From 12e97ee3e86d72b9edad9a2ac37249ffa0d28331 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Mon, 4 Nov 2019 15:27:43 +0100
Subject: [PATCH] smbdotconf: mark "check password script" with substitution="1"
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
 .../security/checkpasswordscript.xml | 1 +
 source3/rpc_server/samr/srv_samr_chgpasswd.c | 8 +++++---
 source3/rpc_server/samr/srv_samr_nt.c | 20 +++++++++++++------
 source4/dsdb/common/util.c | 4 +++-
 4 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml
index 1e9031fda42..18aa2c6d290 100644
--- a/docs-xml/smbdotconf/security/checkpasswordscript.xml
+++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml
@@ -1,6 +1,7 @@
 The name of a program that can be used to check password
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index 8c9cf73bdd8..d37543f58a8 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -990,16 +990,18 @@ NTSTATUS check_password_complexity(const char *username,
 enum samPwdChangeReason *samr_reject_reason)
 {
 TALLOC_CTX *tosctx = talloc_tos();
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
 int check_ret;
 char *cmd;
 /* Use external script to check password complexity */
- if ((lp_check_password_script(tosctx) == NULL)
- || (*(lp_check_password_script(tosctx)) == '\0')) {
+ if ((lp_check_password_script(tosctx, lp_sub) == NULL) || (*(lp_check_password_script(tosctx, lp_sub)) == '\0')){
 return NT_STATUS_OK;
 }
- cmd = talloc_string_sub(tosctx, lp_check_password_script(tosctx), "%u",
+ cmd = talloc_string_sub(tosctx, lp_check_password_script(tosctx, lp_sub), "%u",
 username);
 if (!cmd) {
 return NT_STATUS_PASSWORD_RESTRICTION;
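Review bot: With substitution now applied inside lp_check_password_script(), the `"%u"` token that the following talloc_string_sub() call replaces with `username` may already have been expanded by `lp_sub`, so the script could receive whatever loadparm_s3_global_substitution() provides for `%u` in this RPC context instead of the account whose password is being changed; the expansion order should be confirmed, or the username replacement applied to the parameter before the generic substitution. The substituted parameter is also fetched three times in this hunk (twice in the `if` and once as the talloc_string_sub() argument), each fetch expanding and allocating on the talloc stackframe anew, which a single local avoids while also shortening the over-long `cmd =` line. The new `'\0')){` drops the space before `{` that the surrounding code uses, and the query_dom_info_1 hunk in srv_samr_nt.c has the same. check_password_complexity() continues past the end of this hunk.
```c
	TALLOC_CTX *tosctx = talloc_tos();
	const struct loadparm_substitution *lp_sub =
		loadparm_s3_global_substitution();
	const char *script = NULL;
	/* … unchanged: check_ret and cmd declarations … */

	/* Use external script to check password complexity */
	script = lp_check_password_script(tosctx, lp_sub);
	if (script == NULL || *script == '\0') {
		return NT_STATUS_OK;
	}

	cmd = talloc_string_sub(tosctx, script, "%u", username);
```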
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 87214b2899e..2e007d6b86a 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -518,6 +518,8 @@ NTSTATUS _samr_OpenDomain(struct pipes_struct *p,
 NTSTATUS _samr_GetUserPwInfo(struct pipes_struct *p,
 struct samr_GetUserPwInfo *r)
 {
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
 struct samr_user_info *uinfo;
 enum lsa_SidType sid_type;
 uint32_t min_password_length = 0;
@@ -554,8 +556,8 @@ NTSTATUS _samr_GetUserPwInfo(struct pipes_struct *p,
 &password_properties);
 unbecome_root();
- if (lp_check_password_script(talloc_tos())
- && *lp_check_password_script(talloc_tos())) {
+ if (lp_check_password_script(talloc_tos(), lp_sub)
+ && *lp_check_password_script(talloc_tos(), lp_sub)) {
 password_properties |= DOMAIN_PASSWORD_COMPLEX;
 }
@@ -1883,6 +1885,8 @@ NTSTATUS _samr_ChangePasswordUser3(struct pipes_struct *p,
 enum samPwdChangeReason reject_reason;
 struct samr_DomInfo1 *dominfo = NULL;
 struct userPwdChangeFailureInformation *reject = NULL;
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
 uint32_t tmp;
 char *rhost;
@@ -1972,8 +1976,8 @@ NTSTATUS _samr_ChangePasswordUser3(struct pipes_struct *p,
 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
- if (lp_check_password_script(talloc_tos())
- && *lp_check_password_script(talloc_tos())) {
+ if (lp_check_password_script(talloc_tos(), lp_sub)
+ && *lp_check_password_script(talloc_tos(), lp_sub)) {
 dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
 }
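Review bot: The new condition in the `@@ -554,8 +556,8 @@` hunk evaluates `lp_check_password_script(talloc_tos(), lp_sub)` twice, once for the NULL test and once for the dereference, and with substitution enabled each evaluation now expands and allocates the parameter anew on the talloc stackframe; the same pattern is repeated in the `_samr_ChangePasswordUser3` hunk below and in the `query_dom_info_1` and `_samr_GetDomPwInfo` hunks that follow. A single fetch into a local, `const char *script = lp_check_password_script(talloc_tos(), lp_sub);` followed by `if (script != NULL && *script != '\0') {`, avoids the double expansion at all four sites, or the test could move into one small static helper returning bool so the four call sites stay identical. _samr_GetUserPwInfo() begins before and ends after this hunk.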
@@ -3217,6 +3221,8 @@ static uint32_t samr_get_server_role(void)
 static NTSTATUS query_dom_info_1(TALLOC_CTX *mem_ctx,
 struct samr_DomInfo1 *r)
 {
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
 uint32_t account_policy_temp;
 time_t u_expire, u_min_age;
@@ -3246,7 +3252,7 @@ static NTSTATUS query_dom_info_1(TALLOC_CTX *mem_ctx,
 unix_to_nt_time_abs((NTTIME *)&r->max_password_age, u_expire);
 unix_to_nt_time_abs((NTTIME *)&r->min_password_age, u_min_age);
- if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
+ if (lp_check_password_script(talloc_tos(), lp_sub) && *lp_check_password_script(talloc_tos(), lp_sub)){
 r->password_properties |= DOMAIN_PASSWORD_COMPLEX;
 }
@@ -6258,6 +6264,8 @@ NTSTATUS _samr_SetAliasInfo(struct pipes_struct *p,
 NTSTATUS _samr_GetDomPwInfo(struct pipes_struct *p,
 struct samr_GetDomPwInfo *r)
 {
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
 uint32_t min_password_length = 0;
 uint32_t password_properties = 0;
@@ -6277,7 +6285,7 @@ NTSTATUS _samr_GetDomPwInfo(struct pipes_struct *p,
 &password_properties);
 unbecome_root();
- if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
+ if (lp_check_password_script(talloc_tos(), lp_sub) && *lp_check_password_script(talloc_tos(), lp_sub)) {
 password_properties |= DOMAIN_PASSWORD_COMPLEX;
 }
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index bad2ee7a494..f1b28129c38 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2041,6 +2041,8 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
 const uint32_t pwdProperties,
 const uint32_t minPwdLength)
 {
+ const struct loadparm_substitution *lp_sub =
+ lpcfg_noop_substitution();
 char *password_script = NULL;
 const char *utf8_pw = (const char *)utf8_blob->data;
@@ -2074,7 +2076,7 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
 }
- password_script = lpcfg_check_password_script(lp_ctx, mem_ctx);
+ password_script = lpcfg_check_password_script(lp_ctx, lp_sub, mem_ctx);
 if (password_script != NULL && *password_script != '\0') {
 int check_ret = 0;
 int error = 0;
-- 
2.47.3
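Review bot: The AD path passes `lp_sub` built from `lpcfg_noop_substitution()` into lpcfg_check_password_script() while every source3 caller in this commit passes the global substitution, so `%`-tokens in "check password script" are left untouched on a DC but expanded on a member server, and nothing beside the code records that this asymmetry is intended. A comment at the `lp_sub` declaration in the earlier hunk of this file, `/* Intentionally no %-substitution on the AD DC; see smb.conf(5) "check password script" */`, would keep a later reader from "fixing" it to match source3. samdb_check_password() begins before and ends after this hunk, and the script is run past the end of it.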