2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2001
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_PASSDB
30 /******************************************************************
31 get the default domain/netbios name to be used when
32 testing authentication. For example, if you connect
33 to a Windows member server using a bogus domain name, the
34 Windows box will map the BOGUS\user to DOMAIN\user. A
35 standalone box will map to WKS\user.
36 ******************************************************************/
38 const char *get_default_sam_name(void)
40 /* standalone servers can only use the local netbios name */
41 if ( lp_server_role() == ROLE_STANDALONE )
42 return global_myname();
44 /* Windows domain members default to the DOMAIN
45 name when not specified */
46 return lp_workgroup();
49 /************************************************************
50 Fill the SAM_ACCOUNT with default values.
51 ***********************************************************/
53 void pdb_fill_default_sam(SAM_ACCOUNT *user)
55 ZERO_STRUCT(user->private_u); /* Don't touch the talloc context */
57 /* no initial methods */
60 /* Don't change these timestamp settings without a good reason.
61 They are important for NT member server compatibility. */
63 user->private_u.logon_time = (time_t)0;
64 user->private_u.pass_last_set_time = (time_t)0;
65 user->private_u.pass_can_change_time = (time_t)0;
66 user->private_u.logoff_time =
67 user->private_u.kickoff_time =
68 user->private_u.pass_must_change_time = get_time_t_max();
69 user->private_u.fields_present = 0x00ffffff;
70 user->private_u.logon_divs = 168; /* hours per week */
71 user->private_u.hours_len = 21; /* 21 times 8 bits = 168 */
72 memset(user->private_u.hours, 0xff, user->private_u.hours_len); /* available at all hours */
73 user->private_u.bad_password_count = 0;
74 user->private_u.logon_count = 0;
75 user->private_u.unknown_6 = 0x000004ec; /* don't know */
77 /* Some parts of samba strlen their pdb_get...() returns,
78 so this keeps the interface unchanged for now. */
80 user->private_u.username = "";
81 user->private_u.domain = "";
82 user->private_u.nt_username = "";
83 user->private_u.full_name = "";
84 user->private_u.home_dir = "";
85 user->private_u.logon_script = "";
86 user->private_u.profile_path = "";
87 user->private_u.acct_desc = "";
88 user->private_u.workstations = "";
89 user->private_u.unknown_str = "";
90 user->private_u.munged_dial = "";
92 user->private_u.plaintext_pw = NULL;
95 Unless we know otherwise have a Account Control Bit
96 value of 'normal user'. This helps User Manager, which
97 asks for a filtered list of users.
100 user->private_u.acct_ctrl = ACB_NORMAL;
103 static void destroy_pdb_talloc(SAM_ACCOUNT **user)
106 data_blob_clear_free(&((*user)->private_u.lm_pw));
107 data_blob_clear_free(&((*user)->private_u.nt_pw));
109 if((*user)->private_u.plaintext_pw!=NULL)
110 memset((*user)->private_u.plaintext_pw,'\0',strlen((*user)->private_u.plaintext_pw));
111 talloc_destroy((*user)->mem_ctx);
117 /**********************************************************************
118 Allocates memory and initialises a struct sam_passwd on supplied mem_ctx.
119 ***********************************************************************/
121 NTSTATUS pdb_init_sam_talloc(TALLOC_CTX *mem_ctx, SAM_ACCOUNT **user)
124 DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
126 smb_panic("non-NULL pointer passed to pdb_init_sam\n");
128 return NT_STATUS_UNSUCCESSFUL;
132 DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
133 return NT_STATUS_UNSUCCESSFUL;
136 *user=TALLOC_P(mem_ctx, SAM_ACCOUNT);
139 DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
140 return NT_STATUS_NO_MEMORY;
143 (*user)->mem_ctx = mem_ctx;
145 (*user)->free_fn = NULL;
147 pdb_fill_default_sam(*user);
153 /*************************************************************
154 Allocates memory and initialises a struct sam_passwd.
155 ************************************************************/
157 NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
162 mem_ctx = talloc_init("passdb internal SAM_ACCOUNT allocation");
165 DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
166 return NT_STATUS_NO_MEMORY;
169 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, user))) {
170 talloc_destroy(mem_ctx);
174 (*user)->free_fn = destroy_pdb_talloc;
179 /**************************************************************************
180 * This function will take care of all the steps needed to correctly
181 * allocate and set the user SID, please do use this function to create new
182 * users, messing with SIDs is not good.
184 * account_data must be provided initialized, pwd may be null.
186 ***************************************************************************/
188 static NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
190 const char *guest_account = lp_guestaccount();
194 if (!account_data || !pwd) {
195 return NT_STATUS_INVALID_PARAMETER;
198 /* this is a hack this thing should not be set
200 if (!(guest_account && *guest_account)) {
201 DEBUG(1, ("NULL guest account!?!?\n"));
202 return NT_STATUS_UNSUCCESSFUL;
204 /* Ensure this *must* be set right */
205 if (strcmp(pwd->pw_name, guest_account) == 0) {
206 if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
207 return NT_STATUS_UNSUCCESSFUL;
209 if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
210 return NT_STATUS_UNSUCCESSFUL;
216 if (!pdb_set_user_sid_from_rid(account_data, algorithmic_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
217 DEBUG(0,("Can't set User SID from RID!\n"));
218 return NT_STATUS_INVALID_PARAMETER;
221 /* call the mapping code here */
223 ret = pdb_getgrgid(&map, pwd->pw_gid);
227 if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
228 DEBUG(0,("Can't set Group SID!\n"));
229 return NT_STATUS_INVALID_PARAMETER;
233 if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
234 DEBUG(0,("Can't set Group SID\n"));
235 return NT_STATUS_INVALID_PARAMETER;
242 /*************************************************************
243 Initialises a struct sam_passwd with sane values.
244 ************************************************************/
246 NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
251 return NT_STATUS_UNSUCCESSFUL;
254 pdb_fill_default_sam(sam_account);
256 pdb_set_username(sam_account, pwd->pw_name, PDB_SET);
257 pdb_set_fullname(sam_account, pwd->pw_gecos, PDB_SET);
259 pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
261 pdb_set_domain (sam_account, get_global_sam_name(), PDB_DEFAULT);
263 /* When we get a proper uid -> SID and SID -> uid allocation
264 mechinism, we should call it here.
266 We can't just set this to 0 or allow it only to be filled
267 in when added to the backend, because the user's SID
268 may already be in security descriptors etc.
