2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "system/passwd.h"
28 #include "../libcli/auth/libcli_auth.h"
30 #include "../libcli/security/security.h"
31 #include "../lib/util/util_pw.h"
35 #define DBGC_CLASS DBGC_PASSDB
37 /******************************************************************
38 Get the default domain/netbios name to be used when
39 testing authentication.
41 LEGACY: this function provides the legacy domain mapping used with
42 the lp_map_untrusted_to_domain() parameter
43 ******************************************************************/
45 const char *my_sam_name(void)
47 /* Standalone servers can only use the local netbios name */
48 if ( lp_server_role() == ROLE_STANDALONE )
49 return lp_netbios_name();
51 /* Default to the DOMAIN name when not specified */
52 return lp_workgroup();
55 /**********************************************************************
56 ***********************************************************************/
58 static int samu_destroy(struct samu *user)
60 data_blob_clear_free( &user->lm_pw );
61 data_blob_clear_free( &user->nt_pw );
63 if ( user->plaintext_pw )
64 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
69 /**********************************************************************
70 generate a new struct samuser
71 ***********************************************************************/
73 struct samu *samu_new( TALLOC_CTX *ctx )
77 if ( !(user = talloc_zero( ctx, struct samu )) ) {
78 DEBUG(0,("samuser_new: Talloc failed!\n"));
82 talloc_set_destructor( user, samu_destroy );
84 /* no initial methods */
88 /* Don't change these timestamp settings without a good reason.
89 They are important for NT member server compatibility. */
91 user->logon_time = (time_t)0;
92 user->pass_last_set_time = (time_t)0;
93 user->pass_can_change_time = (time_t)0;
94 user->logoff_time = get_time_t_max();
95 user->kickoff_time = get_time_t_max();
96 user->pass_must_change_time = get_time_t_max();
97 user->fields_present = 0x00ffffff;
98 user->logon_divs = 168; /* hours per week */
99 user->hours_len = 21; /* 21 times 8 bits = 168 */
100 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
101 user->bad_password_count = 0;
102 user->logon_count = 0;
103 user->unknown_6 = 0x000004ec; /* don't know */
105 /* Some parts of samba strlen their pdb_get...() returns,
106 so this keeps the interface unchanged for now. */
110 user->nt_username = "";
111 user->full_name = "";
113 user->logon_script = "";
114 user->profile_path = "";
115 user->acct_desc = "";
116 user->workstations = "";
118 user->munged_dial = "";
120 user->plaintext_pw = NULL;
122 /* Unless we know otherwise have a Account Control Bit
123 value of 'normal user'. This helps User Manager, which
124 asks for a filtered list of users. */
126 user->acct_ctrl = ACB_NORMAL;
131 static int count_commas(const char *str)
134 const char *comma = str;
136 while ((comma = strchr(comma, ',')) != NULL) {
143 /*********************************************************************
144 Initialize a struct samu from a struct passwd including the user
145 and group SIDs. The *user structure is filled out with the Unix
146 attributes and a user SID.
147 *********************************************************************/
149 static NTSTATUS samu_set_unix_internal(struct pdb_methods *methods,
150 struct samu *user, const struct passwd *pwd, bool create)
152 const char *guest_account = lp_guestaccount();
153 const char *domain = lp_netbios_name();
158 return NT_STATUS_NO_SUCH_USER;
161 /* Basic properties based upon the Unix account information */
163 pdb_set_username(user, pwd->pw_name, PDB_SET);
167 if (count_commas(pwd->pw_gecos) == 3) {
169 * Heuristic: This seems to be a gecos field that has been
170 * edited by chfn(1). Only use the part before the first
171 * comma. Fixes bug 5198.
173 fullname = talloc_strndup(
174 talloc_tos(), pwd->pw_gecos,
175 strchr(pwd->pw_gecos, ',') - pwd->pw_gecos);
178 if (fullname != NULL) {
179 pdb_set_fullname(user, fullname, PDB_SET);
181 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
183 TALLOC_FREE(fullname);
185 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
187 /* This can lead to a primary group of S-1-22-2-XX which
188 will be rejected by other parts of the Samba code.
