[MSV1_0]
authorEric Kohl <eric.kohl@reactos.org>
Sun, 16 Mar 2014 19:54:33 +0000 (19:54 +0000)
committerEric Kohl <eric.kohl@reactos.org>
Sun, 16 Mar 2014 19:54:33 +0000 (19:54 +0000)
LsaApLogonUser:
- Check password prior to checking account restrictions.
- Add checks for expired account (disabled) and password.

svn path=/trunk/; revision=62519

reactos/dll/win32/msv1_0/msv1_0.c

index ec63a04..046f48f 100644 (file)
@@ -966,6 +966,10 @@ LsaApLogonUser(IN PLSA_CLIENT_REQUEST ClientRequest,
     PSAMPR_USER_INFO_BUFFER UserInfo = NULL;
     UNICODE_STRING LogonServer;
     BOOLEAN SessionCreated = FALSE;
     PSAMPR_USER_INFO_BUFFER UserInfo = NULL;
     UNICODE_STRING LogonServer;
     BOOLEAN SessionCreated = FALSE;
+    LARGE_INTEGER LogonTime;
+//    LARGE_INTEGER AccountExpires;
+    LARGE_INTEGER PasswordMustChange;
+    LARGE_INTEGER PasswordLastSet;
     NTSTATUS Status;
 
     TRACE("()\n");
     NTSTATUS Status;
 
     TRACE("()\n");
@@ -1005,6 +1009,10 @@ LsaApLogonUser(IN PLSA_CLIENT_REQUEST ClientRequest,
         return STATUS_NOT_IMPLEMENTED;
     }
 
         return STATUS_NOT_IMPLEMENTED;
     }
 
+    /* Get the logon time */
+    NtQuerySystemTime(&LogonTime);
+
+    /* Get the domain SID */
     Status = GetDomainSid(&AccountDomainSid);
     if (!NT_SUCCESS(Status))
     {
     Status = GetDomainSid(&AccountDomainSid);
     if (!NT_SUCCESS(Status))
     {
@@ -1080,9 +1088,20 @@ LsaApLogonUser(IN PLSA_CLIENT_REQUEST ClientRequest,
         goto done;
     }
 
         goto done;
     }
 
-
     TRACE("UserName: %S\n", UserInfo->All.UserName.Buffer);
 
     TRACE("UserName: %S\n", UserInfo->All.UserName.Buffer);
 
+    /* Check the password */
+    if ((UserInfo->All.UserAccountControl & USER_PASSWORD_NOT_REQUIRED) == 0)
+    {
+        Status = MsvpCheckPassword(&(LogonInfo->Password),
+                                   UserInfo);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("MsvpCheckPassword failed (Status %08lx)\n", Status);
+            goto done;
+        }
+    }
+
     /* Check account restrictions for non-administrator accounts */
     if (RelativeIds.Element[0] != DOMAIN_USER_RID_ADMIN)
     {
     /* Check account restrictions for non-administrator accounts */
     if (RelativeIds.Element[0] != DOMAIN_USER_RID_ADMIN)
     {
@@ -1098,29 +1117,48 @@ LsaApLogonUser(IN PLSA_CLIENT_REQUEST ClientRequest,
         /* Check if the account has been locked */
         if (UserInfo->All.UserAccountControl & USER_ACCOUNT_AUTO_LOCKED)
         {
         /* Check if the account has been locked */
         if (UserInfo->All.UserAccountControl & USER_ACCOUNT_AUTO_LOCKED)
         {
-            ERR("Account disabled!\n");
+            ERR("Account locked!\n");
             *SubStatus = STATUS_ACCOUNT_LOCKED_OUT;
             Status = STATUS_ACCOUNT_RESTRICTION;
             goto done;
         }
 
             *SubStatus = STATUS_ACCOUNT_LOCKED_OUT;
             Status = STATUS_ACCOUNT_RESTRICTION;
             goto done;
         }
 
-        /* FIXME: more checks */
-//            *SubStatus = STATUS_PASSWORD_EXPIRED;
-//            *SubStatus = STATUS_INVALID_LOGON_HOURS;
-//            *SubStatus = STATUS_INVALID_WORKSTATION;
+#if 0
+        /* Check if the account expired */
+        AccountExpires.LowPart = UserInfo->All.AccountExpires.LowPart;
+        AccountExpires.HighPart = UserInfo->All.AccountExpires.HighPart;
 
 
-    }
+        if (AccountExpires.QuadPart != 0 &&
+            LogonTime.QuadPart >= AccountExpires.QuadPart)
+        {
+            ERR("Account expired!\n");
+            *SubStatus = STATUS_ACCOUNT_EXPIRED;
+            Status = STATUS_ACCOUNT_RESTRICTION;
+            goto done;
+        }
+#endif
 
 
-    /* Check the password */
-    if ((UserInfo->All.UserAccountControl & USER_PASSWORD_NOT_REQUIRED) == 0)
-    {
-        Status = MsvpCheckPassword(&(LogonInfo->Password),
-                                   UserInfo);
-        if (!NT_SUCCESS(Status))
+        /* Check if the password expired */
+        PasswordMustChange.LowPart = UserInfo->All.PasswordMustChange.LowPart;
+        PasswordMustChange.HighPart = UserInfo->All.PasswordMustChange.HighPart;
+        PasswordLastSet.LowPart = UserInfo->All.PasswordLastSet.LowPart;
+        PasswordLastSet.HighPart = UserInfo->All.PasswordLastSet.HighPart;
+
+        if (LogonTime.QuadPart >= PasswordMustChange.QuadPart)
         {
         {
-            TRACE("MsvpCheckPassword failed (Status %08lx)\n", Status);
+            ERR("Password expired!\n");
+            if (PasswordLastSet.QuadPart == 0)
+                *SubStatus = STATUS_PASSWORD_MUST_CHANGE;
+            else
+                *SubStatus = STATUS_PASSWORD_EXPIRED;
+
+            Status = STATUS_ACCOUNT_RESTRICTION;
             goto done;
         }
             goto done;
         }
+
+        /* FIXME: more checks */
+        // STATUS_INVALID_LOGON_HOURS;
+        // STATUS_INVALID_WORKSTATION;
     }
 
     /* Return logon information */
     }
 
     /* Return logon information */
@@ -1220,7 +1258,7 @@ done:
         Status = STATUS_LOGON_FAILURE;
     }
 
         Status = STATUS_LOGON_FAILURE;
     }
 
-    TRACE("LsaApLogonUser done (Status %08lx)\n", Status);
+    TRACE("LsaApLogonUser done (Status 0x%08lx  SubStatus 0x%08lx)\n", Status, *SubStatus);
 
     return Status;
 }
 
     return Status;
 }