Tidy up some formatting. Get ready for allowing bad password lockout. (based

on a patch posted from Richard Renard <rrenard@idealx.com>. Jeremy. (This used to be commit abf54b58e95a949cb883d4485853dc560489c03f)
author: Jeremy Allison <jra@samba.org> 2003-09-08 20:42:33 +0000
committer: Jeremy Allison <jra@samba.org> 2003-09-08 20:42:33 +0000
commit: 07c90e499e5e02db94d4ca3f3d303b2b1952ace9 (patch)
tree: ef421200bd6fa88cea4eff8d32518dfbb4459720 /source3
parent: 5daacc87b514ec4fe2e50f159a6a422a85a77324 (diff)
download: samba-07c90e499e5e02db94d4ca3f3d303b2b1952ace9.tar.gz
samba-07c90e499e5e02db94d4ca3f3d303b2b1952ace9.tar.bz2
samba-07c90e499e5e02db94d4ca3f3d303b2b1952ace9.zip
2 files changed, 56 insertions, 63 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index fb66d53cd4..ce97bd7df2 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -27,8 +27,9 @@
 #define DBGC_CLASS DBGC_AUTH
 
 /****************************************************************************
-core of smb password checking routine.
+ Core of smb password checking routine.
 ****************************************************************************/
+
 static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
 				 const uchar *part_passwd,
 				 const DATA_BLOB *sec_blob,
@@ -54,8 +55,7 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
 	}
 
 	SMBOWFencrypt(part_passwd, sec_blob->data, p24);
-	if (user_sess_key != NULL)
-	{
+	if (user_sess_key != NULL) {
 		SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key);
 	}
 	
@@ -74,12 +74,11 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
   return (memcmp(p24, nt_response->data, 24) == 0);
 }
 
-
 /****************************************************************************
-core of smb password checking routine. (NTLMv2, LMv2)
-
-Note:  The same code works with both NTLMv2 and LMv2.
+ Core of smb password checking routine. (NTLMv2, LMv2)
+ Note:  The same code works with both NTLMv2 and LMv2.
 ****************************************************************************/
+
 static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
 				 const uchar *part_passwd,
 				 const DATA_BLOB *sec_blob,
@@ -92,8 +91,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
 	uchar client_response[16];
 	DATA_BLOB client_key_data;
 
-	if (part_passwd == NULL)
-	{
+	if (part_passwd == NULL) {
 		DEBUG(10,("No password set - DISALLOWING access\n"));
 		/* No password set - always False */
 		return False;
@@ -121,8 +119,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
 	}
 
 	SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
-	if (user_sess_key != NULL)
-	{
+	if (user_sess_key != NULL) {
 		SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key);
 	}
 
@@ -142,11 +139,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
 	return (memcmp(value_from_encryption, client_response, 16) == 0);
 }
 
-
 /****************************************************************************
  Do a specific test for an smb password being correct, given a smb_password and
  the lanman and NT responses.
 ****************************************************************************/
+
 static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 				TALLOC_CTX *mem_ctx,
 				SAM_ACCOUNT *sampass, 
@@ -158,15 +155,11 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 	uint32 auth_flags;
 
 	acct_ctrl = pdb_get_acct_ctrl(sampass);
-	if (acct_ctrl & ACB_PWNOTREQ) 
-	{
-		if (lp_null_passwords()) 
-		{
+	if (acct_ctrl & ACB_PWNOTREQ) {
+		if (lp_null_passwords()) {
 			DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", pdb_get_username(sampass)));
 			return(NT_STATUS_OK);
-		} 
-		else 
-		{
+		} else {
 			DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", pdb_get_username(sampass)));
 			return(NT_STATUS_LOGON_FAILURE);
 		}		
@@ -191,8 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 					  nt_pw, &auth_context->challenge, 
 					  user_info->smb_name.str, 
 					  user_info->client_domain.str,
-					  user_sess_key))
-		{
+					  user_sess_key)) {
 			return NT_STATUS_OK;
 		}
 
