summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2006-02-02 16:38:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:06:21 -0500
commit206cbff8b72a2ccc41e52b45097976f4511bfdec (patch)
tree5ef52e90a1c91da1d05b3e6f8d2b12c72a483909 /source3
parent8b54e0b2a042b6624f8b360dc7bc9e4b691c47eb (diff)
downloadsamba-206cbff8b72a2ccc41e52b45097976f4511bfdec.tar.gz
samba-206cbff8b72a2ccc41e52b45097976f4511bfdec.tar.bz2
samba-206cbff8b72a2ccc41e52b45097976f4511bfdec.zip
r13291: NT checks the minimum password age dynamically. That means we have to ignore
the sambapwdmustchange field if we can access the corresponding account policy and calculate it dynamically based on the pwdlastset field. Volker (This used to be commit b02b1d3ef3bceec1957d025c642e306a65310d22)
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/chgpasswd.c26
1 files changed, 21 insertions, 5 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 5a179dbf47..bb30519319 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1010,15 +1010,31 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passwd, BOOL as_root)
{
BOOL ret;
- uint32 min_len;
+ uint32 min_len, min_age;
struct passwd *pass = NULL;
const char *username = pdb_get_username(hnd);
+ time_t last_change_time = pdb_get_pass_last_set_time(hnd);
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
- if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
- DEBUG(1, ("user %s cannot change password now, must wait until %s\n",
- username, http_timestring(can_change_time)));
- return NT_STATUS_ACCOUNT_RESTRICTION;
+ if (pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age)) {
+ /*
+ * Windows calculates the minimum password age check
+ * dynamically, it basically ignores the pwdcanchange
+ * timestamp. Do likewise.
+ */
+ if (last_change_time + min_age > time(NULL)) {
+ DEBUG(1, ("user %s cannot change password now, must "
+ "wait until %s\n", username,
+ http_timestring(last_change_time+min_age)));
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ }
+ } else {
+ if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
+ DEBUG(1, ("user %s cannot change password now, must "
+ "wait until %s\n", username,
+ http_timestring(can_change_time)));
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ }
}
if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {