2 Unix SMB/CIFS implementation.
3 struct samu access routines
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Stefan (metze) Metzmacher 2002
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "../libcli/auth/libcli_auth.h"
26 #include "../libcli/security/dom_sid.h"
29 #define DBGC_CLASS DBGC_PASSDB
32 * @todo Redefine this to NULL, but this changes the API because
33 * much of samba assumes that the pdb_get...() funtions
34 * return strings. (ie not null-pointers).
35 * See also pdb_fill_default_sam().
38 #define PDB_NOT_QUITE_NULL ""
40 /*********************************************************************
41 Collection of get...() functions for struct samu.
42 ********************************************************************/
44 uint32_t pdb_get_acct_ctrl(const struct samu *sampass)
46 return sampass->acct_ctrl;
49 time_t pdb_get_logon_time(const struct samu *sampass)
51 return sampass->logon_time;
54 time_t pdb_get_logoff_time(const struct samu *sampass)
56 return sampass->logoff_time;
59 time_t pdb_get_kickoff_time(const struct samu *sampass)
61 return sampass->kickoff_time;
64 time_t pdb_get_bad_password_time(const struct samu *sampass)
66 return sampass->bad_password_time;
69 time_t pdb_get_pass_last_set_time(const struct samu *sampass)
71 return sampass->pass_last_set_time;
74 time_t pdb_get_pass_can_change_time(const struct samu *sampass)
78 /* if the last set time is zero, it means the user cannot
79 change their password, and this time must be zero. jmcd
81 if (sampass->pass_last_set_time == 0)
84 /* if the time is max, and the field has been changed,
85 we're trying to update this real value from the sampass
86 to indicate that the user cannot change their password. jmcd
88 if (sampass->pass_can_change_time == get_time_t_max() &&
89 IS_SAM_CHANGED(sampass, PDB_CANCHANGETIME))
90 return sampass->pass_can_change_time;
92 if (!pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &allow))
95 /* in normal cases, just calculate it from policy */
96 return sampass->pass_last_set_time + allow;
99 /* we need this for loading from the backend, so that we don't overwrite
100 non-changed max times, otherwise the pass_can_change checking won't work */
101 time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
103 return sampass->pass_can_change_time;
106 time_t pdb_get_pass_must_change_time(const struct samu *sampass)
110 if (sampass->pass_last_set_time == 0)
113 if (sampass->acct_ctrl & ACB_PWNOEXP)
114 return get_time_t_max();
116 if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire)
117 || expire == (uint32_t)-1 || expire == 0)
118 return get_time_t_max();
120 return sampass->pass_last_set_time + expire;
123 bool pdb_get_pass_can_change(const struct samu *sampass)
125 if (sampass->pass_can_change_time == get_time_t_max() &&
126 sampass->pass_last_set_time != 0)
131 uint16_t pdb_get_logon_divs(const struct samu *sampass)
133 return sampass->logon_divs;
136 uint32_t pdb_get_hours_len(const struct samu *sampass)
138 return sampass->hours_len;
141 const uint8 *pdb_get_hours(const struct samu *sampass)
143 return (sampass->hours);
146 const uint8 *pdb_get_nt_passwd(const struct samu *sampass)
148 SMB_ASSERT((!sampass->nt_pw.data)
149 || sampass->nt_pw.length == NT_HASH_LEN);
150 return (uint8 *)sampass->nt_pw.data;
153 const uint8 *pdb_get_lanman_passwd(const struct samu *sampass)
155 SMB_ASSERT((!sampass->lm_pw.data)
156 || sampass->lm_pw.length == LM_HASH_LEN);
157 return (uint8 *)sampass->lm_pw.data;
160 const uint8 *pdb_get_pw_history(const struct samu *sampass, uint32_t *current_hist_len)
162 SMB_ASSERT((!sampass->nt_pw_his.data)
163 || ((sampass->nt_pw_his.length % PW_HISTORY_ENTRY_LEN) == 0));
164 *current_hist_len = sampass->nt_pw_his.length / PW_HISTORY_ENTRY_LEN;
165 return (uint8 *)sampass->nt_pw_his.data;
168 /* Return the plaintext password if known. Most of the time
169 it isn't, so don't assume anything magic about this function.
171 Used to pass the plaintext to passdb backends that might
172 want to store more than just the NTLM hashes.
174 const char *pdb_get_plaintext_passwd(const struct samu *sampass)
176 return sampass->plaintext_pw;
179 const struct dom_sid *pdb_get_user_sid(const struct samu *sampass)
181 return &sampass->user_sid;
184 const struct dom_sid *pdb_get_group_sid(struct samu *sampass)
188 /* Return the cached group SID if we have that */
189 if (sampass->group_sid) {
190 return sampass->group_sid;
193 /* No algorithmic mapping, meaning that we have to figure out the
194 primary group SID according to group mapping and the user SID must
195 be a newly allocated one. We rely on the user's Unix primary gid.
