2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2001
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_PASSDB
30 /******************************************************************
31 get the default domain/netbios name to be used when
32 testing authentication. For example, if you connect
33 to a Windows member server using a bogus domain name, the
34 Windows box will map the BOGUS\user to DOMAIN\user. A
35 standalone box will map to WKS\user.
36 ******************************************************************/
38 const char *get_default_sam_name(void)
40 /* standalone servers can only use the local netbios name */
41 if ( lp_server_role() == ROLE_STANDALONE
)
42 return global_myname();
44 /* Windows domain members default to the DOMAIN
45 name when not specified */
46 return lp_workgroup();
49 /************************************************************
50 Fill the SAM_ACCOUNT with default values.
51 ***********************************************************/
53 void pdb_fill_default_sam(SAM_ACCOUNT
*user
)
55 ZERO_STRUCT(user
->private); /* Don't touch the talloc context */
57 /* no initial methods */
60 /* Don't change these timestamp settings without a good reason.
61 They are important for NT member server compatibility. */
63 user
->private.logon_time
= (time_t)0;
64 user
->private.pass_last_set_time
= (time_t)0;
65 user
->private.pass_can_change_time
= (time_t)0;
66 user
->private.logoff_time
=
67 user
->private.kickoff_time
=
68 user
->private.pass_must_change_time
= get_time_t_max();
69 user
->private.fields_present
= 0x00ffffff;
70 user
->private.logon_divs
= 168; /* hours per week */
71 user
->private.hours_len
= 21; /* 21 times 8 bits = 168 */
72 memset(user
->private.hours
, 0xff, user
->private.hours_len
); /* available at all hours */
73 user
->private.bad_password_count
= 0;
74 user
->private.logon_count
= 0;
75 user
->private.unknown_6
= 0x000004ec; /* don't know */
77 /* Some parts of samba strlen their pdb_get...() returns,
78 so this keeps the interface unchanged for now. */
80 user
->private.username
= "";
81 user
->private.domain
= "";
82 user
->private.nt_username
= "";
83 user
->private.full_name
= "";
84 user
->private.home_dir
= "";
85 user
->private.logon_script
= "";
86 user
->private.profile_path
= "";
87 user
->private.acct_desc
= "";
88 user
->private.workstations
= "";
89 user
->private.unknown_str
= "";
90 user
->private.munged_dial
= "";
92 user
->private.plaintext_pw
= NULL
;
95 Unless we know otherwise have a Account Control Bit
96 value of 'normal user'. This helps User Manager, which
97 asks for a filtered list of users.
100 user
->private.acct_ctrl
= ACB_NORMAL
;
103 static void destroy_pdb_talloc(SAM_ACCOUNT
**user
)
106 data_blob_clear_free(&((*user
)->private.lm_pw
));
107 data_blob_clear_free(&((*user
)->private.nt_pw
));
109 if((*user
)->private.plaintext_pw
!=NULL
)
110 memset((*user
)->private.plaintext_pw
,'\0',strlen((*user
)->private.plaintext_pw
));
111 talloc_destroy((*user
)->mem_ctx
);
117 /**********************************************************************
118 Allocates memory and initialises a struct sam_passwd on supplied mem_ctx.
119 ***********************************************************************/
121 NTSTATUS
pdb_init_sam_talloc(TALLOC_CTX
*mem_ctx
, SAM_ACCOUNT
**user
)
124 DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
126 smb_panic("non-NULL pointer passed to pdb_init_sam\n");
128 return NT_STATUS_UNSUCCESSFUL
;
132 DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
133 return NT_STATUS_UNSUCCESSFUL
;
136 *user
=(SAM_ACCOUNT
*)talloc(mem_ctx
, sizeof(SAM_ACCOUNT
));
139 DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
140 return NT_STATUS_NO_MEMORY
;
143 (*user
)->mem_ctx
= mem_ctx
;
145 (*user
)->free_fn
= NULL
;
147 pdb_fill_default_sam(*user
);
153 /*************************************************************
154 Allocates memory and initialises a struct sam_passwd.
155 ************************************************************/
157 NTSTATUS
pdb_init_sam(SAM_ACCOUNT
**user
)
162 mem_ctx
= talloc_init("passdb internal SAM_ACCOUNT allocation");
165 DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
166 return NT_STATUS_NO_MEMORY
;
169 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_talloc(mem_ctx
, user
))) {
170 talloc_destroy(mem_ctx
);
174 (*user
)->free_fn
= destroy_pdb_talloc
;
179 /**************************************************************************
180 * This function will take care of all the steps needed to correctly
181 * allocate and set the user SID, please do use this function to create new
182 * users, messing with SIDs is not good.
184 * account_data must be provided initialized, pwd may be null.
186 ***************************************************************************/
188 static NTSTATUS
pdb_set_sam_sids(SAM_ACCOUNT
*account_data
, const struct passwd
*pwd
)
190 const char *guest_account
= lp_guestaccount();
194 if (!account_data
|| !pwd
) {
195 return NT_STATUS_INVALID_PARAMETER
;
198 /* this is a hack this thing should not be set
200 if (!(guest_account
&& *guest_account
)) {
201 DEBUG(1, ("NULL guest account!?!?\n"));
202 return NT_STATUS_UNSUCCESSFUL
;
204 /* Ensure this *must* be set right */
205 if (strcmp(pwd
->pw_name
, guest_account
) == 0) {
206 if (!pdb_set_user_sid_from_rid(account_data
, DOMAIN_USER_RID_GUEST
, PDB_DEFAULT
)) {
207 return NT_STATUS_UNSUCCESSFUL
;
209 if (!pdb_set_group_sid_from_rid(account_data
, DOMAIN_GROUP_RID_GUESTS
, PDB_DEFAULT
)) {
210 return NT_STATUS_UNSUCCESSFUL
;
216 if (!pdb_set_user_sid_from_rid(account_data
, algorithmic_pdb_uid_to_user_rid(pwd
->pw_uid
), PDB_SET
)) {
217 DEBUG(0,("Can't set User SID from RID!\n"));
218 return NT_STATUS_INVALID_PARAMETER
;
221 /* call the mapping code here */
223 ret
= pdb_getgrgid(&map
, pwd
->pw_gid
);
227 if (!pdb_set_group_sid(account_data
, &map
.sid
, PDB_SET
)){
228 DEBUG(0,("Can't set Group SID!\n"));
229 return NT_STATUS_INVALID_PARAMETER
;
233 if (!pdb_set_group_sid_from_rid(account_data
, pdb_gid_to_group_rid(pwd
->pw_gid
), PDB_SET
)) {
234 DEBUG(0,("Can't set Group SID\n"));
235 return NT_STATUS_INVALID_PARAMETER
;
242 /*************************************************************
243 Initialises a struct sam_passwd with sane values.
244 ************************************************************/
246 NTSTATUS
pdb_fill_sam_pw(SAM_ACCOUNT
*sam_account
, const struct passwd
*pwd
)
251 return NT_STATUS_UNSUCCESSFUL
;
254 pdb_fill_default_sam(sam_account
);
256 pdb_set_username(sam_account
, pwd
->pw_name
, PDB_SET
);
257 pdb_set_fullname(sam_account
, pwd
->pw_gecos
, PDB_SET
);
259 pdb_set_unix_homedir(sam_account
, pwd
->pw_dir
, PDB_SET
);
261 pdb_set_domain (sam_account
, get_global_sam_name(), PDB_DEFAULT
);
263 /* When we get a proper uid -> SID and SID -> uid allocation
264 mechinism, we should call it here.
266 We can't just set this to 0 or allow it only to be filled
267 in when added to the backend, because the user's SID
268 may already be in security descriptors etc.
