 
 If it works against Windows and doesn't work against Samba, it's a bug.
 We need to know what the value becomes after you do this against
 windows, then we need the tests updated to cover this case.
 
 Presumably the UF_NORMAL_ACCOUNT flag is implied.
 
 Once that's done, it shouldn't be too hard to also imply it.
 
 Any chance you can look into this for us?  
 
 Thanks,
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett                                http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-05-27 Thread Tide
We have a third party mail system which can write/read accounts to/from AD 
using ldaps protocol, it works fine with active directory of windows server 
2003.

When I test the mail system with samba4 DC, I can't disable user from the mail 
system, because the mail system writes 0x800002 (8388610, UF_ACCOUNTDISABLED |
UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb 
returns Unrecognized account type error.

Is this expected behaviour or a possible bug?

# test from command line
ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
sAMAccountName=YOUR_ACCOUNT userAccountControl
# then change userAccountControl to 8388610, save, quit editor


Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

2013-05-27 Thread Andrew Bartlett
On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
 We have a third party mail system which can write/read accounts to/from AD 
 using ldaps protocol, it works fine with active directory of windows server 
 2003.
 
 When I test the mail system with samba4 DC, I can't disable user from the 
 mail system, because the mail system writes 0x800002
 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field
 of AD/samba4, and samldb returns Unrecognized account type error.
 
 Is this expected behaviour or a possible bug?
 
 # test from command line
 ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
 sAMAccountName=YOUR_ACCOUNT userAccountControl
 # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.
We need to know what the value becomes after you do this against
windows, then we need the tests updated to cover this case.

Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
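
The flag arithmetic discussed in this thread, as an added Python example (not Samba's code and not written by any poster): it decodes a userAccountControl value and applies the "UF_NORMAL_ACCOUNT is implied" rule. The function names, the account-type mask and the drop_password_expired switch are assumptions made for illustration; 0x800002, 0x202 and 0x800202 are the values reported in the thread.

```python
# Added illustration; not Samba code. Bit values are the standard
# userAccountControl flags, named as in the patch (UF_*).
UF_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00800000: "UF_PASSWORD_EXPIRED",
}
UF_NORMAL_ACCOUNT = 0x200
UF_PASSWORD_EXPIRED = 0x800000
# Assumed mask: the bits that say what kind of account this is.
ACCOUNT_TYPE_MASK = 0x100 | 0x200 | 0x800 | 0x1000 | 0x2000


def decode_uac(value):
    """Return (known flag names, leftover bits not in UF_FLAGS)."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)
    return names, unknown


def normalize_uac(value, drop_password_expired=False):
    """Imply UF_NORMAL_ACCOUNT when the client sent no account-type bit.

    drop_password_expired=True models what Tide observed on Windows
    Server 2003 (0x800002 stored as 0x202); False models the value
    reported with the patch applied (0x800202).
    """
    if value & ACCOUNT_TYPE_MASK == 0:
        value |= UF_NORMAL_ACCOUNT
    if drop_password_expired:
        value &= ~UF_PASSWORD_EXPIRED
    return value


if __name__ == "__main__":
    # 0x800002 and 0 come from the thread; 0x1000 is a constructed
    # workstation-account value that must pass through unchanged.
    for raw in (0x800002, 0, 0x1000):
        fixed = normalize_uac(raw)
        print(hex(raw), "->", hex(fixed), decode_uac(fixed)[0])
```

Running decode_uac over the userAccountControl values exported from a directory is a quick way to spot accounts whose stored value has no account-type bit or carries bits outside the table.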

