2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "system/passwd.h"
28 #include "../libcli/auth/libcli_auth.h"
30 #include "../libcli/security/security.h"
31 #include "../lib/util/util_pw.h"
35 #define DBGC_CLASS DBGC_PASSDB
37 /******************************************************************
38 Get the default domain/netbios name to be used when
39 testing authentication.
41 LEGACY: this function provides the legacy domain mapping used with
42 the lp_map_untrusted_to_domain() parameter
43 ******************************************************************/
45 const char *my_sam_name(void)
47 /* Standalone servers can only use the local netbios name */
48 if ( lp_server_role() == ROLE_STANDALONE
)
49 return lp_netbios_name();
51 /* Default to the DOMAIN name when not specified */
52 return lp_workgroup();
55 /**********************************************************************
56 ***********************************************************************/
58 static int samu_destroy(struct samu
*user
)
60 data_blob_clear_free( &user
->lm_pw
);
61 data_blob_clear_free( &user
->nt_pw
);
63 if ( user
->plaintext_pw
)
64 memset( user
->plaintext_pw
, 0x0, strlen(user
->plaintext_pw
) );
69 /**********************************************************************
70 generate a new struct samuser
71 ***********************************************************************/
73 struct samu
*samu_new( TALLOC_CTX
*ctx
)
77 if ( !(user
= talloc_zero( ctx
, struct samu
)) ) {
78 DEBUG(0,("samuser_new: Talloc failed!\n"));
82 talloc_set_destructor( user
, samu_destroy
);
84 /* no initial methods */
88 /* Don't change these timestamp settings without a good reason.
89 They are important for NT member server compatibility. */
91 user
->logon_time
= (time_t)0;
92 user
->pass_last_set_time
= (time_t)0;
93 user
->pass_can_change_time
= (time_t)0;
94 user
->logoff_time
= get_time_t_max();
95 user
->kickoff_time
= get_time_t_max();
96 user
->fields_present
= 0x00ffffff;
97 user
->logon_divs
= 168; /* hours per week */
98 user
->hours_len
= 21; /* 21 times 8 bits = 168 */
99 memset(user
->hours
, 0xff, user
->hours_len
); /* available at all hours */
100 user
->bad_password_count
= 0;
101 user
->logon_count
= 0;
102 user
->unknown_6
= 0x000004ec; /* don't know */
104 /* Some parts of samba strlen their pdb_get...() returns,
105 so this keeps the interface unchanged for now. */
109 user
->nt_username
= "";
110 user
->full_name
= "";
112 user
->logon_script
= "";
113 user
->profile_path
= "";
114 user
->acct_desc
= "";
115 user
->workstations
= "";
117 user
->munged_dial
= "";
119 user
->plaintext_pw
= NULL
;
121 /* Unless we know otherwise have a Account Control Bit
122 value of 'normal user'. This helps User Manager, which
123 asks for a filtered list of users. */
125 user
->acct_ctrl
= ACB_NORMAL
;
130 static int count_commas(const char *str
)
133 const char *comma
= str
;
135 while ((comma
= strchr(comma
, ',')) != NULL
) {
142 /*********************************************************************
143 Initialize a struct samu from a struct passwd including the user
144 and group SIDs. The *user structure is filled out with the Unix
145 attributes and a user SID.
146 *********************************************************************/
148 static NTSTATUS
samu_set_unix_internal(struct pdb_methods
*methods
,
149 struct samu
*user
, const struct passwd
*pwd
, bool create
)
151 const char *guest_account
= lp_guestaccount();
152 const char *domain
= lp_netbios_name();
157 return NT_STATUS_NO_SUCH_USER
;
160 /* Basic properties based upon the Unix account information */
162 pdb_set_username(user
, pwd
->pw_name
, PDB_SET
);
166 if (count_commas(pwd
->pw_gecos
) == 3) {
168 * Heuristic: This seems to be a gecos field that has been
169 * edited by chfn(1). Only use the part before the first
170 * comma. Fixes bug 5198.
172 fullname
= talloc_strndup(
173 talloc_tos(), pwd
->pw_gecos
,
174 strchr(pwd
->pw_gecos
, ',') - pwd
->pw_gecos
);
177 if (fullname
!= NULL
) {
178 pdb_set_fullname(user
, fullname
, PDB_SET
);
180 pdb_set_fullname(user
, pwd
->pw_gecos
, PDB_SET
);
182 TALLOC_FREE(fullname
);
184 pdb_set_domain (user
, get_global_sam_name(), PDB_DEFAULT
);
186 /* This can lead to a primary group of S-1-22-2-XX which
187 will be rejected by other parts of the Samba code.
188 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
191 gid_to_sid(&group_sid
, pwd
->pw_gid
);
192 pdb_set_group_sid(user
, &group_sid
, PDB_SET
);
195 /* save the password structure for later use */
197 user
->unix_pw
= tcopy_passwd( user
, pwd
);
199 /* Special case for the guest account which must have a RID of 501 */
201 if ( strequal( pwd
->pw_name
, guest_account
) ) {
202 if ( !pdb_set_user_sid_from_rid(user
, DOMAIN_RID_GUEST
, PDB_DEFAULT
)) {
203 return NT_STATUS_NO_SUCH_USER
;
208 /* Non-guest accounts...Check for a workstation or user account */
210 if (pwd
->pw_name
[strlen(pwd
->pw_name
)-1] == '$') {
213 if (!pdb_set_acct_ctrl(user
, ACB_WSTRUST
, PDB_DEFAULT
)) {
214 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
216 return NT_STATUS_INVALID_COMPUTER_NAME
;
222 if (!pdb_set_acct_ctrl(user
, ACB_NORMAL
, PDB_DEFAULT
)) {
223 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
225 return NT_STATUS_INVALID_ACCOUNT_NAME
;
228 /* set some basic attributes */
230 pdb_set_profile_path(user
, talloc_sub_specified(user
,
231 lp_logon_path(), pwd
->pw_name
, domain
, pwd
->pw_uid
, pwd
->pw_gid
),
233 pdb_set_homedir(user
, talloc_sub_specified(user
,
234 lp_logon_home(), pwd
->pw_name
, domain
, pwd
->pw_uid
, pwd
->pw_gid
),
236 pdb_set_dir_drive(user
, talloc_sub_specified(user
,
237 lp_logon_drive(), pwd
->pw_name
, domain
, pwd
->pw_uid
, pwd
->pw_gid
),
239 pdb_set_logon_script(user
, talloc_sub_specified(user
,
240 lp_logon_script(), pwd
->pw_name
, domain
, pwd
->pw_uid
, pwd
->pw_gid
),
244 /* Now deal with the user SID. If we have a backend that can generate
245 RIDs, then do so. But sometimes the caller just wanted a structure
246 initialized and will fill in these fields later (such as from a
247 netr_SamInfo3 structure) */
249 if ( create
&& (methods
->capabilities(methods
) & PDB_CAP_STORE_RIDS
)) {
251 struct dom_sid user_sid
;
253 if ( !methods
->new_rid(methods
, &user_rid
) ) {
254 DEBUG(3, ("Could not allocate a new RID\n"));
255 return NT_STATUS_ACCESS_DENIED
;
258 sid_compose(&user_sid
, get_global_sam_sid(), user_rid
);
260 if ( !pdb_set_user_sid(user
, &user_sid
, PDB_SET
) ) {
261 DEBUG(3, ("pdb_set_user_sid failed\n"));
262 return NT_STATUS_INTERNAL_ERROR
;
268 /* generate a SID for the user with the RID algorithm */
270 urid
= algorithmic_pdb_uid_to_user_rid( user
->unix_pw
->pw_uid
);
272 if ( !pdb_set_user_sid_from_rid( user
, urid
, PDB_SET
) ) {
273 return NT_STATUS_INTERNAL_ERROR
;
279 /********************************************************************
280 Set the Unix user attributes
281 ********************************************************************/
283 NTSTATUS
samu_set_unix(struct samu
*user
, const struct passwd
*pwd
)
285 return samu_set_unix_internal( NULL
, user
, pwd
, False
);
288 NTSTATUS
samu_alloc_rid_unix(struct pdb_methods
*methods
,
289 struct samu
*user
, const struct passwd
*pwd
)
291 return samu_set_unix_internal( methods
, user
, pwd
, True
);
294 /**********************************************************
295 Encode the account control bits into a string.
296 length = length of string to encode into (including terminating
297 null). length *MUST BE MORE THAN 2* !
