summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c28
-rwxr-xr-xsource4/dsdb/tests/python/sam.py26
2 files changed, 39 insertions, 15 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 5653ba1751..e60f24023d 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -800,7 +800,6 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
struct ldb_message_element *el, *el2;
enum sid_generator sid_generator;
struct dom_sid *sid;
- const char *tempstr;
int ret;
/* make sure that "sAMAccountType" is not specified */
@@ -834,6 +833,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
}
if (strcmp(ac->type, "user") == 0) {
+ bool uac_generated = false;
+
/* Step 1.2: Default values */
ret = samdb_find_or_add_attribute(ldb, ac->msg,
"accountExpires", "9223372036854775807");
@@ -863,11 +864,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
"pwdLastSet", "0");
if (ret != LDB_SUCCESS) return ret;
- tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT);
- if (tempstr == NULL) return ldb_operr(ldb);
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "userAccountControl", tempstr);
- if (ret != LDB_SUCCESS) return ret;
+ /* On add operations we might need to generate a
+ * "userAccountControl" (if it isn't specified). */
+ el = ldb_msg_find_element(ac->msg, "userAccountControl");
+ if ((el == NULL) && (ac->req->operation == LDB_ADD)) {
+ ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
+ "userAccountControl",
+ UF_NORMAL_ACCOUNT);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ uac_generated = true;
+ }
el = ldb_msg_find_element(ac->msg, "userAccountControl");
if (el != NULL) {
@@ -924,8 +932,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
}
/* Step 1.5: Add additional flags when needed */
- if ((user_account_control & UF_NORMAL_ACCOUNT) &&
- (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+ /* Obviously this is done when the "userAccountControl"
+ * has been generated here (tested against Windows
+ * Server) */
+ if (uac_generated) {
user_account_control |= UF_ACCOUNTDISABLE;
user_account_control |= UF_PASSWD_NOTREQD;
@@ -939,6 +949,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
}
} else if (strcmp(ac->type, "group") == 0) {
+ const char *tempstr;
+
/* Step 2.2: Default values */
tempstr = talloc_asprintf(ac->msg, "%d",
GTYPE_SECURITY_GLOBAL_GROUP);
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index 03d698408b..69dd757048 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -24,7 +24,7 @@ from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from samba.samdb import SamDB
-from samba.dsdb import (UF_NORMAL_ACCOUNT,
+from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE,
UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
@@ -1453,10 +1453,12 @@ class SamTests(unittest.TestCase):
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
try:
@@ -1508,10 +1510,12 @@ class SamTests(unittest.TestCase):
# After creation we should have a normal account
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
# As user you can only switch from a normal account to a workstation
# trust account and back.
@@ -1548,10 +1552,12 @@ class SamTests(unittest.TestCase):
ldb.modify(m)
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
try:
m = Message()
@@ -1651,10 +1657,12 @@ class SamTests(unittest.TestCase):
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
try:
@@ -1707,10 +1715,12 @@ class SamTests(unittest.TestCase):
# After creation we should have a normal account
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
# As computer you can switch from a normal account to a workstation
# or server trust account and back (also swapping between trust
@@ -1748,10 +1758,12 @@ class SamTests(unittest.TestCase):
ldb.modify(m)
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
try:
m = Message()