[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Wed Oct 13 11:32:01 MDT 2010


The branch, master has been updated
       via  bf657db s4:sam.py - tests for "userAccountControl" attribute
       via  3411e71 s4:samldb LDB module - deny creation of temporary duplicate accounts
       via  ed68189 s4:samldb LDB module - proof the account type also on LDB modify operations
      from  18ea6c5 ldb: Only build LIBLDB_MAIN when building ldb itself.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bf657db3c45def4a5418a783dfad08e0247d1349
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Wed Oct 13 16:41:54 2010 +0200

    s4:sam.py - tests for "userAccountControl" attribute
    
    Autobuild-User: Matthias Dieter Wallnöfer <mdw at samba.org>
    Autobuild-Date: Wed Oct 13 17:31:29 UTC 2010 on sn-devel-104

commit 3411e71c76dd01ae505c0c87fa43b794e63c4091
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Wed Oct 13 17:06:28 2010 +0200

    s4:samldb LDB module - deny creation of temporary duplicate accounts

commit ed68189c5f6c39d075d4c08a92994acf5e5a9a51
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Wed Oct 13 16:32:50 2010 +0200

    s4:samldb LDB module - proof the account type also on LDB modify operations

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/samldb.c |   20 ++
 source4/dsdb/tests/python/sam.py        |  451 ++++++++++++++++++++++++++++++-
 2 files changed, 468 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index f35a56a..4d7b8a1 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -830,6 +830,12 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 			/* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */
 			user_account_control = strtoul((const char *)el->values[0].data,
 						       NULL, 0);
+
+			/* Temporary duplicate accounts aren't allowed */
+			if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
+				return LDB_ERR_OTHER;
+			}
+
 			account_type = ds_uf2atype(user_account_control);
 			if (account_type == 0) {
 				ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
@@ -1346,6 +1352,10 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 		}
 
 		account_type =  ds_gtype2atype(group_type);
+		if (account_type == 0) {
+			ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
 		ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
 					 "sAMAccountType",
 					 account_type);
@@ -1382,7 +1392,17 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
 		user_account_control = strtoul((const char *)el->values[0].data,
 			NULL, 0);
+
+		/* Temporary duplicate accounts aren't allowed */
+		if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
+			return LDB_ERR_OTHER;
+		}
+
 		account_type = ds_uf2atype(user_account_control);
+		if (account_type == 0) {
+			ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
 		ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
 					 "sAMAccountType",
 					 account_type);
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index fc5967c..1970673 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -23,13 +23,13 @@ from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
 from ldb import ERR_NO_SUCH_ATTRIBUTE
 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
-from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
+from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE, ERR_INSUFFICIENT_ACCESS_RIGHTS
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
 from samba import Ldb
 from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_INTERDOMAIN_TRUST_ACCOUNT,
     UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
-    UF_PARTIAL_SECRETS_ACCOUNT,
+    UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
     UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT,
     GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
     GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
@@ -96,6 +96,7 @@ class SamTests(unittest.TestCase):
         print "baseDN: %s\n" % self.base_dn
 
         self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=users," + self.base_dn)
         self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
         self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
 
@@ -571,7 +572,7 @@ class SamTests(unittest.TestCase):
         self.assertFalse("objectClass" in res1[0])
         self.assertTrue("canonicalName" in res1[0])
 
-        res1 = ldb.search("cn=users,"+self.base_dn,
+        res1 = ldb.search("cn=users," + self.base_dn,
                           scope=SCOPE_BASE, attrs=["primaryGroupToken"])
         self.assertTrue(len(res1) == 1)
         self.assertFalse("primaryGroupToken" in res1[0])
@@ -1237,6 +1238,450 @@ class SamTests(unittest.TestCase):
 
