samldb_user_account_control_change
Matthieu Patou
mat at samba.org
Sat May 21 05:02:49 MDT 2011
On 19/05/2011 19:50, Matthias Dieter Wallnöfer wrote:
> Hi ekacnet,
>
> regarding
> htp://git.samba.org/?p=mat/samba.git;a=commitdiff;h=3cfdedd9d6a4be8f229d0030900f808289effe29:
> please don't sort out these things since the plan is to end up in
> common LDB add and modify triggers code at some point.
>
Ok didn't know it, looked like some leftover, but it's more a start ...
> Second question: is the sam.py code still passing with your second
> change?
>
Not quite, I changed the code to just do not change the primaryGroupID
if you are a user because, in this case you can't get the flags
UF_SERVER_TRUST_ACCOUNT or UF_WORKSTATION_TRUST_ACCOUNT that determine
that you are a workstation or a (RO)DC and have an influence on your group.
In other case it's authorized as you will change group if you get the
flag UF_SERVER_TRUST_ACCOUNT.
I added a unit test as well.
I guess it's pretty good now at:
http://git.samba.org/?p=mat/samba.git;a=shortlog;h=refs/heads/miscsamdb
Any comments ?
Matthieu.
> Cheers,
> Matthias
>
> Matthieu Patou wrote:
>> Hello Mathias,
>>
>> I faced some strange behavior with net setpassword and I'm pretty
>> sure that's it's linked to samldb_user_account_control_change.
>>
>> Are you sure that this function should be called on modify ? At least
>> I'm sure that primaryGroupID should not be set.
>>
>> I made a try with a user with primaryGroupID set to 513, I locked the
>> user, when I unlock the user, Windows XP sends to a W2k8R2 DC a
>> modify on userAccountControl but this didn't imply modifying the
>> primaryGroupID.
>>
>> I have the feeling that the group calculation should be done only on
>> add not on modify.
>>
>> So I pushed 2 patches here:
>>
>> http://git.samba.org/?p=mat/samba.git;a=shortlog;h=refs/heads/miscsamdb
>>
>> Matthieu.
>>
>
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
More information about the samba-technical
mailing list