196 We have no choice but to fail if we can't find it. */
197 status = get_primary_group_sid(sampass,
198 pdb_get_username(sampass),
200 &sampass->group_sid);
201 if (!NT_STATUS_IS_OK(status)) {
205 return sampass->group_sid;
209 * Get flags showing what is initalised in the struct samu
210 * @param sampass the struct samu in question
211 * @return the flags indicating the members initialised in the struct.
214 enum pdb_value_state pdb_get_init_flags(const struct samu *sampass, enum pdb_elements element)
216 enum pdb_value_state ret = PDB_DEFAULT;
218 if (!sampass->change_flags || !sampass->set_flags)
221 if (bitmap_query(sampass->set_flags, element)) {
222 DEBUG(11, ("element %d: SET\n", element));
226 if (bitmap_query(sampass->change_flags, element)) {
227 DEBUG(11, ("element %d: CHANGED\n", element));
231 if (ret == PDB_DEFAULT) {
232 DEBUG(11, ("element %d: DEFAULT\n", element));
238 const char *pdb_get_username(const struct samu *sampass)
240 return sampass->username;
243 const char *pdb_get_domain(const struct samu *sampass)
245 return sampass->domain;
248 const char *pdb_get_nt_username(const struct samu *sampass)
250 return sampass->nt_username;
253 const char *pdb_get_fullname(const struct samu *sampass)
255 return sampass->full_name;
258 const char *pdb_get_homedir(const struct samu *sampass)
260 return sampass->home_dir;
263 const char *pdb_get_dir_drive(const struct samu *sampass)
265 return sampass->dir_drive;
268 const char *pdb_get_logon_script(const struct samu *sampass)
270 return sampass->logon_script;
273 const char *pdb_get_profile_path(const struct samu *sampass)
275 return sampass->profile_path;
278 const char *pdb_get_acct_desc(const struct samu *sampass)
280 return sampass->acct_desc;
283 const char *pdb_get_workstations(const struct samu *sampass)
285 return sampass->workstations;
288 const char *pdb_get_comment(const struct samu *sampass)
290 return sampass->comment;
293 const char *pdb_get_munged_dial(const struct samu *sampass)
295 return sampass->munged_dial;
298 uint16_t pdb_get_bad_password_count(const struct samu *sampass)
300 return sampass->bad_password_count;
303 uint16_t pdb_get_logon_count(const struct samu *sampass)
305 return sampass->logon_count;
308 uint32_t pdb_get_unknown_6(const struct samu *sampass)
310 return sampass->unknown_6;
313 void *pdb_get_backend_private_data(const struct samu *sampass, const struct pdb_methods *my_methods)
315 if (my_methods == sampass->backend_private_methods) {
316 return sampass->backend_private_data;
322 /*********************************************************************
323 Collection of set...() functions for struct samu.
324 ********************************************************************/
326 bool pdb_set_acct_ctrl(struct samu *sampass, uint32_t acct_ctrl, enum pdb_value_state flag)
328 sampass->acct_ctrl = acct_ctrl;
329 return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
332 bool pdb_set_logon_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
334 sampass->logon_time = mytime;
335 return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
338 bool pdb_set_logoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
340 sampass->logoff_time = mytime;
341 return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
344 bool pdb_set_kickoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
346 sampass->kickoff_time = mytime;
347 return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
350 bool pdb_set_bad_password_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
352 sampass->bad_password_time = mytime;
353 return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_TIME, flag);
356 bool pdb_set_pass_can_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
358 sampass->pass_can_change_time = mytime;
359 return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
362 bool pdb_set_pass_must_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
364 sampass->pass_must_change_time = mytime;
365 return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
368 bool pdb_set_pass_last_set_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
370 sampass->pass_last_set_time = mytime;
371 return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
374 bool pdb_set_hours_len(struct samu *sampass, uint32_t len, enum pdb_value_state flag)
376 sampass->hours_len = len;
377 return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
380 bool pdb_set_logon_divs(struct samu *sampass, uint16_t hours, enum pdb_value_state flag)
382 sampass->logon_divs = hours;
383 return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
387 * Set flags showing what is initalised in the struct samu
388 * @param sampass the struct samu in question
389 * @param flag The *new* flag to be set. Old flags preserved
390 * this flag is only added.
