[PATCH] Password Locked Account Control

Andrew Bartlett abartlet at samba.org
Fri Jul 12 23:09:02 GMT 2002

Patrick McCarty wrote:
> Attached is a patch against HEAD that provides the 'P' option for
> acctFlags.

Can you please verify that this is the correct bit to set?  Remember, MS
defines them - so we should check.  Ethereal should be able to show you.

> I haven't been able to test this yet, so use with care.
> Ideally, this would eventually set the "user cannot change password" bit
> to the client, but as Andrew mentioned, this hasn't been fully implemented,
> and I'm not clear as to where in the code that functionality should even
> be. (I am working on it however.)
> I plan on attempting to implement the pwdCanChange as well, as I believe I
> understand how that could be done.

This patch is incorrect.  The problem is that there are about 5
different ways you can change a password remotely.

Basically, the code needs a general rewrite - at the very least we need
the BOOLs converted to NTSTATUS.

We don't really have a single 'choke point'.  We need to get one, and to
do access control etc there.

change_oem_password() is as close as we get, and that's called *after*
the unix password sync stuff.  Sniff around the functions that call
that, and try to get the scope of the problem.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
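
The choke-point design this message asks for, as an added sketch that is not part of the original message and is not Samba code: every remote entry point forwards to one function that applies the account-flag policy before any side effect (including the unix password sync) and returns a status code instead of a BOOL. All names, the status enum and the flag bit value are hypothetical; the bit is a placeholder, not the Microsoft-defined value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes standing in for NTSTATUS values. */
typedef enum { ST_OK = 0, ST_ACCESS_DENIED, ST_WRONG_PASSWORD } status_t;

/* Placeholder bit for the 'P' acctFlags option; NOT the real MS value. */
#define EX_ACB_PWLOCKED 0x1u

struct account {
    const char *name;
    const char *password;  /* cleartext only to keep the sketch short */
    uint32_t acct_flags;
    int unix_synced;       /* counts calls to the unix sync stand-in */
};

/* Single choke point: policy and credential checks run before any
 * side effect, so a denied request never reaches the unix sync. */
static status_t change_password_checked(struct account *a,
                                        const char *old_pw,
                                        const char *new_pw)
{
    if (a->acct_flags & EX_ACB_PWLOCKED)
        return ST_ACCESS_DENIED;      /* caller can tell why it failed */
    if (strcmp(a->password, old_pw) != 0)
        return ST_WRONG_PASSWORD;
    a->unix_synced++;                 /* stand-in for unix password sync */
    a->password = new_pw;
    return ST_OK;
}

/* Two of the several remote entry points (hypothetical names). Each only
 * unpacks its own request format, then forwards to the choke point. */
status_t entry_rpc_change(struct account *a, const char *o, const char *n)
{
    return change_password_checked(a, o, n);
}

status_t entry_legacy_change(struct account *a, const char *o, const char *n)
{
    return change_password_checked(a, o, n);
}

int main(void)
{
    struct account locked = { "alice", "old", EX_ACB_PWLOCKED, 0 }; /* constructed */
    printf("status=%d synced=%d\n",
           entry_rpc_change(&locked, "old", "new"), locked.unix_synced);
    return 0;
}
```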