search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Samba 3: added Samba 3.0.24 sources
[tomato.git] / release / src / router / samba3 / source / lib / account_pol.c
blobd4e585f74f659b0a5c334bd6d6ee3b54c5b8b901
1 /*
2 * Unix SMB/CIFS implementation.
3 * account policy storage
4 * Copyright (C) Jean François Micouleau 1998-2001.
5 * Copyright (C) Andrew Bartlett 2002
6 * Copyright (C) Guenther Deschner 2004-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 static TDB_CONTEXT *tdb;
25
26 /* cache all entries for 60 seconds for to save ldap-queries (cache is updated
27 * after this period if admins do not use pdbedit or usermanager but manipulate
28 * ldap directly) - gd */
29
30 #define DATABASE_VERSION 3
31 #define AP_LASTSET "LAST_CACHE_UPDATE"
32 #define AP_TTL 60
33
34
35 struct ap_table {
36 int field;
37 const char *string;
38 uint32 default_val;
39 const char *description;
40 const char *ldap_attr;
41 };
42
43 static const struct ap_table account_policy_names[] = {
44 {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
45 "Minimal password length (default: 5)",
46 "sambaMinPwdLength" },
47
48 {AP_PASSWORD_HISTORY, "password history", 0,
49 "Length of Password History Entries (default: 0 => off)",
50 "sambaPwdHistoryLength" },
51
52 {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
53 "Force Users to logon for password change (default: 0 => off, 2 => on)",
54 "sambaLogonToChgPwd" },
55
56 {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
57 "Maximum password age, in seconds (default: -1 => never expire passwords)",
58 "sambaMaxPwdAge" },
59
60 {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
61 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
62 "sambaMinPwdAge" },
63
64 {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
65 "Lockout duration in minutes (default: 30, -1 => forever)",
66 "sambaLockoutDuration" },
67
68 {AP_RESET_COUNT_TIME, "reset count minutes", 30,
69 "Reset time after lockout in minutes (default: 30)",
70 "sambaLockoutObservationWindow" },
71
72 {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
73 "Lockout users after bad logon attempts (default: 0 => off)",
74 "sambaLockoutThreshold" },
75
76 {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
77 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
78 "sambaForceLogoff" },
79
80 {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
81 "Allow Machine Password changes (default: 0 => off)",
82 "sambaRefuseMachinePwdChange" },
83
84 {0, NULL, 0, "", NULL}
85 };
86
87 char *account_policy_names_list(void)
88 {
89 char *nl, *p;
90 int i;
91 size_t len = 0;
92
93 for (i=0; account_policy_names[i].string; i++) {
94 len += strlen(account_policy_names[i].string) + 1;
95 }
96 len++;
97 nl = SMB_MALLOC(len);
98 if (!nl) {
99 return NULL;
100 }
101 p = nl;
102 for (i=0; account_policy_names[i].string; i++) {
103 memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1);
104 p[strlen(account_policy_names[i].string)] = '\n';
105 p += strlen(account_policy_names[i].string) + 1;
106 }
107 *p = '\0';
108 return nl;
109 }
110
111 /****************************************************************************
112 Get the account policy name as a string from its #define'ed number
113 ****************************************************************************/
114
115 const char *decode_account_policy_name(int field)
116 {
117 int i;
118 for (i=0; account_policy_names[i].string; i++) {
119 if (field == account_policy_names[i].field) {
120 return account_policy_names[i].string;
121 }
122 }
123 return NULL;
124 }
125
126 /****************************************************************************
127 Get the account policy LDAP attribute as a string from its #define'ed number
128 ****************************************************************************/
129
130 const char *get_account_policy_attr(int field)
131 {
132 int i;
133 for (i=0; account_policy_names[i].field; i++) {
134 if (field == account_policy_names[i].field) {
135 return account_policy_names[i].ldap_attr;
136 }
137 }
138 return NULL;
139 }
140
141 /****************************************************************************
142 Get the account policy description as a string from its #define'ed number
143 ****************************************************************************/
144
145 const char *account_policy_get_desc(int field)
146 {
147 int i;
148 for (i=0; account_policy_names[i].string; i++) {
149 if (field == account_policy_names[i].field) {
150 return account_policy_names[i].description;
151 }
152 }
153 return NULL;