270 -- abartlet 11-May-02
273 ret = pdb_set_sam_sids(sam_account, pwd);
274 if (!NT_STATUS_IS_OK(ret)) return ret;
276 /* check if this is a user account or a machine account */
277 if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
279 pdb_set_profile_path(sam_account,
280 talloc_sub_specified((sam_account)->mem_ctx,
282 pwd->pw_name, global_myname(),
283 pwd->pw_uid, pwd->pw_gid),
286 pdb_set_homedir(sam_account,
287 talloc_sub_specified((sam_account)->mem_ctx,
289 pwd->pw_name, global_myname(),
290 pwd->pw_uid, pwd->pw_gid),
293 pdb_set_dir_drive(sam_account,
294 talloc_sub_specified((sam_account)->mem_ctx,
296 pwd->pw_name, global_myname(),
297 pwd->pw_uid, pwd->pw_gid),
300 pdb_set_logon_script(sam_account,
301 talloc_sub_specified((sam_account)->mem_ctx,
303 pwd->pw_name, global_myname(),
304 pwd->pw_uid, pwd->pw_gid),
306 if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT)) {
307 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd->pw_name));
308 return NT_STATUS_UNSUCCESSFUL;
311 if (!pdb_set_acct_ctrl(sam_account, ACB_WSTRUST, PDB_DEFAULT)) {
312 DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd->pw_name));
313 return NT_STATUS_UNSUCCESSFUL;
320 /*************************************************************
321 Initialises a struct sam_passwd with sane values.
322 ************************************************************/
324 NTSTATUS pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
330 return NT_STATUS_INVALID_PARAMETER;
333 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) {
338 if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*new_sam_acct, pwd))) {
339 pdb_free_sam(new_sam_acct);
348 /*************************************************************
349 Initialises a SAM_ACCOUNT ready to add a new account, based
350 on the UNIX user. Pass in a RID if you have one
351 ************************************************************/
353 NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username,
356 NTSTATUS nt_status = NT_STATUS_NO_MEMORY;
360 pwd = Get_Pwnam(username);
363 return NT_STATUS_NO_SUCH_USER;
365 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(new_sam_acct, pwd))) {
366 *new_sam_acct = NULL;
370 /* see if we need to generate a new rid using the 2.2 algorithm */
371 if ( rid == 0 && lp_enable_rid_algorithm() ) {
372 DEBUG(10,("pdb_init_sam_new: no RID specified. Generating one via old algorithm\n"));
373 rid = algorithmic_pdb_uid_to_user_rid(pwd->pw_uid);
376 /* set the new SID */
378 ret = pdb_set_user_sid_from_rid( *new_sam_acct, rid, PDB_SET );
380 return (ret ? NT_STATUS_OK : NT_STATUS_NO_SUCH_USER);
385 * Free the contets of the SAM_ACCOUNT, but not the structure.
387 * Also wipes the LM and NT hashes and plaintext password from
390 * @param user SAM_ACCOUNT to free members of.
393 static void pdb_free_sam_contents(SAM_ACCOUNT *user)
396 /* Kill off sensitive data. Free()ed by the
399 data_blob_clear_free(&(user->private_u.lm_pw));
400 data_blob_clear_free(&(user->private_u.nt_pw));
401 if (user->private_u.plaintext_pw!=NULL)
402 memset(user->private_u.plaintext_pw,'\0',strlen(user->private_u.plaintext_pw));
404 if (user->private_u.backend_private_data && user->private_u.backend_private_data_free_fn) {
405 user->private_u.backend_private_data_free_fn(&user->private_u.backend_private_data);
410 /************************************************************
411 Reset the SAM_ACCOUNT and free the NT/LM hashes.
412 ***********************************************************/
414 NTSTATUS pdb_reset_sam(SAM_ACCOUNT *user)
417 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
419 smb_panic("NULL pointer passed to pdb_free_sam\n");
421 return NT_STATUS_UNSUCCESSFUL;
424 pdb_free_sam_contents(user);
426 pdb_fill_default_sam(user);
432 /************************************************************
433 Free the SAM_ACCOUNT and the member pointers.
434 ***********************************************************/
436 NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
439 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
441 smb_panic("NULL pointer passed to pdb_free_sam\n");
443 return NT_STATUS_UNSUCCESSFUL;
446 pdb_free_sam_contents(*user);
448 if ((*user)->free_fn) {
449 (*user)->free_fn(user);
455 /**********************************************************
456 Encode the account control bits into a string.
457 length = length of string to encode into (including terminating
458 null). length *MUST BE MORE THAN 2* !
459 **********************************************************/
461 char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
463 static fstring acct_str;
467 SMB_ASSERT(length <= sizeof(acct_str));
471 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
472 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
473 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
474 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
475 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
476 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
477 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
478 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
479 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
480 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
481 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
483 for ( ; i < length - 2 ; i++ )
488 acct_str[i++] = '\0';
493 /**********************************************************
494 Decode the account control bits from a string.
495 **********************************************************/
497 uint16 pdb_decode_acct_ctrl(const char *p)
499 uint16 acct_ctrl = 0;
500 BOOL finished = False;
503 * Check if the account type bits have been encoded after the
504 * NT password (in the form [NDHTUWSLXI]).
510 for (p++; *p && !finished; p++) {
512 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
513 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
514 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
515 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
516 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
517 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
518 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
519 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
520 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
521 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
522 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
528 default: { finished = True; }
535 /*************************************************************
536 Routine to set 32 hex password characters from a 16 byte array.
537 **************************************************************/
539 void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
543 for (i = 0; i < 16; i++)
544 slprintf(&p[i*2], 3, "%02X", pwd[i]);
546 if (acct_ctrl & ACB_PWNOTREQ)
547 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
549 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
553 /*************************************************************
554 Routine to get the 32 hex characters and turn them
555 into a 16 byte array.
556 **************************************************************/
558 BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
561 unsigned char lonybble, hinybble;
562 const char *hexchars = "0123456789ABCDEF";
568 for (i = 0; i < 32; i += 2) {
569 hinybble = toupper_ascii(p[i]);
570 lonybble = toupper_ascii(p[i + 1]);
572 p1 = strchr(hexchars, hinybble);
573 p2 = strchr(hexchars, lonybble);
578 hinybble = PTR_DIFF(p1, hexchars);
579 lonybble = PTR_DIFF(p2, hexchars);
581 pwd[i / 2] = (hinybble << 4) | lonybble;
586 /*************************************************************
587 Routine to set 42 hex hours characters from a 21 byte array.
588 **************************************************************/
590 void pdb_sethexhours(char *p, const unsigned char *hours)
594 for (i = 0; i < 21; i++) {
595 slprintf(&p[i*2], 3, "%02X", hours[i]);
598 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
602 /*************************************************************
603 Routine to get the 42 hex characters and turn them
604 into a 21 byte array.
