Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/password.c9
-rw-r--r--source3/smbd/server.c47
2 files changed, 52 insertions, 4 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 0f2efcc1da..48fd7cbe24 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -28,6 +28,8 @@
extern int DEBUGLEVEL;
extern int Protocol;
+BOOL global_machine_pasword_needs_changing;
+
/* users from session setup */
static pstring session_users="";
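Review bot: The new flag's name is misspelled (`global_machine_pasword_needs_changing`, one "s" in "password"), and because it is a cross-file global the typo is copied into the `extern` line and every use in server.c. Renaming it to `global_machine_password_needs_changing` now is cheap. It would also be safer to declare it once in a shared header rather than through the hand-written `extern BOOL ...;` in server.c, so the two declarations cannot drift apart. A one-line comment such as `/* Set by domain_client_validate() when the trust password is past its timeout; cleared by process(). */` would document who writes the flag and who clears it.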
@@ -1972,8 +1974,6 @@ BOOL domain_client_validate( char *user, char *domain,
}
}
- become_root(False);
-
/*
* Get the machine account password.
*/
@@ -1992,13 +1992,14 @@ machine %s in domain %s.\n", global_myname, global_myworkgroup ));
trust_password_unlock();
- unbecome_root(False);
-
/*
* Here we should check the last change time to see if the machine
* password needs changing..... TODO... JRA.
*/
+ if(time(NULL) > lct + lp_machine_password_timeout())
+ global_machine_pasword_needs_changing = True;
+
/*
* At this point, smb_apasswd points to the lanman response to
* the challenge in local_challenge, and smb_ntpasswd points to
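Review bot: The comment directly above the added test still reads "TODO... JRA" although the test beneath it now implements that check, so it should be replaced, e.g. `/* Flag an expired machine password; the idle loop in process() performs the change. */`. This hunk also drops `unbecome_root(False)`, and the previous hunk drops the matching `become_root(False)`, so reading the machine account password now depends on privileges established somewhere this diff does not show. It is worth confirming that `trust_password_lock()` or its callers still guarantee the required uid when the file is opened, and stating that in the comment. The body of domain_client_validate() starts and ends outside the hunk.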
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 2b2ebb5304..408d5cd068 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -50,6 +50,7 @@ extern BOOL use_mangled_map;
extern BOOL short_case_preserve;
extern BOOL case_mangle;
time_t smb_last_time=(time_t)0;
+extern BOOL global_machine_pasword_needs_changing;
extern int smb_read_error;
@@ -4950,6 +4951,52 @@ static void process(void)
DEBUG(2,("%s Closing idle connection 2\n",timestring()));
return;
}
+
+ if(global_machine_pasword_needs_changing)
+ {
+ unsigned char trust_passwd_hash[16];
+ time_t lct;
+ pstring remote_machine_list;
+
+ /*
+ * We're in domain level security, and the code that
+ * read the machine password flagged that the machine
+ * password needs changing.
+ */
+
+ /*
+ * First, open the machine password file with an exclusive lock.
+ */
+
+ if(!trust_password_lock( global_myworkgroup, global_myname, True)) {
+ DEBUG(0,("process: unable to open the machine account password file for \
+machine %s in domain %s.\n", global_myname, global_myworkgroup ));
+ continue;
+ }
+
+ if(!get_trust_account_password( trust_passwd_hash, &lct)) {
+ DEBUG(0,("process: unable to read the machine account password for \
+machine %s in domain %s.\n", global_myname, global_myworkgroup ));
+ trust_password_unlock();
+ continue;
+ }
+
+ /*
+ * Make sure someone else hasn't already done this.
+ */
+
+ if(t < lct + lp_machine_password_timeout()) {
+ trust_password_unlock();
+ global_machine_pasword_needs_changing = False;
+ continue;
+ }
+
+ pstrcpy(remote_machine_list, lp_passwordserver());
+
+ change_trust_account_password( global_myworkgroup, remote_machine_list);
+ trust_password_unlock();
+ global_machine_pasword_needs_changing = False;
+ }
}
if(got_smb)
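Review bot: The result of `change_trust_account_password()` is discarded and `global_machine_pasword_needs_changing` is set to False regardless, so a failed change against the password server is neither logged nor distinguishable from success in this block. If the function reports status (its declaration is not in this diff), check it and log the failure, e.g. `if(!change_trust_account_password( global_myworkgroup, remote_machine_list)) DEBUG(0,("process: failed to change machine account password.\n"));`. Conversely, the two early `continue` paths leave the flag set, so a persistent lock or read failure repeats a level-0 message each time this branch runs; consider clearing the flag there and letting the next validation re-arm it. `trust_passwd_hash` holds the machine account secret and stays on the stack when the block exits; a `memset(trust_passwd_hash, 0, sizeof(trust_passwd_hash));` before leaving would shorten its lifetime. process() and the variable `t` are defined outside the hunk.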