From c400fc1e1e9a0c3db82c9a96e9684c8debfb3b74 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Thu, 7 May 2009 23:54:58 +0200
Subject: s3-samr: disable check for ACB_DISABLED in check_oem_password(). It is a bad idea to just tell everyone that an account is disabled without really having checked the password first. Found by torture test. Guenther
---
 source3/smbd/chgpasswd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3')
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 5e89b6c80c..dd1864e08b 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -860,12 +860,15 @@ static NTSTATUS check_oem_password(const char *user,
 bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
 acct_ctrl = pdb_get_acct_ctrl(sampass);
+#if 0
+ /* I am convinced this check here is wrong, it is valid to
+ * change a password of a user that has a disabled account - gd */
 if (acct_ctrl & ACB_DISABLED) {
 DEBUG(2,("check_lanman_password: account %s disabled.\n", user));
 return NT_STATUS_ACCOUNT_DISABLED;
 }
-
+#endif
 if ((acct_ctrl & ACB_PWNOTREQ) && lp_null_passwords()) {
 /* construct a null password (in case one is needed */
 no_pw[0] = 0;
-- cgit
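Review bot: The `#if 0` block around the `ACB_DISABLED` test leaves dead code whose comment gives a different reason than the commit message: the comment says changing a disabled account's password is valid, while the message says the problem is returning NT_STATUS_ACCOUNT_DISABLED before the old password has been checked, which discloses account state to a caller who has not yet proven knowledge of the password. I would delete the disabled lines and keep a single comment that records the security reason, e.g. `/* Do not report ACB_DISABLED here: the old password has not been verified yet, so the status would disclose account state to an unverified caller. */`. If disabled accounts are still meant to be refused, the test belongs after the old-password verification rather than being dropped; that verification is in the part of check_oem_password outside this hunk, so this needs confirming against the full function.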