summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c29
1 files changed, 16 insertions, 13 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 94eb9cf9fa..0a34645a91 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
} else if (io->og.lm_hash) {
- struct loadparm_context *lp_ctx =
- (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
-
- if (!lp_lanman_auth(lp_ctx)) {
- ldb_asprintf_errstring(ldb,
- "check_password_restrictions: "
- "The password change through the LM hash is deactivated!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
if (!io->o.lm_hash) {
ldb_asprintf_errstring(ldb,
"check_password_restrictions: "
@@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac,
{
const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+ struct loadparm_context *lp_ctx =
+ (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
int ret;
ZERO_STRUCTP(io);
@@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac,
"it's not allowed to set the LM hash password directly'");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- if (lm_hash != NULL) {
+
+ if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) {
io->n.lm_hash = talloc(io->ac, struct samr_Password);
memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length,
sizeof(io->n.lm_hash->hash)));
}
-
- if (old_lm_hash != NULL) {
+ if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) {
io->og.lm_hash = talloc(io->ac, struct samr_Password);
memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length,
sizeof(io->og.lm_hash->hash)));
@@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac,
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ /* refuse the change if someone tries to set/change the password by
+ * the lanman hash alone and we've deactivated that mechanism. This
+ * would end in an account without any password! */
+ if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+ && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+ ldb_asprintf_errstring(ldb,
+ "setup_io: "
+ "The password change/set operations performed using the LAN Manager hash alone are deactivated!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
/* refuse the change if someone wants to compare against a plaintext
or hash at the same time for a "password modify" operation... */
if ((io->og.cleartext_utf8 || io->og.cleartext_utf16)