270 -- abartlet 11-May-02
273 ret
= pdb_set_sam_sids(sam_account
, pwd
);
274 if (!NT_STATUS_IS_OK(ret
)) return ret
;
276 /* check if this is a user account or a machine account */
277 if (pwd
->pw_name
[strlen(pwd
->pw_name
)-1] != '$')
279 pdb_set_profile_path(sam_account
,
280 talloc_sub_specified((sam_account
)->mem_ctx
,
282 pwd
->pw_name
, global_myname(),
283 pwd
->pw_uid
, pwd
->pw_gid
),
286 pdb_set_homedir(sam_account
,
287 talloc_sub_specified((sam_account
)->mem_ctx
,
289 pwd
->pw_name
, global_myname(),
290 pwd
->pw_uid
, pwd
->pw_gid
),
293 pdb_set_dir_drive(sam_account
,
294 talloc_sub_specified((sam_account
)->mem_ctx
,
296 pwd
->pw_name
, global_myname(),
297 pwd
->pw_uid
, pwd
->pw_gid
),
300 pdb_set_logon_script(sam_account
,
301 talloc_sub_specified((sam_account
)->mem_ctx
,
303 pwd
->pw_name
, global_myname(),
304 pwd
->pw_uid
, pwd
->pw_gid
),
306 if (!pdb_set_acct_ctrl(sam_account
, ACB_NORMAL
, PDB_DEFAULT
)) {
307 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd
->pw_name
));
308 return NT_STATUS_UNSUCCESSFUL
;
311 if (!pdb_set_acct_ctrl(sam_account
, ACB_WSTRUST
, PDB_DEFAULT
)) {
312 DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd
->pw_name
));
313 return NT_STATUS_UNSUCCESSFUL
;
320 /*************************************************************
321 Initialises a struct sam_passwd with sane values.
322 ************************************************************/
324 NTSTATUS
pdb_init_sam_pw(SAM_ACCOUNT
**new_sam_acct
, const struct passwd
*pwd
)
330 return NT_STATUS_INVALID_PARAMETER
;
333 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam(new_sam_acct
))) {
338 if (!NT_STATUS_IS_OK(nt_status
= pdb_fill_sam_pw(*new_sam_acct
, pwd
))) {
339 pdb_free_sam(new_sam_acct
);
348 /*************************************************************
349 Initialises a SAM_ACCOUNT ready to add a new account, based
350 on the UNIX user. Pass in a RID if you have one
351 ************************************************************/
353 NTSTATUS
pdb_init_sam_new(SAM_ACCOUNT
**new_sam_acct
, const char *username
,
356 NTSTATUS nt_status
= NT_STATUS_NO_MEMORY
;
360 pwd
= Get_Pwnam(username
);
363 return NT_STATUS_NO_SUCH_USER
;
365 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_pw(new_sam_acct
, pwd
))) {
366 *new_sam_acct
= NULL
;
370 /* see if we need to generate a new rid using the 2.2 algorithm */
371 if ( rid
== 0 && lp_enable_rid_algorithm() ) {
372 DEBUG(10,("pdb_init_sam_new: no RID specified. Generating one via old algorithm\n"));
373 rid
= algorithmic_pdb_uid_to_user_rid(pwd
->pw_uid
);
376 /* set the new SID */
378 ret
= pdb_set_user_sid_from_rid( *new_sam_acct
, rid
, PDB_SET
);
380 return (ret
? NT_STATUS_OK
: NT_STATUS_NO_SUCH_USER
);
385 * Free the contets of the SAM_ACCOUNT, but not the structure.
387 * Also wipes the LM and NT hashes and plaintext password from
390 * @param user SAM_ACCOUNT to free members of.
393 static void pdb_free_sam_contents(SAM_ACCOUNT
*user
)
396 /* Kill off sensitive data. Free()ed by the
399 data_blob_clear_free(&(user
->private.lm_pw
));
400 data_blob_clear_free(&(user
->private.nt_pw
));
401 if (user
->private.plaintext_pw
!=NULL
)
402 memset(user
->private.plaintext_pw
,'\0',strlen(user
->private.plaintext_pw
));
404 if (user
->private.backend_private_data
&& user
->private.backend_private_data_free_fn
) {
405 user
->private.backend_private_data_free_fn(&user
->private.backend_private_data
);
410 /************************************************************
411 Reset the SAM_ACCOUNT and free the NT/LM hashes.
412 ***********************************************************/
414 NTSTATUS
pdb_reset_sam(SAM_ACCOUNT
*user
)
417 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
419 smb_panic("NULL pointer passed to pdb_free_sam\n");
421 return NT_STATUS_UNSUCCESSFUL
;
424 pdb_free_sam_contents(user
);
426 pdb_fill_default_sam(user
);
432 /************************************************************
433 Free the SAM_ACCOUNT and the member pointers.
434 ***********************************************************/
436 NTSTATUS
pdb_free_sam(SAM_ACCOUNT
**user
)
439 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
441 smb_panic("NULL pointer passed to pdb_free_sam\n");
443 return NT_STATUS_UNSUCCESSFUL
;
446 pdb_free_sam_contents(*user
);
448 if ((*user
)->free_fn
) {
449 (*user
)->free_fn(user
);
455 /**********************************************************
456 Encode the account control bits into a string.
457 length = length of string to encode into (including terminating
458 null). length *MUST BE MORE THAN 2* !
459 **********************************************************/
461 char *pdb_encode_acct_ctrl(uint16 acct_ctrl
, size_t length
)
463 static fstring acct_str
;
467 SMB_ASSERT(length
<= sizeof(acct_str
));
471 if (acct_ctrl
& ACB_PWNOTREQ
) acct_str
[i
++] = 'N';
472 if (acct_ctrl
& ACB_DISABLED
) acct_str
[i
++] = 'D';
473 if (acct_ctrl
& ACB_HOMDIRREQ
) acct_str
[i
++] = 'H';
474 if (acct_ctrl
& ACB_TEMPDUP
) acct_str
[i
++] = 'T';
475 if (acct_ctrl
& ACB_NORMAL
) acct_str
[i
++] = 'U';
476 if (acct_ctrl
& ACB_MNS
) acct_str
[i
++] = 'M';
477 if (acct_ctrl
& ACB_WSTRUST
) acct_str
[i
++] = 'W';
478 if (acct_ctrl
& ACB_SVRTRUST
) acct_str
[i
++] = 'S';
479 if (acct_ctrl
& ACB_AUTOLOCK
) acct_str
[i
++] = 'L';
480 if (acct_ctrl
& ACB_PWNOEXP
) acct_str
[i
++] = 'X';
481 if (acct_ctrl
& ACB_DOMTRUST
) acct_str
[i
++] = 'I';
483 for ( ; i
< length
- 2 ; i
++ )
488 acct_str
[i
++] = '\0';
493 /**********************************************************
494 Decode the account control bits from a string.
495 **********************************************************/
497 uint16
pdb_decode_acct_ctrl(const char *p
)
499 uint16 acct_ctrl
= 0;
500 BOOL finished
= False
;
503 * Check if the account type bits have been encoded after the
504 * NT password (in the form [NDHTUWSLXI]).
510 for (p
++; *p
&& !finished
; p
++) {
512 case 'N': { acct_ctrl
|= ACB_PWNOTREQ
; break; /* 'N'o password. */ }
513 case 'D': { acct_ctrl
|= ACB_DISABLED
; break; /* 'D'isabled. */ }
514 case 'H': { acct_ctrl
|= ACB_HOMDIRREQ
; break; /* 'H'omedir required. */ }
515 case 'T': { acct_ctrl
|= ACB_TEMPDUP
; break; /* 'T'emp account. */ }
516 case 'U': { acct_ctrl
|= ACB_NORMAL
; break; /* 'U'ser account (normal). */ }
517 case 'M': { acct_ctrl
|= ACB_MNS
; break; /* 'M'NS logon user account. What is this ? */ }
518 case 'W': { acct_ctrl
|= ACB_WSTRUST
; break; /* 'W'orkstation account. */ }
519 case 'S': { acct_ctrl
|= ACB_SVRTRUST
; break; /* 'S'erver account. */ }
520 case 'L': { acct_ctrl
|= ACB_AUTOLOCK
; break; /* 'L'ocked account. */ }
521 case 'X': { acct_ctrl
|= ACB_PWNOEXP
; break; /* No 'X'piry on password */ }
522 case 'I': { acct_ctrl
|= ACB_DOMTRUST
; break; /* 'I'nterdomain trust account. */ }
528 default: { finished
= True
; }
535 /*************************************************************
536 Routine to set 32 hex password characters from a 16 byte array.
537 **************************************************************/
539 void pdb_sethexpwd(char *p
, const unsigned char *pwd
, uint16 acct_ctrl
)
543 for (i
= 0; i
< 16; i
++)
544 slprintf(&p
[i
*2], 3, "%02X", pwd
[i
]);
546 if (acct_ctrl
& ACB_PWNOTREQ
)
547 safe_strcpy(p
, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
549 safe_strcpy(p
, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
553 /*************************************************************
554 Routine to get the 32 hex characters and turn them
555 into a 16 byte array.
