authorAndrew Bartlett <abartlet@samba.org>2013-11-04 21:37:17 +1300
committerStefan Metzmacher <metze@samba.org>2014-04-02 17:12:46 +0200
commita0de9290099a93413048a03740cfb04ca1355c78 (patch)
treeb509db21f5a72740e2f5e6ef13e1f50c89b55409 /source4/dsdb
parent6f8fb163e02579d57e731c0c09eafee5627bec62 (diff)
dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/common/util.c29
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c21
2 files changed, 43 insertions, 7 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index b65af66889..8cecf79e02 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -558,10 +558,14 @@ unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *
return count;
}
-NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
- struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
+NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct ldb_message *msg,
+ struct samr_Password **lm_pwd,
+ struct samr_Password **nt_pwd)
{
struct samr_Password *lmPwdHash, *ntPwdHash;
+
if (nt_pwd) {
unsigned int num_nt;
num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
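Review bot: The renamed `samdb_result_passwords_no_lockout` carries no comment saying who is meant to call it, so nothing at the definition stops a future authentication path from picking the variant that skips the ACB_AUTOLOCK check. The only intended user visible in this diff is the `pwd_reset` branch of password_hash.c, so I would put that contract at the definition, e.g. `/* Fetch the LM/NT hashes WITHOUT enforcing account lockout. Only for callers that must proceed on a locked account (the pwd_reset path); authentication and user-initiated change paths must use samdb_result_passwords(). */`, and mirror it on the prototype. The body of the function continues outside the hunk.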
@@ -594,6 +598,27 @@ NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp
return NT_STATUS_OK;
}
+NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct ldb_message *msg,
+ struct samr_Password **lm_pwd,
+ struct samr_Password **nt_pwd)
+{
+ uint16_t acct_flags;
+
+ acct_flags = samdb_result_acct_flags(msg,
+ "msDS-User-Account-Control-Computed");
+ /* Quit if the account was locked out. */
+ if (acct_flags & ACB_AUTOLOCK) {
+ DEBUG(3,("samdb_result_passwords: Account for user %s was locked out.\n",
+ ldb_dn_get_linearized(msg->dn)));
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
+ return samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg,
+ lm_pwd, nt_pwd);
+}
+
/*
pull a samr_LogonHours structutre from a result set.
*/
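Review bot: The lockout check in the new `samdb_result_passwords` is only as strong as the search that produced `msg`: it reads `msDS-User-Account-Control-Computed` from the message, and if a caller's search did not request that computed attribute the check presumably sees no ACB_AUTOLOCK and lets the locked-out account through, i.e. it fails open. This commit adds the attribute to password_hash's attribute list (the other file in the diff), but the description says every authentication and password-change caller goes through this function, so each of their searches needs the same addition. I would state the requirement above the function: `/* Callers must request "msDS-User-Account-Control-Computed" in the search that built msg; without it the lockout check cannot see ACB_AUTOLOCK and does not reject the account. */`. Whether samdb_result_acct_flags() returns 0 for an absent attribute is not visible here and should be confirmed.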
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 3e0f1a091e..a8d3272405 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -3231,6 +3231,7 @@ static int password_hash_mod_search_self(struct ph_context *ac)
struct ldb_context *ldb;
static const char * const attrs[] = { "objectClass",
"userAccountControl",
+ "msDS-User-Account-Control-Computed",
"pwdLastSet",
"sAMAccountName",
"objectSid",
@@ -3293,11 +3294,21 @@ static int password_hash_mod_do_mod(struct ph_context *ac)
return ret;
}
- /* Get the old password from the database */
- status = samdb_result_passwords(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash, &io.o.nt_hash);
+ if (io.ac->pwd_reset) {
+ /* Get the old password from the database */
+ status = samdb_result_passwords_no_lockout(io.ac,
+ lp_ctx,
+ discard_const_p(struct ldb_message, searched_msg),
+ &io.o.lm_hash,
+ &io.o.nt_hash);
+ } else {
+ /* Get the old password from the database */
+ status = samdb_result_passwords(io.ac,
+ lp_ctx,
+ discard_const_p(struct ldb_message, searched_msg),
+ &io.o.lm_hash, &io.o.nt_hash);
+ }
+
if (!NT_STATUS_IS_OK(status)) {
return ldb_operr(ldb);
}
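Review bot: NT_STATUS_ACCOUNT_LOCKED_OUT now flows from samdb_result_passwords() into the unchanged `if (!NT_STATUS_IS_OK(status)) return ldb_operr(ldb);`, so a locked-out account is reported to the LDAP client as a generic operations error with nothing saying that lockout, rather than a server fault, rejected the change, which also makes the event hard to tell apart from real errors in logs. Consider distinguishing it before the generic check, e.g. `if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) { ldb_asprintf_errstring(ldb, "%s", nt_errstr(status)); return LDB_ERR_CONSTRAINT_VIOLATION; }` (the ldb error code should follow whatever this module returns for its other password-policy rejections). As a point of style, both branches repeat the same `/* Get the old password from the database */` comment and lay out the trailing arguments differently; hoisting the comment above the `if` and aligning the two calls would leave the lockout decision as the only visible difference. password_hash_mod_do_mod continues outside the hunk.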