s4:dsdb:util: export SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check password script

This allows the check password script to reject the username and other
things.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail.d/user_check_password_script

@@ -1 +0,0 @@
-^samba.tests.samba_tool.user_check_password_script.*samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_username

source4/dsdb/common/util.c

@@ -2083,6 +2083,9 @@ static void pwd_timeout_debug(struct tevent_context *unused1,
  */
 enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
 						struct loadparm_context *lp_ctx,
+						const char *account_name,
+						const char *user_principal_name,
+						const char *full_name,
 						const DATA_BLOB *utf8_blob,
 						const uint32_t pwdProperties,
 						const uint32_t minPwdLength)
@@ -2129,9 +2132,40 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
 				 tevent_timeval_current_ofs(1, 0),
 				 pwd_timeout_debug, NULL);
 
+		check_ret = setenv("SAMBA_CPS_ACCOUNT_NAME", account_name, 1);
+		if (check_ret != 0) {
+			TALLOC_FREE(password_script);
+			TALLOC_FREE(event_ctx);
+			return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
+		}
+		if (user_principal_name != NULL) {
+			check_ret = setenv("SAMBA_CPS_USER_PRINCIPAL_NAME",
+					   user_principal_name, 1);
+		} else {
+			unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME");
+		}
+		if (check_ret != 0) {
+			TALLOC_FREE(password_script);
+			TALLOC_FREE(event_ctx);
+			return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
+		}
+		if (full_name != NULL) {
+			check_ret = setenv("SAMBA_CPS_FULL_NAME", full_name, 1);
+		} else {
+			unsetenv("SAMBA_CPS_FULL_NAME");
+		}
+		if (check_ret != 0) {
+			TALLOC_FREE(password_script);
+			TALLOC_FREE(event_ctx);
+			return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
+		}
+
 		req = samba_runcmd_send(event_ctx, event_ctx,
 					tevent_timeval_current_ofs(10, 0),
 					100, 100, cmd, NULL);
+		unsetenv("SAMBA_CPS_ACCOUNT_NAME");
+		unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME");
+		unsetenv("SAMBA_CPS_FULL_NAME");
 		if (req == NULL) {
 			TALLOC_FREE(password_script);
 			TALLOC_FREE(event_ctx);

source4/dsdb/samdb/ldb_modules/password_hash.c

@@ -130,6 +130,7 @@ struct setup_password_fields_io {
 		NTTIME pwdLastSet;
 		const char *sAMAccountName;
 		const char *user_principal_name;
+		const char *displayName; /* full name */
 		bool is_krbtgt;
 		uint32_t restrictions;
 		struct dom_sid *account_sid;
@@ -2716,6 +2717,9 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR
 	if (io->n.cleartext_utf8 != NULL) {
 		enum samr_ValidationStatus vstat;
 		vstat = samdb_check_password(io->ac, lp_ctx,
+					     io->u.sAMAccountName,
+					     io->u.user_principal_name,
+					     io->u.displayName,
 					     io->n.cleartext_utf8,
 					     io->ac->status->domain_data.pwdProperties,
 					     io->ac->status->domain_data.minPwdLength);
@@ -3191,6 +3195,8 @@ static int setup_io(struct ph_context *ac,
 								      "sAMAccountName", NULL);
 	io->u.user_principal_name	= ldb_msg_find_attr_as_string(info_msg,
 								      "userPrincipalName", NULL);
+	io->u.displayName		= ldb_msg_find_attr_as_string(info_msg,
+								      "displayName", NULL);
 
 	/* Ensure it has an objectSID too */
 	io->u.account_sid = samdb_result_dom_sid(ac, info_msg, "objectSid");
@@ -4707,6 +4713,7 @@ static int password_hash_mod_search_self(struct ph_context *ac)
 					      "sAMAccountName",
 					      "objectSid",
 					      "userPrincipalName",
+					      "displayName",
 					      "supplementalCredentials",
 					      "lmPwdHistory",
 					      "ntPwdHistory",

source4/rpc_server/samr/dcesrv_samr.c

@@ -4871,6 +4871,7 @@ static NTSTATUS dcesrv_samr_ValidatePassword(struct dcesrv_call_state *dce_call,
 {
 	struct samr_GetDomPwInfo r2;
 	struct samr_PwInfo pwInfo;
+	const char *account = NULL;
 	DATA_BLOB password;
 	enum samr_ValidationStatus res;
 	NTSTATUS status;
@@ -4905,20 +4906,28 @@ static NTSTATUS dcesrv_samr_ValidatePassword(struct dcesrv_call_state *dce_call,
 		return NT_STATUS_NOT_SUPPORTED;
 	break;
 	case NetValidatePasswordChange:
+		account = r->in.req->req2.account.string;
 		password = data_blob_const(r->in.req->req2.password.string,
 					   r->in.req->req2.password.length);
 		res = samdb_check_password(mem_ctx,
 					   dce_call->conn->dce_ctx->lp_ctx,
+					   account,
+					   NULL, /* userPrincipalName */
+					   NULL, /* displayName/full_name */
 					   &password,
 					   pwInfo.password_properties,
 					   pwInfo.min_password_length);
 		(*r->out.rep)->ctr2.status = res;
 	break;
 	case NetValidatePasswordReset:
+		account = r->in.req->req3.account.string;
 		password = data_blob_const(r->in.req->req3.password.string,
 					   r->in.req->req3.password.length);
 		res = samdb_check_password(mem_ctx,
 					   dce_call->conn->dce_ctx->lp_ctx,
+					   account,
+					   NULL, /* userPrincipalName */
+					   NULL, /* displayName/full_name */
 					   &password,
 					   pwInfo.password_properties,
 					   pwInfo.min_password_length);