summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2009-05-07 23:54:58 +0200
committerGünther Deschner <gd@samba.org>2009-05-08 00:43:24 +0200
commitc400fc1e1e9a0c3db82c9a96e9684c8debfb3b74 (patch)
tree4b6e9a86c31dc43c3b3259e419d5752ec7118bc6 /source3
parentb9fa8285f77a8748b815f6ca6eaaf77767223bff (diff)
downloadsamba-c400fc1e1e9a0c3db82c9a96e9684c8debfb3b74.tar.gz
samba-c400fc1e1e9a0c3db82c9a96e9684c8debfb3b74.tar.bz2
samba-c400fc1e1e9a0c3db82c9a96e9684c8debfb3b74.zip
s3-samr: disable check for ACB_DISABLED in check_oem_password().
It is a bad idea to just tell everyone that an account is disabled without really having checked the password first. Found by torture test. Guenther
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/chgpasswd.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 5e89b6c80c..dd1864e08b 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -860,12 +860,15 @@ static NTSTATUS check_oem_password(const char *user,
bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
acct_ctrl = pdb_get_acct_ctrl(sampass);
+#if 0
+ /* I am convinced this check here is wrong, it is valid to
+ * change a password of a user that has a disabled account - gd */
if (acct_ctrl & ACB_DISABLED) {
DEBUG(2,("check_lanman_password: account %s disabled.\n", user));
return NT_STATUS_ACCOUNT_DISABLED;
}
-
+#endif
if ((acct_ctrl & ACB_PWNOTREQ) && lp_null_passwords()) {
/* construct a null password (in case one is needed */
no_pw[0] = 0;