Bug 4666 - Refuse machine password change is not obeyed
Summary: Refuse machine password change is not obeyed
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.6
Hardware: Other Linux
: P3 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-28 00:25 UTC by Dmitry Melekhov
Modified: 2019-07-10 06:19 UTC (History)
4 users (show)

See Also:

Attachments
Patch to obey Refus eMachine Change Password Policy (1.26 KB, patch)
2007-06-09 13:52 UTC, Simo Sorce 		no flags Details
Work in progress for ADDC in master (21.60 KB, patch)
2019-07-10 06:17 UTC, Stefan Metzmacher 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dmitry Melekhov 2007-05-28 00:25:44 UTC 
If I set this windows domain members still can change passwords, I see this comparing smbpasswd with yesterday copy.
Comment 1 Guenther Deschner 2007-05-29 04:59:28 UTC 
Just to get you correct: You want that domain members don't change their MACHINE account password (not the USER account passwords), as that is what the "refuse machine password change" policy is for. Correct?
Comment 2 Dmitry Melekhov 2007-05-29 05:03:42 UTC 
Yes, this is correct.
I want PDC to reject password changes from machines.
Comment 3 Simo Sorce 2007-06-09 13:52:19 UTC 
Created attachment 2744 [details]
Patch to obey Refus eMachine Change Password Policy

Can you test this patch and see if it fixes your problem?
Comment 4 Dmitry Melekhov 2007-06-13 23:49:17 UTC 
unfortunately, machines still can change passwords :-(
Comment 5 Dmitry Melekhov 2007-06-21 22:43:14 UTC 
more interesting is that I added debug output to this patched function and I see that it is never called for changing machine password...
Comment 6 Dmitry Melekhov 2007-08-29 22:26:23 UTC 
Hello!

Looks like I found right place for patch

--- samba-3.0.22.orig/source/rpc_server/srv_netlog_nt.c
+++ samba-3.0.22/source/rpc_server/srv_netlog_nt.c
@@ -463,6 +463,7 @@
        uint32 acct_ctrl;
        DOM_CRED cred_out;
        const uchar *old_pw;
+       uint32 refuse;

        if (!p->dc || !p->dc->authenticated) {
                return NT_STATUS_INVALID_HANDLE;
@@ -507,6 +508,14 @@
                return NT_STATUS_ACCOUNT_DISABLED;
        }

+       if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+                               DEBUG(1, ("Machine %s cannot change password now, "
+                                         "denied by Refuse Machine Password Change policy\n",
+                                         workstation));
+               pdb_free_sam(&sampass);
+               return NT_STATUS_ACCOUNT_RESTRICTION;
+       }
+
        /* Woah - what does this to to the credential chain ? JRA */
        cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0);

Hope it will be included in next release :-)
Comment 7 Gerald (Jerry) Carter (dead mail address) 2007-08-30 07:21:56 UTC 
Please don't mark a bug as fixed until the change is made in 
the upstream code base.  Also, in the future please attach patches
and not include them inline.  Thanks.
Comment 8 Dmitry Melekhov 2007-09-10 06:27:38 UTC 
Looks like NT_STATUS_ACCOUNT_RESTRICTION is wrong status code.
According to http://support.microsoft.com/kb/154501 
"future attempts to change the password are prevented (by returning a distinct status code)."
but machines try to change password again and again...
Comment 9 Dmitry Melekhov 2007-09-21 01:39:57 UTC 
NT_STATUS_WRONG_PASSWORD is the best I found.
It  doesn't work as should, but machines tries to change password only at boot, i.e. once per day,not every 20 minutes :-)
Comment 10 Stefan Metzmacher 2010-02-21 06:49:49 UTC 
Shouldn't we fix that in 3.6.x?
Comment 11 SATOH Fumiyasu 2019-07-10 06:00:12 UTC 
I want this option for Samba AD DC, not NT DC.
Comment 12 Stefan Metzmacher 2019-07-10 06:17:44 UTC 
Created attachment 15297 [details]
Work in progress for ADDC in master