2 Unix SMB/CIFS implementation.
3 Samba utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2004
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 /* These comments regard the code to change the user's unix password: */
24 /* fork a child process to exec passwd and write to its
25 * tty to change a users password. This is running as the
26 * user who is attempting to change the password.
30 * This code was copied/borrowed and stolen from various sources.
31 * The primary source was the poppasswd.c from the authors of POPMail. This software
32 * was included as a client to change passwords using the 'passwd' program
33 * on the remote machine.
35 * This code has been hacked by Bob Nance (nance@niehs.nih.gov) and Evan Patterson
36 * (patters2@niehs.nih.gov) at the National Institute of Environmental Health Sciences
37 * and rights to modify, distribute or incorporate this change to the CAP suite or
38 * using it for any other reason are granted, so long as this disclaimer is left intact.
42 This code was hacked considerably for inclusion in Samba, primarily
43 by Andrew.Tridgell@anu.edu.au. The biggest change was the addition
44 of the "password chat" option, which allows the easy runtime
45 specification of the expected sequence of events to change a
51 extern struct passdb_ops pdb_ops
;
53 static NTSTATUS
check_oem_password(const char *user
,
54 uchar password_encrypted_with_lm_hash
[516],
55 const uchar old_lm_hash_encrypted
[16],
56 uchar password_encrypted_with_nt_hash
[516],
57 const uchar old_nt_hash_encrypted
[16],
58 struct samu
**hnd
, char *new_passwd
,
61 #if ALLOW_CHANGE_PASSWORD
63 static int findpty(char **slave
)
70 #if defined(HAVE_GRANTPT)
71 /* Try to open /dev/ptmx. If that fails, fall through to old method. */
72 if ((master
= sys_open("/dev/ptmx", O_RDWR
, 0)) >= 0)
76 *slave
= (char *)ptsname(master
);
80 ("findpty: Unable to create master/slave pty pair.\n"));
81 /* Stop fd leak on error. */
88 ("findpty: Allocated slave pty %s\n", *slave
));
92 #endif /* HAVE_GRANTPT */
94 fstrcpy(line
, "/dev/ptyXX");
96 dirp
= sys_opendir("/dev");
99 while ((dpname
= readdirname(dirp
)) != NULL
)
101 if (strncmp(dpname
, "pty", 3) == 0 && strlen(dpname
) == 5)
104 ("pty: try to open %s, line was %s\n", dpname
,
108 if ((master
= sys_open(line
, O_RDWR
, 0)) >= 0)
110 DEBUG(3, ("pty: opened %s\n", line
));
122 static int dochild(int master
, const char *slavedev
, const struct passwd
*pass
,
123 const char *passwordprogram
, BOOL as_root
)
126 struct termios stermios
;
129 char * const eptrs
[1] = { NULL
};
134 ("dochild: user doesn't exist in the UNIX password database.\n"));
141 gain_root_privilege();
143 /* Start new session - gets rid of controlling terminal. */
147 ("Weirdness, couldn't let go of controlling terminal\n"));
151 /* Open slave pty and acquire as new controlling terminal. */
152 if ((slave
= sys_open(slavedev
, O_RDWR
, 0)) < 0)
154 DEBUG(3, ("More weirdness, could not open %s\n", slavedev
));
157 #if defined(TIOCSCTTY) && !defined(SUNOS5)
159 * On patched Solaris 10 TIOCSCTTY is defined but seems not to work,
160 * see the discussion under
161 * https://bugzilla.samba.org/show_bug.cgi?id=5366.
