-rw-r--r-- | source3/include/proto.h | 3 | ||||
-rw-r--r-- | source3/smbd/chgpasswd.c | 64 |
2 files changed, 45 insertions, 22 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index e46fe3c1fd..6955593179 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user, uchar password_encrypted_with_nt_hash[516],
 const uchar old_nt_hash_encrypted[16],
 enum samPwdChangeReason *reject_reason);
+NTSTATUS check_password_complexity(const char *username,
+ const char *password,
+ enum samPwdChangeReason *samr_reject_reason);
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
 /* The following definitions come from smbd/close.c */
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index e2069060aa..2da36b2fe6 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1075,6 +1075,43 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
 }
 /***********************************************************
+************************************************************/
+
+NTSTATUS check_password_complexity(const char *username,
+ const char *password,
+ enum samPwdChangeReason *samr_reject_reason)
+{
+ TALLOC_CTX *tosctx = talloc_tos();
+
+ /* Use external script to check password complexity */
+ if (lp_check_password_script() && *(lp_check_password_script())) {
+ int check_ret;
+ char *cmd;
+
+ cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
+ if (!cmd) {
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+
+ check_ret = smbrunsecret(cmd, password);
+ DEBUG(5,("check_password_complexity: check password script (%s) returned [%d]\n",
+ cmd, check_ret));
+ TALLOC_FREE(cmd);
+
+ if (check_ret != 0) {
+ DEBUG(1,("check_password_complexity: "
+ "check password script said new password is not good enough!\n"));
+ if (samr_reject_reason) {
+ *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
+ }
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/***********************************************************
 Code to change the oem password. Changes both the lanman and NT hashes. Old_passwd is almost always NULL. NOTE this function is designed to be called as root. Check the old password
@@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
 struct passwd *pass = NULL;
 const char *username = pdb_get_username(hnd);
 time_t can_change_time = pdb_get_pass_can_change_time(hnd);
+ NTSTATUS status;
 if (samr_reject_reason) {
 *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
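Review bot: The banner comment added above `check_password_complexity` is empty, and since the function is now exported through proto.h its contract belongs there; I would write `Run the configured "check password script" (%u replaced by username) via smbrunsecret with the candidate password; returns NT_STATUS_OK when no script is set or it exits 0, otherwise NT_STATUS_PASSWORD_RESTRICTION with *samr_reject_reason set to SAM_PWD_CHANGE_NOT_COMPLEX when the pointer is non-NULL.` The talloc failure path (`if (!cmd)`) returns NT_STATUS_PASSWORD_RESTRICTION without touching *samr_reject_reason, so a caller sees a restriction status paired with SAM_PWD_CHANGE_NO_ERROR; `return NT_STATUS_NO_MEMORY;` describes that failure accurately and keeps PASSWORD_RESTRICTION meaning "the script rejected it". The username is substituted into the command string unescaped, so if smbrunsecret hands `cmd` to a shell (not visible in this hunk) the header should also record that username must be a trusted, already-stored account name, which is what the only caller provides via pdb_get_username(hnd). The second hunk on this line only adds the `NTSTATUS status;` declaration consumed by the following hunk.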
@@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
 return NT_STATUS_ACCESS_DENIED;
 }
- /* Use external script to check password complexity */
- if (lp_check_password_script() && *(lp_check_password_script())) {
- int check_ret;
- char *cmd;
-
- cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
- if (!cmd) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- check_ret = smbrunsecret(cmd, new_passwd);
- DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
- TALLOC_FREE(cmd);
-
- if (check_ret != 0) {
- DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
- if (samr_reject_reason) {
- *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
- }
- TALLOC_FREE(pass);
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
+ status = check_password_complexity(username, new_passwd, samr_reject_reason);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(pass);
+ return status;
 }
 /* |