summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_samr_nt.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpc_server/srv_samr_nt.c')
-rw-r--r--source3/rpc_server/srv_samr_nt.c143
1 files changed, 79 insertions, 64 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 1128a856cd..c60d904b18 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -719,7 +719,7 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
/*******************************************************************
********************************************************************/
-static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
+static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol,
DOM_SID *sid, uint32 *acc_granted,
DISP_INFO **ppdisp_info)
{
@@ -2122,8 +2122,6 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
{
struct samu *sampass=NULL;
DOM_SID sid;
- POLICY_HND domain_pol = *r->in.domain_handle;
- POLICY_HND *user_pol = r->out.user_handle;
struct samr_info *info = NULL;
SEC_DESC *psd = NULL;
uint32 acc_granted;
@@ -2135,7 +2133,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
/* find the domain policy handle and get domain SID / access bits in the domain policy. */
- if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
+ if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
return NT_STATUS_INVALID_HANDLE;
nt_status = access_check_samr_function(acc_granted,
@@ -2188,7 +2186,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
info->acc_granted = acc_granted;
/* get a (unique) handle. open a policy on it. */
- if (!create_policy_hnd(p, user_pol, info))
+ if (!create_policy_hnd(p, r->out.user_handle, info))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
return NT_STATUS_OK;
@@ -3032,9 +3030,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
{
const char *account = NULL;
DOM_SID sid;
- POLICY_HND dom_pol = *r->in.domain_handle;
uint32_t acb_info = r->in.acct_flags;
- POLICY_HND *user_pol = r->out.user_handle;
struct samr_info *info = NULL;
NTSTATUS nt_status;
uint32 acc_granted;
@@ -3047,7 +3043,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
DISP_INFO *disp_info = NULL;
/* Get the domain SID stored in the domain policy */
- if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
+ if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted,
&disp_info))
return NT_STATUS_INVALID_HANDLE;
@@ -3159,7 +3155,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
info->acc_granted = acc_granted;
/* get a (unique) handle. open a policy on it. */
- if (!create_policy_hnd(p, user_pol, info)) {
+ if (!create_policy_hnd(p, r->out.user_handle, info)) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
@@ -3447,9 +3443,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
struct samr_OpenAlias *r)
{
DOM_SID sid;
- POLICY_HND domain_pol = *r->in.domain_handle;
uint32 alias_rid = r->in.rid;
- POLICY_HND *alias_pol = r->out.alias_handle;
struct samr_info *info = NULL;
SEC_DESC *psd = NULL;
uint32 acc_granted;
@@ -3460,7 +3454,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
/* find the domain policy and get the SID / access bits stored in the domain policy */
- if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
+ if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
return NT_STATUS_INVALID_HANDLE;
status = access_check_samr_function(acc_granted,
@@ -3521,7 +3515,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
info->acc_granted = acc_granted;
/* get a (unique) handle. open a policy on it. */
- if (!create_policy_hnd(p, alias_pol, info))
+ if (!create_policy_hnd(p, r->out.alias_handle, info))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
return NT_STATUS_OK;
@@ -3642,12 +3636,7 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
}
- if (id18->password_expired) {
- pdb_set_pass_last_set_time(pwd, 0, PDB_CHANGED);
- } else {
- /* FIXME */
- pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
- }
+ copy_id18_to_sam_passwd(pwd, id18);
return pdb_update_sam_account(pwd);
}
@@ -3854,23 +3843,16 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
set_user_info_pw
********************************************************************/
-static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
- int level)
+static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
{
uint32 len = 0;
char *plaintext_buf = NULL;
uint32 acct_ctrl;
- time_t last_set_time;
- enum pdb_value_state last_set_state;
DEBUG(5, ("Attempting administrator password change for user %s\n",
pdb_get_username(pwd)));
acct_ctrl = pdb_get_acct_ctrl(pwd);
- /* we need to know if it's expired, because this is an admin change, not a
- user change, so it's still expired when we're done */
- last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
- last_set_time = pdb_get_pass_last_set_time(pwd);
if (!decode_pw_buffer(talloc_tos(),
pass,
@@ -3913,29 +3895,38 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
memset(plaintext_buf, '\0', strlen(plaintext_buf));
- /*
- * A level 25 change does reset the pwdlastset field, a level 24
- * change does not. I know this is probably not the full story, but
- * it is needed to make XP join LDAP correctly, without it the later
- * auth2 check can fail with PWD_MUST_CHANGE.
