From 8b1d9b7a6db4fec9dcc2c9e02d69f45ae1e5c60e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 27 Feb 2006 16:39:56 +0000 Subject: r13720: Only lockout Administrator after x bad password attempts in offline-mode when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94) --- source3/nsswitch/winbindd_pam.c | 45 +++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 8 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 2b9b13caf8..aa759af09a 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -298,6 +298,27 @@ static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain return NT_STATUS_OK; } +static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *password_properties) +{ + struct winbindd_methods *methods; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + SAM_UNK_INFO_1 password_policy; + + *password_properties = 0; + + methods = domain->methods; + + status = methods->password_policy(domain, mem_ctx, &password_policy); + if (NT_STATUS_IS_ERR(status)) { + return status; + } + + *password_properties = password_policy.password_properties; + + return NT_STATUS_OK; +} static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, const char *type, @@ -789,22 +810,30 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, "Won't be able to honour account lockout policies\n")); } - if (max_allowed_bad_attempts == 0) { - return NT_STATUS_WRONG_PASSWORD; - } - /* increase counter */ - if (my_info3->bad_pw_count < max_allowed_bad_attempts) { - - my_info3->bad_pw_count++; + my_info3->bad_pw_count++; + + if (max_allowed_bad_attempts == 0) { + goto failed; } /* lockout user */ if (my_info3->bad_pw_count >= max_allowed_bad_attempts) { - my_info3->acct_flags |= ACB_AUTOLOCK; + uint32 password_properties; + + result = get_pwd_properties(domain, state->mem_ctx, &password_properties); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n")); + } + + if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || + (password_properties & DOMAIN_LOCKOUT_ADMINS)) { + my_info3->acct_flags |= ACB_AUTOLOCK; + } } +failed: result = winbindd_update_creds_by_info3(domain, state->mem_ctx, state->request.data.auth.user, -- cgit