1998-05-07 22:19:05 +04:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
1998-05-07 22:19:05 +04:00
Password and authentication handling
2001-09-26 00:21:21 +04:00
Copyright ( C ) Jeremy Allison 1996 - 2001
2000-11-14 02:03:34 +03:00
Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1998
2006-02-21 17:34:11 +03:00
Copyright ( C ) Gerald ( Jerry ) Carter 2000 - 2006
2002-01-12 04:55:09 +03:00
Copyright ( C ) Andrew Bartlett 2001 - 2002
2003-05-12 22:12:31 +04:00
Copyright ( C ) Simo Sorce 2003
2006-02-13 20:08:25 +03:00
Copyright ( C ) Volker Lendecke 2006
2009-01-31 18:57:46 +03:00
1998-05-07 22:19:05 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
1998-05-07 22:19:05 +04:00
( at your option ) any later version .
2009-01-31 18:57:46 +03:00
1998-05-07 22:19:05 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-01-31 18:57:46 +03:00
1998-05-07 22:19:05 +04:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
1998-05-07 22:19:05 +04:00
*/
# include "includes.h"
2011-03-18 20:58:37 +03:00
# include "passdb.h"
2011-02-25 19:14:22 +03:00
# include "system/passwd.h"
2009-03-16 13:27:58 +03:00
# include "../libcli/auth/libcli_auth.h"
2010-08-05 04:25:37 +04:00
# include "secrets.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2011-03-02 18:11:00 +03:00
# include "../lib/util/util_pw.h"
2011-05-05 13:25:29 +04:00
# include "util_tdb.h"
1998-05-07 22:19:05 +04:00
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_PASSDB
2009-02-13 00:01:45 +03:00
/******************************************************************
Get the default domain / netbios name to be used when
testing authentication .
LEGACY : this function provides the legacy domain mapping used with
the lp_map_untrusted_to_domain ( ) parameter
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
const char * my_sam_name ( void )
{
/* Standalone servers can only use the local netbios name */
if ( lp_server_role ( ) = = ROLE_STANDALONE )
return global_myname ( ) ;
/* Default to the DOMAIN name when not specified */
return lp_workgroup ( ) ;
}
2006-02-25 00:36:40 +03:00
/**********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-08-29 23:14:25 +04:00
static int samu_destroy ( struct samu * user )
2006-02-25 00:36:40 +03:00
{
data_blob_clear_free ( & user - > lm_pw ) ;
data_blob_clear_free ( & user - > nt_pw ) ;
if ( user - > plaintext_pw )
memset ( user - > plaintext_pw , 0x0 , strlen ( user - > plaintext_pw ) ) ;
return 0 ;
}
2001-09-27 13:13:26 +04:00
2006-02-25 00:36:40 +03:00
/**********************************************************************
generate a new struct samuser
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-06-15 05:54:09 +04:00
struct samu * samu_new ( TALLOC_CTX * ctx )
2001-09-27 13:13:26 +04:00
{
2006-02-25 00:36:40 +03:00
struct samu * user ;
2009-01-31 18:57:46 +03:00
2011-06-07 05:44:43 +04:00
if ( ! ( user = talloc_zero ( ctx , struct samu ) ) ) {
2006-02-25 00:36:40 +03:00
DEBUG ( 0 , ( " samuser_new: Talloc failed! \n " ) ) ;
return NULL ;
}
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
talloc_set_destructor ( user , samu_destroy ) ;
2009-01-31 18:57:46 +03:00
2002-11-07 10:19:10 +03:00
/* no initial methods */
2009-01-31 18:57:46 +03:00
2002-11-07 10:19:10 +03:00
user - > methods = NULL ;
2001-10-04 03:08:10 +04:00
/* Don't change these timestamp settings without a good reason.
They are important for NT member server compatibility . */
2006-02-20 23:09:36 +03:00
user - > logon_time = ( time_t ) 0 ;
user - > pass_last_set_time = ( time_t ) 0 ;
user - > pass_can_change_time = ( time_t ) 0 ;
2006-02-21 17:34:11 +03:00
user - > logoff_time = get_time_t_max ( ) ;
user - > kickoff_time = get_time_t_max ( ) ;
2006-02-20 23:09:36 +03:00
user - > pass_must_change_time = get_time_t_max ( ) ;
user - > fields_present = 0x00ffffff ;
user - > logon_divs = 168 ; /* hours per week */
user - > hours_len = 21 ; /* 21 times 8 bits = 168 */
memset ( user - > hours , 0xff , user - > hours_len ) ; /* available at all hours */
user - > bad_password_count = 0 ;
user - > logon_count = 0 ;
user - > unknown_6 = 0x000004ec ; /* don't know */
2002-01-15 04:14:58 +03:00
/* Some parts of samba strlen their pdb_get...() returns,
so this keeps the interface unchanged for now . */
2009-01-31 18:57:46 +03:00
2006-02-20 23:09:36 +03:00
user - > username = " " ;
user - > domain = " " ;
user - > nt_username = " " ;
user - > full_name = " " ;
user - > home_dir = " " ;
user - > logon_script = " " ;
user - > profile_path = " " ;
user - > acct_desc = " " ;
user - > workstations = " " ;
2006-07-11 22:01:26 +04:00
user - > comment = " " ;
2006-02-20 23:09:36 +03:00
user - > munged_dial = " " ;
user - > plaintext_pw = NULL ;
2002-09-25 19:19:00 +04:00
2006-02-25 00:36:40 +03:00
/* Unless we know otherwise have a Account Control Bit
2003-10-10 16:57:44 +04:00
value of ' normal user ' . This helps User Manager , which
2006-02-25 00:36:40 +03:00
asks for a filtered list of users . */
2003-10-10 16:57:44 +04:00
2006-02-20 23:09:36 +03:00
user - > acct_ctrl = ACB_NORMAL ;
2009-01-31 18:57:46 +03:00
2006-02-20 23:09:36 +03:00
return user ;
}
2001-09-27 13:13:26 +04:00
2010-02-06 15:26:06 +03:00
static int count_commas ( const char * str )
{
int num_commas = 0 ;
const char * comma = str ;
while ( ( comma = strchr ( comma , ' , ' ) ) ! = NULL ) {
comma + = 1 ;
num_commas + = 1 ;
}
return num_commas ;
}
2006-02-21 19:46:21 +03:00
/*********************************************************************
Initialize a struct samu from a struct passwd including the user
2006-02-25 00:36:40 +03:00
and group SIDs . The * user structure is filled out with the Unix
attributes and a user SID .
2006-02-21 19:46:21 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-02-12 18:20:40 +03:00
2007-10-19 04:40:25 +04:00
static NTSTATUS samu_set_unix_internal ( struct samu * user , const struct passwd * pwd , bool create )
2004-02-12 18:20:40 +03:00
{
const char * guest_account = lp_guestaccount ( ) ;
2006-02-25 00:36:40 +03:00
const char * domain = global_myname ( ) ;
2010-02-06 15:26:06 +03:00
char * fullname ;
2010-05-21 04:38:04 +04:00
uint32_t urid ;
2006-02-21 19:46:21 +03:00
if ( ! pwd ) {
return NT_STATUS_NO_SUCH_USER ;
2004-02-12 18:20:40 +03:00
}
2006-02-21 22:22:49 +03:00
/* Basic properties based upon the Unix account information */
2009-01-31 18:57:46 +03:00
2006-02-21 19:46:21 +03:00
pdb_set_username ( user , pwd - > pw_name , PDB_SET ) ;
2010-02-06 15:26:06 +03:00
fullname = NULL ;
if ( count_commas ( pwd - > pw_gecos ) = = 3 ) {
/*
* Heuristic : This seems to be a gecos field that has been
* edited by chfn ( 1 ) . Only use the part before the first
* comma . Fixes bug 5198.
*/
fullname = talloc_strndup (
talloc_tos ( ) , pwd - > pw_gecos ,
strchr ( pwd - > pw_gecos , ' , ' ) - pwd - > pw_gecos ) ;
}
if ( fullname ! = NULL ) {
pdb_set_fullname ( user , fullname , PDB_SET ) ;
} else {
pdb_set_fullname ( user , pwd - > pw_gecos , PDB_SET ) ;
}
TALLOC_FREE ( fullname ) ;
2006-02-21 19:46:21 +03:00
pdb_set_domain ( user , get_global_sam_name ( ) , PDB_DEFAULT ) ;
2006-08-25 02:05:53 +04:00
#if 0
/* This can lead to a primary group of S-1-22-2-XX which
will be rejected by other parts of the Samba code .
Rely on pdb_get_group_sid ( ) to " Do The Right Thing " ( TM )
- - jerry */
2009-01-31 18:57:46 +03:00
2006-05-14 19:24:14 +04:00
gid_to_sid ( & group_sid , pwd - > pw_gid ) ;
pdb_set_group_sid ( user , & group_sid , PDB_SET ) ;
2006-08-25 02:05:53 +04:00
# endif
2009-01-31 18:57:46 +03:00
2006-02-21 22:22:49 +03:00
/* save the password structure for later use */
2009-01-31 18:57:46 +03:00
2006-02-21 22:22:49 +03:00
user - > unix_pw = tcopy_passwd ( user , pwd ) ;
2006-02-25 00:36:40 +03:00
/* Special case for the guest account which must have a RID of 501 */
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
if ( strequal ( pwd - > pw_name , guest_account ) ) {
2010-05-18 00:04:24 +04:00
if ( ! pdb_set_user_sid_from_rid ( user , DOMAIN_RID_GUEST , PDB_DEFAULT ) ) {
2006-02-21 19:46:21 +03:00
return NT_STATUS_NO_SUCH_USER ;
}
return NT_STATUS_OK ;
2004-02-12 18:20:40 +03:00
}
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
/* Non-guest accounts...Check for a workstation or user account */
2006-02-21 19:46:21 +03:00
if ( pwd - > pw_name [ strlen ( pwd - > pw_name ) - 1 ] = = ' $ ' ) {
/* workstation */
2009-01-31 18:57:46 +03:00
2006-02-21 19:46:21 +03:00
if ( ! pdb_set_acct_ctrl ( user , ACB_WSTRUST , PDB_DEFAULT ) ) {
DEBUG ( 1 , ( " Failed to set 'workstation account' flags for user %s. \n " ,
pwd - > pw_name ) ) ;
return NT_STATUS_INVALID_COMPUTER_NAME ;
2006-02-25 00:36:40 +03:00
}
2004-02-12 18:20:40 +03:00
}
2006-02-21 19:46:21 +03:00
else {
/* user */
2009-01-31 18:57:46 +03:00
2006-02-21 19:46:21 +03:00
if ( ! pdb_set_acct_ctrl ( user , ACB_NORMAL , PDB_DEFAULT ) ) {
DEBUG ( 1 , ( " Failed to set 'normal account' flags for user %s. \n " ,
pwd - > pw_name ) ) ;
return NT_STATUS_INVALID_ACCOUNT_NAME ;
}
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
/* set some basic attributes */
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
pdb_set_profile_path ( user , talloc_sub_specified ( user ,
lp_logon_path ( ) , pwd - > pw_name , domain , pwd - > pw_uid , pwd - > pw_gid ) ,
PDB_DEFAULT ) ;
pdb_set_homedir ( user , talloc_sub_specified ( user ,
lp_logon_home ( ) , pwd - > pw_name , domain , pwd - > pw_uid , pwd - > pw_gid ) ,
PDB_DEFAULT ) ;
pdb_set_dir_drive ( user , talloc_sub_specified ( user ,
lp_logon_drive ( ) , pwd - > pw_name , domain , pwd - > pw_uid , pwd - > pw_gid ) ,
PDB_DEFAULT ) ;
pdb_set_logon_script ( user , talloc_sub_specified ( user ,
lp_logon_script ( ) , pwd - > pw_name , domain , pwd - > pw_uid , pwd - > pw_gid ) ,
PDB_DEFAULT ) ;
2006-02-21 17:34:11 +03:00
}
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
/* Now deal with the user SID. If we have a backend that can generate
RIDs , then do so . But sometimes the caller just wanted a structure
initialized and will fill in these fields later ( such as from a
2008-02-17 04:09:35 +03:00
netr_SamInfo3 structure ) */
2006-02-21 17:34:11 +03:00
2009-06-28 19:36:12 +04:00
if ( create & & ( pdb_capabilities ( ) & PDB_CAP_STORE_RIDS ) ) {
2010-05-21 04:38:04 +04:00
uint32_t user_rid ;
2010-05-21 05:25:01 +04:00
struct dom_sid user_sid ;
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
if ( ! pdb_new_rid ( & user_rid ) ) {
DEBUG ( 3 , ( " Could not allocate a new RID \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2006-02-04 01:19:41 +03:00
}
2010-01-10 19:39:27 +03:00
sid_compose ( & user_sid , get_global_sam_sid ( ) , user_rid ) ;
2006-02-04 01:19:41 +03:00
2006-02-25 00:36:40 +03:00
if ( ! pdb_set_user_sid ( user , & user_sid , PDB_SET ) ) {
DEBUG ( 3 , ( " pdb_set_user_sid failed \n " ) ) ;
return NT_STATUS_INTERNAL_ERROR ;
2006-02-04 01:19:41 +03:00
}
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
return NT_STATUS_OK ;
2006-02-04 01:19:41 +03:00
}
2006-03-01 23:47:36 +03:00
/* generate a SID for the user with the RID algorithm */
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
urid = algorithmic_pdb_uid_to_user_rid ( user - > unix_pw - > pw_uid ) ;
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
if ( ! pdb_set_user_sid_from_rid ( user , urid , PDB_SET ) ) {
return NT_STATUS_INTERNAL_ERROR ;
2006-02-04 01:19:41 +03:00
}
2009-01-31 18:57:46 +03:00
2006-02-25 00:36:40 +03:00
return NT_STATUS_OK ;
}
2006-02-04 01:19:41 +03:00
2006-02-25 00:36:40 +03:00
/********************************************************************
Set the Unix user attributes
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
2006-02-25 00:36:40 +03:00
NTSTATUS samu_set_unix ( struct samu * user , const struct passwd * pwd )
{
return samu_set_unix_internal ( user , pwd , False ) ;
2003-04-29 13:43:17 +04:00
}
2006-02-25 00:36:40 +03:00
NTSTATUS samu_alloc_rid_unix ( struct samu * user , const struct passwd * pwd )
{
return samu_set_unix_internal ( user , pwd , True ) ;
}
2003-04-29 13:43:17 +04:00
2001-09-26 00:21:21 +04:00
/**********************************************************
Encode the account control bits into a string .
length = length of string to encode into ( including terminating
null ) . length * MUST BE MORE THAN 2 * !
