2001-09-27 13:36:38 +04:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
2001-09-27 13:36:38 +04:00
passdb editing frontend
Copyright ( C ) Simo Sorce 2000
Copyright ( C ) Andrew Bartlett 2001
2002-07-15 14:35:28 +04:00
Copyright ( C ) Jelmer Vernooij 2002
2001-09-27 13:36:38 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
2000-12-06 21:18:48 +03:00
# include "includes.h"
2002-08-17 18:45:04 +04:00
# define BIT_BACKEND 0x00000004
# define BIT_VERBOSE 0x00000008
# define BIT_SPSTYLE 0x00000010
# define BIT_RESERV_1 0x00000020
# define BIT_RESERV_2 0x00000040
# define BIT_RESERV_3 0x00000080
# define BIT_FULLNAME 0x00000100
# define BIT_HOMEDIR 0x00000200
# define BIT_HDIRDRIVE 0x00000400
# define BIT_LOGSCRIPT 0x00000800
# define BIT_PROFILE 0x00001000
# define BIT_MACHINE 0x00002000
# define BIT_RESERV_4 0x00004000
# define BIT_USER 0x00008000
# define BIT_LIST 0x00010000
# define BIT_MODIFY 0x00020000
# define BIT_CREATE 0x00040000
# define BIT_DELETE 0x00080000
# define BIT_ACCPOLICY 0x00100000
# define BIT_ACCPOLVAL 0x00200000
2003-02-06 20:10:38 +03:00
# define BIT_ACCTCTRL 0x00400000
2002-08-17 18:45:04 +04:00
# define BIT_RESERV_7 0x00800000
# define BIT_IMPORT 0x01000000
# define BIT_EXPORT 0x02000000
2004-01-30 01:16:58 +03:00
# define BIT_FIX_INIT 0x04000000
2004-02-19 19:00:29 +03:00
# define BIT_BADPWRESET 0x08000000
2002-08-17 18:45:04 +04:00
# define MASK_ALWAYS_GOOD 0x0000001F
2003-02-06 20:10:38 +03:00
# define MASK_USER_GOOD 0x00401F00
2000-12-06 21:18:48 +03:00
/*********************************************************
2002-07-15 14:35:28 +04:00
Add all currently available users to another db
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-08-17 18:45:04 +04:00
static int export_database ( struct pdb_context * in , struct pdb_context * out ) {
2002-07-15 14:35:28 +04:00
SAM_ACCOUNT * user = NULL ;
2002-09-26 22:58:34 +04:00
if ( NT_STATUS_IS_ERR ( in - > pdb_setsampwent ( in , 0 ) ) ) {
2002-07-15 14:35:28 +04:00
fprintf ( stderr , " Can't sampwent! \n " ) ;
return 1 ;
}
2002-08-17 18:45:04 +04:00
if ( ! NT_STATUS_IS_OK ( pdb_init_sam ( & user ) ) ) {
2002-07-15 14:35:28 +04:00
fprintf ( stderr , " Can't initialize new SAM_ACCOUNT! \n " ) ;
return 1 ;
}
2002-09-26 22:58:34 +04:00
while ( NT_STATUS_IS_OK ( in - > pdb_getsampwent ( in , user ) ) ) {
2002-08-17 18:45:04 +04:00
out - > pdb_add_sam_account ( out , user ) ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( pdb_reset_sam ( user ) ) ) {
fprintf ( stderr , " Can't reset SAM_ACCOUNT! \n " ) ;
return 1 ;
}
2000-12-06 21:18:48 +03:00
}
2002-07-15 14:35:28 +04:00
in - > pdb_endsampwent ( in ) ;
return 0 ;
2000-12-06 21:18:48 +03:00
}
2001-09-28 01:20:14 +04:00
2003-03-23 14:50:16 +03:00
/*********************************************************
Add all currently available group mappings to another db
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static int export_groups ( struct pdb_context * in , struct pdb_context * out ) {
GROUP_MAP * maps = NULL ;
int i , entries = 0 ;
if ( NT_STATUS_IS_ERR ( in - > pdb_enum_group_mapping ( in , SID_NAME_UNKNOWN ,
& maps , & entries ,
2003-06-18 19:24:10 +04:00
False ) ) ) {
2003-03-23 14:50:16 +03:00
fprintf ( stderr , " Can't get group mappings! \n " ) ;
return 1 ;
}
for ( i = 0 ; i < entries ; i + + ) {
out - > pdb_add_group_mapping_entry ( out , & ( maps [ i ] ) ) ;
}
SAFE_FREE ( maps ) ;
return 0 ;
}
2000-12-06 21:18:48 +03:00
/*********************************************************
Print info from sam structure
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2000-12-06 21:18:48 +03:00
static int print_sam_info ( SAM_ACCOUNT * sam_pwent , BOOL verbosity , BOOL smbpwdstyle )
{
2001-12-31 17:39:26 +03:00
uid_t uid ;
2002-07-15 14:35:28 +04:00
time_t tmp ;
2001-12-31 17:39:26 +03:00
2000-12-06 21:18:48 +03:00
/* TODO: chaeck if entry is a user or a workstation */
if ( ! sam_pwent ) return - 1 ;
2001-09-28 01:20:14 +04:00
if ( verbosity ) {
2002-07-15 14:35:28 +04:00
printf ( " Unix username: %s \n " , pdb_get_username ( sam_pwent ) ) ;
printf ( " NT username: %s \n " , pdb_get_nt_username ( sam_pwent ) ) ;
printf ( " Account Flags: %s \n " , pdb_encode_acct_ctrl ( pdb_get_acct_ctrl ( sam_pwent ) , NEW_PW_FORMAT_SPACE_PADDED_LEN ) ) ;
printf ( " User SID: %s \n " ,
sid_string_static ( pdb_get_user_sid ( sam_pwent ) ) ) ;
printf ( " Primary Group SID: %s \n " ,
sid_string_static ( pdb_get_group_sid ( sam_pwent ) ) ) ;
printf ( " Full Name: %s \n " , pdb_get_fullname ( sam_pwent ) ) ;
printf ( " Home Directory: %s \n " , pdb_get_homedir ( sam_pwent ) ) ;
