This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
/**********************************************************************
***********************************************************************/
-static int samu_destroy(void *p)
+static int samu_destroy(struct samu *user)
{
- struct samu *user = (struct samu *)p;
-
data_blob_clear_free( &user->lm_pw );
data_blob_clear_free( &user->nt_pw );
attributes and a user SID.
*********************************************************************/
-static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, BOOL create)
+static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
{
const char *guest_account = lp_guestaccount();
const char *domain = global_myname();
- DOM_SID group_sid;
uint32 urid;
if ( !pwd ) {
pdb_set_username(user, pwd->pw_name, PDB_SET);
pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
+#if 0
+ /* This can lead to a primary group of S-1-22-2-XX which
+ will be rejected by other parts of the Samba code.
+ Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
+ --jerry */
+
gid_to_sid(&group_sid, pwd->pw_gid);
pdb_set_group_sid(user, &group_sid, PDB_SET);
+#endif
/* save the password structure for later use */
char *pdb_encode_acct_ctrl(uint32 acct_ctrl, size_t length)
{
- static fstring acct_str;
+ fstring acct_str;
+ char *result;
size_t i = 0;
acct_str[i++] = ']';
acct_str[i++] = '\0';
- return acct_str;
+ result = talloc_strdup(talloc_tos(), acct_str);
+ SMB_ASSERT(result != NULL);
+ return result;
}
/**********************************************************
uint32 pdb_decode_acct_ctrl(const char *p)
{
uint32 acct_ctrl = 0;
- BOOL finished = False;
+ bool finished = False;
/*
* Check if the account type bits have been encoded after the
Routine to set 32 hex password characters from a 16 byte array.
**************************************************************/
-void pdb_sethexpwd(char *p, const unsigned char *pwd, uint32 acct_ctrl)
+void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32 acct_ctrl)
{
if (pwd != NULL) {
int i;
slprintf(&p[i*2], 3, "%02X", pwd[i]);
} else {
if (acct_ctrl & ACB_PWNOTREQ)
- safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
+ safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
else
- safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
+ safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
}
}
into a 16 byte array.
**************************************************************/
-BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
+bool pdb_gethexpwd(const char *p, unsigned char *pwd)
{
int i;
unsigned char lonybble, hinybble;
into a 21 byte array.
**************************************************************/
-BOOL pdb_gethexhours(const char *p, unsigned char *hours)
+bool pdb_gethexhours(const char *p, unsigned char *hours)
{
int i;
unsigned char lonybble, hinybble;
there is not anymore a direct link between the gid and the rid.
********************************************************************/
-uint32 pdb_gid_to_group_rid(gid_t gid)
+uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
{
int rid_offset = algorithmic_rid_base();
return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
Decides if a RID is a well known RID.
********************************************************************/
-static BOOL rid_is_well_known(uint32 rid)
+static bool rid_is_well_known(uint32 rid)
{
/* Not using rid_offset here, because this is the actual
NT fixed value (1000) */
Decides if a RID is a user or group RID.
********************************************************************/
-BOOL algorithmic_pdb_rid_is_user(uint32 rid)
+bool algorithmic_pdb_rid_is_user(uint32 rid)
{
if ( rid_is_well_known(rid) ) {
/*
Convert a name into a SID. Used in the lookup name rpc.
********************************************************************/
-BOOL lookup_global_sam_name(const char *user, int flags, uint32_t *rid,
- enum SID_NAME_USE *type)
+bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
+ enum lsa_SidType *type)
{
GROUP_MAP map;
- BOOL ret;
+ bool ret;
/* Windows treats "MACHINE\None" as a special name for
rid 513 on non-DCs. You cannot create a user or group
name "None" on Windows. You will get an error that
the group already exists. */
- if ( strequal( user, "None" ) ) {
+ if ( strequal( name, "None" ) ) {
*rid = DOMAIN_GROUP_RID_USERS;
*type = SID_NAME_DOM_GRP;
}
become_root();
- ret = pdb_getsampwnam(sam_account, user);
+ ret = pdb_getsampwnam(sam_account, name);
unbecome_root();
if (ret) {
if (ret) {
if (!sid_check_is_in_our_domain(&user_sid)) {
DEBUG(0, ("User %s with invalid SID %s in passdb\n",
- user, sid_string_static(&user_sid)));
+ name, sid_string_dbg(&user_sid)));
return False;
}
*/
become_root();
- ret = pdb_getgrnam(&map, user);
+ ret = pdb_getgrnam(&map, name);
unbecome_root();
if (!ret) {
/* BUILTIN groups are looked up elsewhere */
if (!sid_check_is_in_our_domain(&map.sid)) {
DEBUG(10, ("Found group %s (%s) not in our domain -- "
- "ignoring.", user,
- sid_string_static(&map.sid)));
+ "ignoring.", name, sid_string_dbg(&map.sid)));
return False;
}
Change a password entry in the local smbpasswd file.
