From e5357c75a6090a5cd375bf063c8ceb0dd11dc9a9 Mon Sep 17 00:00:00 2001
From: Jo Sutton
Date: Wed, 1 May 2024 14:58:31 +1200
Subject: [PATCH] s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
---
 source4/auth/ntlm/auth_sam.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 099d10e7917..d5806838579 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -467,10 +467,10 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 for (i = 1; i < MIN(history_len, 3); i++) {
 const struct samr_Password *nt_history_pwd = NULL;
 NTTIME pwdLastSet;
- struct timeval tv_now;
 NTTIME now;
 int allowed_period_mins;
 NTTIME allowed_period;
+ bool ok;
 
 /* Reset these variables back to starting as empty */
 aes_256_key = NULL;
@@ -650,8 +650,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 allowed_period = (NTTIME) allowed_period_mins * 60 * 1000*1000*10;
 
 pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
- tv_now = timeval_current();
- now = timeval_to_nttime(&tv_now);
+ ok = dsdb_gmsa_current_time(sam_ctx, &now);
+ if (!ok) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
 
 if (now < pwdLastSet) {
 /*
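Review bot: In the second hunk, a failure of `dsdb_gmsa_current_time(sam_ctx, &now)` is reported to the caller as NT_STATUS_WRONG_PASSWORD, which fails closed (good) but makes an internal time-lookup error indistinguishable from a genuinely wrong previous password in logon logs and audit records, and it silently ends the whole history loop on the first such failure. A log line before the early return would let operators tell the two apart, e.g. `DBG_WARNING("dsdb_gmsa_current_time() failed, rejecting previous-password check\n");` placed ahead of `TALLOC_FREE(tmp_ctx);`; alternatively return a status that reflects the error, if callers already map non-success statuses to a failed logon. Whether `TALLOC_FREE(tmp_ctx)` matches the function's other exit paths cannot be confirmed here, since authsam_password_check_and_record starts and ends outside the hunk.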