556 **************************************************************/
558 BOOL
pdb_gethexpwd(const char *p
, unsigned char *pwd
)
561 unsigned char lonybble
, hinybble
;
562 const char *hexchars
= "0123456789ABCDEF";
568 for (i
= 0; i
< 32; i
+= 2) {
569 hinybble
= toupper(p
[i
]);
570 lonybble
= toupper(p
[i
+ 1]);
572 p1
= strchr(hexchars
, hinybble
);
573 p2
= strchr(hexchars
, lonybble
);
578 hinybble
= PTR_DIFF(p1
, hexchars
);
579 lonybble
= PTR_DIFF(p2
, hexchars
);
581 pwd
[i
/ 2] = (hinybble
<< 4) | lonybble
;
586 /*************************************************************
587 Routine to set 42 hex hours characters from a 21 byte array.
588 **************************************************************/
590 void pdb_sethexhours(char *p
, const unsigned char *hours
)
594 for (i
= 0; i
< 21; i
++) {
595 slprintf(&p
[i
*2], 3, "%02X", hours
[i
]);
598 safe_strcpy(p
, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
602 /*************************************************************
603 Routine to get the 42 hex characters and turn them
604 into a 21 byte array.
605 **************************************************************/
607 BOOL
pdb_gethexhours(const char *p
, unsigned char *hours
)
610 unsigned char lonybble
, hinybble
;
611 const char *hexchars
= "0123456789ABCDEF";
618 for (i
= 0; i
< 42; i
+= 2) {
619 hinybble
= toupper(p
[i
]);
620 lonybble
= toupper(p
[i
+ 1]);
622 p1
= strchr(hexchars
, hinybble
);
623 p2
= strchr(hexchars
, lonybble
);
629 hinybble
= PTR_DIFF(p1
, hexchars
);
630 lonybble
= PTR_DIFF(p2
, hexchars
);
632 hours
[i
/ 2] = (hinybble
<< 4) | lonybble
;
637 int algorithmic_rid_base(void)
639 static int rid_offset
= 0;
644 rid_offset
= lp_algorithmic_rid_base();
646 if (rid_offset
< BASE_RID
) {
647 /* Try to prevent admin foot-shooting, we can't put algorithmic
648 rids below 1000, that's the 'well known RIDs' on NT */
649 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID
));
650 rid_offset
= BASE_RID
;
652 if (rid_offset
& 1) {
653 DEBUG(0, ("algorithmic rid base must be even\n"));
659 /*******************************************************************
660 Converts NT user RID to a UNIX uid.
661 ********************************************************************/
663 uid_t
algorithmic_pdb_user_rid_to_uid(uint32 user_rid
)
665 int rid_offset
= algorithmic_rid_base();
666 return (uid_t
)(((user_rid
& (~USER_RID_TYPE
)) - rid_offset
)/RID_MULTIPLIER
);
669 /*******************************************************************
670 converts UNIX uid to an NT User RID.
671 ********************************************************************/
673 uint32
algorithmic_pdb_uid_to_user_rid(uid_t uid
)
675 int rid_offset
= algorithmic_rid_base();
676 return (((((uint32
)uid
)*RID_MULTIPLIER
) + rid_offset
) | USER_RID_TYPE
);
679 /*******************************************************************
680 Converts NT group RID to a UNIX gid.
681 ********************************************************************/
683 gid_t
pdb_group_rid_to_gid(uint32 group_rid
)
685 int rid_offset
= algorithmic_rid_base();
686 return (gid_t
)(((group_rid
& (~GROUP_RID_TYPE
))- rid_offset
)/RID_MULTIPLIER
);
689 /*******************************************************************
690 converts NT Group RID to a UNIX uid.
692 warning: you must not call that function only
693 you must do a call to the group mapping first.
694 there is not anymore a direct link between the gid and the rid.
695 ********************************************************************/
697 uint32
pdb_gid_to_group_rid(gid_t gid
)
699 int rid_offset
= algorithmic_rid_base();
700 return (((((uint32
)gid
)*RID_MULTIPLIER
) + rid_offset
) | GROUP_RID_TYPE
);
703 /*******************************************************************
704 Decides if a RID is a well known RID.
705 ********************************************************************/
707 static BOOL
pdb_rid_is_well_known(uint32 rid
)
709 /* Not using rid_offset here, because this is the actual
710 NT fixed value (1000) */
712 return (rid
< BASE_RID
);
715 /*******************************************************************
716 Decides if a RID is a user or group RID.
717 ********************************************************************/
719 BOOL
algorithmic_pdb_rid_is_user(uint32 rid
)
721 if(pdb_rid_is_well_known(rid
)) {
723 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
724 * and DOMAIN_USER_RID_GUEST.
726 if(rid
== DOMAIN_USER_RID_ADMIN
|| rid
== DOMAIN_USER_RID_GUEST
)
728 } else if((rid
& RID_TYPE_MASK
) == USER_RID_TYPE
) {
734 /*******************************************************************
735 Convert a rid into a name. Used in the lookup SID rpc.
736 ********************************************************************/
738 BOOL
local_lookup_sid(const DOM_SID
*sid
, char *name
, enum SID_NAME_USE
*psid_name_use
)
741 SAM_ACCOUNT
*sam_account
= NULL
;
745 if (!sid_peek_check_rid(get_global_sam_sid(), sid
, &rid
)){
746 DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
747 sid_string_static(&map
.sid
)));
750 *psid_name_use
= SID_NAME_UNKNOWN
;
752 DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid
));
754 if (rid
== DOMAIN_USER_RID_ADMIN
) {
755 const char **admin_list
= lp_admin_users(-1);
756 *psid_name_use
= SID_NAME_USER
;
758 const char *p
= *admin_list
;
759 if(!next_token(&p
, name
, NULL
, sizeof(fstring
)))
760 fstrcpy(name
, "Administrator");
762 fstrcpy(name
, "Administrator");
767 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account
))) {
771 /* see if the passdb can help us with the name of the user */
773 /* BEING ROOT BLLOCK */
775 if (pdb_getsampwsid(sam_account
, sid
)) {
776 unbecome_root(); /* -----> EXIT BECOME_ROOT() */
777 fstrcpy(name
, pdb_get_username(sam_account
));
778 *psid_name_use
= SID_NAME_USER
;
780 pdb_free_sam(&sam_account
);
784 pdb_free_sam(&sam_account
);
786 ret
= pdb_getgrsid(&map
, *sid
);
788 /* END BECOME_ROOT BLOCK */
791 if (map
.gid
!=(gid_t
)-1) {
792 DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map
.nt_name
, (unsigned int)map
.gid
));
794 DEBUG(5,("local_lookup_sid: mapped group %s to no unix gid. Returning name.\n", map
.nt_name
));
797 fstrcpy(name
, map
.nt_name
);
798 *psid_name_use
= map
.sid_name_use
;
802 if (algorithmic_pdb_rid_is_user(rid
)) {
804 struct passwd
*pw
= NULL
;
806 DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid
));
808 uid
= algorithmic_pdb_user_rid_to_uid(rid
);
809 pw
= sys_getpwuid( uid
);
811 DEBUG(5,("local_lookup_sid: looking up uid %u %s\n", (unsigned int)uid
,
812 pw
? "succeeded" : "failed" ));
815 fstr_sprintf(name
, "unix_user.%u", (unsigned int)uid
);
817 fstrcpy( name
, pw
->pw_name
);
819 DEBUG(5,("local_lookup_sid: found user %s for rid %u\n", name
,
820 (unsigned int)rid
));
822 *psid_name_use
= SID_NAME_USER
;
824 return ( pw
!= NULL
);
829 DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid
));
831 gid
= pdb_group_rid_to_gid(rid
);
834 *psid_name_use
= SID_NAME_ALIAS
;
836 DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid
,
837 gr
? "succeeded" : "failed" ));
840 fstr_sprintf(name
, "unix_group.%u", (unsigned int)gid
);
842 fstrcpy( name
, gr
->gr_name
);
844 DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name
,
845 (unsigned int)rid
));
847 /* assume algorithmic groups are domain global groups */
849 *psid_name_use
= SID_NAME_DOM_GRP
;
851 return ( gr
!= NULL
);
855 /*******************************************************************
856 Convert a name into a SID. Used in the lookup name rpc.
857 ********************************************************************/
859 BOOL
local_lookup_name(const char *c_user
, DOM_SID
*psid
, enum SID_NAME_USE
*psid_name_use
)
864 SAM_ACCOUNT
*sam_account
= NULL
;
868 *psid_name_use
= SID_NAME_UNKNOWN
;
871 * user may be quoted a const string, and map_username and
872 * friends can modify it. Make a modifiable copy. JRA.
