Patch for Bad Password Attempt Lockout, samba3.0a22.
Jianliang Lu
j.lu at tiesse.com
Fri Mar 28 12:55:48 GMT 2003
Now the users of "admin users" will not be locked. In attach is the new patch
file.
About lockout duration, I will implement next time. I think that we should
extend another attribute to record the lockout time.
Jianliang Lu
TieSse s.p.a.
Via Jervis, 60. 10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
-------------- next part --------------
--- samba-3.0alpha22/source/auth/auth_sam.c Thu Mar 20 16:31:34 2003
+++ samba-3.0alpha22/source/auth/auth_sam.c.fix Fri Mar 28 12:21:35 2003
@@ -326,6 +326,12 @@
return NT_STATUS_ACCOUNT_DISABLED;
}
+ /* Quit if the account was locked out. */
+ if (acct_ctrl & ACB_AUTOLOCK) {
+ DEBUG(1,("Account for user '%s' was locked out.\n", pdb_get_username(sampass)));
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
@@ -414,6 +420,7 @@
NTSTATUS nt_status;
uint8 user_sess_key[16];
const uint8* lm_hash;
+ uint32 account_policy_lockout, badpwattempt;
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +455,43 @@
nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key);
if (!NT_STATUS_IS_OK(nt_status)) {
+ if ((NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) && !user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0)){
+ badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+ if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED))
+ DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n",
+ user_info->internal_username.str));
+ account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
+ if (badpwattempt >= account_policy_lockout)
+ if (!pdb_set_acct_ctrl (sampass,
+ pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK,
+ PDB_CHANGED)) {
+ DEBUG(1, ("Failed to set 'disabled' flag for user % s. \n",
+ user_info->internal_username.str));
+ }
+
+ become_root();
+ if (!pdb_update_sam_account(sampass)) {
+ DEBUG(1, ("Failed to modify entry for user % s.\n",
+ user_info->internal_username.str));
+ unbecome_root();
+ }
+ }
pdb_free_sam(&sampass);
return nt_status;
}
+ if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+ DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n",
+ user_info->internal_username.str));
+ if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+ DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n"));
+
+ become_root();
+ if(!pdb_update_sam_account(sampass))
+ DEBUG(1, ("Failed to modify entry for user % s.\n",
+ user_info->internal_username.str));
+ unbecome_root();
+
if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {
DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
return nt_status;
More information about the samba-technical
mailing list