--- freeradius-server-2.1.10-original/src/modules/rlm_mschap/rlm_mschap.c	2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10-patched/src/modules/rlm_mschap/rlm_mschap.c	2010-11-02 13:01:05.681040758 +0100
@@ -133,6 +133,7 @@
 	int require_encryption;
         int require_strong;
         int with_ntdomain_hack;	/* this should be in another module */
+	int enforce_user_flag;
 	char *passwd_file;
 	const char *xlat_name;
 	char *ntlm_auth;
@@ -530,6 +531,8 @@
 	  offsetof(rlm_mschap_t,require_strong), NULL, "no" },
 	{ "with_ntdomain_hack",     PW_TYPE_BOOLEAN,
 	  offsetof(rlm_mschap_t,with_ntdomain_hack), NULL, "no" },
+	{ "enforce_user_flag",    PW_TYPE_BOOLEAN,
+	  offsetof(rlm_mschap_t,enforce_user_flag), NULL, "yes" },
 	{ "passwd",   PW_TYPE_STRING_PTR,
 	  offsetof(rlm_mschap_t, passwd_file), NULL,  NULL },
 	{ "ntlm_auth",   PW_TYPE_STRING_PTR,
@@ -951,6 +954,7 @@
 	char *username_string;
 	int chap = 0;
 	int		do_ntlm_auth;
+	int bad_account_flags = 0;
 
 	/*
 	 *	If we have ntlm_auth configured, use it unless told
@@ -1267,14 +1271,31 @@
 	 */
 	if (smb_ctrl) {
 		/*
-		 *	Account is disabled.
+		 *	Account could be disabled or lack the right flags.
 		 *
-		 *	They're found, but they don't exist, so we
+		 *	They're found, but do not meet the requirements, so we
 		 *	return 'not found'.
 		 */
-		if (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) ||
-		    ((smb_ctrl->vp_integer & ACB_NORMAL) == 0)) {
-			RDEBUG2("SMB-Account-Ctrl says that the account is disabled, or is not a normal account.");
+		if ((smb_ctrl->vp_integer & ACB_DISABLED) != 0) {
+			RDEBUG2("SMB-Account-Ctrl says that the account is disabled. Rejecting.");
+			bad_account_flags=1;
+		} else {
+
+			if (inst->enforce_user_flag) {
+				RDEBUG2("enforce_user_flag is set, account needs to be a user account ('U' flag set)");
+				if ((smb_ctrl->vp_integer & ACB_NORMAL) == 0) {
+					RDEBUG2("SMB-Account-Ctrl says that the account is not a normal user account.");
+					bad_account_flags=1;
+				}
+			} else {
+				RDEBUG2("enforce_user_flag is not set, workstation/server trust accounts are ok as are user accounts ('W' 'S' or 'U' flag set)");
+				if (((smb_ctrl->vp_integer & ACB_WSTRUST) == 0) && ((smb_ctrl->vp_integer & ACB_SVRTRUST) == 0) && ((smb_ctrl->vp_integer & ACB_NORMAL) == 0)) {
+					RDEBUG2("SMB-Account-Ctrl says that the account is neither a workstation nor a server trust account. Rejecting.");
+					bad_account_flags=1;
+				}
+			}
+		}
+		if (bad_account_flags==1) {
 			mschap_add_reply(request, &request->reply->vps,
 					  *response->vp_octets,
 					  "MS-CHAP-Error", "E=691 R=1", 9);
--- freeradius-server-2.1.10-original/raddb/modules/mschap	2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10-patched/raddb/modules/mschap	2010-11-02 11:52:56.057045961 +0100
@@ -35,6 +35,12 @@
 	#
 	#with_ntdomain_hack = no
 
+	# If you are using machine authentication with
+	# samba and ldap you might want to set this to 
+	# "no" so the samba object for the machine does
+	# not need to have the user flag set.
+	# enforce_user_flag = yes
+
 	# The module can perform authentication itself, OR
 	# use a Windows Domain Controller.  This configuration
 	# directive tells the module to call the ntlm_auth