@@ -201,9 +193,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 					  nt_pw, &auth_context->challenge, 
 					  user_info->smb_name.str, 
 					  "",
-					  user_sess_key))
-		    
-		{
+					  user_sess_key)) {
 			return NT_STATUS_OK;
 		} else {
 			DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
@@ -218,8 +208,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 			DEBUG(4,("sam_password_ok: Checking NT MD4 password\n"));
 			if (smb_pwd_check_ntlmv1(&user_info->nt_resp, 
 						 nt_pw, &auth_context->challenge,
-						 user_sess_key)) 
-			{
+						 user_sess_key)) {
 				return NT_STATUS_OK;
 			} else {
 				DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass)));
@@ -247,8 +236,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 			DEBUG(4,("sam_password_ok: Checking LM password\n"));
 			if (smb_pwd_check_ntlmv1(&user_info->lm_resp, 
 						 lm_pw, &auth_context->challenge,
-						 user_sess_key)) 
-			{
+						 user_sess_key)) {
 				return NT_STATUS_OK;
 			}
 		}
@@ -268,8 +256,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 					  nt_pw, &auth_context->challenge, 
 					  user_info->smb_name.str, 
 					  user_info->client_domain.str,
-					  user_sess_key))
-		{
+					  user_sess_key)) {
 			return NT_STATUS_OK;
 		}
 
@@ -278,8 +265,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 					  nt_pw, &auth_context->challenge, 
 					  user_info->smb_name.str, 
 					  "",
-					  user_sess_key))
-		{
+					  user_sess_key)) {
 			return NT_STATUS_OK;
 		}
 
@@ -287,12 +273,10 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 		   - I think this is related to Win9X pass-though authentication
 		*/
 		DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
-		if (lp_ntlm_auth()) 
-		{
+		if (lp_ntlm_auth()) {
 			if (smb_pwd_check_ntlmv1(&user_info->lm_resp, 
 						 nt_pw, &auth_context->challenge,
-						 user_sess_key)) 
-			{
+						 user_sess_key)) {
 				return NT_STATUS_OK;
 			}
 			DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass)));
@@ -313,6 +297,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
  Do a specific test for a SAM_ACCOUNT being vaild for this connection 
  (ie not disabled, expired and the like).
 ****************************************************************************/
+
 static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 			       SAM_ACCOUNT *sampass, 
 			       const auth_usersupplied_info *user_info)
@@ -325,16 +310,22 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 
 	/* Quit if the account was disabled. */
 	if (acct_ctrl & ACB_DISABLED) {
-		DEBUG(1,("Account for user '%s' was disabled.\n", pdb_get_username(sampass)));
+		DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass)));
 		return NT_STATUS_ACCOUNT_DISABLED;
 	}
 
+	/* Quit if the account was locked out. */
+	if (acct_ctrl & ACB_AUTOLOCK) {
+		DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass)));
+		return NT_STATUS_ACCOUNT_LOCKED_OUT;
+	}
+
 	/* Test account expire time */
 	
 	kickoff_time = pdb_get_kickoff_time(sampass);
 	if (kickoff_time != 0 && time(NULL) > kickoff_time) {
-		DEBUG(1,("Account for user '%s' has expired.\n", pdb_get_username(sampass)));
-		DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
+		DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass)));
+		DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time));
 		return NT_STATUS_ACCOUNT_EXPIRED;
 	}
 
@@ -344,14 +335,14 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 
 		/* check for immediate expiry "must change at next logon" */
 		if (must_change_time == 0 && last_set_time != 0) {
-			DEBUG(1,("Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
+			DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
 			return NT_STATUS_PASSWORD_MUST_CHANGE;
 		}
 
