2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2001
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_PASSDB
30 /******************************************************************
31 get the default domain/netbios name to be used when
32 testing authentication. For example, if you connect
33 to a Windows member server using a bogus domain name, the
34 Windows box will map the BOGUS\user to DOMAIN\user. A
35 standalone box will map to WKS\user.
36 ******************************************************************/
38 const char *get_default_sam_name(void)
40 /* standalone servers can only use the local netbios name */
41 if ( lp_server_role() == ROLE_STANDALONE
)
42 return global_myname();
44 /* Windows domain members default to the DOMAIN
45 name when not specified */
46 return lp_workgroup();
49 /************************************************************
50 Fill the SAM_ACCOUNT with default values.
51 ***********************************************************/
53 void pdb_fill_default_sam(SAM_ACCOUNT
*user
)
55 ZERO_STRUCT(user
->private); /* Don't touch the talloc context */
57 /* no initial methods */
60 /* Don't change these timestamp settings without a good reason.
61 They are important for NT member server compatibility. */
63 user
->private.logon_time
= (time_t)0;
64 user
->private.pass_last_set_time
= (time_t)0;
65 user
->private.pass_can_change_time
= (time_t)0;
66 user
->private.logoff_time
=
67 user
->private.kickoff_time
=
68 user
->private.pass_must_change_time
= get_time_t_max();
69 user
->private.fields_present
= 0x00ffffff;
70 user
->private.logon_divs
= 168; /* hours per week */
71 user
->private.hours_len
= 21; /* 21 times 8 bits = 168 */
72 memset(user
->private.hours
, 0xff, user
->private.hours_len
); /* available at all hours */
73 user
->private.bad_password_count
= 0;
74 user
->private.logon_count
= 0;
75 user
->private.unknown_6
= 0x000004ec; /* don't know */
77 /* Some parts of samba strlen their pdb_get...() returns,
78 so this keeps the interface unchanged for now. */
80 user
->private.username
= "";
81 user
->private.domain
= "";
82 user
->private.nt_username
= "";
83 user
->private.full_name
= "";
84 user
->private.home_dir
= "";
85 user
->private.logon_script
= "";
86 user
->private.profile_path
= "";
87 user
->private.acct_desc
= "";
88 user
->private.workstations
= "";
89 user
->private.unknown_str
= "";
90 user
->private.munged_dial
= "";
92 user
->private.plaintext_pw
= NULL
;
95 Unless we know otherwise have a Account Control Bit
96 value of 'normal user'. This helps User Manager, which
97 asks for a filtered list of users.
100 user
->private.acct_ctrl
= ACB_NORMAL
;
103 static void destroy_pdb_talloc(SAM_ACCOUNT
**user
)
106 data_blob_clear_free(&((*user
)->private.lm_pw
));
107 data_blob_clear_free(&((*user
)->private.nt_pw
));
109 if((*user
)->private.plaintext_pw
!=NULL
)
110 memset((*user
)->private.plaintext_pw
,'\0',strlen((*user
)->private.plaintext_pw
));
111 talloc_destroy((*user
)->mem_ctx
);
117 /**********************************************************************
118 Allocates memory and initialises a struct sam_passwd on supplied mem_ctx.
119 ***********************************************************************/
121 NTSTATUS
pdb_init_sam_talloc(TALLOC_CTX
*mem_ctx
, SAM_ACCOUNT
**user
)
124 DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
126 smb_panic("non-NULL pointer passed to pdb_init_sam\n");
128 return NT_STATUS_UNSUCCESSFUL
;
132 DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
133 return NT_STATUS_UNSUCCESSFUL
;
136 *user
=(SAM_ACCOUNT
*)talloc(mem_ctx
, sizeof(SAM_ACCOUNT
));
139 DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
140 return NT_STATUS_NO_MEMORY
;
143 (*user
)->mem_ctx
= mem_ctx
;
145 (*user
)->free_fn
= NULL
;
147 pdb_fill_default_sam(*user
);
153 /*************************************************************
154 Allocates memory and initialises a struct sam_passwd.
155 ************************************************************/
157 NTSTATUS
pdb_init_sam(SAM_ACCOUNT
**user
)
162 mem_ctx
= talloc_init("passdb internal SAM_ACCOUNT allocation");
165 DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
166 return NT_STATUS_NO_MEMORY
;
169 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_talloc(mem_ctx
, user
))) {
170 talloc_destroy(mem_ctx
);
174 (*user
)->free_fn
= destroy_pdb_talloc
;
179 /**************************************************************************
180 * This function will take care of all the steps needed to correctly
181 * allocate and set the user SID, please do use this function to create new
182 * users, messing with SIDs is not good.
184 * account_data must be provided initialized, pwd may be null.
186 ***************************************************************************/
188 static NTSTATUS
pdb_set_sam_sids(SAM_ACCOUNT
*account_data
, const struct passwd
*pwd
)
190 const char *guest_account
= lp_guestaccount();
194 if (!account_data
|| !pwd
) {
195 return NT_STATUS_INVALID_PARAMETER
;
198 /* this is a hack this thing should not be set
200 if (!(guest_account
&& *guest_account
)) {
201 DEBUG(1, ("NULL guest account!?!?\n"));
202 return NT_STATUS_UNSUCCESSFUL
;
204 /* Ensure this *must* be set right */
205 if (strcmp(pwd
->pw_name
, guest_account
) == 0) {
206 if (!pdb_set_user_sid_from_rid(account_data
, DOMAIN_USER_RID_GUEST
, PDB_DEFAULT
)) {
207 return NT_STATUS_UNSUCCESSFUL
;
209 if (!pdb_set_group_sid_from_rid(account_data
, DOMAIN_GROUP_RID_GUESTS
, PDB_DEFAULT
)) {
210 return NT_STATUS_UNSUCCESSFUL
;
216 if (!pdb_set_user_sid_from_rid(account_data
, fallback_pdb_uid_to_user_rid(pwd
->pw_uid
), PDB_SET
)) {
217 DEBUG(0,("Can't set User SID from RID!\n"));
218 return NT_STATUS_INVALID_PARAMETER
;
221 /* call the mapping code here */
223 ret
= pdb_getgrgid(&map
, pwd
->pw_gid
);
227 if (!pdb_set_group_sid(account_data
, &map
.sid
, PDB_SET
)){
228 DEBUG(0,("Can't set Group SID!\n"));
229 return NT_STATUS_INVALID_PARAMETER
;
233 if (!pdb_set_group_sid_from_rid(account_data
, pdb_gid_to_group_rid(pwd
->pw_gid
), PDB_SET
)) {
234 DEBUG(0,("Can't set Group SID\n"));
235 return NT_STATUS_INVALID_PARAMETER
;
242 /*************************************************************
243 Initialises a struct sam_passwd with sane values.
244 ************************************************************/
246 NTSTATUS
pdb_fill_sam_pw(SAM_ACCOUNT
*sam_account
, const struct passwd
*pwd
)
251 return NT_STATUS_UNSUCCESSFUL
;
254 pdb_fill_default_sam(sam_account
);
256 pdb_set_username(sam_account
, pwd
->pw_name
, PDB_SET
);
257 pdb_set_fullname(sam_account
, pwd
->pw_gecos
, PDB_SET
);
259 pdb_set_unix_homedir(sam_account
, pwd
->pw_dir
, PDB_SET
);
261 pdb_set_domain (sam_account
, get_global_sam_name(), PDB_DEFAULT
);
263 /* When we get a proper uid -> SID and SID -> uid allocation
264 mechinism, we should call it here.
266 We can't just set this to 0 or allow it only to be filled
267 in when added to the backend, because the user's SID
268 may already be in security descriptors etc.
