SamDB.enable_account does not work against Windows

Nadezhda Ivanova nivanova at
Thu Jun 10 05:55:09 MDT 2010

Hi Matthias,
I was trying out your tests, and found the following:
Against Windows, the SamDB.enable_account does not work if the user password
has been provided with userPassword attribute instead of unicodePwd. The
reason is that Windows treats that case as if the password has not been
actually set, and returns UNWILLING_TO_PERFORM when we attempt to unset the
ADS_UF_PASSWD_NOTREQD flag. I suspect that the reason for this is as
described in Password Modify Operations. userPassword is only
accepted if fUserPwdSupport is true in dsHeuristics, which by default it is
not. Why Windows does not return an error is another thing. So I suppose we
have 2 options here - use only unicodePwd and secure connections or set
fUserPwdSupport if we need to use userPassword. I have not tried the second
option yet, the first one I tried and it works. However then some tests in start to fail, as the userPassword attribute is no longer
present. Actually, when I run against Windows, a couple of them
fail even if I change nothing.

Since I will rely on these tests to be able to fix the ACL CAR problem, do
you think you could make a version that works as expected (e. g. uses the
newly created user rather than credentials from the command line) and passes
against windows. Send me the patch then and I will push it together with the
ACL fix. This would really help.


More information about the samba-technical mailing list