298 **********************************************************/
300 char *pdb_encode_acct_ctrl(uint32_t acct_ctrl
, size_t length
)
307 SMB_ASSERT(length
<= sizeof(acct_str
));
311 if (acct_ctrl
& ACB_PWNOTREQ
) acct_str
[i
++] = 'N';
312 if (acct_ctrl
& ACB_DISABLED
) acct_str
[i
++] = 'D';
313 if (acct_ctrl
& ACB_HOMDIRREQ
) acct_str
[i
++] = 'H';
314 if (acct_ctrl
& ACB_TEMPDUP
) acct_str
[i
++] = 'T';
315 if (acct_ctrl
& ACB_NORMAL
) acct_str
[i
++] = 'U';
316 if (acct_ctrl
& ACB_MNS
) acct_str
[i
++] = 'M';
317 if (acct_ctrl
& ACB_WSTRUST
) acct_str
[i
++] = 'W';
318 if (acct_ctrl
& ACB_SVRTRUST
) acct_str
[i
++] = 'S';
319 if (acct_ctrl
& ACB_AUTOLOCK
) acct_str
[i
++] = 'L';
320 if (acct_ctrl
& ACB_PWNOEXP
) acct_str
[i
++] = 'X';
321 if (acct_ctrl
& ACB_DOMTRUST
) acct_str
[i
++] = 'I';
323 for ( ; i
< length
- 2 ; i
++ )
328 acct_str
[i
++] = '\0';
330 result
= talloc_strdup(talloc_tos(), acct_str
);
331 SMB_ASSERT(result
!= NULL
);
335 /**********************************************************
336 Decode the account control bits from a string.
337 **********************************************************/
339 uint32_t pdb_decode_acct_ctrl(const char *p
)
341 uint32_t acct_ctrl
= 0;
342 bool finished
= false;
345 * Check if the account type bits have been encoded after the
346 * NT password (in the form [NDHTUWSLXI]).
352 for (p
++; *p
&& !finished
; p
++) {
354 case 'N': { acct_ctrl
|= ACB_PWNOTREQ
; break; /* 'N'o password. */ }
355 case 'D': { acct_ctrl
|= ACB_DISABLED
; break; /* 'D'isabled. */ }
356 case 'H': { acct_ctrl
|= ACB_HOMDIRREQ
; break; /* 'H'omedir required. */ }
357 case 'T': { acct_ctrl
|= ACB_TEMPDUP
; break; /* 'T'emp account. */ }
358 case 'U': { acct_ctrl
|= ACB_NORMAL
; break; /* 'U'ser account (normal). */ }
359 case 'M': { acct_ctrl
|= ACB_MNS
; break; /* 'M'NS logon user account. What is this ? */ }
360 case 'W': { acct_ctrl
|= ACB_WSTRUST
; break; /* 'W'orkstation account. */ }
361 case 'S': { acct_ctrl
|= ACB_SVRTRUST
; break; /* 'S'erver account. */ }
362 case 'L': { acct_ctrl
|= ACB_AUTOLOCK
; break; /* 'L'ocked account. */ }
363 case 'X': { acct_ctrl
|= ACB_PWNOEXP
; break; /* No 'X'piry on password */ }
364 case 'I': { acct_ctrl
|= ACB_DOMTRUST
; break; /* 'I'nterdomain trust account. */ }
370 default: { finished
= true; }
377 /*************************************************************
378 Routine to set 32 hex password characters from a 16 byte array.
379 **************************************************************/
381 void pdb_sethexpwd(char p
[33], const unsigned char *pwd
, uint32_t acct_ctrl
)
384 hex_encode_buf(p
, pwd
, 16);
386 if (acct_ctrl
& ACB_PWNOTREQ
)
387 strlcpy(p
, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
389 strlcpy(p
, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
393 /*************************************************************
394 Routine to get the 32 hex characters and turn them
395 into a 16 byte array.
396 **************************************************************/
398 bool pdb_gethexpwd(const char *p
, unsigned char *pwd
)
401 unsigned char lonybble
, hinybble
;
402 const char *hexchars
= "0123456789ABCDEF";
408 for (i
= 0; i
< 32; i
+= 2) {
409 hinybble
= toupper_m(p
[i
]);
410 lonybble
= toupper_m(p
[i
+ 1]);
412 p1
= strchr(hexchars
, hinybble
);
413 p2
= strchr(hexchars
, lonybble
);
418 hinybble
= PTR_DIFF(p1
, hexchars
);
419 lonybble
= PTR_DIFF(p2
, hexchars
);
421 pwd
[i
/ 2] = (hinybble
<< 4) | lonybble
;
426 /*************************************************************
427 Routine to set 42 hex hours characters from a 21 byte array.
428 **************************************************************/
430 void pdb_sethexhours(char *p
, const unsigned char *hours
)
434 for (i
= 0; i
< 21; i
++) {
435 slprintf(&p
[i
*2], 3, "%02X", hours
[i
]);
438 strlcpy(p
, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 44);
442 /*************************************************************
443 Routine to get the 42 hex characters and turn them
444 into a 21 byte array.
445 **************************************************************/
447 bool pdb_gethexhours(const char *p
, unsigned char *hours
)
450 unsigned char lonybble
, hinybble
;
451 const char *hexchars
= "0123456789ABCDEF";
458 for (i
= 0; i
< 42; i
+= 2) {
459 hinybble
= toupper_m(p
[i
]);
460 lonybble
= toupper_m(p
[i
+ 1]);
462 p1
= strchr(hexchars
, hinybble
);
463 p2
= strchr(hexchars
, lonybble
);
469 hinybble
= PTR_DIFF(p1
, hexchars
);
470 lonybble
= PTR_DIFF(p2
, hexchars
);
472 hours
[i
/ 2] = (hinybble
<< 4) | lonybble
;
477 /********************************************************************
478 ********************************************************************/
480 int algorithmic_rid_base(void)
484 rid_offset
= lp_algorithmic_rid_base();
486 if (rid_offset
< BASE_RID
) {
487 /* Try to prevent admin foot-shooting, we can't put algorithmic
488 rids below 1000, that's the 'well known RIDs' on NT */
489 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID
));
490 rid_offset
= BASE_RID
;
492 if (rid_offset
& 1) {
493 DEBUG(0, ("algorithmic rid base must be even\n"));
499 /*******************************************************************
500 Converts NT user RID to a UNIX uid.
501 ********************************************************************/
503 uid_t
algorithmic_pdb_user_rid_to_uid(uint32_t user_rid
)
505 int rid_offset
= algorithmic_rid_base();
506 return (uid_t
)(((user_rid
& (~USER_RID_TYPE
)) - rid_offset
)/RID_MULTIPLIER
);
509 uid_t
max_algorithmic_uid(void)
511 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
514 /*******************************************************************
515 converts UNIX uid to an NT User RID.
516 ********************************************************************/
518 uint32_t algorithmic_pdb_uid_to_user_rid(uid_t uid
)
520 int rid_offset
= algorithmic_rid_base();
521 return (((((uint32_t)uid
)*RID_MULTIPLIER
) + rid_offset
) | USER_RID_TYPE
);
524 /*******************************************************************
525 Converts NT group RID to a UNIX gid.
526 ********************************************************************/
528 gid_t
pdb_group_rid_to_gid(uint32_t group_rid
)
530 int rid_offset
= algorithmic_rid_base();
531 return (gid_t
)(((group_rid
& (~GROUP_RID_TYPE
))- rid_offset
)/RID_MULTIPLIER
);
534 gid_t
max_algorithmic_gid(void)
536 return pdb_group_rid_to_gid(0xffffffff);
539 /*******************************************************************
540 converts NT Group RID to a UNIX uid.
542 warning: you must not call that function only
543 you must do a call to the group mapping first.
544 there is not anymore a direct link between the gid and the rid.
545 ********************************************************************/
547 uint32_t algorithmic_pdb_gid_to_group_rid(gid_t gid
)
549 int rid_offset
= algorithmic_rid_base();
550 return (((((uint32_t)gid
)*RID_MULTIPLIER
) + rid_offset
) | GROUP_RID_TYPE
);
553 /*******************************************************************
554 Decides if a RID is a well known RID.
555 ********************************************************************/
557 static bool rid_is_well_known(uint32_t rid
)
559 /* Not using rid_offset here, because this is the actual
560 NT fixed value (1000) */
562 return (rid
< BASE_RID
);
565 /*******************************************************************
566 Decides if a RID is a user or group RID.
567 ********************************************************************/
569 bool algorithmic_pdb_rid_is_user(uint32_t rid
)
571 if ( rid_is_well_known(rid
) ) {
573 * The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
574 * and DOMAIN_RID_GUEST.