163 if (ioctl(slave
, TIOCSCTTY
, 0) < 0)
165 DEBUG(3, ("Error in ioctl call for slave pty\n"));
168 #elif defined(I_PUSH) && defined(I_FIND)
169 if (ioctl(slave
, I_FIND
, "ptem") == 0) {
170 ioctl(slave
, I_PUSH
, "ptem");
172 if (ioctl(slave
, I_FIND
, "ldterm") == 0) {
173 ioctl(slave
, I_PUSH
, "ldterm");
180 /* Make slave stdin/out/err of child. */
182 if (sys_dup2(slave
, STDIN_FILENO
) != STDIN_FILENO
)
184 DEBUG(3, ("Could not re-direct stdin\n"));
187 if (sys_dup2(slave
, STDOUT_FILENO
) != STDOUT_FILENO
)
189 DEBUG(3, ("Could not re-direct stdout\n"));
192 if (sys_dup2(slave
, STDERR_FILENO
) != STDERR_FILENO
)
194 DEBUG(3, ("Could not re-direct stderr\n"));
200 /* Set proper terminal attributes - no echo, canonical input processing,
201 no map NL to CR/NL on output. */
203 if (tcgetattr(0, &stermios
) < 0)
206 ("could not read default terminal attributes on pty\n"));
209 stermios
.c_lflag
&= ~(ECHO
| ECHOE
| ECHOK
| ECHONL
);
210 stermios
.c_lflag
|= ICANON
;
212 stermios
.c_oflag
&= ~(ONLCR
);
214 if (tcsetattr(0, TCSANOW
, &stermios
) < 0)
216 DEBUG(3, ("could not set attributes of pty\n"));
220 /* make us completely into the right uid */
223 become_user_permanently(uid
, gid
);
227 ("Invoking '%s' as password change program.\n",
230 /* execl() password-change application */
231 if (execle("/bin/sh", "sh", "-c", passwordprogram
, NULL
, eptrs
) < 0)
233 DEBUG(3, ("Bad status returned from %s\n", passwordprogram
));
239 static int expect(int master
, char *issue
, char *expected
)
242 int attempts
, timeout
, nread
, len
;
245 for (attempts
= 0; attempts
< 2; attempts
++) {
246 if (!strequal(issue
, ".")) {
247 if (lp_passwd_chat_debug())
248 DEBUG(100, ("expect: sending [%s]\n", issue
));
250 if ((len
= sys_write(master
, issue
, strlen(issue
))) != strlen(issue
)) {
251 DEBUG(2,("expect: (short) write returned %d\n", len
));
256 if (strequal(expected
, "."))
259 /* Initial timeout. */
260 timeout
= lp_passwd_chat_timeout() * 1000;
264 while ((len
= read_socket_with_timeout(master
, buffer
+ nread
, 1,
265 sizeof(buffer
) - nread
- 1,
271 /* Eat leading/trailing whitespace before match. */
273 pstrcpy( str
, buffer
);
274 trim_char( str
, ' ', ' ');
276 if ((match
= unix_wild_match(expected
, str
)) == True
) {
277 /* Now data has started to return, lower timeout. */
278 timeout
= lp_passwd_chat_timeout() * 100;
283 if (lp_passwd_chat_debug())
284 DEBUG(100, ("expect: expected [%s] received [%s] match %s\n",
285 expected
, buffer
, match
? "yes" : "no" ));
291 DEBUG(2, ("expect: %s\n", strerror(errno
)));
296 DEBUG(10,("expect: returning %s\n", match
? "True" : "False" ));
300 static void pwd_sub(char *buf
)
302 all_string_sub(buf
, "\\n", "\n", 0);
303 all_string_sub(buf
, "\\r", "\r", 0);
304 all_string_sub(buf
, "\\s", " ", 0);
305 all_string_sub(buf
, "\\t", "\t", 0);
308 static int talktochild(int master
, const char *seq
)
311 fstring issue
, expected
;
315 while (next_token(&seq
, expected
, NULL
, sizeof(expected
)))
320 if (!expect(master
, issue
, expected
))
322 DEBUG(3, ("Response %d incorrect\n", count
));
326 if (!next_token(&seq
, issue
, NULL
, sizeof(issue
)))
331 if (!strequal(issue
, ".")) {
332 /* we have one final issue to send */
333 fstrcpy(expected
, ".");
334 if (!expect(master
, issue
, expected
))
341 static BOOL
chat_with_program(char *passwordprogram
, const struct passwd
*pass
,
342 char *chatsequence
, BOOL as_root
)
351 DEBUG(0, ("chat_with_program: user doesn't exist in the UNIX password database.\n"));
355 /* allocate a pseudo-terminal device */
356 if ((master
= findpty(&slavedev
)) < 0) {
357 DEBUG(3, ("chat_with_program: Cannot Allocate pty for password change: %s\n", pass
->pw_name
));
362 * We need to temporarily stop CatchChild from eating
363 * SIGCLD signals as it also eats the exit status code. JRA.
