authorAndrew Bartlett <abartlet@samba.org>2007-08-22 04:28:15 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:02:23 -0500
commitd7f84b51f96c2e1b48a38de823329f2e4ea86e55 (patch)
tree7c542a304bf3da5d2eaad177b8ac400ee6d5da44 /source4/dsdb/samdb
parentbd93ed4680b3a86348b0d84a93d20f3daafbe8ad (diff)
r24611: Following up on the re-opening of bug 4817, it is pretty clear that
machine accounts are not subject to password policy in Win2k3 R2 (at least in terms of password quality). In testing this, I found that Win2k3 R2 has changed the way the old ChangePassword RPC call is handled - the 'cross-checks' between new LM and NT passwords are not required. Andrew Bartlett (This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d)
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/samdb.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 148be88532..7a20ea8665 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -1515,7 +1515,6 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
struct samr_Password *lmNewHash,
struct samr_Password *ntNewHash,
BOOL user_change,
- BOOL restrictions,
enum samr_RejectReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
@@ -1536,6 +1535,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
int sambaLMPwdHistory_len, sambaNTPwdHistory_len;
struct dom_sid *domain_sid;
struct ldb_message **res;
+ BOOL restrictions;
int count;
time_t now = time(NULL);
NTTIME now_nt;
@@ -1558,6 +1558,13 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
ntPwdHash = samdb_result_hash(mem_ctx, res[0], "unicodePwd");
pwdLastSet = samdb_result_uint64(res[0], "pwdLastSet", 0);
+ /* Only non-trust accounts have restrictions (possibly this
+ * test is the wrong way around, but I like to be restrictive
+ * if possible */
+ restrictions = !(userAccountControl & (UF_INTERDOMAIN_TRUST_ACCOUNT
+ |UF_WORKSTATION_TRUST_ACCOUNT
+ |UF_SERVER_TRUST_ACCOUNT));
+
if (domain_dn) {
/* pull the domain parameters */
count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res, domain_attrs);
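Review bot: The comment added above the `restrictions` assignment has an unclosed parenthesis and leaves the policy undecided ("possibly this test is the wrong way around"); since the commit message settles that trust/machine accounts are exempt from password-quality policy in Win2k3 R2 (bug 4817), the comment should state that rather than doubt it. Suggested: `/* Trust (machine) accounts are exempt from the password restrictions; only ordinary user accounts are checked (bug 4817, matches Win2k3 R2 behaviour) */`. The `userAccountControl` value the mask is applied to is read outside this hunk, so it is assumed here to be the account's current flags as loaded from `res[0]`. samdb_set_password starts before this hunk.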
@@ -1605,7 +1612,8 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
*_dominfo = dominfo;
}
- if (new_pass) {
+ if (restrictions && new_pass) {
+
/* check the various password restrictions */
if (restrictions && minPwdLength > strlen_m(new_pass)) {
if (reject_reason) {
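Review bot: Gating the whole block on `restrictions && new_pass` goes further than the commit intends: the individual checks inside already carry their own `restrictions &&` guard (visible on the `minPwdLength` test two lines down), and the block appears to end with the hash derivation from `new_pass` (`ntNewHash = &local_ntNewHash;` is the context at the top of the next hunk). If that is the block's tail, a cleartext password set for a trust account now never produces `lmNewHash`/`ntNewHash`, so the exemption silently turns into a missing hash. Keep the outer test as `if (new_pass) {` and let the per-check guards do the exemption; the empty line added after the brace can go as well. The block closes outside this hunk, so confirm where it ends before deciding.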
@@ -1637,7 +1645,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
ntNewHash = &local_ntNewHash;
}
- if (restrictions && user_change) {
+ if (user_change) {
/* are all password changes disallowed? */
if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
if (reject_reason) {
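Review bot: Removing `restrictions &&` from the `user_change` test makes the change-only policy (`DOMAIN_REFUSE_PASSWORD_CHANGE` and whatever further checks follow in this block) apply to trust/machine accounts too, which runs in the opposite direction from the rest of the commit; the commit message only justifies exempting machine accounts from password-quality checks, so it is unclear whether this is intended or a side effect of callers no longer passing `restrictions` explicitly. If it is deliberate, say so at the test: `/* Change-specific policy (refusal of changes) applies to every account, trust accounts included */`; otherwise keep `if (restrictions && user_change) {`. The block continues past the end of the hunk.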
@@ -1745,7 +1753,6 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me
struct samr_Password *lmNewHash,
struct samr_Password *ntNewHash,
BOOL user_change,
- BOOL restrictions,
enum samr_RejectReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
@@ -1787,7 +1794,6 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me
msg, new_pass,
lmNewHash, ntNewHash,
user_change, /* This is a password set, not change */
- restrictions, /* run restriction tests */
reject_reason, _dominfo);
if (!NT_STATUS_IS_OK(nt_status)) {
ldb_transaction_cancel(ctx);