s4:samldb LDB module - MS-SAMR 3.1.1.8.10 "userAccountControl"

author Matthias Dieter Wallnöfer <mdw@samba.org>

Sat, 8 Jun 2013 21:45:43 +0000 (23:45 +0200)

committer Andrew Bartlett <abartlet@samba.org>

Mon, 10 Jun 2013 05:32:35 +0000 (07:32 +0200)
author Matthias Dieter Wallnöfer <mdw@samba.org>
Sat, 8 Jun 2013 21:45:43 +0000 (23:45 +0200)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 10 Jun 2013 05:32:35 +0000 (07:32 +0200)
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c

index 5bb0b61d61a4eedba77f8c4f62a180c611a39928..603370fd6220952bdef1877890bfdb9654dc6f3e 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1049,6 +1049,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
                                 uac_generated = true;
                         }
  
+                       /*
+                        * As per MS-SAMR 3.1.1.8.10 these flags have not to be set
+                        */
+                       if ((user_account_control & UF_LOCKOUT) != 0) {
+                               user_account_control &= ~UF_LOCKOUT;
+                               uac_generated = true;
+                       }
+                       if ((user_account_control & UF_PASSWORD_EXPIRED) != 0) {
+                               user_account_control &= ~UF_PASSWORD_EXPIRED;
+                               uac_generated = true;
+                       }
+
                         /* Temporary duplicate accounts aren't allowed */
                         if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
                                 return LDB_ERR_OTHER;
@@ -1442,9 +1454,10 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
         struct ldb_message *tmp_msg;
         int ret;
         struct ldb_result *res;
-       const char * const attrs[] = { "userAccountControl", "objectClass", NULL };
+       const char * const attrs[] = { "userAccountControl", "objectClass",
+                                      "lockoutTime", NULL };
         unsigned int i;
-       bool is_computer = false;
+       bool is_computer = false, uac_generated = false;
  
         el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl",
                                          ac->req->operation);
@@ -1517,8 +1530,6 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
  
         account_type = ds_uf2atype(user_account_control);
         if (account_type == 0) {
-               char *tempstr;
-
                 /*
                  * When there is no account type embedded in "userAccountControl"
                  * fall back to default "UF_NORMAL_ACCOUNT".
@@ -1530,18 +1541,7 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
                 }
  
                 user_account_control |= UF_NORMAL_ACCOUNT;
-
-               tempstr = talloc_asprintf(ac->msg, "%d", user_account_control);
-               if (tempstr == NULL) {
-                       return ldb_module_oom(ac->module);
-               }
-
-               /* Overwrite "userAccountControl" with "UF_NORMAL_ACCOUNT" added */
-               el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl",
-                                                ac->req->operation);
-               el->values[0].data = (uint8_t *) tempstr;
-               el->values[0].length = strlen(tempstr);
-
+               uac_generated = true;
                 account_type = ATYPE_NORMAL_ACCOUNT;
         }
         ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType",
@@ -1552,6 +1552,41 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
         el = ldb_msg_find_element(ac->msg, "sAMAccountType");
         el->flags = LDB_FLAG_MOD_REPLACE;
  
+       /* As per MS-SAMR 3.1.1.8.10 these flags have not to be set */
+       if ((user_account_control & UF_LOCKOUT) != 0) {
+               /* "lockoutTime" reset as per MS-SAMR 3.1.1.8.10 */
+               uint64_t lockout_time = ldb_msg_find_attr_as_uint64(res->msgs[0],
+                                                                   "lockoutTime",
+                                                                   0);
+               if (lockout_time != 0) {
+                       ldb_msg_remove_attr(ac->msg, "lockoutTime");
+                       ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg,
+                                                  "lockoutTime", (NTTIME)0);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+                       el = ldb_msg_find_element(ac->msg, "lockoutTime");
+                       el->flags = LDB_FLAG_MOD_REPLACE;
+               }
+
+               user_account_control &= ~UF_LOCKOUT;
+               uac_generated = true;
+       }
+       if ((user_account_control & UF_PASSWORD_EXPIRED) != 0) {
+               /* "pwdLastSet" reset as password expiration has been forced  */
+               ldb_msg_remove_attr(ac->msg, "pwdLastSet");
+               ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, "pwdLastSet",
+                                          (NTTIME)0);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+               el = ldb_msg_find_element(ac->msg, "pwdLastSet");
+               el->flags = LDB_FLAG_MOD_REPLACE;
+
+               user_account_control &= ~UF_PASSWORD_EXPIRED;
+               uac_generated = true;
+       }
+
         /* "isCriticalSystemObject" might be set/changed */
         if (user_account_control
             & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
@@ -1595,6 +1630,21 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
                 el->flags = LDB_FLAG_MOD_REPLACE;
         }
  
