s3-libnet-samsync: add samsync_ops to all samsync modules.
[samba.git] / source3 / libnet / libnet_samsync_passdb.c
1 /*
2    Unix SMB/CIFS implementation.
3    dump the remote SAM using rpc samsync operations
4
5    Copyright (C) Andrew Tridgell 2002
6    Copyright (C) Tim Potter 2001,2002
7    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
8    Modified by Volker Lendecke 2002
9    Copyright (C) Jeremy Allison 2005.
10    Copyright (C) Guenther Deschner 2008.
11
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "libnet/libnet.h"
28
29 /* Convert a struct samu_DELTA to a struct samu. */
30 #define STRING_CHANGED (old_string && !new_string) ||\
31                     (!old_string && new_string) ||\
32                 (old_string && new_string && (strcmp(old_string, new_string) != 0))
33
34 #define STRING_CHANGED_NC(s1,s2) ((s1) && !(s2)) ||\
35                     (!(s1) && (s2)) ||\
36                 ((s1) && (s2) && (strcmp((s1), (s2)) != 0))
37
38 static NTSTATUS sam_account_from_delta(struct samu *account,
39                                        struct netr_DELTA_USER *r)
40 {
41         const char *old_string, *new_string;
42         time_t unix_time, stored_time;
43         uchar zero_buf[16];
44
45         memset(zero_buf, '\0', sizeof(zero_buf));
46
47         /* Username, fullname, home dir, dir drive, logon script, acct
48            desc, workstations, profile. */
49
50         if (r->account_name.string) {
51                 old_string = pdb_get_nt_username(account);
52                 new_string = r->account_name.string;
53
54                 if (STRING_CHANGED) {
55                         pdb_set_nt_username(account, new_string, PDB_CHANGED);
56                 }
57
58                 /* Unix username is the same - for sanity */
59                 old_string = pdb_get_username( account );
60                 if (STRING_CHANGED) {
61                         pdb_set_username(account, new_string, PDB_CHANGED);
62                 }
63         }
64
65         if (r->full_name.string) {
66                 old_string = pdb_get_fullname(account);
67                 new_string = r->full_name.string;
68
69                 if (STRING_CHANGED)
70                         pdb_set_fullname(account, new_string, PDB_CHANGED);
71         }
72
73         if (r->home_directory.string) {
74                 old_string = pdb_get_homedir(account);
75                 new_string = r->home_directory.string;
76
77                 if (STRING_CHANGED)
78                         pdb_set_homedir(account, new_string, PDB_CHANGED);
79         }
80
81         if (r->home_drive.string) {
82                 old_string = pdb_get_dir_drive(account);
83                 new_string = r->home_drive.string;
84
85                 if (STRING_CHANGED)
86                         pdb_set_dir_drive(account, new_string, PDB_CHANGED);
87         }
88
89         if (r->logon_script.string) {
90                 old_string = pdb_get_logon_script(account);
91                 new_string = r->logon_script.string;
92
93                 if (STRING_CHANGED)
94                         pdb_set_logon_script(account, new_string, PDB_CHANGED);
95         }
96
97         if (r->description.string) {
98                 old_string = pdb_get_acct_desc(account);
99                 new_string = r->description.string;
100
101                 if (STRING_CHANGED)
102                         pdb_set_acct_desc(account, new_string, PDB_CHANGED);
103         }
104
105         if (r->workstations.string) {
106                 old_string = pdb_get_workstations(account);
107                 new_string = r->workstations.string;
108
109                 if (STRING_CHANGED)
110                         pdb_set_workstations(account, new_string, PDB_CHANGED);
111         }
112
113         if (r->profile_path.string) {
114                 old_string = pdb_get_profile_path(account);
115                 new_string = r->profile_path.string;
116
117                 if (STRING_CHANGED)
118                         pdb_set_profile_path(account, new_string, PDB_CHANGED);
119         }
120
121         if (r->parameters.array) {
122                 DATA_BLOB mung;
123                 char *newstr;
124                 old_string = pdb_get_munged_dial(account);
125                 mung.length = r->parameters.length * 2;
126                 mung.data = (uint8_t *) r->parameters.array;
127                 newstr = (mung.length == 0) ? NULL :
128                         base64_encode_data_blob(talloc_tos(), mung);
129
130                 if (STRING_CHANGED_NC(old_string, newstr))
