X-Git-Url: http://git.samba.org/samba.git/?p=nivanova%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=source3%2Fsmbd%2Fchgpasswd.c;h=fb6e6c0f09125bb9180b3da48c824aee5dc938d6;hp=8146d6d13776bea4dfb82e67200d60d6fae88499;hb=30191d1a5704ad2b158386b511558972d539ce47;hpb=56ba44766854ed7cda265bdaf85913f2a1008282 diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 8146d6d1377..fb6e6c0f091 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ /* These comments regard the code to change the user's unix password: */ @@ -120,7 +119,7 @@ static int findpty(char **slave) } static int dochild(int master, const char *slavedev, const struct passwd *pass, - const char *passwordprogram, BOOL as_root) + const char *passwordprogram, bool as_root) { int slave; struct termios stermios; @@ -234,7 +233,7 @@ static int expect(int master, char *issue, char *expected) { pstring buffer; int attempts, timeout, nread, len; - BOOL match = False; + bool match = False; for (attempts = 0; attempts < 2; attempts++) { if (!strequal(issue, ".")) { 
@@ -332,14 +331,14 @@ static int talktochild(int master, const char *seq) return (count > 0); } -static BOOL chat_with_program(char *passwordprogram, const struct passwd *pass, - char *chatsequence, BOOL as_root) +static bool chat_with_program(char *passwordprogram, const struct passwd *pass, + char *chatsequence, bool as_root) { char *slavedev; int master; pid_t pid, wpid; int wstat; - BOOL chstat = False; + bool chstat = False; if (pass == NULL) { DEBUG(0, ("chat_with_program: user doesn't exist in the UNIX password database.\n")); @@ -447,8 +446,8 @@ while we were waiting\n", WTERMSIG(wstat))); return (chstat); } -BOOL chgpasswd(const char *name, const struct passwd *pass, - const char *oldpass, const char *newpass, BOOL as_root) +bool chgpasswd(const char *name, const struct passwd *pass, + const char *oldpass, const char *newpass, bool as_root) { pstring passwordprogram; pstring chatsequence; @@ -497,7 +496,7 @@ BOOL chgpasswd(const char *name, const struct passwd *pass, #ifdef WITH_PAM if (lp_pam_password_change()) { - BOOL ret; + bool ret; if (as_root) become_root(); @@ -558,8 +557,8 @@ the string %%u, and the given string %s does not.\n", passwordprogram )); #else /* ALLOW_CHANGE_PASSWORD */ -BOOL chgpasswd(const char *name, const struct passwd *pass, - const char *oldpass, const char *newpass, BOOL as_root) +bool chgpasswd(const char *name, const struct passwd *pass, + const char *oldpass, const char *newpass, bool as_root) { DEBUG(0, ("chgpasswd: Unix Password changing not compiled in (user=%s)\n", name)); return (False); @@ -570,7 +569,7 @@ BOOL chgpasswd(const char *name, const struct passwd *pass, Code to check the lanman hashed password. ************************************************************/ -BOOL check_lanman_password(char *user, uchar * pass1, +bool check_lanman_password(char *user, uchar * pass1, uchar * pass2, struct samu **hnd) { uchar unenc_new_pw[16]; 
@@ -578,7 +577,7 @@ BOOL check_lanman_password(char *user, uchar * pass1, struct samu *sampass = NULL; uint32 acct_ctrl; const uint8 *lanman_pw; - BOOL ret; + bool ret; if ( !(sampass = samu_new(NULL)) ) { DEBUG(0, ("samu_new() failed!\n")); @@ -642,11 +641,11 @@ BOOL check_lanman_password(char *user, uchar * pass1, is correct before calling. JRA. ************************************************************/ -BOOL change_lanman_password(struct samu *sampass, uchar *pass2) +bool change_lanman_password(struct samu *sampass, uchar *pass2) { static uchar null_pw[16]; uchar unenc_new_pw[16]; - BOOL ret; + bool ret; uint32 acct_ctrl; const uint8 *pwd; @@ -767,10 +766,10 @@ static NTSTATUS check_oem_password(const char *user, uchar new_lm_hash[16]; uchar verifier[16]; char no_pw[2]; - BOOL ret; + bool ret; - BOOL nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted); - BOOL lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted); + bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted); + bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted); *hnd = NULL; @@ -949,13 +948,13 @@ static NTSTATUS check_oem_password(const char *user, found in the history list. ************************************************************/ -static BOOL check_passwd_history(struct samu *sampass, const char *plaintext) +static bool check_passwd_history(struct samu *sampass, const char *plaintext) { uchar new_nt_p16[NT_HASH_LEN]; uchar zero_md5_nt_pw[SALTED_MD5_HASH_LEN]; const uint8 *nt_pw; const uint8 *pwhistory; - BOOL found = False; + bool found = False; int i; uint32 pwHisLen, curr_pwHisLen; 
@@ -1016,9 +1015,10 @@ static BOOL check_passwd_history(struct samu *sampass, const char *plaintext) is correct before calling. JRA. ************************************************************/ -NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason) +NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, uint32 *samr_reject_reason) { uint32 min_len; + uint32 refuse; struct passwd *pass = NULL; const char *username = pdb_get_username(hnd); time_t can_change_time = pdb_get_pass_can_change_time(hnd); @@ -1036,6 +1036,21 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw return NT_STATUS_ACCOUNT_RESTRICTION; } + /* check to see if it is a Machine account and if the policy + * denies machines to change the password. * + * Should we deny also SRVTRUST and/or DOMSTRUST ? .SSS. */ + if (pdb_get_acct_ctrl(hnd) & ACB_WSTRUST) { + if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) { + DEBUG(1, ("Machine %s cannot change password now, " + "denied by Refuse Machine Password Change policy\n", + username)); + if (samr_reject_reason) { + *samr_reject_reason = REJECT_REASON_OTHER; + } + return NT_STATUS_ACCOUNT_RESTRICTION; + } + } + /* removed calculation here, becuase passdb now calculates based on policy. jmcd */ if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
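Review bot: The new machine-account check in change_oem_password fails open without a trace: when `pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse)` returns false, the `&&` short-circuits and the password change simply proceeds. If that is the intended behaviour, the comment above the check should say so; otherwise test the lookup result separately and log the failure, e.g. `DEBUG(0, ("change_oem_password: cannot read Refuse Machine Password Change policy\n"));`, so an unreadable policy is visible to the administrator. The comment also leaves open whether server and domain trust accounts should be refused; as written only `ACB_WSTRUST` accounts are covered, and that decision is better settled or tracked than left as a question in the code. `refuse` is declared in the previous hunk of this function, whose body starts and continues outside both hunks.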