struct ldb_reply *search_res;
+ struct ldb_message *update_msg;
+
struct dsdb_control_password_change_status *status;
struct dsdb_control_password_change *change;
bool change_status;
bool hash_values;
bool userPassword;
+ bool update_password;
+ bool update_lastset;
bool pwd_last_set_bypass;
};
{
struct ldb_context *ldb;
struct supplementalCredentialsBlob scb;
- struct supplementalCredentialsBlob _old_scb;
struct supplementalCredentialsBlob *old_scb = NULL;
/* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
uint32_t num_names = 0;
return LDB_SUCCESS;
}
- /* if there's an old supplementaCredentials blob then parse it */
+ /* if there's an old supplementaCredentials blob then use it */
if (io->o.supplemental) {
- ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
- &_old_scb,
- (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
- ldb_asprintf_errstring(ldb,
- "setup_supplemental_field: "
- "failed to pull old supplementalCredentialsBlob: %s",
- nt_errstr(status));
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
- old_scb = &_old_scb;
+ if (io->o.scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
+ old_scb = &io->o.scb;
} else {
ldb_debug(ldb, LDB_DEBUG_ERROR,
- "setup_supplemental_field: "
- "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
- _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
+ "setup_supplemental_field: "
+ "supplementalCredentialsBlob "
+ "signature[0x%04X] expected[0x%04X]",
+ io->o.scb.sub.signature,
+ SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
}
}
/* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */
return LDB_SUCCESS;
}
-static int update_final_msg(struct setup_password_fields_io *io,
- struct ldb_message *msg)
+static int update_final_msg(struct setup_password_fields_io *io)
{
struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
int ret;
+ int el_flags = 0;
+
+ if (io->ac->req->operation == LDB_MODIFY) {
+ el_flags |= LDB_FLAG_MOD_REPLACE;
+ }
+
+ /* make sure we replace all the old attributes */
+ if (io->ac->update_password && el_flags != 0) {
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "unicodePwd",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "dBCSPwd",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "ntPwdHistory",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "lmPwdHistory",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "supplementalCredentials",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ if (io->ac->update_lastset && el_flags != 0) {
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "pwdLastSet",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
if (io->g.nt_hash != NULL) {
- ret = samdb_msg_add_hash(ldb, io->ac, msg,
+ ret = samdb_msg_add_hash(ldb, io->ac,
+ io->ac->update_msg,
"unicodePwd",
io->g.nt_hash);
if (ret != LDB_SUCCESS) {
}
}
if (io->g.lm_hash != NULL) {
- ret = samdb_msg_add_hash(ldb, io->ac, msg,
+ ret = samdb_msg_add_hash(ldb, io->ac,
+ io->ac->update_msg,
"dBCSPwd",
io->g.lm_hash);
if (ret != LDB_SUCCESS) {
}
}
if (io->g.nt_history_len > 0) {
- ret = samdb_msg_add_hashes(ldb, io->ac, msg,
+ ret = samdb_msg_add_hashes(ldb, io->ac,
+ io->ac->update_msg,
"ntPwdHistory",
io->g.nt_history,
io->g.nt_history_len);
}
}
if (io->g.lm_history_len > 0) {
- ret = samdb_msg_add_hashes(ldb, io->ac, msg,
+ ret = samdb_msg_add_hashes(ldb, io->ac,
+ io->ac->update_msg,
"lmPwdHistory",
io->g.lm_history,
io->g.lm_history_len);
}
}
if (io->g.supplemental.length > 0) {
- ret = ldb_msg_add_value(msg, "supplementalCredentials",
+ ret = ldb_msg_add_value(io->ac->update_msg,
+ "supplementalCredentials",
&io->g.supplemental, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
- ret = samdb_msg_add_uint64(ldb, io->ac, msg,
+ ret = samdb_msg_add_uint64(ldb, io->ac,
+ io->ac->update_msg,
"pwdLastSet",
io->g.last_set);
if (ret != LDB_SUCCESS) {
return ldb_operr(ldb);
}
+ if (existing_msg != NULL) {
+ NTSTATUS status;
+
+ if (ac->pwd_reset) {
+ /* Get the old password from the database */
+ status = samdb_result_passwords_no_lockout(ac,
+ lp_ctx,
+ existing_msg,
+ &io->o.lm_hash,
+ &io->o.nt_hash);
+ } else {
+ /* Get the old password from the database */
+ status = samdb_result_passwords(ac,
+ lp_ctx,
+ existing_msg,
+ &io->o.lm_hash,
+ &io->o.nt_hash);
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ WERR_ACCOUNT_LOCKED_OUT,
+ "Password change not permitted,"
+ " account locked out!");
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * This only happens if the database has gone weird,
+ * not if we are just missing the passwords
+ */
+ return ldb_operr(ldb);
+ }
+
+ io->o.nt_history_len = samdb_result_hashes(ac, existing_msg,
+ "ntPwdHistory",
+ &io->o.nt_history);
+ io->o.lm_history_len = samdb_result_hashes(ac, existing_msg,
+ "lmPwdHistory",
+ &io->o.lm_history);
+ io->o.supplemental = ldb_msg_find_ldb_val(existing_msg,
+ "supplementalCredentials");
+
+ if (io->o.supplemental != NULL) {
+ enum ndr_err_code ndr_err;
+
+ ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
+ &io->o.scb,
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ ldb_asprintf_errstring(ldb,
+ "setup_io: failed to pull "
+ "old supplementalCredentialsBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ }
+ }
+
return LDB_SUCCESS;
}
static struct ph_context *ph_init_context(struct ldb_module *module,
struct ldb_request *req,
- bool userPassword)
+ bool userPassword,
+ bool update_password)
{
struct ldb_context *ldb;
struct ph_context *ac;
ac->module = module;
ac->req = req;
ac->userPassword = userPassword;
+ ac->update_password = update_password;
+ ac->update_lastset = true;
return ac;
}
unsigned int attr_cnt = 0;
struct ldb_control *bypass = NULL;
bool userPassword = dsdb_user_password_support(module, req, req);
+ bool update_password = false;
*_ac = NULL;
}
}
- if (attr_cnt == 0) {
+ if (attr_cnt > 0) {
+ update_password = true;
+ }
+
+ if (!update_password) {
return ldb_next_request(module, req);
}
- ac = ph_init_context(module, req, userPassword);
+ ac = ph_init_context(module, req, userPassword, update_password);
if (!ac) {
DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
return ldb_operr(ldb);
}
ph_apply_controls(ac);
+ /*
+ * Make a copy in order to apply our modifications
+ * to the final update
+ */
+ ac->update_msg = ldb_msg_copy_shallow(ac, msg);
+ if (ac->update_msg == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ /*
+ * Remove all password related attributes.