366 CatchChildLeaveStatus();
368 if ((pid
= sys_fork()) < 0) {
369 DEBUG(3, ("chat_with_program: Cannot fork() child for password change: %s\n", pass
->pw_name
));
375 /* we now have a pty */
376 if (pid
> 0) { /* This is the parent process */
377 if ((chstat
= talktochild(master
, chatsequence
)) == False
) {
378 DEBUG(3, ("chat_with_program: Child failed to change password: %s\n", pass
->pw_name
));
379 kill(pid
, SIGKILL
); /* be sure to end this process */
382 while ((wpid
= sys_waitpid(pid
, &wstat
, 0)) < 0) {
383 if (errno
== EINTR
) {
391 DEBUG(3, ("chat_with_program: The process is no longer waiting!\n\n"));
398 * Go back to ignoring children.
405 DEBUG(3, ("chat_with_program: We were waiting for the wrong process ID\n"));
408 if (WIFEXITED(wstat
) && (WEXITSTATUS(wstat
) != 0)) {
409 DEBUG(3, ("chat_with_program: The process exited with status %d \
410 while we were waiting\n", WEXITSTATUS(wstat
)));
413 #if defined(WIFSIGNALLED) && defined(WTERMSIG)
414 else if (WIFSIGNALLED(wstat
)) {
415 DEBUG(3, ("chat_with_program: The process was killed by signal %d \
416 while we were waiting\n", WTERMSIG(wstat
)));
424 * Lose any elevated privileges.
426 drop_effective_capability(KERNEL_OPLOCK_CAPABILITY
);
427 drop_effective_capability(DMAPI_ACCESS_CAPABILITY
);
429 /* make sure it doesn't freeze */
435 DEBUG(3, ("chat_with_program: Dochild for user %s (uid=%d,gid=%d) (as_root = %s)\n", pass
->pw_name
,
436 (int)getuid(), (int)getgid(), BOOLSTR(as_root
) ));
437 chstat
= dochild(master
, slavedev
, pass
, passwordprogram
, as_root
);
443 * The child should never return from dochild() ....
446 DEBUG(0, ("chat_with_program: Error: dochild() returned %d\n", chstat
));
451 DEBUG(3, ("chat_with_program: Password change %ssuccessful for user %s\n",
452 (chstat
? "" : "un"), pass
->pw_name
));
456 BOOL
chgpasswd(const char *name
, const struct passwd
*pass
,
457 const char *oldpass
, const char *newpass
, BOOL as_root
)
459 pstring passwordprogram
;
460 pstring chatsequence
;
468 DEBUG(3, ("chgpasswd: Password change (as_root=%s) for user: %s\n", BOOLSTR(as_root
), name
));
470 #ifdef DEBUG_PASSWORD
471 DEBUG(100, ("chgpasswd: Passwords: old=%s new=%s\n", oldpass
, newpass
));
474 /* Take the passed information and test it for minimum criteria */
476 /* Password is same as old password */
477 if (strcmp(oldpass
, newpass
) == 0) {
478 /* don't allow same password */
479 DEBUG(2, ("chgpasswd: Password Change: %s, New password is same as old\n", name
)); /* log the attempt */
480 return (False
); /* inform the user */
484 * Check the old and new passwords don't contain any control
488 len
= strlen(oldpass
);
489 for (i
= 0; i
< len
; i
++) {
490 if (iscntrl((int)oldpass
[i
])) {
491 DEBUG(0, ("chgpasswd: oldpass contains control characters (disallowed).\n"));
496 len
= strlen(newpass
);
497 for (i
= 0; i
< len
; i
++) {
498 if (iscntrl((int)newpass
[i
])) {
499 DEBUG(0, ("chgpasswd: newpass contains control characters (disallowed).\n"));
505 if (lp_pam_password_change()) {
507 #ifdef HAVE_SETLOCALE
508 char *prevlocale
= setlocale(LC_ALL
, "C");
515 ret
= smb_pam_passchange(pass
->pw_name
, oldpass
, newpass
);
517 ret
= smb_pam_passchange(name
, oldpass
, newpass
);
523 #ifdef HAVE_SETLOCALE
524 setlocale(LC_ALL
, prevlocale
);
531 /* A non-PAM password change just doen't make sense without a valid local user */
534 DEBUG(0, ("chgpasswd: user %s doesn't exist in the UNIX password database.\n", name
));
538 pstrcpy(passwordprogram
, lp_passwd_program());
539 pstrcpy(chatsequence
, lp_passwd_chat());
541 if (!*chatsequence
) {
542 DEBUG(2, ("chgpasswd: Null chat sequence - no password changing\n"));
546 if (!*passwordprogram
) {
547 DEBUG(2, ("chgpasswd: Null password program - no password changing\n"));
552 /* The password program *must* contain the user name to work. Fail if not. */
553 if (strstr_m(passwordprogram
, "%u") == NULL
) {
554 DEBUG(0,("chgpasswd: Running as root the 'passwd program' parameter *MUST* contain \
555 the string %%u, and the given string %s does not.\n", passwordprogram
));
560 pstring_sub(passwordprogram
, "%u", name
);
561 /* note that we do NOT substitute the %o and %n in the password program
562 as this would open up a security hole where the user could use
563 a new password containing shell escape characters */
565 pstring_sub(chatsequence
, "%u", name
);
566 all_string_sub(chatsequence
, "%o", oldpass
, sizeof(pstring
));
567 all_string_sub(chatsequence
, "%n", newpass
, sizeof(pstring
));
568 return (chat_with_program
569 (passwordprogram
, pass
, chatsequence
, as_root
));
572 #else /* ALLOW_CHANGE_PASSWORD */
574 BOOL
chgpasswd(const char *name
, const struct passwd
*pass
,
575 const char *oldpass
, const char *newpass
, BOOL as_root
)
577 DEBUG(0, ("chgpasswd: Unix Password changing not compiled in (user=%s)\n", name
));
580 #endif /* ALLOW_CHANGE_PASSWORD */
582 /***********************************************************
583 Code to check the lanman hashed password.
584 ************************************************************/
586 BOOL
check_lanman_password(char *user
, uchar
* pass1
,
587 uchar
* pass2
, struct samu
**hnd
)
589 uchar unenc_new_pw
[16];
590 uchar unenc_old_pw
[16];
591 struct samu
*sampass
= NULL
;
593 const uint8
*lanman_pw
;
596 if ( !(sampass
= samu_new(NULL
)) ) {
597 DEBUG(0, ("samu_new() failed!\n"));
602 ret
= pdb_getsampwnam(sampass
, user
);
606 DEBUG(0,("check_lanman_password: getsampwnam returned NULL\n"));
607 TALLOC_FREE(sampass
);
611 acct_ctrl
= pdb_get_acct_ctrl (sampass
);
612 lanman_pw
= pdb_get_lanman_passwd (sampass
);
614 if (acct_ctrl
& ACB_DISABLED
) {
615 DEBUG(0,("check_lanman_password: account %s disabled.\n", user
));
616 TALLOC_FREE(sampass
);
620 if (lanman_pw
== NULL
) {
621 if (acct_ctrl
& ACB_PWNOTREQ
) {
622 /* this saves the pointer for the caller */
626 DEBUG(0, ("check_lanman_password: no lanman password !\n"));
627 TALLOC_FREE(sampass
);
632 /* Get the new lanman hash. */
633 D_P16(lanman_pw
, pass2
, unenc_new_pw
);
635 /* Use this to get the old lanman hash. */
636 D_P16(unenc_new_pw
, pass1
, unenc_old_pw
);
638 /* Check that the two old passwords match. */
639 if (memcmp(lanman_pw
, unenc_old_pw
, 16)) {
640 DEBUG(0,("check_lanman_password: old password doesn't match.\n"));
641 TALLOC_FREE(sampass
);
645 /* this saves the pointer for the caller */
650 /***********************************************************
651 Code to change the lanman hashed password.
652 It nulls out the NT hashed password as it will
654 NOTE this function is designed to be called as root. Check the old password
655 is correct before calling. JRA.
656 ************************************************************/
658 BOOL
change_lanman_password(struct samu
*sampass
, uchar
*pass2
)
660 static uchar null_pw
[16];
661 uchar unenc_new_pw
[16];
666 if (sampass
== NULL
) {
667 DEBUG(0,("change_lanman_password: no smb password entry.\n"));
671 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
672 pwd
= pdb_get_lanman_passwd(sampass
);
674 if (acct_ctrl
& ACB_DISABLED
) {
675 DEBUG(0,("change_lanman_password: account %s disabled.\n",
676 pdb_get_username(sampass
)));
681 if (acct_ctrl
& ACB_PWNOTREQ
) {
683 memset(no_pw
, '\0', 14);
684 E_P16(no_pw
, null_pw
);
686 /* Get the new lanman hash. */
687 D_P16(null_pw
, pass2
, unenc_new_pw
);
689 DEBUG(0,("change_lanman_password: no lanman password !\n"));
693 /* Get the new lanman hash. */
694 D_P16(pwd
, pass2
, unenc_new_pw
);
697 if (!pdb_set_lanman_passwd(sampass
, unenc_new_pw
, PDB_CHANGED
)) {
701 if (!pdb_set_nt_passwd (sampass
, NULL
, PDB_CHANGED
)) {
702 return False
; /* We lose the NT hash. Sorry. */
705 if (!pdb_set_pass_last_set_time (sampass
, time(NULL
), PDB_CHANGED
)) {
706 TALLOC_FREE(sampass
);
707 /* Not quite sure what this one qualifies as, but this will do */
711 /* Now flush the sam_passwd struct to persistent storage */
712 ret
= NT_STATUS_IS_OK(pdb_update_sam_account (sampass
));
717 /***********************************************************
718 Code to check and change the OEM hashed password.
719 ************************************************************/
721 NTSTATUS
pass_oem_change(char *user
,
722 uchar password_encrypted_with_lm_hash
[516],
723 const uchar old_lm_hash_encrypted
[16],
724 uchar password_encrypted_with_nt_hash
[516],
725 const uchar old_nt_hash_encrypted
[16],
726 uint32
*reject_reason
)
729 struct samu
*sampass
= NULL
;
730 NTSTATUS nt_status
= check_oem_password(user
, password_encrypted_with_lm_hash
,
731 old_lm_hash_encrypted
,
732 password_encrypted_with_nt_hash
,
733 old_nt_hash_encrypted
,
734 &sampass
, new_passwd
, sizeof(new_passwd
));
736 if (!NT_STATUS_IS_OK(nt_status
))
739 /* We've already checked the old password here.... */
741 nt_status
= change_oem_password(sampass
, NULL
, new_passwd
, True
, reject_reason
);
744 memset(new_passwd
, 0, sizeof(new_passwd
));
746 TALLOC_FREE(sampass
);
751 /***********************************************************
752 Decrypt and verify a user password change.
754 The 516 byte long buffers are encrypted with the old NT and
755 old LM passwords, and if the NT passwords are present, both
756 buffers contain a unicode string.
758 After decrypting the buffers, check the password is correct by
759 matching the old hashed passwords with the passwords in the passdb.
