2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2001
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_PASSDB
30 /******************************************************************
31 get the default domain/netbios name to be used when
32 testing authentication. For example, if you connect
33 to a Windows member server using a bogus domain name, the
34 Windows box will map the BOGUS\user to DOMAIN\user. A
35 standalone box will map to WKS\user.
36 ******************************************************************/
38 const char *get_default_sam_name(void)
40 /* standalone servers can only use the local netbios name */
41 if ( lp_server_role() == ROLE_STANDALONE
)
42 return global_myname();
44 /* Windows domain members default to the DOMAIN
45 name when not specified */
46 return lp_workgroup();
49 /******************************************************************
50 get the default domain/netbios name to be used when dealing
51 with our passdb list of accounts
52 ******************************************************************/
54 const char *get_global_sam_name(void)
56 if ((lp_server_role() == ROLE_DOMAIN_PDC
) || (lp_server_role() == ROLE_DOMAIN_BDC
)) {
57 return lp_workgroup();
59 return global_myname();
62 /************************************************************
63 Fill the SAM_ACCOUNT with default values.
64 ***********************************************************/
66 void pdb_fill_default_sam(SAM_ACCOUNT
*user
)
68 ZERO_STRUCT(user
->private); /* Don't touch the talloc context */
70 /* no initial methods */
73 /* Don't change these timestamp settings without a good reason.
74 They are important for NT member server compatibility. */
76 user
->private.logon_time
= (time_t)0;
77 user
->private.pass_last_set_time
= (time_t)0;
78 user
->private.pass_can_change_time
= (time_t)0;
79 user
->private.logoff_time
=
80 user
->private.kickoff_time
=
81 user
->private.pass_must_change_time
= get_time_t_max();
82 user
->private.fields_present
= 0x00ffffff;
83 user
->private.logon_divs
= 168; /* hours per week */
84 user
->private.hours_len
= 21; /* 21 times 8 bits = 168 */
85 memset(user
->private.hours
, 0xff, user
->private.hours_len
); /* available at all hours */
86 user
->private.bad_password_count
= 0;
87 user
->private.logon_count
= 0;
88 user
->private.unknown_6
= 0x000004ec; /* don't know */
90 /* Some parts of samba strlen their pdb_get...() returns,
91 so this keeps the interface unchanged for now. */
93 user
->private.username
= "";
94 user
->private.domain
= "";
95 user
->private.nt_username
= "";
96 user
->private.full_name
= "";
97 user
->private.home_dir
= "";
98 user
->private.logon_script
= "";
99 user
->private.profile_path
= "";
100 user
->private.acct_desc
= "";
101 user
->private.workstations
= "";
102 user
->private.unknown_str
= "";
103 user
->private.munged_dial
= "";
105 user
->private.plaintext_pw
= NULL
;
108 Unless we know otherwise have a Account Control Bit
109 value of 'normal user'. This helps User Manager, which
110 asks for a filtered list of users.
113 user
->private.acct_ctrl
= ACB_NORMAL
;
116 static void destroy_pdb_talloc(SAM_ACCOUNT
**user
)
119 data_blob_clear_free(&((*user
)->private.lm_pw
));
120 data_blob_clear_free(&((*user
)->private.nt_pw
));
122 if((*user
)->private.plaintext_pw
!=NULL
)
123 memset((*user
)->private.plaintext_pw
,'\0',strlen((*user
)->private.plaintext_pw
));
124 talloc_destroy((*user
)->mem_ctx
);
130 /**********************************************************************
131 Allocates memory and initialises a struct sam_passwd on supplied mem_ctx.
132 ***********************************************************************/
134 NTSTATUS
pdb_init_sam_talloc(TALLOC_CTX
*mem_ctx
, SAM_ACCOUNT
**user
)
137 DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
139 smb_panic("non-NULL pointer passed to pdb_init_sam\n");
141 return NT_STATUS_UNSUCCESSFUL
;
145 DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
146 return NT_STATUS_UNSUCCESSFUL
;
149 *user
=(SAM_ACCOUNT
*)talloc(mem_ctx
, sizeof(SAM_ACCOUNT
));
152 DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
153 return NT_STATUS_NO_MEMORY
;
156 (*user
)->mem_ctx
= mem_ctx
;
158 (*user
)->free_fn
= NULL
;
160 pdb_fill_default_sam(*user
);
166 /*************************************************************
167 Allocates memory and initialises a struct sam_passwd.
168 ************************************************************/
170 NTSTATUS
pdb_init_sam(SAM_ACCOUNT
**user
)
175 mem_ctx
= talloc_init("passdb internal SAM_ACCOUNT allocation");
178 DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
179 return NT_STATUS_NO_MEMORY
;
182 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_talloc(mem_ctx
, user
))) {
183 talloc_destroy(mem_ctx
);
187 (*user
)->free_fn
= destroy_pdb_talloc
;
192 /**************************************************************************
193 * This function will take care of all the steps needed to correctly
194 * allocate and set the user SID, please do use this function to create new
195 * users, messing with SIDs is not good.
197 * account_data must be provided initialized, pwd may be null.
199 ***************************************************************************/
201 static NTSTATUS
pdb_set_sam_sids(SAM_ACCOUNT
*account_data
, const struct passwd
*pwd
)
203 const char *guest_account
= lp_guestaccount();
207 if (!account_data
|| !pwd
) {
208 return NT_STATUS_INVALID_PARAMETER
;
211 /* this is a hack this thing should not be set
213 if (!(guest_account
&& *guest_account
)) {
214 DEBUG(1, ("NULL guest account!?!?\n"));
215 return NT_STATUS_UNSUCCESSFUL
;
217 /* Ensure this *must* be set right */
218 if (strcmp(pwd
->pw_name
, guest_account
) == 0) {
219 if (!pdb_set_user_sid_from_rid(account_data
, DOMAIN_USER_RID_GUEST
, PDB_DEFAULT
)) {
220 return NT_STATUS_UNSUCCESSFUL
;
222 if (!pdb_set_group_sid_from_rid(account_data
, DOMAIN_GROUP_RID_GUESTS
, PDB_DEFAULT
)) {
223 return NT_STATUS_UNSUCCESSFUL
;
229 if (!pdb_set_user_sid_from_rid(account_data
, fallback_pdb_uid_to_user_rid(pwd
->pw_uid
), PDB_SET
)) {
230 DEBUG(0,("Can't set User SID from RID!\n"));
231 return NT_STATUS_INVALID_PARAMETER
;
234 /* call the mapping code here */
236 ret
= pdb_getgrgid(&map
, pwd
->pw_gid
);
240 if (!pdb_set_group_sid(account_data
, &map
.sid
, PDB_SET
)){
241 DEBUG(0,("Can't set Group SID!\n"));
242 return NT_STATUS_INVALID_PARAMETER
;
246 if (!pdb_set_group_sid_from_rid(account_data
, pdb_gid_to_group_rid(pwd
->pw_gid
), PDB_SET
)) {
247 DEBUG(0,("Can't set Group SID\n"));
248 return NT_STATUS_INVALID_PARAMETER
;
255 /*************************************************************
256 Initialises a struct sam_passwd with sane values.
257 ************************************************************/
259 NTSTATUS
pdb_fill_sam_pw(SAM_ACCOUNT
*sam_account
, const struct passwd
*pwd
)
264 return NT_STATUS_UNSUCCESSFUL
;
267 pdb_fill_default_sam(sam_account
);
269 pdb_set_username(sam_account
, pwd
->pw_name
, PDB_SET
);
270 pdb_set_fullname(sam_account
, pwd
->pw_gecos
, PDB_SET
);
272 pdb_set_unix_homedir(sam_account
, pwd
->pw_dir
, PDB_SET
);
274 pdb_set_domain (sam_account
, get_global_sam_name(), PDB_DEFAULT
);
276 /* When we get a proper uid -> SID and SID -> uid allocation
277 mechinism, we should call it here.
279 We can't just set this to 0 or allow it only to be filled
280 in when added to the backend, because the user's SID
281 may already be in security descriptors etc.