131                         pdb_set_munged_dial(account, newstr, PDB_CHANGED);
132                 TALLOC_FREE(newstr);
133         }
134
135         /* User and group sid */
136         if (pdb_get_user_rid(account) != r->rid)
137                 pdb_set_user_sid_from_rid(account, r->rid, PDB_CHANGED);
138         if (pdb_get_group_rid(account) != r->primary_gid)
139                 pdb_set_group_sid_from_rid(account, r->primary_gid, PDB_CHANGED);
140
141         /* Logon and password information */
142         if (!nt_time_is_zero(&r->last_logon)) {
143                 unix_time = nt_time_to_unix(r->last_logon);
144                 stored_time = pdb_get_logon_time(account);
145                 if (stored_time != unix_time)
146                         pdb_set_logon_time(account, unix_time, PDB_CHANGED);
147         }
148
149         if (!nt_time_is_zero(&r->last_logoff)) {
150                 unix_time = nt_time_to_unix(r->last_logoff);
151                 stored_time = pdb_get_logoff_time(account);
152                 if (stored_time != unix_time)
153                         pdb_set_logoff_time(account, unix_time,PDB_CHANGED);
154         }
155
156         /* Logon Divs */
157         if (pdb_get_logon_divs(account) != r->logon_hours.units_per_week)
158                 pdb_set_logon_divs(account, r->logon_hours.units_per_week, PDB_CHANGED);
159
160 #if 0
161         /* no idea what to do with this one - gd */
162         /* Max Logon Hours */
163         if (delta->unknown1 != pdb_get_unknown_6(account)) {
164                 pdb_set_unknown_6(account, delta->unknown1, PDB_CHANGED);
165         }
166 #endif
167         /* Logon Hours Len */
168         if (r->logon_hours.units_per_week/8 != pdb_get_hours_len(account)) {
169                 pdb_set_hours_len(account, r->logon_hours.units_per_week/8, PDB_CHANGED);
170         }
171
172         /* Logon Hours */
173         if (r->logon_hours.bits) {
174                 char oldstr[44], newstr[44];
175                 pdb_sethexhours(oldstr, pdb_get_hours(account));
176                 pdb_sethexhours(newstr, r->logon_hours.bits);
177                 if (!strequal(oldstr, newstr))
178                         pdb_set_hours(account, r->logon_hours.bits, PDB_CHANGED);
179         }
180
181         if (pdb_get_bad_password_count(account) != r->bad_password_count)
182                 pdb_set_bad_password_count(account, r->bad_password_count, PDB_CHANGED);
183
184         if (pdb_get_logon_count(account) != r->logon_count)
185                 pdb_set_logon_count(account, r->logon_count, PDB_CHANGED);
186
187         if (!nt_time_is_zero(&r->last_password_change)) {
188                 unix_time = nt_time_to_unix(r->last_password_change);
189                 stored_time = pdb_get_pass_last_set_time(account);
190                 if (stored_time != unix_time)
191                         pdb_set_pass_last_set_time(account, unix_time, PDB_CHANGED);
192         } else {
193                 /* no last set time, make it now */
194                 pdb_set_pass_last_set_time(account, time(NULL), PDB_CHANGED);
195         }
196
197         if (!nt_time_is_zero(&r->acct_expiry)) {
198                 unix_time = nt_time_to_unix(r->acct_expiry);
199                 stored_time = pdb_get_kickoff_time(account);
200                 if (stored_time != unix_time)
201                         pdb_set_kickoff_time(account, unix_time, PDB_CHANGED);
202         }
203
204         /* Decode hashes from password hash
205            Note that win2000 may send us all zeros for the hashes if it doesn't
206            think this channel is secure enough - don't set the passwords at all
207            in that case
208         */
209         if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
210                 pdb_set_lanman_passwd(account, r->lmpassword.hash, PDB_CHANGED);
211         }
212
213         if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
214                 pdb_set_nt_passwd(account, r->ntpassword.hash, PDB_CHANGED);
215         }
216
217         /* TODO: account expiry time */
218
219         pdb_set_acct_ctrl(account, r->acct_flags, PDB_CHANGED);
220
221         pdb_set_domain(account, lp_workgroup(), PDB_CHANGED);
222
223         return NT_STATUS_OK;
224 }
225
226 static NTSTATUS fetch_account_info(uint32_t rid,
227                                    struct netr_DELTA_USER *r)
228 {
229
230         NTSTATUS nt_ret = NT_STATUS_UNSUCCESSFUL;
231         fstring account;
232         char *add_script = NULL;
233         struct samu *sam_account=NULL;
