author | Andrew Bartlett <abartlet@samba.org> | 2022-02-10 14:11:03 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-03-17 01:57:38 +0000 |
commit | 557b1ab5f9661f52c2a47b648294603cf108404c (patch) | |
tree | dbcd2d8caba41f7d6518bf58709ce02034b176b1 | |
parent | 0a907c2f45c34efcac784738c9d75303b9d04d2f (diff) | |
download | samba-557b1ab5f9661f52c2a47b648294603cf108404c.tar.gz |
kdc: Remove pre-check for existing NT and LM hash from kpasswd
We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source4/kdc/kpasswd-service-heimdal.c | 1 | ||||
-rw-r--r-- | source4/kdc/kpasswd-service-mit.c | 1 | ||||
-rw-r--r-- | source4/kdc/kpasswd_glue.c | 37 | ||||
-rw-r--r-- | source4/kdc/kpasswd_glue.h | 1 | ||||
-rw-r--r-- | source4/kdc/mit_samba.c | 1 |
5 files changed, 4 insertions, 37 deletions
diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c
index c804852c3a7..21596d8d8a4 100644
--- a/source4/kdc/kpasswd-service-heimdal.c
+++ b/source4/kdc/kpasswd-service-heimdal.c
@@ -46,7 +46,6 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 status = samdb_kpasswd_change_password(mem_ctx,
 kdc->task->lp_ctx,
 kdc->task->event_ctx,
- kdc->samdb,
 session_info,
 password,
 &reject_reason,
diff --git a/source4/kdc/kpasswd-service-mit.c b/source4/kdc/kpasswd-service-mit.c
index 2117c1c1696..1dbe5adad6d 100644
--- a/source4/kdc/kpasswd-service-mit.c
+++ b/source4/kdc/kpasswd-service-mit.c
@@ -52,7 +52,6 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 status = samdb_kpasswd_change_password(mem_ctx,
 kdc->task->lp_ctx,
 kdc->task->event_ctx,
- kdc->samdb,
 session_info,
 password,
 &reject_reason,
diff --git a/source4/kdc/kpasswd_glue.c b/source4/kdc/kpasswd_glue.c
index 3f985bbfc71..d50d9d2bcee 100644
--- a/source4/kdc/kpasswd_glue.c
+++ b/source4/kdc/kpasswd_glue.c
@@ -37,7 +37,6 @@ NTSTATUS samdb_kpasswd_change_password(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx,
 struct tevent_context *event_ctx,
- struct ldb_context *samdb,
 struct auth_session_info *session_info,
 const DATA_BLOB *password,
 enum samPwdChangeReason *reject_reason,
@@ -45,38 +44,8 @@ NTSTATUS samdb_kpasswd_change_password(TALLOC_CTX *mem_ctx,
 const char **error_string,
 NTSTATUS *result)
 {
- struct samr_Password *oldLmHash, *oldNtHash;
- const char * const attrs[] = { "dBCSPwd", "unicodePwd", NULL };
- struct ldb_message *msg;
 NTSTATUS status;
- int ret;
-
- /* Fetch the old hashes to get the old password in order to perform
- * the password change operation. Naturally it would be much better to
- * have a password hash from an authentication around but this doesn't
- * seem to be the case here. */
- ret = dsdb_search_one(samdb, mem_ctx, &msg, ldb_get_default_basedn(samdb),
- LDB_SCOPE_SUBTREE,
- attrs,
- DSDB_SEARCH_NO_GLOBAL_CATALOG,
- "(&(objectClass=user)(sAMAccountName=%s))",
- session_info->info->account_name);
- if (ret != LDB_SUCCESS) {
- *error_string = "No such user when changing password";
- return NT_STATUS_NO_SUCH_USER;
- }
-
- /*
- * No need to check for password lockout here, the KDC will
- * have done that when issuing the ticket, which is not based
- * on the user's password
- */
- status = samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg,
- &oldLmHash, &oldNtHash);
- if (!NT_STATUS_IS_OK(status)) {
- *error_string = "Not permitted to change password";
- return NT_STATUS_ACCESS_DENIED;
- }
+ struct ldb_context *samdb = NULL;
 
 /* Start a SAM with user privileges for the password change */
 samdb = samdb_connect(mem_ctx,
@@ -106,7 +75,9 @@ NTSTATUS samdb_kpasswd_change_password(TALLOC_CTX *mem_ctx,
 DSDB_PASSWORD_CHECKED_AND_CORRECT,
 reject_reason,
 dominfo);
- if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ *error_string = "No such user when changing password";
+ } else if (!NT_STATUS_IS_OK(status)) {
 *error_string = nt_errstr(status);
 }
 *result = status;
diff --git a/source4/kdc/kpasswd_glue.h b/source4/kdc/kpasswd_glue.h
index 4d5c6c4d895..49246af9016 100644
--- a/source4/kdc/kpasswd_glue.h
+++ b/source4/kdc/kpasswd_glue.h
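Review bot: The rationale carried by the deleted comment — that password lockout is deliberately not re-checked in samdb_kpasswd_change_password because the KDC already enforced it when it issued the ticket behind session_info — still governs the new path, but after this hunk nothing in the function states it, so a reader sees a user-privileged samdb_connect() followed by a set with DSDB_PASSWORD_CHECKED_AND_CORRECT and no lockout handling at all. Keep a short comment above the surviving `/* Start a SAM with user privileges for the password change */` line, e.g. `/* The ticket that authenticated this kpasswd request is the only proof of the old password; lockout was enforced by the KDC when it issued that ticket, so it is not re-checked here. */`. The removed dsdb_search_one() also doubled as an existence check for a user-class object by sAMAccountName; the second hunk of this file now relies on the set call reporting NT_STATUS_NO_SUCH_USER for a missing principal, which is presumably what it returns but is worth confirming, since any other status reaches the client only as the generic nt_errstr() text. The function body continues outside both hunks, so the samdb_connect() arguments and the set call itself are not visible here.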
@@ -23,7 +23,6 @@ NTSTATUS samdb_kpasswd_change_password(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx,
 struct tevent_context *event_ctx,
- struct ldb_context *samdb,
 struct auth_session_info *session_info,
 const DATA_BLOB *password,
 enum samPwdChangeReason *reject_reason,
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index b0440663ba0..2503dc5d612 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -1012,7 +1012,6 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 status = samdb_kpasswd_change_password(tmp_ctx,
 ctx->db_ctx->lp_ctx,
 ctx->db_ctx->ev_ctx,
- ctx->db_ctx->samdb,
 ctx->session_info,
 &password,
 &reject_reason,
|