283 -- abartlet 11-May-02
286 ret
= pdb_set_sam_sids(sam_account
, pwd
);
287 if (!NT_STATUS_IS_OK(ret
)) return ret
;
289 /* check if this is a user account or a machine account */
290 if (pwd
->pw_name
[strlen(pwd
->pw_name
)-1] != '$')
292 pdb_set_profile_path(sam_account
,
293 talloc_sub_specified((sam_account
)->mem_ctx
,
295 pwd
->pw_name
, global_myname(),
296 pwd
->pw_uid
, pwd
->pw_gid
),
299 pdb_set_homedir(sam_account
,
300 talloc_sub_specified((sam_account
)->mem_ctx
,
302 pwd
->pw_name
, global_myname(),
303 pwd
->pw_uid
, pwd
->pw_gid
),
306 pdb_set_dir_drive(sam_account
,
307 talloc_sub_specified((sam_account
)->mem_ctx
,
309 pwd
->pw_name
, global_myname(),
310 pwd
->pw_uid
, pwd
->pw_gid
),
313 pdb_set_logon_script(sam_account
,
314 talloc_sub_specified((sam_account
)->mem_ctx
,
316 pwd
->pw_name
, global_myname(),
317 pwd
->pw_uid
, pwd
->pw_gid
),
319 if (!pdb_set_acct_ctrl(sam_account
, ACB_NORMAL
, PDB_DEFAULT
)) {
320 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd
->pw_name
));
321 return NT_STATUS_UNSUCCESSFUL
;
324 if (!pdb_set_acct_ctrl(sam_account
, ACB_WSTRUST
, PDB_DEFAULT
)) {
325 DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd
->pw_name
));
326 return NT_STATUS_UNSUCCESSFUL
;
333 /*************************************************************
334 Initialises a struct sam_passwd with sane values.
335 ************************************************************/
337 NTSTATUS
pdb_init_sam_pw(SAM_ACCOUNT
**new_sam_acct
, const struct passwd
*pwd
)
343 return NT_STATUS_INVALID_PARAMETER
;
346 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam(new_sam_acct
))) {
351 if (!NT_STATUS_IS_OK(nt_status
= pdb_fill_sam_pw(*new_sam_acct
, pwd
))) {
352 pdb_free_sam(new_sam_acct
);
361 /*************************************************************
362 Initialises a SAM_ACCOUNT ready to add a new account, based
363 on the UNIX user. Pass in a RID if you have one
364 ************************************************************/
366 NTSTATUS
pdb_init_sam_new(SAM_ACCOUNT
**new_sam_acct
, const char *username
,
369 NTSTATUS nt_status
= NT_STATUS_NO_MEMORY
;
373 pwd
= Get_Pwnam(username
);
376 return NT_STATUS_NO_SUCH_USER
;
378 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_sam_pw(new_sam_acct
, pwd
))) {
379 *new_sam_acct
= NULL
;
383 /* see if we need to generate a new rid using the 2.2 algorithm */
384 if ( rid
== 0 && lp_enable_rid_algorithm() ) {
385 DEBUG(10,("pdb_init_sam_new: no RID specified. Generating one via old algorithm\n"));
386 rid
= fallback_pdb_uid_to_user_rid(pwd
->pw_uid
);
389 /* set the new SID */
391 ret
= pdb_set_user_sid_from_rid( *new_sam_acct
, rid
, PDB_SET
);
393 return (ret
? NT_STATUS_OK
: NT_STATUS_NO_SUCH_USER
);
398 * Free the contets of the SAM_ACCOUNT, but not the structure.
400 * Also wipes the LM and NT hashes and plaintext password from
403 * @param user SAM_ACCOUNT to free members of.
406 static void pdb_free_sam_contents(SAM_ACCOUNT
*user
)
409 /* Kill off sensitive data. Free()ed by the
412 data_blob_clear_free(&(user
->private.lm_pw
));
413 data_blob_clear_free(&(user
->private.nt_pw
));
414 if (user
->private.plaintext_pw
!=NULL
)
415 memset(user
->private.plaintext_pw
,'\0',strlen(user
->private.plaintext_pw
));
417 if (user
->private.backend_private_data
&& user
->private.backend_private_data_free_fn
) {
418 user
->private.backend_private_data_free_fn(&user
->private.backend_private_data
);
423 /************************************************************
424 Reset the SAM_ACCOUNT and free the NT/LM hashes.
425 ***********************************************************/
427 NTSTATUS
pdb_reset_sam(SAM_ACCOUNT
*user
)
430 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
432 smb_panic("NULL pointer passed to pdb_free_sam\n");
434 return NT_STATUS_UNSUCCESSFUL
;
437 pdb_free_sam_contents(user
);
439 pdb_fill_default_sam(user
);
445 /************************************************************
446 Free the SAM_ACCOUNT and the member pointers.
447 ***********************************************************/
449 NTSTATUS
pdb_free_sam(SAM_ACCOUNT
**user
)
452 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
454 smb_panic("NULL pointer passed to pdb_free_sam\n");
456 return NT_STATUS_UNSUCCESSFUL
;
459 pdb_free_sam_contents(*user
);
461 if ((*user
)->free_fn
) {
462 (*user
)->free_fn(user
);
468 /**********************************************************
469 Encode the account control bits into a string.
470 length = length of string to encode into (including terminating
471 null). length *MUST BE MORE THAN 2* !
472 **********************************************************/
474 char *pdb_encode_acct_ctrl(uint16 acct_ctrl
, size_t length
)
476 static fstring acct_str
;
480 SMB_ASSERT(length
<= sizeof(acct_str
));
484 if (acct_ctrl
& ACB_PWNOTREQ
) acct_str
[i
++] = 'N';
485 if (acct_ctrl
& ACB_DISABLED
) acct_str
[i
++] = 'D';
486 if (acct_ctrl
& ACB_HOMDIRREQ
) acct_str
[i
++] = 'H';
487 if (acct_ctrl
& ACB_TEMPDUP
) acct_str
[i
++] = 'T';
488 if (acct_ctrl
& ACB_NORMAL
) acct_str
[i
++] = 'U';
489 if (acct_ctrl
& ACB_MNS
) acct_str
[i
++] = 'M';
490 if (acct_ctrl
& ACB_WSTRUST
) acct_str
[i
++] = 'W';
491 if (acct_ctrl
& ACB_SVRTRUST
) acct_str
[i
++] = 'S';
492 if (acct_ctrl
& ACB_AUTOLOCK
) acct_str
[i
++] = 'L';
493 if (acct_ctrl
& ACB_PWNOEXP
) acct_str
[i
++] = 'X';
494 if (acct_ctrl
& ACB_DOMTRUST
) acct_str
[i
++] = 'I';
496 for ( ; i
< length
- 2 ; i
++ )
501 acct_str
[i
++] = '\0';
506 /**********************************************************
507 Decode the account control bits from a string.
508 **********************************************************/
510 uint16
pdb_decode_acct_ctrl(const char *p
)
512 uint16 acct_ctrl
= 0;
513 BOOL finished
= False
;
516 * Check if the account type bits have been encoded after the
517 * NT password (in the form [NDHTUWSLXI]).