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-10-22 05:41:24 +04:00
char * pdb_encode_acct_ctrl ( uint32_t acct_ctrl , size_t length )
2001-09-26 00:21:21 +04:00
{
2007-11-04 20:15:37 +03:00
fstring acct_str ;
char * result ;
2004-02-08 14:02:11 +03:00
2001-09-26 00:21:21 +04:00
size_t i = 0 ;
2004-02-09 18:21:42 +03:00
SMB_ASSERT ( length < = sizeof ( acct_str ) ) ;
2001-09-26 00:21:21 +04:00
acct_str [ i + + ] = ' [ ' ;
if ( acct_ctrl & ACB_PWNOTREQ ) acct_str [ i + + ] = ' N ' ;
if ( acct_ctrl & ACB_DISABLED ) acct_str [ i + + ] = ' D ' ;
if ( acct_ctrl & ACB_HOMDIRREQ ) acct_str [ i + + ] = ' H ' ;
if ( acct_ctrl & ACB_TEMPDUP ) acct_str [ i + + ] = ' T ' ;
if ( acct_ctrl & ACB_NORMAL ) acct_str [ i + + ] = ' U ' ;
if ( acct_ctrl & ACB_MNS ) acct_str [ i + + ] = ' M ' ;
if ( acct_ctrl & ACB_WSTRUST ) acct_str [ i + + ] = ' W ' ;
if ( acct_ctrl & ACB_SVRTRUST ) acct_str [ i + + ] = ' S ' ;
if ( acct_ctrl & ACB_AUTOLOCK ) acct_str [ i + + ] = ' L ' ;
if ( acct_ctrl & ACB_PWNOEXP ) acct_str [ i + + ] = ' X ' ;
if ( acct_ctrl & ACB_DOMTRUST ) acct_str [ i + + ] = ' I ' ;
for ( ; i < length - 2 ; i + + )
acct_str [ i ] = ' ' ;
i = length - 2 ;
acct_str [ i + + ] = ' ] ' ;
acct_str [ i + + ] = ' \0 ' ;
2007-11-04 20:15:37 +03:00
result = talloc_strdup ( talloc_tos ( ) , acct_str ) ;
SMB_ASSERT ( result ! = NULL ) ;
return result ;
2001-09-26 00:21:21 +04:00
}
/**********************************************************
Decode the account control bits from a string .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-10-22 05:41:24 +04:00
uint32_t pdb_decode_acct_ctrl ( const char * p )
2001-09-26 00:21:21 +04:00
{
2008-10-22 05:41:24 +04:00
uint32_t acct_ctrl = 0 ;
bool finished = false ;
2001-09-26 00:21:21 +04:00
/*
* Check if the account type bits have been encoded after the
* NT password ( in the form [ NDHTUWSLXI ] ) .
*/
if ( * p ! = ' [ ' )
return 0 ;
for ( p + + ; * p & & ! finished ; p + + ) {
switch ( * p ) {
case ' N ' : { acct_ctrl | = ACB_PWNOTREQ ; break ; /* 'N'o password. */ }
case ' D ' : { acct_ctrl | = ACB_DISABLED ; break ; /* 'D'isabled. */ }
case ' H ' : { acct_ctrl | = ACB_HOMDIRREQ ; break ; /* 'H'omedir required. */ }
case ' T ' : { acct_ctrl | = ACB_TEMPDUP ; break ; /* 'T'emp account. */ }
case ' U ' : { acct_ctrl | = ACB_NORMAL ; break ; /* 'U'ser account (normal). */ }
case ' M ' : { acct_ctrl | = ACB_MNS ; break ; /* 'M'NS logon user account. What is this ? */ }
case ' W ' : { acct_ctrl | = ACB_WSTRUST ; break ; /* 'W'orkstation account. */ }
case ' S ' : { acct_ctrl | = ACB_SVRTRUST ; break ; /* 'S'erver account. */ }
case ' L ' : { acct_ctrl | = ACB_AUTOLOCK ; break ; /* 'L'ocked account. */ }
case ' X ' : { acct_ctrl | = ACB_PWNOEXP ; break ; /* No 'X'piry on password */ }
case ' I ' : { acct_ctrl | = ACB_DOMTRUST ; break ; /* 'I'nterdomain trust account. */ }
case ' ' : { break ; }
case ' : ' :
case ' \n ' :
case ' \0 ' :
case ' ] ' :
2008-10-22 05:41:24 +04:00
default : { finished = true ; }
2001-09-26 00:21:21 +04:00
}
}
return acct_ctrl ;
}
/*************************************************************
Routine to set 32 hex password characters from a 16 byte array .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
void pdb_sethexpwd ( char p [ 33 ] , const unsigned char * pwd , uint32_t acct_ctrl )
2001-09-26 00:21:21 +04:00
{
if ( pwd ! = NULL ) {
int i ;
for ( i = 0 ; i < 16 ; i + + )
slprintf ( & p [ i * 2 ] , 3 , " %02X " , pwd [ i ] ) ;
} else {
if ( acct_ctrl & ACB_PWNOTREQ )
2011-05-04 00:52:06 +04:00
strlcpy ( p , " NO PASSWORDXXXXXXXXXXXXXXXXXXXXX " , 33 ) ;
2001-09-26 00:21:21 +04:00
else
2011-05-04 00:52:06 +04:00
strlcpy ( p , " XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX " , 33 ) ;
2001-09-26 00:21:21 +04:00
}
}
/*************************************************************
Routine to get the 32 hex characters and turn them
into a 16 byte array .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool pdb_gethexpwd ( const char * p , unsigned char * pwd )
2001-09-26 00:21:21 +04:00
{
int i ;
unsigned char lonybble , hinybble ;
2003-01-03 11:28:12 +03:00
const char * hexchars = " 0123456789ABCDEF " ;
2001-09-26 00:21:21 +04:00
char * p1 , * p2 ;
2009-01-31 18:57:46 +03:00
2001-09-26 00:21:21 +04:00
if ( ! p )
2008-10-22 05:41:24 +04:00
return false ;
2009-01-31 18:57:46 +03:00
2001-09-26 00:21:21 +04:00
for ( i = 0 ; i < 32 ; i + = 2 ) {
2005-12-27 23:52:36 +03:00
hinybble = toupper_ascii ( p [ i ] ) ;
lonybble = toupper_ascii ( p [ i + 1 ] ) ;
2001-09-26 00:21:21 +04:00
p1 = strchr ( hexchars , hinybble ) ;
p2 = strchr ( hexchars , lonybble ) ;
if ( ! p1 | | ! p2 )
2008-10-22 05:41:24 +04:00
return false ;
2001-09-26 00:21:21 +04:00
hinybble = PTR_DIFF ( p1 , hexchars ) ;
lonybble = PTR_DIFF ( p2 , hexchars ) ;
pwd [ i / 2 ] = ( hinybble < < 4 ) | lonybble ;
}
2008-10-22 05:41:24 +04:00
return true ;
2001-09-26 00:21:21 +04:00
}
2004-08-13 22:02:58 +04:00
/*************************************************************
Routine to set 42 hex hours characters from a 21 byte array .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void pdb_sethexhours ( char * p , const unsigned char * hours )
{
if ( hours ! = NULL ) {
int i ;
for ( i = 0 ; i < 21 ; i + + ) {
slprintf ( & p [ i * 2 ] , 3 , " %02X " , hours [ i ] ) ;
}
} else {
2011-05-04 00:52:06 +04:00
strlcpy ( p , " FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF " , 44 ) ;
2004-08-13 22:02:58 +04:00
}
}
/*************************************************************
Routine to get the 42 hex characters and turn them
into a 21 byte array .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool pdb_gethexhours ( const char * p , unsigned char * hours )
2004-08-13 22:02:58 +04:00
{
int i ;
unsigned char lonybble , hinybble ;
const char * hexchars = " 0123456789ABCDEF " ;
char * p1 , * p2 ;
if ( ! p ) {
return ( False ) ;
}
for ( i = 0 ; i < 42 ; i + = 2 ) {
2005-12-27 23:52:36 +03:00
hinybble = toupper_ascii ( p [ i ] ) ;
lonybble = toupper_ascii ( p [ i + 1 ] ) ;
2004-08-13 22:02:58 +04:00
p1 = strchr ( hexchars , hinybble ) ;
p2 = strchr ( hexchars , lonybble ) ;
if ( ! p1 | | ! p2 ) {
return ( False ) ;
}
hinybble = PTR_DIFF ( p1 , hexchars ) ;
lonybble = PTR_DIFF ( p2 , hexchars ) ;
hours [ i / 2 ] = ( hinybble < < 4 ) | lonybble ;
}
return ( True ) ;
}
2006-02-25 00:36:40 +03:00
/********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int algorithmic_rid_base ( void )
2002-11-05 10:20:27 +03:00
{
2008-02-02 16:01:26 +03:00
int rid_offset ;
2002-11-05 10:20:27 +03:00
rid_offset = lp_algorithmic_rid_base ( ) ;
if ( rid_offset < BASE_RID ) {
/* Try to prevent admin foot-shooting, we can't put algorithmic
rids below 1000 , that ' s the ' well known RIDs ' on NT */
DEBUG ( 0 , ( " 'algorithmic rid base' must be equal to or above %ld \n " , BASE_RID ) ) ;
rid_offset = BASE_RID ;
}
if ( rid_offset & 1 ) {
DEBUG ( 0 , ( " algorithmic rid base must be even \n " ) ) ;
rid_offset + = 1 ;
}
return rid_offset ;
}
2003-05-12 22:12:31 +04:00
/*******************************************************************
Converts NT user RID to a UNIX uid .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-11-05 10:20:27 +03:00
2010-05-21 04:38:04 +04:00
uid_t algorithmic_pdb_user_rid_to_uid ( uint32_t user_rid )
1999-12-13 16:27:58 +03:00
{
2002-11-05 10:20:27 +03:00
int rid_offset = algorithmic_rid_base ( ) ;
2003-05-12 22:12:31 +04:00
return ( uid_t ) ( ( ( user_rid & ( ~ USER_RID_TYPE ) ) - rid_offset ) / RID_MULTIPLIER ) ;
1999-12-13 16:27:58 +03:00
}
2006-02-04 01:19:41 +03:00
uid_t max_algorithmic_uid ( void )
{
return algorithmic_pdb_user_rid_to_uid ( 0xfffffffe ) ;
}
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
/*******************************************************************
2002-03-18 14:35:53 +03:00
converts UNIX uid to an NT User RID .
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
uint32_t algorithmic_pdb_uid_to_user_rid ( uid_t uid )
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
{
2002-11-05 10:20:27 +03:00
int rid_offset = algorithmic_rid_base ( ) ;
2010-05-21 04:38:04 +04:00
return ( ( ( ( ( uint32_t ) uid ) * RID_MULTIPLIER ) + rid_offset ) | USER_RID_TYPE ) ;
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
}
2000-11-14 02:03:34 +03:00
/*******************************************************************
2002-03-18 14:35:53 +03:00
Converts NT group RID to a UNIX gid .
2000-11-14 02:03:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2010-05-21 04:38:04 +04:00
gid_t pdb_group_rid_to_gid ( uint32_t group_rid )
1999-12-13 16:27:58 +03:00
{
2002-11-05 10:20:27 +03:00
int rid_offset = algorithmic_rid_base ( ) ;
2002-07-15 14:35:28 +04:00
return ( gid_t ) ( ( ( group_rid & ( ~ GROUP_RID_TYPE ) ) - rid_offset ) / RID_MULTIPLIER ) ;
1999-12-13 16:27:58 +03:00
}
2006-02-04 01:19:41 +03:00
gid_t max_algorithmic_gid ( void )
{
return pdb_group_rid_to_gid ( 0xffffffff ) ;
}
2000-11-14 02:03:34 +03:00
/*******************************************************************
converts NT Group RID to a UNIX uid .
2001-12-02 03:03:35 +03:00
warning : you must not call that function only
you must do a call to the group mapping first .
there is not anymore a direct link between the gid and the rid .
2000-11-14 02:03:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-10-07 19:56:36 +04:00
2010-05-21 04:38:04 +04:00
uint32_t algorithmic_pdb_gid_to_group_rid ( gid_t gid )
2000-10-07 19:56:36 +04:00
{
2002-11-05 10:20:27 +03:00
int rid_offset = algorithmic_rid_base ( ) ;
2010-05-21 04:38:04 +04:00
return ( ( ( ( ( uint32_t ) gid ) * RID_MULTIPLIER ) + rid_offset ) | GROUP_RID_TYPE ) ;
2000-10-07 19:56:36 +04:00
}
2000-11-14 02:03:34 +03:00
/*******************************************************************
Decides if a RID is a well known RID .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
static bool rid_is_well_known ( uint32_t rid )
2000-10-07 19:56:36 +04:00
{
2003-05-14 04:46:43 +04:00
/* Not using rid_offset here, because this is the actual
2002-07-15 14:35:28 +04:00
NT fixed value ( 1000 ) */
return ( rid < BASE_RID ) ;
2000-10-07 19:56:36 +04:00
}
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
/*******************************************************************
Decides if a RID is a user or group RID .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-26 00:21:21 +04:00
2010-05-21 04:38:04 +04:00
bool algorithmic_pdb_rid_is_user ( uint32_t rid )
2000-11-14 02:03:34 +03:00
{
2006-02-25 00:36:40 +03:00
if ( rid_is_well_known ( rid ) ) {
2004-08-17 23:59:22 +04:00
/*
2010-05-18 00:04:24 +04:00
* The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
* and DOMAIN_RID_GUEST .
