2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2001
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_PASSDB
30 /******************************************************************
31 get the default domain/netbios name to be used when
32 testing authentication. For example, if you connect
33 to a Windows member server using a bogus domain name, the
34 Windows box will map the BOGUS\user to DOMAIN\user. A
35 standalone box will map to WKS\user.
36 ******************************************************************/
38 const char *get_default_sam_name(void)
40 /* standalone servers can only use the local netbios name */
41 if ( lp_server_role() == ROLE_STANDALONE )
42 return global_myname();
44 /* Windows domain members default to the DOMAIN
45 name when not specified */
46 return lp_workgroup();
49 /******************************************************************
50 get the default domain/netbios name to be used when dealing
51 with our passdb list of accounts
52 ******************************************************************/
54 const char *get_global_sam_name(void)
56 if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
57 return lp_workgroup();
59 return global_myname();
62 /************************************************************
63 Fill the SAM_ACCOUNT with default values.
64 ***********************************************************/
66 void pdb_fill_default_sam(SAM_ACCOUNT *user)
68 ZERO_STRUCT(user->private); /* Don't touch the talloc context */
70 /* no initial methods */
73 /* Don't change these timestamp settings without a good reason.
74 They are important for NT member server compatibility. */
76 user->private.logon_time = (time_t)0;
77 user->private.pass_last_set_time = (time_t)0;
78 user->private.pass_can_change_time = (time_t)0;
79 user->private.logoff_time =
80 user->private.kickoff_time =
81 user->private.pass_must_change_time = get_time_t_max();
82 user->private.fields_present = 0x00ffffff;
83 user->private.logon_divs = 168; /* hours per week */
84 user->private.hours_len = 21; /* 21 times 8 bits = 168 */
85 memset(user->private.hours, 0xff, user->private.hours_len); /* available at all hours */
86 user->private.bad_password_count = 0;
87 user->private.logon_count = 0;
88 user->private.unknown_6 = 0x000004ec; /* don't know */
90 /* Some parts of samba strlen their pdb_get...() returns,
91 so this keeps the interface unchanged for now. */
93 user->private.username = "";
94 user->private.domain = "";
95 user->private.nt_username = "";
96 user->private.full_name = "";
97 user->private.home_dir = "";
98 user->private.logon_script = "";
99 user->private.profile_path = "";
100 user->private.acct_desc = "";
101 user->private.workstations = "";
102 user->private.unknown_str = "";
103 user->private.munged_dial = "";
105 user->private.plaintext_pw = NULL;
108 Unless we know otherwise have a Account Control Bit
109 value of 'normal user'. This helps User Manager, which
110 asks for a filtered list of users.
113 user->private.acct_ctrl = ACB_NORMAL;
116 static void destroy_pdb_talloc(SAM_ACCOUNT **user)
119 data_blob_clear_free(&((*user)->private.lm_pw));
120 data_blob_clear_free(&((*user)->private.nt_pw));
122 if((*user)->private.plaintext_pw!=NULL)
123 memset((*user)->private.plaintext_pw,'\0',strlen((*user)->private.plaintext_pw));
124 talloc_destroy((*user)->mem_ctx);
130 /**********************************************************************
131 Allocates memory and initialises a struct sam_passwd on supplied mem_ctx.
132 ***********************************************************************/
134 NTSTATUS pdb_init_sam_talloc(TALLOC_CTX *mem_ctx, SAM_ACCOUNT **user)
137 DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
139 smb_panic("non-NULL pointer passed to pdb_init_sam\n");
141 return NT_STATUS_UNSUCCESSFUL;
145 DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
146 return NT_STATUS_UNSUCCESSFUL;
149 *user=(SAM_ACCOUNT *)talloc(mem_ctx, sizeof(SAM_ACCOUNT));
152 DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
153 return NT_STATUS_NO_MEMORY;
156 (*user)->mem_ctx = mem_ctx;
158 (*user)->free_fn = NULL;
160 pdb_fill_default_sam(*user);
166 /*************************************************************
167 Allocates memory and initialises a struct sam_passwd.
168 ************************************************************/
170 NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
175 mem_ctx = talloc_init("passdb internal SAM_ACCOUNT allocation");
178 DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
179 return NT_STATUS_NO_MEMORY;
182 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, user))) {
183 talloc_destroy(mem_ctx);
187 (*user)->free_fn = destroy_pdb_talloc;
192 /**************************************************************************
193 * This function will take care of all the steps needed to correctly
194 * allocate and set the user SID, please do use this function to create new
195 * users, messing with SIDs is not good.
197 * account_data must be provided initialized, pwd may be null.
199 ***************************************************************************/
201 static NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
203 const char *guest_account = lp_guestaccount();
207 if (!account_data || !pwd) {
208 return NT_STATUS_INVALID_PARAMETER;
211 /* this is a hack this thing should not be set
213 if (!(guest_account && *guest_account)) {
214 DEBUG(1, ("NULL guest account!?!?\n"));
215 return NT_STATUS_UNSUCCESSFUL;
217 /* Ensure this *must* be set right */
218 if (strcmp(pwd->pw_name, guest_account) == 0) {
219 if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
220 return NT_STATUS_UNSUCCESSFUL;
222 if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
223 return NT_STATUS_UNSUCCESSFUL;
229 if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
230 DEBUG(0,("Can't set User SID from RID!\n"));
231 return NT_STATUS_INVALID_PARAMETER;
234 /* call the mapping code here */
236 ret = pdb_getgrgid(&map, pwd->pw_gid);
240 if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
241 DEBUG(0,("Can't set Group SID!\n"));
242 return NT_STATUS_INVALID_PARAMETER;
246 if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
247 DEBUG(0,("Can't set Group SID\n"));
248 return NT_STATUS_INVALID_PARAMETER;
255 /*************************************************************
256 Initialises a struct sam_passwd with sane values.
257 ************************************************************/
259 NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
264 return NT_STATUS_UNSUCCESSFUL;
267 pdb_fill_default_sam(sam_account);
269 pdb_set_username(sam_account, pwd->pw_name, PDB_SET);
270 pdb_set_fullname(sam_account, pwd->pw_gecos, PDB_SET);
272 pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
274 pdb_set_domain (sam_account, get_global_sam_name(), PDB_DEFAULT);
276 /* When we get a proper uid -> SID and SID -> uid allocation
277 mechinism, we should call it here.
