1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:rpc_server/samr: Use extended DN when searching for user

Switch to dsdb_search() for looking up the user for changing the
password, and specify that we want extended DNs. Using the SID or GUID
avoids a race condition if the DN of the user changes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 18 12:45:17 UTC 2022 on sn-devel-184
This commit is contained in:
Joseph Sutton 2022-03-03 14:54:00 +13:00 committed by Stefan Metzmacher
parent 7b710a05de
commit cf8048cd49

View File

@ -26,6 +26,7 @@
#include "rpc_server/samr/dcesrv_samr.h"
#include "system/time.h"
#include "lib/crypto/md4.h"
#include "dsdb/common/util.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/auth/libcli_auth.h"
@ -123,7 +124,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
struct ldb_context *sam_ctx = NULL;
struct ldb_dn *user_dn = NULL;
int ret;
struct ldb_message **res;
struct ldb_result *res = NULL;
const char * const attrs[] = { "unicodePwd", "dBCSPwd",
"userAccountControl",
"msDS-ResultantPSO",
@ -170,21 +171,23 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
/* we need the users dn and the domain dn (derived from the
user SID). We also need the current lm and nt password hashes
in order to decrypt the incoming passwords */
ret = gendb_search(sam_ctx,
mem_ctx, NULL, &res, attrs,
"(&(sAMAccountName=%s)(objectclass=user))",
ldb_binary_encode_string(mem_ctx, r->in.account->string));
if (ret != 1) {
ret = dsdb_search(sam_ctx, mem_ctx, &res,
ldb_get_default_basedn(sam_ctx),
LDB_SCOPE_SUBTREE, attrs,
DSDB_SEARCH_SHOW_EXTENDED_DN,
"(&(sAMAccountName=%s)(objectclass=user))",
ldb_binary_encode_string(mem_ctx, r->in.account->string));
if (ret != LDB_SUCCESS || res->count != 1) {
status = NT_STATUS_NO_SUCH_USER; /* Converted to WRONG_PASSWORD below */
goto failed;
}
user_dn = res[0]->dn;
user_samAccountName = ldb_msg_find_attr_as_string(res[0], "samAccountName", NULL);
user_objectSid = samdb_result_dom_sid(res, res[0], "objectSid");
user_dn = res->msgs[0]->dn;
user_samAccountName = ldb_msg_find_attr_as_string(res->msgs[0], "samAccountName", NULL);
user_objectSid = samdb_result_dom_sid(res, res->msgs[0], "objectSid");
status = samdb_result_passwords(mem_ctx, lp_ctx,
res[0], &nt_pwd);
res->msgs[0], &nt_pwd);
if (!NT_STATUS_IS_OK(status) ) {
goto failed;
}
@ -300,7 +303,7 @@ failed:
/* Only update the badPwdCount if we found the user */
if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx));
authsam_update_bad_pwd_count(sam_ctx, res->msgs[0], ldb_get_default_basedn(sam_ctx));
} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
/* Don't give the game away: (don't allow anonymous users to prove the existence of usernames) */
status = NT_STATUS_WRONG_PASSWORD;