2004-08-17 23:59:22 +04:00
*/
2010-05-18 00:04:24 +04:00
if ( rid = = DOMAIN_RID_ADMINISTRATOR | | rid = = DOMAIN_RID_GUEST )
2004-08-17 23:59:22 +04:00
return True ;
} else if ( ( rid & RID_TYPE_MASK ) = = USER_RID_TYPE ) {
return True ;
}
return False ;
2000-11-14 02:03:34 +03:00
}
/*******************************************************************
Convert a name into a SID . Used in the lookup name rpc .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2007-10-19 04:40:25 +04:00
bool lookup_global_sam_name ( const char * name , int flags , uint32_t * rid ,
2006-09-08 18:28:06 +04:00
enum lsa_SidType * type )
1998-05-18 18:43:06 +04:00
{
2002-07-15 14:35:28 +04:00
GROUP_MAP map ;
2007-10-19 04:40:25 +04:00
bool ret ;
2009-01-31 18:57:46 +03:00
2006-03-15 20:40:28 +03:00
/* Windows treats "MACHINE\None" as a special name for
rid 513 on non - DCs . You cannot create a user or group
name " None " on Windows . You will get an error that
the group already exists . */
2009-01-31 18:57:46 +03:00
2006-12-18 23:05:50 +03:00
if ( strequal ( name , " None " ) ) {
2010-05-18 00:04:24 +04:00
* rid = DOMAIN_RID_USERS ;
2006-03-15 20:40:28 +03:00
* type = SID_NAME_DOM_GRP ;
2009-01-31 18:57:46 +03:00
2006-03-15 20:40:28 +03:00
return True ;
}
2006-02-04 01:19:41 +03:00
/* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
* correctly in the case where foo also exists as a user . If the flag
* is set , don ' t look for users at all . */
2006-02-13 20:08:25 +03:00
if ( ( flags & LOOKUP_NAME_GROUP ) = = 0 ) {
2006-02-20 23:09:36 +03:00
struct samu * sam_account = NULL ;
2010-05-21 05:25:01 +04:00
struct dom_sid user_sid ;
2005-12-03 21:34:13 +03:00
2006-02-21 17:34:11 +03:00
if ( ! ( sam_account = samu_new ( NULL ) ) ) {
2005-12-03 21:34:13 +03:00
return False ;
}
2009-01-31 18:57:46 +03:00
2006-02-13 20:08:25 +03:00
become_root ( ) ;
2006-12-18 23:05:50 +03:00
ret = pdb_getsampwnam ( sam_account , name ) ;
2006-02-13 20:08:25 +03:00
unbecome_root ( ) ;
2005-12-03 21:34:13 +03:00
2006-02-13 20:08:25 +03:00
if ( ret ) {
sid_copy ( & user_sid , pdb_get_user_sid ( sam_account ) ) ;
}
2009-01-31 18:57:46 +03:00
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sam_account ) ;
2002-01-26 15:24:18 +03:00
2006-02-13 20:08:25 +03:00
if ( ret ) {
if ( ! sid_check_is_in_our_domain ( & user_sid ) ) {
DEBUG ( 0 , ( " User %s with invalid SID %s in passdb \n " ,
2007-12-15 23:11:36 +03:00
name , sid_string_dbg ( & user_sid ) ) ) ;
2006-02-13 20:08:25 +03:00
return False ;
}
2005-12-03 21:34:13 +03:00
2006-02-13 20:08:25 +03:00
sid_peek_rid ( & user_sid , rid ) ;
* type = SID_NAME_USER ;
return True ;
2003-11-24 20:31:38 +03:00
}
2005-12-03 21:34:13 +03:00
}
2006-02-13 20:08:25 +03:00
/*
* Maybe it is a group ?
*/
become_root ( ) ;
2006-12-18 23:05:50 +03:00
ret = pdb_getgrnam ( & map , name ) ;
2006-02-13 20:08:25 +03:00
unbecome_root ( ) ;
2006-02-04 01:19:41 +03:00
2006-02-13 20:08:25 +03:00
if ( ! ret ) {
2007-05-29 17:18:57 +04:00
return False ;
2005-12-03 21:34:13 +03:00
}
2006-02-13 20:08:25 +03:00
/* BUILTIN groups are looked up elsewhere */
if ( ! sid_check_is_in_our_domain ( & map . sid ) ) {
DEBUG ( 10 , ( " Found group %s (%s) not in our domain -- "
2007-12-15 23:11:36 +03:00
" ignoring. " , name , sid_string_dbg ( & map . sid ) ) ) ;
2005-12-03 21:34:13 +03:00
return False ;
2000-11-14 02:03:34 +03:00
}
2006-02-13 20:08:25 +03:00
/* yes it's a mapped group */
sid_peek_rid ( & map . sid , rid ) ;
* type = map . sid_name_use ;
2000-11-14 02:03:34 +03:00
return True ;
1998-05-18 18:43:06 +04:00
}
2000-11-14 02:03:34 +03:00
/*************************************************************
2009-05-17 02:10:39 +04:00
Change a password entry in the local passdb backend .
Assumptions :
- always called as root
- ignores the account type except when adding a new account
- will create / delete the unix account if the relative
add / delete user script is configured
2000-11-14 02:03:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2007-11-22 04:42:52 +03:00
NTSTATUS local_password_change ( const char * user_name ,
int local_flags ,
const char * new_passwd ,
char * * pp_err_str ,
char * * pp_msg_str )
2000-11-14 02:03:34 +03:00
{
2009-05-17 02:10:39 +04:00
TALLOC_CTX * tosctx ;
struct samu * sam_pass ;
uint32_t acb ;
uint32_t rid ;
2006-02-04 01:19:41 +03:00
NTSTATUS result ;
2009-05-17 02:10:39 +04:00
bool user_exists ;
2009-05-29 20:08:02 +04:00
int ret = - 1 ;
1999-12-13 16:27:58 +03:00
2007-11-22 04:42:52 +03:00
* pp_err_str = NULL ;
* pp_msg_str = NULL ;
1999-12-13 16:27:58 +03:00
2009-05-17 02:10:39 +04:00
tosctx = talloc_tos ( ) ;
2003-07-09 04:20:43 +04:00
2009-05-17 02:10:39 +04:00
sam_pass = samu_new ( tosctx ) ;
if ( ! sam_pass ) {
result = NT_STATUS_NO_MEMORY ;
goto done ;
}
2006-02-04 01:19:41 +03:00
2009-05-17 02:10:39 +04:00
/* Get the smb passwd entry for this user */
user_exists = pdb_getsampwnam ( sam_pass , user_name ) ;
/* Check delete first, we don't need to do anything else if we
* are going to delete the acocunt */
if ( user_exists & & ( local_flags & LOCAL_DELETE_USER ) ) {
result = pdb_delete_user ( tosctx , sam_pass ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
ret = asprintf ( pp_err_str ,
" Failed to delete entry for user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
* pp_err_str = NULL ;
2006-02-25 00:36:40 +03:00
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
} else {
ret = asprintf ( pp_msg_str ,
" Deleted user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
* pp_msg_str = NULL ;
2006-02-25 00:36:40 +03:00
}
2009-05-17 02:10:39 +04:00
}
goto done ;
}
2006-02-25 00:36:40 +03:00
2009-05-17 02:10:39 +04:00
if ( user_exists & & ( local_flags & LOCAL_ADD_USER ) ) {
/* the entry already existed */
local_flags & = ~ LOCAL_ADD_USER ;
}
2006-02-25 00:36:40 +03:00
2009-05-17 02:10:39 +04:00
if ( ! user_exists & & ! ( local_flags & LOCAL_ADD_USER ) ) {
ret = asprintf ( pp_err_str ,
" Failed to find entry for user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
* pp_err_str = NULL ;
}
result = NT_STATUS_NO_SUCH_USER ;
goto done ;
}
2006-02-25 00:36:40 +03:00
2009-05-17 02:10:39 +04:00
/* First thing add the new user if we are required to do so */
if ( local_flags & LOCAL_ADD_USER ) {
2006-02-04 01:19:41 +03:00
2009-05-17 02:10:39 +04:00
if ( local_flags & LOCAL_TRUST_ACCOUNT ) {
acb = ACB_WSTRUST ;
} else if ( local_flags & LOCAL_INTERDOM_ACCOUNT ) {
acb = ACB_DOMTRUST ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
} else {
2009-05-17 02:10:39 +04:00
acb = ACB_NORMAL ;
2001-09-27 13:13:26 +04:00
}
1999-12-13 16:27:58 +03:00
2009-05-17 02:10:39 +04:00
result = pdb_create_user ( tosctx , user_name , acb , & rid ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
ret = asprintf ( pp_err_str ,
" Failed to add entry for user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2002-09-25 19:19:00 +04:00
}
2009-05-17 02:10:39 +04:00
sam_pass = samu_new ( tosctx ) ;
if ( ! sam_pass ) {
result = NT_STATUS_NO_MEMORY ;
goto done ;
2002-09-25 19:19:00 +04:00
}
2009-05-17 02:10:39 +04:00
/* Now get back the smb passwd entry for this new user */
user_exists = pdb_getsampwnam ( sam_pass , user_name ) ;
if ( ! user_exists ) {
ret = asprintf ( pp_err_str ,
" Failed to add entry for user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2002-09-25 19:19:00 +04:00
}
}
2009-05-17 02:10:39 +04:00
acb = pdb_get_acct_ctrl ( sam_pass ) ;
1999-12-13 16:27:58 +03:00
/*
2000-11-14 02:03:34 +03:00
* We are root - just write the new password
* and the valid last change time .
1999-12-13 16:27:58 +03:00
*/
2009-05-17 02:10:39 +04:00
if ( ( local_flags & LOCAL_SET_NO_PASSWORD ) & & ! ( acb & ACB_PWNOTREQ ) ) {
acb | = ACB_PWNOTREQ ;
if ( ! pdb_set_acct_ctrl ( sam_pass , acb , PDB_CHANGED ) ) {
ret = asprintf ( pp_err_str ,
" Failed to set 'no password required' "
" flag for user %s. \n " , user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2001-09-29 17:14:19 +04:00
}
}
2009-01-31 18:57:46 +03:00
2009-05-17 02:10:39 +04:00
if ( local_flags & LOCAL_SET_PASSWORD ) {
1999-12-13 16:27:58 +03:00
/*
2000-11-14 02:03:34 +03:00
* If we ' re dealing with setting a completely empty user account
* ie . One with a password of ' XXXX ' , but not set disabled ( like
* an account created from scratch ) then if the old password was
* ' XX ' s then getsmbpwent will have set the ACB_DISABLED flag .
* We remove that as we ' re giving this user their first password
* and the decision hasn ' t really been made to disable them ( ie .
* don ' t create them disabled ) . JRA .
1999-12-13 16:27:58 +03:00
*/
2009-05-17 02:10:39 +04:00
if ( ( pdb_get_lanman_passwd ( sam_pass ) = = NULL ) & &
( acb & ACB_DISABLED ) ) {
acb & = ( ~ ACB_DISABLED ) ;
if ( ! pdb_set_acct_ctrl ( sam_pass , acb , PDB_CHANGED ) ) {
ret = asprintf ( pp_err_str ,
" Failed to unset 'disabled' "
" flag for user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2001-09-29 17:14:19 +04:00
}
}
2009-01-31 18:57:46 +03:00
2009-05-17 02:10:39 +04:00
acb & = ( ~ ACB_PWNOTREQ ) ;
if ( ! pdb_set_acct_ctrl ( sam_pass , acb , PDB_CHANGED ) ) {
ret = asprintf ( pp_err_str ,
" Failed to unset 'no password required' "
" flag for user %s. \n " , user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2001-09-29 17:14:19 +04:00
}
2009-05-17 02:10:39 +04:00
if ( ! pdb_set_plaintext_passwd ( sam_pass , new_passwd ) ) {
ret = asprintf ( pp_err_str ,
" Failed to set password for "
" user %s. \n " , user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2001-09-29 17:14:19 +04:00
}
2009-05-17 02:10:39 +04:00
}
if ( ( local_flags & LOCAL_DISABLE_USER ) & & ! ( acb & ACB_DISABLED ) ) {
acb | = ACB_DISABLED ;
if ( ! pdb_set_acct_ctrl ( sam_pass , acb , PDB_CHANGED ) ) {
ret = asprintf ( pp_err_str ,
" Failed to set 'disabled' flag for "
" user %s. \n " , user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2008-12-23 21:27:24 +03:00
}
2009-05-17 02:10:39 +04:00
}
if ( ( local_flags & LOCAL_ENABLE_USER ) & & ( acb & ACB_DISABLED ) ) {
acb & = ( ~ ACB_DISABLED ) ;
if ( ! pdb_set_acct_ctrl ( sam_pass , acb , PDB_CHANGED ) ) {
ret = asprintf ( pp_err_str ,
" Failed to unset 'disabled' flag for "
" user %s. \n " , user_name ) ;
if ( ret < 0 ) {
2008-12-23 21:27:24 +03:00
* pp_err_str = NULL ;
}
2009-05-17 02:10:39 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2000-11-14 02:03:34 +03:00
}
2009-05-17 02:10:39 +04:00
}
/* now commit changes if any */
result = pdb_update_sam_account ( sam_pass ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
ret = asprintf ( pp_err_str ,
" Failed to modify entry for user %s. \n " ,
user_name ) ;
if ( ret < 0 ) {
* pp_err_str = NULL ;
2008-12-23 21:27:24 +03:00
}
2009-05-17 02:10:39 +04:00
goto done ;
}
if ( local_flags & LOCAL_ADD_USER ) {
ret = asprintf ( pp_msg_str , " Added user %s. \n " , user_name ) ;
} else if ( local_flags & LOCAL_DISABLE_USER ) {
ret = asprintf ( pp_msg_str , " Disabled user %s. \n " , user_name ) ;
} else if ( local_flags & LOCAL_ENABLE_USER ) {
ret = asprintf ( pp_msg_str , " Enabled user %s. \n " , user_name ) ;
} else if ( local_flags & LOCAL_SET_NO_PASSWORD ) {
ret = asprintf ( pp_msg_str ,
" User %s password set to none. \n " , user_name ) ;
1999-03-03 23:48:48 +03:00
}
2000-11-14 02:03:34 +03:00
2009-05-17 02:10:39 +04:00
if ( ret < 0 ) {
* pp_msg_str = NULL ;
}
result = NT_STATUS_OK ;
done :
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sam_pass ) ;
2009-05-17 02:10:39 +04:00
return result ;
2003-07-07 09:11:10 +04:00
}
2003-07-09 01:58:29 +04:00
/**********************************************************************
2006-02-20 23:09:36 +03:00
Marshall / unmarshall struct samu structs .