761 ************************************************************/
763 static NTSTATUS
check_oem_password(const char *user
,
764 uchar password_encrypted_with_lm_hash
[516],
765 const uchar old_lm_hash_encrypted
[16],
766 uchar password_encrypted_with_nt_hash
[516],
767 const uchar old_nt_hash_encrypted
[16],
768 struct samu
**hnd
, char *new_passwd
,
771 static uchar null_pw
[16];
772 static uchar null_ntpw
[16];
773 struct samu
*sampass
= NULL
;
774 uint8
*password_encrypted
;
775 const uint8
*encryption_key
;
776 const uint8
*lanman_pw
, *nt_pw
;
779 uchar new_nt_hash
[16];
780 uchar new_lm_hash
[16];
785 BOOL nt_pass_set
= (password_encrypted_with_nt_hash
&& old_nt_hash_encrypted
);
786 BOOL lm_pass_set
= (password_encrypted_with_lm_hash
&& old_lm_hash_encrypted
);
790 if ( !(sampass
= samu_new( NULL
)) ) {
791 return NT_STATUS_NO_MEMORY
;
795 ret
= pdb_getsampwnam(sampass
, user
);
799 DEBUG(0, ("check_oem_password: getsmbpwnam returned NULL\n"));
800 TALLOC_FREE(sampass
);
801 return NT_STATUS_NO_SUCH_USER
;
804 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
806 if (acct_ctrl
& ACB_DISABLED
) {
807 DEBUG(2,("check_lanman_password: account %s disabled.\n", user
));
808 TALLOC_FREE(sampass
);
809 return NT_STATUS_ACCOUNT_DISABLED
;
812 if ((acct_ctrl
& ACB_PWNOTREQ
) && lp_null_passwords()) {
813 /* construct a null password (in case one is needed */
816 nt_lm_owf_gen(no_pw
, null_ntpw
, null_pw
);
821 /* save pointers to passwords so we don't have to keep looking them up */
822 if (lp_lanman_auth()) {
823 lanman_pw
= pdb_get_lanman_passwd(sampass
);
827 nt_pw
= pdb_get_nt_passwd(sampass
);
830 if (nt_pw
&& nt_pass_set
) {
831 /* IDEAL Case: passwords are in unicode, and we can
832 * read use the password encrypted with the NT hash
834 password_encrypted
= password_encrypted_with_nt_hash
;
835 encryption_key
= nt_pw
;
836 } else if (lanman_pw
&& lm_pass_set
) {
837 /* password may still be in unicode, but use LM hash version */
838 password_encrypted
= password_encrypted_with_lm_hash
;
839 encryption_key
= lanman_pw
;
840 } else if (nt_pass_set
) {
841 DEBUG(1, ("NT password change supplied for user %s, but we have no NT password to check it with\n",
843 TALLOC_FREE(sampass
);
844 return NT_STATUS_WRONG_PASSWORD
;
845 } else if (lm_pass_set
) {
846 if (lp_lanman_auth()) {
847 DEBUG(1, ("LM password change supplied for user %s, but we have no LanMan password to check it with\n",
850 DEBUG(1, ("LM password change supplied for user %s, but we have disabled LanMan authentication\n",
853 TALLOC_FREE(sampass
);
854 return NT_STATUS_WRONG_PASSWORD
;
856 DEBUG(1, ("password change requested for user %s, but no password supplied!\n",
858 TALLOC_FREE(sampass
);
859 return NT_STATUS_WRONG_PASSWORD
;
863 * Decrypt the password with the key
865 SamOEMhash( password_encrypted
, encryption_key
, 516);
867 if ( !decode_pw_buffer(password_encrypted
, new_passwd
, new_passwd_size
, &new_pw_len
,
868 nt_pass_set
? STR_UNICODE
: STR_ASCII
)) {
869 TALLOC_FREE(sampass
);
870 return NT_STATUS_WRONG_PASSWORD
;
874 * To ensure we got the correct new password, hash it and
875 * use it as a key to test the passed old password.
