From 0f117ac76873f569216a906c03f078973341938e Mon Sep 17 00:00:00 2001
From: Mathieu Deaudelin-Lemay <contrib@mdeaudelin.net>
Date: Fri, 20 Nov 2015 11:56:11 -0500
Subject: [PATCH 17/24] Changes to allow SSSD to be used for access control
 with a machine account belonging to a domain controller.

Resolves:
    https://fedorahosted.org/sssd/ticket/2870

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 5c129880ae10c80b4f79cb2994e9d127dc6dfbef)
(cherry picked from commit afec2ab750a453c592397f6775ec091e894d89b9)
---
 src/providers/ad/ad_gpo.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 5df9587da8153d68167cb2ec7f03cd8fb1cbf83c..8b44b5aee798751f4bbd661a38cfc03be2764c21 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -67,6 +67,7 @@
 #define AD_AT_FLAGS "flags"
 
 #define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
+#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
 #define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
 #define AD_AUTHENTICATED_USERS_SID "S-1-5-11"
 
@@ -1887,7 +1888,11 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
     }
 
     /* we only support computer policy targets, not users */
-    if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT)) {
+    if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT ||
+          uac & UAC_SERVER_TRUST_ACCOUNT)) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Invalid userAccountControl (%x) value for machine account.",
+              uac);
         ret = EINVAL;
         goto done;
     }
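Review bot: The new condition `uac & UAC_WORKSTATION_TRUST_ACCOUNT || uac & UAC_SERVER_TRUST_ACCOUNT` is correct only because `&` binds tighter than `||`. Going by the commit subject, this test gates which account types are accepted as access-control policy targets, so a single mask test would be harder to misread: `if (!(uac & (UAC_WORKSTATION_TRUST_ACCOUNT | UAC_SERVER_TRUST_ACCOUNT))) {`. The comment above the test could name both accepted types, e.g. `/* only computer accounts (workstation or domain controller trust accounts) are supported as policy targets, not users */`. The added DEBUG format string has no trailing newline; check it against neighbouring DEBUG calls in case the macro does not append one. The body of ad_gpo_target_dn_retrieval_done starts and ends outside the hunk.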
-- 
2.7.4