2003-07-09 01:58:29 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-12-15 20:46:37 +03:00
# define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
# define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
# define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
# define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
2008-12-16 13:51:14 +03:00
/* nothing changed between V3 and V4 */
2003-07-09 01:58:29 +04:00
2006-02-21 22:02:22 +03:00
/*********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-02-13 17:48:20 +03:00
2010-05-21 04:38:04 +04:00
static bool init_samu_from_buffer_v0 ( struct samu * sampass , uint8_t * buf , uint32_t buflen )
2008-12-15 20:46:37 +03:00
{
/* times are stored as 32bit integer
take care on system with 64 bit wide time_t
- - SSS */
2010-05-21 04:38:04 +04:00
uint32_t logon_time ,
2008-12-15 20:46:37 +03:00
logoff_time ,
kickoff_time ,
pass_last_set_time ,
pass_can_change_time ,
pass_must_change_time ;
char * username = NULL ;
char * domain = NULL ;
char * nt_username = NULL ;
char * dir_drive = NULL ;
char * unknown_str = NULL ;
char * munged_dial = NULL ;
char * fullname = NULL ;
char * homedir = NULL ;
char * logon_script = NULL ;
char * profile_path = NULL ;
char * acct_desc = NULL ;
char * workstations = NULL ;
2010-05-21 04:38:04 +04:00
uint32_t username_len , domain_len , nt_username_len ,
2008-12-15 20:46:37 +03:00
dir_drive_len , unknown_str_len , munged_dial_len ,
fullname_len , homedir_len , logon_script_len ,
profile_path_len , acct_desc_len , workstations_len ;
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
uint32_t user_rid , group_rid , remove_me , hours_len , unknown_6 ;
uint16_t acct_ctrl , logon_divs ;
uint16_t bad_password_count , logon_count ;
uint8_t * hours = NULL ;
uint8_t * lm_pw_ptr = NULL , * nt_pw_ptr = NULL ;
uint32_t len = 0 ;
uint32_t lm_pw_len , nt_pw_len , hourslen ;
2008-12-15 20:46:37 +03:00
bool ret = True ;
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
if ( sampass = = NULL | | buf = = NULL ) {
DEBUG ( 0 , ( " init_samu_from_buffer_v0: NULL parameters found! \n " ) ) ;
return False ;
}
/* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
/* unpack the buffer into variables */
len = tdb_unpack ( buf , buflen , SAMU_BUFFER_FORMAT_V0 ,
& logon_time , /* d */
& logoff_time , /* d */
& kickoff_time , /* d */
& pass_last_set_time , /* d */
& pass_can_change_time , /* d */
& pass_must_change_time , /* d */
& username_len , & username , /* B */
& domain_len , & domain , /* B */
& nt_username_len , & nt_username , /* B */
& fullname_len , & fullname , /* B */
& homedir_len , & homedir , /* B */
& dir_drive_len , & dir_drive , /* B */
& logon_script_len , & logon_script , /* B */
& profile_path_len , & profile_path , /* B */
& acct_desc_len , & acct_desc , /* B */
& workstations_len , & workstations , /* B */
& unknown_str_len , & unknown_str , /* B */
& munged_dial_len , & munged_dial , /* B */
& user_rid , /* d */
& group_rid , /* d */
& lm_pw_len , & lm_pw_ptr , /* B */
& nt_pw_len , & nt_pw_ptr , /* B */
& acct_ctrl , /* w */
& remove_me , /* remove on the next TDB_FORMAT upgarde */ /* d */
& logon_divs , /* w */
& hours_len , /* d */
& hourslen , & hours , /* B */
& bad_password_count , /* w */
& logon_count , /* w */
& unknown_6 ) ; /* d */
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
if ( len = = ( uint32_t ) - 1 ) {
2008-12-15 20:46:37 +03:00
ret = False ;
goto done ;
}
pdb_set_logon_time ( sampass , logon_time , PDB_SET ) ;
pdb_set_logoff_time ( sampass , logoff_time , PDB_SET ) ;
pdb_set_kickoff_time ( sampass , kickoff_time , PDB_SET ) ;
pdb_set_pass_can_change_time ( sampass , pass_can_change_time , PDB_SET ) ;
pdb_set_pass_must_change_time ( sampass , pass_must_change_time , PDB_SET ) ;
pdb_set_pass_last_set_time ( sampass , pass_last_set_time , PDB_SET ) ;
pdb_set_username ( sampass , username , PDB_SET ) ;
pdb_set_domain ( sampass , domain , PDB_SET ) ;
pdb_set_nt_username ( sampass , nt_username , PDB_SET ) ;
pdb_set_fullname ( sampass , fullname , PDB_SET ) ;
if ( homedir ) {
pdb_set_homedir ( sampass , homedir , PDB_SET ) ;
}
else {
pdb_set_homedir ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_home ( ) ) ,
PDB_DEFAULT ) ;
}
if ( dir_drive )
pdb_set_dir_drive ( sampass , dir_drive , PDB_SET ) ;
else {
pdb_set_dir_drive ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_drive ( ) ) ,
PDB_DEFAULT ) ;
}
if ( logon_script )
pdb_set_logon_script ( sampass , logon_script , PDB_SET ) ;
else {
pdb_set_logon_script ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_script ( ) ) ,
PDB_DEFAULT ) ;
}
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
if ( profile_path ) {
pdb_set_profile_path ( sampass , profile_path , PDB_SET ) ;
} else {
pdb_set_profile_path ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_path ( ) ) ,
PDB_DEFAULT ) ;
}
pdb_set_acct_desc ( sampass , acct_desc , PDB_SET ) ;
pdb_set_workstations ( sampass , workstations , PDB_SET ) ;
pdb_set_munged_dial ( sampass , munged_dial , PDB_SET ) ;
if ( lm_pw_ptr & & lm_pw_len = = LM_HASH_LEN ) {
if ( ! pdb_set_lanman_passwd ( sampass , lm_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
if ( nt_pw_ptr & & nt_pw_len = = NT_HASH_LEN ) {
if ( ! pdb_set_nt_passwd ( sampass , nt_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
pdb_set_pw_history ( sampass , NULL , 0 , PDB_SET ) ;
pdb_set_user_sid_from_rid ( sampass , user_rid , PDB_SET ) ;
pdb_set_group_sid_from_rid ( sampass , group_rid , PDB_SET ) ;
pdb_set_hours_len ( sampass , hours_len , PDB_SET ) ;
pdb_set_bad_password_count ( sampass , bad_password_count , PDB_SET ) ;
pdb_set_logon_count ( sampass , logon_count , PDB_SET ) ;
pdb_set_unknown_6 ( sampass , unknown_6 , PDB_SET ) ;
pdb_set_acct_ctrl ( sampass , acct_ctrl , PDB_SET ) ;
pdb_set_logon_divs ( sampass , logon_divs , PDB_SET ) ;
2011-02-16 18:47:23 +03:00
pdb_set_hours ( sampass , hours , hours_len , PDB_SET ) ;
2008-12-15 20:46:37 +03:00
done :
SAFE_FREE ( username ) ;
SAFE_FREE ( domain ) ;
SAFE_FREE ( nt_username ) ;
SAFE_FREE ( fullname ) ;
SAFE_FREE ( homedir ) ;
SAFE_FREE ( dir_drive ) ;
SAFE_FREE ( logon_script ) ;
SAFE_FREE ( profile_path ) ;
SAFE_FREE ( acct_desc ) ;
SAFE_FREE ( workstations ) ;
SAFE_FREE ( munged_dial ) ;
SAFE_FREE ( unknown_str ) ;
SAFE_FREE ( lm_pw_ptr ) ;
SAFE_FREE ( nt_pw_ptr ) ;
SAFE_FREE ( hours ) ;
return ret ;
}
/*********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
static bool init_samu_from_buffer_v1 ( struct samu * sampass , uint8_t * buf , uint32_t buflen )
2008-12-15 20:46:37 +03:00
{
/* times are stored as 32bit integer
take care on system with 64 bit wide time_t
- - SSS */
2010-05-21 04:38:04 +04:00
uint32_t logon_time ,
2008-12-15 20:46:37 +03:00
logoff_time ,
kickoff_time ,
bad_password_time ,
pass_last_set_time ,
pass_can_change_time ,
pass_must_change_time ;
char * username = NULL ;
char * domain = NULL ;
char * nt_username = NULL ;
char * dir_drive = NULL ;
char * unknown_str = NULL ;
char * munged_dial = NULL ;
char * fullname = NULL ;
char * homedir = NULL ;
char * logon_script = NULL ;
char * profile_path = NULL ;
char * acct_desc = NULL ;
char * workstations = NULL ;
2010-05-21 04:38:04 +04:00
uint32_t username_len , domain_len , nt_username_len ,
2008-12-15 20:46:37 +03:00
dir_drive_len , unknown_str_len , munged_dial_len ,
fullname_len , homedir_len , logon_script_len ,
profile_path_len , acct_desc_len , workstations_len ;
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
uint32_t user_rid , group_rid , remove_me , hours_len , unknown_6 ;
uint16_t acct_ctrl , logon_divs ;
uint16_t bad_password_count , logon_count ;
uint8_t * hours = NULL ;
uint8_t * lm_pw_ptr = NULL , * nt_pw_ptr = NULL ;
uint32_t len = 0 ;
uint32_t lm_pw_len , nt_pw_len , hourslen ;
2008-12-15 20:46:37 +03:00
bool ret = True ;
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
if ( sampass = = NULL | | buf = = NULL ) {
DEBUG ( 0 , ( " init_samu_from_buffer_v1: NULL parameters found! \n " ) ) ;
return False ;
}
/* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
/* unpack the buffer into variables */
len = tdb_unpack ( buf , buflen , SAMU_BUFFER_FORMAT_V1 ,
& logon_time , /* d */
& logoff_time , /* d */
& kickoff_time , /* d */
/* Change from V0 is addition of bad_password_time field. */
& bad_password_time , /* d */
& pass_last_set_time , /* d */
& pass_can_change_time , /* d */
& pass_must_change_time , /* d */
& username_len , & username , /* B */
& domain_len , & domain , /* B */
& nt_username_len , & nt_username , /* B */
& fullname_len , & fullname , /* B */
& homedir_len , & homedir , /* B */
& dir_drive_len , & dir_drive , /* B */
& logon_script_len , & logon_script , /* B */
& profile_path_len , & profile_path , /* B */
& acct_desc_len , & acct_desc , /* B */
& workstations_len , & workstations , /* B */
& unknown_str_len , & unknown_str , /* B */
& munged_dial_len , & munged_dial , /* B */
& user_rid , /* d */
& group_rid , /* d */
& lm_pw_len , & lm_pw_ptr , /* B */
& nt_pw_len , & nt_pw_ptr , /* B */
& acct_ctrl , /* w */
& remove_me , /* d */
& logon_divs , /* w */
& hours_len , /* d */
& hourslen , & hours , /* B */
& bad_password_count , /* w */
& logon_count , /* w */
& unknown_6 ) ; /* d */
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
if ( len = = ( uint32_t ) - 1 ) {
2008-12-15 20:46:37 +03:00
ret = False ;
goto done ;
}
pdb_set_logon_time ( sampass , logon_time , PDB_SET ) ;
pdb_set_logoff_time ( sampass , logoff_time , PDB_SET ) ;
pdb_set_kickoff_time ( sampass , kickoff_time , PDB_SET ) ;
/* Change from V0 is addition of bad_password_time field. */
pdb_set_bad_password_time ( sampass , bad_password_time , PDB_SET ) ;
pdb_set_pass_can_change_time ( sampass , pass_can_change_time , PDB_SET ) ;
pdb_set_pass_must_change_time ( sampass , pass_must_change_time , PDB_SET ) ;
pdb_set_pass_last_set_time ( sampass , pass_last_set_time , PDB_SET ) ;
pdb_set_username ( sampass , username , PDB_SET ) ;
pdb_set_domain ( sampass , domain , PDB_SET ) ;
pdb_set_nt_username ( sampass , nt_username , PDB_SET ) ;
pdb_set_fullname ( sampass , fullname , PDB_SET ) ;
if ( homedir ) {
pdb_set_homedir ( sampass , homedir , PDB_SET ) ;
}
else {
pdb_set_homedir ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_home ( ) ) ,
PDB_DEFAULT ) ;
}
if ( dir_drive )
pdb_set_dir_drive ( sampass , dir_drive , PDB_SET ) ;
else {
pdb_set_dir_drive ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_drive ( ) ) ,
PDB_DEFAULT ) ;
}
if ( logon_script )
pdb_set_logon_script ( sampass , logon_script , PDB_SET ) ;
else {
pdb_set_logon_script ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_script ( ) ) ,
PDB_DEFAULT ) ;
}
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
if ( profile_path ) {
pdb_set_profile_path ( sampass , profile_path , PDB_SET ) ;
} else {
pdb_set_profile_path ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_path ( ) ) ,
PDB_DEFAULT ) ;
}
pdb_set_acct_desc ( sampass , acct_desc , PDB_SET ) ;
