2 files changed, 6 insertions, 15 deletions

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 2b9b92812c..e99d0e1f51 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -152,20 +152,6 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
 {
 	NTSTATUS status;
 
-	if (acct_flags & ACB_PWNOTREQ) {
-		if (lp_null_passwords(auth_context->lp_ctx)) {
-			DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", 
-				 user_info->mapped.account_name));
-			*lm_sess_key = data_blob(NULL, 0);
-			*user_sess_key = data_blob(NULL, 0);
-			return NT_STATUS_OK;
-		} else {
-			DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", 
-				 user_info->mapped.account_name));
-			return NT_STATUS_LOGON_FAILURE;
-		}		
-	}
-
 	switch (user_info->password_state) {
 	case AUTH_PASSWORD_PLAIN: 
 	{
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 19eb3433a9..b9aceab836 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1658,6 +1658,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 	minPwdLength =     samdb_result_uint(res[0],   "minPwdLength", 0);
 	minPwdAge =        samdb_result_int64(res[0],  "minPwdAge", 0);
 
+	if (userAccountControl & UF_PASSWD_NOTREQD) {
+		/* see [MS-ADTS] 2.2.15 */
+		minPwdLength = 0;
+	}
+
 	if (_dominfo) {
 		struct samr_DomInfo1 *dominfo;
 		/* on failure we need to fill in the reject reasons */
@@ -1697,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 			
 			
 			/* possibly check password complexity */
-			if (restrictions && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
+			if (restrictions && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) &&
 			    !samdb_password_complexity_ok(new_pass)) {
 				if (reject_reason) {
 					*reject_reason = SAMR_REJECT_COMPLEXITY;