UF_SERVER_TRUST_ACCOUNT \
)
+/*
+ * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are ignored by
+ * clients and servers. Other flags (like UF_LOCKOUT have special
+ * behaviours, but are not set in the traditional sense).
+ *
+ * See the samldb module for the use of this define.
+ */
+
#define UF_SETTABLE_BITS (\
- UF_SCRIPT |\
UF_ACCOUNTDISABLE |\
UF_HOMEDIR_REQUIRED |\
- UF_LOCKOUT |\
UF_PASSWD_NOTREQD |\
- UF_PASSWD_CANT_CHANGE |\
UF_ACCOUNT_TYPE_MASK | \
UF_DONT_EXPIRE_PASSWD | \
UF_MNS_LOGON_ACCOUNT |\
UF_TRUSTED_FOR_DELEGATION |\
UF_NOT_DELEGATED |\
UF_USE_DES_KEY_ONLY |\
- UF_DONT_REQUIRE_PREAUTH \
+ UF_DONT_REQUIRE_PREAUTH |\
+ UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |\
+ UF_NO_AUTH_DATA_REQUIRED |\
+ UF_PARTIAL_SECRETS_ACCOUNT |\
+ UF_USE_AES_KEYS \
)
/* Group flags for "groupType" */
new_acb = samdb_result_acct_flags(tmp_msg, NULL);
talloc_free(tmp_msg);
/*
- * UF_LOCKOUT and UF_PASSWORD_EXPIRED are only generated
- * and not stored. We ignore them almost completely.
+ * UF_LOCKOUT, UF_PASSWD_CANT_CHANGE and UF_PASSWORD_EXPIRED
+ * are only generated and not stored. We ignore them almost
+ * completely, along with unknown bits and UF_SCRIPT.
*
- * The only exception is the resulting ACB_AUTOLOCK in clear_acb.
+ * The only exception is ACB_AUTOLOCK, which features in
+ * clear_acb when the bit is cleared in this modify operation.
+ *
+ * MS-SAMR 2.2.1.13 UF_FLAG Codes states that some bits are
+ * ignored by clients and servers
*/
- new_uac = raw_uac & ~(UF_LOCKOUT|UF_PASSWORD_EXPIRED);
+ new_uac = raw_uac & UF_SETTABLE_BITS;
/* Fetch the old "userAccountControl" and "objectClass" */
ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs,