2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 #define DBGC_CLASS DBGC_PASSDB
31 /******************************************************************
32 get the default domain/netbios name to be used when
33 testing authentication. For example, if you connect
34 to a Windows member server using a bogus domain name, the
35 Windows box will map the BOGUS\user to DOMAIN\user. A
36 standalone box will map to WKS\user.
37 ******************************************************************/
39 const char *my_sam_name(void)
41 /* standalone servers can only use the local netbios name */
42 if ( lp_server_role() == ROLE_STANDALONE )
43 return global_myname();
45 /* Windows domain members default to the DOMAIN
46 name when not specified */
47 return lp_workgroup();
50 /**********************************************************************
51 ***********************************************************************/
53 static int samu_destroy(void *p)
55 struct samu *user = (struct samu *)p;
57 data_blob_clear_free( &user->lm_pw );
58 data_blob_clear_free( &user->nt_pw );
60 if ( user->plaintext_pw )
61 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
66 /**********************************************************************
67 generate a new struct samuser
68 ***********************************************************************/
70 struct samu *samu_new( TALLOC_CTX *ctx )
74 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
75 DEBUG(0,("samuser_new: Talloc failed!\n"));
79 talloc_set_destructor( user, samu_destroy );
81 /* no initial methods */
85 /* Don't change these timestamp settings without a good reason.
86 They are important for NT member server compatibility. */
88 user->logon_time = (time_t)0;
89 user->pass_last_set_time = (time_t)0;
90 user->pass_can_change_time = (time_t)0;
91 user->logoff_time = get_time_t_max();
92 user->kickoff_time = get_time_t_max();
93 user->pass_must_change_time = get_time_t_max();
94 user->fields_present = 0x00ffffff;
95 user->logon_divs = 168; /* hours per week */
96 user->hours_len = 21; /* 21 times 8 bits = 168 */
97 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
98 user->bad_password_count = 0;
99 user->logon_count = 0;
100 user->unknown_6 = 0x000004ec; /* don't know */
102 /* Some parts of samba strlen their pdb_get...() returns,
103 so this keeps the interface unchanged for now. */
107 user->nt_username = "";
108 user->full_name = "";
110 user->logon_script = "";
111 user->profile_path = "";
112 user->acct_desc = "";
113 user->workstations = "";
115 user->munged_dial = "";
117 user->plaintext_pw = NULL;
119 /* Unless we know otherwise have a Account Control Bit
120 value of 'normal user'. This helps User Manager, which
121 asks for a filtered list of users. */
123 user->acct_ctrl = ACB_NORMAL;
129 /*********************************************************************
130 Initialize a struct samu from a struct passwd including the user
131 and group SIDs. The *user structure is filled out with the Unix
132 attributes and a user SID.
133 *********************************************************************/
135 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, BOOL create)
137 const char *guest_account = lp_guestaccount();
138 const char *domain = global_myname();
142 return NT_STATUS_NO_SUCH_USER;
145 /* Basic properties based upon the Unix account information */
147 pdb_set_username(user, pwd->pw_name, PDB_SET);
148 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
149 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
151 /* This can lead to a primary group of S-1-22-2-XX which
152 will be rejected by other parts of the Samba code.
153 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
156 gid_to_sid(&group_sid, pwd->pw_gid);
157 pdb_set_group_sid(user, &group_sid, PDB_SET);
160 /* save the password structure for later use */
162 user->unix_pw = tcopy_passwd( user, pwd );
164 /* Special case for the guest account which must have a RID of 501 */
166 if ( strequal( pwd->pw_name, guest_account ) ) {
167 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
168 return NT_STATUS_NO_SUCH_USER;
173 /* Non-guest accounts...Check for a workstation or user account */
175 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
178 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
179 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
181 return NT_STATUS_INVALID_COMPUTER_NAME;
187 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
188 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
190 return NT_STATUS_INVALID_ACCOUNT_NAME;
193 /* set some basic attributes */
195 pdb_set_profile_path(user, talloc_sub_specified(user,
196 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
198 pdb_set_homedir(user, talloc_sub_specified(user,
199 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
201 pdb_set_dir_drive(user, talloc_sub_specified(user,
202 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
204 pdb_set_logon_script(user, talloc_sub_specified(user,
205 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
209 /* Now deal with the user SID. If we have a backend that can generate
210 RIDs, then do so. But sometimes the caller just wanted a structure
211 initialized and will fill in these fields later (such as from a
212 NET_USER_INFO_3 structure) */
214 if ( create && !pdb_rid_algorithm() ) {
218 if ( !pdb_new_rid( &user_rid ) ) {
219 DEBUG(3, ("Could not allocate a new RID\n"));
220 return NT_STATUS_ACCESS_DENIED;
223 sid_copy( &user_sid, get_global_sam_sid() );
224 sid_append_rid( &user_sid, user_rid );
226 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
227 DEBUG(3, ("pdb_set_user_sid failed\n"));
228 return NT_STATUS_INTERNAL_ERROR;
234 /* generate a SID for the user with the RID algorithm */
236 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
238 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
239 return NT_STATUS_INTERNAL_ERROR;
245 /********************************************************************
246 Set the Unix user attributes
247 ********************************************************************/
249 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
251 return samu_set_unix_internal( user, pwd, False );
254 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
256 return samu_set_unix_internal( user, pwd, True );
259 /**********************************************************
260 Encode the account control bits into a string.
261 length = length of string to encode into (including terminating
262 null). length *MUST BE MORE THAN 2* !
263 **********************************************************/
265 char *pdb_encode_acct_ctrl(uint32 acct_ctrl, size_t length)
267 static fstring acct_str;
271 SMB_ASSERT(length <= sizeof(acct_str));
275 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
276 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
277 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
278 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
279 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
280 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
281 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
282 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
283 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
284 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
285 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
287 for ( ; i < length - 2 ; i++ )
292 acct_str[i++] = '\0';
297 /**********************************************************
298 Decode the account control bits from a string.
299 **********************************************************/
301 uint32 pdb_decode_acct_ctrl(const char *p)
303 uint32 acct_ctrl = 0;
304 BOOL finished = False;
307 * Check if the account type bits have been encoded after the
308 * NT password (in the form [NDHTUWSLXI]).
314 for (p++; *p && !finished; p++) {
316 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
317 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
318 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
319 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
320 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
321 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
322 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
323 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
324 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
325 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
326 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
332 default: { finished = True; }
339 /*************************************************************
340 Routine to set 32 hex password characters from a 16 byte array.
341 **************************************************************/
343 void pdb_sethexpwd(char *p, const unsigned char *pwd, uint32 acct_ctrl)
347 for (i = 0; i < 16; i++)
348 slprintf(&p[i*2], 3, "%02X", pwd[i]);
350 if (acct_ctrl & ACB_PWNOTREQ)
351 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
353 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
357 /*************************************************************
358 Routine to get the 32 hex characters and turn them
359 into a 16 byte array.
360 **************************************************************/
362 BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
365 unsigned char lonybble, hinybble;
366 const char *hexchars = "0123456789ABCDEF";
372 for (i = 0; i < 32; i += 2) {
373 hinybble = toupper_ascii(p[i]);
374 lonybble = toupper_ascii(p[i + 1]);
376 p1 = strchr(hexchars, hinybble);
377 p2 = strchr(hexchars, lonybble);
382 hinybble = PTR_DIFF(p1, hexchars);
383 lonybble = PTR_DIFF(p2, hexchars);
385 pwd[i / 2] = (hinybble << 4) | lonybble;
390 /*************************************************************
391 Routine to set 42 hex hours characters from a 21 byte array.
392 **************************************************************/
394 void pdb_sethexhours(char *p, const unsigned char *hours)
398 for (i = 0; i < 21; i++) {
399 slprintf(&p[i*2], 3, "%02X", hours[i]);
402 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
406 /*************************************************************
407 Routine to get the 42 hex characters and turn them
408 into a 21 byte array.
