620
620
if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
621
621
return NT_STATUS_INVALID_HANDLE;
623
status = access_check_samr_function(info->acc_granted,
624
SAMR_ACCESS_OPEN_DOMAIN,
625
"_samr_OpenDomain" );
627
if ( !NT_STATUS_IS_OK(status) )
630
623
/*check if access can be granted as requested by client. */
631
624
map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
2899
2892
status = access_check_samr_function(info->acc_granted,
2900
SAMR_ACCESS_OPEN_DOMAIN,
2893
SAMR_ACCESS_LOOKUP_DOMAIN,
2901
2894
"_samr_QueryDomainInfo" );
2903
2896
if ( !NT_STATUS_IS_OK(status) )
3322
3315
map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3324
3317
se_map_generic( &des_access, &sam_generic_mapping );
3325
info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN);
3318
info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
3327
3320
/* get a (unique) handle. open a policy on it. */
3328
3321
if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3458
3451
Reverted that change so we will work with RAS servers again */
3460
3453
status = access_check_samr_function(info->acc_granted,
3461
SAMR_ACCESS_OPEN_DOMAIN,
3454
SAMR_ACCESS_LOOKUP_DOMAIN,
3462
3455
"_samr_LookupDomain");
3463
3456
if (!NT_STATUS_IS_OK(status)) {
3743
3736
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3746
if (id18->password_expired) {
3747
pdb_set_pass_last_set_time(pwd, 0, PDB_CHANGED);
3750
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3739
copy_id18_to_sam_passwd(pwd, id18);
3753
3741
return pdb_update_sam_account(pwd);
3955
3943
set_user_info_pw
3956
3944
********************************************************************/
3958
static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
3946
static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
3961
3948
uint32 len = 0;
3962
3949
char *plaintext_buf = NULL;
3963
3950
uint32 acct_ctrl;
3964
time_t last_set_time;
3965
enum pdb_value_state last_set_state;
3967
3952
DEBUG(5, ("Attempting administrator password change for user %s\n",
3968
3953
pdb_get_username(pwd)));
3970
3955
acct_ctrl = pdb_get_acct_ctrl(pwd);
3971
/* we need to know if it's expired, because this is an admin change, not a
3972
user change, so it's still expired when we're done */
3973
last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
3974
last_set_time = pdb_get_pass_last_set_time(pwd);
3976
3957
if (!decode_pw_buffer(talloc_tos(),
4015
3996
memset(plaintext_buf, '\0', strlen(plaintext_buf));
4018
* A level 25 change does reset the pwdlastset field, a level 24
4019
* change does not. I know this is probably not the full story, but
4020
* it is needed to make XP join LDAP correctly, without it the later
4021
* auth2 check can fail with PWD_MUST_CHANGE.
4025
* restore last set time as this is an admin change, not a
4028
pdb_set_pass_last_set_time (pwd, last_set_time,
4032
3998
DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4034
/* update the SAMBA password */
4035
if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
4003
/*******************************************************************
4005
********************************************************************/
4007
static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
4008
struct samr_UserInfo24 *id24,
4014
DEBUG(5, ("set_user_info_24: NULL id24\n"));
4015
return NT_STATUS_INVALID_PARAMETER;
4018
if (!set_user_info_pw(id24->password.data, pwd)) {
4019
return NT_STATUS_WRONG_PASSWORD;
4022
copy_id24_to_sam_passwd(pwd, id24);
4024
status = pdb_update_sam_account(pwd);
4025
if (!NT_STATUS_IS_OK(status)) {
4029
return NT_STATUS_OK;
4042
4032
/*******************************************************************
4062
4052
return NT_STATUS_ACCESS_DENIED;
4055
if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4056
(id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4058
if (!set_user_info_pw(id25->password.data, pwd)) {
4059
return NT_STATUS_WRONG_PASSWORD;
4065
4063
copy_id25_to_sam_passwd(pwd, id25);
4067
4065
/* write the change out */
4090
4088
/*******************************************************************
4090
********************************************************************/
4092
static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4093
struct samr_UserInfo26 *id26,
4099
DEBUG(5, ("set_user_info_26: NULL id26\n"));
4100
return NT_STATUS_INVALID_PARAMETER;
4103
if (!set_user_info_pw(id26->password.data, pwd)) {
4104
return NT_STATUS_WRONG_PASSWORD;
4107
copy_id26_to_sam_passwd(pwd, id26);
4109
status = pdb_update_sam_account(pwd);
4110
if (!NT_STATUS_IS_OK(status)) {
4114
return NT_STATUS_OK;
4118
/*******************************************************************
4091
4119
samr_SetUserInfo
4092
4120
********************************************************************/
4248
4276
dump_data(100, info->info24.password.data, 516);
4250
if (!set_user_info_pw(info->info24.password.data, pwd,
4252
status = NT_STATUS_WRONG_PASSWORD;
4278
status = set_user_info_24(p->mem_ctx,
4279
&info->info24, pwd);
4266
4292
status = set_user_info_25(p->mem_ctx,
4267
4293
&info->info25, pwd);
4268
if (!NT_STATUS_IS_OK(status)) {
4271
if (!set_user_info_pw(info->info25.password.data, pwd,
4273
status = NT_STATUS_WRONG_PASSWORD;
4285
4304
dump_data(100, info->info26.password.data, 516);
4287
if (!set_user_info_pw(info->info26.password.data, pwd,
4289
status = NT_STATUS_WRONG_PASSWORD;
4306
status = set_user_info_26(p->mem_ctx,
4307
&info->info26, pwd);
4294
4311
status = NT_STATUS_INVALID_INFO_CLASS;
4299
4314
TALLOC_FREE(pwd);
4301
4316
if (has_enough_rights) {