270 -- abartlet 11-May-02
273 ret
= pdb_set_sam_sids(sam_account
, pwd
);
274 if (!NT_STATUS_IS_OK(ret
)) return ret
;
276 /* check if this is a user account or a machine account */
277 if (pwd
->pw_name
[strlen(pwd
->pw_name
)-1] != '$')
279 pdb_set_profile_path(sam_account
,
280 talloc_sub_specified((sam_account
)->mem_ctx
,
282 pwd
->pw_name
, global_myname(),
283 pwd
->pw_uid
, pwd
->pw_gid
),
286 pdb_set_homedir(sam_account
,
287 talloc_sub_specified((sam_account
)->mem_ctx
,
289 pwd
->pw_name
, global_myname(),
290 pwd
->pw_uid
, pwd
->pw_gid
),
293 pdb_set_dir_drive(sam_account
,
294 talloc_sub_specified((sam_account
)->mem_ctx
,
296 pwd
->pw_name
, global_myname(),
297 pwd
->pw_uid
, pwd
->pw_gid
),
300 pdb_set_logon_script(sam_account
,
301 talloc_sub_specified((sam_account
)->mem_ctx
,
303 pwd
->pw_name
, global_myname(),
304 pwd
->pw_uid
, pwd
->pw_gid
),
306 if (!pdb_set_acct_ctrl(sam_account
, ACB_NORMAL
, PDB_DEFAULT
)) {
307 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd
->pw_name
));
308 return NT_STATUS_UNSUCCESSFUL
;
311 if (!pdb_set_acct_ctrl(sam_account
, ACB_WSTRUST
, PDB_DEFAULT
)) {
312 DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd
->pw_name
));
313 return NT_STATUS_UNSUCCESSFUL
;
320 /*************************************************************
321 Initialises a struct sam_passwd with sane values.
322 ************************************************************/
324 NTSTATUS
pdb_init_sam_pw(SAM_ACCOUNT
**new_sam_acct
, const struct passwd
*pwd
)
330 return NT_STATUS_INVALID_PARAMETER
;
333 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam(new_sam_acct
))) {
338 if (!NT_STATUS_IS_OK(nt_status
= pdb_fill_sam_pw(*new_sam_acct
, pwd
))) {
339 pdb_free_sam(new_sam_acct
);
348 /*************************************************************
349 Initialises a SAM_ACCOUNT ready to add a new account, based
350 on the UNIX user. Pass in a RID if you have one
351 ************************************************************/
353 NTSTATUS
pdb_init_sam_new(SAM_ACCOUNT
**new_sam_acct
, const char *username
,
356 NTSTATUS nt_status
= NT_STATUS_NO_MEMORY
;
360 pwd
= Get_Pwnam(username
);
363 return NT_STATUS_NO_SUCH_USER
;
365 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_pw(new_sam_acct
, pwd
))) {
366 *new_sam_acct
= NULL
;
370 /* see if we need to generate a new rid using the 2.2 algorithm */
371 if ( rid
== 0 && lp_enable_rid_algorithm() ) {
372 DEBUG(10,("pdb_init_sam_new: no RID specified. Generating one via old algorithm\n"));
373 rid
= fallback_pdb_uid_to_user_rid(pwd
->pw_uid
);
376 /* set the new SID */
378 ret
= pdb_set_user_sid_from_rid( *new_sam_acct
, rid
, PDB_SET
);
380 return (ret
? NT_STATUS_OK
: NT_STATUS_NO_SUCH_USER
);
385 * Free the contets of the SAM_ACCOUNT, but not the structure.
387 * Also wipes the LM and NT hashes and plaintext password from
390 * @param user SAM_ACCOUNT to free members of.
393 static void pdb_free_sam_contents(SAM_ACCOUNT
*user
)
396 /* Kill off sensitive data. Free()ed by the
399 data_blob_clear_free(&(user
->private.lm_pw
));
400 data_blob_clear_free(&(user
->private.nt_pw
));
401 if (user
->private.plaintext_pw
!=NULL
)
402 memset(user
->private.plaintext_pw
,'\0',strlen(user
->private.plaintext_pw
));
404 if (user
->private.backend_private_data
&& user
->private.backend_private_data_free_fn
) {
405 user
->private.backend_private_data_free_fn(&user
->private.backend_private_data
);
410 /************************************************************
411 Reset the SAM_ACCOUNT and free the NT/LM hashes.
412 ***********************************************************/
414 NTSTATUS
pdb_reset_sam(SAM_ACCOUNT
*user
)
417 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
419 smb_panic("NULL pointer passed to pdb_free_sam\n");
421 return NT_STATUS_UNSUCCESSFUL
;
424 pdb_free_sam_contents(user
);
426 pdb_fill_default_sam(user
);
432 /************************************************************
433 Free the SAM_ACCOUNT and the member pointers.
434 ***********************************************************/
436 NTSTATUS
pdb_free_sam(SAM_ACCOUNT
**user
)
439 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
441 smb_panic("NULL pointer passed to pdb_free_sam\n");
443 return NT_STATUS_UNSUCCESSFUL
;
446 pdb_free_sam_contents(*user
);
448 if ((*user
)->free_fn
) {
449 (*user
)->free_fn(user
);
455 /**********************************************************
456 Encode the account control bits into a string.
457 length = length of string to encode into (including terminating
458 null). length *MUST BE MORE THAN 2* !
459 **********************************************************/
461 char *pdb_encode_acct_ctrl(uint16 acct_ctrl
, size_t length
)
463 static fstring acct_str
;
467 SMB_ASSERT(length
<= sizeof(acct_str
));
471 if (acct_ctrl
& ACB_PWNOTREQ
) acct_str
[i
++] = 'N';
472 if (acct_ctrl
& ACB_DISABLED
) acct_str
[i
++] = 'D';
473 if (acct_ctrl
& ACB_HOMDIRREQ
) acct_str
[i
++] = 'H';
474 if (acct_ctrl
& ACB_TEMPDUP
) acct_str
[i
++] = 'T';
475 if (acct_ctrl
& ACB_NORMAL
) acct_str
[i
++] = 'U';
476 if (acct_ctrl
& ACB_MNS
) acct_str
[i
++] = 'M';
477 if (acct_ctrl
& ACB_WSTRUST
) acct_str
[i
++] = 'W';
478 if (acct_ctrl
& ACB_SVRTRUST
) acct_str
[i
++] = 'S';
479 if (acct_ctrl
& ACB_AUTOLOCK
) acct_str
[i
++] = 'L';
480 if (acct_ctrl
& ACB_PWNOEXP
) acct_str
[i
++] = 'X';
481 if (acct_ctrl
& ACB_DOMTRUST
) acct_str
[i
++] = 'I';
483 for ( ; i
< length
- 2 ; i
++ )
488 acct_str
[i
++] = '\0';
493 /**********************************************************
494 Decode the account control bits from a string.
495 **********************************************************/
497 uint16
pdb_decode_acct_ctrl(const char *p
)
499 uint16 acct_ctrl
= 0;
500 BOOL finished
= False
;
503 * Check if the account type bits have been encoded after the
504 * NT password (in the form [NDHTUWSLXI]).
