X-Git-Url: http://git.samba.org/samba.git/?p=jra%2Fsamba%2F.git;a=blobdiff_plain;f=source3%2Fsmbd%2Fchgpasswd.c;h=68871deb90cbdf85e44e5e0baac9b774132ee0ae;hp=b6aaf4765bed8076d96e329ce446385499668502;hb=e90b65284812aaa5ff9e9935ce9bbad7791cbbcd;hpb=15cf0e847009faf7fb90bd7e9e27db6999c88eef diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index b6aaf4765be..68871deb90c 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -1,8 +1,5 @@ -#define OLD_NTDOMAIN 1 - /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Samba utility functions Copyright (C) Andrew Tridgell 1992-1998 @@ -22,9 +19,9 @@ */ /* fork a child process to exec passwd and write to its -* tty to change a users password. This is running as the -* user who is attempting to change the password. -*/ + * tty to change a users password. This is running as the + * user who is attempting to change the password. + */ /* * This code was copied/borrowed and stolen from various sources. @@ -51,7 +48,13 @@ #include "includes.h" -extern int DEBUGLEVEL; +extern struct passdb_ops pdb_ops; + +static BOOL check_oem_password(const char *user, + uchar * lmdata, const uchar * lmhash, + const uchar * ntdata, const uchar * nthash, + SAM_ACCOUNT **hnd, char *new_passwd, + int new_passwd_size); #if ALLOW_CHANGE_PASSWORD @@ -114,20 +117,18 @@ static int findpty(char **slave) return (-1); } -static int dochild(int master, char *slavedev, char *name, - char *passwordprogram, BOOL as_root) +static int dochild(int master, const char *slavedev, const struct passwd *pass, + const char *passwordprogram, BOOL as_root) { int slave; struct termios stermios; - struct passwd *pass = Get_Pwnam(name, True); gid_t gid; uid_t uid; if (pass == NULL) { DEBUG(0, - ("dochild: user name %s doesn't exist in the UNIX password database.\n", - name)); + ("dochild: user doesn't exist in the UNIX password database.\n")); return False; } 
@@ -195,7 +196,7 @@ static int dochild(int master, char *slavedev, char *name, } stermios.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL); stermios.c_lflag |= ICANON; - stermios.c_oflag &= ~(ONLCR); + stermios.c_oflag &= ~(ONLCR); if (tcsetattr(0, TCSANOW, &stermios) < 0) { DEBUG(3, ("could not set attributes of pty\n")); @@ -227,14 +228,15 @@ static int expect(int master, char *issue, char *expected) int attempts, timeout, nread, len; BOOL match = False; - for (attempts = 0; attempts < 2; attempts++) - { - if (!strequal(issue, ".")) - { + for (attempts = 0; attempts < 2; attempts++) { + if (!strequal(issue, ".")) { if (lp_passwd_chat_debug()) DEBUG(100, ("expect: sending [%s]\n", issue)); - write(master, issue, strlen(issue)); + if ((len = write(master, issue, strlen(issue))) != strlen(issue)) { + DEBUG(2,("expect: (short) write returned %d\n", len )); + return False; + } } if (strequal(expected, ".")) @@ -246,29 +248,35 @@ static int expect(int master, char *issue, char *expected) while ((len = read_with_timeout(master, buffer + nread, 1, sizeof(buffer) - nread - 1, - timeout)) > 0) - { + timeout)) > 0) { nread += len; buffer[nread] = 0; - if ((match = (ms_fnmatch(expected, buffer) == 0))) - timeout = 200; + { + /* Eat leading/trailing whitespace before match. */ + pstring str; + pstrcpy( str, buffer); + trim_string( str, " ", " "); + + if ((match = (unix_wild_match(expected, str) == 0))) + timeout = 200; + } } if (lp_passwd_chat_debug()) - DEBUG(100, ("expect: expected [%s] received [%s]\n", - expected, buffer)); + DEBUG(100, ("expect: expected [%s] received [%s] match %s\n", + expected, buffer, match ? "yes" : "no" )); if (match) break; - if (len < 0) - { + if (len < 0) { DEBUG(2, ("expect: %s\n", strerror(errno))); return False; } } + DEBUG(10,("expect: returning %s\n", match ? "True" : "False" )); return match; } 
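Review bot: In the read loop of expect(), the new test `(unix_wild_match(expected, str) == 0)` keeps the `== 0` that suited the removed `ms_fnmatch` call, where 0 meant a match. If unix_wild_match returns a BOOL that is true on a match (its definition is not in this diff, so please confirm), the comparison is inverted and the chat will treat a matching prompt as a mismatch; the line would then read `if ((match = unix_wild_match(expected, str)))`. Separately, the added comment says whitespace is eaten, but `trim_string(str, " ", " ")` strips only spaces, so a trailing newline from the password program stays in `str`.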
@@ -303,11 +311,17 @@ static int talktochild(int master, char *seq) pwd_sub(issue); } + if (!strequal(issue, ".")) { + /* we have one final issue to send */ + fstrcpy(expected, "."); + if (!expect(master, issue, expected)) + return False; + } return (count > 0); } -static BOOL chat_with_program(char *passwordprogram, char *name, +static BOOL chat_with_program(char *passwordprogram, struct passwd *pass, char *chatsequence, BOOL as_root) { char *slavedev; @@ -316,12 +330,19 @@ static BOOL chat_with_program(char *passwordprogram, char *name, int wstat; BOOL chstat = False; + if (pass == NULL) + { + DEBUG(0, + ("chat_with_program: user doesn't exist in the UNIX password database.\n")); + return False; + } + /* allocate a pseudo-terminal device */ if ((master = findpty(&slavedev)) < 0) { DEBUG(3, ("Cannot Allocate pty for password change: %s\n", - name)); + pass->pw_name)); return (False); } @@ -336,7 +357,7 @@ static BOOL chat_with_program(char *passwordprogram, char *name, { DEBUG(3, ("Cannot fork() child for password change: %s\n", - name)); + pass->pw_name)); close(master); CatchChild(); return (False); @@ -349,7 +370,7 @@ static BOOL chat_with_program(char *passwordprogram, char *name, { DEBUG(3, ("Child failed to change password: %s\n", - name)); + pass->pw_name)); kill(pid, SIGKILL); /* be sure to end this process */ } @@ -412,14 +433,18 @@ static BOOL chat_with_program(char *passwordprogram, char *name, alarm(20); if (as_root) - become_root(False); + become_root(); + DEBUG(3, - ("Dochild for user %s (uid=%d,gid=%d)\n", name, + ("Dochild for user %s (uid=%d,gid=%d)\n", pass->pw_name, (int)getuid(), (int)getgid())); chstat = - dochild(master, slavedev, name, passwordprogram, + dochild(master, slavedev, pass, passwordprogram, as_root); + if (as_root) + unbecome_root(); + /* * The child should never return from dochild() .... */ 
@@ -433,19 +458,24 @@ static BOOL chat_with_program(char *passwordprogram, char *name, if (chstat) DEBUG(3, ("Password change %ssuccessful for user %s\n", - (chstat ? "" : "un"), name)); + (chstat ? "" : "un"), pass->pw_name)); return (chstat); } -BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) +BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL as_root) { pstring passwordprogram; pstring chatsequence; size_t i; size_t len; - strlower(name); + struct passwd *pass; + + if (!name) { + DEBUG(1, ("NULL username specfied to chgpasswd()!\n")); + } + DEBUG(3, ("Password change for user: %s\n", name)); #if DEBUG_PASSWORD 
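Review bot: The new NULL check at the top of chgpasswd() logs the problem but does not return, so the very next statement passes the NULL `name` to `DEBUG(3, ("Password change for user: %s\n", name))` and the rest of the function carries on with it. The block should bail out: `if (!name) { DEBUG(1, ("NULL username specfied to chgpasswd()!\n")); return False; }`. In the same hunk, the final log in chat_with_program sits under `if (chstat)`, so the `"un"` arm of `(chstat ? "" : "un")` can never print and a failed change is not reported at this level. chgpasswd() continues beyond this hunk.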
@@ -454,47 +484,28 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) /* Take the passed information and test it for minimum criteria */ /* Minimum password length */ - if (strlen(newpass) < lp_min_passwd_length()) /* too short, must be at least MINPASSWDLENGTH */ - { - DEBUG(0, - ("Password Change: user %s, New password is shorter than minimum password length = %d\n", + if (strlen(newpass) < lp_min_passwd_length()) { + /* too short, must be at least MINPASSWDLENGTH */ + DEBUG(0, ("Password Change: user %s, New password is shorter than minimum password length = %d\n", name, lp_min_passwd_length())); return (False); /* inform the user */ } /* Password is same as old password */ - if (strcmp(oldpass, newpass) == 0) /* don't allow same password */ - { - DEBUG(2, - ("Password Change: %s, New password is same as old\n", name)); /* log the attempt */ + if (strcmp(oldpass, newpass) == 0) { + /* don't allow same password */ + DEBUG(2, ("Password Change: %s, New password is same as old\n", name)); /* log the attempt */ return (False); /* inform the user */ } - pstrcpy(passwordprogram, lp_passwd_program()); - pstrcpy(chatsequence, lp_passwd_chat()); - - if (!*chatsequence) - { - DEBUG(2, ("Null chat sequence - no password changing\n")); - return (False); - } - - if (!*passwordprogram) - { - DEBUG(2, ("Null password program - no password changing\n")); - return (False); - } - /* * Check the old and new passwords don't contain any control * characters. */ len = strlen(oldpass); - for (i = 0; i < len; i++) - { - if (iscntrl((int)oldpass[i])) - { + for (i = 0; i < len; i++) { + if (iscntrl((int)oldpass[i])) { DEBUG(0, ("chat_with_program: oldpass contains control characters (disallowed).\n")); return False; 
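Review bot: The control-character filter `iscntrl((int)oldpass[i])` converts a plain `char` straight to `int`, so on platforms where `char` is signed any byte of 0x80 or above becomes a negative argument, which the ctype functions do not define. Since the password bytes come from the client, the cast should go through unsigned char: `if (iscntrl((unsigned char)oldpass[i])) {`. The `newpass` loop in the following hunk has the same cast and needs the same change.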
@@ -502,15 +513,67 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) } len = strlen(newpass); - for (i = 0; i < len; i++) - { - if (iscntrl((int)newpass[i])) - { + for (i = 0; i < len; i++) { + if (iscntrl((int)newpass[i])) { DEBUG(0, ("chat_with_program: newpass contains control characters (disallowed).\n")); return False; } } + + pass = Get_Pwnam(name); + +#ifdef WITH_PAM + if (lp_pam_password_change()) { + BOOL ret; + + if (as_root) + become_root(); + + if (pass) { + ret = smb_pam_passchange(pass->pw_name, oldpass, newpass); + } else { + ret = smb_pam_passchange(name, oldpass, newpass); + } + + if (as_root) + unbecome_root(); + + return ret; + } +#endif + + /* A non-PAM password change just doen't make sense without a valid local user */ + + if (pass == NULL) + { + DEBUG(0, + ("chgpasswd: user %s doesn't exist in the UNIX password database.\n", + name)); + return False; + } + + pstrcpy(passwordprogram, lp_passwd_program()); + pstrcpy(chatsequence, lp_passwd_chat()); + + if (!*chatsequence) { + DEBUG(2, ("chgpasswd: Null chat sequence - no password changing\n")); + return (False); + } + + if (!*passwordprogram) { + DEBUG(2, ("chgpasswd: Null password program - no password changing\n")); + return (False); + } + + if (as_root) { + /* The password program *must* contain the user name to work. Fail if not. */ + if (strstr(passwordprogram, "%u") == NULL) { + DEBUG(0,("chgpasswd: Running as root the 'passwd program' parameter *MUST* contain \ +the string %%u, and the given string %s does not.\n", passwordprogram )); + return False; + } + } pstring_sub(passwordprogram, "%u", name); /* note that we do NOT substitute the %o and %n in the password program 
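Review bot: After the new `pass == NULL` check the code still builds the command with `pstring_sub(passwordprogram, "%u", name)`, i.e. with the caller-supplied string rather than the account name the lookup returned. When `as_root` is set this command runs with root privileges, so it is safer to substitute only the value the password database vouches for: `pstring_sub(passwordprogram, "%u", pass->pw_name);`. That also keeps this branch consistent with the PAM branch above, which prefers `pass->pw_name` when the lookup succeeded. Whether pstring_sub filters shell metacharacters is not visible in this diff, so the suggestion does not rely on it.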
@@ -521,11 +584,12 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) all_string_sub(chatsequence, "%o", oldpass, sizeof(pstring)); all_string_sub(chatsequence, "%n", newpass, sizeof(pstring)); return (chat_with_program - (passwordprogram, name, chatsequence, as_root)); + (passwordprogram, pass, chatsequence, as_root)); } #else /* ALLOW_CHANGE_PASSWORD */ -BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) + +BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL as_root) { DEBUG(0, ("Password changing not compiled in (user=%s)\n", name)); return (False); 
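Review bot: `chatsequence` holds the old and new plaintext passwords after the two `all_string_sub` calls, and the function returns straight from `chat_with_program(...)` without clearing it, so both passwords stay on the stack. pass_oem_change in this file already wipes its `new_passwd` buffer; the same could be done here with `ret = chat_with_program(passwordprogram, pass, chatsequence, as_root); memset(chatsequence, 0, sizeof(chatsequence)); return ret;`. The start of chgpasswd() is outside this hunk.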
@@ -537,62 +601,61 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) ************************************************************/ BOOL check_lanman_password(char *user, uchar * pass1, - uchar * pass2, struct smb_passwd **psmbpw) + uchar * pass2, SAM_ACCOUNT **hnd) { - static uchar null_pw[16]; uchar unenc_new_pw[16]; uchar unenc_old_pw[16]; - struct smb_passwd *smbpw; - - *psmbpw = NULL; - - become_root(0); - smbpw = getsmbpwnam(user); - unbecome_root(0); - - if (smbpw == NULL) - { - DEBUG(0, - ("check_lanman_password: getsmbpwnam returned NULL\n")); + SAM_ACCOUNT *sampass = NULL; + uint16 acct_ctrl; + const uint8 *lanman_pw; + BOOL ret; + + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if (ret == False) { + DEBUG(0,("check_lanman_password: getsampwnam returned NULL\n")); + pdb_free_sam(&sampass); return False; } + + acct_ctrl = pdb_get_acct_ctrl (sampass); + lanman_pw = pdb_get_lanman_passwd (sampass); - if (smbpw->acct_ctrl & ACB_DISABLED) - { - DEBUG(0, - ("check_lanman_password: account %s disabled.\n", - user)); + if (acct_ctrl & ACB_DISABLED) { + DEBUG(0,("check_lanman_password: account %s disabled.\n", user)); + pdb_free_sam(&sampass); return False; } - if ((smbpw->smb_passwd == NULL) && (smbpw->acct_ctrl & ACB_PWNOTREQ)) - { - uchar no_pw[14]; - memset(no_pw, '\0', 14); - E_P16(no_pw, null_pw); - smbpw->smb_passwd = null_pw; - } - else if (smbpw->smb_passwd == NULL) - { - DEBUG(0, ("check_lanman_password: no lanman password !\n")); - return False; + if (lanman_pw == NULL) { + if (acct_ctrl & ACB_PWNOTREQ) { + /* this saves the pointer for the caller */ + *hnd = sampass; + return True; + } else { + DEBUG(0, ("check_lanman_password: no lanman password !\n")); + pdb_free_sam(&sampass); + return False; + } } /* Get the new lanman hash. */ - D_P16(smbpw->smb_passwd, pass2, unenc_new_pw); + D_P16(lanman_pw, pass2, unenc_new_pw); /* Use this to get the old lanman hash. 
*/ D_P16(unenc_new_pw, pass1, unenc_old_pw); /* Check that the two old passwords match. */ - if (memcmp(smbpw->smb_passwd, unenc_old_pw, 16)) - { - DEBUG(0, - ("check_lanman_password: old password doesn't match.\n")); + if (memcmp(lanman_pw, unenc_old_pw, 16)) { + DEBUG(0,("check_lanman_password: old password doesn't match.\n")); + pdb_free_sam(&sampass); return False; } - *psmbpw = smbpw; + /* this saves the pointer for the caller */ + *hnd = sampass; return True; } 
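Review bot: check_lanman_password() declares `SAM_ACCOUNT *sampass = NULL;` and hands it to `pdb_getsampwnam(sampass, user)` without allocating it first, whereas check_oem_password() in this same commit calls `pdb_init_sam(&sampass);` before the lookup. Unless pdb_getsampwnam accepts a NULL account (not visible here), the lookup has nothing to fill in; add `pdb_init_sam(&sampass);` ahead of `become_root()`. Note also that the new `ACB_PWNOTREQ` branch returns True without looking at `pass1` or `pass2` at all, which deserves a one-line comment stating that this is intended for accounts with no password.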
@@ -602,51 +665,64 @@ BOOL check_lanman_password(char *user, uchar * pass1, no longer be valid. ************************************************************/ -BOOL change_lanman_password(struct smb_passwd *smbpw, uchar * pass1, +BOOL change_lanman_password(SAM_ACCOUNT *sampass, uchar * pass1, uchar * pass2) { static uchar null_pw[16]; uchar unenc_new_pw[16]; BOOL ret; + uint16 acct_ctrl; + const uint8 *pwd; - if (smbpw == NULL) - { - DEBUG(0, - ("change_lanman_password: no smb password entry.\n")); + if (sampass == NULL) { + DEBUG(0,("change_lanman_password: no smb password entry.\n")); return False; } + + acct_ctrl = pdb_get_acct_ctrl(sampass); + pwd = pdb_get_lanman_passwd(sampass); - if (smbpw->acct_ctrl & ACB_DISABLED) - { - DEBUG(0, - ("change_lanman_password: account %s disabled.\n", - smbpw->smb_name)); + if (acct_ctrl & ACB_DISABLED) { + DEBUG(0,("change_lanman_password: account %s disabled.\n", + pdb_get_username(sampass))); return False; } - if ((smbpw->smb_passwd == NULL) && (smbpw->acct_ctrl & ACB_PWNOTREQ)) - { - uchar no_pw[14]; - memset(no_pw, '\0', 14); - E_P16(no_pw, null_pw); - smbpw->smb_passwd = null_pw; + if (pwd == NULL) { + if (acct_ctrl & ACB_PWNOTREQ) { + uchar no_pw[14]; + memset(no_pw, '\0', 14); + E_P16(no_pw, null_pw); + + /* Get the new lanman hash. */ + D_P16(null_pw, pass2, unenc_new_pw); + } else { + DEBUG(0,("change_lanman_password: no lanman password !\n")); + return False; + } + } else { + /* Get the new lanman hash. */ + D_P16(pwd, pass2, unenc_new_pw); } - else if (smbpw->smb_passwd == NULL) - { - DEBUG(0, ("change_lanman_password: no lanman password !\n")); + + if (!pdb_set_lanman_passwd(sampass, unenc_new_pw)) { return False; } - /* Get the new lanman hash. */ - D_P16(smbpw->smb_passwd, pass2, unenc_new_pw); - - smbpw->smb_passwd = unenc_new_pw; - smbpw->smb_nt_passwd = NULL; /* We lose the NT hash. Sorry. */ + if (!pdb_set_nt_passwd (sampass, NULL)) { + return False; /* We lose the NT hash. Sorry. 
*/ + } - /* Now write it into the file. */ - become_root(0); - ret = mod_smbpwd_entry(smbpw, False); - unbecome_root(0); + if (!pdb_set_pass_changed_now (sampass)) { + pdb_free_sam(&sampass); + /* Not quite sure what this one qualifies as, but this will do */ + return False; + } + + /* Now flush the sam_passwd struct to persistent storage */ + become_root(); + ret = pdb_update_sam_account (sampass); + unbecome_root(); return ret; } @@ -659,10 +735,10 @@ BOOL pass_oem_change(char *user, uchar * ntdata, uchar * nthash) { fstring new_passwd; - struct smb_passwd *sampw; + const char *unix_user; + SAM_ACCOUNT *sampass = NULL; BOOL ret = check_oem_password(user, lmdata, lmhash, ntdata, nthash, - &sampw, - new_passwd, sizeof(new_passwd)); + &sampass, new_passwd, sizeof(new_passwd)); /* * At this point we have the new case-sensitive plaintext @@ -673,18 +749,18 @@ BOOL pass_oem_change(char *user, * available. JRA. */ - if (ret && lp_unix_password_sync()) - { - ret = chgpasswd(user, "", new_passwd, True); - } + unix_user = pdb_get_username(sampass); + + if ((ret) && (unix_user) && (*unix_user) && lp_unix_password_sync()) + ret = chgpasswd(unix_user, "", new_passwd, True); if (ret) - { - ret = change_oem_password(sampw, new_passwd, False); - } + ret = change_oem_password(sampass, new_passwd); memset(new_passwd, 0, sizeof(new_passwd)); + pdb_free_sam(&sampass); + return ret; } 
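Review bot: In change_lanman_password() only the `pdb_set_pass_changed_now` failure path calls `pdb_free_sam(&sampass)`; the other failure returns leave the account alone. `sampass` is a by-value parameter, so freeing through `&sampass` cannot reset the caller's pointer, and a caller that frees its handle after a False return would release it twice on this one path. Drop the `pdb_free_sam(&sampass);` line so that ownership stays with the caller on every path. The freshly derived hash in `unenc_new_pw` is also left on the stack on return.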
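Review bot: pass_oem_change() now calls `pdb_get_username(sampass)` before testing `ret`, but `sampass` is still NULL when check_oem_password() fails at the account lookup, because `*hnd` is assigned only after that lookup succeeds. Whether pdb_get_username tolerates a NULL account is not visible in this diff, so the call should be guarded: `unix_user = ret ? pdb_get_username(sampass) : NULL;`. The existing `(unix_user) && (*unix_user)` test then covers the failure case as well.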
@@ -695,39 +771,44 @@ BOOL pass_oem_change(char *user, but does use the lm OEM password to check the nt hashed-hash. ************************************************************/ -BOOL check_oem_password(char *user, - uchar * lmdata, uchar * lmhash, - uchar * ntdata, uchar * nthash, - struct smb_passwd **psmbpw, char *new_passwd, - int new_passwd_size) +static BOOL check_oem_password(const char *user, + uchar * lmdata, const uchar * lmhash, + const uchar * ntdata, const uchar * nthash, + SAM_ACCOUNT **hnd, char *new_passwd, + int new_passwd_size) { static uchar null_pw[16]; static uchar null_ntpw[16]; - struct smb_passwd *smbpw = NULL; + SAM_ACCOUNT *sampass = NULL; + const uint8 *lanman_pw, *nt_pw; + uint16 acct_ctrl; int new_pw_len; uchar new_ntp16[16]; uchar unenc_old_ntpw[16]; uchar new_p16[16]; uchar unenc_old_pw[16]; char no_pw[2]; + BOOL ret; BOOL nt_pass_set = (ntdata != NULL && nthash != NULL); - become_root(False); - *psmbpw = smbpw = getsmbpwnam(user); - unbecome_root(False); + pdb_init_sam(&sampass); - if (smbpw == NULL) - { + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if (ret == False) { DEBUG(0, ("check_oem_password: getsmbpwnam returned NULL\n")); return False; } - if (smbpw->acct_ctrl & ACB_DISABLED) - { - DEBUG(0, - ("check_lanman_password: account %s disabled.\n", - user)); + *hnd = sampass; + + acct_ctrl = pdb_get_acct_ctrl(sampass); + + if (acct_ctrl & ACB_DISABLED) { + DEBUG(0,("check_lanman_password: account %s disabled.\n", user)); return False; } 
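Review bot: When `pdb_getsampwnam` fails in check_oem_password(), the function returns False without releasing the account allocated by `pdb_init_sam(&sampass)` and before `*hnd = sampass` is set, so the caller cannot free it either. This path is reached with any unknown user name, so each such request leaks one account structure; add `pdb_free_sam(&sampass);` before that `return False;`, as check_lanman_password() does. The result of `pdb_init_sam` is not checked either. The disabled-account message a few lines below still carries the prefix `check_lanman_password:`, which will mislead anyone reading the log.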
@@ -736,39 +817,29 @@ BOOL check_oem_password(char *user, no_pw[1] = 0; nt_lm_owf_gen(no_pw, null_ntpw, null_pw); + /* save pointers to passwords so we don't have to keep looking them up */ + lanman_pw = pdb_get_lanman_passwd(sampass); + nt_pw = pdb_get_nt_passwd (sampass); + /* check for null passwords */ - if (smbpw->smb_passwd == NULL) - { - if (smbpw->acct_ctrl & ACB_PWNOTREQ) - { - smbpw->smb_passwd = null_pw; - } - else - { - DEBUG(0, - ("check_oem_password: no lanman password !\n")); + if (lanman_pw == NULL) { + if (!(acct_ctrl & ACB_PWNOTREQ)) { + DEBUG(0,("check_oem_password: no lanman password !\n")); return False; } } - - if (smbpw->smb_nt_passwd == NULL && nt_pass_set) - { - if (smbpw->acct_ctrl & ACB_PWNOTREQ) - { - smbpw->smb_nt_passwd = null_pw; - } - else - { - DEBUG(0, - ("check_oem_password: no ntlm password !\n")); + + if (pdb_get_nt_passwd(sampass) == NULL && nt_pass_set) { + if (!(acct_ctrl & ACB_PWNOTREQ)) { + DEBUG(0,("check_oem_password: no ntlm password !\n")); return False; } } - + /* * Call the hash function to get the new password. */ - SamOEMhash((uchar *) lmdata, (uchar *) smbpw->smb_passwd, True); + SamOEMhash( lmdata, lanman_pw, 516); /* * The length of the new password is in the last 4 bytes of 
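Review bot: The rewritten null-password checks no longer substitute the empty-password hash, so for an account with `ACB_PWNOTREQ` and no stored hash `lanman_pw` (and `nt_pw`) stay NULL. They are then used as the key in `SamOEMhash( lmdata, lanman_pw, 516)` and as the first argument of the `memcmp(lanman_pw, ...)` and `memcmp(nt_pw, ...)` calls in the two later hunks, which is a NULL dereference reachable from a password-change request. The removed code pointed the hash at `null_pw`; restore that in the PWNOTREQ case with `lanman_pw = null_pw;` and `nt_pw = null_ntpw;` (both are filled by the `nt_lm_owf_gen(no_pw, null_ntpw, null_pw)` call just above). The second check also calls `pdb_get_nt_passwd(sampass)` again instead of using the `nt_pw` it has just saved.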
@@ -776,31 +847,21 @@ BOOL check_oem_password(char *user, */ new_pw_len = IVAL(lmdata, 512); - if (new_pw_len < 0 || new_pw_len > new_passwd_size - 1) - { - DEBUG(0, - ("check_oem_password: incorrect password length (%d).\n", - new_pw_len)); + if (new_pw_len < 0 || new_pw_len > new_passwd_size - 1) { + DEBUG(0,("check_oem_password: incorrect password length (%d).\n", new_pw_len)); return False; } - if (nt_pass_set) - { + if (nt_pass_set) { /* * nt passwords are in unicode */ - int uni_pw_len = new_pw_len; - char *pw; - new_pw_len /= 2; - pw = - dos_unistrn2((uint16 *)(&lmdata[512 - uni_pw_len]), - new_pw_len); - memcpy(new_passwd, pw, new_pw_len + 1); - } - else - { + pull_ucs2(NULL, new_passwd, + (const smb_ucs2_t *)&lmdata[512 - new_pw_len], + new_passwd_size, new_pw_len, 0); + } else { memcpy(new_passwd, &lmdata[512 - new_pw_len], new_pw_len); - new_passwd[new_pw_len] = '\0'; + new_passwd[new_pw_len] = 0; } /* @@ -818,10 +879,9 @@ BOOL check_oem_password(char *user, */ D_P16(new_p16, lmhash, unenc_old_pw); - if (memcmp(smbpw->smb_passwd, unenc_old_pw, 16)) + if (memcmp(lanman_pw, unenc_old_pw, 16)) { - DEBUG(0, - ("check_oem_password: old lm password doesn't match.\n")); + DEBUG(0,("check_oem_password: old lm password doesn't match.\n")); return False; } @@ -839,17 +899,15 @@ BOOL check_oem_password(char *user, D_P16(new_ntp16, lmhash, unenc_old_pw); D_P16(new_ntp16, nthash, unenc_old_ntpw); - if (memcmp(smbpw->smb_passwd, unenc_old_pw, 16)) + if (memcmp(lanman_pw, unenc_old_pw, 16)) { - DEBUG(0, - ("check_oem_password: old lm password doesn't match.\n")); + DEBUG(0,("check_oem_password: old lm password doesn't match.\n")); return False; } - if (memcmp(smbpw->smb_nt_passwd, unenc_old_ntpw, 16)) + if (memcmp(nt_pw, unenc_old_ntpw, 16)) { - DEBUG(0, - ("check_oem_password: old nt password doesn't match.\n")); + DEBUG(0,("check_oem_password: old nt password doesn't match.\n")); return False; } #ifdef DEBUG_PASSWORD 
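Review bot: The length check bounds `new_pw_len` only by `new_passwd_size - 1`, while the value is then used as `&lmdata[512 - new_pw_len]`. That is safe only as long as every caller passes a buffer of at most 513 bytes. Since `new_pw_len` is read from client-supplied data, the bound on the source area should be explicit: `if (new_pw_len < 0 || new_pw_len > 512 || new_pw_len > new_passwd_size - 1) {`. In the unicode branch the removed code halved the length before converting, whereas `pull_ucs2` now receives the byte count; a short comment stating that the argument is a byte length, and that an odd value is not rejected, would help the next reader.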
@@ -861,79 +919,23 @@ BOOL check_oem_password(char *user, /*********************************************************** Code to change the oem password. Changes both the lanman and NT hashes. - override = False, normal - override = True, override XXXXXXXXXX'd password ************************************************************/ -BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, - BOOL override) +BOOL change_oem_password(SAM_ACCOUNT *hnd, char *new_passwd) { - int ret; - uchar new_nt_p16[16]; - uchar new_p16[16]; - - nt_lm_owf_gen(new_passwd, new_nt_p16, new_p16); + BOOL ret; - smbpw->smb_passwd = new_p16; - smbpw->smb_nt_passwd = new_nt_p16; + if (!pdb_set_plaintext_passwd (hnd, new_passwd)) { + return False; + } /* Now write it into the file. */ - become_root(0); - ret = mod_smbpwd_entry(smbpw, override); - unbecome_root(0); - - memset(new_passwd, '\0', strlen(new_passwd)); + become_root(); + ret = pdb_update_sam_account (hnd); + unbecome_root(); return ret; } -/*********************************************************** - Code to check a plaintext password against smbpasswd entries. 
-***********************************************************/ - -BOOL check_plaintext_password(char *user, char *old_passwd, - int old_passwd_size, struct smb_passwd **psmbpw) -{ - struct smb_passwd *smbpw = NULL; - uchar old_pw[16], old_ntpw[16]; - become_root(False); - *psmbpw = smbpw = getsmbpwnam(user); - unbecome_root(False); - - if (smbpw == NULL) - { - DEBUG(0, - ("check_plaintext_password: getsmbpwnam returned NULL\n")); - return False; - } - - if (smbpw->acct_ctrl & ACB_DISABLED) - { - DEBUG(0, - ("check_plaintext_password: account %s disabled.\n", - user)); - return (False); - } - - nt_lm_owf_gen(old_passwd, old_ntpw, old_pw); - -#ifdef DEBUG_PASSWORD - DEBUG(100, ("check_plaintext_password: smbpw->smb_nt_passwd \n")); - dump_data(100, smbpw->smb_nt_passwd, 16); - DEBUG(100, ("check_plaintext_password: old_ntpw \n")); - dump_data(100, old_ntpw, 16); - DEBUG(100, ("check_plaintext_password: smbpw->smb_passwd \n")); - dump_data(100, smbpw->smb_passwd, 16); - DEBUG(100, ("check_plaintext_password: old_pw\n")); - dump_data(100, old_pw, 16); -#endif - - if (memcmp(smbpw->smb_nt_passwd, old_ntpw, 16) - && memcmp(smbpw->smb_passwd, old_pw, 16)) - return (False); - else - return (True); -} -#undef OLD_NTDOMAIN
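Review bot: change_oem_password() no longer wipes the plaintext: the `memset(new_passwd, '\0', strlen(new_passwd));` line is gone, and the header comment does not say who clears the buffer now. pass_oem_change() does its own `memset(new_passwd, 0, sizeof(new_passwd))`, but any other caller would silently keep the password in memory. Please extend the header comment, for example `The plaintext in new_passwd is not cleared here; the caller must wipe it after the call.` The function also passes `hnd` to `pdb_set_plaintext_passwd` without a NULL check, unlike change_lanman_password().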