Bug 2964 - Unable to set "User Cannot Change Password" via User Manager
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.14a
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Reported: 2005-08-08 13:28 UTC by John Janosik
Modified: 2007-10-10 09:04 UTC

Attachments
initial patch (inspired by tng) (12.59 KB, patch)
2005-09-05 08:58 UTC, Guenther Deschner

Description John Janosik 2005-08-08 13:28:33 UTC
When trying to update the "User Cannot Change Password" checkbox in user manager
for domains against a Samba DC an error is returned.  

The following error occurred changing the properties of the user <username>:

Incorrect function.

OK
Comment 1 Guenther Deschner 2005-08-09 03:07:23 UTC
This requires removing the SA_RIGHT_USER_CHANGE_PASSWORD right on the user's
security descriptor. If we stored the user's security descriptor in the
passdb-backend then we would easily be able to remove that particular right. But
I need to find out how to integrate that with the ACB_NOCHGPW account flag.

This is doable and on my list.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-08-30 05:36:07 UTC
User Manager support needs an overhaul and some solid testing.
This is on the plate for 3.0.21.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-09-01 12:38:32 UTC
jmcd wants these.  So here you go.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-09-01 12:39:02 UTC
reopen
Comment 5 Guenther Deschner 2005-09-05 08:56:58 UTC
adding my older (and untested) patch to mimic the (broken) TNG way of
implementing this feature.
Comment 6 Guenther Deschner 2005-09-05 08:58:45 UTC
Created attachment 1415
initial patch (inspired by tng)
Comment 7 xpxp2002 2005-12-15 11:16:29 UTC
Will this patch make it into the 3.0.21 final release?
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-12-15 11:19:50 UTC
No.  It's a little late to add this size of change.  But I will go ahead 
and add it to the SAMBA_3_0 tree.
Comment 9 Guenther Deschner 2005-12-15 13:15:15 UTC
Jerry, be aware that when using the acb_info Microsoft obviously uses 0x00000800 for its own purpose (seen in the info3 of a PAC). One more argument to implement it with real security descriptors.
Comment 10 Jim McDonough 2006-10-03 13:03:14 UTC
Fixed in r19058.  We now use the pass-can-change-time field for this.  For allowed time/expiration purposes, they're calculated from the last-set-time.  The pass-can-change time in the passdb now will have MAX_TIME_T when it is unallowed, and we will return the appropriate (and allow setting from) security descriptor.
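
Added example (not part of the bug thread and not Samba's code): a minimal C model of the scheme comment 10 describes, where a sentinel in the pass-can-change-time field drives whether the change-password right appears in the user's ACE, and a descriptor written back by the client sets or clears the sentinel. The struct, the function names and the `MAX_TIME_T` value are hypothetical stand-ins; 0x40 is the MS-SAMR USER_CHANGE_PASSWORD access bit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Stand-in values for this sketch, not copied from Samba's headers. */
#define MAX_TIME_T ((time_t)0x7fffffff)           /* "never" sentinel */
#define SA_RIGHT_USER_CHANGE_PASSWORD 0x00000040u /* MS-SAMR USER_CHANGE_PASSWORD */

struct acct {                     /* hypothetical passdb record */
    time_t pass_last_set_time;
    time_t pass_can_change_time;  /* MAX_TIME_T: user may never change it */
};

static bool pw_change_blocked(const struct acct *a)
{
    return a->pass_can_change_time == MAX_TIME_T;
}

/* Allowed accounts: derived from last-set time plus minimum age (seconds). */
static time_t effective_can_change(const struct acct *a, time_t min_age)
{
    if (pw_change_blocked(a))
        return MAX_TIME_T;
    if (a->pass_last_set_time > MAX_TIME_T - 1 - min_age)
        return MAX_TIME_T - 1;    /* clamp: never collide with the sentinel */
    return a->pass_last_set_time + min_age;
}

/* Mask returned in the user's ACE: right present only when not blocked. */
static uint32_t self_ace_mask(const struct acct *a, uint32_t base)
{
    return pw_change_blocked(a) ? (base & ~SA_RIGHT_USER_CHANGE_PASSWORD)
                                : (base | SA_RIGHT_USER_CHANGE_PASSWORD);
}

/* Setting from a client-supplied mask: a missing right stores the sentinel. */
static void apply_ace_mask(struct acct *a, uint32_t mask)
{
    if (!(mask & SA_RIGHT_USER_CHANGE_PASSWORD))
        a->pass_can_change_time = MAX_TIME_T;
    else if (pw_change_blocked(a))
        a->pass_can_change_time = 0;  /* back to "derive from last-set time" */
}

/* Server-side check before honouring a password change at time `now`. */
static bool may_change_now(const struct acct *a, time_t min_age, time_t now)
{
    return !pw_change_blocked(a) && now >= effective_can_change(a, min_age);
}

int main(void)
{
    struct acct a = { 1000, 0 };  /* constructed sample account */
    apply_ace_mask(&a, 0);        /* client ticks "User Cannot Change Password" */
    printf("blocked=%d mask=0x%x\n", pw_change_blocked(&a), (unsigned)self_ace_mask(&a, 0x44u));
    return 0;
}
```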
Comment 11 costin gusa 2007-10-10 09:04:29 UTC
(In reply to comment #10)
> Fixed in r19058.  We now use the pass-can-change-time field for this.  For
> allowed time/expiration purposes, they're calculated from the last-set-time. 
> The pass-can-change time in the passdb now will have MAX_TIME_T when it is
> unallowed, and we will return the appropriate (and allow setting from) security
> descriptor.
> 

Are there any user tools available to change this flag?