sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Code

s4:password_hash LDB module - fix another problem regarding the lanman hash

Browse Source 
When a user only provides only the lanman hash (and nothing else) and the
lanman authentication is deactivated then we end in an account with no
password attribute at all! Lock this down.
This commit is contained in:
Matthias Dieter Wallnöfer 2010-06-21 19:40:50 +02:00
parent 37264e5917
commit 0e637be43b
1 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
source4/dsdb/samdb/ldb_modules/password_hash.c
View File

@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
} else if (io->og.lm_hash) {
struct loadparm_context *lp_ctx =
(struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
if (!lp_lanman_auth(lp_ctx)) {
ldb_asprintf_errstring(ldb,
"check_password_restrictions: "
"The password change through the LM hash is deactivated!");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
if (!io->o.lm_hash) {
ldb_asprintf_errstring(ldb,
"check_password_restrictions: "
@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac,
{
const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
struct loadparm_context *lp_ctx =
(struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
int ret;
ZERO_STRUCTP(io);
@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac,
"it's not allowed to set the LM hash password directly'");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
if (lm_hash != NULL) {
if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) {
io->n.lm_hash = talloc(io->ac, struct samr_Password);
memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length,
sizeof(io->n.lm_hash->hash)));
}
if (old_lm_hash != NULL) {
if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) {
io->og.lm_hash = talloc(io->ac, struct samr_Password);
memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length,
sizeof(io->og.lm_hash->hash)));
@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac,
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/* refuse the change if someone tries to set/change the password by
* the lanman hash alone and we've deactivated that mechanism. This
* would end in an account without any password! */
if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
&& (!io->n.nt_hash) && (!io->n.lm_hash)) {
ldb_asprintf_errstring(ldb,
"setup_io: "
"The password change/set operations performed using the LAN Manager hash alone are deactivated!");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/* refuse the change if someone wants to compare against a plaintext
or hash at the same time for a "password modify" operation... */
if ((io->og.cleartext_utf8 || io->og.cleartext_utf16)