Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/ntlm/auth_sam.c6
-rw-r--r--source4/auth/sam.c61
2 files changed, 67 insertions, 0 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 5964ef19764..b66eb50f48d 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -256,6 +256,12 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
return nt_status;
}
+ nt_status = authsam_zero_bad_pwd_count(auth_context->sam_ctx, msg);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
if (user_sess_key && user_sess_key->data) {
talloc_steal(mem_ctx, user_sess_key->data);
}
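Review bot: A failure inside the new `authsam_zero_bad_pwd_count()` call turns a correct-password logon into a failed one, because the added block returns `nt_status` straight to the caller. The helper only writes when `badPwdCount` or `lockoutTime` is non-zero, so an account with one earlier bad attempt would be refused for as long as the SAM write fails (the helper returns `NT_STATUS_INTERNAL_ERROR` in that case). If failing closed is intended, say so above the call, for example `/* Fail the logon if the lockout counters cannot be reset */`; otherwise log the error and continue. The checks that run before this call are outside the hunk, so confirm that the account-state checks (disabled, expired, currently locked out) have already passed before the counters are cleared.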
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 789ff19d15c..a88935cef9f 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -67,6 +67,12 @@ const char *user_attrs[] = {
"logonHours",
+ /*
+ * To allow us to zero the badPwdCount and lockoutTime on
+ * successful logon, without database churn
+ */
+ "lockoutTime",
+
/* check 'allowed workstations' */
"userWorkstations",
@@ -751,3 +757,58 @@ NTSTATUS authsam_update_bad_pwd_count(struct ldb_context *sam_ctx,
TALLOC_FREE(mem_ctx);
return NT_STATUS_OK;
}
+
+NTSTATUS authsam_zero_bad_pwd_count(struct ldb_context *sam_ctx,
+ const struct ldb_message *msg)
+{
+ int ret;
+ int badPwdCount;
+ int64_t lockoutTime;
+ struct ldb_message *msg_mod;
+ TALLOC_CTX *mem_ctx;
+
+ lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
+ badPwdCount = ldb_msg_find_attr_as_int(msg, "badPwdCount", 0);
+ if (lockoutTime == 0 && badPwdCount == 0) {
+ return NT_STATUS_OK;
+ }
+
+ mem_ctx = talloc_new(msg);
+ if (mem_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ msg_mod = ldb_msg_new(mem_ctx);
+ if (msg_mod == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ msg_mod->dn = msg->dn;
+
+ if (lockoutTime != 0) {
+ /*
+ * This implies "badPwdCount" = 0, see samldb_lockout_time()
+ */
+ ret = samdb_msg_add_int(sam_ctx, msg_mod, msg_mod, "lockoutTime", 0);
+ if (ret != LDB_SUCCESS) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ ret = samdb_msg_add_int(sam_ctx, msg_mod, msg_mod, "badPwdCount", 0);
+ if (ret != LDB_SUCCESS) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ ret = dsdb_replace(sam_ctx, msg_mod, 0);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0, ("Failed to set badPwdCount and lockoutTime to 0 on %s: %s\n",
+ ldb_dn_get_linearized(msg_mod->dn), ldb_errstring(sam_ctx)));
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_OK;
+}
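Review bot: `authsam_zero_bad_pwd_count()` clears `lockoutTime` whenever the passed-in `msg` shows it non-zero, without checking that the lockout has expired, so its safety rests entirely on the caller. The function has no header comment. Add one stating that it may only be called after the password and the account's lockout state have been verified, that `msg` must carry both `badPwdCount` and `lockoutTime` (a missing attribute reads as 0 and silently skips the reset; only `lockoutTime` is visibly added to `user_attrs` here), and which NTSTATUS values it returns. The decision is taken from the earlier search result and written with `dsdb_replace()` with no transaction visible in this hunk, so a concurrent bad-password update between the read and the write can be overwritten or missed; either document that as accepted or do the read and write inside one transaction. The `DEBUG` text also names both attributes although each branch adds only one to `msg_mod`.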