576 if(rid
== DOMAIN_RID_ADMINISTRATOR
|| rid
== DOMAIN_RID_GUEST
)
578 } else if((rid
& RID_TYPE_MASK
) == USER_RID_TYPE
) {
584 /*******************************************************************
585 Convert a name into a SID. Used in the lookup name rpc.
586 ********************************************************************/
588 bool lookup_global_sam_name(const char *name
, int flags
, uint32_t *rid
,
589 enum lsa_SidType
*type
)
594 /* Windows treats "MACHINE\None" as a special name for
595 rid 513 on non-DCs. You cannot create a user or group
596 name "None" on Windows. You will get an error that
597 the group already exists. */
599 if ( strequal( name
, "None" ) ) {
600 *rid
= DOMAIN_RID_USERS
;
601 *type
= SID_NAME_DOM_GRP
;
606 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
607 * correctly in the case where foo also exists as a user. If the flag
608 * is set, don't look for users at all. */
610 if ((flags
& LOOKUP_NAME_GROUP
) == 0) {
611 struct samu
*sam_account
= NULL
;
612 struct dom_sid user_sid
;
614 if ( !(sam_account
= samu_new( NULL
)) ) {
619 ret
= pdb_getsampwnam(sam_account
, name
);
623 sid_copy(&user_sid
, pdb_get_user_sid(sam_account
));
626 TALLOC_FREE(sam_account
);
629 if (!sid_check_is_in_our_domain(&user_sid
)) {
630 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
631 name
, sid_string_dbg(&user_sid
)));
635 sid_peek_rid(&user_sid
, rid
);
636 *type
= SID_NAME_USER
;
642 * Maybe it is a group ?
645 map
= talloc_zero(NULL
, GROUP_MAP
);
651 ret
= pdb_getgrnam(map
, name
);
659 /* BUILTIN groups are looked up elsewhere */
660 if (!sid_check_is_in_our_domain(&map
->sid
)) {
661 DEBUG(10, ("Found group %s (%s) not in our domain -- "
662 "ignoring.", name
, sid_string_dbg(&map
->sid
)));
667 /* yes it's a mapped group */
668 sid_peek_rid(&map
->sid
, rid
);
669 *type
= map
->sid_name_use
;
674 /*************************************************************
675 Change a password entry in the local passdb backend.
678 - always called as root
679 - ignores the account type except when adding a new account
680 - will create/delete the unix account if the relative
681 add/delete user script is configured
683 *************************************************************/
685 NTSTATUS
local_password_change(const char *user_name
,
687 const char *new_passwd
,
692 struct samu
*sam_pass
;
702 tosctx
= talloc_tos();
704 sam_pass
= samu_new(tosctx
);
706 result
= NT_STATUS_NO_MEMORY
;
710 /* Get the smb passwd entry for this user */
711 user_exists
= pdb_getsampwnam(sam_pass
, user_name
);
713 /* Check delete first, we don't need to do anything else if we
714 * are going to delete the acocunt */
715 if (user_exists
&& (local_flags
& LOCAL_DELETE_USER
)) {
717 result
= pdb_delete_user(tosctx
, sam_pass
);
718 if (!NT_STATUS_IS_OK(result
)) {
719 ret
= asprintf(pp_err_str
,
720 "Failed to delete entry for user %s.\n",
725 result
= NT_STATUS_UNSUCCESSFUL
;
727 ret
= asprintf(pp_msg_str
,
728 "Deleted user %s.\n",
737 if (user_exists
&& (local_flags
& LOCAL_ADD_USER
)) {
738 /* the entry already existed */
739 local_flags
&= ~LOCAL_ADD_USER
;
742 if (!user_exists
&& !(local_flags
& LOCAL_ADD_USER
)) {
743 ret
= asprintf(pp_err_str
,
744 "Failed to find entry for user %s.\n",
749 result
= NT_STATUS_NO_SUCH_USER
;
753 /* First thing add the new user if we are required to do so */
754 if (local_flags
& LOCAL_ADD_USER
) {
756 if (local_flags
& LOCAL_TRUST_ACCOUNT
) {
758 } else if (local_flags
& LOCAL_INTERDOM_ACCOUNT
) {
764 result
= pdb_create_user(tosctx
, user_name
, acb
, &rid
);
765 if (!NT_STATUS_IS_OK(result
)) {
766 ret
= asprintf(pp_err_str
,
767 "Failed to add entry for user %s.\n",
772 result
= NT_STATUS_UNSUCCESSFUL
;
776 sam_pass
= samu_new(tosctx
);
778 result
= NT_STATUS_NO_MEMORY
;
782 /* Now get back the smb passwd entry for this new user */
783 user_exists
= pdb_getsampwnam(sam_pass
, user_name
);
785 ret
= asprintf(pp_err_str
,
786 "Failed to add entry for user %s.\n",
791 result
= NT_STATUS_UNSUCCESSFUL
;
796 acb
= pdb_get_acct_ctrl(sam_pass
);
799 * We are root - just write the new password
800 * and the valid last change time.
802 if ((local_flags
& LOCAL_SET_NO_PASSWORD
) && !(acb
& ACB_PWNOTREQ
)) {
804 if (!pdb_set_acct_ctrl(sam_pass
, acb
, PDB_CHANGED
)) {
805 ret
= asprintf(pp_err_str
,
806 "Failed to set 'no password required' "
807 "flag for user %s.\n", user_name
);
811 result
= NT_STATUS_UNSUCCESSFUL
;
816 if (local_flags
& LOCAL_SET_PASSWORD
) {
818 * If we're dealing with setting a completely empty user account
819 * ie. One with a password of 'XXXX', but not set disabled (like
820 * an account created from scratch) then if the old password was
821 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
822 * We remove that as we're giving this user their first password
823 * and the decision hasn't really been made to disable them (ie.
824 * don't create them disabled). JRA.
826 if ((pdb_get_lanman_passwd(sam_pass
) == NULL
) &&
827 (acb
& ACB_DISABLED
)) {
828 acb
&= (~ACB_DISABLED
);
829 if (!pdb_set_acct_ctrl(sam_pass
, acb
, PDB_CHANGED
)) {
830 ret
= asprintf(pp_err_str
,
831 "Failed to unset 'disabled' "
832 "flag for user %s.\n",
837 result
= NT_STATUS_UNSUCCESSFUL
;
842 acb
&= (~ACB_PWNOTREQ
);
843 if (!pdb_set_acct_ctrl(sam_pass
, acb
, PDB_CHANGED
)) {
844 ret
= asprintf(pp_err_str
,
845 "Failed to unset 'no password required'"
846 " flag for user %s.\n", user_name
);
850 result
= NT_STATUS_UNSUCCESSFUL
;
854 if (!pdb_set_plaintext_passwd(sam_pass
, new_passwd
)) {
855 ret
= asprintf(pp_err_str
,
856 "Failed to set password for "
857 "user %s.\n", user_name
);
861 result
= NT_STATUS_UNSUCCESSFUL
;
866 if ((local_flags
& LOCAL_DISABLE_USER
) && !(acb
& ACB_DISABLED
)) {
868 if (!pdb_set_acct_ctrl(sam_pass
, acb
, PDB_CHANGED
)) {
869 ret
= asprintf(pp_err_str
,
870 "Failed to set 'disabled' flag for "
871 "user %s.\n", user_name
);
875 result
= NT_STATUS_UNSUCCESSFUL
;
880 if ((local_flags
& LOCAL_ENABLE_USER
) && (acb
& ACB_DISABLED
)) {
881 acb
&= (~ACB_DISABLED
);
882 if (!pdb_set_acct_ctrl(sam_pass
, acb
, PDB_CHANGED
)) {
883 ret
= asprintf(pp_err_str
,
884 "Failed to unset 'disabled' flag for "
885 "user %s.\n", user_name
);
889 result
= NT_STATUS_UNSUCCESSFUL
;
894 /* now commit changes if any */
895 result
= pdb_update_sam_account(sam_pass
);
896 if (!NT_STATUS_IS_OK(result
)) {
897 ret
= asprintf(pp_err_str
,
898 "Failed to modify entry for user %s.\n",
906 if (local_flags
& LOCAL_ADD_USER
) {
907 ret
= asprintf(pp_msg_str
, "Added user %s.\n", user_name
);
908 } else if (local_flags
& LOCAL_DISABLE_USER
) {
909 ret
= asprintf(pp_msg_str
, "Disabled user %s.\n", user_name
);
910 } else if (local_flags
& LOCAL_ENABLE_USER
) {
911 ret
= asprintf(pp_msg_str
, "Enabled user %s.\n", user_name
);
912 } else if (local_flags
& LOCAL_SET_NO_PASSWORD
) {
913 ret
= asprintf(pp_msg_str
,
914 "User %s password set to none.\n", user_name
);
921 result
= NT_STATUS_OK
;
924 TALLOC_FREE(sam_pass
);
