authorSimo Sorce <idra@samba.org>2007-07-03 13:07:56 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:23:45 -0500
commitb85bfd50663bbec07313d626ad3845f2a9fcfd3c (patch)
treef640ebfbead4071262e0391b9e34a3653d375426
parent56f6f58df2bae009e10352a0435ba4d70c5cacb7 (diff)
r23682: Old patch I forgot in one of my 3.0.25 trees.
Make sure we honour the directive not to allow machine password changes. (This used to be commit 436555f05ceae34d8df2356d1066b6b5e0a07c41)
-rw-r--r--source3/smbd/chgpasswd.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 8146d6d137..1227163c22 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1019,6 +1019,7 @@ static BOOL check_passwd_history(struct samu *sampass, const char *plaintext)
NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason)
{
uint32 min_len;
+ uint32 refuse;
struct passwd *pass = NULL;
const char *username = pdb_get_username(hnd);
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
@@ -1036,6 +1037,21 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
return NT_STATUS_ACCOUNT_RESTRICTION;
}
+ /* check to see if it is a Machine account and if the policy
+ * denies machines to change the password. *
+ * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */
+ if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) {
+ if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+ DEBUG(1, ("Machine %s cannot change password now, "
+ "denied by Refuse Machine Password Change policy\n",
+ username));
+ if (samr_reject_reason) {
+ *samr_reject_reason = REJECT_REASON_OTHER;
+ }
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ }
+ }
+
/* removed calculation here, becuase passdb now calculates
based on policy. jmcd */
if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
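Review bot: The policy lookup in `if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse)` fails open: when pdb_get_account_policy() returns false, the machine password change proceeds and nothing is logged, so an unreadable policy store silently disables the restriction. I would at least log that case, e.g. `DEBUG(0, ("Could not read Refuse Machine Password Change policy for %s\n", username));`, and decide explicitly whether a failed read should deny the change. The check also covers only ACB_WSTRUST accounts, and the question in the new comment about server and domain trust accounts is left unanswered; it should be resolved or tracked, since those accounts are not restricted by this policy as written. The body of change_oem_password continues outside the hunk, so later checks were not reviewed.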