+ */
+ if (ac->userPassword) {
+ ldb_msg_remove_attr(ac->update_msg, "userPassword");
+ }
+ ldb_msg_remove_attr(ac->update_msg, "clearTextPassword");
+ ldb_msg_remove_attr(ac->update_msg, "unicodePwd");
+ ldb_msg_remove_attr(ac->update_msg, "ntPwdHistory");
+ ldb_msg_remove_attr(ac->update_msg, "dBCSPwd");
+ ldb_msg_remove_attr(ac->update_msg, "lmPwdHistory");
+ ldb_msg_remove_attr(ac->update_msg, "supplementalCredentials");
+ ldb_msg_remove_attr(ac->update_msg, "pwdLastSet");
+
*_ac = ac;
return LDB_SUCCESS;
}
static int password_hash_add_do_add(struct ph_context *ac)
{
- struct ldb_context *ldb;
+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
struct ldb_request *down_req;
- struct ldb_message *msg;
struct setup_password_fields_io io;
int ret;
return ret;
}
- ldb = ldb_module_get_ctx(ac->module);
-
- msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
- if (msg == NULL) {
- return ldb_operr(ldb);
- }
-
- /* remove attributes that we just read into 'io' */
- if (ac->userPassword) {
- ldb_msg_remove_attr(msg, "userPassword");
- }
- ldb_msg_remove_attr(msg, "clearTextPassword");
- ldb_msg_remove_attr(msg, "unicodePwd");
- ldb_msg_remove_attr(msg, "dBCSPwd");
- ldb_msg_remove_attr(msg, "pwdLastSet");
-
ret = setup_password_fields(&io);
if (ret != LDB_SUCCESS) {
return ret;
return ret;
}
- ret = update_final_msg(&io, msg);
+ ret = update_final_msg(&io);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = ldb_build_add_req(&down_req, ldb, ac,
- msg,
+ ac->update_msg,
ac->req->controls,
ac, ph_op_callback,
ac->req);
struct ldb_message *msg;
struct ldb_request *down_req;
int ret;
+ unsigned int i = 0;
ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
return password_hash_mod_search_self(ac);
}
+ /*
+ * Now we apply all changes remaining in msg
+ * and remove them from our final update_msg
+ */
+
+ for (i = 0; i < msg->num_elements; i++) {
+ ldb_msg_remove_attr(ac->update_msg,
+ msg->elements[i].name);
+ }
+
ret = ldb_build_mod_req(&down_req, ldb, ac,
msg,
req->controls,
static int password_hash_mod_do_mod(struct ph_context *ac)
{
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
- struct loadparm_context *lp_ctx =
- talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
- struct loadparm_context);
struct ldb_request *mod_req;
- struct ldb_message *msg;
- const struct ldb_message *searched_msg;
struct setup_password_fields_io io;
int ret;
- NTSTATUS status;
-
- /* use a new message structure so that we can modify it */
- msg = ldb_msg_new(ac);
- if (msg == NULL) {
- return ldb_operr(ldb);
- }
-
- /* modify dn */
- msg->dn = ac->req->op.mod.message->dn;
-
- searched_msg = ac->search_res->message;
/* Prepare the internal data structure containing the passwords */
ret = setup_io(ac, ac->req->op.mod.message,
if (ret != LDB_SUCCESS) {
return ret;
}
-
- if (io.ac->pwd_reset) {
- /* Get the old password from the database */
- status = samdb_result_passwords_no_lockout(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash,
- &io.o.nt_hash);
- } else {
- /* Get the old password from the database */
- status = samdb_result_passwords(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash, &io.o.nt_hash);
- }
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
- ldb_asprintf_errstring(ldb,
- "%08X: check_password: "
- "Password change not permitted, account locked out!",
- W_ERROR_V(WERR_ACCOUNT_LOCKED_OUT));
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- /*
- * This only happens if the database has gone weird,
- * not if we are just missing the passwords
- */
- return ldb_operr(ldb);
- }
-
- io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
- io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
- io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
ret = setup_password_fields(&io);
if (ret != LDB_SUCCESS) {
return ret;
}
- /* make sure we replace all the old attributes */
- ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
-
- ret = update_final_msg(&io, msg);
+ ret = update_final_msg(&io);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = ldb_build_mod_req(&mod_req, ldb, ac,
- msg,
+ ac->update_msg,
ac->req->controls,
ac, ph_op_callback,
ac->req);