[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Tue Dec 11 10:07:43 MST 2012
The branch, v4-0-test has been updated
via 9b4bd43 VERSION: Bump version number up to 4.0.1.
via df33344 VERSION: Bump version number up to 4.0.0.
via a69e731 WHATSNEW: Update changes since rc6.
via 0eb0a5e selftest: skip the samba4.rpc.samr.passwords test in ncacn_np(dc) and s4member environments
via 55cf387 s4:torture:rpc:samr: fix password age calculation in test_ChangePasswordUser3()
via 9fcd01c s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from ChangePasswordUser
via 89e11bb s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
via 59a6739 s4:dsdb/password_hash: do the min password age checks first
via 8fc0b57 s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
via ee4f3ff s4:torture:rpc:samr: add debugging of result of (many) dcerpc_samr_* calls
via 22fcbd5 s4:dsdb/password_hash: Honor password complexity settings.
via a86ee3d WHATSNEW: Fix typo.
via 1819e94 WHATSNEW: Add link to the whitepaper.
via 3c131a8 WHATSNEW: Move AD stuff to the corresponding paragraph.
via f553377 WHATSNEW: Update release notes.
via 5b202f0 WHATSNEW: Update release notes.
from 3ecca2d WHATSNEW: Update changes since rc6.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 9b4bd4322febc429e4daf286000bd9a51cbc34ec
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 18:07:32 2012 +0100
VERSION: Bump version number up to 4.0.1.
And re-enable git snapshots.
Karolin
commit df33344d8eb40221d60c99931690703a11d91bc2
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 18:01:14 2012 +0100
VERSION: Bump version number up to 4.0.0.
And disable git snapshots.
Karolin
commit a69e7314a4ac42910eeed0b30a478d699d27a97a
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 17:56:18 2012 +0100
WHATSNEW: Update changes since rc6.
Karolin
commit 0eb0a5e93cbb62c1039f7f24c19bdb542edca718
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 16:13:39 2012 +0100
selftest: skip the samba4.rpc.samr.passwords test in ncacn_np(dc) and s4member environments
These currently fail in a corner case.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Karolin Seeger <kseeger at samba.org>
The last 9 patches address bug #9414 - 'samba-tool user add' ignores password
complexity settings.
commit 55cf3873b45d626e4abaa8e95cf48b1889d25efe
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 13:34:49 2012 +0100
s4:torture:rpc:samr: fix password age calculation in test_ChangePasswordUser3()
The min_password_age field is the negative of the age.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 9fcd01c08d6e2df82867b93bd3c3f6b86358f016
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 13:21:11 2012 +0100
s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from ChangePasswordUser
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 89e11bb08c5d4fe12d7a0955500c6d9803698a1b
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 13:18:00 2012 +0100
s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
This matches the windows behavior.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 59a67391bf297c7db8966beee88c298235faaa7f
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 13:04:22 2012 +0100
s4:dsdb/password_hash: do the min password age checks first
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 8fc0b5774966590d1175bbe2bc2bcd8384105661
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 10 23:56:47 2012 +0100
s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
This should give the password_hash module a chance to detect if the called
was the cleartext password or not.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit ee4f3ff81309b53411e6d6282e130d69d7cb9c38
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 11:42:11 2012 +0100
s4:torture:rpc:samr: add debugging of result of (many) dcerpc_samr_* calls
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 22fcbd53b6c33cf35c6bba72da6df229ac46915e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 23 11:49:05 2012 +0100
s4:dsdb/password_hash: Honor password complexity settings.
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger at samba.org>
Pair-Programmed-With: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
commit a86ee3da838cd7ebaa268d606e403e3ca0b4c93e
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 15:32:11 2012 +0100
WHATSNEW: Fix typo.
Karolin
commit 1819e94125a03d6de7268017ff6f810753aa07b2
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 14:56:02 2012 +0100
WHATSNEW: Add link to the whitepaper.
Karolin
commit 3c131a8b188df6ae4295fe063f395be78af18c70
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 14:44:31 2012 +0100
WHATSNEW: Move AD stuff to the corresponding paragraph.
Karolin
commit f5533770b2d2f2793be24a7696aea53d415df9ca
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 13:24:26 2012 +0100
WHATSNEW: Update release notes.
Apply changes provided by Andrew Bartlett.
Thanks!
Karolin
commit 5b202f00c88399d051b1f15e0ae79f04ecf58062
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 11 12:04:24 2012 +0100
WHATSNEW: Update release notes.
