cope with lanman auth being disabled in old password change code
authorAndrew Tridgell <tridge@samba.org>
Mon, 25 May 2009 03:39:56 +0000 (13:39 +1000)
committerAndrew Tridgell <tridge@samba.org>
Mon, 25 May 2009 03:39:56 +0000 (13:39 +1000)
When lanman auth is disabled and a user calls a password change
method that requires it, we should give NT_STATUS_NOT_SUPPORTED.

source4/rpc_server/samr/samr_password.c

index f334eeb8f30aa881917e742b289c02347b599ed2..ec83cbfdc93e1773c630639c64d2b6f2612a7f4f 100644 (file)
@@ -88,17 +88,19 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 
        status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
                                        msg, &lm_pwd, &nt_pwd);
-       if (!NT_STATUS_IS_OK(status) || !lm_pwd || !nt_pwd) {
+       if (!NT_STATUS_IS_OK(status) || !nt_pwd) {
                ldb_transaction_cancel(sam_ctx);
                return NT_STATUS_WRONG_PASSWORD;
        }
 
        /* decrypt and check the new lm hash */
-       D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
-       D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
-       if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
-               ldb_transaction_cancel(sam_ctx);
-               return NT_STATUS_WRONG_PASSWORD;
+       if (lm_pwd) {
+               D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
+               D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
+               if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
+                       ldb_transaction_cancel(sam_ctx);
+                       return NT_STATUS_WRONG_PASSWORD;
+               }
        }
 
        /* decrypt and check the new nt hash */
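Review bot: When `lm_pwd` is NULL the new `if (lm_pwd)` block is skipped, so `new_lmPwdHash` is never decrypted and keeps whatever it held before. The rest of dcesrv_samr_ChangePasswordUser lies outside this hunk; if it later stores `new_lmPwdHash`, an unverified or uninitialised LM hash could be written to the account. I would record the state explicitly, for example with a comment above the block such as `/* lm_pwd is NULL when no LM hash is stored (e.g. lanman auth disabled); new_lmPwdHash is then unset and must not be stored */`, and pass no LM hash to the later password-set step in that case. Note also that this path silently ignores the client's LM data, whereas the commit message describes returning NT_STATUS_NOT_SUPPORTED.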
@@ -111,7 +113,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
        
        /* The NT Cross is not required by Win2k3 R2, but if present
           check the nt cross hash */
-       if (r->in.cross1_present && r->in.nt_cross) {
+       if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
                D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
                if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
                        ldb_transaction_cancel(sam_ctx);
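Review bot: With the added `&& lm_pwd` condition, a request that sets `cross1_present` and supplies `nt_cross` is accepted without that value ever being checked when the account has no LM hash. The same applies to the `cross2_present` / `lm_cross` branch in the next hunk. That looks intentional, since the NT hash check just above appears to remain the proof of the old password, but it should be stated in the code. I would extend the existing comment with `/* without a stored LM hash the cross hash cannot be verified and is ignored */`. The body of this `if` continues outside the hunk.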
@@ -121,7 +123,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 
        /* The LM Cross is not required by Win2k3 R2, but if present
           check the lm cross hash */
-       if (r->in.cross2_present && r->in.lm_cross) {
+       if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
                D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
                if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
                        ldb_transaction_cancel(sam_ctx);
@@ -206,6 +208,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       /* this call can only work with lanman auth */
+       if (!lp_lanman_auth(dce_call->conn->dce_ctx->lp_ctx)) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
        /* To change a password we need to open as system */
        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
        if (sam_ctx == NULL) {
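Review bot: The new comment `/* this call can only work with lanman auth */` does not say why, and the rejection leaves no trace for an operator trying to find legacy clients that still use this call. I would expand it to something like `/* the OEM password buffer is protected with the LM hash, so this call cannot be served when lanman auth is disabled */` (worth confirming against the decryption code further down, which is outside this hunk). A low-level debug message before `return NT_STATUS_NOT_SUPPORTED;` would help too. Placing the check before `samdb_connect()` is good, because the status then depends only on server configuration and not on the account named in the request.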