s4:samdb_set_password/samdb_set_password_sid - Rework

Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
author: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> 2009-09-26 12:09:07 +0200
committer: Matthias Dieter Wallnöfer <mdw@samba.org> 2010-05-10 19:07:46 +0200
commit: 6e8098b261b9357204c8fa5534871a4c137ca1c5 (patch)
tree: d3d438644b66be45e06d114d198ca72757b30e12 /source4/rpc_server
parent: fc8e3ffb5f261e7efdcbcef46b1f13c3b5599730 (diff)
download: samba-6e8098b261b9357204c8fa5534871a4c137ca1c5.tar.gz
samba-6e8098b261b9357204c8fa5534871a4c137ca1c5.tar.bz2
samba-6e8098b261b9357204c8fa5534871a4c137ca1c5.zip
2 files changed, 21 insertions, 96 deletions
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index e2890f7ad7..5775b1410f 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -3562,14 +3562,14 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL
 						   a_state->sam_ctx,
 						   a_state->account_dn,
 						   a_state->domain_state->domain_dn,
-						   mem_ctx, msg, 
+						   mem_ctx,
 						   &r->in.info->info23.password);
 		} else IFSET(SAMR_FIELD_LM_PASSWORD_PRESENT) {
 			status = samr_set_password(dce_call,
 						   a_state->sam_ctx,
 						   a_state->account_dn,
 						   a_state->domain_state->domain_dn,
-						   mem_ctx, msg, 
+						   mem_ctx,
 						   &r->in.info->info23.password);
 		}
 #undef IFSET
@@ -3581,7 +3581,7 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL
 					   a_state->sam_ctx,
 					   a_state->account_dn,
 					   a_state->domain_state->domain_dn,
-					   mem_ctx, msg, 
+					   mem_ctx,
 					   &r->in.info->info24.password);
 		break;
 
@@ -3625,14 +3625,14 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL
 						      a_state->sam_ctx,
 						      a_state->account_dn,
 						      a_state->domain_state->domain_dn,
-						      mem_ctx, msg, 
+						      mem_ctx,
 						      &r->in.info->info25.password);
 		} else IFSET(SAMR_FIELD_LM_PASSWORD_PRESENT) {
 			status = samr_set_password_ex(dce_call,
 						      a_state->sam_ctx,
 						      a_state->account_dn,
 						      a_state->domain_state->domain_dn,
-						      mem_ctx, msg, 
+						      mem_ctx,
 						      &r->in.info->info25.password);
 		}
 #undef IFSET
@@ -3644,7 +3644,7 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL
 					      a_state->sam_ctx,
 					      a_state->account_dn,
 					      a_state->domain_state->domain_dn,
-					      mem_ctx, msg, 
+					      mem_ctx,
 					      &r->in.info->info26.password);
 		break;
 		
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 1a09283ea6..288df91b09 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -40,7 +40,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 	struct dcesrv_handle *h;
 	struct samr_account_state *a_state;
 	struct ldb_context *sam_ctx;
-	struct ldb_message **res, *msg;
+	struct ldb_message **res;
 	int ret;
 	struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
 	struct samr_Password *lm_pwd, *nt_pwd;
@@ -79,10 +79,10 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 		ldb_transaction_cancel(sam_ctx);
 		return NT_STATUS_WRONG_PASSWORD;
 	}
-	msg = res[0];
 
-	status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
-					msg, &lm_pwd, &nt_pwd);
+	status = samdb_result_passwords(mem_ctx,
+					dce_call->conn->dce_ctx->lp_ctx,
+					res[0], &lm_pwd, &nt_pwd);
 	if (!NT_STATUS_IS_OK(status) || !nt_pwd) {
 		ldb_transaction_cancel(sam_ctx);
 		return NT_STATUS_WRONG_PASSWORD;
@@ -126,23 +126,12 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 		}
 	}
 