879 /* NT passwords, verify the NT hash. */
881 /* Calculate the MD4 hash (NT compatible) of the password */
882 memset(new_nt_hash
, '\0', 16);
883 E_md4hash(new_passwd
, new_nt_hash
);
887 * check the NT verifier
889 E_old_pw_hash(new_nt_hash
, nt_pw
, verifier
);
890 if (memcmp(verifier
, old_nt_hash_encrypted
, 16)) {
891 DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
892 TALLOC_FREE(sampass
);
893 return NT_STATUS_WRONG_PASSWORD
;
896 /* We could check the LM password here, but there is
897 * little point, we already know the password is
898 * correct, and the LM password might not even be
901 /* Further, LM hash generation algorithms
902 * differ with charset, so we could
903 * incorrectly fail a perfectly valid password
905 #ifdef DEBUG_PASSWORD
907 ("check_oem_password: password %s ok\n", new_passwd
));
915 * check the lm verifier
917 E_old_pw_hash(new_nt_hash
, lanman_pw
, verifier
);
918 if (memcmp(verifier
, old_lm_hash_encrypted
, 16)) {
919 DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
920 TALLOC_FREE(sampass
);
921 return NT_STATUS_WRONG_PASSWORD
;
923 #ifdef DEBUG_PASSWORD
925 ("check_oem_password: password %s ok\n", new_passwd
));
932 if (lanman_pw
&& lm_pass_set
) {
934 E_deshash(new_passwd
, new_lm_hash
);
937 * check the lm verifier
939 E_old_pw_hash(new_lm_hash
, lanman_pw
, verifier
);
940 if (memcmp(verifier
, old_lm_hash_encrypted
, 16)) {
941 DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
942 TALLOC_FREE(sampass
);
943 return NT_STATUS_WRONG_PASSWORD
;
946 #ifdef DEBUG_PASSWORD
948 ("check_oem_password: password %s ok\n", new_passwd
));
954 /* should not be reached */
955 TALLOC_FREE(sampass
);
956 return NT_STATUS_WRONG_PASSWORD
;
959 /***********************************************************
960 This routine takes the given password and checks it against
961 the password history. Returns True if this password has been
962 found in the history list.
963 ************************************************************/
965 static BOOL
check_passwd_history(struct samu
*sampass
, const char *plaintext
)
967 uchar new_nt_p16
[NT_HASH_LEN
];
968 uchar zero_md5_nt_pw
[SALTED_MD5_HASH_LEN
];
970 const uint8
*pwhistory
;
973 uint32 pwHisLen
, curr_pwHisLen
;
975 pdb_get_account_policy(AP_PASSWORD_HISTORY
, &pwHisLen
);
980 pwhistory
= pdb_get_pw_history(sampass
, &curr_pwHisLen
);
981 if (!pwhistory
|| curr_pwHisLen
== 0) {
985 /* Only examine the minimum of the current history len and
986 the stored history len. Avoids race conditions. */
987 pwHisLen
= MIN(pwHisLen
,curr_pwHisLen
);
989 nt_pw
= pdb_get_nt_passwd(sampass
);
991 E_md4hash(plaintext
, new_nt_p16
);
993 if (!memcmp(nt_pw
, new_nt_p16
, NT_HASH_LEN
)) {
994 DEBUG(10,("check_passwd_history: proposed new password for user %s is the same as the current password !\n",
995 pdb_get_username(sampass
) ));
999 dump_data(100, (const char *)new_nt_p16
, NT_HASH_LEN
);
1000 dump_data(100, (const char *)pwhistory
, PW_HISTORY_ENTRY_LEN
*pwHisLen
);
1002 memset(zero_md5_nt_pw
, '\0', SALTED_MD5_HASH_LEN
);
1003 for (i
=0; i
<pwHisLen
; i
++) {
1004 uchar new_nt_pw_salted_md5_hash
[SALTED_MD5_HASH_LEN
];
1005 const uchar
*current_salt
= &pwhistory
[i
*PW_HISTORY_ENTRY_LEN
];
1006 const uchar
*old_nt_pw_salted_md5_hash
= &pwhistory
[(i
*PW_HISTORY_ENTRY_LEN
)+
1007 PW_HISTORY_SALT_LEN
];
1008 if (!memcmp(zero_md5_nt_pw
, old_nt_pw_salted_md5_hash
, SALTED_MD5_HASH_LEN
)) {
1009 /* Ignore zero valued entries. */
1012 /* Create salted versions of new to compare. */
1013 E_md5hash(current_salt
, new_nt_p16
, new_nt_pw_salted_md5_hash
);
1015 if (!memcmp(new_nt_pw_salted_md5_hash
, old_nt_pw_salted_md5_hash
, SALTED_MD5_HASH_LEN
)) {
1016 DEBUG(1,("check_passwd_history: proposed new password for user %s found in history list !\n",
1017 pdb_get_username(sampass
) ));
1025 /***********************************************************
1026 Code to change the oem password. Changes both the lanman
1027 and NT hashes. Old_passwd is almost always NULL.
