author | Andrew Bartlett <abartlet@samba.org> | 2009-06-18 11:08:46 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-06-18 13:49:30 +1000 |
commit | 19413c52495877d54c90c60229568d0077fda30b (patch) | |
tree | c148e96ba2ff28933f2d5f3714b8fc7e60957dec /source4/auth | |
parent | 2afc6df9b49a246129acdd7c8c24448c8cf3b6ef (diff) | |
s4:kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw.
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth.h | 3 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 2 | ||||
-rw-r--r-- | source4/auth/sam.c | 11 |
3 files changed, 9 insertions, 7 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index f6d739325d..6bad017862 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -232,7 +232,8 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg,
 const char *logon_workstation,
 const char *name_for_logs,
- bool allow_domain_trust);
+ bool allow_domain_trust,
+ bool password_change);
 struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 const char *netbios_name,
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 0bb79e234c..253ddf2286 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -175,7 +175,7 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 msg,
 user_info->workstation_name,
 user_info->mapped.account_name,
- false);
+ false, false);
 return nt_status;
 }
 
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 68eaacf255..acbd50c3fa 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -147,7 +147,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg,
 const char *logon_workstation,
 const char *name_for_logs,
- bool allow_domain_trust)
+ bool allow_domain_trust,
+ bool password_change)
 {
 uint16_t acct_flags;
 const char *workstation_list;
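Review bot: The new `bool password_change` parameter is added to the authsam_account_ok prototype with no comment stating what it changes, and the sam.c hunk further down shows that a caller passing true switches off both the must-change-at-next-logon and the expired-password rejections, so this flag relaxes account-policy enforcement. The header is where callers look for the contract, so state it there, including which path it is meant for and what it does not relax: `/* password_change: true only when the request is itself a password change (kadmin/changepw); skips the password-expired and must-change-at-next-logon checks. The account-expired check is still applied. */`. The prototype's first line is outside the hunk.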
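Review bot: The call in authsam_authenticate now passes two adjacent boolean literals, `false, false`, and nothing at the call site says which is allow_domain_trust and which is password_change; the second is the flag that (per the sam.c hunk) disables the password-expiry checks, so a future argument swap or insertion would be easy to miss. Name them inline: `false /* allow_domain_trust */, false /* password_change */);`. The enclosing authsam_authenticate starts before the hunk.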
@@ -189,15 +190,15 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 return NT_STATUS_ACCOUNT_EXPIRED;
 }
 
- /* check for immediate expiry "must change at next logon" */
- if (must_change_time == 0) {
+ /* check for immediate expiry "must change at next logon" (but not if this is a password change request) */
+ if ((must_change_time == 0) && !password_change) {
 DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", name_for_logs));
 return NT_STATUS_PASSWORD_MUST_CHANGE;
 }
 
- /* check for expired password */
- if (must_change_time < now) {
+ /* check for expired password (but not if this is a password change request) */
+ if ((must_change_time < now) && !password_change) {
 DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", name_for_logs));
 DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", |