r18636: Excessive testing with pam_winbind within Samba3 revealed a new samr

reject reason code while password changing: SAMR_REJECT_IN_HISTORY which
is different from SAMR_REJECT_COMPLEXITY.

torture test to follow as well.

Guenther
(This used to be commit 7513748208214339e764cc990aa1dbbcf864975a)

diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index e0691e4c3292eaf8e640b8a7246e76dbc81bfe6c..e6752716ab0e46aef11e7e740242978ca8d30864 100644 (file)
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -1282,13 +1282,13 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
                if (pwdHistoryLength > 0) {
                        if (lmNewHash && lmPwdHash && memcmp(lmNewHash->hash, lmPwdHash->hash, 16) == 0) {
                                if (reject_reason) {
-                                       *reject_reason = SAMR_REJECT_COMPLEXITY;
+                                       *reject_reason = SAMR_REJECT_IN_HISTORY;
                                }
                                return NT_STATUS_PASSWORD_RESTRICTION;
                        }
                        if (ntNewHash && ntPwdHash && memcmp(ntNewHash->hash, ntPwdHash->hash, 16) == 0) {
                                if (reject_reason) {
-                                       *reject_reason = SAMR_REJECT_COMPLEXITY;
+                                       *reject_reason = SAMR_REJECT_IN_HISTORY;
                                }
                                return NT_STATUS_PASSWORD_RESTRICTION;
                        }
@@ -1301,7 +1301,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
                for (i=0; lmNewHash && i<sambaLMPwdHistory_len;i++) {
                        if (memcmp(lmNewHash->hash, sambaLMPwdHistory[i].hash, 16) == 0) {
                                if (reject_reason) {
-                                       *reject_reason = SAMR_REJECT_COMPLEXITY;
+                                       *reject_reason = SAMR_REJECT_IN_HISTORY;
                                }
                                return NT_STATUS_PASSWORD_RESTRICTION;
                        }
@@ -1309,7 +1309,7 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
                for (i=0; ntNewHash && i<sambaNTPwdHistory_len;i++) {
                        if (memcmp(ntNewHash->hash, sambaNTPwdHistory[i].hash, 16) == 0) {
                                if (reject_reason) {
-                                       *reject_reason = SAMR_REJECT_COMPLEXITY;
+                                       *reject_reason = SAMR_REJECT_IN_HISTORY;
                                }
                                return NT_STATUS_PASSWORD_RESTRICTION;
                        }

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 57b4de5e699c3924924efddc31d6a9cdf9cdb30b..dc8d5c73108d3c8f559dfc50f28c567d22f37d00 100644 (file)
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -134,6 +134,9 @@ static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
                case SAMR_REJECT_COMPLEXITY:
                        reject_string = "Password does not meet complexity requirements";
                        break;
+               case SAMR_REJECT_IN_HISTORY:
+                       reject_string = "Password is already in password history";
+                       break;
                case SAMR_REJECT_OTHER:
                default:
                        reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",

diff --git a/source4/librpc/idl/misc.idl b/source4/librpc/idl/misc.idl
index 353457dd02fc55076d3cdc816007ac3725d9ee00..9d43a806b7f0ef16588728c25e410ed0b6550b8f 100644 (file)
--- a/source4/librpc/idl/misc.idl
+++ b/source4/librpc/idl/misc.idl
@@ -40,7 +40,8 @@ interface misc
        typedef [public,v1_enum] enum {
                SAMR_REJECT_OTHER      = 0,
                SAMR_REJECT_TOO_SHORT  = 1,
-               SAMR_REJECT_COMPLEXITY = 2
+               SAMR_REJECT_IN_HISTORY = 2,
+               SAMR_REJECT_COMPLEXITY = 5
        } samr_RejectReason;