passwords to be stored over time, allowing a smbpasswd file migration.
Adds new parameter "update encrypted".
Will also add to 1.9.18 branch.
Docs update to follow.
Jeremy.
BOOL check_oem_password(char *user, unsigned char *data,
struct smb_passwd **psmbpw, char *new_passwd,
int new_passwd_size);
-BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd);
+BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, BOOL flag);
/*The following definitions come from client.c */
BOOL lp_null_passwords(void);
BOOL lp_strip_dot(void);
BOOL lp_encrypted_passwords(void);
+BOOL lp_update_encrypted(void);
BOOL lp_syslog_only(void);
BOOL lp_browse_list(void);
BOOL lp_unix_realname(void);
int **p_attrs);
uint16 register_vuid(int uid,int gid, char *name,BOOL guest);
void add_session_user(char *user);
+BOOL update_smbpassword_file( char *user, fstring password);
void dfs_unlogin(void);
BOOL password_check(char *password);
BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8);
struct smb_passwd *getsmbpwuid(unsigned int uid);
char *encode_acct_ctrl(uint16 acct_ctrl);
BOOL add_smbpwd_entry(struct smb_passwd *newpwd);
-BOOL mod_smbpwd_entry(struct smb_passwd* pwd);
+BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override);
void *machine_password_lock( char *domain, char *name, BOOL update);
BOOL machine_password_unlock( void *token );
BOOL machine_password_delete( char *domain, char *name );
BOOL bDomainMaster;
BOOL bDomainLogons;
BOOL bEncryptPasswords;
+ BOOL bUpdateEncrypt;
BOOL bStripDot;
BOOL bNullPasswords;
BOOL bLoadPrinters;
{"Security Options", P_SEP, P_SEPARATOR},
{"security", P_ENUM, P_GLOBAL, &Globals.security, NULL, enum_security, FLAG_BASIC},
{"encrypt passwords",P_BOOL, P_GLOBAL, &Globals.bEncryptPasswords, NULL, NULL, FLAG_BASIC},
+ {"update encrypted", P_BOOL, P_GLOBAL, &Globals.bUpdateEncrypt, NULL, NULL, FLAG_BASIC},
{"use rhosts", P_BOOL, P_GLOBAL, &Globals.bUseRhosts, NULL, NULL, 0},
{"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
{"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
Globals.maxprotocol = PROTOCOL_NT1;
Globals.security = SEC_SHARE;
Globals.bEncryptPasswords = False;
+ Globals.bUpdateEncrypt = False;
Globals.bReadRaw = True;
Globals.bWriteRaw = True;
Globals.bReadPrediction = False;
FN_GLOBAL_BOOL(lp_null_passwords,&Globals.bNullPasswords)
FN_GLOBAL_BOOL(lp_strip_dot,&Globals.bStripDot)
FN_GLOBAL_BOOL(lp_encrypted_passwords,&Globals.bEncryptPasswords)
+FN_GLOBAL_BOOL(lp_update_encrypted,&Globals.bUpdateEncrypt)
FN_GLOBAL_BOOL(lp_syslog_only,&Globals.bSyslogOnly)
FN_GLOBAL_BOOL(lp_browse_list,&Globals.bBrowseList)
FN_GLOBAL_BOOL(lp_unix_realname,&Globals.bUnixRealname)
and then modify its password entry. We can't use the startsmbpwent()/
getsmbpwent()/endsmbpwent() interfaces here as we depend on looking
in the actual file to decide how much room we have to write data.
