svn commit: samba r23682 - in branches: SAMBA_3_0/source/smbd SAMBA_3_0_26/source/smbd

idra at samba.org idra at samba.org
Tue Jul 3 13:07:57 GMT 2007


Author: idra
Date: 2007-07-03 13:07:56 +0000 (Tue, 03 Jul 2007)
New Revision: 23682

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23682

Log:

Old patch I forgot in one of my 3.0.25 trees.
Make sure we honour the directive not to allow machine password changes.


Modified:
   branches/SAMBA_3_0/source/smbd/chgpasswd.c
   branches/SAMBA_3_0_26/source/smbd/chgpasswd.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/chgpasswd.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/chgpasswd.c	2007-07-03 08:22:24 UTC (rev 23681)
+++ branches/SAMBA_3_0/source/smbd/chgpasswd.c	2007-07-03 13:07:56 UTC (rev 23682)
@@ -1019,6 +1019,7 @@
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason)
 {
 	uint32 min_len;
+	uint32 refuse;
 	struct passwd *pass = NULL;
 	const char *username = pdb_get_username(hnd);
 	time_t can_change_time = pdb_get_pass_can_change_time(hnd);
@@ -1036,6 +1037,21 @@
 		return NT_STATUS_ACCOUNT_RESTRICTION;
 	}
 
+	/* check to see if it is a Machine account and if the policy
+	 * denies machines to change the password. *
+	 * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */
+	if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) {
+		if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+			DEBUG(1, ("Machine %s cannot change password now, "
+				  "denied by Refuse Machine Password Change policy\n",
+				  username));
+			if (samr_reject_reason) {
+				*samr_reject_reason = REJECT_REASON_OTHER;
+			}
+			return NT_STATUS_ACCOUNT_RESTRICTION;
+		}
+	}
+
 	/* removed calculation here, becuase passdb now calculates
 	   based on policy.  jmcd */
 	if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
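Review bot: The new test `if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse)` fails open: if the policy lookup itself returns false, the machine password change proceeds and nothing is logged, so a broken policy store silently disables the restriction. I would split the lookup from the test and log the failure, e.g. `if (!pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse)) { DEBUG(0, ("could not read Refuse Machine Password Change policy\n")); refuse = 0; }`. Whether a failed lookup should deny instead is a policy decision that should be stated in the comment. The check also covers only `ACB_WSTRUST`, so the open question in the comment about server and domain trust accounts should be resolved or tracked rather than left inline. The same points apply to the identical hunk for branches/SAMBA_3_0_26, and `change_oem_password` starts before this hunk and continues past it.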

Modified: branches/SAMBA_3_0_26/source/smbd/chgpasswd.c
===================================================================
--- branches/SAMBA_3_0_26/source/smbd/chgpasswd.c	2007-07-03 08:22:24 UTC (rev 23681)
+++ branches/SAMBA_3_0_26/source/smbd/chgpasswd.c	2007-07-03 13:07:56 UTC (rev 23682)
@@ -1019,6 +1019,7 @@
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason)
 {
 	uint32 min_len;
+	uint32 refuse;
 	struct passwd *pass = NULL;
 	const char *username = pdb_get_username(hnd);
 	time_t can_change_time = pdb_get_pass_can_change_time(hnd);
@@ -1036,6 +1037,21 @@
 		return NT_STATUS_ACCOUNT_RESTRICTION;
 	}
 
+	/* check to see if it is a Machine account and if the policy
+	 * denies machines to change the password. *
+	 * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */
+	if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) {
+		if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+			DEBUG(1, ("Machine %s cannot change password now, "
+				  "denied by Refuse Machine Password Change policy\n",
+				  username));
+			if (samr_reject_reason) {
+				*samr_reject_reason = REJECT_REASON_OTHER;
+			}
+			return NT_STATUS_ACCOUNT_RESTRICTION;
+		}
+	}
+
 	/* removed calculation here, becuase passdb now calculates
 	   based on policy.  jmcd */
 	if ((can_change_time != 0) && (time(NULL) < can_change_time)) {


