diff options
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 28 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/sam.py | 26 |
2 files changed, 39 insertions, 15 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 5653ba1751..e60f24023d 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -800,7 +800,6 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) struct ldb_message_element *el, *el2; enum sid_generator sid_generator; struct dom_sid *sid; - const char *tempstr; int ret; /* make sure that "sAMAccountType" is not specified */ @@ -834,6 +833,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) } if (strcmp(ac->type, "user") == 0) { + bool uac_generated = false; + /* Step 1.2: Default values */ ret = samdb_find_or_add_attribute(ldb, ac->msg, "accountExpires", "9223372036854775807"); @@ -863,11 +864,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) "pwdLastSet", "0"); if (ret != LDB_SUCCESS) return ret; - tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT); - if (tempstr == NULL) return ldb_operr(ldb); - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "userAccountControl", tempstr); - if (ret != LDB_SUCCESS) return ret; + /* On add operations we might need to generate a + * "userAccountControl" (if it isn't specified). */ + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if ((el == NULL) && (ac->req->operation == LDB_ADD)) { + ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, + "userAccountControl", + UF_NORMAL_ACCOUNT); + if (ret != LDB_SUCCESS) { + return ret; + } + uac_generated = true; + } el = ldb_msg_find_element(ac->msg, "userAccountControl"); if (el != NULL) { @@ -924,8 +932,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) } /* Step 1.5: Add additional flags when needed */ - if ((user_account_control & UF_NORMAL_ACCOUNT) && - (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { + /* Obviously this is done when the "userAccountControl" + * has been generated here (tested against Windows + * Server) */ + if (uac_generated) { user_account_control |= UF_ACCOUNTDISABLE; user_account_control |= UF_PASSWD_NOTREQD; @@ -939,6 +949,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) } } else if (strcmp(ac->type, "group") == 0) { + const char *tempstr; + /* Step 2.2: Default values */ tempstr = talloc_asprintf(ac->msg, "%d", GTYPE_SECURITY_GLOBAL_GROUP); diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index 03d698408b..69dd757048 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -24,7 +24,7 @@ from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE from ldb import Message, MessageElement, Dn from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE from samba.samdb import SamDB -from samba.dsdb import (UF_NORMAL_ACCOUNT, +from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE, UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT, UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT, @@ -1453,10 +1453,12 @@ class SamTests(unittest.TestCase): "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)}) res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["sAMAccountType"]) + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) self.assertTrue(len(res1) == 1) self.assertEquals(int(res1[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) try: @@ -1508,10 +1510,12 @@ class SamTests(unittest.TestCase): # After creation we should have a normal account res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["sAMAccountType"]) + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) self.assertTrue(len(res1) == 1) self.assertEquals(int(res1[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0) # As user you can only switch from a normal account to a workstation # trust account and back. @@ -1548,10 +1552,12 @@ class SamTests(unittest.TestCase): ldb.modify(m) res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["sAMAccountType"]) + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) self.assertTrue(len(res1) == 1) self.assertEquals(int(res1[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) try: m = Message() @@ -1651,10 +1657,12 @@ class SamTests(unittest.TestCase): "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)}) res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, - scope=SCOPE_BASE, attrs=["sAMAccountType"]) + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) self.assertTrue(len(res1) == 1) self.assertEquals(int(res1[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) try: @@ -1707,10 +1715,12 @@ class SamTests(unittest.TestCase): # After creation we should have a normal account res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, - scope=SCOPE_BASE, attrs=["sAMAccountType"]) + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) self.assertTrue(len(res1) == 1) self.assertEquals(int(res1[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0) # As computer you can switch from a normal account to a workstation # or server trust account and back (also swapping between trust @@ -1748,10 +1758,12 @@ class SamTests(unittest.TestCase): ldb.modify(m) res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, - scope=SCOPE_BASE, attrs=["sAMAccountType"]) + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) self.assertTrue(len(res1) == 1) self.assertEquals(int(res1[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) try: m = Message() |