This matches the behaviour of Windows.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_be_locked_out_with_gensec_ntlmssp\(ad_dc:local\)$
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_be_locked_out_with_ldap_authentication\(ad_dc:local\)$
# The unencrypted simple bind fails because the ad_dc environment sets ‘ldap
# server require strong auth = yes’.
^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_password_after_unencrypted_simple_bind\(ad_dc:local\)$
return NT_STATUS_NO_MEMORY;
}
- if (badPwdCount >= lockoutThreshold) {
+ if (dsdb_account_is_trust(user_msg)) {
+ /* Trust accounts cannot be locked out. */
+ } else if (badPwdCount >= lockoutThreshold) {
ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "lockoutTime", now);
if (ret != LDB_SUCCESS) {
TALLOC_FREE(mod_msg);
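Review bot: The comment `/* Trust accounts cannot be locked out. */` in the new first branch does not say which accounts `dsdb_account_is_trust()` covers or why they are exempt, although the tests dropped from the knownfail list concern gMSAs rather than inter-domain trusts. I would expand it to something like `/* Trust accounts (presumably machine and gMSA accounts as well as domain trusts) are never locked out, matching Windows; lockoutTime is deliberately left unset. */`, with the scope confirmed against the helper, which is not visible here. Because lockout no longer throttles password guessing against these accounts, the comment or commit message should also record that protection rests on the strength of their passwords and on auditing of failed logons. Whether badPwdCount is still updated for them is decided outside this hunk, as the enclosing function starts and ends outside it.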