From: Andreas Schneider
Date: Tue, 26 Jul 2022 14:27:32 +0000 (+0200)
Subject: s3:libsmb: Add dcerpc_samr_chgpasswd_user4 to remote_password_change()
X-Git-Tag: samba-4.17.0rc1~185
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8b80b1040641420c64e27e4390041f7ede27541c;p=thirdparty%2Fsamba.git

s3:libsmb: Add dcerpc_samr_chgpasswd_user4 to remote_password_change()

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---

diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 2137c183f0e..dff5ad1602f 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -38,6 +38,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
 struct cli_state *cli = NULL;
 struct cli_credentials *creds = NULL;
 struct rpc_pipe_client *pipe_hnd = NULL;
+ NTSTATUS status;
 NTSTATUS result;
 bool pass_must_change = False;
 
@@ -193,6 +194,45 @@ NTSTATUS remote_password_change(const char *remote_machine, } } + status = dcerpc_samr_chgpasswd_user4(pipe_hnd->binding_handle, + talloc_tos(), + pipe_hnd->srv_name_slash, + user_name, + old_passwd, + new_passwd, + &result); + if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { + /* All good, password successfully changed. */ + cli_shutdown(cli); + return NT_STATUS_OK; + } + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status, + NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) || + NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) || + NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { + /* DO NOT FALLBACK TO RC4 */ + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + cli_shutdown(cli); + return NT_STATUS_STRONG_CRYPTO_NOT_SUPPORTED; + } + } + } else { + if (!NT_STATUS_IS_OK(result)) { + int rc = asprintf( + err_str, + "machine %s rejected to change the password" + "with error: %s", + remote_machine, + get_friendly_nt_error_msg(result)); + if (rc <= 0) { + *err_str = NULL; + } + cli_shutdown(cli); + return result; + } + } + result = rpccli_samr_chgpasswd_user2(pipe_hnd, talloc_tos(), user_name, new_passwd, old_passwd); if (NT_STATUS_IS_OK(result)) {
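Review bot: The `lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED` guard sits only inside the branch for the three "not supported" status codes, so any other failing `status` from `dcerpc_samr_chgpasswd_user4()` still falls through to `rpccli_samr_chgpasswd_user2()`, which the `DO NOT FALLBACK TO RC4` comment implies is the RC4-based path. Unless that callee enforces the weak-crypto setting itself (not visible in this hunk), a different RPC-level error from the peer would be enough to reach the legacy call even when weak crypto is disallowed; consider closing the inner branch with `else if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { cli_shutdown(cli); return status; }`. Separately, the two adjacent string literals passed to `asprintf()` concatenate to "passwordwith error", so the first should end with a space: `"machine %s rejected to change the password "`. remote_password_change() begins and ends outside this hunk.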