154 }
155
156 /****************************************************************************
157 Get the account policy name as a string from its #define'ed number
158 ****************************************************************************/
159
160 int account_policy_name_to_fieldnum(const char *name)
161 {
162 int i;
163 for (i=0; account_policy_names[i].string; i++) {
164 if (strcmp(name, account_policy_names[i].string) == 0) {
165 return account_policy_names[i].field;
166 }
167 }
168 return 0;
169 }
170
171 /*****************************************************************************
172 Update LAST-Set counter inside the cache
173 *****************************************************************************/
174
175 static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update,
176 const char *ap_name)
177 {
178 pstring key;
179 uint32 val = 0;
180 time_t now;
181
182 if (ap_name == NULL)
183 return False;
184
185 slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET);
186
187 if (!init_account_policy()) {
188 return False;
189 }
190
191 if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
192 DEBUG(10,("failed to get last set timestamp of cache\n"));
193 return False;
194 }
195
196 *value = val;
197
198 DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
199
200 if (update) {
201
202 now = time(NULL);
203
204 if (!tdb_store_uint32(tdb, key, (uint32)now)) {
205 DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
206 return False;
207 }
208 DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
209 *value = now;
210 }
211
212 return True;
213 }
214
215 /*****************************************************************************
216 Get default value for account policy
217 *****************************************************************************/
218
219 BOOL account_policy_get_default(int account_policy, uint32 *val)
220 {
221 int i;
222 for (i=0; account_policy_names[i].field; i++) {
223 if (account_policy_names[i].field == account_policy) {
224 *val = account_policy_names[i].default_val;
225 return True;
226 }
227 }
228 DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
229 account_policy));
230 return False;
231 }
232
233 /*****************************************************************************
234 Set default for a field if it is empty
235 *****************************************************************************/
236
237 static BOOL account_policy_set_default_on_empty(int account_policy)
238 {
239
240 uint32 value;
241
242 if (!account_policy_get(account_policy, &value) &&
243 !account_policy_get_default(account_policy, &value)) {
244 return False;
245 }
246
247 return account_policy_set(account_policy, value);
248 }
249
250 /*****************************************************************************
251 Open the account policy tdb.
252 ***`*************************************************************************/
253
254 BOOL init_account_policy(void)
255 {
256
257 const char *vstring = "INFO/version";
258 uint32 version;
259 int i;
260
261 if (tdb) {
262 return True;
263 }
264
265 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
266 if (!tdb) {
267 DEBUG(0,("Failed to open account policy database\n"));
268 return False;
269 }
270
271 /* handle a Samba upgrade */
272 tdb_lock_bystring(tdb, vstring);
273 if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
274
275 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
276
277 for (i=0; account_policy_names[i].field; i++) {
278
279 if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
280 DEBUG(0,("failed to set default value in account policy tdb\n"));
281 return False;
282 }
283 }
284 }
285
286 tdb_unlock_bystring(tdb, vstring);
287
288 /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
289
290 privilege_create_account( &global_sid_World );
291 privilege_create_account( &global_sid_Builtin_Account_Operators );
292 privilege_create_account( &global_sid_Builtin_Server_Operators );
293 privilege_create_account( &global_sid_Builtin_Print_Operators );
294 privilege_create_account( &global_sid_Builtin_Backup_Operators );
295
296 /* BUILTIN\Administrators get everything -- *always* */
297
298 if ( lp_enable_privileges() ) {
299 if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
300 DEBUG(1,("init_account_policy: Failed to grant privileges "
301 "to BUILTIN\\Administrators!\n"));
302 }
303 }
304
305 return True;
306 }
307
308 /*****************************************************************************
309 Get an account policy (from tdb)
310 *****************************************************************************/
