CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 5 Jul 2022 08:17:49 +0000 (20:17 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 12 Sep 2022 23:07:37 +0000 (23:07 +0000)
This is more specific than NT_STATUS_UNSUCCESSFUL, and for the SAMR
password change, matches the result the call to samdb_result_passwords()
would give.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/common/util.c

index 451495fe4c58d3177712a123d7f87dbb454e0bad..aff31ac86516a5ab86a5808a02c9a0996135dc10 100644 (file)
@@ -2301,7 +2301,8 @@ int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares)
  * change failed.
  *
  * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
- *   NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
+ *   NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
+ *   NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY
  */
 static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
                            struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
@@ -2474,6 +2475,9 @@ static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX
                        if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) {
                                status = NT_STATUS_PASSWORD_RESTRICTION;
                        }
+                       if (W_ERROR_EQUAL(werr, WERR_ACCOUNT_LOCKED_OUT)) {
+                               status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+                       }
                }
        } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
                /* don't let the caller know if an account doesn't exist */
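Review bot: The added `WERR_ACCOUNT_LOCKED_OUT` mapping carries no comment saying that reporting lockout to the caller is intentional, although the very next branch deliberately hides account existence. The mapping lets a caller tell a locked-out account apart from a wrong password, so a line such as `/* report lockout explicitly, as samdb_result_passwords() does */` above the new `if` would record that decision. The new test is also a separate `if` on the same `werr` as the `WERR_PASSWORD_RESTRICTION` check before it; `} else if (W_ERROR_EQUAL(werr, WERR_ACCOUNT_LOCKED_OUT)) {` would show that at most one status is chosen. Callers that previously saw only a generic failure here should be checked to confirm they pass `NT_STATUS_ACCOUNT_LOCKED_OUT` through unchanged; those callers are not visible in this hunk, and the enclosing function starts and ends outside it.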
@@ -2523,6 +2527,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
  * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
  *   NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
  *   NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
+ *   NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY
  *   NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
  */
 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
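Review bot: The added line in the `Results:` list for `samdb_set_password_sid` ends without a trailing comma, so `NT_STATUS_NO_MEMORY` runs straight into `NT_STATUS_TRANSACTION_ABORTED` on the following line. It should read ` *   NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY,` to match the other lines of the list. The same comment now lists `NT_STATUS_ACCESS_DENIED` and `NT_STATUS_NO_MEMORY`, but the code paths that return them are outside the visible hunks, so it is worth confirming the list against the function body.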