2002-08-17 18:45:04 +04:00
printf ( " HomeDir Drive: %s \n " , pdb_get_dir_drive ( sam_pwent ) ) ;
2002-07-15 14:35:28 +04:00
printf ( " Logon Script: %s \n " , pdb_get_logon_script ( sam_pwent ) ) ;
printf ( " Profile Path: %s \n " , pdb_get_profile_path ( sam_pwent ) ) ;
printf ( " Domain: %s \n " , pdb_get_domain ( sam_pwent ) ) ;
printf ( " Account desc: %s \n " , pdb_get_acct_desc ( sam_pwent ) ) ;
printf ( " Workstations: %s \n " , pdb_get_workstations ( sam_pwent ) ) ;
printf ( " Munged dial: %s \n " , pdb_get_munged_dial ( sam_pwent ) ) ;
tmp = pdb_get_logon_time ( sam_pwent ) ;
printf ( " Logon time: %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
tmp = pdb_get_logoff_time ( sam_pwent ) ;
printf ( " Logoff time: %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
tmp = pdb_get_kickoff_time ( sam_pwent ) ;
printf ( " Kickoff time: %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
tmp = pdb_get_pass_last_set_time ( sam_pwent ) ;
printf ( " Password last set: %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
tmp = pdb_get_pass_can_change_time ( sam_pwent ) ;
printf ( " Password can change: %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
tmp = pdb_get_pass_must_change_time ( sam_pwent ) ;
printf ( " Password must change: %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
2004-02-19 19:00:29 +03:00
tmp = pdb_get_bad_password_time ( sam_pwent ) ;
printf ( " Last bad password : %s \n " , tmp ? http_timestring ( tmp ) : " 0 " ) ;
printf ( " Bad password count : %d \n " ,
pdb_get_bad_password_count ( sam_pwent ) ) ;
2002-07-15 14:35:28 +04:00
2001-09-28 01:20:14 +04:00
} else if ( smbpwdstyle ) {
2003-05-12 22:12:31 +04:00
char lm_passwd [ 33 ] ;
char nt_passwd [ 33 ] ;
2003-07-10 18:21:43 +04:00
uid = nametouid ( pdb_get_username ( sam_pwent ) ) ;
2003-05-12 22:12:31 +04:00
pdb_sethexpwd ( lm_passwd , pdb_get_lanman_passwd ( sam_pwent ) , pdb_get_acct_ctrl ( sam_pwent ) ) ;
pdb_sethexpwd ( nt_passwd , pdb_get_nt_passwd ( sam_pwent ) , pdb_get_acct_ctrl ( sam_pwent ) ) ;
2001-11-04 04:09:04 +03:00
2003-07-22 08:31:20 +04:00
printf ( " %s:%lu:%s:%s:%s:LCT-%08X: \n " ,
2003-05-12 22:12:31 +04:00
pdb_get_username ( sam_pwent ) ,
2003-07-22 08:31:20 +04:00
( unsigned long ) uid ,
2003-05-12 22:12:31 +04:00
lm_passwd ,
nt_passwd ,
pdb_encode_acct_ctrl ( pdb_get_acct_ctrl ( sam_pwent ) , NEW_PW_FORMAT_SPACE_PADDED_LEN ) ,
( uint32 ) pdb_get_pass_last_set_time ( sam_pwent ) ) ;
2001-12-31 17:39:26 +03:00
} else {
2003-07-10 18:21:43 +04:00
uid = nametouid ( pdb_get_username ( sam_pwent ) ) ;
2003-07-22 08:31:20 +04:00
printf ( " %s:%lu:%s \n " , pdb_get_username ( sam_pwent ) , ( unsigned long ) uid ,
pdb_get_fullname ( sam_pwent ) ) ;
2001-11-04 04:09:04 +03:00
}
2000-12-06 21:18:48 +03:00
return 0 ;
}
/*********************************************************
Get an Print User Info
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2002-11-13 02:20:50 +03:00
static int print_user_info ( struct pdb_context * in , const char * username , BOOL verbosity , BOOL smbpwdstyle )
2000-12-06 21:18:48 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sam_pwent = NULL ;
BOOL ret ;
2004-02-20 00:40:22 +03:00
BOOL updated_autolock = False , updated_badpw = False ;
2002-01-31 14:38:47 +03:00
if ( ! NT_STATUS_IS_OK ( pdb_init_sam ( & sam_pwent ) ) ) {
return - 1 ;
}
2004-02-20 00:40:22 +03:00
2002-09-26 22:58:34 +04:00
ret = NT_STATUS_IS_OK ( in - > pdb_getsampwnam ( in , sam_pwent , username ) ) ;
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
fprintf ( stderr , " Username not found! \n " ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pwent ) ;
2001-05-04 19:44:27 +04:00
return - 1 ;
}
2004-02-20 00:40:22 +03:00
if ( ! pdb_update_autolock_flag ( sam_pwent , & updated_autolock ) )
DEBUG ( 2 , ( " pdb_update_autolock_flag failed. \n " ) ) ;
if ( ! pdb_update_bad_password_count ( sam_pwent , & updated_badpw ) )
DEBUG ( 2 , ( " pdb_update_bad_password_count failed. \n " ) ) ;
if ( updated_autolock | | updated_badpw ) {
become_root ( ) ;
if ( ! pdb_update_sam_account ( sam_pwent ) )
DEBUG ( 1 , ( " Failed to modify entry. \n " ) ) ;
unbecome_root ( ) ;
}
2001-05-04 19:44:27 +04:00
ret = print_sam_info ( sam_pwent , verbosity , smbpwdstyle ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pwent ) ;
2001-05-04 19:44:27 +04:00
return ret ;
2000-12-06 21:18:48 +03:00
}
/*********************************************************
List Users
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-07-15 14:35:28 +04:00
