The Samba-Bugzilla – Attachment 4048 Details for
Bug 6245
usrmgr, when creating a new user, "user must change password on next logon" doesnt take effect
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
backport to 3-3-test
password_expired.patch (text/plain), 10.77 KB, created by
Guenther Deschner
on 2009-04-03 05:08:44 UTC
(
hide
)
Description:
backport to 3-3-test
Filename:
MIME Type:
Creator:
Guenther Deschner
Created:
2009-04-03 05:08:44 UTC
Size:
10.77 KB
patch
obsolete
>commit 3420ce3f2a9c75b3e339d2ab439f6c8df326ab47 >Author: Günther Deschner <gd@samba.org> >AuthorDate: Fri Apr 3 12:06:40 2009 +0200 >Commit: Günther Deschner <gd@samba.org> >CommitDate: Fri Apr 3 12:06:40 2009 +0200 > > s3-samr: try to to fix password_expired flag handling. > > Guenther >--- > source/include/proto.h | 6 ++ > source/rpc_server/srv_samr_nt.c | 120 ++++++++++++++++++++++--------------- > source/rpc_server/srv_samr_util.c | 87 ++++++++++++++++++++++++++- > 3 files changed, 161 insertions(+), 52 deletions(-) > >diff --git a/source/include/proto.h b/source/include/proto.h >index 794742c..ec8637b 100644 >--- a/source/include/proto.h >+++ b/source/include/proto.h >@@ -8373,6 +8373,8 @@ ssize_t write_to_internal_pipe(struct pipes_struct *p, char *data, size_t n); > > /* The following definitions come from rpc_server/srv_samr_util.c */ > >+void copy_id18_to_sam_passwd(struct samu *to, >+ struct samr_UserInfo18 *from); > void copy_id20_to_sam_passwd(struct samu *to, > struct samr_UserInfo20 *from); > void copy_id21_to_sam_passwd(const char *log_prefix, >@@ -8380,8 +8382,12 @@ void copy_id21_to_sam_passwd(const char *log_prefix, > struct samr_UserInfo21 *from); > void copy_id23_to_sam_passwd(struct samu *to, > struct samr_UserInfo23 *from); >+void copy_id24_to_sam_passwd(struct samu *to, >+ struct samr_UserInfo24 *from); > void copy_id25_to_sam_passwd(struct samu *to, > struct samr_UserInfo25 *from); >+void copy_id26_to_sam_passwd(struct samu *to, >+ struct samr_UserInfo26 *from); > > /* The following definitions come from rpc_server/srv_spoolss.c */ > >diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c >index 7a131b3..a946d2e 100644 >--- a/source/rpc_server/srv_samr_nt.c >+++ b/source/rpc_server/srv_samr_nt.c >@@ -3743,12 +3743,7 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, > pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED); > } > >- if (id18->password_expired) { >- pdb_set_pass_last_set_time(pwd, 0, PDB_CHANGED); >- } else { >- /* FIXME */ >- pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED); >- } >+ copy_id18_to_sam_passwd(pwd, id18); > > return pdb_update_sam_account(pwd); > } >@@ -3955,23 +3950,16 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, > set_user_info_pw > ********************************************************************/ > >-static bool set_user_info_pw(uint8 *pass, struct samu *pwd, >- int level) >+static bool set_user_info_pw(uint8 *pass, struct samu *pwd) > { > uint32 len = 0; > char *plaintext_buf = NULL; > uint32 acct_ctrl; >- time_t last_set_time; >- enum pdb_value_state last_set_state; > > DEBUG(5, ("Attempting administrator password change for user %s\n", > pdb_get_username(pwd))); > > acct_ctrl = pdb_get_acct_ctrl(pwd); >- /* we need to know if it's expired, because this is an admin change, not a >- user change, so it's still expired when we're done */ >- last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET); >- last_set_time = pdb_get_pass_last_set_time(pwd); > > if (!decode_pw_buffer(talloc_tos(), > pass, >@@ -4014,29 +4002,38 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd, > > memset(plaintext_buf, '\0', strlen(plaintext_buf)); > >- /* >- * A level 25 change does reset the pwdlastset field, a level 24 >- * change does not. I know this is probably not the full story, but >- * it is needed to make XP join