605 **************************************************************/
607 BOOL pdb_gethexhours(const char *p, unsigned char *hours)
610 unsigned char lonybble, hinybble;
611 const char *hexchars = "0123456789ABCDEF";
618 for (i = 0; i < 42; i += 2) {
619 hinybble = toupper_ascii(p[i]);
620 lonybble = toupper_ascii(p[i + 1]);
622 p1 = strchr(hexchars, hinybble);
623 p2 = strchr(hexchars, lonybble);
629 hinybble = PTR_DIFF(p1, hexchars);
630 lonybble = PTR_DIFF(p2, hexchars);
632 hours[i / 2] = (hinybble << 4) | lonybble;
637 int algorithmic_rid_base(void)
639 static int rid_offset = 0;
644 rid_offset = lp_algorithmic_rid_base();
646 if (rid_offset < BASE_RID) {
647 /* Try to prevent admin foot-shooting, we can't put algorithmic
648 rids below 1000, that's the 'well known RIDs' on NT */
649 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
650 rid_offset = BASE_RID;
652 if (rid_offset & 1) {
653 DEBUG(0, ("algorithmic rid base must be even\n"));
659 /*******************************************************************
660 Converts NT user RID to a UNIX uid.
661 ********************************************************************/
663 uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
665 int rid_offset = algorithmic_rid_base();
666 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
669 /*******************************************************************
670 converts UNIX uid to an NT User RID.
671 ********************************************************************/
673 uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
675 int rid_offset = algorithmic_rid_base();
676 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
679 /*******************************************************************
680 Converts NT group RID to a UNIX gid.
681 ********************************************************************/
683 gid_t pdb_group_rid_to_gid(uint32 group_rid)
685 int rid_offset = algorithmic_rid_base();
686 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
689 /*******************************************************************
690 converts NT Group RID to a UNIX uid.
692 warning: you must not call that function only
693 you must do a call to the group mapping first.
694 there is not anymore a direct link between the gid and the rid.
695 ********************************************************************/
697 uint32 pdb_gid_to_group_rid(gid_t gid)
699 int rid_offset = algorithmic_rid_base();
700 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
703 /*******************************************************************
704 Decides if a RID is a well known RID.
705 ********************************************************************/
707 static BOOL pdb_rid_is_well_known(uint32 rid)
709 /* Not using rid_offset here, because this is the actual
710 NT fixed value (1000) */
712 return (rid < BASE_RID);
715 /*******************************************************************
716 Decides if a RID is a user or group RID.
717 ********************************************************************/
719 BOOL algorithmic_pdb_rid_is_user(uint32 rid)
721 if(pdb_rid_is_well_known(rid)) {
723 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
724 * and DOMAIN_USER_RID_GUEST.
726 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
728 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
734 /*******************************************************************
735 Look up a rid in the SAM we're responsible for (i.e. passdb)
736 ********************************************************************/
738 BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid, const char **name,
739 enum SID_NAME_USE *psid_name_use)
741 SAM_ACCOUNT *sam_account = NULL;
746 *psid_name_use = SID_NAME_UNKNOWN;
748 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
751 sid_copy(&sid, get_global_sam_sid());
752 sid_append_rid(&sid, rid);
754 /* see if the passdb can help us with the name of the user */
755 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
759 /* BEING ROOT BLLOCK */
761 if (pdb_getsampwsid(sam_account, &sid)) {
762 unbecome_root(); /* -----> EXIT BECOME_ROOT() */
763 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
764 *psid_name_use = SID_NAME_USER;
766 pdb_free_sam(&sam_account);
770 pdb_free_sam(&sam_account);
772 ret = pdb_getgrsid(&map, sid);
774 /* END BECOME_ROOT BLOCK */
777 if (map.gid!=(gid_t)-1) {
778 DEBUG(5,("lookup_global_sam_rid: mapped group %s to "
779 "gid %u\n", map.nt_name,
780 (unsigned int)map.gid));
782 DEBUG(5,("lookup_global_sam_rid: mapped group %s to "
783 "no unix gid. Returning name.\n",
787 *name = talloc_strdup(mem_ctx, map.nt_name);
788 *psid_name_use = map.sid_name_use;
792 if (rid == DOMAIN_USER_RID_ADMIN) {
793 *psid_name_use = SID_NAME_USER;
794 *name = talloc_strdup(mem_ctx, "Administrator");
798 if (algorithmic_pdb_rid_is_user(rid)) {
800 struct passwd *pw = NULL;
802 DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
804 uid = algorithmic_pdb_user_rid_to_uid(rid);
805 pw = sys_getpwuid( uid );
807 DEBUG(5,("lookup_global_sam_rid: looking up uid %u %s\n",
808 (unsigned int)uid, pw ? "succeeded" : "failed" ));
811 *name = talloc_asprintf(mem_ctx, "unix_user.%u",
814 *name = talloc_strdup(mem_ctx, pw->pw_name );
817 DEBUG(5,("lookup_global_sam_rid: found user %s for rid %u\n",
818 *name, (unsigned int)rid ));
820 *psid_name_use = SID_NAME_USER;
822 return ( pw != NULL );
827 DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid));
829 gid = pdb_group_rid_to_gid(rid);
832 DEBUG(5,("lookup_global_sam_rid: looking up gid %u %s\n",
833 (unsigned int)gid, gr ? "succeeded" : "failed" ));
836 *name = talloc_asprintf(mem_ctx, "unix_group.%u",
839 *name = talloc_strdup(mem_ctx, gr->gr_name);
842 DEBUG(5,("lookup_global_sam_rid: found group %s for rid %u\n",
843 *name, (unsigned int)rid ));
845 /* assume algorithmic groups are domain global groups */
847 *psid_name_use = SID_NAME_DOM_GRP;
849 return ( gr != NULL );
853 /*******************************************************************
854 Convert a name into a SID. Used in the lookup name rpc.
855 ********************************************************************/
857 BOOL lookup_global_sam_name(const char *c_user, uint32_t *rid, enum SID_NAME_USE *type)
860 SAM_ACCOUNT *sam_account = NULL;
865 * user may be quoted a const string, and map_username and
866 * friends can modify it. Make a modifiable copy. JRA.
869 fstrcpy(user, c_user);
871 (void)map_username(user);
873 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
877 /* BEGIN ROOT BLOCK */
880 if (pdb_getsampwnam(sam_account, user)) {
881 const DOM_SID *user_sid;
885 user_sid = pdb_get_user_sid(sam_account);
887 if (!sid_check_is_in_our_domain(user_sid)) {
888 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
889 user, sid_string_static(user_sid)));
893 sid_peek_rid(user_sid, rid);
895 if (pdb_get_acct_ctrl(sam_account) &
896 (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST)) {
897 /* We have to filter them out in lsa_lookupnames,
898 * indicate that this is not a real user. */
899 *type = SID_NAME_COMPUTER;
901 *type = SID_NAME_USER;
903 pdb_free_sam(&sam_account);
907 pdb_free_sam(&sam_account);
910 * Maybe it was a group ?