409 **************************************************************/
411 BOOL pdb_gethexhours(const char *p, unsigned char *hours)
414 unsigned char lonybble, hinybble;
415 const char *hexchars = "0123456789ABCDEF";
422 for (i = 0; i < 42; i += 2) {
423 hinybble = toupper_ascii(p[i]);
424 lonybble = toupper_ascii(p[i + 1]);
426 p1 = strchr(hexchars, hinybble);
427 p2 = strchr(hexchars, lonybble);
433 hinybble = PTR_DIFF(p1, hexchars);
434 lonybble = PTR_DIFF(p2, hexchars);
436 hours[i / 2] = (hinybble << 4) | lonybble;
441 /********************************************************************
442 ********************************************************************/
444 int algorithmic_rid_base(void)
446 static int rid_offset = 0;
451 rid_offset = lp_algorithmic_rid_base();
453 if (rid_offset < BASE_RID) {
454 /* Try to prevent admin foot-shooting, we can't put algorithmic
455 rids below 1000, that's the 'well known RIDs' on NT */
456 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
457 rid_offset = BASE_RID;
459 if (rid_offset & 1) {
460 DEBUG(0, ("algorithmic rid base must be even\n"));
466 /*******************************************************************
467 Converts NT user RID to a UNIX uid.
468 ********************************************************************/
470 uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
472 int rid_offset = algorithmic_rid_base();
473 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
476 uid_t max_algorithmic_uid(void)
478 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
481 /*******************************************************************
482 converts UNIX uid to an NT User RID.
483 ********************************************************************/
485 uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
487 int rid_offset = algorithmic_rid_base();
488 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
491 /*******************************************************************
492 Converts NT group RID to a UNIX gid.
493 ********************************************************************/
495 gid_t pdb_group_rid_to_gid(uint32 group_rid)
497 int rid_offset = algorithmic_rid_base();
498 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
501 gid_t max_algorithmic_gid(void)
503 return pdb_group_rid_to_gid(0xffffffff);
506 /*******************************************************************
507 converts NT Group RID to a UNIX uid.
509 warning: you must not call that function only
510 you must do a call to the group mapping first.
511 there is not anymore a direct link between the gid and the rid.
512 ********************************************************************/
514 uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
516 int rid_offset = algorithmic_rid_base();
517 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
520 /*******************************************************************
521 Decides if a RID is a well known RID.
522 ********************************************************************/
524 static BOOL rid_is_well_known(uint32 rid)
526 /* Not using rid_offset here, because this is the actual
527 NT fixed value (1000) */
529 return (rid < BASE_RID);
532 /*******************************************************************
533 Decides if a RID is a user or group RID.
534 ********************************************************************/
536 BOOL algorithmic_pdb_rid_is_user(uint32 rid)
538 if ( rid_is_well_known(rid) ) {
540 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
541 * and DOMAIN_USER_RID_GUEST.
543 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
545 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
551 /*******************************************************************
552 Convert a name into a SID. Used in the lookup name rpc.
553 ********************************************************************/
555 BOOL lookup_global_sam_name(const char *user, int flags, uint32_t *rid,
556 enum SID_NAME_USE *type)
561 /* Windows treats "MACHINE\None" as a special name for
562 rid 513 on non-DCs. You cannot create a user or group
563 name "None" on Windows. You will get an error that
564 the group already exists. */
566 if ( strequal( user, "None" ) ) {
567 *rid = DOMAIN_GROUP_RID_USERS;
568 *type = SID_NAME_DOM_GRP;
573 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
574 * correctly in the case where foo also exists as a user. If the flag
575 * is set, don't look for users at all. */
577 if ((flags & LOOKUP_NAME_GROUP) == 0) {
578 struct samu *sam_account = NULL;
581 if ( !(sam_account = samu_new( NULL )) ) {
586 ret = pdb_getsampwnam(sam_account, user);
590 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
593 TALLOC_FREE(sam_account);
596 if (!sid_check_is_in_our_domain(&user_sid)) {
597 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
598 user, sid_string_static(&user_sid)));
602 sid_peek_rid(&user_sid, rid);
603 *type = SID_NAME_USER;
609 * Maybe it is a group ?
