From 1279d5e863d51fb03d84bfec51e9dc6a632fabd4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 6 Jan 2015 16:47:36 +1300
Subject: [PATCH] dsdb-samldb: Clarify that accounts really do fall back to
 UF_NORMAL_ACCOUNT if no account set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index f89e6814afe..c80d5595005 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1048,7 +1048,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 			user_account_control = ldb_msg_find_attr_as_uint(ac->msg,
 									 "userAccountControl",
 									 0);
-			/* "userAccountControl" = 0 or missing one of the types means "UF_NORMAL_ACCOUNT" */
+			/*
+			 * "userAccountControl" = 0 or missing one of
+			 * the types means "UF_NORMAL_ACCOUNT".  See
+			 * MS-SAMR 3.1.1.8.10 point 8
+			 */
 			if ((user_account_control & UF_ACCOUNT_TYPE_MASK) == 0) {
 				user_account_control = UF_NORMAL_ACCOUNT | user_account_control;
 				uac_generated = true;
@@ -1871,8 +1875,9 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
 	new_ufa = new_uac & UF_ACCOUNT_TYPE_MASK;
 	if (new_ufa == 0) {
 		/*
-		 * When there is no account type embedded in "userAccountControl"
-		 * fall back to UF_NORMAL_ACCOUNT.
+		 * "userAccountControl" = 0 or missing one of the
+		 * types means "UF_NORMAL_ACCOUNT".  See MS-SAMR
+		 * 3.1.1.8.10 point 8
 		 */
 		new_ufa = UF_NORMAL_ACCOUNT;
 		new_uac |= new_ufa;
-- 
2.11.4.GIT