mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
r13291: NT checks the minimum password age dynamically. That means we have to ignore
the sambapwdmustchange field if we can access the corresponding account
policy and calculate it dynamically based on the pwdlastset field.
Volker
(This used to be commit b02b1d3ef3
)
This commit is contained in:
parent
8b54e0b2a0
commit
206cbff8b7
@ -1010,15 +1010,31 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
|
||||
NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passwd, BOOL as_root)
|
||||
{
|
||||
BOOL ret;
|
||||
uint32 min_len;
|
||||
uint32 min_len, min_age;
|
||||
struct passwd *pass = NULL;
|
||||
const char *username = pdb_get_username(hnd);
|
||||
time_t last_change_time = pdb_get_pass_last_set_time(hnd);
|
||||
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
|
||||
|
||||
if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
|
||||
DEBUG(1, ("user %s cannot change password now, must wait until %s\n",
|
||||
username, http_timestring(can_change_time)));
|
||||
return NT_STATUS_ACCOUNT_RESTRICTION;
|
||||
if (pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age)) {
|
||||
/*
|
||||
* Windows calculates the minimum password age check
|
||||
* dynamically, it basically ignores the pwdcanchange
|
||||
* timestamp. Do likewise.
|
||||
*/
|
||||
if (last_change_time + min_age > time(NULL)) {
|
||||
DEBUG(1, ("user %s cannot change password now, must "
|
||||
"wait until %s\n", username,
|
||||
http_timestring(last_change_time+min_age)));
|
||||
return NT_STATUS_ACCOUNT_RESTRICTION;
|
||||
}
|
||||
} else {
|
||||
if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
|
||||
DEBUG(1, ("user %s cannot change password now, must "
|
||||
"wait until %s\n", username,
|
||||
http_timestring(can_change_time)));
|
||||
return NT_STATUS_ACCOUNT_RESTRICTION;
|
||||
}
|
||||
}
|
||||
|
||||
if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
|
||||
|
Loading…
Reference in New Issue
Block a user