summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2006-02-27 16:39:56 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:10:50 -0500
commit8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e (patch)
tree1e3527c839627d6a78df47c79c01ea4c6d6c7a5c /source3
parentfe4a6081e4f0ed80cbb8203766563d7db99ad7ba (diff)
downloadsamba-8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e.tar.gz
samba-8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e.tar.bz2
samba-8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e.zip
r13720: Only lockout Administrator after x bad password attempts in offline-mode
when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
Diffstat (limited to 'source3')
-rw-r--r--source3/nsswitch/winbindd_pam.c45
1 files changed, 37 insertions, 8 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 2b9b13caf8..aa759af09a 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -298,6 +298,27 @@ static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain
return NT_STATUS_OK;
}
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *password_properties)
+{
+ struct winbindd_methods *methods;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ SAM_UNK_INFO_1 password_policy;
+
+ *password_properties = 0;
+
+ methods = domain->methods;
+
+ status = methods->password_policy(domain, mem_ctx, &password_policy);
+ if (NT_STATUS_IS_ERR(status)) {
+ return status;
+ }
+
+ *password_properties = password_policy.password_properties;
+
+ return NT_STATUS_OK;
+}
static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
const char *type,
@@ -789,22 +810,30 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
"Won't be able to honour account lockout policies\n"));
}
- if (max_allowed_bad_attempts == 0) {
- return NT_STATUS_WRONG_PASSWORD;
- }
-
/* increase counter */
- if (my_info3->bad_pw_count < max_allowed_bad_attempts) {
-
- my_info3->bad_pw_count++;
+ my_info3->bad_pw_count++;
+
+ if (max_allowed_bad_attempts == 0) {
+ goto failed;
}
/* lockout user */
if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
- my_info3->acct_flags |= ACB_AUTOLOCK;
+ uint32 password_properties;
+
+ result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
+ }
+
+ if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
+ (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
+ my_info3->acct_flags |= ACB_AUTOLOCK;
+ }
}
+failed:
result = winbindd_update_creds_by_info3(domain,
state->mem_ctx,
state->request.data.auth.user,