Beau Kuiper: provided patch so that passwords could only be changed by

root if the ACB_PWLOCK bit is set (on a per-user basis).  he also added
an extra smbpasswd option so that this bit can be modified from
command-line.

diff --git a/source/include/smb.h b/source/include/smb.h
index 1c1a16b5b46b3afca5904533008e9e4257e74da6..65746d219ca186f27023ff1f8b40e2bd6f63cd08 100644 (file)
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -372,6 +372,7 @@ typedef struct nttime_info
 #define ACB_SVRTRUST   0x0100  /* 1 = Server trust account */
 #define ACB_PWNOEXP    0x0200  /* 1 = User password does not expire */
 #define ACB_AUTOLOCK   0x0400  /* 1 = Account auto locked */
+#define ACB_PWLOCK     0x0800  /* 1 = Password is locked and connot be changed remotely */
  
 #define MAX_HOURS_LEN 32
 

diff --git a/source/lib/util_pwdb.c b/source/lib/util_pwdb.c
index 495193e5713734416554d5cd2713a7d66be5c7ab..a678e4b0635e873143179cfdfb077e2196aa8e37 100644 (file)
--- a/source/lib/util_pwdb.c
+++ b/source/lib/util_pwdb.c
@@ -225,6 +225,7 @@ char *pwdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
        if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
        if (acct_ctrl & ACB_PWNOEXP  ) acct_str[i++] = 'X';
        if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
+       if (acct_ctrl & ACB_PWLOCK   ) acct_str[i++] = 'P';
 
        for ( ; i < length - 2 ; i++ )
        {
@@ -273,6 +274,7 @@ uint16 pwdb_decode_acct_ctrl(const char *p)
                        case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } 
                        case 'X': { acct_ctrl |= ACB_PWNOEXP  ; break; /* No 'X'piry on password */ } 
                        case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
+                       case 'P': { acct_ctrl |= ACB_PWLOCK   ; break; /* 'P'assword cannot be changed remotely */ } 
                        case ' ': { break; }
                        case ':':
                        case '\n':

diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c
index 167fce6e8cb56002420adfde5dd034f24f4192f2..852d6aa6185a1ffc5d6970112fad9d57afb96cb5 100644 (file)
--- a/source/smbd/chgpasswd.c
+++ b/source/smbd/chgpasswd.c
@@ -571,6 +571,14 @@ BOOL pass_oem_change(char *user,
                                       &sampw, 
                                       new_passwd, sizeof(new_passwd));
 
+       /* now we check to see if we are actually allowed to change the
+          password. */
+          
+       if (ret && (sampw->acct_ctrl & ACB_PWLOCK))
+       {
+               ret = False;
+       }
+       
        /* 
         * At this point we have the new case-sensitive plaintext
         * password in the fstring new_passwd. If we wanted to synchronise

diff --git a/source/utils/smbpasswd.c b/source/utils/smbpasswd.c
index 83b9b0bdc9c3aae4aa6adf376fc7b84ddabff42c..e1c66668201b8b145492be91fa5a581c870146a8 100644 (file)
--- a/source/utils/smbpasswd.c
+++ b/source/utils/smbpasswd.c
@@ -70,7 +70,10 @@ static void usage(void)
                printf("  -n                   set no password\n");
                printf("  -m                   workstation trust account\n");
                printf("  -i                   inter-domain trust account\n");
+               printf("  -p                   user cannot change password\n");
+               printf("  -x                   user can change password\n");
        }
+       
        exit(1);
 }
 
@@ -286,13 +289,15 @@ static int process_root(int argc, char *argv[])
        BOOL enable_user = False;
        BOOL set_no_password = False;
        BOOL stdin_passwd_get = False;
+       BOOL lock_password = False;
+       BOOL unlock_password = False;
        char *user_name = NULL;
        char *new_domain = NULL;
        char *new_passwd = NULL;
        char *old_passwd = NULL;
        char *remote_machine = NULL;
 
-       while ((ch = getopt(argc, argv, "adehimnj:r:sR:D:U:")) != EOF)
+       while ((ch = getopt(argc, argv, "adehimnpxj:r:sR:D:U:")) != EOF)
        {
                switch(ch)
                {
@@ -362,6 +367,16 @@ static int process_root(int argc, char *argv[])
                                user_name = optarg;
                                break;
                        }
+                       case 'p':
+                       {
+                               lock_password = True;
+                               break;
+                       }
+                       case 'x':
+                       {
+                               unlock_password = True;
+                               break;
+                       }
                        default:
                        {
                                usage();
@@ -497,6 +512,18 @@ static int process_root(int argc, char *argv[])
                acb_info |= ACB_PWNOTREQ;
        }
 
+       if (lock_password)
+       {
+               acb_mask |= ACB_PWLOCK;
+               acb_info |= ACB_PWLOCK;
+       }
+
+       if (unlock_password)
+       {
+               acb_mask |= ACB_PWLOCK;
+               acb_info &= ~ACB_PWLOCK;
+       }
+       
        if (wks_trust_account)
        {
                acb_mask |= ACB_WSTRUST;
@@ -552,7 +579,7 @@ static int process_nonroot(int argc, char *argv[])
        char *remote_machine = NULL;
        char *user_name = NULL;
        char *new_passwd = NULL;
-
+       
        while ((ch = getopt(argc, argv, "hD:r:sU:")) != EOF)
        {
                switch(ch)
@@ -607,7 +634,6 @@ static int process_nonroot(int argc, char *argv[])
                remote_machine = "127.0.0.1";
        }
 
-
        if (remote_machine != NULL) {
                old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
        }