Changeset 862 for trunk/server/source3/rpc_server/samr

Timestamp:

May 13, 2014, 11:39:04 AM (11 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update trunk to 3.6.23

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source3/rpc_server/samr/srv_samr_chgpasswd.c (modified) (4 diffs)
• source3/rpc_server/samr/srv_samr_nt.c (modified) (2 diffs)

trunk/server/source3/rpc_server/samr/srv_samr_chgpasswd.c

@@ -74 +74 @@
 
 #if defined(HAVE_GRANTPT)
+#if defined(HAVE_POSIX_OPENPT)
+        master = posix_openpt(O_RDWR|O_NOCTTY);
+#else
         /* Try to open /dev/ptmx. If that fails, fall through to old method. */
-        if ((master = sys_open("/dev/ptmx", O_RDWR, 0)) >= 0) {
+        master = sys_open("/dev/ptmx", O_RDWR, 0);
+#endif
+        if (master >= 0) {
                 grantpt(master);
                 unlockpt(master);
@@ -1102 +1107 @@
         NTSTATUS nt_status;
         bool ret = false;
+        bool updated_badpw = false;
+        NTSTATUS update_login_attempts_status;
 
         if (!(sampass = samu_new(NULL))) {
@@ -1115 +1122 @@
                 TALLOC_FREE(sampass);
                 return NT_STATUS_NO_SUCH_USER;
+        }
+
+        /* Quit if the account was locked out. */
+        if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
+                DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", user));
+                TALLOC_FREE(sampass);
+                return NT_STATUS_ACCOUNT_LOCKED_OUT;
         }
 
@@ -1125 +1139 @@
                                        &new_passwd);
 
+        /*
+         * Notify passdb backend of login success/failure. If not
+         * NT_STATUS_OK the backend doesn't like the login
+         */
+        update_login_attempts_status = pdb_update_login_attempts(sampass,
+                                                NT_STATUS_IS_OK(nt_status));
+
+        if (!NT_STATUS_IS_OK(nt_status)) {
+                bool increment_bad_pw_count = false;
+
+                if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) &&
+                    (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
+                    NT_STATUS_IS_OK(update_login_attempts_status))
+                {
+                        increment_bad_pw_count = true;
+                }
+
+                if (increment_bad_pw_count) {
+                        pdb_increment_bad_password_count(sampass);
+                        updated_badpw = true;
+                } else {
+                        pdb_update_bad_password_count(sampass,
+                                                      &updated_badpw);
+                }
+        } else {
+
+                if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
+                    (pdb_get_bad_password_count(sampass) > 0)){
+                        pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+                        pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+                        updated_badpw = true;
+                }
+        }
+
+        if (updated_badpw) {
+                NTSTATUS update_status;
+                become_root();
+                update_status = pdb_update_sam_account(sampass);
+                unbecome_root();
+
+                if (!NT_STATUS_IS_OK(update_status)) {
+                        DEBUG(1, ("Failed to modify entry: %s\n",
+                                  nt_errstr(update_status)));
+                }
+        }
+
         if (!NT_STATUS_IS_OK(nt_status)) {
                 TALLOC_FREE(sampass);

trunk/server/source3/rpc_server/samr/srv_samr_nt.c

@@ -1707 +1707 @@
 
 /****************************************************************
- _samr_ChangePasswordUser
+ _samr_ChangePasswordUser.
+
+ So old it is just not worth implementing
+ because it does not supply a plaintext and so we can't do password
+ complexity checking and cannot update other services that use a
+ plaintext password via passwd chat/pam password change/ldap password
+ sync.
 ****************************************************************/
 
@@ -1713 +1719 @@
                                   struct samr_ChangePasswordUser *r)
 {
-        NTSTATUS status;
-        bool ret = false;
-        struct samr_user_info *uinfo;
-        struct samu *pwd;
-        struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
-        struct samr_Password lm_pwd, nt_pwd;
-
-        uinfo = policy_handle_find(p, r->in.user_handle,
-                                   SAMR_USER_ACCESS_SET_PASSWORD, NULL,
-                                   struct samr_user_info, &status);
-        if (!NT_STATUS_IS_OK(status)) {
-                return status;
-        }
-
-        DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
-                  sid_string_dbg(&uinfo->sid)));
-
-        if (!(pwd = samu_new(NULL))) {
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        become_root();
-        ret = pdb_getsampwsid(pwd, &uinfo->sid);
-        unbecome_root();
-
-        if (!ret) {
-                TALLOC_FREE(pwd);
-                return NT_STATUS_WRONG_PASSWORD;
-        }
-
-        {
-                const uint8_t *lm_pass, *nt_pass;
-
-                lm_pass = pdb_get_lanman_passwd(pwd);
-                nt_pass = pdb_get_nt_passwd(pwd);
-
-                if (!lm_pass || !nt_pass) {
-                        status = NT_STATUS_WRONG_PASSWORD;
-                        goto out;
-                }
-
-                memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
-                memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
-        }
-
-        /* basic sanity checking on parameters.  Do this before any database ops */
-        if (!r->in.lm_present || !r->in.nt_present ||
-            !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
-            !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
-                /* we should really handle a change with lm not
-                   present */
-                status = NT_STATUS_INVALID_PARAMETER_MIX;
-                goto out;
-        }
-
-        /* decrypt and check the new lm hash */
-        D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
-        D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
-        if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
-                status = NT_STATUS_WRONG_PASSWORD;
-                goto out;
-        }
-
-        /* decrypt and check the new nt hash */
-        D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
-        D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
-        if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
-                status = NT_STATUS_WRONG_PASSWORD;
-                goto out;
-        }
-
-        /* The NT Cross is not required by Win2k3 R2, but if present
-           check the nt cross hash */
-        if (r->in.cross1_present && r->in.nt_cross) {
-                D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
-                if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
-                        status = NT_STATUS_WRONG_PASSWORD;
-                        goto out;
-                }
-        }
-
-        /* The LM Cross is not required by Win2k3 R2, but if present
-           check the lm cross hash */
-        if (r->in.cross2_present && r->in.lm_cross) {
-                D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
-                if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
-                        status = NT_STATUS_WRONG_PASSWORD;
-                        goto out;
-                }
-        }
-
-        if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
-            !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
-                status = NT_STATUS_ACCESS_DENIED;
-                goto out;
-        }
-
-        status = pdb_update_sam_account(pwd);
- out:
-        TALLOC_FREE(pwd);
-
-        return status;
+        return NT_STATUS_NOT_IMPLEMENTED;
 }