r4707: w2k3 don't restict passwords on

netr_ServerPasswordSet and netr_ServerPasswordSet2

so we do now

I also add a torture test for this

metze
(This used to be commit d896ac603a5cf387a10b21e64e2c92ff2626bc4d)

3 files changed, 84 insertions, 10 deletions

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 9eed9eb1f3..6ef1c66714 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -389,7 +389,8 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
 				       mod,
 				       NULL, /* Don't have plaintext */
 				       NULL, &r->in.new_password,
-				       False /* This is not considered a password change */,
+				       False, /* This is not considered a password change */
+				       False, /* don't restrict this password change (match w2k3) */
 				       NULL);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
@@ -1097,7 +1098,8 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
 				       msgs_domain[0]->dn,
 				       mod, new_pass, /* we have plaintext */
 				       NULL, NULL,
-				       False /* This is not considered a password change */,
+				       False, /* This is not considered a password change */
+				       False, /* don't restrict this password change (match w2k3) */
 				       NULL);
 	ZERO_ARRAY(new_pass);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 0e009f7b02..085fe450ac 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -115,7 +115,9 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	status = samdb_set_password(a_state->sam_ctx, mem_ctx,
 				    a_state->account_dn, a_state->domain_state->domain_dn,
 				    msg, NULL, &new_lmPwdHash, &new_ntPwdHash, 
-				    True, NULL);
+				    True, /* this is a user password change */
+				    True, /* run restriction tests */
+				    NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -229,7 +231,9 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
 				    user_dn, domain_dn, 
 				    mod, new_pass, 
 				    NULL, NULL,
-				    True, NULL);
+				    True, /* this is a user password change */
+				    True, /* run restriction tests */
+				    NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -378,7 +382,9 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 				    user_dn, domain_dn, 
 				    mod, new_pass, 
 				    NULL, NULL,
-				    True, &reason);
+				    True, /* this is a user password change */
+				    True, /* run restriction tests */
+				    &reason);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto failed;
 	}
@@ -481,6 +487,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 			    struct samr_Password *lmNewHash, 
 			    struct samr_Password *ntNewHash,
 			    BOOL user_change,
+			    BOOL restrict,
 			    uint32_t *reject_reason)
 {
 	const char * const user_attrs[] = { "userAccountControl", "lmPwdHistory", 
@@ -536,7 +543,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 
 	if (new_pass) {
 		/* check the various password restrictions */
-		if (minPwdLength > strlen_m(new_pass)) {
+		if (restrict && minPwdLength > strlen_m(new_pass)) {
 			if (reject_reason) {
 				*reject_reason = SAMR_REJECT_TOO_SHORT;
 			}
@@ -544,7 +551,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 		}
 		
 		/* possibly check password complexity */
-		if (pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
+		if (restrict && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
 		    !samdb_password_complexity_ok(new_pass)) {
 			if (reject_reason) {
 				*reject_reason = SAMR_REJECT_COMPLEXITY;
@@ -560,7 +567,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 		ntNewHash = &local_ntNewHash;
 	}
 
-	if (user_change) {
+	if (restrict && user_change) {
 		/* are all password changes disallowed? */
 		if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
 			if (reject_reason) {
@@ -757,7 +764,8 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
 				  account_dn, domain_dn, 
 				  msg, new_pass, 
 				  NULL, NULL,
-				  False /* This is a password set, not change */,
+				  False, /* This is a password set, not change */
+				  True, /* run restriction tests */
 				  NULL);
 }
 
@@ -810,7 +818,8 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
 				  account_dn, domain_dn, 
 				  msg, new_pass, 
 				  NULL, NULL,
-				  False,
+				  False, /* This is a password set, not change */
+				  True, /* run restriction tests */
 				  NULL);
 }
 
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 6128495043..3da539aea5 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -268,6 +268,37 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	r.in.secure_channel_type = SEC_CHAN_BDC;
 	r.in.computer_name = TEST_MACHINE_NAME;
 
+	password = "";
+	E_md4hash(password, r.in.new_password.hash);
+
+	creds_des_encrypt(&creds, &r.in.new_password);
+	/* by changing the machine password to ""
+	 * we check if the server uses password restrictions
+	 * for ServerPasswordSet2
+	 * (win2k3 accepts "")
+	 */
+	printf("Testing a second ServerPasswordSet on machine account\n");
+	printf("Changing machine account password to '%s'\n", password);
+
+	creds_client_authenticator(&creds, &r.in.credential);
+
+	status = dcerpc_netr_ServerPasswordSet(p, mem_ctx, &r);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("ServerPasswordSet (2) - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	if (!creds_client_check(&creds, &r.out.return_authenticator.cred)) {
+		printf("Credential chaining failed\n");
+	}
+
+	machine_password = password;
+
+	if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) {
+		printf("ServerPasswordSet failed to actually change the password\n");
+		return False;
+	}
+
 	password = generate_random_str(mem_ctx, 8);
 	E_md4hash(password, r.in.new_password.hash);
 
@@ -337,6 +368,38 @@ static BOOL test_SetPassword2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	r.in.secure_channel_type = SEC_CHAN_BDC;
 	r.in.computer_name = TEST_MACHINE_NAME;
 
+	password = "";
+	encode_pw_buffer(r.in.new_password.data, password, STR_UNICODE);
+	creds_arcfour_crypt(&creds, r.in.new_password.data, 516);
+
+	/* by changing the machine password to ""
+	 * we check if the server uses password restrictions
+	 * for ServerPasswordSet2
+	 * (win2k3 accepts "")
+	 */
+	printf("Testing a second ServerPasswordSet2 on machine account\n");
+	printf("Changing machine account password to '%s'\n", password);
+
+	creds_client_authenticator(&creds, &r.in.credential);
+
+	status = dcerpc_netr_ServerPasswordSet2(p, mem_ctx, &r);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("ServerPasswordSet (2) - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	if (!creds_client_check(&creds, &r.out.return_authenticator.cred)) {
+		printf("Credential chaining failed\n");
+	}
+
+	machine_password = password;
+
+	if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) {
+		printf("ServerPasswordSet failed to actually change the password\n");
+		return False;
+	}
+
+	/* now try a random password */
 	password = generate_random_str(mem_ctx, 8);
 	encode_pw_buffer(r.in.new_password.data, password, STR_UNICODE);
 	creds_arcfour_crypt(&creds, r.in.new_password.data, 516);