More updates to prevent account-guessing.

This moves the check that ensures that the account being looked up is the same
account as the machine logged in as to the front, before we even start with
passdb.

Merge for 2.2.2?

Andrew Bartlett
(This used to be commit f7ed0ecc14aeba5ad260f24a76ced70cf52f8e48)

1 files changed, 10 insertions, 12 deletions

diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 173c4218cb..bf615682d3 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -391,6 +391,16 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
 
 	DEBUG(3,("Server Password Set Wksta:[%s]\n", mach_acct));
 	
+	/*
+	 * Check the machine account name we're changing is the same
+	 * as the one we've authenticated from. This prevents arbitrary
+	 * machines changing other machine account passwords.
+	 */
+
+	if (!strequal(mach_acct, p->dc.mach_acct)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	pdb_init_sam(&sampass);
 
 	become_root();
@@ -403,18 +413,6 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
 		pdb_free_sam(sampass);
 		return NT_STATUS_NO_SUCH_USER;
 	}
-
-	/*
-	 * Check the machine account name we're changing is the same
-	 * as the one we've authenticated from. This prevents arbitrary
-	 * machines changing other machine account passwords.
-	 */
-
-	if (!strequal(mach_acct, p->dc.mach_acct)) {
-		pdb_free_sam(sampass);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
 	
 	DEBUG(100,("Server password set : new given value was :\n"));
 	for(i = 0; i < 16; i++)