allow to disable LM hashes

Roland Gruber 2009-05-03 15:16:15 +00:00
parent ca4c946f88
commit 40bbee0c26
2 changed files with 48 additions and 10 deletions


@ -1,3 +1,7 @@
July 2009 2.7.0
- Samba 3: allow to disable LM hashes (on by default)
08.04.2009 2.6.0 08.04.2009 2.6.0
- support NIS netgroups - support NIS netgroups
- support EDU person accounts (RFE 1413731) - support EDU person accounts (RFE 1413731)


@ -336,7 +336,10 @@ class sambaSamAccount extends baseModule {
"Text" => _("Here you can change the settings for the terminal server access.")), "Text" => _("Here you can change the settings for the terminal server access.")),
'profilePwdCanMustChange' => array ( 'profilePwdCanMustChange' => array (
"Headline" => _("User can/must change password"), "Headline" => _("User can/must change password"),
"Text" => _("This is the number of seconds after when the user may or has to change his password.")) "Text" => _("This is the number of seconds after when the user may or has to change his password.")),
'lmHash' => array (
"Headline" => _("Disable LM hashes"),
"Text" => _("Windows password hashes are saved by default as NT and LM hashes. LM hashes are insecure and only needed for old versions of Windows. You should disable them unless you really need them."))
); );
// upload dependencies // upload dependencies
$return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson'); $return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson');
@ -519,7 +522,18 @@ class sambaSamAccount extends baseModule {
), ),
'options_selected' => array('0'), 'options_selected' => array('0'),
'descriptiveOptions' => true), 'descriptiveOptions' => true),
array('kind' => 'help', 'value' => 'timeZone')) array('kind' => 'help', 'value' => 'timeZone')),
array(
array('kind' => 'text', 'text' => '<b>' . _("Disable LM hashes") . ': &nbsp;</b>'),
array('kind' => 'select', 'name' => 'sambaSamAccount_lmHash', 'size' => '1',
'options' => array(
array('yes', _('yes')),
array('no', _('no'))
),
'options_selected' => array('yes'),
'descriptiveOptions' => true),
array('kind' => 'help', 'value' => 'lmHash')
)
); );
return $return; return $return;
} }
@ -633,6 +647,12 @@ class sambaSamAccount extends baseModule {
if (!in_array('sambaSamAccount', $this->attributes['objectClass'])) { if (!in_array('sambaSamAccount', $this->attributes['objectClass'])) {
return array(); return array();
} }
// delete LM hash if needed
if (!isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) || ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'yes')) {
if (isset($this->attributes['sambaLMPassword'])) {
unset($this->attributes['sambaLMPassword']);
}
}
$errors = array(); $errors = array();
$sambaDomains = search_domains(); $sambaDomains = search_domains();
if (sizeof($sambaDomains) == 0) { if (sizeof($sambaDomains) == 0) {
@ -690,11 +710,13 @@ class sambaSamAccount extends baseModule {
// host attributes // host attributes
if ($this->get_scope()=='host') { if ($this->get_scope()=='host') {
$this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain computers')]; $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain computers')];
if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaLMPassword'][0]) { if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaNTPassword'][0]) {
$attrs = $this->getAccountContainer()->getAccountModule('posixAccount')->getAttributes(); $attrs = $this->getAccountContainer()->getAccountModule('posixAccount')->getAttributes();
$hostname = $attrs['uid'][0]; $hostname = $attrs['uid'][0];
$hostname = substr($hostname, 0, strlen($hostname) - 1); $hostname = substr($hostname, 0, strlen($hostname) - 1);
$this->attributes['sambaLMPassword'][0] = lmPassword($hostname); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($hostname);
}
$this->attributes['sambaNTPassword'][0] = ntPassword($hostname); $this->attributes['sambaNTPassword'][0] = ntPassword($hostname);
$this->attributes['sambaPwdLastSet'][0] = time(); $this->attributes['sambaPwdLastSet'][0] = time();
} }
@ -734,7 +756,9 @@ class sambaSamAccount extends baseModule {
if (isset($_POST['useunixpwd'])) { if (isset($_POST['useunixpwd'])) {
$this->useunixpwd = true; $this->useunixpwd = true;
$this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword());
}
$this->attributes['sambaNTPassword'][0] = ntPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); $this->attributes['sambaNTPassword'][0] = ntPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword());
$this->attributes['sambaPwdLastSet'][0] = time(); $this->attributes['sambaPwdLastSet'][0] = time();
} }
@ -747,7 +771,9 @@ class sambaSamAccount extends baseModule {
else { else {
if (!get_preg($_POST['sambaLMPassword'], 'password')) $errors[] = $this->messages['sambaLMPassword'][1]; if (!get_preg($_POST['sambaLMPassword'], 'password')) $errors[] = $this->messages['sambaLMPassword'][1];
else { else {
$this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']);
}
$this->attributes['sambaNTPassword'][0] = ntPassword($_POST['sambaLMPassword']); $this->attributes['sambaNTPassword'][0] = ntPassword($_POST['sambaLMPassword']);
$this->attributes['sambaPwdLastSet'][0] = time(); $this->attributes['sambaPwdLastSet'][0] = time();
} }
@ -1853,16 +1879,22 @@ class sambaSamAccount extends baseModule {
} }
// use Unix password // use Unix password
if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == "") { // default: use Unix if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == "") { // default: use Unix
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]); $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]);
} }
elseif (in_array($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']], array('true', 'false'))) { elseif (in_array($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']], array('true', 'false'))) {
if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == 'true') { // use Unix if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == 'true') { // use Unix
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]); $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]);
} }
else { // use given password else { // use given password
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]); $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
} }
} }
@ -2133,7 +2165,9 @@ class sambaSamAccount extends baseModule {
} }
// passwords ( = host name) // passwords ( = host name)
$partialAccounts[$i]['sambaPwdLastSet'] = time(); $partialAccounts[$i]['sambaPwdLastSet'] = time();
$partialAccounts[$i]['sambaLMPassword'] = lmPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1)); if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1)); $partialAccounts[$i]['sambaNTPassword'] = ntPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
// flags // flags
$partialAccounts[$i]['sambaAcctFlags'] = "[W ]"; $partialAccounts[$i]['sambaAcctFlags'] = "[W ]";
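Review bot: In the last hunk (host upload, under `// passwords ( = host name)`), the re-wrapped `lmPassword(...)` line and the `ntPassword(...)` line below it still trim the uid with `sizeof($partialAccounts[$i]['uid']) - 1`, whereas the interactive host path in the `@ -690` hunk uses `strlen($hostname) - 1`. If the uid is a plain string at this point, as the `substr()` call implies, `sizeof()` does not return its length, so the machine-account hashes are not derived from the host name minus its last character as the comment intends. Since the commit already touches this line, I would change both calls to `substr($partialAccounts[$i]['uid'], 0, strlen($partialAccounts[$i]['uid']) - 1)`. Separately, the `isset(...) && (... == 'no')` test is repeated in every password path and reads as a double negative against an option named "Disable LM hashes"; a small private helper that answers whether LM hashes are to be written would keep the unset-means-disabled default in one place. The enclosing functions start and end outside the hunks.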