-rw-r--r-- | docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml | 14 | ||||
-rw-r--r-- | librpc/gen_ndr/cli_samr.c | 4 | ||||
-rw-r--r-- | librpc/gen_ndr/cli_samr.h | 4 | ||||
-rw-r--r-- | librpc/gen_ndr/ndr_samr.c | 126 | ||||
-rw-r--r-- | librpc/gen_ndr/ndr_samr.h | 8 | ||||
-rw-r--r-- | librpc/gen_ndr/samr.h | 53 | ||||
-rw-r--r-- | librpc/gen_ndr/srv_samr.c | 4 | ||||
-rw-r--r-- | librpc/idl/samr.idl | 30 | ||||
-rw-r--r-- | nsswitch/libwbclient/wbclient.h | 13 | ||||
-rw-r--r-- | nsswitch/pam_winbind.c | 8 | ||||
-rw-r--r-- | source3/include/proto.h | 2 | ||||
-rw-r--r-- | source3/rpc_client/cli_samr.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 7 | ||||
-rw-r--r-- | source3/rpcclient/cmd_samr.c | 21 | ||||
-rw-r--r-- | source3/smbd/chgpasswd.c | 18 | ||||
-rw-r--r-- | source3/smbd/nttrans.c | 2 | ||||
-rw-r--r-- | source3/winbindd/winbindd_cache.c | 1 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 4 | ||||
-rw-r--r-- | source4/dsdb/common/util.c | 25 | ||||
-rw-r--r-- | source4/kdc/kpasswdd.c | 17 | ||||
-rw-r--r-- | source4/rpc_server/samr/samr_password.c | 39 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 54 |
22 files changed, 250 insertions, 206 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml b/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml index 33e2697bd3..2c59aa7420 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml @@ -93,7 +93,6 @@ <indexterm><primary>idmap uid</primary></indexterm> <indexterm><primary>idmap gid</primary></indexterm> <indexterm><primary>idmap backend</primary></indexterm> -<indexterm><primary>LDAP</primary></indexterm> Winbind maintains a database called winbind_idmap.tdb in which it stores mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only for users and groups that do not have a local UID/GID. It stores the UID/GID @@ -210,7 +209,7 @@ Users on the UNIX machine can then use NT user and group names as they would <quote>native</quote> UNIX names. They can chown files so they are owned by NT domain users or even login to the - UNIX machine and run a UNIX X-Window session as a domain user.</para> + UNIX machine and run a UNIX X Window session as a domain user.</para> <para> <indexterm><primary>domain controller</primary></indexterm> @@ -571,7 +570,7 @@ is for you. <para> <indexterm><primary>PAM</primary></indexterm> <indexterm><primary>back up</primary></indexterm> -<indexterm><primary>boot disk`</primary></indexterm> +<indexterm><primary>boot disk</primary></indexterm> If you have a Samba configuration file that you are currently using, <emphasis>BACK IT UP!</emphasis> If your system already uses PAM, <emphasis>back up the <filename>/etc/pam.d</filename> directory contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE NOW!</emphasis> 
@@ -602,7 +601,7 @@ instructions on downloading the source code. <indexterm><primary>development libraries</primary></indexterm> To allow domain users the ability to access Samba shares and files, as well as potentially other services provided by your Samba machine, PAM must be set up properly on your -machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed +machine. In order to compile the Winbind modules, the PAM development libraries should be installed on your system. Please refer to the PAM Web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>. </para> </sect2> @@ -976,9 +975,6 @@ The same thing can be done for groups with the command: <indexterm><primary>/etc/init.d/smb</primary></indexterm> <indexterm><primary>/etc/init.d/samba</primary></indexterm> <indexterm><primary>/usr/local/samba/bin</primary></indexterm> -<indexterm><primary></primary></indexterm> -<indexterm><primary></primary></indexterm> -<indexterm><primary></primary></indexterm> The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running. To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and in <filename>/etc/init.d/samba</filename> in Debian @@ -1119,7 +1115,7 @@ usually only starts smbd and nmbd but should now start winbindd, too. If you hav </programlisting></para> <para> -Again, if you would like to run Samba in dual daemon mode, replace: +Again, if you would like to run winbindd in dual daemon mode, replace: <programlisting> /usr/local/samba/sbin/winbindd </programlisting> 
@@ -1234,7 +1230,7 @@ pre-create the directories of users to make sure users can log in on UNIX with t <indexterm><primary>Winbind</primary></indexterm> <indexterm><primary>ftp access</primary></indexterm> The <filename>/etc/pam.d/ftp</filename> file can be changed to allow Winbind ftp access in a manner similar to -the samba file. My <filename>/etc/pam.d/ftp</filename> file was changed to look like this: +the <filename>/etc/pam.d/samba</filename> file. My <filename>/etc/pam.d/ftp</filename> file was changed to look like this: <programlisting> auth required /lib/security/pam_listfile.so item=user sense=deny \ file=/etc/ftpusers onerr=succeed diff --git a/librpc/gen_ndr/cli_samr.c b/librpc/gen_ndr/cli_samr.c index 27119e53cc..72f5f74864 100644 --- a/librpc/gen_ndr/cli_samr.c +++ b/librpc/gen_ndr/cli_samr.c @@ -10448,7 +10448,7 @@ struct tevent_req *rpccli_samr_ChangePasswordUser3_send(TALLOC_CTX *mem_ctx, struct samr_Password *_lm_verifier /* [in] [unique] */, struct samr_CryptPassword *_password3 /* [in] [unique] */, struct samr_DomInfo1 **_dominfo /* [out] [ref] */, - struct samr_ChangeReject **_reject /* [out] [ref] */) + struct userPwdChangeFailureInformation **_reject /* [out] [ref] */) { struct tevent_req *req; struct rpccli_samr_ChangePasswordUser3_state *state; @@ -10576,7 +10576,7 @@ NTSTATUS rpccli_samr_ChangePasswordUser3(struct rpc_pipe_client *cli, struct samr_Password *lm_verifier /* [in] [unique] */, struct samr_CryptPassword *password3 /* [in] [unique] */, struct samr_DomInfo1 **dominfo /* [out] [ref] */, - struct samr_ChangeReject **reject /* [out] [ref] */) + struct userPwdChangeFailureInformation **reject /* [out] [ref] */) { struct samr_ChangePasswordUser3 r; NTSTATUS status; diff --git a/librpc/gen_ndr/cli_samr.h b/librpc/gen_ndr/cli_samr.h index ed2baa9aba..c94ff11cc7 100644 --- a/librpc/gen_ndr/cli_samr.h +++ b/librpc/gen_ndr/cli_samr.h 
@@ -963,7 +963,7 @@ struct tevent_req *rpccli_samr_ChangePasswordUser3_send(TALLOC_CTX *mem_ctx, struct samr_Password *_lm_verifier /* [in] [unique] */, struct samr_CryptPassword *_password3 /* [in] [unique] */, struct samr_DomInfo1 **_dominfo /* [out] [ref] */, - struct samr_ChangeReject **_reject /* [out] [ref] */); + struct userPwdChangeFailureInformation **_reject /* [out] [ref] */); NTSTATUS rpccli_samr_ChangePasswordUser3_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, NTSTATUS *result); @@ -978,7 +978,7 @@ NTSTATUS rpccli_samr_ChangePasswordUser3(struct rpc_pipe_client *cli, struct samr_Password *lm_verifier /* [in] [unique] */, struct samr_CryptPassword *password3 /* [in] [unique] */, struct samr_DomInfo1 **dominfo /* [out] [ref] */, - struct samr_ChangeReject **reject /* [out] [ref] */); + struct userPwdChangeFailureInformation **reject /* [out] [ref] */); struct tevent_req *rpccli_samr_Connect5_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct rpc_pipe_client *cli, diff --git a/librpc/gen_ndr/ndr_samr.c b/librpc/gen_ndr/ndr_samr.c index 8e6e0059c0..f4c1a0cfcf 100644 --- a/librpc/gen_ndr/ndr_samr.c +++ b/librpc/gen_ndr/ndr_samr.c 
@@ -32,33 +32,6 @@ _PUBLIC_ void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *na ndr_print_enum(ndr, name, "ENUM", val, r); } -_PUBLIC_ enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r) -{ - NDR_CHECK(ndr_push_enum_uint32(ndr, NDR_SCALARS, r)); - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r) -{ - uint32_t v; - NDR_CHECK(ndr_pull_enum_uint32(ndr, NDR_SCALARS, &v)); - *r = v; - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r) -{ - const char *val = NULL; - - switch (r) { - case SAMR_REJECT_OTHER: val = "SAMR_REJECT_OTHER"; break; - case SAMR_REJECT_TOO_SHORT: val = "SAMR_REJECT_TOO_SHORT"; break; - case SAMR_REJECT_IN_HISTORY: val = "SAMR_REJECT_IN_HISTORY"; break; - case SAMR_REJECT_COMPLEXITY: val = "SAMR_REJECT_COMPLEXITY"; break; - } - ndr_print_enum(ndr, name, "ENUM", val, r); -} - _PUBLIC_ enum ndr_err_code ndr_push_samr_AcctFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r) { NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); 
@@ -4738,41 +4711,100 @@ _PUBLIC_ void ndr_print_samr_ConnectVersion(struct ndr_print *ndr, const char *n ndr_print_enum(ndr, name, "ENUM", val, r); } -static enum ndr_err_code ndr_push_samr_ChangeReject(struct ndr_push *ndr, int ndr_flags, const struct samr_ChangeReject *r) +_PUBLIC_ enum ndr_err_code ndr_push_samPwdChangeReason(struct ndr_push *ndr, int ndr_flags, enum samPwdChangeReason r) +{ + NDR_CHECK(ndr_push_enum_uint32(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_samPwdChangeReason(struct ndr_pull *ndr, int ndr_flags, enum samPwdChangeReason *r) +{ + uint32_t v; + NDR_CHECK(ndr_pull_enum_uint32(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_samPwdChangeReason(struct ndr_print *ndr, const char *name, enum samPwdChangeReason r) +{ + const char *val = NULL; + + switch (r) { + case SAM_PWD_CHANGE_NO_ERROR: val = "SAM_PWD_CHANGE_NO_ERROR"; break; + case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT: val = "SAM_PWD_CHANGE_PASSWORD_TOO_SHORT"; break; + case SAM_PWD_CHANGE_PWD_IN_HISTORY: val = "SAM_PWD_CHANGE_PWD_IN_HISTORY"; break; + case SAM_PWD_CHANGE_USERNAME_IN_PASSWORD: val = "SAM_PWD_CHANGE_USERNAME_IN_PASSWORD"; break; + case SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD: val = "SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD"; break; + case SAM_PWD_CHANGE_NOT_COMPLEX: val = "SAM_PWD_CHANGE_NOT_COMPLEX"; break; + case SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT: val = "SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT"; break; + case SAM_PWD_CHANGE_FAILED_BY_FILTER: val = "SAM_PWD_CHANGE_FAILED_BY_FILTER"; break; + case SAM_PWD_CHANGE_PASSWORD_TOO_LONG: val = "SAM_PWD_CHANGE_PASSWORD_TOO_LONG"; break; + } + ndr_print_enum(ndr, name, "ENUM", val, r); +} + +static enum ndr_err_code ndr_push_userPwdChangeFailureInformation(struct ndr_push *ndr, int ndr_flags, const struct userPwdChangeFailureInformation *r) { if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_samr_RejectReason(ndr, 
NDR_SCALARS, r->reason)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown1)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown2)); - NDR_CHECK(ndr_push_trailer_align(ndr, 4)); + NDR_CHECK(ndr_push_align(ndr, 5)); + NDR_CHECK(ndr_push_samPwdChangeReason(ndr, NDR_SCALARS, r->extendedFailureReason)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->filterModuleName)); + NDR_CHECK(ndr_push_trailer_align(ndr, 5)); } if (ndr_flags & NDR_BUFFERS) { + if (r->filterModuleName) { + NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->filterModuleName, CH_UTF16))); + NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0)); + NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->filterModuleName, CH_UTF16))); + NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->filterModuleName, ndr_charset_length(r->filterModuleName, CH_UTF16), sizeof(uint16_t), CH_UTF16)); + } } return NDR_ERR_SUCCESS; } -static enum ndr_err_code ndr_pull_samr_ChangeReject(struct ndr_pull *ndr, int ndr_flags, struct samr_ChangeReject *r) +static enum ndr_err_code ndr_pull_userPwdChangeFailureInformation(struct ndr_pull *ndr, int ndr_flags, struct userPwdChangeFailureInformation *r) { + uint32_t _ptr_filterModuleName; + TALLOC_CTX *_mem_save_filterModuleName_0; if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_samr_RejectReason(ndr, NDR_SCALARS, &r->reason)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); - NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_samPwdChangeReason(ndr, NDR_SCALARS, &r->extendedFailureReason)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_filterModuleName)); + if (_ptr_filterModuleName) { + NDR_PULL_ALLOC(ndr, r->filterModuleName); + } else { + r->filterModuleName = NULL; + } + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); } if (ndr_flags & NDR_BUFFERS) { + if (r->filterModuleName) { + 
_mem_save_filterModuleName_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->filterModuleName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->filterModuleName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->filterModuleName)); + if (ndr_get_array_length(ndr, &r->filterModuleName) > ndr_get_array_size(ndr, &r->filterModuleName)) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->filterModuleName), ndr_get_array_length(ndr, &r->filterModuleName)); + } + NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->filterModuleName), sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->filterModuleName, ndr_get_array_length(ndr, &r->filterModuleName), sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_filterModuleName_0, 0); + } } return NDR_ERR_SUCCESS; } -_PUBLIC_ void ndr_print_samr_ChangeReject(struct ndr_print *ndr, const char *name, const struct samr_ChangeReject *r) +_PUBLIC_ void ndr_print_userPwdChangeFailureInformation(struct ndr_print *ndr, const char *name, const struct userPwdChangeFailureInformation *r) { - ndr_print_struct(ndr, name, "samr_ChangeReject"); + ndr_print_struct(ndr, name, "userPwdChangeFailureInformation"); ndr->depth++; - ndr_print_samr_RejectReason(ndr, "reason", r->reason); - ndr_print_uint32(ndr, "unknown1", r->unknown1); - ndr_print_uint32(ndr, "unknown2", r->unknown2); + ndr_print_samPwdChangeReason(ndr, "extendedFailureReason", r->extendedFailureReason); + ndr_print_ptr(ndr, "filterModuleName", r->filterModuleName); + ndr->depth++; + if (r->filterModuleName) { + ndr_print_string(ndr, "filterModuleName", r->filterModuleName); + } + ndr->depth--; ndr->depth--; } 
@@ -11806,7 +11838,7 @@ static enum ndr_err_code ndr_push_samr_ChangePasswordUser3(struct ndr_push *ndr, } NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.reject)); if (*r->out.reject) { - NDR_CHECK(ndr_push_samr_ChangeReject(ndr, NDR_SCALARS, *r->out.reject)); + NDR_CHECK(ndr_push_userPwdChangeFailureInformation(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.reject)); } NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result)); } @@ -11955,7 +11987,7 @@ static enum ndr_err_code ndr_pull_samr_ChangePasswordUser3(struct ndr_pull *ndr, if (*r->out.reject) { _mem_save_reject_1 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, *r->out.reject, 0); - NDR_CHECK(ndr_pull_samr_ChangeReject(ndr, NDR_SCALARS, *r->out.reject)); + NDR_CHECK(ndr_pull_userPwdChangeFailureInformation(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.reject)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reject_1, 0); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reject_0, LIBNDR_FLAG_REF_ALLOC); @@ -12034,7 +12066,7 @@ _PUBLIC_ void ndr_print_samr_ChangePasswordUser3(struct ndr_print *ndr, const ch ndr_print_ptr(ndr, "reject", *r->out.reject); ndr->depth++; if (*r->out.reject) { - ndr_print_samr_ChangeReject(ndr, "reject", *r->out.reject); + ndr_print_userPwdChangeFailureInformation(ndr, "reject", *r->out.reject); } ndr->depth--; ndr->depth--; diff --git a/librpc/gen_ndr/ndr_samr.h b/librpc/gen_ndr/ndr_samr.h index a341f69af0..9ece0ed5ca 100644 --- a/librpc/gen_ndr/ndr_samr.h +++ b/librpc/gen_ndr/ndr_samr.h 
@@ -151,9 +151,6 @@ extern const struct ndr_interface_table ndr_table_samr; enum ndr_err_code ndr_push_netr_SamDatabaseID(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID r); enum ndr_err_code ndr_pull_netr_SamDatabaseID(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID *r); void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID r); -enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r); -enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r); -void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r); enum ndr_err_code ndr_push_samr_AcctFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r); enum ndr_err_code ndr_pull_samr_AcctFlags(struct ndr_pull *ndr, int ndr_flags, uint32_t *r); void ndr_print_samr_AcctFlags(struct ndr_print *ndr, const char *name, uint32_t r); 
@@ -248,7 +245,10 @@ void ndr_print_samr_DispInfoAscii(struct ndr_print *ndr, const char *name, const void ndr_print_samr_DispInfo(struct ndr_print *ndr, const char *name, const union samr_DispInfo *r); void ndr_print_samr_PwInfo(struct ndr_print *ndr, const char *name, const struct samr_PwInfo *r); void ndr_print_samr_ConnectVersion(struct ndr_print *ndr, const char *name, enum samr_ConnectVersion r); -void ndr_print_samr_ChangeReject(struct ndr_print *ndr, const char *name, const struct samr_ChangeReject *r); +enum ndr_err_code ndr_push_samPwdChangeReason(struct ndr_push *ndr, int ndr_flags, enum samPwdChangeReason r); +enum ndr_err_code ndr_pull_samPwdChangeReason(struct ndr_pull *ndr, int ndr_flags, enum samPwdChangeReason *r); +void ndr_print_samPwdChangeReason(struct ndr_print *ndr, const char *name, enum samPwdChangeReason r); +void ndr_print_userPwdChangeFailureInformation(struct ndr_print *ndr, const char *name, const struct userPwdChangeFailureInformation *r); void ndr_print_samr_ConnectInfo1(struct ndr_print *ndr, const char *name, const struct samr_ConnectInfo1 *r); void ndr_print_samr_ConnectInfo(struct ndr_print *ndr, const char *name, const union samr_ConnectInfo *r); void ndr_print_samr_ValidateFieldsPresent(struct ndr_print *ndr, const char *name, uint32_t r); diff --git a/librpc/gen_ndr/samr.h b/librpc/gen_ndr/samr.h index 33b21d2d05..75462dec73 100644 --- a/librpc/gen_ndr/samr.h +++ b/librpc/gen_ndr/samr.h 
@@ -53,23 +53,6 @@ enum netr_SamDatabaseID #endif ; -enum samr_RejectReason -#ifndef USE_UINT_ENUMS - { - SAMR_REJECT_OTHER=(int)(0), - SAMR_REJECT_TOO_SHORT=(int)(1), - SAMR_REJECT_IN_HISTORY=(int)(2), - SAMR_REJECT_COMPLEXITY=(int)(5) -} -#else - { __donnot_use_enum_samr_RejectReason=0x7FFFFFFF} -#define SAMR_REJECT_OTHER ( 0 ) -#define SAMR_REJECT_TOO_SHORT ( 1 ) -#define SAMR_REJECT_IN_HISTORY ( 2 ) -#define SAMR_REJECT_COMPLEXITY ( 5 ) -#endif -; - /* bitmap samr_AcctFlags */ #define ACB_DISABLED ( 0x00000001 ) #define ACB_HOMDIRREQ ( 0x00000002 ) @@ -790,10 +773,36 @@ enum samr_ConnectVersion #endif ; -struct samr_ChangeReject { - enum samr_RejectReason reason; - uint32_t unknown1; - uint32_t unknown2; +enum samPwdChangeReason +#ifndef USE_UINT_ENUMS + { + SAM_PWD_CHANGE_NO_ERROR=(int)(0), + SAM_PWD_CHANGE_PASSWORD_TOO_SHORT=(int)(1), + SAM_PWD_CHANGE_PWD_IN_HISTORY=(int)(2), + SAM_PWD_CHANGE_USERNAME_IN_PASSWORD=(int)(3), + SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD=(int)(4), + SAM_PWD_CHANGE_NOT_COMPLEX=(int)(5), + SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT=(int)(6), + SAM_PWD_CHANGE_FAILED_BY_FILTER=(int)(7), + SAM_PWD_CHANGE_PASSWORD_TOO_LONG=(int)(8) +} +#else + { __donnot_use_enum_samPwdChangeReason=0x7FFFFFFF} +#define SAM_PWD_CHANGE_NO_ERROR ( 0 ) +#define SAM_PWD_CHANGE_PASSWORD_TOO_SHORT ( 1 ) +#define SAM_PWD_CHANGE_PWD_IN_HISTORY ( 2 ) +#define SAM_PWD_CHANGE_USERNAME_IN_PASSWORD ( 3 ) +#define SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD ( 4 ) +#define SAM_PWD_CHANGE_NOT_COMPLEX ( 5 ) +#define SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT ( 6 ) +#define SAM_PWD_CHANGE_FAILED_BY_FILTER ( 7 ) +#define SAM_PWD_CHANGE_PASSWORD_TOO_LONG ( 8 ) +#endif +; + +struct userPwdChangeFailureInformation { + enum samPwdChangeReason extendedFailureReason; + const char *filterModuleName;/* [unique,charset(UTF16)] */ }; struct samr_ConnectInfo1 { 
@@ -1852,7 +1861,7 @@ struct samr_ChangePasswordUser3 { struct { struct samr_DomInfo1 **dominfo;/* [ref] */ - struct samr_ChangeReject **reject;/* [ref] */ + struct userPwdChangeFailureInformation **reject;/* [ref] */ NTSTATUS result; } out; diff --git a/librpc/gen_ndr/srv_samr.c b/librpc/gen_ndr/srv_samr.c index e1b6951b3c..eba50b3e11 100644 --- a/librpc/gen_ndr/srv_samr.c +++ b/librpc/gen_ndr/srv_samr.c @@ -5030,7 +5030,7 @@ static bool api_samr_ChangePasswordUser3(pipes_struct *p) return false; } - r->out.reject = talloc_zero(r, struct samr_ChangeReject *); + r->out.reject = talloc_zero(r, struct userPwdChangeFailureInformation *); if (r->out.reject == NULL) { talloc_free(r); return false; @@ -6195,7 +6195,7 @@ NTSTATUS rpc_samr_dispatch(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, con return NT_STATUS_NO_MEMORY; } - r->out.reject = talloc_zero(mem_ctx, struct samr_ChangeReject *); + r->out.reject = talloc_zero(mem_ctx, struct userPwdChangeFailureInformation *); if (r->out.reject == NULL) { return NT_STATUS_NO_MEMORY; } diff --git a/librpc/idl/samr.idl b/librpc/idl/samr.idl index 8a5692fe17..da7b1aa82e 100644 --- a/librpc/idl/samr.idl +++ b/librpc/idl/samr.idl @@ -24,15 +24,6 @@ import "misc.idl", "lsa.idl", "security.idl"; SAM_DATABASE_PRIVS = 2 /* Privileges */ } netr_SamDatabaseID; - typedef [public,v1_enum] enum { - SAMR_REJECT_OTHER = 0, - SAMR_REJECT_TOO_SHORT = 1, - SAMR_REJECT_IN_HISTORY = 2, - SAMR_REJECT_COMPLEXITY = 5 - } samr_RejectReason; - - - /* account control (acct_flags) bits */ typedef [public,bitmap32bit] bitmap { ACB_DISABLED = 0x00000001, /* 1 = User account disabled */ 
@@ -1447,13 +1438,22 @@ import "misc.idl", "lsa.idl", "security.idl"; /************************/ /* Function 0x3f */ - typedef enum samr_RejectReason samr_RejectReason; + typedef [public,v1_enum] enum { + SAM_PWD_CHANGE_NO_ERROR = 0, + SAM_PWD_CHANGE_PASSWORD_TOO_SHORT = 1, + SAM_PWD_CHANGE_PWD_IN_HISTORY = 2, + SAM_PWD_CHANGE_USERNAME_IN_PASSWORD = 3, + SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD = 4, + SAM_PWD_CHANGE_NOT_COMPLEX = 5, + SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT = 6, + SAM_PWD_CHANGE_FAILED_BY_FILTER = 7, + SAM_PWD_CHANGE_PASSWORD_TOO_LONG = 8 + } samPwdChangeReason; typedef struct { - samr_RejectReason reason; - uint32 unknown1; - uint32 unknown2; - } samr_ChangeReject; + samPwdChangeReason extendedFailureReason; + [string,charset(UTF16)] uint16 *filterModuleName; + } userPwdChangeFailureInformation; NTSTATUS samr_ChangePasswordUser3( [in,unique] lsa_String *server, @@ -1465,7 +1465,7 @@ import "misc.idl", "lsa.idl", "security.idl"; [in,unique] samr_Password *lm_verifier, [in,unique] samr_CryptPassword *password3, [out,ref] samr_DomInfo1 **dominfo, - [out,ref] samr_ChangeReject **reject + [out,ref] userPwdChangeFailureInformation **reject ); /************************/ diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h index 4dc6d23dfc..ced82d8d22 100644 --- a/nsswitch/libwbclient/wbclient.h +++ b/nsswitch/libwbclient/wbclient.h @@ -427,10 +427,15 @@ struct wbcUserPasswordPolicyInfo { **/ enum wbcPasswordChangeRejectReason { - WBC_PWD_CHANGE_REJECT_OTHER=0, - WBC_PWD_CHANGE_REJECT_TOO_SHORT=1, - WBC_PWD_CHANGE_REJECT_IN_HISTORY=2, - WBC_PWD_CHANGE_REJECT_COMPLEXITY=5 + WBC_PWD_CHANGE_NO_ERROR=0, + WBC_PWD_CHANGE_PASSWORD_TOO_SHORT=1, + WBC_PWD_CHANGE_PWD_IN_HISTORY=2, + WBC_PWD_CHANGE_USERNAME_IN_PASSWORD=3, + WBC_PWD_CHANGE_FULLNAME_IN_PASSWORD=4, + WBC_PWD_CHANGE_NOT_COMPLEX=5, + WBC_PWD_CHANGE_MACHINE_NOT_DEFAULT=6, + WBC_PWD_CHANGE_FAILED_BY_FILTER=7, + WBC_PWD_CHANGE_PASSWORD_TOO_LONG=8 }; /** 
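Review bot: The new `userPwdChangeFailureInformation` does not occupy the same space on the wire as the struct it replaces. The old `samr_ChangeReject` marshalled three 32-bit values, while the new scalar part is one 32-bit enum plus a single pointer, which is 8 bytes under NDR32. If `unknown1` and `unknown2` were fields observed in real replies, they look like the length/size/pointer header of a counted string, and declaring the member as `lsa_String filterModuleName;` (lsa.idl is already imported and `lsa_String` is used by this call) would keep the old size. Please confirm against a captured reply before regenerating gen_ndr, because a shorter struct shifts where the following `result` field is read when parsing a peer's response.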
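Review bot: Renaming the enumerators of `enum wbcPasswordChangeRejectReason` removes the `WBC_PWD_CHANGE_REJECT_*` names from what appears to be the public libwbclient header, so existing consumers that spell them stop compiling even though the numeric values are unchanged. Compatibility aliases after the enum would avoid that, for example `#define WBC_PWD_CHANGE_REJECT_OTHER WBC_PWD_CHANGE_NO_ERROR`, and likewise for TOO_SHORT, IN_HISTORY and COMPLEXITY. A one-line comment that the values mirror `samPwdChangeReason` in samr.idl would also help keep the two lists in step.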
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index 324bede9ea..654b4385d8 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -1862,22 +1862,22 @@ static int winbind_chauthtok_request(struct pwb_context *ctx, switch (reject_reason) { case -1: break; - case WBC_PWD_CHANGE_REJECT_OTHER: + case WBC_PWD_CHANGE_NO_ERROR: if ((min_pwd_age > 0) && (pwd_last_set + min_pwd_age > time(NULL))) { PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PWD_TOO_RECENT"); } break; - case WBC_PWD_CHANGE_REJECT_TOO_SHORT: + case WBC_PWD_CHANGE_PASSWORD_TOO_SHORT: PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PWD_TOO_SHORT"); break; - case WBC_PWD_CHANGE_REJECT_IN_HISTORY: + case WBC_PWD_CHANGE_PWD_IN_HISTORY: PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PWD_HISTORY_CONFLICT"); break; - case WBC_PWD_CHANGE_REJECT_COMPLEXITY: + case WBC_PWD_CHANGE_NOT_COMPLEX: _make_remark(ctx, PAM_ERROR_MSG, _("Password does not meet " "complexity requirements")); diff --git a/source3/include/proto.h b/source3/include/proto.h index d31483a02e..dd46bdda83 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5427,7 +5427,7 @@ NTSTATUS rpccli_samr_chgpasswd_user3(struct rpc_pipe_client *cli, const char *newpassword, const char *oldpassword, struct samr_DomInfo1 **dominfo1, - struct samr_ChangeReject **reject); + struct userPwdChangeFailureInformation **reject); void get_query_dispinfo_params(int loop_count, uint32 *max_entries, uint32 *max_size); NTSTATUS rpccli_try_samr_connects(struct rpc_pipe_client *cli, diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index 5a0dff2965..df22ecb284 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -187,7 +187,7 @@ NTSTATUS rpccli_samr_chgpasswd_user3(struct rpc_pipe_client *cli, const char *newpassword, const char *oldpassword, struct samr_DomInfo1 **dominfo1, - struct samr_ChangeReject **reject) + struct userPwdChangeFailureInformation **reject) { NTSTATUS status; 
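Review bot: The switch in winbind_chauthtok_request still has cases only for the four reasons that existed before, so the new values such as `WBC_PWD_CHANGE_USERNAME_IN_PASSWORD`, `WBC_PWD_CHANGE_FULLNAME_IN_PASSWORD`, `WBC_PWD_CHANGE_FAILED_BY_FILTER` and `WBC_PWD_CHANGE_PASSWORD_TOO_LONG` give the user no explanation unless a `default:` outside this hunk covers them. Routing the content-related ones to the existing complexity remark is a small change: put `case WBC_PWD_CHANGE_USERNAME_IN_PASSWORD:` and `case WBC_PWD_CHANGE_FULLNAME_IN_PASSWORD:` directly ahead of `case WBC_PWD_CHANGE_NOT_COMPLEX:`. The switch in cmd_samr_chgpasswd3 (source3/rpcclient/cmd_samr.c) has the same gap, and with its `SAMR_REJECT_OTHER` case removed it now prints "unknown reject reason: 0" for value 0. The function body continues outside this hunk.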
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9e95c48033..d3a3372107 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2025,7 +2025,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, const char *wks = NULL; uint32 reject_reason; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; uint32_t tmp; DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__)); @@ -2070,7 +2070,8 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, return NT_STATUS_NO_MEMORY; } - reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject); + reject = TALLOC_ZERO_P(p->mem_ctx, + struct userPwdChangeFailureInformation); if (!reject) { return NT_STATUS_NO_MEMORY; } @@ -2105,7 +2106,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX; } - reject->reason = reject_reason; + reject->extendedFailureReason = reject_reason; *r->out.dominfo = dominfo; *r->out.reject = reject; diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 699b54d364..e52411f8f7 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -2538,7 +2538,7 @@ static NTSTATUS cmd_samr_chgpasswd3(struct rpc_pipe_client *cli, const char *user, *oldpass, *newpass; uint32 access_mask = MAXIMUM_ALLOWED_ACCESS; struct samr_DomInfo1 *info = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; if (argc < 3) { printf("Usage: %s username oldpass newpass\n", argv[0]); 
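Review bot: `reject_reason` in _samr_ChangePasswordUser3 is still declared as `uint32 reject_reason;` although this commit changes pass_oem_change() to take `enum samPwdChangeReason *reject_reason`. If the call, which is outside these hunks, passes `&reject_reason`, that is now an incompatible pointer type and relies on the enum having the same representation as uint32. Declaring it as `enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;` keeps the types aligned and gives the value copied into `reject->extendedFailureReason` a defined starting point.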
@@ -2581,22 +2581,19 @@ static NTSTATUS cmd_samr_chgpasswd3(struct rpc_pipe_client *cli, display_sam_dom_info_1(info); - switch (reject->reason) { - case SAMR_REJECT_TOO_SHORT: - d_printf("SAMR_REJECT_TOO_SHORT\n"); + switch (reject->extendedFailureReason) { + case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT: + d_printf("SAM_PWD_CHANGE_PASSWORD_TOO_SHORT\n"); break; - case SAMR_REJECT_IN_HISTORY: - d_printf("SAMR_REJECT_IN_HISTORY\n"); + case SAM_PWD_CHANGE_PWD_IN_HISTORY: + d_printf("SAM_PWD_CHANGE_PWD_IN_HISTORY\n"); break; - case SAMR_REJECT_COMPLEXITY: - d_printf("SAMR_REJECT_COMPLEXITY\n"); - break; - case SAMR_REJECT_OTHER: - d_printf("SAMR_REJECT_OTHER\n"); + case SAM_PWD_CHANGE_NOT_COMPLEX: + d_printf("SAM_PWD_CHANGE_NOT_COMPLEX\n"); break; default: d_printf("unknown reject reason: %d\n", - reject->reason); + reject->extendedFailureReason); break; } } diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index eaee3d8509..e2069060aa 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -778,7 +778,7 @@ NTSTATUS pass_oem_change(char *user, const uchar old_lm_hash_encrypted[16], uchar password_encrypted_with_nt_hash[516], const uchar old_nt_hash_encrypted[16], - uint32 *reject_reason) + enum samPwdChangeReason *reject_reason) { char *new_passwd = NULL; struct samu *sampass = NULL; @@ -1081,7 +1081,7 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext) is correct before calling. JRA. ************************************************************/ -NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, uint32 *samr_reject_reason) +NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason) { uint32 min_len; uint32 refuse; 
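Review bot: `reject->extendedFailureReason` is read here without a visible check that `reject` is non-NULL. The variable is initialised to NULL in this function and the generated NDR code treats the reply field as a unique pointer (`if (*r->out.reject)`), so a server can leave it unset. Unless the condition enclosing this block, which is outside the hunk, already tests it, guard the switch with `if (reject != NULL)`. winbindd_dual_pam_chauthtok in source3/winbindd/winbindd_pam.c reads `reject->extendedFailureReason` (and passes `info` on) in the same way, and since that runs in a long-lived daemon fed by a remote reply, an `if (info != NULL && reject != NULL)` check matters more there.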
@@ -1091,14 +1091,14 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw time_t can_change_time = pdb_get_pass_can_change_time(hnd); if (samr_reject_reason) { - *samr_reject_reason = Undefined; + *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR; } /* check to see if the secdesc has previously been set to disallow */ if (!pdb_get_pass_can_change(hnd)) { DEBUG(1, ("user %s does not have permissions to change password\n", username)); if (samr_reject_reason) { - *samr_reject_reason = SAMR_REJECT_OTHER; + *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_ACCOUNT_RESTRICTION; } @@ -1112,7 +1112,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw "denied by Refuse Machine Password Change policy\n", username)); if (samr_reject_reason) { - *samr_reject_reason = SAMR_REJECT_OTHER; + *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_ACCOUNT_RESTRICTION; } @@ -1125,7 +1125,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw "wait until %s\n", username, http_timestring(tosctx, can_change_time))); if (samr_reject_reason) { - *samr_reject_reason = SAMR_REJECT_OTHER; + *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_ACCOUNT_RESTRICTION; } @@ -1135,7 +1135,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw username)); DEBUGADD(1, (" account policy min password len = %d\n", min_len)); if (samr_reject_reason) { - *samr_reject_reason = SAMR_REJECT_TOO_SHORT; + *samr_reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT; } return NT_STATUS_PASSWORD_RESTRICTION; /* return NT_STATUS_PWD_TOO_SHORT; */ @@ -1143,7 +1143,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw if (check_passwd_history(hnd,new_passwd)) { if (samr_reject_reason) { - *samr_reject_reason = SAMR_REJECT_IN_HISTORY; + *samr_reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } 
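Review bot: Several failure paths in change_oem_password now store `SAM_PWD_CHANGE_NO_ERROR` while returning NT_STATUS_ACCOUNT_RESTRICTION, which reads as a contradiction to anyone who sees only the reason code. A comment at the first assignment would make the intent explicit, for example `/* NO_ERROR (0) means "no extended reason available", not success */`. The initial value also changes from `Undefined` to the same constant, so callers can no longer tell "never set" from "rejected for an unspecified reason"; that is worth stating in the function's header comment. The same pattern appears in the samdb_set_password hunks in source4/dsdb/common/util.c, and the function body continues outside this hunk.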
@@ -1171,7 +1171,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw if (check_ret != 0) { DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n")); if (samr_reject_reason) { - *samr_reject_reason = SAMR_REJECT_COMPLEXITY; + *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX; } TALLOC_FREE(pass); return NT_STATUS_PASSWORD_RESTRICTION; diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index cf955d9651..0cc05dbd52 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2036,7 +2036,7 @@ static void call_nt_transact_ioctl(connection_struct *conn, } /* needed_data_count 4 bytes */ - SIVAL(pdata,8,labels_data_count); + SIVAL(pdata, 8, labels_data_count+4); cur_pdata+=12; diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 6d48fe5f85..543b8b12b7 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -4359,6 +4359,7 @@ static bool wcache_opnum_cacheable(uint32_t opnum) case NDR_WBINT_QUERYSEQUENCENUMBER: case NDR_WBINT_ALLOCATEUID: case NDR_WBINT_ALLOCATEGID: + case NDR_WBINT_CHECKMACHINEACCOUNT: return false; } return true; diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 178b3ea74b..edbaa55e9b 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2060,7 +2060,7 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact struct rpc_pipe_client *cli; bool got_info = false; struct samr_DomInfo1 *info = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; fstring domain, user; 
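Review bot: The `+4` in `SIVAL(pdata, 8, labels_data_count+4);` is an unexplained constant added to a length field that is returned to the client. Please add a comment saying what the four bytes account for, and check that the allocation of `pdata` and the reply length, both outside this hunk, are derived from the same total so the advertised size and the bytes actually written cannot drift apart. The change is also unrelated to the password-change rename in the rest of the commit and would be easier to review and bisect on its own.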
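Review bot: wcache_opnum_cacheable() is written as a deny list that ends in `return true;`, so every opnum not named here is treated as cacheable and each new state-dependent call, like the `NDR_WBINT_CHECKMACHINEACCOUNT` added here, has to be remembered by hand. Inverting it, listing the cacheable opnums and ending in `return false;`, would make a forgotten entry cost a cache miss rather than a stale answer. If that is too large for this commit, a comment above the switch such as `/* every wbint call that must reach the DC has to be listed here */` would at least record the rule. The start of the function is outside the hunk.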
@@ -2102,7 +2102,7 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact fill_in_password_policy(state->response, info); state->response->data.auth.reject_reason = - reject->reason; + reject->extendedFailureReason; got_info = true; } diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index ce74c7b19c..9a8b59e55d 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1583,7 +1583,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, struct samr_Password *param_lmNewHash, struct samr_Password *param_ntNewHash, bool user_change, - enum samr_RejectReason *reject_reason, + enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { const char * const user_attrs[] = { "userAccountControl", @@ -1702,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, && (minPwdLength > utf16_len_n( new_password->data, new_password->length)/2)) { if (reject_reason) { - *reject_reason = SAMR_REJECT_TOO_SHORT; + *reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1726,7 +1726,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, & DOMAIN_PASSWORD_COMPLEX) != 0) && (!check_password_quality(new_pass))) { if (reject_reason) { - *reject_reason = SAMR_REJECT_COMPLEXITY; + *reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1742,7 +1742,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* are all password changes disallowed? */ if ((pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) != 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_OTHER; + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_PASSWORD_RESTRICTION; } 
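Review bot: In winbindd_dual_pam_chauthtok, `reject->extendedFailureReason` is read with no visible NULL check on `reject`, which is declared as NULL in the previous hunk and is filled only from the server's reply. The enclosing condition is outside the hunk, so a guard may exist. If it tests only the status, a reply with NT_STATUS_PASSWORD_RESTRICTION and no reject information would crash the winbindd child, and the server side of this same commit leaves `*r->out.reject` unset when its allocation fails. Suggested: `state->response->data.auth.reject_reason = reject ? reject->extendedFailureReason : SAM_PWD_CHANGE_NO_ERROR;`.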
@@ -1750,7 +1750,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* can this user change the password? */ if ((userAccountControl & UF_PASSWD_CANT_CHANGE) != 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_OTHER; + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1758,7 +1758,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */ if (pwdLastSet - minPwdAge > now_nt) { if (reject_reason) { - *reject_reason = SAMR_REJECT_OTHER; + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1768,14 +1768,14 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, if (lmNewHash && lmPwdHash && memcmp(lmNewHash->hash, lmPwdHash->hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } if (ntNewHash && ntPwdHash && memcmp(ntNewHash->hash, ntPwdHash->hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1791,7 +1791,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, if (memcmp(lmNewHash->hash, sambaLMPwdHistory[i].hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1800,7 +1800,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, if (memcmp(ntNewHash->hash, sambaNTPwdHistory[i].hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } 
@@ -1833,6 +1833,9 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, } } + if (reject_reason) { + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; + } return NT_STATUS_OK; } @@ -1851,7 +1854,7 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, bool user_change, - enum samr_RejectReason *reject_reason, + enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { NTSTATUS nt_status; diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 9664d1b016..f9bd683e88 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -113,7 +113,7 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc, static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, NTSTATUS status, - enum samr_RejectReason reject_reason, + enum samPwdChangeReason reject_reason, struct samr_DomInfo1 *dominfo, DATA_BLOB *error_blob) { @@ -132,17 +132,16 @@ static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { const char *reject_string; switch (reject_reason) { - case SAMR_REJECT_TOO_SHORT: + case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT: reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long", dominfo->min_password_length); break; - case SAMR_REJECT_COMPLEXITY: + case SAM_PWD_CHANGE_NOT_COMPLEX: reject_string = "Password does not meet complexity requirements"; break; - case SAMR_REJECT_IN_HISTORY: + case SAM_PWD_CHANGE_PWD_IN_HISTORY: reject_string = "Password is already in password history"; break; - case SAMR_REJECT_OTHER: default: reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords", dominfo->min_password_length, dominfo->password_history_length); 
@@ -178,7 +177,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, DATA_BLOB *reply) { NTSTATUS status; - enum samr_RejectReason reject_reason; + enum samPwdChangeReason reject_reason; struct samr_DomInfo1 *dominfo; struct ldb_context *samdb; @@ -248,7 +247,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, case KRB5_KPASSWD_VERS_SETPW: { NTSTATUS status; - enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER; + enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR; struct samr_DomInfo1 *dominfo = NULL; struct ldb_context *samdb; struct ldb_message *msg; @@ -349,7 +348,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, status = NT_STATUS_TRANSACTION_ABORTED; return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, - SAMR_REJECT_OTHER, + SAM_PWD_CHANGE_NO_ERROR, NULL, reply); } @@ -362,7 +361,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, ldb_transaction_cancel(samdb); return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, - SAMR_REJECT_OTHER, + SAM_PWD_CHANGE_NO_ERROR, NULL, reply); } diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 450af82895..1e6eb47e86 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -177,8 +177,9 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, /* samr_OemChangePasswordUser2 */ -NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct samr_OemChangePasswordUser2 *r) +NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, + TALLOC_CTX *mem_ctx, + struct samr_OemChangePasswordUser2 *r) { NTSTATUS status; DATA_BLOB new_password, new_unicode_password; 
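Review bot: In kpasswdd_change_password, `enum samPwdChangeReason reject_reason;` is declared without an initialiser, while the SETPW branch of kpasswd_process_request initialises the same variable to `SAM_PWD_CHANGE_NO_ERROR`. The diff shows samdb_set_password writing the out-parameter only on specific rejection paths and on success, so an earlier failure may leave it indeterminate when it reaches kpasswd_make_pwchange_reply; the rest of the function is outside the hunk, so this is inferred. Declaring `enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;` and `struct samr_DomInfo1 *dominfo = NULL;` would make both call sites consistent.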
@@ -335,8 +336,8 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, samr_ChangePasswordUser3 */ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - TALLOC_CTX *mem_ctx, - struct samr_ChangePasswordUser3 *r) + TALLOC_CTX *mem_ctx, + struct samr_ChangePasswordUser3 *r) { NTSTATUS status; DATA_BLOB new_password; @@ -348,8 +349,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, struct samr_Password *nt_pwd, *lm_pwd; DATA_BLOB nt_pwd_blob; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; - enum samr_RejectReason reason = SAMR_REJECT_OTHER; + struct userPwdChangeFailureInformation *reject = NULL; + enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR; uint8_t new_nt_hash[16], new_lm_hash[16]; struct samr_Password nt_verifier, lm_verifier; @@ -465,6 +466,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, true, /* this is a user password change */ &reason, &dominfo); + if (!NT_STATUS_IS_OK(status)) { goto failed; } @@ -494,18 +496,16 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, failed: ldb_transaction_cancel(sam_ctx); - talloc_free(sam_ctx); - reject = talloc(mem_ctx, struct samr_ChangeReject); - *r->out.dominfo = dominfo; - *r->out.reject = reject; + reject = talloc(mem_ctx, struct userPwdChangeFailureInformation); + if (reject != NULL) { + ZERO_STRUCTP(reject); + reject->extendedFailureReason = reason; - if (reject == NULL) { - return status; + *r->out.reject = reject; } - ZERO_STRUCTP(reject); - reject->reason = reason; + *r->out.dominfo = dominfo; return status; } 
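Review bot: In the `failed:` path of dcesrv_samr_ChangePasswordUser3, `talloc()` followed by `ZERO_STRUCTP(reject)` can be written as `reject = talloc_zero(mem_ctx, struct userPwdChangeFailureInformation);`. When that allocation fails, `*r->out.reject` is no longer assigned at all, so the reply depends on the caller having pre-set it to NULL. An explicit `*r->out.reject = reject;` outside the `if`, as the old code had, would keep that independent of the caller. The hunk also removes `talloc_free(sam_ctx)`, and the lifetime of `sam_ctx` now depends on its parent context, which is not visible here.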
@@ -516,12 +516,13 @@ failed: easy - just a subset of samr_ChangePasswordUser3 */ -NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct samr_ChangePasswordUser2 *r) +NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, + TALLOC_CTX *mem_ctx, + struct samr_ChangePasswordUser2 *r) { struct samr_ChangePasswordUser3 r2; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; r2.in.server = r->in.server; r2.in.account = r->in.account; @@ -584,7 +585,8 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, */ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, struct ldb_context *sam_ctx, - struct ldb_dn *account_dn, struct ldb_dn *domain_dn, + struct ldb_dn *account_dn, + struct ldb_dn *domain_dn, TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct samr_CryptPasswordEx *pwbuf) @@ -627,4 +629,3 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, NULL, NULL); } - diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index b786c3f46a..c448b3bb83 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2132,7 +2132,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct uint8_t old_lm_hash[16], new_lm_hash[16]; NTTIME t; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; torture_comment(tctx, "Testing ChangePasswordUser3\n"); 
@@ -2269,9 +2269,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct && (!null_nttime(last_password_change) || !dominfo->min_password_age)) { if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) { - if (reject && (reject->reason != SAMR_REJECT_OTHER)) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } } 
@@ -2288,40 +2288,40 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) && (last_password_change + dominfo->min_password_age > t)) { - if (reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } } else if ((dominfo->min_password_length > 0) && (strlen(newpass) < dominfo->min_password_length)) { - if (reject->reason != SAMR_REJECT_TOO_SHORT) { - torture_warning(tctx, "expected SAMR_REJECT_TOO_SHORT (%d), got %d\n", - SAMR_REJECT_TOO_SHORT, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n", + SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason); return false; } } else if ((dominfo->password_history_length > 0) && strequal(oldpass, newpass)) { - if (reject->reason != SAMR_REJECT_IN_HISTORY) { - torture_warning(tctx, "expected SAMR_REJECT_IN_HISTORY (%d), got %d\n", - SAMR_REJECT_IN_HISTORY, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n", + SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason); return false; } } else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) { - if (reject->reason != SAMR_REJECT_COMPLEXITY) { - torture_warning(tctx, "expected SAMR_REJECT_COMPLEXITY (%d), got %d\n", - SAMR_REJECT_COMPLEXITY, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n", + 
SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason); return false; } } - if (reject->reason == SAMR_REJECT_TOO_SHORT) { + if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) { /* retry with adjusted size */ return test_ChangePasswordUser3(p, tctx, account_string, dominfo->min_password_length, @@ -2330,9 +2330,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct } } else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -2369,7 +2369,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex uint8_t old_nt_hash[16], new_nt_hash[16]; NTTIME t; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; new_random_pass = samr_very_rand_pass(tctx, 128); @@ -2444,9 +2444,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ 
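Review bot: The checks in the -2288 hunk of test_ChangePasswordUser3 read `reject->extendedFailureReason` directly, while the neighbouring hunks at -2269 and -2330 use `reject && reject->extendedFailureReason != ...`. The outer condition is outside the hunk and may already test `reject`. If it does, the inner `reject &&` at -2269 is redundant; if it does not, these comparisons dereference NULL whenever the server returns no reject structure. Use one form throughout, for example `if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT)`.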
@@ -2482,9 +2482,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ |