search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix bug #9085.
[Samba.git] / source3 / passdb / pdb_get_set.c
blob678dc613f2864ac042f7c55328d54d8fa7a88158
1 /*
2 Unix SMB/CIFS implementation.
3 struct samu access routines
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Stefan (metze) Metzmacher 2002
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "../libcli/auth/libcli_auth.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_PASSDB
29
30 /**
31 * @todo Redefine this to NULL, but this changes the API because
32 * much of samba assumes that the pdb_get...() funtions
33 * return strings. (ie not null-pointers).
34 * See also pdb_fill_default_sam().
35 */
36
37 #define PDB_NOT_QUITE_NULL ""
38
39 /*********************************************************************
40 Test if a change time is a max value. Copes with old and new values
41 of max.
42 ********************************************************************/
43
44 bool pdb_is_password_change_time_max(time_t test_time)
45 {
46 if (test_time == get_time_t_max()) {
47 return true;
48 }
49 #if (defined(SIZEOF_TIME_T) && (SIZEOF_TIME_T == 8))
50 if (test_time == 0x7FFFFFFFFFFFFFFFLL) {
51 return true;
52 }
53 #endif
54 if (test_time == 0x7FFFFFFF) {
55 return true;
56 }
57 return false;
58 }
59
60 /*********************************************************************
61 Return an unchanging version of max password change time - 0x7FFFFFFF.
62 ********************************************************************/
63
64 time_t pdb_password_change_time_max(void)
65 {
66 return 0x7FFFFFFF;
67 }
68
69 /*********************************************************************
70 Collection of get...() functions for struct samu.
71 ********************************************************************/
72
73 uint32 pdb_get_acct_ctrl(const struct samu *sampass)
74 {
75 return sampass->acct_ctrl;
76 }
77
78 time_t pdb_get_logon_time(const struct samu *sampass)
79 {
80 return sampass->logon_time;
81 }
82
83 time_t pdb_get_logoff_time(const struct samu *sampass)
84 {
85 return sampass->logoff_time;
86 }
87
88 time_t pdb_get_kickoff_time(const struct samu *sampass)
89 {
90 return sampass->kickoff_time;
91 }
92
93 time_t pdb_get_bad_password_time(const struct samu *sampass)
94 {
95 return sampass->bad_password_time;
96 }
97
98 time_t pdb_get_pass_last_set_time(const struct samu *sampass)
99 {
100 return sampass->pass_last_set_time;
101 }
102
103 time_t pdb_get_pass_can_change_time(const struct samu *sampass)
104 {
105 uint32 allow;
106
107 /* if the last set time is zero, it means the user cannot
108 change their password, and this time must be zero. jmcd
109 */
110 if (sampass->pass_last_set_time == 0)
111 return (time_t) 0;
112
113 /* if the time is max, and the field has been changed,
114 we're trying to update this real value from the sampass
115 to indicate that the user cannot change their password. jmcd
116 */
117 if (pdb_is_password_change_time_max(sampass->pass_can_change_time) &&
118 pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED)
119 return sampass->pass_can_change_time;
120
121 if (!pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &allow))
122 allow = 0;
123
124 /* in normal cases, just calculate it from policy */
125 return sampass->pass_last_set_time + allow;
126 }
127
128 /* we need this for loading from the backend, so that we don't overwrite
129 non-changed max times, otherwise the pass_can_change checking won't work */
130 time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
131 {
132 return sampass->pass_can_change_time;
133 }
134
135 time_t pdb_get_pass_must_change_time(const struct samu *sampass)
136 {
137 uint32 expire;
138
139 if (sampass->pass_last_set_time == 0)
140 return (time_t) 0;
141
