Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
Hi Andrew,

please have a look at the two top-most patches in my master branch.

Matthias

Andrew Bartlett wrote:
> On Wed, 2013-06-05 at 13:16 +0800, Tide wrote:
>> Yes, it fixed it, user can be disabled from mail system now ( although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch) ). Thank you guys!
>
> Thanks, that's in master now.
>
> Matthias,
>
> Can you look into the 0x800000 bit?
>
> Thanks,
>
> Andrew Bartlett

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
On Sun, 2013-06-09 at 11:41 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> please have a look at the two top-most patches in my master branch.
>
> Matthias

These look good, I'm autobuilding these now!

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote: Hi Andrew, please have a look at my uac branch - in particular to commit b357e9377c698a20989c339d1459ed00a342cf2b. Thanks, I'll autobuild those! Tide, Just to be doubly sure, can you confirm the attached patches fix your issue? Thanks, Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org From fc062bce1d9d2a011e30b5a9a906bd0bdf9e9eab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Dieter=20Walln=C3=B6fer?= m...@samba.org Date: Sat, 21 Apr 2012 17:20:24 +0200 Subject: [PATCH 1/2] s4:samldb LDB module - userAccountControl = 0 means UF_NORMAL_ACCOUNT on add Windows Server 2008 has changed semantics in comparison to Server 2003. Reviewed-by: Andrew Bartlett abart...@samba.org --- source4/dsdb/samdb/ldb_modules/samldb.c | 14 --- source4/dsdb/tests/python/sam.py| 44 +++-- 2 files changed, 37 insertions(+), 21 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index da9c966..cd13900 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) switch(ac-type) { case SAMLDB_TYPE_USER: { - bool uac_generated = false; + bool uac_generated = false, uac_add_flags = false; /* Step 1.2: Default values */ ret = samdb_find_or_add_attribute(ldb, ac-msg, @@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) return ret; } uac_generated = true; + uac_add_flags = true; } el = ldb_msg_find_element(ac-msg, userAccountControl); 
@@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) user_account_control = ldb_msg_find_attr_as_uint(ac-msg, userAccountControl, 0); + /* userAccountControl = 0 means UF_NORMAL_ACCOUNT */ + if (user_account_control == 0) { +user_account_control = UF_NORMAL_ACCOUNT; +uac_generated = true; + } /* Temporary duplicate accounts aren't allowed */ if ((user_account_control UF_TEMP_DUPLICATE_ACCOUNT) != 0) { @@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) * has been generated here (tested against Windows * Server) */ if (uac_generated) { -user_account_control |= UF_ACCOUNTDISABLE; -user_account_control |= UF_PASSWD_NOTREQD; +if (uac_add_flags) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; +} ret = samdb_msg_set_uint(ldb, ac-msg, ac-msg, userAccountControl, diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index c5727cd..df1915a 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py 
@@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. -# Invalid attribute -try: -ldb.add({ -dn: cn=ldaptestuser,cn=users, + self.base_dn, -objectclass: user, -userAccountControl: 0}) -self.fail() -except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) +ldb.add({ +dn: cn=ldaptestuser,cn=users, + self.base_dn, +objectclass: user, +userAccountControl: 0}) + +res1 = ldb.search(cn=ldaptestuser,cn=users, + self.base_dn, + scope=SCOPE_BASE, + attrs=[sAMAccountType, userAccountControl]) +self.assertTrue(len(res1) == 1) +self.assertEquals(int(res1[0][sAMAccountType][0]), + ATYPE_NORMAL_ACCOUNT) +self.assertTrue(int(res1[0][userAccountControl][0]) UF_ACCOUNTDISABLE == 0) +self.assertTrue(int(res1[0][userAccountControl][0]) UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, cn=ldaptestuser,cn=users, + self.base_dn) # This has to wait until s4 supports it (needs a password module change) @@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. -# Invalid attribute -try: -ldb.add({ -dn: cn=ldaptestcomputer,cn=computers, + self.base_dn, -objectclass: computer, -userAccountControl: 0}) -self.fail() -except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) +ldb.add({ +dn: cn=ldaptestcomputer,cn=computers, + self.base_dn, +objectclass: computer, +userAccountControl: 0}) + +res1 = ldb.search(cn=ldaptestcomputer,cn=computers, + self.base_dn, +
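Review bot: In the samldb.c hunk at -1043, the new check fires only for `user_account_control == 0`, while the report that started this thread is a write of 0x800002, which has flag bits set but no account-type bit, and which arrives as a modify rather than an add. If that case is covered by patch 2/2, the commit message should say so; otherwise the test should be "no account-type bit set" rather than "equals zero". The commit message also states that Server 2008 changed semantics without saying what Server 2003 returned for the same add, which is worth recording next to the test change.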
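Review bot: In the samldb.c hunk at -1124, the two booleans now overlap in a way the surrounding comment does not explain: `uac_generated` has come to mean "write the value back to the message" and `uac_add_flags` means "the attribute was absent and defaulted", yet the comment above the block still reads "has been generated here". Update that comment to describe both cases, or rename the flags so the distinction is visible at the point of use. In the -990 hunk, `bool uac_generated = false, uac_add_flags = false;` would read better as two declarations.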
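Review bot: In the sam.py hunk at -1425, nothing asserts that the stored userAccountControl actually has UF_NORMAL_ACCOUNT set, which is the behaviour the commit subject names. The new assertions check sAMAccountType and that UF_ACCOUNTDISABLE and UF_PASSWD_NOTREQD are clear, so a regression that stored 0 with a correct sAMAccountType would still pass. Add an assertion on that bit, and use assertEquals(len(res1), 1) instead of assertTrue(len(res1) == 1) so a failure reports the actual count.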
Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
Yes, it fixed it, user can be disabled from mail system now ( although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch) ). Thank you guys!

-- Original --
From: Andrew Bartlett <abart...@samba.org>
Date: Wed, Jun 5, 2013 07:34 AM
To: Matthias Dieter Wallnöfer <m...@samba.org>; Tide <lovet...@qq.com>
Cc: samba <samba@lists.samba.org>; samba-technical <samba-techni...@samba.org>
Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

On Wed, 2013-05-29 at 22:23 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> please have a look at my uac branch - in particular to commit b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks, I'll autobuild those!

Tide,

Just to be doubly sure, can you confirm the attached patches fix your issue?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
On Wed, 2013-06-05 at 13:16 +0800, Tide wrote:
> Yes, it fixed it, user can be disabled from mail system now ( although it does not save the same value as AD saved (0x800002 -> 0x202 in AD, 0x800002 -> 0x800202 in current patch) ). Thank you guys!

Thanks, that's in master now.

Matthias,

Can you look into the 0x800000 bit?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
Hi Andrew,

please have a look at my uac branch - in particular to commit b357e9377c698a20989c339d1459ed00a342cf2b.

Thanks,

Matthias

Andrew Bartlett wrote:
> Matthias,
>
> Any chance you can look into this for me?
>
> Thanks,
>
> On Tue, 2013-05-28 at 15:56 +0800, Tide wrote:
>> the userAccountControl value becomes 0x202 (514) after 0x800002 was written to active directory of windows server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.
>>
>> -- Original --
>> From: Andrew Bartlett <abart...@samba.org>
>> Date: Tue, May 28, 2013 10:50 AM
>> To: Tide <lovet...@qq.com>
>> Cc: samba <samba@lists.samba.org>
>> Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
>>
>> On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
>>> We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003. When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system writes 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns Unrecognized account type error. Is this expected behaviour or a possible bug?
>>>
>>> # test from command line
>>> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
>>> # then change userAccountControl to 8388610, save, quit editor
>>
>> If it works against Windows and doesn't work against Samba, it's a bug.
>>
>> We need to know what the value becomes after you do this against windows, then we need the tests updated to cover this case. Presumably the UF_NORMAL_ACCOUNT flag is implied. Once that's done, it shouldn't be too hard to also imply it.
>>
>> Any chance you can look into this for us?
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
the userAccountControl value becomes 0x202 (514) after 0x800002 was written to active directory of windows server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.

-- Original --
From: Andrew Bartlett <abart...@samba.org>
Date: Tue, May 28, 2013 10:50 AM
To: Tide <lovet...@qq.com>
Cc: samba <samba@lists.samba.org>
Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type

On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
> We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003. When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system writes 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns Unrecognized account type error. Is this expected behaviour or a possible bug?
>
> # test from command line
> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
> # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.

We need to know what the value becomes after you do this against windows, then we need the tests updated to cover this case. Presumably the UF_NORMAL_ACCOUNT flag is implied. Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
Matthias,

Any chance you can look into this for me?

Thanks,

On Tue, 2013-05-28 at 15:56 +0800, Tide wrote:
> the userAccountControl value becomes 0x202 (514) after 0x800002 was written to active directory of windows server 2003, so it looks like UF_NORMAL_ACCOUNT (0x200) is really implied.
>
> -- Original --
> From: Andrew Bartlett <abart...@samba.org>
> Date: Tue, May 28, 2013 10:50 AM
> To: Tide <lovet...@qq.com>
> Cc: samba <samba@lists.samba.org>
> Subject: Re: [Samba] userAccountControl can't be set to 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
>
> On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
>> We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003. When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system writes 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns Unrecognized account type error. Is this expected behaviour or a possible bug?
>>
>> # test from command line
>> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
>> # then change userAccountControl to 8388610, save, quit editor
>
> If it works against Windows and doesn't work against Samba, it's a bug.
>
> We need to know what the value becomes after you do this against windows, then we need the tests updated to cover this case. Presumably the UF_NORMAL_ACCOUNT flag is implied. Once that's done, it shouldn't be too hard to also imply it.
>
> Any chance you can look into this for us?
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003. When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system writes 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns Unrecognized account type error. Is this expected behaviour or a possible bug?

# test from command line
ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
# then change userAccountControl to 8388610, save, quit editor

Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):samldb: Unrecognized account type
On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
> We have a third party mail system which can write/read accounts to/from AD using ldaps protocol, it works fine with active directory of windows server 2003. When I test the mail system with samba4 DC, I can't disable user from the mail system, because the mail system writes 0x800002 (8388610,UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to userAccountControl field of AD/samba4, and samldb returns Unrecognized account type error. Is this expected behaviour or a possible bug?
>
> # test from command line
> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb sAMAccountName=YOUR_ACCOUNT userAccountControl
> # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.

We need to know what the value becomes after you do this against windows, then we need the tests updated to cover this case. Presumably the UF_NORMAL_ACCOUNT flag is implied. Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
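
Added example, not part of the thread and not Samba's code: a small decoder that takes the value the mail system wrote (0x800002) and the two stored results reported above (0x202 on AD, 0x800202 on patched Samba), and shows which bits were implied or dropped and whether the account still ends up disabled. The helper names `imply_account_type` and `audit` are hypothetical; the flag values are the standard userAccountControl bits.

```python
# Standard userAccountControl bit values (subset relevant to this thread).
UF = {
    "UF_ACCOUNTDISABLE": 0x00000002,
    "UF_PASSWD_NOTREQD": 0x00000020,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "UF_NORMAL_ACCOUNT": 0x00000200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "UF_SERVER_TRUST_ACCOUNT": 0x00002000,
    "UF_PASSWORD_EXPIRED": 0x00800000,
}
# Bits that identify the account type.
ACCOUNT_TYPE_BITS = (UF["UF_TEMP_DUPLICATE_ACCOUNT"] | UF["UF_NORMAL_ACCOUNT"]
                     | UF["UF_INTERDOMAIN_TRUST_ACCOUNT"]
                     | UF["UF_WORKSTATION_TRUST_ACCOUNT"]
                     | UF["UF_SERVER_TRUST_ACCOUNT"])


def decode(uac):
    """Return (names of known flags set in uac, bits not in the table)."""
    names = [name for name, bit in UF.items() if uac & bit]
    return names, uac & ~sum(UF.values())


def imply_account_type(uac):
    """Hypothetical helper: default to UF_NORMAL_ACCOUNT when no type bit is set."""
    if (uac & ACCOUNT_TYPE_BITS) == 0:
        return uac | UF["UF_NORMAL_ACCOUNT"]
    return uac


def audit(requested, stored):
    """Hypothetical helper: compare a client's write with the stored value."""
    expected = imply_account_type(requested)
    return {
        "type_implied": (requested & ACCOUNT_TYPE_BITS) == 0
                        and (stored & ACCOUNT_TYPE_BITS) != 0,
        "dropped": decode(expected & ~stored)[0],
        "added": decode(stored & ~expected)[0],
        "still_disabled": bool(stored & UF["UF_ACCOUNTDISABLE"]),
    }


if __name__ == "__main__":
    # Values reported in the thread: the client wrote 0x800002.
    for label, stored in (("AD 2003", 0x202), ("patched Samba", 0x800202)):
        print(label, hex(stored), audit(0x800002, stored))
```

The `still_disabled` field is the one to watch when a provisioning system relies on this write to lock an account: both stored values keep UF_ACCOUNTDISABLE even though they differ in the 0x800000 bit.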