From: Günther Deschner Date: Thu, 7 May 2009 21:54:58 +0000 (+0200) Subject: s3-samr: disable check for ACB_DISABLED in check_oem_password(). X-Git-Tag: tdb-1.1.5~679 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c400fc1e1e9a0c3db82c9a96e9684c8debfb3b74;p=thirdparty%2Fsamba.git s3-samr: disable check for ACB_DISABLED in check_oem_password(). It is a bad idea to just tell everyone that an account is disabled without really having checked the password first. Found by torture test. Guenther
---
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 5e89b6c80c4..dd1864e08b2 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -860,12 +860,15 @@ static NTSTATUS check_oem_password(const char *user,
 bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
 acct_ctrl = pdb_get_acct_ctrl(sampass);
+#if 0
+ /* I am convinced this check here is wrong, it is valid to
+ * change a password of a user that has a disabled account - gd */
 if (acct_ctrl & ACB_DISABLED) {
 DEBUG(2,("check_lanman_password: account %s disabled.\n", user));
 return NT_STATUS_ACCOUNT_DISABLED;
 }
-
+#endif
 if ((acct_ctrl & ACB_PWNOTREQ) && lp_null_passwords()) {
 /* construct a null password (in case one is needed */
 no_pw[0] = 0;
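Review bot: The `#if 0` block around the `ACB_DISABLED` test leaves dead code whose in-line comment gives a different reason (changing a disabled account's password is valid) than the commit message (the account state must not be reported before the old password has been checked). If the disclosure concern is the real motivation, the comment should record it, for example `/* Do not report ACB_DISABLED before the old password has been verified; the status would otherwise be visible to a caller who has not proven knowledge of it. */`, and the compiled-out lines could be deleted rather than kept. If disabled accounts are still meant to be refused, the test belongs after the old-hash verification later in check_oem_password(); that part of the function lies outside this hunk, so it is not visible whether any later check or caller enforces it. The retained DEBUG text also names `check_lanman_password` although the enclosing function is `check_oem_password`, which would mislead anyone reading logs if the block is ever re-enabled.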