Kill off the old varient of 'check_plaintext_password' (new version just

committed in auth/auth_compat.c and use the new version to make the plaintext
password change slightly sane...  (Needs testing).

Andrew Bartlett

2 files changed, 28 insertions, 103 deletions

diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c
index b22ccacbf1e..5e646b62258 100644
--- a/source/smbd/chgpasswd.c
+++ b/source/smbd/chgpasswd.c
@@ -934,53 +934,5 @@ BOOL change_oem_password(SAM_ACCOUNT *hnd, char *new_passwd)
 	return ret;
 }
 
-/***********************************************************
- Code to check a plaintext password against smbpasswd entries.
-***********************************************************/
-
-BOOL check_plaintext_password(char *user, char *old_passwd,
-			      int old_passwd_size, SAM_ACCOUNT **hnd)
-{
-	SAM_ACCOUNT  *sampass = NULL;
-	uchar old_pw[16], old_ntpw[16];
-	BOOL ret;
-
-	pdb_init_sam(&sampass);
-
-	become_root();
-	ret = pdb_getsampwnam(sampass, user);
-	unbecome_root();
-
-	*hnd = sampass;
-
-	if (ret == False)
-	{
-		DEBUG(0,("check_plaintext_password: getsmbpwnam returned NULL\n"));
-		return False;
-	}
-
-	if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED)
-	{
-		DEBUG(0,("check_plaintext_password: account %s disabled.\n", user));
-		return (False);
-	}
 
-	nt_lm_owf_gen(old_passwd, old_ntpw, old_pw);
 
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("check_plaintext_password: nt_passwd \n"));
-	dump_data(100, pdb_get_nt_passwd(sampass), 16);
-	DEBUG(100, ("check_plaintext_password: old_ntpw \n"));
-	dump_data(100, old_ntpw, 16);
-	DEBUG(100, ("check_plaintext_password: lanman_passwd \n"));
-	dump_data(100, pdb_get_lanman_passwd(sampass), 16);
-	DEBUG(100, ("check_plaintext_password: old_pw\n"));
-	dump_data(100, old_pw, 16);
-#endif
-
-	if (memcmp(pdb_get_nt_passwd(sampass), old_ntpw, 16)
-	    && memcmp(pdb_get_lanman_passwd(sampass), old_pw, 16))
-		return (False);
-	else
-		return (True);
-}
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index fb8b52342ac..1a5777e1d4b 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1923,8 +1923,6 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
   fstring user;
   fstring pass1,pass2;
 
-  struct passwd *passwd;
-
   pull_ascii_fstring(user,p);
 
   p = skip_string(p,1);
@@ -1945,67 +1943,42 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
   DEBUG(3,("Set password for <%s>\n",user));
 
   /*
-   * Pass the user through the NT -> unix user mapping
-   * function.
-   */
-
-  (void)map_username(user);
-
-  /*
-   * Do any UNIX username case mangling.
-   */
-  passwd = Get_Pwnam_Modify( user );
-
-  /*
    * Attempt to verify the old password against smbpasswd entries
    * Win98 clients send old and new password in plaintext for this call.
    */
 
   {
-    fstring saved_pass2;
-    SAM_ACCOUNT *sampass=NULL;
-
-    /*
-     * Save the new password as change_oem_password overwrites it
-     * with zeros.
-     */
-
-    fstrcpy(saved_pass2, pass2);
-
-    if (check_plaintext_password(user,pass1,strlen(pass1),&sampass) &&
-        change_oem_password(sampass,pass2))
-    {
-      SSVAL(*rparam,0,NERR_Success);
-
-      /*
-       * If unix password sync was requested, attempt to change
-       * the /etc/passwd database also. Return failure if this cannot
-       * be done.
-       */
-
-      if(lp_unix_password_sync() && !chgpasswd(user,pass1,saved_pass2,False))
-        SSVAL(*rparam,0,NERR_badpass);
-    }
- 	pdb_free_sam(&sampass);
- }
-  
-
-  /*
-   * If the above failed, attempt the plaintext password change.
-   * This tests against the /etc/passwd database only.
-   */
-
-  if(SVAL(*rparam,0) != NERR_Success)
-  {
-	  if NT_STATUS_IS_OK(pass_check(passwd, user, pass1, 
-					strlen(pass1), NULL, False)) 
+	  auth_serversupplied_info *server_info = NULL;
+	  DATA_BLOB password = data_blob(pass1, strlen(pass1)+1);
+	  if (NT_STATUS_IS_OK(check_plaintext_password(user,password,&server_info))) {
+		  if (change_oem_password(server_info->sam_account,pass2))
 		  {
-			  if (chgpasswd(user,pass1,pass2,False)) {
-				  SSVAL(*rparam,0,NERR_Success);
-			  }
+			  SSVAL(*rparam,0,NERR_Success);
 		  }
+		  
+		  /*
+		   * If unix password sync was requested, attempt to change
+		   * the /etc/passwd database also. Return failure if this cannot
+		   * be done.
+		   *
+		   * This occours regardless of the previous result, becouse 
+		   * It might not have been testing the password against the SAM backend.
+		   * (and therefore the change_oem_password would fail).
+		   *
+		   * Conditional on lp_unix_password_sync() becouse we don't want
+                   * to touch the unix db unless we have admin permission.
+		   */
+		  
+		  if(lp_unix_password_sync() && !chgpasswd(pdb_get_username(server_info->sam_account),
+							   pass1,pass2,False)) {
+			  SSVAL(*rparam,0,NERR_badpass);
+		  }
+		  
+		  free_server_info(&server_info);
+	  }
+	  data_blob_clear_free(&password);
   }
-  
+
   /*
    * If the plaintext change failed, attempt
    * the old encrypted method. NT will generate this