diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2013-11-11 11:35:12 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2014-04-02 17:12:47 +0200 |
| commit | 7e653f5ae28c822c2e9c42dd2853126f7f86f0f0 (patch) | |
| tree | e029b0cbf64bd393968b2b420331454554a9e7ac /source4/auth | |
| parent | 1a483a8b4ba9640c2f57c34366433b6e219c27b2 (diff) | |
| download | samba-7e653f5ae28c822c2e9c42dd2853126f7f86f0f0.tar.gz samba-7e653f5ae28c822c2e9c42dd2853126f7f86f0f0.tar.xz samba-7e653f5ae28c822c2e9c42dd2853126f7f86f0f0.zip | |
s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/auth')
| -rw-r--r-- | source4/auth/ntlm/auth_sam.c | 6 | ||||
| -rw-r--r-- | source4/auth/sam.c | 61 |
2 files changed, 67 insertions, 0 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 5964ef19764..b66eb50f48d 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -256,6 +256,12 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, return nt_status; } + nt_status = authsam_zero_bad_pwd_count(auth_context->sam_ctx, msg); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(tmp_ctx); + return nt_status; + } + if (user_sess_key && user_sess_key->data) { talloc_steal(mem_ctx, user_sess_key->data); } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 789ff19d15c..a88935cef9f 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -67,6 +67,12 @@ const char *user_attrs[] = { "logonHours", + /* + * To allow us to zero the badPwdCount and lockoutTime on + * successful logon, without database churn + */ + "lockoutTime", + /* check 'allowed workstations' */ "userWorkstations", @@ -751,3 +757,58 @@ NTSTATUS authsam_update_bad_pwd_count(struct ldb_context *sam_ctx, TALLOC_FREE(mem_ctx); return NT_STATUS_OK; } + +NTSTATUS authsam_zero_bad_pwd_count(struct ldb_context *sam_ctx, + const struct ldb_message *msg) +{ + int ret; + int badPwdCount; + int64_t lockoutTime; + struct ldb_message *msg_mod; + TALLOC_CTX *mem_ctx; + + lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0); + badPwdCount = ldb_msg_find_attr_as_int(msg, "badPwdCount", 0); + if (lockoutTime == 0 && badPwdCount == 0) { + return NT_STATUS_OK; + } + + mem_ctx = talloc_new(msg); + if (mem_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + msg_mod = ldb_msg_new(mem_ctx); + if (msg_mod == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + msg_mod->dn = msg->dn; + + if (lockoutTime != 0) { + /* + * This implies "badPwdCount" = 0, see samldb_lockout_time() + */ + ret = samdb_msg_add_int(sam_ctx, msg_mod, msg_mod, "lockoutTime", 0); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + } else { + ret = samdb_msg_add_int(sam_ctx, msg_mod, msg_mod, "badPwdCount", 0); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + } + + ret = dsdb_replace(sam_ctx, msg_mod, 0); + if (ret != LDB_SUCCESS) { + DEBUG(0, ("Failed to set badPwdCount and lockoutTime to 0 on %s: %s\n", + ldb_dn_get_linearized(msg_mod->dn), ldb_errstring(sam_ctx))); + TALLOC_FREE(mem_ctx); + return NT_STATUS_INTERNAL_ERROR; + } + + TALLOC_FREE(mem_ctx); + return NT_STATUS_OK; +} |