 		/* check for expired password */
 		if (must_change_time < time(NULL) && must_change_time != 0) {
-			DEBUG(1,("Account for user '%s' password expired!.\n", pdb_get_username(sampass)));
-			DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time));
+			DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", pdb_get_username(sampass)));
+			DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time));
 			return NT_STATUS_PASSWORD_EXPIRED;
 		}
 	}
@@ -359,8 +350,8 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 	/* Test workstation. Workstation list is comma separated. */
 
 	workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass));
-
-	if (!workstation_list) return NT_STATUS_NO_MEMORY;
+	if (!workstation_list)
+		return NT_STATUS_NO_MEMORY;
 
 	if (*workstation_list) {
 		BOOL invalid_ws = True;
@@ -369,7 +360,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 		fstring tok;
 			
 		while (next_token(&s, tok, ",", sizeof(tok))) {
-			DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+			DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n",
 				  tok, user_info->wksta_name.str, user_info->wksta_name.len));
 			if(strequal(tok, user_info->wksta_name.str)) {
 				invalid_ws = False;
@@ -399,7 +390,6 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-
 /****************************************************************************
 check if a username/password is OK assuming the password is a 24 byte
 SMB hash supplied in the user_info structure
@@ -434,9 +424,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 	ret = pdb_getsampwnam(sampass, user_info->internal_username.str);
 	unbecome_root();
 
-	if (ret == False)
-	{
-		DEBUG(3,("Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str));
+	if (ret == False) {
+		DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str));
 		pdb_free_sam(&sampass);
 		return NT_STATUS_NO_SUCH_USER;
 	}
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
index 4475f1446f..91bc20af90 100644
--- a/source3/locking/locking.c
+++ b/source3/locking/locking.c
@@ -419,10 +419,10 @@ int get_share_modes(connection_struct *conn,
 	struct locking_data *data;
 	int num_share_modes;
 	share_mode_entry *shares = NULL;
-
+	TDB_DATA key = locking_key(dev, inode);
 	*pp_shares = NULL;
 
-	dbuf = tdb_fetch(tdb, locking_key(dev, inode));
+	dbuf = tdb_fetch(tdb, key);
 	if (!dbuf.dptr)
 		return 0;
 
@@ -469,7 +469,7 @@ int get_share_modes(connection_struct *conn,
 			/* The record has shrunk a bit */
 			dbuf.dsize -= del_count * sizeof(share_mode_entry);
 
-			if (tdb_store(tdb, locking_key(dev, inode), dbuf, TDB_REPLACE) == -1) {
+			if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) {
 				SAFE_FREE(shares);
 				SAFE_FREE(dbuf.dptr);
 				return 0;
@@ -544,12 +544,13 @@ ssize_t del_share_entry( SMB_DEV_T dev, SMB_INO_T inode,
 	int i, del_count=0;
 	share_mode_entry *shares;
 	ssize_t count = 0;
+	TDB_DATA key = locking_key(dev, inode);
 
 	if (ppse)
 		*ppse = NULL;
 
 	/* read in the existing share modes */
-	dbuf = tdb_fetch(tdb, locking_key(dev, inode));
+	dbuf = tdb_fetch(tdb, key);
 	if (!dbuf.dptr)
 		return -1;
 
@@ -590,10 +591,10 @@ ssize_t del_share_entry( SMB_DEV_T dev, SMB_INO_T inode,
 
 		/* store it back in the database */
 		if (data->u.num_share_mode_entries == 0) {
-			if (tdb_delete(tdb, locking_key(dev, inode)) == -1)
+			if (tdb_delete(tdb, key) == -1)
 				count = -1;
 		} else {
-			if (tdb_store(tdb, locking_key(dev, inode), dbuf, TDB_REPLACE) == -1)
+			if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1)
 				count = -1;
 		}
 	}
@@ -630,10 +631,11 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type)
 	struct locking_data *data;
 	char *p=NULL;
 	int size;
+	TDB_DATA key = locking_key_fsp(fsp);
 	BOOL ret = True;
 		
