modification of userAccountControl according to MS-SAMR 3.1.1.8.1.
Andrew Bartlett
abartlet at samba.org
Thu Jan 13 13:14:06 MST 2011
On Thu, 2011-01-13 at 19:46 +0200, Kamen Mazdrashki wrote:
> >
> > Is this based just on a reading of the docs, or a specific test? If
> > it's a test, can you give some more detail on what you have tested?
> >
> This is based on what we were observing while testing our internal tool.
> Account created is disabled on Samba, but not disabled on w2k3-r2.
>
> ----------------------------------------------------------------------------
> I am writing here after testing it and it proofs we have a bug in Samba.
> I've used this simple record for creating a user record:
> {'dn': 'CN=test_736,CN=Users,DC=samba,DC=devel',
> 'objectClass': 'user',
> 'userAccountControl': '66080',
> 'sAMAccountName': 'test_736'}
>
> Against w2k8-r2 after adding the record, userAccountControl = '66080'
> Against Samba4 after adding the record, userAccountControl = '66082'
>
> So I think Anatoliy's statement holds true and we have a bug.
> I will work on Samba implementation to come with a patch, if
> Matthias is ok with this?
I think part of the confusion comes from your approach in asking.
Instead of asking for abstract permission to change some aspect of
behaviour, ask instead if you can get review of a patch for a test and
fix. If we differ in behaviour against Windows, then it is a bug.
Of course that review is still important, as often the simple fix isn't
the right one, but this is best discussed in the context of a supplied
patch (both of which really shouldn't take much longer than this e-mail
exchange).
BTW, watch out for the implications on MS-SAMR, which does need to set
userAccountControl, but also needs the account still disabled when
created.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
More information about the samba-technical
mailing list