author | Mathieu Deaudelin-Lemay <contrib@mdeaudelin.net> | 2015-11-20 11:56:11 -0500 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-11-26 16:49:24 +0100 |
commit | 5c129880ae10c80b4f79cb2994e9d127dc6dfbef (patch) | |
tree | 66a58f02c7139725d23ba9ff8d773c58f3d633f0 | |
parent | 544a20de7667f05c1a406c4dea0706b0ab507430 (diff) | |
Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2870
Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r-- | src/providers/ad/ad_gpo.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index f1e928b71..bdf2776db 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -67,6 +67,7 @@
 #define AD_AT_FLAGS "flags"
 #define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
+#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
 #define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
 #define AD_AUTHENTICATED_USERS_SID "S-1-5-11"
@@ -1841,7 +1842,11 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
 }
 /* we only support computer policy targets, not users */
- if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT)) {
+ if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT ||
+ uac & UAC_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Invalid userAccountControl (%x) value for machine account.",
+ uac);
 ret = EINVAL;
 goto done;
 }
|
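Review bot: The widened account-type check in ad_gpo_target_dn_retrieval_done mixes `&` and `||` without inner parentheses, so it is correct only because `&` binds tighter than `||`; for a condition that gates access-control policy processing, testing a single mask is harder to misread or break in a later edit: `if (!(uac & (UAC_WORKSTATION_TRUST_ACCOUNT | UAC_SERVER_TRUST_ACCOUNT))) {`. The new DEBUG format string has no trailing `\n`, which may run this message into the following log entry if the logging macro does not append one; this is worth confirming against the other DEBUG calls in the file. `%x` assumes `uac` is compatible with unsigned int, and its declaration is not visible here. The function body starts and ends outside the hunk.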