From a0de9290099a93413048a03740cfb04ca1355c78 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Nov 2013 21:37:17 +1300 Subject: [PATCH] dsdb: Put password lockout support in samdb_result_passwords() This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- source4/auth/ntlm/auth_sam.c | 10 +------ source4/dsdb/common/util.c | 29 +++++++++++++++++-- .../dsdb/samdb/ldb_modules/password_hash.c | 21 ++++++++++---- source4/kdc/kpasswdd.c | 9 ++++-- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++---- source4/rpc_server/samr/samr_password.c | 14 +++++++-- 6 files changed, 68 insertions(+), 27 deletions(-) diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 664908bfea7..d07f9301fb4 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -179,15 +179,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, { struct samr_Password *lm_pwd, *nt_pwd; NTSTATUS nt_status; - - uint16_t acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed"); - - /* Quit if the account was locked out. */ - if (acct_flags & ACB_AUTOLOCK) { - DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", - user_info->mapped.account_name)); - return NT_STATUS_ACCOUNT_LOCKED_OUT; - } + uint16_t acct_flags = samdb_result_acct_flags(msg, NULL); /* You can only do an interactive login to normal accounts */ if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) { diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index b65af66889b..8cecf79e020 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -558,10 +558,14 @@ unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message * return count; } -NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg, - struct samr_Password **lm_pwd, struct samr_Password **nt_pwd) +NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct ldb_message *msg, + struct samr_Password **lm_pwd, + struct samr_Password **nt_pwd) { struct samr_Password *lmPwdHash, *ntPwdHash; + if (nt_pwd) { unsigned int num_nt; num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash); @@ -594,6 +598,27 @@ NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp return NT_STATUS_OK; } +NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct ldb_message *msg, + struct samr_Password **lm_pwd, + struct samr_Password **nt_pwd) +{ + uint16_t acct_flags; + + acct_flags = samdb_result_acct_flags(msg, + "msDS-User-Account-Control-Computed"); + /* Quit if the account was locked out. */ + if (acct_flags & ACB_AUTOLOCK) { + DEBUG(3,("samdb_result_passwords: Account for user %s was locked out.\n", + ldb_dn_get_linearized(msg->dn))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + + return samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg, + lm_pwd, nt_pwd); +} + /* pull a samr_LogonHours structutre from a result set. */ diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 3e0f1a091e6..a8d32724053 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -3231,6 +3231,7 @@ static int password_hash_mod_search_self(struct ph_context *ac) struct ldb_context *ldb; static const char * const attrs[] = { "objectClass", "userAccountControl", + "msDS-User-Account-Control-Computed", "pwdLastSet", "sAMAccountName", "objectSid", @@ -3293,11 +3294,21 @@ static int password_hash_mod_do_mod(struct ph_context *ac) return ret; } - /* Get the old password from the database */ - status = samdb_result_passwords(io.ac, - lp_ctx, - discard_const_p(struct ldb_message, searched_msg), - &io.o.lm_hash, &io.o.nt_hash); + if (io.ac->pwd_reset) { + /* Get the old password from the database */ + status = samdb_result_passwords_no_lockout(io.ac, + lp_ctx, + discard_const_p(struct ldb_message, searched_msg), + &io.o.lm_hash, + &io.o.nt_hash); + } else { + /* Get the old password from the database */ + status = samdb_result_passwords(io.ac, + lp_ctx, + discard_const_p(struct ldb_message, searched_msg), + &io.o.lm_hash, &io.o.nt_hash); + } + if (!NT_STATUS_IS_OK(status)) { return ldb_operr(ldb); } diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index d79427b64f9..e8d46ad963d 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -181,8 +181,13 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, reply); } - status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg, - &oldLmHash, &oldNtHash); + /* + * No need to check for password lockout here, the KDC will + * have done that when issuing the ticket, which is not based + * on the user's password + */ + status = samdb_result_passwords_no_lockout(mem_ctx, kdc->task->lp_ctx, msg, + &oldLmHash, &oldNtHash); if (!NT_STATUS_IS_OK(status)) { return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_ACCESSDENIED, diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c3e33bd4209..50e7cab7ff1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -461,9 +461,9 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call return NT_STATUS_WRONG_PASSWORD; } - nt_status = samdb_result_passwords(mem_ctx, - dce_call->conn->dce_ctx->lp_ctx, - res[0], NULL, &oldNtHash); + nt_status = samdb_result_passwords_no_lockout(mem_ctx, + dce_call->conn->dce_ctx->lp_ctx, + res[0], NULL, &oldNtHash); if (!NT_STATUS_IS_OK(nt_status) || !oldNtHash) { return NT_STATUS_WRONG_PASSWORD; } @@ -531,9 +531,9 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal return NT_STATUS_WRONG_PASSWORD; } - nt_status = samdb_result_passwords(mem_ctx, - dce_call->conn->dce_ctx->lp_ctx, - res[0], &oldLmHash, &oldNtHash); + nt_status = samdb_result_passwords_no_lockout(mem_ctx, + dce_call->conn->dce_ctx->lp_ctx, + res[0], &oldLmHash, &oldNtHash); if (!NT_STATUS_IS_OK(nt_status) || (!oldLmHash && !oldNtHash)) { return NT_STATUS_WRONG_PASSWORD; } diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 685a8e7864a..0c4f3384604 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -61,7 +61,10 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, struct ldb_dn *user_dn; int ret; struct ldb_message **res; - const char * const attrs[] = { "objectSid", "dBCSPwd", NULL }; + const char * const attrs[] = { "objectSid", "dBCSPwd", + "userAccountControl", + "msDS-User-Account-Control-Computed", + NULL }; struct samr_Password *lm_pwd; DATA_BLOB lm_pwd_blob; uint8_t new_lm_hash[16]; @@ -107,7 +110,9 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, res[0], &lm_pwd, NULL); - if (!NT_STATUS_IS_OK(status) || !lm_pwd) { + if (!NT_STATUS_IS_OK(status)) { + return status; + } else if (!lm_pwd) { return NT_STATUS_WRONG_PASSWORD; } @@ -202,7 +207,10 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, struct ldb_dn *user_dn; int ret; struct ldb_message **res; - const char * const attrs[] = { "unicodePwd", "dBCSPwd", NULL }; + const char * const attrs[] = { "unicodePwd", "dBCSPwd", + "userAccountControl", + "msDS-User-Account-Control-Computed", + NULL }; struct samr_Password *nt_pwd, *lm_pwd; DATA_BLOB nt_pwd_blob; struct samr_DomInfo1 *dominfo = NULL; -- 2.34.1