510 for (p
++; *p
&& !finished
; p
++) {
512 case 'N': { acct_ctrl
|= ACB_PWNOTREQ
; break; /* 'N'o password. */ }
513 case 'D': { acct_ctrl
|= ACB_DISABLED
; break; /* 'D'isabled. */ }
514 case 'H': { acct_ctrl
|= ACB_HOMDIRREQ
; break; /* 'H'omedir required. */ }
515 case 'T': { acct_ctrl
|= ACB_TEMPDUP
; break; /* 'T'emp account. */ }
516 case 'U': { acct_ctrl
|= ACB_NORMAL
; break; /* 'U'ser account (normal). */ }
517 case 'M': { acct_ctrl
|= ACB_MNS
; break; /* 'M'NS logon user account. What is this ? */ }
518 case 'W': { acct_ctrl
|= ACB_WSTRUST
; break; /* 'W'orkstation account. */ }
519 case 'S': { acct_ctrl
|= ACB_SVRTRUST
; break; /* 'S'erver account. */ }
520 case 'L': { acct_ctrl
|= ACB_AUTOLOCK
; break; /* 'L'ocked account. */ }
521 case 'X': { acct_ctrl
|= ACB_PWNOEXP
; break; /* No 'X'piry on password */ }
522 case 'I': { acct_ctrl
|= ACB_DOMTRUST
; break; /* 'I'nterdomain trust account. */ }
528 default: { finished
= True
; }
535 /*************************************************************
536 Routine to set 32 hex password characters from a 16 byte array.
537 **************************************************************/
539 void pdb_sethexpwd(char *p
, const unsigned char *pwd
, uint16 acct_ctrl
)
543 for (i
= 0; i
< 16; i
++)
544 slprintf(&p
[i
*2], 3, "%02X", pwd
[i
]);
546 if (acct_ctrl
& ACB_PWNOTREQ
)
547 safe_strcpy(p
, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
549 safe_strcpy(p
, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
553 /*************************************************************
554 Routine to get the 32 hex characters and turn them
555 into a 16 byte array.
556 **************************************************************/
558 BOOL
pdb_gethexpwd(const char *p
, unsigned char *pwd
)
561 unsigned char lonybble
, hinybble
;
562 const char *hexchars
= "0123456789ABCDEF";
568 for (i
= 0; i
< 32; i
+= 2) {
569 hinybble
= toupper(p
[i
]);
570 lonybble
= toupper(p
[i
+ 1]);
572 p1
= strchr(hexchars
, hinybble
);
573 p2
= strchr(hexchars
, lonybble
);
578 hinybble
= PTR_DIFF(p1
, hexchars
);
579 lonybble
= PTR_DIFF(p2
, hexchars
);
581 pwd
[i
/ 2] = (hinybble
<< 4) | lonybble
;
586 int algorithmic_rid_base(void)
588 static int rid_offset
= 0;
593 rid_offset
= lp_algorithmic_rid_base();
595 if (rid_offset
< BASE_RID
) {
596 /* Try to prevent admin foot-shooting, we can't put algorithmic
597 rids below 1000, that's the 'well known RIDs' on NT */
598 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID
));
599 rid_offset
= BASE_RID
;
601 if (rid_offset
& 1) {
602 DEBUG(0, ("algorithmic rid base must be even\n"));
608 /*******************************************************************
609 Converts NT user RID to a UNIX uid.
610 ********************************************************************/
612 uid_t
fallback_pdb_user_rid_to_uid(uint32 user_rid
)
614 int rid_offset
= algorithmic_rid_base();
615 return (uid_t
)(((user_rid
& (~USER_RID_TYPE
)) - rid_offset
)/RID_MULTIPLIER
);
618 /*******************************************************************
619 converts UNIX uid to an NT User RID.
620 ********************************************************************/
622 uint32
fallback_pdb_uid_to_user_rid(uid_t uid
)
624 int rid_offset
= algorithmic_rid_base();
625 return (((((uint32
)uid
)*RID_MULTIPLIER
) + rid_offset
) | USER_RID_TYPE
);
628 /*******************************************************************
629 Converts NT group RID to a UNIX gid.
630 ********************************************************************/
632 gid_t
pdb_group_rid_to_gid(uint32 group_rid
)
634 int rid_offset
= algorithmic_rid_base();
635 return (gid_t
)(((group_rid
& (~GROUP_RID_TYPE
))- rid_offset
)/RID_MULTIPLIER
);
638 /*******************************************************************
639 converts NT Group RID to a UNIX uid.
641 warning: you must not call that function only
642 you must do a call to the group mapping first.
643 there is not anymore a direct link between the gid and the rid.
644 ********************************************************************/
646 uint32
pdb_gid_to_group_rid(gid_t gid
)
648 int rid_offset
= algorithmic_rid_base();
649 return (((((uint32
)gid
)*RID_MULTIPLIER
) + rid_offset
) | GROUP_RID_TYPE
);
652 /*******************************************************************
653 Decides if a RID is a well known RID.
654 ********************************************************************/
656 static BOOL
pdb_rid_is_well_known(uint32 rid
)
658 /* Not using rid_offset here, because this is the actual
659 NT fixed value (1000) */
661 return (rid
< BASE_RID
);
664 /*******************************************************************
665 Decides if a RID is a user or group RID.
666 ********************************************************************/
668 BOOL
fallback_pdb_rid_is_user(uint32 rid
)
670 /* lkcl i understand that NT attaches an enumeration to a RID
671 * such that it can be identified as either a user, group etc
672 * type. there are 5 such categories, and they are documented.
674 /* However, they are not in the RID, just somthing you can query
675 seperatly. Sorry luke :-) */
677 if(pdb_rid_is_well_known(rid
)) {
679 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
680 * and DOMAIN_USER_RID_GUEST.
682 if(rid
== DOMAIN_USER_RID_ADMIN
|| rid
== DOMAIN_USER_RID_GUEST
)
684 } else if((rid
& RID_TYPE_MASK
) == USER_RID_TYPE
) {
690 /*******************************************************************
691 Convert a rid into a name. Used in the lookup SID rpc.
692 ********************************************************************/
694 BOOL
local_lookup_sid(const DOM_SID
*sid
, char *name
, enum SID_NAME_USE
*psid_name_use
)
697 SAM_ACCOUNT
*sam_account
= NULL
;
701 if (!sid_peek_check_rid(get_global_sam_sid(), sid
, &rid
)){
702 DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
703 sid_string_static(&map
.sid
)));
706 *psid_name_use
= SID_NAME_UNKNOWN
;
708 DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid
));
710 if (rid
== DOMAIN_USER_RID_ADMIN
) {
711 const char **admin_list
= lp_admin_users(-1);
712 *psid_name_use
= SID_NAME_USER
;
714 const char *p
= *admin_list
;
715 if(!next_token(&p
, name
, NULL
, sizeof(fstring
)))
716 fstrcpy(name
, "Administrator");
718 fstrcpy(name
, "Administrator");
723 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account
))) {
727 /* see if the passdb can help us with the name of the user */
729 /* BEING ROOT BLLOCK */
731 if (pdb_getsampwsid(sam_account
, sid
)) {
732 unbecome_root(); /* -----> EXIT BECOME_ROOT() */
733 fstrcpy(name
, pdb_get_username(sam_account
));
734 *psid_name_use
= SID_NAME_USER
;
736 pdb_free_sam(&sam_account
);
740 pdb_free_sam(&sam_account
);
742 ret
= pdb_getgrsid(&map
, *sid
);
744 /* END BECOME_ROOT BLOCK */
747 if (map
.gid
!=(gid_t
)-1) {
748 DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map
.nt_name
, (unsigned int)map
.gid
));
750 DEBUG(5,("local_lookup_sid: mapped group %s to no unix gid. Returning name.\n", map
.nt_name
));
753 fstrcpy(name
, map
.nt_name
);
754 *psid_name_use
= map
.sid_name_use
;
758 if (fallback_pdb_rid_is_user(rid
)) {
760 struct passwd
*pw
= NULL
;
762 DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid
));
764 uid
= fallback_pdb_user_rid_to_uid(rid
);
765 pw
= sys_getpwuid( uid
);
767 DEBUG(5,("local_lookup_sid: looking up uid %u %s\n", (unsigned int)uid
,
768 pw
? "succeeded" : "failed" ));
771 fstr_sprintf(name
, "unix_user.%u", (unsigned int)uid
);
773 fstrcpy( name
, pw
->pw_name
);
775 DEBUG(5,("local_lookup_sid: found user %s for rid %u\n", name
,
776 (unsigned int)rid
));
778 *psid_name_use
= SID_NAME_USER
;
780 return ( pw
!= NULL
);
785 DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid
));
787 gid
= pdb_group_rid_to_gid(rid
);
790 *psid_name_use
= SID_NAME_ALIAS
;
792 DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid
,
793 gr
? "succeeded" : "failed" ));
796 fstr_sprintf(name
, "unix_group.%u", (unsigned int)gid
);
798 fstrcpy( name
, gr
->gr_name
);
800 DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name
,
801 (unsigned int)rid
));
803 /* assume fallback groups aer domain global groups */
805 *psid_name_use
= SID_NAME_DOM_GRP
;
807 return ( gr
!= NULL
);
811 /*******************************************************************
812 Convert a name into a SID. Used in the lookup name rpc.
813 ********************************************************************/
815 BOOL
local_lookup_name(const char *c_user
, DOM_SID
*psid
, enum SID_NAME_USE
*psid_name_use
)
817 extern DOM_SID global_sid_World_Domain
;
820 SAM_ACCOUNT
*sam_account
= NULL
;
824 *psid_name_use
= SID_NAME_UNKNOWN
;
827 * user may be quoted a const string, and map_username and
828 * friends can modify it. Make a modifiable copy. JRA.
