[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Tue Jun 22 14:44:41 MDT 2010


The branch, master has been updated
       via  eff7d2d... s4:samr RPC server - make use of LDB constants in macros
       via  0e637be... s4:password_hash LDB module - fix another problem regarding the lanman hash
      from  37264e5... Fix bug 7528 - Solaris with NIS autohome.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit eff7d2db312ba7e811ffc8985d6122fc852a39b5
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Jun 21 22:19:21 2010 +0200

    s4:samr RPC server - make use of LDB constants in macros

commit 0e637be43b584aef9f5101d15ae5bdc1172c5502
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Jun 21 19:40:50 2010 +0200

    s4:password_hash LDB module - fix another problem regarding the lanman hash
    
    When a user provides only the lanman hash (and nothing else) and
    lanman authentication is deactivated, we end up with an account that has
    no password attribute at all! Lock this down.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/password_hash.c |   29 +++++++++++++----------
 source4/rpc_server/samr/dcesrv_samr.c          |   14 +++++-----
 2 files changed, 23 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 94eb9cf..0a34645 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
 				return LDB_ERR_UNWILLING_TO_PERFORM;
 			}
 		} else if (io->og.lm_hash) {
-			struct loadparm_context *lp_ctx =
-				(struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
-
-			if (!lp_lanman_auth(lp_ctx)) {
-				ldb_asprintf_errstring(ldb,
-					"check_password_restrictions: "
-					"The password change through the LM hash is deactivated!");
-				return LDB_ERR_UNWILLING_TO_PERFORM;
-			}
-
 			if (!io->o.lm_hash) {
 				ldb_asprintf_errstring(ldb,
 					"check_password_restrictions: "
@@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac,
 { 
 	const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+	struct loadparm_context *lp_ctx =
+		(struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
 	int ret;
 
 	ZERO_STRUCTP(io);
@@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac,
 			"it's not allowed to set the LM hash password directly'");
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
-	if (lm_hash != NULL) {
+
+	if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) {
 		io->n.lm_hash = talloc(io->ac, struct samr_Password);
 		memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length,
 		       sizeof(io->n.lm_hash->hash)));
 	}
-
-	if (old_lm_hash != NULL) {
+	if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) {
 		io->og.lm_hash = talloc(io->ac, struct samr_Password);
 		memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length,
 		       sizeof(io->og.lm_hash->hash)));
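Review bot: Both copies in this hunk write only `MIN(length, sizeof(hash))` bytes into memory from `talloc()`, which is neither checked for NULL nor zeroed. A supplied LM hash value shorter than the field would leave the tail of `io->n.lm_hash->hash` (and `io->og.lm_hash->hash`) as uninitialised heap bytes that are later treated as hash material. The commit adds only the `lp_lanman_auth(lp_ctx)` condition and keeps this behaviour; whether the length is validated earlier in setup_io is not visible here. I would reject a wrong-sized value before allocating, e.g. `if (lm_hash->length != sizeof(io->n.lm_hash->hash)) return LDB_ERR_UNWILLING_TO_PERFORM;`, and fail cleanly on allocation with `if (io->n.lm_hash == NULL) return LDB_ERR_OPERATIONS_ERROR;`, with the same pair for `old_lm_hash`. The second `if` block closes outside the hunk.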
@@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac,
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
 
+	/* refuse the change if someone tries to set/change the password by
+	 * the lanman hash alone and we've deactivated that mechanism. This
+	 * would end in an account without any password! */
+	if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+	    && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+		ldb_asprintf_errstring(ldb,
+			"setup_io: "
+			"The password change/set operations performed using the LAN Manager hash alone are deactivated!");
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
+
 	/* refuse the change if someone wants to compare against a plaintext
 	   or hash at the same time for a "password modify" operation... */
 	if ((io->og.cleartext_utf8 || io->og.cleartext_utf16)
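Review bot: The new guard inspects only the `io->n.*` fields, but with lanman auth off the old LM hash is now dropped too (the `old_lm_hash` branch earlier in setup_io), and the explicit refusal in check_password_restrictions has been removed. A request that offers the old LM hash as its only proof of the current password, together with a new cleartext or NT hash, therefore continues with no old credential recorded. Whether it is then refused or processed without old-password verification depends on code outside these hunks and should be confirmed. Refusing it explicitly next to this check would preserve the earlier behaviour, e.g. `if (!lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) { ... return LDB_ERR_UNWILLING_TO_PERFORM; }`. The error string also says "LAN Manager hash alone", although the condition is equally true when no new credential of any kind was supplied.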
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 60109c2..67098f6 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -70,11 +70,11 @@
 	struct ldb_message_element *set_el;				\
 	if (r->in.info->field.string == NULL) return NT_STATUS_INVALID_PARAMETER; \
         if (r->in.info->field.string[0] == '\0') {			\
-		if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_DELETE, NULL)) { \
+		if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_DELETE, NULL) != LDB_SUCCESS) { \
 			return NT_STATUS_NO_MEMORY;			\
 		}							\
 	}								\
-        if (ldb_msg_add_string(msg, attr, r->in.info->field.string) != 0) { \
+        if (ldb_msg_add_string(msg, attr, r->in.info->field.string) != LDB_SUCCESS) { \
 		return NT_STATUS_NO_MEMORY;				\
 	}								\
         set_el = ldb_msg_find_element(msg, attr);			\
@@ -83,7 +83,7 @@
 
 #define SET_UINT(msg, field, attr) do {					\
 	struct ldb_message_element *set_el;				\
-	if (samdb_msg_add_uint(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+	if (samdb_msg_add_uint(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != LDB_SUCCESS) { \
 		return NT_STATUS_NO_MEMORY;				\
 	}								\
         set_el = ldb_msg_find_element(msg, attr);			\
@@ -92,7 +92,7 @@
 									
 #define SET_INT64(msg, field, attr) do {				\
 	struct ldb_message_element *set_el;				\
-	if (samdb_msg_add_int64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+	if (samdb_msg_add_int64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != LDB_SUCCESS) { \
 		return NT_STATUS_NO_MEMORY;				\
 	}								\
         set_el = ldb_msg_find_element(msg, attr);			\
@@ -101,7 +101,7 @@
 									
 #define SET_UINT64(msg, field, attr) do {				\
 	struct ldb_message_element *set_el;				\
-	if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+	if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != LDB_SUCCESS) { \
 		return NT_STATUS_NO_MEMORY;				\
 	}								\
         set_el = ldb_msg_find_element(msg, attr);			\
@@ -134,7 +134,7 @@
 									
 #define SET_LHOURS(msg, field, attr) do {				\
 	struct ldb_message_element *set_el;				\
-	if (samdb_msg_add_logon_hours(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != 0) { \
+	if (samdb_msg_add_logon_hours(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != LDB_SUCCESS) { \
 		return NT_STATUS_NO_MEMORY;				\
 	}								\
         set_el = ldb_msg_find_element(msg, attr);			\
@@ -144,7 +144,7 @@
 #define SET_PARAMETERS(msg, field, attr) do {				\
 	struct ldb_message_element *set_el;				\
 	if (r->in.info->field.length != 0) {				\
-		if (samdb_msg_add_parameters(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != 0) { \
+		if (samdb_msg_add_parameters(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != LDB_SUCCESS) { \
 			return NT_STATUS_NO_MEMORY;			\
 		}							\
 		set_el = ldb_msg_find_element(msg, attr);		\


-- 
Samba Shared Repository

