r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).

author Günther Deschner <gd@samba.org>

Sat, 22 Jan 2005 03:37:09 +0000 (03:37 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 15:55:08 +0000 (10:55 -0500)
author Günther Deschner <gd@samba.org>
Sat, 22 Jan 2005 03:37:09 +0000 (03:37 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:55:08 +0000 (10:55 -0500)
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema

index 7dc4de54b342e51532fc931f8a7b5a40e98f7451..997e79f6989d4327af64fbc0aea97f1ac5390118 100644 (file)
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -389,6 +389,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
         EQUALITY caseIgnoreIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
  
+attributetype ( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName'
+       DESC 'Account Policy Name'
+       EQUALITY caseIgnoreMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue'
+       DESC 'Account Policy Value'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
  
  #######################################################################
  ##              objectClasses used by Samba 3.0 schema               ##
@@ -478,3 +488,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
         MUST ( sambaSID )
         MAY ( sambaPrivilegeList ) )
  
+objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL
+       DESC 'Samba Account Policy'
+       MUST ( sambaAccountPolicyName $ sambaAccountPolicyValue )
+       MAY ( description ) )
+
diff --git a/source3/Makefile.in b/source3/Makefile.in

index 466958b5abb44067c38e23b62c626ce3cd3094da..f20584218a6b60102836095d1cdded04b9f1d88d 100644 (file)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -203,10 +203,10 @@ LIB_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \
           lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
           lib/md5.o lib/hmacmd5.o lib/iconv.o \
           nsswitch/wb_client.o $(WBCOMMON_OBJ) \
-         lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \
+         lib/pam_errors.o intl/lang_tdb.o \
           lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
           lib/module.o lib/ldap_escape.o @CHARSET_STATIC@ \
-         lib/privileges.o lib/secdesc.o lib/secace.o lib/secacl.o
+         lib/secdesc.o lib/secace.o lib/secacl.o 
  
  LIB_NONSMBD_OBJ = $(LIB_OBJ) lib/dummysmbd.o
  
@@ -312,7 +312,7 @@ PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
                 passdb/util_sam_sid.o passdb/pdb_compat.o \
                 passdb/lookup_sid.o \
                 passdb/login_cache.o @PDB_STATIC@ passdb/pdb_sql.o \
-               lib/system_smbd.o
+               lib/system_smbd.o lib/account_pol.o lib/privileges.o
  
  XML_OBJ = passdb/pdb_xml.o
  MYSQL_OBJ = passdb/pdb_mysql.o
@@ -507,8 +507,8 @@ LIBSMBCLIENT_OBJ = libsmb/libsmbclient.o libsmb/libsmb_compat.o \
                    libsmb/libsmb_cache.o \
                    $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
                    $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
-                  $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
-                  $(SECRETS_OBJ) 
+                  $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
+                  $(SECRETS_OBJ) $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
  
  # This shared library is intended for linking with unit test programs
  # to test Samba internals.  It's called libbigballofmud.so to
@@ -584,13 +584,15 @@ LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \
  
  SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
                            $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \
-                          $(PASSDB_GET_SET_OBJ) $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \
-                          $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ)
+                          $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \
+                          $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ) \
+                          $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
  
  SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
                 $(PARAM_OBJ) \
-               $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
-               $(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ)
+               $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \
+               $(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \
+               $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
  
  TALLOCTORT_OBJ = lib/talloctort.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) libsmb/nterr.o
  
diff --git a/source3/include/passdb.h b/source3/include/passdb.h

index 1b9ccc50ee47e872253c54c5ccfb8fbd4e4edeaa..f37a2782551afc824cb2643123e8b26d82c14038 100644 (file)
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -334,6 +334,12 @@ typedef struct pdb_context
                                                DOM_SID **aliases,
                                                int *num_aliases);
  
+       NTSTATUS (*pdb_get_account_policy)(struct pdb_context *context,
+                                          int policy_index, int *value);
+
+       NTSTATUS (*pdb_set_account_policy)(struct pdb_context *context,
+                                          int policy_index, int value);
+
         void (*free_fn)(struct pdb_context **);
         
         TALLOC_CTX *mem_ctx;
@@ -425,6 +431,12 @@ typedef struct pdb_methods
                                            int num_members,
                                            DOM_SID **aliases, int *num);
  
+       NTSTATUS (*get_account_policy)(struct pdb_methods *methods,
+                                      int policy_index, int *value);
+
+       NTSTATUS (*set_account_policy)(struct pdb_methods *methods,
+                                      int policy_index, int value);
+
         void *private_data;  /* Private data of some kind */
         
         void (*free_private_data)(void **);
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h

index adb51430dc6b4e3068cd9bcae4c7be4238bd8028..9a116ab7e785874222713b5c088818865c7a53a6 100644 (file)
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -38,6 +38,7 @@
  #define LDAP_OBJ_IDPOOL                        "sambaUnixIdPool"
  #define LDAP_OBJ_IDMAP_ENTRY           "sambaIdmapEntry"
  #define LDAP_OBJ_SID_ENTRY             "sambaSidEntry"
+#define LDAP_OBJ_ACCOUNT_POLICY                "sambaAccountPolicy"
  
  #define LDAP_OBJ_ACCOUNT               "account"
  #define LDAP_OBJ_POSIXACCOUNT          "posixAccount"
@@ -97,6 +98,8 @@
  #define LDAP_ATTR_SID_LIST             40
  #define LDAP_ATTR_MOD_TIMESTAMP                41
  #define LDAP_ATTR_LOGON_HOURS          42
+#define LDAP_ATTR_ACCOUNT_POLICY_NAME  43
+#define LDAP_ATTR_ACCOUNT_POLICY_VAL   44
  
  typedef struct _attrib_map_entry {
         int             attrib;
@@ -115,6 +118,7 @@ extern ATTRIB_MAP_ENTRY groupmap_attr_list[];
  extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[];
  extern ATTRIB_MAP_ENTRY idpool_attr_list[];
  extern ATTRIB_MAP_ENTRY sidmap_attr_list[];
+extern ATTRIB_MAP_ENTRY acctpol_attr_list[];
  
