diff options
| author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-06-21 19:40:50 +0200 |
|---|---|---|
| committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-06-22 22:21:04 +0200 |
| commit | 0e637be43b584aef9f5101d15ae5bdc1172c5502 (patch) | |
| tree | a44bb5f1222ec922874440ffe63c61ce2045bfda /source4 | |
| parent | 37264e5917cace1582f41d6029a857fd4059eff6 (diff) | |
| download | samba-0e637be43b584aef9f5101d15ae5bdc1172c5502.tar.gz samba-0e637be43b584aef9f5101d15ae5bdc1172c5502.tar.bz2 samba-0e637be43b584aef9f5101d15ae5bdc1172c5502.zip | |
s4:password_hash LDB module - fix another problem regarding the lanman hash
When a user only provides only the lanman hash (and nothing else) and the
lanman authentication is deactivated then we end in an account with no
password attribute at all! Lock this down.
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 94eb9cf9fa..0a34645a91 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io) return LDB_ERR_UNWILLING_TO_PERFORM; } } else if (io->og.lm_hash) { - struct loadparm_context *lp_ctx = - (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); - - if (!lp_lanman_auth(lp_ctx)) { - ldb_asprintf_errstring(ldb, - "check_password_restrictions: " - "The password change through the LM hash is deactivated!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - if (!io->o.lm_hash) { ldb_asprintf_errstring(ldb, "check_password_restrictions: " @@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac, { const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct loadparm_context *lp_ctx = + (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); int ret; ZERO_STRUCTP(io); @@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac, "it's not allowed to set the LM hash password directly'"); return LDB_ERR_UNWILLING_TO_PERFORM; } - if (lm_hash != NULL) { + + if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) { io->n.lm_hash = talloc(io->ac, struct samr_Password); memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length, sizeof(io->n.lm_hash->hash))); } - - if (old_lm_hash != NULL) { + if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) { io->og.lm_hash = talloc(io->ac, struct samr_Password); memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length, sizeof(io->og.lm_hash->hash))); @@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac, return LDB_ERR_UNWILLING_TO_PERFORM; } + /* refuse the change if someone tries to set/change the password by + * the lanman hash alone and we've deactivated that mechanism. This + * would end in an account without any password! */ + if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16) + && (!io->n.nt_hash) && (!io->n.lm_hash)) { + ldb_asprintf_errstring(ldb, + "setup_io: " + "The password change/set operations performed using the LAN Manager hash alone are deactivated!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + /* refuse the change if someone wants to compare against a plaintext or hash at the same time for a "password modify" operation... */ if ((io->og.cleartext_utf8 || io->og.cleartext_utf16) |