         self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
 
+    def test_userAccountControl(self):
+        """Test the userAccountControl behaviour"""
+        print "Testing userAccountControl behaviour\n"
+
+        # With a user object
+
+        # Add operation
+
+        # As user you can only set a normal account.
+        # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
+        # password yet.
+        # With SYSTEM rights you can set a interdomain trust account.
+
+        # Invalid attribute
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+                "objectclass": ["user", "person"],
+                "userAccountControl": "0"})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+# This has to wait until s4 supports it (needs a password module change)
+#        try:
+#            ldb.add({
+#                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+#                "objectclass": ["user", "person"],
+#                "userAccountControl": str(UF_NORMAL_ACCOUNT)})
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+#        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+        ldb.add({
+            "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+            "objectclass": ["user", "person"],
+            "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+                "objectclass": ["user", "person"],
+                "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_OTHER)
+        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+# This isn't supported yet in s4
+#        try:
+#            ldb.add({
+#                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+#                "objectclass": ["user", "person"],
+#                "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
+#        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+#
+#        try:
+#            ldb.add({
+#                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+#                "objectclass": ["user", "person"],
+#                "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
+#        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+# This isn't supported yet in s4 - needs ACL module adaption
+#        try:
+#            ldb.add({
+#                "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+#                "objectclass": ["user", "person"],
+#                "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+#        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+        # Modify operation
+
+        ldb.add({
+            "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+            "objectclass": ["user", "person"]})
+
+        # After creation we should have a normal account
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+        # As user you can only switch from a normal account to a workstation
+        # trust account and back.
+        # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
+        # password yet.
+        # With SYSTEM rights you can switch to a interdomain trust account.
+
+        # Invalid attribute
+        try:
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+            m["userAccountControl"] = MessageElement("0",
+              FLAG_MOD_REPLACE, "userAccountControl")
+            ldb.modify(m)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+# This has to wait until s4 supports it (needs a password module change)
+#        try:
+#            m = Message()
+#            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+#            m["userAccountControl"] = MessageElement(
+#              str(UF_NORMAL_ACCOUNT),
+#              FLAG_MOD_REPLACE, "userAccountControl")
+#            ldb.modify(m)
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+        try:
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+            m["userAccountControl"] = MessageElement(
+              str(UF_TEMP_DUPLICATE_ACCOUNT),
+              FLAG_MOD_REPLACE, "userAccountControl")
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_OTHER)
+
+# This isn't supported yet in s4
+#        try:
+#            m = Message()
+#            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+#            m["userAccountControl"] = MessageElement(
+#              str(UF_SERVER_TRUST_ACCOUNT),
+#              FLAG_MOD_REPLACE, "userAccountControl")
+#            ldb.modify(m)
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_WORKSTATION_TRUST_ACCOUNT),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_WORKSTATION_TRUST)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+# This isn't supported yet in s4 - needs ACL module adaption
+#        try:
+#            m = Message()
+#            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+#            m["userAccountControl"] = MessageElement(
+#              str(UF_INTERDOMAIN_TRUST_ACCOUNT),
+#              FLAG_MOD_REPLACE, "userAccountControl")
+#            ldb.modify(m)
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+
+        # With a computer object
+
+        # Add operation
+
+        # As computer you can set a normal account and a server trust account.
+        # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
+        # password yet.
+        # With SYSTEM rights you can set a interdomain trust account.
+
+        # Invalid attribute
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                "objectclass": ["computer"],
+                "userAccountControl": "0"})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+# This has to wait until s4 supports it (needs a password module change)
+#        try:
+#            ldb.add({
+#                "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+#                "objectclass": ["computer"],
+#                "userAccountControl": str(UF_NORMAL_ACCOUNT)})
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+#        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+        ldb.add({
+            "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+            "objectclass": ["computer"],
+            "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                "objectclass": ["computer"],
+                "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_OTHER)
+        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+        ldb.add({
+            "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+            "objectclass": ["computer"],
+            "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_WORKSTATION_TRUST)
+        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                "objectclass": ["computer"],
+                "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
+        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+# This isn't supported yet in s4 - needs ACL module adaption
+#        try:
+#            ldb.add({
+#                "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+#                "objectclass": ["computer"],
+#                "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
+#            self.fail()
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+#        self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+
+        # Modify operation
+
+        ldb.add({
+            "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+            "objectclass": ["computer"]})
+
+        # After creation we should have a normal account
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+        # As computer you can switch from a normal account to a workstation
+        # or server trust account and back (also swapping between trust
+        # accounts is allowed).
+        # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
+        # password yet.
+        # With SYSTEM rights you can switch to a interdomain trust account.
+
+        # Invalid attribute
+        try:
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+            m["userAccountControl"] = MessageElement("0",
+              FLAG_MOD_REPLACE, "userAccountControl")
+            ldb.modify(m)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+# This has to wait until s4 supports it (needs a password module change)
+#        try:
+#            m = Message()
+#            m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+#            m["userAccountControl"] = MessageElement(
+#              str(UF_NORMAL_ACCOUNT),
+#              FLAG_MOD_REPLACE, "userAccountControl")
+#            ldb.modify(m)
+#        except LdbError, (num, _):
+#            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+        try:
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+            m["userAccountControl"] = MessageElement(
+              str(UF_TEMP_DUPLICATE_ACCOUNT),
+              FLAG_MOD_REPLACE, "userAccountControl")
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_OTHER)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_SERVER_TRUST_ACCOUNT),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_WORKSTATION_TRUST)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_WORKSTATION_TRUST_ACCOUNT),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_WORKSTATION_TRUST)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])
+        self.assertTrue(len(res1) == 1)
+        self.assertEquals(int(res1[0]["sAMAccountType"][0]),
+          ATYPE_NORMAL_ACCOUNT)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(UF_SERVER_TRUST_ACCOUNT),
+          FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["sAMAccountType"])


-- 
Samba Shared Repository


More information about the samba-cvs mailing list