142 if (sampass->acct_ctrl & ACB_PWNOEXP)
143 return pdb_password_change_time_max();
144
145 if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire)
146 || expire == (uint32)-1 || expire == 0)
147 return pdb_password_change_time_max();
148
149 return sampass->pass_last_set_time + expire;
150 }
151
152 bool pdb_get_pass_can_change(const struct samu *sampass)
153 {
154 if (pdb_is_password_change_time_max(sampass->pass_can_change_time) &&
155 sampass->pass_last_set_time != 0)
156 return False;
157 return True;
158 }
159
160 uint16 pdb_get_logon_divs(const struct samu *sampass)
161 {
162 return sampass->logon_divs;
163 }
164
165 uint32 pdb_get_hours_len(const struct samu *sampass)
166 {
167 return sampass->hours_len;
168 }
169
170 const uint8 *pdb_get_hours(const struct samu *sampass)
171 {
172 return (sampass->hours);
173 }
174
175 const uint8 *pdb_get_nt_passwd(const struct samu *sampass)
176 {
177 SMB_ASSERT((!sampass->nt_pw.data)
178 || sampass->nt_pw.length == NT_HASH_LEN);
179 return (uint8 *)sampass->nt_pw.data;
180 }
181
182 const uint8 *pdb_get_lanman_passwd(const struct samu *sampass)
183 {
184 SMB_ASSERT((!sampass->lm_pw.data)
185 || sampass->lm_pw.length == LM_HASH_LEN);
186 return (uint8 *)sampass->lm_pw.data;
187 }
188
189 const uint8 *pdb_get_pw_history(const struct samu *sampass, uint32 *current_hist_len)
190 {
191 SMB_ASSERT((!sampass->nt_pw_his.data)
192 || ((sampass->nt_pw_his.length % PW_HISTORY_ENTRY_LEN) == 0));
193 *current_hist_len = sampass->nt_pw_his.length / PW_HISTORY_ENTRY_LEN;
194 return (uint8 *)sampass->nt_pw_his.data;
195 }
196
197 /* Return the plaintext password if known. Most of the time
198 it isn't, so don't assume anything magic about this function.
199
200 Used to pass the plaintext to passdb backends that might
201 want to store more than just the NTLM hashes.
202 */
203 const char *pdb_get_plaintext_passwd(const struct samu *sampass)
204 {
205 return sampass->plaintext_pw;
206 }
207
208 const DOM_SID *pdb_get_user_sid(const struct samu *sampass)
209 {
210 return &sampass->user_sid;
211 }
212
213 const DOM_SID *pdb_get_group_sid(struct samu *sampass)
214 {
215 DOM_SID *gsid;
216 struct passwd *pwd;
217 bool need_lookup_sid = false;
218
219 /* Return the cached group SID if we have that */
220 if ( sampass->group_sid ) {
221 return sampass->group_sid;
222 }
223
224 /* generate the group SID from the user's primary Unix group */
225
226 if ( !(gsid = TALLOC_ZERO_P( sampass, DOM_SID )) ) {
227 return NULL;
228 }
229
230 /* No algorithmic mapping, meaning that we have to figure out the
231 primary group SID according to group mapping and the user SID must
232 be a newly allocated one. We rely on the user's Unix primary gid.
233 We have no choice but to fail if we can't find it. */
234
235 if ( sampass->unix_pw ) {
236 pwd = sampass->unix_pw;
237 } else {
238 pwd = Get_Pwnam_alloc( sampass, pdb_get_username(sampass) );
239 }
240
241 if ( !pwd ) {
242 DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) ));
243 return NULL;
244 }
245
246 gid_to_sid(gsid, pwd->pw_gid);
247 if (!is_null_sid(gsid)) {
248 DOM_SID dgsid;
249 uint32_t rid;
250
251 sid_copy(&dgsid, gsid);
252 sid_split_rid(&dgsid, &rid);
253 if (sid_equal(&dgsid, get_global_sam_sid())) {
254 /*
255 * As shortcut for the expensive lookup_sid call
256 * compare the domain sid part
257 */
258 switch (rid) {
259 case DOMAIN_RID_ADMINS:
260 case DOMAIN_RID_USERS:
261 sampass->group_sid = gsid;
262 return sampass->group_sid;
263 default:
264 need_lookup_sid = true;
265 break;
266 }
267 } else {
268 ZERO_STRUCTP(gsid);
269 if (pdb_gid_to_sid(pwd->pw_gid, gsid)) {
270 need_lookup_sid = true;
271 }
272 }
273 }
274
275 if (need_lookup_sid) {
276 enum lsa_SidType type = SID_NAME_UNKNOWN;
277 TALLOC_CTX *mem_ctx;