913 /* check if it's a mapped group */
914 if (pdb_getgrnam(&map, user)) {
918 /* BUILTIN groups are looked up elsewhere */
919 if (!sid_check_is_in_our_domain(&map.sid)) {
920 DEBUG(10, ("Found group %s (%s) not in our domain -- "
922 sid_string_static(&map.sid)));
926 /* yes it's a mapped group */
927 sid_peek_rid(&map.sid, rid);
928 *type = map.sid_name_use;
932 /* it's not a mapped group */
933 grp = getgrnam(user);
935 unbecome_root(); /* ---> exit form block */
940 *check if it's mapped, if it is reply it doesn't exist
942 * that's to prevent this case:
944 * unix group ug is mapped to nt group ng
945 * someone does a lookup on ug
946 * we must not reply as it doesn't "exist" anymore
947 * for NT. For NT only ng exists.
951 if (pdb_getgrgid(&map, grp->gr_gid)) {
952 unbecome_root(); /* ---> exit form block */
958 *rid = pdb_gid_to_group_rid(grp->gr_gid);
959 *type = SID_NAME_ALIAS;
964 /*************************************************************
965 Change a password entry in the local smbpasswd file.
966 *************************************************************/
968 BOOL local_password_change(const char *user_name, int local_flags,
969 const char *new_passwd,
970 char *err_str, size_t err_str_len,
971 char *msg_str, size_t msg_str_len)
973 SAM_ACCOUNT *sam_pass=NULL;
979 /* Get the smb passwd entry for this user */
980 pdb_init_sam(&sam_pass);
983 if(!pdb_getsampwnam(sam_pass, user_name)) {
985 pdb_free_sam(&sam_pass);
987 if ((local_flags & LOCAL_ADD_USER) || (local_flags & LOCAL_DELETE_USER)) {
988 /* Might not exist in /etc/passwd. Use rid algorithm here */
989 if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass, user_name, 0))) {
990 slprintf(err_str, err_str_len-1, "Failed to initialise SAM_ACCOUNT for user %s. Does this user exist in the UNIX password database ?\n", user_name);
994 slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
999 /* the entry already existed */
1000 local_flags &= ~LOCAL_ADD_USER;
1003 /* the 'other' acb bits not being changed here */
1004 other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
1005 if (local_flags & LOCAL_TRUST_ACCOUNT) {
1006 if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
1007 slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
1008 pdb_free_sam(&sam_pass);
1011 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
1012 if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
1013 slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
1014 pdb_free_sam(&sam_pass);
1018 if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
1019 slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
1020 pdb_free_sam(&sam_pass);
1026 * We are root - just write the new password
1027 * and the valid last change time.
1030 if (local_flags & LOCAL_DISABLE_USER) {
1031 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
1032 slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
1033 pdb_free_sam(&sam_pass);
1036 } else if (local_flags & LOCAL_ENABLE_USER) {
1037 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
1038 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
1039 pdb_free_sam(&sam_pass);
1044 if (local_flags & LOCAL_SET_NO_PASSWORD) {
1045 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
1046 slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
1047 pdb_free_sam(&sam_pass);
1050 } else if (local_flags & LOCAL_SET_PASSWORD) {
1052 * If we're dealing with setting a completely empty user account
1053 * ie. One with a password of 'XXXX', but not set disabled (like
1054 * an account created from scratch) then if the old password was
1055 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
1056 * We remove that as we're giving this user their first password
1057 * and the decision hasn't really been made to disable them (ie.
1058 * don't create them disabled). JRA.
1060 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
1061 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
1062 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
1063 pdb_free_sam(&sam_pass);
1067 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
1068 slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
1069 pdb_free_sam(&sam_pass);
1073 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
1074 slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
1075 pdb_free_sam(&sam_pass);
1080 if (local_flags & LOCAL_ADD_USER) {
1081 if (pdb_add_sam_account(sam_pass)) {
1082 slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
1083 pdb_free_sam(&sam_pass);
1086 slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
1087 pdb_free_sam(&sam_pass);
1090 } else if (local_flags & LOCAL_DELETE_USER) {
1091 if (!pdb_delete_sam_account(sam_pass)) {
1092 slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
1093 pdb_free_sam(&sam_pass);
1096 slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
1098 if(!pdb_update_sam_account(sam_pass)) {
1099 slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
1100 pdb_free_sam(&sam_pass);
1103 if(local_flags & LOCAL_DISABLE_USER)
1104 slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
1105 else if (local_flags & LOCAL_ENABLE_USER)
1106 slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
1107 else if (local_flags & LOCAL_SET_NO_PASSWORD)
1108 slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
1111 pdb_free_sam(&sam_pass);
1115 /****************************************************************************
1116 Convert a uid to SID - algorithmic.
1117 ****************************************************************************/
1119 DOM_SID *algorithmic_uid_to_sid(DOM_SID *psid, uid_t uid)
1121 if ( !lp_enable_rid_algorithm() )
1124 DEBUG(8,("algorithmic_uid_to_sid: falling back to RID algorithm\n"));
1125 sid_copy( psid, get_global_sam_sid() );
1126 sid_append_rid( psid, algorithmic_pdb_uid_to_user_rid(uid) );
1127 DEBUG(10,("algorithmic_uid_to_sid: uid (%d) -> SID %s.\n",
1128 (unsigned int)uid, sid_string_static(psid) ));
1133 /****************************************************************************
1134 Convert a uid to SID - locally.
1135 ****************************************************************************/
1137 DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
1139 SAM_ACCOUNT *sampw = NULL;
1140 struct passwd *unix_pw;
1143 unix_pw = sys_getpwuid( uid );
1146 DEBUG(4,("local_uid_to_sid: host has no idea of uid %lu\n", (unsigned long)uid));
1147 return algorithmic_uid_to_sid( psid, uid);
1150 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
1151 DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUNT object\n"));
1156 ret = pdb_getsampwnam( sampw, unix_pw->pw_name );
1160 sid_copy( psid, pdb_get_user_sid(sampw) );
1162 DEBUG(4,("local_uid_to_sid: User %s [uid == %lu] has no samba account\n",
1163 unix_pw->pw_name, (unsigned long)uid));
1165 algorithmic_uid_to_sid( psid, uid);
1168 pdb_free_sam(&sampw);
1170 DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n",
1171 (unsigned int)uid, sid_string_static(psid), unix_pw->pw_name));
1176 /****************************************************************************
1177 Convert a SID to uid - locally.
1178 ****************************************************************************/
1180 BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
1182 SAM_ACCOUNT *sampw = NULL;
1183 struct passwd *unix_pw;
1184 const char *user_name;
1186 *name_type = SID_NAME_UNKNOWN;
1189 * We can only convert to a uid if this is our local
1190 * Domain SID (ie. we are the controling authority).
