diff options
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 30f55d6360..112a493174 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1437,6 +1437,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io) /* First check the old password is correct, for password changes */ if (!io->ac->pwd_reset && !io->ac->change_old_pw_checked) { + bool nt_hash_checked = false; + /* we need to old nt or lm hash given by the client */ if (!io->og.nt_hash && !io->og.lm_hash) { ldb_asprintf_errstring(ldb, @@ -1446,6 +1448,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io) return LDB_ERR_UNWILLING_TO_PERFORM; } + /* The password modify through the NT hash is encouraged and + has no problems at all */ if (io->og.nt_hash) { if (!io->o.nt_hash) { ldb_asprintf_errstring(ldb, @@ -1455,16 +1459,22 @@ static int check_password_restrictions(struct setup_password_fields_io *io) return LDB_ERR_CONSTRAINT_VIOLATION; } - /* The password modify through the NT hash is encouraged - and has no problems at all */ if (memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) { ldb_asprintf_errstring(ldb, "check_password_restrictions: " "The old password specified doesn't match!"); return LDB_ERR_CONSTRAINT_VIOLATION; } - } else if (io->og.lm_hash) { - if (!io->o.lm_hash) { + + nt_hash_checked = true; + } + + /* But it is also possible to change a password by the LM hash + * alone for compatibility reasons. This check is optional if + * the NT hash was already checked - otherwise it's mandatory. + * (as the SAMR operations request it). */ + if (io->og.lm_hash) { + if (!io->o.lm_hash && !nt_hash_checked) { ldb_asprintf_errstring(ldb, "check_password_restrictions: " "There's no old lm_hash, which is needed " @@ -1472,7 +1482,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io) return LDB_ERR_CONSTRAINT_VIOLATION; } - if (memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0) { + if (io->o.lm_hash && + memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0) { ldb_asprintf_errstring(ldb, "check_password_restrictions: " "The old password specified doesn't match!"); |