summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-08-31 19:56:16 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:52:33 -0500
commit0fc457be2fbb83edd10a688d220d74ede46cbe50 (patch)
treec48bd251a0abc6c3680041d3c04c6d4f967bbcd3
parent4c20275f51c68e3ff66a96621e578ec18c47e254 (diff)
downloadsamba-0fc457be2fbb83edd10a688d220d74ede46cbe50.tar.gz
samba-0fc457be2fbb83edd10a688d220d74ede46cbe50.tar.bz2
samba-0fc457be2fbb83edd10a688d220d74ede46cbe50.zip
r2137: This is a patch I've been running at Hawker for a while.
The purpose of this patch is to avoid changing the machine account password, when it has 'already been changed'. This occours in situations where the secure channel between the workstation and the DC breaks down, such as occoured in the MS04-11 security patch. This avoids LDAP replication load issues, due to the client changing the password repeatedly. We also now set the LM password to NULL explicitly, rather than the NT password value, as this is what we get out of a vampire, or when a long password is set (as XP seems to do these days). Andrew Bartlett (This used to be commit 1ad1317a815898b52b1803211ab7b502e331e782)
-rw-r--r--source3/rpc_server/srv_netlog_nt.c48
1 files changed, 29 insertions, 19 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index b5871a7e56..3e0762fa43 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -445,6 +445,7 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
unsigned char pwd[16];
int i;
uint32 acct_ctrl;
+ const uchar *old_pw;
/* checks and updates credentials. creates reply credentials */
if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->clnt_id.cred, &srv_cred)))
@@ -482,34 +483,43 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
return NT_STATUS_ACCOUNT_DISABLED;
}
+ cred_hash3( pwd, q_u->pwd, p->dc.sess_key, 0);
+
DEBUG(100,("Server password set : new given value was :\n"));
for(i = 0; i < 16; i++)
DEBUG(100,("%02X ", q_u->pwd[i]));
DEBUG(100,("\n"));
- cred_hash3( pwd, q_u->pwd, p->dc.sess_key, 0);
+ old_pw = pdb_get_nt_passwd(sampass);
- /* lies! nt and lm passwords are _not_ the same: don't care */
- if (!pdb_set_lanman_passwd (sampass, pwd, PDB_CHANGED)) {
- pdb_free_sam(&sampass);
- return NT_STATUS_NO_MEMORY;
- }
+ if (old_pw && memcmp(pwd, old_pw, 16) == 0) {
+ /* Avoid backend modificiations and other fun if the
+ client changed the password to the *same thing* */
- if (!pdb_set_nt_passwd (sampass, pwd, PDB_CHANGED)) {
- pdb_free_sam(&sampass);
- return NT_STATUS_NO_MEMORY;
- }
+ ret = True;
+ } else {
- if (!pdb_set_pass_changed_now (sampass)) {
- pdb_free_sam(&sampass);
- /* Not quite sure what this one qualifies as, but this will do */
- return NT_STATUS_UNSUCCESSFUL;
+ /* LM password should be NULL for machines */
+ if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) {
+ pdb_free_sam(&sampass);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_nt_passwd (sampass, pwd, PDB_CHANGED)) {
+ pdb_free_sam(&sampass);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_pass_changed_now (sampass)) {
+ pdb_free_sam(&sampass);
+ /* Not quite sure what this one qualifies as, but this will do */
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ become_root();
+ ret = pdb_update_sam_account (sampass);
+ unbecome_root();
}
-
- become_root();
- ret = pdb_update_sam_account (sampass);
- unbecome_root();
-
if (ret)
status = NT_STATUS_OK;