279 We can't just set this to 0 or allow it only to be filled
280 in when added to the backend, because the user's SID
281 may already be in security descriptors etc.
283 -- abartlet 11-May-02
286 ret = pdb_set_sam_sids(sam_account, pwd);
287 if (!NT_STATUS_IS_OK(ret)) return ret;
289 /* check if this is a user account or a machine account */
290 if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
292 pdb_set_profile_path(sam_account,
293 talloc_sub_specified((sam_account)->mem_ctx,
295 pwd->pw_name, global_myname(),
296 pwd->pw_uid, pwd->pw_gid),
299 pdb_set_homedir(sam_account,
300 talloc_sub_specified((sam_account)->mem_ctx,
302 pwd->pw_name, global_myname(),
303 pwd->pw_uid, pwd->pw_gid),
306 pdb_set_dir_drive(sam_account,
307 talloc_sub_specified((sam_account)->mem_ctx,
309 pwd->pw_name, global_myname(),
310 pwd->pw_uid, pwd->pw_gid),
313 pdb_set_logon_script(sam_account,
314 talloc_sub_specified((sam_account)->mem_ctx,
316 pwd->pw_name, global_myname(),
317 pwd->pw_uid, pwd->pw_gid),
319 if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT)) {
320 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd->pw_name));
321 return NT_STATUS_UNSUCCESSFUL;
324 if (!pdb_set_acct_ctrl(sam_account, ACB_WSTRUST, PDB_DEFAULT)) {
325 DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd->pw_name));
326 return NT_STATUS_UNSUCCESSFUL;
333 /*************************************************************
334 Initialises a struct sam_passwd with sane values.
335 ************************************************************/
337 NTSTATUS pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
343 return NT_STATUS_INVALID_PARAMETER;
346 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) {
351 if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*new_sam_acct, pwd))) {
352 pdb_free_sam(new_sam_acct);
361 /*************************************************************
362 Initialises a SAM_ACCOUNT ready to add a new account, based
363 on the UNIX user. Pass in a RID if you have one
364 ************************************************************/
366 NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username,
369 NTSTATUS nt_status = NT_STATUS_NO_MEMORY;
373 pwd = Get_Pwnam(username);
376 return NT_STATUS_NO_SUCH_USER;
378 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(new_sam_acct, pwd))) {
379 *new_sam_acct = NULL;
383 /* see if we need to generate a new rid using the 2.2 algorithm */
384 if ( rid == 0 && lp_enable_rid_algorithm() ) {
385 DEBUG(10,("pdb_init_sam_new: no RID specified. Generating one via old algorithm\n"));
386 rid = fallback_pdb_uid_to_user_rid(pwd->pw_uid);
389 /* set the new SID */
391 ret = pdb_set_user_sid_from_rid( *new_sam_acct, rid, PDB_SET );
393 return (ret ? NT_STATUS_OK : NT_STATUS_NO_SUCH_USER);
398 * Free the contets of the SAM_ACCOUNT, but not the structure.
400 * Also wipes the LM and NT hashes and plaintext password from
403 * @param user SAM_ACCOUNT to free members of.
406 static void pdb_free_sam_contents(SAM_ACCOUNT *user)
409 /* Kill off sensitive data. Free()ed by the
412 data_blob_clear_free(&(user->private.lm_pw));
413 data_blob_clear_free(&(user->private.nt_pw));
414 if (user->private.plaintext_pw!=NULL)
415 memset(user->private.plaintext_pw,'\0',strlen(user->private.plaintext_pw));
417 if (user->private.backend_private_data && user->private.backend_private_data_free_fn) {
418 user->private.backend_private_data_free_fn(&user->private.backend_private_data);
423 /************************************************************
424 Reset the SAM_ACCOUNT and free the NT/LM hashes.
425 ***********************************************************/
427 NTSTATUS pdb_reset_sam(SAM_ACCOUNT *user)
430 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
432 smb_panic("NULL pointer passed to pdb_free_sam\n");
434 return NT_STATUS_UNSUCCESSFUL;
437 pdb_free_sam_contents(user);
439 pdb_fill_default_sam(user);
445 /************************************************************
446 Free the SAM_ACCOUNT and the member pointers.
447 ***********************************************************/
449 NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
452 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
454 smb_panic("NULL pointer passed to pdb_free_sam\n");
456 return NT_STATUS_UNSUCCESSFUL;
459 pdb_free_sam_contents(*user);
461 if ((*user)->free_fn) {
462 (*user)->free_fn(user);
468 /**********************************************************
469 Encode the account control bits into a string.
470 length = length of string to encode into (including terminating
471 null). length *MUST BE MORE THAN 2* !
472 **********************************************************/
474 char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
476 static fstring acct_str;
480 SMB_ASSERT(length <= sizeof(acct_str));
484 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
485 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
486 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
487 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
488 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
489 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
490 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
491 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
492 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
493 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
494 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
496 for ( ; i < length - 2 ; i++ )
501 acct_str[i++] = '\0';
506 /**********************************************************
507 Decode the account control bits from a string.
508 **********************************************************/
510 uint16 pdb_decode_acct_ctrl(const char *p)
512 uint16 acct_ctrl = 0;
513 BOOL finished = False;
516 * Check if the account type bits have been encoded after the
517 * NT password (in the form [NDHTUWSLXI]).
523 for (p++; *p && !finished; p++) {
525 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
526 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
527 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
528 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
529 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
530 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
531 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
532 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
533 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
534 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
535 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
541 default: { finished = True; }
548 /*************************************************************
549 Routine to set 32 hex password characters from a 16 byte array.
550 **************************************************************/
552 void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
556 for (i = 0; i < 16; i++)
557 slprintf(&p[i*2], 3, "%02X", pwd[i]);
559 if (acct_ctrl & ACB_PWNOTREQ)
560 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
562 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
566 /*************************************************************
567 Routine to get the 32 hex characters and turn them
568 into a 16 byte array.