189 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
192 gid_to_sid(&group_sid, pwd->pw_gid);
193 pdb_set_group_sid(user, &group_sid, PDB_SET);
196 /* save the password structure for later use */
198 user->unix_pw = tcopy_passwd( user, pwd );
200 /* Special case for the guest account which must have a RID of 501 */
202 if ( strequal( pwd->pw_name, guest_account ) ) {
203 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_RID_GUEST, PDB_DEFAULT)) {
204 return NT_STATUS_NO_SUCH_USER;
209 /* Non-guest accounts...Check for a workstation or user account */
211 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
214 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
215 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
217 return NT_STATUS_INVALID_COMPUTER_NAME;
223 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
224 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
226 return NT_STATUS_INVALID_ACCOUNT_NAME;
229 /* set some basic attributes */
231 pdb_set_profile_path(user, talloc_sub_specified(user,
232 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
234 pdb_set_homedir(user, talloc_sub_specified(user,
235 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
237 pdb_set_dir_drive(user, talloc_sub_specified(user,
238 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
240 pdb_set_logon_script(user, talloc_sub_specified(user,
241 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
245 /* Now deal with the user SID. If we have a backend that can generate
246 RIDs, then do so. But sometimes the caller just wanted a structure
247 initialized and will fill in these fields later (such as from a
248 netr_SamInfo3 structure) */
250 if ( create && (methods->capabilities(methods) & PDB_CAP_STORE_RIDS)) {
252 struct dom_sid user_sid;
254 if ( !methods->new_rid(methods, &user_rid) ) {
255 DEBUG(3, ("Could not allocate a new RID\n"));
256 return NT_STATUS_ACCESS_DENIED;
259 sid_compose(&user_sid, get_global_sam_sid(), user_rid);
261 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
262 DEBUG(3, ("pdb_set_user_sid failed\n"));
263 return NT_STATUS_INTERNAL_ERROR;
269 /* generate a SID for the user with the RID algorithm */
271 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
273 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
274 return NT_STATUS_INTERNAL_ERROR;
280 /********************************************************************
281 Set the Unix user attributes
282 ********************************************************************/
284 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
286 return samu_set_unix_internal( NULL, user, pwd, False );
289 NTSTATUS samu_alloc_rid_unix(struct pdb_methods *methods,
290 struct samu *user, const struct passwd *pwd)
292 return samu_set_unix_internal( methods, user, pwd, True );
295 /**********************************************************
296 Encode the account control bits into a string.
297 length = length of string to encode into (including terminating
298 null). length *MUST BE MORE THAN 2* !
299 **********************************************************/
301 char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
308 SMB_ASSERT(length <= sizeof(acct_str));
312 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
313 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
314 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
315 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
316 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
317 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
318 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
319 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
320 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
321 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
322 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
324 for ( ; i < length - 2 ; i++ )
329 acct_str[i++] = '\0';
331 result = talloc_strdup(talloc_tos(), acct_str);
332 SMB_ASSERT(result != NULL);
336 /**********************************************************
337 Decode the account control bits from a string.
338 **********************************************************/
340 uint32_t pdb_decode_acct_ctrl(const char *p)
342 uint32_t acct_ctrl = 0;
343 bool finished = false;
346 * Check if the account type bits have been encoded after the
347 * NT password (in the form [NDHTUWSLXI]).
353 for (p++; *p && !finished; p++) {
355 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
356 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
357 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
358 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
359 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
360 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
361 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
362 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
363 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
364 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
365 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
371 default: { finished = true; }
378 /*************************************************************
379 Routine to set 32 hex password characters from a 16 byte array.
380 **************************************************************/
382 void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32_t acct_ctrl)
386 for (i = 0; i < 16; i++)
387 slprintf(&p[i*2], 3, "%02X", pwd[i]);
389 if (acct_ctrl & ACB_PWNOTREQ)
390 strlcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
392 strlcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
396 /*************************************************************
397 Routine to get the 32 hex characters and turn them
398 into a 16 byte array.