928 /**********************************************************************
929 Marshall/unmarshall struct samu structs.
930 *********************************************************************/
932 #define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
933 #define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
934 #define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
935 #define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
936 /* nothing changed between V3 and V4 */
938 /*********************************************************************
939 *********************************************************************/
941 static bool init_samu_from_buffer_v0(struct samu
*sampass
, uint8_t *buf
, uint32_t buflen
)
944 /* times are stored as 32bit integer
945 take care on system with 64bit wide time_t
951 pass_can_change_time
,
952 pass_must_change_time
;
953 char *username
= NULL
;
955 char *nt_username
= NULL
;
956 char *dir_drive
= NULL
;
957 char *unknown_str
= NULL
;
958 char *munged_dial
= NULL
;
959 char *fullname
= NULL
;
960 char *homedir
= NULL
;
961 char *logon_script
= NULL
;
962 char *profile_path
= NULL
;
963 char *acct_desc
= NULL
;
964 char *workstations
= NULL
;
965 uint32_t username_len
, domain_len
, nt_username_len
,
966 dir_drive_len
, unknown_str_len
, munged_dial_len
,
967 fullname_len
, homedir_len
, logon_script_len
,
968 profile_path_len
, acct_desc_len
, workstations_len
;
970 uint32_t user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
971 uint16_t acct_ctrl
, logon_divs
;
972 uint16_t bad_password_count
, logon_count
;
973 uint8_t *hours
= NULL
;
974 uint8_t *lm_pw_ptr
= NULL
, *nt_pw_ptr
= NULL
;
976 uint32_t lm_pw_len
, nt_pw_len
, hourslen
;
979 if(sampass
== NULL
|| buf
== NULL
) {
980 DEBUG(0, ("init_samu_from_buffer_v0: NULL parameters found!\n"));
984 /* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
986 /* unpack the buffer into variables */
987 len
= tdb_unpack (buf
, buflen
, SAMU_BUFFER_FORMAT_V0
,
989 &logoff_time
, /* d */
990 &kickoff_time
, /* d */
991 &pass_last_set_time
, /* d */
992 &pass_can_change_time
, /* d */
993 &pass_must_change_time
, /* d */
994 &username_len
, &username
, /* B */
995 &domain_len
, &domain
, /* B */
996 &nt_username_len
, &nt_username
, /* B */
997 &fullname_len
, &fullname
, /* B */
998 &homedir_len
, &homedir
, /* B */
999 &dir_drive_len
, &dir_drive
, /* B */
1000 &logon_script_len
, &logon_script
, /* B */
1001 &profile_path_len
, &profile_path
, /* B */
1002 &acct_desc_len
, &acct_desc
, /* B */
1003 &workstations_len
, &workstations
, /* B */
1004 &unknown_str_len
, &unknown_str
, /* B */
1005 &munged_dial_len
, &munged_dial
, /* B */
1008 &lm_pw_len
, &lm_pw_ptr
, /* B */
1009 &nt_pw_len
, &nt_pw_ptr
, /* B */
1011 &remove_me
, /* remove on the next TDB_FORMAT upgarde */ /* d */
1012 &logon_divs
, /* w */
1014 &hourslen
, &hours
, /* B */
1015 &bad_password_count
, /* w */
1016 &logon_count
, /* w */
1017 &unknown_6
); /* d */
1019 if (len
== (uint32_t) -1) {
1024 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1025 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1026 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1027 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1028 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1030 pdb_set_username(sampass
, username
, PDB_SET
);
1031 pdb_set_domain(sampass
, domain
, PDB_SET
);
1032 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1033 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1036 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1039 pdb_set_homedir(sampass
,
1040 talloc_sub_basic(sampass
, username
, domain
,
1046 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1048 pdb_set_dir_drive(sampass
,
1049 talloc_sub_basic(sampass
, username
, domain
,
1055 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1057 pdb_set_logon_script(sampass
,
1058 talloc_sub_basic(sampass
, username
, domain
,
1064 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1066 pdb_set_profile_path(sampass
,
1067 talloc_sub_basic(sampass
, username
, domain
,
1072 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1073 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1074 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1076 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1077 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1083 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1084 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1090 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1091 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1092 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1093 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1094 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1095 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1096 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1097 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1098 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1099 pdb_set_hours(sampass
, hours
, hours_len
, PDB_SET
);
1103 SAFE_FREE(username
);
1105 SAFE_FREE(nt_username
);
1106 SAFE_FREE(fullname
);
1108 SAFE_FREE(dir_drive
);
1109 SAFE_FREE(logon_script
);
1110 SAFE_FREE(profile_path
);
1111 SAFE_FREE(acct_desc
);
1112 SAFE_FREE(workstations
);
1113 SAFE_FREE(munged_dial
);
1114 SAFE_FREE(unknown_str
);
1115 SAFE_FREE(lm_pw_ptr
);
1116 SAFE_FREE(nt_pw_ptr
);
1122 /*********************************************************************
1123 *********************************************************************/
1125 static bool init_samu_from_buffer_v1(struct samu
*sampass
, uint8_t *buf
, uint32_t buflen
)
1128 /* times are stored as 32bit integer
1129 take care on system with 64bit wide time_t
1131 uint32_t logon_time
,
1136 pass_can_change_time
,
1137 pass_must_change_time
;
1138 char *username
= NULL
;
1139 char *domain
= NULL
;
1140 char *nt_username
= NULL
;
1141 char *dir_drive
= NULL
;
1142 char *unknown_str
= NULL
;
1143 char *munged_dial
= NULL
;
1144 char *fullname
= NULL
;
1145 char *homedir
= NULL
;
1146 char *logon_script
= NULL
;
1147 char *profile_path
= NULL
;
1148 char *acct_desc
= NULL
;
1149 char *workstations
= NULL
;
1150 uint32_t username_len
, domain_len
, nt_username_len
,
1151 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1152 fullname_len
, homedir_len
, logon_script_len
,
1153 profile_path_len
, acct_desc_len
, workstations_len
;
1155 uint32_t user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1156 uint16_t acct_ctrl
, logon_divs
;
1157 uint16_t bad_password_count
, logon_count
;
1158 uint8_t *hours
= NULL
;
1159 uint8_t *lm_pw_ptr
= NULL
, *nt_pw_ptr
= NULL
;
1161 uint32_t lm_pw_len
, nt_pw_len
, hourslen
;
1164 if(sampass
== NULL
|| buf
== NULL
) {
1165 DEBUG(0, ("init_samu_from_buffer_v1: NULL parameters found!\n"));
1169 /* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1171 /* unpack the buffer into variables */
1172 len
= tdb_unpack (buf
, buflen
, SAMU_BUFFER_FORMAT_V1
,
1173 &logon_time
, /* d */
1174 &logoff_time
, /* d */
1175 &kickoff_time
, /* d */
1176 /* Change from V0 is addition of bad_password_time field. */
1177 &bad_password_time
, /* d */
1178 &pass_last_set_time
, /* d */
1179 &pass_can_change_time
, /* d */
1180 &pass_must_change_time
, /* d */
1181 &username_len
, &username
, /* B */
1182 &domain_len
, &domain
, /* B */
1183 &nt_username_len
, &nt_username
, /* B */
1184 &fullname_len
, &fullname
, /* B */
1185 &homedir_len
, &homedir
, /* B */
1186 &dir_drive_len
, &dir_drive
, /* B */
1187 &logon_script_len
, &logon_script
, /* B */
1188 &profile_path_len
, &profile_path
, /* B */
1189 &acct_desc_len
, &acct_desc
, /* B */
1190 &workstations_len
, &workstations
, /* B */
1191 &unknown_str_len
, &unknown_str
, /* B */
1192 &munged_dial_len
, &munged_dial
, /* B */
1195 &lm_pw_len
, &lm_pw_ptr
, /* B */
1196 &nt_pw_len
, &nt_pw_ptr
, /* B */
1199 &logon_divs
, /* w */
1201 &hourslen