static int print_users_list ( struct pdb_context * in , BOOL verbosity , BOOL smbpwdstyle )
2000-12-06 21:18:48 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sam_pwent = NULL ;
2002-03-19 02:57:14 +03:00
BOOL check , ret ;
2000-12-06 21:18:48 +03:00
2002-09-26 22:58:34 +04:00
check = NT_STATUS_IS_OK ( in - > pdb_setsampwent ( in , False ) ) ;
2002-07-15 14:35:28 +04:00
if ( ! check ) {
return 1 ;
2000-12-06 21:18:48 +03:00
}
2002-03-19 02:57:14 +03:00
check = True ;
if ( ! ( NT_STATUS_IS_OK ( pdb_init_sam ( & sam_pwent ) ) ) ) return 1 ;
2002-09-26 22:58:34 +04:00
while ( check & & ( ret = NT_STATUS_IS_OK ( in - > pdb_getsampwent ( in , sam_pwent ) ) ) ) {
2001-09-28 01:20:14 +04:00
if ( verbosity )
printf ( " --------------- \n " ) ;
2000-12-06 21:18:48 +03:00
print_sam_info ( sam_pwent , verbosity , smbpwdstyle ) ;
2002-01-27 06:00:56 +03:00
pdb_free_sam ( & sam_pwent ) ;
2002-03-19 02:57:14 +03:00
check = NT_STATUS_IS_OK ( pdb_init_sam ( & sam_pwent ) ) ;
2000-12-06 21:18:48 +03:00
}
2002-03-19 02:57:14 +03:00
if ( check ) pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
2002-07-15 14:35:28 +04:00
in - > pdb_endsampwent ( in ) ;
2000-12-06 21:18:48 +03:00
return 0 ;
}
2004-01-30 01:16:58 +03:00
/*********************************************************
Fix a list of Users for uninitialised passwords
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static int fix_users_list ( struct pdb_context * in )
{
SAM_ACCOUNT * sam_pwent = NULL ;
BOOL check , ret ;
check = NT_STATUS_IS_OK ( in - > pdb_setsampwent ( in , False ) ) ;
if ( ! check ) {
return 1 ;
}
check = True ;
if ( ! ( NT_STATUS_IS_OK ( pdb_init_sam ( & sam_pwent ) ) ) ) return 1 ;
while ( check & & ( ret = NT_STATUS_IS_OK ( in - > pdb_getsampwent ( in , sam_pwent ) ) ) ) {
2004-02-12 00:10:04 +03:00
printf ( " Updating record for user %s \n " , pdb_get_username ( sam_pwent ) ) ;
2004-01-30 01:16:58 +03:00
if ( ! pdb_update_sam_account ( sam_pwent ) ) {
2004-02-12 00:10:04 +03:00
printf ( " Update of user %s failed! \n " , pdb_get_username ( sam_pwent ) ) ;
2004-01-30 01:16:58 +03:00
}
pdb_free_sam ( & sam_pwent ) ;
check = NT_STATUS_IS_OK ( pdb_init_sam ( & sam_pwent ) ) ;
if ( ! check ) {
2004-02-12 00:10:04 +03:00
fprintf ( stderr , " Failed to initialise new SAM_ACCOUNT structure (out of memory?) \n " ) ;
2004-01-30 01:16:58 +03:00
}
}
if ( check ) pdb_free_sam ( & sam_pwent ) ;
in - > pdb_endsampwent ( in ) ;
return 0 ;
}
2000-12-06 21:18:48 +03:00
/*********************************************************
Set User Info
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2003-01-03 11:28:12 +03:00
static int set_user_info ( struct pdb_context * in , const char * username ,
const char * fullname , const char * homedir ,
const char * drive , const char * script ,
2003-04-26 05:15:57 +04:00
const char * profile , const char * account_control ,
2004-02-19 19:00:29 +03:00
const char * user_sid , const char * group_sid ,
const BOOL badpw )
2000-12-06 21:18:48 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sam_pwent = NULL ;
BOOL ret ;
pdb_init_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
2002-09-26 22:58:34 +04:00
ret = NT_STATUS_IS_OK ( in - > pdb_getsampwnam ( in , sam_pwent , username ) ) ;
2001-09-28 01:20:14 +04:00
if ( ret = = False ) {
2000-12-06 21:18:48 +03:00
fprintf ( stderr , " Username not found! \n " ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return - 1 ;
}
2001-09-28 01:20:14 +04:00
if ( fullname )
2002-11-02 06:47:48 +03:00
pdb_set_fullname ( sam_pwent , fullname , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( homedir )
2002-11-02 06:47:48 +03:00
pdb_set_homedir ( sam_pwent , homedir , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( drive )
2002-11-02 06:47:48 +03:00
pdb_set_dir_drive ( sam_pwent , drive , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( script )
2002-11-02 06:47:48 +03:00
pdb_set_logon_script ( sam_pwent , script , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( profile )
2002-11-02 06:47:48 +03:00
pdb_set_profile_path ( sam_pwent , profile , PDB_CHANGED ) ;
2003-02-06 20:10:38 +03:00
if ( account_control ) {
2003-02-07 11:03:37 +03:00
uint16 not_settable = ~ ( ACB_DISABLED | ACB_HOMDIRREQ | ACB_PWNOTREQ |
ACB_PWNOEXP | ACB_AUTOLOCK ) ;
2003-02-06 20:10:38 +03:00
uint16 newflag = pdb_decode_acct_ctrl ( account_control ) ;
2003-02-07 11:03:37 +03:00
if ( newflag & not_settable ) {
2003-02-06 20:10:38 +03:00
fprintf ( stderr , " Can only set [NDHLX] flags \n " ) ;
pdb_free_sam ( & sam_pwent ) ;
return - 1 ;
}