  /* Function declarations -- not included in proto.h so we don't
     have to worry about LDAP structure types */
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c

index 5997d9180aedfab499eaecf4ba4035c3de05e2db..b81a9fe34daa5bf1166e01e7c3dff079585ab5bc 100644 (file)
--- a/source3/lib/account_pol.c
+++ b/source3/lib/account_pol.c
@@ -3,6 +3,7 @@
   *  account policy storage
   *  Copyright (C) Jean François Micouleau      1998-2001.
   *  Copyright (C) Andrew Bartlett              2002
+ *  Copyright (C) Guenther Deschner            2004-2005
   *  
   *  This program is free software; you can redistribute it and/or modify
   *  it under the terms of the GNU General Public License as published by
@@ -22,7 +23,14 @@
  #include "includes.h"
  static TDB_CONTEXT *tdb; 
  
-#define DATABASE_VERSION 2
+/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
+ * after this period if admins do not use pdbedit or usermanager but manipulate
+ * ldap directly) - gd */
+
+#define DATABASE_VERSION       3
+#define AP_LASTSET             "LAST_CACHE_UPDATE"
+#define AP_MIGRATED            "ACCOUNT POLICIES WERE MIGRATED TO PASSDB"
+#define AP_TTL                 60
  
  extern DOM_SID global_sid_World;
  extern DOM_SID global_sid_Builtin_Administrators;
@@ -32,100 +40,35 @@ extern DOM_SID global_sid_Builtin_Print_Operators;
  extern DOM_SID global_sid_Builtin_Backup_Operators;
  
  
-/****************************************************************************
- Set default for a field if it is empty
-****************************************************************************/
-
-static void set_default_on_empty(int field, uint32 value)
-{
-       if (account_policy_get(field, NULL))
-               return;
-       account_policy_set(field, value);
-       return;
-}
-
-/****************************************************************************
- Open the account policy tdb.
-****************************************************************************/
-
-BOOL init_account_policy(void)
-{
-       const char *vstring = "INFO/version";
-       uint32 version;
-
-       if (tdb)
-               return True;
-       tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
-       if (!tdb) {
-               DEBUG(0,("Failed to open account policy database\n"));
-               return False;
-       }
-
-       /* handle a Samba upgrade */
-       tdb_lock_bystring(tdb, vstring,0);
-       if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
-               tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
-               
-               set_default_on_empty(
-                       AP_MIN_PASSWORD_LEN, 
-                       MINPASSWDLENGTH);/* 5 chars minimum             */
-               set_default_on_empty(
-                       AP_PASSWORD_HISTORY, 
-                       0);             /* don't keep any old password  */
-               set_default_on_empty(
-                       AP_USER_MUST_LOGON_TO_CHG_PASS, 
-                       0);             /* don't force user to logon    */
-               set_default_on_empty(
-                       AP_MAX_PASSWORD_AGE, 
-                       (uint32)-1);    /* don't expire                 */
-               set_default_on_empty(
-                       AP_MIN_PASSWORD_AGE, 
-                       0);             /* 0 days                      */
-               set_default_on_empty(
-                       AP_LOCK_ACCOUNT_DURATION, 
-                       30);            /* lockout for 30 minutes      */
-               set_default_on_empty(
-                       AP_RESET_COUNT_TIME, 
-                       30);            /* reset after 30 minutes      */
-               set_default_on_empty(
-                       AP_BAD_ATTEMPT_LOCKOUT, 
-                       0);             /* don't lockout               */
-               set_default_on_empty(
-                       AP_TIME_TO_LOGOUT, 
-                       -1);            /* don't force logout          */
-               set_default_on_empty(
-                       AP_REFUSE_MACHINE_PW_CHANGE, 
-                       0);             /* allow machine pw changes    */
-       }
-       tdb_unlock_bystring(tdb, vstring);
-
-       /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
-
-       privilege_create_account( &global_sid_World );
-       privilege_create_account( &global_sid_Builtin_Administrators );
-       privilege_create_account( &global_sid_Builtin_Account_Operators );
-       privilege_create_account( &global_sid_Builtin_Server_Operators );
-       privilege_create_account( &global_sid_Builtin_Print_Operators );
-       privilege_create_account( &global_sid_Builtin_Backup_Operators );
-       
-       return True;
-}
-
-static const struct {
+struct ap_table {
         int field;
         const char *string;
-} account_policy_names[] = {
-       {AP_MIN_PASSWORD_LEN, "min password length"},
-       {AP_PASSWORD_HISTORY, "password history"},
-       {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"},
-       {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"},
-       {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"},
-       {AP_LOCK_ACCOUNT_DURATION, "lockout duration"},
-       {AP_RESET_COUNT_TIME, "reset count minutes"},
-       {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"},
-       {AP_TIME_TO_LOGOUT, "disconnect time"},
-       {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"},
-       {0, NULL}
+       uint32 default_val;
+       const char *comment;
+};
+
+static const struct ap_table account_policy_names[] = {
+       {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, 
+               "Minimal password length (default: 5)"},
+       {AP_PASSWORD_HISTORY, "password history", 0,
+               "Length of Password History Entries (default: 0 => off)" },
+       {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
+               "Force Users to logon for password change (default: 0 => off, 2 => on)"},
+       {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32)-1,
+               "Maximum password age, in seconds (default: -1 => never expire passwords)"},
+       {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
+               "Minimal password age, in seconds (default: 0 => allow immediate password change)"},
+       {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
+               "Lockout duration in minutes (default: 30, -1 => forever)"},
+       {AP_RESET_COUNT_TIME, "reset count minutes", 30,
+               "Reset time after lockout in minutes (default: 30)"},
+       {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
+               "Lockout users after bad logon attempts (default: 0 => off)"},
+       {AP_TIME_TO_LOGOUT, "disconnect time", -1,
+               "Disconnect Users outside logon hours (default: -1 => off, 0 => on)"}, 
+       {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
+               "Allow Machine Password changes (default: 0 => off)"},
+       {0, NULL, 0, ""}
  };
  
  char *account_policy_names_list(void)
@@ -156,7 +99,7 @@ char *account_policy_names_list(void)
  Get the account policy name as a string from its #define'ed number
  ****************************************************************************/
  
-static const char *decode_account_policy_name(int field)
+const char *decode_account_policy_name(int field)
  {
         int i;
         for (i=0; account_policy_names[i].string; i++) {
@@ -167,6 +110,21 @@ static const char *decode_account_policy_name(int field)
  
