John Dickinson wrote:
On 30 Oct 2008, at 16:00, Rich Megginson <rmeggins(a)redhat.com> wrote:
> John Dickinson wrote:
>> Hi,
>>
>> I am testing what happens when you create a new user and sync it to
>> AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.
>>
>> If I use the console to create a new user and tick the Enable NT User
>> Attributes, Create New NT Account etc the new user appears in AD but
>> is disabled.
>>
>> Looking at the code it seems that send_accountcontrol_modify() gets
>> the userAccountControl settings from AD adds 0x0200 (Normal Account)
>> and sends it back.
>>
>> Looking at the traffic between Fedora DS and AD it appears that Fedora
>> DS is getting ACCOUNTDISABLE in userAccountControl from AD.
>>
>> Should FedoraDS be unsetting ACCOUNTDISABLE or should AD not be
>> setting it in the first place? If it is a problem with AD then can
>> anyone point me to where I tell it to do the right thing?
> Does AD have some sort of setting that tells it to disable new
> accounts?
Not that I know about. But I am no windows expert.
> What happens if you create new accounts directly in AD?
When you create a new user in windows there is a tick box to disable
the account but it is not ticked by default and the user is created in
an enabled state.
I see the following when:
- Both Windows and Fedora DS set to enforce no password complexity
constraints
- Windows sync agreement and password sync working
- When creating a user in AD only one option is selected by default -
user must change password at next login.
- The following options are not ticked by default:
-- User cannot change password
-- Password never expires
-- Account is disabled
create user in AD userAccountControl: 512 (Normal)
create user in Fedora DS (console) userAccountControl: 546 (Normal +
PASSWD_NOTREQ + ACCOUNTDISABLE)
Would there be anything wrong with Fedora DS just forcing
userAccountControl = 512? Or are more options needed in the user
creation dialog?

I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way it
works now is this:
add new AD entry over LDAP - no userAccountControl attribute is present,
so it must use some sort of AD default value
read the new AD entry - get the userAccountControl value
set AD entry userAccountControl |= 0x200 (512 == normal account)
So you might try a simple test - add a new AD entry over LDAP outside of
windows sync - see what the default userAccountControl value is - I'm
guessing that adding a new AD entry without specifying
userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE
John
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
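As an added illustration of the bit arithmetic discussed above (not code from the thread or from Fedora DS), this Python snippet decodes a userAccountControl value and contrasts the `|= 0x200` step with one that also clears the two bits AD applies by default to an LDAP-created entry. The flag constants are Microsoft's documented userAccountControl bits; the 546 input is the value John reports for a console-created user.

```python
# Microsoft's documented userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def sync_as_described(ad_value):
    """The step the thread describes for 1.1.3: OR in NORMAL_ACCOUNT, write back.
    ACCOUNTDISABLE is never touched, so an entry AD created disabled stays disabled."""
    return ad_value | NORMAL_ACCOUNT


def sync_enabled(ad_value):
    """Same step, but also clear the two bits AD sets on an LDAP-created entry.
    Clearing PASSWD_NOTREQD matters as well: while it is set, AD will accept an
    empty password for the account. Other bits (e.g. DONT_EXPIRE_PASSWORD) are kept."""
    return (ad_value | NORMAL_ACCOUNT) & ~(ACCOUNTDISABLE | PASSWD_NOTREQD)


def is_disabled(value):
    return bool(value & ACCOUNTDISABLE)


if __name__ == "__main__":
    ad_default = 546  # constructed input: the value reported in the thread
    print("AD gave us:", ad_default, decode_uac(ad_default))
    after = sync_as_described(ad_default)
    print("after |= 0x200:", after, decode_uac(after), "disabled:", is_disabled(after))
    fixed = sync_enabled(ad_default)
    print("after clearing default bits:", fixed, decode_uac(fixed), "disabled:", is_disabled(fixed))
```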