svn commit: samba r12741 - in trunk/source/nsswitch: .

gd at samba.org gd at samba.org
Fri Jan 6 14:16:00 GMT 2006


Author: gd
Date: 2006-01-06 14:15:59 +0000 (Fri, 06 Jan 2006)
New Revision: 12741

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12741

Log:
Fix order of checks in winbindd_dual_pam_auth_cached().

According to Jeremy we may never leak account property information
before having successfully checked the user's password.

Guenther

Modified:
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-01-06 13:41:56 UTC (rev 12740)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-01-06 14:15:59 UTC (rev 12741)
@@ -714,46 +714,6 @@
 
 	*info3 = my_info3;
 
-	my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
-
-	if (my_info3->acct_flags & ACB_AUTOLOCK) {
-		return NT_STATUS_ACCOUNT_LOCKED_OUT;
-	}
-
-	if (my_info3->acct_flags & ACB_DISABLED) {
-		return NT_STATUS_ACCOUNT_DISABLED;
-	}
-
-	if (my_info3->acct_flags & ACB_WSTRUST) {
-		return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
-	}
-
-	if (my_info3->acct_flags & ACB_SVRTRUST) {
-		return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
-	}
-
-	if (my_info3->acct_flags & ACB_DOMTRUST) {
-		return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
-	}
-
-	if (!(my_info3->acct_flags & ACB_NORMAL)) {
-		DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", my_info3->acct_flags));
-		return NT_STATUS_LOGON_FAILURE;
-	}
-
-	kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
-	if (kickoff_time != 0 && time(NULL) > kickoff_time) {
-		return NT_STATUS_ACCOUNT_EXPIRED;
-	}
-
-	must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
-	if (must_change_time != 0 && must_change_time < time(NULL)) {
-		return NT_STATUS_PASSWORD_EXPIRED;
-	}
-
-	/* FIXME: we possibly should handle logon hours as well (does xp when
-	 * offline?) see auth/auth_sam.c:sam_account_ok for details */
-
 	E_md4hash(state->request.data.auth.pass, new_nt_pass);
 
 	dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN);
@@ -764,6 +724,47 @@
 		/* User *DOES* know the password, update logon_time and reset
 		 * bad_pw_count */
 	
+		my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
+	
+		if (my_info3->acct_flags & ACB_AUTOLOCK) {
+			return NT_STATUS_ACCOUNT_LOCKED_OUT;
+		}
+	
+		if (my_info3->acct_flags & ACB_DISABLED) {
+			return NT_STATUS_ACCOUNT_DISABLED;
+		}
+	
+		if (my_info3->acct_flags & ACB_WSTRUST) {
+			return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+		}
+	
+		if (my_info3->acct_flags & ACB_SVRTRUST) {
+			return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+		}
+	
+		if (my_info3->acct_flags & ACB_DOMTRUST) {
+			return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+		}
+	
+		if (!(my_info3->acct_flags & ACB_NORMAL)) {
+			DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", 
+				my_info3->acct_flags));
+			return NT_STATUS_LOGON_FAILURE;
+		}
+	
+		kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
+		if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+			return NT_STATUS_ACCOUNT_EXPIRED;
+		}
+
+		must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
+		if (must_change_time != 0 && must_change_time < time(NULL)) {
+			return NT_STATUS_PASSWORD_EXPIRED;
+		}
+	
+		/* FIXME: we possibly should handle logon hours as well (does xp when
+		 * offline?) see auth/auth_sam.c:sam_account_ok for details */
+
 		unix_to_nt_time(&my_info3->logon_time, time(NULL));
 		my_info3->bad_pw_count = 0;
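Review bot: With the `ACB_AUTOLOCK` test now at the top of the "User *DOES* know the password" branch, a locked-out account answers `NT_STATUS_ACCOUNT_LOCKED_OUT` only for a correct password, while a wrong one takes the failure branch (not visible in this hunk, presumably returning a different status). The status code therefore still tells right from wrong guesses on an account that is meant to be locked, so lockout stops limiting password guessing against the cached credentials. Lockout is the one check that arguably has to answer identically for any password: either keep `if (my_info3->acct_flags & ACB_AUTOLOCK) { return NT_STATUS_ACCOUNT_LOCKED_OUT; }` ahead of the hash comparison or repeat it in the failure branch. Since that discloses the lock state before authentication, record the chosen trade-off in a comment next to the check. The branch comment ("update logon_time and reset bad_pw_count") should also say that the account-state checks run first and can return before either update; the function body starts and ends outside this hunk.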
 