613 ret = pdb_getgrnam(&map, user);
620 /* BUILTIN groups are looked up elsewhere */
621 if (!sid_check_is_in_our_domain(&map.sid)) {
622 DEBUG(10, ("Found group %s (%s) not in our domain -- "
624 sid_string_static(&map.sid)));
628 /* yes it's a mapped group */
629 sid_peek_rid(&map.sid, rid);
630 *type = map.sid_name_use;
634 /*************************************************************
635 Change a password entry in the local smbpasswd file.
636 *************************************************************/
638 NTSTATUS local_password_change(const char *user_name, int local_flags,
639 const char *new_passwd,
640 char *err_str, size_t err_str_len,
641 char *msg_str, size_t msg_str_len)
643 struct samu *sam_pass=NULL;
650 /* Get the smb passwd entry for this user */
652 if ( !(sam_pass = samu_new( NULL )) ) {
653 return NT_STATUS_NO_MEMORY;
657 if(!pdb_getsampwnam(sam_pass, user_name)) {
659 TALLOC_FREE(sam_pass);
661 if ((local_flags & LOCAL_ADD_USER) || (local_flags & LOCAL_DELETE_USER)) {
662 int tmp_debug = DEBUGLEVEL;
665 /* Might not exist in /etc/passwd. */
671 if ( !(pwd = getpwnam_alloc( NULL, user_name)) ) {
672 return NT_STATUS_NO_SUCH_USER;
675 /* create the struct samu and initialize the basic Unix properties */
677 if ( !(sam_pass = samu_new( NULL )) ) {
678 return NT_STATUS_NO_MEMORY;
681 result = samu_set_unix( sam_pass, pwd );
683 DEBUGLEVEL = tmp_debug;
687 if (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PRIMARY_GROUP)) {
691 if (!NT_STATUS_IS_OK(result)) {
692 slprintf(err_str, err_str_len-1, "Failed to " "initialize account for user %s: %s\n",
693 user_name, nt_errstr(result));
697 slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
698 return NT_STATUS_NO_SUCH_USER;
702 /* the entry already existed */
703 local_flags &= ~LOCAL_ADD_USER;
706 /* the 'other' acb bits not being changed here */
707 other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
708 if (local_flags & LOCAL_TRUST_ACCOUNT) {
709 if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
710 slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
711 TALLOC_FREE(sam_pass);
712 return NT_STATUS_UNSUCCESSFUL;
714 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
715 if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
716 slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
717 TALLOC_FREE(sam_pass);
718 return NT_STATUS_UNSUCCESSFUL;
721 if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
722 slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
723 TALLOC_FREE(sam_pass);
724 return NT_STATUS_UNSUCCESSFUL;
729 * We are root - just write the new password
730 * and the valid last change time.
733 if (local_flags & LOCAL_DISABLE_USER) {
734 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
735 slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
736 TALLOC_FREE(sam_pass);
737 return NT_STATUS_UNSUCCESSFUL;
739 } else if (local_flags & LOCAL_ENABLE_USER) {
740 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
741 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
742 TALLOC_FREE(sam_pass);
743 return NT_STATUS_UNSUCCESSFUL;
747 if (local_flags & LOCAL_SET_NO_PASSWORD) {
748 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
749 slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
750 TALLOC_FREE(sam_pass);
751 return NT_STATUS_UNSUCCESSFUL;
753 } else if (local_flags & LOCAL_SET_PASSWORD) {
755 * If we're dealing with setting a completely empty user account
756 * ie. One with a password of 'XXXX', but not set disabled (like
757 * an account created from scratch) then if the old password was
758 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
759 * We remove that as we're giving this user their first password
760 * and the decision hasn't really been made to disable them (ie.
761 * don't create them disabled). JRA.
