search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r23779: Change from v2 or later to v3 or later.
[Samba.git] / source / lib / account_pol.c
blobb0eb57f7600ec17596c9e911ecabd252273741ed
1 /*
2 * Unix SMB/CIFS implementation.
3 * account policy storage
4 * Copyright (C) Jean François Micouleau 1998-2001.
5 * Copyright (C) Andrew Bartlett 2002
6 * Copyright (C) Guenther Deschner 2004-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 static TDB_CONTEXT *tdb;
25
26 /* cache all entries for 60 seconds for to save ldap-queries (cache is updated
27 * after this period if admins do not use pdbedit or usermanager but manipulate
28 * ldap directly) - gd */
29
30 #define DATABASE_VERSION 3
31 #define AP_TTL 60
32
33
34 struct ap_table {
35 int field;
36 const char *string;
37 uint32 default_val;
38 const char *description;
39 const char *ldap_attr;
40 };
41
42 static const struct ap_table account_policy_names[] = {
43 {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
44 "Minimal password length (default: 5)",
45 "sambaMinPwdLength" },
46
47 {AP_PASSWORD_HISTORY, "password history", 0,
48 "Length of Password History Entries (default: 0 => off)",
49 "sambaPwdHistoryLength" },
50
51 {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
52 "Force Users to logon for password change (default: 0 => off, 2 => on)",
53 "sambaLogonToChgPwd" },
54
55 {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
56 "Maximum password age, in seconds (default: -1 => never expire passwords)",
57 "sambaMaxPwdAge" },
58
59 {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
60 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
61 "sambaMinPwdAge" },
62
63 {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
64 "Lockout duration in minutes (default: 30, -1 => forever)",
65 "sambaLockoutDuration" },
66
67 {AP_RESET_COUNT_TIME, "reset count minutes", 30,
68 "Reset time after lockout in minutes (default: 30)",
69 "sambaLockoutObservationWindow" },
70
71 {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
72 "Lockout users after bad logon attempts (default: 0 => off)",
73 "sambaLockoutThreshold" },
74
75 {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
76 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
77 "sambaForceLogoff" },
78
79 {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
80 "Allow Machine Password changes (default: 0 => off)",
81 "sambaRefuseMachinePwdChange" },
82
83 {0, NULL, 0, "", NULL}
84 };
85
86 void account_policy_names_list(const char ***names, int *num_names)
87 {
88 const char **nl;
89 int i, count;
90
91 for (count=0; account_policy_names[count].string; count++) {
92 }
93 nl = SMB_MALLOC_ARRAY(const char *, count);
94 if (!nl) {
95 *num_names = 0;
96 return;
97 }
98 for (i=0; account_policy_names[i].string; i++) {
99 nl[i] = account_policy_names[i].string;
100 }
101 *num_names = count;
102 *names = nl;
103 return;
104 }
105
106 /****************************************************************************
107 Get the account policy name as a string from its #define'ed number
108 ****************************************************************************/
109
110 const char *decode_account_policy_name(int field)
111 {
112 int i;
113 for (i=0; account_policy_names[i].string; i++) {
114 if (field == account_policy_names[i].field) {
115 return account_policy_names[i].string;
116 }
117 }
118 return NULL;
119 }
120
121 /****************************************************************************
122 Get the account policy LDAP attribute as a string from its #define'ed number
123 ****************************************************************************/
124
125 const char *get_account_policy_attr(int field)
126 {
127 int i;
128 for (i=0; account_policy_names[i].field; i++) {
129 if (field == account_policy_names[i].field) {
130 return account_policy_names[i].ldap_attr;
131 }
132 }
133 return NULL;
134 }
135
136 /****************************************************************************
137 Get the account policy description as a string from its #define'ed number
138 ****************************************************************************/
139
140 const char *account_policy_get_desc(int field)
141 {
142 int i;
143 for (i=0; account_policy_names[i].string; i++) {
144 if (field == account_policy_names[i].field) {
145 return account_policy_names[i].description;
146 }
147 }
148 return NULL;
149 }
150
151 /****************************************************************************
152 Get the account policy name as a string from its #define'ed number
153 ****************************************************************************/
154
155 int account_policy_name_to_fieldnum(const char *name)
156 {
157 int i;
158 for (i=0; account_policy_names[i].string; i++) {
159 if (strcmp(name, account_policy_names[i].string) == 0) {
160 return account_policy_names[i].field;
161 }
162 }
163 return 0;
164 }
165
166 /*****************************************************************************
167 Get default value for account policy
168 *****************************************************************************/
169
170 BOOL account_policy_get_default(int account_policy, uint32 *val)
171 {
172 int i;
173 for (i=0; account_policy_names[i].field; i++) {
174 if (account_policy_names[i].field == account_policy) {
175 *val = account_policy_names[i].default_val;
176 return True;
177 }
178 }
179 DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
180 account_policy));
181 return False;
182 }
183
184 /*****************************************************************************
185 Set default for a field if it is empty
186 *****************************************************************************/
187
188 static BOOL account_policy_set_default_on_empty(int account_policy)
189 {
190
191 uint32 value;
192
193 if (!account_policy_get(account_policy, &value) &&
194 !account_policy_get_default(account_policy, &value)) {
195 return False;
196 }
197
198 return account_policy_set(account_policy, value);
199 }
200
201 /*****************************************************************************