pdb_set_acct_ctrl ( sam_pwent ,
2003-02-07 11:03:37 +03:00
( pdb_get_acct_ctrl ( sam_pwent ) & not_settable ) | newflag ,
2003-02-06 20:10:38 +03:00
PDB_CHANGED ) ;
}
2003-04-26 05:15:57 +04:00
if ( user_sid ) {
DOM_SID u_sid ;
if ( ! string_to_sid ( & u_sid , user_sid ) ) {
/* not a complete sid, may be a RID, try building a SID */
int u_rid ;
if ( sscanf ( user_sid , " %d " , & u_rid ) ! = 1 ) {
fprintf ( stderr , " Error passed string is not a complete user SID or RID! \n " ) ;
return - 1 ;
}
sid_copy ( & u_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & u_sid , u_rid ) ;
}
pdb_set_user_sid ( sam_pwent , & u_sid , PDB_CHANGED ) ;
}
if ( group_sid ) {
DOM_SID g_sid ;
if ( ! string_to_sid ( & g_sid , group_sid ) ) {
/* not a complete sid, may be a RID, try building a SID */
int g_rid ;
if ( sscanf ( group_sid , " %d " , & g_rid ) ! = 1 ) {
fprintf ( stderr , " Error passed string is not a complete group SID or RID! \n " ) ;
return - 1 ;
}
sid_copy ( & g_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & g_sid , g_rid ) ;
}
pdb_set_group_sid ( sam_pwent , & g_sid , PDB_CHANGED ) ;
}
2004-02-19 19:00:29 +03:00
if ( badpw ) {
pdb_set_bad_password_count ( sam_pwent , 0 , PDB_CHANGED ) ;
pdb_set_bad_password_time ( sam_pwent , 0 , PDB_CHANGED ) ;
}
2001-09-28 01:20:14 +04:00
2002-09-26 22:58:34 +04:00
if ( NT_STATUS_IS_OK ( in - > pdb_update_sam_account ( in , sam_pwent ) ) )
2002-07-15 14:35:28 +04:00
print_user_info ( in , username , True , False ) ;
2001-09-28 01:20:14 +04:00
else {
2000-12-06 21:18:48 +03:00
fprintf ( stderr , " Unable to modify entry! \n " ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return - 1 ;
}
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return 0 ;
}
/*********************************************************
Add New User
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-04-26 05:15:57 +04:00
static int new_user ( struct pdb_context * in , const char * username ,
const char * fullname , const char * homedir ,
const char * drive , const char * script ,
const char * profile , char * user_sid , char * group_sid )
2000-12-06 21:18:48 +03:00
{
2001-09-26 15:28:26 +04:00
SAM_ACCOUNT * sam_pwent = NULL ;
2003-04-29 13:43:17 +04:00
NTSTATUS nt_status ;
2002-08-17 18:45:04 +04:00
char * password1 , * password2 , * staticpass ;
2000-12-06 21:18:48 +03:00
2004-02-23 23:12:31 +03:00
get_global_sam_sid ( ) ;
2003-07-11 09:33:40 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status = pdb_init_sam_new ( & sam_pwent , username , 0 ) ) ) {
2003-04-29 13:43:17 +04:00
DEBUG ( 0 , ( " could not create account to add new user %s \n " , username ) ) ;
return - 1 ;
2002-01-23 15:59:24 +03:00
}
2001-12-31 17:39:26 +03:00
2002-08-17 18:45:04 +04:00
staticpass = getpass ( " new password: " ) ;
password1 = strdup ( staticpass ) ;
memset ( staticpass , 0 , strlen ( staticpass ) ) ;
staticpass = getpass ( " retype new password: " ) ;
password2 = strdup ( staticpass ) ;
memset ( staticpass , 0 , strlen ( staticpass ) ) ;
2001-12-31 17:39:26 +03:00
if ( strcmp ( password1 , password2 ) ) {
2002-08-17 18:45:04 +04:00
fprintf ( stderr , " Passwords does not match! \n " ) ;
memset ( password1 , 0 , strlen ( password1 ) ) ;
SAFE_FREE ( password1 ) ;
memset ( password2 , 0 , strlen ( password2 ) ) ;
SAFE_FREE ( password2 ) ;
pdb_free_sam ( & sam_pwent ) ;
return - 1 ;
2000-12-06 21:18:48 +03:00
}
2001-09-26 15:28:26 +04:00
2001-12-31 17:39:26 +03:00
pdb_set_plaintext_passwd ( sam_pwent , password1 ) ;
2002-08-17 18:45:04 +04:00
memset ( password1 , 0 , strlen ( password1 ) ) ;
SAFE_FREE ( password1 ) ;
memset ( password2 , 0 , strlen ( password2 ) ) ;
SAFE_FREE ( password2 ) ;
2001-09-26 15:28:26 +04:00
2001-09-28 01:20:14 +04:00
if ( fullname )
2002-11-02 06:47:48 +03:00
pdb_set_fullname ( sam_pwent , fullname , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( homedir )
2002-11-02 06:47:48 +03:00
pdb_set_homedir ( sam_pwent , homedir , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( drive )
2002-11-02 06:47:48 +03:00
pdb_set_dir_drive ( sam_pwent , drive , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( script )
2002-11-02 06:47:48 +03:00
pdb_set_logon_script ( sam_pwent , script , PDB_CHANGED ) ;
2001-09-28 01:20:14 +04:00
if ( profile )
2002-11-02 06:47:48 +03:00
pdb_set_profile_path ( sam_pwent , profile , PDB_CHANGED ) ;
2003-04-26 05:15:57 +04:00
if ( user_sid ) {
DOM_SID u_sid ;
if ( ! string_to_sid ( & u_sid , user_sid ) ) {
/* not a complete sid, may be a RID, try building a SID */
int u_rid ;
if ( sscanf ( user_sid , " %d " , & u_rid ) ! = 1 ) {
