authorVolker Lendecke <vlendec@samba.org>2006-01-28 22:49:25 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:06:18 -0500
commitba611cb0368629dd7b98c20ed88e9394be0c29e5 (patch)
tree83ca7c8284fece9ffcbe6a303f0829a6a636595e /source3/libsmb
parentb2e8358b3d76d88d5dc090095a4e62647c823aa5 (diff)
r13211: Fix remote password changing if password must change is set
The problem was that the ntlmssp bind silently failed in that case, so we have to do it anonymously. Or does anybody have a better idea? Give a better error message if something else is wrong with the account. Volker (This used to be commit 0e24c701ce3755d71de7fdccb9f4564b381bf996)
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/passchange.c37
1 files changed, 36 insertions, 1 deletions
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index b104a4678d..8b811b06ea 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -34,6 +34,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
struct in_addr ip;
NTSTATUS result;
+ BOOL pass_must_change = False;
*err_str = '\0';
@@ -73,6 +74,28 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
/* Given things like SMB signing, restrict anonymous and the like,
try an authenticated connection first */
if (!cli_session_setup(&cli, user_name, old_passwd, strlen(old_passwd)+1, old_passwd, strlen(old_passwd)+1, "")) {
+
+ result = cli_nt_error(&cli);
+
+ if (!NT_STATUS_IS_OK(result)) {
+
+ /* Password must change is the only valid error
+ * condition here from where we can proceed, the rest
+ * like account locked out or logon failure will lead
+ * to errors later anyway */
+
+ if (!NT_STATUS_EQUAL(result,
+ NT_STATUS_PASSWORD_MUST_CHANGE)) {
+ slprintf(err_str, err_str_len-1, "Could not "
+ "connect to machine %s: %s\n",
+ remote_machine, cli_errstr(&cli));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ pass_must_change = True;
+ }
+
/*
* We should connect as the anonymous user here, in case
* the server has "must change password" checked...
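Review bot: The check `if (!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE))` now returns False for every other NT error, which includes NT_STATUS_PASSWORD_EXPIRED, a status a server may return for an account whose password has aged out and which needs this same change path. Consider accepting both: `if (!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) && !NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED)) {`. The comment above the check says the other errors "will lead to errors later anyway", but the code returns at once, so the comment should say they are reported here. A session-setup failure for which `cli_nt_error` reports success (presumably a DOS-class or transport error) still falls through to the anonymous path with `pass_must_change` left False; that looks like the previous behaviour, but it deserves a line in the comment. The function body starts and ends outside this hunk.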
@@ -100,13 +123,25 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
/* Try not to give the password away too easily */
- pipe_hnd = cli_rpc_pipe_open_ntlmssp(&cli,
+ if (!pass_must_change) {
+ pipe_hnd = cli_rpc_pipe_open_ntlmssp(&cli,
PI_SAMR,
PIPE_AUTH_LEVEL_PRIVACY,
"", /* what domain... ? */
user_name,
old_passwd,
&result);
+ } else {
+ /*
+ * If the user password must be changed the ntlmssp bind will
+ * fail the same way as the session setup above did. The
+ * difference ist that with a pipe bind we don't get a good
+ * error message, the result will be that the rpc call below
+ * will just fail. So we do it anonymously, there's no other
+ * way.
+ */
+ pipe_hnd = cli_rpc_pipe_open_noauth(&cli, PI_SAMR, &result);
+ }
if (!pipe_hnd) {
if (lp_client_lanman_auth()) {
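Review bot: The `else` branch binds SAMR with `cli_rpc_pipe_open_noauth`, so the request that follows is sent without the `PIPE_AUTH_LEVEL_PRIVACY` sealing the first branch asks for, and the switch is driven by a status the server returned before anything authenticated it. The added comment explains why the NTLMSSP bind cannot work, but not what protection is lost; I would add `/* No sign/seal on this pipe: confidentiality of the new password rests on the encryption inside the password change call itself. */` (that call is outside this hunk, so confirm it holds). A `DEBUG(3, ("remote_password_change: password must change, using unauthenticated SAMR pipe\n"));` before the open would make the downgrade visible in client logs. Small thing in the same comment: "ist" should be "is".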