From b335618d1743599588902cfd2be4ae37150b239d Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Mon, 25 May 2009 15:23:54 +1000
Subject: fixed interpretation of ACB_PWNOTREQ

This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty
---
 source4/dsdb/common/util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'source4/dsdb/common/util.c')

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 19eb3433a9..b9aceab836 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1658,6 +1658,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 	minPwdLength =     samdb_result_uint(res[0],   "minPwdLength", 0);
 	minPwdAge =        samdb_result_int64(res[0],  "minPwdAge", 0);
 
+	if (userAccountControl & UF_PASSWD_NOTREQD) {
+		/* see [MS-ADTS] 2.2.15 */
+		minPwdLength = 0;
+	}
+
 	if (_dominfo) {
 		struct samr_DomInfo1 *dominfo;
 		/* on failure we need to fill in the reject reasons */
@@ -1697,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 			
 			
 			/* possibly check password complexity */
-			if (restrictions && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
+			if (restrictions && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) &&
 			    !samdb_password_complexity_ok(new_pass)) {
 				if (reject_reason) {
 					*reject_reason = SAMR_REJECT_COMPLEXITY;
-- 
cgit