Ok, user cannot change password patch, Take 2

Beau Kuiper ekuiperba at cc.curtin.edu.au
Sat Mar 13 09:38:04 GMT 1999


Hi all,

I downloaded the CVS version of samba, and have manually patched it
with my earlier patch. I also added a smbpasswd option to allow the user
to change the password. Apparently, since smbpasswd uses the samba
server to change the password when a normal user runs it, setting a user
to PW_LOCK means that the user cannot change the password anywhere
:). Only root is able to modify the password when running smbpasswd. I
think this is a good thing (correct me if I am wrong).

This patch won't allow the feature to be set in LDAP or SQL databases, it
will only work for smbpasswd database.

To use the patch, change to the root samba dir, eg if the sources are 
/usr/src/samba-dev, change to that dir and execute:

	patch -p0 < smbpatch

Have fun breaking it,
Beau Kuiper

-------------- next part --------------
diff -r -C 3 ../sambaold/samba/source/include/smb.h ./source/include/smb.h
*** ../sambaold/samba/source/include/smb.h	Tue Mar  9 09:17:42 1999
--- ./source/include/smb.h	Sat Mar 13 16:12:09 1999
***************
*** 372,377 ****
--- 372,378 ----
  #define ACB_SVRTRUST   0x0100  /* 1 = Server trust account */
  #define ACB_PWNOEXP    0x0200  /* 1 = User password does not expire */
  #define ACB_AUTOLOCK   0x0400  /* 1 = Account auto locked */
+ #define ACB_PWLOCK     0x0800  /* 1 = Password is locked and connot be changed remotely */
   
  #define MAX_HOURS_LEN 32
  
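Review bot: `ACB_PWLOCK` takes the next free bit (0x0800) in the same word as the other `ACB_` flags, and the neighbouring comments suggest that word is the NT account-control field rather than a Samba-private one. If `acct_ctrl` is ever sent to or accepted from a client unmasked, a local policy bit placed here could be read or set remotely, or collide with a meaning the protocol assigns to 0x0800; the hunk does not show whether such masking exists. I would document the bit as Samba-local, e.g. `/* Samba-local: 1 = password cannot be changed remotely; not an NT ACB bit, mask before returning acct_ctrl to clients */`, which also fixes the "connot" typo in the added comment.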
diff -r -C 3 ../sambaold/samba/source/lib/util_pwdb.c ./source/lib/util_pwdb.c
*** ../sambaold/samba/source/lib/util_pwdb.c	Wed Feb 10 06:13:20 1999
--- ./source/lib/util_pwdb.c	Sat Mar 13 11:03:50 1999
***************
*** 225,230 ****
--- 225,231 ----
  	if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
  	if (acct_ctrl & ACB_PWNOEXP  ) acct_str[i++] = 'X';
  	if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
+ 	if (acct_ctrl & ACB_PWLOCK   ) acct_str[i++] = 'P';
  
  	for ( ; i < length - 2 ; i++ )
  	{
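Review bot: The added `acct_str[i++] = 'P'` is one more unconditional store ahead of the padding loop, and nothing visible in this hunk compares `i` with `length` before any of these flag writes. Each new flag letter raises the worst-case number of characters written when many bits are set in `acct_ctrl`, so the buffer must be sized for every flag at once. The function begins and ends outside the hunk, so I cannot confirm the buffer size; please check it, or guard the stores, for example `if ((acct_ctrl & ACB_PWLOCK) && i < length - 2) acct_str[i++] = 'P';`.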
***************
*** 273,278 ****
--- 274,280 ----
  			case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } 
  			case 'X': { acct_ctrl |= ACB_PWNOEXP  ; break; /* No 'X'piry on password */ } 
  			case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
+ 			case 'P': { acct_ctrl |= ACB_PWLOCK   ; break; /* 'P'assword cannot be changed remotely */ } 
  			case ' ': { break; }
  			case ':':
  			case '\n':
diff -r -C 3 ../sambaold/samba/source/smbd/chgpasswd.c ./source/smbd/chgpasswd.c
*** ../sambaold/samba/source/smbd/chgpasswd.c	Fri Feb 12 08:16:09 1999
--- ./source/smbd/chgpasswd.c	Sat Mar 13 11:09:11 1999
***************
*** 571,576 ****
--- 571,584 ----
  	                               &sampw, 
  	                               new_passwd, sizeof(new_passwd));
  
+ 	/* now we check to see if we are actually allowed to change the
+ 	   password. */
+ 	   
+ 	if (ret && (sampw->acct_ctrl & ACB_PWLOCK))
+ 	{
+ 		ret = False;
+ 	}
+ 	
  	/* 
  	 * At this point we have the new case-sensitive plaintext
  	 * password in the fstring new_passwd. If we wanted to synchronise
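Review bot: The lock is enforced only at this one point, after the old password has been verified, and the diff touches no other function in chgpasswd.c. Any password-change path that does not reach this statement would still succeed for an account with `ACB_PWLOCK` set, so the claim in the description that the user cannot change the password anywhere needs checking against the other entry points, which are not visible here. The refusal is also silent: adding `DEBUG(3,("password change refused: ACB_PWLOCK set\n"));` inside the new block would let an administrator tell a locked account from a wrong old password. The decrypted `new_passwd` is still in the buffer when `ret` is forced to `False`, so confirm the code after the hunk clears it on the failure path; the enclosing function starts and ends outside the hunk.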
diff -r -C 3 ../sambaold/samba/source/utils/smbpasswd.c ./source/utils/smbpasswd.c
*** ../sambaold/samba/source/utils/smbpasswd.c	Tue Mar  9 09:21:57 1999
--- ./source/utils/smbpasswd.c	Sat Mar 13 17:03:20 1999
***************
*** 70,76 ****
--- 70,79 ----
  		printf("  -n                   set no password\n");
  		printf("  -m                   workstation trust account\n");
  		printf("  -i                   inter-domain trust account\n");
+ 		printf("  -p                   user cannot change password\n");
+ 		printf("  -x                   user can change password\n");
  	}
+ 	
  	exit(1);
  }
  
***************
*** 286,298 ****
  	BOOL enable_user = False;
  	BOOL set_no_password = False;
  	BOOL stdin_passwd_get = False;
  	char *user_name = NULL;
  	char *new_domain = NULL;
  	char *new_passwd = NULL;
  	char *old_passwd = NULL;
  	char *remote_machine = NULL;
  
! 	while ((ch = getopt(argc, argv, "adehimnj:r:sR:D:U:")) != EOF)
  	{
  		switch(ch)
  		{
--- 289,303 ----
  	BOOL enable_user = False;
  	BOOL set_no_password = False;
  	BOOL stdin_passwd_get = False;
+ 	BOOL lock_password = False;
+ 	BOOL unlock_password = False;
  	char *user_name = NULL;
  	char *new_domain = NULL;
  	char *new_passwd = NULL;
  	char *old_passwd = NULL;
  	char *remote_machine = NULL;
  
! 	while ((ch = getopt(argc, argv, "adehimnpxj:r:sR:D:U:")) != EOF)
  	{
  		switch(ch)
  		{
***************
*** 362,367 ****
--- 367,382 ----
  				user_name = optarg;
  				break;
  			}
+ 			case 'p':
+ 			{
+ 				lock_password = True;
+ 				break;
+ 			}
+ 			case 'x':
+ 			{
+ 				unlock_password = True;
+ 				break;
+ 			}
  			default:
  			{
  				usage();
***************
*** 497,502 ****
--- 512,529 ----
  		acb_info |= ACB_PWNOTREQ;
  	}
  
+ 	if (lock_password)
+ 	{
+ 		acb_mask |= ACB_PWLOCK;
+ 		acb_info |= ACB_PWLOCK;
+ 	}
+ 
+ 	if (unlock_password)
+ 	{
+ 		acb_mask |= ACB_PWLOCK;
+ 		acb_info &= ~ACB_PWLOCK;
+ 	}
+ 	
  	if (wks_trust_account)
  	{
  		acb_mask |= ACB_WSTRUST;
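Review bot: When both `-p` and `-x` are given, both new blocks run and the second one clears the bit, so the account silently ends up unlocked even though a lock was requested. For a flag that restricts password changes, the conflicting combination should be rejected rather than resolved by statement order, e.g. `if (lock_password && unlock_password)` followed by the same usage/exit path the `default:` case of the option switch takes. The enclosing function starts and ends outside the hunk, so I cannot tell whether these blocks are reachable only for root; the description says they are meant to be.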
***************
*** 552,558 ****
  	char *remote_machine = NULL;
  	char *user_name = NULL;
  	char *new_passwd = NULL;
! 
  	while ((ch = getopt(argc, argv, "hD:r:sU:")) != EOF)
  	{
  		switch(ch)
--- 579,585 ----
  	char *remote_machine = NULL;
  	char *user_name = NULL;
  	char *new_passwd = NULL;
! 	
  	while ((ch = getopt(argc, argv, "hD:r:sU:")) != EOF)
  	{
  		switch(ch)
***************
*** 606,612 ****
  	if (remote_machine == NULL) {
  		remote_machine = "127.0.0.1";
  	}
- 
  
  	if (remote_machine != NULL) {
  		old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
--- 633,638 ----
-------------- next part --------------


Beau Kuiper - ekuiperba at cc.curtin.edu.au
========================================================
The more advanced the technology, the more people you have to employ
maintain it

