diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2008-08-26 16:26:08 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2008-08-26 16:26:08 +1000 |
| commit | f08786686c0bf2440e35ce29b8e0b1a2f116fe3a (patch) | |
| tree | fd7ac6f7cd8528c550952731347f03397c70df77 /source4/ntp_signd/ntp_signd.c | |
| parent | b5a3f45f645204bcc3d6caa47993b7839c8e4c99 (diff) | |
| parent | 4eba234a7352094e1640e8ff9d80a20f8d4705a3 (diff) | |
| download | samba-f08786686c0bf2440e35ce29b8e0b1a2f116fe3a.tar.gz samba-f08786686c0bf2440e35ce29b8e0b1a2f116fe3a.tar.bz2 samba-f08786686c0bf2440e35ce29b8e0b1a2f116fe3a.zip | |
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify
(This used to be commit b706708210a05d6f10474a3cd2bbc550704d4356)
Diffstat (limited to 'source4/ntp_signd/ntp_signd.c')
| -rw-r--r-- | source4/ntp_signd/ntp_signd.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c index c1ac7dbcf4..546743e4e6 100644 --- a/source4/ntp_signd/ntp_signd.c +++ b/source4/ntp_signd/ntp_signd.c @@ -123,7 +123,7 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) struct signed_reply signed_reply; enum ndr_err_code ndr_err; struct ldb_result *res; - const char *attrs[] = { "unicodePwd", "userAccountControl", NULL }; + const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL }; struct MD5Context ctx; struct samr_Password *nt_hash; uint32_t user_account_control; @@ -168,7 +168,7 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) ret = ldb_search_exp_fmt(ntp_signdconn->ntp_signd->samdb, tmp_ctx, &res, samdb_base_dn(ntp_signdconn->ntp_signd->samdb), - LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=computer))", + LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=user))", dom_sid_string(tmp_ctx, sid)); if (ret != LDB_SUCCESS) { DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: %s\n", dom_sid_string(tmp_ctx, sid), @@ -188,7 +188,13 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0); if (user_account_control & UF_ACCOUNTDISABLE) { - DEBUG(1, ("Account for SID [%s] is disabled\n", dom_sid_string(tmp_ctx, sid))); + DEBUG(1, ("Account %s for SID [%s] is disabled\n", ldb_dn_get_linearized(res->msgs[0]->dn), dom_sid_string(tmp_ctx, sid))); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + + if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) { + DEBUG(1, ("Account %s for SID [%s] is not a trust account\n", ldb_dn_get_linearized(res->msgs[0]->dn), dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_ACCESS_DENIED; } |