[PATCH] Password Locked Account Control

Andrew Bartlett abartlet at samba.org
Sat Jul 13 17:50:02 GMT 2002


Patrick McCarty wrote:
> 
> > Basically, the code needs a general rewrite - at the very least we need
> > the BOOLs converted to NTSTATUS.
> 
> These are the three functions that call change_oem_password:
> 
> pass_oem_change in smbd/chgpassword.c
> api_SetUserPassword in smbd/lanman.c

api_SamOEMChangePassword is smbd/lanman.c

> update_smbpassword_file in smbd/password.c

Hmm, firstly:  You need to work in HEAD here, no further development
will occur in 2.2 and you will just confuse me - I have already changed
this stuff around a fair bit.

You also probably missed the 'change_lanman_password' at the bottom of
api_SetUserPassword.  It doesn't get the plaintext, but does change the
LM hash (but not the NT hash).

> They are currently BOOLs. If I change them to be NTSTATUS with
> and add similar code to that of the patch I recently mailed to the list,
> and add a check for acctFlags somewhere in the Unix Password Sync
> code, we are looking okay?

Starting to.  We need one of two things:

a 'user password change' function, that takes the old password, new
password, a flags field and returns an NTSTATUS.  The flags should
indicate if the old password is actually there, and if the new password
is plaintext or an LM hash.

It should probably do some of the things that are done in
pdb_set_plaintext_password(), but I'm not quite sure.

It should certainly enforce a 'minimum password length' parameter, and
possibly check with cracklib (if so configured)

or a 'user password change authorization' function - but getting this all
in one place would be good.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
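
An added sketch of the single entry point proposed in the message above (not code from the thread or from Samba): one function that takes the old password, the new password and a flags field, checks account state and a minimum length, and returns a status code instead of a BOOL. Every name here (`user_password_change`, the `PWCHG_*` and `ACCT_*` bits, `struct account`, the `ST_*` codes) is hypothetical, and the in-memory `secret` field stands in for the real password database.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical status codes, named after the NTSTATUS values they mirror. */
typedef enum { ST_OK, ST_WRONG_PASSWORD, ST_ACCOUNT_LOCKED_OUT,
               ST_ACCOUNT_DISABLED, ST_PASSWORD_RESTRICTION,
               ST_INVALID_PARAMETER } pw_status;
#define PWCHG_HAVE_OLD      0x1u /* old password supplied, must verify */
#define PWCHG_NEW_IS_LMHASH 0x2u /* new value is an LM hash, not plaintext */
#define ACCT_DISABLED 0x1u       /* stand-ins for acctFlags bits */
#define ACCT_LOCKED   0x2u

struct account { unsigned acct_flags; int secret_is_lmhash; char secret[64]; };

/* Compare without stopping at the first mismatching byte. */
static int secrets_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

pw_status user_password_change(struct account *acct, const char *old_pw,
                               const char *new_pw, unsigned flags, size_t min_len)
{
    if (!acct || !new_pw || ((flags & PWCHG_HAVE_OLD) && !old_pw))
        return ST_INVALID_PARAMETER;
    if (acct->acct_flags & ACCT_LOCKED)   /* lockout stops guessing here too */
        return ST_ACCOUNT_LOCKED_OUT;
    if ((flags & PWCHG_HAVE_OLD) && !secrets_equal(acct->secret, old_pw))
        return ST_WRONG_PASSWORD;
    if (acct->acct_flags & ACCT_DISABLED) /* reported only after verification */
        return ST_ACCOUNT_DISABLED;
    /* Length policy applies to plaintext only; a hash has a fixed size. */
    if (!(flags & PWCHG_NEW_IS_LMHASH) && strlen(new_pw) < min_len)
        return ST_PASSWORD_RESTRICTION;
    if (strlen(new_pw) >= sizeof(acct->secret))
        return ST_PASSWORD_RESTRICTION;
    strcpy(acct->secret, new_pw);         /* stand-in for the passdb update */
    acct->secret_is_lmhash = (flags & PWCHG_NEW_IS_LMHASH) != 0;
    return ST_OK;
}

int main(void)
{
    struct account a = { ACCT_LOCKED, 0, "constructed-old" }; /* constructed */
    printf("%d\n", user_password_change(&a, "constructed-old", "new-secret-1", PWCHG_HAVE_OLD, 8));
    return 0;
}
```

Because every caller goes through one function, a locked or disabled account is refused on each password-change path, and the caller can tell a policy failure from a wrong old password.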