763 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
764 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
765 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
766 TALLOC_FREE(sam_pass);
767 return NT_STATUS_UNSUCCESSFUL;
770 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
771 slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
772 TALLOC_FREE(sam_pass);
773 return NT_STATUS_UNSUCCESSFUL;
776 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
777 slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
778 TALLOC_FREE(sam_pass);
779 return NT_STATUS_UNSUCCESSFUL;
783 if (local_flags & LOCAL_ADD_USER) {
784 if (NT_STATUS_IS_OK(pdb_add_sam_account(sam_pass))) {
785 slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
786 TALLOC_FREE(sam_pass);
789 slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
790 TALLOC_FREE(sam_pass);
791 return NT_STATUS_UNSUCCESSFUL;
793 } else if (local_flags & LOCAL_DELETE_USER) {
794 if (!NT_STATUS_IS_OK(pdb_delete_sam_account(sam_pass))) {
795 slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
796 TALLOC_FREE(sam_pass);
797 return NT_STATUS_UNSUCCESSFUL;
799 slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
801 result = pdb_update_sam_account(sam_pass);
802 if(!NT_STATUS_IS_OK(result)) {
803 slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
804 TALLOC_FREE(sam_pass);
807 if(local_flags & LOCAL_DISABLE_USER)
808 slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
809 else if (local_flags & LOCAL_ENABLE_USER)
810 slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
811 else if (local_flags & LOCAL_SET_NO_PASSWORD)
812 slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
815 TALLOC_FREE(sam_pass);
819 /**********************************************************************
820 Marshall/unmarshall struct samu structs.
821 *********************************************************************/
823 #define TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
825 /*********************************************************************
826 *********************************************************************/
828 BOOL init_sam_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
831 /* times are stored as 32bit integer
832 take care on system with 64bit wide time_t
839 pass_can_change_time,
840 pass_must_change_time;
841 char *username = NULL;
843 char *nt_username = NULL;
844 char *dir_drive = NULL;
845 char *unknown_str = NULL;
846 char *munged_dial = NULL;
847 char *fullname = NULL;
848 char *homedir = NULL;
849 char *logon_script = NULL;
850 char *profile_path = NULL;
851 char *acct_desc = NULL;
852 char *workstations = NULL;
853 uint32 username_len, domain_len, nt_username_len,
854 dir_drive_len, unknown_str_len, munged_dial_len,
855 fullname_len, homedir_len, logon_script_len,
856 profile_path_len, acct_desc_len, workstations_len;
858 uint32 user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
860 uint16 bad_password_count, logon_count;
862 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
864 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
865 uint32 pwHistLen = 0;
868 BOOL expand_explicit = lp_passdb_expand_explicit();
870 if(sampass == NULL || buf == NULL) {
871 DEBUG(0, ("init_sam_from_buffer_v3: NULL parameters found!\n"));
875 /* TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
877 /* unpack the buffer into variables */
878 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V3,
880 &logoff_time, /* d */
881 &kickoff_time, /* d */
882 &bad_password_time, /* d */
883 &pass_last_set_time, /* d */
884 &pass_can_change_time, /* d */
885 &pass_must_change_time, /* d */
886 &username_len, &username, /* B */
887 &domain_len, &domain, /* B */
888 &nt_username_len, &nt_username, /* B */
889 &fullname_len, &fullname, /* B */
890 &homedir_len, &homedir, /* B */
891 &dir_drive_len, &dir_drive, /* B */
892 &logon_script_len, &logon_script, /* B */
893 &profile_path_len, &profile_path, /* B */
894 &acct_desc_len, &acct_desc, /* B */
895 &workstations_len, &workstations, /* B */
896 &unknown_str_len, &unknown_str, /* B */
897 &munged_dial_len, &munged_dial, /* B */
900 &lm_pw_len, &lm_pw_ptr, /* B */
901 &nt_pw_len, &nt_pw_ptr, /* B */
902 /* Change from V1 is addition of password history field. */
903 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
904 /* Change from V2 is the uint32 acb_mask */
906 /* Also "remove_me" field was removed. */
909 &hourslen, &hours, /* B */
910 &bad_password_count, /* w */
911 &logon_count, /* w */
914 if (len == (uint32) -1) {
919 pdb_set_logon_time(sampass, logon_time, PDB_SET);
920 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
921 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