, &hours
, /* B */
1202 &bad_password_count
, /* w */
1203 &logon_count
, /* w */
1204 &unknown_6
); /* d */
1206 if (len
== (uint32_t) -1) {
1211 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1212 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1213 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1215 /* Change from V0 is addition of bad_password_time field. */
1216 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
1217 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1218 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1220 pdb_set_username(sampass
, username
, PDB_SET
);
1221 pdb_set_domain(sampass
, domain
, PDB_SET
);
1222 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1223 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1226 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1229 pdb_set_homedir(sampass
,
1230 talloc_sub_basic(sampass
, username
, domain
,
1236 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1238 pdb_set_dir_drive(sampass
,
1239 talloc_sub_basic(sampass
, username
, domain
,
1245 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1247 pdb_set_logon_script(sampass
,
1248 talloc_sub_basic(sampass
, username
, domain
,
1254 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1256 pdb_set_profile_path(sampass
,
1257 talloc_sub_basic(sampass
, username
, domain
,
1262 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1263 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1264 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1266 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1267 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1273 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1274 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1280 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1282 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1283 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1284 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1285 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1286 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1287 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1288 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1289 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1290 pdb_set_hours(sampass
, hours
, hours_len
, PDB_SET
);
1294 SAFE_FREE(username
);
1296 SAFE_FREE(nt_username
);
1297 SAFE_FREE(fullname
);
1299 SAFE_FREE(dir_drive
);
1300 SAFE_FREE(logon_script
);
1301 SAFE_FREE(profile_path
);
1302 SAFE_FREE(acct_desc
);
1303 SAFE_FREE(workstations
);
1304 SAFE_FREE(munged_dial
);
1305 SAFE_FREE(unknown_str
);
1306 SAFE_FREE(lm_pw_ptr
);
1307 SAFE_FREE(nt_pw_ptr
);
1313 static bool init_samu_from_buffer_v2(struct samu
*sampass
, uint8_t *buf
, uint32_t buflen
)
1316 /* times are stored as 32bit integer
1317 take care on system with 64bit wide time_t
1319 uint32_t logon_time
,
1324 pass_can_change_time
,
1325 pass_must_change_time
;
1326 char *username
= NULL
;
1327 char *domain
= NULL
;
1328 char *nt_username
= NULL
;
1329 char *dir_drive
= NULL
;
1330 char *unknown_str
= NULL
;
1331 char *munged_dial
= NULL
;
1332 char *fullname
= NULL
;
1333 char *homedir
= NULL
;
1334 char *logon_script
= NULL
;
1335 char *profile_path
= NULL
;
1336 char *acct_desc
= NULL
;
1337 char *workstations
= NULL
;
1338 uint32_t username_len
, domain_len
, nt_username_len
,
1339 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1340 fullname_len
, homedir_len
, logon_script_len
,
1341 profile_path_len
, acct_desc_len
, workstations_len
;
1343 uint32_t user_rid
, group_rid
, hours_len
, unknown_6
;
1344 uint16_t acct_ctrl
, logon_divs
;
1345 uint16_t bad_password_count
, logon_count
;
1346 uint8_t *hours
= NULL
;
1347 uint8_t *lm_pw_ptr
= NULL
, *nt_pw_ptr
= NULL
, *nt_pw_hist_ptr
= NULL
;
1349 uint32_t lm_pw_len
, nt_pw_len
, nt_pw_hist_len
, hourslen
;
1350 uint32_t pwHistLen
= 0;
1353 bool expand_explicit
= lp_passdb_expand_explicit();
1355 if(sampass
== NULL
|| buf
== NULL
) {
1356 DEBUG(0, ("init_samu_from_buffer_v2: NULL parameters found!\n"));
1360 /* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1362 /* unpack the buffer into variables */
1363 len
= tdb_unpack (buf
, buflen
, SAMU_BUFFER_FORMAT_V2
,
1364 &logon_time
, /* d */
1365 &logoff_time
, /* d */
1366 &kickoff_time
, /* d */
1367 &bad_password_time
, /* d */
1368 &pass_last_set_time
, /* d */
1369 &pass_can_change_time
, /* d */
1370 &pass_must_change_time
, /* d */
1371 &username_len
, &username
, /* B */
1372 &domain_len
, &domain
, /* B */
1373 &nt_username_len
, &nt_username
, /* B */
1374 &fullname_len
, &fullname
, /* B */
1375 &homedir_len
, &homedir
, /* B */
1376 &dir_drive_len
, &dir_drive
, /* B */
1377 &logon_script_len
, &logon_script
, /* B */
1378 &profile_path_len
, &profile_path
, /* B */
1379 &acct_desc_len
, &acct_desc
, /* B */
1380 &workstations_len
, &workstations
, /* B */
1381 &unknown_str_len
, &unknown_str
, /* B */
1382 &munged_dial_len
, &munged_dial
, /* B */
1385 &lm_pw_len
, &lm_pw_ptr
, /* B */
1386 &nt_pw_len
, &nt_pw_ptr
, /* B */
1387 /* Change from V1 is addition of password history field. */
1388 &nt_pw_hist_len
, &nt_pw_hist_ptr
, /* B */
1390 /* Also "remove_me" field was removed. */
1391 &logon_divs
, /* w */
1393 &hourslen
, &hours
, /* B */
1394 &bad_password_count
, /* w */
1395 &logon_count
, /* w */
1396 &unknown_6
); /* d */
1398 if (len
== (uint32_t) -1) {
1403 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1404 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1405 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1406 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
1407 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1408 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1410 pdb_set_username(sampass
, username
, PDB_SET
);
1411 pdb_set_domain(sampass
, domain
, PDB_SET
);
1412 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1413 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1416 fstrcpy( tmp_string
, homedir
);
1417 if (expand_explicit
) {
1418 standard_sub_basic( username
, domain
, tmp_string
,
1419 sizeof(tmp_string
) );
1421 pdb_set_homedir(sampass
, tmp_string
, PDB_SET
);
1424 pdb_set_homedir(sampass
,
1425 talloc_sub_basic(sampass
, username
, domain
,
1431 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1433 pdb_set_dir_drive(sampass
, lp_logon_drive(), PDB_DEFAULT
);
1436 fstrcpy( tmp_string
, logon_script
);
1437 if (expand_explicit
) {
1438 standard_sub_basic( username
, domain
, tmp_string
,
1439 sizeof(tmp_string
) );
1441 pdb_set_logon_script(sampass
, tmp_string
, PDB_SET
);
1444 pdb_set_logon_script(sampass
,
1445 talloc_sub_basic(sampass
, username
, domain
,
1451 fstrcpy( tmp_string
, profile_path
);
1452 if (expand_explicit
) {
1453 standard_sub_basic( username
, domain
, tmp_string
,
1454 sizeof(tmp_string
) );
1456 pdb_set_profile_path(sampass
, tmp_string
, PDB_SET
);
1459 pdb_set_profile_path(sampass
,
1460 talloc_sub_basic(sampass
, username
, domain
,
1465 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1466 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1467 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1469 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1470 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1476 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1477 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1483 /* Change from V1 is addition of password history field. */
1484 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &pwHistLen
);
1486 uint8_t *pw_hist
= SMB_MALLOC_ARRAY(uint8_t, pwHistLen
* PW_HISTORY_ENTRY_LEN
);
1491 memset(pw_hist
, '\0', pwHistLen
* PW_HISTORY_ENTRY_LEN
);
1492 if (nt_pw_hist_ptr
&& nt_pw_hist_len
) {
1494 SMB_ASSERT((nt_pw_hist_len
% PW_HISTORY_ENTRY_LEN
) == 0);
1495 nt_pw_hist_len
/= PW_HISTORY_ENTRY_LEN
;
1496 for (i
= 0; (i
< pwHistLen
) && (i
< nt_pw_hist_len
); i
++) {
1497 memcpy(&pw_hist
[i
*PW_HISTORY_ENTRY_LEN
