From 0f117ac76873f569216a906c03f078973341938e Mon Sep 17 00:00:00 2001 From: Mathieu Deaudelin-Lemay <contrib@mdeaudelin.net> Date: Fri, 20 Nov 2015 11:56:11 -0500 Subject: [PATCH 17/24] Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller. Resolves: https://fedorahosted.org/sssd/ticket/2870 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 5c129880ae10c80b4f79cb2994e9d127dc6dfbef) (cherry picked from commit afec2ab750a453c592397f6775ec091e894d89b9) --- src/providers/ad/ad_gpo.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 5df9587da8153d68167cb2ec7f03cd8fb1cbf83c..8b44b5aee798751f4bbd661a38cfc03be2764c21 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -67,6 +67,7 @@ #define AD_AT_FLAGS "flags" #define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000 +#define UAC_SERVER_TRUST_ACCOUNT 0x00002000 #define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939" #define AD_AUTHENTICATED_USERS_SID "S-1-5-11" @@ -1887,7 +1888,11 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) } /* we only support computer policy targets, not users */ - if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT)) { + if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT || + uac & UAC_SERVER_TRUST_ACCOUNT)) { + DEBUG(SSSDBG_OP_FAILURE, + "Invalid userAccountControl (%x) value for machine account.", + uac); ret = EINVAL; goto done; } -- 2.7.4