diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/common/util.c | 25 | ||||
-rw-r--r-- | source4/kdc/kpasswdd.c | 17 | ||||
-rw-r--r-- | source4/rpc_server/samr/samr_password.c | 39 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 54 |
4 files changed, 69 insertions, 66 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index ce74c7b19c..9a8b59e55d 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1583,7 +1583,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, struct samr_Password *param_lmNewHash, struct samr_Password *param_ntNewHash, bool user_change, - enum samr_RejectReason *reject_reason, + enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { const char * const user_attrs[] = { "userAccountControl", @@ -1702,7 +1702,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, && (minPwdLength > utf16_len_n( new_password->data, new_password->length)/2)) { if (reject_reason) { - *reject_reason = SAMR_REJECT_TOO_SHORT; + *reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1726,7 +1726,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, & DOMAIN_PASSWORD_COMPLEX) != 0) && (!check_password_quality(new_pass))) { if (reject_reason) { - *reject_reason = SAMR_REJECT_COMPLEXITY; + *reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1742,7 +1742,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* are all password changes disallowed? */ if ((pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) != 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_OTHER; + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1750,7 +1750,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* can this user change the password? */ if ((userAccountControl & UF_PASSWD_CANT_CHANGE) != 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_OTHER; + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1758,7 +1758,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */ if (pwdLastSet - minPwdAge > now_nt) { if (reject_reason) { - *reject_reason = SAMR_REJECT_OTHER; + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1768,14 +1768,14 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, if (lmNewHash && lmPwdHash && memcmp(lmNewHash->hash, lmPwdHash->hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } if (ntNewHash && ntPwdHash && memcmp(ntNewHash->hash, ntPwdHash->hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1791,7 +1791,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, if (memcmp(lmNewHash->hash, sambaLMPwdHistory[i].hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1800,7 +1800,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, if (memcmp(ntNewHash->hash, sambaNTPwdHistory[i].hash, 16) == 0) { if (reject_reason) { - *reject_reason = SAMR_REJECT_IN_HISTORY; + *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY; } return NT_STATUS_PASSWORD_RESTRICTION; } @@ -1833,6 +1833,9 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, } } + if (reject_reason) { + *reject_reason = SAM_PWD_CHANGE_NO_ERROR; + } return NT_STATUS_OK; } @@ -1851,7 +1854,7 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, bool user_change, - enum samr_RejectReason *reject_reason, + enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { NTSTATUS nt_status; diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 9664d1b016..f9bd683e88 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -113,7 +113,7 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc, static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, NTSTATUS status, - enum samr_RejectReason reject_reason, + enum samPwdChangeReason reject_reason, struct samr_DomInfo1 *dominfo, DATA_BLOB *error_blob) { @@ -132,17 +132,16 @@ static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { const char *reject_string; switch (reject_reason) { - case SAMR_REJECT_TOO_SHORT: + case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT: reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long", dominfo->min_password_length); break; - case SAMR_REJECT_COMPLEXITY: + case SAM_PWD_CHANGE_NOT_COMPLEX: reject_string = "Password does not meet complexity requirements"; break; - case SAMR_REJECT_IN_HISTORY: + case SAM_PWD_CHANGE_PWD_IN_HISTORY: reject_string = "Password is already in password history"; break; - case SAMR_REJECT_OTHER: default: reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords", dominfo->min_password_length, dominfo->password_history_length); @@ -178,7 +177,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, DATA_BLOB *reply) { NTSTATUS status; - enum samr_RejectReason reject_reason; + enum samPwdChangeReason reject_reason; struct samr_DomInfo1 *dominfo; struct ldb_context *samdb; @@ -248,7 +247,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, case KRB5_KPASSWD_VERS_SETPW: { NTSTATUS status; - enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER; + enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR; struct samr_DomInfo1 *dominfo = NULL; struct ldb_context *samdb; struct ldb_message *msg; @@ -349,7 +348,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, status = NT_STATUS_TRANSACTION_ABORTED; return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, - SAMR_REJECT_OTHER, + SAM_PWD_CHANGE_NO_ERROR, NULL, reply); } @@ -362,7 +361,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, ldb_transaction_cancel(samdb); return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, - SAMR_REJECT_OTHER, + SAM_PWD_CHANGE_NO_ERROR, NULL, reply); } diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 450af82895..1e6eb47e86 