523 for (p
++; *p
&& !finished
; p
++) {
525 case 'N': { acct_ctrl
|= ACB_PWNOTREQ
; break; /* 'N'o password. */ }
526 case 'D': { acct_ctrl
|= ACB_DISABLED
; break; /* 'D'isabled. */ }
527 case 'H': { acct_ctrl
|= ACB_HOMDIRREQ
; break; /* 'H'omedir required. */ }
528 case 'T': { acct_ctrl
|= ACB_TEMPDUP
; break; /* 'T'emp account. */ }
529 case 'U': { acct_ctrl
|= ACB_NORMAL
; break; /* 'U'ser account (normal). */ }
530 case 'M': { acct_ctrl
|= ACB_MNS
; break; /* 'M'NS logon user account. What is this ? */ }
531 case 'W': { acct_ctrl
|= ACB_WSTRUST
; break; /* 'W'orkstation account. */ }
532 case 'S': { acct_ctrl
|= ACB_SVRTRUST
; break; /* 'S'erver account. */ }
533 case 'L': { acct_ctrl
|= ACB_AUTOLOCK
; break; /* 'L'ocked account. */ }
534 case 'X': { acct_ctrl
|= ACB_PWNOEXP
; break; /* No 'X'piry on password */ }
535 case 'I': { acct_ctrl
|= ACB_DOMTRUST
; break; /* 'I'nterdomain trust account. */ }
541 default: { finished
= True
; }
548 /*************************************************************
549 Routine to set 32 hex password characters from a 16 byte array.
550 **************************************************************/
552 void pdb_sethexpwd(char *p
, const unsigned char *pwd
, uint16 acct_ctrl
)
556 for (i
= 0; i
< 16; i
++)
557 slprintf(&p
[i
*2], 3, "%02X", pwd
[i
]);
559 if (acct_ctrl
& ACB_PWNOTREQ
)
560 safe_strcpy(p
, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
562 safe_strcpy(p
, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
566 /*************************************************************
567 Routine to get the 32 hex characters and turn them
568 into a 16 byte array.
569 **************************************************************/
571 BOOL
pdb_gethexpwd(const char *p
, unsigned char *pwd
)
574 unsigned char lonybble
, hinybble
;
575 const char *hexchars
= "0123456789ABCDEF";
581 for (i
= 0; i
< 32; i
+= 2) {
582 hinybble
= toupper(p
[i
]);
583 lonybble
= toupper(p
[i
+ 1]);
585 p1
= strchr(hexchars
, hinybble
);
586 p2
= strchr(hexchars
, lonybble
);
591 hinybble
= PTR_DIFF(p1
, hexchars
);
592 lonybble
= PTR_DIFF(p2
, hexchars
);
594 pwd
[i
/ 2] = (hinybble
<< 4) | lonybble
;
599 int algorithmic_rid_base(void)
601 static int rid_offset
= 0;
606 rid_offset
= lp_algorithmic_rid_base();
608 if (rid_offset
< BASE_RID
) {
609 /* Try to prevent admin foot-shooting, we can't put algorithmic
610 rids below 1000, that's the 'well known RIDs' on NT */
611 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID
));
612 rid_offset
= BASE_RID
;
614 if (rid_offset
& 1) {
615 DEBUG(0, ("algorithmic rid base must be even\n"));
621 /*******************************************************************
622 Converts NT user RID to a UNIX uid.
623 ********************************************************************/
625 uid_t
fallback_pdb_user_rid_to_uid(uint32 user_rid
)
627 int rid_offset
= algorithmic_rid_base();
628 return (uid_t
)(((user_rid
& (~USER_RID_TYPE
)) - rid_offset
)/RID_MULTIPLIER
);
631 /*******************************************************************
632 converts UNIX uid to an NT User RID.
633 ********************************************************************/
635 uint32
fallback_pdb_uid_to_user_rid(uid_t uid
)
637 int rid_offset
= algorithmic_rid_base();
638 return (((((uint32
)uid
)*RID_MULTIPLIER
) + rid_offset
) | USER_RID_TYPE
);
641 /*******************************************************************
642 Converts NT group RID to a UNIX gid.
643 ********************************************************************/
645 gid_t
pdb_group_rid_to_gid(uint32 group_rid
)
647 int rid_offset
= algorithmic_rid_base();
648 return (gid_t
)(((group_rid
& (~GROUP_RID_TYPE
))- rid_offset
)/RID_MULTIPLIER
);
651 /*******************************************************************
652 converts NT Group RID to a UNIX uid.
654 warning: you must not call that function only
655 you must do a call to the group mapping first.
656 there is not anymore a direct link between the gid and the rid.
657 ********************************************************************/
659 uint32
pdb_gid_to_group_rid(gid_t gid
)
661 int rid_offset
= algorithmic_rid_base();
662 return (((((uint32
)gid
)*RID_MULTIPLIER
) + rid_offset
) | GROUP_RID_TYPE
);
665 /*******************************************************************
666 Decides if a RID is a well known RID.
667 ********************************************************************/
669 static BOOL
pdb_rid_is_well_known(uint32 rid
)
671 /* Not using rid_offset here, because this is the actual
672 NT fixed value (1000) */
674 return (rid
< BASE_RID
);
677 /*******************************************************************
678 Decides if a RID is a user or group RID.
679 ********************************************************************/
681 BOOL
fallback_pdb_rid_is_user(uint32 rid
)
683 /* lkcl i understand that NT attaches an enumeration to a RID
684 * such that it can be identified as either a user, group etc
685 * type. there are 5 such categories, and they are documented.
687 /* However, they are not in the RID, just somthing you can query
688 seperatly. Sorry luke :-) */
690 if(pdb_rid_is_well_known(rid
)) {
692 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
693 * and DOMAIN_USER_RID_GUEST.
695 if(rid
== DOMAIN_USER_RID_ADMIN
|| rid
== DOMAIN_USER_RID_GUEST
)
697 } else if((rid
& RID_TYPE_MASK
) == USER_RID_TYPE
) {
703 /*******************************************************************
704 Convert a rid into a name. Used in the lookup SID rpc.
705 ********************************************************************/
707 BOOL
local_lookup_sid(DOM_SID
*sid
, char *name
, enum SID_NAME_USE
*psid_name_use
)
710 SAM_ACCOUNT
*sam_account
= NULL
;
714 if (!sid_peek_check_rid(get_global_sam_sid(), sid
, &rid
)){
715 DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
716 sid_string_static(&map
.sid
)));
719 *psid_name_use
= SID_NAME_UNKNOWN
;
721 DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid
));
723 if (rid
== DOMAIN_USER_RID_ADMIN
) {
724 const char **admin_list
= lp_admin_users(-1);
725 *psid_name_use
= SID_NAME_USER
;
727 const char *p
= *admin_list
;
728 if(!next_token(&p
, name
, NULL
, sizeof(fstring
)))
729 fstrcpy(name
, "Administrator");
731 fstrcpy(name
, "Administrator");
736 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account
))) {
740 /* see if the passdb can help us with the name of the user */
742 /* BEING ROOT BLLOCK */
744 if (pdb_getsampwsid(sam_account
, sid
)) {
745 unbecome_root(); /* -----> EXIT BECOME_ROOT() */
746 fstrcpy(name
, pdb_get_username(sam_account
));
747 *psid_name_use
= SID_NAME_USER
;
749 pdb_free_sam(&sam_account
);
753 pdb_free_sam(&sam_account
);
755 ret
= pdb_getgrsid(&map
, *sid
);
757 /* END BECOME_ROOT BLOCK */
760 if (map
.gid
!=(gid_t
)-1) {
761 DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map
.nt_name
, (unsigned int)map
.gid
));
763 DEBUG(5,("local_lookup_sid: mapped group %s to no unix gid. Returning name.\n", map
.nt_name
));
766 fstrcpy(name
, map
.nt_name
);
767 *psid_name_use
= map
.sid_name_use
;
771 if (fallback_pdb_rid_is_user(rid
)) {
773 struct passwd
*pw
= NULL
;
775 DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid
));
777 uid
= fallback_pdb_user_rid_to_uid(rid
);
778 pw
= sys_getpwuid( uid
);
780 DEBUG(5,("local_lookup_sid: looking up uid %u %s\n", (unsigned int)uid
,
781 pw
? "succeeded" : "failed" ));
784 fstr_sprintf(name
, "unix_user.%u", (unsigned int)uid
);
786 fstrcpy( name
, pw
->pw_name
);
788 DEBUG(5,("local_lookup_sid: found user %s for rid %u\n", name
,
789 (unsigned int)rid
));
791 *psid_name_use
= SID_NAME_USER
;
793 return ( pw
!= NULL
);
798 DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid
));
800 gid
= pdb_group_rid_to_gid(rid
);
803 *psid_name_use
= SID_NAME_ALIAS
;
805 DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid
,
806 gr
? "succeeded" : "failed" ));
809 fstr_sprintf(name
, "unix_group.%u", (unsigned int)gid
);
811 fstrcpy( name
, gr
->gr_name
);
813 DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name
,
814 (unsigned int)rid
));
816 /* assume fallback groups aer domain global groups */
818 *psid_name_use
= SID_NAME_DOM_GRP
;
820 return ( gr
!= NULL
);
824 /*******************************************************************
825 Convert a name into a SID. Used in the lookup name rpc.
826 ********************************************************************/
828 BOOL
local_lookup_name(const char *c_user
, DOM_SID
*psid
, enum SID_NAME_USE
*psid_name_use
)
830 extern DOM_SID global_sid_World_Domain
;
833 SAM_ACCOUNT
*sam_account
= NULL
;
837 *psid_name_use
= SID_NAME_UNKNOWN
;
840 * user may be quoted a const string, and map_username and
841 * friends can modify it. Make a modifiable copy. JRA.