569 **************************************************************/
571 BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
574 unsigned char lonybble, hinybble;
575 const char *hexchars = "0123456789ABCDEF";
581 for (i = 0; i < 32; i += 2) {
582 hinybble = toupper(p[i]);
583 lonybble = toupper(p[i + 1]);
585 p1 = strchr(hexchars, hinybble);
586 p2 = strchr(hexchars, lonybble);
591 hinybble = PTR_DIFF(p1, hexchars);
592 lonybble = PTR_DIFF(p2, hexchars);
594 pwd[i / 2] = (hinybble << 4) | lonybble;
599 int algorithmic_rid_base(void)
601 static int rid_offset = 0;
606 rid_offset = lp_algorithmic_rid_base();
608 if (rid_offset < BASE_RID) {
609 /* Try to prevent admin foot-shooting, we can't put algorithmic
610 rids below 1000, that's the 'well known RIDs' on NT */
611 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
612 rid_offset = BASE_RID;
614 if (rid_offset & 1) {
615 DEBUG(0, ("algorithmic rid base must be even\n"));
621 /*******************************************************************
622 Converts NT user RID to a UNIX uid.
623 ********************************************************************/
625 uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
627 int rid_offset = algorithmic_rid_base();
628 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
631 /*******************************************************************
632 converts UNIX uid to an NT User RID.
633 ********************************************************************/
635 uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
637 int rid_offset = algorithmic_rid_base();
638 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
641 /*******************************************************************
642 Converts NT group RID to a UNIX gid.
643 ********************************************************************/
645 gid_t pdb_group_rid_to_gid(uint32 group_rid)
647 int rid_offset = algorithmic_rid_base();
648 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
651 /*******************************************************************
652 converts NT Group RID to a UNIX uid.
654 warning: you must not call that function only
655 you must do a call to the group mapping first.
656 there is not anymore a direct link between the gid and the rid.
657 ********************************************************************/
659 uint32 pdb_gid_to_group_rid(gid_t gid)
661 int rid_offset = algorithmic_rid_base();
662 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
665 /*******************************************************************
666 Decides if a RID is a well known RID.
667 ********************************************************************/
669 static BOOL pdb_rid_is_well_known(uint32 rid)
671 /* Not using rid_offset here, because this is the actual
672 NT fixed value (1000) */
674 return (rid < BASE_RID);
677 /*******************************************************************
678 Decides if a RID is a user or group RID.
679 ********************************************************************/
681 BOOL fallback_pdb_rid_is_user(uint32 rid)
683 /* lkcl i understand that NT attaches an enumeration to a RID
684 * such that it can be identified as either a user, group etc
685 * type. there are 5 such categories, and they are documented.
687 /* However, they are not in the RID, just somthing you can query
688 seperatly. Sorry luke :-) */
690 if(pdb_rid_is_well_known(rid)) {
692 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
693 * and DOMAIN_USER_RID_GUEST.
695 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
697 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
703 /*******************************************************************
704 Convert a rid into a name. Used in the lookup SID rpc.
705 ********************************************************************/
707 BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use)
710 SAM_ACCOUNT *sam_account = NULL;
714 if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
715 DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
716 sid_string_static(&map.sid)));
719 *psid_name_use = SID_NAME_UNKNOWN;
721 DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid));
723 if (rid == DOMAIN_USER_RID_ADMIN) {
724 const char **admin_list = lp_admin_users(-1);
725 *psid_name_use = SID_NAME_USER;
727 const char *p = *admin_list;
728 if(!next_token(&p, name, NULL, sizeof(fstring)))
729 fstrcpy(name, "Administrator");
731 fstrcpy(name, "Administrator");
736 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
740 /* see if the passdb can help us with the name of the user */
742 /* BEING ROOT BLLOCK */
744 if (pdb_getsampwsid(sam_account, sid)) {
745 unbecome_root(); /* -----> EXIT BECOME_ROOT() */
746 fstrcpy(name, pdb_get_username(sam_account));
747 *psid_name_use = SID_NAME_USER;
749 pdb_free_sam(&sam_account);
753 pdb_free_sam(&sam_account);
755 ret = pdb_getgrsid(&map, *sid);
757 /* END BECOME_ROOT BLOCK */
760 if (map.gid!=(gid_t)-1) {
761 DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
763 DEBUG(5,("local_lookup_sid: mapped group %s to no unix gid. Returning name.\n", map.nt_name));
766 fstrcpy(name, map.nt_name);
767 *psid_name_use = map.sid_name_use;
771 if (fallback_pdb_rid_is_user(rid)) {
773 struct passwd *pw = NULL;
775 DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
777 uid = fallback_pdb_user_rid_to_uid(rid);
778 pw = sys_getpwuid( uid );
780 DEBUG(5,("local_lookup_sid: looking up uid %u %s\n", (unsigned int)uid,
781 pw ? "succeeded" : "failed" ));
784 fstr_sprintf(name, "unix_user.%u", (unsigned int)uid);
786 fstrcpy( name, pw->pw_name );
788 DEBUG(5,("local_lookup_sid: found user %s for rid %u\n", name,
789 (unsigned int)rid ));
791 *psid_name_use = SID_NAME_USER;
793 return ( pw != NULL );
798 DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid));
800 gid = pdb_group_rid_to_gid(rid);
803 *psid_name_use = SID_NAME_ALIAS;
805 DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid,
806 gr ? "succeeded" : "failed" ));
809 fstr_sprintf(name, "unix_group.%u", (unsigned int)gid);
811 fstrcpy( name, gr->gr_name);
813 DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name,
814 (unsigned int)rid ));
816 /* assume fallback groups aer domain global groups */
818 *psid_name_use = SID_NAME_DOM_GRP;
820 return ( gr != NULL );
824 /*******************************************************************
825 Convert a name into a SID. Used in the lookup name rpc.
826 ********************************************************************/
828 BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use)
830 extern DOM_SID global_sid_World_Domain;
833 SAM_ACCOUNT *sam_account = NULL;
837 *psid_name_use = SID_NAME_UNKNOWN;
840 * user may be quoted a const string, and map_username and
841 * friends can modify it. Make a modifiable copy. JRA.
844 fstrcpy(user, c_user);
846 sid_copy(&local_sid, get_global_sam_sid());
849 * Special case for MACHINE\Everyone. Map to the world_sid.