831 fstrcpy(user
, c_user
);
833 sid_copy(&local_sid
, get_global_sam_sid());
836 * Special case for MACHINE\Everyone. Map to the world_sid.
839 if(strequal(user
, "Everyone")) {
840 sid_copy( psid
, &global_sid_World_Domain
);
841 sid_append_rid(psid
, 0);
842 *psid_name_use
= SID_NAME_ALIAS
;
846 (void)map_username(user
);
848 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account
))) {
852 /* BEGIN ROOT BLOCK */
855 if (pdb_getsampwnam(sam_account
, user
)) {
857 sid_copy(psid
, pdb_get_user_sid(sam_account
));
858 *psid_name_use
= SID_NAME_USER
;
860 pdb_free_sam(&sam_account
);
864 pdb_free_sam(&sam_account
);
867 * Maybe it was a group ?
870 /* check if it's a mapped group */
871 if (pdb_getgrnam(&map
, user
)) {
872 /* yes it's a mapped group */
873 sid_copy(&local_sid
, &map
.sid
);
874 *psid_name_use
= map
.sid_name_use
;
876 /* it's not a mapped group */
877 grp
= getgrnam(user
);
879 unbecome_root(); /* ---> exit form block */
884 *check if it's mapped, if it is reply it doesn't exist
886 * that's to prevent this case:
888 * unix group ug is mapped to nt group ng
889 * someone does a lookup on ug
890 * we must not reply as it doesn't "exist" anymore
891 * for NT. For NT only ng exists.
895 if (pdb_getgrgid(&map
, grp
->gr_gid
)){
896 unbecome_root(); /* ---> exit form block */
900 sid_append_rid( &local_sid
, pdb_gid_to_group_rid(grp
->gr_gid
));
901 *psid_name_use
= SID_NAME_ALIAS
;
906 sid_copy( psid
, &local_sid
);
911 /*************************************************************
912 Change a password entry in the local smbpasswd file.
913 *************************************************************/
915 BOOL
local_password_change(const char *user_name
, int local_flags
,
916 const char *new_passwd
,
917 char *err_str
, size_t err_str_len
,
918 char *msg_str
, size_t msg_str_len
)
920 SAM_ACCOUNT
*sam_pass
=NULL
;
926 /* Get the smb passwd entry for this user */
927 pdb_init_sam(&sam_pass
);
930 if(!pdb_getsampwnam(sam_pass
, user_name
)) {
932 pdb_free_sam(&sam_pass
);
934 if ((local_flags
& LOCAL_ADD_USER
) || (local_flags
& LOCAL_DELETE_USER
)) {
935 /* Might not exist in /etc/passwd. Use rid algorithm here */
936 if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass
, user_name
, 0))) {
937 slprintf(err_str
, err_str_len
-1, "Failed to initialise SAM_ACCOUNT for user %s.\n", user_name
);
941 slprintf(err_str
, err_str_len
-1,"Failed to find entry for user %s.\n", user_name
);
946 /* the entry already existed */
947 local_flags
&= ~LOCAL_ADD_USER
;
950 /* the 'other' acb bits not being changed here */
951 other_acb
= (pdb_get_acct_ctrl(sam_pass
) & (!(ACB_WSTRUST
|ACB_DOMTRUST
|ACB_SVRTRUST
|ACB_NORMAL
)));
952 if (local_flags
& LOCAL_TRUST_ACCOUNT
) {
953 if (!pdb_set_acct_ctrl(sam_pass
, ACB_WSTRUST
| other_acb
, PDB_CHANGED
) ) {
954 slprintf(err_str
, err_str_len
- 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name
);
955 pdb_free_sam(&sam_pass
);
958 } else if (local_flags
& LOCAL_INTERDOM_ACCOUNT
) {
959 if (!pdb_set_acct_ctrl(sam_pass
, ACB_DOMTRUST
| other_acb
, PDB_CHANGED
)) {
960 slprintf(err_str
, err_str_len
- 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name
);
961 pdb_free_sam(&sam_pass
);
965 if (!pdb_set_acct_ctrl(sam_pass
, ACB_NORMAL
| other_acb
, PDB_CHANGED
)) {
966 slprintf(err_str
, err_str_len
- 1, "Failed to set 'normal account' flags for user %s.\n", user_name
);
967 pdb_free_sam(&sam_pass
);
973 * We are root - just write the new password
974 * and the valid last change time.
977 if (local_flags
& LOCAL_DISABLE_USER
) {
978 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)|ACB_DISABLED
, PDB_CHANGED
)) {
979 slprintf(err_str
, err_str_len
-1, "Failed to set 'disabled' flag for user %s.\n", user_name
);
980 pdb_free_sam(&sam_pass
);
983 } else if (local_flags
& LOCAL_ENABLE_USER
) {
984 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_DISABLED
), PDB_CHANGED
)) {
985 slprintf(err_str
, err_str_len
-1, "Failed to unset 'disabled' flag for user %s.\n", user_name
);
986 pdb_free_sam(&sam_pass
);
991 if (local_flags
& LOCAL_SET_NO_PASSWORD
) {
992 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)|ACB_PWNOTREQ
, PDB_CHANGED
)) {
993 slprintf(err_str
, err_str_len
-1, "Failed to set 'no password required' flag for user %s.\n", user_name
);
994 pdb_free_sam(&sam_pass
);
997 } else if (local_flags
& LOCAL_SET_PASSWORD
) {
999 * If we're dealing with setting a completely empty user account
1000 * ie. One with a password of 'XXXX', but not set disabled (like
1001 * an account created from scratch) then if the old password was
1002 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
1003 * We remove that as we're giving this user their first password
1004 * and the decision hasn't really been made to disable them (ie.
1005 * don't create them disabled). JRA.