+ override = False, normal
+ override = True, override XXXXXXXX'd out password or NO PASS
************************************************************************/
-BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
+BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override)
{
/* Static buffers we will return. */
static pstring user_name;
/* Record exact password position */
pwd_seekpos += PTR_DIFF(p, linebuf);
- if (*p == '*' || *p == 'X') {
+ if (!override && (*p == '*' || *p == 'X')) {
/* Password deliberately invalid - end here. */
- DEBUG(10, ("get_smbpwd_entry: entry invalidated for user %s\n", user_name));
+ DEBUG(10, ("mod_smbpwd_entry: entry invalidated for user %s\n", user_name));
pw_file_unlock(lockfd, &pw_file_lock_depth);
fclose(fp);
return False;
return False;
}
- if (*p == '*' || *p == 'X') {
+ if (!override && (*p == '*' || *p == 'X')) {
pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
return False;
smb_pass->acct_ctrl = ACB_WSTRUST;
become_root(True);
- ret = mod_smbpwd_entry(smb_pass);
+ ret = mod_smbpwd_entry(smb_pass,False);
unbecome_root(True);
if (ret)
/* Now write it into the file. */
become_root(0);
- ret = mod_smbpwd_entry(smbpw);
+ ret = mod_smbpwd_entry(smbpw,False);
unbecome_root(0);
return ret;
/***********************************************************
Code to change the oem password. Changes both the lanman
and NT hashes.
+ override = False, normal
+ override = True, override XXXXXXXXXX'd password
************************************************************/
-BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd)
+BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, BOOL override)
{
int ret;
fstring upper_case_new_passwd;
/* Now write it into the file. */
become_root(0);
- ret = mod_smbpwd_entry(smbpw);
+ ret = mod_smbpwd_entry(smbpw,override);
unbecome_root(0);
memset(upper_case_new_passwd, '\0', strlen(upper_case_new_passwd));
if(lp_unix_password_sync())
chgpasswd(user,"", new_passwd, True);
- if(change_oem_password( smbpw, new_passwd)) {
+ if(change_oem_password( smbpw, new_passwd, False)) {
SSVAL(*rparam,0,NERR_Success);
}
}
#endif
+/****************************************************************************
+update the encrypted smbpasswd file from the plaintext username and password
+*****************************************************************************/
+BOOL update_smbpassword_file( char *user, fstring password)
+{
+ struct smb_passwd *smbpw;
+ BOOL ret;
+
+ become_root(0);
+ smbpw = getsmbpwnam(user);
+ unbecome_root(0);
+
+ if(smbpw == NULL)
+ {
+ DEBUG(0,("update_smbpassword_file: getsmbpwnam returned NULL\n"));
+ return False;
+ }
+
+ /* Here, the flag is one, because we want to ignore the XXXXXXX'd out password */
+ ret = change_oem_password( smbpw, password, True);
+ if (ret == False)
+ DEBUG(3,("update_smbpasswd_file: change_oem_password returned False\n"));
+
+ return ret;
+}
/****************************************************************************
update the enhanced security database. Only relevant for OSF1 at the moment.
struct passwd *pass;
char challenge[8];
struct smb_passwd *smb_pass;
+ BOOL update_encrypted = lp_update_encrypted();
BOOL challenge_done = False;
if (password) password[pwlen] = 0;
if (password_check(password))
{
update_protected_database(user,True);
+ if (update_encrypted)
+ update_smbpassword_file(user,password);
return(True);
}
if (password_check(password))
{
update_protected_database(user,True);
+ if (update_encrypted)
+ update_smbpassword_file(user,password);
return(True);
}
if (string_combinations(password,password_check,level))
{
update_protected_database(user,True);
+ if (update_encrypted)
+ update_smbpassword_file(user,password);
return(True);
}
smb_pwent->smb_nt_passwd = new_nt_p16;
}
- if(mod_smbpwd_entry(smb_pwent) == False) {
+ if(mod_smbpwd_entry(smb_pwent,True) == False) {
fprintf(stderr, "%s: Failed to modify entry for user %s.\n",
prog_name, pwd->pw_name);
endsmbpwent(vp);
/* we need these because we link to locking*.o */
void become_root(BOOL save_dir) {}
void unbecome_root(BOOL restore_dir) {}
+/* We need this because we link to password.o */
+BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, BOOL override) {return False;}
connection_struct Connections[MAX_CONNECTIONS];
files_struct Files[MAX_OPEN_FILES];
struct current_user current_user;
git.samba.org / tprouty / samba.git / commitdiff