[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1767-g4dcc058

Mon May 25 03:50:37 GMT 2009

The branch, master has been updated
       via  4dcc058ea1d98e40f59f2726c4dd37a98401b258 (commit)
       via  2bf1e8b5e104520a49583be0822f5b8542f5ef1a (commit)
      from  5302db632660de44129d7cf48073bf52c9b27eca (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4dcc058ea1d98e40f59f2726c4dd37a98401b258
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon May 25 13:40:52 2009 +1000

    fixed the client side password change code
    
    The client side code was not falling back to older routines correctly
    as it didn't check for the operation range error appropriately. It
    also used the old rpc semantics.

commit 2bf1e8b5e104520a49583be0822f5b8542f5ef1a
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon May 25 13:39:56 2009 +1000

    cope with lanman auth being disabled in old password change code
    
    When lanman auth is disabled and a user calls a password change
    method that requires it we should give NT_STATUS_NOT_SUPPORTED

-----------------------------------------------------------------------

Summary of changes:
 source4/libnet/libnet_passwd.c          |   86 +++++++++----------------------
 source4/rpc_server/samr/samr_password.c |   23 +++++---
 2 files changed, 40 insertions(+), 69 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index c2db219..2c96916 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -99,30 +99,19 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
 
 	/* 2. try samr_ChangePasswordUser3 */
 	status = dcerpc_samr_ChangePasswordUser3(c.out.dcerpc_pipe, mem_ctx, &pw3);
-	if (!NT_STATUS_IS_OK(status)) {
-		r->samr.out.error_string = talloc_asprintf(mem_ctx,
-						"samr_ChangePasswordUser3 failed: %s",
-						nt_errstr(status));
-		goto ChangePasswordUser2;
-	}
-
-	/* check result of samr_ChangePasswordUser3 */
-	if (!NT_STATUS_IS_OK(pw3.out.result)) {
-		r->samr.out.error_string = talloc_asprintf(mem_ctx,
-						"samr_ChangePasswordUser3 for '%s\\%s' failed: %s",
-						r->samr.in.domain_name, r->samr.in.account_name, 
-						nt_errstr(pw3.out.result));
-						/* TODO: give the reason of the reject */
-		if (NT_STATUS_EQUAL(pw3.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
-			status = pw3.out.result;
-			goto disconnect;
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+		if (!NT_STATUS_IS_OK(status)) {
+			r->samr.out.error_string = talloc_asprintf(mem_ctx,
+								   "samr_ChangePasswordUser3 failed: %s",
+								   nt_errstr(status));
+			r->samr.out.error_string = talloc_asprintf(mem_ctx,
+								   "samr_ChangePasswordUser3 for '%s\\%s' failed: %s",
+								   r->samr.in.domain_name, r->samr.in.account_name, 
+								   nt_errstr(status));
 		}
-		goto ChangePasswordUser2;
-	}
-
-	goto disconnect;
+		goto disconnect;
+	} 
 
-ChangePasswordUser2:
 	/* prepare samr_ChangePasswordUser2 */
 	encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII|STR_TERMINATE);
 	arcfour_crypt(lm_pass.data, old_lm_hash, 516);
@@ -142,29 +131,17 @@ ChangePasswordUser2:
 
 	/* 3. try samr_ChangePasswordUser2 */
 	status = dcerpc_samr_ChangePasswordUser2(c.out.dcerpc_pipe, mem_ctx, &pw2);
-	if (!NT_STATUS_IS_OK(status)) {
-		r->samr.out.error_string = talloc_asprintf(mem_ctx,
-						"samr_ChangePasswordUser2 failed: %s",
-						nt_errstr(status));
-		goto OemChangePasswordUser2;
-	}
-
-	/* check result of samr_ChangePasswordUser2 */
-	if (!NT_STATUS_IS_OK(pw2.out.result)) {
-		r->samr.out.error_string = talloc_asprintf(mem_ctx,
-						"samr_ChangePasswordUser2 for '%s\\%s' failed: %s",
-						r->samr.in.domain_name, r->samr.in.account_name, 
-						nt_errstr(pw2.out.result));
-		if (NT_STATUS_EQUAL(pw2.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
-			status = pw2.out.result;
-			goto disconnect;
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+		if (!NT_STATUS_IS_OK(status)) {
+			r->samr.out.error_string = talloc_asprintf(mem_ctx,
+								   "samr_ChangePasswordUser2 for '%s\\%s' failed: %s",
+								   r->samr.in.domain_name, r->samr.in.account_name, 
+								   nt_errstr(status));
 		}
-		goto OemChangePasswordUser2;
+		goto disconnect;
 	}
 
