dsdb-samldb: Only allow known and settable userAccountControl bits to be set
authorAndrew Bartlett <abartlet@samba.org>
Tue, 6 Jan 2015 03:43:37 +0000 (16:43 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 22 Jan 2015 06:50:06 +0000 (07:50 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libds/common/flags.h
source4/dsdb/samdb/ldb_modules/samldb.c

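--- a/libds/common/flags.h
+++ b/libds/common/flags.h
                UF_SERVER_TRUST_ACCOUNT \
                 )
 
+/*
+ * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are ignored by
+ * clients and servers.  Other flags (like UF_LOCKOUT have special
+ * behaviours, but are not set in the traditional sense).
+ *
+ * See the samldb module for the use of this define.
+ */
+
 #define UF_SETTABLE_BITS (\
-               UF_SCRIPT |\
                UF_ACCOUNTDISABLE |\
                UF_HOMEDIR_REQUIRED  |\
-               UF_LOCKOUT |\
                UF_PASSWD_NOTREQD |\
-               UF_PASSWD_CANT_CHANGE |\
                UF_ACCOUNT_TYPE_MASK | \
                UF_DONT_EXPIRE_PASSWD | \
                UF_MNS_LOGON_ACCOUNT |\
                UF_TRUSTED_FOR_DELEGATION |\
                UF_NOT_DELEGATED |\
                UF_USE_DES_KEY_ONLY  |\
-               UF_DONT_REQUIRE_PREAUTH \
+               UF_DONT_REQUIRE_PREAUTH |\
+               UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |\
+               UF_NO_AUTH_DATA_REQUIRED |\
+               UF_PARTIAL_SECRETS_ACCOUNT |\
+               UF_USE_AES_KEYS \
                )
 
 /* Group flags for "groupType" */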
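Review bot: UF_SMARTCARD_REQUIRED is absent from the rewritten UF_SETTABLE_BITS list, and because samldb now stores `raw_uac & UF_SETTABLE_BITS`, a modify that sets it will return success while the bit is silently discarded; if that exclusion is deliberate the comment should say so, otherwise add `UF_SMARTCARD_REQUIRED |\` alongside UF_MNS_LOGON_ACCOUNT. The new comment should also state plainly that this macro is the complete allow-list and that any defined flag left out of it is dropped rather than rejected, since that is now the security contract every caller relies on. The parenthesis in the comment is misplaced; it reads better as `Other flags (like UF_LOCKOUT) have special behaviours, but are not set in the traditional sense.` UF_PASSWD_CANT_CHANGE is removed from the list without a word here, so one line such as `UF_PASSWD_CANT_CHANGE is only generated, never stored, so it is not settable either.` would keep this header consistent with the samldb comment that explains it.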
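--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1825,12 +1825,17 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
        new_acb = samdb_result_acct_flags(tmp_msg, NULL);
        talloc_free(tmp_msg);
        /*
-        * UF_LOCKOUT and UF_PASSWORD_EXPIRED are only generated
-        * and not stored. We ignore them almost completely.
+        * UF_LOCKOUT, UF_PASSWD_CANT_CHANGE and UF_PASSWORD_EXPIRED
+        * are only generated and not stored. We ignore them almost
+        * completely, along with unknown bits and UF_SCRIPT.
         *
-        * The only exception is the resulting ACB_AUTOLOCK in clear_acb.
+        * The only exception is ACB_AUTOLOCK, which features in
+        * clear_acb when the bit is cleared in this modify operation.
+        *
+        * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are
+        * ignored by clients and servers
         */
-       new_uac = raw_uac & ~(UF_LOCKOUT|UF_PASSWORD_EXPIRED);
+       new_uac = raw_uac & UF_SETTABLE_BITS;
 
        /* Fetch the old "userAccountControl" and "objectClass" */
        ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs,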
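Review bot: The new line `new_uac = raw_uac & UF_SETTABLE_BITS;` discards every requested bit outside the allow-list without any record of having done so, so a client that sets a disallowed or unknown flag gets a successful modify and a stored value that differs from what it wrote. Matching the MS-SAMR "ignored" semantics is a reasonable choice, but the dropped bits should at least be observable to an administrator; a trace such as `DEBUG(2, ("samldb: ignoring unsettable userAccountControl bits 0x%08x\n", (unsigned)(raw_uac & ~UF_SETTABLE_BITS)));` before the assignment, guarded by a check that the masked-off value is non-zero, would make audits of unexpected flag changes possible. Note also that `new_acb` on the first line is derived from `tmp_msg` before the mask is applied, so if `tmp_msg` carries the unmasked value (not visible in this hunk) the ACB flags can reflect bits that `new_uac` no longer holds; the comment names ACB_AUTOLOCK as the intended exception, and it would help to state explicitly that the other derived ACB bits are also computed pre-mask. samldb_user_account_control_change starts before and continues past this hunk, so the checks done on `new_uac` afterwards could not be reviewed here.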