From 19413c52495877d54c90c60229568d0077fda30b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 18 Jun 2009 11:08:46 +1000
Subject: s4:kdc Allow a password change when the password is expired

This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue.  (In particular, in
case our requirements become more complex in future).

The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw

Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.

Andrew Bartlett
---
 source4/auth/auth.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'source4/auth/auth.h')

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index f6d739325d..6bad017862 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -232,7 +232,8 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    struct ldb_message *msg,
 			    const char *logon_workstation,
 			    const char *name_for_logs,
-			    bool allow_domain_trust);
+			    bool allow_domain_trust,
+			    bool password_change);
 struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 					   const char *netbios_name,
-- 
cgit