LDAP correctly, without it the later >- * auth2 check can fail with PWD_MUST_CHANGE. >- */ >- if (level != 25) { >- /* >- * restore last set time as this is an admin change, not a >- * user pw change >- */ >- pdb_set_pass_last_set_time (pwd, last_set_time, >- last_set_state); >+ DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); >+ >+ return True; >+} >+ >+/******************************************************************* >+ set_user_info_24 >+ ********************************************************************/ >+ >+static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx, >+ struct samr_UserInfo24 *id24, >+ struct samu *pwd) >+{ >+ NTSTATUS status; >+ >+ if (id24 == NULL) { >+ DEBUG(5, ("set_user_info_24: NULL id24\n")); >+ return NT_STATUS_INVALID_PARAMETER; > } > >- DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); >+ if (!set_user_info_pw(id24->password.data, pwd)) { >+ return NT_STATUS_WRONG_PASSWORD; >+ } > >- /* update the SAMBA password */ >- if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { >- return False; >+ copy_id24_to_sam_passwd(pwd, id24); >+ >+ status = pdb_update_sam_account(pwd); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; > } > >- return True; >+ return NT_STATUS_OK; > } > > /******************************************************************* >@@ -4062,6 +4059,14 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, > return NT_STATUS_ACCESS_DENIED; > } > >+ if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) || >+ (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) { >+ >+ if (!set_user_info_pw(id25->password.data, pwd)) { >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ } >+ > copy_id25_to_sam_passwd(pwd, id25); > > /* write the change out */ >@@ -4088,6 +4093,36 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, > } > > /******************************************************************* >+ set_user_info_26 >+ ********************************************************************/ >+ >+static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx, >+ struct samr_UserInfo26 *id26, >+ struct samu *pwd) >+{ >+ NTSTATUS status; >+ >+ if (id26 == NULL) { >+ DEBUG(5, ("set_user_info_26: NULL id26\n")); >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ >+ if (!set_user_info_pw(id26->password.data, pwd)) { >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ copy_id26_to_sam_passwd(pwd, id26); >+ >+ status = pdb_update_sam_account(pwd); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ return NT_STATUS_OK; >+} >+ >+ >+/******************************************************************* > samr_SetUserInfo > ********************************************************************/ > >@@ -4247,10 +4282,8 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, > > dump_data(100, info->info24.password.data, 516); > >- if (!set_user_info_pw(info->info24.password.data, pwd, >- switch_value)) { >- status = NT_STATUS_WRONG_PASSWORD; >- } >+ status = set_user_info_24(p->mem_ctx, >+ &info->info24, pwd); > break; > > case 25: >@@ -4265,13 +4298,6 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, > > status = set_user_info_25(p->mem_ctx, > &info->info25, pwd); >- if (!NT_STATUS_IS_OK(status)) { >- goto done; >- } >- if (!set_user_info_pw(info->info25.password.data, pwd, >- switch_value)) { >- status = NT_STATUS_WRONG_PASSWORD; >- } > break; > > case 26: >@@ -4284,18 +4310,14 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, > > dump_data(100, info->info26.password.data, 516); > >- if (!set_user_info_pw(info->info26.password.data, pwd, >- switch_value)) { >- status = NT_STATUS_WRONG_PASSWORD; >- } >+ status = set_user_info_26(p->mem_ctx, >+ &info->info26, pwd); > break; > > default: > status = NT_STATUS_INVALID_INFO_CLASS; > } > >- done: >- > TALLOC_FREE(pwd); > > if (has_enough_rights) { >diff --git