password-lockout: Allow RODC to ensure lockout and lockout reset
authorGarming Sam <garming@catalyst.net.nz>
Tue, 28 Mar 2017 01:34:01 +0000 (14:34 +1300)
committerGarming Sam <garming@samba.org>
Thu, 13 Apr 2017 05:29:18 +0000 (07:29 +0200)
Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail
source4/auth/sam.c

index bd3268e4bebb94eaff5a70e9db5878e45a7820f8..2cc9c70f1d60224714cf27e67e29f15a5d7bcaa1 100644 (file)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
-^samba4.ldap.rodc_rwdc.python\(rodc\).__main__.RodcRwdcTests.test_login_lockout_.*
index 8e84e3e4e6d8a63a3a4ffdbdc9f4e3aa3628cc60..9b0f0618bae258a7c11babe15fb6dea8e081519c 100644 (file)
@@ -702,13 +702,36 @@ NTSTATUS authsam_update_bad_pwd_count(struct ldb_context *sam_ctx,
        }
 
        if (msg_mod != NULL) {
-               ret = dsdb_modify(sam_ctx, msg_mod, 0);
+               struct ldb_request *req;
+
+               ret = ldb_build_mod_req(&req, sam_ctx, sam_ctx,
+                                       msg_mod,
+                                       NULL,
+                                       NULL,
+                                       ldb_op_default_callback,
+                                       NULL);
                if (ret != LDB_SUCCESS) {
-                       DEBUG(0, ("Failed to update badPwdCount, badPasswordTime or set lockoutTime on %s: %s\n",
-                                 ldb_dn_get_linearized(msg_mod->dn), ldb_errstring(sam_ctx)));
-                       TALLOC_FREE(mem_ctx);
-                       return NT_STATUS_INTERNAL_ERROR;
+                       goto done;
+               }
+
+               ret = ldb_request_add_control(req,
+                                             DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE,
+                                             false, NULL);
+               if (ret != LDB_SUCCESS) {
+                       talloc_free(req);
+                       goto done;
                }
+
+               ret = dsdb_autotransaction_request(sam_ctx, req);
+               talloc_free(req);
+       }
+
+done:
+       if (ret != LDB_SUCCESS) {
+               DEBUG(0, ("Failed to update badPwdCount, badPasswordTime or set lockoutTime on %s: %s\n",
+                         ldb_dn_get_linearized(msg_mod->dn), ldb_errstring(sam_ctx)));
+               TALLOC_FREE(mem_ctx);
+               return NT_STATUS_INTERNAL_ERROR;
        }
 
        TALLOC_FREE(mem_ctx);
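Review bot: The check under the new `done:` label reads `ret` and `msg_mod->dn` even when the `if (msg_mod != NULL)` block was skipped, so it now depends on `ret` still holding LDB_SUCCESS from whichever earlier call last set it (not visible in this hunk); if that value were non-success, the error path would dereference a NULL `msg_mod`. Returning before the block avoids both the stale-value dependency and the NULL dereference, e.g. `if (msg_mod == NULL) { TALLOC_FREE(mem_ctx); return NT_STATUS_OK; }`, assuming the success path after the hunk is just the `NT_STATUS_OK` return as in the second hunk. The same label-after-block layout appears in authsam_logon_success_accounting in the next hunk, where `ret` is likewise stale when `msg_mod->num_elements` is 0 (there `msg_mod` is non-NULL, so the worst case is a spurious NT_STATUS_INTERNAL_ERROR). authsam_update_bad_pwd_count starts before and ends after this hunk.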
@@ -930,17 +953,47 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
        }
 
        if (msg_mod->num_elements > 0) {
-               ret = dsdb_replace(sam_ctx, msg_mod, 0);
+               unsigned int i;
+               struct ldb_request *req;
+
+               /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
+               for (i=0;i<msg_mod->num_elements;i++) {
+                       msg_mod->elements[i].flags = LDB_FLAG_MOD_REPLACE;
+               }
+
+               ret = ldb_build_mod_req(&req, sam_ctx, sam_ctx,
+                                       msg_mod,
+                                       NULL,
+                                       NULL,
+                                       ldb_op_default_callback,
+                                       NULL);
                if (ret != LDB_SUCCESS) {
-                       DEBUG(0, ("Failed to set badPwdCount and lockoutTime "
-                                 "to 0 and/or  lastlogon to now (%lld) "
-                                 "%s: %s\n", (long long int)now,
-                                 ldb_dn_get_linearized(msg_mod->dn),
-                                 ldb_errstring(sam_ctx)));
-                       TALLOC_FREE(mem_ctx);
-                       return NT_STATUS_INTERNAL_ERROR;
+                       goto done;
+               }
+
+               ret = ldb_request_add_control(req,
+                                             DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE,
+                                             false, NULL);
+               if (ret != LDB_SUCCESS) {
+                       talloc_free(req);
+                       goto done;
                }
+
+               ret = dsdb_autotransaction_request(sam_ctx, req);
+               talloc_free(req);
        }
+
+done:
+       if (ret != LDB_SUCCESS) {
+               DEBUG(0, ("Failed to set badPwdCount and lockoutTime "
+                         "to 0 and/or  lastlogon to now (%lld) "
+                         "%s: %s\n", (long long int)now,
+                         ldb_dn_get_linearized(msg_mod->dn),
+                         ldb_errstring(sam_ctx)));
+               TALLOC_FREE(mem_ctx);
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
        TALLOC_FREE(mem_ctx);
        return NT_STATUS_OK;
 }
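Review bot: The new `ldb_request_add_control(req, DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE, ...)` call carries no comment saying why this modify must bypass the RODC referral, which is the whole point of the commit and is only explained in the commit message; a reader of sam.c will otherwise see a control that silently forces a local write on a read-only DC. A one-line comment above the call, such as `/* lockout bookkeeping must be written locally on an RODC rather than referred to the RWDC */`, would document it; the same applies to the identical call in authsam_update_bad_pwd_count in the previous hunk. As a style point, `for (i=0;i<msg_mod->num_elements;i++)` would read more consistently with the surrounding code as `for (i = 0; i < msg_mod->num_elements; i++)`. authsam_logon_success_accounting starts before this hunk.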