 	/* read in the existing share modes if any */
-	dbuf = tdb_fetch(tdb, locking_key_fsp(fsp));
+	dbuf = tdb_fetch(tdb, key);
 	if (!dbuf.dptr) {
 		size_t offset;
 		/* we'll need to create a new record */
@@ -658,7 +660,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type)
 		fill_share_mode(p + sizeof(*data), fsp, port, op_type);
 		dbuf.dptr = p;
 		dbuf.dsize = size;
-		if (tdb_store(tdb, locking_key_fsp(fsp), dbuf, TDB_REPLACE) == -1)
+		if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1)
 			ret = False;
 
 		print_share_mode_table((struct locking_data *)p);
@@ -688,7 +690,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type)
 	SAFE_FREE(dbuf.dptr);
 	dbuf.dptr = p;
 	dbuf.dsize = size;
-	if (tdb_store(tdb, locking_key_fsp(fsp), dbuf, TDB_REPLACE) == -1)
+	if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1)
 		ret = False;
 	print_share_mode_table((struct locking_data *)p);
 	SAFE_FREE(p);
@@ -709,9 +711,10 @@ static BOOL mod_share_mode( SMB_DEV_T dev, SMB_INO_T inode, share_mode_entry *en
 	share_mode_entry *shares;
 	BOOL need_store=False;
 	BOOL ret = True;
+	TDB_DATA key = locking_key(dev, inode);
 
 	/* read in the existing share modes */
-	dbuf = tdb_fetch(tdb, locking_key(dev, inode));
+	dbuf = tdb_fetch(tdb, key);
 	if (!dbuf.dptr)
 		return False;
 
@@ -729,10 +732,10 @@ static BOOL mod_share_mode( SMB_DEV_T dev, SMB_INO_T inode, share_mode_entry *en
 	/* if the mod fn was called then store it back */
 	if (need_store) {
 		if (data->u.num_share_mode_entries == 0) {
-			if (tdb_delete(tdb, locking_key(dev, inode)) == -1)
+			if (tdb_delete(tdb, key) == -1)
 				ret = False;
 		} else {
-			if (tdb_store(tdb, locking_key(dev, inode), dbuf, TDB_REPLACE) == -1)
+			if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1)
 				ret = False;
 		}
 	}
@@ -808,9 +811,10 @@ BOOL modify_delete_flag( SMB_DEV_T dev, SMB_INO_T inode, BOOL delete_on_close)
 	struct locking_data *data;
 	int i;
 	share_mode_entry *shares;
+	TDB_DATA key = locking_key(dev, inode);
 
 	/* read in the existing share modes */
-	dbuf = tdb_fetch(tdb, locking_key(dev, inode));
+	dbuf = tdb_fetch(tdb, key);
 	if (!dbuf.dptr)
 		return False;
 
@@ -826,7 +830,7 @@ BOOL modify_delete_flag( SMB_DEV_T dev, SMB_INO_T inode, BOOL delete_on_close)
 
 	/* store it back */
 	if (data->u.num_share_mode_entries) {
-		if (tdb_store(tdb, locking_key(dev,inode), dbuf, TDB_REPLACE)==-1) {
+		if (tdb_store(tdb, key, dbuf, TDB_REPLACE)==-1) {
 			SAFE_FREE(dbuf.dptr);
 			return False;
 		}
author	Jeremy Allison <jra@samba.org>	2003-09-08 20:42:33 +0000
committer	Jeremy Allison <jra@samba.org>	2003-09-08 20:42:33 +0000
commit	07c90e499e5e02db94d4ca3f3d303b2b1952ace9 (patch)
tree	ef421200bd6fa88cea4eff8d32518dfbb4459720 /source3
parent	5daacc87b514ec4fe2e50f159a6a422a85a77324 (diff)
download	samba-07c90e499e5e02db94d4ca3f3d303b2b1952ace9.tar.gz samba-07c90e499e5e02db94d4ca3f3d303b2b1952ace9.tar.bz2 samba-07c90e499e5e02db94d4ca3f3d303b2b1952ace9.zip