1192 if (!sid_check_is_in_our_domain(psid) ) {
1193 DEBUG(5,("local_sid_to_uid: this SID (%s) is not from our domain\n", sid_string_static(psid)));
1197 /* lookup the user account */
1199 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
1200 DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
1205 if ( !pdb_getsampwsid(sampw, psid) ) {
1207 pdb_free_sam(&sampw);
1208 DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
1209 sid_string_static(psid)));
1214 user_name = pdb_get_username(sampw);
1216 unix_pw = sys_getpwnam( user_name );
1219 DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
1221 pdb_free_sam( &sampw );
1225 *puid = unix_pw->pw_uid;
1227 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid),
1228 (unsigned int)*puid, user_name ));
1230 *name_type = SID_NAME_USER;
1231 pdb_free_sam( &sampw );
1235 /****************************************************************************
1236 Convert a gid to SID - locally.
1237 ****************************************************************************/
1239 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
1244 /* we don't need to disable winbindd since the gid is stored in
1245 the GROUP_MAP object */
1247 /* done as root since ldap backend requires root to open a connection */
1250 ret = pdb_getgrgid( &group, gid );
1255 /* fallback to rid mapping if enabled */
1257 if ( lp_enable_rid_algorithm() ) {
1258 sid_copy(psid, get_global_sam_sid());
1259 sid_append_rid(psid, pdb_gid_to_group_rid(gid));
1261 DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
1262 (unsigned int)gid, sid_string_static(psid)));
1270 sid_copy( psid, &group.sid );
1272 DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n",
1273 (unsigned int)gid, sid_string_static(psid)));
1278 /****************************************************************************
1279 Convert a SID to gid - locally.
1280 ****************************************************************************/
1282 BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
1288 *name_type = SID_NAME_UNKNOWN;
1290 /* This call can enumerate group mappings for foreign sids as well.
1291 So don't check for a match against our domain SID */
1293 /* we don't need to disable winbindd since the gid is stored in
1294 the GROUP_MAP object */
1297 ret = pdb_getgrsid(&group, *psid);
1302 /* Fallback to algorithmic rid mapping if enabled */
1304 if ( lp_enable_rid_algorithm() ) {
1306 if (!sid_check_is_in_our_domain(psid) ) {
1307 DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (%s is not)\n", sid_string_static(psid)));
1311 if (!sid_peek_rid(psid, &rid)) {
1312 DEBUG(10,("local_sid_to_gid: invalid SID!\n"));
1316 DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
1318 if (algorithmic_pdb_rid_is_user(rid)) {
1319 DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid)));
1322 *pgid = pdb_group_rid_to_gid(rid);
1323 DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid), (unsigned int)(*pgid)));
1332 *name_type = group.sid_name_use;
1334 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid),
1335 (unsigned int)*pgid));
1340 /**********************************************************************
1341 Marshall/unmarshall SAM_ACCOUNT structs.
1342 *********************************************************************/
1344 #define TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
1345 #define TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
1346 #define TDB_FORMAT_STRING_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
1348 /**********************************************************************
1349 Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
1350 *********************************************************************/
1352 BOOL init_sam_from_buffer(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1354 return(init_sam_from_buffer_v2(sampass, buf, buflen));
1357 /**********************************************************************
1358 Intialize a BYTE buffer from a SAM_ACCOUNT struct
1359 *********************************************************************/
1361 uint32 init_buffer_from_sam (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL size_only)
1363 return(init_buffer_from_sam_v2(buf, sampass, size_only));
1367 BOOL init_sam_from_buffer_v0(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1370 /* times are stored as 32bit integer
1371 take care on system with 64bit wide time_t
1377 pass_can_change_time,
1378 pass_must_change_time;
1379 char *username = NULL;
1380 char *domain = NULL;
1381 char *nt_username = NULL;
1382 char *dir_drive = NULL;
1383 char *unknown_str = NULL;
1384 char *munged_dial = NULL;
1385 char *fullname = NULL;
1386 char *homedir = NULL;
1387 char *logon_script = NULL;
1388 char *profile_path = NULL;
1389 char *acct_desc = NULL;
1390 char *workstations = NULL;
1391 uint32 username_len, domain_len, nt_username_len,
1392 dir_drive_len, unknown_str_len, munged_dial_len,
1393 fullname_len, homedir_len, logon_script_len,
1394 profile_path_len, acct_desc_len, workstations_len;
1396 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
1397 uint16 acct_ctrl, logon_divs;
1398 uint16 bad_password_count, logon_count;
1399 uint8 *hours = NULL;
1400 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1402 uint32 lm_pw_len, nt_pw_len, hourslen;
1405 if(sampass == NULL || buf == NULL) {
1406 DEBUG(0, ("init_sam_from_buffer_v0: NULL parameters found!\n"));
1410 /* TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1412 /* unpack the buffer into variables */
1413 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V0,
1414 &logon_time, /* d */
1415 &logoff_time, /* d */
1416 &kickoff_time, /* d */
1417 &pass_last_set_time, /* d */
1418 &pass_can_change_time, /* d */
1419 &pass_must_change_time, /* d */
1420 &username_len, &username, /* B */
1421 &domain_len, &domain, /* B */
1422 &nt_username_len, &nt_username, /* B */
1423 &fullname_len, &fullname, /* B */
1424 &homedir_len, &homedir, /* B */
1425 &dir_drive_len, &dir_drive, /* B */
1426 &logon_script_len, &logon_script, /* B */
1427 &profile_path_len, &profile_path, /* B */
1428 &acct_desc_len, &acct_desc, /* B */
1429 &workstations_len, &workstations, /* B */
1430 &unknown_str_len, &unknown_str, /* B */
1431 &munged_dial_len, &munged_dial, /* B */
1434 &lm_pw_len, &lm_pw_ptr, /* B */
1435 &nt_pw_len, &nt_pw_ptr, /* B */
1437 &remove_me, /* remove on the next TDB_FORMAT upgarde */ /* d */
1438 &logon_divs, /* w */
1440 &hourslen, &hours, /* B */
1441 &bad_password_count, /* w */
1442 &logon_count, /* w */
1443 &unknown_6); /* d */
1445 if (len == (uint32) -1) {
1450 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1451 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1452 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1453 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1454 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1455 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1457 pdb_set_username(sampass, username, PDB_SET);
1458 pdb_set_domain(sampass, domain, PDB_SET);
1459 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1460 pdb_set_fullname(sampass, fullname, PDB_SET);
1463 pdb_set_homedir(sampass, homedir, PDB_SET);
1466 pdb_set_homedir(sampass,
1467 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
1472 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1474 pdb_set_dir_drive(sampass,
1475 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
1480 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1482 pdb_set_logon_script(sampass,
1483 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
1488 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1490 pdb_set_profile_path(sampass,
1491 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_path()),
1495 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1496 pdb_set_workstations(sampass, workstations, PDB_SET);