fprintf ( stderr , " Error passed string is not a complete user SID or RID! \n " ) ;
return - 1 ;
}
sid_copy ( & u_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & u_sid , u_rid ) ;
}
pdb_set_user_sid ( sam_pwent , & u_sid , PDB_CHANGED ) ;
}
if ( group_sid ) {
DOM_SID g_sid ;
if ( ! string_to_sid ( & g_sid , group_sid ) ) {
/* not a complete sid, may be a RID, try building a SID */
int g_rid ;
if ( sscanf ( group_sid , " %d " , & g_rid ) ! = 1 ) {
fprintf ( stderr , " Error passed string is not a complete group SID or RID! \n " ) ;
return - 1 ;
}
sid_copy ( & g_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & g_sid , g_rid ) ;
}
pdb_set_group_sid ( sam_pwent , & g_sid , PDB_CHANGED ) ;
}
2001-12-31 03:06:51 +03:00
2002-11-02 06:47:48 +03:00
pdb_set_acct_ctrl ( sam_pwent , ACB_NORMAL , PDB_CHANGED ) ;
2000-12-06 21:18:48 +03:00
2002-09-26 22:58:34 +04:00
if ( NT_STATUS_IS_OK ( in - > pdb_add_sam_account ( in , sam_pwent ) ) ) {
2002-07-15 14:35:28 +04:00
print_user_info ( in , username , True , False ) ;
2001-09-26 15:28:26 +04:00
} else {
2003-09-21 06:58:08 +04:00
fprintf ( stderr , " Unable to add user! (does it already exist?) \n " ) ;
2001-12-31 17:39:26 +03:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return - 1 ;
}
2001-12-31 17:39:26 +03:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return 0 ;
}
/*********************************************************
Add New Machine
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2003-01-03 11:28:12 +03:00
static int new_machine ( struct pdb_context * in , const char * machine_in )
2000-12-06 21:18:48 +03:00
{
2001-09-26 15:28:26 +04:00
SAM_ACCOUNT * sam_pwent = NULL ;
2003-01-03 11:28:12 +03:00
fstring machinename ;
2003-03-18 14:22:52 +03:00
fstring machineaccount ;
2003-01-07 13:39:23 +03:00
struct passwd * pwd = NULL ;
2001-09-26 15:28:26 +04:00
2004-02-23 23:12:31 +03:00
get_global_sam_sid ( ) ;
2003-01-03 11:28:12 +03:00
fstrcpy ( machinename , machine_in ) ;
2003-03-18 14:22:52 +03:00
machinename [ 15 ] = ' \0 ' ;
2003-01-03 11:28:12 +03:00
2001-09-28 01:20:14 +04:00
if ( machinename [ strlen ( machinename ) - 1 ] = = ' $ ' )
machinename [ strlen ( machinename ) - 1 ] = ' \0 ' ;
2000-12-06 21:18:48 +03:00
2003-01-03 11:28:12 +03:00
strlower_m ( machinename ) ;
2003-03-18 14:22:52 +03:00
fstrcpy ( machineaccount , machinename ) ;
fstrcat ( machineaccount , " $ " ) ;
2003-01-03 11:28:12 +03:00
2003-03-18 14:22:52 +03:00
if ( ( pwd = getpwnam_alloc ( machineaccount ) ) ) {
2003-01-07 13:39:23 +03:00
if ( ! NT_STATUS_IS_OK ( pdb_init_sam_pw ( & sam_pwent , pwd ) ) ) {
fprintf ( stderr , " Could not init sam from pw \n " ) ;
passwd_free ( & pwd ) ;
return - 1 ;
}
2003-01-07 23:55:43 +03:00
passwd_free ( & pwd ) ;
2003-01-07 13:39:23 +03:00
} else {
if ( ! NT_STATUS_IS_OK ( pdb_init_sam ( & sam_pwent ) ) ) {
fprintf ( stderr , " Could not init sam from pw \n " ) ;
return - 1 ;
}
}
2003-01-03 11:28:12 +03:00
pdb_set_plaintext_passwd ( sam_pwent , machinename ) ;
2001-09-26 15:28:26 +04:00
2003-03-18 14:22:52 +03:00
pdb_set_username ( sam_pwent , machineaccount , PDB_CHANGED ) ;
2001-05-04 19:44:27 +04:00
2002-11-02 06:47:48 +03:00
pdb_set_acct_ctrl ( sam_pwent , ACB_WSTRUST , PDB_CHANGED ) ;
2000-12-06 21:18:48 +03:00
2002-11-02 06:47:48 +03:00
pdb_set_group_sid_from_rid ( sam_pwent , DOMAIN_GROUP_RID_COMPUTERS , PDB_CHANGED ) ;
2002-03-19 16:57:53 +03:00
2002-09-26 22:58:34 +04:00
if ( NT_STATUS_IS_OK ( in - > pdb_add_sam_account ( in , sam_pwent ) ) ) {
2003-03-18 14:22:52 +03:00
print_user_info ( in , machineaccount , True , False ) ;
2001-09-26 15:28:26 +04:00
} else {
2001-09-27 13:36:38 +04:00
fprintf ( stderr , " Unable to add machine! (does it already exist?) \n " ) ;
2001-12-31 17:39:26 +03:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return - 1 ;
}
2001-12-31 17:39:26 +03:00
pdb_free_sam ( & sam_pwent ) ;
2000-12-06 21:18:48 +03:00
return 0 ;
}
/*********************************************************
Delete user entry
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2003-01-03 11:28:12 +03:00
static int delete_user_entry ( struct pdb_context * in , const char * username )
2000-12-06 21:18:48 +03:00
{
2002-01-31 14:38:47 +03:00
SAM_ACCOUNT * samaccount = NULL ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2002-01-31 14:38:47 +03:00
if ( ! NT_STATUS_IS_OK ( pdb_init_sam ( & samaccount ) ) ) {
return - 1 ;
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2003-06-22 14:09:52 +04:00
if ( ! NT_STATUS_IS_OK ( in - > pdb_getsampwnam ( in , samaccount , username ) ) ) {
