authorAndrew Bartlett <abartlet@samba.org>2013-11-04 21:37:17 +1300
committerStefan Metzmacher <metze@samba.org>2014-04-02 17:12:46 +0200
commita0de9290099a93413048a03740cfb04ca1355c78 (patch)
treeb509db21f5a72740e2f5e6ef13e1f50c89b55409 /source4/rpc_server
parent6f8fb163e02579d57e731c0c09eafee5627bec62 (diff)
dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c12
-rw-r--r--source4/rpc_server/samr/samr_password.c14
2 files changed, 17 insertions, 9 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index c3e33bd4209..50e7cab7ff1 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -461,9 +461,9 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call
return NT_STATUS_WRONG_PASSWORD;
}
- nt_status = samdb_result_passwords(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- res[0], NULL, &oldNtHash);
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ res[0], NULL, &oldNtHash);
if (!NT_STATUS_IS_OK(nt_status) || !oldNtHash) {
return NT_STATUS_WRONG_PASSWORD;
}
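Review bot: The switch to `samdb_result_passwords_no_lockout()` here, and in the matching hunk in dcesrv_netr_ServerPasswordSet2, has no comment saying why the lockout check is skipped on these two paths. The commit makes samdb_result_passwords() the choke point for lockout enforcement, so every opt-out should carry its justification at the call site. Something like `/* secure-channel password set for an already authenticated machine account: lockout state must not block it */` would do, assuming that is the actual reason, which the hunk does not show. Both function bodies start and end outside their hunks.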
@@ -531,9 +531,9 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
return NT_STATUS_WRONG_PASSWORD;
}
- nt_status = samdb_result_passwords(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- res[0], &oldLmHash, &oldNtHash);
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ res[0], &oldLmHash, &oldNtHash);
if (!NT_STATUS_IS_OK(nt_status) || (!oldLmHash && !oldNtHash)) {
return NT_STATUS_WRONG_PASSWORD;
}
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 685a8e7864a..0c4f3384604 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -61,7 +61,10 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
struct ldb_dn *user_dn;
int ret;
struct ldb_message **res;
- const char * const attrs[] = { "objectSid", "dBCSPwd", NULL };
+ const char * const attrs[] = { "objectSid", "dBCSPwd",
+ "userAccountControl",
+ "msDS-User-Account-Control-Computed",
+ NULL };
struct samr_Password *lm_pwd;
DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
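Review bot: The two attributes added to `attrs[]` are presumably what the lockout check inside samdb_result_passwords() reads, but nothing at the declaration says so. A later edit that trims the list could then disable the check with no visible failure. A comment above the array such as `/* userAccountControl and msDS-User-Account-Control-Computed are required by the lockout check in samdb_result_passwords() */` would make the dependency explicit; the same applies to `attrs[]` in dcesrv_samr_ChangePasswordUser3. It is also worth confirming how samdb_result_passwords() behaves when the computed attribute is missing from the message, since that code is not part of this diff. The function body continues outside the hunk.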
@@ -107,7 +110,9 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
res[0], &lm_pwd, NULL);
- if (!NT_STATUS_IS_OK(status) || !lm_pwd) {
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ } else if (!lm_pwd) {
return NT_STATUS_WRONG_PASSWORD;
}
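Review bot: The new `return status;` forwards every non-OK result of samdb_result_passwords() to the RPC client, where the old code collapsed all failures into NT_STATUS_WRONG_PASSWORD. That is presumably intended for the lockout status, but it also lets a client tell a locked-out account from a wrong password and passes any other internal failure code through unchanged. A comment should state that this disclosure is deliberate, e.g. `/* let NT_STATUS_ACCOUNT_LOCKED_OUT reach the client; the lockout check now lives in samdb_result_passwords() */`. If only the lockout code is meant to be visible, map the remaining failures back to NT_STATUS_WRONG_PASSWORD. The `else` after the `return` is redundant, and the function body continues outside the hunk.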
@@ -202,7 +207,10 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
struct ldb_dn *user_dn;
int ret;
struct ldb_message **res;
- const char * const attrs[] = { "unicodePwd", "dBCSPwd", NULL };
+ const char * const attrs[] = { "unicodePwd", "dBCSPwd",
+ "userAccountControl",
+ "msDS-User-Account-Control-Computed",
+ NULL };
struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo = NULL;