[ekohl] 62519: [MSV1_0] LsaApLogonUser: - Check password prior to checking account restrictions. - Add checks for expired account (disabled) and password.
16 Mar
2014
16 Mar
'14
7:54 p.m.
Author: ekohl
Date: Sun Mar 16 19:54:33 2014
New Revision: 62519
URL: http://svn.reactos.org/svn/reactos?rev=62519&view=rev
Log:
[MSV1_0]
LsaApLogonUser:
- Check password prior to checking account restrictions.
- Add checks for expired account (disabled) and password.
Modified:
trunk/reactos/dll/win32/msv1_0/msv1_0.c
Modified: trunk/reactos/dll/win32/msv1_0/msv1_0.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msv1_0/msv1_0.c?…
==============================================================================
--- trunk/reactos/dll/win32/msv1_0/msv1_0.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msv1_0/msv1_0.c [iso-8859-1] Sun Mar 16 19:54:33 2014
@@ -966,6 +966,10 @@
PSAMPR_USER_INFO_BUFFER UserInfo = NULL;
UNICODE_STRING LogonServer;
BOOLEAN SessionCreated = FALSE;
+ LARGE_INTEGER LogonTime;
+// LARGE_INTEGER AccountExpires;
+ LARGE_INTEGER PasswordMustChange;
+ LARGE_INTEGER PasswordLastSet;
NTSTATUS Status;
TRACE("()\n");
@@ -1005,6 +1009,10 @@
return STATUS_NOT_IMPLEMENTED;
}
+ /* Get the logon time */
+ NtQuerySystemTime(&LogonTime);
+
+ /* Get the domain SID */
Status = GetDomainSid(&AccountDomainSid);
if (!NT_SUCCESS(Status))
{
@@ -1080,8 +1088,19 @@
goto done;
}
-
TRACE("UserName: %S\n", UserInfo->All.UserName.Buffer);
+
+ /* Check the password */
+ if ((UserInfo->All.UserAccountControl & USER_PASSWORD_NOT_REQUIRED) == 0)
+ {
+ Status = MsvpCheckPassword(&(LogonInfo->Password),
+ UserInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("MsvpCheckPassword failed (Status %08lx)\n", Status);
+ goto done;
+ }
+ }
/* Check account restrictions for non-administrator accounts */
if (RelativeIds.Element[0] != DOMAIN_USER_RID_ADMIN)
@@ -1098,29 +1117,48 @@
/* Check if the account has been locked */
if (UserInfo->All.UserAccountControl & USER_ACCOUNT_AUTO_LOCKED)
{
- ERR("Account disabled!\n");
+ ERR("Account locked!\n");
*SubStatus = STATUS_ACCOUNT_LOCKED_OUT;
Status = STATUS_ACCOUNT_RESTRICTION;
goto done;
}
+#if 0
+ /* Check if the account expired */
+ AccountExpires.LowPart = UserInfo->All.AccountExpires.LowPart;
+ AccountExpires.HighPart = UserInfo->All.AccountExpires.HighPart;
+
+ if (AccountExpires.QuadPart != 0 &&
+ LogonTime.QuadPart >= AccountExpires.QuadPart)
+ {
+ ERR("Account expired!\n");
+ *SubStatus = STATUS_ACCOUNT_EXPIRED;
+ Status = STATUS_ACCOUNT_RESTRICTION;
+ goto done;
+ }
+#endif
+
+ /* Check if the password expired */
+ PasswordMustChange.LowPart = UserInfo->All.PasswordMustChange.LowPart;
+ PasswordMustChange.HighPart = UserInfo->All.PasswordMustChange.HighPart;
+ PasswordLastSet.LowPart = UserInfo->All.PasswordLastSet.LowPart;
+ PasswordLastSet.HighPart = UserInfo->All.PasswordLastSet.HighPart;
+
+ if (LogonTime.QuadPart >= PasswordMustChange.QuadPart)
+ {
+ ERR("Password expired!\n");
+ if (PasswordLastSet.QuadPart == 0)
+ *SubStatus = STATUS_PASSWORD_MUST_CHANGE;
+ else
+ *SubStatus = STATUS_PASSWORD_EXPIRED;
+
+ Status = STATUS_ACCOUNT_RESTRICTION;
+ goto done;
+ }
+
/* FIXME: more checks */
-// *SubStatus = STATUS_PASSWORD_EXPIRED;
-// *SubStatus = STATUS_INVALID_LOGON_HOURS;
-// *SubStatus = STATUS_INVALID_WORKSTATION;
-
- }
-
- /* Check the password */
- if ((UserInfo->All.UserAccountControl & USER_PASSWORD_NOT_REQUIRED) == 0)
- {
- Status = MsvpCheckPassword(&(LogonInfo->Password),
- UserInfo);
- if (!NT_SUCCESS(Status))
- {
- TRACE("MsvpCheckPassword failed (Status %08lx)\n", Status);
- goto done;
- }
+ // STATUS_INVALID_LOGON_HOURS;
+ // STATUS_INVALID_WORKSTATION;
}
/* Return logon information */
@@ -1220,7 +1258,7 @@
Status = STATUS_LOGON_FAILURE;
}
- TRACE("LsaApLogonUser done (Status %08lx)\n", Status);
+ TRACE("LsaApLogonUser done (Status 0x%08lx SubStatus 0x%08lx)\n", Status,
*SubStatus);
return Status;
}
3840
days inactive
3840
days old
0 comments
1 participants
participants (1)
-
ekohl@svn.reactos.org