From: Tim Beale Date: Tue, 8 May 2018 03:11:30 +0000 (+1200) Subject: dsdb: PSO support for msDS-User-Account-Control-Computed X-Git-Tag: ldb-1.4.0~86 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5246d480b1e3aba4921b27293f2573bbee380570;p=thirdparty%2Fsamba.git dsdb: PSO support for msDS-User-Account-Control-Computed msDS-User-Account-Control-Computed uses the effective-lockoutDuration to determine if a user is locked out or not. If a PSO applies to the user, then the effective-lockoutDuration is the PSO's msDS-LockoutDuration setting. Otherwise it is the domain default lockoutDuration value. Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam --- diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 0e8eb87501f..e72ebb9415d 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -97,6 +97,11 @@ enum search_type { ACCOUNT_GROUPS }; +static int get_pso_for_user(struct ldb_module *module, + struct ldb_message *user_msg, + struct ldb_request *parent, + struct ldb_message **pso_msg); + /* construct a canonical name from a message */ @@ -769,6 +774,36 @@ static NTTIME get_msds_user_password_expiry_time_computed(struct ldb_module *mod return ret; } +/* + * Returns the Effective-LockoutDuration for a user + */ +static int64_t get_user_lockout_duration(struct ldb_module *module, + struct ldb_message *user_msg, + struct ldb_request *parent, + struct ldb_dn *nc_root) +{ + int ret; + struct ldb_message *pso = NULL; + struct ldb_context *ldb = ldb_module_get_ctx(module); + + /* if a PSO applies to the user, use its lockoutDuration */ + ret = get_pso_for_user(module, user_msg, parent, &pso); + if (ret != LDB_SUCCESS) { + + /* log the error, but fallback to the domain default */ + DBG_ERR("Error retrieving PSO for %s\n", + ldb_dn_get_linearized(user_msg->dn)); + } + + if (pso != NULL) { + return ldb_msg_find_attr_as_int64(pso, + "msDS-LockoutDuration", 0); + } + + /* otherwise return the default domain value */ + return samdb_search_int64(ldb, user_msg, 0, nc_root, "lockoutDuration", + NULL); +} /* construct msDS-User-Account-Control-Computed attr @@ -806,9 +841,13 @@ static int construct_msds_user_account_control_computed(struct ldb_module *modul int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0); if (lockoutTime != 0) { - int64_t lockoutDuration = samdb_search_int64(ldb, - msg, 0, nc_root, - "lockoutDuration", NULL); + int64_t lockoutDuration; + + lockoutDuration = get_user_lockout_duration(module, msg, + parent, + nc_root); + + /* zero locks out until the administrator intervenes */ if (lockoutDuration >= 0) { msDS_User_Account_Control_Computed |= UF_LOCKOUT; } else if (lockoutTime - lockoutDuration >= now) { @@ -953,6 +992,7 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx, const char *attrs[] = { "msDS-PasswordSettingsPrecedence", "objectGUID", + "msDS-LockoutDuration", NULL }; @@ -1164,6 +1204,21 @@ struct op_attributes_replace { int (*constructor)(struct ldb_module *, struct ldb_message *, enum ldb_scope, struct ldb_request *); }; +/* the 'extra_attrs' required for msDS-ResultantPSO */ +#define RESULTANT_PSO_COMPUTED_ATTRS \ + "msDS-PSOApplied", \ + "userAccountControl", \ + "objectSid", \ + "msDS-SecondaryKrbTgtNumber", \ + "primaryGroupID" + +/* + * any other constructed attributes that want to work out the PSO also need to + * include objectClass (this gets included via 'replace' for msDS-ResultantPSO) + */ +#define PSO_ATTR_DEPENDENCIES \ + RESULTANT_PSO_COMPUTED_ATTRS, \ + "objectClass" static const char *objectSid_attr[] = { @@ -1183,6 +1238,7 @@ static const char *user_account_control_computed_attrs[] = { "lockoutTime", "pwdLastSet", + PSO_ATTR_DEPENDENCIES, NULL }; @@ -1195,11 +1251,7 @@ static const char *user_password_expiry_time_computed_attrs[] = static const char *resultant_pso_computed_attrs[] = { - "msDS-PSOApplied", - "userAccountControl", - "objectSid", - "msDS-SecondaryKrbTgtNumber", - "primaryGroupID", + RESULTANT_PSO_COMPUTED_ATTRS, NULL };