399 **************************************************************/
401 bool pdb_gethexpwd(const char *p, unsigned char *pwd)
404 unsigned char lonybble, hinybble;
405 const char *hexchars = "0123456789ABCDEF";
411 for (i = 0; i < 32; i += 2) {
412 hinybble = toupper_m(p[i]);
413 lonybble = toupper_m(p[i + 1]);
415 p1 = strchr(hexchars, hinybble);
416 p2 = strchr(hexchars, lonybble);
421 hinybble = PTR_DIFF(p1, hexchars);
422 lonybble = PTR_DIFF(p2, hexchars);
424 pwd[i / 2] = (hinybble << 4) | lonybble;
429 /*************************************************************
430 Routine to set 42 hex hours characters from a 21 byte array.
431 **************************************************************/
433 void pdb_sethexhours(char *p, const unsigned char *hours)
437 for (i = 0; i < 21; i++) {
438 slprintf(&p[i*2], 3, "%02X", hours[i]);
441 strlcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 44);
445 /*************************************************************
446 Routine to get the 42 hex characters and turn them
447 into a 21 byte array.
448 **************************************************************/
450 bool pdb_gethexhours(const char *p, unsigned char *hours)
453 unsigned char lonybble, hinybble;
454 const char *hexchars = "0123456789ABCDEF";
461 for (i = 0; i < 42; i += 2) {
462 hinybble = toupper_m(p[i]);
463 lonybble = toupper_m(p[i + 1]);
465 p1 = strchr(hexchars, hinybble);
466 p2 = strchr(hexchars, lonybble);
472 hinybble = PTR_DIFF(p1, hexchars);
473 lonybble = PTR_DIFF(p2, hexchars);
475 hours[i / 2] = (hinybble << 4) | lonybble;
480 /********************************************************************
481 ********************************************************************/
483 int algorithmic_rid_base(void)
487 rid_offset = lp_algorithmic_rid_base();
489 if (rid_offset < BASE_RID) {
490 /* Try to prevent admin foot-shooting, we can't put algorithmic
491 rids below 1000, that's the 'well known RIDs' on NT */
492 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
493 rid_offset = BASE_RID;
495 if (rid_offset & 1) {
496 DEBUG(0, ("algorithmic rid base must be even\n"));
502 /*******************************************************************
503 Converts NT user RID to a UNIX uid.
504 ********************************************************************/
506 uid_t algorithmic_pdb_user_rid_to_uid(uint32_t user_rid)
508 int rid_offset = algorithmic_rid_base();
509 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
512 uid_t max_algorithmic_uid(void)
514 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
517 /*******************************************************************
518 converts UNIX uid to an NT User RID.
519 ********************************************************************/
521 uint32_t algorithmic_pdb_uid_to_user_rid(uid_t uid)
523 int rid_offset = algorithmic_rid_base();
524 return (((((uint32_t)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
527 /*******************************************************************
528 Converts NT group RID to a UNIX gid.
529 ********************************************************************/
531 gid_t pdb_group_rid_to_gid(uint32_t group_rid)
533 int rid_offset = algorithmic_rid_base();
534 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
537 gid_t max_algorithmic_gid(void)
539 return pdb_group_rid_to_gid(0xffffffff);
542 /*******************************************************************
543 converts NT Group RID to a UNIX uid.
545 warning: you must not call that function only
546 you must do a call to the group mapping first.
547 there is not anymore a direct link between the gid and the rid.
548 ********************************************************************/
550 uint32_t algorithmic_pdb_gid_to_group_rid(gid_t gid)
552 int rid_offset = algorithmic_rid_base();
553 return (((((uint32_t)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
556 /*******************************************************************
557 Decides if a RID is a well known RID.
558 ********************************************************************/
560 static bool rid_is_well_known(uint32_t rid)
562 /* Not using rid_offset here, because this is the actual
563 NT fixed value (1000) */
565 return (rid < BASE_RID);
568 /*******************************************************************
569 Decides if a RID is a user or group RID.
570 ********************************************************************/
572 bool algorithmic_pdb_rid_is_user(uint32_t rid)
574 if ( rid_is_well_known(rid) ) {
576 * The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
577 * and DOMAIN_RID_GUEST.
