s3-passdb: Try to unlock the account if it is locked out

Andrew Bartlett abartlet at samba.org
Wed Sep 8 17:33:44 MDT 2010


On Thu, 2010-09-02 at 19:37 -0400, simo wrote:
> On Fri, 2010-09-03 at 07:51 +1000, Andrew Bartlett wrote:
> > On Thu, 2010-09-02 at 17:38 -0400, simo wrote:
> > > On Fri, 2010-09-03 at 07:09 +1000, Andrew Bartlett wrote:
> > > > On Thu, 2010-09-02 at 17:34 +0200, Andreas Schneider wrote:
> > > > > On Thursday 02 September 2010 00:53:53 Andrew Bartlett wrote:
> > > > > > On Wed, 2010-09-01 at 10:01 +0200, Andreas Schneider wrote:
> > > > 
> > > > > > > Microsoft doesn't document this in the samr or netlogon function and I
> > > > > > > don't think that they have implemented it there. It is for sure deeper
> > > > > > > in the code which would be passdb in Samba. That's the reason I've
> > > > > > > implemented it there.
> > > > > > 
> > > > > > I think there is another approach, which would not change the database
> > > > > > on read operations and explain why you don't see this documented.
> > > > > > 
> > > > > > Instead of 'trying to unlock' the account on read operations, the read
> > > > > > should simply return the calculated value of the ACB flags and
> > > > > > ACB_AUTOLOCK if the account is locked (based on the same criteria that
> > > > > > you use to 'unlock' the account automatically).
> > > > > 
> > > > > This means that you want to calculate the flags at the most places where you 
> > > > > call get_sampw{nam,sid}. And only reset the flags at certain places?
> > > > 
> > > > Yes.  I'm not sure you should reset it at all actually, but if we need
> > > > to (for example to aid non-Samba readers of our LDAP schema) it should
> > > > be clear and deliberate, not a side-effect.
> > > 
> > > It is clear and deliberate AFAIK.
> > > Not sure why you claim it is a side effect.
> > 
> > A 'get' routine such as getsampwnam() should *never* make modifications
> > to the database.  If it does, then it's a side effect as far as a caller
> > is concerned. 
> 
> I don't see any problem in this case, passdb is opaque to callers and
> does many things clients don't know anything about.
> 
> In any case I don't think anyone here is attached to this solution, if
> you have a better patch to make it behave like a Windows Server feel
> free to push it.

I would be happy if 2ab0b63bd89d2d833695dc33aecec7a63ccbab0c were
changed to remove these lines:

+			become_root();
+			status = pdb_update_sam_account(sampass);
+			unbecome_root();
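Review bot: pdb_update_sam_account() in these three lines makes a get path write back to the backend, which is exactly why it has to be wrapped in become_root()/unbecome_root(): the caller reading the account may not hold the privilege the write needs, and the write happens whether or not the caller wanted one. Dropping the three lines, as proposed, leaves the read side computing ACB_AUTOLOCK from the stored lockout state and moves the persisted change to the deliberate unlock-after-login path. If the write is kept instead, note that the quoted fragment assigns status but shows nothing checking it before continuing; a failed update would silently leave the stored flags and the returned flags out of step.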

We could then revert 20e7b4ec744dead1544a4b7625dc3fcb5d802418 so that
something does eventually change the DB to record that it is permanently
unlocked after a login. 

That would give the behaviour I suggest. 

What do you think?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
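The approach argued for above (compute ACB_AUTOLOCK when the account is read, and only touch the database from a deliberate unlock path) as an added example in C. This is illustration code written for this page, not Samba's passdb or any patch from the thread; the record and policy structs, field names, the ACB_AUTOLOCK value, the "duration 0 means permanent" rule and the sample timestamps are all assumptions chosen for the example.

```c
/* Added example, not Samba code: derive the lockout bit on read instead of
 * writing it back to the database from a get routine. All names, field
 * layouts and policy semantics below are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define ACB_AUTOLOCK 0x0400   /* assumed bit value for this example */

/* Constructed stand-in for the stored account record. */
struct acct_record {
    uint32_t acb_info;          /* flags as stored in the backend */
    uint16_t bad_pw_count;      /* consecutive failed logons */
    time_t   bad_pw_time;       /* time of the last failure */
};

/* Constructed stand-in for the domain lockout policy. */
struct lockout_policy {
    uint16_t threshold;         /* failures before lock; 0 disables lockout */
    time_t   duration;          /* seconds the lock lasts; 0 = until admin unlock */
};

/* One criterion, shared by the read path and the unlock path, so the
 * two can never disagree about whether the account is locked. */
static bool lockout_in_effect(const struct acct_record *a,
                              const struct lockout_policy *p, time_t now)
{
    if (p->threshold == 0 || a->bad_pw_count < p->threshold)
        return false;                   /* threshold never reached */
    if (p->duration == 0)
        return true;                    /* permanent until deliberately cleared */
    return now < a->bad_pw_time + p->duration;
}

/* Read path: the flags a caller should see. Takes a const record and
 * never modifies it, so no privilege escalation is needed here. */
uint32_t effective_acb_info(const struct acct_record *a,
                            const struct lockout_policy *p, time_t now)
{
    uint32_t acb = a->acb_info & ~(uint32_t)ACB_AUTOLOCK;
    if (lockout_in_effect(a, p, now))
        acb |= ACB_AUTOLOCK;
    return acb;
}

/* Deliberate write path (for instance after a successful logon once the
 * lock has expired): the one place that changes the stored record.
 * Returns true when the caller now has something to persist. */
bool clear_expired_lockout(struct acct_record *a,
                           const struct lockout_policy *p, time_t now)
{
    if (lockout_in_effect(a, p, now))
        return false;                   /* still locked: leave the record alone */
    if (a->bad_pw_count == 0 && !(a->acb_info & ACB_AUTOLOCK))
        return false;                   /* nothing to clear, no write needed */
    a->bad_pw_count = 0;
    a->acb_info &= ~(uint32_t)ACB_AUTOLOCK;
    return true;
}

int main(void)
{
    /* Constructed sample: 5 failures, 30 minute lockout window. */
    struct lockout_policy pol = { .threshold = 5, .duration = 30 * 60 };
    struct acct_record rec = { .acb_info = 0x0010, .bad_pw_count = 5,
                               .bad_pw_time = 1000000 };
    time_t t_locked = rec.bad_pw_time + 60;
    time_t t_expired = rec.bad_pw_time + pol.duration + 1;

    printf("during lockout: ACB_AUTOLOCK %s\n",
           (effective_acb_info(&rec, &pol, t_locked) & ACB_AUTOLOCK) ? "set" : "clear");
    printf("after expiry:   ACB_AUTOLOCK %s\n",
           (effective_acb_info(&rec, &pol, t_expired) & ACB_AUTOLOCK) ? "set" : "clear");
    printf("reads left the record alone: bad_pw_count=%u\n", rec.bad_pw_count);
    printf("deliberate clear wrote a change: %s\n",
           clear_expired_lockout(&rec, &pol, t_expired) ? "yes" : "no");
    return 0;
}
```

The point of the split is that effective_acb_info() can be called from any get routine without become_root(), because it only reads, while clear_expired_lockout() is the single place that needs privileges and a backend write, and the caller can decide when that is appropriate.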