authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-07-08 16:00:19 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-08-17 18:45:33 +0200
commit23bd3a74176be4a1f8d6d70b148ababee397cf8c (patch)
tree7df7790d6bb51bbf54fb41f3c25f33d7390739f1
parent895a9fbbfb06f371f4dbab3174451ace50dbb2b7 (diff)
s4:acl LDB module - support password changes over the DSDB_CONTROL_PASSWORD_CHANGE_OID control
This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set".
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 4eb27e9d1e..9965e5374b 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -779,7 +779,21 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
- if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
+
+ if (ldb_request_get_control(req,
+ DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL) {
+ /* The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+ * have a user password change and not a set as the message
+ * looks like. In it's value blob it contains the NT and/or LM
+ * hash of the old password specified by the user.
+ * This control is used by the SAMR and "kpasswd" password
+ * change mechanisms. */
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_USER_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
+ }
+ else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
GUID_DRS_FORCE_CHANGE_PASSWORD,
SEC_ADS_CONTROL_ACCESS,
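Review bot: The new `ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL` branch replaces the `GUID_DRS_FORCE_CHANGE_PASSWORD` check with the typically far more widely granted `GUID_DRS_USER_CHANGE_PASSWORD` check on the mere presence of the control; neither its origin nor its value blob is examined in this hunk. The commit message calls the control "strictly private", but nothing visible here enforces that, so the authorization decision rests on the control never being accepted from an external request and on the old-password hash being verified somewhere further along the path. I would state that dependency in the comment, e.g. `/* Internal-only control: it must be rejected on requests from untrusted clients before this module runs, and the old-password hash in its value must be verified before the change is applied. */`, and confirm that both conditions actually hold elsewhere. Minor: "In it's value blob" should read "In its value blob", and `}` followed by `else if` on the next line would more conventionally be `} else if (...) {`. The body of acl_check_password_rights starts and ends outside this hunk.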