s3-passdb: Try to unlock the account if it is locked out

Andrew Bartlett abartlet at samba.org
Thu Sep 2 15:51:44 MDT 2010


On Thu, 2010-09-02 at 17:38 -0400, simo wrote:
> On Fri, 2010-09-03 at 07:09 +1000, Andrew Bartlett wrote:
> > On Thu, 2010-09-02 at 17:34 +0200, Andreas Schneider wrote:
> > > On Thursday 02 September 2010 00:53:53 Andrew Bartlett wrote:
> > > > On Wed, 2010-09-01 at 10:01 +0200, Andreas Schneider wrote:
> > 
> > > > > Microsoft doesn't document this in the samr or netlogon function and I
> > > > > don't think that they have implemented it there. It is for sure deeper
> > > > > in the code which would be passdb in Samba. That's the reason I've
> > > > > implemented it there.
> > > > 
> > > > I think there is another approach, which would not change the database
> > > > on read operations and explain why you don't see this documented.
> > > > 
> > > > Instead of 'trying to unlock' the account on read operations, the read
> > > > should simply return the calculated value of the ACB flags and
> > > > ACB_AUTOLOCK if the account is locked (based on the same criteria that
> > > > you use to 'unlock' the account automatically).
> > > 
> > > This means that you want to calculate the flags in most places where you
> > > call get_sampw{nam,sid}. And only reset the flags at certain places?
> > 
> > Yes.  I'm not sure you should reset it at all actually, but if we need
> > to (for example to aid non-Samba readers of our LDAP schema) it should
> > be clear and deliberate, not a side-effect.
> 
> It is clear and deliberate AFAIK.
> Not sure why you claim it is a side effect.

A 'get' routine such as getsampwnam() should *never* make modifications
to the database.  If it does, then it's a side effect as far as a caller
is concerned. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
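
The approach discussed in this thread (compute the lockout flag on read, keep any reset as a separate, deliberate write) can be sketched as below. This is an added example, not code from the message or from Samba: the `ex_` names, the record layout, the flag values and the treatment of a zero lockout duration as "no automatic expiry" are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical flag names and record layout for this example only. */
#define EX_ACB_NORMAL   0x00000010u
#define EX_ACB_AUTOLOCK 0x00000400u

struct ex_account {
    uint32_t stored_acb;   /* flags exactly as persisted */
    time_t   locked_at;    /* when the lockout was recorded */
};

/* Read path: takes a const record and only computes, never writes. */
uint32_t ex_effective_acb(const struct ex_account *a,
                          uint32_t lockout_secs, time_t now)
{
    uint32_t acb = a->stored_acb;
    if (!(acb & EX_ACB_AUTOLOCK))
        return acb;                    /* not locked, nothing to compute */
    if (lockout_secs == 0)
        return acb;                    /* assumption: 0 = no automatic expiry */
    if (now < a->locked_at)
        return acb;                    /* clock went backwards: stay locked */
    if ((uint64_t)(now - a->locked_at) >= lockout_secs)
        acb &= ~EX_ACB_AUTOLOCK;       /* expired: report as unlocked */
    return acb;
}

/* Write path: changes the record on purpose; returns 1 if it changed. */
int ex_clear_expired_lockout(struct ex_account *a,
                             uint32_t lockout_secs, time_t now)
{
    uint32_t eff = ex_effective_acb(a, lockout_secs, now);
    if (eff == a->stored_acb)
        return 0;
    a->stored_acb = eff;
    return 1;
}

int main(void)
{
    /* Constructed sample: locked at t=1000, 30 minute lockout. */
    struct ex_account a = { EX_ACB_NORMAL | EX_ACB_AUTOLOCK, 1000 };
    printf("t=1500 effective=0x%x\n", (unsigned)ex_effective_acb(&a, 1800, 1500));
    printf("t=2800 effective=0x%x stored=0x%x\n",
           (unsigned)ex_effective_acb(&a, 1800, 2800), (unsigned)a.stored_acb);
    return 0;
}
```
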