  }
  
+/****************************************************************************
+Get the account policy comment as a string from its #define'ed number
+****************************************************************************/
+
+const char *account_policy_get_comment(int field)
+{
+       int i;
+       for (i=0; account_policy_names[i].string; i++) {
+               if (field == account_policy_names[i].field)
+                       return account_policy_names[i].comment;
+       }
+       return NULL;
+
+}
+
  /****************************************************************************
  Get the account policy name as a string from its #define'ed number
  ****************************************************************************/
@@ -182,15 +140,222 @@ int account_policy_name_to_fieldnum(const char *name)
  
  }
  
-/****************************************************************************
-****************************************************************************/
+/*****************************************************************************
+Update LAST-Set counter inside the cache
+*****************************************************************************/
+
+static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update)
+{
+       pstring key;
+       uint32 val = 0;
+       time_t now;
+
+       slprintf(key, sizeof(key)-1, "%s", AP_LASTSET);
+
+       if (!init_account_policy())
+               return False;
+
+       if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
+               DEBUG(10,("failed to get last set timestamp of cache\n"));
+               return False;
+       }
+
+       *value = val;
+
+       DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
+
+       if (update) {
+
+               now = time(NULL);
+
+               if (!tdb_store_uint32(tdb, key, (uint32)now)) {
+                       DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
+                       return False;
+               }
+               DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
+               *value = now;
+       }
+
+       return True;
+}
+
+/*****************************************************************************
+Get default value for account policy
+*****************************************************************************/
+
+BOOL account_policy_get_default(int account_policy, uint32 *val)
+{
+       int i;
+       for (i=0; account_policy_names[i].field; i++) {
+               if (account_policy_names[i].field == account_policy) {
+                       *val = account_policy_names[i].default_val;
+                       return True;
+               }
+       }
+       DEBUG(0,("no default for account_policy index %d found. This should never happen\n", 
+               account_policy));
+       return False;
+}
+
+/*****************************************************************************
+ Set default for a field if it is empty
+*****************************************************************************/
+
+static BOOL account_policy_set_default_on_empty(int account_policy)
+{
+
+       uint32 value;
+
+       if (!account_policy_get(account_policy, &value) && 
+           !account_policy_get_default(account_policy, &value)) {
+               return False;
+       }
+
+       return account_policy_set(account_policy, value);
+}
+
+/*****************************************************************************
+Check migration success, set marker if required
+*****************************************************************************/
+
+static BOOL already_migrated_account_policies(BOOL store_migration_success)
+{
+       pstring key;
+       uint32 value;
+
+       slprintf(key, sizeof(key)-1, "%s", AP_MIGRATED);
+
+       if (tdb_fetch_uint32(tdb, key, &value)) {
+               return True;
+       }
+
+       if (store_migration_success) {
+
+               if (!tdb_store_uint32(tdb, key, 1)) {
+                       DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
+                       return False;
+               }
+               return True;
+       }
+
+       return False;
+}
+
+/*****************************************************************************
+Migrate account policies to passdb
+*****************************************************************************/
+
+static BOOL migrate_account_policy_names_to_passdb(void)
+{
+       int i, tmp_val;
+       BOOL got_pol;
+
+       if (already_migrated_account_policies(False)) {
+               return True;
+       }
+
+       DEBUG(1,("start migrating account policies into passdb\n"));
+
+       for (i=1; decode_account_policy_name(i) != NULL; i++) {
+
+               got_pol = False;
+
+               if (pdb_get_account_policy(i, &tmp_val)) {
+                       DEBUG(10,("account policy already in passdb\n"));
+                       got_pol = True;
+               }
+
+               if (!got_pol && !account_policy_get(i, &tmp_val)) {
+                       DEBUG(0,("very weird: could not get value for account policy\n"));
+                       return False;
+               }
+
+               DEBUGADD(1,("\tmigrating account policy (#%d: %s with value: %d) to passdb\n", 
+                       i, (char *)decode_account_policy_name(i), tmp_val));
+
+               /* set policy via new passdb api */
+               if (!pdb_set_account_policy(i, tmp_val)) {
+                       DEBUG(0,("failed to set account_policy\n"));
+                       return False;
+               }
+
+       }
+
+       if (!already_migrated_account_policies(True)) {
+               DEBUG(0,("could not store marker for account policy migration in the tdb\n"));
+               return False;
+       }
+               
+       DEBUGADD(1,("succesfully migrated account policies into passdb\n"));
+
+       return True;
+}
+
+/*****************************************************************************
+ Open the account policy tdb.
+***`*************************************************************************/
+
+BOOL init_account_policy(void)
+{
+
+       const char *vstring = "INFO/version";
+       uint32 version;
+       int i;
+
+       if (tdb)
+               return True;
+
+       tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+       if (!tdb) {
+               DEBUG(0,("Failed to open account policy database\n"));
+               return False;
+       }
+
+       /* handle a Samba upgrade */
+       tdb_lock_bystring(tdb, vstring,0);
+       if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
+
+               tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
+
+               for (i=0; account_policy_names[i].field; i++) {
+
+                       if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
+                               DEBUG(0,("failed to set default value in account policy tdb\n"));
+                               return False;
+                       }
+               }
+       }
+
+       if (!migrate_account_policy_names_to_passdb()) {
+               DEBUG(0,("Could not migrate account policy tdb to passdb.\n"));
+               return False;
+       }
+
+       tdb_unlock_bystring(tdb, vstring);
+
+       /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
+
+       privilege_create_account( &global_sid_World );
+       privilege_create_account( &global_sid_Builtin_Administrators );
+       privilege_create_account( &global_sid_Builtin_Account_Operators );
+       privilege_create_account( &global_sid_Builtin_Server_Operators );
+       privilege_create_account( &global_sid_Builtin_Print_Operators );
+       privilege_create_account( &global_sid_Builtin_Backup_Operators );
+
+       return True;
+}
+
+/*****************************************************************************
+Internal function
+*****************************************************************************/
  
  BOOL account_policy_get(int field, uint32 *value)
  {
         fstring name;
         uint32 regval;
  