278 bool lookup_ret;
279 const DOM_SID *usid = pdb_get_user_sid(sampass);
280
281 mem_ctx = talloc_init("pdb_get_group_sid");
282 if (!mem_ctx) {
283 return NULL;
284 }
285
286 DEBUG(10,("do lookup_sid(%s) for group of user %s\n",
287 sid_string_dbg(gsid), sid_string_dbg(usid)));
288
289 /* Now check that it's actually a domain group and not something else */
290
291 lookup_ret = lookup_sid(mem_ctx, gsid, NULL, NULL, &type);
292
293 TALLOC_FREE( mem_ctx );
294
295 if ( lookup_ret && (type == SID_NAME_DOM_GRP) ) {
296 sampass->group_sid = gsid;
297 return sampass->group_sid;
298 }
299
300 DEBUG(3, ("Primary group %s for user %s is a %s and not a domain group\n",
301 sid_string_dbg(gsid), pwd->pw_name, sid_type_lookup(type)));
302 }
303
304 /* Just set it to the 'Domain Users' RID of 512 which will
305 always resolve to a name */
306
307 sid_copy( gsid, get_global_sam_sid() );
308 sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS );
309
310 sampass->group_sid = gsid;
311
312 return sampass->group_sid;
313 }
314
315 /**
316 * Get flags showing what is initalised in the struct samu
317 * @param sampass the struct samu in question
318 * @return the flags indicating the members initialised in the struct.
319 **/
320
321 enum pdb_value_state pdb_get_init_flags(const struct samu *sampass, enum pdb_elements element)
322 {
323 enum pdb_value_state ret = PDB_DEFAULT;
324
325 if (!sampass->change_flags || !sampass->set_flags)
326 return ret;
327
328 if (bitmap_query(sampass->set_flags, element)) {
329 DEBUG(11, ("element %d: SET\n", element));
330 ret = PDB_SET;
331 }
332
333 if (bitmap_query(sampass->change_flags, element)) {
334 DEBUG(11, ("element %d: CHANGED\n", element));
335 ret = PDB_CHANGED;
336 }
337
338 if (ret == PDB_DEFAULT) {
339 DEBUG(11, ("element %d: DEFAULT\n", element));
340 }
341
342 return ret;
343 }
344
345 const char *pdb_get_username(const struct samu *sampass)
346 {
347 return sampass->username;
348 }
349
350 const char *pdb_get_domain(const struct samu *sampass)
351 {
352 return sampass->domain;
353 }
354
355 const char *pdb_get_nt_username(const struct samu *sampass)
356 {
357 return sampass->nt_username;
358 }
359
360 const char *pdb_get_fullname(const struct samu *sampass)
361 {
362 return sampass->full_name;
363 }
364
365 const char *pdb_get_homedir(const struct samu *sampass)
366 {
367 return sampass->home_dir;
368 }
369
370 const char *pdb_get_dir_drive(const struct samu *sampass)
371 {
372 return sampass->dir_drive;
373 }
374
375 const char *pdb_get_logon_script(const struct samu *sampass)
376 {
377 return sampass->logon_script;
378 }
379
380 const char *pdb_get_profile_path(const struct samu *sampass)
381 {
382 return sampass->profile_path;
383 }
384
385 const char *pdb_get_acct_desc(const struct samu *sampass)
386 {
387 return sampass->acct_desc;
388 }
389
390 const char *pdb_get_workstations(const struct samu *sampass)
391 {
392 return sampass->workstations;
393 }
394
395 const char *pdb_get_comment(const struct samu *sampass)
396 {
397 return sampass->comment;
398 }
399
400 const char *pdb_get_munged_dial(const struct samu *sampass)
401 {
402 return sampass->munged_dial;
403 }
404
405 uint16 pdb_get_bad_password_count(const struct samu *sampass)
406 {
407 return sampass->bad_password_count;
408 }
409
410 uint16 pdb_get_logon_count(const struct samu *sampass)
411 {
412 return sampass->logon_count;
413 }
414
415 uint32 pdb_get_unknown_6(const struct samu *sampass)
416 {
417 return sampass->unknown_6;
418 }
419
420 void *pdb_get_backend_private_data(const struct samu *sampass, const struct pdb_methods *my_methods)
421 {
422 if (my_methods == sampass->backend_private_methods) {
423 return sampass->backend_private_data;
424 } else {
425 return NULL;
426 }
427 }
428
429 /*********************************************************************
430 Collection of set...() functions for struct samu.
431 ********************************************************************/
432
433 bool pdb_set_acct_ctrl(struct samu *sampass, uint32 acct_ctrl, enum pdb_value_state flag)
434 {
435 sampass->acct_ctrl = acct_ctrl;
436 return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
437 }
438
439 bool pdb_set_logon_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
440 {
441 sampass->logon_time = mytime;
442 return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
443 }
444
445 bool pdb_set_logoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
446 {
447 sampass->logoff_time = mytime;
448 return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
449 }
450
451 bool pdb_set_kickoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
452 {
453 sampass->kickoff_time = mytime;
454 return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
455 }
456
457 bool pdb_set_bad_password_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
458 {
459 sampass->bad_password_time = mytime;
460 return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_TIME, flag);
461 }
462
463 bool pdb_set_pass_can_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
464 {
465 sampass->pass_can_change_time = mytime;
466 return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
467 }
468
469 bool pdb_set_pass_must_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
470 {
471 sampass->pass_must_change_time = mytime;
472 return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
473 }
474
475 bool pdb_set_pass_last_set_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
476 {
477 sampass->pass_last_set_time = mytime;
478 return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
479 }
480
481 bool pdb_set_hours_len(struct samu *sampass, uint32 len, enum pdb_value_state flag)
482 {
483 sampass->hours_len = len;
484 return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
485 }
486
487 bool pdb_set_logon_divs(struct samu *sampass, uint16 hours, enum pdb_value_state flag)
488 {
489 sampass->logon_divs = hours;
490 return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
491 }
492
493 /**
494 * Set flags showing what is initalised in the struct samu
495 * @param sampass the struct samu in question
496 * @param flag The *new* flag to be set. Old flags preserved
497 * this flag is only added.
498 **/
499
500 bool pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
501 {
502 if (!sampass->set_flags) {
503 if ((sampass->set_flags =
504 bitmap_talloc(sampass,
505 PDB_COUNT))==NULL) {
506 DEBUG(0,("bitmap_talloc failed\n"));
507 return False;
508 }
509 }
510 if (!sampass->change_flags) {
511 if ((sampass->change_flags =
512 bitmap_talloc(sampass,
513 PDB_COUNT))==NULL) {
514 DEBUG(0,("bitmap_talloc failed\n"));
515 return False;
516 }
517 }
518
519 switch(value_flag) {
520 case PDB_CHANGED:
521 if (!bitmap_set(sampass->change_flags, element)) {
522 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
523 return False;
524 }
525 if (!bitmap_set(sampass->set_flags, element)) {
526 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
527 return False;
528 }
529 DEBUG(11, ("element %d -> now CHANGED\n", element));
530 break;
531 case PDB_SET:
532 if (!bitmap_clear(sampass->change_flags, element)) {
533 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
534 return False;
535 }
536 if (!bitmap_set(sampass->set_flags, element)) {
537 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
538 return False;
539 }
540 DEBUG(11, ("element %d -> now SET\n", element));
541 break;
542 case PDB_DEFAULT:
543 default:
544 if (!bitmap_clear(sampass->change_flags, element)) {
545 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
546 return False;
547 }
548 if (!bitmap_clear(sampass->set_flags, element)) {
549 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
550 return False;
551 }
552 DEBUG(11, ("element %d -> now DEFAULT\n", element));
553 break;
554 }
555
556 return True;
557 }
558
559 bool pdb_set_user_sid(struct samu *sampass, const DOM_SID *u_sid, enum pdb_value_state flag)
560 {
561 if (!u_sid)
562 return False;
563
564 sid_copy(&sampass->user_sid, u_sid);
565
566 DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
567 sid_string_dbg(&sampass->user_sid)));
568
569 return pdb_set_init_flags(sampass, PDB_USERSID, flag);
570 }
571
572 bool pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_value_state flag)
573 {
574 DOM_SID new_sid;
575
576 if (!u_sid)
577 return False;
578
579 DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
580 u_sid));
581
582 if (!string_to_sid(&new_sid, u_sid)) {
583 DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
584 return False;
585 }
586
587 if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
588 DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on struct samu!\n", u_sid));
589 return False;
590 }
591
592 return True;
593 }
594
595 /********************************************************************
596 We never fill this in from a passdb backend but rather set is
597 based on the user's primary group membership. However, the
598 struct samu* is overloaded and reused in domain memship code
599 as well and built from the netr_SamInfo3 or PAC so we
600 have to allow the explicitly setting of a group SID here.
