-rw-r--r--source3/passdb/pdb_get_set.c12
-rw-r--r--source3/passdb/pdb_interface.c41
-rwxr-xr-xsource3/script/mksmbpasswd.sh2
3 files changed, 52 insertions, 3 deletions
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 11df0ad56d..869165f1dc 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -925,7 +925,11 @@ BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[NT_HASH_LEN], enum
data_blob_clear_free(&sampass->private.nt_pw);
- sampass->private.nt_pw = data_blob(pwd, NT_HASH_LEN);
+ if (pwd) {
+ sampass->private.nt_pw = data_blob(pwd, NT_HASH_LEN);
+ } else {
+ sampass->private.nt_pw = data_blob(NULL, 0);
+ }
return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
}
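Review bot: The new NULL case in pdb_set_nt_passwd is undocumented, and the parameter is still declared `const uint8 pwd[NT_HASH_LEN]`, which reads as "always a full hash". I would add a comment above the branch such as `/* pwd == NULL clears the stored hash: nt_pw becomes an empty blob */`, and note in the function's header comment that `pdb_set_init_flags(sampass, PDB_NTPASSWD, flag)` still marks the field in that case. Code that reads nt_pw for authentication presumably has to treat the empty blob as "no usable password" rather than as a value to compare against; that lies outside this diff and is worth confirming. The same applies to the pdb_set_lanman_passwd hunk that follows, and both function bodies start outside their hunks.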
@@ -941,7 +945,11 @@ BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[LM_HASH_LEN],
data_blob_clear_free(&sampass->private.lm_pw);
- sampass->private.lm_pw = data_blob(pwd, LM_HASH_LEN);
+ if (pwd) {
+ sampass->private.lm_pw = data_blob(pwd, LM_HASH_LEN);
+ } else {
+ sampass->private.lm_pw = data_blob(NULL, 0);
+ }
return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
}
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 3592d5f0fd..1087624aca 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -36,6 +36,44 @@ static void lazy_initialize_passdb(void)
static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name);
+/*******************************************************************
+ Clean up uninitialised passwords. The only way to tell
+ that these values are not 'real' is that they do not
+ have a valid last set time. Instead, the value is fixed at 0.
+ Therefore we use that as the key for 'is this a valid password'.
+ However, it is perfectly valid to have a 'default' last change
+ time, such LDAP with a missing attribute would produce.
+********************************************************************/
+
+static void pdb_force_pw_initialization(SAM_ACCOUNT *pass)
+{
+ const char *lm_pwd, *nt_pwd;
+
+ /* only reset a password if the last set time has been
+ explicitly been set to zero. A default last set time
+ is ignored */
+
+ if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT)
+ && (pdb_get_pass_last_set_time(pass) == 0) )
+ {
+
+ if (pdb_get_init_flags(pass, PDB_LMPASSWD) != PDB_DEFAULT)
+ {
+ lm_pwd = pdb_get_lanman_passwd(pass);
+ if (lm_pwd)
+ pdb_set_lanman_passwd(pass, NULL, PDB_SET);
+ }
+ if (pdb_get_init_flags(pass, PDB_NTPASSWD) != PDB_DEFAULT)
+ {
+ nt_pwd = pdb_get_nt_passwd(pass);
+ if (nt_pwd)
+ pdb_set_nt_passwd(pass, NULL, PDB_SET);
+ }
+ }
+
+ return;
+}
+
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
{
struct pdb_init_function_entry *entry = backends;
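Review bot: In pdb_force_pw_initialization the BOOL results of `pdb_set_lanman_passwd(pass, NULL, PDB_SET)` and `pdb_set_nt_passwd(pass, NULL, PDB_SET)` are discarded. If either clear fails, the placeholder hash stays on the account and nothing records it. Since the helper is void, I would at least log the failure, e.g. `if (!pdb_set_nt_passwd(pass, NULL, PDB_SET)) DEBUG(0, ("pdb_force_pw_initialization: failed to clear NT hash\n"));`, and the same for the LM hash. The locals `const char *lm_pwd, *nt_pwd` are used only for a NULL test, and the setters take `const uint8`, so the getters presumably return a `uint8` pointer. Testing the getter result directly, `if (pdb_get_nt_passwd(pass))`, avoids the type mismatch. The hunk ends inside smb_register_passdb, whose body continues outside it.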
@@ -141,6 +179,7 @@ static NTSTATUS context_getsampwent(struct pdb_context *context, SAM_ACCOUNT *us
context->pwent_methods->setsampwent(context->pwent_methods, False);
}
user->methods = context->pwent_methods;
+ pdb_force_pw_initialization(user);
return ret;
}
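Review bot: The call `pdb_force_pw_initialization(user)` sits directly before `return ret;` with no status check visible in this hunk, whereas the calls added in context_getsampwnam and context_getsampwsid run only inside `if (NT_STATUS_IS_OK(...))`. If ret can be a non-success status here, the helper would read flags from an account the backend did not fill in; `if (NT_STATUS_IS_OK(ret)) pdb_force_pw_initialization(user);` would make the three paths agree. The loop that assigns ret starts outside the hunk, so this may already be guaranteed there. The placement also differs: here the helper runs after `user->methods` is assigned, while in the other two hunks it runs before `sam_acct->methods = curmethods;`.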
@@ -156,6 +195,7 @@ static NTSTATUS context_getsampwnam(struct pdb_context *context, SAM_ACCOUNT *sa
curmethods = context->pdb_methods;
while (curmethods){
if (NT_STATUS_IS_OK(ret = curmethods->getsampwnam(curmethods, sam_acct, username))) {
+ pdb_force_pw_initialization(sam_acct);
sam_acct->methods = curmethods;
return ret;
}
@@ -179,6 +219,7 @@ static NTSTATUS context_getsampwsid(struct pdb_context *context, SAM_ACCOUNT *sa
while (curmethods){
if (NT_STATUS_IS_OK(ret = curmethods->getsampwsid(curmethods, sam_acct, sid))) {
+ pdb_force_pw_initialization(sam_acct);
sam_acct->methods = curmethods;
return ret;
}
diff --git a/source3/script/mksmbpasswd.sh b/source3/script/mksmbpasswd.sh
index 854e1bd1b5..119a55611e 100755
--- a/source3/script/mksmbpasswd.sh
+++ b/source3/script/mksmbpasswd.sh
@@ -2,5 +2,5 @@
awk 'BEGIN {FS=":"
printf("#\n# SMB password file.\n#\n")
}
-{ printf( "%s:%s:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:%s\n", $1, $3, $5) }
+{ printf( "%s:%s:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD ]:LCT-00000000:%s\n", $1, $3, $5) }
'
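Review bot: The generated file still announces itself only as `# SMB password file.`, so nothing tells an administrator that every entry is now written with the `D` flag and cannot log in until it is enabled. I would extend the header printed in the BEGIN block with a line such as `# Accounts are created disabled; set a password and enable each one (e.g. smbpasswd -e).`. The account-flags field appears to be fixed-width in this format, and the page has collapsed its padding. It is worth confirming that one pad space was removed when `D` was added, so the bracketed field keeps its length.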