s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on...
authorAndrew Bartlett <abartlet@samba.org>
Sun, 10 Nov 2013 22:35:12 +0000 (11:35 +1300)
committerStefan Metzmacher <metze@samba.org>
Wed, 2 Apr 2014 15:12:47 +0000 (17:12 +0200)
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/knownfail
source4/auth/ntlm/auth_sam.c
source4/auth/sam.c

index 65f9fd274f616f182c4209079eb7705db1016d8c..40850ab26d664943a9ddcbcfe9d3d257d4db323f 100644 (file)
@@ -97,7 +97,6 @@
 ^samba4.rpc.netlogon.*.DatabaseRedo
 ^samba4.rpc.netlogon.*.ServerGetTrustInfo
 ^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet
-^samba4.rpc.samr.passwords.lockout
 ^samba4.base.charset.*.Testing partial surrogate
 ^samba4.*.base.maximum_allowed         # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
 .*net.api.delshare.*                           # DelShare isn't implemented yet
index 5964ef19764db0122d9a8ef547ffa9f8c12a65ef..b66eb50f48d11d48b9882f9e08ea12b1c850d1ae 100644 (file)
@@ -256,6 +256,12 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
                return nt_status;
        }
 
+       nt_status = authsam_zero_bad_pwd_count(auth_context->sam_ctx, msg);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               TALLOC_FREE(tmp_ctx);
+               return nt_status;
+       }
+
        if (user_sess_key && user_sess_key->data) {
                talloc_steal(mem_ctx, user_sess_key->data);
        }
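Review bot: A failure inside the new authsam_zero_bad_pwd_count() call is returned as the result of authsam_authenticate(), so a transient directory write error (NT_STATUS_INTERNAL_ERROR from dsdb_replace() in the helper, or NT_STATUS_NO_MEMORY) denies logon to an account whose credentials appear to have been accepted just above; the reset of badPwdCount/lockoutTime is bookkeeping after the check, not part of enforcing it. That may be the intended fail-closed choice, but it is worth stating, e.g. `/* A failed reset of badPwdCount/lockoutTime is treated as a logon failure rather than ignored */` above the call, or alternatively logging and continuing if availability is preferred. authsam_authenticate() starts outside the hunk, so whether the password has already been verified at this point is inferred from the early `return nt_status` above, not visible here.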
index 789ff19d15c24ef94f368858bef1cad4d96f419e..a88935cef9f672de062b1c82016614669856ce76 100644 (file)
@@ -67,6 +67,12 @@ const char *user_attrs[] = {
 
        "logonHours",
 
+       /*
+        * To allow us to zero the badPwdCount and lockoutTime on
+        * successful logon, without database churn
+        */
+       "lockoutTime",
+
        /* check 'allowed workstations' */
        "userWorkstations",
                       
@@ -751,3 +757,58 @@ NTSTATUS authsam_update_bad_pwd_count(struct ldb_context *sam_ctx,
        TALLOC_FREE(mem_ctx);
        return NT_STATUS_OK;
 }
+
+NTSTATUS authsam_zero_bad_pwd_count(struct ldb_context *sam_ctx,
+                                   const struct ldb_message *msg)
+{
+       int ret;
+       int badPwdCount;
+       int64_t lockoutTime;
+       struct ldb_message *msg_mod;
+       TALLOC_CTX *mem_ctx;
+
+       lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
+       badPwdCount = ldb_msg_find_attr_as_int(msg, "badPwdCount", 0);
+       if (lockoutTime == 0 && badPwdCount == 0) {
+               return NT_STATUS_OK;
+       }
+
+       mem_ctx = talloc_new(msg);
+       if (mem_ctx == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       msg_mod = ldb_msg_new(mem_ctx);
+       if (msg_mod == NULL) {
+               TALLOC_FREE(mem_ctx);
+               return NT_STATUS_NO_MEMORY;
+       }
+       msg_mod->dn = msg->dn;
+
+       if (lockoutTime != 0) {
+               /*
+                * This implies "badPwdCount" = 0, see samldb_lockout_time()
+                */
+               ret = samdb_msg_add_int(sam_ctx, msg_mod, msg_mod, "lockoutTime", 0);
+               if (ret != LDB_SUCCESS) {
+                       TALLOC_FREE(mem_ctx);
+                       return NT_STATUS_NO_MEMORY;
+               }
+       } else {
+               ret = samdb_msg_add_int(sam_ctx, msg_mod, msg_mod, "badPwdCount", 0);
+               if (ret != LDB_SUCCESS) {
+                       TALLOC_FREE(mem_ctx);
+                       return NT_STATUS_NO_MEMORY;
+               }
+       }
+
+       ret = dsdb_replace(sam_ctx, msg_mod, 0);
+       if (ret != LDB_SUCCESS) {
+               DEBUG(0, ("Failed to set badPwdCount and lockoutTime to 0 on %s: %s\n",
+                         ldb_dn_get_linearized(msg_mod->dn), ldb_errstring(sam_ctx)));
+               TALLOC_FREE(mem_ctx);
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       TALLOC_FREE(mem_ctx);
+       return NT_STATUS_OK;
+}
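Review bot: authsam_zero_bad_pwd_count() is a new non-static function with no documentation comment; add a header above the definition stating that it is meant to run after a successful authentication, that it deliberately returns NT_STATUS_OK without touching the directory when both lockoutTime and badPwdCount are already 0 (so the common case costs no write), that when lockoutTime is non-zero only lockoutTime is cleared and badPwdCount is expected to be reset by samldb_lockout_time() as the inline comment says, and that it returns NT_STATUS_NO_MEMORY on allocation failure and NT_STATUS_INTERNAL_ERROR when dsdb_replace() fails. The two samdb_msg_add_int() error paths map any non-LDB_SUCCESS result to NT_STATUS_NO_MEMORY and drop the LDB error, so a non-memory failure is misreported; logging `ldb_errstring(sam_ctx)` there as the dsdb_replace() path does would keep the diagnostics consistent. The dependence on the samldb module for the lockoutTime branch is a coupling worth noting in the header, since a caller that reaches this through a path not running that module would leave badPwdCount non-zero (inferred from the comment, not verifiable here).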