author | Andrew Tridgell <tridge@samba.org> | 2009-05-25 15:23:54 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-05-25 15:23:54 +1000 |
commit | b335618d1743599588902cfd2be4ae37150b239d (patch) | |
tree | e2981301d61704362023589a47eadc6288f7419f | |
parent | 4dcc058ea1d98e40f59f2726c4dd37a98401b258 (diff) | |
fixed interpretation of ACB_PWNOTREQ
This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty.
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 14 | ||||
-rw-r--r-- | source4/dsdb/common/util.c | 7 |
2 files changed, 6 insertions, 15 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 2b9b92812c..e99d0e1f51 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -152,20 +152,6 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
 {
 NTSTATUS status;
- if (acct_flags & ACB_PWNOTREQ) {
- if (lp_null_passwords(auth_context->lp_ctx)) {
- DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n",
- user_info->mapped.account_name));
- *lm_sess_key = data_blob(NULL, 0);
- *user_sess_key = data_blob(NULL, 0);
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n",
- user_info->mapped.account_name));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
-
 switch (user_info->password_state) {
 case AUTH_PASSWORD_PLAIN:
 {
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 19eb3433a9..b9aceab836 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1658,6 +1658,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0);
 minPwdAge = samdb_result_int64(res[0], "minPwdAge", 0);
+ if (userAccountControl & UF_PASSWD_NOTREQD) {
+ /* see [MS-ADTS] 2.2.15 */
+ minPwdLength = 0;
+ }
+
 if (_dominfo) {
 struct samr_DomInfo1 *dominfo;
 /* on failure we need to fill in the reject reasons */
@@ -1697,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 /* possibly check password complexity */
- if (restrictions && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
+ if (restrictions && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) &&
 !samdb_password_complexity_ok(new_pass)) {
 if (reject_reason) {
 *reject_reason = SAMR_REJECT_COMPLEXITY; |
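Review bot: In the samdb_set_password hunk at -1658, forcing `minPwdLength = 0` means the length restriction no longer stops an empty new password for an account carrying UF_PASSWD_NOTREQD, while the auth_sam.c hunk of this same commit deletes the only visible `lp_null_passwords()` gate in authsam_password_ok. Whether a blank password on such an account is still refused at logon when null passwords are disabled depends on code outside these hunks, so that path deserves an explicit check and a test. The override also sits above the `if (_dominfo)` block, whose body continues outside the hunk; if that block copies `minPwdLength` into the returned policy, callers would be told 0 rather than the domain value. The comment could state the rule instead of only the reference, e.g. `/* UF_PASSWD_NOTREQD: skip only the minimum-length check for this account, see [MS-ADTS] 2.2.15 */`.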