875 fstrcpy(user
, c_user
);
877 sid_copy(&local_sid
, get_global_sam_sid());
879 if (map_name_to_wellknown_sid(&sid
, psid_name_use
, user
)){
881 sid_copy( psid
, &sid
);
882 sid_to_string(sid_str
, &sid
);
883 DEBUG(10,("lookup_name: name %s = SID %s, type = %u\n", user
, sid_str
,
884 (unsigned int)*psid_name_use
));
888 (void)map_username(user
);
890 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account
))) {
894 /* BEGIN ROOT BLOCK */
897 if (pdb_getsampwnam(sam_account
, user
)) {
899 sid_copy(psid
, pdb_get_user_sid(sam_account
));
900 *psid_name_use
= SID_NAME_USER
;
902 pdb_free_sam(&sam_account
);
906 pdb_free_sam(&sam_account
);
909 * Maybe it was a group ?
912 /* check if it's a mapped group */
913 if (pdb_getgrnam(&map
, user
)) {
914 /* yes it's a mapped group */
915 sid_copy(&local_sid
, &map
.sid
);
916 *psid_name_use
= map
.sid_name_use
;
918 /* it's not a mapped group */
919 grp
= getgrnam(user
);
921 unbecome_root(); /* ---> exit form block */
926 *check if it's mapped, if it is reply it doesn't exist
928 * that's to prevent this case:
930 * unix group ug is mapped to nt group ng
931 * someone does a lookup on ug
932 * we must not reply as it doesn't "exist" anymore
933 * for NT. For NT only ng exists.
937 if (pdb_getgrgid(&map
, grp
->gr_gid
)){
938 unbecome_root(); /* ---> exit form block */
942 sid_append_rid( &local_sid
, pdb_gid_to_group_rid(grp
->gr_gid
));
943 *psid_name_use
= SID_NAME_ALIAS
;
948 sid_copy( psid
, &local_sid
);
953 /*************************************************************
954 Change a password entry in the local smbpasswd file.
955 *************************************************************/
957 BOOL
local_password_change(const char *user_name
, int local_flags
,
958 const char *new_passwd
,
959 char *err_str
, size_t err_str_len
,
960 char *msg_str
, size_t msg_str_len
)
962 SAM_ACCOUNT
*sam_pass
=NULL
;
968 /* Get the smb passwd entry for this user */
969 pdb_init_sam(&sam_pass
);
972 if(!pdb_getsampwnam(sam_pass
, user_name
)) {
974 pdb_free_sam(&sam_pass
);
976 if ((local_flags
& LOCAL_ADD_USER
) || (local_flags
& LOCAL_DELETE_USER
)) {
977 /* Might not exist in /etc/passwd. Use rid algorithm here */
978 if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass
, user_name
, 0))) {
979 slprintf(err_str
, err_str_len
-1, "Failed to initialise SAM_ACCOUNT for user %s. Does this user exist in the UNIX password database ?\n", user_name
);
983 slprintf(err_str
, err_str_len
-1,"Failed to find entry for user %s.\n", user_name
);
988 /* the entry already existed */
989 local_flags
&= ~LOCAL_ADD_USER
;
992 /* the 'other' acb bits not being changed here */
993 other_acb
= (pdb_get_acct_ctrl(sam_pass
) & (!(ACB_WSTRUST
|ACB_DOMTRUST
|ACB_SVRTRUST
|ACB_NORMAL
)));
994 if (local_flags
& LOCAL_TRUST_ACCOUNT
) {
995 if (!pdb_set_acct_ctrl(sam_pass
, ACB_WSTRUST
| other_acb
, PDB_CHANGED
) ) {
996 slprintf(err_str
, err_str_len
- 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name
);
997 pdb_free_sam(&sam_pass
);
1000 } else if (local_flags
& LOCAL_INTERDOM_ACCOUNT
) {
1001 if (!pdb_set_acct_ctrl(sam_pass
, ACB_DOMTRUST
| other_acb
, PDB_CHANGED
)) {
1002 slprintf(err_str
, err_str_len
- 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name
);
1003 pdb_free_sam(&sam_pass
);
1007 if (!pdb_set_acct_ctrl(sam_pass
, ACB_NORMAL
| other_acb
, PDB_CHANGED
)) {
1008 slprintf(err_str
, err_str_len
- 1, "Failed to set 'normal account' flags for user %s.\n", user_name
);
1009 pdb_free_sam(&sam_pass
);
1015 * We are root - just write the new password
1016 * and the valid last change time.
1019 if (local_flags
& LOCAL_DISABLE_USER
) {
1020 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)|ACB_DISABLED
, PDB_CHANGED
)) {
1021 slprintf(err_str
, err_str_len
-1, "Failed to set 'disabled' flag for user %s.\n", user_name
);
1022 pdb_free_sam(&sam_pass
);
1025 } else if (local_flags
& LOCAL_ENABLE_USER
) {
1026 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_DISABLED
), PDB_CHANGED
)) {
1027 slprintf(err_str
, err_str_len
-1, "Failed to unset 'disabled' flag for user %s.\n", user_name
);
1028 pdb_free_sam(&sam_pass
);
1033 if (local_flags
& LOCAL_SET_NO_PASSWORD
) {
1034 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)|ACB_PWNOTREQ
, PDB_CHANGED
)) {
1035 slprintf(err_str
, err_str_len
-1, "Failed to set 'no password required' flag for user %s.\n", user_name
);
1036 pdb_free_sam(&sam_pass
);
1039 } else if (local_flags
& LOCAL_SET_PASSWORD
) {
1041 * If we're dealing with setting a completely empty user account
1042 * ie. One with a password of 'XXXX', but not set disabled (like
1043 * an account created from scratch) then if the old password was
1044 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
1045 * We remove that as we're giving this user their first password
1046 * and the decision hasn't really been made to disable them (ie.
1047 * don't create them disabled). JRA.
1049 if ((pdb_get_lanman_passwd(sam_pass
)==NULL
) && (pdb_get_acct_ctrl(sam_pass
)&ACB_DISABLED
)) {
1050 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_DISABLED
), PDB_CHANGED
)) {
1051 slprintf(err_str
, err_str_len
-1, "Failed to unset 'disabled' flag for user %s.\n", user_name
);
1052 pdb_free_sam(&sam_pass
);
1056 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_PWNOTREQ
), PDB_CHANGED
)) {
1057 slprintf(err_str
, err_str_len
-1, "Failed to unset 'no password required' flag for user %s.\n", user_name
);
1058 pdb_free_sam(&sam_pass
);
1062 if (!pdb_set_plaintext_passwd (sam_pass
, new_passwd
)) {
1063 slprintf(err_str
, err_str_len
-1, "Failed to set password for user %s.\n", user_name
);
1064 pdb_free_sam(&sam_pass
);
1069 if (local_flags
& LOCAL_ADD_USER
) {
1070 if (pdb_add_sam_account(sam_pass
)) {
1071 slprintf(msg_str
, msg_str_len
-1, "Added user %s.\n", user_name
);
1072 pdb_free_sam(&sam_pass
);
1075 slprintf(err_str
, err_str_len
-1, "Failed to add entry for user %s.\n", user_name
);
1076 pdb_free_sam(&sam_pass
);
1079 } else if (local_flags
& LOCAL_DELETE_USER
) {
1080 if (!pdb_delete_sam_account(sam_pass
)) {
1081 slprintf(err_str
,err_str_len
-1, "Failed to delete entry for user %s.\n", user_name
);
1082 pdb_free_sam(&sam_pass
);
1085 slprintf(msg_str
, msg_str_len
-1, "Deleted user %s.\n", user_name
);
1087 if(!pdb_update_sam_account(sam_pass
)) {
1088 slprintf(err_str
, err_str_len
-1, "Failed to modify entry for user %s.\n", user_name
);
1089 pdb_free_sam(&sam_pass
);
1092 if(local_flags
& LOCAL_DISABLE_USER
)
1093 slprintf(msg_str
, msg_str_len
-1, "Disabled user %s.\n", user_name
);
1094 else if (local_flags
& LOCAL_ENABLE_USER
)
1095 slprintf(msg_str
, msg_str_len
-1, "Enabled user %s.\n", user_name
);
1096 else if (local_flags
& LOCAL_SET_NO_PASSWORD
)
1097 slprintf(msg_str
, msg_str_len
-1, "User %s password set to none.\n", user_name
);
1100 pdb_free_sam(&sam_pass
);
1104 /****************************************************************************
