From d7f84b51f96c2e1b48a38de823329f2e4ea86e55 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 22 Aug 2007 04:28:15 +0000
Subject: r24611: Following up on the re-opening of bug 4817 is it pretty clear that machine accounts are not subject to password policy in Win2k3 R2 (at least in terms of password quality). In testing this, I found that Win2k3 R2 has changed the way the old ChangePassword RPC call is handled - the 'cross-checks' between new LM and NT passwords are not required. Andrew Bartlett (This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d)
---
 source4/rpc_server/samr/samr_password.c | 45 ++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 23 deletions(-)
(limited to 'source4/rpc_server/samr')
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index fac0015f0e..e3cb70ad17 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -62,12 +62,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALL
 present */
 return NT_STATUS_INVALID_PARAMETER_MIX;
 }
- if (!r->in.cross1_present || !r->in.nt_cross) {
- return NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED;
- }
- if (!r->in.cross2_present || !r->in.lm_cross) {
- return NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED;
- }
 /* To change a password we need to open as system */
 sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
@@ -112,18 +106,24 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALL
 return NT_STATUS_WRONG_PASSWORD;
 }
- /* check the nt cross hash */
- D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
- ldb_transaction_cancel(sam_ctx);
- return NT_STATUS_WRONG_PASSWORD;
+ /* The NT Cross is not required by Win2k3 R2, but if present
+ check the nt cross hash */
+ if (r->in.cross1_present && r->in.nt_cross) {
+ D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
+ if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
 }
- /* check the lm cross hash */
- D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
- ldb_transaction_cancel(sam_ctx);
- return NT_STATUS_WRONG_PASSWORD;
+ /* The LM Cross is not required by Win2k3 R2, but if present
+ check the lm cross hash */
+ if (r->in.cross2_present && r->in.lm_cross) {
+ D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
+ if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
+ ldb_transaction_cancel(sam_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
 }
 msg = ldb_msg_new(mem_ctx);
@@ -144,7 +144,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALL
 a_state->account_dn, a_state->domain_state->domain_dn, msg, NULL, &new_lmPwdHash, &new_ntPwdHash, True, /* this is a user password change */
- True, /* run restriction tests */
 NULL, NULL);
 if (!NT_STATUS_IS_OK(status)) {
@@ -196,7 +195,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 struct samr_Password lm_verifier;
 if (pwbuf == NULL) {
- return NT_STATUS_WRONG_PASSWORD;
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (r->in.hash == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
 }
 /* To change a password we need to open as system */
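Review bot: Both relocated comparisons, `memcmp(checkHash.hash, new_ntPwdHash.hash, 16)` and `memcmp(checkHash.hash, new_lmPwdHash.hash, 16)`, stop at the first differing byte, and `checkHash` is computed from `lm_pwd`/`nt_pwd`, which look like the account's stored hashes, so the time to reject depends on secret-derived data; a constant-time comparison is the safer choice, and `sizeof(checkHash.hash)` in place of the literal `16` would tie the length to the type (assuming `hash` is a fixed-size array). Now that the cross hashes are optional, each block is also skipped without error when the `*_present` flag and the pointer disagree, so whatever authenticates the caller has to be the checks earlier in the function, which are outside this hunk. A comment on the new guards such as `/* optional since Win2k3 R2; a flag/pointer mismatch is treated as absent */` would record that this is deliberate. The function body starts and ends outside the hunk.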
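Review bot: The two adjacent NULL checks in the `-196` hunk return the same status and could be a single guard, `if (pwbuf == NULL || r->in.hash == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, with a comment noting that a malformed request is rejected before the SAM is opened. The later LM-verifier check (the `-245` hunk) drops its `r->in.hash == NULL` test and now depends on this early return, which sits well above it in the function; a short comment there, e.g. `/* r->in.hash was checked for NULL on entry */`, would keep that dependency visible to whoever next edits either site. The function body starts and ends outside the hunk.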
@@ -245,7 +248,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 }
 /* check LM verifier */
- if (lm_pwd == NULL || r->in.hash == NULL) {
+ if (lm_pwd == NULL) {
 ldb_transaction_cancel(sam_ctx);
 return NT_STATUS_WRONG_PASSWORD;
 }
@@ -276,7 +279,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 mod, new_pass, NULL, NULL, True, /* this is a user password change */
- True, /* run restriction tests */
 NULL, NULL);
 if (!NT_STATUS_IS_OK(status)) {
@@ -430,7 +432,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 mod, new_pass, NULL, NULL, True, /* this is a user password change */
- True, /* run restriction tests */
 &reason, &dominfo);
 if (!NT_STATUS_IS_OK(status)) {
@@ -539,7 +540,6 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
 msg, new_pass, NULL, NULL, False, /* This is a password set, not change */
- True, /* run restriction tests */
 NULL, NULL);
 }
@@ -593,7 +593,6 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
 msg, new_pass, NULL, NULL, False, /* This is a password set, not change */
- True, /* run restriction tests */
 NULL, NULL);
 }
-- cgit