-rw-r--r--docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml14
-rw-r--r--librpc/gen_ndr/cli_samr.c4
-rw-r--r--librpc/gen_ndr/cli_samr.h4
-rw-r--r--librpc/gen_ndr/ndr_samr.c126
-rw-r--r--librpc/gen_ndr/ndr_samr.h8
-rw-r--r--librpc/gen_ndr/samr.h53
-rw-r--r--librpc/gen_ndr/srv_samr.c4
-rw-r--r--librpc/idl/samr.idl30
-rw-r--r--nsswitch/libwbclient/wbclient.h13
-rw-r--r--nsswitch/pam_winbind.c8
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/rpc_client/cli_samr.c2
-rw-r--r--source3/rpc_server/srv_samr_nt.c7
-rw-r--r--source3/rpcclient/cmd_samr.c21
-rw-r--r--source3/smbd/chgpasswd.c18
-rw-r--r--source3/smbd/nttrans.c2
-rw-r--r--source3/winbindd/winbindd_cache.c1
-rw-r--r--source3/winbindd/winbindd_pam.c4
-rw-r--r--source4/dsdb/common/util.c25
-rw-r--r--source4/kdc/kpasswdd.c17
-rw-r--r--source4/rpc_server/samr/samr_password.c39
-rw-r--r--source4/torture/rpc/samr.c54
22 files changed, 250 insertions, 206 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml b/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml
index 33e2697bd3..2c59aa7420 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-Winbind.xml
@@ -93,7 +93,6 @@
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>idmap gid</primary></indexterm>
<indexterm><primary>idmap backend</primary></indexterm>
-<indexterm><primary>LDAP</primary></indexterm>
Winbind maintains a database called winbind_idmap.tdb in which it stores
mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stores the UID/GID
@@ -210,7 +209,7 @@
Users on the UNIX machine can then use NT user and group
names as they would <quote>native</quote> UNIX names. They can chown files
so they are owned by NT domain users or even login to the
- UNIX machine and run a UNIX X-Window session as a domain user.</para>
+ UNIX machine and run a UNIX X Window session as a domain user.</para>
<para>
<indexterm><primary>domain controller</primary></indexterm>
@@ -571,7 +570,7 @@ is for you.
<para>
<indexterm><primary>PAM</primary></indexterm>
<indexterm><primary>back up</primary></indexterm>
-<indexterm><primary>boot disk`</primary></indexterm>
+<indexterm><primary>boot disk</primary></indexterm>
If you have a Samba configuration file that you are currently using, <emphasis>BACK IT UP!</emphasis>
If your system already uses PAM, <emphasis>back up the <filename>/etc/pam.d</filename> directory
contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE NOW!</emphasis>
@@ -602,7 +601,7 @@ instructions on downloading the source code.
<indexterm><primary>development libraries</primary></indexterm>
To allow domain users the ability to access Samba shares and files, as well as potentially other services
provided by your Samba machine, PAM must be set up properly on your
-machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
+machine. In order to compile the Winbind modules, the PAM development libraries should be installed
on your system. Please refer to the PAM Web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
</para>
</sect2>
@@ -976,9 +975,6 @@ The same thing can be done for groups with the command:
<indexterm><primary>/etc/init.d/smb</primary></indexterm>
<indexterm><primary>/etc/init.d/samba</primary></indexterm>
<indexterm><primary>/usr/local/samba/bin</primary></indexterm>
-<indexterm><primary></primary></indexterm>
-<indexterm><primary></primary></indexterm>
-<indexterm><primary></primary></indexterm>
The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running. To accomplish this
task, you need to modify the startup scripts of your system. They are located at
<filename>/etc/init.d/smb</filename> in Red Hat Linux and in <filename>/etc/init.d/samba</filename> in Debian
@@ -1119,7 +1115,7 @@ usually only starts smbd and nmbd but should now start winbindd, too. If you hav
</programlisting></para>
<para>
-Again, if you would like to run Samba in dual daemon mode, replace:
+Again, if you would like to run winbindd in dual daemon mode, replace:
<programlisting>
/usr/local/samba/sbin/winbindd
</programlisting>
@@ -1234,7 +1230,7 @@ pre-create the directories of users to make sure users can log in on UNIX with t
<indexterm><primary>Winbind</primary></indexterm>
<indexterm><primary>ftp access</primary></indexterm>
The <filename>/etc/pam.d/ftp</filename> file can be changed to allow Winbind ftp access in a manner similar to
-the samba file. My <filename>/etc/pam.d/ftp</filename> file was changed to look like this:
+the <filename>/etc/pam.d/samba</filename> file. My <filename>/etc/pam.d/ftp</filename> file was changed to look like this:
<programlisting>
auth required /lib/security/pam_listfile.so item=user sense=deny \
file=/etc/ftpusers onerr=succeed
diff --git a/librpc/gen_ndr/cli_samr.c b/librpc/gen_ndr/cli_samr.c
index 27119e53cc..72f5f74864 100644
--- a/librpc/gen_ndr/cli_samr.c
+++ b/librpc/gen_ndr/cli_samr.c
@@ -10448,7 +10448,7 @@ struct tevent_req *rpccli_samr_ChangePasswordUser3_send(TALLOC_CTX *mem_ctx,
struct samr_Password *_lm_verifier /* [in] [unique] */,
struct samr_CryptPassword *_password3 /* [in] [unique] */,
struct samr_DomInfo1 **_dominfo /* [out] [ref] */,
- struct samr_ChangeReject **_reject /* [out] [ref] */)
+ struct userPwdChangeFailureInformation **_reject /* [out] [ref] */)
{
struct tevent_req *req;
struct rpccli_samr_ChangePasswordUser3_state *state;
@@ -10576,7 +10576,7 @@ NTSTATUS rpccli_samr_ChangePasswordUser3(struct rpc_pipe_client *cli,
struct samr_Password *lm_verifier /* [in] [unique] */,
struct samr_CryptPassword *password3 /* [in] [unique] */,
struct samr_DomInfo1 **dominfo /* [out] [ref] */,
- struct samr_ChangeReject **reject /* [out] [ref] */)
+ struct userPwdChangeFailureInformation **reject /* [out] [ref] */)
{
struct samr_ChangePasswordUser3 r;
NTSTATUS status;
diff --git a/librpc/gen_ndr/cli_samr.h b/librpc/gen_ndr/cli_samr.h
index ed2baa9aba..c94ff11cc7 100644
--- a/librpc/gen_ndr/cli_samr.h
+++ b/librpc/gen_ndr/cli_samr.h
@@ -963,7 +963,7 @@ struct tevent_req *rpccli_samr_ChangePasswordUser3_send(TALLOC_CTX *mem_ctx,
struct samr_Password *_lm_verifier /* [in] [unique] */,
struct samr_CryptPassword *_password3 /* [in] [unique] */,
struct samr_DomInfo1 **_dominfo /* [out] [ref] */,
- struct samr_ChangeReject **_reject /* [out] [ref] */);
+ struct userPwdChangeFailureInformation **_reject /* [out] [ref] */);
NTSTATUS rpccli_samr_ChangePasswordUser3_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
NTSTATUS *result);
@@ -978,7 +978,7 @@ NTSTATUS rpccli_samr_ChangePasswordUser3(struct rpc_pipe_client *cli,
struct samr_Password *lm_verifier /* [in] [unique] */,
struct samr_CryptPassword *password3 /* [in] [unique] */,
struct samr_DomInfo1 **dominfo /* [out] [ref] */,
- struct samr_ChangeReject **reject /* [out] [ref] */);
+ struct userPwdChangeFailureInformation **reject /* [out] [ref] */);
struct tevent_req *rpccli_samr_Connect5_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct rpc_pipe_client *cli,
diff --git a/librpc/gen_ndr/ndr_samr.c b/librpc/gen_ndr/ndr_samr.c
index 8e6e0059c0..f4c1a0cfcf 100644
--- a/librpc/gen_ndr/ndr_samr.c
+++ b/librpc/gen_ndr/ndr_samr.c
@@ -32,33 +32,6 @@ _PUBLIC_ void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *na
ndr_print_enum(ndr, name, "ENUM", val, r);
}
-_PUBLIC_ enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r)
-{
- NDR_CHECK(ndr_push_enum_uint32(ndr, NDR_SCALARS, r));
- return NDR_ERR_SUCCESS;
-}
-
-_PUBLIC_ enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r)
-{
- uint32_t v;
- NDR_CHECK(ndr_pull_enum_uint32(ndr, NDR_SCALARS, &v));
- *r = v;
- return NDR_ERR_SUCCESS;
-}
-
-_PUBLIC_ void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r)
-{
- const char *val = NULL;
-
- switch (r) {
- case SAMR_REJECT_OTHER: val = "SAMR_REJECT_OTHER"; break;
- case SAMR_REJECT_TOO_SHORT: val = "SAMR_REJECT_TOO_SHORT"; break;
- case SAMR_REJECT_IN_HISTORY: val = "SAMR_REJECT_IN_HISTORY"; break;
- case SAMR_REJECT_COMPLEXITY: val = "SAMR_REJECT_COMPLEXITY"; break;
- }
- ndr_print_enum(ndr, name, "ENUM", val, r);
-}
-
_PUBLIC_ enum ndr_err_code ndr_push_samr_AcctFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r)
{
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r));
@@ -4738,41 +4711,100 @@ _PUBLIC_ void ndr_print_samr_ConnectVersion(struct ndr_print *ndr, const char *n
ndr_print_enum(ndr, name, "ENUM", val, r);
}
-static enum ndr_err_code ndr_push_samr_ChangeReject(struct ndr_push *ndr, int ndr_flags, const struct samr_ChangeReject *r)
+_PUBLIC_ enum ndr_err_code ndr_push_samPwdChangeReason(struct ndr_push *ndr, int ndr_flags, enum samPwdChangeReason r)
+{
+ NDR_CHECK(ndr_push_enum_uint32(ndr, NDR_SCALARS, r));
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_samPwdChangeReason(struct ndr_pull *ndr, int ndr_flags, enum samPwdChangeReason *r)
+{
+ uint32_t v;
+ NDR_CHECK(ndr_pull_enum_uint32(ndr, NDR_SCALARS, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_samPwdChangeReason(struct ndr_print *ndr, const char *name, enum samPwdChangeReason r)
+{
+ const char *val = NULL;
+
+ switch (r) {
+ case SAM_PWD_CHANGE_NO_ERROR: val = "SAM_PWD_CHANGE_NO_ERROR"; break;
+ case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT: val = "SAM_PWD_CHANGE_PASSWORD_TOO_SHORT"; break;
+ case SAM_PWD_CHANGE_PWD_IN_HISTORY: val = "SAM_PWD_CHANGE_PWD_IN_HISTORY"; break;
+ case SAM_PWD_CHANGE_USERNAME_IN_PASSWORD: val = "SAM_PWD_CHANGE_USERNAME_IN_PASSWORD"; break;
+ case SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD: val = "SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD"; break;
+ case SAM_PWD_CHANGE_NOT_COMPLEX: val = "SAM_PWD_CHANGE_NOT_COMPLEX"; break;
+ case SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT: val = "SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT"; break;
+ case SAM_PWD_CHANGE_FAILED_BY_FILTER: val = "SAM_PWD_CHANGE_FAILED_BY_FILTER"; break;
+ case SAM_PWD_CHANGE_PASSWORD_TOO_LONG: val = "SAM_PWD_CHANGE_PASSWORD_TOO_LONG"; break;
+ }
+ ndr_print_enum(ndr, name, "ENUM", val, r);
+}
+
+static enum ndr_err_code ndr_push_userPwdChangeFailureInformation(struct ndr_push *ndr, int ndr_flags, const struct userPwdChangeFailureInformation *r)
{
if (ndr_flags & NDR_SCALARS) {
- NDR_CHECK(ndr_push_align(ndr, 4));
- NDR_CHECK(ndr_push_samr_RejectReason(ndr, NDR_SCALARS, r->reason));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown1));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown2));
- NDR_CHECK(ndr_push_trailer_align(ndr, 4));
+ NDR_CHECK(ndr_push_align(ndr, 5));
+ NDR_CHECK(ndr_push_samPwdChangeReason(ndr, NDR_SCALARS, r->extendedFailureReason));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->filterModuleName));
+ NDR_CHECK(ndr_push_trailer_align(ndr, 5));
}
if (ndr_flags & NDR_BUFFERS) {
+ if (r->filterModuleName) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->filterModuleName, CH_UTF16)));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->filterModuleName, CH_UTF16)));
+ NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->filterModuleName, ndr_charset_length(r->filterModuleName, CH_UTF16), sizeof(uint16_t), CH_UTF16));
+ }
}
return NDR_ERR_SUCCESS;
}
-static enum ndr_err_code ndr_pull_samr_ChangeReject(struct ndr_pull *ndr, int ndr_flags, struct samr_ChangeReject *r)
+static enum ndr_err_code ndr_pull_userPwdChangeFailureInformation(struct ndr_pull *ndr, int ndr_flags, struct userPwdChangeFailureInformation *r)
{
+ uint32_t _ptr_filterModuleName;
+ TALLOC_CTX *_mem_save_filterModuleName_0;
if (ndr_flags & NDR_SCALARS) {
- NDR_CHECK(ndr_pull_align(ndr, 4));
- NDR_CHECK(ndr_pull_samr_RejectReason(ndr, NDR_SCALARS, &r->reason));
- NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1));
- NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2));
- NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+ NDR_CHECK(ndr_pull_align(ndr, 5));
+ NDR_CHECK(ndr_pull_samPwdChangeReason(ndr, NDR_SCALARS, &r->extendedFailureReason));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_filterModuleName));
+ if (_ptr_filterModuleName) {
+ NDR_PULL_ALLOC(ndr, r->filterModuleName);
+ } else {
+ r->filterModuleName = NULL;
+ }
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
}
if (ndr_flags & NDR_BUFFERS) {
+ if (r->filterModuleName) {
+ _mem_save_filterModuleName_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->filterModuleName, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->filterModuleName));
+ NDR_CHECK(ndr_pull_array_length(ndr, &r->filterModuleName));
+ if (ndr_get_array_length(ndr, &r->filterModuleName) > ndr_get_array_size(ndr, &r->filterModuleName)) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->filterModuleName), ndr_get_array_length(ndr, &r->filterModuleName));
+ }
+ NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->filterModuleName), sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->filterModuleName, ndr_get_array_length(ndr, &r->filterModuleName), sizeof(uint16_t), CH_UTF16));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_filterModuleName_0, 0);
+ }
}
return NDR_ERR_SUCCESS;
}
-_PUBLIC_ void ndr_print_samr_ChangeReject(struct ndr_print *ndr, const char *name, const struct samr_ChangeReject *r)
+_PUBLIC_ void ndr_print_userPwdChangeFailureInformation(struct ndr_print *ndr, const char *name, const struct userPwdChangeFailureInformation *r)
{
- ndr_print_struct(ndr, name, "samr_ChangeReject");
+ ndr_print_struct(ndr, name, "userPwdChangeFailureInformation");
ndr->depth++;
- ndr_print_samr_RejectReason(ndr, "reason", r->reason);
- ndr_print_uint32(ndr, "unknown1", r->unknown1);
- ndr_print_uint32(ndr, "unknown2", r->unknown2);
+ ndr_print_samPwdChangeReason(ndr, "extendedFailureReason", r->extendedFailureReason);
+ ndr_print_ptr(ndr, "filterModuleName", r->filterModuleName);
+ ndr->depth++;
+ if (r->filterModuleName) {
+ ndr_print_string(ndr, "filterModuleName", r->filterModuleName);
+ }
+ ndr->depth--;
ndr->depth--;
}
@@ -11806,7 +11838,7 @@ static enum ndr_err_code ndr_push_samr_ChangePasswordUser3(struct ndr_push *ndr,
}
NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.reject));
if (*r->out.reject) {
- NDR_CHECK(ndr_push_samr_ChangeReject(ndr, NDR_SCALARS, *r->out.reject));
+ NDR_CHECK(ndr_push_userPwdChangeFailureInformation(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.reject));
}
NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result));
}
@@ -11955,7 +11987,7 @@ static enum ndr_err_code ndr_pull_samr_ChangePasswordUser3(struct ndr_pull *ndr,
if (*r->out.reject) {
_mem_save_reject_1 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, *r->out.reject, 0);
- NDR_CHECK(ndr_pull_samr_ChangeReject(ndr, NDR_SCALARS, *r->out.reject));
+ NDR_CHECK(ndr_pull_userPwdChangeFailureInformation(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.reject));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reject_1, 0);
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reject_0, LIBNDR_FLAG_REF_ALLOC);
@@ -12034,7 +12066,7 @@ _PUBLIC_ void ndr_print_samr_ChangePasswordUser3(struct ndr_print *ndr, const ch
ndr_print_ptr(ndr, "reject", *r->out.reject);
ndr->depth++;
if (*r->out.reject) {
- ndr_print_samr_ChangeReject(ndr, "reject", *r->out.reject);
+ ndr_print_userPwdChangeFailureInformation(ndr, "reject", *r->out.reject);
}
ndr->depth--;
ndr->depth--;
diff --git a/librpc/gen_ndr/ndr_samr.h b/librpc/gen_ndr/ndr_samr.h
index a341f69af0..9ece0ed5ca 100644
--- a/librpc/gen_ndr/ndr_samr.h
+++ b/librpc/gen_ndr/ndr_samr.h
@@ -151,9 +151,6 @@ extern const struct ndr_interface_table ndr_table_samr;
enum ndr_err_code ndr_push_netr_SamDatabaseID(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID r);
enum ndr_err_code ndr_pull_netr_SamDatabaseID(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID *r);
void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID r);
-enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r);
-enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r);
-void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r);
enum ndr_err_code ndr_push_samr_AcctFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r);
enum ndr_err_code ndr_pull_samr_AcctFlags(struct ndr_pull *ndr, int ndr_flags, uint32_t *r);
void ndr_print_samr_AcctFlags(struct ndr_print *ndr, const char *name, uint32_t r);
@@ -248,7 +245,10 @@ void ndr_print_samr_DispInfoAscii(struct ndr_print *ndr, const char *name, const
void ndr_print_samr_DispInfo(struct ndr_print *ndr, const char *name, const union samr_DispInfo *r);
void ndr_print_samr_PwInfo(struct ndr_print *ndr, const char *name, const struct samr_PwInfo *r);
void ndr_print_samr_ConnectVersion(struct ndr_print *ndr, const char *name, enum samr_ConnectVersion r);
-void ndr_print_samr_ChangeReject(struct ndr_print *ndr, const char *name, const struct samr_ChangeReject *r);
+enum ndr_err_code ndr_push_samPwdChangeReason(struct ndr_push *ndr, int ndr_flags, enum samPwdChangeReason r);
+enum ndr_err_code ndr_pull_samPwdChangeReason(struct ndr_pull *ndr, int ndr_flags, enum samPwdChangeReason *r);
+void ndr_print_samPwdChangeReason(struct ndr_print *ndr, const char *name, enum samPwdChangeReason r);
+void ndr_print_userPwdChangeFailureInformation(struct ndr_print *ndr, const char *name, const struct userPwdChangeFailureInformation *r);
void ndr_print_samr_ConnectInfo1(struct ndr_print *ndr, const char *name, const struct samr_ConnectInfo1 *r);
void ndr_print_samr_ConnectInfo(struct ndr_print *ndr, const char *name, const union samr_ConnectInfo *r);
void ndr_print_samr_ValidateFieldsPresent(struct ndr_print *ndr, const char *name, uint32_t r);
diff --git a/librpc/gen_ndr/samr.h b/librpc/gen_ndr/samr.h
index 33b21d2d05..75462dec73 100644
--- a/librpc/gen_ndr/samr.h
+++ b/librpc/gen_ndr/samr.h
@@ -53,23 +53,6 @@ enum netr_SamDatabaseID
#endif
;
-enum samr_RejectReason
-#ifndef USE_UINT_ENUMS
- {
- SAMR_REJECT_OTHER=(int)(0),
- SAMR_REJECT_TOO_SHORT=(int)(1),
- SAMR_REJECT_IN_HISTORY=(int)(2),
- SAMR_REJECT_COMPLEXITY=(int)(5)
-}
-#else
- { __donnot_use_enum_samr_RejectReason=0x7FFFFFFF}
-#define SAMR_REJECT_OTHER ( 0 )
-#define SAMR_REJECT_TOO_SHORT ( 1 )
-#define SAMR_REJECT_IN_HISTORY ( 2 )
-#define SAMR_REJECT_COMPLEXITY ( 5 )
-#endif
-;
-
/* bitmap samr_AcctFlags */
#define ACB_DISABLED ( 0x00000001 )
#define ACB_HOMDIRREQ ( 0x00000002 )
@@ -790,10 +773,36 @@ enum samr_ConnectVersion
#endif
;
-struct samr_ChangeReject {
- enum samr_RejectReason reason;
- uint32_t unknown1;
- uint32_t unknown2;
+enum samPwdChangeReason
+#ifndef USE_UINT_ENUMS
+ {
+ SAM_PWD_CHANGE_NO_ERROR=(int)(0),
+ SAM_PWD_CHANGE_PASSWORD_TOO_SHORT=(int)(1),
+ SAM_PWD_CHANGE_PWD_IN_HISTORY=(int)(2),
+ SAM_PWD_CHANGE_USERNAME_IN_PASSWORD=(int)(3),
+ SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD=(int)(4),
+ SAM_PWD_CHANGE_NOT_COMPLEX=(int)(5),
+ SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT=(int)(6),
+ SAM_PWD_CHANGE_FAILED_BY_FILTER=(int)(7),
+ SAM_PWD_CHANGE_PASSWORD_TOO_LONG=(int)(8)
+}
+#else
+ { __donnot_use_enum_samPwdChangeReason=0x7FFFFFFF}
+#define SAM_PWD_CHANGE_NO_ERROR ( 0 )
+#define SAM_PWD_CHANGE_PASSWORD_TOO_SHORT ( 1 )
+#define SAM_PWD_CHANGE_PWD_IN_HISTORY ( 2 )
+#define SAM_PWD_CHANGE_USERNAME_IN_PASSWORD ( 3 )
+#define SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD ( 4 )
+#define SAM_PWD_CHANGE_NOT_COMPLEX ( 5 )
+#define SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT ( 6 )
+#define SAM_PWD_CHANGE_FAILED_BY_FILTER ( 7 )
+#define SAM_PWD_CHANGE_PASSWORD_TOO_LONG ( 8 )
+#endif
+;
+
+struct userPwdChangeFailureInformation {
+ enum samPwdChangeReason extendedFailureReason;
+ const char *filterModuleName;/* [unique,charset(UTF16)] */
};
struct samr_ConnectInfo1 {
@@ -1852,7 +1861,7 @@ struct samr_ChangePasswordUser3 {
struct {
struct samr_DomInfo1 **dominfo;/* [ref] */
- struct samr_ChangeReject **reject;/* [ref] */
+ struct userPwdChangeFailureInformation **reject;/* [ref] */
NTSTATUS result;
} out;
diff --git a/librpc/gen_ndr/srv_samr.c b/librpc/gen_ndr/srv_samr.c
index e1b6951b3c..eba50b3e11 100644
--- a/librpc/gen_ndr/srv_samr.c
+++ b/librpc/gen_ndr/srv_samr.c
@@ -5030,7 +5030,7 @@ static bool api_samr_ChangePasswordUser3(pipes_struct *p)
return false;
}
- r->out.reject = talloc_zero(r, struct samr_ChangeReject *);
+ r->out.reject = talloc_zero(r, struct userPwdChangeFailureInformation *);
if (r->out.reject == NULL) {
talloc_free(r);
return false;
@@ -6195,7 +6195,7 @@ NTSTATUS rpc_samr_dispatch(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, con
return NT_STATUS_NO_MEMORY;
}
- r->out.reject = talloc_zero(mem_ctx, struct samr_ChangeReject *);
+ r->out.reject = talloc_zero(mem_ctx, struct userPwdChangeFailureInformation *);
if (r->out.reject == NULL) {
return NT_STATUS_NO_MEMORY;
}
diff --git a/librpc/idl/samr.idl b/librpc/idl/samr.idl
index 8a5692fe17..da7b1aa82e 100644
--- a/librpc/idl/samr.idl
+++ b/librpc/idl/samr.idl
@@ -24,15 +24,6 @@ import "misc.idl", "lsa.idl", "security.idl";
SAM_DATABASE_PRIVS = 2 /* Privileges */
} netr_SamDatabaseID;
- typedef [public,v1_enum] enum {
- SAMR_REJECT_OTHER = 0,
- SAMR_REJECT_TOO_SHORT = 1,
- SAMR_REJECT_IN_HISTORY = 2,
- SAMR_REJECT_COMPLEXITY = 5
- } samr_RejectReason;
-
-
-
/* account control (acct_flags) bits */
typedef [public,bitmap32bit] bitmap {
ACB_DISABLED = 0x00000001, /* 1 = User account disabled */
@@ -1447,13 +1438,22 @@ import "misc.idl", "lsa.idl", "security.idl";
/************************/
/* Function 0x3f */
- typedef enum samr_RejectReason samr_RejectReason;
+ typedef [public,v1_enum] enum {
+ SAM_PWD_CHANGE_NO_ERROR = 0,
+ SAM_PWD_CHANGE_PASSWORD_TOO_SHORT = 1,
+ SAM_PWD_CHANGE_PWD_IN_HISTORY = 2,
+ SAM_PWD_CHANGE_USERNAME_IN_PASSWORD = 3,
+ SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD = 4,
+ SAM_PWD_CHANGE_NOT_COMPLEX = 5,
+ SAM_PWD_CHANGE_MACHINE_NOT_DEFAULT = 6,
+ SAM_PWD_CHANGE_FAILED_BY_FILTER = 7,
+ SAM_PWD_CHANGE_PASSWORD_TOO_LONG = 8
+ } samPwdChangeReason;
typedef struct {
- samr_RejectReason reason;
- uint32 unknown1;
- uint32 unknown2;
- } samr_ChangeReject;
+ samPwdChangeReason extendedFailureReason;
+ [string,charset(UTF16)] uint16 *filterModuleName;
+ } userPwdChangeFailureInformation;
NTSTATUS samr_ChangePasswordUser3(
[in,unique] lsa_String *server,
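Review bot: `filterModuleName` is declared as a bare `[string,charset(UTF16)] uint16 *`, so the fixed part of the structure shrinks from the three 32-bit fields of the old `samr_ChangeReject` to an enum plus a single pointer. If the new names are meant to follow MS-SAMR's USER_PWD_CHANGE_FAILURE_INFORMATION, that structure carries FilterModuleName as an RPC_UNICODE_STRING (length, maximum length, buffer pointer), which keeps the fixed part at the old size; this is worth confirming against a reply captured from a Windows server. `lsa_String filterModuleName;` would express that layout, and lsa.idl is already imported by this file. The pull code generated from this struct parses replies from a remote server, so a layout mismatch would surface as misparsed or rejected responses at run time, not at build time.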
@@ -1465,7 +1465,7 @@ import "misc.idl", "lsa.idl", "security.idl";
[in,unique] samr_Password *lm_verifier,
[in,unique] samr_CryptPassword *password3,
[out,ref] samr_DomInfo1 **dominfo,
- [out,ref] samr_ChangeReject **reject
+ [out,ref] userPwdChangeFailureInformation **reject
);
/************************/
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 4dc6d23dfc..ced82d8d22 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -427,10 +427,15 @@ struct wbcUserPasswordPolicyInfo {
**/
enum wbcPasswordChangeRejectReason {
- WBC_PWD_CHANGE_REJECT_OTHER=0,
- WBC_PWD_CHANGE_REJECT_TOO_SHORT=1,
- WBC_PWD_CHANGE_REJECT_IN_HISTORY=2,
- WBC_PWD_CHANGE_REJECT_COMPLEXITY=5
+ WBC_PWD_CHANGE_NO_ERROR=0,
+ WBC_PWD_CHANGE_PASSWORD_TOO_SHORT=1,
+ WBC_PWD_CHANGE_PWD_IN_HISTORY=2,
+ WBC_PWD_CHANGE_USERNAME_IN_PASSWORD=3,
+ WBC_PWD_CHANGE_FULLNAME_IN_PASSWORD=4,
+ WBC_PWD_CHANGE_NOT_COMPLEX=5,
+ WBC_PWD_CHANGE_MACHINE_NOT_DEFAULT=6,
+ WBC_PWD_CHANGE_FAILED_BY_FILTER=7,
+ WBC_PWD_CHANGE_PASSWORD_TOO_LONG=8
};
/**
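Review bot: The four `WBC_PWD_CHANGE_REJECT_*` enumerators are removed outright from the client-facing libwbclient header, so any out-of-tree caller that switches on them stops compiling even though the numeric values are unchanged. Keeping the old names as aliases after the enum preserves source compatibility at no cost, as sketched below. It would also help to state in the doc comment above the enum that the values mirror `samPwdChangeReason` from samr.idl, since the two lists now have to stay in step.

```c
/* … unchanged: enum wbcPasswordChangeRejectReason { … }; … */

/* Old names, kept so existing callers keep compiling */
#define WBC_PWD_CHANGE_REJECT_OTHER      WBC_PWD_CHANGE_NO_ERROR
#define WBC_PWD_CHANGE_REJECT_TOO_SHORT  WBC_PWD_CHANGE_PASSWORD_TOO_SHORT
#define WBC_PWD_CHANGE_REJECT_IN_HISTORY WBC_PWD_CHANGE_PWD_IN_HISTORY
#define WBC_PWD_CHANGE_REJECT_COMPLEXITY WBC_PWD_CHANGE_NOT_COMPLEX
```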
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 324bede9ea..654b4385d8 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -1862,22 +1862,22 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
switch (reject_reason) {
case -1:
break;
- case WBC_PWD_CHANGE_REJECT_OTHER:
+ case WBC_PWD_CHANGE_NO_ERROR:
if ((min_pwd_age > 0) &&
(pwd_last_set + min_pwd_age > time(NULL))) {
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_TOO_RECENT");
}
break;
- case WBC_PWD_CHANGE_REJECT_TOO_SHORT:
+ case WBC_PWD_CHANGE_PASSWORD_TOO_SHORT:
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_TOO_SHORT");
break;
- case WBC_PWD_CHANGE_REJECT_IN_HISTORY:
+ case WBC_PWD_CHANGE_PWD_IN_HISTORY:
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_HISTORY_CONFLICT");
break;
- case WBC_PWD_CHANGE_REJECT_COMPLEXITY:
+ case WBC_PWD_CHANGE_NOT_COMPLEX:
_make_remark(ctx, PAM_ERROR_MSG,
_("Password does not meet "
"complexity requirements"));
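Review bot: Only four of the nine reject reasons are handled in the cases visible here, so a change refused for `WBC_PWD_CHANGE_USERNAME_IN_PASSWORD`, `WBC_PWD_CHANGE_FULLNAME_IN_PASSWORD`, `WBC_PWD_CHANGE_FAILED_BY_FILTER` or `WBC_PWD_CHANGE_PASSWORD_TOO_LONG` may reach the user with no explanation unless the rest of the switch, which continues outside this hunk, has a `default:`. The username and full-name cases could reasonably share the existing complexity message. The too-recent heuristic now sits under `case WBC_PWD_CHANGE_NO_ERROR:`, which reads oddly on a failure path; a comment such as `/* 0: no specific reason given, check the minimum password age */` would keep the intent clear.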
diff --git a/source3/include/proto.h b/source3/include/proto.h
index d31483a02e..dd46bdda83 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -5427,7 +5427,7 @@ NTSTATUS rpccli_samr_chgpasswd_user3(struct rpc_pipe_client *cli,
const char *newpassword,
const char *oldpassword,
struct samr_DomInfo1 **dominfo1,
- struct samr_ChangeReject **reject);
+ struct userPwdChangeFailureInformation **reject);
void get_query_dispinfo_params(int loop_count, uint32 *max_entries,
uint32 *max_size);
NTSTATUS rpccli_try_samr_connects(struct rpc_pipe_client *cli,
diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c
index 5a0dff2965..df22ecb284 100644
--- a/source3/rpc_client/cli_samr.c
+++ b/source3/rpc_client/cli_samr.c
@@ -187,7 +187,7 @@ NTSTATUS rpccli_samr_chgpasswd_user3(struct rpc_pipe_client *cli,
const char *newpassword,
const char *oldpassword,
struct samr_DomInfo1 **dominfo1,
- struct samr_ChangeReject **reject)
+ struct userPwdChangeFailureInformation **reject)
{
NTSTATUS status;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 9e95c48033..d3a3372107 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2025,7 +2025,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
const char *wks = NULL;
uint32 reject_reason;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
uint32_t tmp;
DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
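Review bot: `uint32 reject_reason;` is left as a `uint32` in this hunk, while `pass_oem_change` in source3/smbd/chgpasswd.c now takes `enum samPwdChangeReason *reject_reason`. If the address of this local is what gets passed to it (the call is outside the hunk), the pointer types no longer match, and that only works where the compiler gives the enum a 32-bit unsigned representation; `enum samPwdChangeReason reject_reason;` keeps the two in step. The proto.h hunk in this commit touches only `rpccli_samr_chgpasswd_user3`, so the prototypes of `pass_oem_change` and `change_oem_password` are worth checking for the same stale `uint32 *`.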
@@ -2070,7 +2070,8 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
return NT_STATUS_NO_MEMORY;
}
- reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
+ reject = TALLOC_ZERO_P(p->mem_ctx,
+ struct userPwdChangeFailureInformation);
if (!reject) {
return NT_STATUS_NO_MEMORY;
}
@@ -2105,7 +2106,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
}
- reject->reason = reject_reason;
+ reject->extendedFailureReason = reject_reason;
*r->out.dominfo = dominfo;
*r->out.reject = reject;
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 699b54d364..e52411f8f7 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -2538,7 +2538,7 @@ static NTSTATUS cmd_samr_chgpasswd3(struct rpc_pipe_client *cli,
const char *user, *oldpass, *newpass;
uint32 access_mask = MAXIMUM_ALLOWED_ACCESS;
struct samr_DomInfo1 *info = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
if (argc < 3) {
printf("Usage: %s username oldpass newpass\n", argv[0]);
@@ -2581,22 +2581,19 @@ static NTSTATUS cmd_samr_chgpasswd3(struct rpc_pipe_client *cli,
display_sam_dom_info_1(info);
- switch (reject->reason) {
- case SAMR_REJECT_TOO_SHORT:
- d_printf("SAMR_REJECT_TOO_SHORT\n");
+ switch (reject->extendedFailureReason) {
+ case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
+ d_printf("SAM_PWD_CHANGE_PASSWORD_TOO_SHORT\n");
break;
- case SAMR_REJECT_IN_HISTORY:
- d_printf("SAMR_REJECT_IN_HISTORY\n");
+ case SAM_PWD_CHANGE_PWD_IN_HISTORY:
+ d_printf("SAM_PWD_CHANGE_PWD_IN_HISTORY\n");
break;
- case SAMR_REJECT_COMPLEXITY:
- d_printf("SAMR_REJECT_COMPLEXITY\n");
- break;
- case SAMR_REJECT_OTHER:
- d_printf("SAMR_REJECT_OTHER\n");
+ case SAM_PWD_CHANGE_NOT_COMPLEX:
+ d_printf("SAM_PWD_CHANGE_NOT_COMPLEX\n");
break;
default:
d_printf("unknown reject reason: %d\n",
- reject->reason);
+ reject->extendedFailureReason);
break;
}
}
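Review bot: `switch (reject->extendedFailureReason)` dereferences `reject` with no NULL check in the visible lines, although `reject` starts as NULL and is filled from the server's reply, where the generated pull code treats the structure as optional (`if (*r->out.reject)`). Unless the lines before this hunk already guard it, a reply that omits the structure crashes the client; wrapping the switch in `if (reject != NULL) { ... }` is enough. The same pattern appears in source3/winbindd/winbindd_pam.c at `reject->extendedFailureReason`, where the affected process is the long-running winbindd child instead of a command-line tool. Both functions continue outside their hunks, so the guard may need to cover `info` as well.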
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index eaee3d8509..e2069060aa 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -778,7 +778,7 @@ NTSTATUS pass_oem_change(char *user,
const uchar old_lm_hash_encrypted[16],
uchar password_encrypted_with_nt_hash[516],
const uchar old_nt_hash_encrypted[16],
- uint32 *reject_reason)
+ enum samPwdChangeReason *reject_reason)
{
char *new_passwd = NULL;
struct samu *sampass = NULL;
@@ -1081,7 +1081,7 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
is correct before calling. JRA.
************************************************************/
-NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, uint32 *samr_reject_reason)
+NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason)
{
uint32 min_len;
uint32 refuse;
@@ -1091,14 +1091,14 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
if (samr_reject_reason) {
- *samr_reject_reason = Undefined;
+ *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
/* check to see if the secdesc has previously been set to disallow */
if (!pdb_get_pass_can_change(hnd)) {
DEBUG(1, ("user %s does not have permissions to change password\n", username));
if (samr_reject_reason) {
- *samr_reject_reason = SAMR_REJECT_OTHER;
+ *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
return NT_STATUS_ACCOUNT_RESTRICTION;
}
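Review bot: The failure path in this hunk stores `SAM_PWD_CHANGE_NO_ERROR` immediately before `return NT_STATUS_ACCOUNT_RESTRICTION;`, and the hunks at new lines 1112 and 1125 do the same, which reads as a contradiction to anyone who has not seen the old `SAMR_REJECT_OTHER` name. The numeric value is unchanged, so this is a readability point: since the value is already set to `SAM_PWD_CHANGE_NO_ERROR` at the top of the function, the three reassignments could be dropped. Alternatively, annotate each with `/* no extended reason applies here; the NTSTATUS carries the cause */`. The function body continues outside these hunks.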
@@ -1112,7 +1112,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
"denied by Refuse Machine Password Change policy\n",
username));
if (samr_reject_reason) {
- *samr_reject_reason = SAMR_REJECT_OTHER;
+ *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
return NT_STATUS_ACCOUNT_RESTRICTION;
}
@@ -1125,7 +1125,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
"wait until %s\n", username,
http_timestring(tosctx, can_change_time)));
if (samr_reject_reason) {
- *samr_reject_reason = SAMR_REJECT_OTHER;
+ *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
return NT_STATUS_ACCOUNT_RESTRICTION;
}
@@ -1135,7 +1135,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
username));
DEBUGADD(1, (" account policy min password len = %d\n", min_len));
if (samr_reject_reason) {
- *samr_reject_reason = SAMR_REJECT_TOO_SHORT;
+ *samr_reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT;
}
return NT_STATUS_PASSWORD_RESTRICTION;
/* return NT_STATUS_PWD_TOO_SHORT; */
@@ -1143,7 +1143,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
if (check_passwd_history(hnd,new_passwd)) {
if (samr_reject_reason) {
- *samr_reject_reason = SAMR_REJECT_IN_HISTORY;
+ *samr_reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1171,7 +1171,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
if (check_ret != 0) {
DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
if (samr_reject_reason) {
- *samr_reject_reason = SAMR_REJECT_COMPLEXITY;
+ *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
}
TALLOC_FREE(pass);
return NT_STATUS_PASSWORD_RESTRICTION;
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index cf955d9651..0cc05dbd52 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2036,7 +2036,7 @@ static void call_nt_transact_ioctl(connection_struct *conn,
}
/* needed_data_count 4 bytes */
- SIVAL(pdata,8,labels_data_count);
+ SIVAL(pdata, 8, labels_data_count+4);
cur_pdata+=12;
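Review bot: The length written at offset 8 becomes `labels_data_count+4` with nothing saying what the extra four bytes cover; the existing comment `needed_data_count 4 bytes` only describes the field width. This value tells the client how large a buffer to supply, so it should come from the same expression that sizes and fills `pdata`; that code is outside the hunk and is worth checking for a matching `+4`. A comment such as `/* needed_data_count: labels_data_count plus 4 bytes for <what they hold> */`, with the placeholder filled in, would keep the constant from looking arbitrary. The change is also unrelated to the SAMR rename that makes up the rest of this diff.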
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 6d48fe5f85..543b8b12b7 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -4359,6 +4359,7 @@ static bool wcache_opnum_cacheable(uint32_t opnum)
case NDR_WBINT_QUERYSEQUENCENUMBER:
case NDR_WBINT_ALLOCATEUID:
case NDR_WBINT_ALLOCATEGID:
+ case NDR_WBINT_CHECKMACHINEACCOUNT:
return false;
}
return true;
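Review bot: The switch is a deny-list with `return true` as the fall-through, so every winbind internal opnum that is not listed is treated as cacheable by default. The new `NDR_WBINT_CHECKMACHINEACCOUNT` case shows how easily a call that reflects live state can be missed and then answered from cache. A comment above the case list would make the rule explicit, for example `/* calls that allocate or report live state must never be cached; add every new such opnum here */`. The start of wcache_opnum_cacheable is outside this hunk, so earlier cases are not visible.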
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 178b3ea74b..edbaa55e9b 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2060,7 +2060,7 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
struct rpc_pipe_client *cli;
bool got_info = false;
struct samr_DomInfo1 *info = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
fstring domain, user;
@@ -2102,7 +2102,7 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
fill_in_password_policy(state->response, info);
state->response->data.auth.reject_reason =
- reject->reason;
+ reject->extendedFailureReason;
got_info = true;
}
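Review bot: `reject->extendedFailureReason` is read without a NULL check visible in this hunk, although `reject` is initialised to NULL in the declaration hunk above and is presumably filled from the remote server's reply. If the server returns a password-restriction status without the failure structure, this dereferences NULL inside winbindd. Guard the read: `if (reject != NULL) { state->response->data.auth.reject_reason = reject->extendedFailureReason; }`. The enclosing condition and the call that sets `reject` are outside the hunk, so an earlier guard cannot be ruled out.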
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index ce74c7b19c..9a8b59e55d 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1583,7 +1583,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
struct samr_Password *param_lmNewHash,
struct samr_Password *param_ntNewHash,
bool user_change,
- enum samr_RejectReason *reject_reason,
+ enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
const char * const user_attrs[] = { "userAccountControl",
@@ -1702,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
&& (minPwdLength > utf16_len_n(
new_password->data, new_password->length)/2)) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_TOO_SHORT;
+ *reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1726,7 +1726,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
& DOMAIN_PASSWORD_COMPLEX) != 0)
&& (!check_password_quality(new_pass))) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_COMPLEXITY;
+ *reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1742,7 +1742,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
/* are all password changes disallowed? */
if ((pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) != 0) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_OTHER;
+ *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1750,7 +1750,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
/* can this user change the password? */
if ((userAccountControl & UF_PASSWD_CANT_CHANGE) != 0) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_OTHER;
+ *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1758,7 +1758,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
/* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
if (pwdLastSet - minPwdAge > now_nt) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_OTHER;
+ *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1768,14 +1768,14 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
if (lmNewHash && lmPwdHash && memcmp(lmNewHash->hash,
lmPwdHash->hash, 16) == 0) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_IN_HISTORY;
+ *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
if (ntNewHash && ntPwdHash && memcmp(ntNewHash->hash,
ntPwdHash->hash, 16) == 0) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_IN_HISTORY;
+ *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1791,7 +1791,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
if (memcmp(lmNewHash->hash, sambaLMPwdHistory[i].hash,
16) == 0) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_IN_HISTORY;
+ *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1800,7 +1800,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
if (memcmp(ntNewHash->hash, sambaNTPwdHistory[i].hash,
16) == 0) {
if (reject_reason) {
- *reject_reason = SAMR_REJECT_IN_HISTORY;
+ *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
@@ -1833,6 +1833,9 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
}
}
+ if (reject_reason) {
+ *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
+ }
return NT_STATUS_OK;
}
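Review bot: `*reject_reason` is now written on success and on the policy rejections, but any other early return in samdb_set_password would still leave it untouched; the parts of the function between these hunks are not visible. That matters because kpasswdd_change_password in source4/kdc/kpasswdd.c declares `enum samPwdChangeReason reject_reason;` with no initialiser, unlike the SETPW path, which initialises it. If that local is passed on after a failure that never set it, the reply is built from an indeterminate value. Either set the out-parameter once at function entry here, or initialise the caller's local: `enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;`.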
@@ -1851,7 +1854,7 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
struct samr_Password *lmNewHash,
struct samr_Password *ntNewHash,
bool user_change,
- enum samr_RejectReason *reject_reason,
+ enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
NTSTATUS nt_status;
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 9664d1b016..f9bd683e88 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -113,7 +113,7 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
NTSTATUS status,
- enum samr_RejectReason reject_reason,
+ enum samPwdChangeReason reject_reason,
struct samr_DomInfo1 *dominfo,
DATA_BLOB *error_blob)
{
@@ -132,17 +132,16 @@ static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
const char *reject_string;
switch (reject_reason) {
- case SAMR_REJECT_TOO_SHORT:
+ case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long",
dominfo->min_password_length);
break;
- case SAMR_REJECT_COMPLEXITY:
+ case SAM_PWD_CHANGE_NOT_COMPLEX:
reject_string = "Password does not meet complexity requirements";
break;
- case SAMR_REJECT_IN_HISTORY:
+ case SAM_PWD_CHANGE_PWD_IN_HISTORY:
reject_string = "Password is already in password history";
break;
- case SAMR_REJECT_OTHER:
default:
reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
dominfo->min_password_length, dominfo->password_history_length);
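Review bot: `reject_string` comes from `talloc_asprintf` in the `SAM_PWD_CHANGE_PASSWORD_TOO_SHORT` and `default` branches, and no NULL check is visible before it is used. The use itself lies after the switch, outside this hunk, so an existing check there cannot be ruled out. If there is none, add one after the switch, `if (reject_string == NULL) { return false; }`, so an allocation failure does not reach the reply formatting. With `case SAMR_REJECT_OTHER:` removed, `default` now also catches any reason value not listed here and tells the user only about length and history. A comment on `default` noting that would help.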
@@ -178,7 +177,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
DATA_BLOB *reply)
{
NTSTATUS status;
- enum samr_RejectReason reject_reason;
+ enum samPwdChangeReason reject_reason;
struct samr_DomInfo1 *dominfo;
struct ldb_context *samdb;
@@ -248,7 +247,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
case KRB5_KPASSWD_VERS_SETPW:
{
NTSTATUS status;
- enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
+ enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;
struct samr_DomInfo1 *dominfo = NULL;
struct ldb_context *samdb;
struct ldb_message *msg;
@@ -349,7 +348,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
status = NT_STATUS_TRANSACTION_ABORTED;
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
- SAMR_REJECT_OTHER,
+ SAM_PWD_CHANGE_NO_ERROR,
NULL,
reply);
}
@@ -362,7 +361,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
ldb_transaction_cancel(samdb);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
- SAMR_REJECT_OTHER,
+ SAM_PWD_CHANGE_NO_ERROR,
NULL,
reply);
}
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 450af82895..1e6eb47e86 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -177,8 +177,9 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
/*
samr_OemChangePasswordUser2
*/
-NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct samr_OemChangePasswordUser2 *r)
+NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct samr_OemChangePasswordUser2 *r)
{
NTSTATUS status;
DATA_BLOB new_password, new_unicode_password;
@@ -335,8 +336,8 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
samr_ChangePasswordUser3
*/
NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct samr_ChangePasswordUser3 *r)
+ TALLOC_CTX *mem_ctx,
+ struct samr_ChangePasswordUser3 *r)
{
NTSTATUS status;
DATA_BLOB new_password;
@@ -348,8 +349,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
- enum samr_RejectReason reason = SAMR_REJECT_OTHER;
+ struct userPwdChangeFailureInformation *reject = NULL;
+ enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR;
uint8_t new_nt_hash[16], new_lm_hash[16];
struct samr_Password nt_verifier, lm_verifier;
@@ -465,6 +466,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
true, /* this is a user password change */
&reason,
&dominfo);
+
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
@@ -494,18 +496,16 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
failed:
ldb_transaction_cancel(sam_ctx);
- talloc_free(sam_ctx);
- reject = talloc(mem_ctx, struct samr_ChangeReject);
- *r->out.dominfo = dominfo;
- *r->out.reject = reject;
+ reject = talloc(mem_ctx, struct userPwdChangeFailureInformation);
+ if (reject != NULL) {
+ ZERO_STRUCTP(reject);
+ reject->extendedFailureReason = reason;
- if (reject == NULL) {
- return status;
+ *r->out.reject = reject;
}
- ZERO_STRUCTP(reject);
- reject->reason = reason;
+ *r->out.dominfo = dominfo;
return status;
}
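Review bot: When the `talloc` of `reject` fails, the new code skips `*r->out.reject = reject;` and leaves the out pointer at whatever it held before. The removed code assigned it (as NULL) before returning. Whether `*r->out.reject` is cleared earlier in dcesrv_samr_ChangePasswordUser3 is outside this hunk. If it is not, the reply could marshal a stale pointer. Moving the assignment out of the `if` restores the old guarantee: `*r->out.reject = reject;` placed next to `*r->out.dominfo = dominfo;`. `talloc_zero(mem_ctx, struct userPwdChangeFailureInformation)` would also replace the separate `ZERO_STRUCTP` call.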
@@ -516,12 +516,13 @@ failed:
easy - just a subset of samr_ChangePasswordUser3
*/
-NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct samr_ChangePasswordUser2 *r)
+NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct samr_ChangePasswordUser2 *r)
{
struct samr_ChangePasswordUser3 r2;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
r2.in.server = r->in.server;
r2.in.account = r->in.account;
@@ -584,7 +585,8 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
*/
NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
struct ldb_context *sam_ctx,
- struct ldb_dn *account_dn, struct ldb_dn *domain_dn,
+ struct ldb_dn *account_dn,
+ struct ldb_dn *domain_dn,
TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
struct samr_CryptPasswordEx *pwbuf)
@@ -627,4 +629,3 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
NULL, NULL);
}
-
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index b786c3f46a..c448b3bb83 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2132,7 +2132,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
uint8_t old_lm_hash[16], new_lm_hash[16];
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
torture_comment(tctx, "Testing ChangePasswordUser3\n");
@@ -2269,9 +2269,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
&& (!null_nttime(last_password_change) || !dominfo->min_password_age)) {
if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) {
- if (reject && (reject->reason != SAMR_REJECT_OTHER)) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
}
@@ -2288,40 +2288,40 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) &&
(last_password_change + dominfo->min_password_age > t)) {
- if (reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
} else if ((dominfo->min_password_length > 0) &&
(strlen(newpass) < dominfo->min_password_length)) {
- if (reject->reason != SAMR_REJECT_TOO_SHORT) {
- torture_warning(tctx, "expected SAMR_REJECT_TOO_SHORT (%d), got %d\n",
- SAMR_REJECT_TOO_SHORT, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n",
+ SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason);
return false;
}
} else if ((dominfo->password_history_length > 0) &&
strequal(oldpass, newpass)) {
- if (reject->reason != SAMR_REJECT_IN_HISTORY) {
- torture_warning(tctx, "expected SAMR_REJECT_IN_HISTORY (%d), got %d\n",
- SAMR_REJECT_IN_HISTORY, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n",
+ SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason);
return false;
}
} else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) {
- if (reject->reason != SAMR_REJECT_COMPLEXITY) {
- torture_warning(tctx, "expected SAMR_REJECT_COMPLEXITY (%d), got %d\n",
- SAMR_REJECT_COMPLEXITY, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n",
+ SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason);
return false;
}
}
- if (reject->reason == SAMR_REJECT_TOO_SHORT) {
+ if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
/* retry with adjusted size */
return test_ChangePasswordUser3(p, tctx, account_string,
dominfo->min_password_length,
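Review bot: Every comparison in this if/else chain, and the retry check after it, reads `reject->extendedFailureReason` without testing `reject`. The neighbouring hunks in this file guard the same access with `reject &&`. `reject` starts as NULL and is filled from the server's reply, so a server that returns a password restriction without the failure structure would crash the torture run instead of failing the test. Add one guard before the chain: `if (reject == NULL) { torture_warning(tctx, "no failure information returned\n"); return false; }`. The enclosing condition begins outside this hunk, so an earlier check may already exist there.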
@@ -2330,9 +2330,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
}
} else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- if (reject && reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
/* Perhaps the server has a 'min password age' set? */
@@ -2369,7 +2369,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
uint8_t old_nt_hash[16], new_nt_hash[16];
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
new_random_pass = samr_very_rand_pass(tctx, 128);
@@ -2444,9 +2444,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- if (reject && reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
/* Perhaps the server has a 'min password age' set? */
@@ -2482,9 +2482,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- if (reject && reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
/* Perhaps the server has a 'min password age' set? */