author | Jim McDonough <jmcd@samba.org> | 2006-10-03 17:14:18 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:15:06 -0500 |
commit | 21abbeaee9b7f7cff1d34d048463c30cda44a2e3 (patch) | |
tree | 2cd084533267635433538e03581a0d3f8107adf5 /source/smbd | |
parent | ec526e1b882e3ade23f90c5e3d637c72b6839da5 (diff) | |
r19058: Implement "user cannot change password", and complete "user must change
password at next logon" code. The "password last set time" of zero now
means "user must change password", because that's how Windows seems to
use it. The "can change" and "must change" times are now calculated
based on the "last set" time and policies.
We use the "can change" field now to indicate that a user cannot change
a password by putting MAX_TIME_T in it (so long as "last set" time isn't
zero). Based on this, we set the password-can-change bit in the
faked secdesc.
Diffstat (limited to 'source/smbd')
-rw-r--r-- | source/smbd/chgpasswd.c | 45 |
1 files changed, 19 insertions, 26 deletions
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c index cd847240ddb..0b8dbfb492b 100644 --- a/source/smbd/chgpasswd.c +++ b/source/smbd/chgpasswd.c @@ -689,7 +689,7 @@ BOOL change_lanman_password(struct samu *sampass, uchar *pass2) return False; /* We lose the NT hash. Sorry. */ } - if (!pdb_set_pass_changed_now (sampass)) { + if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) { TALLOC_FREE(sampass); /* Not quite sure what this one qualifies as, but this will do */ return False; 
@@ -1018,41 +1018,34 @@ static BOOL check_passwd_history(struct samu *sampass, const char *plaintext) NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason) { - uint32 min_len, min_age; + uint32 min_len; struct passwd *pass = NULL; const char *username = pdb_get_username(hnd); - time_t last_change_time = pdb_get_pass_last_set_time(hnd); time_t can_change_time = pdb_get_pass_can_change_time(hnd); if (samr_reject_reason) { *samr_reject_reason = Undefined; } - if (pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age)) { - /* - * Windows calculates the minimum password age check - * dynamically, it basically ignores the pwdcanchange - * timestamp. Do likewise. - */ - if (last_change_time + min_age > time(NULL)) { - DEBUG(1, ("user %s cannot change password now, must " - "wait until %s\n", username, - http_timestring(last_change_time+min_age))); - if (samr_reject_reason) { - *samr_reject_reason = REJECT_REASON_OTHER; - } - return NT_STATUS_ACCOUNT_RESTRICTION; + /* check to see if the secdesc has previously been set to disallow */ + if (!pdb_get_pass_can_change(hnd)) { + DEBUG(1, ("user %s does not have permissions to change password\n")); + if (samr_reject_reason) { + *samr_reject_reason = REJECT_REASON_OTHER; } - } else { - if ((can_change_time != 0) && (time(NULL) < can_change_time)) { - DEBUG(1, ("user %s cannot change password now, must " - "wait until %s\n", username, - http_timestring(can_change_time))); - if (samr_reject_reason) { - *samr_reject_reason = REJECT_REASON_OTHER; - } - return NT_STATUS_ACCOUNT_RESTRICTION; + return NT_STATUS_ACCOUNT_RESTRICTION; + } + + /* removed calculation here, becuase passdb now calculates + based on policy. 
jmcd */ + if ((can_change_time != 0) && (time(NULL) < can_change_time)) { + DEBUG(1, ("user %s cannot change password now, must " + "wait until %s\n", username, + http_timestring(can_change_time))); + if (samr_reject_reason) { + *samr_reject_reason = REJECT_REASON_OTHER; } + return NT_STATUS_ACCOUNT_RESTRICTION; } if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) { |
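Review bot: The added `DEBUG(1, ("user %s does not have permissions to change password\n"));` in change_oem_password has a `%s` conversion but passes no argument. Whenever that message is actually formatted, the logger reads a vararg that was never supplied, which is undefined behaviour and may crash smbd or write unrelated memory into the log. The branch is taken on every password change refused by the new can-change check, so it is reachable from ordinary client requests. Pass the name already fetched at the top of the function: `DEBUG(1, ("user %s does not have permissions to change password\n", username));`. The comment added just below misspells "because" as "becuase", and the function body continues past the end of this hunk.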