summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-06-21 19:40:50 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-06-22 22:21:04 +0200
commit0e637be43b584aef9f5101d15ae5bdc1172c5502 (patch)
treea44bb5f1222ec922874440ffe63c61ce2045bfda /source4/dsdb
parent37264e5917cace1582f41d6029a857fd4059eff6 (diff)
downloadsamba-0e637be43b584aef9f5101d15ae5bdc1172c5502.tar.gz
samba-0e637be43b584aef9f5101d15ae5bdc1172c5502.tar.bz2
samba-0e637be43b584aef9f5101d15ae5bdc1172c5502.zip
s4:password_hash LDB module - fix another problem regarding the lanman hash
When a user only provides only the lanman hash (and nothing else) and the lanman authentication is deactivated then we end in an account with no password attribute at all! Lock this down.
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c29
1 files changed, 16 insertions, 13 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 94eb9cf9fa..0a34645a91 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
} else if (io->og.lm_hash) {
- struct loadparm_context *lp_ctx =
- (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
-
- if (!lp_lanman_auth(lp_ctx)) {
- ldb_asprintf_errstring(ldb,
- "check_password_restrictions: "
- "The password change through the LM hash is deactivated!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
if (!io->o.lm_hash) {
ldb_asprintf_errstring(ldb,
"check_password_restrictions: "
@@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac,
{
const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+ struct loadparm_context *lp_ctx =
+ (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
int ret;
ZERO_STRUCTP(io);
@@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac,
"it's not allowed to set the LM hash password directly'");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- if (lm_hash != NULL) {
+
+ if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) {
io->n.lm_hash = talloc(io->ac, struct samr_Password);
memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length,
sizeof(io->n.lm_hash->hash)));
}
-
- if (old_lm_hash != NULL) {
+ if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) {
io->og.lm_hash = talloc(io->ac, struct samr_Password);
memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length,
sizeof(io->og.lm_hash->hash)));
@@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac,
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ /* refuse the change if someone tries to set/change the password by
+ * the lanman hash alone and we've deactivated that mechanism. This
+ * would end in an account without any password! */
+ if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+ && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+ ldb_asprintf_errstring(ldb,
+ "setup_io: "
+ "The password change/set operations performed using the LAN Manager hash alone are deactivated!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
/* refuse the change if someone wants to compare against a plaintext
or hash at the same time for a "password modify" operation... */
if ((io->og.cleartext_utf8 || io->og.cleartext_utf16)