234         GROUP_MAP map;
235         struct group *grp;
236         DOM_SID user_sid;
237         DOM_SID group_sid;
238         struct passwd *passwd;
239         fstring sid_string;
240
241         fstrcpy(account, r->account_name.string);
242         d_printf("Creating account: %s\n", account);
243
244         if ( !(sam_account = samu_new( NULL )) ) {
245                 return NT_STATUS_NO_MEMORY;
246         }
247
248         if (!(passwd = Get_Pwnam_alloc(sam_account, account))) {
249                 /* Create appropriate user */
250                 if (r->acct_flags & ACB_NORMAL) {
251                         add_script = talloc_strdup(sam_account,
252                                         lp_adduser_script());
253                 } else if ( (r->acct_flags & ACB_WSTRUST) ||
254                             (r->acct_flags & ACB_SVRTRUST) ||
255                             (r->acct_flags & ACB_DOMTRUST) ) {
256                         add_script = talloc_strdup(sam_account,
257                                         lp_addmachine_script());
258                 } else {
259                         DEBUG(1, ("Unknown user type: %s\n",
260                                   pdb_encode_acct_ctrl(r->acct_flags, NEW_PW_FORMAT_SPACE_PADDED_LEN)));
261                         nt_ret = NT_STATUS_UNSUCCESSFUL;
262                         goto done;
263                 }
264                 if (!add_script) {
265                         nt_ret = NT_STATUS_NO_MEMORY;
266                         goto done;
267                 }
268                 if (*add_script) {
269                         int add_ret;
270                         add_script = talloc_all_string_sub(sam_account,
271                                         add_script,
272                                         "%u",
273                                         account);
274                         if (!add_script) {
275                                 nt_ret = NT_STATUS_NO_MEMORY;
276                                 goto done;
277                         }
278                         add_ret = smbrun(add_script,NULL);
279                         DEBUG(add_ret ? 0 : 1,("fetch_account: Running the command `%s' "
280                                  "gave %d\n", add_script, add_ret));
281                         if (add_ret == 0) {
282                                 smb_nscd_flush_user_cache();
283                         }
284                 }
285
286                 /* try and find the possible unix account again */
287                 if ( !(passwd = Get_Pwnam_alloc(sam_account, account)) ) {
288                         d_fprintf(stderr, "Could not create posix account info for '%s'\n", account);
289                         nt_ret = NT_STATUS_NO_SUCH_USER;
290                         goto done;
291                 }
292         }
293
294         sid_copy(&user_sid, get_global_sam_sid());
295         sid_append_rid(&user_sid, r->rid);
296
297         DEBUG(3, ("Attempting to find SID %s for user %s in the passdb\n",
298                   sid_to_fstring(sid_string, &user_sid), account));
299         if (!pdb_getsampwsid(sam_account, &user_sid)) {
300                 sam_account_from_delta(sam_account, r);
301                 DEBUG(3, ("Attempting to add user SID %s for user %s in the passdb\n",
302                           sid_to_fstring(sid_string, &user_sid),
303                           pdb_get_username(sam_account)));
304                 if (!NT_STATUS_IS_OK(pdb_add_sam_account(sam_account))) {
305                         DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
306                                   account));
307                         return NT_STATUS_ACCESS_DENIED;
308                 }
309         } else {
310                 sam_account_from_delta(sam_account, r);
311                 DEBUG(3, ("Attempting to update user SID %s for user %s in the passdb\n",
312                           sid_to_fstring(sid_string, &user_sid),
313                           pdb_get_username(sam_account)));
314                 if (!NT_STATUS_IS_OK(pdb_update_sam_account(sam_account))) {
315                         DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
316                                   account));
317                         TALLOC_FREE(sam_account);
318                         return NT_STATUS_ACCESS_DENIED;
319                 }
320         }
321
322         if (pdb_get_group_sid(sam_account) == NULL) {
323                 return NT_STATUS_UNSUCCESSFUL;
324         }
325