-	goto disconnect;
 
-OemChangePasswordUser2:
 	/* prepare samr_OemChangePasswordUser2 */
 	a_server.string = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(c.out.dcerpc_pipe));
 	a_account.string = r->samr.in.account_name;
@@ -180,29 +157,16 @@ OemChangePasswordUser2:
 
 	/* 4. try samr_OemChangePasswordUser2 */
 	status = dcerpc_samr_OemChangePasswordUser2(c.out.dcerpc_pipe, mem_ctx, &oe2);
-	if (!NT_STATUS_IS_OK(status)) {
-		r->samr.out.error_string = talloc_asprintf(mem_ctx,
-						"samr_OemChangePasswordUser2 failed: %s",
-						nt_errstr(status));
-		goto ChangePasswordUser;
-	}
-
-	/* check result of samr_OemChangePasswordUser2 */
-	if (!NT_STATUS_IS_OK(oe2.out.result)) {
-		r->samr.out.error_string = talloc_asprintf(mem_ctx,
-						"samr_OemChangePasswordUser2 for '%s\\%s' failed: %s",
-						r->samr.in.domain_name, r->samr.in.account_name, 
-						nt_errstr(oe2.out.result));
-		if (NT_STATUS_EQUAL(oe2.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
-			status = oe2.out.result;
-			goto disconnect;
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+		if (!NT_STATUS_IS_OK(oe2.out.result)) {
+			r->samr.out.error_string = talloc_asprintf(mem_ctx,
+								   "samr_OemChangePasswordUser2 for '%s\\%s' failed: %s",
+								   r->samr.in.domain_name, r->samr.in.account_name, 
+								   nt_errstr(status));
 		}
-		goto ChangePasswordUser;
+		goto disconnect;
 	}
 
-	goto disconnect;
-
-ChangePasswordUser:
 #if 0
 	/* prepare samr_ChangePasswordUser */
 	E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash);
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index f334eeb..ec83cbf 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -88,17 +88,19 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 
 	status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
 					msg, &lm_pwd, &nt_pwd);
-	if (!NT_STATUS_IS_OK(status) || !lm_pwd || !nt_pwd) {
+	if (!NT_STATUS_IS_OK(status) || !nt_pwd) {
 		ldb_transaction_cancel(sam_ctx);
 		return NT_STATUS_WRONG_PASSWORD;
 	}
 
 	/* decrypt and check the new lm hash */
-	D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
-	D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
-	if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_WRONG_PASSWORD;
+	if (lm_pwd) {
+		D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
+		D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
+		if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
+			ldb_transaction_cancel(sam_ctx);
+			return NT_STATUS_WRONG_PASSWORD;
+		}
 	}
 
 	/* decrypt and check the new nt hash */
@@ -111,7 +113,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 	
 	/* The NT Cross is not required by Win2k3 R2, but if present
 	   check the nt cross hash */
-	if (r->in.cross1_present && r->in.nt_cross) {
+	if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
 		D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
 		if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
 			ldb_transaction_cancel(sam_ctx);
@@ -121,7 +123,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 
 	/* The LM Cross is not required by Win2k3 R2, but if present
 	   check the lm cross hash */
-	if (r->in.cross2_present && r->in.lm_cross) {
+	if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
 		D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
 		if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
 			ldb_transaction_cancel(sam_ctx);
@@ -206,6 +208,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	/* this call can only work with lanman auth */
+	if (!lp_lanman_auth(dce_call->conn->dce_ctx->lp_ctx)) {
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
 	/* To change a password we need to open as system */
 	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {


-- 
Samba Shared Repository
