diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/configure.in | 58 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 17 | ||||
-rw-r--r-- | source3/smbd/chgpasswd.c | 81 | ||||
-rw-r--r-- | source3/utils/smbpasswd.c | 7 | ||||
-rw-r--r-- | source3/web/swat.c | 7 |
5 files changed, 144 insertions, 26 deletions
diff --git a/source3/configure.in b/source3/configure.in index 8e0434971c..da046d3cc2 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -2962,6 +2962,64 @@ if test x"$samba_cv_HAVE_TRUNCATED_SALT" = x"yes"; then fi fi + +dictpath="/usr/lib/cracklib_dict" + +############################################### +# test for where we get FaciestCheck from +AC_MSG_CHECKING(where to use cracklib from (default=$dictpath)) +AC_ARG_WITH(cracklib, +[ --with-cracklib[=DIR] Look for cracklib dictionary in this location ], +[ case "$withval" in + yes) + AC_MSG_RESULT(${dictpath}) + ;; + no) + AC_MSG_RESULT(no) + dictpath="" + ;; + *) + dictpath="$withval" + AC_MSG_RESULT(${dictpath}) + ;; + esac ], + dictpath="" + AC_MSG_RESULT(no) +) + +if test x$dictpath != x""; then + AC_SEARCH_LIBS(FascistCheck, [crack], + [test "$ac_cv_search_crack" = "none required" || samba_cv_found_crack="yes" + AC_DEFINE(HAVE_CRACK,1,[Whether the system has the FaciestCheck function from cracklib])]) + + crack_saved_libs=$LIBS; + + if test x$samba_cv_found_crack=x"yes"; then + AC_SEARCH_LIBS(CRACKLIB_DICTPATH, [crypt], + AC_DEFINE(HAVE_CRACKLIB_DICTPATH, 1, [Whether we have given a CRACKLIB_DICTPATH in our headers]) + ) + + AC_DEFINE_UNQUOTED(SAMBA_CRACKLIB_DICTPATH, "$dictpath", [Where the cracklib dictionay is]) + AC_MSG_CHECKING(Whether we have a working cracklib) + AC_TRY_RUN([ + #include "${srcdir-.}/tests/crack.c"], + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_WORKING_CRACKLIB,1,[Whether we have a working cracklib]) + AUTH_LIBS="-lcrack $AUTH_LIBS", + + AC_MSG_RESULT(no) + AC_MSG_WARN(cracklib exists - but does not function correctly), + + AC_MSG_RESULT(no) + AC_MSG_WARN(cannot test-run when cross-compiling) + ) + else + AC_MSG_CHECKING(Whether we have cracklib) + AC_MSG_RESULT(no) + fi + LIBS=$crack_saved_libs +fi + ######################################################################################## ## ## TESTS FOR SAM BACKENDS. KEEP THESE GROUPED TOGETHER diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bcb5b239be..b8de24cf39 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2834,11 +2834,17 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ - if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + if (lp_unix_password_sync() ) { + struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); + if (!passwd) { + DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); + } + + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } + } } ZERO_STRUCT(plaintext_buf); @@ -2899,7 +2905,12 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); + if (!passwd) { + DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); + } + + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index a452575af3..e3df8a11d0 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -48,6 +48,16 @@ #include "includes.h" +#ifdef HAVE_WORKING_CRACKLIB +#include <crack.h> + +#ifndef HAVE_CRACKLIB_DICTPATH +#ifndef CRACKLIB_DICTPATH +#define CRACKLIB_DICTPATH SAMBA_CRACKLIB_DICTPATH +#endif +#endif +#endif + extern struct passdb_ops pdb_ops; static NTSTATUS check_oem_password(const char *user, @@ -442,25 +452,14 @@ while we were waiting\n", WTERMSIG(wstat))); return (chstat); } -BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL as_root) +BOOL chgpasswd(const char *name, const struct passwd *pass, + const char *oldpass, const char *newpass, BOOL as_root) { pstring passwordprogram; pstring chatsequence; size_t i; size_t len; - struct passwd *pass; - - if (!name) { - DEBUG(1, ("chgpasswd: NULL username specfied !\n")); - } - - pass = Get_Pwnam(name); - if (!pass) { - DEBUG(1, ("chgpasswd: Username does not exist in system !