-       if(!init_account_policy())return False;
+       if (!init_account_policy())
+               return False;
  
         if (value)
                 *value = 0;
@@ -213,12 +378,15 @@ BOOL account_policy_get(int field, uint32 *value)
  
  
  /****************************************************************************
+Get an account policy from a (migrated tdb)
  ****************************************************************************/
+
  BOOL account_policy_set(int field, uint32 value)
  {
         fstring name;
  
-       if(!init_account_policy())return False;
+       if (!init_account_policy())
+               return False;
  
         fstrcpy(name, decode_account_policy_name(field));
         if (!*name) {
@@ -227,7 +395,7 @@ BOOL account_policy_set(int field, uint32 value)
         }
  
         if (!tdb_store_uint32(tdb, name, value)) {
-               DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value));
+               DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
                 return False;
         }
  
@@ -236,6 +404,64 @@ BOOL account_policy_set(int field, uint32 value)
         return True;
  }
  
+/****************************************************************************
+Set an account policy in the cache 
+****************************************************************************/
+
+BOOL cache_account_policy_set(int field, uint32 value)
+{
+       uint32 lastset, i;
+
+       for (i=0; account_policy_names[i].field; i++) {
+
+               if (account_policy_names[i].field == field) {
+
+                       DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
+
+                       if (!account_policy_set(field, value)) {
+                               return False;
+                       }
+
+                       if (!account_policy_cache_timestamp(&lastset, True)) {
+                               DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
+                               return False;
+                       }
+
+                       DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
+               }
+       }
+
+       return True;
+}
+
+/*****************************************************************************
+Get an account policy from the cache 
+*****************************************************************************/
+
+BOOL cache_account_policy_get(int field, uint32 *value)
+{
+       uint32 lastset, i;
+
+       if (!account_policy_cache_timestamp(&lastset, False)) {
+               DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
+               return False;
+       }
+
+       if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
+               DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
+               return False;
+       } 
+
+       for (i=0; account_policy_names[i].field; i++) {
+               if (account_policy_names[i].field == field) {
+                       return account_policy_get(field, value);
+               }
+       }
+
+       return False;
+}
+
+
  /****************************************************************************
  ****************************************************************************/
  
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c

index 7908bc254dac23ba77bbf4931909e84edc6b6760..e242a6c3b1ad6c6424bb2357c65edc4ba18da5ed 100644 (file)
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -208,6 +208,15 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
         { LDAP_ATTR_LIST_END,           NULL                    }       
  };
  
+/* attributes used for account policies */
+
+ATTRIB_MAP_ENTRY acctpol_attr_list[] = {
+       { LDAP_ATTR_OBJCLASS,           "objectClass"                   },
+       { LDAP_ATTR_ACCOUNT_POLICY_NAME,"sambaAccountPolicyName"        },
+       { LDAP_ATTR_ACCOUNT_POLICY_VAL, "sambaAccountPolicyValue"       },
+       { LDAP_ATTR_LIST_END,           NULL                            },
+};
+
  /**********************************************************************
   perform a simple table lookup and return the attribute name 
   **********************************************************************/
@@ -1243,6 +1252,82 @@ NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, const char *location, struct smbldap_
         return NT_STATUS_OK;
  }
  
+/**********************************************************************
+ Add the account-policies below the sambaDomain object to LDAP, 
+*********************************************************************/
+static NTSTATUS add_new_domain_account_policies(struct smbldap_state *ldap_state,
+                                               const char *domain_name)
+{
+       NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+       int i, ldap_op, policy_default, rc;
+       const char *policy_string = NULL;
+       const char *policy_comment = NULL;
+       pstring dn;
+       fstring policy_default_str;
+
+       DEBUG(3,("Adding new account policies for domain\n"));
+       ldap_op = LDAP_MOD_ADD;
+
+       for (i=1; decode_account_policy_name(i) != NULL; i++) {
+               LDAPMod **mods = NULL;
+
+               policy_string = decode_account_policy_name(i);
+               if (!policy_string) {
+                       DEBUG(0,("add_new_domain_account_policies: ops. no policy!\n"));
+                       return ntstatus;
+               }
+
+               policy_comment = account_policy_get_comment(i);
+               if (!policy_comment) {
+                       DEBUG(0,("add_new_domain_account_policies: no description for policy found\n"));
+                       return ntstatus;
+               }
+
+               if (!account_policy_get_default(i, &policy_default)) {
+                       DEBUG(0,("add_new_domain_account_policies: failed to get default account policy\n"));
+                       return ntstatus;
+               }
+
+               slprintf(policy_default_str, sizeof(policy_default_str) - 1, "%i", policy_default);
+
+               pstr_sprintf(dn, "%s=%s,%s=%s,%s",
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
+                       get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(),
+                       lp_ldap_suffix());
+
+               smbldap_set_mod( &mods, ldap_op, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
+
+               smbldap_set_mod( &mods, ldap_op,
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+                       policy_string);
+
+               smbldap_set_mod( &mods, ldap_op,
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+                       policy_default_str);
+
+               smbldap_set_mod( &mods, ldap_op, "description", policy_comment);
+
+               rc = smbldap_add(ldap_state, dn, mods);
+
+               if (rc!=LDAP_SUCCESS) {
+                       char *ld_error = NULL;
+                       ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
+                       DEBUG(1,("failed to add account policy dn= %s with: %s\n\t%s\n",
+                              dn, ldap_err2string(rc),
+                              ld_error?ld_error:"unknown"));
+                       SAFE_FREE(ld_error);
+
+                       ldap_mods_free(mods, True);
+                       return ntstatus;
+               }
+
+               DEBUG(2,("added: domain account policy = [%s] in the LDAP database\n", policy_string));
+               ldap_mods_free(mods, True);
+       }
+
+       return NT_STATUS_OK;
+}
+
  /**********************************************************************
   Add the sambaDomain to LDAP, so we don't have to search for this stuff
   again.  This is a once-add operation for now.
@@ -1397,7 +1482,8 @@ NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
                 DEBUG(3, ("Got no domain info entries for domain\n"));
                 ldap_msgfree(*result);
                 *result = NULL;
-               if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name))) {
+               if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name)) 
+                           && NT_STATUS_IS_OK(ret = add_new_domain_account_policies(ldap_state, domain_name))) {
                         return smbldap_search_domain_info(ldap_state, result, domain_name, False);
                 } 
                 else {
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c

index 1f5e4be6cf60584414621e634fe5ec0bdcfeaba1..bd76941c6178bb4205916d2a56d466f271eeec0f 100644 (file)
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1897,7 +1897,7 @@ BOOL init_sam_from_buffer_v2(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
         }
  
