diff options
-rw-r--r-- | source3/passdb/pdb_get_set.c | 12 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 41 | ||||
-rwxr-xr-x | source3/script/mksmbpasswd.sh | 2 |
3 files changed, 52 insertions, 3 deletions
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 11df0ad56d..869165f1dc 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -925,7 +925,11 @@ BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[NT_HASH_LEN], enum data_blob_clear_free(&sampass->private.nt_pw); - sampass->private.nt_pw = data_blob(pwd, NT_HASH_LEN); + if (pwd) { + sampass->private.nt_pw = data_blob(pwd, NT_HASH_LEN); + } else { + sampass->private.nt_pw = data_blob(NULL, 0); + } return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag); } @@ -941,7 +945,11 @@ BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[LM_HASH_LEN], data_blob_clear_free(&sampass->private.lm_pw); - sampass->private.lm_pw = data_blob(pwd, LM_HASH_LEN); + if (pwd) { + sampass->private.lm_pw = data_blob(pwd, LM_HASH_LEN); + } else { + sampass->private.lm_pw = data_blob(NULL, 0); + } return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag); } diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 3592d5f0fd..1087624aca 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -36,6 +36,44 @@ static void lazy_initialize_passdb(void) static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name); +/******************************************************************* + Clean up uninitialised passwords. The only way to tell + that these values are not 'real' is that they do not + have a valid last set time. Instead, the value is fixed at 0. + Therefore we use that as the key for 'is this a valid password'. + However, it is perfectly valid to have a 'default' last change + time, such LDAP with a missing attribute would produce. +********************************************************************/ + +static void pdb_force_pw_initialization(SAM_ACCOUNT *pass) +{ + const char *lm_pwd, *nt_pwd; + + /* only reset a password if the last set time has been + explicitly been set to zero. A default last set time + is ignored */ + + if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT) + && (pdb_get_pass_last_set_time(pass) == 0) ) + { + + if (pdb_get_init_flags(pass, PDB_LMPASSWD) != PDB_DEFAULT) + { + lm_pwd = pdb_get_lanman_passwd(pass); + if (lm_pwd) + pdb_set_lanman_passwd(pass, NULL, PDB_SET); + } + if (pdb_get_init_flags(pass, PDB_NTPASSWD) != PDB_DEFAULT) + { + nt_pwd = pdb_get_nt_passwd(pass); + if (nt_pwd) + pdb_set_nt_passwd(pass, NULL, PDB_SET); + } + } + + return; +} + NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init) { struct pdb_init_function_entry *entry = backends; @@ -141,6 +179,7 @@ static NTSTATUS context_getsampwent(struct pdb_context *context, SAM_ACCOUNT *us context->pwent_methods->setsampwent(context->pwent_methods, False); } user->methods = context->pwent_methods; + pdb_force_pw_initialization(user); return ret; } @@ -156,6 +195,7 @@ static NTSTATUS context_getsampwnam(struct pdb_context *context, SAM_ACCOUNT *sa curmethods = context->pdb_methods; while (curmethods){ if (NT_STATUS_IS_OK(ret = curmethods->getsampwnam(curmethods, sam_acct, username))) { + pdb_force_pw_initialization(sam_acct); sam_acct->methods = curmethods; return ret; } @@ -179,6 +219,7 @@ static NTSTATUS context_getsampwsid(struct pdb_context *context, SAM_ACCOUNT *sa while (curmethods){ if (NT_STATUS_IS_OK(ret = curmethods->getsampwsid(curmethods, sam_acct, sid))) { + pdb_force_pw_initialization(sam_acct); sam_acct->methods = curmethods; return ret; } diff --git a/source3/script/mksmbpasswd.sh b/source3/script/mksmbpasswd.sh index 854e1bd1b5..119a55611e 100755 --- a/source3/script/mksmbpasswd.sh +++ b/source3/script/mksmbpasswd.sh @@ -2,5 +2,5 @@ awk 'BEGIN {FS=":" printf("#\n# SMB password file.\n#\n") } -{ printf( "%s:%s:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:%s\n", $1, $3, $5) } +{ printf( "%s:%s:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD ]:LCT-00000000:%s\n", $1, $3, $5) } ' |