-	msg = ldb_msg_new(mem_ctx);
-	if (msg == NULL) {
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	msg->dn = ldb_dn_copy(msg, a_state->account_dn);
-	if (!msg->dn) {
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	/* setup password modify mods on the user DN specified.  This may fail
 	 * due to password policies.  */
 	status = samdb_set_password(sam_ctx, mem_ctx,
-				    a_state->account_dn, a_state->domain_state->domain_dn,
-				    msg, NULL, &new_lmPwdHash, &new_ntPwdHash, 
+				    a_state->account_dn,
+				    a_state->domain_state->domain_dn,
+				    NULL, &new_lmPwdHash, &new_ntPwdHash,
 				    true, /* this is a user password change */
 				    NULL,
 				    NULL);
@@ -151,17 +140,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 		return status;
 	}
 
-	/* The above call only setup the modifications, this actually
-	 * makes the write to the database. */
-	ret = dsdb_replace(sam_ctx, msg, 0);
-	if (ret != LDB_SUCCESS) {
-		DEBUG(2,("Failed to modify record to change password on %s: %s\n",
-			 ldb_dn_get_linearized(a_state->account_dn),
-			 ldb_errstring(sam_ctx)));
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
 	/* And this confirms it in a transaction commit */
 	ret = ldb_transaction_commit(sam_ctx);
 	if (ret != LDB_SUCCESS) {
@@ -188,7 +166,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 	struct ldb_context *sam_ctx;
 	struct ldb_dn *user_dn;
 	int ret;
-	struct ldb_message **res, *mod;
+	struct ldb_message **res;
 	const char * const attrs[] = { "objectSid", "dBCSPwd", NULL };
 	struct samr_Password *lm_pwd;
 	DATA_BLOB lm_pwd_blob;
@@ -282,23 +260,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 		return NT_STATUS_WRONG_PASSWORD;
 	}
 
-	mod = ldb_msg_new(mem_ctx);
-	if (mod == NULL) {
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	mod->dn = ldb_dn_copy(mod, user_dn);
-	if (!mod->dn) {
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	/* set the password on the user DN specified.  This may fail
 	 * due to password policies */
 	status = samdb_set_password(sam_ctx, mem_ctx,
 				    user_dn, NULL, 
-				    mod, &new_unicode_password, 
+				    &new_unicode_password,
 				    NULL, NULL,
 				    true, /* this is a user password change */
 				    NULL, 
@@ -308,17 +274,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 		return status;
 	}
 
-	/* The above call only setup the modifications, this actually
-	 * makes the write to the database. */
-	ret = dsdb_replace(sam_ctx, mod, 0);
-	if (ret != LDB_SUCCESS) {
-		DEBUG(2,("Failed to modify record to change password on %s: %s\n",
-			 ldb_dn_get_linearized(user_dn),
-			 ldb_errstring(sam_ctx)));
-		ldb_transaction_cancel(sam_ctx);
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
 	/* And this confirms it in a transaction commit */
 	ret = ldb_transaction_commit(sam_ctx);
 	if (ret != LDB_SUCCESS) {
@@ -344,7 +299,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 	struct ldb_context *sam_ctx = NULL;
 	struct ldb_dn *user_dn;
 	int ret;
-	struct ldb_message **res, *mod;
+	struct ldb_message **res;
 	const char * const attrs[] = { "unicodePwd", "dBCSPwd", NULL };
 	struct samr_Password *nt_pwd, *lm_pwd;
 	DATA_BLOB nt_pwd_blob;
@@ -445,23 +400,11 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 		}
 	}
 
-	mod = ldb_msg_new(mem_ctx);
-	if (mod == NULL) {
-		status = NT_STATUS_NO_MEMORY;
-		goto failed;
-	}
-
-	mod->dn = ldb_dn_copy(mod, user_dn);
-	if (!mod->dn) {
-		status = NT_STATUS_NO_MEMORY;
-		goto failed;
-	}
-
 	/* set the password on the user DN specified.  This may fail
 	 * due to password policies */
 	status = samdb_set_password(sam_ctx, mem_ctx,
 				    user_dn, NULL, 
-				    mod, &new_password, 
+				    &new_password,
 				    NULL, NULL,
 				    true, /* this is a user password change */
 				    &reason, 
@@ -471,17 +414,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 		goto failed;
 	}
 