pdb_set_workstations ( sampass , workstations , PDB_SET ) ;
pdb_set_munged_dial ( sampass , munged_dial , PDB_SET ) ;
if ( lm_pw_ptr & & lm_pw_len = = LM_HASH_LEN ) {
if ( ! pdb_set_lanman_passwd ( sampass , lm_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
if ( nt_pw_ptr & & nt_pw_len = = NT_HASH_LEN ) {
if ( ! pdb_set_nt_passwd ( sampass , nt_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
pdb_set_pw_history ( sampass , NULL , 0 , PDB_SET ) ;
pdb_set_user_sid_from_rid ( sampass , user_rid , PDB_SET ) ;
pdb_set_group_sid_from_rid ( sampass , group_rid , PDB_SET ) ;
pdb_set_hours_len ( sampass , hours_len , PDB_SET ) ;
pdb_set_bad_password_count ( sampass , bad_password_count , PDB_SET ) ;
pdb_set_logon_count ( sampass , logon_count , PDB_SET ) ;
pdb_set_unknown_6 ( sampass , unknown_6 , PDB_SET ) ;
pdb_set_acct_ctrl ( sampass , acct_ctrl , PDB_SET ) ;
pdb_set_logon_divs ( sampass , logon_divs , PDB_SET ) ;
2011-02-16 18:47:23 +03:00
pdb_set_hours ( sampass , hours , hours_len , PDB_SET ) ;
2008-12-15 20:46:37 +03:00
done :
SAFE_FREE ( username ) ;
SAFE_FREE ( domain ) ;
SAFE_FREE ( nt_username ) ;
SAFE_FREE ( fullname ) ;
SAFE_FREE ( homedir ) ;
SAFE_FREE ( dir_drive ) ;
SAFE_FREE ( logon_script ) ;
SAFE_FREE ( profile_path ) ;
SAFE_FREE ( acct_desc ) ;
SAFE_FREE ( workstations ) ;
SAFE_FREE ( munged_dial ) ;
SAFE_FREE ( unknown_str ) ;
SAFE_FREE ( lm_pw_ptr ) ;
SAFE_FREE ( nt_pw_ptr ) ;
SAFE_FREE ( hours ) ;
return ret ;
}
2010-05-21 04:38:04 +04:00
static bool init_samu_from_buffer_v2 ( struct samu * sampass , uint8_t * buf , uint32_t buflen )
2008-12-15 20:46:37 +03:00
{
/* times are stored as 32bit integer
take care on system with 64 bit wide time_t
- - SSS */
2010-05-21 04:38:04 +04:00
uint32_t logon_time ,
2008-12-15 20:46:37 +03:00
logoff_time ,
kickoff_time ,
bad_password_time ,
pass_last_set_time ,
pass_can_change_time ,
pass_must_change_time ;
char * username = NULL ;
char * domain = NULL ;
char * nt_username = NULL ;
char * dir_drive = NULL ;
char * unknown_str = NULL ;
char * munged_dial = NULL ;
char * fullname = NULL ;
char * homedir = NULL ;
char * logon_script = NULL ;
char * profile_path = NULL ;
char * acct_desc = NULL ;
char * workstations = NULL ;
2010-05-21 04:38:04 +04:00
uint32_t username_len , domain_len , nt_username_len ,
2008-12-15 20:46:37 +03:00
dir_drive_len , unknown_str_len , munged_dial_len ,
fullname_len , homedir_len , logon_script_len ,
profile_path_len , acct_desc_len , workstations_len ;
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
uint32_t user_rid , group_rid , hours_len , unknown_6 ;
uint16_t acct_ctrl , logon_divs ;
uint16_t bad_password_count , logon_count ;
uint8_t * hours = NULL ;
uint8_t * lm_pw_ptr = NULL , * nt_pw_ptr = NULL , * nt_pw_hist_ptr = NULL ;
uint32_t len = 0 ;
uint32_t lm_pw_len , nt_pw_len , nt_pw_hist_len , hourslen ;
uint32_t pwHistLen = 0 ;
2008-12-15 20:46:37 +03:00
bool ret = True ;
fstring tmp_string ;
bool expand_explicit = lp_passdb_expand_explicit ( ) ;
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
if ( sampass = = NULL | | buf = = NULL ) {
DEBUG ( 0 , ( " init_samu_from_buffer_v2: NULL parameters found! \n " ) ) ;
return False ;
}
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
/* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
/* unpack the buffer into variables */
len = tdb_unpack ( buf , buflen , SAMU_BUFFER_FORMAT_V2 ,
& logon_time , /* d */
& logoff_time , /* d */
& kickoff_time , /* d */
& bad_password_time , /* d */
& pass_last_set_time , /* d */
& pass_can_change_time , /* d */
& pass_must_change_time , /* d */
& username_len , & username , /* B */
& domain_len , & domain , /* B */
& nt_username_len , & nt_username , /* B */
& fullname_len , & fullname , /* B */
& homedir_len , & homedir , /* B */
& dir_drive_len , & dir_drive , /* B */
& logon_script_len , & logon_script , /* B */
& profile_path_len , & profile_path , /* B */
& acct_desc_len , & acct_desc , /* B */
& workstations_len , & workstations , /* B */
& unknown_str_len , & unknown_str , /* B */
& munged_dial_len , & munged_dial , /* B */
& user_rid , /* d */
& group_rid , /* d */
& lm_pw_len , & lm_pw_ptr , /* B */
& nt_pw_len , & nt_pw_ptr , /* B */
/* Change from V1 is addition of password history field. */
& nt_pw_hist_len , & nt_pw_hist_ptr , /* B */
& acct_ctrl , /* w */
/* Also "remove_me" field was removed. */
& logon_divs , /* w */
& hours_len , /* d */
& hourslen , & hours , /* B */
& bad_password_count , /* w */
& logon_count , /* w */
& unknown_6 ) ; /* d */
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
if ( len = = ( uint32_t ) - 1 ) {
2008-12-15 20:46:37 +03:00
ret = False ;
goto done ;
}
pdb_set_logon_time ( sampass , logon_time , PDB_SET ) ;
pdb_set_logoff_time ( sampass , logoff_time , PDB_SET ) ;
pdb_set_kickoff_time ( sampass , kickoff_time , PDB_SET ) ;
pdb_set_bad_password_time ( sampass , bad_password_time , PDB_SET ) ;
pdb_set_pass_can_change_time ( sampass , pass_can_change_time , PDB_SET ) ;
pdb_set_pass_must_change_time ( sampass , pass_must_change_time , PDB_SET ) ;
pdb_set_pass_last_set_time ( sampass , pass_last_set_time , PDB_SET ) ;
pdb_set_username ( sampass , username , PDB_SET ) ;
pdb_set_domain ( sampass , domain , PDB_SET ) ;
pdb_set_nt_username ( sampass , nt_username , PDB_SET ) ;
pdb_set_fullname ( sampass , fullname , PDB_SET ) ;
if ( homedir ) {
fstrcpy ( tmp_string , homedir ) ;
if ( expand_explicit ) {
standard_sub_basic ( username , domain , tmp_string ,
sizeof ( tmp_string ) ) ;
}
pdb_set_homedir ( sampass , tmp_string , PDB_SET ) ;
}
else {
pdb_set_homedir ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_home ( ) ) ,
PDB_DEFAULT ) ;
}
if ( dir_drive )
pdb_set_dir_drive ( sampass , dir_drive , PDB_SET ) ;
else
pdb_set_dir_drive ( sampass , lp_logon_drive ( ) , PDB_DEFAULT ) ;
if ( logon_script ) {
fstrcpy ( tmp_string , logon_script ) ;
if ( expand_explicit ) {
standard_sub_basic ( username , domain , tmp_string ,
sizeof ( tmp_string ) ) ;
}
pdb_set_logon_script ( sampass , tmp_string , PDB_SET ) ;
}
else {
pdb_set_logon_script ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_script ( ) ) ,
PDB_DEFAULT ) ;
}
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
if ( profile_path ) {
fstrcpy ( tmp_string , profile_path ) ;
if ( expand_explicit ) {
standard_sub_basic ( username , domain , tmp_string ,
sizeof ( tmp_string ) ) ;
}
pdb_set_profile_path ( sampass , tmp_string , PDB_SET ) ;
}
else {
pdb_set_profile_path ( sampass ,
talloc_sub_basic ( sampass , username , domain ,
lp_logon_path ( ) ) ,
PDB_DEFAULT ) ;
}
pdb_set_acct_desc ( sampass , acct_desc , PDB_SET ) ;
pdb_set_workstations ( sampass , workstations , PDB_SET ) ;
pdb_set_munged_dial ( sampass , munged_dial , PDB_SET ) ;
if ( lm_pw_ptr & & lm_pw_len = = LM_HASH_LEN ) {
if ( ! pdb_set_lanman_passwd ( sampass , lm_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
if ( nt_pw_ptr & & nt_pw_len = = NT_HASH_LEN ) {
if ( ! pdb_set_nt_passwd ( sampass , nt_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
/* Change from V1 is addition of password history field. */
2009-07-14 01:53:49 +04:00
pdb_get_account_policy ( PDB_POLICY_PASSWORD_HISTORY , & pwHistLen ) ;
2008-12-15 20:46:37 +03:00
if ( pwHistLen ) {
2010-05-21 04:38:04 +04:00
uint8_t * pw_hist = SMB_MALLOC_ARRAY ( uint8_t , pwHistLen * PW_HISTORY_ENTRY_LEN ) ;
2008-12-15 20:46:37 +03:00
if ( ! pw_hist ) {
ret = False ;
goto done ;
}
memset ( pw_hist , ' \0 ' , pwHistLen * PW_HISTORY_ENTRY_LEN ) ;
if ( nt_pw_hist_ptr & & nt_pw_hist_len ) {
int i ;
SMB_ASSERT ( ( nt_pw_hist_len % PW_HISTORY_ENTRY_LEN ) = = 0 ) ;
nt_pw_hist_len / = PW_HISTORY_ENTRY_LEN ;
for ( i = 0 ; ( i < pwHistLen ) & & ( i < nt_pw_hist_len ) ; i + + ) {
memcpy ( & pw_hist [ i * PW_HISTORY_ENTRY_LEN ] ,
& nt_pw_hist_ptr [ i * PW_HISTORY_ENTRY_LEN ] ,
PW_HISTORY_ENTRY_LEN ) ;
}
}
if ( ! pdb_set_pw_history ( sampass , pw_hist , pwHistLen , PDB_SET ) ) {
SAFE_FREE ( pw_hist ) ;
ret = False ;
goto done ;
}
SAFE_FREE ( pw_hist ) ;
} else {
pdb_set_pw_history ( sampass , NULL , 0 , PDB_SET ) ;
}
pdb_set_user_sid_from_rid ( sampass , user_rid , PDB_SET ) ;
pdb_set_group_sid_from_rid ( sampass , group_rid , PDB_SET ) ;
pdb_set_hours_len ( sampass , hours_len , PDB_SET ) ;
pdb_set_bad_password_count ( sampass , bad_password_count , PDB_SET ) ;
pdb_set_logon_count ( sampass , logon_count , PDB_SET ) ;
pdb_set_unknown_6 ( sampass , unknown_6 , PDB_SET ) ;
pdb_set_acct_ctrl ( sampass , acct_ctrl , PDB_SET ) ;
pdb_set_logon_divs ( sampass , logon_divs , PDB_SET ) ;
2011-02-16 18:47:23 +03:00
pdb_set_hours ( sampass , hours , hours_len , PDB_SET ) ;
2008-12-15 20:46:37 +03:00
done :
SAFE_FREE ( username ) ;
SAFE_FREE ( domain ) ;
SAFE_FREE ( nt_username ) ;
SAFE_FREE ( fullname ) ;
SAFE_FREE ( homedir ) ;
SAFE_FREE ( dir_drive ) ;
SAFE_FREE ( logon_script ) ;
SAFE_FREE ( profile_path ) ;
SAFE_FREE ( acct_desc ) ;
SAFE_FREE ( workstations ) ;
SAFE_FREE ( munged_dial ) ;
SAFE_FREE ( unknown_str ) ;
SAFE_FREE ( lm_pw_ptr ) ;
SAFE_FREE ( nt_pw_ptr ) ;
SAFE_FREE ( nt_pw_hist_ptr ) ;
SAFE_FREE ( hours ) ;
return ret ;
}
/*********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
static bool init_samu_from_buffer_v3 ( struct samu * sampass , uint8_t * buf , uint32_t buflen )
2004-02-13 17:48:20 +03:00
{
/* times are stored as 32bit integer
take care on system with 64 bit wide time_t
- - SSS */
2010-05-21 04:38:04 +04:00
uint32_t logon_time ,
2004-02-13 17:48:20 +03:00
logoff_time ,
kickoff_time ,
bad_password_time ,
pass_last_set_time ,
pass_can_change_time ,
pass_must_change_time ;
2005-02-11 17:58:33 +03:00
char * username = NULL ;
char * domain = NULL ;
char * nt_username = NULL ;
char * dir_drive = NULL ;
2009-06-24 02:23:09 +04:00
char * comment = NULL ;
2005-02-11 17:58:33 +03:00
char * munged_dial = NULL ;
char * fullname = NULL ;
char * homedir = NULL ;
char * logon_script = NULL ;
char * profile_path = NULL ;
char * acct_desc = NULL ;
char * workstations = NULL ;
2010-05-21 04:38:04 +04:00
uint32_t username_len , domain_len , nt_username_len ,
2009-06-24 02:23:09 +04:00
dir_drive_len , comment_len , munged_dial_len ,
2004-02-13 17:48:20 +03:00
fullname_len , homedir_len , logon_script_len ,
profile_path_len , acct_desc_len , workstations_len ;
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
uint32_t user_rid , group_rid , hours_len , unknown_6 , acct_ctrl ;
uint16_t logon_divs ;
uint16_t bad_password_count , logon_count ;
uint8_t * hours = NULL ;
uint8_t * lm_pw_ptr = NULL , * nt_pw_ptr = NULL , * nt_pw_hist_ptr = NULL ;
uint32_t len = 0 ;
uint32_t lm_pw_len , nt_pw_len , nt_pw_hist_len , hourslen ;
uint32_t pwHistLen = 0 ;
2007-10-19 04:40:25 +04:00
bool ret = True ;
2007-11-21 04:18:16 +03:00
fstring tmp_string ;
2007-10-19 04:40:25 +04:00
bool expand_explicit = lp_passdb_expand_explicit ( ) ;
2009-01-31 18:57:46 +03:00
2004-02-13 17:48:20 +03:00
if ( sampass = = NULL | | buf = = NULL ) {
2008-12-15 20:46:37 +03:00
DEBUG ( 0 , ( " init_samu_from_buffer_v3: NULL parameters found! \n " ) ) ;
