Bug 7072 - [PATCH] Accounts can't be unlocked from ldap
[PATCH] Accounts can't be unlocked from ldap
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: User & Group Accounts
3.4.3
x64 Linux
: P3 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-01-27 17:59 UTC by Andy Hanton
Modified: 2010-02-04 03:12 UTC (History)
0 users

See Also:


Attachments
Fix improperly initialized field (538 bytes, patch)
2010-01-27 18:03 UTC, Andy Hanton
no flags Details
Fix for master. (2.32 KB, patch)
2010-01-27 18:24 UTC, Jeremy Allison
no flags Details
Second part of fix for bug #7072 - Accounts can't be unlocked from ldap. (534 bytes, patch)
2010-01-27 18:58 UTC, Jeremy Allison
no flags Details
git-am format patch for 3.5.0. (3.18 KB, patch)
2010-01-27 18:58 UTC, Jeremy Allison
jra: review? (gd)
vl: review+
metze: review+
Details
git-am format patch for 3.4.6. (3.18 KB, patch)
2010-01-27 19:15 UTC, Jeremy Allison
jra: review? (gd)
metze: review+
Details
git-am format patch for 3.3.11. (3.17 KB, patch)
2010-01-27 19:17 UTC, Jeremy Allison
jra: review? (gd)
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Hanton 2010-01-27 17:59:20 UTC
On my domain controller, samba does not notice changes to sambaAcctFlags, sambaBadPasswordCount, or sambaBadPasswordTime for users who are locked out.  It always uses the values from the login cache even if the ldap entry has been changed more recently.  

I believe that there is a bug in the login cache code.  time_t is a 64 bit type on x64, but the code in login_cache.c loads a 32 bit value into the cache entry timestamp without clearing the higher bits.  The garbage in the high bits of the cache timestamp ensure that it will usually be larger than the ldap timestamp.
Comment 1 Andy Hanton 2010-01-27 18:03:25 UTC
Created attachment 5229 [details]
Fix improperly initialized field
Comment 2 Jeremy Allison 2010-01-27 18:12:39 UTC
Perfect catch. The entry->bad_password_time also needs fixing.
Jeremy.
Comment 3 Jeremy Allison 2010-01-27 18:24:29 UTC
Created attachment 5230 [details]
Fix for master.

This is the correct fix I think. Deals with both time_t specified fields in the LOGIN_CACHE struct. Can you test and confirm please ?
Jeremy.
Comment 4 Jeremy Allison 2010-01-27 18:58:01 UTC
Created attachment 5231 [details]
Second part of fix for bug #7072 - Accounts can't be unlocked from ldap.
Comment 5 Jeremy Allison 2010-01-27 18:58:55 UTC
Created attachment 5232 [details]
git-am format patch for 3.5.0.

I think this might be neccessary for 3.5.0 final. Guenter, what do you think ?

Jeremy.
Comment 6 Jeremy Allison 2010-01-27 19:13:37 UTC
Comment on attachment 5232 [details]
git-am format patch for 3.5.0.

I think this might need to go into 3.5.0 final. Thoughts ?
Comment 7 Jeremy Allison 2010-01-27 19:15:20 UTC
Created attachment 5233 [details]
git-am format patch for 3.4.6.
Comment 8 Jeremy Allison 2010-01-27 19:17:53 UTC
Created attachment 5234 [details]
git-am format patch for 3.3.11.
Comment 9 Stefan Metzmacher 2010-01-28 01:27:08 UTC
Comment on attachment 5232 [details]
git-am format patch for 3.5.0.

looks good
Comment 10 Stefan Metzmacher 2010-01-28 01:39:08 UTC
Comment on attachment 5233 [details]
git-am format patch for 3.4.6.

looks good
Comment 11 Stefan Metzmacher 2010-01-28 01:39:45 UTC
Comment on attachment 5234 [details]
git-am format patch for 3.3.11.

looks good
Comment 12 Volker Lendecke 2010-01-28 01:46:52 UTC
Comment on attachment 5232 [details]
git-am format patch for 3.5.0.

Looks good
Comment 13 Jeremy Allison 2010-01-28 10:16:52 UTC
Re-assigning to Karolin for push to all branches. Karolin I think this one needs to be in 3.5.0 final.
Jeremy.
Comment 14 Andy Hanton 2010-01-29 12:03:10 UTC
The new patch works fine for me.  Thanks for the quick response. 
Comment 15 Karolin Seeger 2010-02-04 03:12:58 UTC
Pushed to all branches. 
Closing out bug report.

Thanks!