         /* Change from V1 is addition of password history field. */
-       account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+       pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
         if (pwHistLen) {
                 char *pw_hist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
                 if (!pw_hist) {
@@ -2105,7 +2105,7 @@ uint32 init_buffer_from_sam_v2 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL si
                 nt_pw_len = 0;
         }
  
-       account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+       pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
         nt_pw_hist =  pdb_get_pw_history(sampass, &nt_pw_hist_len);
         if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
                 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
@@ -2314,8 +2314,8 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
                 return True;
         }
  
-       if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
-               DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
+       if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
+               DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
                 return False;
         }
  
@@ -2356,8 +2356,8 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
                 return True;
         }
  
-       if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) {
-               DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
+       if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+               DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
                 return False;
         }
  
@@ -2405,9 +2405,9 @@ BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
                 return False;
  
         /* Retrieve the account lockout policy */
-       if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
+       if (!pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
                                 &account_policy_lockout)) {
-               DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
+               DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
                 return False;
         }
  
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c

index 92e2cee7100c370320e3e519215768d46a8d9e8c..3430969e7171235ee9e374ba63b177ce751a5c2e 100644 (file)
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -1123,7 +1123,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
         if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
                 return False;
  
-       if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire) 
+       if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire) 
             || (expire==(uint32)-1) || (expire == 0)) {
                 if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
                         return False;
@@ -1134,7 +1134,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
                         return False;
         }
         
-       if (!account_policy_get(AP_MIN_PASSWORD_AGE, &min_age) 
+       if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age) 
             || (min_age==(uint32)-1)) {
                 if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED))
                         return False;
@@ -1189,7 +1189,7 @@ BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
         if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
                 uchar *pwhistory;
                 uint32 pwHistLen;
-               account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+               pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
                 if (pwHistLen != 0){
                         uint32 current_history_len;
                         /* We need to make sure we don't have a race condition here - the
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c

index ea097c10f694d87a5db4200f114a58bc522f85b6..bc4df4f2a38b60097eb1ac6cd59a63eeca578088 100644 (file)
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -620,6 +620,35 @@ static NTSTATUS context_enum_alias_memberships(struct pdb_context *context,
                 enum_alias_memberships(context->pdb_methods, members,
                                        num_members, aliases, num);
  }
+
+static NTSTATUS context_get_account_policy(struct pdb_context *context,
+                                          int policy_index, int *value)
+{
+       NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+       if ((!context) || (!context->pdb_methods)) {
+               DEBUG(0, ("invalid pdb_context specified!\n"));
+               return ret;
+       }
+
+       return context->pdb_methods->get_account_policy(context->pdb_methods,
+                                                       policy_index, value);
+}
+
+static NTSTATUS context_set_account_policy(struct pdb_context *context,
+                                          int policy_index, int value)
+{
+       NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+       if ((!context) || (!context->pdb_methods)) {
+               DEBUG(0, ("invalid pdb_context specified!\n"));
+               return ret;
+       }
+
+       return context->pdb_methods->set_account_policy(context->pdb_methods,
+                                                       policy_index, value);
+}
+
         
  /******************************************************************
    Free and cleanup a pdb context, any associated data and anything
@@ -749,6 +778,9 @@ static NTSTATUS make_pdb_context(struct pdb_context **context)
         (*context)->pdb_enum_aliasmem = context_enum_aliasmem;
         (*context)->pdb_enum_alias_memberships = context_enum_alias_memberships;
  
+       (*context)->pdb_get_account_policy = context_get_account_policy;
+       (*context)->pdb_set_account_policy = context_set_account_policy;
+
         (*context)->free_fn = free_pdb_context;
  
         return NT_STATUS_OK;
@@ -1201,6 +1233,30 @@ BOOL pdb_enum_alias_memberships(const DOM_SID *members, int num_members,
                                                           aliases, num));
  }
  
+BOOL pdb_get_account_policy(int policy_index, int *value)
+{
+       struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+       if (!pdb_context) {
+               return False;
+       }
+
+       return NT_STATUS_IS_OK(pdb_context->
+                              pdb_get_account_policy(pdb_context, policy_index, value));
+}
+
+BOOL pdb_set_account_policy(int policy_index, int value)
+{
+       struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+       if (!pdb_context) {
+               return False;
+       }
+
+       return NT_STATUS_IS_OK(pdb_context->
+                              pdb_set_account_policy(pdb_context, policy_index, value));
+}
+
  /***************************************************************
    Initialize the static context (at smbd startup etc). 
  
@@ -1258,6 +1314,16 @@ static void pdb_default_endsampwent(struct pdb_methods *methods)
         return; /* NT_STATUS_NOT_IMPLEMENTED; */
  }
  
+static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+{
+       return account_policy_get(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+{
+       return account_policy_set(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
  NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods) 
  {
         *methods = TALLOC_P(mem_ctx, struct pdb_methods);
@@ -1295,6 +1361,8 @@ NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
         (*methods)->del_aliasmem = pdb_default_del_aliasmem;
         (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
         (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
+       (*methods)->get_account_policy = pdb_default_get_account_policy;
+       (*methods)->set_account_policy = pdb_default_set_account_policy;
  
         return NT_STATUS_OK;
  }
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c

index 8b7661d9a36fb86a3e9e0f4a3c26deaf60f68d2c..2691965364cce0328958039833b27737adad1c65 100644 (file)
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -727,7 +727,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                 ZERO_STRUCT(smbntpwd);
         }
  
-       account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+       pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
         if (pwHistLen > 0){
                 uint8 *pwhist = NULL;
                 int i;
@@ -1071,7 +1071,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
  
                 if (need_update(sampass, PDB_PWHISTORY)) {
                         int pwHistLen = 0;
-                       account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+                       pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
                         if (pwHistLen == 0) {
                                 /* Remove any password history from the LDAP store. */
                                 memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
@@ -1136,7 +1136,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
                 uint16 badcount = pdb_get_bad_password_count(sampass);
                 time_t badtime = pdb_get_bad_password_time(sampass);
                 uint32 pol;
-               account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
+               pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
  
