diff options
author | Matthieu Patou <mat@matws.net> | 2010-05-21 11:57:29 +0400 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2010-06-02 14:32:23 +0200 |
commit | 57ab910b6f3a24bf188415baf58de610203594b1 (patch) | |
tree | df32dc663dbbda02d4a76bc92b935d6ba58f81ae /source3/passdb | |
parent | 95863bfb5e547132c8f02c49a2bed1ec308d8f5e (diff) | |
download | samba-57ab910b6f3a24bf188415baf58de610203594b1.tar.gz samba-57ab910b6f3a24bf188415baf58de610203594b1.tar.bz2 samba-57ab910b6f3a24bf188415baf58de610203594b1.zip |
s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
previous password key when the password is changed. It also check the
user ticket against previous password.
Signed-off-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/machine_account_secrets.c | 81 |
1 files changed, 77 insertions, 4 deletions
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c index 4a1c3faa87..db99d010ec 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c @@ -161,6 +161,23 @@ static const char *machine_last_change_time_keystr(const char *domain) /** + * Form a key for fetching the machine previous trust account password + * + * @param domain domain name + * + * @return keystring + **/ +static const char *machine_prev_password_keystr(const char *domain) +{ + char *keystr; + + keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", + SECRETS_MACHINE_PASSWORD_PREV, domain); + SMB_ASSERT(keystr != NULL); + return keystr; +} + +/** * Form a key for fetching the machine trust account password * * @param domain domain name @@ -300,21 +317,42 @@ bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], } /************************************************************************ - Routine to delete the plaintext machine account password + Routine to delete the old plaintext machine account password if any +************************************************************************/ + +static bool secrets_delete_prev_machine_password(const char *domain) +{ + char *oldpass = (char *)secrets_fetch(machine_prev_password_keystr(domain), NULL); + if (oldpass == NULL) { + return true; + } + SAFE_FREE(oldpass); + return secrets_delete(machine_prev_password_keystr(domain)); +} + +/************************************************************************ + Routine to delete the plaintext machine account password and old + password if any ************************************************************************/ bool secrets_delete_machine_password(const char *domain) { + if (!secrets_delete_prev_machine_password(domain)) { + return false; + } return secrets_delete(machine_password_keystr(domain)); } /************************************************************************ - Routine to delete the plaintext machine account password, sec channel type and - last change time from secrets database + Routine to delete the plaintext machine account password, old password, + sec channel type and last change time from secrets database ************************************************************************/ bool secrets_delete_machine_password_ex(const char *domain) { + if (!secrets_delete_prev_machine_password(domain)) { + return false; + } if (!secrets_delete(machine_password_keystr(domain))) { return false; } @@ -334,8 +372,28 @@ bool secrets_delete_domain_sid(const char *domain) } /************************************************************************ + Routine to store the previous machine password (by storing the current password + as the old) +************************************************************************/ + +static bool secrets_store_prev_machine_password(const char *domain) +{ + char *oldpass; + bool ret; + + oldpass = (char *)secrets_fetch(machine_password_keystr(domain), NULL); + if (oldpass == NULL) { + return true; + } + ret = secrets_store(machine_prev_password_keystr(domain), oldpass, strlen(oldpass)+1); + SAFE_FREE(oldpass); + return ret; +} + +/************************************************************************ Routine to set the plaintext machine account password for a realm -the password is assumed to be a null terminated ascii string + the password is assumed to be a null terminated ascii string. + Before storing ************************************************************************/ bool secrets_store_machine_password(const char *pass, const char *domain, @@ -345,6 +403,10 @@ bool secrets_store_machine_password(const char *pass, const char *domain, uint32 last_change_time; uint32 sec_channel_type; + if (!secrets_store_prev_machine_password(domain)) { + return false; + } + ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1); if (!ret) return ret; @@ -358,6 +420,17 @@ bool secrets_store_machine_password(const char *pass, const char *domain, return ret; } + +/************************************************************************ + Routine to fetch the previous plaintext machine account password for a realm + the password is assumed to be a null terminated ascii string. +************************************************************************/ + +char *secrets_fetch_prev_machine_password(const char *domain) +{ + return (char *)secrets_fetch(machine_prev_password_keystr(domain), NULL); +} + /************************************************************************ Routine to fetch the plaintext machine account password for a realm the password is assumed to be a null terminated ascii string. |