579 if(rid == DOMAIN_RID_ADMINISTRATOR || rid == DOMAIN_RID_GUEST)
581 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
587 /*******************************************************************
588 Convert a name into a SID. Used in the lookup name rpc.
589 ********************************************************************/
591 bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
592 enum lsa_SidType *type)
597 /* Windows treats "MACHINE\None" as a special name for
598 rid 513 on non-DCs. You cannot create a user or group
599 name "None" on Windows. You will get an error that
600 the group already exists. */
602 if ( strequal( name, "None" ) ) {
603 *rid = DOMAIN_RID_USERS;
604 *type = SID_NAME_DOM_GRP;
609 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
610 * correctly in the case where foo also exists as a user. If the flag
611 * is set, don't look for users at all. */
613 if ((flags & LOOKUP_NAME_GROUP) == 0) {
614 struct samu *sam_account = NULL;
615 struct dom_sid user_sid;
617 if ( !(sam_account = samu_new( NULL )) ) {
622 ret = pdb_getsampwnam(sam_account, name);
626 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
629 TALLOC_FREE(sam_account);
632 if (!sid_check_is_in_our_domain(&user_sid)) {
633 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
634 name, sid_string_dbg(&user_sid)));
638 sid_peek_rid(&user_sid, rid);
639 *type = SID_NAME_USER;
645 * Maybe it is a group ?
649 ret = pdb_getgrnam(&map, name);
656 /* BUILTIN groups are looked up elsewhere */
657 if (!sid_check_is_in_our_domain(&map.sid)) {
658 DEBUG(10, ("Found group %s (%s) not in our domain -- "
659 "ignoring.", name, sid_string_dbg(&map.sid)));
663 /* yes it's a mapped group */
664 sid_peek_rid(&map.sid, rid);
665 *type = map.sid_name_use;
669 /*************************************************************
670 Change a password entry in the local passdb backend.
673 - always called as root
674 - ignores the account type except when adding a new account
675 - will create/delete the unix account if the relative
676 add/delete user script is configured
678 *************************************************************/
680 NTSTATUS local_password_change(const char *user_name,
682 const char *new_passwd,
687 struct samu *sam_pass;
697 tosctx = talloc_tos();
699 sam_pass = samu_new(tosctx);
701 result = NT_STATUS_NO_MEMORY;
705 /* Get the smb passwd entry for this user */
706 user_exists = pdb_getsampwnam(sam_pass, user_name);
708 /* Check delete first, we don't need to do anything else if we
709 * are going to delete the acocunt */
710 if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
712 result = pdb_delete_user(tosctx, sam_pass);
713 if (!NT_STATUS_IS_OK(result)) {
714 ret = asprintf(pp_err_str,
715 "Failed to delete entry for user %s.\n",
720 result = NT_STATUS_UNSUCCESSFUL;
722 ret = asprintf(pp_msg_str,
723 "Deleted user %s.\n",
732 if (user_exists && (local_flags & LOCAL_ADD_USER)) {
733 /* the entry already existed */
734 local_flags &= ~LOCAL_ADD_USER;
737 if (!user_exists && !(local_flags & LOCAL_ADD_USER)) {
738 ret = asprintf(pp_err_str,
739 "Failed to find entry for user %s.\n",
744 result = NT_STATUS_NO_SUCH_USER;
748 /* First thing add the new user if we are required to do so */
749 if (local_flags & LOCAL_ADD_USER) {
751 if (local_flags & LOCAL_TRUST_ACCOUNT) {
753 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
759 result = pdb_create_user(tosctx, user_name, acb, &rid);
760 if (!NT_STATUS_IS_OK(result)) {
761 ret = asprintf(pp_err_str,
762 "Failed to add entry for user %s.\n",
767 result = NT_STATUS_UNSUCCESSFUL;
771 sam_pass = samu_new(tosctx);
773 result = NT_STATUS_NO_MEMORY;
777 /* Now get back the smb passwd entry for this new user */
778 user_exists = pdb_getsampwnam(sam_pass, user_name);
780 ret = asprintf(pp_err_str,
781 "Failed to add entry for user %s.\n",
786 result = NT_STATUS_UNSUCCESSFUL;
791 acb = pdb_get_acct_ctrl(sam_pass);
794 * We are root - just write the new password
795 * and the valid last change time.
