[SCM] Samba Shared Repository - branch v3-3-test updated -
release-3-2-0pre2-5190-g962a920
Günther Deschner
gd at samba.org
Fri Apr 3 10:57:39 GMT 2009
The branch, v3-3-test has been updated
via 962a92024dda7db06d07d6e736d79d25c5d8f40a (commit)
via 3420ce3f2a9c75b3e339d2ab439f6c8df326ab47 (commit)
from b737a6202cc18bfab091d5f45a3c30e97828e927 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test
- Log -----------------------------------------------------------------
commit 962a92024dda7db06d07d6e736d79d25c5d8f40a
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 3 12:50:50 2009 +0200
s3-nsswitch: Fix Bug #6238 2nd part. zero blob pointer in wbcLogoffUserParams.
Patch from Rashid N. Achilov <citycat4 at ngs.ru>.
Guenther
(cherry picked from commit 43372b27403f617897bab564c42eead4d64532e4)
commit 3420ce3f2a9c75b3e339d2ab439f6c8df326ab47
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 3 12:06:40 2009 +0200
s3-samr: try to to fix password_expired flag handling.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source/include/proto.h | 6 ++
source/nsswitch/pam_winbind.c | 1 +
source/rpc_server/srv_samr_nt.c | 120 ++++++++++++++++++++++---------------
source/rpc_server/srv_samr_util.c | 87 ++++++++++++++++++++++++++-
4 files changed, 162 insertions(+), 52 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/include/proto.h b/source/include/proto.h
index 794742c..ec8637b 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -8373,6 +8373,8 @@ ssize_t write_to_internal_pipe(struct pipes_struct *p, char *data, size_t n);
/* The following definitions come from rpc_server/srv_samr_util.c */
+void copy_id18_to_sam_passwd(struct samu *to,
+ struct samr_UserInfo18 *from);
void copy_id20_to_sam_passwd(struct samu *to,
struct samr_UserInfo20 *from);
void copy_id21_to_sam_passwd(const char *log_prefix,
@@ -8380,8 +8382,12 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
struct samr_UserInfo21 *from);
void copy_id23_to_sam_passwd(struct samu *to,
struct samr_UserInfo23 *from);
+void copy_id24_to_sam_passwd(struct samu *to,
+ struct samr_UserInfo24 *from);
void copy_id25_to_sam_passwd(struct samu *to,
struct samr_UserInfo25 *from);
+void copy_id26_to_sam_passwd(struct samu *to,
+ struct samr_UserInfo26 *from);
/* The following definitions come from rpc_server/srv_spoolss.c */
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 46e142c..26ef1d4 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -2406,6 +2406,7 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags,
user, "wbcLogoffUser");
wbcFreeMemory(error);
wbcFreeMemory(logoff.blobs);
+ logoff.blobs = NULL;
if (!WBC_ERROR_IS_OK(wbc_status)) {
_pam_log(ctx, LOG_INFO,
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 7a131b3..a946d2e 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -3743,12 +3743,7 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
}
- if (id18->password_expired) {
- pdb_set_pass_last_set_time(pwd, 0, PDB_CHANGED);
- } else {
- /* FIXME */
- pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
- }
+ copy_id18_to_sam_passwd(pwd, id18);
return pdb_update_sam_account(pwd);
}
@@ -3955,23 +3950,16 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
set_user_info_pw
********************************************************************/
-static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
- int level)
+static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
{
uint32 len = 0;
char *plaintext_buf = NULL;
uint32 acct_ctrl;
- time_t last_set_time;
- enum pdb_value_state last_set_state;
DEBUG(5, ("Attempting administrator password change for user %s\n",
pdb_get_username(pwd)));
acct_ctrl = pdb_get_acct_ctrl(pwd);
- /* we need to know if it's expired, because this is an admin change, not a
- user change, so it's still expired when we're done */
- last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
- last_set_time = pdb_get_pass_last_set_time(pwd);
if (!decode_pw_buffer(talloc_tos(),
pass,
@@ -4014,29 +4002,38 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
memset(plaintext_buf, '\0', strlen(plaintext_buf));
- /*
- * A level 25 change does reset the pwdlastset field, a level 24
- * change does not. I know this is probably not the full story, but
- * it is needed to make XP join LDAP correctly, without it the later
- * auth2 check can fail with PWD_MUST_CHANGE.
