From c64ff63349c0ed5409db1a20be8d9c5bce6ab501 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Sat, 21 Feb 2004 17:41:32 +0000 Subject: Add calls to password lockout functions. Should now work against tdbsam only. (This used to be commit 6ccb90acfd8591f6ef0d91b4ada89c5ad8ac98d5) --- source3/auth/auth_sam.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index ebb1e3d861..b35cc78d6b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -179,6 +179,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, NTSTATUS nt_status; DATA_BLOB user_sess_key = data_blob(NULL, 0); DATA_BLOB lm_sess_key = data_blob(NULL, 0); + BOOL updated_autolock = False, updated_badpw = False; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; @@ -202,14 +203,51 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } + /* see if autolock flag needs to be updated */ + if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) + pdb_update_autolock_flag(sampass, &updated_autolock); + /* Quit if the account was locked out. */ + if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { + DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && + pdb_get_acct_ctrl(sampass) &ACB_NORMAL) { + pdb_increment_bad_password_count(sampass); + updated_badpw = True; + } else { + pdb_update_bad_password_count(sampass, + &updated_badpw); + } + if (updated_autolock || updated_badpw){ + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry.\n")); + unbecome_root(); + } pdb_free_sam(&sampass); return nt_status; } + if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && + (pdb_get_bad_password_count(sampass) > 0)){ + pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); + pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); + updated_badpw = True; + } + + if (updated_autolock || updated_badpw){ + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry.\n")); + unbecome_root(); + } + nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { -- cgit