1105 Convert a uid to SID - algorithmic.
1106 ****************************************************************************/
1108 DOM_SID
*algorithmic_uid_to_sid(DOM_SID
*psid
, uid_t uid
)
1110 if ( !lp_enable_rid_algorithm() )
1113 DEBUG(8,("algorithmic_uid_to_sid: falling back to RID algorithm\n"));
1114 sid_copy( psid
, get_global_sam_sid() );
1115 sid_append_rid( psid
, algorithmic_pdb_uid_to_user_rid(uid
) );
1116 DEBUG(10,("algorithmic_uid_to_sid: uid (%d) -> SID %s.\n",
1117 (unsigned int)uid
, sid_string_static(psid
) ));
1122 /****************************************************************************
1123 Convert a uid to SID - locally.
1124 ****************************************************************************/
1126 DOM_SID
*local_uid_to_sid(DOM_SID
*psid
, uid_t uid
)
1128 SAM_ACCOUNT
*sampw
= NULL
;
1129 struct passwd
*unix_pw
;
1132 unix_pw
= sys_getpwuid( uid
);
1135 DEBUG(4,("local_uid_to_sid: host has no idea of uid %lu\n", (unsigned long)uid
));
1136 return algorithmic_uid_to_sid( psid
, uid
);
1139 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw
)) ) {
1140 DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUNT object\n"));
1145 ret
= pdb_getsampwnam( sampw
, unix_pw
->pw_name
);
1149 sid_copy( psid
, pdb_get_user_sid(sampw
) );
1151 DEBUG(4,("local_uid_to_sid: User %s [uid == %lu] has no samba account\n",
1152 unix_pw
->pw_name
, (unsigned long)uid
));
1154 return algorithmic_uid_to_sid( psid
, uid
);
1157 DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n",
1158 (unsigned int)uid
, sid_string_static(psid
), unix_pw
->pw_name
));
1163 /****************************************************************************
1164 Convert a SID to uid - locally.
1165 ****************************************************************************/
1167 BOOL
local_sid_to_uid(uid_t
*puid
, const DOM_SID
*psid
, enum SID_NAME_USE
*name_type
)
1169 SAM_ACCOUNT
*sampw
= NULL
;
1170 struct passwd
*unix_pw
;
1171 const char *user_name
;
1173 *name_type
= SID_NAME_UNKNOWN
;
1176 * We can only convert to a uid if this is our local
1177 * Domain SID (ie. we are the controling authority).
1179 if (!sid_check_is_in_our_domain(psid
) ) {
1180 DEBUG(5,("local_sid_to_uid: this SID (%s) is not from our domain\n", sid_string_static(psid
)));
1184 /* lookup the user account */
1186 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw
)) ) {
1187 DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
1192 if ( !pdb_getsampwsid(sampw
, psid
) ) {
1194 DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
1195 sid_string_static(psid
)));
1200 user_name
= pdb_get_username(sampw
);
1202 unix_pw
= sys_getpwnam( user_name
);
1205 DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
1207 pdb_free_sam( &sampw
);
1211 *puid
= unix_pw
->pw_uid
;
1213 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid
),
1214 (unsigned int)*puid
, user_name
));
1216 *name_type
= SID_NAME_USER
;
1221 /****************************************************************************
1222 Convert a gid to SID - algorithmic.
1223 ****************************************************************************/
1225 DOM_SID
*algorithmic_gid_to_sid(DOM_SID
*psid
, uid_t gid
)
1227 if ( !lp_enable_rid_algorithm() )
1230 DEBUG(8,("algorithmic_gid_to_sid: falling back to RID algorithm\n"));
1231 sid_copy( psid
, get_global_sam_sid() );
1232 sid_append_rid( psid
, pdb_gid_to_group_rid(gid
) );
1233 DEBUG(10,("algorithmic_gid_to_sid: gid (%d) -> SID %s.\n",
1234 (unsigned int)gid
, sid_string_static(psid
) ));
1239 /****************************************************************************
1240 Convert a gid to SID - locally.
1241 ****************************************************************************/
1243 DOM_SID
*local_gid_to_sid(DOM_SID
*psid
, gid_t gid
)
1248 /* we don't need to disable winbindd since the gid is stored in
1249 the GROUP_MAP object */
1251 /* done as root since ldap backend requires root to open a connection */
1254 ret
= pdb_getgrgid( &group
, gid
);
1259 /* algorithmic to rid mapping if enabled */
1261 if ( lp_enable_rid_algorithm() ) {
1263 DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
1264 (unsigned int)gid
, sid_string_static(psid
)));
1266 return algorithmic_gid_to_sid(psid
, gid
);
1272 sid_copy( psid
, &group
.sid
);
1274 DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n",
1275 (unsigned int)gid
, sid_string_static(psid
)));
1280 /****************************************************************************
1281 Convert a SID to gid - locally.
1282 ****************************************************************************/
1284 BOOL
local_sid_to_gid(gid_t
*pgid
, const DOM_SID
*psid
, enum SID_NAME_USE
*name_type
)
1290 *name_type
= SID_NAME_UNKNOWN
;
1292 /* This call can enumerate group mappings for foreign sids as well.
1293 So don't check for a match against our domain SID */
1295 /* we don't need to disable winbindd since the gid is stored in
1296 the GROUP_MAP object */
1299 ret
= pdb_getgrsid(&group
, *psid
);
1304 /* Fallback to algorithmic rid mapping if enabled */
1306 if ( lp_enable_rid_algorithm() ) {
1308 if (!sid_check_is_in_our_domain(psid
) ) {
1309 DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (%s is not)\n", sid_string_static(psid
)));
1313 if (!sid_peek_rid(psid
, &rid
)) {
1314 DEBUG(10,("local_sid_to_gid: invalid SID!\n"));
1318 DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
1320 if (algorithmic_pdb_rid_is_user(rid
)) {
1321 DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid
)));
1324 *pgid
= pdb_group_rid_to_gid(rid
);
1325 DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid
), (unsigned int)(*pgid
)));
1334 *name_type
= group
.sid_name_use
;
1336 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid
),
1337 (unsigned int)*pgid
));