1007 if ((pdb_get_lanman_passwd(sam_pass
)==NULL
) && (pdb_get_acct_ctrl(sam_pass
)&ACB_DISABLED
)) {
1008 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_DISABLED
), PDB_CHANGED
)) {
1009 slprintf(err_str
, err_str_len
-1, "Failed to unset 'disabled' flag for user %s.\n", user_name
);
1010 pdb_free_sam(&sam_pass
);
1014 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_PWNOTREQ
), PDB_CHANGED
)) {
1015 slprintf(err_str
, err_str_len
-1, "Failed to unset 'no password required' flag for user %s.\n", user_name
);
1016 pdb_free_sam(&sam_pass
);
1020 if (!pdb_set_plaintext_passwd (sam_pass
, new_passwd
)) {
1021 slprintf(err_str
, err_str_len
-1, "Failed to set password for user %s.\n", user_name
);
1022 pdb_free_sam(&sam_pass
);
1027 if (local_flags
& LOCAL_ADD_USER
) {
1028 if (pdb_add_sam_account(sam_pass
)) {
1029 slprintf(msg_str
, msg_str_len
-1, "Added user %s.\n", user_name
);
1030 pdb_free_sam(&sam_pass
);
1033 slprintf(err_str
, err_str_len
-1, "Failed to add entry for user %s.\n", user_name
);
1034 pdb_free_sam(&sam_pass
);
1037 } else if (local_flags
& LOCAL_DELETE_USER
) {
1038 if (!pdb_delete_sam_account(sam_pass
)) {
1039 slprintf(err_str
,err_str_len
-1, "Failed to delete entry for user %s.\n", user_name
);
1040 pdb_free_sam(&sam_pass
);
1043 slprintf(msg_str
, msg_str_len
-1, "Deleted user %s.\n", user_name
);
1045 if(!pdb_update_sam_account(sam_pass
)) {
1046 slprintf(err_str
, err_str_len
-1, "Failed to modify entry for user %s.\n", user_name
);
1047 pdb_free_sam(&sam_pass
);
1050 if(local_flags
& LOCAL_DISABLE_USER
)
1051 slprintf(msg_str
, msg_str_len
-1, "Disabled user %s.\n", user_name
);
1052 else if (local_flags
& LOCAL_ENABLE_USER
)
1053 slprintf(msg_str
, msg_str_len
-1, "Enabled user %s.\n", user_name
);
1054 else if (local_flags
& LOCAL_SET_NO_PASSWORD
)
1055 slprintf(msg_str
, msg_str_len
-1, "User %s password set to none.\n", user_name
);
1058 pdb_free_sam(&sam_pass
);
1062 /****************************************************************************
1063 Convert a uid to SID - algorithmic.
1064 ****************************************************************************/
1066 DOM_SID
*algorithmic_uid_to_sid(DOM_SID
*psid
, uid_t uid
)
1068 if ( !lp_enable_rid_algorithm() )
1071 DEBUG(8,("algorithmic_uid_to_sid: falling back to RID algorithm\n"));
1072 sid_copy( psid
, get_global_sam_sid() );
1073 sid_append_rid( psid
, fallback_pdb_uid_to_user_rid(uid
) );
1074 DEBUG(10,("algorithmic_uid_to_sid: uid (%d) -> SID %s.\n",
1075 (unsigned int)uid
, sid_string_static(psid
) ));
1080 /****************************************************************************
1081 Convert a uid to SID - locally.
1082 ****************************************************************************/
1084 DOM_SID
*local_uid_to_sid(DOM_SID
*psid
, uid_t uid
)
1086 SAM_ACCOUNT
*sampw
= NULL
;
1087 struct passwd
*unix_pw
;
1090 unix_pw
= sys_getpwuid( uid
);
1093 DEBUG(4,("local_uid_to_sid: host has no idea of uid %lu\n", (unsigned long)uid
));
1094 return algorithmic_uid_to_sid( psid
, uid
);
1097 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw
)) ) {
1098 DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUNT object\n"));
1103 ret
= pdb_getsampwnam( sampw
, unix_pw
->pw_name
);
1107 sid_copy( psid
, pdb_get_user_sid(sampw
) );
1109 DEBUG(4,("local_uid_to_sid: User %s [uid == %lu] has no samba account\n",
1110 unix_pw
->pw_name
, (unsigned long)uid
));
1112 return algorithmic_uid_to_sid( psid
, uid
);
1115 DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n",
1116 (unsigned int)uid
, sid_string_static(psid
), unix_pw
->pw_name
));
1121 /****************************************************************************
1122 Convert a SID to uid - locally.
1123 ****************************************************************************/
1125 BOOL
local_sid_to_uid(uid_t
*puid
, const DOM_SID
*psid
, enum SID_NAME_USE
*name_type
)
1127 SAM_ACCOUNT
*sampw
= NULL
;
1128 struct passwd
*unix_pw
;
1129 const char *user_name
;
1131 *name_type
= SID_NAME_UNKNOWN
;
1134 * We can only convert to a uid if this is our local
1135 * Domain SID (ie. we are the controling authority).
1137 if (!sid_check_is_in_our_domain(psid
) ) {
1138 DEBUG(5,("local_sid_to_uid: this SID (%s) is not from our domain\n", sid_string_static(psid
)));
1142 /* lookup the user account */
1144 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw
)) ) {
1145 DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
1150 if ( !pdb_getsampwsid(sampw
, psid
) ) {
1152 DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
1153 sid_string_static(psid
)));
1158 user_name
= pdb_get_username(sampw
);
1160 unix_pw
= sys_getpwnam( user_name
);
1163 DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
1165 pdb_free_sam( &sampw
);
1169 *puid
= unix_pw
->pw_uid
;
1171 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid
),
1172 (unsigned int)*puid
, user_name
));
1174 *name_type
= SID_NAME_USER
;
1179 /****************************************************************************
1180 Convert a gid to SID - locally.
1181 ****************************************************************************/
1183 DOM_SID
*local_gid_to_sid(DOM_SID
*psid
, gid_t gid
)
1188 /* we don't need to disable winbindd since the gid is stored in
1189 the GROUP_MAP object */
1191 /* done as root since ldap backend requires root to open a connection */
1194 ret
= pdb_getgrgid( &group
, gid
);
1199 /* fallback to rid mapping if enabled */
1201 if ( lp_enable_rid_algorithm() ) {
1202 sid_copy(psid
, get_global_sam_sid());
1203 sid_append_rid(psid
, pdb_gid_to_group_rid(gid
));
1205 DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
1206 (unsigned int)gid
, sid_string_static(psid
)));
1214 sid_copy( psid
, &group
.sid
);
1216 DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n",
1217 (unsigned int)gid
, sid_string_static(psid
)));
1222 /****************************************************************************
1223 Convert a SID to gid - locally.
1224 ****************************************************************************/
1226 BOOL
local_sid_to_gid(gid_t
*pgid
, const DOM_SID
*psid
, enum SID_NAME_USE
*name_type
)
1232 *name_type
= SID_NAME_UNKNOWN
;
1234 /* This call can enumerate group mappings for foreign sids as well.
1235 So don't check for a match against our domain SID */
1237 /* we don't need to disable winbindd since the gid is stored in
1238 the GROUP_MAP object */
1241 ret
= pdb_getgrsid(&group
, *psid
);
1246 /* fallback to rid mapping if enabled */
1248 if ( lp_enable_rid_algorithm() ) {
1250 if (!sid_check_is_in_our_domain(psid
) ) {
1251 DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (%s is not)\n", sid_string_static(psid
)));
1255 if (!sid_peek_rid(psid
, &rid
)) {
1256 DEBUG(10,("local_sid_to_gid: invalid SID!\n"));
1260 DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
1262 if (fallback_pdb_rid_is_user(rid
)) {
1263 DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid
)));
1266 *pgid
= pdb_group_rid_to_gid(rid
);
1267 DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid
), (unsigned int)(*pgid
)));
1277 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid
),
1278 (unsigned int)*pgid
));
