diff options
author | Andrew Bartlett <abartlet@samba.org> | 2013-11-06 10:39:42 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-04-02 17:12:46 +0200 |
commit | 3f07737fd4a92fc948cfc432bc46098d6dd5269a (patch) | |
tree | 9fb99bf3cad568fe51ad3d6cbeeba83718462223 /source4/rpc_server | |
parent | a0de9290099a93413048a03740cfb04ca1355c78 (diff) | |
download | samba-3f07737fd4a92fc948cfc432bc46098d6dd5269a.tar.gz samba-3f07737fd4a92fc948cfc432bc46098d6dd5269a.tar.xz samba-3f07737fd4a92fc948cfc432bc46098d6dd5269a.zip |
s4:auth: Add password lockout support to the AD DC
Including a fix by Arvid Requate <requate@univention.de>
Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/samr/samr_password.c | 16 | ||||
-rwxr-xr-x | source4/rpc_server/wscript_build | 2 |
2 files changed, 15 insertions, 3 deletions
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 0c4f3384604..383fce1223f 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -30,6 +30,7 @@ #include "libcli/auth/libcli_auth.h" #include "../lib/util/util_ldb.h" #include "rpc_server/samr/proto.h" +#include "auth/auth_sam.h" /* samr_ChangePasswordUser @@ -64,6 +65,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, const char * const attrs[] = { "objectSid", "dBCSPwd", "userAccountControl", "msDS-User-Account-Control-Computed", + "badPwdCount", "badPasswordTime", NULL }; struct samr_Password *lm_pwd; DATA_BLOB lm_pwd_blob; @@ -123,6 +125,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) { DEBUG(3,("samr: failed to decode password buffer\n")); + authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx)); return NT_STATUS_WRONG_PASSWORD; } @@ -132,6 +135,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, new_password.length, (void **)&new_pass, &converted_size)) { DEBUG(3,("samr: failed to convert incoming password buffer to unix charset\n")); + authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx)); return NT_STATUS_WRONG_PASSWORD; } @@ -141,6 +145,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, new_password.length, (void **)&new_unicode_password.data, &unicode_pw_len)) { DEBUG(3,("samr: failed to convert incoming password buffer to UTF16 charset\n")); + authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx)); return NT_STATUS_WRONG_PASSWORD; } new_unicode_password.length = unicode_pw_len; @@ -148,6 +153,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, E_deshash(new_pass, new_lm_hash); E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash); if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) { + authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx)); return NT_STATUS_WRONG_PASSWORD; } @@ -204,13 +210,14 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, NTSTATUS status; DATA_BLOB new_password; struct ldb_context *sam_ctx = NULL; - struct ldb_dn *user_dn; + struct ldb_dn *user_dn = NULL; int ret; struct ldb_message **res; const char * const attrs[] = { "unicodePwd", "dBCSPwd", "userAccountControl", "msDS-User-Account-Control-Computed", - NULL }; + "badPwdCount", "badPasswordTime", + "objectSid", NULL }; struct samr_Password *nt_pwd, *lm_pwd; DATA_BLOB nt_pwd_blob; struct samr_DomInfo1 *dominfo = NULL; @@ -351,6 +358,11 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, return NT_STATUS_OK; failed: + /* Only update the badPwdCount if we found the user */ + if (user_dn != NULL && NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { + authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx)); + } + reject = talloc_zero(mem_ctx, struct userPwdChangeFailureInformation); if (reject != NULL) { reject->extendedFailureReason = reason; diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build index aaee8208eb2..28662578eba 100755 --- a/source4/rpc_server/wscript_build +++ b/source4/rpc_server/wscript_build @@ -80,7 +80,7 @@ bld.SAMBA_MODULE('dcesrv_samr', autoproto='samr/proto.h', subsystem='dcerpc_server', init_function='dcerpc_server_samr_init', - deps='samdb DCERPC_COMMON ndr-standard' + deps='samdb DCERPC_COMMON ndr-standard auth4_sam' ) |