search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
net_rpc_registry: use split_hive_key to normalize hive befor open.
[Samba.git] / source / lib / account_pol.c
blob2540b49314934ff9602c2001992a4c9c97f8987f
1 /*
2 * Unix SMB/CIFS implementation.
3 * account policy storage
4 * Copyright (C) Jean François Micouleau 1998-2001.
5 * Copyright (C) Andrew Bartlett 2002
6 * Copyright (C) Guenther Deschner 2004-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 static TDB_CONTEXT *tdb;
24
25 /* cache all entries for 60 seconds for to save ldap-queries (cache is updated
26 * after this period if admins do not use pdbedit or usermanager but manipulate
27 * ldap directly) - gd */
28
29 #define DATABASE_VERSION 3
30 #define AP_TTL 60
31
32
33 struct ap_table {
34 int field;
35 const char *string;
36 uint32 default_val;
37 const char *description;
38 const char *ldap_attr;
39 };
40
41 static const struct ap_table account_policy_names[] = {
42 {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
43 "Minimal password length (default: 5)",
44 "sambaMinPwdLength" },
45
46 {AP_PASSWORD_HISTORY, "password history", 0,
47 "Length of Password History Entries (default: 0 => off)",
48 "sambaPwdHistoryLength" },
49
50 {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
51 "Force Users to logon for password change (default: 0 => off, 2 => on)",
52 "sambaLogonToChgPwd" },
53
54 {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
55 "Maximum password age, in seconds (default: -1 => never expire passwords)",
56 "sambaMaxPwdAge" },
57
58 {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
59 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
60 "sambaMinPwdAge" },
61
62 {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
63 "Lockout duration in minutes (default: 30, -1 => forever)",
64 "sambaLockoutDuration" },
65
66 {AP_RESET_COUNT_TIME, "reset count minutes", 30,
67 "Reset time after lockout in minutes (default: 30)",
68 "sambaLockoutObservationWindow" },
69
70 {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
71 "Lockout users after bad logon attempts (default: 0 => off)",
72 "sambaLockoutThreshold" },
73
74 {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
75 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
76 "sambaForceLogoff" },
77
78 {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
79 "Allow Machine Password changes (default: 0 => off)",
80 "sambaRefuseMachinePwdChange" },
81
82 {0, NULL, 0, "", NULL}
83 };
84
85 void account_policy_names_list(const char ***names, int *num_names)
86 {
87 const char **nl;
88 int i, count;
89
90 for (count=0; account_policy_names[count].string; count++) {
91 }
92 nl = SMB_MALLOC_ARRAY(const char *, count);
93 if (!nl) {
94 *num_names = 0;
95 return;
96 }
97 for (i=0; account_policy_names[i].string; i++) {
98 nl[i] = account_policy_names[i].string;
99 }
100 *num_names = count;
101 *names = nl;
102 return;
103 }
104
105 /****************************************************************************
106 Get the account policy name as a string from its #define'ed number
107 ****************************************************************************/
108
109 const char *decode_account_policy_name(int field)
110 {
111 int i;
112 for (i=0; account_policy_names[i].string; i++) {
113 if (field == account_policy_names[i].field) {
114 return account_policy_names[i].string;
115 }
116 }
117 return NULL;
118 }
119
120 /****************************************************************************
121 Get the account policy LDAP attribute as a string from its #define'ed number
122 ****************************************************************************/
123
124 const char *get_account_policy_attr(int field)
125 {
126 int i;
127 for (i=0; account_policy_names[i].field; i++) {
128 if (field == account_policy_names[i].field) {
129 return account_policy_names[i].ldap_attr;
130 }
131 }
132 return NULL;
133 }
134
135 /****************************************************************************
136 Get the account policy description as a string from its #define'ed number
137 ****************************************************************************/
138
139 const char *account_policy_get_desc(int field)
140 {
141 int i;
142 for (i=0; account_policy_names[i].string; i++) {
143 if (field == account_policy_names[i].field) {
144 return account_policy_names[i].description;
145 }
146 }
147 return NULL;
148 }
149
150 /****************************************************************************
151 Get the account policy name as a string from its #define'ed number
152 ****************************************************************************/
153
154 int account_policy_name_to_fieldnum(const char *name)
155 {
156 int i;
157 for (i=0; account_policy_names[i].string; i++) {
158 if (strcmp(name, account_policy_names[i].string) == 0) {
159 return account_policy_names[i].field;
160 }
161 }
162 return 0;
163 }
164
165 /*****************************************************************************
166 Get default value for account policy
167 *****************************************************************************/
168
169 bool account_policy_get_default(int account_policy, uint32 *val)
170 {
171 int i;
172 for (i=0; account_policy_names[i].field; i++) {
173 if (account_policy_names[i].field == account_policy) {
174 *val = account_policy_names[i].default_val;
175 return True;
176 }
177 }
178 DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
179 account_policy));
180 return False;
181 }
182
183 /*****************************************************************************
184 Set default for a field if it is empty
185 *****************************************************************************/
186
187 static bool account_policy_set_default_on_empty(int account_policy)
188 {
189
190 uint32 value;
191
192 if (!account_policy_get(account_policy, &value) &&
193 !account_policy_get_default(account_policy, &value)) {
194 return False;
195 }
196
197 return account_policy_set(account_policy, value);
198 }
199
200 /*****************************************************************************