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
fprintf ( stderr , " user %s does not exist in the passdb \n " , username ) ;
return - 1 ;
}
2003-11-27 21:34:42 +03:00
if ( ! NT_STATUS_IS_OK ( in - > pdb_delete_sam_account ( in , samaccount ) ) ) {
fprintf ( stderr , " Unable to delete user %s \n " , username ) ;
return - 1 ;
}
return 0 ;
2000-12-06 21:18:48 +03:00
}
/*********************************************************
Delete machine entry
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2003-01-03 11:28:12 +03:00
static int delete_machine_entry ( struct pdb_context * in , const char * machinename )
2000-12-06 21:18:48 +03:00
{
2003-03-18 14:22:52 +03:00
fstring name ;
2002-01-31 14:38:47 +03:00
SAM_ACCOUNT * samaccount = NULL ;
2000-12-06 21:18:48 +03:00
2003-03-18 14:22:52 +03:00
fstrcpy ( name , machinename ) ;
name [ 15 ] = ' \0 ' ;
if ( name [ strlen ( name ) - 1 ] ! = ' $ ' )
fstrcat ( name , " $ " ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2002-01-31 14:38:47 +03:00
if ( ! NT_STATUS_IS_OK ( pdb_init_sam ( & samaccount ) ) ) {
return - 1 ;
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2003-06-22 14:09:52 +04:00
if ( ! NT_STATUS_IS_OK ( in - > pdb_getsampwnam ( in , samaccount , name ) ) ) {
2002-08-17 18:45:04 +04:00
fprintf ( stderr , " machine %s does not exist in the passdb \n " , name ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
return - 1 ;
}
2003-11-27 21:34:42 +03:00
if ( ! NT_STATUS_IS_OK ( in - > pdb_delete_sam_account ( in , samaccount ) ) ) {
fprintf ( stderr , " Unable to delete machine %s \n " , name ) ;
return - 1 ;
}
return 0 ;
2000-12-06 21:18:48 +03:00
}
/*********************************************************
Start here .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-09-28 01:20:14 +04:00
2000-12-06 21:18:48 +03:00
int main ( int argc , char * * argv )
{
2002-07-15 14:35:28 +04:00
static BOOL list_users = False ;
static BOOL verbose = False ;
static BOOL spstyle = False ;
static BOOL machine = False ;
static BOOL add_user = False ;
static BOOL delete_user = False ;
2002-08-17 18:45:04 +04:00
static BOOL modify_user = False ;
uint32 setparms , checkparms ;
2002-07-15 14:35:28 +04:00
int opt ;
static char * full_name = NULL ;
2003-01-03 11:28:12 +03:00
static const char * user_name = NULL ;
2002-07-15 14:35:28 +04:00
static char * home_dir = NULL ;
static char * home_drive = NULL ;
2002-08-17 18:45:04 +04:00
static char * backend = NULL ;
2002-07-15 14:35:28 +04:00
static char * backend_in = NULL ;
static char * backend_out = NULL ;
2003-03-23 14:50:16 +03:00
static BOOL transfer_groups = False ;
2004-01-30 01:16:58 +03:00
static BOOL force_initialised_password = False ;
2002-07-15 14:35:28 +04:00
static char * logon_script = NULL ;
static char * profile_path = NULL ;
2003-02-06 20:10:38 +03:00
static char * account_control = NULL ;
2002-08-17 18:45:04 +04:00
static char * account_policy = NULL ;
2003-04-26 05:15:57 +04:00
static char * user_sid = NULL ;
static char * group_sid = NULL ;
2002-08-17 18:45:04 +04:00
static long int account_policy_value = 0 ;
BOOL account_policy_value_set = False ;
2004-02-19 19:00:29 +03:00
static BOOL badpw_reset = False ;
2002-07-15 14:35:28 +04:00
2002-08-17 18:45:04 +04:00
struct pdb_context * bin ;
struct pdb_context * bout ;
struct pdb_context * bdef ;
2002-07-15 14:35:28 +04:00
poptContext pc ;
struct poptOption long_options [ ] = {
POPT_AUTOHELP
2003-04-14 07:30:20 +04:00
{ " list " , ' L ' , POPT_ARG_NONE , & list_users , 0 , " list all users " , NULL } ,
2002-08-17 18:45:04 +04:00
{ " verbose " , ' v ' , POPT_ARG_NONE , & verbose , 0 , " be verbose " , NULL } ,
{ " smbpasswd-style " , ' w ' , POPT_ARG_NONE , & spstyle , 0 , " give output in smbpasswd style " , NULL } ,
{ " user " , ' u ' , POPT_ARG_STRING , & user_name , 0 , " use username " , " USER " } ,
{ " fullname " , ' f ' , POPT_ARG_STRING , & full_name , 0 , " set full name " , NULL } ,
{ " homedir " , ' h ' , POPT_ARG_STRING , & home_dir , 0 , " set home directory " , NULL } ,
2002-10-28 22:48:00 +03:00
{ " drive " , ' D ' , POPT_ARG_STRING , & home_drive , 0 , " set home drive " , NULL } ,
{ " script " , ' S ' , POPT_ARG_STRING , & logon_script , 0 , " set logon script " , NULL } ,
2002-08-17 18:45:04 +04:00
{ " profile " , ' p ' , POPT_ARG_STRING , & profile_path , 0 , " set profile path " , NULL } ,
2003-05-12 22:12:31 +04:00
{ " user SID " , ' U ' , POPT_ARG_STRING , & user_sid , 0 , " set user SID or RID " , NULL } ,
{ " group SID " , ' G ' , POPT_ARG_STRING , & group_sid , 0 , " set group SID or RID " , NULL } ,