1497 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1499 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1500 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1506 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1507 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1513 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1514 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1515 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1516 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1517 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1518 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1519 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1520 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1521 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1522 pdb_set_hours(sampass, hours, PDB_SET);
1526 SAFE_FREE(username);
1528 SAFE_FREE(nt_username);
1529 SAFE_FREE(fullname);
1531 SAFE_FREE(dir_drive);
1532 SAFE_FREE(logon_script);
1533 SAFE_FREE(profile_path);
1534 SAFE_FREE(acct_desc);
1535 SAFE_FREE(workstations);
1536 SAFE_FREE(munged_dial);
1537 SAFE_FREE(unknown_str);
1538 SAFE_FREE(lm_pw_ptr);
1539 SAFE_FREE(nt_pw_ptr);
1545 BOOL init_sam_from_buffer_v1(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1548 /* times are stored as 32bit integer
1549 take care on system with 64bit wide time_t
1556 pass_can_change_time,
1557 pass_must_change_time;
1558 char *username = NULL;
1559 char *domain = NULL;
1560 char *nt_username = NULL;
1561 char *dir_drive = NULL;
1562 char *unknown_str = NULL;
1563 char *munged_dial = NULL;
1564 char *fullname = NULL;
1565 char *homedir = NULL;
1566 char *logon_script = NULL;
1567 char *profile_path = NULL;
1568 char *acct_desc = NULL;
1569 char *workstations = NULL;
1570 uint32 username_len, domain_len, nt_username_len,
1571 dir_drive_len, unknown_str_len, munged_dial_len,
1572 fullname_len, homedir_len, logon_script_len,
1573 profile_path_len, acct_desc_len, workstations_len;
1575 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
1576 uint16 acct_ctrl, logon_divs;
1577 uint16 bad_password_count, logon_count;
1578 uint8 *hours = NULL;
1579 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1581 uint32 lm_pw_len, nt_pw_len, hourslen;
1584 if(sampass == NULL || buf == NULL) {
1585 DEBUG(0, ("init_sam_from_buffer_v1: NULL parameters found!\n"));
1589 /* TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1591 /* unpack the buffer into variables */
1592 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V1,
1593 &logon_time, /* d */
1594 &logoff_time, /* d */
1595 &kickoff_time, /* d */
1596 /* Change from V0 is addition of bad_password_time field. */
1597 &bad_password_time, /* d */
1598 &pass_last_set_time, /* d */
1599 &pass_can_change_time, /* d */
1600 &pass_must_change_time, /* d */
1601 &username_len, &username, /* B */
1602 &domain_len, &domain, /* B */
1603 &nt_username_len, &nt_username, /* B */
1604 &fullname_len, &fullname, /* B */
1605 &homedir_len, &homedir, /* B */
1606 &dir_drive_len, &dir_drive, /* B */
1607 &logon_script_len, &logon_script, /* B */
1608 &profile_path_len, &profile_path, /* B */
1609 &acct_desc_len, &acct_desc, /* B */
1610 &workstations_len, &workstations, /* B */
1611 &unknown_str_len, &unknown_str, /* B */
1612 &munged_dial_len, &munged_dial, /* B */
1615 &lm_pw_len, &lm_pw_ptr, /* B */
1616 &nt_pw_len, &nt_pw_ptr, /* B */
1619 &logon_divs, /* w */
1621 &hourslen, &hours, /* B */
1622 &bad_password_count, /* w */
1623 &logon_count, /* w */
1624 &unknown_6); /* d */
1626 if (len == (uint32) -1) {
1631 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1632 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1633 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1635 /* Change from V0 is addition of bad_password_time field. */
1636 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1637 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1638 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1639 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1641 pdb_set_username(sampass, username, PDB_SET);
1642 pdb_set_domain(sampass, domain, PDB_SET);
1643 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1644 pdb_set_fullname(sampass, fullname, PDB_SET);
1647 pdb_set_homedir(sampass, homedir, PDB_SET);
1650 pdb_set_homedir(sampass,
1651 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
1656 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1658 pdb_set_dir_drive(sampass,
1659 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
1664 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1666 pdb_set_logon_script(sampass,
1667 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
1672 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1674 pdb_set_profile_path(sampass,
1675 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_path()),
1679 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1680 pdb_set_workstations(sampass, workstations, PDB_SET);
1681 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1683 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1684 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1690 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1691 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1697 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1699 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1700 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1701 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1702 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1703 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1704 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1705 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1706 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1707 pdb_set_hours(sampass, hours, PDB_SET);
1711 SAFE_FREE(username);
1713 SAFE_FREE(nt_username);
1714 SAFE_FREE(fullname);
1716 SAFE_FREE(dir_drive);
1717 SAFE_FREE(logon_script);
1718 SAFE_FREE(profile_path);
1719 SAFE_FREE(acct_desc);
1720 SAFE_FREE(workstations);
1721 SAFE_FREE(munged_dial);
1722 SAFE_FREE(unknown_str);
1723 SAFE_FREE(lm_pw_ptr);
1724 SAFE_FREE(nt_pw_ptr);
1731 BOOL init_sam_from_buffer_v2(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1734 /* times are stored as 32bit integer
1735 take care on system with 64bit wide time_t
1742 pass_can_change_time,
1743 pass_must_change_time;
1744 char *username = NULL;
1745 char *domain = NULL;
1746 char *nt_username = NULL;
1747 char *dir_drive = NULL;
1748 char *unknown_str = NULL;
1749 char *munged_dial = NULL;
1750 char *fullname = NULL;
1751 char *homedir = NULL;
1752 char *logon_script = NULL;
1753 char *profile_path = NULL;
1754 char *acct_desc = NULL;
1755 char *workstations = NULL;
1756 uint32 username_len, domain_len, nt_username_len,
1757 dir_drive_len, unknown_str_len, munged_dial_len,
1758 fullname_len, homedir_len, logon_script_len,
1759 profile_path_len, acct_desc_len, workstations_len;
1761 uint32 user_rid, group_rid, hours_len, unknown_6;
1762 uint16 acct_ctrl, logon_divs;
1763 uint16 bad_password_count, logon_count;
1764 uint8 *hours = NULL;
1765 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1767 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1768 uint32 pwHistLen = 0;
1771 BOOL expand_explicit = lp_passdb_expand_explicit();
1773 if(sampass == NULL || buf == NULL) {
1774 DEBUG(0, ("init_sam_from_buffer_v2: NULL parameters found!\n"));
1778 /* TDB_FORMAT_STRING_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1780 /* unpack the buffer into variables */
1781 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V2,
1782 &logon_time, /* d */
1783 &logoff_time, /* d */
1784 &kickoff_time, /* d */
1785 &bad_password_time, /* d */
1786 &pass_last_set_time, /* d */
1787 &pass_can_change_time, /* d */
1788 &pass_must_change_time, /* d */
1789 &username_len, &username, /* B */
1790 &domain_len, &domain, /* B */
1791 &nt_username_len, &nt_username, /* B */
1792 &fullname_len, &fullname, /* B */
1793 &homedir_len, &homedir, /* B */