                 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
                         (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
@@ -2878,6 +2878,245 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
         return NT_STATUS_OK;
  }
  
+static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+{
+       NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+       LDAPMessage *result = NULL;
+       LDAPMessage *entry = NULL;
+       int count;
+       int rc;
+       pstring filter, base;
+       char **vals;
+       const char *policy_string = NULL;
+       int tmp_val;
+       BOOL found_tdb = False;
+
+       struct ldapsam_privates *ldap_state =
+               (struct ldapsam_privates *)methods->private_data;
+
+       char *attrs[] = {
+               (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+               (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+               NULL 
+       };
+
+       if (cache_account_policy_get(policy_index, value)) {
+               DEBUG(11,("ldapsam_get_account_policy: got valid value from cache\n"));
+               return NT_STATUS_OK;
+       }
+
+       policy_string = decode_account_policy_name(policy_index);
+       if (!policy_string) {
+               DEBUG(0,("ldapsam_get_account_policy: invalid policy index: %d\n", policy_index));
+               return ntstatus;
+       }
+
+       pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
+                    LDAP_OBJ_ACCOUNT_POLICY, 
+                    get_attr_key2string(acctpol_attr_list,
+                                        LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
+
+       pstr_sprintf(base, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+               get_global_sam_name(), lp_ldap_suffix());
+
+search:                
+       rc = smbldap_search(ldap_state->smbldap_state, base,
+                           LDAP_SCOPE_ONE, filter, attrs, 0, &result);
+
+       if (rc != LDAP_SUCCESS) 
+               return ntstatus;
+
+       count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
+                                  result);
+
+       /* handle deleted ldap-entries (migrate on the fly, use a default as last resort) - gd */
+       if (count < 1 && !found_tdb) {
+
+               found_tdb = False;
+
+               DEBUG(3,("ldapsam_get_account_policy: no entry for that policy in ldap found\n"));
+
+               if (!account_policy_get(policy_index, &tmp_val)) {
+                       DEBUG(10,("ldapsam_get_account_policy: failed to get account_policy from tdb\n"));
+                       found_tdb = True;
+               }
+
+               if (!found_tdb && !account_policy_get_default(policy_index, &tmp_val)) {
+                       ldap_msgfree(result);
+                       return ntstatus;
+               }
+
+               if (!pdb_set_account_policy(policy_index, tmp_val)) {
+                       DEBUG(1,("ldapsam_get_account_policy: failed to set account_policy\n"));
+                       ldap_msgfree(result);
+                       return ntstatus;
+               }
+
+               DEBUG(3,("ldapsam_get_account_policy: set account policy value based on %s value.\n", 
+                       found_tdb ? "tdb":"default"));
+
+               ldap_msgfree(result);
+               goto search;
+       }
+
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+
+       if (!entry) {
+               ldap_msgfree(result);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL));
+
+       if (vals == NULL) 
+               goto out;
+
+       *value = (uint32)atol(vals[0]);
+
+       if (!cache_account_policy_set(policy_index, *value)) {
+               DEBUG(0,("ldapsam_get_account_policy: failed to update local tdb as a cache\n"));
+               return ntstatus;
+       }
+
+       ntstatus = NT_STATUS_OK;
+
+out:
+       ldap_value_free(vals);
+       ldap_msgfree(result);
+
+       return ntstatus;
+}
+
+static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+{
+       NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+       LDAPMessage *result = NULL;
+       LDAPMessage *entry = NULL;
+       int count;
+       int rc;
+       pstring filter, base, dn;
+       int modop;
+       LDAPMod **mods = NULL;
+       fstring value_string;
+       char *old_dn = NULL;
+       const char *policy_string = NULL;
+       const char *policy_description = NULL;
+
+       struct ldapsam_privates *ldap_state =
+               (struct ldapsam_privates *)methods->private_data;
+
+       char *attrs[] = {
+               (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+               (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+               NULL 
+       };
+
+       policy_string = decode_account_policy_name(policy_index);
+       if (!policy_string) {
+               DEBUG(0,("ldapsam_set_account_policy: invalid policy\n"));
+               return ntstatus;
+       }
+
+       policy_description = account_policy_get_comment(policy_index);
+       if (!policy_description) {
+               DEBUG(0,("ldapsam_set_account_policy: no description for policy found\n"));
+               return ntstatus;
+       }
+
+       pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
+                    LDAP_OBJ_ACCOUNT_POLICY, 
+                    get_attr_key2string(acctpol_attr_list,
+                                        LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
+
+       pstr_sprintf(base, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+               get_global_sam_name(), lp_ldap_suffix());
+               
+       rc = smbldap_search(ldap_state->smbldap_state, base,
+                           LDAP_SCOPE_ONE, filter, attrs, 0, &result);
+
+       if (rc != LDAP_SUCCESS) 
+               return ntstatus;
+
+       count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+       slprintf(value_string, sizeof(value_string) - 1, "%i", value);
+
+       if (count == 1) {
+
+               modop = LDAP_MOD_REPLACE;
+
+               entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+
+               if (!entry) {
+                       ldap_msgfree(result);
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+
+               old_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
+               if (!old_dn) {
+                       ldap_msgfree(result);
+                       return ntstatus;
+               }
+
+               smbldap_set_mod(&mods, modop,
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+                       value_string);
+
+               rc = smbldap_modify(ldap_state->smbldap_state, old_dn, mods);
+
+       } else {
+
+               modop = LDAP_MOD_ADD;
+
+               pstr_sprintf(dn, "%s=%s,%s=%s,%s",
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
+                       get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(),
+                       lp_ldap_suffix());
+
+               smbldap_set_mod( &mods, modop, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
+
+               smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+                       policy_string);
+
+               smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
+                       get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+                       value_string);
+
+               smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
+                       "description", 
+                       policy_description);
+
+               rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
+       }
+
+       ldap_mods_free(mods, True);
+       ldap_msgfree(result);
+
+       if (rc != LDAP_SUCCESS) {
+               char *ld_error = NULL;
+               ldap_get_option(ldap_state->smbldap_state->ldap_struct,
+                               LDAP_OPT_ERROR_STRING,&ld_error);
+               
+               DEBUG(0, ("ldapsam_set_account_policy: Could not set account policy "
+                         "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
+                         ld_error?ld_error:"unknown"));
+               SAFE_FREE(ld_error);
+               SAFE_FREE(old_dn);
+               return ntstatus;
+       }
+
+       SAFE_FREE(old_dn);
+
+       if (!cache_account_policy_set(policy_index, value)) {
+               DEBUG(0,("ldapsam_set_account_policy: failed to update local tdb cache\n"));
+               return ntstatus;
+       }
+
+       return NT_STATUS_OK;
+}
+
  /**********************************************************************
   Housekeeping
   *********************************************************************/
@@ -2932,6 +3171,9 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
         (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
         (*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
  