1283 /**********************************************************************
1284 Marshall/unmarshall SAM_ACCOUNT structs.
1285 *********************************************************************/
1287 #define TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
1288 #define TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
1290 /**********************************************************************
1291 Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
1292 *********************************************************************/
1294 BOOL
init_sam_from_buffer(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1296 return(init_sam_from_buffer_v1(sampass
, buf
, buflen
));
1299 /**********************************************************************
1300 Intialize a BYTE buffer from a SAM_ACCOUNT struct
1301 *********************************************************************/
1303 uint32
init_buffer_from_sam (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1305 return(init_buffer_from_sam_v1(buf
, sampass
, size_only
));
1309 BOOL
init_sam_from_buffer_v0(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1312 /* times are stored as 32bit integer
1313 take care on system with 64bit wide time_t
1319 pass_can_change_time
,
1320 pass_must_change_time
;
1333 uint32 username_len
, domain_len
, nt_username_len
,
1334 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1335 fullname_len
, homedir_len
, logon_script_len
,
1336 profile_path_len
, acct_desc_len
, workstations_len
;
1338 uint32 user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1339 uint16 acct_ctrl
, logon_divs
;
1340 uint16 bad_password_count
, logon_count
;
1342 static uint8
*lm_pw_ptr
, *nt_pw_ptr
;
1344 uint32 lm_pw_len
, nt_pw_len
, hourslen
;
1347 if(sampass
== NULL
|| buf
== NULL
) {
1348 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
1352 /* unpack the buffer into variables */
1353 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V0
,
1357 &pass_last_set_time
,
1358 &pass_can_change_time
,
1359 &pass_must_change_time
,
1360 &username_len
, &username
,
1361 &domain_len
, &domain
,
1362 &nt_username_len
, &nt_username
,
1363 &fullname_len
, &fullname
,
1364 &homedir_len
, &homedir
,
1365 &dir_drive_len
, &dir_drive
,
1366 &logon_script_len
, &logon_script
,
1367 &profile_path_len
, &profile_path
,
1368 &acct_desc_len
, &acct_desc
,
1369 &workstations_len
, &workstations
,
1370 &unknown_str_len
, &unknown_str
,
1371 &munged_dial_len
, &munged_dial
,
1374 &lm_pw_len
, &lm_pw_ptr
,
1375 &nt_pw_len
, &nt_pw_ptr
,
1377 &remove_me
, /* remove on the next TDB_FORMAT upgarde */
1381 &bad_password_count
,
1385 if (len
== (uint32
) -1) {
1390 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1391 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1392 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1393 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1394 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1395 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1397 pdb_set_username(sampass
, username
, PDB_SET
);
1398 pdb_set_domain(sampass
, domain
, PDB_SET
);
1399 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1400 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1403 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1406 pdb_set_homedir(sampass
,
1407 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1412 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1414 pdb_set_dir_drive(sampass
,
1415 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1420 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1422 pdb_set_logon_script(sampass
,
1423 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1428 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1430 pdb_set_profile_path(sampass
,
1431 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1435 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1436 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1437 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1439 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1440 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1446 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1447 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1453 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1454 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1455 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1456 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1457 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1458 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1459 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1460 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1461 pdb_set_hours(sampass
, hours
, PDB_SET
);
1465 SAFE_FREE(username
);
1467 SAFE_FREE(nt_username
);
1468 SAFE_FREE(fullname
);
1470 SAFE_FREE(dir_drive
);
1471 SAFE_FREE(logon_script
);
1472 SAFE_FREE(profile_path
);
1473 SAFE_FREE(acct_desc
);
1474 SAFE_FREE(workstations
);
1475 SAFE_FREE(munged_dial
);
1476 SAFE_FREE(unknown_str
);
1483 uint32
init_buffer_from_sam_v0 (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1487 /* times are stored as 32bit integer
1488 take care on system with 64bit wide time_t
1494 pass_can_change_time
,
1495 pass_must_change_time
;
1497 uint32 user_rid
, group_rid
;
1499 const char *username
;
1501 const char *nt_username
;
1502 const char *dir_drive
;
1503 const char *unknown_str
;
1504 const char *munged_dial
;
1505 const char *fullname
;
1506 const char *homedir
;
1507 const char *logon_script
;
1508 const char *profile_path
;
1509 const char *acct_desc
;
1510 const char *workstations
;
1511 uint32 username_len
, domain_len
, nt_username_len
,
1512 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1513 fullname_len
, homedir_len
, logon_script_len
,
1514 profile_path_len
, acct_desc_len
, workstations_len
;
1518 uint32 lm_pw_len
= 16;
1519 uint32 nt_pw_len
= 16;
1521 /* do we have a valid SAM_ACCOUNT pointer? */
1522 if (sampass
== NULL
) {
1523 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1530 logon_time
= (uint32
)pdb_get_logon_time(sampass
);
1531 logoff_time
= (uint32
)pdb_get_logoff_time(sampass
);
1532 kickoff_time
= (uint32
)pdb_get_kickoff_time(sampass
);
1533 pass_can_change_time
= (uint32
)pdb_get_pass_can_change_time(sampass
);
1534 pass_must_change_time
= (uint32
)pdb_get_pass_must_change_time(sampass
);
1535 pass_last_set_time
= (uint32
)pdb_get_pass_last_set_time(sampass
);
1537 user_rid
= pdb_get_user_rid(sampass
);
1538 group_rid
= pdb_get_group_rid(sampass
);
1540 username
= pdb_get_username(sampass
);
1542 username_len
= strlen(username
) +1;
1546 domain
= pdb_get_domain(sampass
);
1548 domain_len
= strlen(domain
) +1;
1552 nt_username
= pdb_get_nt_username(sampass
);
1554 nt_username_len
= strlen(nt_username
) +1;
1556 nt_username_len
= 0;
1558 fullname
= pdb_get_fullname(sampass
);
1560 fullname_len
= strlen(fullname
) +1;
1565 * Only updates fields which have been set (not defaults from smb.conf)
1568 if (!IS_SAM_DEFAULT(sampass
, PDB_DRIVE
))
1569 dir_drive
= pdb_get_dir_drive(sampass
);
1573 dir_drive_len
= strlen(dir_drive
) +1;
1577 if (!IS_SAM_DEFAULT(sampass
, PDB_SMBHOME
))
1578 homedir
= pdb_get_homedir(sampass
);
1582 homedir_len
= strlen(homedir
) +1;
1586 if (!IS_SAM_DEFAULT(sampass
, PDB_LOGONSCRIPT
))
1587 logon_script
= pdb_get_logon_script(sampass
);
1589 logon_script
= NULL
;
1591 logon_script_len
= strlen(logon_script
) +1;
1593 logon_script_len
= 0;
1595 if (!IS_SAM_DEFAULT(sampass
, PDB_PROFILE
))
1596 profile_path
= pdb_get_profile_path(sampass
);
1598 profile_path
= NULL
;
1600 profile_path_len
= strlen(profile_path
) +1;
1602 profile_path_len
= 0;
1604 lm_pw
= pdb_get_lanman_passwd(sampass
);
1608 nt_pw
= pdb_get_nt_passwd(sampass
);
1612 acct_desc
= pdb_get_acct_desc(sampass
);
1614 acct_desc_len
= strlen(acct_desc
) +1;
1618 workstations
= pdb_get_workstations(sampass
);
1620 workstations_len
= strlen(workstations
) +1;
1622 workstations_len
= 0;
1625 unknown_str_len
= 0;
1627 munged_dial
= pdb_get_munged_dial(sampass
);
1629 munged_dial_len
= strlen(munged_dial
) +1;
1631 munged_dial_len
= 0;
