s3-passdb: Try to unlock the account if it is locked out

Andrew Bartlett abartlet at samba.org
Thu Sep 2 15:09:18 MDT 2010


On Thu, 2010-09-02 at 17:34 +0200, Andreas Schneider wrote:
> On Thursday 02 September 2010 00:53:53 Andrew Bartlett wrote:
> > On Wed, 2010-09-01 at 10:01 +0200, Andreas Schneider wrote:

> > > Microsoft doesn't document this in the samr or netlogon function and I
> > > don't think that they have implemented it there. It is for sure deeper
> > > in the code which would be passdb in Samba. That's the reason I've
> > > implemented it there.
> > 
> > I think there is another approach, which would not change the database
> > on read operations and explain why you don't see this documented.
> > 
> > Instead of 'trying to unlock' the account on read operations, the read
> > should simply return the calculated value of the ACB flags and
> > ACB_AUTOLOCK if the account is locked (based on the same criteria that
> > you use to 'unlock' the account automatically).
> 
> This means that you want to calculate the flags at most places where you
> call get_sampw{nam,sid}. And only reset the flags at certain places?

Yes.  I'm not sure you should reset it at all actually, but if we need
to (for example to aid non-Samba readers of our LDAP schema) it should
be clear and deliberate, not a side-effect.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
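
The approach discussed in this message, sketched as an added example (not code from the thread or from Samba): the read path reports a calculated ACB_AUTOLOCK without touching the stored record, and any reset is a separate, explicit write. The struct, the function names and the local flag definition are hypothetical, and treating a lockout duration of 0 as "no automatic unlock" is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

/* Local definition for this example; the flag name is the one used in the thread. */
#define ACB_AUTOLOCK 0x00000400u

/* Hypothetical stored account record (not Samba's own account structure). */
struct acct_record {
	uint32_t acct_ctrl;    /* flags as stored in the database */
	time_t   lockout_time; /* when the account was locked out */
};

/* True if the stored lockout is still in force at 'now'.
 * Assumption: a duration of 0 means "no automatic unlock". */
static bool lockout_active(const struct acct_record *r, time_t now,
			   uint32_t duration_secs)
{
	if (!(r->acct_ctrl & ACB_AUTOLOCK)) return false;
	if (duration_secs == 0) return true;
	return (now - r->lockout_time) < (time_t)duration_secs;
}

/* Read path: calculate the flags to report; the record is const and never written. */
uint32_t effective_acct_ctrl(const struct acct_record *r, time_t now,
			     uint32_t duration_secs)
{
	if (lockout_active(r, now, duration_secs))
		return r->acct_ctrl;
	return r->acct_ctrl & ~ACB_AUTOLOCK;
}

/* Write path: a deliberate reset, called only where a stored change is wanted.
 * Returns true if the record was modified and must be written back. */
bool reset_expired_lockout(struct acct_record *r, time_t now,
			   uint32_t duration_secs)
{
	if (!(r->acct_ctrl & ACB_AUTOLOCK) || lockout_active(r, now, duration_secs))
		return false;
	r->acct_ctrl &= ~ACB_AUTOLOCK;
	r->lockout_time = 0;
	return true;
}
```

Because `effective_acct_ctrl()` takes a `const` record, a lookup cannot change the database as a side effect; only a caller that invokes `reset_expired_lockout()` triggers a write.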