diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/chgpasswd.c | 48 | ||||
-rw-r--r-- | source3/smbd/lanman.c | 83 |
2 files changed, 28 insertions, 103 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index b22ccacbf1..5e646b6225 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -934,53 +934,5 @@ BOOL change_oem_password(SAM_ACCOUNT *hnd, char *new_passwd) return ret; } -/*********************************************************** - Code to check a plaintext password against smbpasswd entries. -***********************************************************/ - -BOOL check_plaintext_password(char *user, char *old_passwd, - int old_passwd_size, SAM_ACCOUNT **hnd) -{ - SAM_ACCOUNT *sampass = NULL; - uchar old_pw[16], old_ntpw[16]; - BOOL ret; - - pdb_init_sam(&sampass); - - become_root(); - ret = pdb_getsampwnam(sampass, user); - unbecome_root(); - - *hnd = sampass; - - if (ret == False) - { - DEBUG(0,("check_plaintext_password: getsmbpwnam returned NULL\n")); - return False; - } - - if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) - { - DEBUG(0,("check_plaintext_password: account %s disabled.\n", user)); - return (False); - } - nt_lm_owf_gen(old_passwd, old_ntpw, old_pw); -#ifdef DEBUG_PASSWORD - DEBUG(100, ("check_plaintext_password: nt_passwd \n")); - dump_data(100, pdb_get_nt_passwd(sampass), 16); - DEBUG(100, ("check_plaintext_password: old_ntpw \n")); - dump_data(100, old_ntpw, 16); - DEBUG(100, ("check_plaintext_password: lanman_passwd \n")); - dump_data(100, pdb_get_lanman_passwd(sampass), 16); - DEBUG(100, ("check_plaintext_password: old_pw\n")); - dump_data(100, old_pw, 16); -#endif - - if (memcmp(pdb_get_nt_passwd(sampass), old_ntpw, 16) - && memcmp(pdb_get_lanman_passwd(sampass), old_pw, 16)) - return (False); - else - return (True); -} diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index fb8b52342a..1a5777e1d4 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1923,8 +1923,6 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param fstring user; fstring pass1,pass2; - struct passwd *passwd; - pull_ascii_fstring(user,p); p = skip_string(p,1); @@ -1945,67 +1943,42 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param DEBUG(3,("Set password for <%s>\n",user)); /* - * Pass the user through the NT -> unix user mapping - * function. - */ - - (void)map_username(user); - - /* - * Do any UNIX username case mangling. - */ - passwd = Get_Pwnam_Modify( user ); - - /* * Attempt to verify the old password against smbpasswd entries * Win98 clients send old and new password in plaintext for this call. */ { - fstring saved_pass2; - SAM_ACCOUNT *sampass=NULL; - - /* - * Save the new password as change_oem_password overwrites it - * with zeros. - */ - - fstrcpy(saved_pass2, pass2); - - if (check_plaintext_password(user,pass1,strlen(pass1),&sampass) && - change_oem_password(sampass,pass2)) - { - SSVAL(*rparam,0,NERR_Success); - - /* - * If unix password sync was requested, attempt to change - * the /etc/passwd database also. Return failure if this cannot - * be done. - */ - - if(lp_unix_password_sync() && !chgpasswd(user,pass1,saved_pass2,False)) - SSVAL(*rparam,0,NERR_badpass); - } - pdb_free_sam(&sampass); - } - - - /* - * If the above failed, attempt the plaintext password change. - * This tests against the /etc/passwd database only. - */ - - if(SVAL(*rparam,0) != NERR_Success) - { - if NT_STATUS_IS_OK(pass_check(passwd, user, pass1, - strlen(pass1), NULL, False)) + auth_serversupplied_info *server_info = NULL; + DATA_BLOB password = data_blob(pass1, strlen(pass1)+1); + if (NT_STATUS_IS_OK(check_plaintext_password(user,password,&server_info))) { + if (change_oem_password(server_info->sam_account,pass2)) { - if (chgpasswd(user,pass1,pass2,False)) { - SSVAL(*rparam,0,NERR_Success); - } + SSVAL(*rparam,0,NERR_Success); } + + /* + * If unix password sync was requested, attempt to change + * the /etc/passwd database also. Return failure if this cannot + * be done. + * + * This occours regardless of the previous result, becouse + * It might not have been testing the password against the SAM backend. + * (and therefore the change_oem_password would fail). + * + * Conditional on lp_unix_password_sync() becouse we don't want + * to touch the unix db unless we have admin permission. + */ + + if(lp_unix_password_sync() && !chgpasswd(pdb_get_username(server_info->sam_account), + pass1,pass2,False)) { + SSVAL(*rparam,0,NERR_badpass); + } + + free_server_info(&server_info); + } + data_blob_clear_free(&password); } - + /* * If the plaintext change failed, attempt * the old encrypted method. NT will generate this |