Author: idra Date: 2007-07-03 13:07:56 +0000 (Tue, 03 Jul 2007) New Revision: 23682
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23682 Log: Old patch I forgot in one of my 3.0.25 trees. Make sure we honour the directive not to allow machine password changes. Modified: branches/SAMBA_3_0/source/smbd/chgpasswd.c branches/SAMBA_3_0_26/source/smbd/chgpasswd.c Changeset:
Modified: branches/SAMBA_3_0/source/smbd/chgpasswd.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/chgpasswd.c 2007-07-03 08:22:24 UTC (rev 23681)
+++ branches/SAMBA_3_0/source/smbd/chgpasswd.c 2007-07-03 13:07:56 UTC (rev 23682)
@@ -1019,6 +1019,7 @@
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason)
 {
 uint32 min_len;
+ uint32 refuse;
 struct passwd *pass = NULL;
 const char *username = pdb_get_username(hnd);
 time_t can_change_time = pdb_get_pass_can_change_time(hnd);
@@ -1036,6 +1037,21 @@
 return NT_STATUS_ACCOUNT_RESTRICTION;
 }
+ /* check to see if it is a Machine account and if the policy
+ * denies machines to change the password. *
+ * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */
+ if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) {
+ if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+ DEBUG(1, ("Machine %s cannot change password now, "
+ "denied by Refuse Machine Password Change policy\n",
+ username));
+ if (samr_reject_reason) {
+ *samr_reject_reason = REJECT_REASON_OTHER;
+ }
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ }
+ }
+
 /* removed calculation here, becuase passdb now calculates based on policy. jmcd */
 if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
Modified: branches/SAMBA_3_0_26/source/smbd/chgpasswd.c
===================================================================
--- branches/SAMBA_3_0_26/source/smbd/chgpasswd.c 2007-07-03 08:22:24 UTC (rev 23681)
+++ branches/SAMBA_3_0_26/source/smbd/chgpasswd.c 2007-07-03 13:07:56 UTC (rev 23682)
@@ -1019,6 +1019,7 @@
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason)
 {
 uint32 min_len;
+ uint32 refuse;
 struct passwd *pass = NULL;
 const char *username = pdb_get_username(hnd);
 time_t can_change_time = pdb_get_pass_can_change_time(hnd);
@@ -1036,6 +1037,21 @@
 return NT_STATUS_ACCOUNT_RESTRICTION;
 }
+ /* check to see if it is a Machine account and if the policy
+ * denies machines to change the password. *
+ * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */
+ if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) {
+ if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+ DEBUG(1, ("Machine %s cannot change password now, "
+ "denied by Refuse Machine Password Change policy\n",
+ username));
+ if (samr_reject_reason) {
+ *samr_reject_reason = REJECT_REASON_OTHER;
+ }
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ }
+ }
+
 /* removed calculation here, becuase passdb now calculates based on policy. jmcd */
 if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
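Review bot: The new policy gate in change_oem_password appears to fail open: `pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse` is used as a success-and-value test, so if the lookup does not succeed the machine password change proceeds and nothing is logged. I would declare `uint32 refuse = 0;` and test the lookup separately, at least logging the failure (or denying the change if the policy is meant to be strict), e.g. `if (!pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse)) { DEBUG(0, ("could not read Refuse Machine Password Change policy\n")); }`. The check also covers only `ACB_WSTRUST`, so the SRVTRUST/DOMSTRUST question left in the comment is unresolved and those account types are not subject to the policy on this path; decide it and state the decision in the comment rather than leaving the question in the code. The identical hunk is applied to branches/SAMBA_3_0 and branches/SAMBA_3_0_26, and the function body continues outside the hunk, so whether other password-change paths enforce the same policy cannot be judged from here.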
