modification of userAccountControl according to MS-SAMR 3.1.1.8.1.

Kamen Mazdrashki kamenim at samba.org
Thu Jan 13 16:56:49 MST 2011


Ah Matthias, sorry. I wasn't quite correct (I am clearly not thinking
very well these days. Perhaps I've lost my mind in 2010).

We are passing 66080, which is 0x10220.
So, we have UF_PASSWD_NOTREQD already set.

I think what is wrong with the code you've posted is that we are
checking the _current_ value of userAccountControl,
while the docs state that we should check the _previous_ value of
userAccountControl.
When we are adding a new record, we have no previous state, so I think
we should assume prev-userAccountControl = 0.

I've never read the MS-SAMR document (shame on me), so I wanted to
read it first, rather than proposing a patch for something I don't understand.

-- 
CU,
Kamen Mazdrashki
Samba Team                                            http://samba.org
http://gitweb.samba.org/?p=kamenim/samba.git;a=summary


On Fri, Jan 14, 2011 at 01:01, Kamen Mazdrashki <kamenim at samba.org> wrote:
> On Thu, Jan 13, 2011 at 22:25, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
>> Well, the related code part located in samldb.c line 920 is as follows:
>>>
>>>                        /* Step 1.5: Add additional flags when needed */
>>>                        if ((user_account_control & UF_NORMAL_ACCOUNT) &&
>>>                            (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
>>>                                user_account_control |= UF_ACCOUNTDISABLE;
>>>                                user_account_control |= UF_PASSWD_NOTREQD;
>>>
>>>                                ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
>>>                                                         "userAccountControl",
>>>                                                         user_account_control);
>>>                                if (ret != LDB_SUCCESS) {
>>>                                        return ret;
>>>                                }
>>>                        }
>>
> Yep, this is the code that introduces this behavior.
>
>> Okay, both of you, Anatoliy and Kamen, speak about the UF_ACCOUNTDISABLE flag.
>> Now the next interesting question: and the UF_PASSWD_NOTREQD flag? Is this
>> also not added if "userAccountControl" is specified on add operations?
>>
> yes.
> As I stated earlier, we pass "66080" and this is exactly the value after Add op
> has passed. Neither UF_ACCOUNTDISABLE nor UF_PASSWD_NOTREQD is
> specified during ldap-add.
>
> As Andrew suggested, I will try to come back with a patch.
> And I will be happy to discuss it with you.
>
> --
> CU,
> Kamen Mazdrashki
> Samba Team                                            http://samba.org
> http://gitweb.samba.org/?p=kamenim/samba.git;a=summary
>
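
Added example, not part of the original messages and not Samba code: a small C model of the two readings discussed in this thread, applied to the value 66080 (0x10220). The names `uac_describe`, `uac_apply` and the `relax` parameter are hypothetical, and the "previous value" reading is only the assumption stated in the thread, modelled here for the add case (previous = 0).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* userAccountControl bits relevant to this thread */
#define UF_ACCOUNTDISABLE     0x00000002u
#define UF_PASSWD_NOTREQD     0x00000020u
#define UF_NORMAL_ACCOUNT     0x00000200u
#define UF_DONT_EXPIRE_PASSWD 0x00010000u

static const struct { uint32_t bit; const char *name; } uac_names[] = {
	{ UF_ACCOUNTDISABLE, "UF_ACCOUNTDISABLE" },
	{ UF_PASSWD_NOTREQD, "UF_PASSWD_NOTREQD" },
	{ UF_NORMAL_ACCOUNT, "UF_NORMAL_ACCOUNT" },
	{ UF_DONT_EXPIRE_PASSWD, "UF_DONT_EXPIRE_PASSWD" },
};
/* Write the names of the known bits set in v into buf; return how many were set. */
int uac_describe(uint32_t v, char *buf, size_t len)
{
	size_t off = 0;
	int count = 0;
	if (len > 0) buf[0] = '\0';
	for (size_t i = 0; i < sizeof(uac_names) / sizeof(uac_names[0]); i++) {
		if (!(v & uac_names[i].bit)) continue;
		int w = snprintf(buf + off, len - off, "%s%s", count ? "|" : "", uac_names[i].name);
		if (w < 0 || (size_t)w >= len - off) break; /* stop on truncation */
		off += (size_t)w;
		count++;
	}
	return count;
}

/* Hypothetical helper. `tested` is the value being written (the quoted samldb.c
 * check) or the previous value (0 on add); relax models LDB_CONTROL_RELAX_OID. */
uint32_t uac_apply(uint32_t tested, uint32_t requested, bool relax)
{
	if ((tested & UF_NORMAL_ACCOUNT) && !relax)
		requested |= UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD;
	return requested;
}

int main(void)
{
	uint32_t req = 66080; /* 0x10220, the value passed in the thread */
	char buf[128];
	uac_describe(req, buf, sizeof(buf));
	printf("requested 0x%05x = %s\n", (unsigned)req, buf);
	printf("test current: 0x%05x, test previous (0): 0x%05x\n",
	       (unsigned)uac_apply(req, req, false), (unsigned)uac_apply(0, req, false));
}
```

Testing the value being written turns 0x10220 into 0x10222 (the account ends up disabled), while testing a previous value of 0 leaves it at 66080, the result reported in the thread.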

