search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r19801: grabbing minor changes (some missing pieces from jmcd's SAMR work as well)
[Samba.git] / source / lib / account_pol.c
blob4cb0b77e74666a35b0c8c10fc9cce7c7fbc31784
1 /*
2 * Unix SMB/CIFS implementation.
3 * account policy storage
4 * Copyright (C) Jean François Micouleau 1998-2001.
5 * Copyright (C) Andrew Bartlett 2002
6 * Copyright (C) Guenther Deschner 2004-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 static TDB_CONTEXT *tdb;
25
26 /* cache all entries for 60 seconds for to save ldap-queries (cache is updated
27 * after this period if admins do not use pdbedit or usermanager but manipulate
28 * ldap directly) - gd */
29
30 #define DATABASE_VERSION 3
31 #define AP_TTL 60
32
33
34 struct ap_table {
35 int field;
36 const char *string;
37 uint32 default_val;
38 const char *description;
39 const char *ldap_attr;
40 };
41
42 static const struct ap_table account_policy_names[] = {
43 {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
44 "Minimal password length (default: 5)",
45 "sambaMinPwdLength" },
46
47 {AP_PASSWORD_HISTORY, "password history", 0,
48 "Length of Password History Entries (default: 0 => off)",
49 "sambaPwdHistoryLength" },
50
51 {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
52 "Force Users to logon for password change (default: 0 => off, 2 => on)",
53 "sambaLogonToChgPwd" },
54
55 {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
56 "Maximum password age, in seconds (default: -1 => never expire passwords)",
57 "sambaMaxPwdAge" },
58
59 {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
60 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
61 "sambaMinPwdAge" },
62
63 {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
64 "Lockout duration in minutes (default: 30, -1 => forever)",
65 "sambaLockoutDuration" },
66
67 {AP_RESET_COUNT_TIME, "reset count minutes", 30,
68 "Reset time after lockout in minutes (default: 30)",
69 "sambaLockoutObservationWindow" },
70
71 {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
72 "Lockout users after bad logon attempts (default: 0 => off)",
73 "sambaLockoutThreshold" },
74
75 {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
76 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
77 "sambaForceLogoff" },
78
79 {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
80 "Allow Machine Password changes (default: 0 => off)",
81 "sambaRefuseMachinePwdChange" },
82
83 {0, NULL, 0, "", NULL}
84 };
85
86 char *account_policy_names_list(void)
87 {
88 char *nl, *p;
89 int i;
90 size_t len = 0;
91
92 for (i=0; account_policy_names[i].string; i++) {
93 len += strlen(account_policy_names[i].string) + 1;
94 }
95 len++;
96 nl = (char *)SMB_MALLOC(len);
97 if (!nl) {
98 return NULL;
99 }
100 p = nl;
101 for (i=0; account_policy_names[i].string; i++) {
102 memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1);
103 p[strlen(account_policy_names[i].string)] = '\n';
104 p += strlen(account_policy_names[i].string) + 1;
105 }
106 *p = '\0';
107 return nl;
108 }
109
110 /****************************************************************************
111 Get the account policy name as a string from its #define'ed number
112 ****************************************************************************/
113
114 const char *decode_account_policy_name(int field)
115 {
116 int i;
117 for (i=0; account_policy_names[i].string; i++) {
118 if (field == account_policy_names[i].field) {
119 return account_policy_names[i].string;
120 }
121 }
122 return NULL;
123 }
124
125 /****************************************************************************
126 Get the account policy LDAP attribute as a string from its #define'ed number
127 ****************************************************************************/
128
129 const char *get_account_policy_attr(int field)
130 {
131 int i;
132 for (i=0; account_policy_names[i].field; i++) {
133 if (field == account_policy_names[i].field) {
134 return account_policy_names[i].ldap_attr;
135 }
136 }
137 return NULL;
138 }
139
140 /****************************************************************************
141 Get the account policy description as a string from its #define'ed number
142 ****************************************************************************/
143
144 const char *account_policy_get_desc(int field)
145 {
146 int i;
147 for (i=0; account_policy_names[i].string; i++) {
148 if (field == account_policy_names[i].field) {
149 return account_policy_names[i].description;
150 }
151 }
152 return NULL;
153 }
154
155 /****************************************************************************
156 Get the account policy name as a string from its #define'ed number
157 ****************************************************************************/
158
159 int account_policy_name_to_fieldnum(const char *name)
160 {
161 int i;
162 for (i=0; account_policy_names[i].string; i++) {
163 if (strcmp(name, account_policy_names[i].string) == 0) {
164 return account_policy_names[i].field;
165 }
166 }
167 return 0;
168 }
169
170 /*****************************************************************************
171 Get default value for account policy
172 *****************************************************************************/
173
174 BOOL account_policy_get_default(int account_policy, uint32 *val)
175 {
176 int i;
177 for (i=0; account_policy_names[i].field; i++) {
178 if (account_policy_names[i].field == account_policy) {
179 *val = account_policy_names[i].default_val;
180 return True;
181 }
182 }
183 DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
184 account_policy));
185 return False;
186 }
187
188 /*****************************************************************************
189 Set default for a field if it is empty
190 *****************************************************************************/
191
192 static BOOL account_policy_set_default_on_empty(int account_policy)
193 {
194
195 uint32 value;
196
197 if (!account_policy_get(account_policy, &value) &&
198 !account_policy_get_default(account_policy, &value)) {
199 return False;
200 }
201
202 return account_policy_set(account_policy, value);
203 }
204
205 /*****************************************************************************
