Patch for Bad Password Attempt Lockout, samba3.0a22.

Jianliang Lu j.lu at tiesse.com
Fri Mar 28 12:55:48 GMT 2003


Users listed in "admin users" will now not be locked out. The new patch file is
attached.
I will implement the lockout duration next time. I think that we should
add another attribute to record the lockout time.

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
-------------- next part --------------
--- samba-3.0alpha22/source/auth/auth_sam.c	Thu Mar 20 16:31:34 2003
+++ samba-3.0alpha22/source/auth/auth_sam.c.fix	Fri Mar 28 12:21:35 2003
@@ -326,6 +326,12 @@
 		return NT_STATUS_ACCOUNT_DISABLED;
 	}
 
+	/* Quit if the account was locked out. */
+	if (acct_ctrl & ACB_AUTOLOCK) {
+		DEBUG(1,("Account for user '%s' was locked out.\n", pdb_get_username(sampass)));
+		return NT_STATUS_ACCOUNT_LOCKED_OUT;
+	}
+
 	/* Test account expire time */
 	
 	kickoff_time = pdb_get_kickoff_time(sampass);
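Review bot: The early return of `NT_STATUS_ACCOUNT_LOCKED_OUT` tells the client that the account exists and is locked, and the hunk does not show whether the supplied password has been verified by this point. If this check runs before the password comparison, a client without valid credentials can tell a locked account from a wrong password, so the ordering should be a deliberate choice and stated in the comment, e.g. `/* Reject locked-out accounts; this status is returned regardless of the supplied password. */`. The enclosing function starts and ends outside the hunk.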
@@ -414,6 +420,7 @@
 	NTSTATUS nt_status;
 	uint8 user_sess_key[16];
 	const uint8* lm_hash;
+	uint32 account_policy_lockout, badpwattempt;
 
 	if (!user_info || !auth_context) {
 		return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +455,43 @@
 	nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
+		if ((NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) && !user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0)){     	
+			badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+			if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED))
+					DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", 
+								 user_info->internal_username.str));
+		 	account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
+			if (badpwattempt >= account_policy_lockout)
+				if (!pdb_set_acct_ctrl (sampass, 
+										pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, 
+										PDB_CHANGED)) {
+					DEBUG(1, ("Failed to set 'disabled' flag for user % s. \n", 
+								 user_info->internal_username.str));
+			    }
+
+			become_root();
+			if (!pdb_update_sam_account(sampass)) {
+		    	DEBUG(1, ("Failed to modify entry for user % s.\n", 
+							 user_info->internal_username.str));
+			unbecome_root();
+            }
+		}
 		pdb_free_sam(&sampass);
 		return nt_status;
 	}
 
+	if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+			DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", 
+						 user_info->internal_username.str));
+	if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+	        DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n"));
+
+	become_root();
+	if(!pdb_update_sam_account(sampass)) 
+	    	DEBUG(1, ("Failed to modify entry for user % s.\n", 
+					 user_info->internal_username.str));
+	unbecome_root();
+
 	if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {		
 		DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
 		return nt_status;
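Review bot: In the failed-password branch `unbecome_root();` sits inside the `if (!pdb_update_sam_account(sampass)) { ... }` block, so the root context taken by `become_root()` is dropped only when the update fails; after a successful update the function reaches `return nt_status;` without giving it up. Move the call below the closing brace so it always runs, as the success path further down already does. Separately, the return value of `account_policy_get()` is ignored and `account_policy_lockout` has no initialiser, and if a threshold of 0 is meant to disable lockout (not visible here) the comparison sets `ACB_AUTOLOCK` on the first bad password; `if (account_policy_lockout != 0 && badpwattempt >= account_policy_lockout)` after a checked `account_policy_get()` would cover both. The `"% s"` conversions in the new DEBUG calls should read `"%s"`. The function body (apparently check_sam_security) continues outside the hunk.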

