From 77a8f652493ec999953458b16d064bb62b450b52 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Sat, 20 Oct 2012 07:58:47 +0200
Subject: [PATCH] Don't try to update userAccountControl for precreated accounts

* When auto-joining or using OTP, don't try to update userAccountControl attribute.
* This attribute is not writable by the computer account itself.

https://bugs.freedesktop.org/show_bug.cgi?id=56148
---
 library/adenroll.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/library/adenroll.c b/library/adenroll.c
index e8c6011..5c83d96 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -637,14 +637,34 @@ filter_for_necessary_updates (adcli_enroll *enroll,
 {
 LDAPMessage *entry;
 struct berval **vals;
+ adcli_login_type login;
 int match;
 int out;
 int in;
 
+ login = adcli_conn_get_login_type (enroll->conn);
+
 entry = ldap_first_entry (ldap, results);
 for (in = 0, out = 0; mods[in] != NULL; in++) {
 match = 0;
 
+ /* Never update these attributes */
+ if (strcasecmp (mods[in]->mod_type, "objectClass") == 0)
+ continue;
+ /* * If authenticating as a computer account then we don't * need to update certain attributes. The computer account * can't update many fields on itself. Obviously the account * is working since we used it to log in. We expect the * account to be preset up in this case. */
+ if (login == ADCLI_LOGIN_COMPUTER_ACCOUNT) {
+ if (strcasecmp (mods[in]->mod_type, "userAccountControl") == 0)
+ continue;
+ }
+
 /* If no entry, then no filtering */
 if (entry != NULL) {
 vals = ldap_get_values_len (ldap, entry, mods[in]->mod_type);
-- 
1.7.12.1
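Review bot: The new `userAccountControl` skip runs before the entry's current value is ever looked at, so when logging in as the computer account a pre-created account whose flags differ from what adcli would have set is accepted with no trace; the hunk's last line (`ldap_get_values_len`) suggests the value comparison follows, and placing the login-type test after that comparison — skipping only when the stored value actually differs, and emitting a diagnostic when it does — would make such drift visible to the operator instead of silently accepting it. The unconditional `objectClass` skip is not mentioned in the commit message and, being placed above the `entry != NULL` test, also applies in the "no entry, then no filtering" case; a sentence in the message or in the `/* Never update these attributes */` comment saying why (presumably because an existing entry's objectClass cannot be rewritten via modify) would save the next reader from guessing. Style-wise the two nested `if`s collapse into one: `if (login == ADCLI_LOGIN_COMPUTER_ACCOUNT && strcasecmp (mods[in]->mod_type, "userAccountControl") == 0) continue;`. In the block comment, "preset up" should read "pre-created" (matching the subject line) or "set up beforehand". filter_for_necessary_updates begins before and continues past this hunk.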