Bug 2964 - Unable to set "User Cannot Change Password" via User Manager
Summary: Unable to set "User Cannot Change Password" via User Manager
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.14a
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-08 13:28 UTC by John Janosik
Modified: 2007-10-10 09:04 UTC (History)
2 users (show)

See Also:

Attachments
initial patch (inspired by tng) (12.59 KB, patch)
2005-09-05 08:58 UTC, Guenther Deschner 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Janosik 2005-08-08 13:28:33 UTC 
When trying to update the "User Cannot Change Password" checkbox in user manager
for domains against a Samba DC an error is returned.  

The following error occurred changing the properties of the user <username>:

Incorrect function.

OK
Comment 1 Guenther Deschner 2005-08-09 03:07:23 UTC 
This requires to remove the SA_RIGHT_USER_CHANGE_PASSWORD-right on the user's
security descriptor. If we would store the user's security descriptor in the
passdb-backend then we would easily be able to remove that particular right. But
I need to find out how to integrate that with the ACB_NOCHGPW account flag.

This is doable and on my list.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-08-30 05:36:07 UTC 
user manage support needs an overhaul and some solid testing.  
This is on the plater for 3.0.21
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-09-01 12:38:32 UTC 
jmcd wants these.  So here you go.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-09-01 12:39:02 UTC 
reopen
Comment 5 Guenther Deschner 2005-09-05 08:56:58 UTC 
adding my older (and untested) patch to mimic the (broken) TNG way of
implementing this feature.
Comment 6 Guenther Deschner 2005-09-05 08:58:45 UTC 
Created attachment 1415 [details]
initial patch (inspired by tng)
Comment 7 xpxp2002 2005-12-15 11:16:29 UTC 
Will this patch make it into the 3.0.21 final release?
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-12-15 11:19:50 UTC 
No.  It's a little late to add this size of change.  But I will go ahead 
and add it to the SAMBA_3_0 tree.
Comment 9 Guenther Deschner 2005-12-15 13:15:15 UTC 
Jerry, be aware that when using the acb_info Microsoft obviously uses 0x00000800 for its own purpose (seen in the info3 of a PAC). One more argument to implement it with real security descriptors.
Comment 10 Jim McDonough 2006-10-03 13:03:14 UTC 
Fixed in r19058.  We now use the pass-can-change-time field for this.  For allowed time/expiration purposes, they're calculated from the last-sset-time.  The pass-can-change time in the passdb now will have MAX_TIME_T when it is unallowed, and we will return the appropriate (and allow setting from) security descriptor.
Comment 11 costin gusa 2007-10-10 09:04:29 UTC 
(In reply to comment #10)
> Fixed in r19058.  We now use the pass-can-change-time field for this.  For
> allowed time/expiration purposes, they're calculated from the last-sset-time. 
> The pass-can-change time in the passdb now will have MAX_TIME_T when it is
> unallowed, and we will return the appropriate (and allow setting from) security
> descriptor.
> 

is there any user tools available to change this flag?