{
struct samr_Password *lm_pwd, *nt_pwd;
NTSTATUS nt_status;
-
- uint16_t acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
-
- /* Quit if the account was locked out. */
- if (acct_flags & ACB_AUTOLOCK) {
- DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
- user_info->mapped.account_name));
- return NT_STATUS_ACCOUNT_LOCKED_OUT;
- }
+ uint16_t acct_flags = samdb_result_acct_flags(msg, NULL);
/* You can only do an interactive login to normal accounts */
if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
return count;
}
-NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
- struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
+NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct ldb_message *msg,
+ struct samr_Password **lm_pwd,
+ struct samr_Password **nt_pwd)
{
struct samr_Password *lmPwdHash, *ntPwdHash;
+
if (nt_pwd) {
unsigned int num_nt;
num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
return NT_STATUS_OK;
}
+NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct ldb_message *msg,
+ struct samr_Password **lm_pwd,
+ struct samr_Password **nt_pwd)
+{
+ uint16_t acct_flags;
+
+ acct_flags = samdb_result_acct_flags(msg,
+ "msDS-User-Account-Control-Computed");
+ /* Quit if the account was locked out. */
+ if (acct_flags & ACB_AUTOLOCK) {
+ DEBUG(3,("samdb_result_passwords: Account for user %s was locked out.\n",
+ ldb_dn_get_linearized(msg->dn)));
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
+ return samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg,
+ lm_pwd, nt_pwd);
+}
+
/*
pull a samr_LogonHours structutre from a result set.
*/
struct ldb_context *ldb;
static const char * const attrs[] = { "objectClass",
"userAccountControl",
+ "msDS-User-Account-Control-Computed",
"pwdLastSet",
"sAMAccountName",
"objectSid",
return ret;
}
- /* Get the old password from the database */
- status = samdb_result_passwords(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash, &io.o.nt_hash);
+ if (io.ac->pwd_reset) {
+ /* Get the old password from the database */
+ status = samdb_result_passwords_no_lockout(io.ac,
+ lp_ctx,
+ discard_const_p(struct ldb_message, searched_msg),
+ &io.o.lm_hash,
+ &io.o.nt_hash);
+ } else {
+ /* Get the old password from the database */
+ status = samdb_result_passwords(io.ac,
+ lp_ctx,
+ discard_const_p(struct ldb_message, searched_msg),
+ &io.o.lm_hash, &io.o.nt_hash);
+ }
+
if (!NT_STATUS_IS_OK(status)) {
return ldb_operr(ldb);
}
reply);
}
- status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg,
- &oldLmHash, &oldNtHash);
+ /*
+ * No need to check for password lockout here, the KDC will
+ * have done that when issuing the ticket, which is not based
+ * on the user's password
+ */
+ status = samdb_result_passwords_no_lockout(mem_ctx, kdc->task->lp_ctx, msg,
+ &oldLmHash, &oldNtHash);
if (!NT_STATUS_IS_OK(status)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
return NT_STATUS_WRONG_PASSWORD;
}
- nt_status = samdb_result_passwords(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- res[0], NULL, &oldNtHash);
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ res[0], NULL, &oldNtHash);
if (!NT_STATUS_IS_OK(nt_status) || !oldNtHash) {
return NT_STATUS_WRONG_PASSWORD;
}
return NT_STATUS_WRONG_PASSWORD;
}
- nt_status = samdb_result_passwords(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- res[0], &oldLmHash, &oldNtHash);
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ res[0], &oldLmHash, &oldNtHash);
if (!NT_STATUS_IS_OK(nt_status) || (!oldLmHash && !oldNtHash)) {
return NT_STATUS_WRONG_PASSWORD;
}
struct ldb_dn *user_dn;
int ret;
struct ldb_message **res;
- const char * const attrs[] = { "objectSid", "dBCSPwd", NULL };
+ const char * const attrs[] = { "objectSid", "dBCSPwd",
+ "userAccountControl",
+ "msDS-User-Account-Control-Computed",
+ NULL };
struct samr_Password *lm_pwd;
DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
res[0], &lm_pwd, NULL);
- if (!NT_STATUS_IS_OK(status) || !lm_pwd) {
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ } else if (!lm_pwd) {
return NT_STATUS_WRONG_PASSWORD;
}
struct ldb_dn *user_dn;
int ret;
struct ldb_message **res;
- const char * const attrs[] = { "unicodePwd", "dBCSPwd", NULL };
+ const char * const attrs[] = { "unicodePwd", "dBCSPwd",
+ "userAccountControl",
+ "msDS-User-Account-Control-Computed",
+ NULL };
struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo = NULL;