struct ldb_message_element *el, *el2;
enum sid_generator sid_generator;
struct dom_sid *sid;
- const char *tempstr;
int ret;
/* make sure that "sAMAccountType" is not specified */
}
if (strcmp(ac->type, "user") == 0) {
+ bool uac_generated = false;
+
/* Step 1.2: Default values */
ret = samdb_find_or_add_attribute(ldb, ac->msg,
"accountExpires", "9223372036854775807");
"pwdLastSet", "0");
if (ret != LDB_SUCCESS) return ret;
- tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT);
- if (tempstr == NULL) return ldb_operr(ldb);
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "userAccountControl", tempstr);
- if (ret != LDB_SUCCESS) return ret;
+ /* On add operations we might need to generate a
+ * "userAccountControl" (if it isn't specified). */
+ el = ldb_msg_find_element(ac->msg, "userAccountControl");
+ if ((el == NULL) && (ac->req->operation == LDB_ADD)) {
+ ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
+ "userAccountControl",
+ UF_NORMAL_ACCOUNT);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ uac_generated = true;
+ }
el = ldb_msg_find_element(ac->msg, "userAccountControl");
if (el != NULL) {
}
/* Step 1.5: Add additional flags when needed */
- if ((user_account_control & UF_NORMAL_ACCOUNT) &&
- (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+ /* Obviously this is done when the "userAccountControl"
+ * has been generated here (tested against Windows
+ * Server) */
+ if (uac_generated) {
user_account_control |= UF_ACCOUNTDISABLE;
user_account_control |= UF_PASSWD_NOTREQD;
}
} else if (strcmp(ac->type, "group") == 0) {
+ const char *tempstr;
+
/* Step 2.2: Default values */
tempstr = talloc_asprintf(ac->msg, "%d",
GTYPE_SECURITY_GLOBAL_GROUP);
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from samba.samdb import SamDB
-from samba.dsdb import (UF_NORMAL_ACCOUNT,
+from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE,
UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
try:
# After creation we should have a normal account
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
# As user you can only switch from a normal account to a workstation
# trust account and back.
ldb.modify(m)
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
try:
m = Message()
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
try:
# After creation we should have a normal account
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
# As computer you can switch from a normal account to a workstation
# or server trust account and back (also swapping between trust
ldb.modify(m)
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
- scope=SCOPE_BASE, attrs=["sAMAccountType"])
+ scope=SCOPE_BASE,
+ attrs=["sAMAccountType", "userAccountControl"])
self.assertTrue(len(res1) == 1)
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
ATYPE_NORMAL_ACCOUNT)
+ self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
try:
m = Message()