844 fstrcpy(user
, c_user
);
846 sid_copy(&local_sid
, get_global_sam_sid());
849 * Special case for MACHINE\Everyone. Map to the world_sid.
852 if(strequal(user
, "Everyone")) {
853 sid_copy( psid
, &global_sid_World_Domain
);
854 sid_append_rid(psid
, 0);
855 *psid_name_use
= SID_NAME_ALIAS
;
859 (void)map_username(user
);
861 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account
))) {
865 /* BEGIN ROOT BLOCK */
868 if (pdb_getsampwnam(sam_account
, user
)) {
870 sid_copy(psid
, pdb_get_user_sid(sam_account
));
871 *psid_name_use
= SID_NAME_USER
;
873 pdb_free_sam(&sam_account
);
877 pdb_free_sam(&sam_account
);
880 * Maybe it was a group ?
883 /* check if it's a mapped group */
884 if (pdb_getgrnam(&map
, user
)) {
885 /* yes it's a mapped group */
886 sid_copy(&local_sid
, &map
.sid
);
887 *psid_name_use
= map
.sid_name_use
;
889 /* it's not a mapped group */
890 grp
= getgrnam(user
);
892 unbecome_root(); /* ---> exit form block */
897 *check if it's mapped, if it is reply it doesn't exist
899 * that's to prevent this case:
901 * unix group ug is mapped to nt group ng
902 * someone does a lookup on ug
903 * we must not reply as it doesn't "exist" anymore
904 * for NT. For NT only ng exists.
908 if (pdb_getgrgid(&map
, grp
->gr_gid
)){
909 unbecome_root(); /* ---> exit form block */
913 sid_append_rid( &local_sid
, pdb_gid_to_group_rid(grp
->gr_gid
));
914 *psid_name_use
= SID_NAME_ALIAS
;
919 sid_copy( psid
, &local_sid
);
924 /*************************************************************
925 Change a password entry in the local smbpasswd file.
926 *************************************************************/
928 BOOL
local_password_change(const char *user_name
, int local_flags
,
929 const char *new_passwd
,
930 char *err_str
, size_t err_str_len
,
931 char *msg_str
, size_t msg_str_len
)
933 SAM_ACCOUNT
*sam_pass
=NULL
;
939 /* Get the smb passwd entry for this user */
940 pdb_init_sam(&sam_pass
);
943 if(!pdb_getsampwnam(sam_pass
, user_name
)) {
945 pdb_free_sam(&sam_pass
);
947 if ((local_flags
& LOCAL_ADD_USER
) || (local_flags
& LOCAL_DELETE_USER
)) {
948 /* Might not exist in /etc/passwd. Use rid algorithm here */
949 if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass
, user_name
, 0))) {
950 slprintf(err_str
, err_str_len
-1, "Failed to initialise SAM_ACCOUNT for user %s.\n", user_name
);
954 slprintf(err_str
, err_str_len
-1,"Failed to find entry for user %s.\n", user_name
);
959 /* the entry already existed */
960 local_flags
&= ~LOCAL_ADD_USER
;
963 /* the 'other' acb bits not being changed here */
964 other_acb
= (pdb_get_acct_ctrl(sam_pass
) & (!(ACB_WSTRUST
|ACB_DOMTRUST
|ACB_SVRTRUST
|ACB_NORMAL
)));
965 if (local_flags
& LOCAL_TRUST_ACCOUNT
) {
966 if (!pdb_set_acct_ctrl(sam_pass
, ACB_WSTRUST
| other_acb
, PDB_CHANGED
) ) {
967 slprintf(err_str
, err_str_len
- 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name
);
968 pdb_free_sam(&sam_pass
);
971 } else if (local_flags
& LOCAL_INTERDOM_ACCOUNT
) {
972 if (!pdb_set_acct_ctrl(sam_pass
, ACB_DOMTRUST
| other_acb
, PDB_CHANGED
)) {
973 slprintf(err_str
, err_str_len
- 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name
);
974 pdb_free_sam(&sam_pass
);
978 if (!pdb_set_acct_ctrl(sam_pass
, ACB_NORMAL
| other_acb
, PDB_CHANGED
)) {
979 slprintf(err_str
, err_str_len
- 1, "Failed to set 'normal account' flags for user %s.\n", user_name
);
980 pdb_free_sam(&sam_pass
);
986 * We are root - just write the new password
987 * and the valid last change time.
990 if (local_flags
& LOCAL_DISABLE_USER
) {
991 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)|ACB_DISABLED
, PDB_CHANGED
)) {
992 slprintf(err_str
, err_str_len
-1, "Failed to set 'disabled' flag for user %s.\n", user_name
);
993 pdb_free_sam(&sam_pass
);
996 } else if (local_flags
& LOCAL_ENABLE_USER
) {
997 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_DISABLED
), PDB_CHANGED
)) {
998 slprintf(err_str
, err_str_len
-1, "Failed to unset 'disabled' flag for user %s.\n", user_name
);
999 pdb_free_sam(&sam_pass
);
1004 if (local_flags
& LOCAL_SET_NO_PASSWORD
) {
1005 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)|ACB_PWNOTREQ
, PDB_CHANGED
)) {
1006 slprintf(err_str
, err_str_len
-1, "Failed to set 'no password required' flag for user %s.\n", user_name
);
1007 pdb_free_sam(&sam_pass
);
1010 } else if (local_flags
& LOCAL_SET_PASSWORD
) {
1012 * If we're dealing with setting a completely empty user account
1013 * ie. One with a password of 'XXXX', but not set disabled (like
1014 * an account created from scratch) then if the old password was
1015 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
1016 * We remove that as we're giving this user their first password
1017 * and the decision hasn't really been made to disable them (ie.
1018 * don't create them disabled). JRA.