a/source/rpc_server/srv_samr_util.c b/source/rpc_server/srv_samr_util.c >index ef588ae..0681560 100644 >--- a/source/rpc_server/srv_samr_util.c >+++ b/source/rpc_server/srv_samr_util.c >@@ -36,6 +36,27 @@ > ((s1) && (s2) && (strcmp((s1), (s2)) != 0)) > > /************************************************************* >+ Copies a struct samr_UserInfo18 to a struct samu >+**************************************************************/ >+ >+void copy_id18_to_sam_passwd(struct samu *to, >+ struct samr_UserInfo18 *from) >+{ >+ struct samr_UserInfo21 i; >+ >+ if (from == NULL || to == NULL) { >+ return; >+ } >+ >+ ZERO_STRUCT(i); >+ >+ i.fields_present = SAMR_FIELD_EXPIRED_FLAG; >+ i.password_expired = from->password_expired; >+ >+ copy_id21_to_sam_passwd("INFO_18", to, &i); >+} >+ >+/************************************************************* > Copies a struct samr_UserInfo20 to a struct samu > **************************************************************/ > >@@ -336,7 +357,7 @@ void copy_id21_to_sam_passwd(const char *log_prefix, > if (from->fields_present & SAMR_FIELD_EXPIRED_FLAG) { > DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l, > from->password_expired)); >- if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) { >+ if (from->password_expired != 0) { > pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); > } else { > /* A subtlety here: some windows commands will >@@ -345,9 +366,27 @@ void copy_id21_to_sam_passwd(const char *log_prefix, > in these caess. "net user /dom <user> /active:y" > for example, to clear an autolocked acct. > We must check to see if it's expired first. jmcd */ >+ >+ uint32_t pwd_max_age = 0; >+ time_t now = time(NULL); >+ >+ pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &pwd_max_age); >+ >+ if (pwd_max_age == (uint32_t)-1 || pwd_max_age == 0) { >+ pwd_max_age = get_time_t_max(); >+ } >+ > stored_time = pdb_get_pass_last_set_time(to); >- if (stored_time == 0) >- pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED); >+ >+ /* we will only *set* a pwdlastset date when >+ a) the last pwdlastset time was 0 (user was forced to >+ change password). >+ b) the users password has not expired. gd. */ >+ >+ if ((stored_time == 0) || >+ ((now - stored_time) > pwd_max_age)) { >+ pdb_set_pass_last_set_time(to, now, PDB_CHANGED); >+ } > } > } > } >@@ -368,6 +407,27 @@ void copy_id23_to_sam_passwd(struct samu *to, > } > > /************************************************************* >+ Copies a struct samr_UserInfo24 to a struct samu >+**************************************************************/ >+ >+void copy_id24_to_sam_passwd(struct samu *to, >+ struct samr_UserInfo24 *from) >+{ >+ struct samr_UserInfo21 i; >+ >+ if (from == NULL || to == NULL) { >+ return; >+ } >+ >+ ZERO_STRUCT(i); >+ >+ i.fields_present = SAMR_FIELD_EXPIRED_FLAG; >+ i.password_expired = from->password_expired; >+ >+ copy_id21_to_sam_passwd("INFO_24", to, &i); >+} >+ >+/************************************************************* > Copies a struct samr_UserInfo25 to a struct samu > **************************************************************/ > >@@ -380,3 +440,24 @@ void copy_id25_to_sam_passwd(struct samu *to, > > copy_id21_to_sam_passwd("INFO_25", to, &from->info); > } >+ >+/************************************************************* >+ Copies a struct samr_UserInfo26 to a struct samu >+**************************************************************/ >+ >+void copy_id26_to_sam_passwd(struct samu *to, >+ struct samr_UserInfo26 *from) >+{ >+ struct samr_UserInfo21 i; >+ >+ if (from == NULL || to == NULL) { >+ return; >+ } >+ >+ ZERO_STRUCT(i); >+ >+ i.fields_present = SAMR_FIELD_EXPIRED_FLAG; >+ i.password_expired = from->password_expired; >+ >+ copy_id21_to_sam_passwd("INFO_26", to, &i); >+}
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 6245
: 4048