Context Navigation

source: branches/samba-3.3.x/source/libsmb/passchange.c@ 342

Visit:

Last change on this file since 342 was 342, checked in by Herwig Bauernfeind, 15 years ago
Update 3.3 to 3.3.9
File size: 8.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	SMB client password change routine
4	Copyright (C) Andrew Tridgell 1994-1998
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21
22	/*************************************************************
23	Change a password on a remote machine using IPC calls.
24	*************************************************************/
25
26	NTSTATUS remote_password_change(const char remote_machine, const char user_name,
27	const char old_passwd, const char new_passwd,
28	char **err_str)
29	{
30	struct nmb_name calling, called;
31	struct cli_state *cli;
32	struct rpc_pipe_client *pipe_hnd;
33	struct sockaddr_storage ss;
34
35	NTSTATUS result;
36	bool pass_must_change = False;
37
38	*err_str = NULL;
39
40	if(!resolve_name( remote_machine, &ss, 0x20)) {
41	if (asprintf(err_str, "Unable to find an IP address for machine "
42	"%s.\n", remote_machine) == -1) {
43	*err_str = NULL;
44	}
45	return NT_STATUS_UNSUCCESSFUL;
46	}
47
48	cli = cli_initialise();
49	if (!cli) {
50	return NT_STATUS_NO_MEMORY;
51	}
52
53	result = cli_connect(cli, remote_machine, &ss);
54	if (!NT_STATUS_IS_OK(result)) {
55	if (asprintf(err_str, "Unable to connect to SMB server on "
56	"machine %s. Error was : %s.\n",
57	remote_machine, nt_errstr(result))==-1) {
58	*err_str = NULL;
59	}
60	cli_shutdown(cli);
61	return result;
62	}
63
64	make_nmb_name(&calling, global_myname() , 0x0);
65	make_nmb_name(&called , remote_machine, 0x20);
66
67	if (!cli_session_request(cli, &calling, &called)) {
68	if (asprintf(err_str, "machine %s rejected the session setup. "
69	"Error was : %s.\n",
70	remote_machine, cli_errstr(cli)) == -1) {
71	*err_str = NULL;
72	}
73	result = cli_nt_error(cli);
74	cli_shutdown(cli);
75	return result;
76	}
77
78	cli->protocol = PROTOCOL_NT1;
79
80	if (!cli_negprot(cli)) {
81	if (asprintf(err_str, "machine %s rejected the negotiate "
82	"protocol. Error was : %s.\n",
83	remote_machine, cli_errstr(cli)) == -1) {
84	*err_str = NULL;
85	}
86	result = cli_nt_error(cli);
87	cli_shutdown(cli);
88	return result;
89	}
90
91	/* Given things like SMB signing, restrict anonymous and the like,
92	try an authenticated connection first */
93	result = cli_session_setup(cli, user_name,
94	old_passwd, strlen(old_passwd)+1,
95	old_passwd, strlen(old_passwd)+1, "");
96
97	if (!NT_STATUS_IS_OK(result)) {
98
99	/* Password must change or Password expired are the only valid
100	* error conditions here from where we can proceed, the rest like
101	* account locked out or logon failure will lead to errors later
102	* anyway */
103
104	if (!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) &&
105	!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED)) {
106	if (asprintf(err_str, "Could not connect to machine %s: "
107	"%s\n", remote_machine, cli_errstr(cli)) == -1) {
108	*err_str = NULL;
109	}
110	cli_shutdown(cli);
111	return result;
112	}
113
114	pass_must_change = True;
115
116	/*
117	* We should connect as the anonymous user here, in case
118	* the server has "must change password" checked...
119	* Thanks to <Nicholas.S.Jenkins@cdc.com> for this fix.
120	*/
121
122	result = cli_session_setup(cli, "", "", 0, "", 0, "");
123
124	if (!NT_STATUS_IS_OK(result)) {
125	if (asprintf(err_str, "machine %s rejected the session "
126	"setup. Error was : %s.\n",
127	remote_machine, cli_errstr(cli)) == -1) {
128	*err_str = NULL;
129	}
130	cli_shutdown(cli);
131	return result;
132	}
133
134	cli_init_creds(cli, "", "", NULL);
135	} else {
136	cli_init_creds(cli, user_name, "", old_passwd);
137	}
138
139	if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
140	if (asprintf(err_str, "machine %s rejected the tconX on the IPC$ "
141	"share. Error was : %s.\n",
142	remote_machine, cli_errstr(cli)) == -1) {
143	*err_str = NULL;
144	}
145	result = cli_nt_error(cli);
146	cli_shutdown(cli);
147	return result;
148	}
149
150	/* Try not to give the password away too easily */
151
