The branch, master has been updated
       via  85f57eb torture-samr: Add testing of account lockout and password change behaviour
       via  311de5f selftest: Run rpc.samr.passwords.badpwdcount against s3dc
       via  6a4bedd torture-samr: Add test for lockout with and without a password history
       via  3c73178 torture-samr: Improve rpc.samr.passwords.badpwdcount test
       via  e266f61 selftest: Add test for password lockout
       via  05c2f83 dsdb: Allow SAMR server to return the computed, not actual badPwdCount
       via  6ac62b3 s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
       via  50b9748 s4:dsdb/samldb: rework samldb_user_account_control_change()
       via  6cb91a8 libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK
       via  245d0f1 s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()
       via  a6b82ee s4-samr: Escape the username in the LDAP filter
       via  f557f82 s4-auth: Support password history correctly, including allowing NTLM logins using the old password
       via  9d5f4ca lib/param: Add new parameter "old password allowed period"
       via  afdd5fb dsdb: check type with talloc_get_type_abort in samdb_set_password
       via  c918230 dsdb: Implement password lockout on LDAP password changes
       via  8a89f7f4 dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
       via  26c0eb6 auth: Split out badPwdCount update into a helper function
       via  752b817 kdc: call authsam_zero_bad_pwd_count on successful AS-REQ
       via  997e120 kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
       via  10cbd5e kdc: Set flags.locked_out on a locked-out user.
       via  d202191 heimdal: Only indicate successful authentication after successful authz
       via  580a705 heimdal: Match Windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out
       via  30bae40 heimdal: Do not attempt password authentication for locked out accounts
       via  7e653f5 s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
       via  1a483a8 s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0
       via  3ed5521 dsdb: collapse wrong password and no-password-hash errors into one handler
       via  2dd71de dsdb: Add samdb_result_passwords_from_history helper function
       via  0f3dd92 s4-auth: Rework memory handling to use a tmp_ctx
       via  ba4c985 samba-tool add password lockout handling to samba-tool domain passwordsettings
       via  526f983 dsdb: give a better error message and return code on failed password change
       via  3f07737 s4:auth: Add password lockout support to the AD DC
       via  a0de929 dsdb: Put password lockout support in samdb_result_passwords()
       via  6f8fb16 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
       via  77e4beb dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed
       via  1d266b4 dsdb-operational: Implement msDS-User-Account-Control-Computed
       via  9a3651e dsdb-operational: Use a list for the extra attributes that may be required
       via  9a36fab s4:auth/sam: use a higher time resolution in authsam_account_ok()
       via  5c1cfe2 s4:dsdb/util_samr: simplify dsdb_add_user()
       via  090c556 selftest: Run rpc.samr.passwords.lockout against the s3dc environment
       via  9e1a8dc dsdb-tests: Remove pointless creation of ldaptestou
       via  fa8a3ca torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed
       via  ae81cca torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test to ensure consistent results
       via  b53b3fa torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked
       via  8e147f8 torture-samr: set min password age to 0 for lockout and badpwdcount tests
       via  2d2dbaf torture-samr: Make failures easier to trace with torture_assert
       via  2acfba3 torture-samr: Indent samba3-skip block
       via  b822353 torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty warnings
       via  60024cd kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
       via  befae7f ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS
       via  c3baddf auth: Pass through error from GENSEC sub-mechanism
       via  6f8297d selftest: make blackbox_setpassword.sh test run independently
       via  c8e4c6a s3-auth: Do not reset bad password count to 0 if account is disabled
       via  56d3e52 s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security
       via  3f8f997 torture/samr: Re-open the user when checking for ACB_AUTOLOCK
       via  5a2eae4 torture-samr: Set lockout_seconds to 60 for samba3
       via  44a624d s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
      from  1dba07d dlinklist: Fix a typo
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 85f57ebda360092efd5d71744d018c4cadd6d86b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Oct 31 16:57:10 2013 +1300

    torture-samr: Add testing of account lockout and password change behaviour

    This is the regression test to avoid a repeat of CVE-2013-4496

    This includes confirming that badPwdCount is updated on login, not just
    on first failure

    However the badPwdCount is not updated if the account is disabled

    Note that samr_QueryUserInfo returns the effective bad_password_count in
    level 5, 16 and 21, while it returns the raw value in level 3.
    (Sadly the s3 code does not do this correctly, so a knownfail is added)

    Change-Id: I4fd8ac5c3b1357e7a98386756dac2a43eb778ecf
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Wed Apr  2 19:30:59 CEST 2014 on sn-devel-104

commit 311de5fb4ae46536eb43178f4102728855625e20
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 5 11:43:41 2013 +1300

    selftest: Run rpc.samr.passwords.badpwdcount against s3dc

    Change-Id: I9529def954521bf8ab05212759a2ef6bbe9913f8
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6a4bedd36ad9877f35489ffa28eb38a458d4f01b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sun Mar 16 21:14:51 2014 +1300

    torture-samr: Add test for lockout with and without a password history

    Change-Id: I6f4b3e92feabe4ff09839329b0db3d33cc6c73b4
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3c731783e0e9ee4a7b4b9289544d4d8a465940b9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 9 14:25:06 2013 +1300

    torture-samr: Improve rpc.samr.passwords.badpwdcount test

    Change-Id: I89ac30d715e89f14aca049e0e5c5043a39ab93c7
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e266f610dbd421107c8a06e3ee07354456b9f521
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 25 10:03:05 2013 +1300

    selftest: Add test for password lockout

    Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 05c2f83f266db208982858067680f888e637378b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Mar 26 11:32:05 2014 +1300

    dsdb: Allow SAMR server to return the computed, not actual badPwdCount

    This matters after the lockout observation period has expired.

    Note that QueryUserInfo level 3 returns the raw badPwdCount value.

    Andrew Bartlett

    Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6ac62b30007d5b5870443f392d41f7ebfe52a5c3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 25 07:12:04 2014 +0100

    s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.

    The samldb module will handle the verification and magic.

    Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 50b9748fc5c0d49ab0720b0ddfb59fdb88c186bd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 25 07:10:02 2014 +0100

    s4:dsdb/samldb: rework samldb_user_account_control_change()

    - Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl
      flags (combined with msDS-User-Account-Control-Computed) results in
      lockoutTime=0 (implying badPwdCount=0).

    - We also do more validation of the account type flags now.

    Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 1 13:21:35 2014 +0200

    libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK

    Change-Id: Ie26520c37c393ab4d2e3c5782e3dca46d4d1f83c
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 245d0f1b3dd844c680bfa9b1d9e56d26305e6bae
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 1 10:54:27 2014 +0200

    s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()

    Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"!

    Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a6b82ee197f6f79bb74e0720d328c4a518e513fe
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 17 13:33:18 2014 +1300

    s4-samr: Escape the username in the LDAP filter

    Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f557f82acc54d0fddf8be31bebdbc525ea80a171
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 11 10:38:03 2013 +1300

    s4-auth: Support password history correctly, including allowing NTLM logins using the old password

    This is only done during a 1 hour allowed period, by default.

    We only update bad password count when not one of the last 3 passwords

    Andrew Bartlett

    Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 9d5f4cabf3f491fd1c22dbc1daaad8a657d12914
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 9 14:23:49 2013 +1300

    lib/param: Add new parameter "old password allowed period"

    Change-Id: I46228b492ba71ba4f3fee380a1ccadb328e3ade1
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit afdd5fbd51b4dbde419da7bc64bab5eaf42a955d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 2 15:44:37 2013 +1300

    dsdb: check type with talloc_get_type_abort in samdb_set_password

    Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c91823028f67a4581d282c15422aab1e7f7f5c87
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Nov 6 17:11:18 2013 +1300

    dsdb: Implement password lockout on LDAP password changes

    To do this, and have the badPwdCount update stick, we must abort, open,
    close and reopen transactions such that the badPwdCount update is in
    its own transaction.

    To ensure the tests can confirm the correct behaviour here, we must
    output the Windows error code in the error message.

    Andrew Bartlett

    Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8a89f7f4bcf784852452ca5d6914a0d070c2786f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Nov 28 16:18:31 2013 +1300

    dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c

    This allows the password_hash code to call the same update routine.

    Andrew Bartlett

    Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 26c0eb623f2776a02569d78eabe6d903ad232409
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Nov 28 15:42:07 2013 +1300

    auth: Split out badPwdCount update into a helper function

    This will allow password_hash to call this using dsdb_module_*() functions.

    Andrew Bartlett

    Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 752b8173659f6ee12db93981a588b1e2b884fb3e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 26 15:32:18 2013 +1300

    kdc: call authsam_zero_bad_pwd_count on successful AS-REQ

    Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 997e120f664facfb48548b765a44063b31b96880
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 30 10:50:19 2013 +1300

    kdc: Include values from msDS-User-Account-Control-Computed when checking user flags

    Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 10cbd5e43092b8bd1ee8d55879a1c37b27f3fbc4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Oct 29 12:31:46 2013 +1300

    kdc: Set flags.locked_out on a locked-out user.

    This only changes the log output, the same error is still returned

    Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d202191f9c6f304cfd603b1a78a56bb5a33fec49
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Feb 18 13:53:38 2014 +1300

    heimdal: Only indicate successful authentication after successful authz

    This is needed to match Windows behaviour for NTLM logins.

    Andrew Bartlett

    Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 580a705b83014e94556b9d5a8877406816e02190
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 25 14:13:02 2013 +1300

    heimdal: Match Windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out

    Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 30bae409477da2c42d41ce2d42fa85b86d799c98
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Nov 28 13:28:29 2013 +1300

    heimdal: Do not attempt password authentication for locked out accounts

    Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7e653f5ae28c822c2e9c42dd2853126f7f86f0f0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 11 11:35:12 2013 +1300

    s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login

    Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1a483a8b4ba9640c2f57c34366433b6e219c27b2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 25 07:23:04 2014 +0100

    s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0

    See [MS-SAMR] 3.1.1.8.3 lockoutTime.

    Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3ed55210ff5301ca06ec924c5fb4b08bc8832d4b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 26 17:04:46 2013 +1300

    dsdb: collapse wrong password and no-password-hash errors into one handler

    This avoids giving away too much information to an attacker.

    Andrew Bartlett

    Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2dd71de11ac8c5bb5b1a3a68b7971adf75d9a8d3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 11 10:37:38 2013 +1300

    dsdb: Add samdb_result_passwords_from_history helper function

    Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 0f3dd921b375d2ee56149abe3f50de739b17690b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 11 10:32:58 2013 +1300

    s4-auth: Rework memory handling to use a tmp_ctx

    Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ba4c9851f2801c5f5654572a38cfdf3a724c2d4f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Nov 8 13:38:22 2013 +1300

    samba-tool add password lockout handling to samba-tool domain passwordsettings

    Change-Id: I291924785b505b26b91152c0c13b4afd4de068a6
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 526f98308a58a2f1fd6bf70d56b9b8bb21bf0d55
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Nov 6 15:54:17 2013 +1300

    dsdb: give a better error message and return code on failed password change

    Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3f07737fd4a92fc948cfc432bc46098d6dd5269a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Nov 6 10:39:42 2013 +1300

    s4:auth: Add password lockout support to the AD DC

    Including a fix by Arvid Requate <requ...@univention.de>

    Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a0de9290099a93413048a03740cfb04ca1355c78
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 4 21:37:17 2013 +1300

    dsdb: Put password lockout support in samdb_result_passwords()

    This seems to be the best choke point to check for locked out accounts,
    as aside from the KDC, all the password authentication and change
    callers use it.

    Andrew Bartlett

    Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6f8fb163e02579d57e731c0c09eafee5627bec62
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Oct 29 17:30:18 2013 +1300

    dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed

    This allows us to avoid the domain lookup in the constructed attribute
    when not required.

    By using msDS-User-Account-Control-Computed the lockout and password
    expiry checks are now handled in the operational ldb module.

    Andrew Bartlett

    Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 77e4beb0e027bb49454716b86c782c98c2ed823b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Oct 29 15:44:15 2013 +1300

    dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed

    This assists in testing this aspect of msDS-User-Account-Control-Computed,
    and is exposed in AD for clients to query.

    Andrew Bartlett

    Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1d266b493894ad55c6c30e73a4cf9bc6aa28f559
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Oct 29 15:38:08 2013 +1300

    dsdb-operational: Implement msDS-User-Account-Control-Computed

    This is needed to get consistent account lockout support across the
    whole server.

    Andrew Bartlett

    Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 9a3651ece1ddd273fdf88b5d4fceef82babbf4a7
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Oct 29 12:30:58 2013 +1300

    dsdb-operational: Use a list for the extra attributes that may be required

    Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9a36fabde0e212b06c2b44db157070b7debdb06b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 31 13:35:25 2014 +0200

    s4:auth/sam: use a higher time resolution in authsam_account_ok()

    Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5c1cfe267ce10180e2c42105a1d84f84e7512c8d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 26 01:25:34 2014 +0100

    s4:dsdb/util_samr: simplify dsdb_add_user()

    We can specify userAccountControl on the ldb_add() call.

    Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 090c55681db410ac2bbf9ec2f9e2208329ed8d5b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 4 12:30:55 2013 +1300

    selftest: Run rpc.samr.passwords.lockout against the s3dc environment

    Change-Id: I7ee562cbf1e067ed90b22e212002e88752450e34
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9e1a8dc8b7214782f8bc07b60a31ad6d6ab13aea
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sun Mar 16 22:17:51 2014 +1300

    dsdb-tests: Remove pointless creation of ldaptestou

    This is not used in this test, and is not removed by the test either.

    Andrew Bartlett

    Change-Id: I34366d469a1ebed04c3cea5a7f206cb0bf433e03
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fa8a3ca0b8237989b3b124713fb9aabf90f9b6e2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sun Mar 16 22:59:32 2014 +1300

    torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed

    Change-Id: I349d8ac77a98b934cd4b11b01a96a231097eeeed
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit ae81cca5b7a88076c2d386d4ade9afd72bd7071c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Dec 5 16:57:49 2013 +1300

    torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test to ensure consistent results

    For "samba3" we use 60 seconds as in test_Password_lockout().

    Change-Id: I886eb83d4c620e4d719a38ec47b45bacd1406b9d
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit b53b3fa2a0ec6f2dd00dab417a9ee2bcc67ac242
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Nov 7 17:04:14 2013 +1300

    torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked

    Change-Id: Iea9040bc7130f8b779c35bd367a9915633cd494d
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8e147f838edbb2739830d58ce9ea6b5d38a11495
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Nov 8 16:21:39 2013 +1300

    torture-samr: set min password age to 0 for lockout and badpwdcount tests

    Change-Id: I0d44fcc712e6f239d9adc739fdafc1b20dd2beba
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2d2dbafd2b761d6ae554484a22283338da224f02
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Oct 31 16:57:47 2013 +1300

    torture-samr: Make failures easier to trace with torture_assert

    Change-Id: I729ba2f0a0501575357977754401a0cb40d95b34
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2acfba33c694f09f8e1af306c8b7c82967f275d0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 30 14:16:27 2013 +1300

    torture-samr: Indent samba3-skip block

    Change-Id: I2bb9f175e61401606742737a883604b922044ea5
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b8223531de83066626dff87d400a9059790b4db7
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 30 14:16:03 2013 +1300

    torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty warnings

    Change-Id: I00d66ecd84cd1a7d733f491d19328cec93ba8d2b
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 60024cdd730bc2c97ab80b1e8c7d26da9f9bd624
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 25 14:09:48 2013 +1300

    kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT

    Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit befae7f6e65add893cf24a088b93f0350b0b482e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 25 14:09:26 2013 +1300

    ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS

    This is better than just LDB_ERR_OPERATIONS_ERROR for all errors.

    Andrew Bartlett

    Change-Id: Id832cf02fcd1dc0347d5ab9eb9a2db78fda39dc6
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c3baddf271b9d09819aff4ce05314f940c6f1e4d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 25 14:08:38 2013 +1300

    auth: Pass through error from GENSEC sub-mechanism

    This allows wrong-password or account-locked-out errors to be passed
    through from Kerberos (gssapi).

    Andrew Bartlett

    Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6f8297d3cfa0beb4c21101b528dfa598a24700ba
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Feb 14 23:13:37 2014 +1300

    selftest: make blackbox_setpassword.sh test run independently

    Change-Id: I8f3cdfc2c66800f9a1e11aec4f25a42752b6b205
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c8e4c6a022046e70461e9faa2a7e39d9489f9b42
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Dec 5 16:06:46 2013 +1300

    s3-auth: Do not reset bad password count to 0 if account is disabled

    Change-Id: I895435fb278eae5d92b4a8e15d062769c0e8a71a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 56d3e528bd31a4ee0d24fa476aeff8eaf2da236b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Oct 31 16:59:16 2013 +1300

    s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security

    Change-Id: I43792711543e25c50c29ab5a24d16f614c670cca
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3f8f9972f491228b2bbe8880cc139387e9332b09
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 25 17:23:53 2013 +1300

    torture/samr: Re-open the user when checking for ACB_AUTOLOCK

    This flag appears to be cached from the open, so the test incorrectly
    indicated that the flag was not set over SAMR.

    Andrew Bartlett

    Change-Id: I2f1f017191dddb6c2ac496712064fa1b6b48be53
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5a2eae4229192c8bc009ec8c8d30f372ff4d32e5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 4 12:26:18 2013 +1300

    torture-samr: Set lockout_seconds to 60 for samba3

    The source3 account policy code deals with lockouts in terms of minutes,
    not nanoseconds, so we have to lock out for at least 60 seconds
    otherwise we do not wait long enough.

    Andrew Bartlett.

    Change-Id: I2b30d1c0d9b020b3aba6ed3343361e9a576b7d9a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 44a624d6ce97078f93baf83f36737238363f788e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 30 14:09:15 2013 +1300

    s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout

    This was not noticed previously because the test was not run.

    Andrew Bartlett

    Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c                           |    2 +-
 .../security/oldpasswordallowedperiod.xml      |   13 +
 lib/ldb-samba/ldb_ildap.c                      |   10 +-
 lib/param/loadparm.c                           |    1 +
 lib/param/param_table.c                        |    9 +
 libds/common/flags.h                           |    3 +-
 python/samba/netcmd/domain.py                  |   77 +-
 selftest/knownfail                             |    4 +-
 selftest/skip                                  |    1 +
 source3/auth/check_samsec.c                    |   32 +-
 source3/libads/krb5_errs.c                     |    2 +-
 source3/param/loadparm.c                       |    1 +
 source3/passdb/pdb_samba_dsdb.c                |   11 +-
 source3/rpc_server/samr/srv_samr_nt.c          |   17 +
 source3/selftest/tests.py                      |    2 +-
 source4/auth/gensec/gensec_gssapi.c            |    3 +
 source4/auth/ntlm/auth_sam.c                   |  388 +++++-
 source4/auth/sam.c                             |  123 ++-
 source4/dsdb/common/util.c                     |  259 ++++-
 source4/dsdb/common/util_samr.c                |   50 +-
 source4/dsdb/samdb/ldb_modules/operational.c   |  292 ++++-
 source4/dsdb/samdb/ldb_modules/password_hash.c |  199 ++-
 source4/dsdb/samdb/ldb_modules/samldb.c        |  292 +++--
 source4/dsdb/tests/python/password_lockout.py  | 1484 ++++++++++++++++++++
 source4/dsdb/tests/python/sam.py               |    1 -
 source4/heimdal/kdc/kerberos5.c                |   18 +-
 source4/kdc/db-glue.c                          |   22 +-
 source4/kdc/hdb-samba4.c                       |   20 +-
 source4/kdc/kpasswdd.c                         |    9 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c  |   12 +-
 source4/rpc_server/samr/dcesrv_samr.c          |   55 +-
 source4/rpc_server/samr/samr_password.c        |   32 +-
 source4/rpc_server/wscript_build               |    2 +-
 source4/selftest/tests.py                      |    1 +
 source4/setup/tests/blackbox_setpassword.sh    |    2 +
 source4/torture/rpc/samr.c                     |  916 ++++++++----
 36 files changed, 3697 insertions(+), 668 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
 create mode 100755 source4/dsdb/tests/python/password_lockout.py


Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 7e9dcae..20cacdb 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c 
@@ -705,7 +705,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec spnego_state->sub_sec_security = NULL; DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } diff --git a/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml new file mode 100644 index 0000000..ead720a --- /dev/null +++ b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml @@ -0,0 +1,13 @@ +<samba:parameter name="old password allowed period" + context="G" + advanced="1" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Number of minutes to permit an NTLM login after a password change or reset using the old password. This allows the user to re-cache the new password on multiple clients without disrupting a network reconnection in the meantime. </para> + + <para>This parameter only applies when <smbconfoption name="server role"/> is set to Active Directory Domain Controller</para> +</description> + +<value type="default">60</value> +</samba:parameter> diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c index 18853eb..6ec363d 100644 --- a/lib/ldb-samba/ldb_ildap.c +++ b/lib/ldb-samba/ldb_ildap.c @@ -791,7 +791,7 @@ static int ildb_connect(struct ldb_context *ldb, const char *url, { struct ldb_module *module; struct ildb_private *ildb; - NTSTATUS status; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; struct cli_credentials *creds; struct loadparm_context *lp_ctx; 
@@ -862,6 +862,14 @@ static int ildb_connect(struct ldb_context *ldb, const char *url, failed: talloc_free(module); + if (NT_STATUS_IS_LDAP(status)) { + return NT_STATUS_LDAP_CODE(status); + } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD) + || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER) + || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE) + || NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) { + return LDB_ERR_INVALID_CREDENTIALS; + } return LDB_ERR_OPERATIONS_ERROR; } diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index fd5e5e3..97a06a0 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2082,6 +2082,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True"); lpcfg_do_global_parameter(lp_ctx, "WriteRaw", "True"); lpcfg_do_global_parameter(lp_ctx, "NullPasswords", "False"); + lpcfg_do_global_parameter(lp_ctx, "old password allowed period", "60"); lpcfg_do_global_parameter(lp_ctx, "ObeyPamRestrictions", "False"); lpcfg_do_global_parameter(lp_ctx, "TimeServer", "False"); diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 40f8eb5..8df7d1b 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -490,6 +490,15 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED | FLAG_DEPRECATED, }, { + .label = "old password allowed period", + .type = P_INTEGER, + .p_class = P_GLOBAL, + .offset = GLOBAL_VAR(old_password_allowed_period), + .special = NULL, + .enum_list = NULL, + .flags = FLAG_ADVANCED, + }, + { .label = "obey pam restrictions", .type = P_BOOL, .p_class = P_GLOBAL, diff --git a/libds/common/flags.h b/libds/common/flags.h index 96709af..4975024 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h 
@@ -64,7 +64,8 @@ UF_NORMAL_ACCOUNT |\ UF_INTERDOMAIN_TRUST_ACCOUNT |\ UF_WORKSTATION_TRUST_ACCOUNT |\ - UF_SERVER_TRUST_ACCOUNT \ + UF_SERVER_TRUST_ACCOUNT |\ + UF_PARTIAL_SECRETS_ACCOUNT \ ) #define UF_SETTABLE_BITS (\ diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index 2765902..0e00bd5 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -1079,8 +1079,11 @@ class cmd_domain_level(Command): class cmd_domain_passwordsettings(Command): """Set password settings. - Password complexity, history length, minimum password length, the minimum - and maximum password age) on a Samba4 server. + Password complexity, password lockout policy, history length, + minimum password length, the minimum and maximum password age) on + a Samba AD DC server. + + Use against a Windows DC is possible, but group policy will override it. """ synopsis = "%prog (show|set <options>) [options]" 
@@ -1107,13 +1110,20 @@ class cmd_domain_passwordsettings(Command): help="The minimum password age (<integer in days> | default). Default is 1.", type=str), Option("--max-pwd-age", help="The maximum password age (<integer in days> | default). Default is 43.", type=str), + Option("--account-lockout-duration", + help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str), + Option("--account-lockout-threshold", + help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str), + Option("--reset-account-lockout-after", + help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str), ] takes_args = ["subcommand"] def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None, quiet=False, complexity=None, store_plaintext=None, history_length=None, - min_pwd_length=None, credopts=None, sambaopts=None, + min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None, + reset_account_lockout_after=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) @@ -1124,7 +1134,8 @@ class cmd_domain_passwordsettings(Command): domain_dn = samdb.domain_dn() res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE, attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", - "minPwdAge", "maxPwdAge"]) + "minPwdAge", "maxPwdAge", "lockoutDuration", "lockoutThreshold", + "lockOutObservationWindow"]) assert(len(res) == 1) try: pwd_props = int(res[0]["pwdProperties"][0]) 
@@ -1136,6 +1147,13 @@ class cmd_domain_passwordsettings(Command): cur_max_pwd_age = 0 else: cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24)) + cur_account_lockout_threshold = int(res[0]["lockoutThreshold"][0]) + # ticks -> mins + if int(res[0]["lockoutDuration"][0]) == -0x8000000000000000: + cur_account_lockout_duration = 0 + else: + cur_account_lockout_duration = abs(int(res[0]["lockoutDuration"][0])) / (1e7 * 60) + cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60) except Exception, e: raise CommandError("Could not retrieve password properties!", e) @@ -1154,6 +1172,9 @@ class cmd_domain_passwordsettings(Command): self.message("Minimum password length: %d" % cur_min_pwd_len) self.message("Minimum password age (days): %d" % cur_min_pwd_age) self.message("Maximum password age (days): %d" % cur_max_pwd_age) + self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration) + self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold) + self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after) elif subcommand == "set": msgs = [] m = ldb.Message() 
@@ -1240,6 +1261,54 @@ class cmd_domain_passwordsettings(Command): ldb.FLAG_MOD_REPLACE, "maxPwdAge") msgs.append("Maximum password age changed!") + if account_lockout_duration is not None: + if account_lockout_duration == "default": + account_lockout_duration = 30 + else: + account_lockout_duration = int(account_lockout_duration) + + if account_lockout_duration < 0 or account_lockout_duration > 99999: + raise CommandError("Maximum password age must be in the range of 0 to 99999!") + + # days -> ticks + if account_lockout_duration == 0: + account_lockout_duration_ticks = -0x8000000000000000 + else: + account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7)) + + m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks), + ldb.FLAG_MOD_REPLACE, "lockoutDuration") + msgs.append("Account lockout duration changed!") + + if account_lockout_threshold is not None: + if account_lockout_threshold == "default": + account_lockout_threshold = 0 + else: + account_lockout_threshold = int(account_lockout_threshold) + + m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold), + ldb.FLAG_MOD_REPLACE, "lockoutThreshold") + msgs.append("Account lockout threshold changed!") + + if reset_account_lockout_after is not None: + if reset_account_lockout_after == "default": + reset_account_lockout_after = 30 + else: + reset_account_lockout_after = int(reset_account_lockout_after) + + if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999: + raise CommandError("Maximum password age must be in the range of 0 to 99999!") + + # days -> ticks + if reset_account_lockout_after == 0: + reset_account_lockout_after_ticks = -0x8000000000000000 + else: + reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7)) + + m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks), + ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow") + msgs.append("Duration to reset account lockout 
after changed!") + if max_pwd_age > 0 and min_pwd_age >= max_pwd_age: raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)) diff --git a/selftest/knownfail b/selftest/knownfail index 65f9fd2..35dba20 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -96,8 +96,6 @@ ^samba4.rpc.netlogon.*.GetTrustPasswords ^samba4.rpc.netlogon.*.DatabaseRedo ^samba4.rpc.netlogon.*.ServerGetTrustInfo -^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet -^samba4.rpc.samr.passwords.lockout ^samba4.base.charset.*.Testing partial surrogate ^samba4.*.base.maximum_allowed # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT .*net.api.delshare.* # DelShare isn't implemented yet @@ -213,6 +211,8 @@ ^samba3.smb2.session.*reauth5 # some special anonymous checks? ^samba3.smb2.compound.interim2 # wrong return code (STATUS_CANCELLED) ^samba3.raw.session.*reauth2 # maybe fix this? +^samba3.rpc.samr.passwords.badpwdcount.samr.badPwdCount\(s3dc\) # We fail this test currently +^samba3.rpc.samr.passwords.lockout.*\(s3dc\)$ # We fail this test currently ^samba3.rpc.spoolss.printer.addprinter.driver_info_winreg # knownfail or flapping? ^samba3.rpc.spoolss.printer.addprinterex.driver_info_winreg # knownfail or flapping? ^samba3.rpc.spoolss.printer.*.publish_toggle\(.*\)$ # needs spoolss AD member env diff --git a/selftest/skip b/selftest/skip index c16dcf5..ed20649 100644 --- a/selftest/skip +++ b/selftest/skip @@ -44,6 +44,7 @@ ^samba3.smb2.durable-open-disconnect # Not a test, but a way to create a disconnected durable ^samba3.smb2.scan # No tests ^samba3.smb2.oplock.levelii501 # No test yet +^samba3.rpc.samr.passwords.lockout\(plugin_s4_dc\) # No point running this version, it just waits 12 times longer the samba4 version of this test, covering the same code ^samba4.base.iometer ^samba4.base.casetable ^samba4.base.nttrans 
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c index 7c97170..ff634aa 100644 --- a/source3/auth/check_samsec.c +++ b/source3/auth/check_samsec.c @@ -379,6 +379,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, const char *username; const uint8_t *nt_pw; const uint8_t *lm_pw; + uint32_t acct_ctrl; /* the returned struct gets kept on the server_info, by means of a steal further down */ @@ -401,19 +402,20 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, return NT_STATUS_NO_SUCH_USER; } + acct_ctrl = pdb_get_acct_ctrl(sampass); username = pdb_get_username(sampass); nt_pw = pdb_get_nt_passwd(sampass); lm_pw = pdb_get_lanman_passwd(sampass); /* Quit if the account was locked out. */ - if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { + if (acct_ctrl & ACB_AUTOLOCK) { DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username)); TALLOC_FREE(sampass); return NT_STATUS_ACCOUNT_LOCKED_OUT; } nt_status = sam_password_ok(mem_ctx, - username, pdb_get_acct_ctrl(sampass), + username, acct_ctrl, challenge, lm_pw, nt_pw, user_info, &user_sess_key, &lm_sess_key); @@ -426,7 +428,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, bool increment_bad_pw_count = false; if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && - pdb_get_acct_ctrl(sampass) & ACB_NORMAL && + (acct_ctrl & ACB_NORMAL) && NT_STATUS_IS_OK(update_login_attempts_status)) { increment_bad_pw_count = 
@@ -456,16 +458,22 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, goto done; } - if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && - (pdb_get_bad_password_count(sampass) > 0)){ - pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); - pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); - updated_badpw = True; + /* + * We must only reset the bad password count if the login was + * successful, including checking account policies + */ + nt_status = sam_account_ok(mem_ctx, sampass, user_info); + if (!NT_STATUS_IS_OK(nt_status)) { + goto done; } - if (updated_badpw){ + if ((acct_ctrl & ACB_NORMAL) && + (pdb_get_bad_password_count(sampass) > 0)){ NTSTATUS status; + pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); + pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); + become_root(); status = pdb_update_sam_account(sampass); unbecome_root(); @@ -476,12 +484,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, } } - nt_status = sam_account_ok(mem_ctx, sampass, user_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - goto done; - } - become_root(); nt_status = make_server_info_sam(mem_ctx, sampass, server_info); unbecome_root(); diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index d4ff09a..8eb5d82 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -28,7 +28,7 @@ static const struct { } krb5_to_nt_status_map[] = { {KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR}, {KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER}, - {KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED}, + {KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCOUNT_LOCKED_OUT}, {KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME}, {KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE}, #if defined(KRB5KDC_ERR_KEY_EXP) /* MIT */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index ad87972..8006167 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -802,6 +802,7 @@ static void init_globals(bool reinit_globals) Globals.read_raw = true; Globals.write_raw = true; Globals.null_passwords = false; + Globals.old_password_allowed_period = 60; Globals.obey_pam_restrictions = false; Globals.syslog = 1; Globals.syslog_only = false; diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index dee20ef..01e747a 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -272,12 +272,12 @@ static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m, } pdb_set_user_sid(sam, sid, PDB_SET); - n = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); + n = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed"); if (n == 0) { DEBUG(10, ("Could not pull userAccountControl\n")); goto fail; } - pdb_set_acct_ctrl(sam, ds_uf2acb(n), PDB_SET); + pdb_set_acct_ctrl(sam, n, PDB_SET); blob = ldb_msg_find_ldb_val(msg, "unicodePwd"); if (blob) { @@ -614,7 +614,8 @@ static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state, "sAMAccountName", "displayName", "homeDirectory", "homeDrive", "scriptPath", "profilePath", "description", "userWorkstations", "comment", "userParameters", "objectSid", - "primaryGroupID", "userAccountControl", "logonHours", + "primaryGroupID", "userAccountControl", + "msDS-User-Account-Control-Computed", "logonHours", "badPwdCount", "logonCount", "countryCode", "codePage", "unicodePwd", "dBCSPwd", NULL }; @@ -1936,9 +1937,7 @@ static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m, } sid_peek_rid(sid, &e->rid); - e->acct_flags = samdb_result_acct_flags(state->ldb, tmp_ctx, - res->msgs[i], - ldb_get_default_basedn(state->ldb)); + e->acct_flags = samdb_result_acct_flags(res->msgs[i], "userAccountControl"); e->account_name = ldb_msg_find_attr_as_string( res->msgs[i], "samAccountName", NULL); if (e->account_name == NULL) { 
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index 48cfc7e..5318ba2 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -6378,6 +6378,23 @@ static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx, { time_t u_lock_duration, u_reset_time; + /* + * It is not possible to set lockout_duration < lockout_window. + * (The test is the other way around since the negative numbers + * are stored...) + * + * This constraint is documented here for the samr rpc service: + * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates + * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx + * + * And here for the ldap backend: + * MS-ADTS 3.1.1.5.3.2 Constraints + * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx + */ + if (r->lockout_duration > r->lockout_window) { + return NT_STATUS_INVALID_PARAMETER; + } + u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration); if (u_lock_duration != -1) { u_lock_duration /= 60; diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 81ef184..e64cf77 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -301,7 +301,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh "rpc.lsa", "rpc.lsa-getuser", "rpc.lsa.lookupsids", "rpc.lsa.lookupnames", "rpc.lsa.privileges", "rpc.lsa.secrets", "rpc.samr", "rpc.samr.users", "rpc.samr.users.privileges", "rpc.samr.passwords", - "rpc.samr.passwords.pwdlastset", "rpc.samr.large-dc", "rpc.samr.machine.auth", + "rpc.samr.passwords.pwdlastset", "rpc.samr.passwords.lockout", "rpc.samr.passwords.badpwdcount", "rpc.samr.large-dc", "rpc.samr.machine.auth", "rpc.samr.priv", "rpc.samr.passwords.validate", "rpc.netlogon.admin", "rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.join", "rpc.bind"] diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 0bb307f..63fda1f 100644 
--- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -306,6 +306,9 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: DEBUG(1, ("Wrong username or password: %s\n", error_string)); return NT_STATUS_LOGON_FAILURE; + case KRB5KDC_ERR_CLIENT_REVOKED: + DEBUG(1, ("Account locked out: %s\n", error_string)); + return NT_STATUS_ACCOUNT_LOCKED_OUT; case KRB5_KDC_UNREACH: DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string)); return NT_STATUS_NO_LOGON_SERVERS; diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index c8d6e5b..6b184f8 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -33,6 +33,7 @@ #include "param/param.h" #include "librpc/gen_ndr/ndr_irpc_c.h" #include "lib/messaging/irpc.h" +#include "libcli/auth/libcli_auth.h" NTSTATUS auth_sam_init(void); @@ -127,13 +128,6 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, break; } - if (user_sess_key && user_sess_key->data) { - talloc_steal(auth_context, user_sess_key->data); - } - if (lm_sess_key && lm_sess_key->data) { - talloc_steal(auth_context, lm_sess_key->data); - } - return NT_STATUS_OK; } -- Samba Shared Repository
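Review bot: the description in docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml should spell out the trade-off of the new parameter: with the default of 60, the previous password keeps working for NTLM logins for an hour after any change or reset, including a reset made because the old password was believed compromised. Suggest adding a sentence saying whether a value of 0 disables the window entirely, and making explicit that Kerberos logins are unaffected (the text only mentions NTLM). Minor: the first <para> has a trailing space before </para> and the second lacks a full stop after "Domain Controller".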
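Review bot: the default of 60 for "old password allowed period" is now repeated in three places (the XML <value type="default">60</value>, lpcfg_do_global_parameter(lp_ctx, "old password allowed period", "60") in lib/param/loadparm.c, and Globals.old_password_allowed_period = 60; in source3/param/loadparm.c); a later change to one will silently desynchronise the others. Consider a single shared constant, or at least a cross-referencing comment at each site.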
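Review bot: the help strings in the python/samba/netcmd/domain.py options hunk need a pass. "The the length of time an account is locked out after exeeding the limit" should read "The length of time an account is locked out after exceeding the limit". The --reset-account-lockout-after help gives "(<integer> | default)" although the value is minutes; use "(<integer in mins> | default)" like --account-lockout-duration, and "After this time is elapsed" should be "After this time has elapsed".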
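Review bot: in the show branch of cmd_domain_passwordsettings the -0x8000000000000000 sentinel is checked for lockoutDuration but not for lockOutObservationWindow, so cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60) would print a huge number for a window stored as that sentinel instead of 0. The set branch in this same patch writes exactly that sentinel when reset_account_lockout_after == 0, so show should mirror the lockoutDuration check.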
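Review bot: both new range checks in the set branch raise a copy-pasted message: raise CommandError("Maximum password age must be in the range of 0 to 99999!") appears in the account_lockout_duration block and again in the reset_account_lockout_after block, but neither validates the maximum password age; name the option actually being checked. The two "# days -> ticks" comments are also wrong for these values, which are minutes (the conversion is account_lockout_duration * (60 * 1e7)). Two gaps as well: --account-lockout-threshold is converted with int() but gets no range check at all, and nothing here enforces the lockoutDuration/lockOutObservationWindow relationship that the srv_samr_nt.c hunk in this same patch rejects with NT_STATUS_INVALID_PARAMETER, so samba-tool can write a combination the SAMR server would refuse; validating it before building the modify message would give a clearer error.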
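Review bot: the comment on the new selftest/skip entry is missing a word: "it just waits 12 times longer the samba4 version of this test" should be "12 times longer than the samba4 version of this test".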
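Review bot: the reordering in source3/auth/check_samsec.c is the right fix (badPwdCount is now zeroed only after sam_account_ok() passes, so a correct password presented against a disabled or expired account no longer clears the counter), but the hunk removes the only assignment updated_badpw = True; without showing its declaration. If bool updated_badpw is still declared earlier in check_sam_security() it is now set-but-unused and should be removed in the same commit.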
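Review bot: changing {KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED} to NT_STATUS_ACCOUNT_LOCKED_OUT in krb5_to_nt_status_map is more specific than the KDC error warrants: a Windows KDC also returns KDC_ERR_CLIENT_REVOKED for disabled and expired accounts, so those will now be reported as locked out. If the KDC supplies e-data that distinguishes the cases, prefer that; otherwise add a comment that this is a best-effort mapping chosen to surface lockout.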
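Review bot: the new case KRB5KDC_ERR_CLIENT_REVOKED in gensec_gssapi_client_creds() has the same concern as the krb5_errs.c hunk: the DEBUG message "Account locked out" and the NT_STATUS_ACCOUNT_LOCKED_OUT return will also fire for disabled or expired accounts. Wording the log line as "Account locked out or disabled" would avoid misleading administrators reading the debug output.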
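Review bot: the two samdb_result_acct_flags() call sites in source3/passdb/pdb_samba_dsdb.c now read different attributes: pdb_samba_dsdb_init_sam_from_priv() uses "msDS-User-Account-Control-Computed" (and the getsamupriv attribute list gains it), while pdb_samba_dsdb_search_filter() passes "userAccountControl". Since lockout is only visible through the computed attribute, entries returned from search_filter will never carry ACB_AUTOLOCK; if that is intentional (to avoid computing the attribute on enumeration) say so in a comment, otherwise request the computed attribute there too. The dropped ds_uf2acb(n) also implies samdb_result_acct_flags() now returns ACB_ flags directly; a short comment at the first call site would save the next reader checking.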
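Review bot: removing the talloc_steal(auth_context, user_sess_key->data) and talloc_steal(auth_context, lm_sess_key->data) calls from authsam_password_ok() changes who owns the session keys, but the hunk does not show the caller taking them over. Please confirm the keys are allocated on, or later stolen to, a context that outlives the temporary context introduced elsewhere in this series, otherwise the blobs handed back will dangle once that context is freed. The new #include "libcli/auth/libcli_auth.h" has no visible user in the shown hunk; fine if needed by code outside it.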