svn commit: samba r12741 - in trunk/source/nsswitch: .
gd at samba.org
gd at samba.org
Fri Jan 6 14:16:00 GMT 2006
Author: gd
Date: 2006-01-06 14:15:59 +0000 (Fri, 06 Jan 2006)
New Revision: 12741
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12741
Log:
Fix order of checks in winbindd_dual_pam_auth_cached().
According to Jeremy we must never leak account property information
before having successfully checked the user's password.
Guenther
Modified:
trunk/source/nsswitch/winbindd_pam.c
Changeset:
Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c 2006-01-06 13:41:56 UTC (rev 12740)
+++ trunk/source/nsswitch/winbindd_pam.c 2006-01-06 14:15:59 UTC (rev 12741)
@@ -714,46 +714,6 @@
*info3 = my_info3;
- my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
-
- if (my_info3->acct_flags & ACB_AUTOLOCK) {
- return NT_STATUS_ACCOUNT_LOCKED_OUT;
- }
-
- if (my_info3->acct_flags & ACB_DISABLED) {
- return NT_STATUS_ACCOUNT_DISABLED;
- }
-
- if (my_info3->acct_flags & ACB_WSTRUST) {
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
- }
-
- if (my_info3->acct_flags & ACB_SVRTRUST) {
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
- }
-
- if (my_info3->acct_flags & ACB_DOMTRUST) {
- return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
- }
-
- if (!(my_info3->acct_flags & ACB_NORMAL)) {
- DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", my_info3->acct_flags));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
- if (kickoff_time != 0 && time(NULL) > kickoff_time) {
- return NT_STATUS_ACCOUNT_EXPIRED;
- }
-
- must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
- if (must_change_time != 0 && must_change_time < time(NULL)) {
- return NT_STATUS_PASSWORD_EXPIRED;
- }
-
- /* FIXME: we possibly should handle logon hours as well (does xp when
- * offline?) see auth/auth_sam.c:sam_account_ok for details */
-
E_md4hash(state->request.data.auth.pass, new_nt_pass);
dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN);
@@ -764,6 +724,47 @@
/* User *DOES* know the password, update logon_time and reset
* bad_pw_count */
+ my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
+
+ if (my_info3->acct_flags & ACB_AUTOLOCK) {
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
+ if (my_info3->acct_flags & ACB_DISABLED) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+
+ if (my_info3->acct_flags & ACB_WSTRUST) {
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
+
+ if (my_info3->acct_flags & ACB_SVRTRUST) {
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
+
+ if (my_info3->acct_flags & ACB_DOMTRUST) {
+ return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ }
+
+ if (!(my_info3->acct_flags & ACB_NORMAL)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
+ my_info3->acct_flags));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
+ if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+ return NT_STATUS_ACCOUNT_EXPIRED;
+ }
+
+ must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
+ if (must_change_time != 0 && must_change_time < time(NULL)) {
+ return NT_STATUS_PASSWORD_EXPIRED;
+ }
+
+ /* FIXME: we possibly should handle logon hours as well (does xp when
+ * offline?) see auth/auth_sam.c:sam_account_ok for details */
+
unix_to_nt_time(&my_info3->logon_time, time(NULL));
my_info3->bad_pw_count = 0;
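Review bot: The moved checks now sit between the comment `/* User *DOES* know the password, update logon_time and reset bad_pw_count */` and the `unix_to_nt_time()` / `bad_pw_count = 0` lines it describes, so the comment reads as if it covered the account-flag checks. I would add a comment above `my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;` along the lines of `/* Password verified: only from here on may account state (locked, disabled, expired) be reported to the caller */` and move the existing comment down to just above `unix_to_nt_time(...)`. Separately, `*info3 = my_info3;` in the first hunk is still assigned before the password comparison, so on a wrong password the out-parameter presumably still points at the cached account data. Either callers must ignore `*info3` on any non-OK status, or the assignment could move below these checks. The function starts and ends outside both hunks, so the failure path and the callers are not visible here.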