Karolin
-----------------------------------------------------------------------
Summary of changes:
VERSION | 4 +-
WHATSNEW.txt | 63 ++++-------
selftest/skip | 2 +
source4/dsdb/common/util.c | 18 ++--
source4/dsdb/samdb/ldb_modules/password_hash.c | 29 +++---
source4/rpc_server/samr/samr_password.c | 112 +++++++++++--------
source4/torture/rpc/samr.c | 135 ++++++++++++++++++++++--
7 files changed, 241 insertions(+), 122 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 15a3fcc..dc13d87 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
########################################################
# If a official release has a serious bug #
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=7
+SAMBA_VERSION_RC_RELEASE=
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 3a27fda..520075f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -9,7 +9,7 @@ This is is the first stable release of Samba 4.0.
This release contains the best of all of Samba's
technology parts, both a file server (that you can reasonably expect
to upgrade existing Samba 3.x releases to) and the AD domain
-controller work previously known as 'samba4'.
+controller work previously known as 'Samba4'.
Major enhancements in Samba 4.0.0 include:
@@ -26,6 +26,14 @@ Samba3-like logon services provided over CIFS. We correctly generate
the infamous Kerberos PAC, and include it with the Kerberos tickets we
issue.
+When running an AD DC, you only need to run 'samba' (not smbd/nmbd/winbindd),
+as the required services are co-coordinated by this master binary.
+The tool to administer the Active Directory services is called 'samba-tool'.
+
+A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
+
+ http://wiki.samba.org/index.php/Samba4/HOWTO
+
File Services
=============
@@ -35,7 +43,7 @@ file server from the Samba 3.x series 'smbd' for all file serving by
default.
Samba 4.0 also ships with the 'NTVFS' file server. This file server
-is what was used in all previous releases of Samba 4.0, and is
+is what was used prior to the beta2 release of Samba 4.0, and is
tuned to match the requirements of an AD domain controller. We
continue to support this, not only to provide continuity to
installations that have deployed it as part of an AD DC, but also as a
@@ -43,10 +51,7 @@ running example of the NT-FSA architecture we expect to move smbd to in
the longer term.
For pure file server work, the binaries users would expect from that
-series (nmbd, winbindd, smbpasswd) continue to be available. When
-running an AD DC, you only need to run 'samba' (not
-nmbd/smbd/winbind), as the required services are co-coordinated by this
-master binary.
+series (smbd, nmbd, winbindd, smbpasswd) continue to be available.
DNS
@@ -74,7 +79,7 @@ ntpsigndsocket options.
Python Scripting Interface
==========================
-Finally, a new scripting interface has been added to Samba 4, allowing
+A new scripting interface has been added to Samba 4, allowing
Python programs to interface to Samba's internals, and many tools and
internal workings of the DC code is now implemented in python.
@@ -82,26 +87,6 @@ internal workings of the DC code is now implemented in python.
Known Issues
============
-- 'samba-tool domain classicupgrade' will fail when setting ACLs on
- the GPO folders with NT_STATUS_INVALID_ONWER in the default
- configuration. This happens if, as is typical a 'domain admins'
- group (-512) is mapped in the passdb backend being upgraded. This
- is because the group mapping to a GID only prevents Samba from
- allocating a uid for that group. The uid is needed so the 'domain
- admins' group can own the GPO file objects.
-
- To work around this issue, remove the 'domain admins' group before
- upgrade, as it will be re-created automatically. You will
- of course need to fill in the group membership again. A future release
- will make this automatic, or find some other workaround.
-
-- This release makes the s3fs file server the default, as this is the
- file server combination we will use for the Samba 4.0 release.
-
-- For similar reasons, sites with ACLs stored by the ntvfs file server
- may wish to continue to use that file server implementation, as a
- posix ACL will similarly not be set in this case.
-
- Replication of DNS data from one AD server to another may not work.
The DNS data used by the internal DNS server and bind9_dlz is stored
in an application partition in our directory. The replication of
@@ -136,13 +121,8 @@ Known Issues
experience issues with DRS replication, as we have fixed many issues
here in response to feedback from our production users.
-
-Running Samba 4.0 as an AD DC
-=============================
-
-A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
-
- http://wiki.samba.org/index.php/Samba4/HOWTO
+- Linux inotify will now only be supported on systems where glibc also supports
+ it (for details, please refer to bug #8850).
