The branch, master has been updated
       via  bbff693... s3-samr: implement _samr_ValidatePassword().
       via  46784b4... s3-chgpasswd: split out a check_password_complexity() 
function.
       via  9599d14... s4-smbtorture: strip trailing whitespace in RPC-SAMR.
      from  e8d2fe3... README.Coding: Fix typos.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bbff69384eb6ff3169e330e2ba29b8f756c04c9a
Author: Günther Deschner <[email protected]>
Date:   Mon Nov 9 18:18:44 2009 +0100

    s3-samr: implement _samr_ValidatePassword().
    
    Guenther

commit 46784b4d99c00d98811c1e6be43bda78eae77fe6
Author: Günther Deschner <[email protected]>
Date:   Tue Nov 10 12:48:52 2009 +0100

    s3-chgpasswd: split out a check_password_complexity() function.
    
    Guenther

commit 9599d142c0edd750e254c82ca96e75a8e1d200d5
Author: Günther Deschner <[email protected]>
Date:   Mon Nov 9 17:40:28 2009 +0100

    s4-smbtorture: strip trailing whitespace in RPC-SAMR.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h          |    3 +
 source3/rpc_server/srv_samr_nt.c |  128 +++++++++++++++++++++++++++++++++++---
 source3/smbd/chgpasswd.c         |   64 ++++++++++++-------
 source4/torture/rpc/samr.c       |    4 +-
 4 files changed, 165 insertions(+), 34 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index e46fe3c..6955593 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user,
                         uchar password_encrypted_with_nt_hash[516],
                         const uchar old_nt_hash_encrypted[16],
                         enum samPwdChangeReason *reject_reason);
+NTSTATUS check_password_complexity(const char *username,
+                                  const char *password,
+                                  enum samPwdChangeReason *samr_reject_reason);
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char 
*new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
 
 /* The following definitions come from smbd/close.c  */
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 9af141b..3ba24e8 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -6678,6 +6678,124 @@ NTSTATUS _samr_RidToSid(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
+static enum samr_ValidationStatus samr_ValidatePassword_Change(TALLOC_CTX 
*mem_ctx,
+                                                              const struct 
samr_PwInfo *dom_pw_info,
+                                                              const struct 
samr_ValidatePasswordReq2 *req,
+                                                              struct 
samr_ValidatePasswordRepCtr *rep)
+{
+       NTSTATUS status;
+
+       if (req->password.string) {
+               if (strlen(req->password.string) < 
dom_pw_info->min_password_length) {
+                       ZERO_STRUCT(rep->info);
+                       return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+               }
+               if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) 
{
+                       status = check_password_complexity(req->account.string,
+                                                          req->password.string,
+                                                          NULL);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               ZERO_STRUCT(rep->info);
+                               return 
SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+                       }
+               }
+       }
+
+       return SAMR_VALIDATION_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+static enum samr_ValidationStatus samr_ValidatePassword_Reset(TALLOC_CTX 
*mem_ctx,
+                                                             const struct 
samr_PwInfo *dom_pw_info,
+                                                             const struct 
samr_ValidatePasswordReq3 *req,
+                                                             struct 
samr_ValidatePasswordRepCtr *rep)
+{
+       NTSTATUS status;
+
+       if (req->password.string) {
+               if (strlen(req->password.string) < 
dom_pw_info->min_password_length) {
+                       ZERO_STRUCT(rep->info);
+                       return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+               }
+               if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) 
{
+                       status = check_password_complexity(req->account.string,
+                                                          req->password.string,
+                                                          NULL);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               ZERO_STRUCT(rep->info);
+                               return 
SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+                       }
+               }
+       }
+
+       return SAMR_VALIDATION_STATUS_SUCCESS;
+}
+
+/****************************************************************
+ _samr_ValidatePassword
+****************************************************************/
+
+NTSTATUS _samr_ValidatePassword(pipes_struct *p,
+                               struct samr_ValidatePassword *r)
+{
+       union samr_ValidatePasswordRep *rep;
+       NTSTATUS status;
+       struct samr_GetDomPwInfo pw;
+       struct samr_PwInfo dom_pw_info;
+
+       if (r->in.level < 1 || r->in.level > 3) {
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       pw.in.domain_name = NULL;
+       pw.out.info = &dom_pw_info;
+
+       status = _samr_GetDomPwInfo(p, &pw);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       rep = talloc_zero(p->mem_ctx, union samr_ValidatePasswordRep);
+       if (!rep) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       switch (r->in.level) {
+       case 1:
+               status = NT_STATUS_NOT_SUPPORTED;
+               break;
+       case 2:
+               rep->ctr2.status = samr_ValidatePassword_Change(p->mem_ctx,
+                                                               &dom_pw_info,
+                                                               
&r->in.req->req2,
+                                                               &rep->ctr2);
+               break;
+       case 3:
+               rep->ctr3.status = samr_ValidatePassword_Reset(p->mem_ctx,
+                                                              &dom_pw_info,
+                                                              &r->in.req->req3,
+                                                              &rep->ctr3);
+               break;
+       default:
+               status = NT_STATUS_INVALID_INFO_CLASS;
+               break;
+       }
+
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(rep);
+               return status;
+       }
+
+       *r->out.rep = rep;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
 NTSTATUS _samr_Shutdown(pipes_struct *p,
                        struct samr_Shutdown *r)
 {
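Review bot: In samr_ValidatePassword_Change and samr_ValidatePassword_Reset, `req->account.string` is taken from the RPC request and handed to check_password_complexity(), which substitutes it for `%u` in the check password script command line (chgpasswd.c hunk of this commit); in change_oem_password that value was `pdb_get_username(hnd)`. Whether talloc_string_sub() neutralises shell metacharacters is not visible here, so the helpers should validate the account string or state the assumption, e.g. `/* account.string is client-supplied: relies on talloc_string_sub() sanitising it before smbrunsecret() */`. A NULL account string is also passed through unchecked, and a request with no password string returns SAMR_VALIDATION_STATUS_SUCCESS, which deserves at least a comment. In _samr_ValidatePassword the only gate visible before the script can run is whatever _samr_GetDomPwInfo() enforces, and `status` for levels 2 and 3 is OK only because it carries over from that call; an explicit `status = NT_STATUS_OK;` before the switch would make that intentional. _samr_Shutdown's body continues outside the hunk.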
@@ -6762,13 +6880,3 @@ NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
 }
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS _samr_ValidatePassword(pipes_struct *p,
-                               struct samr_ValidatePassword *r)
-{
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
-}
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index e206906..2da36b2 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1075,6 +1075,43 @@ static bool check_passwd_history(struct samu *sampass, 
const char *plaintext)
 }
 
 /***********************************************************
+************************************************************/
+
+NTSTATUS check_password_complexity(const char *username,
+                                  const char *password,
+                                  enum samPwdChangeReason *samr_reject_reason)
+{
+       TALLOC_CTX *tosctx = talloc_tos();
+
+       /* Use external script to check password complexity */
+       if (lp_check_password_script() && *(lp_check_password_script())) {
+               int check_ret;
+               char *cmd;
+
+               cmd = talloc_string_sub(tosctx, lp_check_password_script(), 
"%u", username);
+               if (!cmd) {
+                       return NT_STATUS_PASSWORD_RESTRICTION;
+               }
+
+               check_ret = smbrunsecret(cmd, password);
+               DEBUG(5,("check_password_complexity: check password script (%s) 
returned [%d]\n",
+                       cmd, check_ret));
+               TALLOC_FREE(cmd);
+
+               if (check_ret != 0) {
+                       DEBUG(1,("check_password_complexity: "
+                               "check password script said new password is not 
good enough!\n"));
+                       if (samr_reject_reason) {
+                               *samr_reject_reason = 
SAM_PWD_CHANGE_NOT_COMPLEX;
+                       }
+                       return NT_STATUS_PASSWORD_RESTRICTION;
+               }
+       }
+
+       return NT_STATUS_OK;
+}
+
+/***********************************************************
  Code to change the oem password. Changes both the lanman
  and NT hashes.  Old_passwd is almost always NULL.
  NOTE this function is designed to be called as root. Check the old password
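Review bot: check_password_complexity() is now exported through proto.h but its banner comment is empty, and the name promises more than the body does: with no check password script configured it returns NT_STATUS_OK without inspecting the password at all. The SAMR validation path in this commit maps that OK to a success status when DOMAIN_PASSWORD_COMPLEX is set, so the banner should say so, e.g. `Run the "check password script" (if any) on the new password; returns NT_STATUS_OK when no script is configured.` It would also help to document that samr_reject_reason may be NULL and is written only when the script rejects the password, not on the talloc_string_sub() failure path, which returns NT_STATUS_PASSWORD_RESTRICTION as well. The comment block for change_oem_password continues past the end of the hunk.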
@@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char 
*old_passwd, char *new_passw
        struct passwd *pass = NULL;
        const char *username = pdb_get_username(hnd);
        time_t can_change_time = pdb_get_pass_can_change_time(hnd);
+       NTSTATUS status;
 
        if (samr_reject_reason) {
                *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
@@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char 
*old_passwd, char *new_passw
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       /* Use external script to check password complexity */
-       if (lp_check_password_script() && *(lp_check_password_script())) {
-               int check_ret;
-               char *cmd;
-
-               cmd = talloc_string_sub(tosctx, lp_check_password_script(), 
"%u", username);
-               if (!cmd) {
-                       return NT_STATUS_PASSWORD_RESTRICTION;
-               }
-
-               check_ret = smbrunsecret(cmd, new_passwd);
-               DEBUG(5, ("change_oem_password: check password script (%s) 
returned [%d]\n", cmd, check_ret));
-               TALLOC_FREE(cmd);
-
-               if (check_ret != 0) {
-                       DEBUG(1, ("change_oem_password: check password script 
said new password is not good enough!\n"));
-                       if (samr_reject_reason) {
-                               *samr_reject_reason = 
SAM_PWD_CHANGE_NOT_COMPLEX;
-                       }
-                       TALLOC_FREE(pass);
-                       return NT_STATUS_PASSWORD_RESTRICTION;
-               }
+       status = check_password_complexity(username, new_passwd, 
samr_reject_reason);
+       if (!NT_STATUS_IS_OK(status)) {
+               TALLOC_FREE(pass);
+               return status;
        }
 
        /*
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 3f59637..5340d2c 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -6771,7 +6771,7 @@ static bool test_samr_ValidatePassword(struct dcerpc_pipe 
*p, struct torture_con
        r.in.level = NetValidatePasswordReset;
        r.in.req = &req;
        r.out.rep = &repp;
-       
+
        ZERO_STRUCT(req);
        req.req3.account.string = "non-existant-account-aklsdji";
 
@@ -6784,7 +6784,7 @@ static bool test_samr_ValidatePassword(struct dcerpc_pipe 
*p, struct torture_con
                                req.req3.password.string, repp->ctr3.status);
        }
 
-       return true;    
+       return true;
 }
 
 bool torture_rpc_samr(struct torture_context *torture)


-- 
Samba Shared Repository