1020 if ((pdb_get_lanman_passwd(sam_pass
)==NULL
) && (pdb_get_acct_ctrl(sam_pass
)&ACB_DISABLED
)) {
1021 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_DISABLED
), PDB_CHANGED
)) {
1022 slprintf(err_str
, err_str_len
-1, "Failed to unset 'disabled' flag for user %s.\n", user_name
);
1023 pdb_free_sam(&sam_pass
);
1027 if (!pdb_set_acct_ctrl (sam_pass
, pdb_get_acct_ctrl(sam_pass
)&(~ACB_PWNOTREQ
), PDB_CHANGED
)) {
1028 slprintf(err_str
, err_str_len
-1, "Failed to unset 'no password required' flag for user %s.\n", user_name
);
1029 pdb_free_sam(&sam_pass
);
1033 if (!pdb_set_plaintext_passwd (sam_pass
, new_passwd
)) {
1034 slprintf(err_str
, err_str_len
-1, "Failed to set password for user %s.\n", user_name
);
1035 pdb_free_sam(&sam_pass
);
1040 if (local_flags
& LOCAL_ADD_USER
) {
1041 if (pdb_add_sam_account(sam_pass
)) {
1042 slprintf(msg_str
, msg_str_len
-1, "Added user %s.\n", user_name
);
1043 pdb_free_sam(&sam_pass
);
1046 slprintf(err_str
, err_str_len
-1, "Failed to add entry for user %s.\n", user_name
);
1047 pdb_free_sam(&sam_pass
);
1050 } else if (local_flags
& LOCAL_DELETE_USER
) {
1051 if (!pdb_delete_sam_account(sam_pass
)) {
1052 slprintf(err_str
,err_str_len
-1, "Failed to delete entry for user %s.\n", user_name
);
1053 pdb_free_sam(&sam_pass
);
1056 slprintf(msg_str
, msg_str_len
-1, "Deleted user %s.\n", user_name
);
1058 if(!pdb_update_sam_account(sam_pass
)) {
1059 slprintf(err_str
, err_str_len
-1, "Failed to modify entry for user %s.\n", user_name
);
1060 pdb_free_sam(&sam_pass
);
1063 if(local_flags
& LOCAL_DISABLE_USER
)
1064 slprintf(msg_str
, msg_str_len
-1, "Disabled user %s.\n", user_name
);
1065 else if (local_flags
& LOCAL_ENABLE_USER
)
1066 slprintf(msg_str
, msg_str_len
-1, "Enabled user %s.\n", user_name
);
1067 else if (local_flags
& LOCAL_SET_NO_PASSWORD
)
1068 slprintf(msg_str
, msg_str_len
-1, "User %s password set to none.\n", user_name
);
1071 pdb_free_sam(&sam_pass
);
1075 /****************************************************************************
1076 Convert a uid to SID - algorithmic.
1077 ****************************************************************************/
1079 DOM_SID
*algorithmic_uid_to_sid(DOM_SID
*psid
, uid_t uid
)
1081 if ( !lp_enable_rid_algorithm() )
1084 DEBUG(8,("algorithmic_uid_to_sid: falling back to RID algorithm\n"));
1085 sid_copy( psid
, get_global_sam_sid() );
1086 sid_append_rid( psid
, fallback_pdb_uid_to_user_rid(uid
) );
1087 DEBUG(10,("algorithmic_uid_to_sid: uid (%d) -> SID %s.\n",
1088 (unsigned int)uid
, sid_string_static(psid
) ));
1093 /****************************************************************************
1094 Convert a uid to SID - locally.
1095 ****************************************************************************/
1097 DOM_SID
*local_uid_to_sid(DOM_SID
*psid
, uid_t uid
)
1099 SAM_ACCOUNT
*sampw
= NULL
;
1100 struct passwd
*unix_pw
;
1103 unix_pw
= sys_getpwuid( uid
);
1106 DEBUG(4,("local_uid_to_sid: host has no idea of uid %lu\n", (unsigned long)uid
));
1107 return algorithmic_uid_to_sid( psid
, uid
);
1110 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw
)) ) {
1111 DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUNT object\n"));
1116 ret
= pdb_getsampwnam( sampw
, unix_pw
->pw_name
);
1120 sid_copy( psid
, pdb_get_user_sid(sampw
) );
1122 DEBUG(4,("local_uid_to_sid: User %s [uid == %lu] has no samba account\n",
1123 unix_pw
->pw_name
, (unsigned long)uid
));
1125 return algorithmic_uid_to_sid( psid
, uid
);
1128 DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n",
1129 (unsigned int)uid
, sid_string_static(psid
), unix_pw
->pw_name
));
1134 /****************************************************************************
1135 Convert a SID to uid - locally.
1136 ****************************************************************************/
1138 BOOL
local_sid_to_uid(uid_t
*puid
, const DOM_SID
*psid
, enum SID_NAME_USE
*name_type
)
1140 SAM_ACCOUNT
*sampw
= NULL
;
1141 struct passwd
*unix_pw
;
1142 const char *user_name
;
1144 *name_type
= SID_NAME_UNKNOWN
;
1147 * We can only convert to a uid if this is our local
1148 * Domain SID (ie. we are the controling authority).
1150 if (!sid_check_is_in_our_domain(psid
) ) {
1151 DEBUG(5,("local_sid_to_uid: this SID (%s) is not from our domain\n", sid_string_static(psid
)));
1155 /* lookup the user account */
1157 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw
)) ) {
1158 DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
1163 if ( !pdb_getsampwsid(sampw
, psid
) ) {
1165 DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
1166 sid_string_static(psid
)));
1171 user_name
= pdb_get_username(sampw
);
1173 unix_pw
= sys_getpwnam( user_name
);
1176 DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
1178 pdb_free_sam( &sampw
);
1182 *puid
= unix_pw
->pw_uid
;
1184 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid
),
1185 (unsigned int)*puid
, user_name
));
1187 *name_type
= SID_NAME_USER
;
1192 /****************************************************************************
1193 Convert a gid to SID - locally.
1194 ****************************************************************************/
1196 DOM_SID
*local_gid_to_sid(DOM_SID
*psid
, gid_t gid
)
1201 /* we don't need to disable winbindd since the gid is stored in
1202 the GROUP_MAP object */
1204 /* done as root since ldap backend requires root to open a connection */
1207 ret
= pdb_getgrgid( &group
, gid
);
1212 /* fallback to rid mapping if enabled */
1214 if ( lp_enable_rid_algorithm() ) {
1215 sid_copy(psid
, get_global_sam_sid());
1216 sid_append_rid(psid
, pdb_gid_to_group_rid(gid
));
1218 DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
1219 (unsigned int)gid
, sid_string_static(psid
)));
1227 sid_copy( psid
, &group
.sid
);
1229 DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n",
1230 (unsigned int)gid
, sid_string_static(psid
)));
1235 /****************************************************************************
1236 Convert a SID to gid - locally.
1237 ****************************************************************************/
1239 BOOL
local_sid_to_gid(gid_t
*pgid
, const DOM_SID
*psid
, enum SID_NAME_USE
*name_type
)
1245 *name_type
= SID_NAME_UNKNOWN
;
1247 /* This call can enumerate group mappings for foreign sids as well.
1248 So don't check for a match against our domain SID */
1250 /* we don't need to disable winbindd since the gid is stored in
1251 the GROUP_MAP object */
1254 ret
= pdb_getgrsid(&group
, *psid
);
1259 /* fallback to rid mapping if enabled */
1261 if ( lp_enable_rid_algorithm() ) {
1263 if (!sid_check_is_in_our_domain(psid
) ) {
1264 DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (%s is not)\n", sid_string_static(psid
)));
1268 if (!sid_peek_rid(psid
, &rid
)) {
1269 DEBUG(10,("local_sid_to_uid: invalid SID!\n"));
1273 DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
1275 if (fallback_pdb_rid_is_user(rid
)) {
1276 DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid
)));
1279 *pgid
= pdb_group_rid_to_gid(rid
);
1280 DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid
), (unsigned int)(*pgid
)));
1290 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid
),
1291 (unsigned int)*pgid
));
