Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth_sam.c4
-rw-r--r--source4/auth/sam.c36
-rw-r--r--source4/cluster/ctdb/opendb_ctdb.c29
-rw-r--r--source4/dsdb/common/util.c34
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c135
-rw-r--r--source4/lib/ldb/modules/rdn_name.c3
-rw-r--r--source4/libnet/libnet_user.c2
-rw-r--r--source4/libnet/libnet_user.h8
-rw-r--r--source4/librpc/idl/unixinfo.idl4
-rw-r--r--source4/ntvfs/common/opendb.c10
-rw-r--r--source4/ntvfs/common/opendb.h6
-rw-r--r--source4/ntvfs/common/opendb_tdb.c31
-rw-r--r--source4/ntvfs/posix/pvfs_open.c91
-rw-r--r--source4/ntvfs/posix/pvfs_qfileinfo.c6
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c22
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c42
-rw-r--r--source4/scripting/python/samba/provision.py2
-rw-r--r--source4/setup/provision_self_join.ldif2
-rw-r--r--source4/setup/provision_templates.ldif26
-rw-r--r--source4/setup/provision_users.ldif20
-rw-r--r--source4/torture/libnet/libnet_user.c17
-rw-r--r--source4/torture/libnet/userman.c2
-rw-r--r--source4/torture/rpc/samr.c45
23 files changed, 337 insertions, 240 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 9189640150..4cb8d2b304 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -226,7 +226,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
{
struct samr_Password *lm_pwd, *nt_pwd;
NTSTATUS nt_status;
- uint16_t acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
+ struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msgs_domain_ref[0], "nCName", NULL);
+
+ uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msgs[0], domain_dn);
/* Quit if the account was locked out. */
if (acct_flags & ACB_AUTOLOCK) {
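Review bot: `acct_flags` stays `uint16_t` on the added line while `samdb_result_acct_flags` now returns `uint32_t` (see its new definition in dsdb/common/util.c), so any flag above bit 15 is silently truncated and, if ACB_PW_EXPIRED lives there, it can never be observed through this variable. Change it to `uint32_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msgs[0], domain_dn);` and check the declaration of `acct_flags` in authsam_account_ok (auth/sam.c, declared outside its hunk), where `acct_flags & ACB_PW_EXPIRED` is the new password-expiry gate. Separately, `samdb_result_dn()` returns NULL when `nCName` is absent and the result is passed straight through as `domain_dn` both here and in authsam_make_server_info; a guard such as `if (domain_dn == NULL) return NT_STATUS_INTERNAL_DB_CORRUPTION;` would avoid handing a NULL base DN to the password-policy lookup. authsam_authenticate continues outside the hunk.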
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index fdd7de7c71..abcb72f292 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -156,7 +156,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
NTTIME now;
DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
- acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
+ acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
@@ -186,22 +186,20 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCOUNT_EXPIRED;
}
- if (!(acct_flags & ACB_PWNOEXP)) {
- /* check for immediate expiry "must change at next logon" */
- if (must_change_time == 0 && last_set_time != 0) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
- name_for_logs));
- return NT_STATUS_PASSWORD_MUST_CHANGE;
- }
+ /* check for immediate expiry "must change at next logon" */
+ if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
+ name_for_logs));
+ return NT_STATUS_PASSWORD_MUST_CHANGE;
+ }
- /* check for expired password */
- if ((must_change_time != 0) && (must_change_time < now)) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
- name_for_logs));
- DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
- nt_time_string(mem_ctx, must_change_time)));
- return NT_STATUS_PASSWORD_EXPIRED;
- }
+ /* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */
+ if (acct_flags & ACB_PW_EXPIRED) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
+ name_for_logs));
+ DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
+ nt_time_string(mem_ctx, must_change_time)));
+ return NT_STATUS_PASSWORD_EXPIRED;
}
/* Test workstation. Workstation list is comma separated. */
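Review bot: The comment on the new ACB_PW_EXPIRED check has two typos; suggest `/* check for expired password (dynamically generated in samdb_result_acct_flags) */`. The log line below it prints `must_change_time`, but the expiry decision is now taken inside samdb_result_acct_flags against its own `time(NULL)` rather than this function's `now`, so the logged time and the decision can disagree by the interval between the two calls; a one-line comment saying the value is informational only would help the next reader. authsam_account_ok continues outside the hunk.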
@@ -267,6 +265,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
struct dom_sid **groupSIDs = NULL;
struct dom_sid *account_sid;
struct dom_sid *primary_group_sid;
+ struct ldb_dn *domain_dn;
const char *str;
struct ldb_dn *ncname;
int i;
@@ -368,7 +367,10 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
- server_info->acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
+ domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL);
+
+ server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
+ msg, domain_dn);
server_info->user_session_key = user_sess_key;
server_info->lm_session_key = lm_sess_key;
diff --git a/source4/cluster/ctdb/opendb_ctdb.c b/source4/cluster/ctdb/opendb_ctdb.c
index 3dfc6819b7..3d67162d6d 100644
--- a/source4/cluster/ctdb/opendb_ctdb.c
+++ b/source4/cluster/ctdb/opendb_ctdb.c
@@ -409,10 +409,12 @@ static NTSTATUS odb_ctdb_open_file_pending(struct odb_lock *lck, void *private)
/*
remove a opendb entry
*/
-static NTSTATUS odb_ctdb_close_file(struct odb_lock *lck, void *file_handle)
+static NTSTATUS odb_ctdb_close_file(struct odb_lock *lck, void *file_handle,
+ const char **_delete_path)
{
struct odb_context *odb = lck->odb;
struct opendb_file file;
+ const char *delete_path = NULL;
int i;
NTSTATUS status;
@@ -448,6 +450,15 @@ static NTSTATUS odb_ctdb_close_file(struct odb_lock *lck, void *file_handle)
file.num_pending = 0;
file.num_entries--;
+
+ if (file.num_entries == 0 && file.delete_on_close) {
+ delete_path = talloc_strdup(lck, file.path);
+ NT_STATUS_HAVE_NO_MEMORY(delete_path);
+ }
+
+ if (_delete_path) {
+ *_delete_path = delete_path;
+ }
return odb_push_record(lck, &file);
}
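Review bot: The returned `*_delete_path` is allocated on `lck` (`talloc_strdup(lck, file.path)`), so it is only valid until the caller frees the lock, and the header comment above the function does not say so; suggest extending it with `*_delete_path is set to the path to unlink (talloc'd on lck, valid until lck is freed) when this close removed the last entry of a delete-on-close file, otherwise NULL`. The decision uses only the file-level `file.delete_on_close`, whereas the removed odb_*_get_delete_on_close code also honoured `file.entries[0].delete_on_close` for a sole opener, so confirm the per-entry flag of the closing handle is folded into `file.delete_on_close` earlier in this function (outside the hunk) or the path will not be reported. The same comment applies to odb_tdb_close_file in opendb_tdb.c and to the wrapper odb_close_file in opendb.c.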
@@ -552,20 +563,20 @@ static NTSTATUS odb_ctdb_set_delete_on_close(struct odb_lock *lck, bool del_on_c
people still have the file open
*/
static NTSTATUS odb_ctdb_get_delete_on_close(struct odb_context *odb,
- DATA_BLOB *key, bool *del_on_close,
- int *open_count, char **path)
+ DATA_BLOB *key, bool *del_on_close)
{
NTSTATUS status;
struct opendb_file file;
struct odb_lock *lck;
+ (*del_on_close) = false;
+
lck = odb_lock(odb, odb, key);
NT_STATUS_HAVE_NO_MEMORY(lck);
status = odb_pull_record(lck, &file);
if (NT_STATUS_EQUAL(NT_STATUS_OBJECT_NAME_NOT_FOUND, status)) {
talloc_free(lck);
- (*del_on_close) = false;
return NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(status)) {
@@ -574,16 +585,6 @@ static NTSTATUS odb_ctdb_get_delete_on_close(struct odb_context *odb,
}
(*del_on_close) = file.delete_on_close;
- if (open_count != NULL) {
- (*open_count) = file.num_entries;
- }
- if (path != NULL) {
- *path = talloc_strdup(odb, file.path);
- NT_STATUS_HAVE_NO_MEMORY(*path);
- if (file.num_entries == 1 && file.entries[0].delete_on_close) {
- (*del_on_close) = true;
- }
- }
talloc_free(lck);
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index bee1eac480..c9c0285604 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -596,11 +596,37 @@ struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_
/*
pull a set of account_flags from a result set.
+
+ This requires that the attributes:
+ pwdLastSet
+ userAccountControl
+ be included in 'msg'
*/
-uint16_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
-{
- uint_t userAccountControl = ldb_msg_find_attr_as_uint(msg, attr, 0);
- return samdb_uf2acb(userAccountControl);
+uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg, struct ldb_dn *domain_dn)
+{
+ uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ uint32_t acct_flags = samdb_uf2acb(userAccountControl);
+ if ((userAccountControl & UF_NORMAL_ACCOUNT) && !(userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
+ NTTIME must_change_time;
+ NTTIME pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
+ if (pwdLastSet == 0) {
+ acct_flags |= ACB_PW_EXPIRED;
+ } else {
+ NTTIME now;
+
+ must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
+ domain_dn, msg);
+
+ /* Test account expire time */
+ unix_to_nt_time(&now, time(NULL));
+ /* check for expired password */
+ if ((must_change_time != 0) && (must_change_time < now)) {
+ acct_flags |= ACB_PW_EXPIRED;
+ }
+ }
+ }
+ return acct_flags;
}
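Review bot: The new header comment lists the attributes `msg` must carry but not the other preconditions the body introduces: `domain_dn` is handed to samdb_result_force_password_change and must be non-NULL, and `mem_ctx` receives whatever that call allocates; suggest appending `domain_dn must be the domain DN used for the password-policy lookup; mem_ctx receives temporary allocations.` to the comment. `must_change_time` is declared at the outer block but only used in the `else` branch, so it belongs next to `NTTIME now;`. Callers that still keep a `uint16_t` for the result (auth/auth_sam.c, possibly auth/sam.c) truncate the widened `uint32_t` return, and the function is now invoked per result row in EnumDomainUsers and QueryDisplayInfo, so if samdb_result_force_password_change performs a directory lookup for the policy, that lookup is repeated for every row.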
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 178149a886..905cd4a995 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -396,6 +396,7 @@ static int samldb_fill_group_object(struct ldb_module *module, const struct ldb_
struct ldb_message **ret_msg)
{
int ret;
+ unsigned int group_type;
char *name;
struct ldb_message *msg2;
struct ldb_dn *dom_dn;
@@ -452,6 +453,26 @@ static int samldb_fill_group_object(struct ldb_module *module, const struct ldb_
}
}
+ if (ldb_msg_find_element(msg2, "sAMAccountType") != NULL) {
+ ldb_asprintf_errstring(module->ldb, "sAMAccountType must not be specified");
+ talloc_free(mem_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ group_type = samdb_result_uint(msg2, "groupType", 0);
+ if (group_type == 0) {
+ ldb_asprintf_errstring(module->ldb, "groupType invalid");
+ talloc_free(mem_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ } else {
+ unsigned int account_type = samdb_gtype2atype(group_type);
+ ret = samdb_msg_add_uint(module->ldb, msg2, msg2,
+ "sAMAccountType",
+ account_type);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
/* Manage SID allocation, conflicts etc */
ret = samldb_handle_sid(module, mem_ctx, msg2, dom_dn);
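Review bot: The `samdb_msg_add_uint` failure path (`if (ret != LDB_SUCCESS) { return ret; }`) returns without `talloc_free(mem_ctx)`, unlike the two error returns immediately above it; add `talloc_free(mem_ctx);` before the `return ret;`. The same pattern appears in the sAMAccountType block added to samldb_fill_user_or_computer_object later in this file. The `else` after an unconditional `return` can be flattened so that `account_type` sits with the other locals. samldb_fill_group_object continues outside the hunk.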
@@ -473,6 +494,7 @@ static int samldb_fill_user_or_computer_object(struct ldb_module *module, const
const char *rdn_name;
TALLOC_CTX *mem_ctx = talloc_new(msg);
const char *errstr;
+ unsigned int user_account_control;
if (!mem_ctx) {
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -485,36 +507,15 @@ static int samldb_fill_user_or_computer_object(struct ldb_module *module, const
return LDB_ERR_OPERATIONS_ERROR;
}
- if (samdb_find_attribute(module->ldb, msg, "objectclass", "computer") != NULL) {
-
- ret = samdb_copy_template(module->ldb, msg2,
- "computer",
- &errstr);
- if (ret) {
- ldb_asprintf_errstring(module->ldb,
- "samldb_fill_user_or_computer_object: "
- "Error copying computer template: %s",
- errstr);
- talloc_free(mem_ctx);
- return ret;
- }
- } else {
- ret = samdb_copy_template(module->ldb, msg2,
- "user",
- &errstr);
- if (ret) {
- ldb_asprintf_errstring(module->ldb,
- "samldb_fill_user_or_computer_object: Error copying user template: %s\n",
- errstr);
- talloc_free(mem_ctx);
- return ret;
- }
- /* readd user objectclass */
- ret = samdb_find_or_add_value(module->ldb, msg2, "objectclass", "user");
- if (ret) {
- talloc_free(mem_ctx);
- return ret;
- }
+ ret = samdb_copy_template(module->ldb, msg2,
+ "user",
+ &errstr);
+ if (ret) {
+ ldb_asprintf_errstring(module->ldb,
+ "samldb_fill_user_or_computer_object: Error copying user template: %s\n",
+ errstr);
+ talloc_free(mem_ctx);
+ return ret;
}
rdn_name = ldb_dn_get_rdn_name(msg2->dn);
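Review bot: The dropped `else` branch re-added the `user` objectclass after copying the template (`samdb_find_or_add_value(module->ldb, msg2, "objectclass", "user")`) and that call has no replacement on the new unconditional path, so if samdb_copy_template can leave the objectclass list without `user`, the object is now written without it; worth confirming against the provision_templates.ldif change in this commit or restoring the call. Computer objects now also go through the `user` template, and a short comment such as `/* computer objects deliberately share the user template */` would record that this is intentional rather than an oversight. samldb_fill_user_or_computer_object continues outside the hunk.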
@@ -545,14 +546,30 @@ static int samldb_fill_user_or_computer_object(struct ldb_module *module, const
}
}
- /*
- TODO: useraccountcontrol: setting value 0 gives 0x200 for users
- */
+ if (ldb_msg_find_element(msg2, "sAMAccountType") != NULL) {
+ ldb_asprintf_errstring(module->ldb, "sAMAccountType must not be specified");
+ talloc_free(mem_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ user_account_control = samdb_result_uint(msg2, "userAccountControl", 0);
+ if (user_account_control == 0) {
+ ldb_asprintf_errstring(module->ldb, "userAccountControl invalid");
+ talloc_free(mem_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ } else {
+ unsigned int account_type = samdb_uf2atype(user_account_control);
+ ret = samdb_msg_add_uint(module->ldb, msg2, msg2,
+ "sAMAccountType",
+ account_type);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
/* Manage SID allocation, conflicts etc */
ret = samldb_handle_sid(module, mem_ctx, msg2, dom_dn);
- /* TODO: objectCategory, userAccountControl, badPwdCount, codePage, countryCode, badPasswordTime, lastLogoff, lastLogon, pwdLastSet, primaryGroupID, accountExpires, logonCount */
+ /* TODO: userAccountControl, badPwdCount, codePage, countryCode, badPasswordTime, lastLogoff, lastLogon, pwdLastSet, primaryGroupID, accountExpires, logonCount */
if (ret == 0) {
*ret_msg = msg2;
@@ -689,7 +706,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
}
/* is user or computer? */
- if ((samdb_find_attribute(module->ldb, msg, "objectclass", "user") != NULL) ||
+ if ((samdb_find_attribute(module->ldb, msg, "objectclass", "user") != NULL) ||
(samdb_find_attribute(module->ldb, msg, "objectclass", "computer") != NULL)) {
/* add all relevant missing objects */
ret = samldb_fill_user_or_computer_object(module, msg, &msg2);
@@ -745,6 +762,53 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
return ret;
}
+/* modify */
+static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_message *msg;
+ struct ldb_message_element *el, *el2;
+ int ret;
+ unsigned int group_type, user_account_control, account_type;
+ if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
+ ldb_asprintf_errstring(module->ldb, "sAMAccountType must not be specified");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ el = ldb_msg_find_element(req->op.mod.message, "groupType");
+ if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
+ req->op.mod.message = msg = ldb_msg_copy_shallow(req, req->op.mod.message);
+
+ group_type = strtoul((const char *)el->values[0].data, NULL, 0);
+ account_type = samdb_gtype2atype(group_type);
+ ret = samdb_msg_add_uint(module->ldb, msg, msg,
+ "sAMAccountType",
+ account_type);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el2 = ldb_msg_find_element(msg, "sAMAccountType");
+ el2->flags = LDB_FLAG_MOD_REPLACE;
+ }
+
+ el = ldb_msg_find_element(req->op.mod.message, "userAccountControl");
+ if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
+ req->op.mod.message = msg = ldb_msg_copy_shallow(req, req->op.mod.message);
+
+ user_account_control = strtoul((const char *)el->values[0].data, NULL, 0);
+ account_type = samdb_uf2atype(user_account_control);
+ ret = samdb_msg_add_uint(module->ldb, msg, msg,
+ "sAMAccountType",
+ account_type);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el2 = ldb_msg_find_element(msg, "sAMAccountType");
+ el2->flags = LDB_FLAG_MOD_REPLACE;
+ }
+ return ldb_next_request(module, req);
+}
+
+
static int samldb_init(struct ldb_module *module)
{
return ldb_next_init(module);
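Review bot: The element test `el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)` is a bit-mask check on an enumeration-style field; because LDB_FLAG_MOD_DELETE (3) overlaps both values, a single-valued delete of `groupType` or `userAccountControl` is treated as a replace and rewrites sAMAccountType from the deleted value, so compare the mod type (`el->flags & LDB_FLAG_MOD_MASK`) for equality instead. `ldb_msg_copy_shallow()` is assigned to `req->op.mod.message` without a NULL check, so an allocation failure leaves the request with a NULL message and dereferences `msg` on the next line. `strtoul()` is also called without endptr validation, so a malformed or zero value is accepted here while samldb_fill_group_object and samldb_fill_user_or_computer_object reject 0 with LDB_ERR_UNWILLING_TO_PERFORM; the groupType branch below shows the combined fix and the userAccountControl branch should mirror it.
```c
	el = ldb_msg_find_element(req->op.mod.message, "groupType");
	if (el && ((el->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_ADD ||
		   (el->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_REPLACE) &&
	    el->num_values == 1) {
		const char *str = (const char *)el->values[0].data;
		char *end = NULL;

		msg = ldb_msg_copy_shallow(req, req->op.mod.message);
		if (msg == NULL) {
			return LDB_ERR_OPERATIONS_ERROR;
		}
		req->op.mod.message = msg;

		group_type = strtoul(str, &end, 0);
		if (end == str || *end != '\0' || group_type == 0) {
			ldb_asprintf_errstring(module->ldb, "groupType invalid");
			return LDB_ERR_UNWILLING_TO_PERFORM;
		}
		/* … unchanged: samdb_gtype2atype, samdb_msg_add_uint, el2->flags … */
	}
	/* … unchanged: userAccountControl branch, with the same three checks … */
```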
@@ -754,4 +818,5 @@ _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = {
.name = "samldb",
.init_context = samldb_init,
.add = samldb_add,
+ .modify = samldb_modify
};
diff --git a/source4/lib/ldb/modules/rdn_name.c b/source4/lib/ldb/modules/rdn_name.c
index c4de8e8da8..65c044c0f4 100644
--- a/source4/lib/ldb/modules/rdn_name.c
+++ b/source4/lib/ldb/modules/rdn_name.c
@@ -119,7 +119,8 @@ static int rdn_name_add(struct ldb_module *module, struct ldb_request *req)
"RDN mismatch on %s: %s (%s)",
ldb_dn_get_linearized(msg->dn), rdn_name, rdn_val.data);
talloc_free(down_req);
- return LDB_ERR_OPERATIONS_ERROR;
+ /* Match AD's error here */
+ return LDB_ERR_INVALID_DN_SYNTAX;
}
}
diff --git a/source4/libnet/libnet_user.c b/source4/libnet/libnet_user.c
index d5ccf34a57..678c7a226e 100644
--- a/source4/libnet/libnet_user.c
+++ b/source4/libnet/libnet_user.c
@@ -534,7 +534,7 @@ static NTSTATUS set_user_changes(TALLOC_CTX *mem_ctx, struct usermod_change *mod
SET_FIELD_NTTIME(r->in, user, mod, acct_expiry, USERMOD_FIELD_ACCT_EXPIRY);
/* account flags change */
- SET_FIELD_UINT32(r->in, user, mod, acct_flags, USERMOD_FIELD_ACCT_FLAGS);
+ SET_FIELD_ACCT_FLAGS(r->in, user, mod, acct_flags, USERMOD_FIELD_ACCT_FLAGS);
return NT_STATUS_OK;
}
diff --git a/source4/libnet/libnet_user.h b/source4/libnet/libnet_user.h
index ece06f08fc..94aa38464f 100644
--- a/source4/libnet/libnet_user.h
+++ b/source4/libnet/libnet_user.h
@@ -91,6 +91,14 @@ struct libnet_ModifyUser {
mod->fields |= flag; \
}
+#define SET_FIELD_ACCT_FLAGS(new, current, mod, field, flag) \
+ if (new.field) { \
+ if (current->field != new.field) { \
+ mod->field = new.field; \
+ mod->fields |= flag; \
+ } \
+ }
+
struct libnet_UserInfo {
struct {
diff --git a/source4/librpc/idl/unixinfo.idl b/source4/librpc/idl/unixinfo.idl
index 48bc565fff..6929e86e61 100644
--- a/source4/librpc/idl/unixinfo.idl
+++ b/source4/librpc/idl/unixinfo.idl
@@ -42,8 +42,8 @@ import "security.idl";
typedef struct {
NTSTATUS status;
- utf8string homedir;
- utf8string shell;
+ [charset(UTF8),string] uint8 homedir[];
+ [charset(UTF8),string] uint8 shell[];
} unixinfo_GetPWUidInfo;
/******************/
diff --git a/source4/ntvfs/common/opendb.c b/source4/ntvfs/common/opendb.c
index 36144d0406..d8cb67686b 100644
--- a/source4/ntvfs/common/opendb.c
+++ b/source4/ntvfs/common/opendb.c
@@ -118,9 +118,10 @@ _PUBLIC_ NTSTATUS odb_open_file_pending(struct odb_lock *lck, void *private)
/*
remove a opendb entry
*/
-_PUBLIC_ NTSTATUS odb_close_file(struct odb_lock *lck, void *file_handle)
+_PUBLIC_ NTSTATUS odb_close_file(struct odb_lock *lck, void *file_handle,
+ const char **delete_path)
{
- return ops->odb_close_file(lck, file_handle);
+ return ops->odb_close_file(lck, file_handle, delete_path);
}
@@ -154,10 +155,9 @@ _PUBLIC_ NTSTATUS odb_set_delete_on_close(struct odb_lock *lck, bool del_on_clos
people still have the file open
*/
_PUBLIC_ NTSTATUS odb_get_delete_on_close(struct odb_context *odb,
- DATA_BLOB *key, bool *del_on_close,
- int *open_count, char **path)
+ DATA_BLOB *key, bool *del_on_close)
{
- return ops->odb_get_delete_on_close(odb, key, del_on_close, open_count, path);
+ return ops->odb_get_delete_on_close(odb, key, del_on_close);
}
diff --git a/source4/ntvfs/common/opendb.h b/source4/ntvfs/common/opendb.h
index 9591bcf6b9..33f2e1c88d 100644
--- a/source4/ntvfs/common/opendb.h
+++ b/source4/ntvfs/common/opendb.h
@@ -32,13 +32,13 @@ struct opendb_ops {
uint32_t open_disposition, bool break_to_none,
uint32_t oplock_level, uint32_t *oplock_granted);
NTSTATUS (*odb_open_file_pending)(struct odb_lock *lck, void *private);
- NTSTATUS (*odb_close_file)(struct odb_lock *lck, void *file_handle);
+ NTSTATUS (*odb_close_file)(struct odb_lock *lck, void *file_handle,
+ const char **delete_path);
NTSTATUS (*odb_remove_pending)(struct odb_lock *lck, void *private);
NTSTATUS (*odb_rename)(struct odb_lock *lck, const char *path);
NTSTATUS (*odb_set_delete_on_close)(struct odb_lock *lck, bool del_on_close);
NTSTATUS (*odb_get_delete_on_close)(struct odb_context *odb,
- DATA_BLOB *key, bool *del_on_close,
- int *open_count, char **path);
+ DATA_BLOB *key, bool *del_on_close);
NTSTATUS (*odb_can_open)(struct odb_lock *lck,
uint32_t stream_id, uint32_t share_access,
uint32_t access_mask, bool delete_on_close,
diff --git a/source4/ntvfs/common/opendb_tdb.c b/source4/ntvfs/common/opendb_tdb.c
index a51c823a63..37c1c0850b 100644
--- a/source4/ntvfs/common/opendb_tdb.c
+++ b/source4/ntvfs/common/opendb_tdb.c
@@ -527,10 +527,12 @@ static NTSTATUS odb_tdb_open_file_pending(struct odb_lock *lck, void *private)
/*
remove a opendb entry
*/
-static NTSTATUS odb_tdb_close_file(struct odb_lock *lck, void *file_handle)
+static NTSTATUS odb_tdb_close_file(struct odb_lock *lck, void *file_handle,
+ const char **_delete_path)
{
struct odb_context *odb = lck->odb;
struct opendb_file file;
+ const char *delete_path = NULL;
int i;
NTSTATUS status;
@@ -566,7 +568,16 @@ static NTSTATUS odb_tdb_close_file(struct odb_lock *lck, void *file_handle)
file.num_pending = 0;
file.num_entries--;
-
+
+ if (file.num_entries == 0 && file.delete_on_close) {
+ delete_path = talloc_strdup(lck, file.path);
+ NT_STATUS_HAVE_NO_MEMORY(delete_path);
+ }
+
+ if (_delete_path) {
+ *_delete_path = delete_path;
+ }
+
return odb_push_record(lck, &file);
}
@@ -723,20 +734,20 @@ static NTSTATUS odb_tdb_set_delete_on_close(struct odb_lock *lck, bool del_on_cl
people still have the file open
*/
static NTSTATUS odb_tdb_get_delete_on_close(struct odb_context *odb,
- DATA_BLOB *key, bool *del_on_close,
- int *open_count, char **path)
+ DATA_BLOB *key, bool *del_on_close)
{
NTSTATUS status;
struct opendb_file file;
struct odb_lock *lck;
+ (*del_on_close) = false;
+
lck = odb_lock(odb, odb, key);
NT_STATUS_HAVE_NO_MEMORY(lck);
status = odb_pull_record(lck, &file);
if (NT_STATUS_EQUAL(NT_STATUS_OBJECT_NAME_NOT_FOUND, status)) {
talloc_free(lck);
- (*del_on_close) = false;
return NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(status)) {
@@ -745,16 +756,6 @@ static NTSTATUS odb_tdb_get_delete_on_close(struct odb_context *odb,
}
(*del_on_close) = file.delete_on_close;
- if (open_count != NULL) {
- (*open_count) = file.num_entries;
- }
- if (path != NULL) {
- *path = talloc_strdup(odb, file.path);
- NT_STATUS_HAVE_NO_MEMORY(*path);
- if (file.num_entries == 1 && file.entries[0].delete_on_close) {
- (*del_on_close) = true;
- }
- }
talloc_free(lck);
diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c
index a01352f60c..740a0a9d13 100644
--- a/source4/ntvfs/posix/pvfs_open.c
+++ b/source4/ntvfs/posix/pvfs_open.c
@@ -50,29 +50,10 @@ struct pvfs_file *pvfs_find_fd(struct pvfs_state *pvfs,
*/
static int pvfs_dir_handle_destructor(struct pvfs_file_handle *h)
{
- int open_count;
- char *path = NULL;
-
- if (h->name->stream_name == NULL &&
- pvfs_delete_on_close_set(h->pvfs, h, &open_count, &path) &&
- open_count == 1) {
- NTSTATUS status;
- status = pvfs_xattr_unlink_hook(h->pvfs, path);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Warning: xattr unlink hook failed for '%s' - %s\n",
- path, nt_errstr(status)));
- }
- if (rmdir(path) != 0) {
- DEBUG(0,("pvfs_dir_handle_destructor: failed to rmdir '%s' - %s\n",
- path, strerror(errno)));
- }
- }
-
- talloc_free(path);
-
if (h->have_opendb_entry) {
struct odb_lock *lck;
NTSTATUS status;
+ const char *delete_path = NULL;
lck = odb_lock(h, h->pvfs->odb_context, &h->odb_locking_key);
if (lck == NULL) {
@@ -80,12 +61,24 @@ static int pvfs_dir_handle_destructor(struct pvfs_file_handle *h)
return 0;
}
- status = odb_close_file(lck, h);
+ status = odb_close_file(lck, h, &delete_path);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Unable to remove opendb entry for '%s' - %s\n",
+ DEBUG(0,("Unable to remove opendb entry for '%s' - %s\n",
h->name->full_name, nt_errstr(status)));
}
+ if (h->name->stream_name == NULL && delete_path) {
+ status = pvfs_xattr_unlink_hook(h->pvfs, delete_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Warning: xattr unlink hook failed for '%s' - %s\n",
+ delete_path, nt_errstr(status)));
+ }
+ if (rmdir(delete_path) != 0) {
+ DEBUG(0,("pvfs_dir_handle_destructor: failed to rmdir '%s' - %s\n",
+ delete_path, strerror(errno)));
+ }
+ }
+
talloc_free(lck);
}
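Review bot: The xattr unlink hook and `rmdir` now run while `lck` (the opendb record lock) is still held, where the removed code ran them before the lock was taken; that looks deliberate, since it makes the last close and the directory removal atomic with respect to other openers, but nothing in the code says so — suggest `/* unlink while still holding lck so a concurrent open sees either the opendb entry or no directory */` above the `if (h->name->stream_name == NULL && delete_path)` check. `delete_path` is owned by `lck` (it is talloc_strdup'd on the lock in odb_*_close_file), so the `talloc_free(lck)` below is what releases it and the deletion must stay ahead of that line. The same ordering and comment apply to the file case in pvfs_handle_destructor further down; pvfs_dir_handle_destructor starts outside the hunk.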
@@ -410,9 +403,6 @@ cleanup_delete:
*/
static int pvfs_handle_destructor(struct pvfs_file_handle *h)
{
- int open_count;
- char *path = NULL;
-
/* the write time is no longer sticky */
if (h->sticky_write_time) {
NTSTATUS status;
@@ -441,32 +431,10 @@ static int pvfs_handle_destructor(struct pvfs_file_handle *h)
h->fd = -1;
}
- if (h->name->stream_name == NULL &&
- h->open_completed &&
- pvfs_delete_on_close_set(h->pvfs, h, &open_count, &path) &&
- open_count == 1) {
- NTSTATUS status;
- status = pvfs_xattr_unlink_hook(h->pvfs, path);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Warning: xattr unlink hook failed for '%s' - %s\n",
- path, nt_errstr(status)));
- }
- if (unlink(path) != 0) {
- DEBUG(0,("pvfs_close: failed to delete '%s' - %s\n",
- path, strerror(errno)));
- } else {
- notify_trigger(h->pvfs->notify_context,
- NOTIFY_ACTION_REMOVED,
- FILE_NOTIFY_CHANGE_FILE_NAME,
- path);
- }
- }
-
- talloc_free(path);
-
if (h->have_opendb_entry) {
struct odb_lock *lck;
NTSTATUS status;
+ const char *delete_path = NULL;
lck = odb_lock(h, h->pvfs->odb_context, &h->odb_locking_key);
if (lck == NULL) {
@@ -474,12 +442,30 @@ static int pvfs_handle_destructor(struct pvfs_file_handle *h)
return 0;
}
- status = odb_close_file(lck, h);
+ status = odb_close_file(lck, h, &delete_path);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to remove opendb entry for '%s' - %s\n",
h->name->full_name, nt_errstr(status)));
}
+ if (h->name->stream_name == NULL &&
+ h->open_completed && delete_path) {
+ status = pvfs_xattr_unlink_hook(h->pvfs, delete_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Warning: xattr unlink hook failed for '%s' - %s\n",
+ delete_path, nt_errstr(status)));
+ }
+ if (unlink(delete_path) != 0) {
+ DEBUG(0,("pvfs_close: failed to delete '%s' - %s\n",
+ delete_path, strerror(errno)));
+ } else {
+ notify_trigger(h->pvfs->notify_context,
+ NOTIFY_ACTION_REMOVED,
+ FILE_NOTIFY_CHANGE_FILE_NAME,
+ delete_path);
+ }
+ }
+
talloc_free(lck);
}
@@ -574,7 +560,7 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs,
status = pvfs_locking_key(parent, req, &locking_key);
NT_STATUS_NOT_OK_RETURN(status);
status = odb_get_delete_on_close(pvfs->odb_context, &locking_key,
- &del_on_close, NULL, NULL);
+ &del_on_close);
NT_STATUS_NOT_OK_RETURN(status);
if (del_on_close) {
return NT_STATUS_DELETE_PENDING;
@@ -1738,14 +1724,13 @@ NTSTATUS pvfs_can_stat(struct pvfs_state *pvfs,
/*
determine if delete on close is set on
*/
-bool pvfs_delete_on_close_set(struct pvfs_state *pvfs, struct pvfs_file_handle *h,
- int *open_count, char **path)
+bool pvfs_delete_on_close_set(struct pvfs_state *pvfs, struct pvfs_file_handle *h)
{
NTSTATUS status;
bool del_on_close;
status = odb_get_delete_on_close(pvfs->odb_context, &h->odb_locking_key,
- &del_on_close, open_count, path);
+ &del_on_close);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("WARNING: unable to determine delete on close status for open file\n"));
return false;
diff --git a/source4/ntvfs/posix/pvfs_qfileinfo.c b/source4/ntvfs/posix/pvfs_qfileinfo.c
index 8d23d707a4..6ed729541f 100644
--- a/source4/ntvfs/posix/pvfs_qfileinfo.c
+++ b/source4/ntvfs/posix/pvfs_qfileinfo.c
@@ -380,7 +380,7 @@ NTSTATUS pvfs_qfileinfo(struct ntvfs_module_context *ntvfs,
switch (info->generic.level) {
case RAW_FILEINFO_STANDARD_INFO:
case RAW_FILEINFO_STANDARD_INFORMATION:
- if (pvfs_delete_on_close_set(pvfs, h, NULL, NULL)) {
+ if (pvfs_delete_on_close_set(pvfs, h)) {
info->standard_info.out.delete_pending = 1;
info->standard_info.out.nlink--;
}
@@ -388,7 +388,7 @@ NTSTATUS pvfs_qfileinfo(struct ntvfs_module_context *ntvfs,
case RAW_FILEINFO_ALL_INFO:
case RAW_FILEINFO_ALL_INFORMATION:
- if (pvfs_delete_on_close_set(pvfs, h, NULL, NULL)) {
+ if (pvfs_delete_on_close_set(pvfs, h)) {
info->all_info.out.delete_pending = 1;
info->all_info.out.nlink--;
}
@@ -407,7 +407,7 @@ NTSTATUS pvfs_qfileinfo(struct ntvfs_module_context *ntvfs,
break;
case RAW_FILEINFO_SMB2_ALL_INFORMATION:
- if (pvfs_delete_on_close_set(pvfs, h, NULL, NULL)) {
+ if (pvfs_delete_on_close_set(pvfs, h)) {
info->all_info2.out.delete_pending = 1;
info->all_info2.out.nlink--;
}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 4d38dc069e..37e6351864 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -27,6 +27,7 @@
#include "auth/auth.h"
#include "auth/auth_sam_reply.h"
#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/flags.h"
#include "rpc_server/samr/proto.h"
#include "util/util_ldb.h"
#include "libcli/auth/libcli_auth.h"
@@ -76,7 +77,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
struct creds_CredentialState *creds;
void *sam_ctx;
struct samr_Password *mach_pwd;
- uint16_t acct_flags;
+ uint32_t user_account_control;
int num_records;
struct ldb_message **msgs;
NTSTATUS nt_status;
@@ -113,27 +114,28 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- acct_flags = samdb_result_acct_flags(msgs[0],
- "userAccountControl");
+
+ user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
- if (acct_flags & ACB_DISABLED) {
+ if (user_account_control & UF_ACCOUNTDISABLE) {
DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
return NT_STATUS_ACCESS_DENIED;
}
if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
- if (!(acct_flags & ACB_WSTRUST)) {
- DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
+ if (!(user_account_control & UF_WORKSTATION_TRUST_ACCOUNT)) {
+ DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", user_account_control));
return NT_STATUS_ACCESS_DENIED;
}
} else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
- if (!(acct_flags & ACB_DOMTRUST)) {
- DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
+ if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
+ DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", user_account_control));
+
return NT_STATUS_ACCESS_DENIED;
}
} else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
- if (!(acct_flags & ACB_SVRTRUST)) {
- DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
+ if (!(user_account_control & UF_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control));
return NT_STATUS_ACCESS_DENIED;
}
} else {
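Review bot: The three DEBUG lines now print `user_account_control` (raw userAccountControl / UF_* bits) but their text still says `acb flags: 0x%x`, which will lead anyone reading the log to decode the value as ACB_* bits; change the wording in all three, e.g. `DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) userAccountControl: 0x%x\n", user_account_control));`. A stray blank line was also added inside the SEC_CHAN_DOMAIN branch before the `return`. dcesrv_netr_ServerAuthenticate3 continues outside the hunk.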
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 760d774f2e..8193e0a882 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -56,7 +56,7 @@
#define QUERY_LHOURS(msg, field, attr) \
r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
#define QUERY_AFLAGS(msg, field, attr) \
- r->out.info->field = samdb_result_acct_flags(msg, attr);
+ r->out.info->field = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, a_state->domain_state->domain_dn);
/* these are used to make the Set[User|Group]Info code easier to follow */
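Review bot: QUERY_AFLAGS now ignores its `attr` parameter and silently depends on `a_state`, `sam_ctx` and `mem_ctx` being in scope at every expansion site, none of which is visible from a call written as `QUERY_AFLAGS(msg, field, attr)`. The neighbouring macros still use `attr`, so a reader will assume this one does too; add a comment above it such as `/* attr is unused: the flags are derived from userAccountControl and pwdLastSet; requires a_state, sam_ctx and mem_ctx in scope */`.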
@@ -102,10 +102,25 @@
set_el = ldb_msg_find_element(msg, attr); \
set_el->flags = LDB_FLAG_MOD_REPLACE; \
} while (0)
-
+
+#define CHECK_FOR_MULTIPLES(value, flag, poss_flags) \
+ do { \
+ if ((value & flag) && ((value & flag) != (value & (poss_flags)))) { \
+ return NT_STATUS_INVALID_PARAMETER; \
+ } \
+ } while (0) \
+
+/* Set account flags, discarding flags that cannot be set with SAMR */
#define SET_AFLAGS(msg, field, attr) do { \
struct ldb_message_element *set_el; \
- if (samdb_msg_add_acct_flags(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+ if ((r->in.info->field & (ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST)) == 0) { \
+ return NT_STATUS_INVALID_PARAMETER; \
+ } \
+ CHECK_FOR_MULTIPLES(r->in.info->field, ACB_NORMAL, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \
+ CHECK_FOR_MULTIPLES(r->in.info->field, ACB_DOMTRUST, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \
+ CHECK_FOR_MULTIPLES(r->in.info->field, ACB_WSTRUST, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \
+ CHECK_FOR_MULTIPLES(r->in.info->field, ACB_SVRTRUST, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \
+ if (samdb_msg_add_acct_flags(sam_ctx, mem_ctx, msg, attr, (r->in.info->field & ~(ACB_AUTOLOCK|ACB_PW_EXPIRED))) != 0) { \
return NT_STATUS_NO_MEMORY; \
} \
set_el = ldb_msg_find_element(msg, attr); \
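Review bot: In CHECK_FOR_MULTIPLES the `value` argument is used unparenthesized in `(value & flag)`, and the `} while (0) \` line ends with a continuation backslash that splices the following blank line into the macro; write `((value) & (flag))` and drop the trailing backslash. Both macros `return` from the enclosing function, which is invisible at the expansion site, so a one-line comment above CHECK_FOR_MULTIPLES, `/* returns NT_STATUS_INVALID_PARAMETER from the caller when more than one account-type bit is set */`, would make that explicit. The new comment above SET_AFLAGS could also name the two flags being stripped (ACB_AUTOLOCK and ACB_PW_EXPIRED) rather than saying "flags that cannot be set with SAMR".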
@@ -1484,8 +1499,8 @@ static NTSTATUS dcesrv_samr_EnumDomainUsers(struct dcesrv_call_state *dce_call,
for (i=0;i<count;i++) {
/* Check if a mask has been requested */
if (r->in.acct_flags
- && ((samdb_result_acct_flags(res[i],
- "userAccountControl") & r->in.acct_flags) == 0)) {
+ && ((samdb_result_acct_flags(d_state->sam_ctx, mem_ctx, res[i],
+ d_state->domain_dn) & r->in.acct_flags) == 0)) {
continue;
}
entries[num_filtered_entries].idx = samdb_result_rid_from_sid(mem_ctx, res[i], "objectSid", 0);
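Review bot: samdb_result_acct_flags is now called once per enumerated entry with sam_ctx and mem_ctx where the old form only decoded a userAccountControl attribute, which suggests it may perform its own lookups or allocations; in EnumDomainUsers that call sits inside the loop over `count` results, so any per-call domain lookup is repeated for every user and anything allocated on mem_ctx accumulates until the RPC completes. If that is the case, the domain-derived inputs should be fetched once before the loop. dcesrv_samr_EnumDomainUsers starts and ends outside the hunk.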
@@ -3066,7 +3081,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
}
case 16:
{
- static const char * const attrs2[] = {"userAccountControl", NULL};
+ static const char * const attrs2[] = {"userAccountControl", "pwdLastSet", NULL};
attrs = attrs2;
break;
}
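Review bot: pwdLastSet is added to the attribute list for level 16 only; if samdb_result_acct_flags now derives ACB_PW_EXPIRED from pwdLastSet (the torture test in this commit expects that bit for fresh ACB_NORMAL accounts), every other QueryUserInfo level whose attribute list feeds QUERY_AFLAGS needs the same addition or the flag will silently read as not expired. Those other levels are outside this hunk, so they are worth a quick audit. A comment on the list such as `/* pwdLastSet: needed by samdb_result_acct_flags for ACB_PW_EXPIRED */` would record the dependency.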
@@ -3613,7 +3628,7 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
struct ldb_message **res;
int ldb_cnt, count, i;
const char * const attrs[] = { "objectSid", "sAMAccountName", "displayName",
- "description", "userAccountControl", NULL };
+ "description", "userAccountControl", "pwdLastSet", NULL };
struct samr_DispEntryFull *entriesFull = NULL;
struct samr_DispEntryFullGroup *entriesFullGroup = NULL;
struct samr_DispEntryAscii *entriesAscii = NULL;
@@ -3702,8 +3717,9 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
entriesGeneral[count].rid =
objectsid->sub_auths[objectsid->num_auths-1];
entriesGeneral[count].acct_flags =
- samdb_result_acct_flags(res[i],
- "userAccountControl");
+ samdb_result_acct_flags(d_state->sam_ctx, mem_ctx,
+ res[i],
+ d_state->domain_dn);
entriesGeneral[count].account_name.string =
samdb_result_string(res[i],
"sAMAccountName", "");
@@ -3719,8 +3735,9 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
/* No idea why we need to or in ACB_NORMAL here, but this is what Win2k3 seems to do... */
entriesFull[count].acct_flags =
- samdb_result_acct_flags(res[i],
- "userAccountControl") | ACB_NORMAL;
+ samdb_result_acct_flags(d_state->sam_ctx, mem_ctx,
+ res[i],
+ d_state->domain_dn) | ACB_NORMAL;
entriesFull[count].account_name.string =
samdb_result_string(res[i], "sAMAccountName",
"");
@@ -3731,9 +3748,6 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
entriesFullGroup[count].idx = count + 1;
entriesFullGroup[count].rid =
objectsid->sub_auths[objectsid->num_auths-1];
- entriesFullGroup[count].acct_flags =
- samdb_result_acct_flags(res[i],
- "userAccountControl");
/* We get a "7" here for groups */
entriesFullGroup[count].acct_flags
= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index e3c47ff4a2..55935b0037 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -313,9 +313,9 @@ def setup_samdb_partitions(samdb_path, setup_path, message, lp, session_info,
"server_sort",
"extended_dn",
"asq",
- "samldb",
"rdn_name",
"objectclass",
+ "samldb",
"kludge_acl",
"operational"]
tdb_modules_list = [
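Review bot: Moving samldb below rdn_name and objectclass changes the order in which the ldb modules see every add and modify, and nothing in the list records why, so the next reordering could silently undo it; a one-line comment such as `# samldb after objectclass: it appears to rely on the normalised objectClass values — verify` would help. The same module order is presumably encoded elsewhere as well (the tdb_modules_list that starts just below, and any @MODULES records written during provisioning), and those should be checked for consistency with this change.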
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index 58669660f4..503656a9bf 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -8,7 +8,6 @@ localPolicyFlags: 0
primaryGroupID: 516
accountExpires: 9223372036854775807
sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0
dNSHostName: ${DNSNAME}
@@ -33,7 +32,6 @@ description: DNS Service Account
userAccountControl: 514
accountExpires: 9223372036854775807
sAMAccountName: dns
-sAMAccountType: 805306368
servicePrincipalName: DNS/${DNSDOMAIN}
isCriticalSystemObject: TRUE
sambaPassword:: ${DNSPASS_B64}
diff --git a/source4/setup/provision_templates.ldif b/source4/setup/provision_templates.ldif
index fafedc6966..cc0ab212cd 100644
--- a/source4/setup/provision_templates.ldif
+++ b/source4/setup/provision_templates.ldif
@@ -18,7 +18,7 @@ objectClass: container
description: Container for SAM account templates
dn: CN=TemplateUser,CN=Templates
-userAccountControl: 514
+userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
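Review bot: Changing TemplateUser's userAccountControl from 514 to 546 sets UF_PASSWD_NOTREQD (0x20) on every account created from this template, so a new user starts not merely disabled but also exempt from the password-required check until a caller clears that bit. That matches what the torture test in this commit expects for SAMR-created accounts (ACB_PWNOTREQ | ACB_DISABLED), but the LDIF gives no hint that it was deliberate; a comment such as `# 546 = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE: new accounts start disabled and without a password requirement` would document it. Any code path that creates a user from this template and then enables it without also clearing PASSWD_NOTREQD may leave an enabled account that is exempt from password policy, so callers should be audited for that.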
@@ -29,21 +29,6 @@ pwdLastSet: 0
primaryGroupID: 513
accountExpires: -1
logonCount: 0
-sAMAccountType: 805306368
-
-dn: CN=TemplateComputer,CN=Templates
-userAccountControl: 4098
-badPwdCount: 0
-codePage: 0
-countryCode: 0
-badPasswordTime: 0
-lastLogoff: 0
-lastLogon: 0
-pwdLastSet: 0
-primaryGroupID: 513
-accountExpires: -1
-logonCount: 0
-sAMAccountType: 805306369
dn: CN=TemplateTrustingDomain,CN=Templates
userAccountControl: 2080
@@ -56,18 +41,9 @@ lastLogon: 0
primaryGroupID: 513
accountExpires: -1
logonCount: 0
-sAMAccountType: 805306370
dn: CN=TemplateGroup,CN=Templates
groupType: -2147483646
-sAMAccountType: 268435456
-
-# Currently this isn't used, we don't have a way to detect it different from an incoming alias
-#
-# dn: CN=TemplateAlias,CN=Templates
-# cn: TemplateAlias
-# groupType: -2147483644
-# sAMAccountType: 268435456
dn: CN=TemplateForeignSecurityPrincipal,CN=Templates
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 05fde15974..4b053d9166 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -44,7 +44,6 @@ objectSid: ${DOMAINSID}-502
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: krbtgt
-sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
sambaPassword:: ${KRBTGTPASS_B64}
@@ -85,7 +84,6 @@ objectClass: group
cn: Cert Publishers
description: Members of this group are permitted to publish certificates to the Active Directory
groupType: 2147483652
-sAMAccountType: 536870912
objectSid: ${DOMAINSID}-517
sAMAccountName: Cert Publishers
isCriticalSystemObject: TRUE
@@ -136,7 +134,6 @@ cn: RAS and IAS Servers
description: Servers in this group can access remote access properties of users
objectSid: ${DOMAINSID}-553
sAMAccountName: RAS and IAS Servers
-sAMAccountType: 536870912
groupType: 2147483652
isCriticalSystemObject: TRUE
@@ -151,7 +148,6 @@ member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-544
adminCount: 1
sAMAccountName: Administrators
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -188,7 +184,6 @@ description: Users are prevented from making accidental or intentional system-wi
member: CN=Domain Users,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-545
sAMAccountName: Users
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -202,7 +197,6 @@ member: CN=Domain Guests,CN=Users,${DOMAINDN}
member: CN=Guest,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-546
sAMAccountName: Guests
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -215,7 +209,6 @@ description: Members can administer domain printers
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountName: Print Operators
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -231,7 +224,6 @@ description: Backup Operators can override security restrictions for the sole pu
objectSid: S-1-5-32-551
adminCount: 1
sAMAccountName: Backup Operators
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -248,7 +240,6 @@ description: Supports file replication in a domain
objectSid: S-1-5-32-552
adminCount: 1
sAMAccountName: Replicator
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -260,7 +251,6 @@ cn: Remote Desktop Users
description: Members in this group are granted the right to logon remotely
objectSid: S-1-5-32-555
sAMAccountName: Remote Desktop Users
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -272,7 +262,6 @@ cn: Network Configuration Operators
description: Members in this group can have some administrative privileges to manage configuration of networking features
objectSid: S-1-5-32-556
sAMAccountName: Network Configuration Operators
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -284,7 +273,6 @@ cn: Performance Monitor Users
description: Members of this group have remote access to monitor this computer
objectSid: S-1-5-32-558
sAMAccountName: Performance Monitor Users
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -296,7 +284,6 @@ cn: Performance Log Users
description: Members of this group have remote access to schedule logging of performance counters on this computer
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -309,7 +296,6 @@ description: Members can administer domain servers
objectSid: S-1-5-32-549
adminCount: 1
sAMAccountName: Server Operators
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -328,7 +314,6 @@ description: Members can administer domain user and group accounts
objectSid: S-1-5-32-548
adminCount: 1
sAMAccountName: Account Operators
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -341,7 +326,6 @@ cn: Pre-Windows 2000 Compatible Access
description: A backward compatibility group which allows read access on all users and groups in the domain
objectSid: S-1-5-32-554
sAMAccountName: Pre-Windows 2000 Compatible Access
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -355,7 +339,6 @@ cn: Incoming Forest Trust Builders
description: Members of this group can create incoming, one-way trusts to this forest
objectSid: S-1-5-32-557
sAMAccountName: Incoming Forest Trust Builders
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -367,7 +350,6 @@ cn: Windows Authorization Access Group
description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
objectSid: S-1-5-32-560
sAMAccountName: Windows Authorization Access Group
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -379,7 +361,6 @@ cn: Terminal Server License Servers
description: Terminal Server License Servers
objectSid: S-1-5-32-561
sAMAccountName: Terminal Server License Servers
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
@@ -391,7 +372,6 @@ cn: Distributed COM Users
description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
objectSid: S-1-5-32-562
sAMAccountName: Distributed COM Users
-sAMAccountType: 536870912
systemFlags: 2348810240
groupType: 2147483653
isCriticalSystemObject: TRUE
diff --git a/source4/torture/libnet/libnet_user.c b/source4/torture/libnet/libnet_user.c
index 6ea670629e..31300a7937 100644
--- a/source4/torture/libnet/libnet_user.c
+++ b/source4/torture/libnet/libnet_user.c
@@ -339,12 +339,13 @@ static void set_test_changes(TALLOC_CTX *mem_ctx, struct libnet_ModifyUser *r,
const char* logon_scripts[] = { "start_login.cmd", "login.bat", "start.cmd" };
const char* home_dirs[] = { "\\\\srv\\home", "\\\\homesrv\\home\\user", "\\\\pdcsrv\\domain" };
const char* home_drives[] = { "H:", "z:", "I:", "J:", "n:" };
+ const uint32_t flags[] = { (ACB_DISABLED | ACB_NORMAL),
+ (ACB_NORMAL | ACB_PWNOEXP),
+ (ACB_NORMAL) };
const char *homedir, *homedrive, *logonscript;
struct timeval now;
int i, testfld;
- srandom((unsigned)time(NULL));
-
printf("Fields to change: [");
for (i = 0; i < num_changes && i < FIELDS_NUM; i++) {
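Review bot: The removed `srandom((unsigned)time(NULL))` was the only visible seeding of random() in set_test_changes, so unless the seed is set elsewhere the fields and values chosen are now identical on every run; that improves reproducibility but also means some combinations may never be exercised, and the intent should be stated in a comment at the top of the function, e.g. `/* random() is deliberately left unseeded so the chosen fields are reproducible across runs — confirm */`. Every entry in the new flags array includes ACB_NORMAL, which is consistent with the server-side SET_AFLAGS rule in this commit that exactly one account-type bit must be set. set_test_changes continues outside the hunk.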
@@ -382,14 +383,14 @@ static void set_test_changes(TALLOC_CTX *mem_ctx, struct libnet_ModifyUser *r,
case home_directory:
continue_if_field_set(r->in.home_directory);
- homedir = home_dirs[random() % (sizeof(home_dirs)/sizeof(char*))];
+ homedir = home_dirs[random() % ARRAY_SIZE(home_dirs)];
r->in.home_directory = talloc_strdup(mem_ctx, homedir);
fldname = "home_dir";
break;
case home_drive:
continue_if_field_set(r->in.home_drive);
- homedrive = home_drives[random() % (sizeof(home_drives)/sizeof(char*))];
+ homedrive = home_drives[random() % ARRAY_SIZE(home_drives)];
r->in.home_drive = talloc_strdup(mem_ctx, homedrive);
fldname = "home_drive";
break;
@@ -403,7 +404,7 @@ static void set_test_changes(TALLOC_CTX *mem_ctx, struct libnet_ModifyUser *r,
case logon_script:
continue_if_field_set(r->in.logon_script);
- logonscript = logon_scripts[random() % (sizeof(logon_scripts)/sizeof(char*))];
+ logonscript = logon_scripts[random() % ARRAY_SIZE(logon_scripts)];
r->in.logon_script = talloc_strdup(mem_ctx, logonscript);
fldname = "logon_script";
break;
@@ -422,6 +423,12 @@ static void set_test_changes(TALLOC_CTX *mem_ctx, struct libnet_ModifyUser *r,
fldname = "acct_expiry";
break;
+ case acct_flags:
+ continue_if_field_set(r->in.acct_flags);
+ r->in.acct_flags = flags[random() % ARRAY_SIZE(flags)];
+ fldname = "acct_flags";
+ break;
+
default:
fldname = "unknown_field";
}
diff --git a/source4/torture/libnet/userman.c b/source4/torture/libnet/userman.c
index 0d08284a9f..1d630e5ecd 100644
--- a/source4/torture/libnet/userman.c
+++ b/source4/torture/libnet/userman.c
@@ -189,7 +189,7 @@ static bool test_usermod(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
case acct_flags:
continue_if_field_set(mod->in.change.acct_flags);
- mod->in.change.acct_flags = flags[random() % (sizeof(flags)/sizeof(uint32_t))];
+ mod->in.change.acct_flags = flags[random() % ARRAY_SIZE(flags)];
mod->in.change.fields |= USERMOD_FIELD_ACCT_FLAGS;
fldname = "acct_flags";
break;
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 9d6c73891b..1d6ec43399 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -416,11 +416,6 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx
TEST_USERINFO_INT(21, logon_hours.bits[3], 21, logon_hours.bits[3], 4,
SAMR_FIELD_LOGON_HOURS);
- if (torture_setting_bool(tctx, "samba4", false)) {
- printf("skipping Set Account Flag tests against Samba4\n");
- return ret;
- }
-
TEST_USERINFO_INT_EXP(16, acct_flags, 5, acct_flags,
(base_acct_flags | ACB_DISABLED | ACB_HOMDIRREQ),
(base_acct_flags | ACB_DISABLED | ACB_HOMDIRREQ | user_extra_flags),
@@ -1989,9 +1984,12 @@ static bool test_user_ops(struct dcerpc_pipe *p,
const char *base_acct_name, enum torture_samr_choice which_ops)
{
char *password = NULL;
+ struct samr_QueryUserInfo q;
+ NTSTATUS status;
bool ret = true;
int i;
+ uint32_t rid;
const uint32_t password_fields[] = {
SAMR_FIELD_PASSWORD,
SAMR_FIELD_PASSWORD2,
@@ -1999,6 +1997,11 @@ static bool test_user_ops(struct dcerpc_pipe *p,
0
};
+ status = test_LookupName(p, tctx, domain_handle, base_acct_name, &rid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = false;
+ }
+
switch (which_ops) {
case TORTURE_SAMR_USER_ATTRIBUTES:
if (!test_QuerySecurity(p, tctx, user_handle)) {
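Review bot: When test_LookupName fails, `ret` is cleared but execution continues and `rid` stays uninitialised, and it is later compared against info5.rid further down in the same function; either initialise it where it is declared (`uint32_t rid = 0;`) or `return false;` here so that comparison cannot read an indeterminate value. test_user_ops starts and ends outside the hunk.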
@@ -2091,6 +2094,29 @@ static bool test_user_ops(struct dcerpc_pipe *p,
ret = false;
}
+ q.in.user_handle = user_handle;
+ q.in.level = 5;
+
+ status = dcerpc_samr_QueryUserInfo(p, tctx, &q);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("QueryUserInfo level %u failed - %s\n",
+ q.in.level, nt_errstr(status));
+ ret = false;
+ } else {
+ uint32_t expected_flags = (base_acct_flags | ACB_PWNOTREQ | ACB_DISABLED);
+ if ((q.out.info->info5.acct_flags) != expected_flags) {
+ printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+ q.out.info->info5.acct_flags,
+ expected_flags);
+ ret = false;
+ }
+ if (q.out.info->info5.rid != rid) {
+ printf("QuerUserInfo level 5 failed, it returned %u when we expected rid of %u\n",
+ q.out.info->info5.rid, rid);
+
+ }
+ }
+
break;
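Review bot: The rid-mismatch branch prints a failure message but never sets `ret = false`, unlike the acct_flags branch just above it, so a wrong RID from QueryUserInfo level 5 is reported yet the test still passes; add `ret = false;` after that printf. Both new messages also say "QuerUserInfo" (missing the "y"), which makes grepping test output for the RPC name miss them. test_user_ops starts and ends outside the hunk.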
case TORTURE_SAMR_OTHER:
/* We just need the account to exist */
@@ -2667,10 +2693,14 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
q.in.level, nt_errstr(status));
ret = false;
} else {
- if ((q.out.info->info5.acct_flags & acct_flags) != acct_flags) {
+ uint32_t expected_flags = (acct_flags | ACB_PWNOTREQ | ACB_DISABLED);
+ if (acct_flags == ACB_NORMAL) {
+ expected_flags |= ACB_PW_EXPIRED;
+ }
+ if ((q.out.info->info5.acct_flags) != expected_flags) {
printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
q.out.info->info5.acct_flags,
- acct_flags);
+ expected_flags);
ret = false;
}
switch (acct_flags) {
@@ -3887,7 +3917,6 @@ static bool test_GroupList(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
for (j=0; j<num_names; j++) {
if (names[j] == NULL)
continue;
- /* Hmm. No strequal in samba4 */
if (strequal(names[j], name)) {
names[j] = NULL;
found = true;