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -177,8 +177,9 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, /* samr_OemChangePasswordUser2 */ -NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct samr_OemChangePasswordUser2 *r) +NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, + TALLOC_CTX *mem_ctx, + struct samr_OemChangePasswordUser2 *r) { NTSTATUS status; DATA_BLOB new_password, new_unicode_password; @@ -335,8 +336,8 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, samr_ChangePasswordUser3 */ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - TALLOC_CTX *mem_ctx, - struct samr_ChangePasswordUser3 *r) + TALLOC_CTX *mem_ctx, + struct samr_ChangePasswordUser3 *r) { NTSTATUS status; DATA_BLOB new_password; @@ -348,8 +349,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, struct samr_Password *nt_pwd, *lm_pwd; DATA_BLOB nt_pwd_blob; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; - enum samr_RejectReason reason = SAMR_REJECT_OTHER; + struct userPwdChangeFailureInformation *reject = NULL; + enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR; uint8_t new_nt_hash[16], new_lm_hash[16]; struct samr_Password nt_verifier, lm_verifier; @@ -465,6 +466,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, true, /* this is a user password change */ &reason, &dominfo); + if (!NT_STATUS_IS_OK(status)) { goto failed; } @@ -494,18 +496,16 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, failed: ldb_transaction_cancel(sam_ctx); - talloc_free(sam_ctx); - reject = talloc(mem_ctx, struct samr_ChangeReject); - *r->out.dominfo = dominfo; - *r->out.reject = reject; + reject = talloc(mem_ctx, struct userPwdChangeFailureInformation); + if (reject != NULL) { + ZERO_STRUCTP(reject); + reject->extendedFailureReason = reason; - if (reject == NULL) { - return status; + *r->out.reject = reject; } - ZERO_STRUCTP(reject); - reject->reason = reason; + *r->out.dominfo = dominfo; return status; } @@ -516,12 +516,13 @@ failed: easy - just a subset of samr_ChangePasswordUser3 */ -NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct samr_ChangePasswordUser2 *r) +NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, + TALLOC_CTX *mem_ctx, + struct samr_ChangePasswordUser2 *r) { struct samr_ChangePasswordUser3 r2; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; r2.in.server = r->in.server; r2.in.account = r->in.account; @@ -584,7 +585,8 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, */ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, struct ldb_context *sam_ctx, - struct ldb_dn *account_dn, struct ldb_dn *domain_dn, + struct ldb_dn *account_dn, + struct ldb_dn *domain_dn, TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct samr_CryptPasswordEx *pwbuf) @@ -627,4 +629,3 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, NULL, NULL); } - diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index b786c3f46a..c448b3bb83 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2132,7 +2132,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct uint8_t old_lm_hash[16], new_lm_hash[16]; NTTIME t; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; torture_comment(tctx, "Testing ChangePasswordUser3\n"); @@ -2269,9 +2269,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct && (!null_nttime(last_password_change) || !dominfo->min_password_age)) { if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) { - if (reject && (reject->reason != SAMR_REJECT_OTHER)) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } } @@ -2288,40 +2288,40 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) && (last_password_change + dominfo->min_password_age > t)) { - if (reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } } else if ((dominfo->min_password_length > 0) && (strlen(newpass) < dominfo->min_password_length)) { - if (reject->reason != SAMR_REJECT_TOO_SHORT) { - torture_warning(tctx, "expected SAMR_REJECT_TOO_SHORT (%d), got %d\n", - SAMR_REJECT_TOO_SHORT, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n", + SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason); return false; } } else if ((dominfo->password_history_length > 0) && strequal(oldpass, newpass)) { - if (reject->reason != SAMR_REJECT_IN_HISTORY) { - torture_warning(tctx, "expected SAMR_REJECT_IN_HISTORY (%d), got %d\n", - SAMR_REJECT_IN_HISTORY, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n", + SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason); return false; } } else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) { - if (reject->reason != SAMR_REJECT_COMPLEXITY) { - torture_warning(tctx, "expected SAMR_REJECT_COMPLEXITY (%d), got %d\n", - SAMR_REJECT_COMPLEXITY, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n", + SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason); return false; } } - if (reject->reason == SAMR_REJECT_TOO_SHORT) { + if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) { /* retry with adjusted size */ return test_ChangePasswordUser3(p, tctx, account_string, dominfo->min_password_length, @@ -2330,9 +2330,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct } } else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -2369,7 +2369,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex uint8_t old_nt_hash[16], new_nt_hash[16]; NTTIME t; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; new_random_pass = samr_very_rand_pass(tctx, 128); @@ -2444,9 +2444,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -2482,9 +2482,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ |