svn commit: samba r2137 - in branches/SAMBA_3_0/source/rpc_server: .

abartlet at samba.org abartlet at samba.org
Tue Aug 31 19:56:16 GMT 2004


Author: abartlet
Date: 2004-08-31 19:56:16 +0000 (Tue, 31 Aug 2004)
New Revision: 2137

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_3_0/source/rpc_server&rev=2137&nolog=1

Log:
This is a patch I've been running at Hawker for a while.

The purpose of this patch is to avoid changing the machine account
password, when it has 'already been changed'.  This occours in
situations where the secure channel between the workstation and the DC
breaks down, such as occoured in the MS04-11 security patch.  This
avoids LDAP replication load issues, due to the client changing the
password repeatedly.

We also now set the LM password to NULL explicitly, rather than the NT
password value, as this is what we get out of a vampire, or when a
long password is set (as XP seems to do these days).

Andrew Bartlett

Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c	2004-08-31 18:39:31 UTC (rev 2136)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c	2004-08-31 19:56:16 UTC (rev 2137)
@@ -445,6 +445,7 @@
 	unsigned char pwd[16];
 	int i;
 	uint32 acct_ctrl;
+	const uchar *old_pw;
 
 	/* checks and updates credentials.  creates reply credentials */
 	if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->clnt_id.cred, &srv_cred)))
@@ -482,34 +483,43 @@
 		return NT_STATUS_ACCOUNT_DISABLED;
 	}
 
+	cred_hash3( pwd, q_u->pwd, p->dc.sess_key, 0);
+
 	DEBUG(100,("Server password set : new given value was :\n"));
 	for(i = 0; i < 16; i++)
 		DEBUG(100,("%02X ", q_u->pwd[i]));
 	DEBUG(100,("\n"));
 
-	cred_hash3( pwd, q_u->pwd, p->dc.sess_key, 0);
+	old_pw = pdb_get_nt_passwd(sampass);
 
-	/* lies!  nt and lm passwords are _not_ the same: don't care */
-	if (!pdb_set_lanman_passwd (sampass, pwd, PDB_CHANGED)) {
-		pdb_free_sam(&sampass);
-		return NT_STATUS_NO_MEMORY;
-	}
+	if (old_pw && memcmp(pwd, old_pw, 16) == 0) {
+		/* Avoid backend modificiations and other fun if the 
+		   client changed the password to the *same thing* */
 
-	if (!pdb_set_nt_passwd     (sampass, pwd, PDB_CHANGED)) {
-		pdb_free_sam(&sampass);
-		return NT_STATUS_NO_MEMORY;
-	}
+		ret = True;
+	} else {
 
-	if (!pdb_set_pass_changed_now     (sampass)) {
-		pdb_free_sam(&sampass);
-		/* Not quite sure what this one qualifies as, but this will do */
-		return NT_STATUS_UNSUCCESSFUL; 
+		/* LM password should be NULL for machines */
+		if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) {
+			pdb_free_sam(&sampass);
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+		if (!pdb_set_nt_passwd     (sampass, pwd, PDB_CHANGED)) {
+			pdb_free_sam(&sampass);
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+		if (!pdb_set_pass_changed_now     (sampass)) {
+			pdb_free_sam(&sampass);
+			/* Not quite sure what this one qualifies as, but this will do */
+			return NT_STATUS_UNSUCCESSFUL; 
+		}
+		
+		become_root();
+		ret = pdb_update_sam_account (sampass);
+		unbecome_root();
 	}
- 
-	become_root();
-	ret = pdb_update_sam_account (sampass);
-	unbecome_root();
- 
 	if (ret)
 		status = NT_STATUS_OK;
 



More information about the samba-cvs mailing list