\n")); - return False; - } - if (!oldpass) { oldpass = ""; } @@ -472,13 +471,6 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL #endif /* Take the passed information and test it for minimum criteria */ - /* Minimum password length */ - if (strlen(newpass) < lp_min_passwd_length()) { - /* too short, must be at least MINPASSWDLENGTH */ - DEBUG(0, ("chgpasswd: Password Change: user %s, New password is shorter than minimum password length = %d\n", - name, lp_min_passwd_length())); - return (False); /* inform the user */ - } /* Password is same as old password */ if (strcmp(oldpass, newpass) == 0) { @@ -571,7 +563,8 @@ the string %%u, and the given string %s does not.\n", passwordprogram )); #else /* ALLOW_CHANGE_PASSWORD */ -BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL as_root) +BOOL chgpasswd(const char *name, const struct passwd *pass, + const char *oldpass, const char *newpass, BOOL as_root) { DEBUG(0, ("chgpasswd: Unix Password changing not compiled in (user=%s)\n", name)); return (False); @@ -958,6 +951,8 @@ static NTSTATUS check_oem_password(const char *user, NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passwd, BOOL as_root) { + struct passwd *pass; + BOOL ret; uint32 min_len; @@ -985,7 +980,47 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw /* return NT_STATUS_PWD_TOO_SHORT; */ } - /* TODO: Add cracklib support here */ + pass = Get_Pwnam(pdb_get_username(hnd)); + if (!pass) { + DEBUG(1, ("check_oem_password: Username does not exist in system !?!\n")); + } + +#ifdef HAVE_WORKING_CRACKLIB + if (pass) { + /* if we can, become the user to overcome internal cracklib sillyness */ + if (!push_sec_ctx()) + return NT_STATUS_UNSUCCESSFUL; + + set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL); + set_re_uid(); + } + + if (lp_use_cracklib()) { + const char *crack_check_reason; + DEBUG(4, ("change_oem_password: Checking password for user [%s]" + " against cracklib. \n", pdb_get_username(hnd))); + DEBUGADD(4, ("If this is your last message, then something is " + "wrong with cracklib, it might be missing it's " + "dictionaries at %s\n", + CRACKLIB_DICTPATH)); + dbgflush(); + + crack_check_reason = FascistCheck(new_passwd, (char *)CRACKLIB_DICTPATH); + if (crack_check_reason) { + DEBUG(1, ("Password Change: user [%s], " + "New password failed cracklib test - %s\n", + pdb_get_username(hnd), crack_check_reason)); + + /* get back to where we should be */ + if (pass) + pop_sec_ctx(); + return NT_STATUS_PASSWORD_RESTRICTION; + } + } + + if (pass) + pop_sec_ctx(); +#endif /* * If unix password sync was requested, attempt to change @@ -1000,7 +1035,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw */ if(lp_unix_password_sync() && - !chgpasswd(pdb_get_username(hnd), old_passwd, new_passwd, as_root)) { + !chgpasswd(pdb_get_username(hnd), pass, old_passwd, new_passwd, as_root)) { return NT_STATUS_ACCESS_DENIED; } diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 6854842b20..b4973b4dd5 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -37,6 +37,13 @@ static const char *remote_machine = NULL; static fstring ldap_secret; +/* FUNCTION DECLARATIONS */ + +BOOL remote_password_change(const char *rmachine, const char *username, + const char *old_pw, const char *new_pw, + char *err_str, size_t err_str_len); + + /********************************************************* Print command usage on stderr and die. **********************************************************/ diff --git a/source3/web/swat.c b/source3/web/swat.c index 1faef46e25..d1b028836d 100644 --- a/source3/web/swat.c +++ b/source3/web/swat.c @@ -51,6 +51,13 @@ static int iNumNonAutoPrintServices = 0; #define ENABLE_USER_FLAG "enable_user_flag" #define RHOST "remote_host" +/* FUNCTION DECLARATIONS */ + +BOOL remote_password_change(const char *rmachine, const char *username, + const char *old_pw, const char *new_pw, + char *err_str, size_t err_str_len); + + /**************************************************************************** ****************************************************************************/ static int enum_index(int value, const struct enum_list *enumlist) |