326         group_sid = *pdb_get_group_sid(sam_account);
327
328         if (!pdb_getgrsid(&map, group_sid)) {
329                 DEBUG(0, ("Primary group of %s has no mapping!\n",
330                           pdb_get_username(sam_account)));
331         } else {
332                 if (map.gid != passwd->pw_gid) {
333                         if (!(grp = getgrgid(map.gid))) {
334                                 DEBUG(0, ("Could not find unix group %lu for user %s (group SID=%s)\n",
335                                           (unsigned long)map.gid, pdb_get_username(sam_account), sid_string_tos(&group_sid)));
336                         } else {
337                                 smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
338                         }
339                 }
340         }
341
342         if ( !passwd ) {
343                 DEBUG(1, ("No unix user for this account (%s), cannot adjust mappings\n",
344                         pdb_get_username(sam_account)));
345         }
346
347  done:
348         TALLOC_FREE(sam_account);
349         return nt_ret;
350 }
351
352 static NTSTATUS fetch_group_info(uint32_t rid,
353                                  struct netr_DELTA_GROUP *r)
354 {
355         fstring name;
356         fstring comment;
357         struct group *grp = NULL;
358         DOM_SID group_sid;
359         fstring sid_string;
360         GROUP_MAP map;
361         bool insert = true;
362
363         fstrcpy(name, r->group_name.string);
364         fstrcpy(comment, r->description.string);
365
366         /* add the group to the mapping table */
367         sid_copy(&group_sid, get_global_sam_sid());
368         sid_append_rid(&group_sid, rid);
369         sid_to_fstring(sid_string, &group_sid);
370
371         if (pdb_getgrsid(&map, group_sid)) {
372                 if ( map.gid != -1 )
373                         grp = getgrgid(map.gid);
374                 insert = false;
375         }
376
377         if (grp == NULL) {
378                 gid_t gid;
379
380                 /* No group found from mapping, find it from its name. */
381                 if ((grp = getgrnam(name)) == NULL) {
382
383                         /* No appropriate group found, create one */
384
385                         d_printf("Creating unix group: '%s'\n", name);
386
387                         if (smb_create_group(name, &gid) != 0)
388                                 return NT_STATUS_ACCESS_DENIED;
389
390                         if ((grp = getgrnam(name)) == NULL)
391                                 return NT_STATUS_ACCESS_DENIED;
392                 }
393         }
394
395         map.gid = grp->gr_gid;
396         map.sid = group_sid;
397         map.sid_name_use = SID_NAME_DOM_GRP;
398         fstrcpy(map.nt_name, name);
399         if (r->description.string) {
400                 fstrcpy(map.comment, comment);
401         } else {
402                 fstrcpy(map.comment, "");
403         }
404
405         if (insert)
406                 pdb_add_group_mapping_entry(&map);
407         else
408                 pdb_update_group_mapping_entry(&map);
409
410         return NT_STATUS_OK;
411 }
412
413 static NTSTATUS fetch_group_mem_info(uint32_t rid,
414                                      struct netr_DELTA_GROUP_MEMBER *r)
415 {
416         int i;
417         TALLOC_CTX *t = NULL;
418         char **nt_members = NULL;
419         char **unix_members;
420         DOM_SID group_sid;
421         GROUP_MAP map;
422         struct group *grp;
423
424         if (r->num_rids == 0) {
425                 return NT_STATUS_OK;
426         }
427
428         sid_copy(&group_sid, get_global_sam_sid());
429         sid_append_rid(&group_sid, rid);
430
431         if (!get_domain_group_from_sid(group_sid, &map)) {
432                 DEBUG(0, ("Could not find global group %d\n", rid));
433                 return NT_STATUS_NO_SUCH_GROUP;
434         }
435
436         if (!(grp = getgrgid(map.gid))) {
437                 DEBUG(0, ("Could not find unix group %lu\n", (unsigned long)map.gid));
438                 return NT_STATUS_NO_SUCH_GROUP;
439         }
440
441         d_printf("Group members of %s: ", grp->gr_name);
442
443         if (!(t = talloc_init("fetch_group_mem_info"))) {
444                 DEBUG(0, ("could not talloc_init\n"));
445                 return NT_STATUS_NO_MEMORY;
446         }
447
448         if (r->num_rids) {
449                 if ((nt_members = TALLOC_ZERO_ARRAY(t, char *, r->num_rids)) == NULL) {
450                         DEBUG(0, ("talloc failed\n"));
