From 0f117ac76873f569216a906c03f078973341938e Mon Sep 17 00:00:00 2001
From: Mathieu Deaudelin-Lemay <contrib@mdeaudelin.net>
Date: Fri, 20 Nov 2015 11:56:11 -0500
Subject: [PATCH 17/24] Changes to allow SSSD to be used for access control
with a machine account belonging to a domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2870
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 5c129880ae10c80b4f79cb2994e9d127dc6dfbef)
(cherry picked from commit afec2ab750a453c592397f6775ec091e894d89b9)
---
src/providers/ad/ad_gpo.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 5df9587da8153d68167cb2ec7f03cd8fb1cbf83c..8b44b5aee798751f4bbd661a38cfc03be2764c21 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -67,6 +67,7 @@
#define AD_AT_FLAGS "flags"
#define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
+#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
#define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
#define AD_AUTHENTICATED_USERS_SID "S-1-5-11"
@@ -1887,7 +1888,11 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
}
/* we only support computer policy targets, not users */
- if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT)) {
+ if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT ||
+ uac & UAC_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Invalid userAccountControl (%x) value for machine account.",
+ uac);
ret = EINVAL;
goto done;
}
--
2.7.4