#include "lib/crypto/md4.h"
#include "param/param.h"
#include "lib/krb5_wrap/krb5_samba.h"
+#include "auth/auth_sam.h"
#include "auth/common_auth.h"
#include "lib/messaging/messaging.h"
#include "lib/param/loadparm.h"
struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
struct ldb_message *mod_msg = NULL;
struct ldb_message *pso_msg = NULL;
- NTSTATUS status;
+ struct ldb_message *current = NULL;
+ NTSTATUS status = NT_STATUS_OK;
int ret; /* The errors we will actually return */
int dbg_ret; /* The errors we can only complain about in logs */
goto done;
}
+ /*
+ * Re-read the account details, using the GUID in case the DN
+ * is being changed.
+ */
+ status = authsam_reread_user_logon_data(
+ ldb, io->ac,
+ io->ac->search_res->message,
+ ¤t);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* The re-read can return account locked out, as well
+ * as an internal error
+ */
+ goto end_transaction;
+ }
+
/* PSO search result is optional (NULL if no PSO applies) */
if (io->ac->pso_res != NULL) {
pso_msg = io->ac->pso_res->message;
}
status = dsdb_update_bad_pwd_count(io->ac, ldb,
- io->ac->search_res->message,
+ current,
io->ac->dom_res->message,
pso_msg,
&mod_msg);
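Review bot: When `authsam_reread_user_logon_data()` fails with anything other than account-locked-out, the new `goto end_transaction;` skips `dsdb_update_bad_pwd_count()`, so as far as the visible lines show, a wrong old password on that path is neither counted toward lockout nor logged. Unless the callee already logs, I would add a line before the jump for the non-lockout case, e.g. `if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) { DBG_ERR("re-read of user logon data failed: %s\n", nt_errstr(status)); }`, so operators can see attempts that escaped bad-password accounting. `status` is also reassigned by `dsdb_update_bad_pwd_count()` just below and later read at `done:` to choose the WERROR, so a one-line comment saying which call's status `done:` is meant to see would help the next reader. The out-parameter shown as `¤t` on this page is presumably `&current`, mangled in extraction. The enclosing function starts and ends outside this hunk.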
done:
ret = LDB_ERR_CONSTRAINT_VIOLATION;
- *werror = WERR_INVALID_PASSWORD;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ *werror = WERR_ACCOUNT_LOCKED_OUT;
+ } else {
+ *werror = WERR_INVALID_PASSWORD;
+ }
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "
"The old password specified doesn't match!",