authorAndrew Tridgell <tridge@samba.org>2009-05-25 15:23:54 +1000
committerAndrew Tridgell <tridge@samba.org>2009-05-25 15:23:54 +1000
commitb335618d1743599588902cfd2be4ae37150b239d (patch)
treee2981301d61704362023589a47eadc6288f7419f
parent4dcc058ea1d98e40f59f2726c4dd37a98401b258 (diff)
fixed interpretation of ACB_PWNOTREQ
This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty.
-rw-r--r--source4/auth/ntlm/auth_sam.c14
-rw-r--r--source4/dsdb/common/util.c7
2 files changed, 6 insertions, 15 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 2b9b92812c..e99d0e1f51 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -152,20 +152,6 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
{
NTSTATUS status;
- if (acct_flags & ACB_PWNOTREQ) {
- if (lp_null_passwords(auth_context->lp_ctx)) {
- DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n",
- user_info->mapped.account_name));
- *lm_sess_key = data_blob(NULL, 0);
- *user_sess_key = data_blob(NULL, 0);
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n",
- user_info->mapped.account_name));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
-
switch (user_info->password_state) {
case AUTH_PASSWORD_PLAIN:
{
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 19eb3433a9..b9aceab836 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1658,6 +1658,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0);
minPwdAge = samdb_result_int64(res[0], "minPwdAge", 0);
+ if (userAccountControl & UF_PASSWD_NOTREQD) {
+ /* see [MS-ADTS] 2.2.15 */
+ minPwdLength = 0;
+ }
+
if (_dominfo) {
struct samr_DomInfo1 *dominfo;
/* on failure we need to fill in the reject reasons */
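Review bot: Forcing `minPwdLength = 0` for UF_PASSWD_NOTREQD accounts lets a zero-length new password pass the length policy, and the same commit removes the ACB_PWNOTREQ / `lp_null_passwords` branch from authsam_password_ok in auth_sam.c. It is worth confirming that an empty password is still refused somewhere when null passwords are disabled; no such check is visible in these hunks. The override also sits before the `if (_dominfo)` block, so the policy reported back on rejection presumably carries 0 instead of the domain's configured minimum. If callers expect the domain value, apply the override after that block. The comment would say more as `/* UF_PASSWD_NOTREQD exempts this account from the minimum length only, see [MS-ADTS] 2.2.15 */`. samdb_set_password starts and ends outside the hunk.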
@@ -1697,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
/* possibly check password complexity */
- if (restrictions && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
+ if (restrictions && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) &&
!samdb_password_complexity_ok(new_pass)) {
if (reject_reason) {
*reject_reason = SAMR_REJECT_COMPLEXITY;