s3-samr: disable check for ACB_DISABLED in check_oem_password().
author Günther Deschner <gd@samba.org>
Thu, 7 May 2009 21:54:58 +0000 (23:54 +0200)
committer Günther Deschner <gd@samba.org>
Thu, 7 May 2009 22:43:24 +0000 (00:43 +0200)
It is a bad idea to just tell everyone that an account is disabled without
really having checked the password first.

Found by torture test.

Guenther

source3/smbd/chgpasswd.c

index 5e89b6c80c4306c6d5bb20eb3f82045898f31c2e..dd1864e08b25751d5fbc6d1adf4226149faa8e37 100644 (file)
@@ -860,12 +860,15 @@ static NTSTATUS check_oem_password(const char *user,
        bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
 
        acct_ctrl = pdb_get_acct_ctrl(sampass);
+#if 0
+       /* I am convinced this check here is wrong, it is valid to
+        * change a password of a user that has a disabled account - gd */
 
        if (acct_ctrl & ACB_DISABLED) {
                DEBUG(2,("check_lanman_password: account %s disabled.\n", user));
                return NT_STATUS_ACCOUNT_DISABLED;
        }
-
+#endif
        if ((acct_ctrl & ACB_PWNOTREQ) && lp_null_passwords()) {
                /* construct a null password (in case one is needed */
                no_pw[0] = 0;
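
Review bot: The `#if 0` around the ACB_DISABLED check leaves dead code in check_oem_password(), and the in-code comment gives a different rationale from the commit message. The comment says changing the password of a disabled account is valid, while the commit message objects to reporting the disabled state before the password has been checked. Either delete the block outright, or, if NT_STATUS_ACCOUNT_DISABLED should still be returned to a caller who has proven knowledge of the old password, move the check to after the old-password verification so the status no longer discloses account state to unauthenticated callers. The compiled-out DEBUG line names check_lanman_password rather than check_oem_password, which is worth correcting if the block is kept. The hunk also removes the blank line before the ACB_PWNOTREQ test, so `#endif` now abuts the next statement; a blank line after `#endif` would keep the two checks visually separate.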