[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha2-1236-gd28f2cb

Andrew Kroeger andrew at sprocks.gotdns.com
Fri Mar 7 12:35:24 GMT 2008


The branch, v4-0-test has been updated
       via  d28f2cb678b334086f601505c88e56b9c1ee559d (commit)
       via  6a98e5a7aa0cdbb61358901df50162b5b914ee5c (commit)
       via  2b6b4e5a1611744eea5dd9ec17c416916d7edab4 (commit)
       via  7ce5575a3a40cca4a45ec179a153f7e909065a87 (commit)
       via  be47cc7fdfa3cae0508e564f38b793aa27b6eb92 (commit)
      from  d66b6c3823f003875e3b7cdf63617a894cceadf9 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit d28f2cb678b334086f601505c88e56b9c1ee559d
Author: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date:   Fri Mar 7 05:56:04 2008 -0600

    Treat maxPwdAge == 0 as passwords never expire.

commit 6a98e5a7aa0cdbb61358901df50162b5b914ee5c
Author: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date:   Thu Mar 6 06:08:32 2008 -0600

    Enhance mappings of NTSTATUS to KRB5KDC errors.
    
    The enhanced mappings allow the Windows client to determine whether a user's
    password needs to be changed (and allow the user to change it), or whether the
    user cannot log on at all.
    
    Changes still need to be made to allow additional data to be returned.  Windows
    uses that additional data to display more detailed dialogs to the user.  The
    additional information is returned in an e-data struct of type PA-PW-SALT that
    contains the more-detailed NTSTATUS error code.

commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4
Author: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date:   Thu Mar 6 06:07:28 2008 -0600

    Update account expiration to use new samdb_result_account_expires() function.

commit 7ce5575a3a40cca4a45ec179a153f7e909065a87
Author: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date:   Thu Mar 6 06:02:46 2008 -0600

    Add samdb_result_account_expires() function.
    
    Windows uses 2 different values to indicate an account doesn't expire: 0 and
    9223372036854775807 (0x7FFFFFFFFFFFFFFFULL).
    
    This function looks up the value of the accountExpires attribute and if the
    value is either value indicating the account doesn't expire,
    0x7FFFFFFFFFFFFFFFULL is returned.
    
    This simplifies the tests for account expiration.  There is no need to check
    elsewhere in the code for both values, therefore a simple greater-than
    expression can be used.

commit be47cc7fdfa3cae0508e564f38b793aa27b6eb92
Author: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date:   Thu Mar 6 05:56:49 2008 -0600

    accountExpires: Windows default is 9223372036854775807, not -1.

-----------------------------------------------------------------------

Summary of changes:
 source/auth/sam.c                                  |    4 +-
 source/dsdb/common/util.c                          |   26 +++++++++++++++++++-
 source/kdc/hdb-ldb.c                               |    5 +--
 source/kdc/pac-glue.c                              |   21 +++++++++++++++-
 .../ldb/tests/schema-tests/schema-add-test.ldif    |    2 +-
 source/setup/provision_templates.ldif              |    4 +-
 source/setup/provision_users.ldif                  |    2 +-
 7 files changed, 53 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/auth/sam.c b/source/auth/sam.c
index 9a8045f..8821963 100644
--- a/source/auth/sam.c
+++ b/source/auth/sam.c
@@ -157,7 +157,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 
 	acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
 	
-	acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+	acct_expiry = samdb_result_account_expires(msg, 0);
 
 	/* Check for when we must change this password, taking the
 	 * userAccountControl flags into account */
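Review bot: Passing 0 as the default to samdb_result_account_expires means a message with no accountExpires attribute is now reported as never expiring, because the helper remaps 0 to 0x7FFFFFFFFFFFFFFFULL; the same applies to the second hunk of this file. The comparison that consumes acct_expiry lies outside the hunk, so whether that fail-open default is intended cannot be confirmed here. If it is, a one-line comment at the call, `/* missing or 0 accountExpires -> never expires (0x7FFFFFFFFFFFFFFF) */`, would make the choice explicit to the next reader. authsam_account_ok continues beyond this hunk.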
@@ -351,7 +351,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 
 	server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
 	server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
-	server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+	server_info->acct_expiry = samdb_result_account_expires(msg, 0);
 	server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 
 	ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL);
diff --git a/source/dsdb/common/util.c b/source/dsdb/common/util.c
index ace5e0e..88c8afd 100644
--- a/source/dsdb/common/util.c
+++ b/source/dsdb/common/util.c
@@ -434,6 +434,30 @@ NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME def
 }
 
 /*
+ * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
+ * indicate an account doesn't expire.
+ *
+ * When Windows initially creates an account, it sets
+ * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF).  However,
+ * when changing from an account having a specific expiration date to
+ * that account never expiring, it sets accountExpires = 0.
+ *
+ * Consolidate that logic here to allow clearer logic for account expiry in
+ * the rest of the code.
+ */
+NTTIME samdb_result_account_expires(struct ldb_message *msg,
+				    NTTIME default_value)
+{
+	NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
+						 default_value);
+
+	if (ret == (NTTIME)0)
+		ret = 0x7FFFFFFFFFFFFFFFULL;
+
+	return ret;
+}
+
+/*
   pull a uint64_t from a result set. 
 */
 uint64_t samdb_result_uint64(struct ldb_message *msg, const char *attr, uint64_t default_value)
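Review bot: The sentinel 0x7FFFFFFFFFFFFFFFULL is now spelled out as a bare literal in this function, in samdb_result_force_password_change below, and in hdb-ldb.c, so the "never expires" meaning is carried only by the surrounding comments. A single named constant in the shared header (name is a placeholder, e.g. `#define SAMDB_NEVER_EXPIRES 0x7FFFFFFFFFFFFFFFULL`) used at all three sites would keep the value from drifting. The header comment should also say that a default_value of 0 is remapped like a stored 0, since every caller in this changeset passes 0 and so gets never-expires for a missing attribute.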
@@ -493,7 +517,7 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
 
 	maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "maxPwdAge", NULL);
 	if (maxPwdAge == 0) {
-		return 0;
+		return 0x7FFFFFFFFFFFFFFFULL;
 	} else {
 		attr_time -= maxPwdAge;
 	}
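Review bot: Any caller that still tests the return of samdb_result_force_password_change against 0 to mean "no forced change" would now see 0x7FFFFFFFFFFFFFFFULL instead; the sam.c consumer of this value is outside the shown hunks, so this cannot be confirmed here. A short comment on the changed line, `return 0x7FFFFFFFFFFFFFFFULL; /* maxPwdAge == 0: passwords never expire */`, would tie the sentinel to the commit's intent. samdb_result_force_password_change starts outside the hunk.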
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index 9a17e58..bc5a45a 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -510,9 +510,8 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
 
 	entry_ex->entry.valid_start = NULL;
 
-	acct_expiry = samdb_result_nttime(msg, "accountExpires", (NTTIME)-1);
-	if ((acct_expiry == (NTTIME)-1) ||
-	    (acct_expiry == 0x7FFFFFFFFFFFFFFFULL)) {
+	acct_expiry = samdb_result_account_expires(msg, 0);
+	if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
 		entry_ex->entry.valid_end = NULL;
 	} else {
 		entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end));
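Review bot: Dropping the (NTTIME)-1 case means an accountExpires of -1, which the previous provisioning templates in this same changeset wrote (see the provision_*.ldif hunks), is no longer treated as never-expiring for databases provisioned before this change. How ldb_msg_find_attr_as_uint64 parses "-1" is not visible here, but if it yields 0xFFFFFFFFFFFFFFFF such accounts fall into the else branch and get a far-future or wrapped valid_end rather than NULL. Consider keeping the legacy value in the shared helper, `if (ret == (NTTIME)0 || ret == (NTTIME)-1)` in samdb_result_account_expires, or documenting that existing databases must have the attribute rewritten. LDB_message2entry continues beyond the hunk.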
diff --git a/source/kdc/pac-glue.c b/source/kdc/pac-glue.c
index a99cf6d..66f36af 100644
--- a/source/kdc/pac-glue.c
+++ b/source/kdc/pac-glue.c
@@ -276,9 +276,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
 
 	/* TODO:  Need a more complete mapping of NTSTATUS to krb5kdc errors */
 
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	/* TODO:  Also need to add the appropriate e-data struct of type
+	 * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows
+	 * the information it needs to display the appropriate dialog. */
+
+	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
+		return KRB5KDC_ERR_POLICY;
+	else if (!NT_STATUS_IS_OK(nt_status)) {
 		return KRB5KDC_ERR_POLICY;
 	}
+
 	return 0;
 }
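Review bot: The new if/else-if chain mixes unbraced single-statement branches with a braced final branch, and the NT_STATUS_INVALID_WORKSTATION case returns the same KRB5KDC_ERR_POLICY as the generic fallback, so it adds a branch without changing the result. Grouping the statuses that share a return into braced conditions reads more clearly and removes the duplicated returns. The specific KEY_EXPIRED/CLIENT_REVOKED codes are returned before the client has proven possession of the key, which matches the Windows KDC's behaviour but is an account-state signal visible to any requester; a comment stating that this is deliberate would help reviewers. samba_kdc_check_client_access starts outside the hunk.
```c
	/* … unchanged: TODO comments … */
	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE) ||
	    NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) {
		return KRB5KDC_ERR_KEY_EXPIRED;
	}
	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED) ||
	    NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED) ||
	    NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS) ||
	    NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
		return KRB5KDC_ERR_CLIENT_REVOKED;
	}
	/* NT_STATUS_INVALID_WORKSTATION and every other failure map to POLICY */
	if (!NT_STATUS_IS_OK(nt_status)) {
		return KRB5KDC_ERR_POLICY;
	}
	return 0;
```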
 
diff --git a/source/lib/ldb/tests/schema-tests/schema-add-test.ldif b/source/lib/ldb/tests/schema-tests/schema-add-test.ldif
index 997b801..472ab48 100644
--- a/source/lib/ldb/tests/schema-tests/schema-add-test.ldif
+++ b/source/lib/ldb/tests/schema-tests/schema-add-test.ldif
@@ -46,7 +46,7 @@ pwdLastSet: 0
 primaryGroupID: 513
 objectSid: S-1-5-21-43662522-77495566-38969261-500
 adminCount: 1
-accountExpires: -1
+accountExpires: 9223372036854775807
 logonCount: 0
 sAMAccountName: Administrator
 sAMAccountType: 0x30000000
diff --git a/source/setup/provision_templates.ldif b/source/setup/provision_templates.ldif
index cc0ab21..8f4ed08 100644
--- a/source/setup/provision_templates.ldif
+++ b/source/setup/provision_templates.ldif
@@ -27,7 +27,7 @@ lastLogoff: 0
 lastLogon: 0
 pwdLastSet: 0
 primaryGroupID: 513
-accountExpires: -1
+accountExpires: 9223372036854775807
 logonCount: 0
 
 dn: CN=TemplateTrustingDomain,CN=Templates
@@ -39,7 +39,7 @@ badPasswordTime: 0
 lastLogoff: 0
 lastLogon: 0
 primaryGroupID: 513
-accountExpires: -1
+accountExpires: 9223372036854775807
 logonCount: 0
 
 dn: CN=TemplateGroup,CN=Templates
diff --git a/source/setup/provision_users.ldif b/source/setup/provision_users.ldif
index 4b053d9..5a24e07 100644
--- a/source/setup/provision_users.ldif
+++ b/source/setup/provision_users.ldif
@@ -5,7 +5,7 @@ description: Built-in account for administering the computer/domain
 userAccountControl: 66048
 objectSid: ${DOMAINSID}-500
 adminCount: 1
-accountExpires: -1
+accountExpires: 9223372036854775807
 sAMAccountName: Administrator
 isCriticalSystemObject: TRUE
 sambaPassword:: ${ADMINPASS_B64}