2004-02-13 17:48:20 +03:00
return False ;
}
2009-01-31 18:57:46 +03:00
2008-12-15 20:46:37 +03:00
/* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
2004-07-08 10:39:22 +04:00
2004-02-13 17:48:20 +03:00
/* unpack the buffer into variables */
2008-12-15 20:46:37 +03:00
len = tdb_unpack ( buf , buflen , SAMU_BUFFER_FORMAT_V3 ,
2004-07-08 10:39:22 +04:00
& logon_time , /* d */
& logoff_time , /* d */
& kickoff_time , /* d */
& bad_password_time , /* d */
& pass_last_set_time , /* d */
& pass_can_change_time , /* d */
& pass_must_change_time , /* d */
& username_len , & username , /* B */
& domain_len , & domain , /* B */
& nt_username_len , & nt_username , /* B */
& fullname_len , & fullname , /* B */
& homedir_len , & homedir , /* B */
& dir_drive_len , & dir_drive , /* B */
& logon_script_len , & logon_script , /* B */
& profile_path_len , & profile_path , /* B */
& acct_desc_len , & acct_desc , /* B */
& workstations_len , & workstations , /* B */
2009-06-24 02:23:09 +04:00
& comment_len , & comment , /* B */
2004-07-08 10:39:22 +04:00
& munged_dial_len , & munged_dial , /* B */
& user_rid , /* d */
& group_rid , /* d */
& lm_pw_len , & lm_pw_ptr , /* B */
& nt_pw_len , & nt_pw_ptr , /* B */
/* Change from V1 is addition of password history field. */
& nt_pw_hist_len , & nt_pw_hist_ptr , /* B */
2010-05-21 04:38:04 +04:00
/* Change from V2 is the uint32_t acb_mask */
2006-02-27 13:32:45 +03:00
& acct_ctrl , /* d */
2004-07-08 10:39:22 +04:00
/* Also "remove_me" field was removed. */
& logon_divs , /* w */
& hours_len , /* d */
& hourslen , & hours , /* B */
& bad_password_count , /* w */
& logon_count , /* w */
& unknown_6 ) ; /* d */
2009-01-31 18:57:46 +03:00
2010-05-21 04:38:04 +04:00
if ( len = = ( uint32_t ) - 1 ) {
2004-02-13 17:48:20 +03:00
ret = False ;
goto done ;
}
2010-05-21 04:38:04 +04:00
pdb_set_logon_time ( sampass , convert_uint32_t_to_time_t ( logon_time ) , PDB_SET ) ;
pdb_set_logoff_time ( sampass , convert_uint32_t_to_time_t ( logoff_time ) , PDB_SET ) ;
pdb_set_kickoff_time ( sampass , convert_uint32_t_to_time_t ( kickoff_time ) , PDB_SET ) ;
pdb_set_bad_password_time ( sampass , convert_uint32_t_to_time_t ( bad_password_time ) , PDB_SET ) ;
pdb_set_pass_can_change_time ( sampass , convert_uint32_t_to_time_t ( pass_can_change_time ) , PDB_SET ) ;
pdb_set_pass_must_change_time ( sampass , convert_uint32_t_to_time_t ( pass_must_change_time ) , PDB_SET ) ;
pdb_set_pass_last_set_time ( sampass , convert_uint32_t_to_time_t ( pass_last_set_time ) , PDB_SET ) ;
2004-02-13 17:48:20 +03:00
pdb_set_username ( sampass , username , PDB_SET ) ;
pdb_set_domain ( sampass , domain , PDB_SET ) ;
pdb_set_nt_username ( sampass , nt_username , PDB_SET ) ;
pdb_set_fullname ( sampass , fullname , PDB_SET ) ;
if ( homedir ) {
2007-11-21 04:18:16 +03:00
fstrcpy ( tmp_string , homedir ) ;
2005-12-01 17:46:56 +03:00
if ( expand_explicit ) {
2007-11-21 04:18:16 +03:00
standard_sub_basic ( username , domain , tmp_string ,
sizeof ( tmp_string ) ) ;
2005-12-01 17:46:56 +03:00
}
2007-11-21 04:18:16 +03:00
pdb_set_homedir ( sampass , tmp_string , PDB_SET ) ;
2004-02-13 17:48:20 +03:00
}
else {
pdb_set_homedir ( sampass ,
2006-07-11 22:01:26 +04:00
talloc_sub_basic ( sampass , username , domain ,
lp_logon_home ( ) ) ,
2004-02-13 17:48:20 +03:00
PDB_DEFAULT ) ;
}
if ( dir_drive )
pdb_set_dir_drive ( sampass , dir_drive , PDB_SET ) ;
2005-01-20 01:50:27 +03:00
else
pdb_set_dir_drive ( sampass , lp_logon_drive ( ) , PDB_DEFAULT ) ;
2004-02-13 17:48:20 +03:00
2005-01-20 01:50:27 +03:00
if ( logon_script ) {
2007-11-21 04:18:16 +03:00
fstrcpy ( tmp_string , logon_script ) ;
2005-12-01 17:46:56 +03:00
if ( expand_explicit ) {
2007-11-21 04:18:16 +03:00
standard_sub_basic ( username , domain , tmp_string ,
sizeof ( tmp_string ) ) ;
2005-12-01 17:46:56 +03:00
}
2007-11-21 04:18:16 +03:00
pdb_set_logon_script ( sampass , tmp_string , PDB_SET ) ;
2005-01-20 01:50:27 +03:00
}
2004-02-13 17:48:20 +03:00
else {
pdb_set_logon_script ( sampass ,
2006-07-11 22:01:26 +04:00
talloc_sub_basic ( sampass , username , domain ,
lp_logon_script ( ) ) ,
2004-02-13 17:48:20 +03:00
PDB_DEFAULT ) ;
}
2009-01-31 18:57:46 +03:00
2004-02-13 17:48:20 +03:00
if ( profile_path ) {
2007-11-21 04:18:16 +03:00
fstrcpy ( tmp_string , profile_path ) ;
2005-12-01 17:46:56 +03:00
if ( expand_explicit ) {
2007-11-21 04:18:16 +03:00
standard_sub_basic ( username , domain , tmp_string ,
sizeof ( tmp_string ) ) ;
2005-12-01 17:46:56 +03:00
}
2007-11-21 04:18:16 +03:00
pdb_set_profile_path ( sampass , tmp_string , PDB_SET ) ;
2005-01-20 01:50:27 +03:00
}
else {
2004-02-13 17:48:20 +03:00
pdb_set_profile_path ( sampass ,
2006-07-11 22:01:26 +04:00
talloc_sub_basic ( sampass , username , domain , lp_logon_path ( ) ) ,
2004-02-13 17:48:20 +03:00
PDB_DEFAULT ) ;
}
pdb_set_acct_desc ( sampass , acct_desc , PDB_SET ) ;
2009-06-24 02:23:09 +04:00
pdb_set_comment ( sampass , comment , PDB_SET ) ;
2004-02-13 17:48:20 +03:00
pdb_set_workstations ( sampass , workstations , PDB_SET ) ;
pdb_set_munged_dial ( sampass , munged_dial , PDB_SET ) ;
if ( lm_pw_ptr & & lm_pw_len = = LM_HASH_LEN ) {
if ( ! pdb_set_lanman_passwd ( sampass , lm_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
if ( nt_pw_ptr & & nt_pw_len = = NT_HASH_LEN ) {
if ( ! pdb_set_nt_passwd ( sampass , nt_pw_ptr , PDB_SET ) ) {
ret = False ;
goto done ;
}
}
2009-07-14 01:53:49 +04:00
pdb_get_account_policy ( PDB_POLICY_PASSWORD_HISTORY , & pwHistLen ) ;
2004-07-09 01:01:30 +04:00
if ( pwHistLen ) {
2010-05-21 04:38:04 +04:00
uint8_t * pw_hist = ( uint8_t * ) SMB_MALLOC ( pwHistLen * PW_HISTORY_ENTRY_LEN ) ;
2004-07-09 01:01:30 +04:00
if ( ! pw_hist ) {
ret = False ;
goto done ;
}
2004-08-05 23:57:41 +04:00
memset ( pw_hist , ' \0 ' , pwHistLen * PW_HISTORY_ENTRY_LEN ) ;
2004-07-09 01:01:30 +04:00
if ( nt_pw_hist_ptr & & nt_pw_hist_len ) {
int i ;
2004-08-05 23:57:41 +04:00
SMB_ASSERT ( ( nt_pw_hist_len % PW_HISTORY_ENTRY_LEN ) = = 0 ) ;
nt_pw_hist_len / = PW_HISTORY_ENTRY_LEN ;
2004-07-09 01:01:30 +04:00
for ( i = 0 ; ( i < pwHistLen ) & & ( i < nt_pw_hist_len ) ; i + + ) {
2004-08-05 23:57:41 +04:00
memcpy ( & pw_hist [ i * PW_HISTORY_ENTRY_LEN ] ,
& nt_pw_hist_ptr [ i * PW_HISTORY_ENTRY_LEN ] ,
PW_HISTORY_ENTRY_LEN ) ;
2004-07-09 01:01:30 +04:00
}
}
if ( ! pdb_set_pw_history ( sampass , pw_hist , pwHistLen , PDB_SET ) ) {
SAFE_FREE ( pw_hist ) ;
2004-07-08 10:39:22 +04:00
ret = False ;
goto done ;
}
2004-07-09 01:01:30 +04:00
SAFE_FREE ( pw_hist ) ;
2004-07-08 10:39:22 +04:00
} else {
pdb_set_pw_history ( sampass , NULL , 0 , PDB_SET ) ;
}
2004-02-13 17:48:20 +03:00
pdb_set_user_sid_from_rid ( sampass , user_rid , PDB_SET ) ;
pdb_set_hours_len ( sampass , hours_len , PDB_SET ) ;
pdb_set_bad_password_count ( sampass , bad_password_count , PDB_SET ) ;
pdb_set_logon_count ( sampass , logon_count , PDB_SET ) ;
pdb_set_unknown_6 ( sampass , unknown_6 , PDB_SET ) ;
2010-05-21 04:38:04 +04:00
/* Change from V2 is the uint32_t acct_ctrl */
2004-02-13 17:48:20 +03:00
pdb_set_acct_ctrl ( sampass , acct_ctrl , PDB_SET ) ;
pdb_set_logon_divs ( sampass , logon_divs , PDB_SET ) ;
2011-02-16 18:47:23 +03:00
pdb_set_hours ( sampass , hours , hours_len , PDB_SET ) ;
2004-02-13 17:48:20 +03:00
done :
SAFE_FREE ( username ) ;
SAFE_FREE ( domain ) ;
SAFE_FREE ( nt_username ) ;
SAFE_FREE ( fullname ) ;
SAFE_FREE ( homedir ) ;
SAFE_FREE ( dir_drive ) ;
SAFE_FREE ( logon_script ) ;
SAFE_FREE ( profile_path ) ;
SAFE_FREE ( acct_desc ) ;
SAFE_FREE ( workstations ) ;
SAFE_FREE ( munged_dial ) ;
2009-06-24 02:23:09 +04:00
SAFE_FREE ( comment ) ;
2004-07-08 10:39:22 +04:00
SAFE_FREE ( lm_pw_ptr ) ;
SAFE_FREE ( nt_pw_ptr ) ;
SAFE_FREE ( nt_pw_hist_ptr ) ;
2004-02-13 17:48:20 +03:00
SAFE_FREE ( hours ) ;
return ret ;
}
2006-02-21 22:02:22 +03:00
/*********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
static uint32_t init_buffer_from_samu_v3 ( uint8_t * * buf , struct samu * sampass , bool size_only )
2004-02-13 17:48:20 +03:00
{
size_t len , buflen ;
/* times are stored as 32bit integer
take care on system with 64 bit wide time_t
- - SSS */
2010-05-21 04:38:04 +04:00
uint32_t logon_time ,
2004-02-13 17:48:20 +03:00
logoff_time ,
kickoff_time ,
bad_password_time ,
pass_last_set_time ,
pass_can_change_time ,
pass_must_change_time ;
2010-05-21 04:38:04 +04:00
uint32_t user_rid , group_rid ;
2004-02-13 17:48:20 +03:00
const char * username ;
const char * domain ;
const char * nt_username ;
const char * dir_drive ;
2009-06-24 02:23:09 +04:00
const char * comment ;
2004-02-13 17:48:20 +03:00
const char * munged_dial ;
const char * fullname ;
const char * homedir ;
const char * logon_script ;
const char * profile_path ;
const char * acct_desc ;
const char * workstations ;
2010-05-21 04:38:04 +04:00
uint32_t username_len , domain_len , nt_username_len ,
2009-06-24 02:23:09 +04:00
dir_drive_len , comment_len , munged_dial_len ,
2004-02-13 17:48:20 +03:00
fullname_len , homedir_len , logon_script_len ,
profile_path_len , acct_desc_len , workstations_len ;
2010-05-21 04:38:04 +04:00
const uint8_t * lm_pw ;
const uint8_t * nt_pw ;
const uint8_t * nt_pw_hist ;
uint32_t lm_pw_len = 16 ;
uint32_t nt_pw_len = 16 ;
uint32_t nt_pw_hist_len ;
uint32_t pwHistLen = 0 ;
2004-02-13 17:48:20 +03:00
* buf = NULL ;
buflen = 0 ;
2010-05-21 04:38:04 +04:00
logon_time = convert_time_t_to_uint32_t ( pdb_get_logon_time ( sampass ) ) ;
logoff_time = convert_time_t_to_uint32_t ( pdb_get_logoff_time ( sampass ) ) ;
kickoff_time = convert_time_t_to_uint32_t ( pdb_get_kickoff_time ( sampass ) ) ;
bad_password_time = convert_time_t_to_uint32_t ( pdb_get_bad_password_time ( sampass ) ) ;
pass_can_change_time = convert_time_t_to_uint32_t ( pdb_get_pass_can_change_time_noncalc ( sampass ) ) ;
pass_must_change_time = convert_time_t_to_uint32_t ( pdb_get_pass_must_change_time ( sampass ) ) ;
pass_last_set_time = convert_time_t_to_uint32_t ( pdb_get_pass_last_set_time ( sampass ) ) ;
2004-02-13 17:48:20 +03:00
user_rid = pdb_get_user_rid ( sampass ) ;
group_rid = pdb_get_group_rid ( sampass ) ;
username = pdb_get_username ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( username ) {
2004-02-13 17:48:20 +03:00
username_len = strlen ( username ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
username_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
domain = pdb_get_domain ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( domain ) {
2004-02-13 17:48:20 +03:00
domain_len = strlen ( domain ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
domain_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
nt_username = pdb_get_nt_username ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( nt_username ) {
2004-02-13 17:48:20 +03:00
nt_username_len = strlen ( nt_username ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
nt_username_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
fullname = pdb_get_fullname ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( fullname ) {