2002-08-17 18:45:04 +04:00
{ " create " , ' a ' , POPT_ARG_NONE , & add_user , 0 , " create user " , NULL } ,
{ " modify " , ' r ' , POPT_ARG_NONE , & modify_user , 0 , " modify user " , NULL } ,
{ " machine " , ' m ' , POPT_ARG_NONE , & machine , 0 , " account is a machine account " , NULL } ,
{ " delete " , ' x ' , POPT_ARG_NONE , & delete_user , 0 , " delete user " , NULL } ,
{ " backend " , ' b ' , POPT_ARG_STRING , & backend , 0 , " use different passdb backend as default backend " , NULL } ,
{ " import " , ' i ' , POPT_ARG_STRING , & backend_in , 0 , " import user accounts from this backend " , NULL } ,
{ " export " , ' e ' , POPT_ARG_STRING , & backend_out , 0 , " export user accounts to this backend " , NULL } ,
2003-03-23 14:50:16 +03:00
{ " group " , ' g ' , POPT_ARG_NONE , & transfer_groups , 0 , " use -i and -e for groups " , NULL } ,
2002-08-17 18:45:04 +04:00
{ " account-policy " , ' P ' , POPT_ARG_STRING , & account_policy , 0 , " value of an account policy (like maximum password age) " , NULL } ,
2003-04-14 07:30:20 +04:00
{ " value " , ' C ' , POPT_ARG_LONG , & account_policy_value , ' C ' , " set the account policy to this value " , NULL } ,
2003-02-06 20:10:38 +03:00
{ " account-control " , ' c ' , POPT_ARG_STRING , & account_control , 0 , " Values of account control " , NULL } ,
2004-01-30 01:16:58 +03:00
{ " force-initialized-passwords " , 0 , POPT_ARG_NONE , & force_initialised_password , 0 , " Force initialization of corrupt password strings in a passdb backend " , NULL } ,
2004-02-19 19:00:29 +03:00
{ " bad-password-count-reset " , ' z ' , POPT_ARG_NONE , & badpw_reset , 0 , " reset bad password count " , NULL } ,
2003-04-14 07:30:20 +04:00
POPT_COMMON_SAMBA
POPT_TABLEEND
2002-07-15 14:35:28 +04:00
} ;
2002-08-17 18:45:04 +04:00
2001-11-25 21:54:04 +03:00
setup_logging ( " pdbedit " , True ) ;
2002-08-17 18:45:04 +04:00
2002-07-15 14:35:28 +04:00
pc = poptGetContext ( NULL , argc , ( const char * * ) argv , long_options ,
2002-08-17 18:45:04 +04:00
POPT_CONTEXT_KEEP_FIRST ) ;
while ( ( opt = poptGetNextOpt ( pc ) ) ! = - 1 ) {
switch ( opt ) {
2003-05-30 02:00:54 +04:00
case ' C ' :
2002-08-17 18:45:04 +04:00
account_policy_value_set = True ;
break ;
}
}
2002-10-28 22:48:00 +03:00
poptGetArg ( pc ) ; /* Drop argv[0], the program name */
2002-12-28 22:48:59 +03:00
if ( user_name = = NULL )
user_name = poptGetArg ( pc ) ;
2002-10-28 22:48:00 +03:00
if ( ! lp_load ( dyn_CONFIGFILE , True , False , False ) ) {
fprintf ( stderr , " Can't load %s - run testparm to debug it \n " , dyn_CONFIGFILE ) ;
2001-12-31 17:39:26 +03:00
exit ( 1 ) ;
}
2002-07-15 14:35:28 +04:00
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( ! initialize_password_db ( False ) )
exit ( 1 ) ;
2002-11-13 02:20:50 +03:00
if ( ! init_names ( ) )
exit ( 1 ) ;
2002-09-25 19:19:00 +04:00
2002-10-28 22:48:00 +03:00
setparms = ( backend ? BIT_BACKEND : 0 ) +
2002-08-17 18:45:04 +04:00
( verbose ? BIT_VERBOSE : 0 ) +
( spstyle ? BIT_SPSTYLE : 0 ) +
( full_name ? BIT_FULLNAME : 0 ) +
( home_dir ? BIT_HOMEDIR : 0 ) +
( home_drive ? BIT_HDIRDRIVE : 0 ) +
( logon_script ? BIT_LOGSCRIPT : 0 ) +
( profile_path ? BIT_PROFILE : 0 ) +
( machine ? BIT_MACHINE : 0 ) +
( user_name ? BIT_USER : 0 ) +
( list_users ? BIT_LIST : 0 ) +
2004-01-30 01:16:58 +03:00
( force_initialised_password ? BIT_FIX_INIT : 0 ) +
2002-08-17 18:45:04 +04:00
( modify_user ? BIT_MODIFY : 0 ) +
( add_user ? BIT_CREATE : 0 ) +
( delete_user ? BIT_DELETE : 0 ) +
2003-02-06 20:10:38 +03:00
( account_control ? BIT_ACCTCTRL : 0 ) +
2002-08-17 18:45:04 +04:00
( account_policy ? BIT_ACCPOLICY : 0 ) +
( account_policy_value_set ? BIT_ACCPOLVAL : 0 ) +
( backend_in ? BIT_IMPORT : 0 ) +
2004-02-19 19:00:29 +03:00
( backend_out ? BIT_EXPORT : 0 ) +
( badpw_reset ? BIT_BADPWRESET : 0 ) ;
2002-08-17 18:45:04 +04:00
if ( setparms & BIT_BACKEND ) {
if ( ! NT_STATUS_IS_OK ( make_pdb_context_string ( & bdef , backend ) ) ) {
2002-07-15 14:35:28 +04:00
fprintf ( stderr , " Can't initialize passdb backend. \n " ) ;
return 1 ;
}
} else {
2002-08-17 18:45:04 +04:00
if ( ! NT_STATUS_IS_OK ( make_pdb_context_list ( & bdef , lp_passdb_backend ( ) ) ) ) {
2002-07-15 14:35:28 +04:00
fprintf ( stderr , " Can't initialize passdb backend. \n " ) ;
return 1 ;
2000-12-06 21:18:48 +03:00
}
}
2002-08-17 18:45:04 +04:00
/* the lowest bit options are always accepted */
checkparms = setparms & ~ MASK_ALWAYS_GOOD ;
2004-01-30 01:16:58 +03:00
if ( checkparms & BIT_FIX_INIT ) {
return fix_users_list ( bdef ) ;
}