601 ********************************************************************/
602
603 bool pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_value_state flag)
604 {
605 gid_t gid;
606
607 if (!g_sid)
608 return False;
609
610 if ( !(sampass->group_sid = TALLOC_P( sampass, DOM_SID )) ) {
611 return False;
612 }
613
614 /* if we cannot resolve the SID to gid, then just ignore it and
615 store DOMAIN_USERS as the primary groupSID */
616
617 if ( sid_to_gid( g_sid, &gid ) ) {
618 sid_copy(sampass->group_sid, g_sid);
619 } else {
620 sid_copy( sampass->group_sid, get_global_sam_sid() );
621 sid_append_rid( sampass->group_sid, DOMAIN_GROUP_RID_USERS );
622 }
623
624 DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
625 sid_string_dbg(sampass->group_sid)));
626
627 return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
628 }
629
630 /*********************************************************************
631 Set the user's UNIX name.
632 ********************************************************************/
633
634 bool pdb_set_username(struct samu *sampass, const char *username, enum pdb_value_state flag)
635 {
636 if (username) {
637 DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
638 (sampass->username)?(sampass->username):"NULL"));
639
640 sampass->username = talloc_strdup(sampass, username);
641
642 if (!sampass->username) {
643 DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
644 return False;
645 }
646 } else {
647 sampass->username = PDB_NOT_QUITE_NULL;
648 }
649
650 return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
651 }
652
653 /*********************************************************************
654 Set the domain name.
655 ********************************************************************/
656
657 bool pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_state flag)
658 {
659 if (domain) {
660 DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
661 (sampass->domain)?(sampass->domain):"NULL"));
662
663 sampass->domain = talloc_strdup(sampass, domain);
664
665 if (!sampass->domain) {
666 DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
667 return False;
668 }
669 } else {
670 sampass->domain = PDB_NOT_QUITE_NULL;
671 }
672
673 return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
674 }
675
676 /*********************************************************************
677 Set the user's NT name.
678 ********************************************************************/
679
680 bool pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb_value_state flag)
681 {
682 if (nt_username) {
683 DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
684 (sampass->nt_username)?(sampass->nt_username):"NULL"));
685
686 sampass->nt_username = talloc_strdup(sampass, nt_username);
687
688 if (!sampass->nt_username) {
689 DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
690 return False;
691 }
692 } else {
693 sampass->nt_username = PDB_NOT_QUITE_NULL;
694 }
695
696 return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
697 }
698
699 /*********************************************************************
700 Set the user's full name.
701 ********************************************************************/
702
703 bool pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_value_state flag)
704 {
705 if (full_name) {
706 DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
707 (sampass->full_name)?(sampass->full_name):"NULL"));
708
709 sampass->full_name = talloc_strdup(sampass, full_name);
710
711 if (!sampass->full_name) {
712 DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
713 return False;
714 }
715 } else {
716 sampass->full_name = PDB_NOT_QUITE_NULL;
