mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton 2024-05-01 14:58:31 +12:00 committed by Andrew Bartlett
parent 92d010af2d
commit e5357c75a6


@ -467,10 +467,10 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
for (i = 1; i < MIN(history_len, 3); i++) {
const struct samr_Password *nt_history_pwd = NULL;
NTTIME pwdLastSet;
struct timeval tv_now;
NTTIME now;
int allowed_period_mins;
NTTIME allowed_period;
bool ok;
/* Reset these variables back to starting as empty */
aes_256_key = NULL;
@ -650,8 +650,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
allowed_period = (NTTIME) allowed_period_mins *
60 * 1000*1000*10;
pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
tv_now = timeval_current();
now = timeval_to_nttime(&tv_now);
ok = dsdb_gmsa_current_time(sam_ctx, &now);
if (!ok) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
if (now < pwdLastSet) {
/*
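Review bot: In the second hunk, a failure of `dsdb_gmsa_current_time()` returns `NT_STATUS_WRONG_PASSWORD` with no log line, so an internal time-lookup error looks exactly like a genuine password mismatch in logs and audit output. A line such as `DBG_ERR("unable to get current time for NTLM password history check\n");` before `TALLOC_FREE(tmp_ctx);` would make the cause diagnosable. The early return also leaves `authsam_password_check_and_record()` from inside the history loop. If the bad-password accounting that the function name suggests runs after this loop (not visible here), this failed logon would not count toward lockout, so it is worth confirming that, or using `break;` so the normal failure path still runs. The function body starts and ends outside both hunks.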