2004-02-13 17:48:20 +03:00
fullname_len = strlen ( fullname ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
fullname_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
/*
* Only updates fields which have been set ( not defaults from smb . conf )
*/
2004-07-08 10:39:22 +04:00
if ( ! IS_SAM_DEFAULT ( sampass , PDB_DRIVE ) ) {
2004-02-13 17:48:20 +03:00
dir_drive = pdb_get_dir_drive ( sampass ) ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
dir_drive = NULL ;
2004-07-08 10:39:22 +04:00
}
if ( dir_drive ) {
2004-02-13 17:48:20 +03:00
dir_drive_len = strlen ( dir_drive ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
dir_drive_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
2004-07-08 10:39:22 +04:00
if ( ! IS_SAM_DEFAULT ( sampass , PDB_SMBHOME ) ) {
2004-02-13 17:48:20 +03:00
homedir = pdb_get_homedir ( sampass ) ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
homedir = NULL ;
2004-07-08 10:39:22 +04:00
}
if ( homedir ) {
2004-02-13 17:48:20 +03:00
homedir_len = strlen ( homedir ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
homedir_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
2004-07-08 10:39:22 +04:00
if ( ! IS_SAM_DEFAULT ( sampass , PDB_LOGONSCRIPT ) ) {
2004-02-13 17:48:20 +03:00
logon_script = pdb_get_logon_script ( sampass ) ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
logon_script = NULL ;
2004-07-08 10:39:22 +04:00
}
if ( logon_script ) {
2004-02-13 17:48:20 +03:00
logon_script_len = strlen ( logon_script ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
logon_script_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
2004-07-08 10:39:22 +04:00
if ( ! IS_SAM_DEFAULT ( sampass , PDB_PROFILE ) ) {
2004-02-13 17:48:20 +03:00
profile_path = pdb_get_profile_path ( sampass ) ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
profile_path = NULL ;
2004-07-08 10:39:22 +04:00
}
if ( profile_path ) {
2004-02-13 17:48:20 +03:00
profile_path_len = strlen ( profile_path ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
profile_path_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2009-01-31 18:57:46 +03:00
2004-02-13 17:48:20 +03:00
lm_pw = pdb_get_lanman_passwd ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( ! lm_pw ) {
2004-02-13 17:48:20 +03:00
lm_pw_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2009-01-31 18:57:46 +03:00
2004-02-13 17:48:20 +03:00
nt_pw = pdb_get_nt_passwd ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( ! nt_pw ) {
2004-02-13 17:48:20 +03:00
nt_pw_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2009-07-14 01:53:49 +04:00
pdb_get_account_policy ( PDB_POLICY_PASSWORD_HISTORY , & pwHistLen ) ;
2004-07-08 10:39:22 +04:00
nt_pw_hist = pdb_get_pw_history ( sampass , & nt_pw_hist_len ) ;
if ( pwHistLen & & nt_pw_hist & & nt_pw_hist_len ) {
2004-08-05 23:57:41 +04:00
nt_pw_hist_len * = PW_HISTORY_ENTRY_LEN ;
2004-07-08 10:39:22 +04:00
} else {
nt_pw_hist_len = 0 ;
}
2004-02-13 17:48:20 +03:00
acct_desc = pdb_get_acct_desc ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( acct_desc ) {
2004-02-13 17:48:20 +03:00
acct_desc_len = strlen ( acct_desc ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
acct_desc_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
workstations = pdb_get_workstations ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( workstations ) {
2004-02-13 17:48:20 +03:00
workstations_len = strlen ( workstations ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
workstations_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
2009-06-24 02:23:09 +04:00
comment = pdb_get_comment ( sampass ) ;
if ( comment ) {
comment_len = strlen ( comment ) + 1 ;
} else {
comment_len = 0 ;
}
2004-02-13 17:48:20 +03:00
munged_dial = pdb_get_munged_dial ( sampass ) ;
2004-07-08 10:39:22 +04:00
if ( munged_dial ) {
2004-02-13 17:48:20 +03:00
munged_dial_len = strlen ( munged_dial ) + 1 ;
2004-07-08 10:39:22 +04:00
} else {
2004-02-13 17:48:20 +03:00
munged_dial_len = 0 ;
2004-07-08 10:39:22 +04:00
}
2008-12-15 20:46:37 +03:00
/* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
2004-07-08 10:39:22 +04:00
2004-02-13 17:48:20 +03:00
/* one time to get the size needed */
2008-12-15 20:46:37 +03:00
len = tdb_pack ( NULL , 0 , SAMU_BUFFER_FORMAT_V3 ,
2004-07-08 10:39:22 +04:00
logon_time , /* d */
logoff_time , /* d */
kickoff_time , /* d */
bad_password_time , /* d */
pass_last_set_time , /* d */
pass_can_change_time , /* d */
pass_must_change_time , /* d */
username_len , username , /* B */
domain_len , domain , /* B */
nt_username_len , nt_username , /* B */
fullname_len , fullname , /* B */
homedir_len , homedir , /* B */
dir_drive_len , dir_drive , /* B */
logon_script_len , logon_script , /* B */
profile_path_len , profile_path , /* B */
acct_desc_len , acct_desc , /* B */
workstations_len , workstations , /* B */
2009-06-24 02:23:09 +04:00
comment_len , comment , /* B */
2004-07-08 10:39:22 +04:00
munged_dial_len , munged_dial , /* B */
user_rid , /* d */
group_rid , /* d */
lm_pw_len , lm_pw , /* B */
nt_pw_len , nt_pw , /* B */
nt_pw_hist_len , nt_pw_hist , /* B */
2006-02-27 13:32:45 +03:00
pdb_get_acct_ctrl ( sampass ) , /* d */
2004-07-08 10:39:22 +04:00
pdb_get_logon_divs ( sampass ) , /* w */
pdb_get_hours_len ( sampass ) , /* d */
MAX_HOURS_LEN , pdb_get_hours ( sampass ) , /* B */
pdb_get_bad_password_count ( sampass ) , /* w */
pdb_get_logon_count ( sampass ) , /* w */
pdb_get_unknown_6 ( sampass ) ) ; /* d */
if ( size_only ) {
2004-02-13 17:48:20 +03:00
return buflen ;
2004-07-08 10:39:22 +04:00
}
2004-02-13 17:48:20 +03:00
/* malloc the space needed */
2010-05-21 04:38:04 +04:00
if ( ( * buf = ( uint8_t * ) SMB_MALLOC ( len ) ) = = NULL ) {
2008-12-15 20:46:37 +03:00
DEBUG ( 0 , ( " init_buffer_from_samu_v3: Unable to malloc() memory for buffer! \n " ) ) ;
2004-02-13 17:48:20 +03:00
return ( - 1 ) ;
}
2009-01-31 18:57:46 +03:00
2004-02-13 17:48:20 +03:00
/* now for the real call to tdb_pack() */
2008-12-15 20:46:37 +03:00
buflen = tdb_pack ( * buf , len , SAMU_BUFFER_FORMAT_V3 ,
2004-07-08 10:39:22 +04:00
logon_time , /* d */
logoff_time , /* d */
kickoff_time , /* d */
bad_password_time , /* d */
pass_last_set_time , /* d */
pass_can_change_time , /* d */
pass_must_change_time , /* d */
username_len , username , /* B */
domain_len , domain , /* B */
nt_username_len , nt_username , /* B */
fullname_len , fullname , /* B */
homedir_len , homedir , /* B */
dir_drive_len , dir_drive , /* B */
logon_script_len , logon_script , /* B */
profile_path_len , profile_path , /* B */
acct_desc_len , acct_desc , /* B */
workstations_len , workstations , /* B */
2009-06-24 02:23:09 +04:00
comment_len , comment , /* B */
2004-07-08 10:39:22 +04:00
munged_dial_len , munged_dial , /* B */
user_rid , /* d */
group_rid , /* d */
lm_pw_len , lm_pw , /* B */
nt_pw_len , nt_pw , /* B */
nt_pw_hist_len , nt_pw_hist , /* B */
2006-02-27 13:32:45 +03:00
pdb_get_acct_ctrl ( sampass ) , /* d */
2004-07-08 10:39:22 +04:00
pdb_get_logon_divs ( sampass ) , /* w */
pdb_get_hours_len ( sampass ) , /* d */
MAX_HOURS_LEN , pdb_get_hours ( sampass ) , /* B */
pdb_get_bad_password_count ( sampass ) , /* w */
pdb_get_logon_count ( sampass ) , /* w */
pdb_get_unknown_6 ( sampass ) ) ; /* d */
2009-01-31 18:57:46 +03:00
2003-07-09 01:58:29 +04:00
/* check to make sure we got it correct */
if ( buflen ! = len ) {
2008-12-15 20:46:37 +03:00
DEBUG ( 0 , ( " init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations! \n " ,
2003-07-25 08:24:40 +04:00
( unsigned long ) buflen , ( unsigned long ) len ) ) ;
2003-07-09 01:58:29 +04:00
/* error */
SAFE_FREE ( * buf ) ;
return ( - 1 ) ;
}
return ( buflen ) ;
}
2003-08-13 04:08:28 +04:00
2010-05-21 04:38:04 +04:00
static bool init_samu_from_buffer_v4 ( struct samu * sampass , uint8_t * buf , uint32_t buflen )
2008-12-16 13:51:14 +03:00
{
/* nothing changed between V3 and V4 */
return init_samu_from_buffer_v3 ( sampass , buf , buflen ) ;
}
2010-05-21 04:38:04 +04:00
static uint32_t init_buffer_from_samu_v4 ( uint8_t * * buf , struct samu * sampass , bool size_only )
2008-12-16 13:51:14 +03:00
{
/* nothing changed between V3 and V4 */
return init_buffer_from_samu_v3 ( buf , sampass , size_only ) ;
}
2008-12-15 20:46:37 +03:00
/**********************************************************************
Intialize a struct samu struct from a BYTE buffer of size len
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
bool init_samu_from_buffer ( struct samu * sampass , uint32_t level ,
2010-05-21 04:38:04 +04:00
uint8_t * buf , uint32_t buflen )
2008-12-15 20:46:37 +03:00
{
switch ( level ) {
case SAMU_BUFFER_V0 :
return init_samu_from_buffer_v0 ( sampass , buf , buflen ) ;
case SAMU_BUFFER_V1 :
return init_samu_from_buffer_v1 ( sampass , buf , buflen ) ;
case SAMU_BUFFER_V2 :
return init_samu_from_buffer_v2 ( sampass , buf , buflen ) ;
case SAMU_BUFFER_V3 :
return init_samu_from_buffer_v3 ( sampass , buf , buflen ) ;
2008-12-16 13:51:14 +03:00
case SAMU_BUFFER_V4 :
return init_samu_from_buffer_v4 ( sampass , buf , buflen ) ;
2008-12-15 20:46:37 +03:00
}
return false ;
}
/**********************************************************************
Intialize a BYTE buffer from a struct samu struct
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
uint32_t init_buffer_from_samu ( uint8_t * * buf , struct samu * sampass , bool size_only )
2008-12-15 20:46:37 +03:00
{
2008-12-16 13:51:14 +03:00
return init_buffer_from_samu_v4 ( buf , sampass , size_only ) ;
2008-12-15 20:46:37 +03:00
}
2006-02-21 22:02:22 +03:00
/*********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool pdb_copy_sam_account ( struct samu * dst , struct samu * src )
2004-11-06 01:53:35 +03:00
{
2010-05-21 04:38:04 +04:00
uint8_t * buf = NULL ;
2004-11-06 01:53:35 +03:00
int len ;
2008-12-15 20:46:37 +03:00
len = init_buffer_from_samu ( & buf , src , False ) ;
2006-06-15 05:54:09 +04:00
if ( len = = - 1 | | ! buf ) {
2006-06-28 05:52:01 +04:00
SAFE_FREE ( buf ) ;
2006-06-15 05:54:09 +04:00
return False ;
}
2004-11-06 01:53:35 +03:00
2008-12-15 20:46:37 +03:00
if ( ! init_samu_from_buffer ( dst , SAMU_BUFFER_LATEST , buf , len ) ) {
2006-06-15 05:54:09 +04:00
free ( buf ) ;
2004-11-06 01:53:35 +03:00
return False ;
2006-06-15 05:54:09 +04:00
}
2004-11-06 01:53:35 +03:00
2006-02-25 00:36:40 +03:00
dst - > methods = src - > methods ;
2009-01-31 18:57:46 +03:00
2006-06-15 05:54:09 +04:00
if ( src - > unix_pw ) {
2006-02-25 00:36:40 +03:00
dst - > unix_pw = tcopy_passwd ( dst , src - > unix_pw ) ;
2006-06-15 05:54:09 +04:00
if ( ! dst - > unix_pw ) {
free ( buf ) ;
return False ;
}
}
2004-11-06 01:53:35 +03:00
2010-01-31 17:18:51 +03:00
if ( src - > group_sid ) {
pdb_set_group_sid ( dst , src - > group_sid , PDB_SET ) ;
}
2004-11-06 01:53:35 +03:00
free ( buf ) ;
2006-06-15 05:54:09 +04:00
return True ;
2004-11-06 01:53:35 +03:00
}
2004-02-19 21:35:43 +03:00
/*********************************************************************
2009-07-14 01:53:49 +04:00
Update the bad password count checking the PDB_POLICY_RESET_COUNT_TIME