],
1498 &nt_pw_hist_ptr
[i
*PW_HISTORY_ENTRY_LEN
],
1499 PW_HISTORY_ENTRY_LEN
);
1502 if (!pdb_set_pw_history(sampass
, pw_hist
, pwHistLen
, PDB_SET
)) {
1509 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1512 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1513 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1514 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1515 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1516 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1517 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1518 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1519 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1520 pdb_set_hours(sampass
, hours
, hours_len
, PDB_SET
);
1524 SAFE_FREE(username
);
1526 SAFE_FREE(nt_username
);
1527 SAFE_FREE(fullname
);
1529 SAFE_FREE(dir_drive
);
1530 SAFE_FREE(logon_script
);
1531 SAFE_FREE(profile_path
);
1532 SAFE_FREE(acct_desc
);
1533 SAFE_FREE(workstations
);
1534 SAFE_FREE(munged_dial
);
1535 SAFE_FREE(unknown_str
);
1536 SAFE_FREE(lm_pw_ptr
);
1537 SAFE_FREE(nt_pw_ptr
);
1538 SAFE_FREE(nt_pw_hist_ptr
);
1544 /*********************************************************************
1545 *********************************************************************/
1547 static bool init_samu_from_buffer_v3(struct samu
*sampass
, uint8_t *buf
, uint32_t buflen
)
1550 /* times are stored as 32bit integer
1551 take care on system with 64bit wide time_t
1553 uint32_t logon_time
,
1558 pass_can_change_time
,
1559 pass_must_change_time
;
1560 char *username
= NULL
;
1561 char *domain
= NULL
;
1562 char *nt_username
= NULL
;
1563 char *dir_drive
= NULL
;
1564 char *comment
= NULL
;
1565 char *munged_dial
= NULL
;
1566 char *fullname
= NULL
;
1567 char *homedir
= NULL
;
1568 char *logon_script
= NULL
;
1569 char *profile_path
= NULL
;
1570 char *acct_desc
= NULL
;
1571 char *workstations
= NULL
;
1572 uint32_t username_len
, domain_len
, nt_username_len
,
1573 dir_drive_len
, comment_len
, munged_dial_len
,
1574 fullname_len
, homedir_len
, logon_script_len
,
1575 profile_path_len
, acct_desc_len
, workstations_len
;
1577 uint32_t user_rid
, group_rid
, hours_len
, unknown_6
, acct_ctrl
;
1578 uint16_t logon_divs
;
1579 uint16_t bad_password_count
, logon_count
;
1580 uint8_t *hours
= NULL
;
1581 uint8_t *lm_pw_ptr
= NULL
, *nt_pw_ptr
= NULL
, *nt_pw_hist_ptr
= NULL
;
1583 uint32_t lm_pw_len
, nt_pw_len
, nt_pw_hist_len
, hourslen
;
1584 uint32_t pwHistLen
= 0;
1587 bool expand_explicit
= lp_passdb_expand_explicit();
1589 if(sampass
== NULL
|| buf
== NULL
) {
1590 DEBUG(0, ("init_samu_from_buffer_v3: NULL parameters found!\n"));
1594 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1596 /* unpack the buffer into variables */
1597 len
= tdb_unpack (buf
, buflen
, SAMU_BUFFER_FORMAT_V3
,
1598 &logon_time
, /* d */
1599 &logoff_time
, /* d */
1600 &kickoff_time
, /* d */
1601 &bad_password_time
, /* d */
1602 &pass_last_set_time
, /* d */
1603 &pass_can_change_time
, /* d */
1604 &pass_must_change_time
, /* d */
1605 &username_len
, &username
, /* B */
1606 &domain_len
, &domain
, /* B */
1607 &nt_username_len
, &nt_username
, /* B */
1608 &fullname_len
, &fullname
, /* B */
1609 &homedir_len
, &homedir
, /* B */
1610 &dir_drive_len
, &dir_drive
, /* B */
1611 &logon_script_len
, &logon_script
, /* B */
1612 &profile_path_len
, &profile_path
, /* B */
1613 &acct_desc_len
, &acct_desc
, /* B */
1614 &workstations_len
, &workstations
, /* B */
1615 &comment_len
, &comment
, /* B */
1616 &munged_dial_len
, &munged_dial
, /* B */
1619 &lm_pw_len
, &lm_pw_ptr
, /* B */
1620 &nt_pw_len
, &nt_pw_ptr
, /* B */
1621 /* Change from V1 is addition of password history field. */
1622 &nt_pw_hist_len
, &nt_pw_hist_ptr
, /* B */
1623 /* Change from V2 is the uint32_t acb_mask */
1625 /* Also "remove_me" field was removed. */
1626 &logon_divs
, /* w */
1628 &hourslen
, &hours
, /* B */
1629 &bad_password_count
, /* w */
1630 &logon_count
, /* w */
1631 &unknown_6
); /* d */
1633 if (len
== (uint32_t) -1) {
1638 pdb_set_logon_time(sampass
, convert_uint32_t_to_time_t(logon_time
), PDB_SET
);
1639 pdb_set_logoff_time(sampass
, convert_uint32_t_to_time_t(logoff_time
), PDB_SET
);
1640 pdb_set_kickoff_time(sampass
, convert_uint32_t_to_time_t(kickoff_time
), PDB_SET
);
1641 pdb_set_bad_password_time(sampass
, convert_uint32_t_to_time_t(bad_password_time
), PDB_SET
);
1642 pdb_set_pass_can_change_time(sampass
, convert_uint32_t_to_time_t(pass_can_change_time
), PDB_SET
);
1643 pdb_set_pass_last_set_time(sampass
, convert_uint32_t_to_time_t(pass_last_set_time
), PDB_SET
);
1645 pdb_set_username(sampass
, username
, PDB_SET
);
1646 pdb_set_domain(sampass
, domain
, PDB_SET
);
1647 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1648 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1651 fstrcpy( tmp_string
, homedir
);
1652 if (expand_explicit
) {
1653 standard_sub_basic( username
, domain
, tmp_string
,
1654 sizeof(tmp_string
) );
1656 pdb_set_homedir(sampass
, tmp_string
, PDB_SET
);
1659 pdb_set_homedir(sampass
,
1660 talloc_sub_basic(sampass
, username
, domain
,
1666 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1668 pdb_set_dir_drive(sampass
, lp_logon_drive(), PDB_DEFAULT
);
1671 fstrcpy( tmp_string
, logon_script
);
1672 if (expand_explicit
) {
1673 standard_sub_basic( username
, domain
, tmp_string
,
1674 sizeof(tmp_string
) );
1676 pdb_set_logon_script(sampass
, tmp_string
, PDB_SET
);
1679 pdb_set_logon_script(sampass
,
1680 talloc_sub_basic(sampass
, username
, domain
,
1686 fstrcpy( tmp_string
, profile_path
);
1687 if (expand_explicit
) {
1688 standard_sub_basic( username
, domain
, tmp_string
,
1689 sizeof(tmp_string
) );
1691 pdb_set_profile_path(sampass
, tmp_string
, PDB_SET
);
1694 pdb_set_profile_path(sampass
,
1695 talloc_sub_basic(sampass
, username
, domain
, lp_logon_path()),
1699 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1700 pdb_set_comment(sampass
, comment
, PDB_SET
);
1701 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1702 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1704 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1705 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1711 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1712 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1718 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &pwHistLen
);
1720 uint8_t *pw_hist
= (uint8_t *)SMB_MALLOC(pwHistLen
* PW_HISTORY_ENTRY_LEN
);
1725 memset(pw_hist
, '\0', pwHistLen
* PW_HISTORY_ENTRY_LEN
);
1726 if (nt_pw_hist_ptr
&& nt_pw_hist_len
) {
1728 SMB_ASSERT((nt_pw_hist_len
% PW_HISTORY_ENTRY_LEN
) == 0);
1729 nt_pw_hist_len
/= PW_HISTORY_ENTRY_LEN
;
1730 for (i
= 0; (i
< pwHistLen
) && (i
< nt_pw_hist_len
); i
++) {
1731 memcpy(&pw_hist
[i
*PW_HISTORY_ENTRY_LEN
],
1732 &nt_pw_hist_ptr
[i
*PW_HISTORY_ENTRY_LEN
],
1733 PW_HISTORY_ENTRY_LEN
);
1736 if (!pdb_set_pw_history(sampass
, pw_hist
, pwHistLen
, PDB_SET
)) {
1743 pdb_set_pw_history(sampass
, NULL
, 0, PDB_SET
);
1746 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1747 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1748 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1749 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1750 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1751 /* Change from V2 is the uint32_t acct_ctrl */
1752 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1753 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1754 pdb_set_hours(sampass
, hours
, hours_len
, PDB_SET
);
1758 SAFE_FREE(username
);
1760 SAFE_FREE(nt_username
);
1761 SAFE_FREE(fullname
);
1763 SAFE_FREE(dir_drive
);
1764 SAFE_FREE(logon_script
);
1765 SAFE_FREE(profile_path
);
1766 SAFE_FREE(acct_desc
);
1767 SAFE_FREE(workstations
);
1768 SAFE_FREE(munged_dial
);
1770 SAFE_FREE(lm_pw_ptr
);
1771 SAFE_FREE(nt_pw_ptr
);
1772 SAFE_FREE(nt_pw_hist_ptr
);
1778 /*********************************************************************