201 Open the account policy tdb.
202 ***`*************************************************************************/
203
204 bool init_account_policy(void)
205 {
206
207 const char *vstring = "INFO/version";
208 uint32 version;
209 int i;
210
211 if (tdb) {
212 return True;
213 }
214
215 tdb = tdb_open_log(state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600);
216 if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */
217 tdb = tdb_open_log(state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
218 if (!tdb) {
219 DEBUG(0,("Failed to open account policy database\n"));
220 return False;
221 }
222 }
223
224 /* handle a Samba upgrade */
225 tdb_lock_bystring(tdb, vstring);
226 if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
227
228 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
229
230 for (i=0; account_policy_names[i].field; i++) {
231
232 if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
233 DEBUG(0,("failed to set default value in account policy tdb\n"));
234 return False;
235 }
236 }
237 }
238
239 tdb_unlock_bystring(tdb, vstring);
240
241 /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
242
243 privilege_create_account( &global_sid_World );
244 privilege_create_account( &global_sid_Builtin_Account_Operators );
245 privilege_create_account( &global_sid_Builtin_Server_Operators );
246 privilege_create_account( &global_sid_Builtin_Print_Operators );
247 privilege_create_account( &global_sid_Builtin_Backup_Operators );
248
249 /* BUILTIN\Administrators get everything -- *always* */
250
251 if ( lp_enable_privileges() ) {
252 if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
253 DEBUG(1,("init_account_policy: Failed to grant privileges "
254 "to BUILTIN\\Administrators!\n"));
255 }
256 }
257
258 return True;
259 }
260
261 /*****************************************************************************
262 Get an account policy (from tdb)
263 *****************************************************************************/
264
265 bool account_policy_get(int field, uint32 *value)
266 {
267 const char *name;
268 uint32 regval;
269
270 if (!init_account_policy()) {
271 return False;
272 }
273
274 if (value) {
275 *value = 0;
276 }
277
278 name = decode_account_policy_name(field);
279 if (name == NULL) {
280 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
281 return False;
282 }
283
284 if (!tdb_fetch_uint32(tdb, name, &regval)) {
285 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
286 return False;
287 }
288
289 if (value) {
290 *value = regval;
291 }
292
293 DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
294 return True;
295 }
296
297
298 /****************************************************************************
299 Set an account policy (in tdb)
300 ****************************************************************************/
301
302 bool account_policy_set(int field, uint32 value)
303 {
304 const char *name;
305
306 if (!init_account_policy()) {
307 return False;
308 }
309
310 name = decode_account_policy_name(field);
311 if (name == NULL) {
312 DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
313 return False;
314 }
315
316 if (!tdb_store_uint32(tdb, name, value)) {
317 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
318 return False;
319 }
320
321 DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
322
323 return True;
324 }
325
326 /****************************************************************************
327 Set an account policy in the cache
328 ****************************************************************************/
329
330 bool cache_account_policy_set(int field, uint32 value)
331 {
332 const char *policy_name = NULL;
333 char *cache_key = NULL;
334 char *cache_value = NULL;
335 bool ret = False;
336
337 policy_name = decode_account_policy_name(field);
338 if (policy_name == NULL) {
339 DEBUG(0,("cache_account_policy_set: no policy found\n"));
340 return False;
341 }
342
343 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
344 DEBUG(0, ("asprintf failed\n"));
345 goto done;
346 }
347
348 if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
349 DEBUG(0, ("asprintf failed\n"));
350 goto done;
351 }
352
353 DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
354
355 ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
356
357 done:
358 SAFE_FREE(cache_key);
359 SAFE_FREE(cache_value);
360 return ret;
361 }
362
363 /*****************************************************************************
364 Get an account policy from the cache
365 *****************************************************************************/
366
367 bool cache_account_policy_get(int field, uint32 *value)
368 {
369 const char *policy_name = NULL;
370 char *cache_key = NULL;
371 char *cache_value = NULL;
372 bool ret = False;
373
374 policy_name = decode_account_policy_name(field);
375 if (policy_name == NULL) {
376 DEBUG(0,("cache_account_policy_set: no policy found\n"));
377 return False;
378 }
379
380 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
381 DEBUG(0, ("asprintf failed\n"));
382 goto done;
383 }
384
385 if (gencache_get(cache_key, &cache_value, NULL)) {
386 uint32 tmp = strtoul(cache_value, NULL, 10);
387 *value = tmp;
388 ret = True;
389 }
390
391 done:
392 SAFE_FREE(cache_key);
393 SAFE_FREE(cache_value);
394 return ret;
395 }
396
397 /****************************************************************************
398 ****************************************************************************/
399
400 TDB_CONTEXT *get_account_pol_tdb( void )
401 {
402
403 if ( !tdb ) {
404 if ( !init_account_policy() ) {
405 return NULL;
406 }
407 }
408
409 return tdb;
410 }
411
Samba GIT mirror