922 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
923 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
924 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
925 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
927 pdb_set_username(sampass, username, PDB_SET);
928 pdb_set_domain(sampass, domain, PDB_SET);
929 pdb_set_nt_username(sampass, nt_username, PDB_SET);
930 pdb_set_fullname(sampass, fullname, PDB_SET);
933 fstrcpy( tmpstring, homedir );
934 if (expand_explicit) {
935 standard_sub_basic( username, domain, tmpstring,
938 pdb_set_homedir(sampass, tmpstring, PDB_SET);
941 pdb_set_homedir(sampass,
942 talloc_sub_basic(sampass, username, domain,
948 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
950 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
953 fstrcpy( tmpstring, logon_script );
954 if (expand_explicit) {
955 standard_sub_basic( username, domain, tmpstring,
958 pdb_set_logon_script(sampass, tmpstring, PDB_SET);
961 pdb_set_logon_script(sampass,
962 talloc_sub_basic(sampass, username, domain,
968 fstrcpy( tmpstring, profile_path );
969 if (expand_explicit) {
970 standard_sub_basic( username, domain, tmpstring,
973 pdb_set_profile_path(sampass, tmpstring, PDB_SET);
976 pdb_set_profile_path(sampass,
977 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
981 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
982 pdb_set_workstations(sampass, workstations, PDB_SET);
983 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
985 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
986 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
992 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
993 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
999 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1001 uint8 *pw_hist = (uint8 *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1006 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1007 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1009 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1010 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1011 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1012 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1013 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1014 PW_HISTORY_ENTRY_LEN);
1017 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1024 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1027 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1028 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1029 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1030 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1031 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1032 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1033 /* Change from V2 is the uint32 acct_ctrl */
1034 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1035 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1036 pdb_set_hours(sampass, hours, PDB_SET);
1040 SAFE_FREE(username);
1042 SAFE_FREE(nt_username);
1043 SAFE_FREE(fullname);
1045 SAFE_FREE(dir_drive);
1046 SAFE_FREE(logon_script);
1047 SAFE_FREE(profile_path);
1048 SAFE_FREE(acct_desc);
1049 SAFE_FREE(workstations);
1050 SAFE_FREE(munged_dial);
1051 SAFE_FREE(unknown_str);
1052 SAFE_FREE(lm_pw_ptr);
1053 SAFE_FREE(nt_pw_ptr);
1054 SAFE_FREE(nt_pw_hist_ptr);
1060 /*********************************************************************
1061 *********************************************************************/
1063 uint32 init_buffer_from_sam_v3 (uint8 **buf, struct samu *sampass, BOOL size_only)
1067 /* times are stored as 32bit integer
1068 take care on system with 64bit wide time_t
1075 pass_can_change_time,
1076 pass_must_change_time;
1078 uint32 user_rid, group_rid;
1080 const char *username;
1082 const char *nt_username;
1083 const char *dir_drive;
1084 const char *unknown_str;
1085 const char *munged_dial;
1086 const char *fullname;
1087 const char *homedir;
1088 const char *logon_script;
1089 const char *profile_path;
1090 const char *acct_desc;
1091 const char *workstations;
1092 uint32 username_len, domain_len, nt_username_len,
1093 dir_drive_len, unknown_str_len, munged_dial_len,
1094 fullname_len, homedir_len, logon_script_len,
1095 profile_path_len, acct_desc_len, workstations_len;
1099 const uint8 *nt_pw_hist;
1100 uint32 lm_pw_len = 16;
1101 uint32 nt_pw_len = 16;
1102 uint32 nt_pw_hist_len;
1103 uint32 pwHistLen = 0;
1108 logon_time = (uint32)pdb_get_logon_time(sampass);
1109 logoff_time = (uint32)pdb_get_logoff_time(sampass);
1110 kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
1111 bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
