diff options
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 94eb9cf9fa..0a34645a91 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io) return LDB_ERR_UNWILLING_TO_PERFORM; } } else if (io->og.lm_hash) { - struct loadparm_context *lp_ctx = - (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); - - if (!lp_lanman_auth(lp_ctx)) { - ldb_asprintf_errstring(ldb, - "check_password_restrictions: " - "The password change through the LM hash is deactivated!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - if (!io->o.lm_hash) { ldb_asprintf_errstring(ldb, "check_password_restrictions: " @@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac, { const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct loadparm_context *lp_ctx = + (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); int ret; ZERO_STRUCTP(io); @@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac, "it's not allowed to set the LM hash password directly'"); return LDB_ERR_UNWILLING_TO_PERFORM; } - if (lm_hash != NULL) { + + if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) { io->n.lm_hash = talloc(io->ac, struct samr_Password); memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length, sizeof(io->n.lm_hash->hash))); } - - if (old_lm_hash != NULL) { + if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) { io->og.lm_hash = talloc(io->ac, struct samr_Password); memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length, sizeof(io->og.lm_hash->hash))); @@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac, return LDB_ERR_UNWILLING_TO_PERFORM; } + /* refuse the change if someone tries to set/change the password by + * the lanman hash alone and we've deactivated that mechanism. This + * would end in an account without any password! */ + if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16) + && (!io->n.nt_hash) && (!io->n.lm_hash)) { + ldb_asprintf_errstring(ldb, + "setup_io: " + "The password change/set operations performed using the LAN Manager hash alone are deactivated!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + /* refuse the change if someone wants to compare against a plaintext or hash at the same time for a "password modify" operation... */ if ((io->og.cleartext_utf8 || io->og.cleartext_utf16) |