summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2012-04-21 17:20:24 +0200
committerAndrew Bartlett <abartlet@samba.org>2013-06-05 01:36:23 +0200
commit62ee2a5caf8b8e7750a650c7ebc9729beda48a89 (patch)
tree0563e68a778559bbf0ac4fd67824fe8b5c34d577 /source4
parentad383ac8887eb5d44c2f2396e25a167c66b02ae6 (diff)
downloadsamba-62ee2a5caf8b8e7750a650c7ebc9729beda48a89.tar.gz
samba-62ee2a5caf8b8e7750a650c7ebc9729beda48a89.tar.bz2
samba-62ee2a5caf8b8e7750a650c7ebc9729beda48a89.zip
s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on add
Windows Server 2008 has changed semantics in comparison to Server 2003. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c14
-rwxr-xr-xsource4/dsdb/tests/python/sam.py44
2 files changed, 37 insertions, 21 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index da9c966ddd..cd13900bf5 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
switch(ac->type) {
case SAMLDB_TYPE_USER: {
- bool uac_generated = false;
+ bool uac_generated = false, uac_add_flags = false;
/* Step 1.2: Default values */
ret = samdb_find_or_add_attribute(ldb, ac->msg,
@@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
return ret;
}
uac_generated = true;
+ uac_add_flags = true;
}
el = ldb_msg_find_element(ac->msg, "userAccountControl");
@@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
user_account_control = ldb_msg_find_attr_as_uint(ac->msg,
"userAccountControl",
0);
+ /* "userAccountControl" = 0 means "UF_NORMAL_ACCOUNT" */
+ if (user_account_control == 0) {
+ user_account_control = UF_NORMAL_ACCOUNT;
+ uac_generated = true;
+ }
/* Temporary duplicate accounts aren't allowed */
if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
@@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
* has been generated here (tested against Windows
* Server) */
if (uac_generated) {
- user_account_control |= UF_ACCOUNTDISABLE;
- user_account_control |= UF_PASSWD_NOTREQD;
+ if (uac_add_flags) {
+ user_account_control |= UF_ACCOUNTDISABLE;
+ user_account_control |= UF_PASSWD_NOTREQD;
+ }
ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
"userAccountControl",
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index c5727cd080..df1915a899 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase):
# password yet.
# With SYSTEM rights you can set a interdomain trust account.
- # Invalid attribute
- try:
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": "user",
- "userAccountControl": "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": "user",
+ "userAccountControl": "0"})
+
+ res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
+ self.assertTrue(len(res1) == 1)
+ self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+ ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
# This has to wait until s4 supports it (needs a password module change)
@@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase):
# password yet.
# With SYSTEM rights you can set a interdomain trust account.
- # Invalid attribute
- try:
- ldb.add({
- "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
- "objectclass": "computer",
- "userAccountControl": "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ ldb.add({
+ "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+ "objectclass": "computer",
+ "userAccountControl": "0"})
+
+ res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
+ self.assertTrue(len(res1) == 1)
+ self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+ ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
# This has to wait until s4 supports it (needs a password module change)