1779 *********************************************************************/
1781 static uint32_t init_buffer_from_samu_v3 (uint8_t **buf
, struct samu
*sampass
, bool size_only
)
1785 /* times are stored as 32bit integer
1786 take care on system with 64bit wide time_t
1788 uint32_t logon_time
,
1793 pass_can_change_time
,
1794 pass_must_change_time
;
1796 uint32_t user_rid
, group_rid
;
1798 const char *username
;
1800 const char *nt_username
;
1801 const char *dir_drive
;
1802 const char *comment
;
1803 const char *munged_dial
;
1804 const char *fullname
;
1805 const char *homedir
;
1806 const char *logon_script
;
1807 const char *profile_path
;
1808 const char *acct_desc
;
1809 const char *workstations
;
1810 uint32_t username_len
, domain_len
, nt_username_len
,
1811 dir_drive_len
, comment_len
, munged_dial_len
,
1812 fullname_len
, homedir_len
, logon_script_len
,
1813 profile_path_len
, acct_desc_len
, workstations_len
;
1815 const uint8_t *lm_pw
;
1816 const uint8_t *nt_pw
;
1817 const uint8_t *nt_pw_hist
;
1818 uint32_t lm_pw_len
= 16;
1819 uint32_t nt_pw_len
= 16;
1820 uint32_t nt_pw_hist_len
;
1821 uint32_t pwHistLen
= 0;
1826 logon_time
= convert_time_t_to_uint32_t(pdb_get_logon_time(sampass
));
1827 logoff_time
= convert_time_t_to_uint32_t(pdb_get_logoff_time(sampass
));
1828 kickoff_time
= convert_time_t_to_uint32_t(pdb_get_kickoff_time(sampass
));
1829 bad_password_time
= convert_time_t_to_uint32_t(pdb_get_bad_password_time(sampass
));
1830 pass_can_change_time
= convert_time_t_to_uint32_t(pdb_get_pass_can_change_time_noncalc(sampass
));
1831 pass_must_change_time
= convert_time_t_to_uint32_t(pdb_get_pass_must_change_time(sampass
));
1832 pass_last_set_time
= convert_time_t_to_uint32_t(pdb_get_pass_last_set_time(sampass
));
1834 user_rid
= pdb_get_user_rid(sampass
);
1835 group_rid
= pdb_get_group_rid(sampass
);
1837 username
= pdb_get_username(sampass
);
1839 username_len
= strlen(username
) +1;
1844 domain
= pdb_get_domain(sampass
);
1846 domain_len
= strlen(domain
) +1;
1851 nt_username
= pdb_get_nt_username(sampass
);
1853 nt_username_len
= strlen(nt_username
) +1;
1855 nt_username_len
= 0;
1858 fullname
= pdb_get_fullname(sampass
);
1860 fullname_len
= strlen(fullname
) +1;
1866 * Only updates fields which have been set (not defaults from smb.conf)
1869 if (!IS_SAM_DEFAULT(sampass
, PDB_DRIVE
)) {
1870 dir_drive
= pdb_get_dir_drive(sampass
);
1875 dir_drive_len
= strlen(dir_drive
) +1;
1880 if (!IS_SAM_DEFAULT(sampass
, PDB_SMBHOME
)) {
1881 homedir
= pdb_get_homedir(sampass
);
1886 homedir_len
= strlen(homedir
) +1;
1891 if (!IS_SAM_DEFAULT(sampass
, PDB_LOGONSCRIPT
)) {
1892 logon_script
= pdb_get_logon_script(sampass
);
1894 logon_script
= NULL
;
1897 logon_script_len
= strlen(logon_script
) +1;
1899 logon_script_len
= 0;
1902 if (!IS_SAM_DEFAULT(sampass
, PDB_PROFILE
)) {
1903 profile_path
= pdb_get_profile_path(sampass
);
1905 profile_path
= NULL
;
1908 profile_path_len
= strlen(profile_path
) +1;
1910 profile_path_len
= 0;
1913 lm_pw
= pdb_get_lanman_passwd(sampass
);
1918 nt_pw
= pdb_get_nt_passwd(sampass
);
1923 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &pwHistLen
);
1924 nt_pw_hist
= pdb_get_pw_history(sampass
, &nt_pw_hist_len
);
1925 if (pwHistLen
&& nt_pw_hist
&& nt_pw_hist_len
) {
1926 nt_pw_hist_len
*= PW_HISTORY_ENTRY_LEN
;
1931 acct_desc
= pdb_get_acct_desc(sampass
);
1933 acct_desc_len
= strlen(acct_desc
) +1;
1938 workstations
= pdb_get_workstations(sampass
);
1940 workstations_len
= strlen(workstations
) +1;
1942 workstations_len
= 0;
1945 comment
= pdb_get_comment(sampass
);
1947 comment_len
= strlen(comment
) +1;
1952 munged_dial
= pdb_get_munged_dial(sampass
);
1954 munged_dial_len
= strlen(munged_dial
) +1;
1956 munged_dial_len
= 0;
1959 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1961 /* one time to get the size needed */
1962 len
= tdb_pack(NULL
, 0, SAMU_BUFFER_FORMAT_V3
,
1964 logoff_time
, /* d */
1965 kickoff_time
, /* d */
1966 bad_password_time
, /* d */
1967 pass_last_set_time
, /* d */
1968 pass_can_change_time
, /* d */
1969 pass_must_change_time
, /* d */
1970 username_len
, username
, /* B */
1971 domain_len
, domain
, /* B */
1972 nt_username_len
, nt_username
, /* B */
1973 fullname_len
, fullname
, /* B */
1974 homedir_len
, homedir
, /* B */
1975 dir_drive_len
, dir_drive
, /* B */
1976 logon_script_len
, logon_script
, /* B */
1977 profile_path_len
, profile_path
, /* B */
1978 acct_desc_len
, acct_desc
, /* B */
1979 workstations_len
, workstations
, /* B */
1980 comment_len
, comment
, /* B */
1981 munged_dial_len
, munged_dial
, /* B */
1984 lm_pw_len
, lm_pw
, /* B */
1985 nt_pw_len
, nt_pw
, /* B */
1986 nt_pw_hist_len
, nt_pw_hist
, /* B */
1987 pdb_get_acct_ctrl(sampass
), /* d */
1988 pdb_get_logon_divs(sampass
), /* w */
1989 pdb_get_hours_len(sampass
), /* d */
1990 MAX_HOURS_LEN
, pdb_get_hours(sampass
), /* B */
1991 pdb_get_bad_password_count(sampass
), /* w */
1992 pdb_get_logon_count(sampass
), /* w */
1993 pdb_get_unknown_6(sampass
)); /* d */
1999 /* malloc the space needed */
2000 if ( (*buf
=(uint8_t*)SMB_MALLOC(len
)) == NULL
) {
2001 DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
2005 /* now for the real call to tdb_pack() */
2006 buflen
= tdb_pack(*buf
, len
, SAMU_BUFFER_FORMAT_V3
,
2008 logoff_time
, /* d */
2009 kickoff_time
, /* d */
2010 bad_password_time
, /* d */
2011 pass_last_set_time
, /* d */
2012 pass_can_change_time
, /* d */
2013 pass_must_change_time
, /* d */
2014 username_len
, username
, /* B */
2015 domain_len
, domain
, /* B */
2016 nt_username_len
, nt_username
, /* B */
2017 fullname_len
, fullname
, /* B */
2018 homedir_len
, homedir
, /* B */
2019 dir_drive_len
, dir_drive
, /* B */
2020 logon_script_len
, logon_script
, /* B */
2021 profile_path_len
, profile_path
, /* B */
2022 acct_desc_len
, acct_desc
, /* B */
2023 workstations_len
, workstations
, /* B */
2024 comment_len
, comment
, /* B */
2025 munged_dial_len
, munged_dial
, /* B */
2028 lm_pw_len
, lm_pw
, /* B */
2029 nt_pw_len
, nt_pw
, /* B */
2030 nt_pw_hist_len
, nt_pw_hist
, /* B */
2031 pdb_get_acct_ctrl(sampass
), /* d */
2032 pdb_get_logon_divs(sampass
), /* w */
2033 pdb_get_hours_len(sampass
), /* d */
2034 MAX_HOURS_LEN
, pdb_get_hours(sampass
), /* B */
2035 pdb_get_bad_password_count(sampass
), /* w */
2036 pdb_get_logon_count(sampass
), /* w */
2037 pdb_get_unknown_6(sampass
)); /* d */
2039 /* check to make sure we got it correct */
2040 if (buflen
!= len
) {
2041 DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2042 (unsigned long)buflen
, (unsigned long)len
));
2051 static bool init_samu_from_buffer_v4(struct samu
*sampass
, uint8_t *buf
, uint32_t buflen
)
2053 /* nothing changed between V3 and V4 */
2054 return init_samu_from_buffer_v3(sampass
, buf
, buflen
);
2057 static uint32_t init_buffer_from_samu_v4(uint8_t **buf
, struct samu
*sampass
, bool size_only
)
2059 /* nothing changed between V3 and V4 */
2060 return init_buffer_from_samu_v3(buf
, sampass
, size_only
);
2063 /**********************************************************************
2064 Intialize a struct samu struct from a BYTE buffer of size len
2065 *********************************************************************/
2067 bool init_samu_from_buffer(struct samu
*sampass
, uint32_t level
,
2068 uint8_t *buf
, uint32_t buflen
)
2071 case SAMU_BUFFER_V0
:
2072 return init_samu_from_buffer_v0(sampass
, buf
, buflen
);
2073 case SAMU_BUFFER_V1
:
2074 return init_samu_from_buffer_v1(sampass
, buf
, buflen
);
2075 case SAMU_BUFFER_V2
:
2076 return init_samu_from_buffer_v2(sampass
, buf
, buflen
);
2077 case SAMU_BUFFER_V3
:
2078 return init_samu_from_buffer_v3(sampass
, buf
, buflen
);
2079 case SAMU_BUFFER_V4
:
2080 return init_samu_from_buffer_v4(sampass
, buf
, buflen
);
2086 /**********************************************************************
2087 Intialize a BYTE buffer from a struct samu struct
2088 *********************************************************************/