2002-09-25 19:19:00 +04:00
/* account policy operations */
2002-08-17 18:45:04 +04:00
if ( ( checkparms & BIT_ACCPOLICY ) & & ! ( checkparms & ~ ( BIT_ACCPOLICY + BIT_ACCPOLVAL ) ) ) {
uint32 value ;
int field = account_policy_name_to_fieldnum ( account_policy ) ;
if ( field = = 0 ) {
fprintf ( stderr , " No account policy by that name \n " ) ;
exit ( 1 ) ;
}
if ( ! account_policy_get ( field , & value ) ) {
fprintf ( stderr , " valid account policy, but unable to fetch value! \n " ) ;
exit ( 1 ) ;
}
if ( account_policy_value_set ) {
printf ( " account policy value for %s was %u \n " , account_policy , value ) ;
if ( ! account_policy_set ( field , account_policy_value ) ) {
fprintf ( stderr , " valid account policy, but unable to set value! \n " ) ;
exit ( 1 ) ;
}
printf ( " account policy value for %s is now %lu \n " , account_policy , account_policy_value ) ;
exit ( 0 ) ;
} else {
printf ( " account policy value for %s is %u \n " , account_policy , value ) ;
exit ( 0 ) ;
}
}
2000-12-06 21:18:48 +03:00
2002-08-17 18:45:04 +04:00
/* import and export operations */
if ( ( ( checkparms & BIT_IMPORT ) | | ( checkparms & BIT_EXPORT ) )
& & ! ( checkparms & ~ ( BIT_IMPORT + BIT_EXPORT ) ) ) {
if ( backend_in ) {
if ( ! NT_STATUS_IS_OK ( make_pdb_context_string ( & bin , backend_in ) ) ) {
fprintf ( stderr , " Can't initialize passdb backend. \n " ) ;
return 1 ;
}
} else {
bin = bdef ;
2000-12-06 21:18:48 +03:00
}
2002-08-17 18:45:04 +04:00
if ( backend_out ) {
if ( ! NT_STATUS_IS_OK ( make_pdb_context_string ( & bout , backend_out ) ) ) {
fprintf ( stderr , " Can't initialize %s. \n " , backend_out ) ;
return 1 ;
}
} else {
bout = bdef ;
}
2003-03-23 14:50:16 +03:00
if ( transfer_groups ) {
return export_groups ( bin , bout ) ;
} else {
return export_database ( bin , bout ) ;
}
2000-12-06 21:18:48 +03:00
}
2002-08-17 18:45:04 +04:00
/* if BIT_USER is defined but nothing else then threat it as -l -u for compatibility */
/* fake up BIT_LIST if only BIT_USER is defined */
if ( ( checkparms & BIT_USER ) & & ! ( checkparms & ~ BIT_USER ) ) {
checkparms + = BIT_LIST ;
}
/* modify flag is optional to maintain backwards compatibility */
/* fake up BIT_MODIFY if BIT_USER and at least one of MASK_USER_GOOD is defined */
if ( ! ( ( checkparms & ~ MASK_USER_GOOD ) & ~ BIT_USER ) & & ( checkparms & MASK_USER_GOOD ) ) {
checkparms + = BIT_MODIFY ;
}
/* list users operations */
if ( checkparms & BIT_LIST ) {
if ( ! ( checkparms & ~ BIT_LIST ) ) {
return print_users_list ( bdef , verbose , spstyle ) ;
}
if ( ! ( checkparms & ~ ( BIT_USER + BIT_LIST ) ) ) {
return print_user_info ( bdef , user_name , verbose , spstyle ) ;
}
}
/* mask out users options */
checkparms & = ~ MASK_USER_GOOD ;
2004-02-19 19:00:29 +03:00
/* if bad password count is reset, we must be modifying */
if ( checkparms & BIT_BADPWRESET ) {
checkparms | = BIT_MODIFY ;
checkparms & = ~ BIT_BADPWRESET ;
}
2002-08-17 18:45:04 +04:00
/* account operation */
if ( ( checkparms & BIT_CREATE ) | | ( checkparms & BIT_MODIFY ) | | ( checkparms & BIT_DELETE ) ) {
/* check use of -u option */
if ( ! ( checkparms & BIT_USER ) ) {
2000-12-06 21:18:48 +03:00
fprintf ( stderr , " Username not specified! (use -u option) \n " ) ;
return - 1 ;
}
2002-07-15 14:35:28 +04:00
2002-08-17 18:45:04 +04:00
/* account creation operations */
if ( ! ( checkparms & ~ ( BIT_CREATE + BIT_USER + BIT_MACHINE ) ) ) {
if ( checkparms & BIT_MACHINE ) {
return new_machine ( bdef , user_name ) ;
} else {
return new_user ( bdef , user_name , full_name , home_dir ,
home_drive , logon_script ,
2003-04-26 05:15:57 +04:00
profile_path , user_sid , group_sid ) ;
2002-08-17 18:45:04 +04:00
}
}
/* account deletion operations */
if ( ! ( checkparms & ~ ( BIT_DELETE + BIT_USER + BIT_MACHINE ) ) ) {
if ( checkparms & BIT_MACHINE ) {
return delete_machine_entry ( bdef , user_name ) ;
} else {
return delete_user_entry ( bdef , user_name ) ;
}
}
/* account modification operations */
if ( ! ( checkparms & ~ ( BIT_MODIFY + BIT_USER ) ) ) {
return set_user_info ( bdef , user_name , full_name ,
2002-07-15 14:35:28 +04:00
home_dir ,
home_drive ,
logon_script ,
2003-04-26 05:15:57 +04:00
profile_path , account_control ,
2004-02-19 19:00:29 +03:00
user_sid , group_sid ,
badpw_reset ) ;
2002-08-17 18:45:04 +04:00
}
2000-12-06 21:18:48 +03:00
}
2002-08-17 18:45:04 +04:00
if ( setparms > = 0x20 ) {
fprintf ( stderr , " Incompatible or insufficient options on command line! \n " ) ;
}
2002-07-15 14:35:28 +04:00
poptPrintHelp ( pc , stderr , 0 ) ;
return 1 ;
2000-12-06 21:18:48 +03:00
}
