[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Tue Nov 10 05:09:54 MST 2009


The branch, master has been updated
       via  bbff693... s3-samr: implement _samr_ValidatePassword().
       via  46784b4... s3-chgpasswd: split out a check_password_complexity() function.
       via  9599d14... s4-smbtorture: strip trailing whitespace in RPC-SAMR.
      from  e8d2fe3... README.Coding: Fix typos.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bbff69384eb6ff3169e330e2ba29b8f756c04c9a
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 9 18:18:44 2009 +0100

    s3-samr: implement _samr_ValidatePassword().
    
    Guenther

commit 46784b4d99c00d98811c1e6be43bda78eae77fe6
Author: Günther Deschner <gd at samba.org>
Date:   Tue Nov 10 12:48:52 2009 +0100

    s3-chgpasswd: split out a check_password_complexity() function.
    
    Guenther

commit 9599d142c0edd750e254c82ca96e75a8e1d200d5
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 9 17:40:28 2009 +0100

    s4-smbtorture: strip trailing whitespace in RPC-SAMR.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h          |    3 +
 source3/rpc_server/srv_samr_nt.c |  128 +++++++++++++++++++++++++++++++++++---
 source3/smbd/chgpasswd.c         |   64 ++++++++++++-------
 source4/torture/rpc/samr.c       |    4 +-
 4 files changed, 165 insertions(+), 34 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index e46fe3c..6955593 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user,
 			 uchar password_encrypted_with_nt_hash[516],
 			 const uchar old_nt_hash_encrypted[16],
 			 enum samPwdChangeReason *reject_reason);
+NTSTATUS check_password_complexity(const char *username,
+				   const char *password,
+				   enum samPwdChangeReason *samr_reject_reason);
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
 
 /* The following definitions come from smbd/close.c  */
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 9af141b..3ba24e8 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -6678,6 +6678,124 @@ NTSTATUS _samr_RidToSid(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
+static enum samr_ValidationStatus samr_ValidatePassword_Change(TALLOC_CTX *mem_ctx,
+							       const struct samr_PwInfo *dom_pw_info,
+							       const struct samr_ValidatePasswordReq2 *req,
+							       struct samr_ValidatePasswordRepCtr *rep)
+{
+	NTSTATUS status;
+
+	if (req->password.string) {
+		if (strlen(req->password.string) < dom_pw_info->min_password_length) {
+			ZERO_STRUCT(rep->info);
+			return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+		}
+		if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
+			status = check_password_complexity(req->account.string,
+							   req->password.string,
+							   NULL);
+			if (!NT_STATUS_IS_OK(status)) {
+				ZERO_STRUCT(rep->info);
+				return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+			}
+		}
+	}
+
+	return SAMR_VALIDATION_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+static enum samr_ValidationStatus samr_ValidatePassword_Reset(TALLOC_CTX *mem_ctx,
+							      const struct samr_PwInfo *dom_pw_info,
+							      const struct samr_ValidatePasswordReq3 *req,
+							      struct samr_ValidatePasswordRepCtr *rep)
+{
+	NTSTATUS status;
+
+	if (req->password.string) {
+		if (strlen(req->password.string) < dom_pw_info->min_password_length) {
+			ZERO_STRUCT(rep->info);
+			return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+		}
+		if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
+			status = check_password_complexity(req->account.string,
+							   req->password.string,
+							   NULL);
+			if (!NT_STATUS_IS_OK(status)) {
+				ZERO_STRUCT(rep->info);
+				return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+			}
+		}
+	}
+
+	return SAMR_VALIDATION_STATUS_SUCCESS;
+}
+
+/****************************************************************
+ _samr_ValidatePassword
+****************************************************************/
+
+NTSTATUS _samr_ValidatePassword(pipes_struct *p,
+				struct samr_ValidatePassword *r)
+{
+	union samr_ValidatePasswordRep *rep;
+	NTSTATUS status;
+	struct samr_GetDomPwInfo pw;
+	struct samr_PwInfo dom_pw_info;
+
+	if (r->in.level < 1 || r->in.level > 3) {
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	pw.in.domain_name = NULL;
+	pw.out.info = &dom_pw_info;
+
+	status = _samr_GetDomPwInfo(p, &pw);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	rep = talloc_zero(p->mem_ctx, union samr_ValidatePasswordRep);
+	if (!rep) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	switch (r->in.level) {
+	case 1:
+		status = NT_STATUS_NOT_SUPPORTED;
+		break;
+	case 2:
+		rep->ctr2.status = samr_ValidatePassword_Change(p->mem_ctx,
+								&dom_pw_info,
+								&r->in.req->req2,
+								&rep->ctr2);
+		break;
+	case 3:
+		rep->ctr3.status = samr_ValidatePassword_Reset(p->mem_ctx,
+							       &dom_pw_info,
+							       &r->in.req->req3,
+							       &rep->ctr3);
+		break;
+	default:
+		status = NT_STATUS_INVALID_INFO_CLASS;
+		break;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(rep);
+		return status;
+	}
+
+	*r->out.rep = rep;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
 NTSTATUS _samr_Shutdown(pipes_struct *p,
 			struct samr_Shutdown *r)
 {
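Review bot: In samr_ValidatePassword_Change() and samr_ValidatePassword_Reset(), `req->account.string` comes straight from the RPC request and is passed to check_password_complexity(), which (per the chgpasswd.c hunk in this push) substitutes it for `%u` in the configured check-password-script command line before running it. The previous caller, change_oem_password(), passed a name obtained from pdb_get_username(), so this is the first path where a client-chosen and possibly NULL string reaches that substitution. Whatever filtering talloc_string_sub() and smbrunsecret() apply is not visible here and should be confirmed as sufficient for a command line. I would resolve the account against passdb, or reject a NULL or unknown name, before the complexity call, and add a comment above both helpers stating that the account name is untrusted input. No access check is visible in _samr_ValidatePassword() either, so it is worth confirming which callers can trigger the script through this operation.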
@@ -6762,13 +6880,3 @@ NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
 	p->rng_fault_state = true;
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS _samr_ValidatePassword(pipes_struct *p,
-				struct samr_ValidatePassword *r)
-{
-	p->rng_fault_state = true;
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index e206906..2da36b2 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1075,6 +1075,43 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
 }
 
 /***********************************************************
+************************************************************/
+
+NTSTATUS check_password_complexity(const char *username,
+				   const char *password,
+				   enum samPwdChangeReason *samr_reject_reason)
+{
+	TALLOC_CTX *tosctx = talloc_tos();
+
+	/* Use external script to check password complexity */
+	if (lp_check_password_script() && *(lp_check_password_script())) {
+		int check_ret;
+		char *cmd;
+
+		cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
+		if (!cmd) {
+			return NT_STATUS_PASSWORD_RESTRICTION;
+		}
+
+		check_ret = smbrunsecret(cmd, password);
+		DEBUG(5,("check_password_complexity: check password script (%s) returned [%d]\n",
+			cmd, check_ret));
+		TALLOC_FREE(cmd);
+
+		if (check_ret != 0) {
+			DEBUG(1,("check_password_complexity: "
+				"check password script said new password is not good enough!\n"));
+			if (samr_reject_reason) {
+				*samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
+			}
+			return NT_STATUS_PASSWORD_RESTRICTION;
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
+/***********************************************************
  Code to change the oem password. Changes both the lanman
  and NT hashes.  Old_passwd is almost always NULL.
  NOTE this function is designed to be called as root. Check the old password
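Review bot: On the `if (!cmd)` path check_password_complexity() returns NT_STATUS_PASSWORD_RESTRICTION without writing `*samr_reject_reason`, so a failed substitution looks to the caller like a policy rejection with no reason attached. If a NULL return from talloc_string_sub() only signals allocation failure (its implementation is not shown here), `return NT_STATUS_NO_MEMORY;` would be the more accurate status. The banner comment above the function is empty, and the function is now exported through proto.h. The comment should say that `username` is substituted for `%u` in the configured script command, that the candidate password is handed to smbrunsecret(), and that NT_STATUS_OK is returned when no script is configured.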
@@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
 	struct passwd *pass = NULL;
 	const char *username = pdb_get_username(hnd);
 	time_t can_change_time = pdb_get_pass_can_change_time(hnd);
+	NTSTATUS status;
 
 	if (samr_reject_reason) {
 		*samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
@@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* Use external script to check password complexity */
-	if (lp_check_password_script() && *(lp_check_password_script())) {
-		int check_ret;
-		char *cmd;
-
-		cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
-        	if (!cmd) {
-                	return NT_STATUS_PASSWORD_RESTRICTION;
-        	}
-
-		check_ret = smbrunsecret(cmd, new_passwd);
-		DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
-		TALLOC_FREE(cmd);
-
-		if (check_ret != 0) {
-			DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
-			if (samr_reject_reason) {
-				*samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
-			}
-			TALLOC_FREE(pass);
-			return NT_STATUS_PASSWORD_RESTRICTION;
-		}
+	status = check_password_complexity(username, new_passwd, samr_reject_reason);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(pass);
+		return status;
 	}
 
 	/*
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 3f59637..5340d2c 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -6771,7 +6771,7 @@ static bool test_samr_ValidatePassword(struct dcerpc_pipe *p, struct torture_con
 	r.in.level = NetValidatePasswordReset;
 	r.in.req = &req;
 	r.out.rep = &repp;
-	
+
 	ZERO_STRUCT(req);
 	req.req3.account.string = "non-existant-account-aklsdji";
 
@@ -6784,7 +6784,7 @@ static bool test_samr_ValidatePassword(struct dcerpc_pipe *p, struct torture_con
 				req.req3.password.string, repp->ctr3.status);
 	}
 
-	return true;	
+	return true;
 }
 
 bool torture_rpc_samr(struct torture_context *torture)


-- 
Samba Shared Repository

