From: Stefan Metzmacher
Date: Thu, 2 Jun 2016 12:14:06 +0000 (+0200)
Subject: s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
X-Git-Tag: tdb-1.3.10~627
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b73cb40dd280e815549ce99e4a44a1b39b5094d4;p=thirdparty%2Fsamba.git
s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 096359c9bf0..b223706f884 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -495,7 +495,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 {
 NTSTATUS nt_status;
 bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
- uint16_t acct_flags = samdb_result_acct_flags(msg, NULL);
+ uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
@@ -507,6 +507,20 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_SUCH_USER;
 }
+ if (acct_flags & ACB_SMARTCARD_REQUIRED) {
+ if (acct_flags & ACB_DISABLED) {
+ DEBUG(2,("authsam_authenticate: Account for user '%s' "
+ "was disabled.\n",
+ user_info->mapped.account_name));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+ DEBUG(2,("authsam_authenticate: Account for user '%s' "
+ "requires interactive smartcard logon.\n",
+ user_info->mapped.account_name));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_SMARTCARD_LOGON_REQUIRED;
+ }
 }
 nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
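Review bot: Both returns added in the `ACB_SMARTCARD_REQUIRED` branch of the second hunk sit before the call to `authsam_password_check_and_record()`, so the caller is told `NT_STATUS_ACCOUNT_DISABLED` or `NT_STATUS_SMARTCARD_LOGON_REQUIRED` without the supplied password having been checked. Presumably these attempts also bypass whatever bad-password recording that later call performs, which is worth confirming. If the ordering is deliberate, the branch should say so, for example `/* Rejected before the password check on purpose: a smartcard-only account never accepts an interactive password logon; a disabled account is reported as disabled first. */`. The enclosing `if` that restricts this branch to interactive logons starts outside the hunk, so its condition cannot be confirmed from the lines shown.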