797 if ((local_flags & LOCAL_SET_NO_PASSWORD) && !(acb & ACB_PWNOTREQ)) {
799 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
800 ret = asprintf(pp_err_str,
801 "Failed to set 'no password required' "
802 "flag for user %s.\n", user_name);
806 result = NT_STATUS_UNSUCCESSFUL;
811 if (local_flags & LOCAL_SET_PASSWORD) {
813 * If we're dealing with setting a completely empty user account
814 * ie. One with a password of 'XXXX', but not set disabled (like
815 * an account created from scratch) then if the old password was
816 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
817 * We remove that as we're giving this user their first password
818 * and the decision hasn't really been made to disable them (ie.
819 * don't create them disabled). JRA.
821 if ((pdb_get_lanman_passwd(sam_pass) == NULL) &&
822 (acb & ACB_DISABLED)) {
823 acb &= (~ACB_DISABLED);
824 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
825 ret = asprintf(pp_err_str,
826 "Failed to unset 'disabled' "
827 "flag for user %s.\n",
832 result = NT_STATUS_UNSUCCESSFUL;
837 acb &= (~ACB_PWNOTREQ);
838 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
839 ret = asprintf(pp_err_str,
840 "Failed to unset 'no password required'"
841 " flag for user %s.\n", user_name);
845 result = NT_STATUS_UNSUCCESSFUL;
849 if (!pdb_set_plaintext_passwd(sam_pass, new_passwd)) {
850 ret = asprintf(pp_err_str,
851 "Failed to set password for "
852 "user %s.\n", user_name);
856 result = NT_STATUS_UNSUCCESSFUL;
861 if ((local_flags & LOCAL_DISABLE_USER) && !(acb & ACB_DISABLED)) {
863 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
864 ret = asprintf(pp_err_str,
865 "Failed to set 'disabled' flag for "
866 "user %s.\n", user_name);
870 result = NT_STATUS_UNSUCCESSFUL;
875 if ((local_flags & LOCAL_ENABLE_USER) && (acb & ACB_DISABLED)) {
876 acb &= (~ACB_DISABLED);
877 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
878 ret = asprintf(pp_err_str,
879 "Failed to unset 'disabled' flag for "
880 "user %s.\n", user_name);
884 result = NT_STATUS_UNSUCCESSFUL;
889 /* now commit changes if any */
890 result = pdb_update_sam_account(sam_pass);
891 if (!NT_STATUS_IS_OK(result)) {
892 ret = asprintf(pp_err_str,
893 "Failed to modify entry for user %s.\n",
901 if (local_flags & LOCAL_ADD_USER) {
902 ret = asprintf(pp_msg_str, "Added user %s.\n", user_name);
903 } else if (local_flags & LOCAL_DISABLE_USER) {
904 ret = asprintf(pp_msg_str, "Disabled user %s.\n", user_name);
905 } else if (local_flags & LOCAL_ENABLE_USER) {
906 ret = asprintf(pp_msg_str, "Enabled user %s.\n", user_name);
907 } else if (local_flags & LOCAL_SET_NO_PASSWORD) {
908 ret = asprintf(pp_msg_str,
909 "User %s password set to none.\n", user_name);
916 result = NT_STATUS_OK;
