r4651: Add "refuse machine password change" policy field. This update will just

return the appropriate reg value.  Enforcement to be added soon.

Also, fix account policy tdb upgrade so it doesn't just wipe out everything
that was in there from a a previous version.
(This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)

3 files changed, 65 insertions, 16 deletions

diff --git a/source3/include/smb.h b/source3/include/smb.h
index a7db0c0a86..d15f630507 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -638,7 +638,7 @@ typedef struct {
 #define AP_RESET_COUNT_TIME		7
 #define AP_BAD_ATTEMPT_LOCKOUT		8
 #define AP_TIME_TO_LOGOUT		9
-
+#define AP_REFUSE_MACHINE_PW_CHANGE	10
 
 /*
  * Flags for local user manipulation.
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c
index aa59383258..c62396c22d 100644
--- a/source3/lib/account_pol.c
+++ b/source3/lib/account_pol.c
@@ -22,7 +22,19 @@
 #include "includes.h"
 static TDB_CONTEXT *tdb; /* used for driver files */
 
-#define DATABASE_VERSION 1
+#define DATABASE_VERSION 2
+
+/****************************************************************************
+ Set default for a field if it is empty
+****************************************************************************/
+
+static void set_default_on_empty(int field, uint32 value)
+{
+	if (account_policy_get(field, NULL))
+		return;
+	account_policy_set(field, value);
+	return;
+}
 
 /****************************************************************************
  Open the account policy tdb.
@@ -44,18 +56,38 @@ BOOL init_account_policy(void)
 	/* handle a Samba upgrade */
 	tdb_lock_bystring(tdb, vstring,0);
 	if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
-		tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
 		tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
 		
-		account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH);   /* 5 chars minimum             */
-		account_policy_set(AP_PASSWORD_HISTORY, 0);		    /* don't keep any old password */
-		account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0);	    /* don't force user to logon   */
-		account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1);        /* don't expire		   */
-		account_policy_set(AP_MIN_PASSWORD_AGE, 0);		    /* 0 days                      */
-		account_policy_set(AP_LOCK_ACCOUNT_DURATION, 30);	    /* lockout for 30 minutes      */
-		account_policy_set(AP_RESET_COUNT_TIME, 30);		    /* reset after 30 minutes      */
-		account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0);		    /* don't lockout               */
-		account_policy_set(AP_TIME_TO_LOGOUT, -1);		    /* don't force logout          */
+		set_default_on_empty(
+			AP_MIN_PASSWORD_LEN, 
+			MINPASSWDLENGTH);/* 5 chars minimum             */
+		set_default_on_empty(
+			AP_PASSWORD_HISTORY, 
+			0);		/* don't keep any old password	*/
+		set_default_on_empty(
+			AP_USER_MUST_LOGON_TO_CHG_PASS, 
+			0);		/* don't force user to logon	*/
+		set_default_on_empty(
+			AP_MAX_PASSWORD_AGE, 
+			(uint32)-1);	/* don't expire			*/
+		set_default_on_empty(
+			AP_MIN_PASSWORD_AGE, 
+			0);		/* 0 days                      */
+		set_default_on_empty(
+			AP_LOCK_ACCOUNT_DURATION, 
+			30);		/* lockout for 30 minutes      */
+		set_default_on_empty(
+			AP_RESET_COUNT_TIME, 
+			30);		/* reset after 30 minutes      */
+		set_default_on_empty(
+			AP_BAD_ATTEMPT_LOCKOUT, 
+			0);		/* don't lockout               */
+		set_default_on_empty(
+			AP_TIME_TO_LOGOUT, 
+			-1);		/* don't force logout          */
+		set_default_on_empty(
+			AP_REFUSE_MACHINE_PW_CHANGE, 
+			0);		/* allow machine pw changes    */
 	}
 	tdb_unlock_bystring(tdb, vstring);
 
@@ -75,6 +107,7 @@ static const struct {
 	{AP_RESET_COUNT_TIME, "reset count minutes"},
 	{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"},
 	{AP_TIME_TO_LOGOUT, "disconnect time"},
+	{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"},
 	{0, NULL}
 };
 
@@ -138,21 +171,26 @@ int account_policy_name_to_fieldnum(const char *name)
 BOOL account_policy_get(int field, uint32 *value)
 {
 	fstring name;
+	uint32 regval;
 
 	if(!init_account_policy())return False;
 
-	*value = 0;
+	if (value)
+		*value = 0;
 
 	fstrcpy(name, decode_account_policy_name(field));
 	if (!*name) {
 		DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type!  Cannot get, returning 0.\n", field));
 		return False;
 	}
-	if (!tdb_fetch_uint32(tdb, name, value)) {
+	if (!tdb_fetch_uint32(tdb, name, &regval)) {
 		DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
 		return False;
 	}
-	DEBUG(10,("account_policy_get: %s:%d\n", name, *value));
+	if (value)
+		*value = regval;
+
+	DEBUG(10,("account_policy_get: %s:%d\n", name, regval));
 	return True;
 }
 
diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c
index dc9db47c66..d85a066e34 100644
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -373,11 +373,22 @@ NTSTATUS _reg_info(pipes_struct *p, REG_Q_INFO *q_u, REG_R_INFO *r_u)
 	/* couple of hard coded registry values */
 	
 	if ( strequal(name, "RefusePasswordChange") ) {
+		uint32 dwValue;
+
 		if ( (val = SMB_MALLOC_P(REGISTRY_VALUE)) == NULL ) {
 			DEBUG(0,("_reg_info: malloc() failed!\n"));
 			return NT_STATUS_NO_MEMORY;
 		}
-		ZERO_STRUCTP( val );
+
+		if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
+			dwValue = 0;
+		regval_ctr_addvalue(&regvals, "RefusePasswordChange", 
+				    REG_DWORD,
+				    (const char*)&dwValue, sizeof(dwValue));
+		val = dup_registry_value(
+			regval_ctr_specific_value( &regvals, 0 ) );
+ 	
+		status = NT_STATUS_OK;
 	
 		goto out;
 	}