451                         talloc_free(t);
452                         return NT_STATUS_NO_MEMORY;
453                 }
454         } else {
455                 nt_members = NULL;
456         }
457
458         for (i=0; i < r->num_rids; i++) {
459                 struct samu *member = NULL;
460                 DOM_SID member_sid;
461
462                 if ( !(member = samu_new(t)) ) {
463                         talloc_destroy(t);
464                         return NT_STATUS_NO_MEMORY;
465                 }
466
467                 sid_copy(&member_sid, get_global_sam_sid());
468                 sid_append_rid(&member_sid, r->rids[i]);
469
470                 if (!pdb_getsampwsid(member, &member_sid)) {
471                         DEBUG(1, ("Found bogus group member: %d (member_sid=%s group=%s)\n",
472                                   r->rids[i], sid_string_tos(&member_sid), grp->gr_name));
473                         TALLOC_FREE(member);
474                         continue;
475                 }
476
477                 if (pdb_get_group_rid(member) == rid) {
478                         d_printf("%s(primary),", pdb_get_username(member));
479                         TALLOC_FREE(member);
480                         continue;
481                 }
482
483                 d_printf("%s,", pdb_get_username(member));
484                 nt_members[i] = talloc_strdup(t, pdb_get_username(member));
485                 TALLOC_FREE(member);
486         }
487
488         d_printf("\n");
489
490         unix_members = grp->gr_mem;
491
492         while (*unix_members) {
493                 bool is_nt_member = false;
494                 for (i=0; i < r->num_rids; i++) {
495                         if (nt_members[i] == NULL) {
496                                 /* This was a primary group */
497                                 continue;
498                         }
499
500                         if (strcmp(*unix_members, nt_members[i]) == 0) {
501                                 is_nt_member = true;
502                                 break;
503                         }
504                 }
505                 if (!is_nt_member) {
506                         /* We look at a unix group member that is not
507                            an nt group member. So, remove it. NT is
508                            boss here. */
509                         smb_delete_user_group(grp->gr_name, *unix_members);
510                 }
511                 unix_members += 1;
512         }
513
514         for (i=0; i < r->num_rids; i++) {
515                 bool is_unix_member = false;
516
517                 if (nt_members[i] == NULL) {
518                         /* This was the primary group */
519                         continue;
520                 }
521
522                 unix_members = grp->gr_mem;
523
524                 while (*unix_members) {
525                         if (strcmp(*unix_members, nt_members[i]) == 0) {
526                                 is_unix_member = true;
527                                 break;
528                         }
529                         unix_members += 1;
530                 }
531
532                 if (!is_unix_member) {
533                         /* We look at a nt group member that is not a
534                            unix group member currently. So, add the nt
535                            group member. */
536                         smb_add_user_group(grp->gr_name, nt_members[i]);
537                 }
538         }
539
540         talloc_destroy(t);
541         return NT_STATUS_OK;
542 }
543
544 static NTSTATUS fetch_alias_info(uint32_t rid,
545                                  struct netr_DELTA_ALIAS *r,
546                                  const DOM_SID *dom_sid)
547 {
548         fstring name;
549         fstring comment;
550         struct group *grp = NULL;
551         DOM_SID alias_sid;
552         fstring sid_string;
553         GROUP_MAP map;
554         bool insert = true;
555
556         fstrcpy(name, r->alias_name.string);
557         fstrcpy(comment, r->description.string);
558
559         /* Find out whether the group is already mapped */
560         sid_copy(&alias_sid, dom_sid);
561         sid_append_rid(&alias_sid, rid);
562         sid_to_fstring(sid_string, &alias_sid);
563
564         if (pdb_getgrsid(&map, alias_sid)) {
565                 grp = getgrgid(map.gid);
566                 insert = false;
567         }
568
569         if (grp == NULL) {
570                 gid_t gid;
571
572                 /* No group found from mapping, find it from its name. */