717 }
718
719 return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
720 }
721
722 /*********************************************************************
723 Set the user's logon script.
724 ********************************************************************/
725
726 bool pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum pdb_value_state flag)
727 {
728 if (logon_script) {
729 DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
730 (sampass->logon_script)?(sampass->logon_script):"NULL"));
731
732 sampass->logon_script = talloc_strdup(sampass, logon_script);
733
734 if (!sampass->logon_script) {
735 DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
736 return False;
737 }
738 } else {
739 sampass->logon_script = PDB_NOT_QUITE_NULL;
740 }
741
742 return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
743 }
744
745 /*********************************************************************
746 Set the user's profile path.
747 ********************************************************************/
748
749 bool pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum pdb_value_state flag)
750 {
751 if (profile_path) {
752 DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
753 (sampass->profile_path)?(sampass->profile_path):"NULL"));
754
755 sampass->profile_path = talloc_strdup(sampass, profile_path);
756
757 if (!sampass->profile_path) {
758 DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
759 return False;
760 }
761 } else {
762 sampass->profile_path = PDB_NOT_QUITE_NULL;
763 }
764
765 return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
766 }
767
768 /*********************************************************************
769 Set the user's directory drive.
770 ********************************************************************/
771
772 bool pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_value_state flag)
773 {
774 if (dir_drive) {
775 DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
776 (sampass->dir_drive)?(sampass->dir_drive):"NULL"));
777
778 sampass->dir_drive = talloc_strdup(sampass, dir_drive);
779
780 if (!sampass->dir_drive) {
781 DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
782 return False;
783 }
784
785 } else {
786 sampass->dir_drive = PDB_NOT_QUITE_NULL;
787 }
788
789 return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
790 }
791
792 /*********************************************************************
793 Set the user's home directory.
794 ********************************************************************/
795
796 bool pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_state flag)
797 {
798 if (home_dir) {
799 DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
800 (sampass->home_dir)?(sampass->home_dir):"NULL"));
801
802 sampass->home_dir = talloc_strdup(sampass, home_dir);
803
804 if (!sampass->home_dir) {
805 DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
806 return False;
807 }
808 } else {
809 sampass->home_dir = PDB_NOT_QUITE_NULL;
810 }
811
812 return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
813 }
814
815 /*********************************************************************
816 Set the user's account description.
817 ********************************************************************/
818
819 bool pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_value_state flag)
820 {
821 if (acct_desc) {
822 sampass->acct_desc = talloc_strdup(sampass, acct_desc);
823
824 if (!sampass->acct_desc) {
825 DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
826 return False;
827 }
828 } else {
829 sampass->acct_desc = PDB_NOT_QUITE_NULL;
830 }
831
832 return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
833 }
834
835 /*********************************************************************
836 Set the user's workstation allowed list.
837 ********************************************************************/
838
839 bool pdb_set_workstations(struct samu *sampass, const char *workstations, enum pdb_value_state flag)
840 {
841 if (workstations) {
842 DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
843 (sampass->workstations)?(sampass->workstations):"NULL"));
844
845 sampass->workstations = talloc_strdup(sampass, workstations);
846
847 if (!sampass->workstations) {
848 DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
849 return False;
850 }
851 } else {
852 sampass->workstations = PDB_NOT_QUITE_NULL;
853 }
854
855 return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
856 }
857
858 /*********************************************************************
859 ********************************************************************/
860
861 bool pdb_set_comment(struct samu *sampass, const char *comment, enum pdb_value_state flag)
862 {
863 if (comment) {
864 sampass->comment = talloc_strdup(sampass, comment);
865
866 if (!sampass->comment) {
867 DEBUG(0, ("pdb_set_comment: talloc_strdup() failed!\n"));
868 return False;
869 }
870 } else {
871 sampass->comment = PDB_NOT_QUITE_NULL;
872 }
873
874 return pdb_set_init_flags(sampass, PDB_COMMENT, flag);
