From 49485ab9782b7abc32581f29c35d862bb9a7058c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 6 Jan 2015 16:43:37 +1300
Subject: [PATCH] dsdb-samldb: Only allow known and settable userAccountControl bits to be set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett
Signed-off-by: Garming Sam
Pair-programmed-with: Garming Sam
Reviewed-by: Stefan Metzmacher
---
 libds/common/flags.h | 17 +++++++++++++----
 source4/dsdb/samdb/ldb_modules/samldb.c | 13 +++++++++----
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/libds/common/flags.h b/libds/common/flags.h
index 96709af118e..f821e1738a1 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -67,13 +67,18 @@
 			UF_SERVER_TRUST_ACCOUNT \
 		)
 
+/*
+ * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are ignored by
+ * clients and servers. Other flags (like UF_LOCKOUT have special
+ * behaviours, but are not set in the traditional sense).
+ *
+ * See the samldb module for the use of this define.
+ */
+
 #define UF_SETTABLE_BITS (\
-		UF_SCRIPT |\
 		UF_ACCOUNTDISABLE |\
 		UF_HOMEDIR_REQUIRED |\
-		UF_LOCKOUT |\
 		UF_PASSWD_NOTREQD |\
-		UF_PASSWD_CANT_CHANGE |\
 		UF_ACCOUNT_TYPE_MASK | \
 		UF_DONT_EXPIRE_PASSWD | \
 		UF_MNS_LOGON_ACCOUNT |\
@@ -82,7 +87,11 @@
 		UF_TRUSTED_FOR_DELEGATION |\
 		UF_NOT_DELEGATED |\
 		UF_USE_DES_KEY_ONLY |\
-		UF_DONT_REQUIRE_PREAUTH \
+		UF_DONT_REQUIRE_PREAUTH |\
+		UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |\
+		UF_NO_AUTH_DATA_REQUIRED |\
+		UF_PARTIAL_SECRETS_ACCOUNT |\
+		UF_USE_AES_KEYS \
 	)
 
 /* Group flags for "groupType" */
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 8c93c6d58b4..f89e6814afe 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
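Review bot: The new comment above UF_SETTABLE_BITS has an unbalanced parenthesis in `(like UF_LOCKOUT have special behaviours, but are not set in the traditional sense)`, and it does not say what the mask is not: it decides which bits are stored, not who may set them, yet the second hunk adds security-sensitive bits such as UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION and UF_PARTIAL_SECRETS_ACCOUNT to it. Suggested wording: ` * Other flags (like UF_LOCKOUT) have special behaviours but are not set in the traditional sense. Membership here only means the bit is stored as given; whether a caller may set it is decided elsewhere.` Naming the bits deliberately left out (UF_SCRIPT, UF_LOCKOUT, UF_PASSWD_CANT_CHANGE, UF_PASSWORD_EXPIRED) would keep a later edit from adding them back. The comment implies samldb is the only user of the define; if another caller exists it silently stops accepting the three removed bits.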
@@ -1825,12 +1825,17 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
 	new_acb = samdb_result_acct_flags(tmp_msg, NULL);
 	talloc_free(tmp_msg);
 	/*
-	 * UF_LOCKOUT and UF_PASSWORD_EXPIRED are only generated
-	 * and not stored. We ignore them almost completely.
+	 * UF_LOCKOUT, UF_PASSWD_CANT_CHANGE and UF_PASSWORD_EXPIRED
+	 * are only generated and not stored. We ignore them almost
+	 * completely, along with unknown bits and UF_SCRIPT.
 	 *
-	 * The only exception is the resulting ACB_AUTOLOCK in clear_acb.
+	 * The only exception is ACB_AUTOLOCK, which features in
+	 * clear_acb when the bit is cleared in this modify operation.
+	 *
+	 * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are
+	 * ignored by clients and servers
 	 */
-	new_uac = raw_uac & ~(UF_LOCKOUT|UF_PASSWORD_EXPIRED);
+	new_uac = raw_uac & UF_SETTABLE_BITS;
 
 	/* Fetch the old "userAccountControl" and "objectClass" */
 	ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs,
-- 
2.11.4.GIT
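Review bot: `new_uac = raw_uac & UF_SETTABLE_BITS;` silently discards unknown and non-settable bits, so a modify that asks for UF_PASSWD_CANT_CHANGE or an undefined bit succeeds with a different stored value and leaves no trace; a debug-level log line when `raw_uac & ~UF_SETTABLE_BITS` is non-zero would give operators and tests visibility into such requests. The comment's claim that a cleared lockout still reaches clear_acb rests on new_acb being taken from the unmasked message a few lines up, which matches `new_acb = samdb_result_acct_flags(tmp_msg, NULL)`, but the clear_acb computation and the rest of samldb_user_account_control_change are outside the hunk. The last added comment line lacks its full stop: ` * ignored by clients and servers.` If the add path derives userAccountControl separately, it presumably needs the same mask; that is not visible here.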