-	/* The above call only setup the modifications, this actually
-	 * makes the write to the database. */
-	ret = dsdb_replace(sam_ctx, mod, 0);
-	if (ret != LDB_SUCCESS) {
-		DEBUG(2,("dsdb_replace failed to change password for %s: %s\n",
-			 ldb_dn_get_linearized(user_dn),
-			 ldb_errstring(sam_ctx)));
-		status = NT_STATUS_UNSUCCESSFUL;
-		goto failed;
-	}
-
 	/* And this confirms it in a transaction commit */
 	ret = ldb_transaction_commit(sam_ctx);
 	if (ret != LDB_SUCCESS) {
@@ -497,9 +429,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 failed:
 	ldb_transaction_cancel(sam_ctx);
 
-	reject = talloc(mem_ctx, struct userPwdChangeFailureInformation);
+	reject = talloc_zero(mem_ctx, struct userPwdChangeFailureInformation);
 	if (reject != NULL) {
-		ZERO_STRUCTP(reject);
 		reject->extendedFailureReason = reason;
 
 		*r->out.reject = reject;
@@ -541,14 +472,11 @@ NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call,
 
 /*
   set password via a samr_CryptPassword buffer
-  this will in the 'msg' with modify operations that will update the user
-  password when applied
 */
 NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
-			   void *sam_ctx,
+			   struct ldb_context *sam_ctx,
 			   struct ldb_dn *account_dn, struct ldb_dn *domain_dn,
 			   TALLOC_CTX *mem_ctx,
-			   struct ldb_message *msg, 
 			   struct samr_CryptPassword *pwbuf)
 {
 	NTSTATUS nt_status;
@@ -571,7 +499,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
 	   so the domain password policy can be used */
 	return samdb_set_password(sam_ctx, mem_ctx,
 				  account_dn, domain_dn, 
-				  msg, &new_password, 
+				  &new_password,
 				  NULL, NULL,
 				  false, /* This is a password set, not change */
 				  NULL, NULL);
@@ -580,15 +508,12 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
 
 /*
   set password via a samr_CryptPasswordEx buffer
-  this will in the 'msg' with modify operations that will update the user
-  password when applied
 */
 NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
 			      struct ldb_context *sam_ctx,
 			      struct ldb_dn *account_dn,
 			      struct ldb_dn *domain_dn,
 			      TALLOC_CTX *mem_ctx,
-			      struct ldb_message *msg, 
 			      struct samr_CryptPasswordEx *pwbuf)
 {
 	NTSTATUS nt_status;
@@ -623,7 +548,7 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
 	   so the domain password policy can be used */
 	return samdb_set_password(sam_ctx, mem_ctx,
 				  account_dn, domain_dn, 
-				  msg, &new_password, 
+				  &new_password,
 				  NULL, NULL,
 				  false, /* This is a password set, not change */
 				  NULL, NULL);
author	Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>	2009-09-26 12:09:07 +0200
committer	Matthias Dieter Wallnöfer <mdw@samba.org>	2010-05-10 19:07:46 +0200
commit	6e8098b261b9357204c8fa5534871a4c137ca1c5 (patch)
tree	d3d438644b66be45e06d114d198ca72757b30e12 /source4/rpc_server
parent	fc8e3ffb5f261e7efdcbcef46b1f13c3b5599730 (diff)
download	samba-6e8098b261b9357204c8fa5534871a4c137ca1c5.tar.gz samba-6e8098b261b9357204c8fa5534871a4c137ca1c5.tar.bz2 samba-6e8098b261b9357204c8fa5534871a4c137ca1c5.zip