1112 pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
1113 pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
1114 pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
1116 user_rid = pdb_get_user_rid(sampass);
1117 group_rid = pdb_get_group_rid(sampass);
1119 username = pdb_get_username(sampass);
1121 username_len = strlen(username) +1;
1126 domain = pdb_get_domain(sampass);
1128 domain_len = strlen(domain) +1;
1133 nt_username = pdb_get_nt_username(sampass);
1135 nt_username_len = strlen(nt_username) +1;
1137 nt_username_len = 0;
1140 fullname = pdb_get_fullname(sampass);
1142 fullname_len = strlen(fullname) +1;
1148 * Only updates fields which have been set (not defaults from smb.conf)
1151 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1152 dir_drive = pdb_get_dir_drive(sampass);
1157 dir_drive_len = strlen(dir_drive) +1;
1162 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1163 homedir = pdb_get_homedir(sampass);
1168 homedir_len = strlen(homedir) +1;
1173 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1174 logon_script = pdb_get_logon_script(sampass);
1176 logon_script = NULL;
1179 logon_script_len = strlen(logon_script) +1;
1181 logon_script_len = 0;
1184 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1185 profile_path = pdb_get_profile_path(sampass);
1187 profile_path = NULL;
1190 profile_path_len = strlen(profile_path) +1;
1192 profile_path_len = 0;
1195 lm_pw = pdb_get_lanman_passwd(sampass);
1200 nt_pw = pdb_get_nt_passwd(sampass);
1205 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1206 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1207 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1208 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1213 acct_desc = pdb_get_acct_desc(sampass);
1215 acct_desc_len = strlen(acct_desc) +1;
1220 workstations = pdb_get_workstations(sampass);
1222 workstations_len = strlen(workstations) +1;
1224 workstations_len = 0;
1228 unknown_str_len = 0;
1230 munged_dial = pdb_get_munged_dial(sampass);
1232 munged_dial_len = strlen(munged_dial) +1;
1234 munged_dial_len = 0;
1237 /* TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1239 /* one time to get the size needed */
1240 len = tdb_pack(NULL, 0, TDB_FORMAT_STRING_V3,
1242 logoff_time, /* d */
1243 kickoff_time, /* d */
1244 bad_password_time, /* d */
1245 pass_last_set_time, /* d */
1246 pass_can_change_time, /* d */
1247 pass_must_change_time, /* d */
1248 username_len, username, /* B */
1249 domain_len, domain, /* B */
1250 nt_username_len, nt_username, /* B */
1251 fullname_len, fullname, /* B */
1252 homedir_len, homedir, /* B */
1253 dir_drive_len, dir_drive, /* B */
1254 logon_script_len, logon_script, /* B */
1255 profile_path_len, profile_path, /* B */
1256 acct_desc_len, acct_desc, /* B */
1257 workstations_len, workstations, /* B */
1258 unknown_str_len, unknown_str, /* B */
1259 munged_dial_len, munged_dial, /* B */
1262 lm_pw_len, lm_pw, /* B */
1263 nt_pw_len, nt_pw, /* B */
1264 nt_pw_hist_len, nt_pw_hist, /* B */
1265 pdb_get_acct_ctrl(sampass), /* d */
1266 pdb_get_logon_divs(sampass), /* w */
1267 pdb_get_hours_len(sampass), /* d */
1268 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1269 pdb_get_bad_password_count(sampass), /* w */
1270 pdb_get_logon_count(sampass), /* w */
1271 pdb_get_unknown_6(sampass)); /* d */
1277 /* malloc the space needed */
1278 if ( (*buf=(uint8*)SMB_MALLOC(len)) == NULL) {
1279 DEBUG(0,("init_buffer_from_sam_v3: Unable to malloc() memory for buffer!\n"));
1283 /* now for the real call to tdb_pack() */
1284 buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V3,
1286 logoff_time, /* d */
1287 kickoff_time, /* d */
1288 bad_password_time, /* d */
1289 pass_last_set_time, /* d */
1290 pass_can_change_time, /* d */
1291 pass_must_change_time, /* d */
1292 username_len, username, /* B */
1293 domain_len, domain, /* B */
1294 nt_username_len, nt_username, /* B */
1295 fullname_len, fullname, /* B */
1296 homedir_len, homedir, /* B */
1297 dir_drive_len, dir_drive, /* B */
1298 logon_script_len, logon_script, /* B */
1299 profile_path_len, profile_path, /* B */
1300 acct_desc_len, acct_desc, /* B */
1301 workstations_len, workstations, /* B */
1302 unknown_str_len, unknown_str, /* B */
1303 munged_dial_len, munged_dial, /* B */
1306 lm_pw_len, lm_pw, /* B */
1307 nt_pw_len, nt_pw, /* B */
1308 nt_pw_hist_len, nt_pw_hist, /* B */
1309 pdb_get_acct_ctrl(sampass), /* d */
1310 pdb_get_logon_divs(sampass), /* w */
1311 pdb_get_hours_len(sampass), /* d */
1312 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1313 pdb_get_bad_password_count(sampass), /* w */
1314 pdb_get_logon_count(sampass), /* w */
1315 pdb_get_unknown_6(sampass)); /* d */
