John Dickinson wrote:
>
> On 30 Oct 2008, at 16:00, Rich Megginson <rmeggins at redhat.com> wrote:
>
>> John Dickinson wrote:
>>> Hi,
>>>
>>> I am testing what happens when you create a new user and sync it to
>>> AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.
>>>
>>> If I use the console to create a new user and tick the Enable NT User
>>> Attributes, Create New NT Account etc., the new user appears in AD but
>>> is disabled.
>>>
>>> Looking at the code it seems that send_accountcontrol_modify() gets
>>> the userAccountControl settings from AD, adds 0x0200 (Normal Account)
>>> and sends it back.
>>>
>>> Looking at the traffic between Fedora DS and AD it appears that Fedora
>>> DS is getting ACCOUNTDISABLE in userAccountControl from AD.
>>>
>>> Should Fedora DS be unsetting ACCOUNTDISABLE or should AD not be
>>> setting it in the first place? If it is a problem with AD then can
>>> anyone point me to where I tell it to do the right thing?
>> Does AD have some sort of setting that tells it to disable new
>> accounts?
>
> Not that I know about. But I am no Windows expert.
>
>> What happens if you create new accounts directly in AD?
>
> When you create a new user in Windows there is a tick box to disable
> the account, but it is not ticked by default and the user is created in
> an enabled state.
>
> I see the following when:
> - Both Windows and Fedora DS are set to enforce no password complexity
>   constraints
> - Windows sync agreement and password sync are working
> - When creating a user in AD only one option is selected by default:
>   user must change password at next login.
> - The following options are not ticked by default:
>   -- User cannot change password
>   -- Password never expires
>   -- Account is disabled
>
> create user in AD: userAccountControl: 512 (Normal)
> create user in Fedora DS (console): userAccountControl: 546 (Normal +
> PASSWD_NOTREQ + ACCOUNTDISABLE)
>
> Would there be anything wrong with Fedora DS just forcing
> userAccountControl = 512? Or are more options needed in the user
> creation dialog?

I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way it
works now is this:

add new AD entry over LDAP - no userAccountControl attribute is present,
so it must use some sort of AD default value
read the new AD entry - get the userAccountControl value
set AD entry userAccountControl |= 0x200  # 512 == normal account

So you might try a simple test - add a new AD entry over LDAP outside of
Windows sync - see what the default userAccountControl value is - I'm
guessing that adding a new AD entry without specifying
userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE

> John
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
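Editor's added example (not code from Fedora DS, 389 DS or either poster): a small Python script that decodes the userAccountControl values quoted in the thread and models the three update strategies under discussion. `sync_1_1_3` is the `|= 0x200` behaviour Rich describes, which on a value of 546 changes nothing because NORMAL_ACCOUNT is already set and ACCOUNTDISABLE is never cleared; `sync_force_512` is John's "just force 512" idea; `sync_targeted` is this example's own suggestion, which clears only ACCOUNTDISABLE and PASSWD_NOTREQD so that other flags an AD admin may have set survive. The flag constants are the documented userAccountControl bits; the DN, the LDIF helper and the `audit` checks are illustrative assumptions. The audit also flags PASSWD_NOTREQD, because an account carrying it is exempt from the domain password policy and may have an empty password, which is a worse outcome than a disabled account if a sync step merely ORs bits in.

```python
"""Decode AD userAccountControl bits and model the sync update strategies.

Added example (editor's code, not Fedora DS / 389 DS code). Flag names and
values are the documented userAccountControl bits; everything else is an
illustrative assumption.
"""

# Documented userAccountControl flag bits (the common subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit
    first; any bit this table does not know is reported as hex."""
    names = [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def sync_1_1_3(ad_value):
    """What the thread says Fedora DS 1.1.3 does: OR in NORMAL_ACCOUNT and
    write the result back. ACCOUNTDISABLE is never cleared."""
    return ad_value | NORMAL_ACCOUNT


def sync_force_512(ad_value):
    """John's suggestion: replace the whole value with 512. Fixes the
    reported case but discards any other flag already set on the entry."""
    return NORMAL_ACCOUNT


def sync_targeted(ad_value):
    """Editor's suggestion (not from the thread): set NORMAL_ACCOUNT and
    clear only the two bits AD defaulted in, preserving everything else."""
    return (ad_value | NORMAL_ACCOUNT) & ~(ACCOUNTDISABLE | PASSWD_NOTREQD)


def audit(ad_value):
    """What a practitioner would want flagged after a sync: an account
    left disabled, or one exempt from password policy."""
    findings = []
    if ad_value & ACCOUNTDISABLE:
        findings.append("account is disabled")
    if ad_value & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: empty password permitted")
    return findings


def ldif_replace_uac(dn, value):
    """The LDIF modify a sync step (or a manual ldapmodify) would send."""
    return ("dn: %s\nchangetype: modify\nreplace: userAccountControl\n"
            "userAccountControl: %d\n-\n" % (dn, value))


if __name__ == "__main__":
    # Constructed input: the value John observed on an entry created
    # through Fedora DS, 546 = NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE.
    observed = 546
    print("AD returned %d -> %s" % (observed, decode_uac(observed)))
    for label, fn in (("1.1.3 |= 0x200", sync_1_1_3),
                      ("force 512", sync_force_512),
                      ("targeted", sync_targeted)):
        new = fn(observed)
        print("%-15s -> %d %s audit=%s" % (label, new, decode_uac(new), audit(new)))
    # Hypothetical DN; the real sync would use the DN it just created.
    print(ldif_replace_uac("CN=jdoe,CN=Users,DC=example,DC=com", sync_targeted(observed)))
```

Running the script with 546 shows the point of the thread directly: the 1.1.3 strategy returns 546 unchanged and the audit still reports both findings, while either of the other two strategies yields 512. The difference between them only shows on an entry carrying extra flags (for example DONT_EXPIRE_PASSWORD, 0x10000): forcing 512 drops them, the targeted update keeps them.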