- */
- if (level != 25) {
- /*
- * restore last set time as this is an admin change, not a
- * user pw change
- */
- pdb_set_pass_last_set_time (pwd, last_set_time,
- last_set_state);
+ DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
+
+ return True;
+}
+
+/*******************************************************************
+ set_user_info_24
+ ********************************************************************/
+
+static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
+ struct samr_UserInfo24 *id24,
+ struct samu *pwd)
+{
+ NTSTATUS status;
+
+ if (id24 == NULL) {
+ DEBUG(5, ("set_user_info_24: NULL id24\n"));
+ return NT_STATUS_INVALID_PARAMETER;
}
- DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
+ if (!set_user_info_pw(id24->password.data, pwd)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
- /* update the SAMBA password */
- if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
- return False;
+ copy_id24_to_sam_passwd(pwd, id24);
+
+ status = pdb_update_sam_account(pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- return True;
+ return NT_STATUS_OK;
}
/*******************************************************************
@@ -3961,6 +3952,14 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCESS_DENIED;
}
+ if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
+
+ if (!set_user_info_pw(id25->password.data, pwd)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ }
+
copy_id25_to_sam_passwd(pwd, id25);
/* write the change out */
@@ -3987,6 +3986,36 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
}
/*******************************************************************
+ set_user_info_26
+ ********************************************************************/
+
+static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
+ struct samr_UserInfo26 *id26,
+ struct samu *pwd)
+{
+ NTSTATUS status;
+
+ if (id26 == NULL) {
+ DEBUG(5, ("set_user_info_26: NULL id26\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!set_user_info_pw(id26->password.data, pwd)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ copy_id26_to_sam_passwd(pwd, id26);
+
+ status = pdb_update_sam_account(pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/*******************************************************************
samr_SetUserInfo
********************************************************************/
@@ -3996,7 +4025,6 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
NTSTATUS status;
struct samu *pwd = NULL;
DOM_SID sid;
- POLICY_HND *pol = r->in.user_handle;
union samr_UserInfo *info = r->in.info;
uint16_t switch_value = r->in.level;
uint32_t acc_granted;
@@ -4009,7 +4037,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
/* find the policy handle. open a policy on it. */
- if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
+ if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, &disp_info)) {
return NT_STATUS_INVALID_HANDLE;
}
@@ -4146,10 +4174,8 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
dump_data(100, info->info24.password.data, 516);
- if (!set_user_info_pw(info->info24.password.data, pwd,
- switch_value)) {
- status = NT_STATUS_WRONG_PASSWORD;
- }
+ status = set_user_info_24(p->mem_ctx,
+ &info->info24, pwd);
break;
case 25:
@@ -4164,13 +4190,6 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
status = set_user_info_25(p->mem_ctx,
&info->info25, pwd);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- if (!set_user_info_pw(info->info25.password.data, pwd,
- switch_value)) {
- status = NT_STATUS_WRONG_PASSWORD;
- }
break;
case 26:
@@ -4183,18 +4202,14 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
dump_data(100, info->info26.password.data, 516);
- if (!set_user_info_pw(info->info26.password.data, pwd,
- switch_value)) {
- status = NT_STATUS_WRONG_PASSWORD;
- }
+ status = set_user_info_26(p->mem_ctx,
+ &info->info26, pwd);
break;
default:
status = NT_STATUS_INVALID_INFO_CLASS;
}
- done:
-
TALLOC_FREE(pwd);
if (has_enough_rights) {
generated by cgit (git 2.34.1) at 2024-06-29 00:40:18 +0000