diff options
author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2012-04-21 17:20:24 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2013-06-05 01:36:23 +0200 |
commit | 62ee2a5caf8b8e7750a650c7ebc9729beda48a89 (patch) | |
tree | 0563e68a778559bbf0ac4fd67824fe8b5c34d577 | |
parent | ad383ac8887eb5d44c2f2396e25a167c66b02ae6 (diff) | |
download | samba-62ee2a5caf8b8e7750a650c7ebc9729beda48a89.tar.gz samba-62ee2a5caf8b8e7750a650c7ebc9729beda48a89.tar.bz2 samba-62ee2a5caf8b8e7750a650c7ebc9729beda48a89.zip |
s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on add
Windows Server 2008 has changed semantics in comparison to Server 2003.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 14 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/sam.py | 44 |
2 files changed, 37 insertions, 21 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index da9c966ddd..cd13900bf5 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) switch(ac->type) { case SAMLDB_TYPE_USER: { - bool uac_generated = false; + bool uac_generated = false, uac_add_flags = false; /* Step 1.2: Default values */ ret = samdb_find_or_add_attribute(ldb, ac->msg, @@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) return ret; } uac_generated = true; + uac_add_flags = true; } el = ldb_msg_find_element(ac->msg, "userAccountControl"); @@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) user_account_control = ldb_msg_find_attr_as_uint(ac->msg, "userAccountControl", 0); + /* "userAccountControl" = 0 means "UF_NORMAL_ACCOUNT" */ + if (user_account_control == 0) { + user_account_control = UF_NORMAL_ACCOUNT; + uac_generated = true; + } /* Temporary duplicate accounts aren't allowed */ if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { @@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) * has been generated here (tested against Windows * Server) */ if (uac_generated) { - user_account_control |= UF_ACCOUNTDISABLE; - user_account_control |= UF_PASSWD_NOTREQD; + if (uac_add_flags) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; + } ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, "userAccountControl", diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index c5727cd080..df1915a899 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. - # Invalid attribute - try: - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": "user", - "userAccountControl": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": "user", + "userAccountControl": "0"}) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) # This has to wait until s4 supports it (needs a password module change) @@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. - # Invalid attribute - try: - ldb.add({ - "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, - "objectclass": "computer", - "userAccountControl": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": "computer", + "userAccountControl": "0"}) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) # This has to wait until s4 supports it (needs a password module change) |