From 40bbee0c269bf9169bbdee2e99426bba3fe43ed4 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sun, 3 May 2009 15:16:15 +0000 Subject: [PATCH] allow to disable LM hashes --- lam/HISTORY | 4 +++ lam/lib/modules/sambaSamAccount.inc | 54 +++++++++++++++++++++++------ 2 files changed, 48 insertions(+), 10 deletions(-) diff --git a/lam/HISTORY b/lam/HISTORY index 4b341035..1206d52b 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -1,3 +1,7 @@ +July 2009 2.7.0 + - Samba 3: allow to disable LM hashes (on by default) + + 08.04.2009 2.6.0 - support NIS netgroups - support EDU person accounts (RFE 1413731) diff --git a/lam/lib/modules/sambaSamAccount.inc b/lam/lib/modules/sambaSamAccount.inc index eb9e46bb..49863480 100644 --- a/lam/lib/modules/sambaSamAccount.inc +++ b/lam/lib/modules/sambaSamAccount.inc @@ -336,7 +336,10 @@ class sambaSamAccount extends baseModule { "Text" => _("Here you can change the settings for the terminal server access.")), 'profilePwdCanMustChange' => array ( "Headline" => _("User can/must change password"), - "Text" => _("This is the number of seconds after when the user may or has to change his password.")) + "Text" => _("This is the number of seconds after when the user may or has to change his password.")), + 'lmHash' => array ( + "Headline" => _("Disable LM hashes"), + "Text" => _("Windows password hashes are saved by default as NT and LM hashes. LM hashes are insecure and only needed for old versions of Windows. You should disable them unless you really need them.")) ); // upload dependencies $return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson'); 
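Review bot: The new 'lmHash' help text in this hunk says why LM hashes are weak but not what the module does with hashes that already exist: with the option unset or set to 'yes', the hunk at @@ -633 removes an existing sambaLMPassword attribute, presumably whenever the account's attributes are processed, so an administrator who leaves the default on a populated directory gets a silent cleanup on the next edit of each account. Append a sentence such as `Existing LM hashes are removed from an account when it is saved.` to the "Text" entry so the side effect is documented where the option is explained. The help array this entry belongs to starts outside the hunk.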
@@ -519,7 +522,18 @@ class sambaSamAccount extends baseModule {
 ),
 'options_selected' => array('0'),
 'descriptiveOptions' => true),
- array('kind' => 'help', 'value' => 'timeZone'))
+ array('kind' => 'help', 'value' => 'timeZone')),
+ array(
+ array('kind' => 'text', 'text' => '' . _("Disable LM hashes") . ':  '),
+ array('kind' => 'select', 'name' => 'sambaSamAccount_lmHash', 'size' => '1',
+ 'options' => array(
+ array('yes', _('yes')),
+ array('no', _('no'))
+ ),
+ 'options_selected' => array('yes'),
+ 'descriptiveOptions' => true),
+ array('kind' => 'help', 'value' => 'lmHash')
+ )
 );
 return $return;
 }
@@ -633,6 +647,12 @@ class sambaSamAccount extends baseModule {
 if (!in_array('sambaSamAccount', $this->attributes['objectClass'])) {
 return array();
 }
+ // delete LM hash if needed
+ if (!isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) || ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'yes')) {
+ if (isset($this->attributes['sambaLMPassword'])) {
+ unset($this->attributes['sambaLMPassword']);
+ }
+ }
 $errors = array();
 $sambaDomains = search_domains();
 if (sizeof($sambaDomains) == 0) {
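Review bot: The setting test `!isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) || ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'yes')` in the @@ -633 hunk is the inverse of the guard `isset(...) && (... == 'no')` that the hunks at @@ -690, @@ -734, @@ -747, @@ -1853 (three times) and @@ -2133 each repeat verbatim, so the policy "unset means LM hashes are disabled" is spelled out seven times and any later change to the option name, default or comparison has to touch all of them. A private helper on the class that answers the question once, with a strict string comparison, would let this hunk read `if (!$this->lmHashesEnabled())` and the others `if ($this->lmHashesEnabled())`. The function containing the @@ -633 hunk starts outside it.
```php
	/**
	 * Returns true if LM hashes are to be written (module setting "sambaSamAccount_lmHash" is 'no').
	 * An unset option means LM hashes are disabled, matching the default selected in the config options.
	 *
	 * @return boolean
	 */
	private function lmHashesEnabled() {
		return isset($this->moduleSettings['sambaSamAccount_lmHash'][0])
			&& ($this->moduleSettings['sambaSamAccount_lmHash'][0] === 'no');
	}

	// … unchanged: objectClass check at the top of the @@ -633 hunk …
	// delete LM hash if needed
	if (!$this->lmHashesEnabled()) {
		if (isset($this->attributes['sambaLMPassword'])) {
			unset($this->attributes['sambaLMPassword']);
		}
	}
```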
@@ -690,11 +710,13 @@ class sambaSamAccount extends baseModule { // host attributes if ($this->get_scope()=='host') { $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain computers')]; - if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaLMPassword'][0]) { + if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaNTPassword'][0]) { $attrs = $this->getAccountContainer()->getAccountModule('posixAccount')->getAttributes(); $hostname = $attrs['uid'][0]; $hostname = substr($hostname, 0, strlen($hostname) - 1); - $this->attributes['sambaLMPassword'][0] = lmPassword($hostname); + if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) { + $this->attributes['sambaLMPassword'][0] = lmPassword($hostname); + } $this->attributes['sambaNTPassword'][0] = ntPassword($hostname); $this->attributes['sambaPwdLastSet'][0] = time(); } @@ -734,7 +756,9 @@ class sambaSamAccount extends baseModule { if (isset($_POST['useunixpwd'])) { $this->useunixpwd = true; - $this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); + if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) { + $this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); + } $this->attributes['sambaNTPassword'][0] = ntPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); $this->attributes['sambaPwdLastSet'][0] = time(); } 
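Review bot: The rewritten condition `if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaNTPassword'][0])` in the @@ -690 hunk still reads both indexes without isset(), so a host form submitted without that (presumably checkbox) field, or a host entry that has no sambaNTPassword yet — exactly the case this line is meant to catch — raises an undefined-index notice on the way to the intended result; `if (isset($_POST['ResetSambaPassword']) || empty($this->attributes['sambaNTPassword'][0]))` keeps the same outcome without the notices, and the sibling check in the @@ -734 hunk already uses `isset($_POST['useunixpwd'])` in the same way. Moving the test from the LM to the NT hash is right now that the LM attribute may be absent. The host branch this belongs to continues past the hunk.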
@@ -747,7 +771,9 @@ class sambaSamAccount extends baseModule {
 else {
 if (!get_preg($_POST['sambaLMPassword'], 'password')) $errors[] = $this->messages['sambaLMPassword'][1];
 else {
- $this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']);
+ if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
+ $this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']);
+ }
 $this->attributes['sambaNTPassword'][0] = ntPassword($_POST['sambaLMPassword']);
 $this->attributes['sambaPwdLastSet'][0] = time();
 }
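Review bot: With LM hashes off by default, `$_POST['sambaLMPassword']` in the changed lines is now primarily the source of the NT hash, yet the form field name, the `$this->messages['sambaLMPassword'][1]` error and the get_preg() call all still say "LM", so a reader can take the whole branch for LM-only code that is now dead. A comment above the `if (!get_preg(...))` line such as `// form field sambaLMPassword carries the clear-text Samba password; it always feeds the NT hash and, if enabled, the LM hash` would make the intent clear; renaming the field itself touches the form and is better done as a separate change. The else branch that opens this hunk starts outside it.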
@@ -1853,16 +1879,22 @@ class sambaSamAccount extends baseModule {
 }
 // use Unix password
 if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == "") { // default: use Unix
- $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
+ if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
+ $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
+ }
 $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]);
 }
 elseif (in_array($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']], array('true', 'false'))) {
 if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == 'true') { // use Unix
- $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
+ if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
+ $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
+ }
 $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]);
 }
 else { // use given password
- $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
+ if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
+ $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
+ }
 $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
 }
 }
@@ -2133,7 +2165,9 @@ class sambaSamAccount extends baseModule {
 }
 // passwords ( = host name)
 $partialAccounts[$i]['sambaPwdLastSet'] = time();
- $partialAccounts[$i]['sambaLMPassword'] = lmPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
+ if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
+ $partialAccounts[$i]['sambaLMPassword'] = lmPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
+ }
 $partialAccounts[$i]['sambaNTPassword'] = ntPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
 // flags
 $partialAccounts[$i]['sambaAcctFlags'] = "[W ]";
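Review bot: The added line keeps `sizeof($partialAccounts[$i]['uid'])` to strip the trailing character of the host name, and the unchanged sambaNTPassword line below it does the same; if uid is a string here (which the substr() call suggests), sizeof() returns 1 on PHP 5/7 rather than the string length and throws on PHP 8, so the substr() yields an empty string and both hashes are derived from "" instead of the host name — the host-edit path in the @@ -690 hunk uses `strlen($hostname) - 1` for the same purpose. Compute the name once with `$hostname = substr($partialAccounts[$i]['uid'], 0, strlen($partialAccounts[$i]['uid']) - 1);` and pass `$hostname` to both lmPassword() and ntPassword(). The upload loop this belongs to starts and ends outside the hunk.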