svn commit: samba r13720 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

gd at samba.org gd at samba.org
Mon Feb 27 16:39:57 GMT 2006 

Author: gd
Date: 2006-02-27 16:39:56 +0000 (Mon, 27 Feb 2006)
New Revision: 13720

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13720

Log:
Only lockout Administrator after x bad password attempts in offline-mode
when we are told to do so by the password_properties.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-02-27 16:26:19 UTC (rev 13719)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-02-27 16:39:56 UTC (rev 13720)
@@ -298,7 +298,28 @@
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, 
+				   TALLOC_CTX *mem_ctx, 
+				   uint32 *password_properties)
+{
+	struct winbindd_methods *methods;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	SAM_UNK_INFO_1 password_policy;
 
+	*password_properties = 0;
+
+	methods = domain->methods;
+
+	status = methods->password_policy(domain, mem_ctx, &password_policy);
+	if (NT_STATUS_IS_ERR(status)) {
+		return status;
+	}
+
+	*password_properties = password_policy.password_properties;
+
+	return NT_STATUS_OK;
+}
+
 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, 
 					const char *type,
 					uid_t uid,
@@ -789,22 +810,30 @@
 			  "Won't be able to honour account lockout policies\n"));
 	}
 
+	/* increase counter */
+	my_info3->bad_pw_count++;
+
 	if (max_allowed_bad_attempts == 0) {
-		return NT_STATUS_WRONG_PASSWORD;
+		goto failed;
 	}
 
-	/* increase counter */
-	if (my_info3->bad_pw_count < max_allowed_bad_attempts) {
-	
-		my_info3->bad_pw_count++;
-	}
-
 	/* lockout user */
 	if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
 
-		my_info3->acct_flags |= ACB_AUTOLOCK;
+		uint32 password_properties;
+
+		result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
+		}
+
+		if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || 
+		    (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
+			my_info3->acct_flags |= ACB_AUTOLOCK;
+		}
 	}
 
+failed:
 	result = winbindd_update_creds_by_info3(domain,
 						state->mem_ctx,
 						state->request.data.auth.user,

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-02-27 16:26:19 UTC (rev 13719)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-02-27 16:39:56 UTC (rev 13720)
@@ -298,7 +298,28 @@
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, 
+				   TALLOC_CTX *mem_ctx, 
+				   uint32 *password_properties)
+{
+	struct winbindd_methods *methods;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	SAM_UNK_INFO_1 password_policy;
 
+	*password_properties = 0;
+
+	methods = domain->methods;
+
+	status = methods->password_policy(domain, mem_ctx, &password_policy);
+	if (NT_STATUS_IS_ERR(status)) {
+		return status;
+	}
+
+	*password_properties = password_policy.password_properties;
+
+	return NT_STATUS_OK;
+}
+
 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, 
 					const char *type,
 					uid_t uid,
@@ -789,22 +810,30 @@
 			  "Won't be able to honour account lockout policies\n"));
 	}
 
+	/* increase counter */
+	my_info3->bad_pw_count++;
+
 	if (max_allowed_bad_attempts == 0) {
-		return NT_STATUS_WRONG_PASSWORD;
+		goto failed;
 	}
 
-	/* increase counter */
-	if (my_info3->bad_pw_count < max_allowed_bad_attempts) {
-	
-		my_info3->bad_pw_count++;
-	}
-
 	/* lockout user */
 	if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
 
-		my_info3->acct_flags |= ACB_AUTOLOCK;
+		uint32 password_properties;
+
+		result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
+		}
+
+		if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || 
+		    (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
+			my_info3->acct_flags |= ACB_AUTOLOCK;
+		}
 	}
 
+failed:
 	result = winbindd_update_creds_by_info3(domain,
 						state->mem_ctx,
 						state->request.data.auth.user,

More information about the samba-cvs mailing list