
dsdb-samldb: Only allow known and settable userAccountControl bits to be set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett 2015-01-06 16:43:37 +13:00
parent ad98c0e175
commit 49485ab978
2 changed files with 22 additions and 8 deletions


@ -67,13 +67,18 @@
UF_SERVER_TRUST_ACCOUNT \ UF_SERVER_TRUST_ACCOUNT \
) )
/*
* MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are ignored by
* clients and servers. Other flags (like UF_LOCKOUT have special
* behaviours, but are not set in the traditional sense).
*
* See the samldb module for the use of this define.
*/
#define UF_SETTABLE_BITS (\ #define UF_SETTABLE_BITS (\
UF_SCRIPT |\
UF_ACCOUNTDISABLE |\ UF_ACCOUNTDISABLE |\
UF_HOMEDIR_REQUIRED |\ UF_HOMEDIR_REQUIRED |\
UF_LOCKOUT |\
UF_PASSWD_NOTREQD |\ UF_PASSWD_NOTREQD |\
UF_PASSWD_CANT_CHANGE |\
UF_ACCOUNT_TYPE_MASK | \ UF_ACCOUNT_TYPE_MASK | \
UF_DONT_EXPIRE_PASSWD | \ UF_DONT_EXPIRE_PASSWD | \
UF_MNS_LOGON_ACCOUNT |\ UF_MNS_LOGON_ACCOUNT |\
@ -82,7 +87,11 @@
UF_TRUSTED_FOR_DELEGATION |\ UF_TRUSTED_FOR_DELEGATION |\
UF_NOT_DELEGATED |\ UF_NOT_DELEGATED |\
UF_USE_DES_KEY_ONLY |\ UF_USE_DES_KEY_ONLY |\
UF_DONT_REQUIRE_PREAUTH \ UF_DONT_REQUIRE_PREAUTH |\
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |\
UF_NO_AUTH_DATA_REQUIRED |\
UF_PARTIAL_SECRETS_ACCOUNT |\
UF_USE_AES_KEYS \
) )
/* Group flags for "groupType" */ /* Group flags for "groupType" */
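Review bot: The new comment above UF_SETTABLE_BITS says which bits are ignored but not that the mask is only a storage filter, and with UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, UF_PARTIAL_SECRETS_ACCOUNT and UF_TRUSTED_FOR_DELEGATION now listed, a reader may take "settable" to mean settable by any caller. I would add a line to that comment: `* Inclusion here only means the bit is stored when written; which callers may set a security-sensitive bit is not decided by this mask.` The parenthetical in the comment also reads oddly and would be clearer as `* clients and servers. Other flags (like UF_LOCKOUT) have special` followed by `* behaviours, but are not set in the traditional sense.`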


@ -1825,12 +1825,17 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
new_acb = samdb_result_acct_flags(tmp_msg, NULL); new_acb = samdb_result_acct_flags(tmp_msg, NULL);
talloc_free(tmp_msg); talloc_free(tmp_msg);
/* /*
* UF_LOCKOUT and UF_PASSWORD_EXPIRED are only generated * UF_LOCKOUT, UF_PASSWD_CANT_CHANGE and UF_PASSWORD_EXPIRED
* and not stored. We ignore them almost completely. * are only generated and not stored. We ignore them almost
* completely, along with unknown bits and UF_SCRIPT.
* *
* The only exception is the resulting ACB_AUTOLOCK in clear_acb. * The only exception is ACB_AUTOLOCK, which features in
* clear_acb when the bit is cleared in this modify operation.
*
* MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are
* ignored by clients and servers
*/ */
new_uac = raw_uac & ~(UF_LOCKOUT|UF_PASSWORD_EXPIRED); new_uac = raw_uac & UF_SETTABLE_BITS;
/* Fetch the old "userAccountControl" and "objectClass" */ /* Fetch the old "userAccountControl" and "objectClass" */
ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs,
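Review bot: `new_uac = raw_uac & UF_SETTABLE_BITS;` silently discards any unknown or non-storable bit a client sends, so a modify carrying an unsupported bit succeeds with no trace that part of the request was dropped. A debug-level message when the mask changes the value would let operators notice clients relying on bits this server ignores, e.g. `if (raw_uac != new_uac) { DEBUG(5, ("samldb: ignoring userAccountControl bits 0x%08x\n", (unsigned)(raw_uac & ~UF_SETTABLE_BITS))); }` (assuming raw_uac is a 32-bit unsigned value). The comment now depends on UF_PASSWORD_EXPIRED being absent from UF_SETTABLE_BITS, which is defined in the other file of this commit; a pointer such as `* (see UF_SETTABLE_BITS for the exact set that is stored)` would make that coupling visible. samldb_user_account_control_change starts and ends outside the hunk.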