authorMathieu Deaudelin-Lemay <contrib@mdeaudelin.net>2015-11-20 11:56:11 -0500
committerJakub Hrozek <jhrozek@redhat.com>2015-11-26 16:49:24 +0100
commit5c129880ae10c80b4f79cb2994e9d127dc6dfbef (patch)
tree66a58f02c7139725d23ba9ff8d773c58f3d633f0 /src/providers/ad/ad_gpo.c
parent544a20de7667f05c1a406c4dea0706b0ab507430 (diff)
Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller.
Resolves: https://fedorahosted.org/sssd/ticket/2870 Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/ad/ad_gpo.c')
-rw-r--r--src/providers/ad/ad_gpo.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index f1e928b71..bdf2776db 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -67,6 +67,7 @@
#define AD_AT_FLAGS "flags"
#define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
+#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
#define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
#define AD_AUTHENTICATED_USERS_SID "S-1-5-11"
@@ -1841,7 +1842,11 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
}
/* we only support computer policy targets, not users */
- if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT)) {
+ if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT ||
+ uac & UAC_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Invalid userAccountControl (%x) value for machine account.",
+ uac);
ret = EINVAL;
goto done;
}
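Review bot: The two-flag test in the new condition is easier to audit as a single mask, `if (!(uac & (UAC_WORKSTATION_TRUST_ACCOUNT | UAC_SERVER_TRUST_ACCOUNT))) {`, and the comment above it does not say which account types are now accepted. Because this branch is what rejects non-machine targets with EINVAL, a comment such as `/* accept only workstation/member-server and domain-controller machine accounts */` would make the accepted set explicit for the next reader. The new DEBUG format string has no trailing `\n`, which I would add if the other messages in this file end that way (not visible in this hunk), and `0x%x` would make the logged value unambiguous. ad_gpo_target_dn_retrieval_done starts and ends outside the hunk, so the declared type of `uac` behind `%x` cannot be confirmed from here.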