s4:samldb LDB module - fix "userAccountControl" handling

"UF_ACCOUNTDISABLE" is only added automatically if no "userAccountControl" flags
are set on LDAP add operations.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Jan 14 18:29:07 CET 2011 on sn-devel-104

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 5653ba17510be72c711ef115902252131195d4ad..e60f24023d1c160658c3cc7113c4e772c451358b 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -800,7 +800,6 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
        struct ldb_message_element *el, *el2;
        enum sid_generator sid_generator;
        struct dom_sid *sid;
-       const char *tempstr;
        int ret;
 
        /* make sure that "sAMAccountType" is not specified */
@@ -834,6 +833,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
        }
 
        if (strcmp(ac->type, "user") == 0) {
+               bool uac_generated = false;
+
                /* Step 1.2: Default values */
                ret = samdb_find_or_add_attribute(ldb, ac->msg,
                        "accountExpires", "9223372036854775807");
@@ -863,11 +864,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
                        "pwdLastSet", "0");
                if (ret != LDB_SUCCESS) return ret;
 
-               tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT);
-               if (tempstr == NULL) return ldb_operr(ldb);
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "userAccountControl", tempstr);
-               if (ret != LDB_SUCCESS) return ret;
+               /* On add operations we might need to generate a
+                * "userAccountControl" (if it isn't specified). */
+               el = ldb_msg_find_element(ac->msg, "userAccountControl");
+               if ((el == NULL) && (ac->req->operation == LDB_ADD)) {
+                       ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
+                                                "userAccountControl",
+                                                UF_NORMAL_ACCOUNT);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+                       uac_generated = true;
+               }
 
                el = ldb_msg_find_element(ac->msg, "userAccountControl");
                if (el != NULL) {
@@ -924,8 +932,10 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
                        }
 
                        /* Step 1.5: Add additional flags when needed */
-                       if ((user_account_control & UF_NORMAL_ACCOUNT) &&
-                           (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+                       /* Obviously this is done when the "userAccountControl"
+                        * has been generated here (tested against Windows
+                        * Server) */
+                       if (uac_generated) {
                                user_account_control |= UF_ACCOUNTDISABLE;
                                user_account_control |= UF_PASSWD_NOTREQD;
 
@@ -939,6 +949,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
                }
 
        } else if (strcmp(ac->type, "group") == 0) {
+               const char *tempstr;
+
                /* Step 2.2: Default values */
                tempstr = talloc_asprintf(ac->msg, "%d",
                                          GTYPE_SECURITY_GLOBAL_GROUP);

diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index 03d698408b59a9b7d1bb6f0ed501bb39a7b3fa16..69dd7570482db8f8b50984481f0cb44b7d0151e7 100755 (executable)
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -24,7 +24,7 @@ from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
 from samba.samdb import SamDB
-from samba.dsdb import (UF_NORMAL_ACCOUNT,
+from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE,
     UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
     UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
     UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
@@ -1453,10 +1453,12 @@ class SamTests(unittest.TestCase):
             "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
 
         res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
-                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl"])
         self.assertTrue(len(res1) == 1)
         self.assertEquals(int(res1[0]["sAMAccountType"][0]),
           ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
         delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
 
         try:
@@ -1508,10 +1510,12 @@ class SamTests(unittest.TestCase):
 
         # After creation we should have a normal account
         res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
-                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl"])
         self.assertTrue(len(res1) == 1)
         self.assertEquals(int(res1[0]["sAMAccountType"][0]),
           ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
 
         # As user you can only switch from a normal account to a workstation
         # trust account and back.
@@ -1548,10 +1552,12 @@ class SamTests(unittest.TestCase):
         ldb.modify(m)
 
         res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
-                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl"])
         self.assertTrue(len(res1) == 1)
         self.assertEquals(int(res1[0]["sAMAccountType"][0]),
           ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
 
         try:
             m = Message()
@@ -1651,10 +1657,12 @@ class SamTests(unittest.TestCase):
             "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
 
         res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
-                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl"])
         self.assertTrue(len(res1) == 1)
         self.assertEquals(int(res1[0]["sAMAccountType"][0]),
           ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
         delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
 
         try:
@@ -1707,10 +1715,12 @@ class SamTests(unittest.TestCase):
 
         # After creation we should have a normal account
         res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
-                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl"])
         self.assertTrue(len(res1) == 1)
         self.assertEquals(int(res1[0]["sAMAccountType"][0]),
           ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
 
         # As computer you can switch from a normal account to a workstation
         # or server trust account and back (also swapping between trust
@@ -1748,10 +1758,12 @@ class SamTests(unittest.TestCase):
         ldb.modify(m)
 
         res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
-                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl"])
         self.assertTrue(len(res1) == 1)
         self.assertEquals(int(res1[0]["sAMAccountType"][0]),
           ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
 
         try:
             m = Message()