919 TALLOC_FREE(sam_pass);
923 /**********************************************************************
924 Marshall/unmarshall struct samu structs.
925 *********************************************************************/
927 #define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
928 #define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
929 #define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
930 #define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
931 /* nothing changed between V3 and V4 */
933 /*********************************************************************
934 *********************************************************************/
936 static bool init_samu_from_buffer_v0(struct samu *sampass, uint8_t *buf, uint32_t buflen)
939 /* times are stored as 32bit integer
940 take care on system with 64bit wide time_t
946 pass_can_change_time,
947 pass_must_change_time;
948 char *username = NULL;
950 char *nt_username = NULL;
951 char *dir_drive = NULL;
952 char *unknown_str = NULL;
953 char *munged_dial = NULL;
954 char *fullname = NULL;
955 char *homedir = NULL;
956 char *logon_script = NULL;
957 char *profile_path = NULL;
958 char *acct_desc = NULL;
959 char *workstations = NULL;
960 uint32_t username_len, domain_len, nt_username_len,
961 dir_drive_len, unknown_str_len, munged_dial_len,
962 fullname_len, homedir_len, logon_script_len,
963 profile_path_len, acct_desc_len, workstations_len;
965 uint32_t user_rid, group_rid, remove_me, hours_len, unknown_6;
966 uint16_t acct_ctrl, logon_divs;
967 uint16_t bad_password_count, logon_count;
968 uint8_t *hours = NULL;
969 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
971 uint32_t lm_pw_len, nt_pw_len, hourslen;
974 if(sampass == NULL || buf == NULL) {
975 DEBUG(0, ("init_samu_from_buffer_v0: NULL parameters found!\n"));
979 /* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
981 /* unpack the buffer into variables */
982 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V0,
984 &logoff_time, /* d */
985 &kickoff_time, /* d */
986 &pass_last_set_time, /* d */
987 &pass_can_change_time, /* d */
988 &pass_must_change_time, /* d */
989 &username_len, &username, /* B */
990 &domain_len, &domain, /* B */
991 &nt_username_len, &nt_username, /* B */
992 &fullname_len, &fullname, /* B */
993 &homedir_len, &homedir, /* B */
994 &dir_drive_len, &dir_drive, /* B */
995 &logon_script_len, &logon_script, /* B */
996 &profile_path_len, &profile_path, /* B */
997 &acct_desc_len, &acct_desc, /* B */
998 &workstations_len, &workstations, /* B */
999 &unknown_str_len, &unknown_str, /* B */
1000 &munged_dial_len, &munged_dial, /* B */
1003 &lm_pw_len, &lm_pw_ptr, /* B */
1004 &nt_pw_len, &nt_pw_ptr, /* B */
1006 &remove_me, /* remove on the next TDB_FORMAT upgarde */ /* d */
1007 &logon_divs, /* w */
1009 &hourslen, &hours, /* B */
1010 &bad_password_count, /* w */
1011 &logon_count, /* w */
1012 &unknown_6); /* d */
1014 if (len == (uint32_t) -1) {
1019 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1020 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1021 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1022 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1023 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1024 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1026 pdb_set_username(sampass, username, PDB_SET);
1027 pdb_set_domain(sampass, domain, PDB_SET);
1028 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1029 pdb_set_fullname(sampass, fullname, PDB_SET);
1032 pdb_set_homedir(sampass, homedir, PDB_SET);
1035 pdb_set_homedir(sampass,
1036 talloc_sub_basic(sampass, username, domain,
1042 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1044 pdb_set_dir_drive(sampass,
1045 talloc_sub_basic(sampass, username, domain,
1051 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1053 pdb_set_logon_script(sampass,
1054 talloc_sub_basic(sampass, username, domain,
1060 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1062 pdb_set_profile_path(sampass,
1063 talloc_sub_basic(sampass, username, domain,
1068 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1069 pdb_set_workstations(sampass, workstations, PDB_SET);
1070 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1072 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1073 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1079 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1080 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1086 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1087 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1088 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1089 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1090 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1091 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1092 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1093 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1094 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1095 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1099 SAFE_FREE(username);
1101 SAFE_FREE(nt_username);
1102 SAFE_FREE(fullname);
1104 SAFE_FREE(dir_drive);
1105 SAFE_FREE(logon_script);
1106 SAFE_FREE(profile_path);
1107 SAFE_FREE(acct_desc);
1108 SAFE_FREE(workstations);
1109 SAFE_FREE(munged_dial);
1110 SAFE_FREE(unknown_str);
1111 SAFE_FREE(lm_pw_ptr);
1112 SAFE_FREE(nt_pw_ptr);
1118 /*********************************************************************
