Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c6
-rw-r--r--source4/rpc_server/samr/samr_password.c25
2 files changed, 21 insertions, 10 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 9eed9eb1f3..6ef1c66714 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -389,7 +389,8 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
mod,
NULL, /* Don't have plaintext */
NULL, &r->in.new_password,
- False /* This is not considered a password change */,
+ False, /* This is not considered a password change */
+ False, /* don't restrict this password change (match w2k3) */
NULL);
NT_STATUS_NOT_OK_RETURN(nt_status);
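Review bot: The comment on the new `False` in netr_ServerPasswordSet says restrictions are being skipped, but for this call nothing appears to be skipped. The plaintext argument is `NULL` and `user_change` is `False`, while the three tests that `restrict` gates in samdb_set_password (see the samr_password.c hunks of this commit) appear to sit under `if (new_pass)` or depend on `user_change`. A comment such as `False, /* no policy tests apply to a hash-only set (match w2k3) */` would describe what actually happens. The enclosing function starts and ends outside the hunk.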
@@ -1097,7 +1098,8 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
msgs_domain[0]->dn,
mod, new_pass, /* we have plaintext */
NULL, NULL,
- False /* This is not considered a password change */,
+ False, /* This is not considered a password change */
+ False, /* don't restrict this password change (match w2k3) */
NULL);
ZERO_ARRAY(new_pass);
NT_STATUS_NOT_OK_RETURN(nt_status);
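Review bot: With `restrict` set to `False` and a client-supplied plaintext in `new_pass`, netr_ServerPasswordSet2 skips both the minimum-length and the complexity test in samdb_set_password, so nothing visible on this path rejects a very short or empty password. If the decoding code above this call (outside the hunk) does not already bound the length, add that check before the call. The comment should also say why the bypass is acceptable, for example `False, /* machine account over an authenticated secure channel: no domain policy tests (match w2k3) */`, if that is indeed the precondition established earlier in the function.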
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 0e009f7b02..085fe450ac 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -115,7 +115,9 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
status = samdb_set_password(a_state->sam_ctx, mem_ctx,
a_state->account_dn, a_state->domain_state->domain_dn,
msg, NULL, &new_lmPwdHash, &new_ntPwdHash,
- True, NULL);
+ True, /* this is a user password change */
+ True, /* run restriction tests */
+ NULL);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -229,7 +231,9 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
user_dn, domain_dn,
mod, new_pass,
NULL, NULL,
- True, NULL);
+ True, /* this is a user password change */
+ True, /* run restriction tests */
+ NULL);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -378,7 +382,9 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
user_dn, domain_dn,
mod, new_pass,
NULL, NULL,
- True, &reason);
+ True, /* this is a user password change */
+ True, /* run restriction tests */
+ &reason);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
@@ -481,6 +487,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
struct samr_Password *lmNewHash,
struct samr_Password *ntNewHash,
BOOL user_change,
+ BOOL restrict,
uint32_t *reject_reason)
{
const char * const user_attrs[] = { "userAccountControl", "lmPwdHistory",
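Review bot: The new parameter name `restrict` is a keyword in C99 and later, so `BOOL restrict,` only compiles when the file is built in a pre-C99 dialect (C89/gnu89); any header carrying the prototype has the same problem. Rename it, e.g. `BOOL restrict_policy,`, and update the three uses in the later hunks of this function (`restrict && minPwdLength ...`, `restrict && pwdProperties ...`, `restrict && user_change`). The function's doc comment, which is outside the hunk, should describe the new flag and name the tests it switches off. Since this view is limited to source4/rpc_server, callers of samdb_set_password elsewhere in the tree cannot be checked here and need the extra argument too.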
@@ -536,7 +543,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
if (new_pass) {
/* check the various password restrictions */
- if (minPwdLength > strlen_m(new_pass)) {
+ if (restrict && minPwdLength > strlen_m(new_pass)) {
if (reject_reason) {
*reject_reason = SAMR_REJECT_TOO_SHORT;
}
@@ -544,7 +551,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
}
/* possibly check password complexity */
- if (pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
+ if (restrict && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
!samdb_password_complexity_ok(new_pass)) {
if (reject_reason) {
*reject_reason = SAMR_REJECT_COMPLEXITY;
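Review bot: The condition `restrict && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&` relies on `&` binding tighter than `&&`. It evaluates as intended, but it is easy to misread in a policy check. Write it as `if (restrict && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) &&`. The enclosing `if (new_pass)` block starts outside this hunk.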
@@ -560,7 +567,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
ntNewHash = &local_ntNewHash;
}
- if (user_change) {
+ if (restrict && user_change) {
/* are all password changes disallowed? */
if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
if (reject_reason) {
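Review bot: `if (restrict && user_change)` makes a call with `user_change` true and `restrict` false skip this whole block, including the `DOMAIN_REFUSE_PASSWORD_CHANGE` test shown here and whatever else the block holds beyond the hunk. Every caller in this diff that passes `False` for `restrict` also passes `False` for `user_change`, so the added term changes nothing for them today. A comment above the condition would make the intent explicit, e.g. `/* user-change rules apply only when the caller asked for policy enforcement */`.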
@@ -757,7 +764,8 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
account_dn, domain_dn,
msg, new_pass,
NULL, NULL,
- False /* This is a password set, not change */,
+ False, /* This is a password set, not change */
+ True, /* run restriction tests */
NULL);
}
@@ -810,7 +818,8 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
account_dn, domain_dn,
msg, new_pass,
NULL, NULL,
- False,
+ False, /* This is a password set, not change */
+ True, /* run restriction tests */
NULL);
}