1342 /**********************************************************************
1343 Marshall/unmarshall SAM_ACCOUNT structs.
1344 *********************************************************************/
1346 #define TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
1347 #define TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
1348 #define TDB_FORMAT_STRING_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
1350 /**********************************************************************
1351 Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
1352 *********************************************************************/
1354 BOOL
init_sam_from_buffer(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1356 return(init_sam_from_buffer_v2(sampass
, buf
, buflen
));
1359 /**********************************************************************
1360 Intialize a BYTE buffer from a SAM_ACCOUNT struct
1361 *********************************************************************/
1363 uint32
init_buffer_from_sam (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1365 return(init_buffer_from_sam_v2(buf
, sampass
, size_only
));
1369 BOOL
init_sam_from_buffer_v0(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1372 /* times are stored as 32bit integer
1373 take care on system with 64bit wide time_t
1379 pass_can_change_time
,
1380 pass_must_change_time
;
1393 uint32 username_len
, domain_len
, nt_username_len
,
1394 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1395 fullname_len
, homedir_len
, logon_script_len
,
1396 profile_path_len
, acct_desc_len
, workstations_len
;
1398 uint32 user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1399 uint16 acct_ctrl
, logon_divs
;
1400 uint16 bad_password_count
, logon_count
;
1402 uint8
*lm_pw_ptr
, *nt_pw_ptr
;
1404 uint32 lm_pw_len
, nt_pw_len
, hourslen
;
1407 if(sampass
== NULL
|| buf
== NULL
) {
1408 DEBUG(0, ("init_sam_from_buffer_v0: NULL parameters found!\n"));
1412 /* TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1414 /* unpack the buffer into variables */
1415 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V0
,
1416 &logon_time
, /* d */
1417 &logoff_time
, /* d */
1418 &kickoff_time
, /* d */
1419 &pass_last_set_time
, /* d */
1420 &pass_can_change_time
, /* d */
1421 &pass_must_change_time
, /* d */
1422 &username_len
, &username
, /* B */
1423 &domain_len
, &domain
, /* B */
1424 &nt_username_len
, &nt_username
, /* B */
1425 &fullname_len
, &fullname
, /* B */
1426 &homedir_len
, &homedir
, /* B */
1427 &dir_drive_len
, &dir_drive
, /* B */
1428 &logon_script_len
, &logon_script
, /* B */
1429 &profile_path_len
, &profile_path
, /* B */
1430 &acct_desc_len
, &acct_desc
, /* B */
1431 &workstations_len
, &workstations
, /* B */
1432 &unknown_str_len
, &unknown_str
, /* B */
1433 &munged_dial_len
, &munged_dial
, /* B */
1436 &lm_pw_len
, &lm_pw_ptr
, /* B */
1437 &nt_pw_len
, &nt_pw_ptr
, /* B */
1439 &remove_me
, /* remove on the next TDB_FORMAT upgarde */ /* d */
1440 &logon_divs
, /* w */
1442 &hourslen
, &hours
, /* B */
1443 &bad_password_count
, /* w */
1444 &logon_count
, /* w */
1445 &unknown_6
); /* d */
1447 if (len
== (uint32
) -1) {
1452 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1453 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1454 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1455 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1456 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1457 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1459 pdb_set_username(sampass
, username
, PDB_SET
);
1460 pdb_set_domain(sampass
, domain
, PDB_SET
);
1461 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1462 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1465 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1468 pdb_set_homedir(sampass
,
1469 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1474 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1476 pdb_set_dir_drive(sampass
,
1477 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1482 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1484 pdb_set_logon_script(sampass
,
1485 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1490 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1492 pdb_set_profile_path(sampass
,
1493 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1497 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1498 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1499 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1501 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1502 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1508 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1509 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1515 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1516 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1517 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1518 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1519 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1520 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1521 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1522 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1523 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1524 pdb_set_hours(sampass
, hours
, PDB_SET
);
1528 SAFE_FREE(username
);
1530 SAFE_FREE(nt_username
);
1531 SAFE_FREE(fullname
);
1533 SAFE_FREE(dir_drive
);
1534 SAFE_FREE(logon_script
);
1535 SAFE_FREE(profile_path
);
1536 SAFE_FREE(acct_desc
);
1537 SAFE_FREE(workstations
);
1538 SAFE_FREE(munged_dial
);
1539 SAFE_FREE(unknown_str
);
1540 SAFE_FREE(lm_pw_ptr
);
1541 SAFE_FREE(nt_pw_ptr
);
1547 BOOL
init_sam_from_buffer_v1(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1550 /* times are stored as 32bit integer
1551 take care on system with 64bit wide time_t
1558 pass_can_change_time
,
1559 pass_must_change_time
;
1572 uint32 username_len
, domain_len
, nt_username_len
,
1573 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1574 fullname_len
, homedir_len
, logon_script_len
,
1575 profile_path_len
, acct_desc_len
, workstations_len
;
1577 uint32 user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1578 uint16 acct_ctrl
, logon_divs
;
1579 uint16 bad_password_count
, logon_count
;
1581 uint8
*lm_pw_ptr
, *nt_pw_ptr
;
1583 uint32 lm_pw_len
, nt_pw_len
, hourslen
;
1586 if(sampass
== NULL
|| buf
== NULL
) {
1587 DEBUG(0, ("init_sam_from_buffer_v1: NULL parameters found!\n"));
1591 /* TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1593 /* unpack the buffer into variables */
1594 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V1
,
1595 &logon_time
, /* d */
1596 &logoff_time
, /* d */
1597 &kickoff_time
, /* d */
1598 /* Change from V0 is addition of bad_password_time field. */
1599 &bad_password_time
, /* d */
1600 &pass_last_set_time
, /* d */
1601 &pass_can_change_time
, /* d */
1602 &pass_must_change_time
, /* d */
1603 &username_len
, &username
, /* B */
1604 &domain_len
, &domain
, /* B */
1605 &nt_username_len
, &nt_username
, /* B */
1606 &fullname_len
, &fullname
, /* B */
1607 &homedir_len
, &homedir
, /* B */
1608 &dir_drive_len
, &dir_drive
, /* B */
1609 &logon_script_len
, &logon_script
, /* B */
1610 &profile_path_len
, &profile_path
, /* B */
1611 &acct_desc_len
, &acct_desc
, /* B */
1612 &workstations_len
, &workstations
, /* B */
1613 &unknown_str_len
, &unknown_str
, /* B */
1614 &munged_dial_len
, &munged_dial
, /* B */
1617 &lm_pw_len
, &lm_pw_ptr
, /* B */
1618 &nt_pw_len
, &nt_pw_ptr
, /* B */
1621 &logon_divs
, /* w */
1623 &hourslen
, &hours
, /* B */
1624 &bad_password_count
, /* w */
1625 &logon_count
, /* w */
1626 &unknown_6
); /* d */
1628 if (len
== (uint32
) -1) {
1633 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1634 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1635 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1637 /* Change from V0 is addition of bad_password_time field. */
1638 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
1639 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1640 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1641 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1643 pdb_set_username(sampass
, username
, PDB_SET
);
1644 pdb_set_domain(sampass
, domain
, PDB_SET
);
1645 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1646 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1649 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1652 pdb_set_homedir(sampass
,
1653 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1658 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1660 pdb_set_dir_drive(sampass
,
1661 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1666 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1668 pdb_set_logon_script(sampass
,
1669 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1674 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1676 pdb_set_profile_path(sampass
,
