From 62ee2a5caf8b8e7750a650c7ebc9729beda48a89 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sat, 21 Apr 2012 17:20:24 +0200 Subject: s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on add Windows Server 2008 has changed semantics in comparison to Server 2003. Reviewed-by: Andrew Bartlett --- source4/dsdb/samdb/ldb_modules/samldb.c | 14 ++++++++--- source4/dsdb/tests/python/sam.py | 44 +++++++++++++++++++-------------- 2 files changed, 37 insertions(+), 21 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index da9c966ddd..cd13900bf5 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -990,7 +990,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) switch(ac->type) { case SAMLDB_TYPE_USER: { - bool uac_generated = false; + bool uac_generated = false, uac_add_flags = false; /* Step 1.2: Default values */ ret = samdb_find_or_add_attribute(ldb, ac->msg, @@ -1032,6 +1032,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) return ret; } uac_generated = true; + uac_add_flags = true; } el = ldb_msg_find_element(ac->msg, "userAccountControl"); @@ -1042,6 +1043,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) user_account_control = ldb_msg_find_attr_as_uint(ac->msg, "userAccountControl", 0); + /* "userAccountControl" = 0 means "UF_NORMAL_ACCOUNT" */ + if (user_account_control == 0) { + user_account_control = UF_NORMAL_ACCOUNT; + uac_generated = true; + } /* Temporary duplicate accounts aren't allowed */ if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { @@ -1124,8 +1130,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) * has been generated here (tested against Windows * Server) */ if (uac_generated) { - user_account_control |= UF_ACCOUNTDISABLE; - user_account_control |= UF_PASSWD_NOTREQD; + if (uac_add_flags) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; + } ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, "userAccountControl", diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index c5727cd080..df1915a899 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -1425,15 +1425,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. - # Invalid attribute - try: - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": "user", - "userAccountControl": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": "user", + "userAccountControl": "0"}) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) # This has to wait until s4 supports it (needs a password module change) @@ -1647,15 +1651,19 @@ class SamTests(samba.tests.TestCase): # password yet. # With SYSTEM rights you can set a interdomain trust account. - # Invalid attribute - try: - ldb.add({ - "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, - "objectclass": "computer", - "userAccountControl": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": "computer", + "userAccountControl": "0"}) + + res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["sAMAccountType", "userAccountControl"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(int(res1[0]["sAMAccountType"][0]), + ATYPE_NORMAL_ACCOUNT) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0) + self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0) delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) # This has to wait until s4 supports it (needs a password module change) -- cgit