1296 /**********************************************************************
1297 Marshall/unmarshall SAM_ACCOUNT structs.
1298 *********************************************************************/
1300 #define TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
1301 #define TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
1303 /**********************************************************************
1304 Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
1305 *********************************************************************/
1307 BOOL
init_sam_from_buffer(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1309 return(init_sam_from_buffer_v1(sampass
, buf
, buflen
));
1312 /**********************************************************************
1313 Intialize a BYTE buffer from a SAM_ACCOUNT struct
1314 *********************************************************************/
1316 uint32
init_buffer_from_sam (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1318 return(init_buffer_from_sam_v1(buf
, sampass
, size_only
));
1322 BOOL
init_sam_from_buffer_v0(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1325 /* times are stored as 32bit integer
1326 take care on system with 64bit wide time_t
1332 pass_can_change_time
,
1333 pass_must_change_time
;
1346 uint32 username_len
, domain_len
, nt_username_len
,
1347 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1348 fullname_len
, homedir_len
, logon_script_len
,
1349 profile_path_len
, acct_desc_len
, workstations_len
;
1351 uint32 user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1352 uint16 acct_ctrl
, logon_divs
;
1353 uint16 bad_password_count
, logon_count
;
1355 static uint8
*lm_pw_ptr
, *nt_pw_ptr
;
1357 uint32 lm_pw_len
, nt_pw_len
, hourslen
;
1360 if(sampass
== NULL
|| buf
== NULL
) {
1361 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
1365 /* unpack the buffer into variables */
1366 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V0
,
1370 &pass_last_set_time
,
1371 &pass_can_change_time
,
1372 &pass_must_change_time
,
1373 &username_len
, &username
,
1374 &domain_len
, &domain
,
1375 &nt_username_len
, &nt_username
,
1376 &fullname_len
, &fullname
,
1377 &homedir_len
, &homedir
,
1378 &dir_drive_len
, &dir_drive
,
1379 &logon_script_len
, &logon_script
,
1380 &profile_path_len
, &profile_path
,
1381 &acct_desc_len
, &acct_desc
,
1382 &workstations_len
, &workstations
,
1383 &unknown_str_len
, &unknown_str
,
1384 &munged_dial_len
, &munged_dial
,
1387 &lm_pw_len
, &lm_pw_ptr
,
1388 &nt_pw_len
, &nt_pw_ptr
,
1390 &remove_me
, /* remove on the next TDB_FORMAT upgarde */
1394 &bad_password_count
,
1398 if (len
== (uint32
) -1) {
1403 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1404 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1405 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1406 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1407 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1408 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1410 pdb_set_username(sampass
, username
, PDB_SET
);
1411 pdb_set_domain(sampass
, domain
, PDB_SET
);
1412 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1413 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1416 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1419 pdb_set_homedir(sampass
,
1420 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1425 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1427 pdb_set_dir_drive(sampass
,
1428 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1433 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1435 pdb_set_logon_script(sampass
,
1436 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1441 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1443 pdb_set_profile_path(sampass
,
1444 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1448 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1449 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1450 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1452 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1453 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1459 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1460 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1466 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1467 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1468 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1469 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1470 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1471 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1472 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1473 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1474 pdb_set_hours(sampass
, hours
, PDB_SET
);
1478 SAFE_FREE(username
);
1480 SAFE_FREE(nt_username
);
1481 SAFE_FREE(fullname
);
1483 SAFE_FREE(dir_drive
);
1484 SAFE_FREE(logon_script
);
1485 SAFE_FREE(profile_path
);
1486 SAFE_FREE(acct_desc
);
1487 SAFE_FREE(workstations
);
1488 SAFE_FREE(munged_dial
);
1489 SAFE_FREE(unknown_str
);
1496 uint32
init_buffer_from_sam_v0 (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1500 /* times are stored as 32bit integer
1501 take care on system with 64bit wide time_t
1507 pass_can_change_time
,
1508 pass_must_change_time
;
1510 uint32 user_rid
, group_rid
;
1512 const char *username
;
1514 const char *nt_username
;
1515 const char *dir_drive
;
1516 const char *unknown_str
;
1517 const char *munged_dial
;
1518 const char *fullname
;
1519 const char *homedir
;
1520 const char *logon_script
;
1521 const char *profile_path
;
1522 const char *acct_desc
;
1523 const char *workstations
;
1524 uint32 username_len
, domain_len
, nt_username_len
,
1525 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1526 fullname_len
, homedir_len
, logon_script_len
,
1527 profile_path_len
, acct_desc_len
, workstations_len
;
1531 uint32 lm_pw_len
= 16;
1532 uint32 nt_pw_len
= 16;
1534 /* do we have a valid SAM_ACCOUNT pointer? */
1535 if (sampass
== NULL
) {
1536 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1543 logon_time
= (uint32
)pdb_get_logon_time(sampass
);
1544 logoff_time
= (uint32
)pdb_get_logoff_time(sampass
);
1545 kickoff_time
= (uint32
)pdb_get_kickoff_time(sampass
);
1546 pass_can_change_time
= (uint32
)pdb_get_pass_can_change_time(sampass
);
1547 pass_must_change_time
= (uint32
)pdb_get_pass_must_change_time(sampass
);
1548 pass_last_set_time
= (uint32
)pdb_get_pass_last_set_time(sampass
);
1550 user_rid
= pdb_get_user_rid(sampass
);
1551 group_rid
= pdb_get_group_rid(sampass
);
1553 username
= pdb_get_username(sampass
);
1555 username_len
= strlen(username
) +1;
1559 domain
= pdb_get_domain(sampass
);
1561 domain_len
= strlen(domain
) +1;
1565 nt_username
= pdb_get_nt_username(sampass
);
1567 nt_username_len
= strlen(nt_username
) +1;
1569 nt_username_len
= 0;
1571 fullname
= pdb_get_fullname(sampass
);
1573 fullname_len
= strlen(fullname
) +1;
1578 * Only updates fields which have been set (not defaults from smb.conf)
1581 if (!IS_SAM_DEFAULT(sampass
, PDB_DRIVE
))
1582 dir_drive
= pdb_get_dir_drive(sampass
);
1586 dir_drive_len
= strlen(dir_drive
) +1;
1590 if (!IS_SAM_DEFAULT(sampass
, PDB_SMBHOME
))
1591 homedir
= pdb_get_homedir(sampass
);
1595 homedir_len
= strlen(homedir
) +1;
1599 if (!IS_SAM_DEFAULT(sampass
, PDB_LOGONSCRIPT
))
1600 logon_script
= pdb_get_logon_script(sampass
);
1602 logon_script
= NULL
;
1604 logon_script_len
= strlen(logon_script
) +1;
1606 logon_script_len
= 0;
1608 if (!IS_SAM_DEFAULT(sampass
, PDB_PROFILE
))
1609 profile_path
= pdb_get_profile_path(sampass
);
1611 profile_path
= NULL
;
1613 profile_path_len
= strlen(profile_path
) +1;
1615 profile_path_len
= 0;
1617 lm_pw
= pdb_get_lanman_passwd(sampass
);
1621 nt_pw
= pdb_get_nt_passwd(sampass
);
1625 acct_desc
= pdb_get_acct_desc(sampass
);
1627 acct_desc_len
= strlen(acct_desc
) +1;
1631 workstations
= pdb_get_workstations(sampass
);
1633 workstations_len
= strlen(workstations
) +1;
1635 workstations_len
= 0;
1638 unknown_str_len
= 0;
1640 munged_dial
= pdb_get_munged_dial(sampass
);
1642 munged_dial_len
= strlen(munged_dial
) +1;
1644 munged_dial_len
= 0;
1646 /* one time to get the size needed */
1647 len
= tdb_pack(NULL
, 0, TDB_FORMAT_STRING_V0
,
1652 pass_can_change_time
,
1653 pass_must_change_time
,
1654 username_len
, username
,
1656 nt_username_len
, nt_username
,
1657 fullname_len
, fullname
,
1658 homedir_len
, homedir
,
1659 dir_drive_len
, dir_drive
,
1660 logon_script_len
, logon_script
,
1661 profile_path_len
, profile_path
,
1662 acct_desc_len
, acct_desc
,
1663 workstations_len
, workstations
,
1664 unknown_str_len
, unknown_str
,
1665 munged_dial_len
, munged_dial
,
1670 pdb_get_acct_ctrl(sampass
),
1671 0, /* was: fileds_present, to be removed on format change */
1672 pdb_get_logon_divs(sampass
),
1673 pdb_get_hours_len(sampass
),
1674 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
1675 pdb_get_bad_password_count(sampass
),
1676 pdb_get_logon_count(sampass
),
1677 pdb_get_unknown_6(sampass
));
1683 /* malloc the space needed */
1684 if ( (*buf
=(uint8
*)malloc(len
)) == NULL
) {
1685 DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
1689 /* now for the real call to tdb_pack() */
1690 buflen
= tdb_pack((char *)*buf
, len
, TDB_FORMAT_STRING_V0
,
1695 pass_can_change_time
,
1696 pass_must_change_time
,
1697 username_len
, username
,
1699 nt_username_len
, nt_username
,
1700 fullname_len
, fullname
,
1701 homedir_len
, homedir
,
1702 dir_drive_len
, dir_drive
,
1703 logon_script_len
, logon_script
,
1704 profile_path_len
, profile_path
,
1705 acct_desc_len
, acct_desc
,
1706 workstations_len
, workstations
,
1707 unknown_str_len
, unknown_str
,
1708 munged_dial_len
, munged_dial
,
1713 pdb_get_acct_ctrl(sampass
),
1714 0, /* was: fileds_present, to be removed on format change */
1715 pdb_get_logon_divs(sampass
),
1716 pdb_get_hours_len(sampass
),
1717 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
1718 pdb_get_bad_password_count(sampass
),
1719 pdb_get_logon_count(sampass
),
1720 pdb_get_unknown_6(sampass
));
1723 /* check to make sure we got it correct */
1724 if (buflen
!= len
) {
1725 DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
1726 (unsigned long)buflen
, (unsigned long)len
));
1736 BOOL
init_sam_from_buffer_v1(SAM_ACCOUNT
*sampass
, uint8
*buf
, uint32 buflen
)
1739 /* times are stored as 32bit integer
1740 take care on system with 64bit wide time_t
1747 pass_can_change_time
,
1748 pass_must_change_time
;
1761 uint32 username_len
, domain_len
, nt_username_len
,
1762 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1763 fullname_len
, homedir_len
, logon_script_len
,
1764 profile_path_len
, acct_desc_len
, workstations_len
;
1766 uint32 user_rid
, group_rid
, remove_me
, hours_len
, unknown_6
;
1767 uint16 acct_ctrl
, logon_divs
;
1768 uint16 bad_password_count
, logon_count
;
1770 static uint8
*lm_pw_ptr
, *nt_pw_ptr
;
1772 uint32 lm_pw_len
, nt_pw_len
, hourslen
;
1775 if(sampass
== NULL
|| buf
== NULL
) {
1776 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
1780 /* unpack the buffer into variables */
1781 len
= tdb_unpack ((char *)buf
, buflen
, TDB_FORMAT_STRING_V1
,
1786 &pass_last_set_time
,
1787 &pass_can_change_time
,
1788 &pass_must_change_time
,
1789 &username_len
, &username
,
1790 &domain_len
, &domain
,
1791 &nt_username_len
, &nt_username
,
1792 &fullname_len
, &fullname
,
1793 &homedir_len
, &homedir
,
1794 &dir_drive_len
, &dir_drive
,
1795 &logon_script_len
, &logon_script
,
1796 &profile_path_len
, &profile_path
,
1797 &acct_desc_len
, &acct_desc
,
1798 &workstations_len
, &workstations
,
1799 &unknown_str_len
, &unknown_str
,
1800 &munged_dial_len
, &munged_dial
,
1803 &lm_pw_len
, &lm_pw_ptr
,
1804 &nt_pw_len
, &nt_pw_ptr
,
1810 &bad_password_count
,
1814 if (len
== (uint32
) -1) {
1819 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
1820 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
1821 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
1822 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
1823 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
1824 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
1825 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
1827 pdb_set_username(sampass
, username
, PDB_SET
);
1828 pdb_set_domain(sampass
, domain
, PDB_SET
);
1829 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
1830 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
1833 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
1836 pdb_set_homedir(sampass
,
1837 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
1842 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
1844 pdb_set_dir_drive(sampass
,
1845 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
1850 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
1852 pdb_set_logon_script(sampass
,
1853 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
1858 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
1860 pdb_set_profile_path(sampass
,
1861 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_path()),
1865 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
1866 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
1867 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
1869 if (lm_pw_ptr
&& lm_pw_len
== LM_HASH_LEN
) {
1870 if (!pdb_set_lanman_passwd(sampass
, lm_pw_ptr
, PDB_SET
)) {
1876 if (nt_pw_ptr
&& nt_pw_len
== NT_HASH_LEN
) {
1877 if (!pdb_set_nt_passwd(sampass
, nt_pw_ptr
, PDB_SET
)) {
1883 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
1884 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
1885 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
1886 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
1887 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
1888 pdb_set_unknown_6(sampass
, unknown_6
, PDB_SET
);
1889 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
1890 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
1891 pdb_set_hours(sampass
, hours
, PDB_SET
);
1895 SAFE_FREE(username
);
1897 SAFE_FREE(nt_username
);
1898 SAFE_FREE(fullname
);
1900 SAFE_FREE(dir_drive
);
1901 SAFE_FREE(logon_script
);
1902 SAFE_FREE(profile_path
);
1903 SAFE_FREE(acct_desc
);
1904 SAFE_FREE(workstations
);
1905 SAFE_FREE(munged_dial
);
1906 SAFE_FREE(unknown_str
);
1913 uint32
init_buffer_from_sam_v1 (uint8
**buf
, const SAM_ACCOUNT
*sampass
, BOOL size_only
)
1917 /* times are stored as 32bit integer
1918 take care on system with 64bit wide time_t
1925 pass_can_change_time
,
1926 pass_must_change_time
;
1928 uint32 user_rid
, group_rid
;
1930 const char *username
;
1932 const char *nt_username
;
1933 const char *dir_drive
;
1934 const char *unknown_str
;
1935 const char *munged_dial
;
1936 const char *fullname
;
1937 const char *homedir
;
1938 const char *logon_script
;
1939 const char *profile_path
;
1940 const char *acct_desc
;
1941 const char *workstations
;
1942 uint32 username_len
, domain_len
, nt_username_len
,
1943 dir_drive_len
, unknown_str_len
, munged_dial_len
,
1944 fullname_len
, homedir_len
, logon_script_len
,
1945 profile_path_len
, acct_desc_len
, workstations_len
;
1949 uint32 lm_pw_len
= 16;
1950 uint32 nt_pw_len
= 16;
1952 /* do we have a valid SAM_ACCOUNT pointer? */
1953 if (sampass
== NULL
) {
1954 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1961 logon_time
= (uint32
)pdb_get_logon_time(sampass
);
1962 logoff_time
= (uint32
)pdb_get_logoff_time(sampass
);
1963 kickoff_time
= (uint32
)pdb_get_kickoff_time(sampass
);
1964 bad_password_time
= (uint32
)pdb_get_bad_password_time(sampass
);
1965 pass_can_change_time
= (uint32
)pdb_get_pass_can_change_time(sampass
);
1966 pass_must_change_time
= (uint32
)pdb_get_pass_must_change_time(sampass
);
1967 pass_last_set_time
= (uint32
)pdb_get_pass_last_set_time(sampass
);