875 }
876
877 /*********************************************************************
878 Set the user's dial string.
879 ********************************************************************/
880
881 bool pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb_value_state flag)
882 {
883 if (munged_dial) {
884 sampass->munged_dial = talloc_strdup(sampass, munged_dial);
885
886 if (!sampass->munged_dial) {
887 DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
888 return False;
889 }
890 } else {
891 sampass->munged_dial = PDB_NOT_QUITE_NULL;
892 }
893
894 return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
895 }
896
897 /*********************************************************************
898 Set the user's NT hash.
899 ********************************************************************/
900
901 bool pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
902 {
903 data_blob_clear_free(&sampass->nt_pw);
904
905 if (pwd) {
906 sampass->nt_pw =
907 data_blob_talloc(sampass, pwd, NT_HASH_LEN);
908 } else {
909 sampass->nt_pw = data_blob_null;
910 }
911
912 return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
913 }
914
915 /*********************************************************************
916 Set the user's LM hash.
917 ********************************************************************/
918
919 bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
920 {
921 data_blob_clear_free(&sampass->lm_pw);
922
923 /* on keep the password if we are allowing LANMAN authentication */
924
925 if (pwd && lp_lanman_auth() ) {
926 sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
927 } else {
928 sampass->lm_pw = data_blob_null;
929 }
930
931 return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
932 }
933
934 /*********************************************************************
935 Set the user's password history hash. historyLen is the number of
936 PW_HISTORY_SALT_LEN+SALTED_MD5_HASH_LEN length
937 entries to store in the history - this must match the size of the uint8 array
938 in pwd.
939 ********************************************************************/
940
941 bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag)
942 {
943 if (historyLen && pwd){
944 sampass->nt_pw_his = data_blob_talloc(sampass,
945 pwd, historyLen*PW_HISTORY_ENTRY_LEN);
946 if (!sampass->nt_pw_his.length) {
947 DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
948 return False;
949 }
950 } else {
951 sampass->nt_pw_his = data_blob_talloc(sampass, NULL, 0);
952 }
953
954 return pdb_set_init_flags(sampass, PDB_PWHISTORY, flag);
955 }
956
957 /*********************************************************************
958 Set the user's plaintext password only (base procedure, see helper
959 below)
960 ********************************************************************/
961
962 bool pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum pdb_value_state flag)
963 {
964 if (password) {
965 if (sampass->plaintext_pw!=NULL)
966 memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1);
967
968 sampass->plaintext_pw = talloc_strdup(sampass, password);
969
970 if (!sampass->plaintext_pw) {
971 DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
972 return False;
973 }
974 } else {
975 sampass->plaintext_pw = NULL;
976 }
977
978 return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
979 }
980
981 bool pdb_set_bad_password_count(struct samu *sampass, uint16 bad_password_count, enum pdb_value_state flag)
982 {
983 sampass->bad_password_count = bad_password_count;
984 return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_COUNT, flag);
985 }
986
987 bool pdb_set_logon_count(struct samu *sampass, uint16 logon_count, enum pdb_value_state flag)
988 {
989 sampass->logon_count = logon_count;
990 return pdb_set_init_flags(sampass, PDB_LOGON_COUNT, flag);
991 }
992
993 bool pdb_set_unknown_6(struct samu *sampass, uint32 unkn, enum pdb_value_state flag)
994 {
995 sampass->unknown_6 = unkn;
996 return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
997 }
998
999 bool pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag)
1000 {
1001 if (!hours) {
1002 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
1003 } else {
1004 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
1005 }
1006
1007 return pdb_set_init_flags(sampass, PDB_HOURS, flag);
1008 }
1009
1010 bool pdb_set_backend_private_data(struct samu *sampass, void *private_data,
1011 void (*free_fn)(void **),
1012 const struct pdb_methods *my_methods,
1013 enum pdb_value_state flag)
1014 {
1015 if (sampass->backend_private_data &&
1016 sampass->backend_private_data_free_fn) {
1017 sampass->backend_private_data_free_fn(
1018 &sampass->backend_private_data);
1019 }
1020
1021 sampass->backend_private_data = private_data;
1022 sampass->backend_private_data_free_fn = free_fn;
1023 sampass->backend_private_methods = my_methods;
1024
1025 return pdb_set_init_flags(sampass, PDB_BACKEND_PRIVATE_DATA, flag);
1026 }
1027
1028
1029 /* Helpful interfaces to the above */
1030
1031 bool pdb_set_pass_can_change(struct samu *sampass, bool canchange)