2090 uint32_t init_buffer_from_samu (uint8_t **buf
, struct samu
*sampass
, bool size_only
)
2092 return init_buffer_from_samu_v4(buf
, sampass
, size_only
);
2095 /*********************************************************************
2096 *********************************************************************/
2098 bool pdb_copy_sam_account(struct samu
*dst
, struct samu
*src
)
2100 uint8_t *buf
= NULL
;
2103 len
= init_buffer_from_samu(&buf
, src
, False
);
2104 if (len
== -1 || !buf
) {
2109 if (!init_samu_from_buffer( dst
, SAMU_BUFFER_LATEST
, buf
, len
)) {
2114 dst
->methods
= src
->methods
;
2116 if ( src
->unix_pw
) {
2117 dst
->unix_pw
= tcopy_passwd( dst
, src
->unix_pw
);
2118 if (!dst
->unix_pw
) {
2124 if (src
->group_sid
) {
2125 pdb_set_group_sid(dst
, src
->group_sid
, PDB_SET
);
2132 /*********************************************************************
2133 Update the bad password count checking the PDB_POLICY_RESET_COUNT_TIME
2134 *********************************************************************/
2136 bool pdb_update_bad_password_count(struct samu
*sampass
, bool *updated
)
2138 time_t LastBadPassword
;
2139 uint16_t BadPasswordCount
;
2143 BadPasswordCount
= pdb_get_bad_password_count(sampass
);
2144 if (!BadPasswordCount
) {
2145 DEBUG(9, ("No bad password attempts.\n"));
2150 res
= pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME
, &resettime
);
2154 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2158 /* First, check if there is a reset time to compare */
2159 if ((resettime
== (uint32_t) -1) || (resettime
== 0)) {
2160 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2164 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2165 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2166 (uint32_t) LastBadPassword
, resettime
, (uint32_t)time(NULL
)));
2167 if (time(NULL
) > (LastBadPassword
+ convert_uint32_t_to_time_t(resettime
)*60)){
2168 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
2169 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
2178 /*********************************************************************
2179 Update the ACB_AUTOLOCK flag checking the PDB_POLICY_LOCK_ACCOUNT_DURATION
2180 *********************************************************************/
2182 bool pdb_update_autolock_flag(struct samu
*sampass
, bool *updated
)
2185 time_t LastBadPassword
;
2188 if (!(pdb_get_acct_ctrl(sampass
) & ACB_AUTOLOCK
)) {
2189 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2190 pdb_get_username(sampass
)));
2195 res
= pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, &duration
);
2199 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2203 /* First, check if there is a duration to compare */
2204 if ((duration
== (uint32_t) -1) || (duration
== 0)) {
2205 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2209 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2210 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2211 pdb_get_username(sampass
), (uint32_t)LastBadPassword
, duration
*60, (uint32_t)time(NULL
)));
2213 if (LastBadPassword
== (time_t)0) {
2214 DEBUG(1,("pdb_update_autolock_flag: Account %s "
2215 "administratively locked out with no bad password "
2216 "time. Leaving locked out.\n",
2217 pdb_get_username(sampass
) ));
2221 if ((time(NULL
) > (LastBadPassword
+ convert_uint32_t_to_time_t(duration
) * 60))) {
2222 pdb_set_acct_ctrl(sampass
,
2223 pdb_get_acct_ctrl(sampass
) & ~ACB_AUTOLOCK
,
2225 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
2226 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
2235 /*********************************************************************
2236 Increment the bad_password_count
2237 *********************************************************************/
2239 bool pdb_increment_bad_password_count(struct samu
*sampass
)
2241 uint32_t account_policy_lockout
;
2242 bool autolock_updated
= False
, badpw_updated
= False
;
2245 /* Retrieve the account lockout policy */
2247 ret
= pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
, &account_policy_lockout
);
2250 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2254 /* If there is no policy, we don't need to continue checking */
2255 if (!account_policy_lockout
) {
2256 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2260 /* Check if the autolock needs to be cleared */
2261 if (!pdb_update_autolock_flag(sampass
, &autolock_updated
))
2264 /* Check if the badpw count needs to be reset */
2265 if (!pdb_update_bad_password_count(sampass
, &badpw_updated
))
2269 Ok, now we can assume that any resetting that needs to be
2270 done has been done, and just get on with incrementing
2271 and autolocking if necessary
2274 pdb_set_bad_password_count(sampass
,
2275 pdb_get_bad_password_count(sampass
)+1,
2277 pdb_set_bad_password_time(sampass
, time(NULL
), PDB_CHANGED
);
2280 if (pdb_get_bad_password_count(sampass
) < account_policy_lockout
)
2283 if (!pdb_set_acct_ctrl(sampass
,
2284 pdb_get_acct_ctrl(sampass
) | ACB_AUTOLOCK
,
2286 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
2293 bool is_dc_trusted_domain_situation(const char *domain_name
)
2295 return IS_DC
&& !strequal(domain_name
, lp_workgroup());
2298 /*******************************************************************
2299 Wrapper around retrieving the clear text trust account password.
2300 appropriate account name is stored in account_name.
2301 Caller must free password, but not account_name.
2302 *******************************************************************/
2304 bool get_trust_pw_clear(const char *domain
, char **ret_pwd
,
2305 const char **account_name
,
2306 enum netr_SchannelType
*channel
)
2309 time_t last_set_time
;
2311 /* if we are a DC and this is not our domain, then lookup an account
2312 * for the domain trust */
2314 if (is_dc_trusted_domain_situation(domain
)) {
2315 if (!lp_allow_trusted_domains()) {
2319 if (!pdb_get_trusteddom_pw(domain
, ret_pwd
, NULL
,
2322 DEBUG(0, ("get_trust_pw: could not fetch trust "
2323 "account password for trusted domain %s\n",
2328 if (channel
!= NULL
) {
2329 *channel
= SEC_CHAN_DOMAIN
;
2332 if (account_name
!= NULL
) {
2333 *account_name
= lp_workgroup();
2340 * Since we can only be member of one single domain, we are now
2341 * in a member situation:
2343 * - Either we are a DC (selfjoined) and the domain is our
2345 * - Or we are on a member and the domain is our own or some
2346 * other (potentially trusted) domain.
2348 * In both cases, we can only get the machine account password
2349 * for our own domain to connect to our own dc. (For a member,
2350 * request to trusted domains are performed through our dc.)
2352 * So we simply use our own domain name to retrieve the
2353 * machine account passowrd and ignore the request domain here.
2356 pwd
= secrets_fetch_machine_password(lp_workgroup(), &last_set_time
, channel
);
2360 if (account_name
!= NULL
) {
2361 *account_name
= lp_netbios_name();
2367 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
2368 "account password for domain %s\n", domain
));
2372 /*******************************************************************
2373 Wrapper around retrieving the trust account password.
2374 appropriate account name is stored in account_name.
2375 *******************************************************************/
2377 bool get_trust_pw_hash(const char *domain
, uint8_t ret_pwd
[16],
2378 const char **account_name
,
2379 enum netr_SchannelType
*channel
)
2382 time_t last_set_time
;
2384 if (get_trust_pw_clear(domain
, &pwd
, account_name
, channel
)) {
2385 E_md4hash(pwd
, ret_pwd
);
2388 } else if (is_dc_trusted_domain_situation(domain
)) {
2392 /* as a fallback, try to get the hashed pwd directly from the tdb... */
2394 if (secrets_fetch_trust_account_password_legacy(domain
, ret_pwd
,
2398 if (account_name
!= NULL
) {
2399 *account_name
= lp_netbios_name();
2405 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
2406 "password for domain %s\n", domain
));