1969 user_rid
= pdb_get_user_rid(sampass
);
1970 group_rid
= pdb_get_group_rid(sampass
);
1972 username
= pdb_get_username(sampass
);
1974 username_len
= strlen(username
) +1;
1978 domain
= pdb_get_domain(sampass
);
1980 domain_len
= strlen(domain
) +1;
1984 nt_username
= pdb_get_nt_username(sampass
);
1986 nt_username_len
= strlen(nt_username
) +1;
1988 nt_username_len
= 0;
1990 fullname
= pdb_get_fullname(sampass
);
1992 fullname_len
= strlen(fullname
) +1;
1997 * Only updates fields which have been set (not defaults from smb.conf)
2000 if (!IS_SAM_DEFAULT(sampass
, PDB_DRIVE
))
2001 dir_drive
= pdb_get_dir_drive(sampass
);
2005 dir_drive_len
= strlen(dir_drive
) +1;
2009 if (!IS_SAM_DEFAULT(sampass
, PDB_SMBHOME
))
2010 homedir
= pdb_get_homedir(sampass
);
2014 homedir_len
= strlen(homedir
) +1;
2018 if (!IS_SAM_DEFAULT(sampass
, PDB_LOGONSCRIPT
))
2019 logon_script
= pdb_get_logon_script(sampass
);
2021 logon_script
= NULL
;
2023 logon_script_len
= strlen(logon_script
) +1;
2025 logon_script_len
= 0;
2027 if (!IS_SAM_DEFAULT(sampass
, PDB_PROFILE
))
2028 profile_path
= pdb_get_profile_path(sampass
);
2030 profile_path
= NULL
;
2032 profile_path_len
= strlen(profile_path
) +1;
2034 profile_path_len
= 0;
2036 lm_pw
= pdb_get_lanman_passwd(sampass
);
2040 nt_pw
= pdb_get_nt_passwd(sampass
);
2044 acct_desc
= pdb_get_acct_desc(sampass
);
2046 acct_desc_len
= strlen(acct_desc
) +1;
2050 workstations
= pdb_get_workstations(sampass
);
2052 workstations_len
= strlen(workstations
) +1;
2054 workstations_len
= 0;
2057 unknown_str_len
= 0;
2059 munged_dial
= pdb_get_munged_dial(sampass
);
2061 munged_dial_len
= strlen(munged_dial
) +1;
2063 munged_dial_len
= 0;
2065 /* one time to get the size needed */
2066 len
= tdb_pack(NULL
, 0, TDB_FORMAT_STRING_V1
,
2072 pass_can_change_time
,
2073 pass_must_change_time
,
2074 username_len
, username
,
2076 nt_username_len
, nt_username
,
2077 fullname_len
, fullname
,
2078 homedir_len
, homedir
,
2079 dir_drive_len
, dir_drive
,
2080 logon_script_len
, logon_script
,
2081 profile_path_len
, profile_path
,
2082 acct_desc_len
, acct_desc
,
2083 workstations_len
, workstations
,
2084 unknown_str_len
, unknown_str
,
2085 munged_dial_len
, munged_dial
,
2090 pdb_get_acct_ctrl(sampass
),
2092 pdb_get_logon_divs(sampass
),
2093 pdb_get_hours_len(sampass
),
2094 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
2095 pdb_get_bad_password_count(sampass
),
2096 pdb_get_logon_count(sampass
),
2097 pdb_get_unknown_6(sampass
));
2103 /* malloc the space needed */
2104 if ( (*buf
=(uint8
*)malloc(len
)) == NULL
) {
2105 DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
2109 /* now for the real call to tdb_pack() */
2110 buflen
= tdb_pack((char *)*buf
, len
, TDB_FORMAT_STRING_V1
,
2116 pass_can_change_time
,
2117 pass_must_change_time
,
2118 username_len
, username
,
2120 nt_username_len
, nt_username
,
2121 fullname_len
, fullname
,
2122 homedir_len
, homedir
,
2123 dir_drive_len
, dir_drive
,
2124 logon_script_len
, logon_script
,
2125 profile_path_len
, profile_path
,
2126 acct_desc_len
, acct_desc
,
2127 workstations_len
, workstations
,
2128 unknown_str_len
, unknown_str
,
2129 munged_dial_len
, munged_dial
,
2134 pdb_get_acct_ctrl(sampass
),
2136 pdb_get_logon_divs(sampass
),
2137 pdb_get_hours_len(sampass
),
2138 MAX_HOURS_LEN
, pdb_get_hours(sampass
),
2139 pdb_get_bad_password_count(sampass
),
2140 pdb_get_logon_count(sampass
),
2141 pdb_get_unknown_6(sampass
));
2144 /* check to make sure we got it correct */
2145 if (buflen
!= len
) {
2146 DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2147 (unsigned long)buflen
, (unsigned long)len
));
2157 /**********************************************************************
2158 **********************************************************************/
2160 static BOOL
get_free_ugid_range(uint32
*low
, uint32
*high
)
2162 uid_t u_low
, u_high
;
2163 gid_t g_low
, g_high
;
2165 if (!lp_idmap_uid(&u_low
, &u_high
) || !lp_idmap_gid(&g_low
, &g_high
)) {
2169 *low
= (u_low
< g_low
) ? u_low
: g_low
;
2170 *high
= (u_high
< g_high
) ? u_high
: g_high
;
2175 /******************************************************************
2176 Get the the non-algorithmic RID range if idmap range are defined
2177 ******************************************************************/
2179 BOOL
get_free_rid_range(uint32
*low
, uint32
*high
)
2181 uint32 id_low
, id_high
;
2183 if (!lp_enable_rid_algorithm()) {
2188 if (!get_free_ugid_range(&id_low
, &id_high
)) {
2192 *low
= fallback_pdb_uid_to_user_rid(id_low
);
2193 if (fallback_pdb_user_rid_to_uid((uint32
)-1) < id_high
) {
2196 *high
= fallback_pdb_uid_to_user_rid(id_high
);
2202 /*********************************************************************
2203 Update the bad password count checking the AP_RESET_COUNT_TIME
2204 *********************************************************************/
2206 BOOL
pdb_update_bad_password_count(SAM_ACCOUNT
*sampass
, BOOL
*updated
)
2208 time_t LastBadPassword
;
2209 uint16 BadPasswordCount
;
2212 BadPasswordCount
= pdb_get_bad_password_count(sampass
);
2213 if(BadPasswordCount
> 0){
2214 if (!account_policy_get(AP_RESET_COUNT_TIME
, &resettime
)) {
2215 DEBUG(0, ("account_policy_get failed.\n"));
2218 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2219 DEBUG(10, ("LastBadPassword=%d, resettime=%d.\n",
2220 (uint32
) LastBadPassword
, resettime
));
2222 (time(NULL
) > (LastBadPassword
+
2223 (time_t)resettime
*60))){
2224 pdb_set_bad_password_count(sampass
,
2226 pdb_set_bad_password_time(sampass
, 0,
2235 /*********************************************************************
2236 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
2237 *********************************************************************/
2239 BOOL
pdb_update_autolock_flag(SAM_ACCOUNT
*sampass
, BOOL
*updated
)
2242 time_t LastBadPassword
;
2247 if (pdb_get_acct_ctrl(sampass
) & ACB_AUTOLOCK
) {
2248 if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION
,
2250 DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
2253 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2254 DEBUG(10, ("LastBadPassword=%d, duration=%d.\n",
2255 (uint32
) LastBadPassword
, duration
*60 ));
2258 (LastBadPassword
+ (time_t)duration
*60))){
2259 DEBUG(10, ("LastBadPassword=%d, duration=%d.\n",
2260 (uint32
) LastBadPassword
,
2262 pdb_set_acct_ctrl(sampass
,
2263 pdb_get_acct_ctrl(sampass
) & ~ACB_AUTOLOCK
,
2265 pdb_set_bad_password_count(sampass
,
2267 pdb_set_bad_password_time(sampass
, 0,
2277 /*********************************************************************
2278 Increment the bad_password_count
2279 *********************************************************************/
2281 BOOL
pdb_increment_bad_password_count(SAM_ACCOUNT
*sampass
)
2284 uint32 account_policy_lockout
;
2285 time_t LastBadPassword
;
2290 if (!account_policy_get(AP_RESET_COUNT_TIME
, &resettime
)) {
2291 DEBUG(0, ("account_policy_get failed.\n"));
2294 LastBadPassword
= pdb_get_bad_password_time(sampass
);
2295 DEBUG(10, ("LastBadPassword=%d, resettime=%d.\n",
2296 (uint32
) LastBadPassword
, resettime
));
2297 DEBUG(10, ("time(null) = %d\n", (uint32
) time(NULL
)));
2298 if ((resettime
) && (LastBadPassword
) &&
2299 (time(NULL
) > (LastBadPassword
+ (time_t)resettime
*60))){
2300 pdb_set_bad_password_count(sampass
, 1, PDB_CHANGED
);
2302 pdb_set_bad_password_count(sampass
,
2303 pdb_get_bad_password_count(sampass
)+1,
2306 pdb_set_bad_password_time(sampass
, time(NULL
), PDB_CHANGED
);
2308 if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
,
2309 &account_policy_lockout
)) {
2310 DEBUG(0, ("account_policy_get failed.\n"));
2313 if (account_policy_lockout
&&
2314 (pdb_get_bad_password_count(sampass
) >= account_policy_lockout
)) {
2315 if (!pdb_set_acct_ctrl (sampass
,
2316 pdb_get_acct_ctrl(sampass
) |ACB_AUTOLOCK
,
2318 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));