sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-25 17:57:42 +03:00
Code

auth_winbind: Allow badPwdCount to be set to 0 with this auth method

Browse Source 
We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Garming Sam 2017-04-03 15:26:12 +12:00 committed by Andrew Bartlett
parent 2368f57b4d
commit b50a147a7e
3 changed files with 68 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
source4/auth/ntlm/auth_sam.c
View File

@ -41,35 +41,6 @@ NTSTATUS auth_sam_init(void);
extern const char *user_attrs[];
extern const char *domain_ref_attrs[];
/****************************************************************************
Look for the specified user in the sam, return ldb result structures
****************************************************************************/
static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
const char *account_name,
struct ldb_dn *domain_dn,
struct ldb_message **ret_msg)
{
int ret;
/* pull the user attributes */
ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn, LDB_SCOPE_SUBTREE,
user_attrs,
DSDB_SEARCH_SHOW_EXTENDED_DN,
"(&(sAMAccountName=%s)(objectclass=user))",
ldb_binary_encode_string(mem_ctx, account_name));
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n",
account_name, ldb_dn_get_linearized(domain_dn)));
return NT_STATUS_NO_SUCH_USER;
}
if (ret != LDB_SUCCESS) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
return NT_STATUS_OK;
}
/****************************************************************************
Do a specific test for an smb password being correct, given a smb_password and
the lanman and NT responses.

40
source4/auth/ntlm/auth_winbind.c
View File

@ -31,6 +31,7 @@
#include "auth/auth_sam_reply.h"
#include "libcli/security/security.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth_sam.h"
_PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *);
@ -107,6 +108,9 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
struct winbind_check_password_state *s;
const struct auth_usersupplied_info *user_info_new;
struct netr_IdentityInfo *identity_info;
struct ldb_dn *domain_dn;
struct ldb_message *msg;
if (!ctx->auth_ctx->msg_ctx) {
DEBUG(0,("winbind_check_password: auth_context_create was called with out messaging context\n"));
@ -190,6 +194,42 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
return NT_STATUS_NOT_IMPLEMENTED;
}
/*
* At best, reset the badPwdCount to 0 if the account exists.
* This means that lockouts happen at a badPwdCount earlier than
* normal, but makes it more fault tolerant.
*/
if (NT_STATUS_IS_OK(s->req.out.result)) {
const char *account_name = user_info->mapped.account_name;
const char *p = NULL;
p = strchr_m(account_name, '@');
if (p != NULL) {
const char *nt4_domain = NULL;
const char *nt4_account = NULL;
status = crack_name_to_nt4_name(mem_ctx,
ctx->auth_ctx->event_ctx,
ctx->auth_ctx->lp_ctx,
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
account_name,
&nt4_domain, &nt4_account);
if (NT_STATUS_IS_OK(status) &&
lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx, nt4_domain)) {
account_name = nt4_account;
}
}
domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx);
if (domain_dn != NULL) {
status = authsam_search_account(mem_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
if (NT_STATUS_IS_OK(status)) {
authsam_logon_success_accounting(ctx->auth_ctx->sam_ctx, msg,
domain_dn,
user_info->flags & USER_INFO_INTERACTIVE_LOGON);
}
}
}
status = make_user_info_dc_netlogon_validation(mem_ctx,
user_info->client.account_name,
s->req.in.validation_level,

28
source4/auth/sam.c
View File

@ -837,6 +837,34 @@ static NTSTATUS authsam_update_lastlogon_timestamp(struct ldb_context *sam_ctx,
return NT_STATUS_OK;
}
/****************************************************************************
Look for the specified user in the sam, return ldb result structures
****************************************************************************/
NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
const char *account_name,
struct ldb_dn *domain_dn,
struct ldb_message **ret_msg)
{
int ret;
/* pull the user attributes */
ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn, LDB_SCOPE_SUBTREE,
user_attrs,
DSDB_SEARCH_SHOW_EXTENDED_DN,
"(&(sAMAccountName=%s)(objectclass=user))",
ldb_binary_encode_string(mem_ctx, account_name));
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n",
account_name, ldb_dn_get_linearized(domain_dn)));
return NT_STATUS_NO_SUCH_USER;
}
if (ret != LDB_SUCCESS) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
return NT_STATUS_OK;
}
/* Reset the badPwdCount to zero and update the lastLogon time. */