summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/proto.h3
-rw-r--r--source3/smbd/chgpasswd.c64
2 files changed, 45 insertions, 22 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index e46fe3c1fd..6955593179 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user,
uchar password_encrypted_with_nt_hash[516],
const uchar old_nt_hash_encrypted[16],
enum samPwdChangeReason *reject_reason);
+NTSTATUS check_password_complexity(const char *username,
+ const char *password,
+ enum samPwdChangeReason *samr_reject_reason);
NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
/* The following definitions come from smbd/close.c */
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index e2069060aa..2da36b2fe6 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1075,6 +1075,43 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
}
/***********************************************************
+************************************************************/
+
+NTSTATUS check_password_complexity(const char *username,
+ const char *password,
+ enum samPwdChangeReason *samr_reject_reason)
+{
+ TALLOC_CTX *tosctx = talloc_tos();
+
+ /* Use external script to check password complexity */
+ if (lp_check_password_script() && *(lp_check_password_script())) {
+ int check_ret;
+ char *cmd;
+
+ cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
+ if (!cmd) {
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+
+ check_ret = smbrunsecret(cmd, password);
+ DEBUG(5,("check_password_complexity: check password script (%s) returned [%d]\n",
+ cmd, check_ret));
+ TALLOC_FREE(cmd);
+
+ if (check_ret != 0) {
+ DEBUG(1,("check_password_complexity: "
+ "check password script said new password is not good enough!\n"));
+ if (samr_reject_reason) {
+ *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
+ }
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/***********************************************************
Code to change the oem password. Changes both the lanman
and NT hashes. Old_passwd is almost always NULL.
NOTE this function is designed to be called as root. Check the old password
@@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
struct passwd *pass = NULL;
const char *username = pdb_get_username(hnd);
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
+ NTSTATUS status;
if (samr_reject_reason) {
*samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
@@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
return NT_STATUS_ACCESS_DENIED;
}
- /* Use external script to check password complexity */
- if (lp_check_password_script() && *(lp_check_password_script())) {
- int check_ret;
- char *cmd;
-
- cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
- if (!cmd) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- check_ret = smbrunsecret(cmd, new_passwd);
- DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
- TALLOC_FREE(cmd);
-
- if (check_ret != 0) {
- DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
- if (samr_reject_reason) {
- *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
- }
- TALLOC_FREE(pass);
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
+ status = check_password_complexity(username, new_passwd, samr_reject_reason);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(pass);
+ return status;
}
/*