authorAndrew Bartlett <abartlet@samba.org>2015-01-06 16:43:37 +1300
committerAndrew Bartlett <abartlet@samba.org>2015-01-22 07:50:06 +0100
commit49485ab9782b7abc32581f29c35d862bb9a7058c (patch)
treec6442b2304d98bd9ea59242479584fbc6173a231 /libds
parentad98c0e1755e3fdc6efd8551590c1781b318a04f (diff)
dsdb-samldb: Only allow known and settable userAccountControl bits to be set
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'libds')
-rw-r--r--libds/common/flags.h17
1 files changed, 13 insertions, 4 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 96709af118e..f821e1738a1 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -67,13 +67,18 @@
UF_SERVER_TRUST_ACCOUNT \
)
+/*
+ * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are ignored by
+ * clients and servers. Other flags (like UF_LOCKOUT have special
+ * behaviours, but are not set in the traditional sense).
+ *
+ * See the samldb module for the use of this define.
+ */
+
#define UF_SETTABLE_BITS (\
- UF_SCRIPT |\
UF_ACCOUNTDISABLE |\
UF_HOMEDIR_REQUIRED |\
- UF_LOCKOUT |\
UF_PASSWD_NOTREQD |\
- UF_PASSWD_CANT_CHANGE |\
UF_ACCOUNT_TYPE_MASK | \
UF_DONT_EXPIRE_PASSWD | \
UF_MNS_LOGON_ACCOUNT |\
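Review bot: The comment added above `UF_SETTABLE_BITS` leaves a parenthesis open at `(like UF_LOCKOUT have special` and never says that the macro is the allow-list of bits a client may request. As written, a reader has to guess why `UF_SCRIPT`, `UF_LOCKOUT` and `UF_PASSWD_CANT_CHANGE` are dropped from it. I would close the parenthesis and add a sentence such as `* Bits outside this mask (e.g. UF_SCRIPT, UF_LOCKOUT, UF_PASSWD_CANT_CHANGE) must not be accepted from a client-supplied userAccountControl value.` How the samldb module treats a request carrying such a bit is not visible in this file, so the comment should either state it or name the function that enforces the mask. The macro body continues into the next hunk.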
@@ -82,7 +87,11 @@
UF_TRUSTED_FOR_DELEGATION |\
UF_NOT_DELEGATED |\
UF_USE_DES_KEY_ONLY |\
- UF_DONT_REQUIRE_PREAUTH \
+ UF_DONT_REQUIRE_PREAUTH |\
+ UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |\
+ UF_NO_AUTH_DATA_REQUIRED |\
+ UF_PARTIAL_SECRETS_ACCOUNT |\
+ UF_USE_AES_KEYS \
)
/* Group flags for "groupType" */
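Review bot: The bits appended at the end of `UF_SETTABLE_BITS` include `UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` and `UF_PARTIAL_SECRETS_ACCOUNT`, which change what an account is trusted to do, yet nothing here sets them apart from purely administrative bits such as `UF_HOMEDIR_REQUIRED`. A maintainer could read membership in this mask as meaning that any principal able to write userAccountControl may set them. Whether samldb applies a separate privilege check per bit is not visible in this diff. I would add a line to the macro's comment, e.g. `* Being listed here only means the bit can be stored; privileged bits still need their own access check by the caller.` The macro starts in the previous hunk.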