From d7f84b51f96c2e1b48a38de823329f2e4ea86e55 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 Aug 2007 04:28:15 +0000 Subject: r24611: Following up on the re-opening of bug 4817 is it pretty clear that machine accounts are not subject to password policy in Win2k3 R2 (at least in terms of password quality). In testing this, I found that Win2k3 R2 has changed the way the old ChangePassword RPC call is handled - the 'cross-checks' between new LM and NT passwords are not required. Andrew Bartlett (This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d) --- source4/dsdb/samdb/samdb.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 148be88532..7a20ea8665 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -1515,7 +1515,6 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, BOOL user_change, - BOOL restrictions, enum samr_RejectReason *reject_reason, struct samr_DomInfo1 **_dominfo) { @@ -1536,6 +1535,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct int sambaLMPwdHistory_len, sambaNTPwdHistory_len; struct dom_sid *domain_sid; struct ldb_message **res; + BOOL restrictions; int count; time_t now = time(NULL); NTTIME now_nt; @@ -1558,6 +1558,13 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct ntPwdHash = samdb_result_hash(mem_ctx, res[0], "unicodePwd"); pwdLastSet = samdb_result_uint64(res[0], "pwdLastSet", 0); + /* Only non-trust accounts have restrictions (possibly this + * test is the wrong way around, but I like to be restrictive + * if possible */ + restrictions = !(userAccountControl & (UF_INTERDOMAIN_TRUST_ACCOUNT + |UF_WORKSTATION_TRUST_ACCOUNT + |UF_SERVER_TRUST_ACCOUNT)); + if (domain_dn) { /* pull the domain parameters */ count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res, domain_attrs); @@ -1605,7 +1612,8 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct *_dominfo = dominfo; } - if (new_pass) { + if (restrictions && new_pass) { + /* check the various password restrictions */ if (restrictions && minPwdLength > strlen_m(new_pass)) { if (reject_reason) { @@ -1637,7 +1645,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct ntNewHash = &local_ntNewHash; } - if (restrictions && user_change) { + if (user_change) { /* are all password changes disallowed? */ if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) { if (reject_reason) { @@ -1745,7 +1753,6 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, BOOL user_change, - BOOL restrictions, enum samr_RejectReason *reject_reason, struct samr_DomInfo1 **_dominfo) { @@ -1787,7 +1794,6 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me msg, new_pass, lmNewHash, ntNewHash, user_change, /* This is a password set, not change */ - restrictions, /* run restriction tests */ reject_reason, _dominfo); if (!NT_STATUS_IS_OK(nt_status)) { ldb_transaction_cancel(ctx); -- cgit