1317 /* check to make sure we got it correct */
1318 if (buflen != len) {
1319 DEBUG(0, ("init_buffer_from_sam_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
1320 (unsigned long)buflen, (unsigned long)len));
1330 /*********************************************************************
1331 *********************************************************************/
1333 BOOL pdb_copy_sam_account(struct samu *dst, struct samu *src )
1338 len = init_buffer_from_sam_v3(&buf, src, False);
1339 if (len == -1 || !buf) {
1344 if (!init_sam_from_buffer_v3( dst, buf, len )) {
1349 dst->methods = src->methods;
1351 if ( src->unix_pw ) {
1352 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
1353 if (!dst->unix_pw) {
1363 /*********************************************************************
1364 Update the bad password count checking the AP_RESET_COUNT_TIME
1365 *********************************************************************/
1367 BOOL pdb_update_bad_password_count(struct samu *sampass, BOOL *updated)
1369 time_t LastBadPassword;
1370 uint16 BadPasswordCount;
1373 BadPasswordCount = pdb_get_bad_password_count(sampass);
1374 if (!BadPasswordCount) {
1375 DEBUG(9, ("No bad password attempts.\n"));
1379 if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
1380 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
1384 /* First, check if there is a reset time to compare */
1385 if ((resettime == (uint32) -1) || (resettime == 0)) {
1386 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
1390 LastBadPassword = pdb_get_bad_password_time(sampass);
1391 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
1392 (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
1393 if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
1394 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
1395 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
1404 /*********************************************************************
1405 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
1406 *********************************************************************/
1408 BOOL pdb_update_autolock_flag(struct samu *sampass, BOOL *updated)
1411 time_t LastBadPassword;
1413 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
1414 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
1415 pdb_get_username(sampass)));
1419 if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
1420 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
1424 /* First, check if there is a duration to compare */
1425 if ((duration == (uint32) -1) || (duration == 0)) {
1426 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
1430 LastBadPassword = pdb_get_bad_password_time(sampass);
1431 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
1432 pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
1434 if (LastBadPassword == (time_t)0) {
1435 DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
1436 bad password time. Leaving locked out.\n",
1437 pdb_get_username(sampass) ));
1441 if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
1442 pdb_set_acct_ctrl(sampass,
1443 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
1445 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
1446 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
1455 /*********************************************************************
1456 Increment the bad_password_count
1457 *********************************************************************/
1459 BOOL pdb_increment_bad_password_count(struct samu *sampass)
1461 uint32 account_policy_lockout;
1462 BOOL autolock_updated = False, badpw_updated = False;
1465 /* Retrieve the account lockout policy */
1467 ret = pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
1470 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
1474 /* If there is no policy, we don't need to continue checking */
1475 if (!account_policy_lockout) {
1476 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
1480 /* Check if the autolock needs to be cleared */
1481 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
1484 /* Check if the badpw count needs to be reset */
1485 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
1489 Ok, now we can assume that any resetting that needs to be
1490 done has been done, and just get on with incrementing
1491 and autolocking if necessary
1494 pdb_set_bad_password_count(sampass,
1495 pdb_get_bad_password_count(sampass)+1,
1497 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
1500 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
1503 if (!pdb_set_acct_ctrl(sampass,
1504 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
1506 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
git.samba.org / ira / wip.git / blob