diff options
author | Andrew Bartlett <abartlet@samba.org> | 2007-08-22 04:28:15 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 15:02:23 -0500 |
commit | d7f84b51f96c2e1b48a38de823329f2e4ea86e55 (patch) | |
tree | 7c542a304bf3da5d2eaad177b8ac400ee6d5da44 /source4/dsdb/samdb | |
parent | bd93ed4680b3a86348b0d84a93d20f3daafbe8ad (diff) | |
download | samba-d7f84b51f96c2e1b48a38de823329f2e4ea86e55.tar.gz samba-d7f84b51f96c2e1b48a38de823329f2e4ea86e55.tar.bz2 samba-d7f84b51f96c2e1b48a38de823329f2e4ea86e55.zip |
r24611: Following up on the re-opening of bug 4817 is it pretty clear that
machine accounts are not subject to password policy in Win2k3 R2 (at
least in terms of password quality).
In testing this, I found that Win2k3 R2 has changed the way the old
ChangePassword RPC call is handled - the 'cross-checks' between new LM
and NT passwords are not required.
Andrew Bartlett
(This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d)
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 148be88532..7a20ea8665 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -1515,7 +1515,6 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, BOOL user_change, - BOOL restrictions, enum samr_RejectReason *reject_reason, struct samr_DomInfo1 **_dominfo) { @@ -1536,6 +1535,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct int sambaLMPwdHistory_len, sambaNTPwdHistory_len; struct dom_sid *domain_sid; struct ldb_message **res; + BOOL restrictions; int count; time_t now = time(NULL); NTTIME now_nt; @@ -1558,6 +1558,13 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct ntPwdHash = samdb_result_hash(mem_ctx, res[0], "unicodePwd"); pwdLastSet = samdb_result_uint64(res[0], "pwdLastSet", 0); + /* Only non-trust accounts have restrictions (possibly this + * test is the wrong way around, but I like to be restrictive + * if possible */ + restrictions = !(userAccountControl & (UF_INTERDOMAIN_TRUST_ACCOUNT + |UF_WORKSTATION_TRUST_ACCOUNT + |UF_SERVER_TRUST_ACCOUNT)); + if (domain_dn) { /* pull the domain parameters */ count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res, domain_attrs); @@ -1605,7 +1612,8 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct *_dominfo = dominfo; } - if (new_pass) { + if (restrictions && new_pass) { + /* check the various password restrictions */ if (restrictions && minPwdLength > strlen_m(new_pass)) { if (reject_reason) { @@ -1637,7 +1645,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct ntNewHash = &local_ntNewHash; } - if (restrictions && user_change) { + if (user_change) { /* are all password changes disallowed? */ if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) { if (reject_reason) { @@ -1745,7 +1753,6 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, BOOL user_change, - BOOL restrictions, enum samr_RejectReason *reject_reason, struct samr_DomInfo1 **_dominfo) { @@ -1787,7 +1794,6 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me msg, new_pass, lmNewHash, ntNewHash, user_change, /* This is a password set, not change */ - restrictions, /* run restriction tests */ reject_reason, _dominfo); if (!NT_STATUS_IS_OK(nt_status)) { ldb_transaction_cancel(ctx); |