1032 {
1033 return pdb_set_pass_can_change_time(sampass,
1034 canchange ? 0 : pdb_password_change_time_max(),
1035 PDB_CHANGED);
1036 }
1037
1038
1039 /*********************************************************************
1040 Set the user's PLAINTEXT password. Used as an interface to the above.
1041 Also sets the last change time to NOW.
1042 ********************************************************************/
1043
1044 bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
1045 {
1046 uchar new_lanman_p16[LM_HASH_LEN];
1047 uchar new_nt_p16[NT_HASH_LEN];
1048 uchar *pwhistory;
1049 uint32 pwHistLen;
1050 uint32 current_history_len;
1051
1052 if (!plaintext)
1053 return False;
1054
1055 /* Calculate the MD4 hash (NT compatible) of the password */
1056 E_md4hash(plaintext, new_nt_p16);
1057
1058 if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED))
1059 return False;
1060
1061 if (!E_deshash(plaintext, new_lanman_p16)) {
1062 /* E_deshash returns false for 'long' passwords (> 14
1063 DOS chars). This allows us to match Win2k, which
1064 does not store a LM hash for these passwords (which
1065 would reduce the effective password length to 14 */
1066
1067 if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED))
1068 return False;
1069 } else {
1070 if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
1071 return False;
1072 }
1073
1074 if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
1075 return False;
1076
1077 if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
1078 return False;
1079
1080 if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
1081 /*
1082 * No password history for non-user accounts
1083 */
1084 return true;
1085 }
1086
1087 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1088
1089 if (pwHistLen == 0) {
1090 /* Set the history length to zero. */
1091 pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
1092 return true;
1093 }
1094
1095 /*
1096 * We need to make sure we don't have a race condition here -
1097 * the account policy history length can change between when
1098 * the pw_history was first loaded into the struct samu struct
1099 * and now.... JRA.
1100 */
1101 pwhistory = (uchar *)pdb_get_pw_history(sampass, &current_history_len);
1102
1103 if ((current_history_len != 0) && (pwhistory == NULL)) {
1104 DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n"));
1105 return false;
1106 }
1107
1108 if (current_history_len < pwHistLen) {
1109 /*
1110 * Ensure we have space for the needed history. This
1111 * also takes care of an account which did not have
1112 * any history at all so far, i.e. pwhistory==NULL
1113 */
1114 uchar *new_history = talloc_zero_array(
1115 sampass, uchar,
1116 pwHistLen*PW_HISTORY_ENTRY_LEN);
1117
1118 if (!new_history) {
1119 return False;
1120 }
1121
1122 memcpy(new_history, pwhistory,
1123 current_history_len*PW_HISTORY_ENTRY_LEN);
1124
1125 pwhistory = new_history;
1126 }
1127
1128 /*
1129 * Make room for the new password in the history list.
1130 */
1131 if (pwHistLen > 1) {
1132 memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory,
1133 (pwHistLen-1)*PW_HISTORY_ENTRY_LEN );
1134 }
1135
1136 /*
1137 * Fill the salt area with 0-s: this indicates that
1138 * a plain nt hash is stored in the has area.
1139 * The old format was to store a 16 byte salt and
1140 * then an md5hash of the nt_hash concatenated with
1141 * the salt.
1142 */
1143 memset(pwhistory, 0, PW_HISTORY_SALT_LEN);
1144
1145 /*
1146 * Store the plain nt hash in the second 16 bytes.
1147 * The old format was to store the md5 hash of
1148 * the salt+newpw.
1149 */
1150 memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN);
1151
1152 pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
1153
1154 return True;
1155 }
1156
1157 /* check for any PDB_SET/CHANGED field and fill the appropriate mask bit */
1158 uint32 pdb_build_fields_present(struct samu *sampass)
1159 {
1160 /* value set to all for testing */
1161 return 0x00ffffff;
1162 }
Samba GIT mirror