852 if(strequal(user, "Everyone")) {
853 sid_copy( psid, &global_sid_World_Domain);
854 sid_append_rid(psid, 0);
855 *psid_name_use = SID_NAME_ALIAS;
859 (void)map_username(user);
861 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
865 /* BEGIN ROOT BLOCK */
868 if (pdb_getsampwnam(sam_account, user)) {
870 sid_copy(psid, pdb_get_user_sid(sam_account));
871 *psid_name_use = SID_NAME_USER;
873 pdb_free_sam(&sam_account);
877 pdb_free_sam(&sam_account);
880 * Maybe it was a group ?
883 /* check if it's a mapped group */
884 if (pdb_getgrnam(&map, user)) {
885 /* yes it's a mapped group */
886 sid_copy(&local_sid, &map.sid);
887 *psid_name_use = map.sid_name_use;
889 /* it's not a mapped group */
890 grp = getgrnam(user);
892 unbecome_root(); /* ---> exit form block */
897 *check if it's mapped, if it is reply it doesn't exist
899 * that's to prevent this case:
901 * unix group ug is mapped to nt group ng
902 * someone does a lookup on ug
903 * we must not reply as it doesn't "exist" anymore
904 * for NT. For NT only ng exists.
908 if (pdb_getgrgid(&map, grp->gr_gid)){
909 unbecome_root(); /* ---> exit form block */
913 sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
914 *psid_name_use = SID_NAME_ALIAS;
919 sid_copy( psid, &local_sid);
924 /*************************************************************
925 Change a password entry in the local smbpasswd file.
926 *************************************************************/
928 BOOL local_password_change(const char *user_name, int local_flags,
929 const char *new_passwd,
930 char *err_str, size_t err_str_len,
931 char *msg_str, size_t msg_str_len)
933 SAM_ACCOUNT *sam_pass=NULL;
939 /* Get the smb passwd entry for this user */
940 pdb_init_sam(&sam_pass);
943 if(!pdb_getsampwnam(sam_pass, user_name)) {
945 pdb_free_sam(&sam_pass);
947 if ((local_flags & LOCAL_ADD_USER) || (local_flags & LOCAL_DELETE_USER)) {
948 /* Might not exist in /etc/passwd. Use rid algorithm here */
949 if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass, user_name, 0))) {
950 slprintf(err_str, err_str_len-1, "Failed to initialise SAM_ACCOUNT for user %s.\n", user_name);
954 slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
959 /* the entry already existed */
960 local_flags &= ~LOCAL_ADD_USER;
963 /* the 'other' acb bits not being changed here */
964 other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
965 if (local_flags & LOCAL_TRUST_ACCOUNT) {
966 if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
967 slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
968 pdb_free_sam(&sam_pass);
971 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
972 if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
973 slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
974 pdb_free_sam(&sam_pass);
978 if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
979 slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
980 pdb_free_sam(&sam_pass);
986 * We are root - just write the new password
987 * and the valid last change time.
990 if (local_flags & LOCAL_DISABLE_USER) {
991 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
992 slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
993 pdb_free_sam(&sam_pass);
996 } else if (local_flags & LOCAL_ENABLE_USER) {
997 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
998 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
999 pdb_free_sam(&sam_pass);
1004 if (local_flags & LOCAL_SET_NO_PASSWORD) {
1005 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
1006 slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
1007 pdb_free_sam(&sam_pass);
1010 } else if (local_flags & LOCAL_SET_PASSWORD) {
1012 * If we're dealing with setting a completely empty user account
1013 * ie. One with a password of 'XXXX', but not set disabled (like
1014 * an account created from scratch) then if the old password was
1015 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
1016 * We remove that as we're giving this user their first password
1017 * and the decision hasn't really been made to disable them (ie.
1018 * don't create them disabled). JRA.
1020 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
1021 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
1022 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
1023 pdb_free_sam(&sam_pass);
1027 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
1028 slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
1029 pdb_free_sam(&sam_pass);
1033 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
1034 slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
1035 pdb_free_sam(&sam_pass);
1040 if (local_flags & LOCAL_ADD_USER) {
1041 if (pdb_add_sam_account(sam_pass)) {
1042 slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
1043 pdb_free_sam(&sam_pass);
1046 slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
1047 pdb_free_sam(&sam_pass);
1050 } else if (local_flags & LOCAL_DELETE_USER) {
1051 if (!pdb_delete_sam_account(sam_pass)) {
1052 slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
1053 pdb_free_sam(&sam_pass);
1056 slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
1058 if(!pdb_update_sam_account(sam_pass)) {
1059 slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
1060 pdb_free_sam(&sam_pass);
1063 if(local_flags & LOCAL_DISABLE_USER)
1064 slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
1065 else if (local_flags & LOCAL_ENABLE_USER)
1066 slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
1067 else if (local_flags & LOCAL_SET_NO_PASSWORD)
1068 slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
1071 pdb_free_sam(&sam_pass);
1075 /****************************************************************************
1076 Convert a uid to SID - algorithmic.
1077 ****************************************************************************/
1079 DOM_SID *algorithmic_uid_to_sid(DOM_SID *psid, uid_t uid)
1081 if ( !lp_enable_rid_algorithm() )
1084 DEBUG(8,("algorithmic_uid_to_sid: falling back to RID algorithm\n"));
1085 sid_copy( psid, get_global_sam_sid() );
1086 sid_append_rid( psid, fallback_pdb_uid_to_user_rid(uid) );
1087 DEBUG(10,("algorithmic_uid_to_sid: uid (%d) -> SID %s.\n",
1088 (unsigned int)uid, sid_string_static(psid) ));
1093 /****************************************************************************
1094 Convert a uid to SID - locally.
1095 ****************************************************************************/
1097 DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
1099 SAM_ACCOUNT *sampw = NULL;
1100 struct passwd *unix_pw;
1103 unix_pw = sys_getpwuid( uid );
1106 DEBUG(4,("local_uid_to_sid: host has no idea of uid %lu\n", (unsigned long)uid));
1107 return algorithmic_uid_to_sid( psid, uid);
1110 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
1111 DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUNT object\n"));
1116 ret = pdb_getsampwnam( sampw, unix_pw->pw_name );
1120 sid_copy( psid, pdb_get_user_sid(sampw) );
1122 DEBUG(4,("local_uid_to_sid: User %s [uid == %lu] has no samba account\n",
1123 unix_pw->pw_name, (unsigned long)uid));
1125 return algorithmic_uid_to_sid( psid, uid);
1128 DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n",
1129 (unsigned int)uid, sid_string_static(psid), unix_pw->pw_name));
1134 /****************************************************************************
1135 Convert a SID to uid - locally.
1136 ****************************************************************************/
1138 BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
1140 SAM_ACCOUNT *sampw = NULL;
1141 struct passwd *unix_pw;
1142 const char *user_name;
1144 *name_type = SID_NAME_UNKNOWN;
1147 * We can only convert to a uid if this is our local
1148 * Domain SID (ie. we are the controling authority).