1028 NOTE this function is designed to be called as root. Check the old password
1029 is correct before calling. JRA.
1030 ************************************************************/
1032 NTSTATUS
change_oem_password(struct samu
*hnd
, char *old_passwd
, char *new_passwd
, BOOL as_root
, uint32
*samr_reject_reason
)
1035 struct passwd
*pass
= NULL
;
1036 const char *username
= pdb_get_username(hnd
);
1037 time_t can_change_time
= pdb_get_pass_can_change_time(hnd
);
1039 if (samr_reject_reason
) {
1040 *samr_reject_reason
= Undefined
;
1043 /* check to see if the secdesc has previously been set to disallow */
1044 if (!pdb_get_pass_can_change(hnd
)) {
1045 DEBUG(1, ("user %s does not have permissions to change password\n", username
));
1046 if (samr_reject_reason
) {
1047 *samr_reject_reason
= REJECT_REASON_OTHER
;
1049 return NT_STATUS_ACCOUNT_RESTRICTION
;
1052 /* removed calculation here, becuase passdb now calculates
1053 based on policy. jmcd */
1054 if ((can_change_time
!= 0) && (time(NULL
) < can_change_time
)) {
1055 DEBUG(1, ("user %s cannot change password now, must "
1056 "wait until %s\n", username
,
1057 http_timestring(can_change_time
)));
1058 if (samr_reject_reason
) {
1059 *samr_reject_reason
= REJECT_REASON_OTHER
;
1061 return NT_STATUS_ACCOUNT_RESTRICTION
;
1064 if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN
, &min_len
) && (str_charnum(new_passwd
) < min_len
)) {
1065 DEBUG(1, ("user %s cannot change password - password too short\n",
1067 DEBUGADD(1, (" account policy min password len = %d\n", min_len
));
1068 if (samr_reject_reason
) {
1069 *samr_reject_reason
= REJECT_REASON_TOO_SHORT
;
1071 return NT_STATUS_PASSWORD_RESTRICTION
;
1072 /* return NT_STATUS_PWD_TOO_SHORT; */
1075 if (check_passwd_history(hnd
,new_passwd
)) {
1076 if (samr_reject_reason
) {
1077 *samr_reject_reason
= REJECT_REASON_IN_HISTORY
;
1079 return NT_STATUS_PASSWORD_RESTRICTION
;
1082 pass
= Get_Pwnam(username
);
1084 DEBUG(1, ("change_oem_password: Username %s does not exist in system !?!\n", username
));
1085 return NT_STATUS_ACCESS_DENIED
;
1088 /* Use external script to check password complexity */
1089 if (lp_check_password_script() && *(lp_check_password_script())) {
1092 check_ret
= smbrunsecret(lp_check_password_script(), new_passwd
);
1093 DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", lp_check_password_script(), check_ret
));
1095 if (check_ret
!= 0) {
1096 DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
1097 if (samr_reject_reason
) {
1098 *samr_reject_reason
= REJECT_REASON_NOT_COMPLEX
;
1100 return NT_STATUS_PASSWORD_RESTRICTION
;
1105 * If unix password sync was requested, attempt to change
1106 * the /etc/passwd database first. Return failure if this cannot
1109 * This occurs before the oem change, because we don't want to
1110 * update it if chgpasswd failed.
1112 * Conditional on lp_unix_password_sync() because we don't want
1113 * to touch the unix db unless we have admin permission.
1116 if(lp_unix_password_sync() &&
1117 !chgpasswd(username
, pass
, old_passwd
, new_passwd
, as_root
)) {
1118 return NT_STATUS_ACCESS_DENIED
;
1121 if (!pdb_set_plaintext_passwd (hnd
, new_passwd
)) {
1122 return NT_STATUS_ACCESS_DENIED
;
1125 /* Now write it into the file. */
1126 return pdb_update_sam_account (hnd
);