1794 &dir_drive_len, &dir_drive, /* B */
1795 &logon_script_len, &logon_script, /* B */
1796 &profile_path_len, &profile_path, /* B */
1797 &acct_desc_len, &acct_desc, /* B */
1798 &workstations_len, &workstations, /* B */
1799 &unknown_str_len, &unknown_str, /* B */
1800 &munged_dial_len, &munged_dial, /* B */
1803 &lm_pw_len, &lm_pw_ptr, /* B */
1804 &nt_pw_len, &nt_pw_ptr, /* B */
1805 /* Change from V1 is addition of password history field. */
1806 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1808 /* Also "remove_me" field was removed. */
1809 &logon_divs, /* w */
1811 &hourslen, &hours, /* B */
1812 &bad_password_count, /* w */
1813 &logon_count, /* w */
1814 &unknown_6); /* d */
1816 if (len == (uint32) -1) {
1821 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1822 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1823 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1824 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1825 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1826 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1827 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1829 pdb_set_username(sampass, username, PDB_SET);
1830 pdb_set_domain(sampass, domain, PDB_SET);
1831 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1832 pdb_set_fullname(sampass, fullname, PDB_SET);
1835 fstrcpy( tmpstring, homedir );
1836 if (expand_explicit) {
1837 standard_sub_basic( username, tmpstring,
1838 sizeof(tmpstring) );
1840 pdb_set_homedir(sampass, tmpstring, PDB_SET);
1843 pdb_set_homedir(sampass,
1844 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
1849 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1851 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1854 fstrcpy( tmpstring, logon_script );
1855 if (expand_explicit) {
1856 standard_sub_basic( username, tmpstring,
1857 sizeof(tmpstring) );
1859 pdb_set_logon_script(sampass, tmpstring, PDB_SET);
1862 pdb_set_logon_script(sampass,
1863 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
1868 fstrcpy( tmpstring, profile_path );
1869 if (expand_explicit) {
1870 standard_sub_basic( username, tmpstring,
1871 sizeof(tmpstring) );
1873 pdb_set_profile_path(sampass, tmpstring, PDB_SET);
1876 pdb_set_profile_path(sampass,
1877 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_path()),
1881 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1882 pdb_set_workstations(sampass, workstations, PDB_SET);
1883 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1885 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1886 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1892 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1893 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1899 /* Change from V1 is addition of password history field. */
1900 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1902 uint8 *pw_hist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1907 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1908 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1910 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1911 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1912 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1913 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1914 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1915 PW_HISTORY_ENTRY_LEN);
1918 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1925 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1928 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1929 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1930 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1931 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1932 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1933 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1934 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1935 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1936 pdb_set_hours(sampass, hours, PDB_SET);
1940 SAFE_FREE(username);
1942 SAFE_FREE(nt_username);
1943 SAFE_FREE(fullname);
1945 SAFE_FREE(dir_drive);
1946 SAFE_FREE(logon_script);
1947 SAFE_FREE(profile_path);
1948 SAFE_FREE(acct_desc);
1949 SAFE_FREE(workstations);
1950 SAFE_FREE(munged_dial);
1951 SAFE_FREE(unknown_str);
1952 SAFE_FREE(lm_pw_ptr);
1953 SAFE_FREE(nt_pw_ptr);
1954 SAFE_FREE(nt_pw_hist_ptr);
1960 uint32 init_buffer_from_sam_v2 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL size_only)
1964 /* times are stored as 32bit integer
1965 take care on system with 64bit wide time_t
1972 pass_can_change_time,
1973 pass_must_change_time;
1975 uint32 user_rid, group_rid;
1977 const char *username;
1979 const char *nt_username;
1980 const char *dir_drive;
1981 const char *unknown_str;
1982 const char *munged_dial;
1983 const char *fullname;
1984 const char *homedir;
1985 const char *logon_script;
1986 const char *profile_path;
1987 const char *acct_desc;
1988 const char *workstations;
1989 uint32 username_len, domain_len, nt_username_len,
1990 dir_drive_len, unknown_str_len, munged_dial_len,
1991 fullname_len, homedir_len, logon_script_len,
1992 profile_path_len, acct_desc_len, workstations_len;
1996 const uint8 *nt_pw_hist;
1997 uint32 lm_pw_len = 16;
1998 uint32 nt_pw_len = 16;
1999 uint32 nt_pw_hist_len;
2000 uint32 pwHistLen = 0;
2002 /* do we have a valid SAM_ACCOUNT pointer? */
2003 if (sampass == NULL) {
2004 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
2011 logon_time = (uint32)pdb_get_logon_time(sampass);
2012 logoff_time = (uint32)pdb_get_logoff_time(sampass);
2013 kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
2014 bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
2015 pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
2016 pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
2017 pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
2019 user_rid = pdb_get_user_rid(sampass);
2020 group_rid = pdb_get_group_rid(sampass);
2022 username = pdb_get_username(sampass);
2024 username_len = strlen(username) +1;
2029 domain = pdb_get_domain(sampass);
2031 domain_len = strlen(domain) +1;
2036 nt_username = pdb_get_nt_username(sampass);
2038 nt_username_len = strlen(nt_username) +1;
2040 nt_username_len = 0;
2043 fullname = pdb_get_fullname(sampass);
2045 fullname_len = strlen(fullname) +1;
2051 * Only updates fields which have been set (not defaults from smb.conf)
2054 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
2055 dir_drive = pdb_get_dir_drive(sampass);
2060 dir_drive_len = strlen(dir_drive) +1;
2065 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
2066 homedir = pdb_get_homedir(sampass);
2071 homedir_len = strlen(homedir) +1;
2076 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
2077 logon_script = pdb_get_logon_script(sampass);
2079 logon_script = NULL;
2082 logon_script_len = strlen(logon_script) +1;
2084 logon_script_len = 0;
2087 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
2088 profile_path = pdb_get_profile_path(sampass);
2090 profile_path = NULL;
2093 profile_path_len = strlen(profile_path) +1;
2095 profile_path_len = 0;
2098 lm_pw = pdb_get_lanman_passwd(sampass);
2103 nt_pw = pdb_get_nt_passwd(sampass);
2108 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
2109 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
2110 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
2111 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
2116 acct_desc = pdb_get_acct_desc(sampass);
2118 acct_desc_len = strlen(acct_desc) +1;
2123 workstations = pdb_get_workstations(sampass);
2125 workstations_len = strlen(workstations) +1;
2127 workstations_len = 0;
2131 unknown_str_len = 0;
2133 munged_dial = pdb_get_munged_dial(sampass);
2135 munged_dial_len = strlen(munged_dial) +1;
2137 munged_dial_len = 0;
2140 /* TDB_FORMAT_STRING_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
2142 /* one time to get the size needed */
2143 len = tdb_pack(NULL, 0, TDB_FORMAT_STRING_V2,
