diff options
author | Günther Deschner <gd@samba.org> | 2006-02-27 16:39:56 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:10:50 -0500 |
commit | 8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e (patch) | |
tree | 1e3527c839627d6a78df47c79c01ea4c6d6c7a5c | |
parent | fe4a6081e4f0ed80cbb8203766563d7db99ad7ba (diff) | |
download | samba-8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e.tar.gz samba-8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e.tar.bz2 samba-8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e.zip |
r13720: Only lockout Administrator after x bad password attempts in offline-mode
when we are told to do so by the password_properties.
Guenther
(This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 45 |
1 files changed, 37 insertions, 8 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 2b9b13caf8..aa759af09a 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -298,6 +298,27 @@ static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain return NT_STATUS_OK; } +static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *password_properties) +{ + struct winbindd_methods *methods; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + SAM_UNK_INFO_1 password_policy; + + *password_properties = 0; + + methods = domain->methods; + + status = methods->password_policy(domain, mem_ctx, &password_policy); + if (NT_STATUS_IS_ERR(status)) { + return status; + } + + *password_properties = password_policy.password_properties; + + return NT_STATUS_OK; +} static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, const char *type, @@ -789,22 +810,30 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, "Won't be able to honour account lockout policies\n")); } - if (max_allowed_bad_attempts == 0) { - return NT_STATUS_WRONG_PASSWORD; - } - /* increase counter */ - if (my_info3->bad_pw_count < max_allowed_bad_attempts) { - - my_info3->bad_pw_count++; + my_info3->bad_pw_count++; + + if (max_allowed_bad_attempts == 0) { + goto failed; } /* lockout user */ if (my_info3->bad_pw_count >= max_allowed_bad_attempts) { - my_info3->acct_flags |= ACB_AUTOLOCK; + uint32 password_properties; + + result = get_pwd_properties(domain, state->mem_ctx, &password_properties); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n")); + } + + if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || + (password_properties & DOMAIN_LOCKOUT_ADMINS)) { + my_info3->acct_flags |= ACB_AUTOLOCK; + } } +failed: result = winbindd_update_creds_by_info3(domain, state->mem_ctx, state->request.data.auth.user, |