206 Open the account policy tdb.
207 ***`*************************************************************************/
208
209 BOOL init_account_policy(void)
210 {
211
212 const char *vstring = "INFO/version";
213 uint32 version;
214 int i;
215
216 if (tdb) {
217 return True;
218 }
219
220 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600);
221 if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */
222 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
223 if (!tdb) {
224 DEBUG(0,("Failed to open account policy database\n"));
225 return False;
226 }
227 }
228
229 /* handle a Samba upgrade */
230 tdb_lock_bystring(tdb, vstring);
231 if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
232
233 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
234
235 for (i=0; account_policy_names[i].field; i++) {
236
237 if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
238 DEBUG(0,("failed to set default value in account policy tdb\n"));
239 return False;
240 }
241 }
242 }
243
244 tdb_unlock_bystring(tdb, vstring);
245
246 /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
247
248 privilege_create_account( &global_sid_World );
249 privilege_create_account( &global_sid_Builtin_Account_Operators );
250 privilege_create_account( &global_sid_Builtin_Server_Operators );
251 privilege_create_account( &global_sid_Builtin_Print_Operators );
252 privilege_create_account( &global_sid_Builtin_Backup_Operators );
253
254 /* BUILTIN\Administrators get everything -- *always* */
255
256 if ( lp_enable_privileges() ) {
257 if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
258 DEBUG(1,("init_account_policy: Failed to grant privileges "
259 "to BUILTIN\\Administrators!\n"));
260 }
261 }
262
263 return True;
264 }
265
266 /*****************************************************************************
267 Get an account policy (from tdb)
268 *****************************************************************************/
269
270 BOOL account_policy_get(int field, uint32 *value)
271 {
272 const char *name;
273 uint32 regval;
274
275 if (!init_account_policy()) {
276 return False;
277 }
278
279 if (value) {
280 *value = 0;
281 }
282
283 name = decode_account_policy_name(field);
284 if (name == NULL) {
285 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
286 return False;
287 }
288
289 if (!tdb_fetch_uint32(tdb, name, &regval)) {
290 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
291 return False;
292 }
293
294 if (value) {
295 *value = regval;
296 }
297
298 DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
299 return True;
300 }
301
302
303 /****************************************************************************
304 Set an account policy (in tdb)
305 ****************************************************************************/
306
307 BOOL account_policy_set(int field, uint32 value)
308 {
309 const char *name;
310
311 if (!init_account_policy()) {
312 return False;
313 }
314
315 name = decode_account_policy_name(field);
316 if (name == NULL) {
317 DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
318 return False;
319 }
320
321 if (!tdb_store_uint32(tdb, name, value)) {
322 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
323 return False;
324 }
325
326 DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
327
328 return True;
329 }
330
331 /****************************************************************************
332 Set an account policy in the cache
333 ****************************************************************************/
334
335 BOOL cache_account_policy_set(int field, uint32 value)
336 {
337 const char *policy_name = NULL;
338 char *cache_key = NULL;
339 char *cache_value = NULL;
340 BOOL ret = False;
341
342 policy_name = decode_account_policy_name(field);
343 if (policy_name == NULL) {
344 DEBUG(0,("cache_account_policy_set: no policy found\n"));
345 return False;
346 }
347
348 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
349 DEBUG(0, ("asprintf failed\n"));
350 goto done;
351 }
352
353 if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
354 DEBUG(0, ("asprintf failed\n"));
355 goto done;
356 }
357
358 DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
359
360 ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
361
362 done:
363 SAFE_FREE(cache_key);
364 SAFE_FREE(cache_value);
365 return ret;
366 }
367
368 /*****************************************************************************
369 Get an account policy from the cache
370 *****************************************************************************/
371
372 BOOL cache_account_policy_get(int field, uint32 *value)
373 {
374 const char *policy_name = NULL;
375 char *cache_key = NULL;
376 char *cache_value = NULL;
377 BOOL ret = False;
378
379 policy_name = decode_account_policy_name(field);
380 if (policy_name == NULL) {
381 DEBUG(0,("cache_account_policy_set: no policy found\n"));
382 return False;
383 }
384
385 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
386 DEBUG(0, ("asprintf failed\n"));
387 goto done;
388 }
389
390 if (gencache_get(cache_key, &cache_value, NULL)) {
391 uint32 tmp = strtoul(cache_value, NULL, 10);
392 *value = tmp;
393 ret = True;
394 }
395
396 done:
397 SAFE_FREE(cache_key);
398 SAFE_FREE(cache_value);
399 return ret;
400 }
401
402 /****************************************************************************
403 ****************************************************************************/
404
405 TDB_CONTEXT *get_account_pol_tdb( void )
406 {
407
408 if ( !tdb ) {
409 if ( !init_account_policy() ) {
410 return NULL;
411 }
412 }
413
414 return tdb;
415 }
416
Samba GIT mirror