s3-samr: Fix SetUserInfo level 16 and 21 w.r.t. ACB_AUTOLOCK acct_flag.

It is not allowed to *set* this flag remotely if it has been not set already.

Found by torture test.

Guenther

diff --git a/source3/rpc_server/srv_samr_util.c b/source3/rpc_server/srv_samr_util.c
index 8f136b12165d4846f6edc7cc5b37db699eda64a2..69daa31e9c1621892928f07fd65d26fd4598e055 100644 (file)
--- a/source3/rpc_server/srv_samr_util.c
+++ b/source3/rpc_server/srv_samr_util.c
@@ -534,6 +534,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
                DEBUG(10,("%s SAMR_FIELD_ACCT_FLAGS: %08X -> %08X\n", l,
                        pdb_get_acct_ctrl(to), from->acct_flags));
                if (from->acct_flags != pdb_get_acct_ctrl(to)) {
                DEBUG(10,("%s SAMR_FIELD_ACCT_FLAGS: %08X -> %08X\n", l,
                        pdb_get_acct_ctrl(to), from->acct_flags));
                if (from->acct_flags != pdb_get_acct_ctrl(to)) {

+
+                       /* You cannot autolock an unlocked account via
+                        * setuserinfo calls, so make sure to remove the
+                        * ACB_AUTOLOCK bit here - gd */
+
+                       if ((from->acct_flags & ACB_AUTOLOCK) &&
+                           !(pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) {
+                               from->acct_flags &= ~ACB_AUTOLOCK;
+                       }
+

                        if (!(from->acct_flags & ACB_AUTOLOCK) &&
                             (pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) {
                                /* We're unlocking a previously locked user. Reset bad password counts.
                        if (!(from->acct_flags & ACB_AUTOLOCK) &&
                             (pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) {
                                /* We're unlocking a previously locked user. Reset bad password counts.