authorAndrew Bartlett <abartlet@samba.org>2013-10-30 10:50:19 +1300
committerStefan Metzmacher <metze@samba.org>2014-04-02 17:12:47 +0200
commit997e120f664facfb48548b765a44063b31b96880 (patch)
tree80400197b31bdf5e64c33e23a38eb94221f83092 /source4
parent10cbd5e43092b8bd1ee8d55879a1c37b27f3fbc4 (diff)
downloadsamba-997e120f664facfb48548b765a44063b31b96880.tar.gz
kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/kdc/db-glue.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 90d8fa9a36b..e64fae95652 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -546,6 +546,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
uint32_t userAccountControl;
+ uint32_t msDS_User_Account_Control_Computed;
unsigned int i;
krb5_error_code ret = 0;
krb5_boolean is_computer = FALSE;
@@ -604,6 +605,25 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ msDS_User_Account_Control_Computed
+ = ldb_msg_find_attr_as_uint(msg,
+ "msDS-User-Account-Control-Computed",
+ UF_ACCOUNTDISABLE);
+
+ /*
+ * This brings in the lockout flag, block the account if not
+ * found. We need the weird UF_ACCOUNTDISABLE check because
+ * we do not want to fail open if the value is not returned,
+ * but 0 is a valid value (all OK)
+ */
+ if (msDS_User_Account_Control_Computed == UF_ACCOUNTDISABLE) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "samba_kdc_message2entry: "
+ "no msDS-User-Account-Control-Computed present");
+ goto out;
+ } else {
+ userAccountControl |= msDS_User_Account_Control_Computed;
+ }
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {