[PATCH] Password Locked Account Control

Patrick McCarty mccartyp at apu.edu
Fri Jul 12 20:58:03 GMT 2002


Attached is a patch against HEAD that provides the 'P' option for 
acctFlags.

I haven't been able to test this yet, so use with care.

Ideally, this would eventually set the "user cannot change password" bit
to the client, but as Andrew mentioned, this hasn't been fully implemented, 
and I'm not clear as to where in the code that functionality should even 
be. (I am working on it however.)

I plan on attempting to implement the pwdCanChange as well, as I believe I 
understand how that could be done.

Also, the HTTP link to the samba-latest.tgz on the download page fails, 
apparently Apache won't follow the symlink and just returns a 403.

--
Patrick McCarty
Video Technician
Azusa Pacific University

Logic is a systematic method of coming to the wrong conclusion with confidence.
-------------- next part --------------
diff -ruN samba.orig/source/include/smb.h samba/source/include/smb.h
--- samba.orig/source/include/smb.h	Sun Jul  7 17:40:57 2002
+++ samba/source/include/smb.h	Fri Jul 12 20:47:32 2002
@@ -241,6 +241,7 @@
 #define ACB_SVRTRUST   0x0100  /* 1 = Server trust account */
 #define ACB_PWNOEXP    0x0200  /* 1 = User password does not expire */
 #define ACB_AUTOLOCK   0x0400  /* 1 = Account auto locked */
+#define ACB_PWLOCK     0x0800  /* 1 = User cannot change password */
  
 #define MAX_HOURS_LEN 32
 
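Review bot: the value 0x0800 on the new ACB_PWLOCK line needs to be checked against the NT account-control bit assignments before this is merged. The defines visible here stop at 0x0400, and the mail says the flag should eventually be conveyed to the client, so if 0x0800 already carries a meaning on the wire, an account stored with 'P' would be reported to clients as something else. If the bit is meant to be Samba-private, say so in the comment on the define.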
diff -ruN samba.orig/source/passdb/passdb.c samba/source/passdb/passdb.c
--- samba.orig/source/passdb/passdb.c	Wed Jul  3 00:37:51 2002
+++ samba/source/passdb/passdb.c	Fri Jul 12 20:49:18 2002
@@ -357,6 +357,7 @@
 	if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
 	if (acct_ctrl & ACB_PWNOEXP  ) acct_str[i++] = 'X';
 	if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
+	if (acct_ctrl & ACB_PWLOCK   ) acct_str[i++] = 'P';
 
 	for ( ; i < length - 2 ; i++ )
 		acct_str[i] = ' ';
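Review bot: only the encoding direction is patched at the ACB_PWLOCK line; nothing in this diff changes the routine that parses a flag string back into acct_ctrl, so unless that routine already accepts 'P' the bit will presumably be dropped when the stored string is read back. Add the matching case on the decode side in the same patch. Since each acct_str[i++] write is unchecked and the padding loop assumes i < length - 2, also confirm the buffer still has room with one more possible flag character.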
diff -ruN samba.orig/source/rpc_server/srv_samr_nt.c samba/source/rpc_server/srv_samr_nt.c
--- samba.orig/source/rpc_server/srv_samr_nt.c	Thu Jul  4 21:08:32 2002
+++ samba/source/rpc_server/srv_samr_nt.c	Fri Jul 12 20:49:58 2002
@@ -1521,8 +1521,10 @@
 
 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
 {
+    SAM_ACCOUNT *sampass=NULL;
     fstring user_name;
     fstring wks;
+    BOOL ret;
 
     DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
 
@@ -1532,7 +1534,25 @@
     rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
 
     DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
+    pdb_init_sam(&sampass);
 
+       become_root();
+       ret = pdb_getsampwnam(sampass, user_name);
+       unbecome_root();
+
+       /* check that the user exists in our domain. */
+       if (ret == False) {
+        pdb_free_sam(sampass);
+        return NT_STATUS_NO_SUCH_USER;
+       }
+
+       /* Check to see if the user account's got the PWLOCK bit set*/
+       if ( pdb_get_acct_ctrl(sampass) & ACB_PWLOCK) {
+               pdb_free_sam(sampass);
+			   DEBUG(5,("samr_chgpasswd_user: Password locked. Not changed\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+	
 	/*
 	 * Pass the user through the NT -> unix user mapping
 	 * function.
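Review bot: the new lookup and ACB_PWLOCK test sit ahead of the NT -> unix user mapping and ahead of any check of the caller's old password in the lines shown, so a caller who has not yet proven knowledge of the password gets NT_STATUS_NO_SUCH_USER for unknown names and NT_STATUS_ACCESS_DENIED for locked ones, which allows account names and lock state to be probed. Move the test to after the old password has been verified, or return the same status a failed change would return. Smaller points in the same hunk: the result of pdb_init_sam(&sampass) is not checked before sampass is used, pdb_getsampwnam is called with the unmapped user_name, the two early returns bypass r_u->status (which the function's final return uses), and the added lines mix tabs and spaces.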
@@ -1553,6 +1573,7 @@
 
     DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
 
+    pdb_free_sam(sampass);
     return r_u->status;
 }
 
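Review bot: this pdb_free_sam(sampass) covers only the final return; the two early returns added earlier free on their own, so any other exit path in the part of the function this diff does not show needs the same call or sampass leaks. A single cleanup point that every exit goes through would make that harder to miss.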

