s4:libnet Allow 'net password change' to work on expired passwords

We need to pass down flags to the DCE/RPC layer to allow fallback to
anonymous connections, as we can't log in with an expired password.

The anonymous connection can then change the password with SAMR.

Andrew Bartlett

2 files changed, 4 insertions, 2 deletions

diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 7f573f0e84..ea92bcc93a 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -142,6 +142,8 @@ struct dcerpc_pipe {
 
 #define DCERPC_SCHANNEL                (1<<9)
 
+#define DCERPC_ANON_FALLBACK           (1<<10)
+
 /* use a 128 bit session key */
 #define DCERPC_SCHANNEL_128            (1<<12)
 
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 0f9fbe0abc..1b1f039004 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -130,10 +130,10 @@ static struct composite_context *dcerpc_pipe_connect_ncacn_np_smb_send(TALLOC_CT
 	 * provide proper credentials - user supplied, but allow a
 	 * fallback to anonymous if this is an schannel connection
 	 * (might be NT4 not allowing machine logins at session
-	 * setup).
+	 * setup) or if asked to do so by the caller (perhaps a SAMR password change?)
 	 */
 	s->conn.in.credentials = s->io.creds;
-	if (s->io.binding->flags & DCERPC_SCHANNEL) {
+	if (s->io.binding->flags & (DCERPC_SCHANNEL|DCERPC_ANON_FALLBACK)) {
 		conn->in.fallback_to_anonymous  = true;
 	} else {
 		conn->in.fallback_to_anonymous  = false;