Re: Re: Fedora-directory-users Digest, Vol 41, Issue 24

John Dickinson wrote:

On 30 Oct 2008, at 16:00, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

John Dickinson wrote:
Hi,

I am testing what happens when you create a new user and sync it to
AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.

If I use the console to create a new user and tick the Enable NT User
Attributes, Create New NT Account etc the new user appears in AD but
is disabled.

Looking at the code it seems that send_accountcontrol_modify() gets
the userAccountControl settings from AD adds 0x0200 (Normal Account)
and sends it back.

Looking at the traffic between Fedora DS and AD it appears that Fedora
DS is getting ACCOUNTDISABLE in userAccountControl from AD.

Should FedoraDS be unsetting ACCOUNTDISABLE or should AD not be
setting it in the first place? If it is a problem with AD then can
anyone point me to where I tell it to do the right thing?
Does AD have some sort of setting that tells it to disable new
accounts?

Not that I know about. But I am no Windows expert.

What happens if you create new accounts directly in AD?

When you create a new user in Windows there is a tick box to disable the account, but it is not ticked by default and the user is created in an enabled state.

I see the following when:
- Both Windows and Fedora DS set to enforce no password complexity constraints
- Windows sync agreement and password sync working
- When creating a user in AD only one option is selected by default - user must change password at next login.
- The following options are not ticked by default:
-- User cannot change password
-- Password never expires
-- Account is disabled

create user in AD                    userAccountControl: 512 (Normal)
create user in Fedora DS (console) userAccountControl: 546 (Normal + PASSWD_NOTREQ + ACCOUNTDISABLE)

Would there be anything wrong with Fedora DS just forcing userAccountControl = 512? Or are more options needed in the user creation dialog?
I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way it works now is this:
- add new AD entry over LDAP - no userAccountControl attribute is present, so it must use some sort of AD default value
- read the new AD entry - get the userAccountControl value
- set AD entry userAccountControl |= 0x200 (512 == normal account)

So you might try a simple test - add a new AD entry over LDAP outside of windows sync - see what the default userAccountControl value is - I'm guessing that adding a new AD entry without specifying userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE


John
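As an added illustration (not code from the thread or from Fedora DS), the flag arithmetic discussed above in Python: it decodes the two observed values, shows why ORing 0x200 into 546 leaves ACCOUNTDISABLE set, and shows what an alternative that clears the disable and PASSWD_NOTREQD bits while keeping every other bit would return. The flag values are the standard AD userAccountControl constants; enable_normal and risky_flags are hypothetical helper names, not anything in the sync code.

```python
# userAccountControl bit flags (standard Active Directory ADS_USER_FLAG values).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
}
# Flags that weaken an account; a sync tool should never leave these set unnoticed.
RISKY = ("PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_REQ_PREAUTH")


def decode(uac: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if uac & bit]


def or_normal(uac: int) -> int:
    """The behaviour the thread describes for send_accountcontrol_modify(): OR in 0x200.
    546 already contains 0x200, so it comes back unchanged and ACCOUNTDISABLE stays set."""
    return uac | UAC_FLAGS["NORMAL_ACCOUNT"]


def enable_normal(uac: int) -> int:
    """Hypothetical alternative: set NORMAL_ACCOUNT, clear ACCOUNTDISABLE and PASSWD_NOTREQD,
    and keep any other bit (e.g. DONT_EXPIRE_PASSWORD) an admin may have set in AD."""
    uac |= UAC_FLAGS["NORMAL_ACCOUNT"]
    uac &= ~(UAC_FLAGS["ACCOUNTDISABLE"] | UAC_FLAGS["PASSWD_NOTREQD"])
    return uac


def risky_flags(uac: int) -> list:
    """Risky flags still set in a value; useful when reviewing what a sync left behind."""
    return [name for name in RISKY if uac & UAC_FLAGS[name]]


if __name__ == "__main__":
    for value in (512, 546):  # the two values observed in the thread
        print(value, decode(value), "|= 0x200 ->", or_normal(value),
              "enable_normal ->", enable_normal(value), "risky:", risky_flags(value))
```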

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