311
312 BOOL account_policy_get(int field, uint32 *value)
313 {
314 fstring name;
315 uint32 regval;
316
317 if (!init_account_policy()) {
318 return False;
319 }
320
321 if (value) {
322 *value = 0;
323 }
324
325 fstrcpy(name, decode_account_policy_name(field));
326 if (!*name) {
327 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
328 return False;
329 }
330
331 if (!tdb_fetch_uint32(tdb, name, &regval)) {
332 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
333 return False;
334 }
335
336 if (value) {
337 *value = regval;
338 }
339
340 DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
341 return True;
342 }
343
344
345 /****************************************************************************
346 Set an account policy (in tdb)
347 ****************************************************************************/
348
349 BOOL account_policy_set(int field, uint32 value)
350 {
351 fstring name;
352
353 if (!init_account_policy()) {
354 return False;
355 }
356
357 fstrcpy(name, decode_account_policy_name(field));
358 if (!*name) {
359 DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
360 return False;
361 }
362
363 if (!tdb_store_uint32(tdb, name, value)) {
364 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
365 return False;
366 }
367
368 DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
369
370 return True;
371 }
372
373 /****************************************************************************
374 Set an account policy in the cache
375 ****************************************************************************/
376
377 BOOL cache_account_policy_set(int field, uint32 value)
378 {
379 uint32 lastset;
380 const char *policy_name = NULL;
381
382 policy_name = decode_account_policy_name(field);
383 if (policy_name == NULL) {
384 DEBUG(0,("cache_account_policy_set: no policy found\n"));
385 return False;
386 }
387
388 DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
389
390 if (!account_policy_set(field, value)) {
391 return False;
392 }
393
394 if (!account_policy_cache_timestamp(&lastset, True, policy_name))
395 {
396 DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
397 return False;
398 }
399
400 DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
401
402 return True;
403 }
404
405 /*****************************************************************************
406 Check whether account policies have been migrated to passdb
407 *****************************************************************************/
408
409 BOOL account_policy_migrated(BOOL init)
410 {
411 pstring key;
412 uint32 val;
413 time_t now;
414
415 slprintf(key, sizeof(key)-1, "AP_MIGRATED_TO_PASSDB");
416
417 if (!init_account_policy()) {
418 return False;
419 }
420
421 if (init) {
422 now = time(NULL);
423
424 if (!tdb_store_uint32(tdb, key, (uint32)now)) {
425 DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
426 return False;
427 }
428
429 return True;
430 }
431
432 if (!tdb_fetch_uint32(tdb, key, &val)) {
433 return False;
434 }
435
436 return True;
437 }
438
439 /*****************************************************************************
440 Remove marker that informs that account policies have been migrated to passdb
441 *****************************************************************************/
442
443 BOOL remove_account_policy_migrated(void)
444 {
445 if (!init_account_policy()) {
446 return False;
447 }
448
449 return tdb_delete_bystring(tdb, "AP_MIGRATED_TO_PASSDB");
450 }
451
452
453 /*****************************************************************************
454 Get an account policy from the cache
455 *****************************************************************************/
456
457 BOOL cache_account_policy_get(int field, uint32 *value)
458 {
459 uint32 lastset;
460
461 if (!account_policy_cache_timestamp(&lastset, False,
462 decode_account_policy_name(field)))
463 {
464 DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
465 return False;
466 }
467
468 if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
469 DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
470 return False;
471 }
472
473 return account_policy_get(field, value);
474 }
475
476
477 /****************************************************************************
478 ****************************************************************************/
479
480 TDB_CONTEXT *get_account_pol_tdb( void )
481 {
482
483 if ( !tdb ) {
484 if ( !init_account_policy() ) {
485 return NULL;
486 }
487 }
488
489 return tdb;
490 }
491
Tomato firmware and modifications.