[PATCH] Password Locked Account Control

Patrick McCarty mccartyp at apu.edu
Sat Jul 13 10:06:01 GMT 2002 

> Patrick McCarty wrote:
>>
>> Attached is a patch against HEAD that provides the 'P' option for
>> acctFlags.
>
> Can you please verify that this is the correct bit to set?  Rember, MS
> defines them - so we should check.  Ethereal should be able to show you.

I 'borrowed' this bit from the Samba-TNG code, which used it there.

I thought the ACB bits were just a bitmask, and used only internally to
samba. Do they ever get sent to the client?

>> I havent been able to test this yet, so use with care.
>>
>> Ideally, this would eventually set the "user cannot change password"
>> bit to the client, but as Andrew mentioned, this hasnt been fully
>> implemented, and I'm not clear as to where in the code that
>> functionality should even be. (I am working on it however.)
>>
>> I plan on attempting to implement the pwdCanChange as well, as I
>> believe I understand how that could be done.
>
> This patch is incorrect.  The problem is that there are about 5
> different ways you can change a password remotely.

When I was playing with a much simpler patch which in the
_samr_chgpasswd_user function simply returned NT_STATUS_ACCESS_DENIED,
Windows XP at least from the change password dialog box would correctly
report all password changes with a "You dont have access" type error
message.

Perhaps other clients send different RPCs?

I just quickly wrote the modifications to store the P flag per user,
instead of just blanketly denying password changes to everyone.

What other RPC call remotely changes passwords? What did I miss?

> Basiclly, the code needs a general rewrite - at the very lest we need
> the BOOLs converted to NTSTATUS.
>
> We don't really have a single 'choke point'.  We need to get one, and to
> do access control etc there.
>
> change_oem_password() is as close as we get, and thats called *after*
> the unix password sync stuff.  Sniff around the functions that call
> that, and try to get the scope of the problem.

I definately will. I'm still trying to get a feel for how a password
change flows through the code -- But I thought I had it.

--
Patrick McCarty
Video Technician
Azusa Pacific University

Logic is a systematic method of coming to the wrong conclusion with
confidence.

More information about the samba-technical mailing list