Now the users of "Domain Admins" will not be locked out. But until we have
the right privileges for "Domain Admins", I will continue to use the "admin
users" list for administrator tasks (like adding machines, managing users for the domain...).
The new patch is attached.

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--- auth_sam.c. Thu Mar 20 16:31:34 2003
+++ auth_sam.c.fix      Mon Mar 31 17:23:09 2003
@@ -326,6 +326,12 @@
                return NT_STATUS_ACCOUNT_DISABLED;
        }
 
+       /* Quit if the account was locked out. */
+       if (acct_ctrl & ACB_AUTOLOCK) {
+               DEBUG(1,("Account for user '%s' was locked out.\n", 
pdb_get_username(sampass)));
+               return NT_STATUS_ACCOUNT_LOCKED_OUT;
+       }
+
        /* Test account expire time */
        
        kickoff_time = pdb_get_kickoff_time(sampass);
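Review bot: Nothing in this patch clears `ACB_AUTOLOCK` once it has been set: the bad-password counter is reset to 0 in the third hunk only after `sam_password_ok()` succeeds, and no lockout-duration check is made here before returning `NT_STATUS_ACCOUNT_LOCKED_OUT`, so as far as these hunks show a locked account stays locked until an administrator clears the flag by hand. That turns a burst of bad attempts against any non-admin account into an indefinite denial of service on that account; a lockout-duration policy (with the time of the last failed attempt recorded alongside the counter and compared against the current time at this point) would bound it. Until that exists the comment should state the limitation, e.g. `/* Quit if the account was locked out.  NOTE: the lock is never lifted automatically; an admin must clear ACB_AUTOLOCK. */`. The enclosing function starts and ends outside the hunk.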
@@ -414,6 +420,8 @@
        NTSTATUS nt_status;
        uint8 user_sess_key[16];
        const uint8* lm_hash;
+       uint32 account_policy_lockout, badpwattempt;
+       GROUP_MAP map;
 
        if (!user_info || !auth_context) {
                return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +456,45 @@
        nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, 
user_sess_key);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
+               if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) {      
+                       badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+                       if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, 
PDB_CHANGED))
+                                       DEBUG(1, ("Failed to set 'badPwAttempt' for 
user % s. \n", 
+                                                                
user_info->internal_username.str));
+                       account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, 
&account_policy_lockout);
+                       if (!get_group_map_from_ntname("Domain Admins", &map, 
MAPPING_WITHOUT_PRIV))
+                               DEBUG(1, ("auth_sam.c: Failed to get groupmap for 
Domain Admins"));
+                       if ((badpwattempt >= account_policy_lockout) && 
!user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0) && 
!user_in_group_list(user_info->internal_username.str, gidtoname(map.gid), NULL, 0))
+                               if (!pdb_set_acct_ctrl (sampass, 
+                                                                               
pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, 
+                                                                               
PDB_CHANGED)) {
+                                       DEBUG(1, ("Failed to set 'disabled' flag for 
user % s. \n", 
+                                                                
user_info->internal_username.str));
+                           }
+
+                       become_root();
+                       if (!pdb_update_sam_account(sampass)) {
+                       DEBUG(1, ("Failed to modify entry for user % s.\n", 
+                                                        
user_info->internal_username.str));
+                       unbecome_root();
+            }
+               }
                pdb_free_sam(&sampass);
                return nt_status;
        }
 
+       if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+                       DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", 
+                                                user_info->internal_username.str));
+       if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+               DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n"));
+
+       become_root();
+       if(!pdb_update_sam_account(sampass)) 
+               DEBUG(1, ("Failed to modify entry for user % s.\n", 
+                                        user_info->internal_username.str));
+       unbecome_root();
+
        if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) 
{         
                DEBUG(0,("check_sam_security: make_server_info_sam() failed with 
'%s'\n", nt_errstr(nt_status)));
                return nt_status;
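Review bot: On the wrong-password path `unbecome_root()` is only reached when `pdb_update_sam_account()` fails (it sits inside the failure branch that closes just before `pdb_free_sam`), so after a successful update smbd keeps root privileges for the rest of the call, whereas the success path later in the same hunk drops root unconditionally and this branch should match it. The admin exemption also reads `map.gid` even when `get_group_map_from_ntname()` has failed and merely logged, and `map` (declared without an initializer in the second hunk) is then indeterminate; the same holds for `account_policy_lockout`, whose `account_policy_get()` result is never checked, and the threshold is compared without treating 0 as "lockout disabled" — if that is the intended meaning of an unset policy, confirm it against the policy code and skip the lockout in that case. Five DEBUG format strings in this hunk, on both branches, use `% s` (a space flag on a `%s` conversion, which is undefined) and should read `%s`; the `pdb_set_logon_time` message also has "fialed". The rewrite below balances the privilege handling and only consults the group mapping when the lookup succeeded; it needs `int is_admin;` added to the declarations in the second hunk. `check_sam_security` continues past the end of the hunk.
```c
			/* … unchanged: bad-password counter increment … */
			account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
			is_admin = user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0);
			if (get_group_map_from_ntname("Domain Admins", &map, MAPPING_WITHOUT_PRIV)) {
				is_admin = is_admin || user_in_group_list(user_info->internal_username.str, gidtoname(map.gid), NULL, 0);
			} else {
				DEBUG(1, ("auth_sam.c: Failed to get groupmap for Domain Admins\n"));
			}
			if ((badpwattempt >= account_policy_lockout) && !is_admin) {
				if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK, PDB_CHANGED)) {
					DEBUG(1, ("Failed to set 'disabled' flag for user %s.\n", user_info->internal_username.str));
				}
			}

			become_root();
			if (!pdb_update_sam_account(sampass)) {
				DEBUG(1, ("Failed to modify entry for user %s.\n", user_info->internal_username.str));
			}
			unbecome_root();   /* always drop root, regardless of the update result */
```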
