From: Simo Sorce Date: Tue, 3 Jul 2007 13:07:56 +0000 (+0000) Subject: r23682: Old patch I forgot in one of my 3.0.25 trees. X-Git-Tag: samba-4.0.0alpha6~801^2~5490 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b85bfd50663bbec07313d626ad3845f2a9fcfd3c;p=thirdparty%2Fsamba.git r23682: Old patch I forgot in one of my 3.0.25 trees. Make sure we honour the directive not to allow machine password changes. (This used to be commit 436555f05ceae34d8df2356d1066b6b5e0a07c41) --- diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 8146d6d1377..1227163c224 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -1019,6 +1019,7 @@ static BOOL check_passwd_history(struct samu *sampass, const char *plaintext) NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason) { uint32 min_len; + uint32 refuse; struct passwd *pass = NULL; const char *username = pdb_get_username(hnd); time_t can_change_time = pdb_get_pass_can_change_time(hnd); @@ -1036,6 +1037,21 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw return NT_STATUS_ACCOUNT_RESTRICTION; } + /* check to see if it is a Machine account and if the policy + * denies machines to change the password. * + * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */ + if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) { + if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) { + DEBUG(1, ("Machine %s cannot change password now, " + "denied by Refuse Machine Password Change policy\n", + username)); + if (samr_reject_reason) { + *samr_reject_reason = REJECT_REASON_OTHER; + } + return NT_STATUS_ACCOUNT_RESTRICTION; + } + } + /* removed calculation here, becuase passdb now calculates based on policy. jmcd */ if ((can_change_time != 0) && (time(NULL) < can_change_time)) {