From 406f345d889d7e804c5d861223fa66abb213bb23 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 26 May 2004 04:20:17 +0000 Subject: r897: - user/group creation needs to create unique names across both the Builtin and local domain, as some calls (notably password change calls) don't specify a domain name, they just specifiy an account name. - added the remaining password set levels to SetUserInfo in the samr server. We now support all of the password set and change levels that we know about in SAMR. (This used to be commit 965748cbee7853238e9e5f4a4d75780f206d492e) --- source4/rpc_server/samr/dcesrv_samr.c | 81 ++++++++++++++++++++++++++++++++- source4/rpc_server/samr/samr_password.c | 47 +++++++++++++++++++ 2 files changed, 126 insertions(+), 2 deletions(-) diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 1ffda9795b..da89688d8f 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -427,7 +427,7 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO } /* check if the group already exists */ - name = samdb_search_string(d_state->sam_ctx, mem_ctx, d_state->domain_dn, + name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, "sAMAccountName", "(&(sAMAccountName=%s)(objectclass=group))", groupname); @@ -573,7 +573,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX } /* check if the user already exists */ - name = samdb_search_string(d_state->sam_ctx, mem_ctx, d_state->domain_dn, + name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, "sAMAccountName", "(&(sAMAccountName=%s)(objectclass=user))", username); if (name != NULL) { @@ -1711,6 +1711,40 @@ static NTSTATUS samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX SET_UINT (msg, info21.country_code, "countryCode"); IFSET(SAMR_FIELD_CODE_PAGE) SET_UINT (msg, info21.code_page, "codePage"); +#undef IFSET + break; + + case 23: +#define IFSET(bit) if (bit & r->in.info->info23.info.fields_present) + IFSET(SAMR_FIELD_NAME) + SET_STRING(msg, info23.info.full_name.name, "displayName"); + IFSET(SAMR_FIELD_DESCRIPTION) + SET_STRING(msg, info23.info.description.name, "description"); + IFSET(SAMR_FIELD_COMMENT) + SET_STRING(msg, info23.info.comment.name, "comment"); + IFSET(SAMR_FIELD_LOGON_SCRIPT) + SET_STRING(msg, info23.info.logon_script.name, "scriptPath"); + IFSET(SAMR_FIELD_PROFILE) + SET_STRING(msg, info23.info.profile.name, "profilePath"); + IFSET(SAMR_FIELD_WORKSTATION) + SET_STRING(msg, info23.info.workstations.name, "userWorkstations"); + IFSET(SAMR_FIELD_LOGON_HOURS) + SET_LHOURS(msg, info23.info.logon_hours, "logonHours"); + IFSET(SAMR_FIELD_CALLBACK) + SET_STRING(msg, info23.info.callback.name, "userParameters"); + IFSET(SAMR_FIELD_COUNTRY_CODE) + SET_UINT (msg, info23.info.country_code, "countryCode"); + IFSET(SAMR_FIELD_CODE_PAGE) + SET_UINT (msg, info23.info.code_page, "codePage"); + IFSET(SAMR_FIELD_PASSWORD) { + status = samr_set_password(dce_call, + a_state->sam_ctx, + a_state->account_dn, + a_state->domain_state->domain_dn, + mem_ctx, msg, + &r->in.info->info23.password); + } +#undef IFSET break; /* the set password levels are handled separately */ @@ -1722,6 +1756,49 @@ static NTSTATUS samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX mem_ctx, msg, &r->in.info->info24.password); break; + + case 25: +#define IFSET(bit) if (bit & r->in.info->info25.info.fields_present) + IFSET(SAMR_FIELD_NAME) + SET_STRING(msg, info25.info.full_name.name, "displayName"); + IFSET(SAMR_FIELD_DESCRIPTION) + SET_STRING(msg, info25.info.description.name, "description"); + IFSET(SAMR_FIELD_COMMENT) + SET_STRING(msg, info25.info.comment.name, "comment"); + IFSET(SAMR_FIELD_LOGON_SCRIPT) + SET_STRING(msg, info25.info.logon_script.name, "scriptPath"); + IFSET(SAMR_FIELD_PROFILE) + SET_STRING(msg, info25.info.profile.name, "profilePath"); + IFSET(SAMR_FIELD_WORKSTATION) + SET_STRING(msg, info25.info.workstations.name, "userWorkstations"); + IFSET(SAMR_FIELD_LOGON_HOURS) + SET_LHOURS(msg, info25.info.logon_hours, "logonHours"); + IFSET(SAMR_FIELD_CALLBACK) + SET_STRING(msg, info25.info.callback.name, "userParameters"); + IFSET(SAMR_FIELD_COUNTRY_CODE) + SET_UINT (msg, info25.info.country_code, "countryCode"); + IFSET(SAMR_FIELD_CODE_PAGE) + SET_UINT (msg, info25.info.code_page, "codePage"); + IFSET(SAMR_FIELD_PASSWORD) { + status = samr_set_password_ex(dce_call, + a_state->sam_ctx, + a_state->account_dn, + a_state->domain_state->domain_dn, + mem_ctx, msg, + &r->in.info->info25.password); + } +#undef IFSET + break; + + /* the set password levels are handled separately */ + case 26: + status = samr_set_password_ex(dce_call, + a_state->sam_ctx, + a_state->account_dn, + a_state->domain_state->domain_dn, + mem_ctx, msg, + &r->in.info->info26.password); + break; default: diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index c912566d09..46c2a41fb2 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -704,3 +704,50 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, NULL); } + +/* + set password via a samr_CryptPasswordEx buffer + this will in the 'msg' with modify operations that will update the user + password when applied +*/ +NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, + void *sam_ctx, + const char *account_dn, const char *domain_dn, + TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + struct samr_CryptPasswordEx *pwbuf) +{ + char new_pass[512]; + uint32_t new_pass_len; + DATA_BLOB co_session_key; + DATA_BLOB session_key = dce_call->conn->session_key; + struct MD5Context ctx; + + co_session_key = data_blob_talloc(mem_ctx, NULL, 16); + if (!co_session_key.data) { + return NT_STATUS_NO_MEMORY; + } + + MD5Init(&ctx); + MD5Update(&ctx, &pwbuf->data[516], 16); + MD5Update(&ctx, session_key.data, session_key.length); + MD5Final(co_session_key.data, &ctx); + + SamOEMhashBlob(pwbuf->data, 516, &co_session_key); + + if (!decode_pw_buffer(pwbuf->data, new_pass, sizeof(new_pass), + &new_pass_len, STR_UNICODE)) { + DEBUG(3,("samr: failed to decode password buffer\n")); + return NT_STATUS_WRONG_PASSWORD; + } + + /* set the password - samdb needs to know both the domain and user DNs, + so the domain password policy can be used */ + return samdb_set_password(sam_ctx, mem_ctx, + account_dn, domain_dn, + msg, new_pass, + NULL, NULL, + False, + NULL); +} + -- cgit