1677 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1681 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1682 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1683 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1685 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1686 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1692 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1693 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1699 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1701 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1702 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1703 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1704 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1705 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1706 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1707 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1708 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1709 pdb_set_hours(sampass
, hours
, PDB_SET
);
1713 SAFE_FREE(username
);
1715 SAFE_FREE(nt_username
);
1716 SAFE_FREE(fullname
);
1718 SAFE_FREE(dir_drive
);
1719 SAFE_FREE(logon_script
);
1720 SAFE_FREE(profile_path
);
1721 SAFE_FREE(acct_desc
);
1722 SAFE_FREE(workstations
);
1723 SAFE_FREE(munged_dial
);
1724 SAFE_FREE(unknown_str
);
1725 SAFE_FREE(lm_pw_ptr
);
1726 SAFE_FREE(nt_pw_ptr
);
1733 BOOL
init_sam_from_buffer_v2(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1736 /* times are stored as 32bit integer
1737 take care on system with 64bit wide time_t
1744 pass_can_change_time
,
1745 pass_must_change_time
;
1758 uint32 username_len
, domain_len
, nt_username_len
,
1759 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1760 fullname_len
, homedir_len
, logon_script_len
,
1761 profile_path_len
, acct_desc_len
, workstations_len
;
1763 uint32 user_rid
, group_rid
, hours_len
, unknown_6
;
1764 uint16 acct_ctrl
, logon_divs
;
1765 uint16 bad_password_count
, logon_count
;
1767 uint8
*lm_pw_ptr
, *nt_pw_ptr
, *nt_pw_hist_ptr
;
1769 uint32 lm_pw_len
, nt_pw_len
, nt_pw_hist_len
, hourslen
;
1770 uint32 pwHistLen
= 0;
1773 if(sampass
== NULL
|| buf
== NULL
) {
1774 DEBUG(0, ("init_sam_from_buffer_v2: NULL parameters found!\n"));
1778 /* TDB_FORMAT_STRING_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1780 /* unpack the buffer into variables */
1781 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V2
,
1782 &logon_time
, /* d */
1783 &logoff_time
, /* d */
1784 &kickoff_time
, /* d */
1785 &bad_password_time
, /* d */
1786 &pass_last_set_time
, /* d */
1787 &pass_can_change_time
, /* d */
1788 &pass_must_change_time
, /* d */
1789 &username_len
, &username
, /* B */
1790 &domain_len
, &domain
, /* B */
1791 &nt_username_len
, &nt_username
, /* B */
1792 &fullname_len
, &fullname
, /* B */
1793 &homedir_len
, &homedir
, /* B */
1794 &dir_drive_len
, &dir_drive
, /* B */
1795 &logon_script_len
, &logon_script
, /* B */
1796 &profile_path_len
, &profile_path
, /* B */
1797 &acct_desc_len
, &acct_desc
, /* B */
1798 &workstations_len
, &workstations
, /* B */
1799 &unknown_str_len
, &unknown_str
, /* B */
1800 &munged_dial_len
, &munged_dial
, /* B */
1803 &lm_pw_len
, &lm_pw_ptr
, /* B */
1804 &nt_pw_len
, &nt_pw_ptr
, /* B */
1805 /* Change from V1 is addition of password history field. */
1806 &nt_pw_hist_len
, &nt_pw_hist_ptr
, /* B */
1808 /* Also "remove_me" field was removed. */
1809 &logon_divs
, /* w */
1811 &hourslen
, &hours
, /* B */
1812 &bad_password_count
, /* w */
1813 &logon_count
, /* w */
1814 &unknown_6
); /* d */
1816 if (len
== (uint32
) -1) {
1821 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1822 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1823 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1824 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
1825 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1826 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1827 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1829 pdb_set_username(sampass
, username
, PDB_SET
);
1830 pdb_set_domain(sampass
, domain
, PDB_SET
);
1831 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1832 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1835 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1838 pdb_set_homedir(sampass
,
1839 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1844 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1846 pdb_set_dir_drive(sampass
,
1847 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1852 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1854 pdb_set_logon_script(sampass
,
1855 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1860 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1862 pdb_set_profile_path(sampass
,
1863 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1867 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1868 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1869 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1871 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1872 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1878 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1879 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1885 /* Change from V1 is addition of password history field. */
1886 account_policy_get(AP_PASSWORD_HISTORY
, &pwHistLen
);
1888 char *pw_hist
= malloc(pwHistLen
* PW_HISTORY_ENTRY_LEN
);
1893 memset(pw_hist
, '\0', pwHistLen
* PW_HISTORY_ENTRY_LEN
);
1894 if (nt_pw_hist_ptr
&& nt_pw_hist_len
) {
1896 SMB_ASSERT((nt_pw_hist_len
% PW_HISTORY_ENTRY_LEN
) == 0);
1897 nt_pw_hist_len
/= PW_HISTORY_ENTRY_LEN
;
1898 for (i
= 0; (i
< pwHistLen
) && (i
< nt_pw_hist_len
); i
++) {
1899 memcpy(&pw_hist
[i
*PW_HISTORY_ENTRY_LEN
],
1900 &nt_pw_hist_ptr
[i
*PW_HISTORY_ENTRY_LEN
],
1901 PW_HISTORY_ENTRY_LEN
);
1904 if (!pdb_set_pw_history(sampass
, pw_hist
, pwHistLen
, PDB_SET
)) {
1911 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1914 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1915 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1916 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1917 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1918 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1919 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1920 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1921 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1922 pdb_set_hours(sampass
, hours
, PDB_SET
);
1926 SAFE_FREE(username
);
1928 SAFE_FREE(nt_username
);
1929 SAFE_FREE(fullname
);
1931 SAFE_FREE(dir_drive
);
1932 SAFE_FREE(logon_script
);
1933 SAFE_FREE(profile_path
);
1934 SAFE_FREE(acct_desc
);
1935 SAFE_FREE(workstations
);
1936 SAFE_FREE(munged_dial
);
1937 SAFE_FREE(unknown_str
);
1938 SAFE_FREE(lm_pw_ptr
);
1939 SAFE_FREE(nt_pw_ptr
);
1940 SAFE_FREE(nt_pw_hist_ptr
);
1946 uint32
init_buffer_from_sam_v2 (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1950 /* times are stored as 32bit integer
1951 take care on system with 64bit wide time_t
1958 pass_can_change_time
,
1959 pass_must_change_time
;
1961 uint32 user_rid
, group_rid
;
1963 const char *username
;
1965 const char *nt_username
;
1966 const char *dir_drive
;
1967 const char *unknown_str
;
1968 const char *munged_dial
;
1969 const char *fullname
;
1970 const char *homedir
;
1971 const char *logon_script
;
1972 const char *profile_path
;
1973 const char *acct_desc
;
1974 const char *workstations
;
1975 uint32 username_len
, domain_len
, nt_username_len
,
1976 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1977 fullname_len
, homedir_len
, logon_script_len
,
1978 profile_path_len
, acct_desc_len
, workstations_len
;
1982 const uint8
*nt_pw_hist
;
1983 uint32 lm_pw_len
= 16;
1984 uint32 nt_pw_len
= 16;
1985 uint32 nt_pw_hist_len
;
1986 uint32 pwHistLen
= 0;
1988 /* do we have a valid SAM_ACCOUNT pointer? */
1989 if (sampass
== NULL
) {
1990 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1997 logon_time
= (uint32
)pdb_get_logon_time(sampass
);
1998 logoff_time
= (uint32
)pdb_get_logoff_time(sampass
);
1999 kickoff_time
= (uint32
)pdb_get_kickoff_time(sampass
);
2000 bad_password_time
= (uint32
)pdb_get_bad_password_time(sampass
);
2001 pass_can_change_time
= (uint32
)pdb_get_pass_can_change_time(sampass
);
2002 pass_must_change_time
= (uint32
)pdb_get_pass_must_change_time(sampass
);
2003 pass_last_set_time
= (uint32
)pdb_get_pass_last_set_time(sampass
);
2005 user_rid
= pdb_get_user_rid(sampass
);
2006 group_rid
= pdb_get_group_rid(sampass
);
2008 username
= pdb_get_username(sampass
);
2010 username_len
= strlen(username
) +1;
2015 domain
= pdb_get_domain(sampass
);
2017 domain_len
= strlen(domain
) +1;
2022 nt_username
= pdb_get_nt_username(sampass
);
2024 nt_username_len
= strlen(nt_username
) +1;
2026 nt_username_len
= 0;
2029 fullname
= pdb_get_fullname(sampass
);
2031 fullname_len
= strlen(fullname
) +1;
2037 * Only updates fields which have been set (not defaults from smb.conf)
2040 if (!IS_SAM_DEFAULT(sampass
, PDB_DRIVE
)) {
2041 dir_drive
= pdb_get_dir_drive(sampass
);
2046 dir_drive_len
= strlen(dir_drive
) +1;
2051 if (!IS_SAM_DEFAULT(sampass
, PDB_SMBHOME
)) {
2052 homedir
= pdb_get_homedir(sampass
);
2057 homedir_len
= strlen(homedir
) +1;
2062 if (!IS_SAM_DEFAULT(sampass
, PDB_LOGONSCRIPT
)) {
2063 logon_script
= pdb_get_logon_script(sampass