573                 if ((grp = getgrnam(name)) == NULL) {
574                         /* No appropriate group found, create one */
575                         d_printf("Creating unix group: '%s'\n", name);
576                         if (smb_create_group(name, &gid) != 0)
577                                 return NT_STATUS_ACCESS_DENIED;
578                         if ((grp = getgrgid(gid)) == NULL)
579                                 return NT_STATUS_ACCESS_DENIED;
580                 }
581         }
582
583         map.gid = grp->gr_gid;
584         map.sid = alias_sid;
585
586         if (sid_equal(dom_sid, &global_sid_Builtin))
587                 map.sid_name_use = SID_NAME_WKN_GRP;
588         else
589                 map.sid_name_use = SID_NAME_ALIAS;
590
591         fstrcpy(map.nt_name, name);
592         fstrcpy(map.comment, comment);
593
594         if (insert)
595                 pdb_add_group_mapping_entry(&map);
596         else
597                 pdb_update_group_mapping_entry(&map);
598
599         return NT_STATUS_OK;
600 }
601
602 static NTSTATUS fetch_alias_mem(uint32_t rid,
603                                 struct netr_DELTA_ALIAS_MEMBER *r,
604                                 const DOM_SID *dom_sid)
605 {
606         return NT_STATUS_OK;
607 }
608
609 static NTSTATUS fetch_domain_info(uint32_t rid,
610                                   struct netr_DELTA_DOMAIN *r)
611 {
612         time_t u_max_age, u_min_age, u_logout;
613         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
614         const char *domname;
615         struct netr_AcctLockStr *lockstr = NULL;
616         NTSTATUS status;
617         TALLOC_CTX *mem_ctx = talloc_tos();
618
619         status = pull_netr_AcctLockStr(mem_ctx, &r->account_lockout,
620                                        &lockstr);
621         if (!NT_STATUS_IS_OK(status)) {
622                 d_printf("failed to pull account lockout string: %s\n",
623                         nt_errstr(status));
624         }
625
626         u_max_age = uint64s_nt_time_to_unix_abs((uint64 *)&r->max_password_age);
627         u_min_age = uint64s_nt_time_to_unix_abs((uint64 *)&r->min_password_age);
628         u_logout = uint64s_nt_time_to_unix_abs((uint64 *)&r->force_logoff_time);
629
630         domname = r->domain_name.string;
631         if (!domname) {
632                 return NT_STATUS_NO_MEMORY;
633         }
634
635         /* we don't handle BUILTIN account policies */
636         if (!strequal(domname, get_global_sam_name())) {
637                 printf("skipping SAM_DOMAIN_INFO delta for '%s' (is not my domain)\n", domname);
638                 return NT_STATUS_OK;
639         }
640
641
642         if (!pdb_set_account_policy(AP_PASSWORD_HISTORY,
643                                     r->password_history_length))
644                 return nt_status;
645
646         if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN,
647                                     r->min_password_length))
648                 return nt_status;
649
650         if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
651                 return nt_status;
652
653         if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
654                 return nt_status;
655
656         if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout))
657                 return nt_status;
658
659         if (lockstr) {
660                 time_t u_lockoutreset, u_lockouttime;
661
662                 u_lockoutreset = uint64s_nt_time_to_unix_abs(&lockstr->reset_count);
663                 u_lockouttime = uint64s_nt_time_to_unix_abs((uint64_t *)&lockstr->lockout_duration);
664
665                 if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
666                                             lockstr->bad_attempt_lockout))
667                         return nt_status;
668
669                 if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32_t)u_lockoutreset/60))
670                         return nt_status;
671
672                 if (u_lockouttime != -1)
673                         u_lockouttime /= 60;
674
675                 if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32_t)u_lockouttime))
676                         return nt_status;
677         }
678
679         if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
680                                     r->logon_to_chgpass))
681                 return nt_status;
682
683         return NT_STATUS_OK;
684 }
685
686 static NTSTATUS fetch_sam_entry(TALLOC_CTX *mem_ctx,
