Author: gd Date: 2006-02-27 16:39:56 +0000 (Mon, 27 Feb 2006) New Revision: 13720
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13720 Log: Only lockout Administrator after x bad password attempts in offline-mode when we are told to do so by the password_properties. Guenther Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c trunk/source/nsswitch/winbindd_pam.c Changeset: Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c =================================================================== --- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-02-27 16:26:19 UTC (rev 13719) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-02-27 16:39:56 UTC (rev 13720) @@ -298,7 +298,28 @@ return NT_STATUS_OK; } +static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *password_properties) +{ + struct winbindd_methods *methods; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + SAM_UNK_INFO_1 password_policy; + *password_properties = 0; + + methods = domain->methods; + + status = methods->password_policy(domain, mem_ctx, &password_policy); + if (NT_STATUS_IS_ERR(status)) { + return status; + } + + *password_properties = password_policy.password_properties; + + return NT_STATUS_OK; +} + static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, const char *type, uid_t uid, 
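Review bot: `get_pwd_properties()` tests the backend call with `NT_STATUS_IS_ERR(status)`, while its caller in the `@@ -789,22 +810,30 @@` hunk uses `!NT_STATUS_IS_OK(result)`. If the backend ever returns a status that is neither OK nor of error severity (not visible from here), the function falls through and copies `password_policy.password_properties` out of a stack struct that was never initialised. That value decides whether the Administrator account is subject to lockout, so I would make the check `if (!NT_STATUS_IS_OK(status)) {`, or put `ZERO_STRUCT(password_policy);` before the call. A short comment above the function saying that `*password_properties` is zeroed on failure would also help, since the caller relies on it. The identical hunk for trunk/source/nsswitch/winbindd_pam.c has the same issue.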
@@ -789,22 +810,30 @@ "Won't be able to honour account lockout policies\n")); } + /* increase counter */ + my_info3->bad_pw_count++; + if (max_allowed_bad_attempts == 0) { - return NT_STATUS_WRONG_PASSWORD; + goto failed; } - /* increase counter */ - if (my_info3->bad_pw_count < max_allowed_bad_attempts) { - - my_info3->bad_pw_count++; - } - /* lockout user */ if (my_info3->bad_pw_count >= max_allowed_bad_attempts) { - my_info3->acct_flags |= ACB_AUTOLOCK; + uint32 password_properties; + + result = get_pwd_properties(domain, state->mem_ctx, &password_properties); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n")); + } + + if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || + (password_properties & DOMAIN_LOCKOUT_ADMINS)) { + my_info3->acct_flags |= ACB_AUTOLOCK; + } } +failed: result = winbindd_update_creds_by_info3(domain, state->mem_ctx, state->request.data.auth.user, Modified: trunk/source/nsswitch/winbindd_pam.c =================================================================== --- trunk/source/nsswitch/winbindd_pam.c 2006-02-27 16:26:19 UTC (rev 13719) +++ trunk/source/nsswitch/winbindd_pam.c 2006-02-27 16:39:56 UTC (rev 13720) @@ -298,7 +298,28 @@ return NT_STATUS_OK; } +static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *password_properties) +{ + struct winbindd_methods *methods; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + SAM_UNK_INFO_1 password_policy; + *password_properties = 0; + + methods = domain->methods; + + status = methods->password_policy(domain, mem_ctx, &password_policy); + if (NT_STATUS_IS_ERR(status)) { + return status; + } + + *password_properties = password_policy.password_properties; + + return NT_STATUS_OK; +} + static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, const char *type, uid_t uid, 
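Review bot: In the `@@ -789,22 +810,30 @@` hunk for branches/SAMBA_3_0, a failure of `get_pwd_properties()` is reported only at `DEBUG(10, ...)` and execution continues with `password_properties` at 0. The RID-500 account is therefore silently exempted from lockout whenever the policy cannot be fetched, which seems most likely in exactly the offline case this path serves. If that fail-open choice is intended, state it in a comment such as `/* policy unavailable: DOMAIN_LOCKOUT_ADMINS treated as unset, Administrator is not locked out */` and log at a level an operator will actually see, for example `DEBUG(3, ...)`. Separately, `my_info3->bad_pw_count++` is no longer capped at `max_allowed_bad_attempts`, so for an exempt account, or when the limit is 0, the cached counter grows on every bad attempt; it is worth confirming the field's type tolerates that. The enclosing function starts and ends outside the hunk, and the identical trunk hunk carries the same two points.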
@@ -789,22 +810,30 @@ "Won't be able to honour account lockout policies\n")); } + /* increase counter */ + my_info3->bad_pw_count++; + if (max_allowed_bad_attempts == 0) { - return NT_STATUS_WRONG_PASSWORD; + goto failed; } - /* increase counter */ - if (my_info3->bad_pw_count < max_allowed_bad_attempts) { - - my_info3->bad_pw_count++; - } - /* lockout user */ if (my_info3->bad_pw_count >= max_allowed_bad_attempts) { - my_info3->acct_flags |= ACB_AUTOLOCK; + uint32 password_properties; + + result = get_pwd_properties(domain, state->mem_ctx, &password_properties); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n")); + } + + if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || + (password_properties & DOMAIN_LOCKOUT_ADMINS)) { + my_info3->acct_flags |= ACB_AUTOLOCK; + } } +failed: result = winbindd_update_creds_by_info3(domain, state->mem_ctx, state->request.data.auth.user,