- */
- if (level != 25) {
- /*
- * restore last set time as this is an admin change, not a
- * user pw change
- */
- pdb_set_pass_last_set_time (pwd, last_set_time,
- last_set_state);
+ DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
+
+ return True;
+}
+
+/*******************************************************************
+ set_user_info_24
+ ********************************************************************/
+
+static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
+ struct samr_UserInfo24 *id24,
+ struct samu *pwd)
+{
+ NTSTATUS status;
+
+ if (id24 == NULL) {
+ DEBUG(5, ("set_user_info_24: NULL id24\n"));
+ return NT_STATUS_INVALID_PARAMETER;
}
- DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
+ if (!set_user_info_pw(id24->password.data, pwd)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
- /* update the SAMBA password */
- if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
- return False;
+ copy_id24_to_sam_passwd(pwd, id24);
+
+ status = pdb_update_sam_account(pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- return True;
+ return NT_STATUS_OK;
}
/*******************************************************************
@@ -4062,6 +4059,14 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCESS_DENIED;
}
+ if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
+
+ if (!set_user_info_pw(id25->password.data, pwd)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
copy_id25_to_sam_passwd(pwd, id25);
/* write the change out */
@@ -4088,6 +4093,36 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
}
/*******************************************************************
+ set_user_info_26
+ ********************************************************************/
+
+static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
+ struct samr_UserInfo26 *id26,
+ struct samu *pwd)
+{
+ NTSTATUS status;
+
+ if (id26 == NULL) {
+ DEBUG(5, ("set_user_info_26: NULL id26\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!set_user_info_pw(id26->password.data, pwd)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ copy_id26_to_sam_passwd(pwd, id26);
+
+ status = pdb_update_sam_account(pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/*******************************************************************
samr_SetUserInfo
********************************************************************/
@@ -4247,10 +4282,8 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
dump_data(100, info->info24.password.data, 516);
- if (!set_user_info_pw(info->info24.password.data, pwd,
- switch_value)) {
- status = NT_STATUS_WRONG_PASSWORD;
- }
+ status = set_user_info_24(p->mem_ctx,
+ &info->info24, pwd);
break;
case 25:
@@ -4265,13 +4298,6 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
status = set_user_info_25(p->mem_ctx,
&info->info25, pwd);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- if (!set_user_info_pw(info->info25.password.data, pwd,
- switch_value)) {
- status = NT_STATUS_WRONG_PASSWORD;
- }
break;
case 26:
@@ -4284,18 +4310,14 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
dump_data(100, info->info26.password.data, 516);
- if (!set_user_info_pw(info->info26.password.data, pwd,
- switch_value)) {
- status = NT_STATUS_WRONG_PASSWORD;
- }
+ status = set_user_info_26(p->mem_ctx,
+ &info->info26, pwd);
break;
default:
status = NT_STATUS_INVALID_INFO_CLASS;
}
- done:
-
TALLOC_FREE(pwd);
if (has_enough_rights) {
diff --git a/source/rpc_server/srv_samr_util.c b/source/rpc_server/srv_samr_util.c
index ef588ae..0681560 100644
--- a/source/rpc_server/srv_samr_util.c
+++ b/source/rpc_server/srv_samr_util.c
@@ -36,6 +36,27 @@
((s1) && (s2) && (strcmp((s1), (s2)) != 0))
/*************************************************************
+ Copies a struct samr_UserInfo18 to a struct samu
+**************************************************************/
+
+void copy_id18_to_sam_passwd(struct samu *to,
+ struct samr_UserInfo18 *from)
+{
+ struct samr_UserInfo21 i;
+
+ if (from == NULL || to == NULL) {
+ return;
+ }
+
+ ZERO_STRUCT(i);
+
+ i.fields_present = SAMR_FIELD_EXPIRED_FLAG;
+ i.password_expired = from->password_expired;
+
+ copy_id21_to_sam_passwd("INFO_18", to, &i);
+}
+
+/*************************************************************
Copies a struct samr_UserInfo20 to a struct samu
**************************************************************/
@@ -336,7 +357,7 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
if (from->fields_present & SAMR_FIELD_EXPIRED_FLAG) {
DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l,
from->password_expired));
- if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) {
+ if (from->password_expired != 0) {
pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
} else {
/* A subtlety here: some windows commands will
@@ -345,9 +366,27 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
in these caess. "net user /dom <user> /active:y"
for example, to clear an autolocked acct.
We must check to see if it's expired first. jmcd */
+
+ uint32_t pwd_max_age = 0;
+ time_t now = time(NULL);
+
+ pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &pwd_max_age);
+
+ if (pwd_max_age == (uint32_t)-1 || pwd_max_age == 0) {
+ pwd_max_age = get_time_t_max();
+ }
+
stored_time = pdb_get_pass_last_set_time(to);
- if (stored_time == 0)
- pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
+
+ /* we will only *set* a pwdlastset date when
+ a) the last pwdlastset time was 0 (user was forced to
+ change password).
+ b) the users password has not expired. gd. */
+
+ if ((stored_time == 0) ||
+ ((now - stored_time) > pwd_max_age)) {
+ pdb_set_pass_last_set_time(to, now, PDB_CHANGED);
+ }
}
}
}
@@ -368,6 +407,27 @@ void copy_id23_to_sam_passwd(struct samu *to,
}
/*************************************************************
+ Copies a struct samr_UserInfo24 to a struct samu
+**************************************************************/
+
+void copy_id24_to_sam_passwd(struct samu *to,
+ struct samr_UserInfo24 *from)
+{
+ struct samr_UserInfo21 i;
+
+ if (from == NULL || to == NULL) {
+ return;
+ }
+
+ ZERO_STRUCT(i);
+
+ i.fields_present = SAMR_FIELD_EXPIRED_FLAG;
+ i.password_expired = from->password_expired;
+
+ copy_id21_to_sam_passwd("INFO_24", to, &i);
+}
+
+/*************************************************************
Copies a struct samr_UserInfo25 to a struct samu
**************************************************************/
@@ -380,3 +440,24 @@ void copy_id25_to_sam_passwd(struct samu *to,
copy_id21_to_sam_passwd("INFO_25", to, &from->info);
}
+
+/*************************************************************
+ Copies a struct samr_UserInfo26 to a struct samu
+**************************************************************/
+
+void copy_id26_to_sam_passwd(struct samu *to,
+ struct samr_UserInfo26 *from)
+{
+ struct samr_UserInfo21 i;
+
+ if (from == NULL || to == NULL) {
+ return;
+ }
+
+ ZERO_STRUCT(i);
+
+ i.fields_present = SAMR_FIELD_EXPIRED_FLAG;
+ i.password_expired = from->password_expired;
+
+ copy_id21_to_sam_passwd("INFO_26", to, &i);
+}
--
Samba Shared Repository
More information about the samba-cvs
mailing list