1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

s3-chgpasswd: split out a check_password_complexity() function.

Guenther
This commit is contained in:
Günther Deschner 2009-11-10 12:48:52 +01:00
parent 9599d142c0
commit 46784b4d99
2 changed files with 45 additions and 22 deletions

View File

@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user,
uchar password_encrypted_with_nt_hash[516],
const uchar old_nt_hash_encrypted[16],
enum samPwdChangeReason *reject_reason);
NTSTATUS check_password_complexity(const char *username,
const char *password,
enum samPwdChangeReason *samr_reject_reason);
NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
/* The following definitions come from smbd/close.c */

View File

@ -1074,6 +1074,43 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
return found;
}
/***********************************************************
************************************************************/
NTSTATUS check_password_complexity(const char *username,
const char *password,
enum samPwdChangeReason *samr_reject_reason)
{
TALLOC_CTX *tosctx = talloc_tos();
/* Use external script to check password complexity */
if (lp_check_password_script() && *(lp_check_password_script())) {
int check_ret;
char *cmd;
cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
if (!cmd) {
return NT_STATUS_PASSWORD_RESTRICTION;
}
check_ret = smbrunsecret(cmd, password);
DEBUG(5,("check_password_complexity: check password script (%s) returned [%d]\n",
cmd, check_ret));
TALLOC_FREE(cmd);
if (check_ret != 0) {
DEBUG(1,("check_password_complexity: "
"check password script said new password is not good enough!\n"));
if (samr_reject_reason) {
*samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
}
return NT_STATUS_PASSWORD_RESTRICTION;
}
}
return NT_STATUS_OK;
}
/***********************************************************
Code to change the oem password. Changes both the lanman
and NT hashes. Old_passwd is almost always NULL.
@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
struct passwd *pass = NULL;
const char *username = pdb_get_username(hnd);
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
NTSTATUS status;
if (samr_reject_reason) {
*samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
return NT_STATUS_ACCESS_DENIED;
}
/* Use external script to check password complexity */
if (lp_check_password_script() && *(lp_check_password_script())) {
int check_ret;
char *cmd;
cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
if (!cmd) {
return NT_STATUS_PASSWORD_RESTRICTION;
}
check_ret = smbrunsecret(cmd, new_passwd);
DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
TALLOC_FREE(cmd);
if (check_ret != 0) {
DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
if (samr_reject_reason) {
*samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
}
TALLOC_FREE(pass);
return NT_STATUS_PASSWORD_RESTRICTION;
}
status = check_password_complexity(username, new_passwd, samr_reject_reason);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(pass);
return status;
}
/*