This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
slprintf(&p[i*2], 3, "%02X", pwd[i]);
} else {
if (acct_ctrl & ACB_PWNOTREQ)
- safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
+ safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
else
- safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
+ safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
}
}
Convert a name into a SID. Used in the lookup name rpc.
********************************************************************/
-BOOL lookup_global_sam_name(const char *user, int flags, uint32_t *rid,
+BOOL lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
enum lsa_SidType *type)
{
GROUP_MAP map;
name "None" on Windows. You will get an error that
the group already exists. */
- if ( strequal( user, "None" ) ) {
+ if ( strequal( name, "None" ) ) {
*rid = DOMAIN_GROUP_RID_USERS;
*type = SID_NAME_DOM_GRP;
}
become_root();
- ret = pdb_getsampwnam(sam_account, user);
+ ret = pdb_getsampwnam(sam_account, name);
unbecome_root();
if (ret) {
if (ret) {
if (!sid_check_is_in_our_domain(&user_sid)) {
DEBUG(0, ("User %s with invalid SID %s in passdb\n",
- user, sid_string_static(&user_sid)));
+ name, sid_string_static(&user_sid)));
return False;
}
*/
become_root();
- ret = pdb_getgrnam(&map, user);
+ ret = pdb_getgrnam(&map, name);
unbecome_root();
if (!ret) {
/* BUILTIN groups are looked up elsewhere */
if (!sid_check_is_in_our_domain(&map.sid)) {
DEBUG(10, ("Found group %s (%s) not in our domain -- "
- "ignoring.", user,
+ "ignoring.", name,
sid_string_static(&map.sid)));
return False;
}
}
/* the 'other' acb bits not being changed here */
- other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
+ other_acb = (pdb_get_acct_ctrl(sam_pass) & (~(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
if (local_flags & LOCAL_TRUST_ACCOUNT) {
if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
/* TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
/* unpack the buffer into variables */
- len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V3,
+ len = tdb_unpack (buf, buflen, TDB_FORMAT_STRING_V3,
&logon_time, /* d */
&logoff_time, /* d */
&kickoff_time, /* d */
goto done;
}
- pdb_set_logon_time(sampass, logon_time, PDB_SET);
- pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
- pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
- pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
- pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
- pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
+ pdb_set_logon_time(sampass, convert_uint32_to_time_t(logon_time), PDB_SET);
+ pdb_set_logoff_time(sampass, convert_uint32_to_time_t(logoff_time), PDB_SET);
+ pdb_set_kickoff_time(sampass, convert_uint32_to_time_t(kickoff_time), PDB_SET);
+ pdb_set_bad_password_time(sampass, convert_uint32_to_time_t(bad_password_time), PDB_SET);
+ pdb_set_pass_can_change_time(sampass, convert_uint32_to_time_t(pass_can_change_time), PDB_SET);
+ pdb_set_pass_must_change_time(sampass, convert_uint32_to_time_t(pass_must_change_time), PDB_SET);
+ pdb_set_pass_last_set_time(sampass, convert_uint32_to_time_t(pass_last_set_time), PDB_SET);
pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
*buf = NULL;
buflen = 0;
- logon_time = (uint32)pdb_get_logon_time(sampass);
- logoff_time = (uint32)pdb_get_logoff_time(sampass);
- kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
- bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
- pass_can_change_time = (uint32)pdb_get_pass_can_change_time_noncalc(sampass);
- pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
- pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
+ logon_time = convert_time_t_to_uint32(pdb_get_logon_time(sampass));
+ logoff_time = convert_time_t_to_uint32(pdb_get_logoff_time(sampass));
+ kickoff_time = convert_time_t_to_uint32(pdb_get_kickoff_time(sampass));
+ bad_password_time = convert_time_t_to_uint32(pdb_get_bad_password_time(sampass));
+ pass_can_change_time = convert_time_t_to_uint32(pdb_get_pass_can_change_time_noncalc(sampass));
+ pass_must_change_time = convert_time_t_to_uint32(pdb_get_pass_must_change_time(sampass));
+ pass_last_set_time = convert_time_t_to_uint32(pdb_get_pass_last_set_time(sampass));
user_rid = pdb_get_user_rid(sampass);
group_rid = pdb_get_group_rid(sampass);
}
/* now for the real call to tdb_pack() */
- buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V3,
+ buflen = tdb_pack(*buf, len, TDB_FORMAT_STRING_V3,
logon_time, /* d */
logoff_time, /* d */
kickoff_time, /* d */
time_t LastBadPassword;
uint16 BadPasswordCount;
uint32 resettime;
+ BOOL res;
BadPasswordCount = pdb_get_bad_password_count(sampass);
if (!BadPasswordCount) {
return True;
}
- if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
+ become_root();
+ res = pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime);
+ unbecome_root();
+
+ if (!res) {
DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
return False;
}
LastBadPassword = pdb_get_bad_password_time(sampass);
DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
(uint32) LastBadPassword, resettime, (uint32)time(NULL)));
- if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
+ if (time(NULL) > (LastBadPassword + convert_uint32_to_time_t(resettime)*60)){
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
if (updated) {
{
uint32 duration;
time_t LastBadPassword;
+ BOOL res;
if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
return True;
}
- if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+ become_root();
+ res = pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration);
+ unbecome_root();
+
+ if (!res) {
DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
return False;
}
pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
if (LastBadPassword == (time_t)0) {
- DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
-bad password time. Leaving locked out.\n",
- pdb_get_username(sampass) ));
- return True;
+ DEBUG(1,("pdb_update_autolock_flag: Account %s "
+ "administratively locked out with no bad password "
+ "time. Leaving locked out.\n",
+ pdb_get_username(sampass) ));
+ return True;
}
- if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
+ if ((time(NULL) > (LastBadPassword + convert_uint32_to_time_t(duration) * 60))) {
pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
PDB_CHANGED);
return True;
}
+
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password
+*******************************************************************/
+
+BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+{
+ DOM_SID sid;
+ char *pwd;
+ time_t last_set_time;
+
+ /* if we are a DC and this is not our domain, then lookup an account
+ for the domain trust */
+
+ if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) {
+ DEBUG(0, ("get_trust_pw: could not fetch trust "
+ "account password for trusted domain %s\n",
+ domain));
+ return False;
+ }
+
+ *channel = SEC_CHAN_DOMAIN;
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+
+ return True;
+ }
+
+ /* Just get the account for the requested domain. In the future this
+ * might also cover to be member of more than one domain. */
+
+ if (secrets_fetch_trust_account_password(domain, ret_pwd,
+ &last_set_time, channel))
+ return True;
+
+ DEBUG(5, ("get_trust_pw: could not fetch trust account "
+ "password for domain %s\n", domain));
+ return False;
+}
+
+/* END */