diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2013-11-04 21:37:17 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2014-04-02 17:12:46 +0200 |
| commit | a0de9290099a93413048a03740cfb04ca1355c78 (patch) | |
| tree | b509db21f5a72740e2f5e6ef13e1f50c89b55409 /source4/kdc/kpasswdd.c | |
| parent | 6f8fb163e02579d57e731c0c09eafee5627bec62 (diff) | |
| download | samba-a0de9290099a93413048a03740cfb04ca1355c78.tar.gz samba-a0de9290099a93413048a03740cfb04ca1355c78.tar.xz samba-a0de9290099a93413048a03740cfb04ca1355c78.zip | |
dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.
Andrew Bartlett
Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/kdc/kpasswdd.c')
| -rw-r--r-- | source4/kdc/kpasswdd.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index d79427b64f9..e8d46ad963d 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -181,8 +181,13 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, reply); } - status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg, - &oldLmHash, &oldNtHash); + /* + * No need to check for password lockout here, the KDC will + * have done that when issuing the ticket, which is not based + * on the user's password + */ + status = samdb_result_passwords_no_lockout(mem_ctx, kdc->task->lp_ctx, msg, + &oldLmHash, &oldNtHash); if (!NT_STATUS_IS_OK(status)) { return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_ACCESSDENIED, |