*************************************************************/
-NTSTATUS local_password_change(const char *user_name, int local_flags,
- const char *new_passwd,
- char *err_str, size_t err_str_len,
- char *msg_str, size_t msg_str_len)
+NTSTATUS local_password_change(const char *user_name,
+ int local_flags,
+ const char *new_passwd,
+ char **pp_err_str,
+ char **pp_msg_str)
{
struct samu *sam_pass=NULL;
uint32 other_acb;
NTSTATUS result;
- *err_str = '\0';
- *msg_str = '\0';
+ *pp_err_str = NULL;
+ *pp_msg_str = NULL;
/* Get the smb passwd entry for this user */
}
if (!NT_STATUS_IS_OK(result)) {
- slprintf(err_str, err_str_len-1, "Failed to " "initialize account for user %s: %s\n",
+ asprintf(pp_err_str, "Failed to " "initialize account for user %s: %s\n",
user_name, nt_errstr(result));
return result;
}
} else {
- slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to find entry for user %s.\n", user_name);
return NT_STATUS_NO_SUCH_USER;
}
} else {
}
/* the 'other' acb bits not being changed here */
- other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
+ other_acb = (pdb_get_acct_ctrl(sam_pass) & (~(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
if (local_flags & LOCAL_TRUST_ACCOUNT) {
if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
- slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
} else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
- slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
} else {
if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
- slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to set 'normal account' flags for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
if (local_flags & LOCAL_DISABLE_USER) {
if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to set 'disabled' flag for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
} else if (local_flags & LOCAL_ENABLE_USER) {
if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to unset 'disabled' flag for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
if (local_flags & LOCAL_SET_NO_PASSWORD) {
if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to set 'no password required' flag for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
*/
if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to unset 'disabled' flag for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
}
if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to unset 'no password required' flag for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
- slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to set password for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
if (local_flags & LOCAL_ADD_USER) {
if (NT_STATUS_IS_OK(pdb_add_sam_account(sam_pass))) {
- slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
+ asprintf(pp_msg_str, "Added user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_OK;
} else {
- slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to add entry for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
} else if (local_flags & LOCAL_DELETE_USER) {
if (!NT_STATUS_IS_OK(pdb_delete_sam_account(sam_pass))) {
- slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to delete entry for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
- slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
+ asprintf(pp_msg_str, "Deleted user %s.\n", user_name);
} else {
result = pdb_update_sam_account(sam_pass);
if(!NT_STATUS_IS_OK(result)) {
- slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
+ asprintf(pp_err_str, "Failed to modify entry for user %s.\n", user_name);
TALLOC_FREE(sam_pass);
return result;
}
if(local_flags & LOCAL_DISABLE_USER)
- slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
+ asprintf(pp_msg_str, "Disabled user %s.\n", user_name);
else if (local_flags & LOCAL_ENABLE_USER)
- slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
+ asprintf(pp_msg_str, "Enabled user %s.\n", user_name);
else if (local_flags & LOCAL_SET_NO_PASSWORD)
- slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
+ asprintf(pp_msg_str, "User %s password set to none.\n", user_name);
}
TALLOC_FREE(sam_pass);
/*********************************************************************
*********************************************************************/
-BOOL init_sam_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
+bool init_sam_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
{
/* times are stored as 32bit integer
uint32 len = 0;
uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
uint32 pwHistLen = 0;
- BOOL ret = True;
- fstring tmpstring;
- BOOL expand_explicit = lp_passdb_expand_explicit();
+ bool ret = True;
+ fstring tmp_string;
+ bool expand_explicit = lp_passdb_expand_explicit();
if(sampass == NULL || buf == NULL) {
DEBUG(0, ("init_sam_from_buffer_v3: NULL parameters found!\n"));
/* TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
/* unpack the buffer into variables */
- len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V3,
+ len = tdb_unpack (buf, buflen, TDB_FORMAT_STRING_V3,
&logon_time, /* d */
&logoff_time, /* d */
&kickoff_time, /* d */
goto done;
}
- pdb_set_logon_time(sampass, logon_time, PDB_SET);
- pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
- pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
- pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
- pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
- pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
+ pdb_set_logon_time(sampass, convert_uint32_to_time_t(logon_time), PDB_SET);
+ pdb_set_logoff_time(sampass, convert_uint32_to_time_t(logoff_time), PDB_SET);
+ pdb_set_kickoff_time(sampass, convert_uint32_to_time_t(kickoff_time), PDB_SET);
+ pdb_set_bad_password_time(sampass, convert_uint32_to_time_t(bad_password_time), PDB_SET);
+ pdb_set_pass_can_change_time(sampass, convert_uint32_to_time_t(pass_can_change_time), PDB_SET);
+ pdb_set_pass_must_change_time(sampass, convert_uint32_to_time_t(pass_must_change_time), PDB_SET);
+ pdb_set_pass_last_set_time(sampass, convert_uint32_to_time_t(pass_last_set_time), PDB_SET);
pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
if (homedir) {
- fstrcpy( tmpstring, homedir );
+ fstrcpy( tmp_string, homedir );
if (expand_explicit) {
- standard_sub_basic( username, domain, tmpstring,
- sizeof(tmpstring) );
+ standard_sub_basic( username, domain, tmp_string,
+ sizeof(tmp_string) );
}
- pdb_set_homedir(sampass, tmpstring, PDB_SET);
+ pdb_set_homedir(sampass, tmp_string, PDB_SET);
}
else {
pdb_set_homedir(sampass,
pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
if (logon_script) {
- fstrcpy( tmpstring, logon_script );
+ fstrcpy( tmp_string, logon_script );
if (expand_explicit) {
- standard_sub_basic( username, domain, tmpstring,
- sizeof(tmpstring) );
+ standard_sub_basic( username, domain, tmp_string,
+ sizeof(tmp_string) );
}
- pdb_set_logon_script(sampass, tmpstring, PDB_SET);
+ pdb_set_logon_script(sampass, tmp_string, PDB_SET);
}
else {
pdb_set_logon_script(sampass,
}
if (profile_path) {
- fstrcpy( tmpstring, profile_path );
+ fstrcpy( tmp_string, profile_path );
if (expand_explicit) {
- standard_sub_basic( username, domain, tmpstring,
- sizeof(tmpstring) );
+ standard_sub_basic( username, domain, tmp_string,
+ sizeof(tmp_string) );
}
- pdb_set_profile_path(sampass, tmpstring, PDB_SET);
+ pdb_set_profile_path(sampass, tmp_string, PDB_SET);
}
else {
pdb_set_profile_path(sampass,
}
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
pdb_set_logon_count(sampass, logon_count, PDB_SET);
/*********************************************************************
*********************************************************************/
-uint32 init_buffer_from_sam_v3 (uint8 **buf, struct samu *sampass, BOOL size_only)
+uint32 init_buffer_from_sam_v3 (uint8 **buf, struct samu *sampass, bool size_only)
{
size_t len, buflen;
*buf = NULL;
buflen = 0;
- logon_time = (uint32)pdb_get_logon_time(sampass);
- logoff_time = (uint32)pdb_get_logoff_time(sampass);
- kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
- bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
- pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
- pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
- pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
+ logon_time = convert_time_t_to_uint32(pdb_get_logon_time(sampass));
+ logoff_time = convert_time_t_to_uint32(pdb_get_logoff_time(sampass));
+ kickoff_time = convert_time_t_to_uint32(pdb_get_kickoff_time(sampass));
+ bad_password_time = convert_time_t_to_uint32(pdb_get_bad_password_time(sampass));
+ pass_can_change_time = convert_time_t_to_uint32(pdb_get_pass_can_change_time_noncalc(sampass));
+ pass_must_change_time = convert_time_t_to_uint32(pdb_get_pass_must_change_time(sampass));
+ pass_last_set_time = convert_time_t_to_uint32(pdb_get_pass_last_set_time(sampass));
user_rid = pdb_get_user_rid(sampass);
group_rid = pdb_get_group_rid(sampass);
}
/* now for the real call to tdb_pack() */
- buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V3,
+ buflen = tdb_pack(*buf, len, TDB_FORMAT_STRING_V3,
logon_time, /* d */
logoff_time, /* d */
kickoff_time, /* d */
/*********************************************************************
*********************************************************************/
-BOOL pdb_copy_sam_account(struct samu *dst, struct samu *src )
+bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
{
uint8 *buf = NULL;
int len;
Update the bad password count checking the AP_RESET_COUNT_TIME
*********************************************************************/
-BOOL pdb_update_bad_password_count(struct samu *sampass, BOOL *updated)
+bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