Upgrading
@@ -169,6 +149,14 @@ you'll have to add '-dns' to the 'server services' option,
as the internal dns server (SAMBA_INTERNAL) is the default now.
+Supported features
+==================
+
+A whitepaper of currently (un-)supported features is available on the wiki:
+
+ https://wiki.samba.org/index.php/Samba_4.0_Whitepaper
+
+
######################################################################
Changes
#######
@@ -239,15 +227,11 @@ smb.conf changes
winbindd socket directory New
-Commit Highlights
-=================
-
-
-
CHANGES SINCE 4.0.0rc6
======================
o Michael Adam <obnox at samba.org>
+ * BUG 9414: Honor password complexity settings.
* BUG 9456: developer-build: Fix panic when acl_xattr fails with access
denied.
* BUG 9457: Fix "map username script" with "security=ads" and Winbind.
@@ -275,6 +259,7 @@ o Tsukasa Hamano <hamano at osstech.co.jp>
o Stefan Metzmacher <metze at samba.org>
+ * BUG 9414: Honor password complexity settings.
* BUG 9470: Fix MMC crashes.
* BUG 9481: Fix ACL on "cn=partitions,cn=configuration".
diff --git a/selftest/skip b/selftest/skip
index 171eee0..f1fc690 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -49,6 +49,8 @@
^samba4.smb2.hold-oplock # Not a test, but a way to block other clients for a test
^samba4.raw.ping.pong # Needs second server to test
^samba4.rpc.samr.accessmask
+^samba4.rpc.samr.passwords.*ncacn_np\(dc\) # currently fails, possibly config issue
+^samba4.rpc.samr.passwords.*s4member # currently fails, possibly config issue
^samba4.raw.scan.eamax
^samba4.smb2.notify
^samba4.smb2.scan
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 632d5bf..4543003 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1978,6 +1978,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_request *req;
struct dsdb_control_password_change_status *pwd_stat = NULL;
int ret;
+ bool hash_values = false;
NTSTATUS status = NT_STATUS_OK;
#define CHECK_RET(x) \
@@ -2013,6 +2014,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
el = ldb_msg_find_element(msg, "unicodePwd");
el->flags = LDB_FLAG_MOD_REPLACE;
}
+ hash_values = true;
} else {
/* the password wasn't specified correctly */
talloc_free(msg);
@@ -2050,13 +2052,15 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
}
- ret = ldb_request_add_control(req,
- DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
- true, NULL);
- if (ret != LDB_SUCCESS) {
- talloc_free(req);
- talloc_free(msg);
- return NT_STATUS_NO_MEMORY;
+ if (hash_values) {
+ ret = ldb_request_add_control(req,
+ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
+ true, NULL);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(req);
+ talloc_free(msg);
+ return NT_STATUS_NO_MEMORY;
+ }
}
ret = ldb_request_add_control(req,
DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 620de75..9bf596c 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1954,6 +1954,19 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
return LDB_SUCCESS;
}
+ /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
+ if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) &&
+ !io->ac->pwd_reset)
+ {
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ ldb_asprintf_errstring(ldb,
+ "%08X: %s - check_password_restrictions: "
+ "password is too young to change!",
+ W_ERROR_V(WERR_PASSWORD_RESTRICTION),
+ ldb_strerror(ret));
+ return ret;
+ }
+
/*
* Fundamental password checks done by the call
* "samdb_check_password".
