authorAndrew Bartlett <abartlet@samba.org>2013-10-29 17:30:18 +1300
committerStefan Metzmacher <metze@samba.org>2014-04-02 17:12:46 +0200
commit6f8fb163e02579d57e731c0c09eafee5627bec62 (patch)
tree760a79f0d2718a0a5a696a1860a0ad247b07d582
parent77e4beb0e027bb49454716b86c782c98c2ed823b (diff)
dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module. Andrew Bartlett Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source3/passdb/pdb_samba_dsdb.c11
-rw-r--r--source4/auth/ntlm/auth_sam.c2
-rw-r--r--source4/auth/sam.c8
-rw-r--r--source4/dsdb/common/util.c30
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c28
5 files changed, 36 insertions, 43 deletions
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index dee20efbf84..01e747a00fc 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -272,12 +272,12 @@ static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m,
}
pdb_set_user_sid(sam, sid, PDB_SET);
- n = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ n = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
if (n == 0) {
DEBUG(10, ("Could not pull userAccountControl\n"));
goto fail;
}
- pdb_set_acct_ctrl(sam, ds_uf2acb(n), PDB_SET);
+ pdb_set_acct_ctrl(sam, n, PDB_SET);
blob = ldb_msg_find_ldb_val(msg, "unicodePwd");
if (blob) {
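Review bot: The `if (n == 0)` guard and its `Could not pull userAccountControl` message now test the ACB-converted result of samdb_result_acct_flags rather than the raw attribute, so the message no longer describes what is being checked; something like `DEBUG(10, ("Could not compute acct_flags from userAccountControl\n"));` would match the new line. Note also that with the new helper a missing msDS-User-Account-Control-Computed is reported as ACB_DISABLED rather than as zero, so this guard no longer trips on that case; that looks like the intended fail-closed behaviour, but a one-line comment here would stop a reader from assuming the zero check still covers it. The enclosing function starts outside the hunk.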
@@ -614,7 +614,8 @@ static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
"sAMAccountName", "displayName", "homeDirectory",
"homeDrive", "scriptPath", "profilePath", "description",
"userWorkstations", "comment", "userParameters", "objectSid",
- "primaryGroupID", "userAccountControl", "logonHours",
+ "primaryGroupID", "userAccountControl",
+ "msDS-User-Account-Control-Computed", "logonHours",
"badPwdCount", "logonCount", "countryCode", "codePage",
"unicodePwd", "dBCSPwd", NULL };
@@ -1936,9 +1937,7 @@ static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
}
sid_peek_rid(sid, &e->rid);
- e->acct_flags = samdb_result_acct_flags(state->ldb, tmp_ctx,
- res->msgs[i],
- ldb_get_default_basedn(state->ldb));
+ e->acct_flags = samdb_result_acct_flags(res->msgs[i], "userAccountControl");
e->account_name = ldb_msg_find_attr_as_string(
res->msgs[i], "samAccountName", NULL);
if (e->account_name == NULL) {
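Review bot: This call site passes `"userAccountControl"` as the attr argument, which the helper already reads for its base value, so the second lookup only ORs ds_uf2acb of the same value onto itself and adds nothing, while every other converted caller in this commit passes either `"msDS-User-Account-Control-Computed"` or `NULL`. If the lockout/expiry bits are wanted in search results, the line should read `e->acct_flags = samdb_result_acct_flags(res->msgs[i], "msDS-User-Account-Control-Computed");` and that attribute must also be added to the search's attrs list, which is not visible in this hunk; if they are deliberately not wanted, `NULL` as in dcesrv_samr_EnumDomainUsers says so explicitly and skips the redundant lookup. pdb_samba_dsdb_search_filter's body continues outside the hunk.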
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index c8d6e5b19f6..664908bfea7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -180,7 +180,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
struct samr_Password *lm_pwd, *nt_pwd;
NTSTATUS nt_status;
- uint16_t acct_flags = samdb_result_acct_flags(auth_context->sam_ctx, mem_ctx, msg, domain_dn);
+ uint16_t acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
/* Quit if the account was locked out. */
if (acct_flags & ACB_AUTOLOCK) {
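Review bot: `acct_flags` on the new line is declared `uint16_t` while samdb_result_acct_flags returns `uint32_t`, so any ACB bit above bit 15 is silently truncated before the checks that follow. The ACB_AUTOLOCK test here still works, but ACB_PW_EXPIRED, which this commit moves into the computed attribute and which, as far as I recall, is defined above the low 16 bits in samr.idl, would be lost to any later check in this function; widening to `uint32_t acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");` keeps the helper's full result. The narrowing predates this commit but the commit touches the line. authsam_authenticate's body continues outside the hunk.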
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 8729ec59bb4..1c3b81ad0c6 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -47,7 +47,8 @@
"dBCSPwd", \
"unicodePwd", \
\
- "userAccountControl", \
+ "userAccountControl", \
+ "msDS-User-Account-Control-Computed", \
"objectSid", \
\
"pwdLastSet", \
@@ -170,7 +171,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
- acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
+ acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
acct_expiry = samdb_result_account_expires(msg);
@@ -451,8 +452,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
0);
- info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
- msg, domain_dn);
+ info->acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
user_info_dc->user_session_key = data_blob_talloc(user_info_dc,
user_sess_key.data,
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 904ca1dcc9a..b65af66889b 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -625,28 +625,24 @@ struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_
/*
pull a set of account_flags from a result set.
- This requires that the attributes:
- pwdLastSet
- userAccountControl
- be included in 'msg'
+ Naturally, this requires that userAccountControl and
+ (if not null) the attributes 'attr' be already
+ included in msg
*/
-uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
- struct ldb_message *msg, struct ldb_dn *domain_dn)
+uint32_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
{
uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ uint32_t attr_flags = 0;
uint32_t acct_flags = ds_uf2acb(userAccountControl);
- NTTIME must_change_time;
- NTTIME now;
-
- must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
- domain_dn, msg);
-
- /* Test account expire time */
- unix_to_nt_time(&now, time(NULL));
- /* check for expired password */
- if (must_change_time < now) {
- acct_flags |= ACB_PW_EXPIRED;
+ if (attr) {
+ attr_flags = ldb_msg_find_attr_as_uint(msg, attr, UF_ACCOUNTDISABLE);
+ if (attr_flags == UF_ACCOUNTDISABLE) {
+ DEBUG(0, ("Attribute %s not found, disabling account %s!\n", attr,
+ ldb_dn_get_linearized(msg->dn)));
+ }
+ acct_flags |= ds_uf2acb(attr_flags);
}
+
return acct_flags;
}
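Review bot: The presence check in the new body uses an in-band sentinel: passing `UF_ACCOUNTDISABLE` as the default to ldb_msg_find_attr_as_uint means a stored value that happens to equal that flag is indistinguishable from a missing attribute, so the DEBUG(0) "not found, disabling account" line fires spuriously even though the resulting flags are still correct. Testing presence with `ldb_msg_find_element(msg, attr)` and only then converting makes the fail-closed intent explicit and keeps the log message truthful, as sketched below. Two smaller points: `ldb_dn_get_linearized(msg->dn)` can return NULL, and passing that to `%s` is undefined in the DEBUG format, so guarding it (or printing a placeholder) is worth a line; and the rewritten header comment reads "the attributes 'attr' be already included in msg", which is clearer as "the attribute named by 'attr' must already be present in msg".
```c
uint32_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
{
	/* … unchanged: userAccountControl lookup and ds_uf2acb base value … */

	if (attr) {
		if (ldb_msg_find_element(msg, attr) == NULL) {
			/*
			 * Fail closed: an absent computed attribute is treated as a
			 * disabled account rather than as "no extra flags".
			 */
			const char *dn_str = ldb_dn_get_linearized(msg->dn);
			DEBUG(0, ("Attribute %s not found, disabling account %s!\n", attr,
				  dn_str ? dn_str : "<unknown DN>"));
			attr_flags = UF_ACCOUNTDISABLE;
		} else {
			attr_flags = ldb_msg_find_attr_as_uint(msg, attr, 0);
		}
		acct_flags |= ds_uf2acb(attr_flags);
	}

	return acct_flags;
}
```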
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index e2f5f081b78..6877b903b22 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -60,7 +60,7 @@
#define QUERY_LHOURS(msg, field, attr) \
info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
#define QUERY_AFLAGS(msg, field, attr) \
- info->field = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, a_state->domain_state->domain_dn);
+ info->field = samdb_result_acct_flags(msg, attr);
#define QUERY_PARAMETERS(msg, field, attr) \
info->field = samdb_result_parameters(mem_ctx, msg, attr);
@@ -1309,8 +1309,7 @@ static NTSTATUS dcesrv_samr_EnumDomainUsers(struct dcesrv_call_state *dce_call,
for (i=0;i<ldb_cnt;i++) {
/* Check if a mask has been requested */
if (r->in.acct_flags
- && ((samdb_result_acct_flags(d_state->sam_ctx, mem_ctx,
- res[i], d_state->domain_dn) & r->in.acct_flags) == 0)) {
+ && ((samdb_result_acct_flags(res[i], NULL) & r->in.acct_flags) == 0)) {
continue;
}
entries[count].idx = samdb_result_rid_from_sid(mem_ctx, res[i],
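Review bot: Passing `NULL` here means the mask comparison sees only the bits derived from the static userAccountControl value, so a client that sets ACB_AUTOLOCK or ACB_PW_EXPIRED in `r->in.acct_flags` can no longer match any entry, whereas before this commit ACB_PW_EXPIRED was computed for every row. If skipping the domain lookup is the deliberate trade-off for enumeration, a one-line comment such as `/* NULL: lockout/expiry bits are intentionally not evaluated for the enumeration mask */` would stop the next reader from treating it as an oversight; the same applies to the two `samdb_result_acct_flags(res->msgs[i], NULL)` calls in the dcesrv_samr_QueryDisplayInfo hunks of this file. The enclosing loop starts outside the hunk.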
@@ -2750,6 +2749,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
"badPwdCount",
"logonCount",
"userAccountControl",
+ "msDS-User-Account-Control-Computed",
NULL};
attrs = attrs2;
break;
@@ -2781,6 +2781,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
"pwdLastSet",
"accountExpires",
"userAccountControl",
+ "msDS-User-Account-Control-Computed",
NULL};
attrs = attrs2;
break;
@@ -2853,6 +2854,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
case 16:
{
static const char * const attrs2[] = {"userAccountControl",
+ "msDS-User-Account-Control-Computed",
"pwdLastSet",
NULL};
attrs = attrs2;
@@ -2895,6 +2897,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
"objectSid",
"primaryGroupID",
"userAccountControl",
+ "msDS-User-Account-Control-Computed",
"logonHours",
"badPwdCount",
"logonCount",
@@ -2968,7 +2971,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
QUERY_LHOURS(msg, info3.logon_hours, "logonHours");
QUERY_UINT (msg, info3.bad_password_count, "badPwdCount");
QUERY_UINT (msg, info3.logon_count, "logonCount");
- QUERY_AFLAGS(msg, info3.acct_flags, "userAccountControl");
+ QUERY_AFLAGS(msg, info3.acct_flags, "msDS-User-Account-Control-Computed");
break;
case 4:
@@ -2993,7 +2996,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
QUERY_UINT (msg, info5.logon_count, "logonCount");
QUERY_UINT64(msg, info5.last_password_change, "pwdLastSet");
QUERY_UINT64(msg, info5.acct_expiry, "accountExpires");
- QUERY_AFLAGS(msg, info5.acct_flags, "userAccountControl");
+ QUERY_AFLAGS(msg, info5.acct_flags, "msDS-User-Account-Control-Computed");
break;
case 6:
@@ -3035,7 +3038,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
break;
case 16:
- QUERY_AFLAGS(msg, info16.acct_flags, "userAccountControl");
+ QUERY_AFLAGS(msg, info16.acct_flags, "msDS-User-Account-Control-Computed");
break;
case 17:
@@ -3065,7 +3068,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA
QUERY_PARAMETERS(msg, info21.parameters, "userParameters");
QUERY_RID (msg, info21.rid, "objectSid");
QUERY_UINT (msg, info21.primary_gid, "primaryGroupID");
- QUERY_AFLAGS(msg, info21.acct_flags, "userAccountControl");
+ QUERY_AFLAGS(msg, info21.acct_flags, "msDS-User-Account-Control-Computed");
info->info21.fields_present = 0x08FFFFFF;
QUERY_LHOURS(msg, info21.logon_hours, "logonHours");
QUERY_UINT (msg, info21.bad_password_count, "badPwdCount");
@@ -3725,10 +3728,7 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
entriesGeneral[count].rid =
objectsid->sub_auths[objectsid->num_auths-1];
entriesGeneral[count].acct_flags =
- samdb_result_acct_flags(d_state->sam_ctx,
- mem_ctx,
- res->msgs[i],
- d_state->domain_dn);
+ samdb_result_acct_flags(res->msgs[i], NULL);
entriesGeneral[count].account_name.string =
ldb_msg_find_attr_as_string(res->msgs[i],
"sAMAccountName", "");
@@ -3746,10 +3746,8 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
/* No idea why we need to or in ACB_NORMAL here, but this is what Win2k3 seems to do... */
entriesFull[count].acct_flags =
- samdb_result_acct_flags(d_state->sam_ctx,
- mem_ctx,
- res->msgs[i],
- d_state->domain_dn) | ACB_NORMAL;
+ samdb_result_acct_flags(res->msgs[i],
+ NULL) | ACB_NORMAL;
entriesFull[count].account_name.string =
ldb_msg_find_attr_as_string(res->msgs[i],
"sAMAccountName", "");