sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

r4707: w2k3 don't restict passwords on

Browse Source 
netr_ServerPasswordSet and netr_ServerPasswordSet2

so we do now

I also add a torture test for this

metze
This commit is contained in:
Stefan Metzmacher 2005-01-12 10:49:52 +00:00 committed by Gerald (Jerry) Carter
parent 8f47c7b02c
commit d896ac603a
3 changed files with 84 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source/rpc_server/netlogon/dcerpc_netlogon.c
View File

@ -389,7 +389,8 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
mod,
NULL, /* Don't have plaintext */
NULL, &r->in.new_password,
False /* This is not considered a password change */,
False, /* This is not considered a password change */
False, /* don't restrict this password change (match w2k3) */
NULL);
NT_STATUS_NOT_OK_RETURN(nt_status);
@ -1097,7 +1098,8 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
msgs_domain[0]->dn,
mod, new_pass, /* we have plaintext */
NULL, NULL,
False /* This is not considered a password change */,
False, /* This is not considered a password change */
False, /* don't restrict this password change (match w2k3) */
NULL);
ZERO_ARRAY(new_pass);
NT_STATUS_NOT_OK_RETURN(nt_status);

25
source/rpc_server/samr/samr_password.c
View File

@ -115,7 +115,9 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
status = samdb_set_password(a_state->sam_ctx, mem_ctx,
a_state->account_dn, a_state->domain_state->domain_dn,
msg, NULL, &new_lmPwdHash, &new_ntPwdHash,
True, NULL);
True, /* this is a user password change */
True, /* run restriction tests */
NULL);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@ -229,7 +231,9 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
user_dn, domain_dn,
mod, new_pass,
NULL, NULL,
True, NULL);
True, /* this is a user password change */
True, /* run restriction tests */
NULL);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@ -378,7 +382,9 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
user_dn, domain_dn,
mod, new_pass,
NULL, NULL,
True, &reason);
True, /* this is a user password change */
True, /* run restriction tests */
&reason);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
@ -481,6 +487,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
struct samr_Password *lmNewHash,
struct samr_Password *ntNewHash,
BOOL user_change,
BOOL restrict,
uint32_t *reject_reason)
{
const char * const user_attrs[] = { "userAccountControl", "lmPwdHistory",
@ -536,7 +543,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
if (new_pass) {
/* check the various password restrictions */
if (minPwdLength > strlen_m(new_pass)) {
if (restrict && minPwdLength > strlen_m(new_pass)) {
if (reject_reason) {
*reject_reason = SAMR_REJECT_TOO_SHORT;
}
@ -544,7 +551,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
}
/* possibly check password complexity */
if (pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
if (restrict && pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
!samdb_password_complexity_ok(new_pass)) {
if (reject_reason) {
*reject_reason = SAMR_REJECT_COMPLEXITY;
@ -560,7 +567,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
ntNewHash = &local_ntNewHash;
}
if (user_change) {
if (restrict && user_change) {
/* are all password changes disallowed? */
if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
if (reject_reason) {
@ -757,7 +764,8 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
account_dn, domain_dn,
msg, new_pass,
NULL, NULL,
False /* This is a password set, not change */,
False, /* This is a password set, not change */
True, /* run restriction tests */
NULL);
}
@ -810,7 +818,8 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
account_dn, domain_dn,
msg, new_pass,
NULL, NULL,
False,
False, /* This is a password set, not change */
True, /* run restriction tests */
NULL);
}

63
source/torture/rpc/netlogon.c
View File

@ -268,6 +268,37 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
r.in.secure_channel_type = SEC_CHAN_BDC;
r.in.computer_name = TEST_MACHINE_NAME;
password = "";
E_md4hash(password, r.in.new_password.hash);
creds_des_encrypt(&creds, &r.in.new_password);
/* by changing the machine password to ""
* we check if the server uses password restrictions
* for ServerPasswordSet2
* (win2k3 accepts "")
*/
printf("Testing a second ServerPasswordSet on machine account\n");
printf("Changing machine account password to '%s'\n", password);
creds_client_authenticator(&creds, &r.in.credential);
status = dcerpc_netr_ServerPasswordSet(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("ServerPasswordSet (2) - %s\n", nt_errstr(status));
return False;
}
if (!creds_client_check(&creds, &r.out.return_authenticator.cred)) {
printf("Credential chaining failed\n");
}
machine_password = password;
if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) {
printf("ServerPasswordSet failed to actually change the password\n");
return False;
}
password = generate_random_str(mem_ctx, 8);
E_md4hash(password, r.in.new_password.hash);
@ -337,6 +368,38 @@ static BOOL test_SetPassword2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
r.in.secure_channel_type = SEC_CHAN_BDC;
r.in.computer_name = TEST_MACHINE_NAME;
password = "";
encode_pw_buffer(r.in.new_password.data, password, STR_UNICODE);
creds_arcfour_crypt(&creds, r.in.new_password.data, 516);
/* by changing the machine password to ""
* we check if the server uses password restrictions
* for ServerPasswordSet2
* (win2k3 accepts "")
*/
printf("Testing a second ServerPasswordSet2 on machine account\n");
printf("Changing machine account password to '%s'\n", password);
creds_client_authenticator(&creds, &r.in.credential);
status = dcerpc_netr_ServerPasswordSet2(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("ServerPasswordSet (2) - %s\n", nt_errstr(status));
return False;
}
if (!creds_client_check(&creds, &r.out.return_authenticator.cred)) {
printf("Credential chaining failed\n");
}
machine_password = password;
if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) {
printf("ServerPasswordSet failed to actually change the password\n");
return False;
}
/* now try a random password */
password = generate_random_str(mem_ctx, 8);
encode_pw_buffer(r.in.new_password.data, password, STR_UNICODE);
creds_arcfour_crypt(&creds, r.in.new_password.data, 516);