+       /* Propagate eventual "userAccountControl" attribute changes */
+       if (uac_generated) {
+               char *tempstr = talloc_asprintf(ac->msg, "%d",
+                                               user_account_control);
+               if (tempstr == NULL) {
+                       return ldb_module_oom(ac->module);
+               }
+
+               /* Overwrite "userAccountControl" correctly */
+               el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl",
+                                                ac->req->operation);
+               el->values[0].data = (uint8_t *) tempstr;
+               el->values[0].length = strlen(tempstr);
+       }
+
         return LDB_SUCCESS;
  }
  
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py

index 361a10898d36131887c75dac93d03df2df7a37d4..754096a0157dddc85603df92e3cb6fe711968c55 100755 (executable)
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -27,7 +27,7 @@ from samba.samdb import SamDB
  from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE,
      UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
      UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
-    UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
+    UF_PASSWD_NOTREQD, UF_LOCKOUT, UF_PASSWORD_EXPIRED, ATYPE_NORMAL_ACCOUNT,
      GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
      GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
      GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
@@ -1465,6 +1465,22 @@ class SamTests(samba.tests.TestCase):
          self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
          delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
  
+        ldb.add({
+            "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+            "objectclass": "user",
+            "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_LOCKOUT | UF_PASSWORD_EXPIRED)})
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0)
+        self.assertFalse("lockoutTime" in res1[0])
+        self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0)
+        delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
          try:
              ldb.add({
                  "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -1587,6 +1603,30 @@ class SamTests(samba.tests.TestCase):
          self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
          self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
  
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["lockoutTime"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "lockoutTime")
+        m["pwdLastSet"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "pwdLastSet")
+        ldb.modify(m)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_LOCKOUT | UF_PASSWORD_EXPIRED),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0)
+        self.assertTrue(int(res1[0]["lockoutTime"][0]) == 0)
+        self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0)
+
          try:
              m = Message()
              m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
@@ -1707,6 +1747,22 @@ class SamTests(samba.tests.TestCase):
          self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
          delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
  
+        ldb.add({
+            "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+            "objectclass": "computer",
+            "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_LOCKOUT | UF_PASSWORD_EXPIRED)})
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0)
+        self.assertFalse("lockoutTime" in res1[0])
+        self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0)
+        delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
          try:
              ldb.add({
                  "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
@@ -1823,6 +1879,30 @@ class SamTests(samba.tests.TestCase):
          self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
          self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
  
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["lockoutTime"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "lockoutTime")
+        m["pwdLastSet"] = MessageElement(str(samba.unix2nttime(0)), FLAG_MOD_REPLACE, "pwdLastSet")
+        ldb.modify(m)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_LOCKOUT | UF_PASSWORD_EXPIRED),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE,
+                          attrs=["sAMAccountType", "userAccountControl", "lockoutTime", "pwdLastSet"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
+        self.assertTrue(int(res1[0]["userAccountControl"][0]) & (UF_LOCKOUT | UF_PASSWORD_EXPIRED) == 0)
+        self.assertTrue(int(res1[0]["lockoutTime"][0]) == 0)
+        self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0)
+
          try:
              m = Message()
              m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
author	Matthias Dieter Wallnöfer <mdw@samba.org>
	Sat, 8 Jun 2013 21:45:43 +0000 (23:45 +0200)
committer	Andrew Bartlett <abartlet@samba.org>
	Mon, 10 Jun 2013 05:32:35 +0000 (07:32 +0200)
source4/dsdb/samdb/ldb_modules/samldb.c		patch \| blob \| history
source4/dsdb/tests/python/sam.py		patch \| blob \| history