Patch for Bad Password Attempt Lockout, samba3.0a22.

Jianliang Lu j.lu at tiesse.com
Mon Mar 31 15:50:42 GMT 2003


Now the users of "Domain Admins" will not be locked out. But until we have 
the right privilege for "Domain Admins", I will continue to use the "admin 
users" for administrator's use (like adding machines, user manager for domain...).
The new patch is attached.

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
-------------- next part --------------
--- auth_sam.c.	Thu Mar 20 16:31:34 2003
+++ auth_sam.c.fix	Mon Mar 31 17:23:09 2003
@@ -326,6 +326,12 @@
 		return NT_STATUS_ACCOUNT_DISABLED;
 	}
 
+	/* Quit if the account was locked out. */
+	if (acct_ctrl & ACB_AUTOLOCK) {
+		DEBUG(1,("Account for user '%s' was locked out.\n", pdb_get_username(sampass)));
+		return NT_STATUS_ACCOUNT_LOCKED_OUT;
+	}
+
 	/* Test account expire time */
 	
 	kickoff_time = pdb_get_kickoff_time(sampass);
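Review bot: The new ACB_AUTOLOCK check rejects the account with no expiry, unlike the kickoff-time test that follows it, so once the flag is set by the counter logic in the third hunk nothing on the server ever clears it and only an administrator editing the account can restore access. If the passdb records the time of the last bad password, the lockout duration policy (AP_LOCK_ACCOUNT_DURATION in account_pol.c) could be consulted here to let the lock lapse; at minimum the comment should say that the lock is permanent, e.g. `/* Quit if the account was locked out; the flag is never cleared automatically. */`. The enclosing function starts and ends outside the hunk.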
@@ -414,6 +420,8 @@
 	NTSTATUS nt_status;
 	uint8 user_sess_key[16];
 	const uint8* lm_hash;
+	uint32 account_policy_lockout, badpwattempt;
+	GROUP_MAP map;
 
 	if (!user_info || !auth_context) {
 		return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +456,45 @@
 	nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
+		if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) {     	
+			badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+			if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED))
+					DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", 
+								 user_info->internal_username.str));
+		 	account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
+			if (!get_group_map_from_ntname("Domain Admins", &map, MAPPING_WITHOUT_PRIV))
+				DEBUG(1, ("auth_sam.c: Failed to get groupmap for Domain Admins"));
+			if ((badpwattempt >= account_policy_lockout) && !user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0) && !user_in_group_list(user_info->internal_username.str, gidtoname(map.gid), NULL, 0))
+				if (!pdb_set_acct_ctrl (sampass, 
+										pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, 
+										PDB_CHANGED)) {
+					DEBUG(1, ("Failed to set 'disabled' flag for user % s. \n", 
+								 user_info->internal_username.str));
+			    }
+
+			become_root();
+			if (!pdb_update_sam_account(sampass)) {
+		    	DEBUG(1, ("Failed to modify entry for user % s.\n", 
+							 user_info->internal_username.str));
+			unbecome_root();
+            }
+		}
 		pdb_free_sam(&sampass);
 		return nt_status;
 	}
 
+	if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+			DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", 
+						 user_info->internal_username.str));
+	if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+	        DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n"));
+
+	become_root();
+	if(!pdb_update_sam_account(sampass)) 
+	    	DEBUG(1, ("Failed to modify entry for user % s.\n", 
+					 user_info->internal_username.str));
+	unbecome_root();
+
 	if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {		
 		DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
 		return nt_status;
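Review bot: become_root() at the top of the wrong-password branch is paired with unbecome_root() only inside the failure branch of pdb_update_sam_account(), so every successful write of the incremented counter leaves the process with its elevated security context for the rest of the request; the unbecome_root() belongs after the if block, as the success path later in the hunk already does. The lockout condition also fires when account_policy_get() fails (account_policy_lockout is then read uninitialised) or when the policy is 0, the value Samba uses for "no lockout", and map.gid is passed to gidtoname() even when get_group_map_from_ntname() failed and map was never filled in. The rewrite below guards all three using a `BOOL have_map;` added to the declarations in the second hunk; the `% s` conversions in the DEBUG calls (the space flag is undefined for %s) should become plain `%s` at the same time. The enclosing check_sam_security() starts and ends outside the hunk.
```c
		if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) {
			badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
			/* … unchanged: pdb_set_bad_pw_attempt() and its DEBUG … */
			account_policy_lockout = 0;	/* 0 means lockout disabled */
			if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout))
				DEBUG(1, ("auth_sam.c: Failed to get bad attempt lockout policy\n"));
			have_map = get_group_map_from_ntname("Domain Admins", &map, MAPPING_WITHOUT_PRIV);
			if (!have_map)
				DEBUG(1, ("auth_sam.c: Failed to get groupmap for Domain Admins\n"));
			if ((account_policy_lockout != 0) && (badpwattempt >= account_policy_lockout)
			    && !user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0)
			    && !(have_map && user_in_group_list(user_info->internal_username.str, gidtoname(map.gid), NULL, 0))) {
				/* … unchanged: pdb_set_acct_ctrl(... | ACB_AUTOLOCK ...) and its DEBUG … */
			}
			become_root();
			if (!pdb_update_sam_account(sampass)) {
				DEBUG(1, ("Failed to modify entry for user %s.\n",
					  user_info->internal_username.str));
			}
			unbecome_root();
		}
```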