1150 if (!sid_check_is_in_our_domain(psid) ) {
1151 DEBUG(5,("local_sid_to_uid: this SID (%s) is not from our domain\n", sid_string_static(psid)));
1155 /* lookup the user account */
1157 if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
1158 DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
1163 if ( !pdb_getsampwsid(sampw, psid) ) {
1165 DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
1166 sid_string_static(psid)));
1171 user_name = pdb_get_username(sampw);
1173 unix_pw = sys_getpwnam( user_name );
1176 DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
1178 pdb_free_sam( &sampw );
1182 *puid = unix_pw->pw_uid;
1184 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid),
1185 (unsigned int)*puid, user_name ));
1187 *name_type = SID_NAME_USER;
1192 /****************************************************************************
1193 Convert a gid to SID - locally.
1194 ****************************************************************************/
1196 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
1201 /* we don't need to disable winbindd since the gid is stored in
1202 the GROUP_MAP object */
1204 /* done as root since ldap backend requires root to open a connection */
1207 ret = pdb_getgrgid( &group, gid );
1212 /* fallback to rid mapping if enabled */
1214 if ( lp_enable_rid_algorithm() ) {
1215 sid_copy(psid, get_global_sam_sid());
1216 sid_append_rid(psid, pdb_gid_to_group_rid(gid));
1218 DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
1219 (unsigned int)gid, sid_string_static(psid)));
1227 sid_copy( psid, &group.sid );
1229 DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n",
1230 (unsigned int)gid, sid_string_static(psid)));
1235 /****************************************************************************
1236 Convert a SID to gid - locally.
1237 ****************************************************************************/
1239 BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
1245 *name_type = SID_NAME_UNKNOWN;
1247 /* This call can enumerate group mappings for foreign sids as well.
1248 So don't check for a match against our domain SID */
1250 /* we don't need to disable winbindd since the gid is stored in
1251 the GROUP_MAP object */
1254 ret = pdb_getgrsid(&group, *psid);
1259 /* fallback to rid mapping if enabled */
1261 if ( lp_enable_rid_algorithm() ) {
1263 if (!sid_check_is_in_our_domain(psid) ) {
1264 DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (%s is not)\n", sid_string_static(psid)));
1268 if (!sid_peek_rid(psid, &rid)) {
1269 DEBUG(10,("local_sid_to_uid: invalid SID!\n"));
1273 DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
1275 if (fallback_pdb_rid_is_user(rid)) {
1276 DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid)));
1279 *pgid = pdb_group_rid_to_gid(rid);
1280 DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid), (unsigned int)(*pgid)));
1290 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid),
1291 (unsigned int)*pgid));
1296 /**********************************************************************
1297 Marshall/unmarshall SAM_ACCOUNT structs.
1298 *********************************************************************/
1300 #define TDB_FORMAT_STRING_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
1301 #define TDB_FORMAT_STRING_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
1303 /**********************************************************************
1304 Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
1305 *********************************************************************/
1307 BOOL init_sam_from_buffer(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1309 return(init_sam_from_buffer_v1(sampass, buf, buflen));
1312 /**********************************************************************
1313 Intialize a BYTE buffer from a SAM_ACCOUNT struct
1314 *********************************************************************/
1316 uint32 init_buffer_from_sam (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL size_only)
1318 return(init_buffer_from_sam_v1(buf, sampass, size_only));
1322 BOOL init_sam_from_buffer_v0(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1325 /* times are stored as 32bit integer
1326 take care on system with 64bit wide time_t
1332 pass_can_change_time,
1333 pass_must_change_time;
1346 uint32 username_len, domain_len, nt_username_len,
1347 dir_drive_len, unknown_str_len, munged_dial_len,
1348 fullname_len, homedir_len, logon_script_len,
1349 profile_path_len, acct_desc_len, workstations_len;
1351 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
1352 uint16 acct_ctrl, logon_divs;
1353 uint16 bad_password_count, logon_count;
1355 static uint8 *lm_pw_ptr, *nt_pw_ptr;
1357 uint32 lm_pw_len, nt_pw_len, hourslen;
1360 if(sampass == NULL || buf == NULL) {
1361 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
1365 /* unpack the buffer into variables */
1366 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V0,
1370 &pass_last_set_time,
1371 &pass_can_change_time,
1372 &pass_must_change_time,
1373 &username_len, &username,
1374 &domain_len, &domain,
1375 &nt_username_len, &nt_username,
1376 &fullname_len, &fullname,
1377 &homedir_len, &homedir,
1378 &dir_drive_len, &dir_drive,
1379 &logon_script_len, &logon_script,
1380 &profile_path_len, &profile_path,
1381 &acct_desc_len, &acct_desc,
1382 &workstations_len, &workstations,
1383 &unknown_str_len, &unknown_str,
1384 &munged_dial_len, &munged_dial,
1387 &lm_pw_len, &lm_pw_ptr,
1388 &nt_pw_len, &nt_pw_ptr,
1390 &remove_me, /* remove on the next TDB_FORMAT upgarde */
1394 &bad_password_count,
1398 if (len == (uint32) -1) {
1403 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1404 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1405 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1406 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1407 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1408 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1410 pdb_set_username(sampass, username, PDB_SET);
1411 pdb_set_domain(sampass, domain, PDB_SET);
1412 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1413 pdb_set_fullname(sampass, fullname, PDB_SET);
1416 pdb_set_homedir(sampass, homedir, PDB_SET);
1419 pdb_set_homedir(sampass,
1420 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
1425 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1427 pdb_set_dir_drive(sampass,
1428 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
1433 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1435 pdb_set_logon_script(sampass,
1436 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
1441 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1443 pdb_set_profile_path(sampass,
