archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/protocols/kerberos/common2/restrict.cxx

172 lines
4.0 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1991 - 1992
  6. //
  7. // File: restrict.cxx
  8. //
  9. // Contents: Logon restriction code
  10. //
  11. //
  12. // History: 4-Aug-1996 MikeSw Created from tickets.cxx
  13. //
  14. //------------------------------------------------------------------------
  16. extern "C"
  17. {
  18. #include <nt.h>
  19. #include <ntrtl.h>
  20. #include <nturtl.h>
  21. #include <ntlsa.h>
  22. #include <samrpc.h>
  23. #include <samisrv.h>
  24. }
  25. #include <kerbcomm.h>
  26. #include <kerberr.h>
  27. #include <kerbcon.h>
  28. #include <lmcons.h>
  29. #include "debug.h"
  32. //+-------------------------------------------------------------------------
  33. //
  34. // Function: KerbCheckLogonRestrictions
  35. //
  36. // Synopsis: Checks logon restrictions for an account
  37. //
  38. // Effects:
  39. //
  40. // Arguments: UserHandle - handle to a user
  41. // Workstation - Name of client's workstation
  42. // SecondsToLogon - Receives logon duration in seconds
  43. //
  44. // Requires:
  45. //
  46. // Returns: kerberos errors
  47. //
  48. // Notes:
  49. //
  50. //
  51. //--------------------------------------------------------------------------
  53. KERBERR
  54. KerbCheckLogonRestrictions(
  55. IN PVOID UserHandle,
  56. IN PUNICODE_STRING Workstation,
  57. IN PUSER_ALL_INFORMATION UserAll,
  58. IN ULONG LogonRestrictionsFlags,
  59. OUT PLARGE_INTEGER LogoffTime,
  60. OUT PNTSTATUS RetStatus
  61. )
  62. {
  63. NTSTATUS Status;
  64. KERBERR KerbErr;
  65. LARGE_INTEGER KickoffTime;
  66. LARGE_INTEGER CurrentTime;
  67. PLARGE_INTEGER TempTime;
  69. GetSystemTimeAsFileTime((PFILETIME) &CurrentTime );
  71. //
  72. // Check the restrictions SAM doesn't:
  73. //
  75. TempTime = (PLARGE_INTEGER) &UserAll->AccountExpires;
  76. if ((TempTime->QuadPart != 0) &&
  77. (TempTime->QuadPart < CurrentTime.QuadPart))
  78. {
  79. Status = STATUS_ACCOUNT_EXPIRED;
  80. goto Cleanup;
  81. }
  83. //
  84. // For user accounts, check if the password has expired.
  85. //
  87. if (((LogonRestrictionsFlags & KDC_RESTRICT_IGNORE_PW_EXPIRATION) == 0) &&
  88. ((UserAll->UserAccountControl & USER_NORMAL_ACCOUNT) != 0))
  89. {
  90. TempTime = (PLARGE_INTEGER) &UserAll->PasswordMustChange;
  92. if (TempTime->QuadPart < CurrentTime.QuadPart)
  93. {
  94. if (TempTime->QuadPart == 0)
  95. {
  96. Status = STATUS_PASSWORD_MUST_CHANGE;
  97. }
  98. else
  99. {
  100. Status = STATUS_PASSWORD_EXPIRED;
  101. }
  102. goto Cleanup;
  103. }
  104. }
  106. if ((UserAll->UserAccountControl & USER_ACCOUNT_DISABLED))
  107. {
  108. Status = STATUS_ACCOUNT_DISABLED;
  109. goto Cleanup;
  110. }
  112. //
  113. // The Administrator account can not be locked out.
  114. //
  117. if ((UserAll->UserAccountControl & USER_ACCOUNT_AUTO_LOCKED) &&
  118. (UserAll->UserId != DOMAIN_USER_RID_ADMIN))
  119. {
  120. Status = STATUS_ACCOUNT_LOCKED_OUT;
  121. goto Cleanup;
  122. }
  124. if ((UserAll->UserAccountControl & USER_SMARTCARD_REQUIRED) &&
  125. ((LogonRestrictionsFlags & KDC_RESTRICT_PKINIT_USED) == 0))
  126. {
  127. Status = STATUS_SMARTCARD_LOGON_REQUIRED;
  128. goto Cleanup;
  129. }
  132. Status = SamIAccountRestrictions(
  133. UserHandle,
  134. Workstation,
  135. &UserAll->WorkStations,
  136. &UserAll->LogonHours,
  137. LogoffTime,
  138. &KickoffTime
  139. );
  140. if (!NT_SUCCESS(Status))
  141. {
  142. goto Cleanup;
  143. }
  145. Cleanup:
  147. *RetStatus = Status;
  148. switch(Status)
  149. {
  150. case STATUS_SUCCESS:
  151. KerbErr = KDC_ERR_NONE;
  152. break;
  153. case STATUS_ACCOUNT_EXPIRED: // See bug #23456
  154. case STATUS_ACCOUNT_LOCKED_OUT:
  155. case STATUS_ACCOUNT_DISABLED:
  156. case STATUS_INVALID_LOGON_HOURS:
  157. case STATUS_LOGIN_TIME_RESTRICTION:
  158. case STATUS_LOGIN_WKSTA_RESTRICTION:
  159. KerbErr = KDC_ERR_CLIENT_REVOKED;
  160. break;
  161. case STATUS_PASSWORD_EXPIRED:
  162. case STATUS_PASSWORD_MUST_CHANGE:
  163. KerbErr = KDC_ERR_KEY_EXPIRED;
  164. break;
  165. default:
  166. KerbErr = KDC_ERR_POLICY;
  167. }
  168. return(KerbErr);
  169. }