Author: metze Date: 2005-01-12 10:49:52 +0000 (Wed, 12 Jan 2005) New Revision: 4707
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4707 Log: w2k3 don't restict passwords on netr_ServerPasswordSet and netr_ServerPasswordSet2 so we do now I also add a torture test for this metze Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c branches/SAMBA_4_0/source/torture/rpc/netlogon.c Changeset: Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c =================================================================== --- branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 2005-01-12 10:25:44 UTC (rev 4706) +++ branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 2005-01-12 10:49:52 UTC (rev 4707) @@ -389,7 +389,8 @@ mod, NULL, /* Don't have plaintext */ NULL, &r->in.new_password, - False /* This is not considered a password change */, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ NULL); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -1097,7 +1098,8 @@ msgs_domain[0]->dn, mod, new_pass, /* we have plaintext */ NULL, NULL, - False /* This is not considered a password change */, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ NULL); ZERO_ARRAY(new_pass); NT_STATUS_NOT_OK_RETURN(nt_status); Modified: branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c =================================================================== --- branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c 2005-01-12 10:25:44 UTC (rev 4706) +++ branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c 2005-01-12 10:49:52 UTC (rev 4707) 
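Review bot: The new `False` argument at the netr_ServerPasswordSet2 call (hunk at -1097, where `new_pass` is plaintext) switches the length and complexity checks off unconditionally, so this path now accepts any machine password, including the empty string the new torture test sends. In the netr_ServerPasswordSet call (hunk at -389) only a hash is passed, and the checks gated in samr_password.c sit under `if (new_pass)`, so there the flag appears to change nothing visible in this diff. The call-site comment should record the consequence and the assumption it rests on, for example `False, /* no length/complexity check (match w2k3): "" is accepted; relies on the netlogon credential check before this call - confirm */`. Whether that credential check precedes both calls cannot be seen here, because both enclosing functions start and end outside the hunks.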
@@ -115,7 +115,9 @@ status = samdb_set_password(a_state->sam_ctx, mem_ctx, a_state->account_dn, a_state->domain_state->domain_dn, msg, NULL, &new_lmPwdHash, &new_ntPwdHash, - True, NULL); + True, /* this is a user password change */ + True, /* run restriction tests */ + NULL); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -229,7 +231,9 @@ user_dn, domain_dn, mod, new_pass, NULL, NULL, - True, NULL); + True, /* this is a user password change */ + True, /* run restriction tests */ + NULL); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -378,7 +382,9 @@ user_dn, domain_dn, mod, new_pass, NULL, NULL, - True, &reason); + True, /* this is a user password change */ + True, /* run restriction tests */ + &reason); if (!NT_STATUS_IS_OK(status)) { goto failed; } @@ -481,6 +487,7 @@ struct samr_Password *lmNewHash, struct samr_Password *ntNewHash, BOOL user_change, + BOOL restrict, uint32_t *reject_reason) { const char * const user_attrs[] = { "userAccountControl", "lmPwdHistory", @@ -536,7 +543,7 @@ if (new_pass) { /* check the various password restrictions */ - if (minPwdLength > strlen_m(new_pass)) { + if (restrict && minPwdLength > strlen_m(new_pass)) { if (reject_reason) { *reject_reason = SAMR_REJECT_TOO_SHORT; } @@ -544,7 +551,7 @@ } /* possibly check password complexity */ - if (pwdProperties & DOMAIN_PASSWORD_COMPLEX && + if (restrict && pwdProperties & DOMAIN_PASSWORD_COMPLEX && !samdb_password_complexity_ok(new_pass)) { if (reject_reason) { *reject_reason = SAMR_REJECT_COMPLEXITY; @@ -560,7 +567,7 @@ ntNewHash = &local_ntNewHash; } - if (user_change) { + if (restrict && user_change) { /* are all password changes disallowed? */ if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) { if (reject_reason) { @@ -757,7 +764,8 @@ account_dn, domain_dn, msg, new_pass, NULL, NULL, - False /* This is a password set, not change */, + False, /* This is a password set, not change */ + True, /* run restriction tests */ NULL); } 
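Review bot: The parameter added at -481, `BOOL restrict,`, uses a name that is a keyword in C99 and later, so samr_password.c will not compile once it is built in a C99 mode; the uses at -536, -544 and -560 carry the same name. Renaming it, for example `BOOL restrictions,`, avoids that. While touching -544, parenthesising the mask test makes the precedence explicit: `if (restrictions && (pwdProperties & DOMAIN_PASSWORD_COMPLEX) &&`. The function's header comment is outside the hunk; it should gain a line stating that a false value skips the minimum-length, complexity and user-change policy checks.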
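Review bot: At -560 the condition `if (restrict && user_change) {` makes `user_change` ineffective whenever restrictions are off, so a caller passing `True, False` would silently skip the DOMAIN_REFUSE_PASSWORD_CHANGE test and whatever else this block enforces (it continues outside the hunk). No call in this commit uses that combination, but two adjacent positional booleans are easy to swap or mis-set in a later call. A comment above the block would pin the intent, for example `/* user-change policy applies only when restrictions are on; callers that turn them off must already have authorised the change */`.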
@@ -810,7 +818,8 @@ account_dn, domain_dn, msg, new_pass, NULL, NULL, - False, + False, /* This is a password set, not change */ + True, /* run restriction tests */ NULL); } Modified: branches/SAMBA_4_0/source/torture/rpc/netlogon.c =================================================================== --- branches/SAMBA_4_0/source/torture/rpc/netlogon.c 2005-01-12 10:25:44 UTC (rev 4706) +++ branches/SAMBA_4_0/source/torture/rpc/netlogon.c 2005-01-12 10:49:52 UTC (rev 4707) @@ -268,6 +268,37 @@ r.in.secure_channel_type = SEC_CHAN_BDC; r.in.computer_name = TEST_MACHINE_NAME; + password = ""; + E_md4hash(password, r.in.new_password.hash); + + creds_des_encrypt(&creds, &r.in.new_password); + /* by changing the machine password to "" + * we check if the server uses password restrictions + * for ServerPasswordSet2 + * (win2k3 accepts "") + */ + printf("Testing a second ServerPasswordSet on machine account\n"); + printf("Changing machine account password to '%s'\n", password); + + creds_client_authenticator(&creds, &r.in.credential); + + status = dcerpc_netr_ServerPasswordSet(p, mem_ctx, &r); + if (!NT_STATUS_IS_OK(status)) { + printf("ServerPasswordSet (2) - %s\n", nt_errstr(status)); + return False; + } + + if (!creds_client_check(&creds, &r.out.return_authenticator.cred)) { + printf("Credential chaining failed\n"); + } + + machine_password = password; + + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { + printf("ServerPasswordSet failed to actually change the password\n"); + return False; + } + password = generate_random_str(mem_ctx, 8); E_md4hash(password, r.in.new_password.hash); 
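Review bot: A failed `creds_client_check()` in the block added at -268 only prints "Credential chaining failed" and the test carries on, so a server that returns a bad return authenticator is still reported as passing. Adding `return False;` after that printf would make the failure count, provided that matches how the rest of the function (outside the hunk) treats the check. The same block is repeated in the ServerPasswordSet2 hunk at -337. The added comment says `for ServerPasswordSet2` although this hunk calls `dcerpc_netr_ServerPasswordSet`; it should read `for ServerPasswordSet`.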
@@ -337,6 +368,38 @@ r.in.secure_channel_type = SEC_CHAN_BDC; r.in.computer_name = TEST_MACHINE_NAME; + password = ""; + encode_pw_buffer(r.in.new_password.data, password, STR_UNICODE); + creds_arcfour_crypt(&creds, r.in.new_password.data, 516); + + /* by changing the machine password to "" + * we check if the server uses password restrictions + * for ServerPasswordSet2 + * (win2k3 accepts "") + */ + printf("Testing a second ServerPasswordSet2 on machine account\n"); + printf("Changing machine account password to '%s'\n", password); + + creds_client_authenticator(&creds, &r.in.credential); + + status = dcerpc_netr_ServerPasswordSet2(p, mem_ctx, &r); + if (!NT_STATUS_IS_OK(status)) { + printf("ServerPasswordSet (2) - %s\n", nt_errstr(status)); + return False; + } + + if (!creds_client_check(&creds, &r.out.return_authenticator.cred)) { + printf("Credential chaining failed\n"); + } + + machine_password = password; + + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { + printf("ServerPasswordSet failed to actually change the password\n"); + return False; + } + + /* now try a random password */ password = generate_random_str(mem_ctx, 8); encode_pw_buffer(r.in.new_password.data, password, STR_UNICODE); creds_arcfour_crypt(&creds, r.in.new_password.data, 516);
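Review bot: From the moment the server accepts "" until the random-password step that follows succeeds, the test machine account has an empty password, and an early exit in between (the added `return False` paths here and in the matching block at -268, or a failure in the next step) leaves it that way unless cleanup outside the hunk resets it. A comment should say so, for example `/* leaves TEST_MACHINE_NAME with an empty password until the random password below is set; run only against a disposable test domain */`. The failure messages in this hunk are also mislabelled for a `dcerpc_netr_ServerPasswordSet2` call: `printf("ServerPasswordSet (2) - %s\n", ...)` would read better as `printf("ServerPasswordSet2 (2) - %s\n", nt_errstr(status));`, and likewise for "ServerPasswordSet failed to actually change the password". The literal `516` passed to `creds_arcfour_crypt` would be clearer as `sizeof(r.in.new_password.data)` if that field is a fixed-size array, which is not visible here.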