202 Open the account policy tdb.
203 ***`*************************************************************************/
204
205 BOOL init_account_policy(void)
206 {
207
208 const char *vstring = "INFO/version";
209 uint32 version;
210 int i;
211
212 if (tdb) {
213 return True;
214 }
215
216 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600);
217 if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */
218 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
219 if (!tdb) {
220 DEBUG(0,("Failed to open account policy database\n"));
221 return False;
222 }
223 }
224
225 /* handle a Samba upgrade */
226 tdb_lock_bystring(tdb, vstring);
227 if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
228
229 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
230
231 for (i=0; account_policy_names[i].field; i++) {
232
233 if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
234 DEBUG(0,("failed to set default value in account policy tdb\n"));
235 return False;
236 }
237 }
238 }
239
240 tdb_unlock_bystring(tdb, vstring);
241
242 /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
243
244 privilege_create_account( &global_sid_World );
245 privilege_create_account( &global_sid_Builtin_Account_Operators );
246 privilege_create_account( &global_sid_Builtin_Server_Operators );
247 privilege_create_account( &global_sid_Builtin_Print_Operators );
248 privilege_create_account( &global_sid_Builtin_Backup_Operators );
249
250 /* BUILTIN\Administrators get everything -- *always* */
251
252 if ( lp_enable_privileges() ) {
253 if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
254 DEBUG(1,("init_account_policy: Failed to grant privileges "
255 "to BUILTIN\\Administrators!\n"));
256 }
257 }
258
259 return True;
260 }
261
262 /*****************************************************************************
263 Get an account policy (from tdb)
264 *****************************************************************************/
265
266 BOOL account_policy_get(int field, uint32 *value)
267 {
268 const char *name;
269 uint32 regval;
270
271 if (!init_account_policy()) {
272 return False;
273 }
274
275 if (value) {
276 *value = 0;
277 }
278
279 name = decode_account_policy_name(field);
280 if (name == NULL) {
281 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
282 return False;
283 }
284
285 if (!tdb_fetch_uint32(tdb, name, &regval)) {
286 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
287 return False;
288 }
289
290 if (value) {
291 *value = regval;
292 }
293
294 DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
295 return True;
296 }
297
298
299 /****************************************************************************
300 Set an account policy (in tdb)
301 ****************************************************************************/
302
303 BOOL account_policy_set(int field, uint32 value)
304 {
305 const char *name;
306
307 if (!init_account_policy()) {
308 return False;
309 }
310
311 name = decode_account_policy_name(field);
312 if (name == NULL) {
313 DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
314 return False;
315 }
316
317 if (!tdb_store_uint32(tdb, name, value)) {
318 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
319 return False;
320 }
321
322 DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
323
324 return True;
325 }
326
327 /****************************************************************************
328 Set an account policy in the cache
329 ****************************************************************************/
330
331 BOOL cache_account_policy_set(int field, uint32 value)
332 {
333 const char *policy_name = NULL;
334 char *cache_key = NULL;
335 char *cache_value = NULL;
336 BOOL ret = False;
337
338 policy_name = decode_account_policy_name(field);
339 if (policy_name == NULL) {
340 DEBUG(0,("cache_account_policy_set: no policy found\n"));
341 return False;
342 }
343
344 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
345 DEBUG(0, ("asprintf failed\n"));
346 goto done;
347 }
348
349 if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
350 DEBUG(0, ("asprintf failed\n"));
351 goto done;
352 }
353
354 DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
355
356 ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
357
358 done:
359 SAFE_FREE(cache_key);
360 SAFE_FREE(cache_value);
361 return ret;
362 }
363
364 /*****************************************************************************
365 Get an account policy from the cache
366 *****************************************************************************/
367
368 BOOL cache_account_policy_get(int field, uint32 *value)
369 {
370 const char *policy_name = NULL;
371 char *cache_key = NULL;
372 char *cache_value = NULL;
373 BOOL ret = False;
374
375 policy_name = decode_account_policy_name(field);
376 if (policy_name == NULL) {
377 DEBUG(0,("cache_account_policy_set: no policy found\n"));
378 return False;
379 }
380
381 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
382 DEBUG(0, ("asprintf failed\n"));
383 goto done;
384 }
385
386 if (gencache_get(cache_key, &cache_value, NULL)) {
387 uint32 tmp = strtoul(cache_value, NULL, 10);
388 *value = tmp;
389 ret = True;
390 }
391
392 done:
393 SAFE_FREE(cache_key);
394 SAFE_FREE(cache_value);
395 return ret;
396 }
397
398 /****************************************************************************
399 ****************************************************************************/
400
401 TDB_CONTEXT *get_account_pol_tdb( void )
402 {
403
404 if ( !tdb ) {
405 if ( !init_account_policy() ) {
406 return NULL;
407 }
408 }
409
410 return tdb;
411 }
412
Samba GIT mirror