2004-02-19 21:35:43 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool pdb_update_bad_password_count ( struct samu * sampass , bool * updated )
2004-02-19 21:35:43 +03:00
{
time_t LastBadPassword ;
2010-05-21 04:38:04 +04:00
uint16_t BadPasswordCount ;
uint32_t resettime ;
2007-10-19 04:40:25 +04:00
bool res ;
2004-02-19 21:35:43 +03:00
BadPasswordCount = pdb_get_bad_password_count ( sampass ) ;
2004-02-20 00:37:24 +03:00
if ( ! BadPasswordCount ) {
DEBUG ( 9 , ( " No bad password attempts. \n " ) ) ;
return True ;
}
2007-04-06 03:56:10 +04:00
become_root ( ) ;
2009-07-14 01:53:49 +04:00
res = pdb_get_account_policy ( PDB_POLICY_RESET_COUNT_TIME , & resettime ) ;
2007-04-06 03:56:10 +04:00
unbecome_root ( ) ;
2007-01-17 18:47:36 +03:00
if ( ! res ) {
2005-09-30 21:13:37 +04:00
DEBUG ( 0 , ( " pdb_update_bad_password_count: pdb_get_account_policy failed. \n " ) ) ;
2004-02-20 00:37:24 +03:00
return False ;
}
/* First, check if there is a reset time to compare */
2010-05-21 04:38:04 +04:00
if ( ( resettime = = ( uint32_t ) - 1 ) | | ( resettime = = 0 ) ) {
2004-02-20 19:00:25 +03:00
DEBUG ( 9 , ( " No reset time, can't reset bad pw count \n " ) ) ;
2004-02-20 00:37:24 +03:00
return True ;
}
LastBadPassword = pdb_get_bad_password_time ( sampass ) ;
DEBUG ( 7 , ( " LastBadPassword=%d, resettime=%d, current time=%d. \n " ,
2010-05-21 04:38:04 +04:00
( uint32_t ) LastBadPassword , resettime , ( uint32_t ) time ( NULL ) ) ) ;
if ( time ( NULL ) > ( LastBadPassword + convert_uint32_t_to_time_t ( resettime ) * 60 ) ) {
2004-02-20 00:37:24 +03:00
pdb_set_bad_password_count ( sampass , 0 , PDB_CHANGED ) ;
pdb_set_bad_password_time ( sampass , 0 , PDB_CHANGED ) ;
2004-07-17 05:37:04 +04:00
if ( updated ) {
* updated = True ;
}
2004-02-19 21:35:43 +03:00
}
2004-02-20 00:37:24 +03:00
2004-02-19 21:35:43 +03:00
return True ;
}
/*********************************************************************
2009-07-14 01:53:49 +04:00
Update the ACB_AUTOLOCK flag checking the PDB_POLICY_LOCK_ACCOUNT_DURATION
2004-02-19 21:35:43 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool pdb_update_autolock_flag ( struct samu * sampass , bool * updated )
2004-02-19 21:35:43 +03:00
{
2010-05-21 04:38:04 +04:00
uint32_t duration ;
2004-02-19 21:35:43 +03:00
time_t LastBadPassword ;
2007-10-19 04:40:25 +04:00
bool res ;
2004-02-19 21:35:43 +03:00
2004-02-20 00:37:24 +03:00
if ( ! ( pdb_get_acct_ctrl ( sampass ) & ACB_AUTOLOCK ) ) {
2004-07-17 05:37:04 +04:00
DEBUG ( 9 , ( " pdb_update_autolock_flag: Account %s not autolocked, no check needed \n " ,
pdb_get_username ( sampass ) ) ) ;
2004-02-20 00:37:24 +03:00
return True ;
2004-02-19 21:35:43 +03:00
}
2007-04-06 03:56:10 +04:00
become_root ( ) ;
2009-07-14 01:53:49 +04:00
res = pdb_get_account_policy ( PDB_POLICY_LOCK_ACCOUNT_DURATION , & duration ) ;
2007-04-06 03:56:10 +04:00
unbecome_root ( ) ;
2007-01-17 18:47:36 +03:00
if ( ! res ) {
2005-09-30 21:13:37 +04:00
DEBUG ( 0 , ( " pdb_update_autolock_flag: pdb_get_account_policy failed. \n " ) ) ;
2004-02-20 00:37:24 +03:00
return False ;
}
/* First, check if there is a duration to compare */
2010-05-21 04:38:04 +04:00
if ( ( duration = = ( uint32_t ) - 1 ) | | ( duration = = 0 ) ) {
2004-07-17 05:37:04 +04:00
DEBUG ( 9 , ( " pdb_update_autolock_flag: No reset duration, can't reset autolock \n " ) ) ;
2004-02-20 00:37:24 +03:00
return True ;
}
2009-01-31 18:57:46 +03:00
2004-02-20 00:37:24 +03:00
LastBadPassword = pdb_get_bad_password_time ( sampass ) ;
2004-07-17 05:37:04 +04:00
DEBUG ( 7 , ( " pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d. \n " ,
2010-05-21 04:38:04 +04:00
pdb_get_username ( sampass ) , ( uint32_t ) LastBadPassword , duration * 60 , ( uint32_t ) time ( NULL ) ) ) ;
2004-07-17 05:37:04 +04:00
if ( LastBadPassword = = ( time_t ) 0 ) {
2007-01-08 19:52:58 +03:00
DEBUG ( 1 , ( " pdb_update_autolock_flag: Account %s "
" administratively locked out with no bad password "
" time. Leaving locked out. \n " ,
pdb_get_username ( sampass ) ) ) ;
return True ;
2004-07-17 05:37:04 +04:00
}
2010-05-21 04:38:04 +04:00
if ( ( time ( NULL ) > ( LastBadPassword + convert_uint32_t_to_time_t ( duration ) * 60 ) ) ) {
2004-02-20 00:37:24 +03:00
pdb_set_acct_ctrl ( sampass ,
pdb_get_acct_ctrl ( sampass ) & ~ ACB_AUTOLOCK ,
PDB_CHANGED ) ;
pdb_set_bad_password_count ( sampass , 0 , PDB_CHANGED ) ;
pdb_set_bad_password_time ( sampass , 0 , PDB_CHANGED ) ;
2004-07-17 05:37:04 +04:00
if ( updated ) {
* updated = True ;
}
2004-02-20 00:37:24 +03:00
}
2009-01-31 18:57:46 +03:00
2004-02-19 21:35:43 +03:00
return True ;
}
/*********************************************************************
Increment the bad_password_count
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool pdb_increment_bad_password_count ( struct samu * sampass )
2004-02-19 21:35:43 +03:00
{
2010-05-21 04:38:04 +04:00
uint32_t account_policy_lockout ;
2007-10-19 04:40:25 +04:00
bool autolock_updated = False , badpw_updated = False ;
bool ret ;
2004-02-19 21:35:43 +03:00
2004-02-20 00:37:24 +03:00
/* Retrieve the account lockout policy */
2006-01-13 22:38:09 +03:00
become_root ( ) ;
2009-07-14 01:53:49 +04:00
ret = pdb_get_account_policy ( PDB_POLICY_BAD_ATTEMPT_LOCKOUT , & account_policy_lockout ) ;
2006-01-13 22:38:09 +03:00
unbecome_root ( ) ;
if ( ! ret ) {
2005-09-30 21:13:37 +04:00
DEBUG ( 0 , ( " pdb_increment_bad_password_count: pdb_get_account_policy failed. \n " ) ) ;
2004-02-19 21:35:43 +03:00
return False ;
2004-02-20 00:37:24 +03:00
}
2004-02-19 21:35:43 +03:00
2004-02-20 00:37:24 +03:00
/* If there is no policy, we don't need to continue checking */
if ( ! account_policy_lockout ) {
DEBUG ( 9 , ( " No lockout policy, don't track bad passwords \n " ) ) ;
2004-02-19 21:35:43 +03:00
return True ;
}
2004-02-20 00:37:24 +03:00
/* Check if the autolock needs to be cleared */
if ( ! pdb_update_autolock_flag ( sampass , & autolock_updated ) )
return False ;
/* Check if the badpw count needs to be reset */
if ( ! pdb_update_bad_password_count ( sampass , & badpw_updated ) )
return False ;
/*
Ok , now we can assume that any resetting that needs to be
done has been done , and just get on with incrementing
and autolocking if necessary
*/
pdb_set_bad_password_count ( sampass ,
pdb_get_bad_password_count ( sampass ) + 1 ,
PDB_CHANGED ) ;
pdb_set_bad_password_time ( sampass , time ( NULL ) , PDB_CHANGED ) ;
if ( pdb_get_bad_password_count ( sampass ) < account_policy_lockout )
return True ;
if ( ! pdb_set_acct_ctrl ( sampass ,
pdb_get_acct_ctrl ( sampass ) | ACB_AUTOLOCK ,
PDB_CHANGED ) ) {
DEBUG ( 1 , ( " pdb_increment_bad_password_count:failed to set 'autolock' flag. \n " ) ) ;
return False ;
}
return True ;
2004-02-19 21:35:43 +03:00
}
2007-01-16 11:17:26 +03:00
2008-05-26 14:05:21 +04:00
bool is_dc_trusted_domain_situation ( const char * domain_name )
{
return IS_DC & & ! strequal ( domain_name , lp_workgroup ( ) ) ;
}
2007-01-16 11:17:26 +03:00
/*******************************************************************
2007-12-11 15:59:54 +03:00
Wrapper around retrieving the clear text trust account password .
2007-12-11 15:05:44 +03:00
appropriate account name is stored in account_name .
2007-12-11 15:59:54 +03:00
Caller must free password , but not account_name .
2007-01-16 11:17:26 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-12-11 15:59:54 +03:00
bool get_trust_pw_clear ( const char * domain , char * * ret_pwd ,
2009-10-13 12:15:34 +04:00
const char * * account_name ,
enum netr_SchannelType * channel )
2007-01-16 11:17:26 +03:00
{
char * pwd ;
time_t last_set_time ;
2007-09-07 12:54:48 +04:00
2007-01-16 11:17:26 +03:00
/* if we are a DC and this is not our domain, then lookup an account
2007-12-11 15:59:54 +03:00
* for the domain trust */
2007-09-07 12:54:48 +04:00
2008-05-26 14:11:21 +04:00
if ( is_dc_trusted_domain_situation ( domain ) ) {
if ( ! lp_allow_trusted_domains ( ) ) {
return false ;
}
2007-12-11 16:12:49 +03:00
if ( ! pdb_get_trusteddom_pw ( domain , ret_pwd , NULL ,
2007-12-11 15:59:54 +03:00
& last_set_time ) )
2007-09-07 12:54:48 +04:00
{
2007-01-16 11:17:26 +03:00
DEBUG ( 0 , ( " get_trust_pw: could not fetch trust "
" account password for trusted domain %s \n " ,
domain ) ) ;
2007-12-11 15:59:54 +03:00
return false ;
2007-01-16 11:17:26 +03:00
}
2007-09-07 12:54:48 +04:00
2007-12-18 03:30:52 +03:00
if ( channel ! = NULL ) {
* channel = SEC_CHAN_DOMAIN ;
}
2007-01-16 11:17:26 +03:00
2007-12-11 15:05:44 +03:00
if ( account_name ! = NULL ) {
* account_name = lp_workgroup ( ) ;
}
2007-12-11 15:59:54 +03:00
return true ;
2007-01-16 11:17:26 +03:00
}
2007-09-07 12:54:48 +04:00
2008-05-26 14:22:53 +04:00
/*
* Since we can only be member of one single domain , we are now
* in a member situation :
*
* - Either we are a DC ( selfjoined ) and the domain is our
* own domain .
* - Or we are on a member and the domain is our own or some
* other ( potentially trusted ) domain .
*
* In both cases , we can only get the machine account password
* for our own domain to connect to our own dc . ( For a member ,
* request to trusted domains are performed through our dc . )
*
* So we simply use our own domain name to retrieve the
* machine account passowrd and ignore the request domain here .
*/
2007-09-07 12:54:48 +04:00
2008-05-24 00:19:58 +04:00
pwd = secrets_fetch_machine_password ( lp_workgroup ( ) , & last_set_time , channel ) ;
2007-12-11 15:59:54 +03:00
if ( pwd ! = NULL ) {
* ret_pwd = pwd ;
if ( account_name ! = NULL ) {
* account_name = global_myname ( ) ;
}
return true ;
}
DEBUG ( 5 , ( " get_trust_pw_clear: could not fetch clear text trust "
" account password for domain %s \n " , domain ) ) ;
return false ;
}
/*******************************************************************
Wrapper around retrieving the trust account password .
appropriate account name is stored in account_name .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 04:38:04 +04:00
bool get_trust_pw_hash ( const char * domain , uint8_t ret_pwd [ 16 ] ,
2009-10-13 12:15:34 +04:00
const char * * account_name ,
enum netr_SchannelType * channel )
2007-12-11 15:59:54 +03:00
{
char * pwd = NULL ;
time_t last_set_time ;
if ( get_trust_pw_clear ( domain , & pwd , account_name , channel ) ) {
E_md4hash ( pwd , ret_pwd ) ;
SAFE_FREE ( pwd ) ;
return true ;
2008-05-26 14:31:44 +04:00
} else if ( is_dc_trusted_domain_situation ( domain ) ) {
2007-12-11 15:59:54 +03:00
return false ;
}
/* as a fallback, try to get the hashed pwd directly from the tdb... */
if ( secrets_fetch_trust_account_password_legacy ( domain , ret_pwd ,
& last_set_time ,
channel ) )
2007-12-11 15:05:44 +03:00
{
if ( account_name ! = NULL ) {
* account_name = global_myname ( ) ;
}
2007-12-11 15:59:54 +03:00
return true ;
2007-12-11 15:05:44 +03:00
}
2007-01-16 11:17:26 +03:00
2007-12-11 15:59:54 +03:00
DEBUG ( 5 , ( " get_trust_pw_hash: could not fetch trust account "
2007-01-16 11:17:26 +03:00
" password for domain %s \n " , domain ) ) ;
return False ;
}