2145 logoff_time, /* d */
2146 kickoff_time, /* d */
2147 bad_password_time, /* d */
2148 pass_last_set_time, /* d */
2149 pass_can_change_time, /* d */
2150 pass_must_change_time, /* d */
2151 username_len, username, /* B */
2152 domain_len, domain, /* B */
2153 nt_username_len, nt_username, /* B */
2154 fullname_len, fullname, /* B */
2155 homedir_len, homedir, /* B */
2156 dir_drive_len, dir_drive, /* B */
2157 logon_script_len, logon_script, /* B */
2158 profile_path_len, profile_path, /* B */
2159 acct_desc_len, acct_desc, /* B */
2160 workstations_len, workstations, /* B */
2161 unknown_str_len, unknown_str, /* B */
2162 munged_dial_len, munged_dial, /* B */
2165 lm_pw_len, lm_pw, /* B */
2166 nt_pw_len, nt_pw, /* B */
2167 nt_pw_hist_len, nt_pw_hist, /* B */
2168 pdb_get_acct_ctrl(sampass), /* w */
2169 pdb_get_logon_divs(sampass), /* w */
2170 pdb_get_hours_len(sampass), /* d */
2171 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
2172 pdb_get_bad_password_count(sampass), /* w */
2173 pdb_get_logon_count(sampass), /* w */
2174 pdb_get_unknown_6(sampass)); /* d */
2180 /* malloc the space needed */
2181 if ( (*buf=(uint8*)SMB_MALLOC(len)) == NULL) {
2182 DEBUG(0,("init_buffer_from_sam_v2: Unable to malloc() memory for buffer!\n"));
2186 /* now for the real call to tdb_pack() */
2187 buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V2,
2189 logoff_time, /* d */
2190 kickoff_time, /* d */
2191 bad_password_time, /* d */
2192 pass_last_set_time, /* d */
2193 pass_can_change_time, /* d */
2194 pass_must_change_time, /* d */
2195 username_len, username, /* B */
2196 domain_len, domain, /* B */
2197 nt_username_len, nt_username, /* B */
2198 fullname_len, fullname, /* B */
2199 homedir_len, homedir, /* B */
2200 dir_drive_len, dir_drive, /* B */
2201 logon_script_len, logon_script, /* B */
2202 profile_path_len, profile_path, /* B */
2203 acct_desc_len, acct_desc, /* B */
2204 workstations_len, workstations, /* B */
2205 unknown_str_len, unknown_str, /* B */
2206 munged_dial_len, munged_dial, /* B */
2209 lm_pw_len, lm_pw, /* B */
2210 nt_pw_len, nt_pw, /* B */
2211 nt_pw_hist_len, nt_pw_hist, /* B */
2212 pdb_get_acct_ctrl(sampass), /* w */
2213 pdb_get_logon_divs(sampass), /* w */
2214 pdb_get_hours_len(sampass), /* d */
2215 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
2216 pdb_get_bad_password_count(sampass), /* w */
2217 pdb_get_logon_count(sampass), /* w */
2218 pdb_get_unknown_6(sampass)); /* d */
2220 /* check to make sure we got it correct */
2221 if (buflen != len) {
2222 DEBUG(0, ("init_buffer_from_sam_v2: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2223 (unsigned long)buflen, (unsigned long)len));
2232 BOOL pdb_copy_sam_account(const SAM_ACCOUNT *src, SAM_ACCOUNT **dst)
2238 if ((*dst == NULL) && (!NT_STATUS_IS_OK(pdb_init_sam(dst))))
2241 len = init_buffer_from_sam_v2(&buf, src, False);
2246 result = init_sam_from_buffer_v2(*dst, buf, len);
2247 (*dst)->methods = src->methods;
2254 /**********************************************************************
2255 **********************************************************************/
2257 static BOOL get_free_ugid_range(uint32 *low, uint32 *high)
2259 uid_t u_low, u_high;
2260 gid_t g_low, g_high;
2262 if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
2266 *low = (u_low < g_low) ? u_low : g_low;
2267 *high = (u_high < g_high) ? u_high : g_high;
2272 /******************************************************************
2273 Get the the non-algorithmic RID range if idmap range are defined
2274 ******************************************************************/
2276 BOOL get_free_rid_range(uint32 *low, uint32 *high)
2278 uint32 id_low, id_high;
2280 if (!lp_enable_rid_algorithm()) {
2285 if (!get_free_ugid_range(&id_low, &id_high)) {
2289 *low = algorithmic_pdb_uid_to_user_rid(id_low);
2290 if (algorithmic_pdb_user_rid_to_uid((uint32)-1) < id_high) {
2293 *high = algorithmic_pdb_uid_to_user_rid(id_high);
2299 /*********************************************************************
2300 Update the bad password count checking the AP_RESET_COUNT_TIME
2301 *********************************************************************/
2303 BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
2305 time_t LastBadPassword;
2306 uint16 BadPasswordCount;
2309 if (!sampass) return False;
2311 BadPasswordCount = pdb_get_bad_password_count(sampass);
2312 if (!BadPasswordCount) {
2313 DEBUG(9, ("No bad password attempts.\n"));
2317 if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
2318 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2322 /* First, check if there is a reset time to compare */
2323 if ((resettime == (uint32) -1) || (resettime == 0)) {
2324 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2328 LastBadPassword = pdb_get_bad_password_time(sampass);
2329 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2330 (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
2331 if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
2332 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2333 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2342 /*********************************************************************
2343 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
2344 *********************************************************************/
2346 BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
2349 time_t LastBadPassword;
2351 if (!sampass) return False;
2353 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2354 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2355 pdb_get_username(sampass)));
2359 if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
2360 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2364 /* First, check if there is a duration to compare */
2365 if ((duration == (uint32) -1) || (duration == 0)) {
2366 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2370 LastBadPassword = pdb_get_bad_password_time(sampass);
2371 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2372 pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
2374 if (LastBadPassword == (time_t)0) {
2375 DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
2376 bad password time. Leaving locked out.\n",
2377 pdb_get_username(sampass) ));
2381 if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
2382 pdb_set_acct_ctrl(sampass,
2383 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2385 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2386 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2395 /*********************************************************************
2396 Increment the bad_password_count
2397 *********************************************************************/
2399 BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
2401 uint32 account_policy_lockout;
2402 BOOL autolock_updated = False, badpw_updated = False;
2408 /* Retrieve the account lockout policy */
2410 ret = pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
2413 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2417 /* If there is no policy, we don't need to continue checking */
2418 if (!account_policy_lockout) {
2419 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2423 /* Check if the autolock needs to be cleared */
2424 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2427 /* Check if the badpw count needs to be reset */
2428 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2432 Ok, now we can assume that any resetting that needs to be
2433 done has been done, and just get on with incrementing
2434 and autolocking if necessary
2437 pdb_set_bad_password_count(sampass,
2438 pdb_get_bad_password_count(sampass)+1,
2440 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2443 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2446 if (!pdb_set_acct_ctrl(sampass,
2447 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2449 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
git.samba.org / mat / samba.git / blob