@@ -2064,17 +2077,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
return ret;
}
- /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
- if (io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "password is too young to change!",
- W_ERROR_V(WERR_PASSWORD_RESTRICTION),
- ldb_strerror(ret));
- return ret;
- }
-
return LDB_SUCCESS;
}
@@ -2188,11 +2190,6 @@ static int setup_io(struct ph_context *ac,
& (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
| UF_SERVER_TRUST_ACCOUNT));
- if ((io->u.userAccountControl & UF_PASSWD_NOTREQD) != 0) {
- /* see [MS-ADTS] 2.2.15 */
- io->u.restrictions = 0;
- }
-
if (ac->userPassword) {
ret = msg_find_old_and_new_pwd_val(orig_msg, "userPassword",
ac->req->operation,
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 8963b04..5caf4b9 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -88,34 +88,22 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
if (lm_pwd) {
D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
- if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
- return NT_STATUS_WRONG_PASSWORD;
- }
}
/* decrypt and check the new nt hash */
D_P16(nt_pwd->hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
- if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
- return NT_STATUS_WRONG_PASSWORD;
- }
/* The NT Cross is not required by Win2k3 R2, but if present
check the nt cross hash */
if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
- return NT_STATUS_WRONG_PASSWORD;
- }
}
/* The LM Cross is not required by Win2k3 R2, but if present
check the lm cross hash */
if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
- return NT_STATUS_WRONG_PASSWORD;
- }
}
/* Start a SAM with user privileges for the password change */
@@ -148,6 +136,37 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
return status;
}
+ /* decrypt and check the new lm hash */
+ if (lm_pwd) {
+ if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
+ if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ /* The NT Cross is not required by Win2k3 R2, but if present
+ check the nt cross hash */
+ if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
+ if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
+ /* The LM Cross is not required by Win2k3 R2, but if present
+ check the lm cross hash */
+ if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
+ if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
/* And this confirms it in a transaction commit */
ret = ldb_transaction_commit(sam_ctx);
if (ret != LDB_SUCCESS) {
@@ -256,9 +275,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
E_deshash(new_pass, new_lm_hash);
E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
- if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
- return NT_STATUS_WRONG_PASSWORD;
- }
/* Connect to a SAMDB with user privileges for the password change */
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
@@ -290,6 +306,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
return status;
}
+ if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
/* And this confirms it in a transaction commit */
ret = ldb_transaction_commit(sam_ctx);
if (ret != LDB_SUCCESS) {
@@ -379,8 +400,33 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
goto failed;
}
- if (r->in.nt_verifier == NULL) {
- status = NT_STATUS_WRONG_PASSWORD;
+ /* Connect to a SAMDB with user privileges for the password change */
+ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ dce_call->conn->auth_state.session_info, 0);
+ if (sam_ctx == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
+ ret = ldb_transaction_start(sam_ctx);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
+ return NT_STATUS_TRANSACTION_ABORTED;
+ }
+
+ /* Performs the password modification. We pass the old hashes read out
+ * from the database since they were already checked against the user-
+ * provided ones. */
+ status = samdb_set_password(sam_ctx, mem_ctx,
+ user_dn, NULL,
+ &new_password,
+ NULL, NULL,
+ lm_pwd, nt_pwd, /* this is a user password change */
+ &reason,
+ &dominfo);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_transaction_cancel(sam_ctx);
goto failed;
}
@@ -389,6 +435,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
@@ -408,42 +455,13 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
E_deshash(new_pass, new_lm_hash);
E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
}
}
- /* Connect to a SAMDB with user privileges for the password change */
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
- if (sam_ctx == NULL) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
-
- ret = ldb_transaction_start(sam_ctx);
- if (ret != LDB_SUCCESS) {
- DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
- return NT_STATUS_TRANSACTION_ABORTED;
- }
-
- /* Performs the password modification. We pass the old hashes read out
- * from the database since they were already checked against the user-
- * provided ones. */
- status = samdb_set_password(sam_ctx, mem_ctx,
- user_dn, NULL,
- &new_password,
- NULL, NULL,
- lm_pwd, nt_pwd, /* this is a user password change */
- &reason,
- &dominfo);
-
- if (!NT_STATUS_IS_OK(status)) {
- ldb_transaction_cancel(sam_ctx);
- goto failed;
- }
-
/* And this confirms it in a transaction commit */
ret = ldb_transaction_commit(sam_ctx);
if (ret != LDB_SUCCESS) {
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 7f50ce9..f17f0d7 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -665,6 +665,9 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
"SetUserInfo failed");
+ torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+ __location__, __FUNCTION__,
+ newpass, nt_errstr(s.out.result));
if (!NT_STATUS_IS_OK(s.out.result)) {
torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
s.in.level, nt_errstr(s.out.result));
@@ -724,6 +727,9 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
"SetUserInfo failed");
+ torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+ __location__, __FUNCTION__,
+ newpass, nt_errstr(s.out.result));
if (!NT_STATUS_IS_OK(s.out.result)) {
torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
s.in.level, nt_errstr(s.out.result));
@@ -749,6 +755,9 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
"SetUserInfo failed");
+ torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+ __location__, __FUNCTION__,
+ newpass, nt_errstr(s.out.result));
if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
s.in.level, nt_errstr(s.out.result));
@@ -818,6 +827,9 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
"SetUserInfo failed");
+ torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+ __location__, __FUNCTION__,
--
Samba Shared Repository
More information about the samba-cvs
mailing list