1444 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_path()),
1448 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1449 pdb_set_workstations(sampass, workstations, PDB_SET);
1450 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1452 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1453 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1459 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1460 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1466 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1467 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1468 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1469 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1470 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1471 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1472 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1473 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1474 pdb_set_hours(sampass, hours, PDB_SET);
1478 SAFE_FREE(username);
1480 SAFE_FREE(nt_username);
1481 SAFE_FREE(fullname);
1483 SAFE_FREE(dir_drive);
1484 SAFE_FREE(logon_script);
1485 SAFE_FREE(profile_path);
1486 SAFE_FREE(acct_desc);
1487 SAFE_FREE(workstations);
1488 SAFE_FREE(munged_dial);
1489 SAFE_FREE(unknown_str);
1496 uint32 init_buffer_from_sam_v0 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL size_only)
1500 /* times are stored as 32bit integer
1501 take care on system with 64bit wide time_t
1507 pass_can_change_time,
1508 pass_must_change_time;
1510 uint32 user_rid, group_rid;
1512 const char *username;
1514 const char *nt_username;
1515 const char *dir_drive;
1516 const char *unknown_str;
1517 const char *munged_dial;
1518 const char *fullname;
1519 const char *homedir;
1520 const char *logon_script;
1521 const char *profile_path;
1522 const char *acct_desc;
1523 const char *workstations;
1524 uint32 username_len, domain_len, nt_username_len,
1525 dir_drive_len, unknown_str_len, munged_dial_len,
1526 fullname_len, homedir_len, logon_script_len,
1527 profile_path_len, acct_desc_len, workstations_len;
1531 uint32 lm_pw_len = 16;
1532 uint32 nt_pw_len = 16;
1534 /* do we have a valid SAM_ACCOUNT pointer? */
1535 if (sampass == NULL) {
1536 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1543 logon_time = (uint32)pdb_get_logon_time(sampass);
1544 logoff_time = (uint32)pdb_get_logoff_time(sampass);
1545 kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
1546 pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
1547 pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
1548 pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
1550 user_rid = pdb_get_user_rid(sampass);
1551 group_rid = pdb_get_group_rid(sampass);
1553 username = pdb_get_username(sampass);
1555 username_len = strlen(username) +1;
1559 domain = pdb_get_domain(sampass);
1561 domain_len = strlen(domain) +1;
1565 nt_username = pdb_get_nt_username(sampass);
1567 nt_username_len = strlen(nt_username) +1;
1569 nt_username_len = 0;
1571 fullname = pdb_get_fullname(sampass);
1573 fullname_len = strlen(fullname) +1;
1578 * Only updates fields which have been set (not defaults from smb.conf)
1581 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE))
1582 dir_drive = pdb_get_dir_drive(sampass);
1586 dir_drive_len = strlen(dir_drive) +1;
1590 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME))
1591 homedir = pdb_get_homedir(sampass);
1595 homedir_len = strlen(homedir) +1;
1599 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT))
1600 logon_script = pdb_get_logon_script(sampass);
1602 logon_script = NULL;
1604 logon_script_len = strlen(logon_script) +1;
1606 logon_script_len = 0;
1608 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE))
1609 profile_path = pdb_get_profile_path(sampass);
1611 profile_path = NULL;
1613 profile_path_len = strlen(profile_path) +1;
1615 profile_path_len = 0;
1617 lm_pw = pdb_get_lanman_passwd(sampass);
1621 nt_pw = pdb_get_nt_passwd(sampass);
1625 acct_desc = pdb_get_acct_desc(sampass);
1627 acct_desc_len = strlen(acct_desc) +1;
1631 workstations = pdb_get_workstations(sampass);
1633 workstations_len = strlen(workstations) +1;
1635 workstations_len = 0;
1638 unknown_str_len = 0;
1640 munged_dial = pdb_get_munged_dial(sampass);
1642 munged_dial_len = strlen(munged_dial) +1;
1644 munged_dial_len = 0;
1646 /* one time to get the size needed */
1647 len = tdb_pack(NULL, 0, TDB_FORMAT_STRING_V0,
1652 pass_can_change_time,
1653 pass_must_change_time,
1654 username_len, username,
1656 nt_username_len, nt_username,
1657 fullname_len, fullname,
1658 homedir_len, homedir,
1659 dir_drive_len, dir_drive,
1660 logon_script_len, logon_script,
1661 profile_path_len, profile_path,
1662 acct_desc_len, acct_desc,
1663 workstations_len, workstations,
1664 unknown_str_len, unknown_str,
1665 munged_dial_len, munged_dial,
1670 pdb_get_acct_ctrl(sampass),
1671 0, /* was: fileds_present, to be removed on format change */
1672 pdb_get_logon_divs(sampass),
1673 pdb_get_hours_len(sampass),
1674 MAX_HOURS_LEN, pdb_get_hours(sampass),
1675 pdb_get_bad_password_count(sampass),
1676 pdb_get_logon_count(sampass),
1677 pdb_get_unknown_6(sampass));
1683 /* malloc the space needed */
1684 if ( (*buf=(uint8*)malloc(len)) == NULL) {
1685 DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
1689 /* now for the real call to tdb_pack() */
1690 buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V0,
1695 pass_can_change_time,
1696 pass_must_change_time,
1697 username_len, username,
1699 nt_username_len, nt_username,
1700 fullname_len, fullname,
1701 homedir_len, homedir,
1702 dir_drive_len, dir_drive,
1703 logon_script_len, logon_script,
1704 profile_path_len, profile_path,
1705 acct_desc_len, acct_desc,
1706 workstations_len, workstations,
1707 unknown_str_len, unknown_str,
1708 munged_dial_len, munged_dial,
1713 pdb_get_acct_ctrl(sampass),
1714 0, /* was: fileds_present, to be removed on format change */
1715 pdb_get_logon_divs(sampass),
1716 pdb_get_hours_len(sampass),
1717 MAX_HOURS_LEN, pdb_get_hours(sampass),
1718 pdb_get_bad_password_count(sampass),
1719 pdb_get_logon_count(sampass),
1720 pdb_get_unknown_6(sampass));
1723 /* check to make sure we got it correct */
1724 if (buflen != len) {
1725 DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
1726 (unsigned long)buflen, (unsigned long)len));
1736 BOOL init_sam_from_buffer_v1(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
1739 /* times are stored as 32bit integer
1740 take care on system with 64bit wide time_t
1747 pass_can_change_time,
1748 pass_must_change_time;
1761 uint32 username_len, domain_len, nt_username_len,
1762 dir_drive_len, unknown_str_len, munged_dial_len,
1763 fullname_len, homedir_len, logon_script_len,
