When trying to update the "User Cannot Change Password" checkbox in User Manager for Domains against a Samba DC, an error is returned:

The following error occurred changing the properties of the user <username>: Incorrect function. OK
This requires removing the SA_RIGHT_USER_CHANGE_PASSWORD right on the user's security descriptor. If we stored the user's security descriptor in the passdb backend, then we would easily be able to remove that particular right. But I need to find out how to integrate that with the ACB_NOCHGPW account flag. This is doable and on my list.
User manager support needs an overhaul and some solid testing. This is on the plate for 3.0.21.
jmcd wants these. So here you go.
reopen
adding my older (and untested) patch to mimic the (broken) TNG way of implementing this feature.
Created attachment 1415: initial patch (inspired by tng)
Will this patch make it into the 3.0.21 final release?
No. It's a little late to add this size of change. But I will go ahead and add it to the SAMBA_3_0 tree.
Jerry, be aware that when using the acb_info Microsoft obviously uses 0x00000800 for its own purpose (seen in the info3 of a PAC). One more argument to implement it with real security descriptors.
Fixed in r19058. We now use the pass-can-change-time field for this. For allowed time/expiration purposes, they're calculated from the last-set-time. The pass-can-change time in the passdb now will have MAX_TIME_T when it is unallowed, and we will return the appropriate (and allow setting from) security descriptor.
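A minimal C model of the scheme described in comment #10, added here as an illustration and not Samba's own code. The struct and function names are hypothetical, MODEL_MAX_TIME_T stands in for MAX_TIME_T, and the 0x40 value for SA_RIGHT_USER_CHANGE_PASSWORD is assumed from Samba's headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Right named in the bug; 0x40 is assumed from Samba's headers. */
#define SA_RIGHT_USER_CHANGE_PASSWORD 0x00000040u
/* Stand-in for MAX_TIME_T, the "never" sentinel (assumed value). */
#define MODEL_MAX_TIME_T INT64_MAX

/* Hypothetical slice of a passdb record; times are Unix seconds. */
struct model_user {
    int64_t pass_last_set_time;
    int64_t pass_can_change_time;
};

/* Reading the descriptor: the right is present unless the sentinel is stored. */
uint32_t self_access_mask(const struct model_user *u, uint32_t base)
{
    if (u->pass_can_change_time == MODEL_MAX_TIME_T)
        return base & ~SA_RIGHT_USER_CHANGE_PASSWORD;
    return base | SA_RIGHT_USER_CHANGE_PASSWORD;
}

/* Writing the descriptor: removing the right stores the sentinel,
 * restoring it clears the sentinel. Other bits are not persisted here. */
void set_self_access_mask(struct model_user *u, uint32_t mask)
{
    if (!(mask & SA_RIGHT_USER_CHANGE_PASSWORD))
        u->pass_can_change_time = MODEL_MAX_TIME_T;
    else if (u->pass_can_change_time == MODEL_MAX_TIME_T)
        u->pass_can_change_time = 0;
}

/* Policy check: the earliest change time is derived from the last-set time
 * plus the minimum password age, rather than read from the stored field. */
int may_change_password(const struct model_user *u, int64_t min_age, int64_t now)
{
    if (u->pass_can_change_time == MODEL_MAX_TIME_T)
        return 0;
    return now >= u->pass_last_set_time + min_age;
}

int main(void)
{
    struct model_user u = { 1000, 0 };          /* constructed sample */
    set_self_access_mask(&u, 0x0001u);          /* checkbox ticked */
    printf("mask=0x%x allowed=%d\n", (unsigned)self_access_mask(&u, 0x0041u),
           may_change_password(&u, 86400, 200000));
    return 0;
}
```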
(In reply to comment #10)
> Fixed in r19058. We now use the pass-can-change-time field for this. For
> allowed time/expiration purposes, they're calculated from the last-set-time.
> The pass-can-change time in the passdb now will have MAX_TIME_T when it is
> unallowed, and we will return the appropriate (and allow setting from) security
> descriptor.
>

Are there any user tools available to change this flag?