+       (*pdb_method)->get_account_policy = ldapsam_get_account_policy;
+       (*pdb_method)->set_account_policy = ldapsam_set_account_policy;
+
         /* TODO: Setup private data and free */
  
         ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates);
diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c

index c11e0d59a056915253dd83b54e35a33fda704125..3a5c9658204c6a5126a063b29b3cb53cb1ab7c18 100644 (file)
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -380,7 +380,7 @@ WERROR _reg_info(pipes_struct *p, REG_Q_INFO *q_u, REG_R_INFO *r_u)
                         return WERR_NOMEM;
                 }
  
-               if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
+               if (!pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
                         dwValue = 0;
                 regval_ctr_addvalue(&regvals, "RefusePasswordChange", 
                                     REG_DWORD,
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c

index 462a646329334a78be4369de91ff1dd2c6c4bb84..8ee59210eb9a9b5917aa6f190a9bb830d8f8faba 100644 (file)
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2100,19 +2100,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
         switch (q_u->switch_value) {
                 case 0x01:
                         
-                       account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
+                       pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
                         min_pass_len = account_policy_temp;
  
-                       account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
+                       pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
                         pass_hist = account_policy_temp;
  
-                       account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
+                       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
                         flag = account_policy_temp;
  
-                       account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+                       pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
                         u_expire = account_policy_temp;
  
-                       account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+                       pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
                         u_min_age = account_policy_temp;
                         
                         unix_to_nt_time_abs(&nt_expire, u_expire);
@@ -2140,7 +2140,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
                         num_groups=info->disp_info.num_group_account;
                         free_samr_db(info);
  
-                       account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
+                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
                         u_logout = account_policy_temp;
  
                         unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -2150,7 +2150,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
                                        num_users, num_groups, num_aliases, nt_logout);
                         break;
                 case 0x03:
-                       account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
+                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
                         unix_to_nt_time_abs(&nt_logout, u_logout);
                         
                         init_unk_info3(&ctr->info.inf3, nt_logout);
@@ -2168,15 +2168,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
                         init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
                         break;
                 case 0x0c:
-                       account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+                       pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
                         u_lock_duration = account_policy_temp;
                         if (u_lock_duration != -1)
                                 u_lock_duration *= 60;
  
-                       account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
+                       pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
                         u_reset_time = account_policy_temp * 60;
  
-                       account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+                       pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
                         lockout = account_policy_temp;
  
                         unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
@@ -4567,19 +4567,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
  
         switch (q_u->switch_value) {
                 case 0x01:
-                       account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
+                       pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
                         min_pass_len = account_policy_temp;
  
-                       account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
+                       pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
                         pass_hist = account_policy_temp;
  
-                       account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
+                       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
                         flag = account_policy_temp;
  
-                       account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+                       pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
                         u_expire = account_policy_temp;
  
-                       account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+                       pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
                         u_min_age = account_policy_temp;
  
                         unix_to_nt_time_abs(&nt_expire, u_expire);
@@ -4607,7 +4607,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
                         num_groups=info->disp_info.num_group_account;
                         free_samr_db(info);
  
-                       account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
+                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
                         u_logout = account_policy_temp;
  
                         unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -4617,7 +4617,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
                                        num_users, num_groups, num_aliases, nt_logout);
                         break;
                 case 0x03:
-                       account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
+                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
                         u_logout = account_policy_temp;
  
                         unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -4637,15 +4637,15 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
                         init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
                         break;
                 case 0x0c:
-                       account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+                       pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
                         u_lock_duration = account_policy_temp;
                         if (u_lock_duration != -1)
                                 u_lock_duration *= 60;
  
-                       account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
+                       pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
                         u_reset_time = account_policy_temp * 60;
  
-                       account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+                       pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
                         lockout = account_policy_temp;
         
                         unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
@@ -4689,17 +4689,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R
                         u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
                         u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
                         
-                       account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
-                       account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
-                       account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
-                       account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
-                       account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
+                       pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
+                       pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
+                       pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
+                       pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
+                       pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
                         break;
                 case 0x02:
                         break;
                 case 0x03:
                         u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
-                       account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
+                       pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
                         break;
                 case 0x05:
                         break;
@@ -4711,11 +4711,12 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R
                         u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
                         if (u_lock_duration != -1)
                                 u_lock_duration /= 60;
+
                         u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
                         
-                       account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
-                       account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
-                       account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
+                       pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
+                       pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
+                       pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
                         break;
                 default:
                         return NT_STATUS_INVALID_INFO_CLASS;
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c

index 540acfc22509629214626cca3d68f6fa60e20aba..3765b7d38f17bf705c469b8c9f9a820ffed78a1a 100644 (file)
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -945,7 +945,7 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
         BOOL found = False;
         int i, pwHisLen, curr_pwHisLen;
  
-       account_policy_get(AP_PASSWORD_HISTORY, &pwHisLen);
+       pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHisLen);
         if (pwHisLen == 0) {
                 return False;
         }
@@ -1017,7 +1017,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
         }
  
         /* FIXME: AP_MIN_PASSWORD_LEN and lp_min_passwd_length() need to be merged - gd */
-       if (account_policy_get(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
+       if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
                 DEBUG(1, ("user %s cannot change password - password too short\n", 
                           username));
                 DEBUGADD(1, (" account policy min password len = %d\n", min_len));
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c

index 320341ec05017a633376a9935e9925f1a1dc4ce7..2db8ff054b0c38b2e3c084e2f16b18d6e937a5a1 100644 (file)
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -1000,34 +1000,34 @@ static NTSTATUS fetch_domain_info(uint32 rid, SAM_DOMAIN_INFO *delta)
         }
  