1764 profile_path_len, acct_desc_len, workstations_len;
1766 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
1767 uint16 acct_ctrl, logon_divs;
1768 uint16 bad_password_count, logon_count;
1770 static uint8 *lm_pw_ptr, *nt_pw_ptr;
1772 uint32 lm_pw_len, nt_pw_len, hourslen;
1775 if(sampass == NULL || buf == NULL) {
1776 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
1780 /* unpack the buffer into variables */
1781 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V1,
1786 &pass_last_set_time,
1787 &pass_can_change_time,
1788 &pass_must_change_time,
1789 &username_len, &username,
1790 &domain_len, &domain,
1791 &nt_username_len, &nt_username,
1792 &fullname_len, &fullname,
1793 &homedir_len, &homedir,
1794 &dir_drive_len, &dir_drive,
1795 &logon_script_len, &logon_script,
1796 &profile_path_len, &profile_path,
1797 &acct_desc_len, &acct_desc,
1798 &workstations_len, &workstations,
1799 &unknown_str_len, &unknown_str,
1800 &munged_dial_len, &munged_dial,
1803 &lm_pw_len, &lm_pw_ptr,
1804 &nt_pw_len, &nt_pw_ptr,
1810 &bad_password_count,
1814 if (len == (uint32) -1) {
1819 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1820 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1821 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1822 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1823 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1824 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1825 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1827 pdb_set_username(sampass, username, PDB_SET);
1828 pdb_set_domain(sampass, domain, PDB_SET);
1829 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1830 pdb_set_fullname(sampass, fullname, PDB_SET);
1833 pdb_set_homedir(sampass, homedir, PDB_SET);
1836 pdb_set_homedir(sampass,
1837 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
1842 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1844 pdb_set_dir_drive(sampass,
1845 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
1850 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1852 pdb_set_logon_script(sampass,
1853 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
1858 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1860 pdb_set_profile_path(sampass,
1861 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_path()),
1865 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1866 pdb_set_workstations(sampass, workstations, PDB_SET);
1867 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1869 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1870 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1876 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1877 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1883 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1884 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1885 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1886 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1887 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1888 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1889 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1890 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1891 pdb_set_hours(sampass, hours, PDB_SET);
1895 SAFE_FREE(lm_pw_ptr);
1896 SAFE_FREE(nt_pw_ptr);
1897 SAFE_FREE(username);
1899 SAFE_FREE(nt_username);
1900 SAFE_FREE(fullname);
1902 SAFE_FREE(dir_drive);
1903 SAFE_FREE(logon_script);
1904 SAFE_FREE(profile_path);
1905 SAFE_FREE(acct_desc);
1906 SAFE_FREE(workstations);
1907 SAFE_FREE(munged_dial);
1908 SAFE_FREE(unknown_str);
1915 uint32 init_buffer_from_sam_v1 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL size_only)
1919 /* times are stored as 32bit integer
1920 take care on system with 64bit wide time_t
1927 pass_can_change_time,
1928 pass_must_change_time;
1930 uint32 user_rid, group_rid;
1932 const char *username;
1934 const char *nt_username;
1935 const char *dir_drive;
1936 const char *unknown_str;
1937 const char *munged_dial;
1938 const char *fullname;
1939 const char *homedir;
1940 const char *logon_script;
1941 const char *profile_path;
1942 const char *acct_desc;
1943 const char *workstations;
1944 uint32 username_len, domain_len, nt_username_len,
1945 dir_drive_len, unknown_str_len, munged_dial_len,
1946 fullname_len, homedir_len, logon_script_len,
1947 profile_path_len, acct_desc_len, workstations_len;
1951 uint32 lm_pw_len = 16;
1952 uint32 nt_pw_len = 16;
1954 /* do we have a valid SAM_ACCOUNT pointer? */
1955 if (sampass == NULL) {
1956 DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
1963 logon_time = (uint32)pdb_get_logon_time(sampass);
1964 logoff_time = (uint32)pdb_get_logoff_time(sampass);
1965 kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
1966 bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
1967 pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
1968 pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
1969 pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
1971 user_rid = pdb_get_user_rid(sampass);
1972 group_rid = pdb_get_group_rid(sampass);
1974 username = pdb_get_username(sampass);
1976 username_len = strlen(username) +1;
1980 domain = pdb_get_domain(sampass);
1982 domain_len = strlen(domain) +1;
1986 nt_username = pdb_get_nt_username(sampass);
1988 nt_username_len = strlen(nt_username) +1;
1990 nt_username_len = 0;
1992 fullname = pdb_get_fullname(sampass);
1994 fullname_len = strlen(fullname) +1;
1999 * Only updates fields which have been set (not defaults from smb.conf)
2002 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE))
2003 dir_drive = pdb_get_dir_drive(sampass);
2007 dir_drive_len = strlen(dir_drive) +1;
2011 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME))
2012 homedir = pdb_get_homedir(sampass);
2016 homedir_len = strlen(homedir) +1;
2020 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT))
2021 logon_script = pdb_get_logon_script(sampass);
2023 logon_script = NULL;
2025 logon_script_len = strlen(logon_script) +1;
2027 logon_script_len = 0;
2029 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE))
2030 profile_path = pdb_get_profile_path(sampass);
2032 profile_path = NULL;
2034 profile_path_len = strlen(profile_path) +1;
2036 profile_path_len = 0;
2038 lm_pw = pdb_get_lanman_passwd(sampass);
2042 nt_pw = pdb_get_nt_passwd(sampass);
2046 acct_desc = pdb_get_acct_desc(sampass);
2048 acct_desc_len = strlen(acct_desc) +1;
2052 workstations = pdb_get_workstations(sampass);
2054 workstations_len = strlen(workstations) +1;
2056 workstations_len = 0;
2059 unknown_str_len = 0;
2061 munged_dial = pdb_get_munged_dial(sampass);
2063 munged_dial_len = strlen(munged_dial) +1;
2065 munged_dial_len = 0;
2067 /* one time to get the size needed */