);
2065 logon_script
= NULL
;
2068 logon_script_len
= strlen(logon_script
) +1;
2070 logon_script_len
= 0;
2073 if (!IS_SAM_DEFAULT(sampass
, PDB_PROFILE
)) {
2074 profile_path
= pdb_get_profile_path(sampass
);
2076 profile_path
= NULL
;
2079 profile_path_len
= strlen(profile_path
) +1;
2081 profile_path_len
= 0;
2084 lm_pw
= pdb_get_lanman_passwd(sampass
);
2089 nt_pw
= pdb_get_nt_passwd(sampass
);
2094 account_policy_get(AP_PASSWORD_HISTORY
, &pwHistLen
);
2095 nt_pw_hist
= pdb_get_pw_history(sampass
, &nt_pw_hist_len
);
2096 if (pwHistLen
&& nt_pw_hist
&& nt_pw_hist_len
) {
2097 nt_pw_hist_len
*= PW_HISTORY_ENTRY_LEN
;
2102 acct_desc
= pdb_get_acct_desc(sampass
);
2104 acct_desc_len
= strlen(acct_desc
) +1;
2109 workstations
= pdb_get_workstations(sampass
);
2111 workstations_len
= strlen(workstations
) +1;
2113 workstations_len
= 0;
2117 unknown_str_len
= 0;
2119 munged_dial
= pdb_get_munged_dial(sampass
);
2121 munged_dial_len
= strlen(munged_dial
) +1;
2123 munged_dial_len
= 0;
2126 /* TDB_FORMAT_STRING_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
2128 /* one time to get the size needed */
2129 len
= tdb_pack(NULL
, 0, TDB_FORMAT_STRING_V2
,
2131 logoff_time
, /* d */
2132 kickoff_time
, /* d */
2133 bad_password_time
, /* d */
2134 pass_last_set_time
, /* d */
2135 pass_can_change_time
, /* d */
2136 pass_must_change_time
, /* d */
2137 username_len
, username
, /* B */
2138 domain_len
, domain
, /* B */
2139 nt_username_len
, nt_username
, /* B */
2140 fullname_len
, fullname
, /* B */
2141 homedir_len
, homedir
, /* B */
2142 dir_drive_len
, dir_drive
, /* B */
2143 logon_script_len
, logon_script
, /* B */
2144 profile_path_len
, profile_path
, /* B */
2145 acct_desc_len
, acct_desc
, /* B */
2146 workstations_len
, workstations
, /* B */
2147 unknown_str_len
, unknown_str
, /* B */
2148 munged_dial_len
, munged_dial
, /* B */
2151 lm_pw_len
, lm_pw
, /* B */
2152 nt_pw_len
, nt_pw
, /* B */
2153 nt_pw_hist_len
, nt_pw_hist
, /* B */
2154 pdb_get_acct_ctrl(sampass
), /* w */
2155 pdb_get_logon_divs(sampass
), /* w */
2156 pdb_get_hours_len(sampass
), /* d */
2157 MAX_HOURS_LEN
, pdb_get_hours(sampass
), /* B */
2158 pdb_get_bad_password_count(sampass
), /* w */
2159 pdb_get_logon_count(sampass
), /* w */
2160 pdb_get_unknown_6(sampass
)); /* d */
2166 /* malloc the space needed */
2167 if ( (*buf
=(uint8
*)malloc(len
)) == NULL
) {
2168 DEBUG(0,("init_buffer_from_sam_v2: Unable to malloc() memory for buffer!\n"));
2172 /* now for the real call to tdb_pack() */
2173 buflen
= tdb_pack((char *)*buf
, len
, TDB_FORMAT_STRING_V2
,
2175 logoff_time
, /* d */
2176 kickoff_time
, /* d */
2177 bad_password_time
, /* d */
2178 pass_last_set_time
, /* d */
2179 pass_can_change_time
, /* d */
2180 pass_must_change_time
, /* d */
2181 username_len
, username
, /* B */
2182 domain_len
, domain
, /* B */
2183 nt_username_len
, nt_username
, /* B */
2184 fullname_len
, fullname
, /* B */
2185 homedir_len
, homedir
, /* B */
2186 dir_drive_len
, dir_drive
, /* B */
2187 logon_script_len
, logon_script
, /* B */
2188 profile_path_len
, profile_path
, /* B */
2189 acct_desc_len
, acct_desc
, /* B */
2190 workstations_len
, workstations
, /* B */
2191 unknown_str_len
, unknown_str
, /* B */
2192 munged_dial_len
, munged_dial
, /* B */
2195 lm_pw_len
, lm_pw
, /* B */
2196 nt_pw_len
, nt_pw
, /* B */
2197 nt_pw_hist_len
, nt_pw_hist
, /* B */
2198 pdb_get_acct_ctrl(sampass
), /* w */
2199 pdb_get_logon_divs(sampass
), /* w */
2200 pdb_get_hours_len(sampass
), /* d */
2201 MAX_HOURS_LEN
, pdb_get_hours(sampass
), /* B */
2202 pdb_get_bad_password_count(sampass
), /* w */
2203 pdb_get_logon_count(sampass
), /* w */
2204 pdb_get_unknown_6(sampass
)); /* d */
2206 /* check to make sure we got it correct */
2207 if (buflen
!= len
) {
2208 DEBUG(0, ("init_buffer_from_sam_v2: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2209 (unsigned long)buflen
, (unsigned long)len
));
2218 /**********************************************************************
2219 **********************************************************************/
2221 static BOOL
get_free_ugid_range(uint32
*low
, uint32
*high
)
2223 uid_t u_low
, u_high
;
2224 gid_t g_low
, g_high
;
2226 if (!lp_idmap_uid(&u_low
, &u_high
) || !lp_idmap_gid(&g_low
, &g_high
)) {
2230 *low
= (u_low
< g_low
) ? u_low
: g_low
;
2231 *high
= (u_high
< g_high
) ? u_high
: g_high
;
2236 /******************************************************************
2237 Get the the non-algorithmic RID range if idmap range are defined
2238 ******************************************************************/
2240 BOOL
get_free_rid_range(uint32
*low
, uint32
*high
)
2242 uint32 id_low
, id_high
;
2244 if (!lp_enable_rid_algorithm()) {
2249 if (!get_free_ugid_range(&id_low
, &id_high
)) {
2253 *low
= algorithmic_pdb_uid_to_user_rid(id_low
);
2254 if (algorithmic_pdb_user_rid_to_uid((uint32
)-1) < id_high
) {
2257 *high
= algorithmic_pdb_uid_to_user_rid(id_high
);
2263 /*********************************************************************
2264 Update the bad password count checking the AP_RESET_COUNT_TIME
2265 *********************************************************************/
2267 BOOL
pdb_update_bad_password_count(SAM_ACCOUNT
*sampass
, BOOL
*updated
)
2269 time_t LastBadPassword
;
2270 uint16 BadPasswordCount
;
2273 if (!sampass
) return False
;
2275 BadPasswordCount
= pdb_get_bad_password_count(sampass
);
2276 if (!BadPasswordCount
) {
2277 DEBUG(9, ("No bad password attempts.\n"));
2281 if (!account_policy_get(AP_RESET_COUNT_TIME
, &resettime
)) {
2282 DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
2286 /* First, check if there is a reset time to compare */
2287 if ((resettime
== (uint32
) -1) || (resettime
== 0)) {
2288 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2292 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2293 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2294 (uint32
) LastBadPassword
, resettime
, (uint32
)time(NULL
)));
2295 if (time(NULL
) > (LastBadPassword
+ (time_t)resettime
*60)){
2296 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
2297 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
2306 /*********************************************************************
2307 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
2308 *********************************************************************/
2310 BOOL
pdb_update_autolock_flag(SAM_ACCOUNT
*sampass
, BOOL
*updated
)
2313 time_t LastBadPassword
;
2315 if (!sampass
) return False
;
2317 if (!(pdb_get_acct_ctrl(sampass
) & ACB_AUTOLOCK
)) {
2318 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2319 pdb_get_username(sampass
)));
2323 if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION
, &duration
)) {
2324 DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
2328 /* First, check if there is a duration to compare */
2329 if ((duration
== (uint32
) -1) || (duration
== 0)) {
2330 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2334 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2335 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2336 pdb_get_username(sampass
), (uint32
)LastBadPassword
, duration
*60, (uint32
)time(NULL
)));
2338 if (LastBadPassword
== (time_t)0) {
2339 DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
2340 bad password time. Leaving locked out.\n",
2341 pdb_get_username(sampass
) ));
2345 if ((time(NULL
) > (LastBadPassword
+ (time_t) duration
* 60))) {
2346 pdb_set_acct_ctrl(sampass
,
2347 pdb_get_acct_ctrl(sampass
) & ~ACB_AUTOLOCK
,
2349 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
2350 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
2359 /*********************************************************************
2360 Increment the bad_password_count
2361 *********************************************************************/
2363 BOOL
pdb_increment_bad_password_count(SAM_ACCOUNT
*sampass
)
2365 uint32 account_policy_lockout
;
2366 BOOL autolock_updated
= False
, badpw_updated
= False
;
2371 /* Retrieve the account lockout policy */
2372 if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
,
2373 &account_policy_lockout
)) {
2374 DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
2378 /* If there is no policy, we don't need to continue checking */
2379 if (!account_policy_lockout
) {
2380 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2384 /* Check if the autolock needs to be cleared */
2385 if (!pdb_update_autolock_flag(sampass
, &autolock_updated
))
2388 /* Check if the badpw count needs to be reset */
2389 if (!pdb_update_bad_password_count(sampass
, &badpw_updated
))
2393 Ok, now we can assume that any resetting that needs to be
2394 done has been done, and just get on with incrementing
2395 and autolocking if necessary
2398 pdb_set_bad_password_count(sampass
,
2399 pdb_get_bad_password_count(sampass
)+1,
2401 pdb_set_bad_password_time(sampass
, time(NULL
), PDB_CHANGED
);
2404 if (pdb_get_bad_password_count(sampass
) < account_policy_lockout
)
2407 if (!pdb_set_acct_ctrl(sampass
,
2408 pdb_get_acct_ctrl(sampass
) | ACB_AUTOLOCK
,
2410 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));