From 0e637be43b584aef9f5101d15ae5bdc1172c5502 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Matthias=20Dieter=20Walln=C3=B6fer?= Date: Mon, 21 Jun 2010 19:40:50 +0200 Subject: [PATCH] s4:password_hash LDB module - fix another problem regarding the lanman hash When a user only provides only the lanman hash (and nothing else) and the lanman authentication is deactivated then we end in an account with no password attribute at all! Lock this down. --- source4/dsdb/samdb/ldb_modules/password_hash.c | 29 ++++++++++++++------------ 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 94eb9cf9fa2..0a34645a917 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1494,16 +1494,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io) return LDB_ERR_UNWILLING_TO_PERFORM; } } else if (io->og.lm_hash) { - struct loadparm_context *lp_ctx = - (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); - - if (!lp_lanman_auth(lp_ctx)) { - ldb_asprintf_errstring(ldb, - "check_password_restrictions: " - "The password change through the LM hash is deactivated!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - if (!io->o.lm_hash) { ldb_asprintf_errstring(ldb, "check_password_restrictions: " @@ -1640,6 +1630,8 @@ static int setup_io(struct ph_context *ac, { const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct loadparm_context *lp_ctx = + (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); int ret; ZERO_STRUCTP(io); @@ -1845,13 +1837,13 @@ static int setup_io(struct ph_context *ac, "it's not allowed to set the LM hash password directly'"); return LDB_ERR_UNWILLING_TO_PERFORM; } - if (lm_hash != NULL) { + + if (lp_lanman_auth(lp_ctx) && (lm_hash != NULL)) { io->n.lm_hash = talloc(io->ac, struct samr_Password); memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length, sizeof(io->n.lm_hash->hash))); } - - if (old_lm_hash != NULL) { + if (lp_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) { io->og.lm_hash = talloc(io->ac, struct samr_Password); memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length, sizeof(io->og.lm_hash->hash))); @@ -1876,6 +1868,17 @@ static int setup_io(struct ph_context *ac, return LDB_ERR_UNWILLING_TO_PERFORM; } + /* refuse the change if someone tries to set/change the password by + * the lanman hash alone and we've deactivated that mechanism. This + * would end in an account without any password! */ + if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16) + && (!io->n.nt_hash) && (!io->n.lm_hash)) { + ldb_asprintf_errstring(ldb, + "setup_io: " + "The password change/set operations performed using the LAN Manager hash alone are deactivated!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + /* refuse the change if someone wants to compare against a plaintext or hash at the same time for a "password modify" operation... */ if ((io->og.cleartext_utf8 || io->og.cleartext_utf16) -- 2.11.4.GIT