2068 len = tdb_pack(NULL, 0, TDB_FORMAT_STRING_V1,
2074 pass_can_change_time,
2075 pass_must_change_time,
2076 username_len, username,
2078 nt_username_len, nt_username,
2079 fullname_len, fullname,
2080 homedir_len, homedir,
2081 dir_drive_len, dir_drive,
2082 logon_script_len, logon_script,
2083 profile_path_len, profile_path,
2084 acct_desc_len, acct_desc,
2085 workstations_len, workstations,
2086 unknown_str_len, unknown_str,
2087 munged_dial_len, munged_dial,
2092 pdb_get_acct_ctrl(sampass),
2094 pdb_get_logon_divs(sampass),
2095 pdb_get_hours_len(sampass),
2096 MAX_HOURS_LEN, pdb_get_hours(sampass),
2097 pdb_get_bad_password_count(sampass),
2098 pdb_get_logon_count(sampass),
2099 pdb_get_unknown_6(sampass));
2105 /* malloc the space needed */
2106 if ( (*buf=(uint8*)malloc(len)) == NULL) {
2107 DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
2111 /* now for the real call to tdb_pack() */
2112 buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V1,
2118 pass_can_change_time,
2119 pass_must_change_time,
2120 username_len, username,
2122 nt_username_len, nt_username,
2123 fullname_len, fullname,
2124 homedir_len, homedir,
2125 dir_drive_len, dir_drive,
2126 logon_script_len, logon_script,
2127 profile_path_len, profile_path,
2128 acct_desc_len, acct_desc,
2129 workstations_len, workstations,
2130 unknown_str_len, unknown_str,
2131 munged_dial_len, munged_dial,
2136 pdb_get_acct_ctrl(sampass),
2138 pdb_get_logon_divs(sampass),
2139 pdb_get_hours_len(sampass),
2140 MAX_HOURS_LEN, pdb_get_hours(sampass),
2141 pdb_get_bad_password_count(sampass),
2142 pdb_get_logon_count(sampass),
2143 pdb_get_unknown_6(sampass));
2146 /* check to make sure we got it correct */
2147 if (buflen != len) {
2148 DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2149 (unsigned long)buflen, (unsigned long)len));
2159 /**********************************************************************
2160 **********************************************************************/
2162 static BOOL get_free_ugid_range(uint32 *low, uint32 *high)
2164 uid_t u_low, u_high;
2165 gid_t g_low, g_high;
2167 if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
2171 *low = (u_low < g_low) ? u_low : g_low;
2172 *high = (u_high < g_high) ? u_high : g_high;
2177 /******************************************************************
2178 Get the the non-algorithmic RID range if idmap range are defined
2179 ******************************************************************/
2181 BOOL get_free_rid_range(uint32 *low, uint32 *high)
2183 uint32 id_low, id_high;
2185 if (!lp_enable_rid_algorithm()) {
2190 if (!get_free_ugid_range(&id_low, &id_high)) {
2194 *low = fallback_pdb_uid_to_user_rid(id_low);
2195 if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) {
2198 *high = fallback_pdb_uid_to_user_rid(id_high);
2204 /*********************************************************************
2205 Update the bad password count checking the AP_RESET_COUNT_TIME
2206 *********************************************************************/
2208 BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
2210 time_t LastBadPassword;
2211 uint16 BadPasswordCount;
2214 if (!sampass) return False;
2216 BadPasswordCount = pdb_get_bad_password_count(sampass);
2217 if (!BadPasswordCount) {
2218 DEBUG(9, ("No bad password attempts.\n"));
2222 if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
2223 DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
2227 /* First, check if there is a reset time to compare */
2228 if ((resettime == (uint32) -1) || (resettime == 0)) {
2229 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2233 LastBadPassword = pdb_get_bad_password_time(sampass);
2234 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2235 (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
2236 if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
2237 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2238 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2239 if (updated) *updated = True;
2245 /*********************************************************************
2246 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
2247 *********************************************************************/
2249 BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
2252 time_t LastBadPassword;
2254 if (!sampass) return False;
2256 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2257 DEBUG(9, ("Account not autolocked, no check needed\n"));
2261 if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) {
2262 DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
2266 /* First, check if there is a duration to compare */
2267 if ((duration == (uint32) -1) || (duration == 0)) {
2268 DEBUG(9, ("No reset duration, can't reset autolock\n"));
2272 LastBadPassword = pdb_get_bad_password_time(sampass);
2273 DEBUG(7, ("LastBadPassword=%d, duration=%d, current time =%d.\n",
2274 (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
2275 if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
2276 pdb_set_acct_ctrl(sampass,
2277 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2279 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2280 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2281 if (updated) *updated = True;
2287 /*********************************************************************
2288 Increment the bad_password_count
2289 *********************************************************************/
2291 BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
2293 uint32 account_policy_lockout;
2294 BOOL autolock_updated = False, badpw_updated = False;
2299 /* Retrieve the account lockout policy */
2300 if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
2301 &account_policy_lockout)) {
2302 DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
2306 /* If there is no policy, we don't need to continue checking */
2307 if (!account_policy_lockout) {
2308 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2312 /* Check if the autolock needs to be cleared */
2313 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2316 /* Check if the badpw count needs to be reset */
2317 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2321 Ok, now we can assume that any resetting that needs to be
2322 done has been done, and just get on with incrementing
2323 and autolocking if necessary
2326 pdb_set_bad_password_count(sampass,
2327 pdb_get_bad_password_count(sampass)+1,
2329 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2332 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2335 if (!pdb_set_acct_ctrl(sampass,
2336 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2338 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));