diff options
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 82 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/sam.py | 82 |
2 files changed, 147 insertions, 17 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 5bb0b61d61..603370fd62 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1049,6 +1049,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) uac_generated = true; } + /* + * As per MS-SAMR 3.1.1.8.10 these flags have not to be set + */ + if ((user_account_control & UF_LOCKOUT) != 0) { + user_account_control &= ~UF_LOCKOUT; + uac_generated = true; + } + if ((user_account_control & UF_PASSWORD_EXPIRED) != 0) { + user_account_control &= ~UF_PASSWORD_EXPIRED; + uac_generated = true; + } + /* Temporary duplicate accounts aren't allowed */ if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { return LDB_ERR_OTHER; @@ -1442,9 +1454,10 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) struct ldb_message *tmp_msg; int ret; struct ldb_result *res; - const char * const attrs[] = { "userAccountControl", "objectClass", NULL }; + const char * const attrs[] = { "userAccountControl", "objectClass", + "lockoutTime", NULL }; unsigned int i; - bool is_computer = false; + bool is_computer = false, uac_generated = false; el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl", ac->req->operation); @@ -1517,8 +1530,6 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) account_type = ds_uf2atype(user_account_control); if (account_type == 0) { - char *tempstr; - /* * When there is no account type embedded in "userAccountControl" * fall back to default "UF_NORMAL_ACCOUNT". @@ -1530,18 +1541,7 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) } user_account_control |= UF_NORMAL_ACCOUNT; - - tempstr = talloc_asprintf(ac->msg, "%d", user_account_control); - if (tempstr == NULL) { - return ldb_module_oom(ac->module); - } - - /* Overwrite "userAccountControl" with "UF_NORMAL_ACCOUNT" added */ - el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl", - ac->req->operation); - el->values[0].data = (uint8_t *) tempstr; - el->values[0].length = strlen(tempstr); - + uac_generated = true; account_type = ATYPE_NORMAL_ACCOUNT; } ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", @@ -1552,6 +1552,41 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) el = ldb_msg_find_element(ac->msg, "sAMAccountType"); el->flags = LDB_FLAG_MOD_REPLACE; + /* As per MS-SAMR 3.1.1.8.10 these flags have not to be set */ + if ((user_account_control & UF_LOCKOUT) != 0) { + /* "lockoutTime" reset as per MS-SAMR 3.1.1.8.10 */ + uint64_t lockout_time = ldb_msg_find_attr_as_uint64(res->msgs[0], + "lockoutTime", + 0); + if (lockout_time != 0) { + ldb_msg_remove_attr(ac->msg, "lockoutTime"); + ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, + "lockoutTime", (NTTIME)0); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, "lockoutTime"); + el->flags = LDB_FLAG_MOD_REPLACE; + } + + user_account_control &= ~UF_LOCKOUT; + uac_generated = true; + } + if ((user_account_control & UF_PASSWORD_EXPIRED) != 0) { + /* "pwdLastSet" reset as password expiration has been forced */ + ldb_msg_remove_attr(ac->msg, "pwdLastSet"); + ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, "pwdLastSet", + (NTTIME)0); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, "pwdLastSet"); + el->flags = LDB_FLAG_MOD_REPLACE; + + user_account_control &= ~UF_PASSWORD_EXPIRED; + uac_generated = true; + } + /* "isCriticalSystemObject" might be set/changed */ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { @@ -1595,6 +1630,21 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) el->flags = LDB_FLAG_MOD_REPLACE; } + /* Propagate eventual "userAccountControl" attribute changes */ + if (uac_generated) { + char *tempstr = talloc_asprintf(ac->msg, "%d", + user_account_control); + if (tempstr == NULL) { + return ldb_module_oom(ac->module); + } + + /* Overwrite "userAccountControl" correctly */ + el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl", + ac->req->operation); + el->values[0].data = (uint8_t *) tempstr; + el->values[0].length = strlen(tempstr); + } + return LDB_SUCCESS; } diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index 361a10898d..754096a015 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -27,7 +27,7 @@ from samba.samdb import SamDB from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE, UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT, - UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT, + UF_PASSWD_NOTREQD, UF_LOCKOUT, UF_PASSWORD_EXPIRED, ATYPE_NORMAL_ACCOUNT, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP, GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP, GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP, @@ -1465,6 +1465,22 @@ class SamTests(samba.tests.TestCase): self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": "user", + "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_LOCKOUT | UF_PASSWORD_EXPIRED)}) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0) + self.assertFalse("lockoutTime" in res1[0]) + self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0) + delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + try: ldb.add({ "dn": "cn=ldaptestuser,cn=users," + self.base_dn, @@ -1587,6 +1603,30 @@ class SamTests(samba.tests.TestCase): self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0) self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0) + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["lockoutTime"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "lockoutTime") + m["pwdLastSet"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "pwdLastSet") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_LOCKOUT | UF_PASSWORD_EXPIRED), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0) + self.assertTrue(int(res1[0]["lockoutTime"][0]) == 0) + self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0) + try: m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) @@ -1707,6 +1747,22 @@ class SamTests(samba.tests.TestCase): self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": "computer", + "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_LOCKOUT | UF_PASSWORD_EXPIRED)}) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0) + self.assertFalse("lockoutTime" in res1[0]) + self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0) + delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + try: ldb.add({ "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, @@ -1823,6 +1879,30 @@ class SamTests(samba.tests.TestCase): self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0) self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0) + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["lockoutTime"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "lockoutTime") + m["pwdLastSet"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "pwdLastSet") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(UF_LOCKOUT | UF_PASSWORD_EXPIRED), + FLAG_MOD_REPLACE, "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0) + self.assertTrue(int(res1[0]["lockoutTime"][0]) == 0) + self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0) + try: m = Message() m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) |