152	if (!pass_must_change) {
153	result = cli_rpc_pipe_open_ntlmssp(cli,
154	&ndr_table_samr.syntax_id,
155	NCACN_NP,
156	PIPE_AUTH_LEVEL_PRIVACY,
157	"", /* what domain... ? */
158	user_name,
159	old_passwd,
160	&pipe_hnd);
161	} else {
162	/*
163	* If the user password must be changed the ntlmssp bind will
164	* fail the same way as the session setup above did. The
165	* difference ist that with a pipe bind we don't get a good
166	* error message, the result will be that the rpc call below
167	* will just fail. So we do it anonymously, there's no other
168	* way.
169	*/
170	result = cli_rpc_pipe_open_noauth(
171	cli, &ndr_table_samr.syntax_id, &pipe_hnd);
172	}
173
174	if (!NT_STATUS_IS_OK(result)) {
175	if (lp_client_lanman_auth()) {
176	/* Use the old RAP method. */
177	if (!cli_oem_change_password(cli, user_name, new_passwd, old_passwd)) {
178	if (asprintf(err_str, "machine %s rejected the "
179	"password change: Error was : %s.\n",
180	remote_machine, cli_errstr(cli)) == -1) {
181	*err_str = NULL;
182	}
183	result = cli_nt_error(cli);
184	cli_shutdown(cli);
185	return result;
186	}
187	} else {
188	if (asprintf(err_str, "SAMR connection to machine %s "
189	"failed. Error was %s, but LANMAN password "
190	"changes are disabled\n",
191	remote_machine, nt_errstr(result)) == -1) {
192	*err_str = NULL;
193	}
194	result = cli_nt_error(cli);
195	cli_shutdown(cli);
196	return result;
197	}
198	}
199
200	result = rpccli_samr_chgpasswd_user2(pipe_hnd, talloc_tos(),
201	user_name, new_passwd, old_passwd);
202	if (NT_STATUS_IS_OK(result)) {
203	/* Great - it all worked! */
204	cli_shutdown(cli);
205	return NT_STATUS_OK;
206
207	} else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
208	\|\| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
209	/* it failed, but for reasons such as wrong password, too short etc ... */
210
211	if (asprintf(err_str, "machine %s rejected the password change: "
212	"Error was : %s.\n",
213	remote_machine, get_friendly_nt_error_msg(result)) == -1) {
214	*err_str = NULL;
215	}
216	cli_shutdown(cli);
217	return result;
218	}
219
220	/* OK, that failed, so try again... */
221	TALLOC_FREE(pipe_hnd);
222
223	/* Try anonymous NTLMSSP... */
224	cli_init_creds(cli, "", "", NULL);
225
226	result = NT_STATUS_UNSUCCESSFUL;
227
228	/* OK, this is ugly, but... try an anonymous pipe. */
229	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
230	&pipe_hnd);
231
232	if ( NT_STATUS_IS_OK(result) &&
233	(NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user2(
234	pipe_hnd, talloc_tos(), user_name,
235	new_passwd, old_passwd)))) {
236	/* Great - it all worked! */
237	cli_shutdown(cli);
238	return NT_STATUS_OK;
239	} else {
240	if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
241	\|\| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
242	/* it failed, but again it was due to things like new password too short */
243
244	if (asprintf(err_str, "machine %s rejected the "
245	"(anonymous) password change: Error was : "
246	"%s.\n", remote_machine,
247	get_friendly_nt_error_msg(result)) == -1) {
248	*err_str = NULL;
249	}
250	cli_shutdown(cli);
251	return result;
252	}
253
254	/* We have failed to change the user's password, and we think the server
255	just might not support SAMR password changes, so fall back */
256
257	if (lp_client_lanman_auth()) {
258	/* Use the old RAP method. */
259	if (cli_oem_change_password(cli, user_name, new_passwd, old_passwd)) {
260	/* SAMR failed, but the old LanMan protocol worked! */
261
262	cli_shutdown(cli);
263	return NT_STATUS_OK;
264	}
265	if (asprintf(err_str, "machine %s rejected the password "
266	"change: Error was : %s.\n",
267	remote_machine, cli_errstr(cli)) == -1) {
268	*err_str = NULL;
269	}
270	result = cli_nt_error(cli);
271	cli_shutdown(cli);
272	return result;
273	} else {
274	if (asprintf(err_str, "SAMR connection to machine %s "
275	"failed. Error was %s, but LANMAN password "
276	"changed are disabled\n",
277	nt_errstr(result), remote_machine) == -1) {
278	*err_str = NULL;
279	}
280	cli_shutdown(cli);
281	return NT_STATUS_UNSUCCESSFUL;
282	}
283	}
284	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: