From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Jul 2022 14:54:36 +0000 (+0200)
Subject: s3:winbind: Implement dcerpc_samr_chgpasswd_user4 for PamAuthChangePassword
X-Git-Tag: samba-4.17.0rc1~184
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3469895aca624cf3fcf56c612fe4469bb03a8b5d;p=thirdparty%2Fsamba.git

s3:winbind: Implement dcerpc_samr_chgpasswd_user4 for PamAuthChangePassword

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 28 12:47:31 UTC 2022 on sn-devel-184
---

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a16c8d552ab..9805d90fef0 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2898,6 +2898,7 @@ NTSTATUS _wbint_PamAuthChangePassword(struct pipes_struct *p,
 	bool got_info = false;
 	struct samr_DomInfo1 *info = NULL;
 	struct userPwdChangeFailureInformation *reject = NULL;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	fstring namespace, domain, user;
 	struct dcerpc_binding_handle *b = NULL;
@@ -2953,6 +2954,34 @@ NTSTATUS _wbint_PamAuthChangePassword(struct pipes_struct *p,
 
 	b = cli->binding_handle;
 
+	status = dcerpc_samr_chgpasswd_user4(cli->binding_handle,
+					     p->mem_ctx,
+					     cli->srv_name_slash,
+					     user,
+					     r->in.old_password,
+					     r->in.new_password,
+					     &result);
+	if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
+		/* Password successfully changed. */
+		goto done;
+	}
+	if (!NT_STATUS_IS_OK(status)) {
+		if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+			/* DO NOT FALLBACK TO RC4 */
+			if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+				result = NT_STATUS_STRONG_CRYPTO_NOT_SUPPORTED;
+				goto process_result;
+			}
+		}
+	} else {
+		/* Password change was unsuccessful. */
+		if (!NT_STATUS_IS_OK(result)) {
+			goto done;
+		}
+	}
+
 	result = rpccli_samr_chgpasswd_user3(cli,
 					     p->mem_ctx,
 					     user,