svn commit: samba r13720 - branches/SAMBA_3_0/source/nsswitch
trunk/source/nsswitch
gd at samba.org
gd at samba.org
Mon Feb 27 16:39:57 GMT 2006
Author: gd
Date: 2006-02-27 16:39:56 +0000 (Mon, 27 Feb 2006)
New Revision: 13720
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13720
Log:
Only lock out Administrator after x bad password attempts in offline mode
when we are told to do so by the password_properties.
Guenther
Modified:
branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
trunk/source/nsswitch/winbindd_pam.c
Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-02-27 16:26:19 UTC (rev 13719)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-02-27 16:39:56 UTC (rev 13720)
@@ -298,7 +298,28 @@
return NT_STATUS_OK;
}
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *password_properties)
+{
+ struct winbindd_methods *methods;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ SAM_UNK_INFO_1 password_policy;
+ *password_properties = 0;
+
+ methods = domain->methods;
+
+ status = methods->password_policy(domain, mem_ctx, &password_policy);
+ if (NT_STATUS_IS_ERR(status)) {
+ return status;
+ }
+
+ *password_properties = password_policy.password_properties;
+
+ return NT_STATUS_OK;
+}
+
static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
const char *type,
uid_t uid,
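Review bot: get_pwd_properties() checks the policy call with `NT_STATUS_IS_ERR(status)`, while its caller in the second hunk uses `NT_STATUS_IS_OK()`. As far as I know the former matches only error-severity codes, so a status that is neither OK nor an error would fall through and copy `password_policy.password_properties` from a stack struct that may never have been filled in. I would use `if (!NT_STATUS_IS_OK(status)) {` here and add a short comment above the function stating that `*password_properties` is left at 0 on failure, since the lockout decision depends on that default. The trunk/source/nsswitch/winbindd_pam.c copy of this hunk has the same check.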
@@ -789,22 +810,30 @@
"Won't be able to honour account lockout policies\n"));
}
+ /* increase counter */
+ my_info3->bad_pw_count++;
+
if (max_allowed_bad_attempts == 0) {
- return NT_STATUS_WRONG_PASSWORD;
+ goto failed;
}
- /* increase counter */
- if (my_info3->bad_pw_count < max_allowed_bad_attempts) {
-
- my_info3->bad_pw_count++;
- }
-
/* lockout user */
if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
- my_info3->acct_flags |= ACB_AUTOLOCK;
+ uint32 password_properties;
+
+ result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
+ }
+
+ if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
+ (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
+ my_info3->acct_flags |= ACB_AUTOLOCK;
+ }
}
+failed:
result = winbindd_update_creds_by_info3(domain,
state->mem_ctx,
state->request.data.auth.user,
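Review bot: When get_pwd_properties() fails, the lockout branch only logs at debug level 10 and continues with `password_properties` at 0, so the Administrator RID is silently exempted from offline lockout whenever the policy cannot be read. That fail-open default should be stated in a comment such as `/* policy unavailable: Administrator is not locked out */`, and the failure logged with its status at a level operators will see, e.g. `DEBUG(3,("winbindd_dual_pam_auth_cached: failed to get password properties: %s\n", nt_errstr(result)));`. Separately, `my_info3->bad_pw_count++` now runs unconditionally, including when `max_allowed_bad_attempts` is 0; the counter's type is not visible here, so it is worth confirming that it cannot wrap. The enclosing function starts and ends outside the hunk, and the same points apply to the identical trunk/source/nsswitch/winbindd_pam.c hunk.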
Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c 2006-02-27 16:26:19 UTC (rev 13719)
+++ trunk/source/nsswitch/winbindd_pam.c 2006-02-27 16:39:56 UTC (rev 13720)
@@ -298,7 +298,28 @@
return NT_STATUS_OK;
}
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *password_properties)
+{
+ struct winbindd_methods *methods;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ SAM_UNK_INFO_1 password_policy;
+ *password_properties = 0;
+
+ methods = domain->methods;
+
+ status = methods->password_policy(domain, mem_ctx, &password_policy);
+ if (NT_STATUS_IS_ERR(status)) {
+ return status;
+ }
+
+ *password_properties = password_policy.password_properties;
+
+ return NT_STATUS_OK;
+}
+
static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
const char *type,
uid_t uid,
@@ -789,22 +810,30 @@
"Won't be able to honour account lockout policies\n"));
}
+ /* increase counter */
+ my_info3->bad_pw_count++;
+
if (max_allowed_bad_attempts == 0) {
- return NT_STATUS_WRONG_PASSWORD;
+ goto failed;
}
- /* increase counter */
- if (my_info3->bad_pw_count < max_allowed_bad_attempts) {
-
- my_info3->bad_pw_count++;
- }
-
/* lockout user */
if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
- my_info3->acct_flags |= ACB_AUTOLOCK;
+ uint32 password_properties;
+
+ result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
+ }
+
+ if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
+ (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
+ my_info3->acct_flags |= ACB_AUTOLOCK;
+ }
}
+failed:
result = winbindd_update_creds_by_info3(domain,
state->mem_ctx,
state->request.data.auth.user,