{
time_t LastBadPassword;
uint16 BadPasswordCount;
uint32 resettime;
+ bool res;
BadPasswordCount = pdb_get_bad_password_count(sampass);
if (!BadPasswordCount) {
return True;
}
- if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
+ become_root();
+ res = pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime);
+ unbecome_root();
+
+ if (!res) {
DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
return False;
}
LastBadPassword = pdb_get_bad_password_time(sampass);
DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
(uint32) LastBadPassword, resettime, (uint32)time(NULL)));
- if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
+ if (time(NULL) > (LastBadPassword + convert_uint32_to_time_t(resettime)*60)){
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
if (updated) {
Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
*********************************************************************/
-BOOL pdb_update_autolock_flag(struct samu *sampass, BOOL *updated)
+bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
{
uint32 duration;
time_t LastBadPassword;
+ bool res;
if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
return True;
}
- if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+ become_root();
+ res = pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration);
+ unbecome_root();
+
+ if (!res) {
DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
return False;
}
pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
if (LastBadPassword == (time_t)0) {
- DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
-bad password time. Leaving locked out.\n",
- pdb_get_username(sampass) ));
- return True;
+ DEBUG(1,("pdb_update_autolock_flag: Account %s "
+ "administratively locked out with no bad password "
+ "time. Leaving locked out.\n",
+ pdb_get_username(sampass) ));
+ return True;
}
- if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
+ if ((time(NULL) > (LastBadPassword + convert_uint32_to_time_t(duration) * 60))) {
pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
PDB_CHANGED);
Increment the bad_password_count
*********************************************************************/
-BOOL pdb_increment_bad_password_count(struct samu *sampass)
+bool pdb_increment_bad_password_count(struct samu *sampass)
{
uint32 account_policy_lockout;
- BOOL autolock_updated = False, badpw_updated = False;
- BOOL ret;
+ bool autolock_updated = False, badpw_updated = False;
+ bool ret;
/* Retrieve the account lockout policy */
become_root();
return True;
}
+
+bool is_trusted_domain_situation(const char *domain_name)
+{
+ return IS_DC &&
+ lp_allow_trusted_domains() &&
+ !strequal(domain_name, lp_workgroup());
+}
+
+/*******************************************************************
+ Wrapper around retrieving the clear text trust account password.
+ appropriate account name is stored in account_name.
+ Caller must free password, but not account_name.
+*******************************************************************/
+
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name, uint32 *channel)
+{
+ char *pwd;
+ time_t last_set_time;
+
+ /* if we are a DC and this is not our domain, then lookup an account
+ * for the domain trust */
+
+ if (is_trusted_domain_situation(domain)) {
+ if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
+ &last_set_time))
+ {
+ DEBUG(0, ("get_trust_pw: could not fetch trust "
+ "account password for trusted domain %s\n",
+ domain));
+ return false;
+ }
+
+ *channel = SEC_CHAN_DOMAIN;
+
+ if (account_name != NULL) {
+ *account_name = lp_workgroup();
+ }
+
+ return true;
+ }
+
+ /* Just get the account for the requested domain. In the future this
+ * might also cover to be member of more than one domain. */
+
+ pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+
+ if (pwd != NULL) {
+ *ret_pwd = pwd;
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
+
+ DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+ "account password for domain %s\n", domain));
+ return false;
+}
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
+*******************************************************************/
+
+bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
+ const char **account_name, uint32 *channel)
+{
+ char *pwd = NULL;
+ time_t last_set_time;
+
+ if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+ return true;
+ } else if (is_trusted_domain_situation(domain)) {
+ return false;
+ }
+
+ /* as a fallback, try to get the hashed pwd directly from the tdb... */
+
+ if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ &last_set_time,
+ channel))
+ {
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
+
+ DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
+ "password for domain %s\n", domain));
+ return False;
+}
+
git.samba.org / amitay / samba.git / blobdiff