s3-passdb: Try to unlock the account if it is locked out

simo idra at samba.org
Thu Sep 2 15:38:30 MDT 2010


On Fri, 2010-09-03 at 07:09 +1000, Andrew Bartlett wrote:
> On Thu, 2010-09-02 at 17:34 +0200, Andreas Schneider wrote:
> > On Thursday 02 September 2010 00:53:53 Andrew Bartlett wrote:
> > > On Wed, 2010-09-01 at 10:01 +0200, Andreas Schneider wrote:
> 
> > > > Microsoft doesn't document this in the samr or netlogon function and I
> > > > don't think that they have implemented it there. It is for sure deeper
> > > > in the code which would be passdb in Samba. That's the reason I've
> > > > implemented it there.
> > > 
> > > I think there is another approach, which would not change the database
> > > on read operations and explain why you don't see this documented.
> > > 
> > > Instead of 'trying to unlock' the account on read operations, the read
> > > should simply return the calculated value of the ACB flags and
> > > ACB_AUTOLOCK if the account is locked (based on the same criteria that
> > > you use to 'unlock' the account automatically).
> > 
> > This means that you want to calculate the flags at most places where you
> > call get_sampw{nam,sid}. And only reset the flags at certain places?
> 
> Yes.  I'm not sure you should reset it at all actually, but if we need
> to (for example to aid non-Samba readers of our LDAP schema) it should
> be clear and deliberate, not a side-effect.

It is clear and deliberate AFAIK.
Not sure why you claim it is a side effect.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
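
Added example, not part of the original thread and not Samba's code: a C sketch contrasting the two designs debated above, unlocking as part of a lookup versus returning a calculated flag value and leaving the stored record alone. The `struct account`, the function names and the expiry criterion (lockout duration elapsed since the last bad password) are assumptions for illustration; the ACB_* values are those in Samba's samr.idl.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define ACB_NORMAL   0x00000010u
#define ACB_AUTOLOCK 0x00000400u

/* Hypothetical, simplified record; not Samba's struct samu. */
struct account {
    uint32_t acct_ctrl;         /* ACB flags as stored in the database */
    time_t   bad_password_time; /* time of the bad password that locked it */
    bool     dirty;             /* true once the record needs writing back */
};

/* Assumed criterion: the lock lapses lockout_secs after the last bad
 * password; a duration of 0 means only an administrator can unlock. */
static bool lock_expired(const struct account *a, time_t now, time_t lockout_secs)
{
    if (!(a->acct_ctrl & ACB_AUTOLOCK) || lockout_secs == 0)
        return false;
    return now >= a->bad_password_time + lockout_secs;
}

/* Design 1: the lookup itself clears the flag and marks the record dirty. */
uint32_t read_flags_unlocking(struct account *a, time_t now, time_t lockout_secs)
{
    if (lock_expired(a, now, lockout_secs)) {
        a->acct_ctrl &= ~ACB_AUTOLOCK;
        a->dirty = true;
    }
    return a->acct_ctrl;
}

/* Design 2: the lookup returns calculated flags; the record is const. */
uint32_t read_flags_calculated(const struct account *a, time_t now, time_t lockout_secs)
{
    uint32_t flags = a->acct_ctrl;
    if (lock_expired(a, now, lockout_secs))
        flags &= ~ACB_AUTOLOCK;
    return flags;
}

int main(void)
{
    /* Constructed sample: locked at t=1000, 1800 second lockout. */
    struct account a = { ACB_NORMAL | ACB_AUTOLOCK, 1000, false };
    printf("calculated at t=1500: 0x%x\n", (unsigned)read_flags_calculated(&a, 1500, 1800));
    printf("calculated at t=2800: 0x%x (stored 0x%x)\n",
           (unsigned)read_flags_calculated(&a, 2800, 1800), (unsigned)a.acct_ctrl);
    printf("unlocking  at t=2800: 0x%x (dirty=%d)\n",
           (unsigned)read_flags_unlocking(&a, 2800, 1800), a.dirty);
    return 0;
}
```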


