From d72d7f9c5f318b58e38a47d38debe72bb6f53891 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sun, 15 Aug 2010 20:44:28 +0200 Subject: s4:samdb_set_password/samdb_set_password_sid - make the adaptions to support the password change control And introduce parameters to pass the old password hashes. --- source4/dsdb/common/util.c | 40 +++++++++++++++++++++++++++------------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 86b74d5630..25d6a407c5 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -2000,11 +2000,11 @@ int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares) /* * Sets the user password using plaintext UTF16 (attribute "new_password") or * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass - * as parameter if it's a user change or not ("userChange"). The "rejectReason" - * gives some more informations if the changed failed. + * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a + * user change or not. The "rejectReason" gives some more informations if the + * change failed. * - * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION, - * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL, + * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL, * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION */ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, @@ -2012,7 +2012,8 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const DATA_BLOB *new_password, struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, - bool user_change, + const struct samr_Password *lmOldHash, + const struct samr_Password *ntOldHash, enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { @@ -2070,12 +2071,23 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (user_change) { - /* a user password change and we've checked already the old - * password somewhere else (callers responsability) */ + /* A password change operation */ + if ((ntOldHash != NULL) || (lmOldHash != NULL)) { + struct dsdb_control_password_change *change; + + change = talloc(req, struct dsdb_control_password_change); + if (change == NULL) { + talloc_free(req); + talloc_free(msg); + return NT_STATUS_NO_MEMORY; + } + + change->old_nt_pwd_hash = ntOldHash; + change->old_lm_pwd_hash = lmOldHash; + ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID, - true, NULL); + true, change); if (ret != LDB_SUCCESS) { talloc_free(req); talloc_free(msg); @@ -2170,8 +2182,9 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, /* * Sets the user password using plaintext UTF16 (attribute "new_password") or * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass - * as parameter if it's a user change or not ("userChange"). The "rejectReason" - * gives some more informations if the changed failed. + * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a + * user change or not. The "rejectReason" gives some more informations if the + * change failed. * * This wrapper function for "samdb_set_password" takes a SID as input rather * than a user DN. @@ -2189,7 +2202,8 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const DATA_BLOB *new_password, struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, - bool user_change, + const struct samr_Password *lmOldHash, + const struct samr_Password *ntOldHash, enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { @@ -2217,7 +2231,7 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, user_dn, NULL, new_password, lmNewHash, ntNewHash, - user_change, + lmOldHash, ntOldHash, reject_reason, _dominfo); if (!NT_STATUS_IS_OK(nt_status)) { ldb_transaction_cancel(ldb); -- cgit