1633 /* one time to get the size needed */
1634 len
= tdb_pack(NULL
, 0, TDB_FORMAT_STRING_V0
,
1639 pass_can_change_time
,
1640 pass_must_change_time
,
1641 username_len
, username
,
1643 nt_username_len
, nt_username
,
1644 fullname_len
, fullname
,
1645 homedir_len
, homedir
,
1646 dir_drive_len
, dir_drive
,
1647 logon_script_len
, logon_script
,
1648 profile_path_len
, profile_path
,
1649 acct_desc_len
, acct_desc
,
1650 workstations_len
, workstations
,
1651 unknown_str_len
, unknown_str
,
1652 munged_dial_len
, munged_dial
,
1657 pdb_get_acct_ctrl(sampass
),
1658 0, /* was: fileds_present, to be removed on format change */
1659 pdb_get_logon_divs(sampass
),
1660 pdb_get_hours_len(sampass
),
1661 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
1662 pdb_get_bad_password_count(sampass
),
1663 pdb_get_logon_count(sampass
),
1664 pdb_get_unknown_6(sampass
));
1670 /* malloc the space needed */
1671 if ( (*buf
=(uint8
*)malloc(len
)) == NULL
) {
1672 DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
1676 /* now for the real call to tdb_pack() */
1677 buflen
= tdb_pack((char *)*buf
, len
, TDB_FORMAT_STRING_V0
,
1682 pass_can_change_time
,
1683 pass_must_change_time
,
1684 username_len
, username
,
1686 nt_username_len
, nt_username
,
1687 fullname_len
, fullname
,
1688 homedir_len
, homedir
,
1689 dir_drive_len
, dir_drive
,
1690 logon_script_len
, logon_script
,
1691 profile_path_len
, profile_path
,
1692 acct_desc_len
, acct_desc
,
1693 workstations_len
, workstations
,
1694 unknown_str_len
, unknown_str
,
1695 munged_dial_len
, munged_dial
,
1700 pdb_get_acct_ctrl(sampass
),
1701 0, /* was: fileds_present, to be removed on format change */
1702 pdb_get_logon_divs(sampass
),
1703 pdb_get_hours_len(sampass
),
1704 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
1705 pdb_get_bad_password_count(sampass
),
1706 pdb_get_logon_count(sampass
),
1707 pdb_get_unknown_6(sampass
));
1710 /* check to make sure we got it correct */
1711 if (buflen
!= len
) {
1712 DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
1713 (unsigned long)buflen
, (unsigned long)len
));
1723 BOOL
init_sam_from_buffer_v1(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1726 /* times are stored as 32bit integer
1727 take care on system with 64bit wide time_t
1734 pass_can_change_time
,
1735 pass_must_change_time
;
1748 uint32 username_len
, domain_len
, nt_username_len
,
1749 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1750 fullname_len
, homedir_len
, logon_script_len
,
1751 profile_path_len
, acct_desc_len
, workstations_len
;
1753 uint32 user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1754 uint16 acct_ctrl
, logon_divs
;
1755 uint16 bad_password_count
, logon_count
;
1757 static uint8
*lm_pw_ptr
, *nt_pw_ptr
;
1759 uint32 lm_pw_len
, nt_pw_len
, hourslen
;
1762 if(sampass
== NULL
|| buf
== NULL
) {
1763 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
1767 /* unpack the buffer into variables */
1768 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V1
,
1773 &pass_last_set_time
,
1774 &pass_can_change_time
,
1775 &pass_must_change_time
,
1776 &username_len
, &username
,
1777 &domain_len
, &domain
,
1778 &nt_username_len
, &nt_username
,
1779 &fullname_len
, &fullname
,
1780 &homedir_len
, &homedir
,
1781 &dir_drive_len
, &dir_drive
,
1782 &logon_script_len
, &logon_script
,
1783 &profile_path_len
, &profile_path
,
1784 &acct_desc_len
, &acct_desc
,
1785 &workstations_len
, &workstations
,
1786 &unknown_str_len
, &unknown_str
,
1787 &munged_dial_len
, &munged_dial
,
1790 &lm_pw_len
, &lm_pw_ptr
,
1791 &nt_pw_len
, &nt_pw_ptr
,
1797 &bad_password_count
,
1801 if (len
== (uint32
) -1) {
1806 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1807 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1808 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1809 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
1810 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1811 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1812 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1814 pdb_set_username(sampass
, username
, PDB_SET
);
1815 pdb_set_domain(sampass
, domain
, PDB_SET
);
1816 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1817 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1820 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1823 pdb_set_homedir(sampass
,
1824 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1829 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1831 pdb_set_dir_drive(sampass
,
1832 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1837 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1839 pdb_set_logon_script(sampass
,
1840 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1845 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1847 pdb_set_profile_path(sampass
,
1848 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1852 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1853 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1854 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1856 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1857 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1863 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1864 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1870 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1871 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1872 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1873 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1874 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1875 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1876 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1877 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1878 pdb_set_hours(sampass
, hours
, PDB_SET
);
1882 SAFE_FREE(username
);
1884 SAFE_FREE(nt_username
);
1885 SAFE_FREE(fullname
);
1887 SAFE_FREE(dir_drive
);
1888 SAFE_FREE(logon_script
);
1889 SAFE_FREE(profile_path
);
1890 SAFE_FREE(acct_desc
);
1891 SAFE_FREE(workstations
);
1892 SAFE_FREE(munged_dial
);
1893 SAFE_FREE(unknown_str
);
1900 uint32
init_buffer_from_sam_v1 (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1904 /* times are stored as 32bit integer
1905 take care on system with 64bit wide time_t
1912 pass_can_change_time
,
1913 pass_must_change_time
;
1915 uint32 user_rid
, group_rid
;
1917 const char *username
;
1919 const char *nt_username
;
1920 const char *dir_drive
;
1921 const char *unknown_str
;
1922 const char *munged_dial
;
1923 const char *fullname
;
1924 const char *homedir
;
1925 const char *logon_script
;
1926 const char *profile_path
;
1927 const char *acct_desc
;
1928 const char *workstations
;
1929 uint32 username_len
, domain_len
, nt_username_len
,
1930 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1931 fullname_len
, homedir_len
, logon_script_len
,
1932 profile_path_len
, acct_desc_len
, workstations_len
;
1936 uint32 lm_pw_len
= 16;
1937 uint32 nt_pw_len
= 16;
1939 /* do we have a valid SAM_ACCOUNT pointer? */
1940 if (sampass
== NULL
) {
1941 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1948 logon_time
= (uint32
)pdb_get_logon_time(sampass
);
1949 logoff_time
= (uint32
)pdb_get_logoff_time(sampass
);
1950 kickoff_time
= (uint32
)pdb_get_kickoff_time(sampass
);
1951 bad_password_time
= (uint32
)pdb_get_bad_password_time(sampass
);
1952 pass_can_change_time
= (uint32
)pdb_get_pass_can_change_time(sampass
);
1953 pass_must_change_time
= (uint32
)pdb_get_pass_must_change_time(sampass
);
1954 pass_last_set_time
= (uint32
)pdb_get_pass_last_set_time(sampass
);
1956 user_rid
= pdb_get_user_rid(sampass
);
1957 group_rid
= pdb_get_group_rid(sampass
);
1959 username
= pdb_get_username(sampass
);
1961 username_len
= strlen(username
) +1;
1965 domain
= pdb_get_domain(sampass
);
1967 domain_len
= strlen(domain
) +1;
1971 nt_username
= pdb_get_nt_username(sampass
);
1973 nt_username_len
= strlen(nt_username
) +1;
1975 nt_username_len
= 0;
1977 fullname
= pdb_get_fullname(sampass
);
1979 fullname_len
= strlen(fullname
) +1;
1984 * Only updates fields which have been set (not defaults from smb.conf)
1987 if (!IS_SAM_DEFAULT(sampass
