authorVolker Lendecke <vl@samba.org>2010-04-16 16:28:05 +0200
committerVolker Lendecke <vl@samba.org>2010-04-19 14:27:20 +0200
commit9d0629d1552cac93ad8b746fa60122432762e6ac (patch)
tree883f5b5ee0ee62467aaf6c5dc09e669874f36435 /source3
parent45eeed2893e569483136c3f998eacb776d52e1ce (diff)
s3-winbind: Allow changing the password for pdb
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in4
-rw-r--r--source3/winbindd/winbindd_pam.c47
2 files changed, 50 insertions, 1 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index c28dec466c..6cfa85dbc5 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1246,6 +1246,8 @@ WINBINDD_OBJ1 = \
auth/server_info.o \
auth/server_info_sam.o \
auth/user_info.o \
+ auth/pampass.o \
+ smbd/chgpasswd.o \
../nsswitch/libwbclient/wb_reqtrans.o
WINBINDD_OBJ = \
@@ -2537,7 +2539,7 @@ bin/librpc_echo.@SHLIBEXT@: $(BINARY_PREREQS) $(RPC_ECHO_OBJ)
bin/winbindd@EXEEXT@: $(BINARY_PREREQS) $(WINBINDD_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT)
@echo "Linking $@"
@$(CC) -o $@ $(WINBINDD_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
- $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) \
+ $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(AUTH_LIBS) \
$(PASSDB_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) \
$(ZLIB_LIBS)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 6aeeb2d143..d8643a6158 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1924,6 +1924,53 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
/* Initialize reject reason */
state->response->data.auth.reject_reason = Undefined;
+ if (strequal(domain, get_global_sam_name())) {
+ struct samr_CryptPassword new_nt_password;
+ struct samr_CryptPassword new_lm_password;
+ struct samr_Password old_nt_hash_enc;
+ struct samr_Password old_lanman_hash_enc;
+ enum samPwdChangeReason rejectReason;
+
+ uchar old_nt_hash[16];
+ uchar old_lanman_hash[16];
+ uchar new_nt_hash[16];
+ uchar new_lanman_hash[16];
+
+ contact_domain = NULL;
+
+ E_md4hash(oldpass, old_nt_hash);
+ E_md4hash(newpass, new_nt_hash);
+
+ if (lp_client_lanman_auth() &&
+ E_deshash(newpass, new_lanman_hash) &&
+ E_deshash(oldpass, old_lanman_hash)) {
+
+ /* E_deshash returns false for 'long' passwords (> 14
+ DOS chars). This allows us to match Win2k, which
+ does not store a LM hash for these passwords (which
+ would reduce the effective password length to 14) */
+
+ encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE);
+ arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
+ E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
+ } else {
+ ZERO_STRUCT(new_lm_password);
+ ZERO_STRUCT(old_lanman_hash_enc);
+ }
+
+ encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE);
+
+ arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
+ E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
+
+ result = pass_oem_change(
+ user,
+ new_lm_password.data, old_lanman_hash_enc.hash,
+ new_nt_password.data, old_nt_hash_enc.hash,
+ &rejectReason);
+ goto done;
+ }
+
/* Get sam handle */
result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
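Review bot: The new local-SAM branch leaves password-equivalent material on the stack when it jumps to `done`: `old_nt_hash`, `new_nt_hash`, the two LM hash arrays and both `samr_CryptPassword` buffers are never cleared after `pass_oem_change()` returns. I would scrub them just before the `goto done;`, as in the excerpt below. If `ZERO_STRUCT` expands to a plain `memset` in this tree, the compiler may drop the stores as dead, so that is worth confirming. Separately, `rejectReason` is filled in by `pass_oem_change()` but never read inside the hunk, so `state->response->data.auth.reject_reason` appears to stay `Undefined` on a policy rejection unless the code at `done` handles it. The enclosing function starts and ends outside the hunk, so what `done` does with `contact_domain = NULL` and with the result is not visible here.

```c
	/* … unchanged: hash derivation, buffer encryption and the pass_oem_change() call … */

	/* Scrub password-equivalent material before leaving the block. */
	ZERO_STRUCT(old_nt_hash);
	ZERO_STRUCT(new_nt_hash);
	ZERO_STRUCT(old_lanman_hash);
	ZERO_STRUCT(new_lanman_hash);
	ZERO_STRUCT(new_nt_password);
	ZERO_STRUCT(new_lm_password);
	goto done;
```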