From b73cb40dd280e815549ce99e4a44a1b39b5094d4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 2 Jun 2016 14:14:06 +0200
Subject: [PATCH] s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source4/auth/ntlm/auth_sam.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 096359c9bf0..b223706f884 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -495,7 +495,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 {
 NTSTATUS nt_status;
 bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
- uint16_t acct_flags = samdb_result_acct_flags(msg, NULL);
+ uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
@@ -507,6 +507,20 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_SUCH_USER;
 }
+ if (acct_flags & ACB_SMARTCARD_REQUIRED) {
+ if (acct_flags & ACB_DISABLED) {
+ DEBUG(2,("authsam_authenticate: Account for user '%s' "
+ "was disabled.\n",
+ user_info->mapped.account_name));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+ DEBUG(2,("authsam_authenticate: Account for user '%s' "
+ "requires interactive smartcard logon.\n",
+ user_info->mapped.account_name));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_SMARTCARD_LOGON_REQUIRED;
+ }
 }
 nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
--
2.47.3
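Review bot: In the second hunk, both new returns (`NT_STATUS_ACCOUNT_DISABLED` and `NT_STATUS_SMARTCARD_LOGON_REQUIRED`) are taken before `authsam_password_check_and_record` is called, so the status tells a caller who has not yet presented a valid password which flags the account carries, and these attempts presumably never reach the bad-password accounting. If that ordering is intended, it deserves a comment above the block, for example `/* Smartcard-only accounts are refused before any password check, so the caller learns the account state without valid credentials and the attempt is not recorded as a bad password. */`. The same comment should explain why `ACB_DISABLED` is tested only inside the `ACB_SMARTCARD_REQUIRED` branch, since a reader cannot tell from here where disabled accounts without that flag are rejected. The enclosing `if` that restricts this to interactive logons opens outside the hunk, so the exact condition guarding the new check cannot be confirmed from the visible lines.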