393 bool pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
395 if (!sampass->set_flags) {
396 if ((sampass->set_flags =
397 bitmap_talloc(sampass,
399 DEBUG(0,("bitmap_talloc failed\n"));
403 if (!sampass->change_flags) {
404 if ((sampass->change_flags =
405 bitmap_talloc(sampass,
407 DEBUG(0,("bitmap_talloc failed\n"));
414 if (!bitmap_set(sampass->change_flags, element)) {
415 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
418 if (!bitmap_set(sampass->set_flags, element)) {
419 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
422 DEBUG(11, ("element %d -> now CHANGED\n", element));
425 if (!bitmap_clear(sampass->change_flags, element)) {
426 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
429 if (!bitmap_set(sampass->set_flags, element)) {
430 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
433 DEBUG(11, ("element %d -> now SET\n", element));
437 if (!bitmap_clear(sampass->change_flags, element)) {
438 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
441 if (!bitmap_clear(sampass->set_flags, element)) {
442 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
445 DEBUG(11, ("element %d -> now DEFAULT\n", element));
452 bool pdb_set_user_sid(struct samu *sampass, const struct dom_sid *u_sid, enum pdb_value_state flag)
457 sid_copy(&sampass->user_sid, u_sid);
459 DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
460 sid_string_dbg(&sampass->user_sid)));
462 return pdb_set_init_flags(sampass, PDB_USERSID, flag);
465 bool pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_value_state flag)
467 struct dom_sid new_sid;
472 DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
475 if (!string_to_sid(&new_sid, u_sid)) {
476 DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
480 if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
481 DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on struct samu!\n", u_sid));
488 /********************************************************************
489 We never fill this in from a passdb backend but rather set is
490 based on the user's primary group membership. However, the
491 struct samu* is overloaded and reused in domain memship code
492 as well and built from the netr_SamInfo3 or PAC so we
493 have to allow the explicitly setting of a group SID here.
494 ********************************************************************/
496 bool pdb_set_group_sid(struct samu *sampass, const struct dom_sid *g_sid, enum pdb_value_state flag)
499 struct dom_sid dug_sid;
504 if ( !(sampass->group_sid = TALLOC_P( sampass, struct dom_sid )) ) {
508 /* if we cannot resolve the SID to gid, then just ignore it and
509 store DOMAIN_USERS as the primary groupSID */
511 sid_compose(&dug_sid, get_global_sam_sid(), DOMAIN_RID_USERS);
513 if (dom_sid_equal(&dug_sid, g_sid)) {
514 sid_copy(sampass->group_sid, &dug_sid);
515 } else if (sid_to_gid( g_sid, &gid ) ) {
516 sid_copy(sampass->group_sid, g_sid);
518 sid_copy(sampass->group_sid, &dug_sid);
521 DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
522 sid_string_dbg(sampass->group_sid)));
524 return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
527 /*********************************************************************
528 Set the user's UNIX name.
529 ********************************************************************/
531 bool pdb_set_username(struct samu *sampass, const char *username, enum pdb_value_state flag)
534 DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
535 (sampass->username)?(sampass->username):"NULL"));
537 sampass->username = talloc_strdup(sampass, username);
539 if (!sampass->username) {
540 DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
544 sampass->username = PDB_NOT_QUITE_NULL;
547 return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
550 /*********************************************************************
552 ********************************************************************/
554 bool pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_state flag)
557 DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
558 (sampass->domain)?(sampass->domain):"NULL"));
560 sampass->domain = talloc_strdup(sampass, domain);
562 if (!sampass->domain) {
563 DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
567 sampass->domain = PDB_NOT_QUITE_NULL;
570 return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
573 /*********************************************************************
574 Set the user's NT name.
575 ********************************************************************/
577 bool pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb_value_state flag)
580 DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
581 (sampass->nt_username)?(sampass->nt_username):"NULL"));
583 sampass->nt_username = talloc_strdup(sampass, nt_username);
585 if (!sampass->nt_username) {
586 DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
590 sampass->nt_username = PDB_NOT_QUITE_NULL;
593 return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
596 /*********************************************************************
597 Set the user's full name.
598 ********************************************************************/
600 bool pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_value_state flag)
603 DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
604 (sampass->full_name)?(sampass->full_name):"NULL"));
606 sampass->full_name = talloc_strdup(sampass, full_name);
608 if (!sampass->full_name) {
609 DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
613 sampass->full_name = PDB_NOT_QUITE_NULL;
