From a21bfc4daff9e67750021d96ffa0c1e6e4cd3472 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 9 May 2009 00:03:50 +0200 Subject: s3-samr: Fix SetUserInfo level 16 and 21 w.r.t. ACB_AUTOLOCK acct_flag. It is not allowed to *set* this flag remotely if it has been not set already. Found by torture test. Guenther --- source3/rpc_server/srv_samr_util.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'source3') diff --git a/source3/rpc_server/srv_samr_util.c b/source3/rpc_server/srv_samr_util.c index 8f136b1216..69daa31e9c 100644 --- a/source3/rpc_server/srv_samr_util.c +++ b/source3/rpc_server/srv_samr_util.c @@ -534,6 +534,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix, DEBUG(10,("%s SAMR_FIELD_ACCT_FLAGS: %08X -> %08X\n", l, pdb_get_acct_ctrl(to), from->acct_flags)); if (from->acct_flags != pdb_get_acct_ctrl(to)) { + + /* You cannot autolock an unlocked account via + * setuserinfo calls, so make sure to remove the + * ACB_AUTOLOCK bit here - gd */ + + if ((from->acct_flags & ACB_AUTOLOCK) && + !(pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) { + from->acct_flags &= ~ACB_AUTOLOCK; + } + if (!(from->acct_flags & ACB_AUTOLOCK) && (pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) { /* We're unlocking a previously locked user. Reset bad password counts. -- cgit