, PDB_DRIVE
))
1988 dir_drive
= pdb_get_dir_drive(sampass
);
1992 dir_drive_len
= strlen(dir_drive
) +1;
1996 if (!IS_SAM_DEFAULT(sampass
, PDB_SMBHOME
))
1997 homedir
= pdb_get_homedir(sampass
);
2001 homedir_len
= strlen(homedir
) +1;
2005 if (!IS_SAM_DEFAULT(sampass
, PDB_LOGONSCRIPT
))
2006 logon_script
= pdb_get_logon_script(sampass
);
2008 logon_script
= NULL
;
2010 logon_script_len
= strlen(logon_script
) +1;
2012 logon_script_len
= 0;
2014 if (!IS_SAM_DEFAULT(sampass
, PDB_PROFILE
))
2015 profile_path
= pdb_get_profile_path(sampass
);
2017 profile_path
= NULL
;
2019 profile_path_len
= strlen(profile_path
) +1;
2021 profile_path_len
= 0;
2023 lm_pw
= pdb_get_lanman_passwd(sampass
);
2027 nt_pw
= pdb_get_nt_passwd(sampass
);
2031 acct_desc
= pdb_get_acct_desc(sampass
);
2033 acct_desc_len
= strlen(acct_desc
) +1;
2037 workstations
= pdb_get_workstations(sampass
);
2039 workstations_len
= strlen(workstations
) +1;
2041 workstations_len
= 0;
2044 unknown_str_len
= 0;
2046 munged_dial
= pdb_get_munged_dial(sampass
);
2048 munged_dial_len
= strlen(munged_dial
) +1;
2050 munged_dial_len
= 0;
2052 /* one time to get the size needed */
2053 len
= tdb_pack(NULL
, 0, TDB_FORMAT_STRING_V1
,
2059 pass_can_change_time
,
2060 pass_must_change_time
,
2061 username_len
, username
,
2063 nt_username_len
, nt_username
,
2064 fullname_len
, fullname
,
2065 homedir_len
, homedir
,
2066 dir_drive_len
, dir_drive
,
2067 logon_script_len
, logon_script
,
2068 profile_path_len
, profile_path
,
2069 acct_desc_len
, acct_desc
,
2070 workstations_len
, workstations
,
2071 unknown_str_len
, unknown_str
,
2072 munged_dial_len
, munged_dial
,
2077 pdb_get_acct_ctrl(sampass
),
2079 pdb_get_logon_divs(sampass
),
2080 pdb_get_hours_len(sampass
),
2081 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
2082 pdb_get_bad_password_count(sampass
),
2083 pdb_get_logon_count(sampass
),
2084 pdb_get_unknown_6(sampass
));
2090 /* malloc the space needed */
2091 if ( (*buf
=(uint8
*)malloc(len
)) == NULL
) {
2092 DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
2096 /* now for the real call to tdb_pack() */
2097 buflen
= tdb_pack((char *)*buf
, len
, TDB_FORMAT_STRING_V1
,
2103 pass_can_change_time
,
2104 pass_must_change_time
,
2105 username_len
, username
,
2107 nt_username_len
, nt_username
,
2108 fullname_len
, fullname
,
2109 homedir_len
, homedir
,
2110 dir_drive_len
, dir_drive
,
2111 logon_script_len
, logon_script
,
2112 profile_path_len
, profile_path
,
2113 acct_desc_len
, acct_desc
,
2114 workstations_len
, workstations
,
2115 unknown_str_len
, unknown_str
,
2116 munged_dial_len
, munged_dial
,
2121 pdb_get_acct_ctrl(sampass
),
2123 pdb_get_logon_divs(sampass
),
2124 pdb_get_hours_len(sampass
),
2125 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
2126 pdb_get_bad_password_count(sampass
),
2127 pdb_get_logon_count(sampass
),
2128 pdb_get_unknown_6(sampass
));
2131 /* check to make sure we got it correct */
2132 if (buflen
!= len
) {
2133 DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2134 (unsigned long)buflen
, (unsigned long)len
));
2144 /**********************************************************************
2145 **********************************************************************/
2147 static BOOL
get_free_ugid_range(uint32
*low
, uint32
*high
)
2149 uid_t u_low
, u_high
;
2150 gid_t g_low
, g_high
;
2152 if (!lp_idmap_uid(&u_low
, &u_high
) || !lp_idmap_gid(&g_low
, &g_high
)) {
2156 *low
= (u_low
< g_low
) ? u_low
: g_low
;
2157 *high
= (u_high
< g_high
) ? u_high
: g_high
;
2162 /******************************************************************
2163 Get the the non-algorithmic RID range if idmap range are defined
2164 ******************************************************************/
2166 BOOL
get_free_rid_range(uint32
*low
, uint32
*high
)
2168 uint32 id_low
, id_high
;
2170 if (!lp_enable_rid_algorithm()) {
2175 if (!get_free_ugid_range(&id_low
, &id_high
)) {
2179 *low
= fallback_pdb_uid_to_user_rid(id_low
);
2180 if (fallback_pdb_user_rid_to_uid((uint32
)-1) < id_high
) {
2183 *high
= fallback_pdb_uid_to_user_rid(id_high
);
2189 /*********************************************************************
2190 Update the bad password count checking the AP_RESET_COUNT_TIME
2191 *********************************************************************/
2193 BOOL
pdb_update_bad_password_count(SAM_ACCOUNT
*sampass
, BOOL
*updated
)
2195 time_t LastBadPassword
;
2196 uint16 BadPasswordCount
;
2199 if (!sampass
) return False
;
2201 BadPasswordCount
= pdb_get_bad_password_count(sampass
);
2202 if (!BadPasswordCount
) {
2203 DEBUG(9, ("No bad password attempts.\n"));
2207 if (!account_policy_get(AP_RESET_COUNT_TIME
, &resettime
)) {
2208 DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
2212 /* First, check if there is a reset time to compare */
2213 if ((resettime
== (uint32
) -1) || (resettime
== 0)) {
2214 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2218 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2219 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2220 (uint32
) LastBadPassword
, resettime
, (uint32
)time(NULL
)));
2221 if (time(NULL
) > (LastBadPassword
+ (time_t)resettime
*60)){
2222 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
2223 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
2224 if (updated
) *updated
= True
;
2230 /*********************************************************************
2231 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
2232 *********************************************************************/
2234 BOOL
pdb_update_autolock_flag(SAM_ACCOUNT
*sampass
, BOOL
*updated
)
2237 time_t LastBadPassword
;
2239 if (!sampass
) return False
;
2241 if (!(pdb_get_acct_ctrl(sampass
) & ACB_AUTOLOCK
)) {
2242 DEBUG(9, ("Account not autolocked, no check needed\n"));
2246 if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION
, &duration
)) {
2247 DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
2251 /* First, check if there is a duration to compare */
2252 if ((duration
== (uint32
) -1) || (duration
== 0)) {
2253 DEBUG(9, ("No reset duration, can't reset autolock\n"));
2257 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2258 DEBUG(7, ("LastBadPassword=%d, duration=%d, current time =%d.\n",
2259 (uint32
)LastBadPassword
, duration
*60, (uint32
)time(NULL
)));
2260 if ((time(NULL
) > (LastBadPassword
+ (time_t) duration
* 60))) {
2261 pdb_set_acct_ctrl(sampass
,
2262 pdb_get_acct_ctrl(sampass
) & ~ACB_AUTOLOCK
,
2264 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
2265 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
2266 if (updated
) *updated
= True
;
2272 /*********************************************************************
2273 Increment the bad_password_count
2274 *********************************************************************/
2276 BOOL
pdb_increment_bad_password_count(SAM_ACCOUNT
*sampass
)
2278 uint32 account_policy_lockout
;
2279 BOOL autolock_updated
= False
, badpw_updated
= False
;
2284 /* Retrieve the account lockout policy */
2285 if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
,
2286 &account_policy_lockout
)) {
2287 DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
2291 /* If there is no policy, we don't need to continue checking */
2292 if (!account_policy_lockout
) {
2293 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2297 /* Check if the autolock needs to be cleared */
2298 if (!pdb_update_autolock_flag(sampass
, &autolock_updated
))
2301 /* Check if the badpw count needs to be reset */
2302 if (!pdb_update_bad_password_count(sampass
, &badpw_updated
))
2306 Ok, now we can assume that any resetting that needs to be
2307 done has been done, and just get on with incrementing
2308 and autolocking if necessary
2311 pdb_set_bad_password_count(sampass
,
2312 pdb_get_bad_password_count(sampass
)+1,
2314 pdb_set_bad_password_time(sampass
, time(NULL
), PDB_CHANGED
);
2317 if (pdb_get_bad_password_count(sampass
) < account_policy_lockout
)
2320 if (!pdb_set_acct_ctrl(sampass
,
2321 pdb_get_acct_ctrl(sampass
) | ACB_AUTOLOCK
,
2323 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));