687                                 enum netr_SamDatabaseID database_id,
688                                 struct netr_DELTA_ENUM *r,
689                                 struct samsync_context *ctx)
690 {
691         switch(r->delta_type) {
692         case NETR_DELTA_USER:
693                 fetch_account_info(r->delta_id_union.rid,
694                                    r->delta_union.user);
695                 break;
696         case NETR_DELTA_GROUP:
697                 fetch_group_info(r->delta_id_union.rid,
698                                  r->delta_union.group);
699                 break;
700         case NETR_DELTA_GROUP_MEMBER:
701                 fetch_group_mem_info(r->delta_id_union.rid,
702                                      r->delta_union.group_member);
703                 break;
704         case NETR_DELTA_ALIAS:
705                 fetch_alias_info(r->delta_id_union.rid,
706                                  r->delta_union.alias,
707                                  ctx->domain_sid);
708                 break;
709         case NETR_DELTA_ALIAS_MEMBER:
710                 fetch_alias_mem(r->delta_id_union.rid,
711                                 r->delta_union.alias_member,
712                                 ctx->domain_sid);
713                 break;
714         case NETR_DELTA_DOMAIN:
715                 fetch_domain_info(r->delta_id_union.rid,
716                                   r->delta_union.domain);
717                 break;
718         /* The following types are recognised but not handled */
719         case NETR_DELTA_RENAME_GROUP:
720                 d_printf("NETR_DELTA_RENAME_GROUP not handled\n");
721                 break;
722         case NETR_DELTA_RENAME_USER:
723                 d_printf("NETR_DELTA_RENAME_USER not handled\n");
724                 break;
725         case NETR_DELTA_RENAME_ALIAS:
726                 d_printf("NETR_DELTA_RENAME_ALIAS not handled\n");
727                 break;
728         case NETR_DELTA_POLICY:
729                 d_printf("NETR_DELTA_POLICY not handled\n");
730                 break;
731         case NETR_DELTA_TRUSTED_DOMAIN:
732                 d_printf("NETR_DELTA_TRUSTED_DOMAIN not handled\n");
733                 break;
734         case NETR_DELTA_ACCOUNT:
735                 d_printf("NETR_DELTA_ACCOUNT not handled\n");
736                 break;
737         case NETR_DELTA_SECRET:
738                 d_printf("NETR_DELTA_SECRET not handled\n");
739                 break;
740         case NETR_DELTA_DELETE_GROUP:
741                 d_printf("NETR_DELTA_DELETE_GROUP not handled\n");
742                 break;
743         case NETR_DELTA_DELETE_USER:
744                 d_printf("NETR_DELTA_DELETE_USER not handled\n");
745                 break;
746         case NETR_DELTA_MODIFY_COUNT:
747                 d_printf("NETR_DELTA_MODIFY_COUNT not handled\n");
748                 break;
749         case NETR_DELTA_DELETE_ALIAS:
750                 d_printf("NETR_DELTA_DELETE_ALIAS not handled\n");
751                 break;
752         case NETR_DELTA_DELETE_TRUST:
753                 d_printf("NETR_DELTA_DELETE_TRUST not handled\n");
754                 break;
755         case NETR_DELTA_DELETE_ACCOUNT:
756                 d_printf("NETR_DELTA_DELETE_ACCOUNT not handled\n");
757                 break;
758         case NETR_DELTA_DELETE_SECRET:
759                 d_printf("NETR_DELTA_DELETE_SECRET not handled\n");
760                 break;
761         case NETR_DELTA_DELETE_GROUP2:
762                 d_printf("NETR_DELTA_DELETE_GROUP2 not handled\n");
763                 break;
764         case NETR_DELTA_DELETE_USER2:
765                 d_printf("NETR_DELTA_DELETE_USER2 not handled\n");
766                 break;
767         default:
768                 d_printf("Unknown delta record type %d\n", r->delta_type);
769                 break;
770         }
771
772         return NT_STATUS_OK;
773 }
774
775 NTSTATUS fetch_sam_entries(TALLOC_CTX *mem_ctx,
776                            enum netr_SamDatabaseID database_id,
777                            struct netr_DELTA_ENUM_ARRAY *r,
778                            bool last_query,
779                            struct samsync_context *ctx)
780 {
781         int i;
782
783         for (i = 0; i < r->num_deltas; i++) {
784                 fetch_sam_entry(mem_ctx, database_id, &r->delta_enum[i], ctx);
785         }
786
787         return NT_STATUS_OK;
788 }
789
790 const struct samsync_ops libnet_samsync_passdb_ops = {
791         .process_objects        = fetch_sam_entries,
792 };