  
-       if (!account_policy_set(AP_PASSWORD_HISTORY, delta->pwd_history_len))
+       if (!pdb_set_account_policy(AP_PASSWORD_HISTORY, delta->pwd_history_len))
                 return nt_status;
  
-       if (!account_policy_set(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
+       if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
                 return nt_status;
  
-       if (!account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
+       if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
                 return nt_status;
  
-       if (!account_policy_set(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
+       if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
                 return nt_status;
  
-       if (!account_policy_set(AP_TIME_TO_LOGOUT, (uint32)u_logout))
+       if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout))
                 return nt_status;
  
-       if (!account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
+       if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
                 return nt_status;
  
-       if (!account_policy_set(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
+       if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
                 return nt_status;
  
         if (u_lockouttime != -1)
                 u_lockouttime /= 60;
  
-       if (!account_policy_set(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
+       if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
                 return nt_status;
  
-       if (!account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
+       if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
                 return nt_status;
  
         return NT_STATUS_OK;
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c

index 3584ef0367aa2e52a2380d9e56bdd6b3427c3ee3..d29b6ea66cbf7013cf4f6e2e1e0a5a1b462ebe71 100644 (file)
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -118,6 +118,27 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) {
         return 0;
  }
  
+/*********************************************************
+ Add all currently available account policy from tdb to one backend
+ ********************************************************/
+
+static int export_account_policies (struct pdb_context *in, struct pdb_context *out) 
+{
+       int i;
+
+       for (i=1; decode_account_policy_name(i) != NULL; i++) {
+               uint32 policy_value;
+               if (NT_STATUS_IS_ERR(in->pdb_get_account_policy(in, i, &policy_value))) {
+                       fprintf(stderr, "Can't get account policy from tdb\n");
+                       return -1;
+               }
+               out->pdb_set_account_policy(out, i, policy_value);
+       }
+
+       return 0;
+}
+
+
  /*********************************************************
   Print info from sam structure
  **********************************************************/
@@ -648,6 +669,7 @@ int main (int argc, char **argv)
         static char *backend_in = NULL;
         static char *backend_out = NULL;
         static BOOL transfer_groups = False;
+       static BOOL transfer_account_policies = False;
         static BOOL  force_initialised_password = False;
         static char *logon_script = NULL;
         static char *profile_path = NULL;
@@ -688,6 +710,7 @@ int main (int argc, char **argv)
                 {"import",      'i', POPT_ARG_STRING, &backend_in, 0, "import user accounts from this backend", NULL},
                 {"export",      'e', POPT_ARG_STRING, &backend_out, 0, "export user accounts to this backend", NULL},
                 {"group",       'g', POPT_ARG_NONE, &transfer_groups, 0, "use -i and -e for groups", NULL},
+               {"policies",    'y', POPT_ARG_NONE, &transfer_account_policies, 0, "use -i and -e to move account policies between backends", NULL},
                 {"account-policy",      'P', POPT_ARG_STRING, &account_policy, 0,"value of an account policy (like maximum password age)",NULL},
                 {"value",       'C', POPT_ARG_LONG, &account_policy_value, 'C',"set the account policy to this value", NULL},
                 {"account-control",     'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL},
@@ -787,20 +810,22 @@ int main (int argc, char **argv)
                         SAFE_FREE(apn);
                         exit(1);
                 }
-               if (!account_policy_get(field, &value)) {
+               if (!pdb_get_account_policy(field, &value)) {
                         fprintf(stderr, "valid account policy, but unable to fetch value!\n");
-                       exit(1);
+                       if (!account_policy_value_set)
+                               exit(1);
                 }
+               printf("account policy \"%s\" description: %s\n", account_policy, account_policy_get_comment(field));
                 if (account_policy_value_set) {
-                       printf("account policy value for %s was %u\n", account_policy, value);
-                       if (!account_policy_set(field, account_policy_value)) {
+                       printf("account policy \"%s\" value was: %u\n", account_policy, value);
+                       if (!pdb_set_account_policy(field, account_policy_value)) {
                                 fprintf(stderr, "valid account policy, but unable to set value!\n");
                                 exit(1);
                         }
-                       printf("account policy value for %s is now %lu\n", account_policy, account_policy_value);
+                       printf("account policy \"%s\" value is now: %lu\n", account_policy, account_policy_value);
                         exit(0);
                 } else {
-                       printf("account policy value for %s is %u\n", account_policy, value);
+                       printf("account policy \"%s\" value is: %u\n", account_policy, value);
                         exit(0);
                 }
         }
@@ -824,7 +849,10 @@ int main (int argc, char **argv)
                 } else {
                         bout = bdef;
                 }
-               if (transfer_groups) {
+               if (transfer_account_policies) {
+                       if (!(checkparms & BIT_USER))
+                               return export_account_policies(bin, bout);
+               } else  if (transfer_groups) {
                         if (!(checkparms & BIT_USER))
                                 return export_groups(bin, bout);
                 } else {
author	Günther Deschner <gd@samba.org>
	Sat, 22 Jan 2005 03:37:09 +0000 (03:37 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 15:55:08 +0000 (10:55 -0500)
examples/LDAP/samba.schema		patch \| blob \| history
source3/Makefile.in		patch \| blob \| history
source3/include/passdb.h		patch \| blob \| history
source3/include/smbldap.h		patch \| blob \| history
source3/lib/account_pol.c		patch \| blob \| history
source3/lib/smbldap.c		patch \| blob \| history
source3/passdb/passdb.c		patch \| blob \| history
source3/passdb/pdb_get_set.c		patch \| blob \| history
source3/passdb/pdb_interface.c		patch \| blob \| history
source3/passdb/pdb_ldap.c		patch \| blob \| history
source3/rpc_server/srv_reg_nt.c		patch \| blob \| history
source3/rpc_server/srv_samr_nt.c		patch \| blob \| history
source3/smbd/chgpasswd.c		patch \| blob \| history
source3/utils/net_rpc_samsync.c		patch \| blob \| history
source3/utils/pdbedit.c		patch \| blob \| history