authorAndrew Bartlett <abartlet@samba.org>2001-09-26 11:13:55 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-09-26 11:13:55 +0000
commit6744ca0a369ef85858b6e1a129649cd175187e51 (patch)
tree2b9c8eb5bc05c7b87cd5aa138165d388b008e0b5
parent345a670324ae5023cd755ba81a4d9a29031ccfc5 (diff)
More updates to prevent account-guessing.
This moves the check that ensures that the account being looked up is the same account as the machine logged in as to the front, before we even start with passdb. Merge for 2.2.2? Andrew Bartlett (This used to be commit f7ed0ecc14aeba5ad260f24a76ced70cf52f8e48)
-rw-r--r--source3/rpc_server/srv_netlog_nt.c22
1 files changed, 10 insertions, 12 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 173c4218cb..bf615682d3 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -391,6 +391,16 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
DEBUG(3,("Server Password Set Wksta:[%s]\n", mach_acct));
+ /*
+ * Check the machine account name we're changing is the same
+ * as the one we've authenticated from. This prevents arbitrary
+ * machines changing other machine account passwords.
+ */
+
+ if (!strequal(mach_acct, p->dc.mach_acct)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
pdb_init_sam(&sampass);
become_root();
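Review bot: The early `return NT_STATUS_ACCESS_DENIED;` after the `strequal(mach_acct, p->dc.mach_acct)` test rejects the request without logging anything. A machine that tries to set another machine account's password therefore leaves only the level-3 "Server Password Set Wksta" line, which looks the same as a legitimate request. I would log the mismatch at a low debug level before returning, e.g. `DEBUG(1,("_net_srv_pwset: denied, requested account [%s] is not the authenticated account [%s]\n", mach_acct, p->dc.mach_acct));`, so that denials can be found and alerted on. The check also presumes `p->dc.mach_acct` was filled in by a completed authentication on this pipe; the hunk does not show that, so confirm that an unauthenticated pipe cannot reach this comparison with an empty or stale value. `_net_srv_pwset` starts and ends outside the hunk.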
@@ -403,18 +413,6 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
pdb_free_sam(sampass);
return NT_STATUS_NO_SUCH_USER;
}
-
- /*
- * Check the machine account name we're changing is the same
- * as the one we've authenticated from. This prevents arbitrary
- * machines changing other machine account passwords.
- */
-
- if (!strequal(mach_acct, p->dc.mach_acct)) {
- pdb_free_sam(sampass);
- return NT_STATUS_ACCESS_DENIED;
- }
-
DEBUG(100,("Server password set : new given value was :\n"));
for(i = 0; i < 16; i++)