summaryrefslogtreecommitdiff
path: root/source4/rpc_server/samr
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-08-22 04:28:15 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:02:23 -0500
commitd7f84b51f96c2e1b48a38de823329f2e4ea86e55 (patch)
tree7c542a304bf3da5d2eaad177b8ac400ee6d5da44 /source4/rpc_server/samr
parentbd93ed4680b3a86348b0d84a93d20f3daafbe8ad (diff)
downloadsamba-d7f84b51f96c2e1b48a38de823329f2e4ea86e55.tar.gz
samba-d7f84b51f96c2e1b48a38de823329f2e4ea86e55.tar.bz2
samba-d7f84b51f96c2e1b48a38de823329f2e4ea86e55.zip
r24611: Following up on the re-opening of bug 4817 is it pretty clear that
machine accounts are not subject to password policy in Win2k3 R2 (at least in terms of password quality). In testing this, I found that Win2k3 R2 has changed the way the old ChangePassword RPC call is handled - the 'cross-checks' between new LM and NT passwords are not required. Andrew Bartlett (This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d)
Diffstat (limited to 'source4/rpc_server/samr')
-rw-r--r--source4/rpc_server/samr/samr_password.c45
1 files changed, 22 insertions, 23 deletions
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index fac0015f0e..e3cb70ad17 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -62,12 +62,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALL
present */
return NT_STATUS_INVALID_PARAMETER_MIX;
}
- if (!r->in.cross1_present || !r->in.nt_cross) {
- return NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED;
- }
- if (!r->in.cross2_present || !r->in.lm_cross) {
- return NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED;
- }
/* To change a password we need to open as system */
sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
@@ -112,18 +106,24 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALL
return NT_STATUS_WRONG_PASSWORD;
}
- /* check the nt cross hash */
- D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
- ldb_transaction_cancel(sam_ctx);
- return NT_STATUS_WRONG_PASSWORD;
+ /* The NT Cross is not required by Win2k3 R2, but if present
+ check the nt cross hash */
+ if (r->in.cross1_present && r->in.nt_cross) {
+ D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
+ if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
}
- /* check the lm cross hash */
- D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
- ldb_transaction_cancel(sam_ctx);
- return NT_STATUS_WRONG_PASSWORD;
+ /* The LM Cross is not required by Win2k3 R2, but if present
+ check the lm cross hash */
+ if (r->in.cross2_present && r->in.lm_cross) {
+ D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
+ if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
}
msg = ldb_msg_new(mem_ctx);
@@ -144,7 +144,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALL
a_state->account_dn, a_state->domain_state->domain_dn,
msg, NULL, &new_lmPwdHash, &new_ntPwdHash,
True, /* this is a user password change */
- True, /* run restriction tests */
NULL,
NULL);
if (!NT_STATUS_IS_OK(status)) {
@@ -196,7 +195,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
struct samr_Password lm_verifier;
if (pwbuf == NULL) {
- return NT_STATUS_WRONG_PASSWORD;
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (r->in.hash == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
}
/* To change a password we need to open as system */
@@ -245,7 +248,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
}
/* check LM verifier */
- if (lm_pwd == NULL || r->in.hash == NULL) {
+ if (lm_pwd == NULL) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
@@ -276,7 +279,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
mod, new_pass,
NULL, NULL,
True, /* this is a user password change */
- True, /* run restriction tests */
NULL,
NULL);
if (!NT_STATUS_IS_OK(status)) {
@@ -430,7 +432,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
mod, new_pass,
NULL, NULL,
True, /* this is a user password change */
- True, /* run restriction tests */
&reason,
&dominfo);
if (!NT_STATUS_IS_OK(status)) {
@@ -539,7 +540,6 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
msg, new_pass,
NULL, NULL,
False, /* This is a password set, not change */
- True, /* run restriction tests */
NULL, NULL);
}
@@ -593,7 +593,6 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
msg, new_pass,
NULL, NULL,
False, /* This is a password set, not change */
- True, /* run restriction tests */
NULL, NULL);
}