summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/chgpasswd.c48
-rw-r--r--source3/smbd/lanman.c83
2 files changed, 28 insertions, 103 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index b22ccacbf1..5e646b6225 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -934,53 +934,5 @@ BOOL change_oem_password(SAM_ACCOUNT *hnd, char *new_passwd)
return ret;
}
-/***********************************************************
- Code to check a plaintext password against smbpasswd entries.
-***********************************************************/
-
-BOOL check_plaintext_password(char *user, char *old_passwd,
- int old_passwd_size, SAM_ACCOUNT **hnd)
-{
- SAM_ACCOUNT *sampass = NULL;
- uchar old_pw[16], old_ntpw[16];
- BOOL ret;
-
- pdb_init_sam(&sampass);
-
- become_root();
- ret = pdb_getsampwnam(sampass, user);
- unbecome_root();
-
- *hnd = sampass;
-
- if (ret == False)
- {
- DEBUG(0,("check_plaintext_password: getsmbpwnam returned NULL\n"));
- return False;
- }
-
- if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED)
- {
- DEBUG(0,("check_plaintext_password: account %s disabled.\n", user));
- return (False);
- }
- nt_lm_owf_gen(old_passwd, old_ntpw, old_pw);
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("check_plaintext_password: nt_passwd \n"));
- dump_data(100, pdb_get_nt_passwd(sampass), 16);
- DEBUG(100, ("check_plaintext_password: old_ntpw \n"));
- dump_data(100, old_ntpw, 16);
- DEBUG(100, ("check_plaintext_password: lanman_passwd \n"));
- dump_data(100, pdb_get_lanman_passwd(sampass), 16);
- DEBUG(100, ("check_plaintext_password: old_pw\n"));
- dump_data(100, old_pw, 16);
-#endif
-
- if (memcmp(pdb_get_nt_passwd(sampass), old_ntpw, 16)
- && memcmp(pdb_get_lanman_passwd(sampass), old_pw, 16))
- return (False);
- else
- return (True);
-}
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index fb8b52342a..1a5777e1d4 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -1923,8 +1923,6 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
fstring user;
fstring pass1,pass2;
- struct passwd *passwd;
-
pull_ascii_fstring(user,p);
p = skip_string(p,1);
@@ -1945,67 +1943,42 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
DEBUG(3,("Set password for <%s>\n",user));
/*
- * Pass the user through the NT -> unix user mapping
- * function.
- */
-
- (void)map_username(user);
-
- /*
- * Do any UNIX username case mangling.
- */
- passwd = Get_Pwnam_Modify( user );
-
- /*
* Attempt to verify the old password against smbpasswd entries
* Win98 clients send old and new password in plaintext for this call.
*/
{
- fstring saved_pass2;
- SAM_ACCOUNT *sampass=NULL;
-
- /*
- * Save the new password as change_oem_password overwrites it
- * with zeros.
- */
-
- fstrcpy(saved_pass2, pass2);
-
- if (check_plaintext_password(user,pass1,strlen(pass1),&sampass) &&
- change_oem_password(sampass,pass2))
- {
- SSVAL(*rparam,0,NERR_Success);
-
- /*
- * If unix password sync was requested, attempt to change
- * the /etc/passwd database also. Return failure if this cannot
- * be done.
- */
-
- if(lp_unix_password_sync() && !chgpasswd(user,pass1,saved_pass2,False))
- SSVAL(*rparam,0,NERR_badpass);
- }
- pdb_free_sam(&sampass);
- }
-
-
- /*
- * If the above failed, attempt the plaintext password change.
- * This tests against the /etc/passwd database only.
- */
-
- if(SVAL(*rparam,0) != NERR_Success)
- {
- if NT_STATUS_IS_OK(pass_check(passwd, user, pass1,
- strlen(pass1), NULL, False))
+ auth_serversupplied_info *server_info = NULL;
+ DATA_BLOB password = data_blob(pass1, strlen(pass1)+1);
+ if (NT_STATUS_IS_OK(check_plaintext_password(user,password,&server_info))) {
+ if (change_oem_password(server_info->sam_account,pass2))
{
- if (chgpasswd(user,pass1,pass2,False)) {
- SSVAL(*rparam,0,NERR_Success);
- }
+ SSVAL(*rparam,0,NERR_Success);
}
+
+ /*
+ * If unix password sync was requested, attempt to change
+ * the /etc/passwd database also. Return failure if this cannot
+ * be done.
+ *
+ * This occours regardless of the previous result, becouse
+ * It might not have been testing the password against the SAM backend.
+ * (and therefore the change_oem_password would fail).
+ *
+ * Conditional on lp_unix_password_sync() becouse we don't want
+ * to touch the unix db unless we have admin permission.
+ */
+
+ if(lp_unix_password_sync() && !chgpasswd(pdb_get_username(server_info->sam_account),
+ pass1,pass2,False)) {
+ SSVAL(*rparam,0,NERR_badpass);
+ }
+
+ free_server_info(&server_info);
+ }
+ data_blob_clear_free(&password);
}
-
+
/*
* If the plaintext change failed, attempt
* the old encrypted method. NT will generate this