From b335618d1743599588902cfd2be4ae37150b239d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 25 May 2009 15:23:54 +1000 Subject: fixed interpretation of ACB_PWNOTREQ This bit actually means that we should ignore the minimum password length field for this user. It doesn't mean that the password should be seen as empty --- source4/auth/ntlm/auth_sam.c | 14 -------------- source4/dsdb/common/util.c | 7 ++++++- 2 files changed, 6 insertions(+), 15 deletions(-) (limited to 'source4') diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 2b9b92812c..e99d0e1f51 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -152,20 +152,6 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context, { NTSTATUS status; - if (acct_flags & ACB_PWNOTREQ) { - if (lp_null_passwords(auth_context->lp_ctx)) { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", - user_info->mapped.account_name)); - *lm_sess_key = data_blob(NULL, 0); - *user_sess_key = data_blob(NULL, 0); - return NT_STATUS_OK; - } else { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", - user_info->mapped.account_name)); - return NT_STATUS_LOGON_FAILURE; - } - } - switch (user_info->password_state) { case AUTH_PASSWORD_PLAIN: { diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 19eb3433a9..b9aceab836 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1658,6 +1658,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0); minPwdAge = samdb_result_int64(res[0], "minPwdAge", 0); + if (userAccountControl & UF_PASSWD_NOTREQD) { + /* see [MS-ADTS] 2.2.15 */ + minPwdLength = 0; + } + if (_dominfo) { struct samr_DomInfo1 *dominfo; /* on failure we need to fill in the reject reasons */ @@ -1697,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* possibly check password complexity */ - if (restrictions && pwdProperties & DOMAIN_PASSWORD_COMPLEX && + if (restrictions && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) && !samdb_password_complexity_ok(new_pass)) { if (reject_reason) { *reject_reason = SAMR_REJECT_COMPLEXITY; -- cgit