Patch from David_Tiller@ccnotes.ccity.com finally applied now I've thought
authorJeremy Allison <jra@samba.org>
Sun, 6 May 2001 20:56:14 +0000 (20:56 +0000)
committerJeremy Allison <jra@samba.org>
Sun, 6 May 2001 20:56:14 +0000 (20:56 +0000)
about it to stop account lockouts with "security=server" mode. Sorry for
the delay David.
Jeremy.
(This used to be commit e8819715038ed49b07ed5639b1b88ad12e994b53)

source3/include/local.h
source3/smbd/password.c

index e534f39306ac54d2027d7ef67e36a5827eb92a33..e9e4fb2d35fd268c8d6f0d6533aed9d4c74ca803 100644 (file)
 #define GUEST_ACCOUNT "nobody"
 #endif
 
+/* user to test password server with as invalid in security=server mode. */
+#ifndef INVALID_USER_PREFIX
+#define INVALID_USER_PREFIX "sambatest"
+#endif
+
 /* the default pager to use for the client "more" command. Users can
    override this with the PAGER environment variable */
 #ifndef PAGER
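Review bot: The comment on `INVALID_USER_PREFIX` does not say that the value is only a prefix, or that the resulting name must not match a real account on the password server. The password.c change on this page builds the probe name by appending `global_myname` to it. If an account with that name did exist, it would receive the bad-password probe and could be locked out, which is the problem this commit sets out to avoid. Suggested wording: `/* Prefix of the user name (global_myname is appended) used to probe the password server in security=server mode; the resulting name must not exist as an account on that server. */`.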
index f42451dceb026e470802d619b7356d7a749d0483..0bc21dbbd69aa8ed59bed6dbc680a194fded1485 100644 (file)
@@ -1156,96 +1156,103 @@ BOOL server_validate(char *user, char *domain,
                     char *pass, int passlen,
                     char *ntpass, int ntpasslen)
 {
-  struct cli_state *cli;
-  static unsigned char badpass[24];
-  static BOOL tested_password_server = False;
-  static BOOL bad_password_server = False;
+       struct cli_state *cli;
+       static unsigned char badpass[24];
+       static fstring baduser; 
+       static BOOL tested_password_server = False;
+       static BOOL bad_password_server = False;
 
-  cli = server_client();
+       cli = server_client();
 
-  if (!cli->initialised) {
-    DEBUG(1,("password server %s is not connected\n", cli->desthost));
-    return(False);
-  }  
+       if (!cli->initialised) {
+               DEBUG(1,("password server %s is not connected\n", cli->desthost));
+               return(False);
+       }  
 
-  if(badpass[0] == 0)
-    memset(badpass, 0x1f, sizeof(badpass));
+       if(badpass[0] == 0)
+               memset(badpass, 0x1f, sizeof(badpass));
 
-  if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
-    /* 
-     * Very unlikely, our random bad password is the same as the users
-     * password. */
-    memset(badpass, badpass[0]+1, sizeof(badpass));
-  }
+       if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
+               /* 
+                * Very unlikely, our random bad password is the same as the users
+                * password.
+                */
+               memset(badpass, badpass[0]+1, sizeof(badpass));
+       }
 
-  /*
-   * Attempt a session setup with a totally incorrect password.
-   * If this succeeds with the guest bit *NOT* set then the password
-   * server is broken and is not correctly setting the guest bit. We
-   * need to detect this as some versions of NT4.x are broken. JRA.
-   */
+       if(baduser[0] == 0) {
+               fstrcpy(baduser, INVALID_USER_PREFIX);
+               fstrcat(baduser, global_myname);
+       }
+
+       /*
+        * Attempt a session setup with a totally incorrect password.
+        * If this succeeds with the guest bit *NOT* set then the password
+        * server is broken and is not correctly setting the guest bit. We
+        * need to detect this as some versions of NT4.x are broken. JRA.
+        */
 
-  if(!tested_password_server) {
-    if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass), 
-                              (char *)badpass, sizeof(badpass), domain)) {
+       if(!tested_password_server) {
+               if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), 
+                                       (char *)badpass, sizeof(badpass), domain)) {
 
-      /*
-       * We connected to the password server so we
-       * can say we've tested it.
-       */
-      tested_password_server = True;
+                       /*
+                        * We connected to the password server so we
+                        * can say we've tested it.
+                        */
+                       tested_password_server = True;
 
-      if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
-        DEBUG(0,("server_validate: password server %s allows users as non-guest \
+                       if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
+                               DEBUG(0,("server_validate: password server %s allows users as non-guest \
 with a bad password.\n", cli->desthost));
-        DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
+                               DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
 use this machine as the password server.\n"));
-        cli_ulogoff(cli);
+                               cli_ulogoff(cli);
 
-        /*
-         * Password server has the bug.
-         */
-        bad_password_server = True;
-        return False;
-      }
-      cli_ulogoff(cli);
-    }
-  } else {
+                               /*
+                                * Password server has the bug.
+                                */
+                               bad_password_server = True;
+                               return False;
+                       }
+                       cli_ulogoff(cli);
+               }
+       } else {
 
-    /*
-     * We have already tested the password server.
-     * Fail immediately if it has the bug.
-     */
+               /*
+                * We have already tested the password server.
+                * Fail immediately if it has the bug.
+                */
 
-    if(bad_password_server) {
-      DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
+               if(bad_password_server) {
+                       DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
 with a bad password.\n", cli->desthost));
-      DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
+                       DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
 use this machine as the password server.\n"));
-      return False;
-    }
-  }
+                       return False;
+               }
+       }
 
-  /*
-   * Now we know the password server will correctly set the guest bit, or is
-   * not guest enabled, we can try with the real password.
-   */
+       /*
+        * Now we know the password server will correctly set the guest bit, or is
+        * not guest enabled, we can try with the real password.
+        */
 
-  if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
-    DEBUG(1,("password server %s rejected the password\n", cli->desthost));
-    return False;
-  }
+       if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
+               DEBUG(1,("password server %s rejected the password\n", cli->desthost));
+               return False;
+       }
 
-  /* if logged in as guest then reject */
-  if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
-    DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
-    cli_ulogoff(cli);
-    return(False);
-  }
+       /* if logged in as guest then reject */
+       if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
+               DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
+               cli_ulogoff(cli);
+               return(False);
+       }
 
-  cli_ulogoff(cli);
+       cli_ulogoff(cli);
 
-  return(True);
+       return(True);
 }
 
 /***********************************************************************
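Review bot: The comment above the probe (`Attempt a session setup with a totally incorrect password`) and the DEBUG(0) text `allows users as non-guest with a bad password` still describe a bad-password test of the real user, but the first `cli_session_setup` call now sends `baduser`. What is verified is therefore how the password server treats an unknown account; a server that leaves the guest bit clear only for existing accounts with a wrong password would presumably pass the probe, and the final `smb_vwv2 & 1` check would not reject it either. That trade-off for avoiding lockouts should be stated in the comment, for example `Probe with a user name that should not exist (INVALID_USER_PREFIX + global_myname) so real accounts never see a bad password; this only detects servers that admit unknown users as non-guest.` Separately, `tested_password_server` is set only inside the success branch, so when the server rejects the probe it is sent again on every call to `server_validate`, each time as another failing session setup for `baduser`.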