s3-passdb: Try to unlock the account if it is locked out

simo idra at samba.org
Thu Sep 2 17:37:13 MDT 2010


On Fri, 2010-09-03 at 07:51 +1000, Andrew Bartlett wrote:
> On Thu, 2010-09-02 at 17:38 -0400, simo wrote:
> > On Fri, 2010-09-03 at 07:09 +1000, Andrew Bartlett wrote:
> > > On Thu, 2010-09-02 at 17:34 +0200, Andreas Schneider wrote:
> > > > On Thursday 02 September 2010 00:53:53 Andrew Bartlett wrote:
> > > > > On Wed, 2010-09-01 at 10:01 +0200, Andreas Schneider wrote:
> > > 
> > > > > > Microsoft doesn't document this in the samr or netlogon function and I
> > > > > > don't think that they have implemented it there. It is for sure deeper
> > > > > > in the code which would be passdb in Samba. That's the reason I've
> > > > > > implemented it there.
> > > > > 
> > > > > I think there is another approach, which would not change the database
> > > > > on read operations and explain why you don't see this documented.
> > > > > 
> > > > > Instead of 'trying to unlock' the account on read operations, the read
> > > > > should simply return the calculated value of the ACB flags and
> > > > > ACB_AUTOLOCK if the account is locked (based on the same criteria that
> > > > > you use to 'unlock' the account automatically).
> > > > 
> > > > This means that you want to calculate the flags at the most places where you 
> > > > call get_sampw{nam,sid}. And only reset the flags at certain places?
> > > 
> > > Yes.  I'm not sure you should reset it at all actually, but if we need
> > > to (for example to aid non-Samba readers of our LDAP schema) it should
> > > be clear and deliberate, not a side-effect.
> > 
> > It is clear and deliberate AFAIK.
> > Not sure why you claim it is a side effect.
> 
> A 'get' routine such as getsampwnam() should *never* make modifications
> to the database.  If it does, then it's a side effect as far as a caller
> is concerned. 

I don't see any problem in this case, passdb is opaque to callers and
does many things clients don't know anything about.

In any case I don't think anyone here is attached to this solution, if
you have a better patch to make it behave like a Windows Server feel
free to push it.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
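
The two designs debated in this thread, as an added example (not code from the thread or from Samba): a read path that returns calculated ACB flags without touching the stored record, next to a separate, explicit reset for the write path. `ACB_AUTOLOCK` is the flag named above; the record struct, the function names and the expiry criterion (lockout time plus a configured duration, with 0 meaning "until an administrator unlocks") are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

#define ACB_AUTOLOCK 0x00000400u /* account is auto-locked */

/* Hypothetical stored account record; not Samba's struct samu. */
struct acct_record {
    uint32_t acct_flags;   /* flags exactly as stored in the database */
    time_t   lockout_time; /* when the account was locked, 0 if not locked */
    uint32_t bad_pw_count; /* failed logons counted towards lockout */
};

/* Assumed criterion: a lock expires once `duration` seconds have passed.
 * duration == 0 means the lock never expires automatically. */
static bool lockout_expired(const struct acct_record *r, time_t now,
                            time_t duration)
{
    if (!(r->acct_flags & ACB_AUTOLOCK) || duration == 0)
        return false;
    return now >= r->lockout_time + duration;
}

/* Read path: the const pointer makes the "no modification on get" rule
 * visible in the signature. The caller sees the calculated flags only. */
uint32_t effective_acct_flags(const struct acct_record *r, time_t now,
                              time_t duration)
{
    uint32_t flags = r->acct_flags;

    if (lockout_expired(r, now, duration))
        flags &= ~ACB_AUTOLOCK;
    return flags;
}

/* Write path: a deliberate reset, called only where an update is intended
 * (for example after a successful logon). Returns true when the record
 * changed and the caller must store it. */
bool reset_expired_lockout(struct acct_record *r, time_t now, time_t duration)
{
    if (!lockout_expired(r, now, duration))
        return false;
    r->acct_flags &= ~ACB_AUTOLOCK;
    r->lockout_time = 0;
    r->bad_pw_count = 0;
    return true;
}
```
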


