From: Andrew Bartlett
Date: Sun, 26 May 2024 23:30:29 +0000 (+1200)
Subject: provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts...
X-Git-Tag: tdb-1.4.11~398
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2854ef29b82d89fb5b5c9d8414227988783120b9;p=thirdparty%2Fsamba.git

provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default

We do this by telling the Domain Functional Level upgrade code that this is a new install.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---

diff --git a/python/samba/domain_update.py b/python/samba/domain_update.py
index e91bdf40dbb..2277cc10c18 100644
--- a/python/samba/domain_update.py
+++ b/python/samba/domain_update.py
@@ -92,15 +92,18 @@ class DomainUpdate(object):
     """Check and update a SAM database for domain updates"""
 
     def __init__(self, samdb, fix=False,
+                 new_install=False,
                  add_update_container=True):
         """
         :param samdb: LDB database
         :param fix: Apply the update if the container is missing
+        :param new_install: Apply the update as per a new install (see op 88)
         :param add_update_container: Add the container at the end of the change
         :raise DomainUpdateException:
         """
         self.samdb = samdb
         self.fix = fix
+        self.new_install = new_install
         self.add_update_container = add_update_container
         # TODO: In future we should check for inconsistencies when it claims it has been done
         self.check_update_applied = False
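Review bot: `new_install` is inserted between `fix` and `add_update_container` in the `__init__` signature, so any existing caller that passes `add_update_container` positionally (`DomainUpdate(samdb, True, False)`) now silently sets `new_install` instead and keeps the default container behaviour. The callers visible in this commit use keywords, but the new flag would be safer as keyword-only or appended last, e.g. `def __init__(self, samdb, fix=False, add_update_container=True, *, new_install=False):`. The docstring line for the parameter should also say what it changes, since it flips a security-relevant default: `:param new_install: True for a fresh provision; op 88 then sets msDS-ExpirePasswordsOnSmartCardOnlyAccounts to TRUE rather than FALSE`.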
@@ -521,19 +524,29 @@ otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:%s
     ## Operation 88: {434bb40d-dbc9-4fe7-81d4-d57229f7b080}
     ##
     ## Add "msDS-ExpirePasswordsOnSmartCardOnlyAccounts" on the domain NC object
-    ## and set default value to FALSE
+    ## and set default value to FALSE (upgrades) or TRUE (new installs)
+    ##
+    ## See
+    ## https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2016#rolling-public-key-only-users-ntlm-secrets
+    ## for justification of the observed behaviour that new installs
+    ## have this set to TRUE
     ##
     def operation_88(self, op):
         if self.update_exists(op):
             return
         self.raise_if_not_fix(op)
 
-        ldif = """
-dn: %s
+        if self.new_install:
+            expire_value = "TRUE"
+        else:
+            expire_value = "FALSE"
+
+        ldif = f"""
+dn: {self.domain_dn}
 changetype: modify
 add: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
-msDS-ExpirePasswordsOnSmartCardOnlyAccounts: FALSE
-""" % str(self.domain_dn)
+msDS-ExpirePasswordsOnSmartCardOnlyAccounts: {expire_value}
+"""
 
         self.samdb.modify_ldif(ldif)
 
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 80684c47522..dea50aa364e 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -2392,7 +2392,9 @@ def provision(logger, session_info, smbconf=None,
 
         try:
             from samba.domain_update import DomainUpdate
-            DomainUpdate(samdb, fix=True).check_updates_functional_level(
+            DomainUpdate(samdb,
+                         new_install=True,
+                         fix=True).check_updates_functional_level(
                 adprep_level,
                 DS_DOMAIN_FUNCTION_2008,
                 update_revision=True,
diff --git a/selftest/knownfail.d/smartcard_expire b/selftest/knownfail.d/smartcard_expire
deleted file mode 100644
index ac3821b94c4..00000000000
--- a/selftest/knownfail.d/smartcard_expire
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_dsdb_smartcard_expire_set
\ No newline at end of file
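Review bot: The header comment for operation 88 records the observed Windows default but not why the FALSE branch matters to an upgraded domain, which is the branch every existing Samba installation will take through `self.new_install` being False. If the linked Microsoft page describes the attribute as I read it, FALSE means the NTLM secret of smart-card-only accounts is never rolled, so upgraded domains keep those long-lived NT hashes until an administrator sets the attribute by hand; a line such as `## NOTE: FALSE (the upgrade path) leaves the NTLM secret of smart-card-only accounts unrotated; upgraded domains may want to set TRUE manually` under the `## See` block would make that trade-off visible to whoever runs the functional-level prep. As a smaller point of style, the four-line `if self.new_install:` block could be the single conditional expression `expire_value = "TRUE" if self.new_install else "FALSE"`, keeping the decision next to the LDIF template that consumes it.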
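Review bot: `new_install=True` is passed to `DomainUpdate` without any comment saying what it changes, and nothing in provision() itself reveals that this is the switch that makes operation 88 write TRUE for msDS-ExpirePasswordsOnSmartCardOnlyAccounts. A one-line comment above the call would save the next reader a trip into domain_update.py: `# fresh provision: let op 88 set msDS-ExpirePasswordsOnSmartCardOnlyAccounts to TRUE, as a new Windows 2022 install does`. The enclosing `try:` and the `provision` function both begin and end outside the hunk, so the except clause that follows the call is not visible here.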