s3-passdb: Try to unlock the account if it is locked out
Andreas Schneider
asn at samba.org
Wed Sep 1 02:01:48 MDT 2010
On Tuesday 31 August 2010 23:03:38 Andrew Bartlett wrote:
> On Tue, 2010-08-31 at 11:16 -0400, Jim McDonough wrote:
> > On Mon, Aug 30, 2010 at 10:44 AM, Simo Sorce <idra at samba.org> wrote:
> > > The branch, master has been updated
> > >
> > > via 20e7b4e s3-auth: The unlock of the account is now done by
> > > the get_sampwnam call. via c5cfad1 s3-passdb: Try to unlock the
> > > account if it is locked out. via 2ab0b63 s3-passdb: Added a
> > > pdb_try_account_unlock function. via 9dd7e7f s3-auth: Use
> > > SamInfo3_for_guest to create guest server_info.
> > >
> > > from 5f419ea packaging: Build with -O3
> >
> > The account locking code is hereby yours!!!
> >
> > /me runs and hides from bmarsh
>
> I'm a little worried by these changes, because we only just finished
> removing the magic from passdb that did unexpected things behind
> ordinary-looking interfaces. (That is, the calls out to sid_to_gid() in
> the set_primary_group_id() wrapper.)
>
> Is it really the best idea for a read operation 'get_smbpwnam()' to make
> write calls to the database?
I've researched this on a Windows 2008 Server. You can login to the system
again after the lockout duration which means netr_LogonSamLogon is unlocking
the account. But a samr_QueryUserInfo doing the same, as Administrator or as
diffent user. I've first implemented it in the samr_OpenUser call, but then it
is possible that there are more functions.
Microsoft doesn't document this in the samr or netlogon function and I don't
think that they have implemented it there. It is for sure deeper in the code
which would be passdb in Samba. That's the reason I've implemented it there.
Cheers,
-- andreas
More information about the samba-technical
mailing list