mirror of
https://github.com/samba-team/samba.git
synced 2025-01-12 09:18:10 +03:00
s3-chgpasswd: split out a check_password_complexity() function.
Guenther
This commit is contained in:
parent
9599d142c0
commit
46784b4d99
@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user,
|
||||
uchar password_encrypted_with_nt_hash[516],
|
||||
const uchar old_nt_hash_encrypted[16],
|
||||
enum samPwdChangeReason *reject_reason);
|
||||
NTSTATUS check_password_complexity(const char *username,
|
||||
const char *password,
|
||||
enum samPwdChangeReason *samr_reject_reason);
|
||||
NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
|
||||
|
||||
/* The following definitions come from smbd/close.c */
|
||||
|
@ -1074,6 +1074,43 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
|
||||
return found;
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
************************************************************/
|
||||
|
||||
NTSTATUS check_password_complexity(const char *username,
|
||||
const char *password,
|
||||
enum samPwdChangeReason *samr_reject_reason)
|
||||
{
|
||||
TALLOC_CTX *tosctx = talloc_tos();
|
||||
|
||||
/* Use external script to check password complexity */
|
||||
if (lp_check_password_script() && *(lp_check_password_script())) {
|
||||
int check_ret;
|
||||
char *cmd;
|
||||
|
||||
cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
|
||||
if (!cmd) {
|
||||
return NT_STATUS_PASSWORD_RESTRICTION;
|
||||
}
|
||||
|
||||
check_ret = smbrunsecret(cmd, password);
|
||||
DEBUG(5,("check_password_complexity: check password script (%s) returned [%d]\n",
|
||||
cmd, check_ret));
|
||||
TALLOC_FREE(cmd);
|
||||
|
||||
if (check_ret != 0) {
|
||||
DEBUG(1,("check_password_complexity: "
|
||||
"check password script said new password is not good enough!\n"));
|
||||
if (samr_reject_reason) {
|
||||
*samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
|
||||
}
|
||||
return NT_STATUS_PASSWORD_RESTRICTION;
|
||||
}
|
||||
}
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
Code to change the oem password. Changes both the lanman
|
||||
and NT hashes. Old_passwd is almost always NULL.
|
||||
@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
|
||||
struct passwd *pass = NULL;
|
||||
const char *username = pdb_get_username(hnd);
|
||||
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
|
||||
NTSTATUS status;
|
||||
|
||||
if (samr_reject_reason) {
|
||||
*samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
|
||||
@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
/* Use external script to check password complexity */
|
||||
if (lp_check_password_script() && *(lp_check_password_script())) {
|
||||
int check_ret;
|
||||
char *cmd;
|
||||
|
||||
cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
|
||||
if (!cmd) {
|
||||
return NT_STATUS_PASSWORD_RESTRICTION;
|
||||
}
|
||||
|
||||
check_ret = smbrunsecret(cmd, new_passwd);
|
||||
DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
|
||||
TALLOC_FREE(cmd);
|
||||
|
||||
if (check_ret != 0) {
|
||||
DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
|
||||
if (samr_reject_reason) {
|
||||
*samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
|
||||
}
|
||||
status = check_password_complexity(username, new_passwd, samr_reject_reason);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(pass);
|
||||
return NT_STATUS_PASSWORD_RESTRICTION;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user