616 return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
619 /*********************************************************************
620 Set the user's logon script.
621 ********************************************************************/
623 bool pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum pdb_value_state flag)
626 DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
627 (sampass->logon_script)?(sampass->logon_script):"NULL"));
629 sampass->logon_script = talloc_strdup(sampass, logon_script);
631 if (!sampass->logon_script) {
632 DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
636 sampass->logon_script = PDB_NOT_QUITE_NULL;
639 return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
642 /*********************************************************************
643 Set the user's profile path.
644 ********************************************************************/
646 bool pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum pdb_value_state flag)
649 DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
650 (sampass->profile_path)?(sampass->profile_path):"NULL"));
652 sampass->profile_path = talloc_strdup(sampass, profile_path);
654 if (!sampass->profile_path) {
655 DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
659 sampass->profile_path = PDB_NOT_QUITE_NULL;
662 return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
665 /*********************************************************************
666 Set the user's directory drive.
667 ********************************************************************/
669 bool pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_value_state flag)
672 DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
673 (sampass->dir_drive)?(sampass->dir_drive):"NULL"));
675 sampass->dir_drive = talloc_strdup(sampass, dir_drive);
677 if (!sampass->dir_drive) {
678 DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
683 sampass->dir_drive = PDB_NOT_QUITE_NULL;
686 return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
689 /*********************************************************************
690 Set the user's home directory.
691 ********************************************************************/
693 bool pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_state flag)
696 DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
697 (sampass->home_dir)?(sampass->home_dir):"NULL"));
699 sampass->home_dir = talloc_strdup(sampass, home_dir);
701 if (!sampass->home_dir) {
702 DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
706 sampass->home_dir = PDB_NOT_QUITE_NULL;
709 return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
712 /*********************************************************************
713 Set the user's account description.
714 ********************************************************************/
716 bool pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_value_state flag)
719 sampass->acct_desc = talloc_strdup(sampass, acct_desc);
721 if (!sampass->acct_desc) {
722 DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
726 sampass->acct_desc = PDB_NOT_QUITE_NULL;
729 return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
732 /*********************************************************************
733 Set the user's workstation allowed list.
734 ********************************************************************/
736 bool pdb_set_workstations(struct samu *sampass, const char *workstations, enum pdb_value_state flag)
739 DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
740 (sampass->workstations)?(sampass->workstations):"NULL"));
742 sampass->workstations = talloc_strdup(sampass, workstations);
744 if (!sampass->workstations) {
745 DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
749 sampass->workstations = PDB_NOT_QUITE_NULL;
752 return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
755 /*********************************************************************
756 ********************************************************************/
758 bool pdb_set_comment(struct samu *sampass, const char *comment, enum pdb_value_state flag)
761 sampass->comment = talloc_strdup(sampass, comment);
763 if (!sampass->comment) {
764 DEBUG(0, ("pdb_set_comment: talloc_strdup() failed!\n"));
768 sampass->comment = PDB_NOT_QUITE_NULL;
771 return pdb_set_init_flags(sampass, PDB_COMMENT, flag);
774 /*********************************************************************
775 Set the user's dial string.
776 ********************************************************************/
778 bool pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb_value_state flag)
781 sampass->munged_dial = talloc_strdup(sampass, munged_dial);
783 if (!sampass->munged_dial) {
784 DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
788 sampass->munged_dial = PDB_NOT_QUITE_NULL;
791 return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
794 /*********************************************************************
795 Set the user's NT hash.
796 ********************************************************************/
798 bool pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
800 data_blob_clear_free(&sampass->nt_pw);
804 data_blob_talloc(sampass, pwd, NT_HASH_LEN);
806 sampass->nt_pw = data_blob_null;
