summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/smbd/chgpasswd.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index dd1864e08b..2eb09d176d 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1085,6 +1085,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
{
uint32 min_len;
uint32 refuse;
+ TALLOC_CTX *tosctx = talloc_tos();
struct passwd *pass = NULL;
const char *username = pdb_get_username(hnd);
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
@@ -1122,7 +1123,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
DEBUG(1, ("user %s cannot change password now, must "
"wait until %s\n", username,
- http_timestring(talloc_tos(), can_change_time)));
+ http_timestring(tosctx, can_change_time)));
if (samr_reject_reason) {
*samr_reject_reason = SAMR_REJECT_OTHER;
}
@@ -1147,7 +1148,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
return NT_STATUS_PASSWORD_RESTRICTION;
}
- pass = Get_Pwnam_alloc(talloc_tos(), username);
+ pass = Get_Pwnam_alloc(tosctx, username);
if (!pass) {
DEBUG(1, ("change_oem_password: Username %s does not exist in system !?!\n", username));
return NT_STATUS_ACCESS_DENIED;
@@ -1156,9 +1157,16 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
/* Use external script to check password complexity */
if (lp_check_password_script() && *(lp_check_password_script())) {
int check_ret;
+ char *cmd;
- check_ret = smbrunsecret(lp_check_password_script(), new_passwd);
- DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", lp_check_password_script(), check_ret));
+ cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
+ if (!cmd) {
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+
+ check_ret = smbrunsecret(cmd, new_passwd);
+ DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
+ TALLOC_FREE(cmd);
if (check_ret != 0) {
DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));