[PATCH] Password Locked Account Control
Andrew Bartlett
abartlet at samba.org
Fri Jul 12 23:09:02 GMT 2002
Patrick McCarty wrote:
>
> Attached is a patch against HEAD that provides the 'P' option for
> acctFlags.
Can you please verify that this is the correct bit to set? Rember, MS
defines them - so we should check. Ethereal should be able to show you.
> I havent been able to test this yet, so use with care.
>
> Ideally, this would eventually set the "user cannot change password" bit
> to the client, but as Andrew mentioned, this hasnt been fully implemented,
> and I'm not clear as to where in the code that functionality should even
> be. (I am working on it however.)
>
> I plan on attempting to implement the pwdCanChange as well, as I believe I
> understand how that could be done.
This patch is incorrect. The problem is that there are about 5
different ways you can change a password remotely.
Basiclly, the code needs a general rewrite - at the very lest we need
the BOOLs converted to NTSTATUS.
We don't really have a single 'choke point'. We need to get one, and to
do access control etc there.
change_oem_password() is as close as we get, and thats called *after*
the unix password sync stuff. Sniff around the functions that call
that, and try to get the scope of the problem.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical
mailing list