809 return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
812 /*********************************************************************
813 Set the user's LM hash.
814 ********************************************************************/
816 bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
818 data_blob_clear_free(&sampass->lm_pw);
820 /* on keep the password if we are allowing LANMAN authentication */
822 if (pwd && lp_lanman_auth() ) {
823 sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
825 sampass->lm_pw = data_blob_null;
828 return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
831 /*********************************************************************
832 Set the user's password history hash. historyLen is the number of
833 PW_HISTORY_SALT_LEN+SALTED_MD5_HASH_LEN length
834 entries to store in the history - this must match the size of the uint8 array
836 ********************************************************************/
838 bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32_t historyLen, enum pdb_value_state flag)
840 if (historyLen && pwd){
841 data_blob_free(&(sampass->nt_pw_his));
842 sampass->nt_pw_his = data_blob_talloc(sampass,
843 pwd, historyLen*PW_HISTORY_ENTRY_LEN);
844 if (!sampass->nt_pw_his.length) {
845 DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
849 sampass->nt_pw_his = data_blob_talloc(sampass, NULL, 0);
852 return pdb_set_init_flags(sampass, PDB_PWHISTORY, flag);
855 /*********************************************************************
856 Set the user's plaintext password only (base procedure, see helper
858 ********************************************************************/
860 bool pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum pdb_value_state flag)
863 if (sampass->plaintext_pw!=NULL)
864 memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1);
866 sampass->plaintext_pw = talloc_strdup(sampass, password);
868 if (!sampass->plaintext_pw) {
869 DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
873 sampass->plaintext_pw = NULL;
876 return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
879 bool pdb_set_bad_password_count(struct samu *sampass, uint16_t bad_password_count, enum pdb_value_state flag)
881 sampass->bad_password_count = bad_password_count;
882 return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_COUNT, flag);
885 bool pdb_set_logon_count(struct samu *sampass, uint16_t logon_count, enum pdb_value_state flag)
887 sampass->logon_count = logon_count;
888 return pdb_set_init_flags(sampass, PDB_LOGON_COUNT, flag);
891 bool pdb_set_unknown_6(struct samu *sampass, uint32_t unkn, enum pdb_value_state flag)
893 sampass->unknown_6 = unkn;
894 return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
897 bool pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag)
900 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
902 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
905 return pdb_set_init_flags(sampass, PDB_HOURS, flag);
908 bool pdb_set_backend_private_data(struct samu *sampass, void *private_data,
909 void (*free_fn)(void **),
910 const struct pdb_methods *my_methods,
911 enum pdb_value_state flag)
913 if (sampass->backend_private_data &&
914 sampass->backend_private_data_free_fn) {
915 sampass->backend_private_data_free_fn(
916 &sampass->backend_private_data);
919 sampass->backend_private_data = private_data;
920 sampass->backend_private_data_free_fn = free_fn;
921 sampass->backend_private_methods = my_methods;
923 return pdb_set_init_flags(sampass, PDB_BACKEND_PRIVATE_DATA, flag);
927 /* Helpful interfaces to the above */
929 bool pdb_set_pass_can_change(struct samu *sampass, bool canchange)
931 return pdb_set_pass_can_change_time(sampass,
932 canchange ? 0 : get_time_t_max(),
937 /*********************************************************************
938 Set the user's PLAINTEXT password. Used as an interface to the above.
939 Also sets the last change time to NOW.
940 ********************************************************************/
942 bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
944 uchar new_lanman_p16[LM_HASH_LEN];
945 uchar new_nt_p16[NT_HASH_LEN];
948 uint32_t current_history_len;
953 /* Calculate the MD4 hash (NT compatible) of the password */
954 E_md4hash(plaintext, new_nt_p16);
956 if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED))
959 if (!E_deshash(plaintext, new_lanman_p16)) {
960 /* E_deshash returns false for 'long' passwords (> 14
961 DOS chars). This allows us to match Win2k, which
962 does not store a LM hash for these passwords (which
963 would reduce the effective password length to 14 */
965 if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED))
968 if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
972 if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
975 if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
978 if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
980 * No password history for non-user accounts
985 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
987 if (pwHistLen == 0) {
988 /* Set the history length to zero. */
989 pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
994 * We need to make sure we don't have a race condition here -
995 * the account policy history length can change between when
996 * the pw_history was first loaded into the struct samu struct
999 pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
1001 if ((current_history_len != 0) && (pwhistory == NULL)) {
1002 DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n"));
1006 if (current_history_len < pwHistLen) {
1008 * Ensure we have space for the needed history. This
1009 * also takes care of an account which did not have
1010 * any history at all so far, i.e. pwhistory==NULL
1012 uchar *new_history = talloc_zero_array(
1014 pwHistLen*PW_HISTORY_ENTRY_LEN);
1020 memcpy(new_history, pwhistory,
1021 current_history_len*PW_HISTORY_ENTRY_LEN);
1023 pwhistory = new_history;
1027 * Make room for the new password in the history list.
1029 if (pwHistLen > 1) {
1030 memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory,
1031 (pwHistLen-1)*PW_HISTORY_ENTRY_LEN );
1035 * Fill the salt area with 0-s: this indicates that
1036 * a plain nt hash is stored in the has area.
1037 * The old format was to store a 16 byte salt and
1038 * then an md5hash of the nt_hash concatenated with
1041 memset(pwhistory, 0, PW_HISTORY_SALT_LEN);
1044 * Store the plain nt hash in the second 16 bytes.
1045 * The old format was to store the md5 hash of
1048 memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN);
1050 pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
1055 /* check for any PDB_SET/CHANGED field and fill the appropriate mask bit */
1056 uint32_t pdb_build_fields_present(struct samu *sampass)
1058 /* value set to all for testing */
git.samba.org / samba.git / blob