1119 *********************************************************************/
1121 static bool init_samu_from_buffer_v1(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1124 /* times are stored as 32bit integer
1125 take care on system with 64bit wide time_t
1127 uint32_t logon_time,
1132 pass_can_change_time,
1133 pass_must_change_time;
1134 char *username = NULL;
1135 char *domain = NULL;
1136 char *nt_username = NULL;
1137 char *dir_drive = NULL;
1138 char *unknown_str = NULL;
1139 char *munged_dial = NULL;
1140 char *fullname = NULL;
1141 char *homedir = NULL;
1142 char *logon_script = NULL;
1143 char *profile_path = NULL;
1144 char *acct_desc = NULL;
1145 char *workstations = NULL;
1146 uint32_t username_len, domain_len, nt_username_len,
1147 dir_drive_len, unknown_str_len, munged_dial_len,
1148 fullname_len, homedir_len, logon_script_len,
1149 profile_path_len, acct_desc_len, workstations_len;
1151 uint32_t user_rid, group_rid, remove_me, hours_len, unknown_6;
1152 uint16_t acct_ctrl, logon_divs;
1153 uint16_t bad_password_count, logon_count;
1154 uint8_t *hours = NULL;
1155 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1157 uint32_t lm_pw_len, nt_pw_len, hourslen;
1160 if(sampass == NULL || buf == NULL) {
1161 DEBUG(0, ("init_samu_from_buffer_v1: NULL parameters found!\n"));
1165 /* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1167 /* unpack the buffer into variables */
1168 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V1,
1169 &logon_time, /* d */
1170 &logoff_time, /* d */
1171 &kickoff_time, /* d */
1172 /* Change from V0 is addition of bad_password_time field. */
1173 &bad_password_time, /* d */
1174 &pass_last_set_time, /* d */
1175 &pass_can_change_time, /* d */
1176 &pass_must_change_time, /* d */
1177 &username_len, &username, /* B */
1178 &domain_len, &domain, /* B */
1179 &nt_username_len, &nt_username, /* B */
1180 &fullname_len, &fullname, /* B */
1181 &homedir_len, &homedir, /* B */
1182 &dir_drive_len, &dir_drive, /* B */
1183 &logon_script_len, &logon_script, /* B */
1184 &profile_path_len, &profile_path, /* B */
1185 &acct_desc_len, &acct_desc, /* B */
1186 &workstations_len, &workstations, /* B */
1187 &unknown_str_len, &unknown_str, /* B */
1188 &munged_dial_len, &munged_dial, /* B */
1191 &lm_pw_len, &lm_pw_ptr, /* B */
1192 &nt_pw_len, &nt_pw_ptr, /* B */
1195 &logon_divs, /* w */
1197 &hourslen, &hours, /* B */
1198 &bad_password_count, /* w */
1199 &logon_count, /* w */
1200 &unknown_6); /* d */
1202 if (len == (uint32_t) -1) {
1207 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1208 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1209 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1211 /* Change from V0 is addition of bad_password_time field. */
1212 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1213 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1214 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1215 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1217 pdb_set_username(sampass, username, PDB_SET);
1218 pdb_set_domain(sampass, domain, PDB_SET);
1219 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1220 pdb_set_fullname(sampass, fullname, PDB_SET);
1223 pdb_set_homedir(sampass, homedir, PDB_SET);
1226 pdb_set_homedir(sampass,
1227 talloc_sub_basic(sampass, username, domain,
1233 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1235 pdb_set_dir_drive(sampass,
1236 talloc_sub_basic(sampass, username, domain,
1242 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1244 pdb_set_logon_script(sampass,
1245 talloc_sub_basic(sampass, username, domain,
1251 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1253 pdb_set_profile_path(sampass,
1254 talloc_sub_basic(sampass, username, domain,
1259 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1260 pdb_set_workstations(sampass, workstations, PDB_SET);
1261 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1263 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1264 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1270 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1271 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1277 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1279 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1280 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1281 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1282 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1283 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1284 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1285 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1286 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1287 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1291 SAFE_FREE(username);
1293 SAFE_FREE(nt_username);
1294 SAFE_FREE(fullname);
1296 SAFE_FREE(dir_drive);
1297 SAFE_FREE(logon_script);
1298 SAFE_FREE(profile_path);
1299 SAFE_FREE(acct_desc);
1300 SAFE_FREE(workstations);
1301 SAFE_FREE(munged_dial);
1302 SAFE_FREE(unknown_str);
1303 SAFE_FREE(lm_pw_ptr);
1304 SAFE_FREE(nt_pw_ptr);
1310 static bool init_samu_from_buffer_v2(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1313 /* times are stored as 32bit integer
1314 take care on system with 64bit wide time_t
1316 uint32_t logon_time,
1321 pass_can_change_time,
1322 pass_must_change_time;
1323 char *username = NULL;
1324 char *domain = NULL;
1325 char *nt_username = NULL;
1326 char *dir_drive = NULL;
1327 char *unknown_str = NULL;
1328 char *munged_dial = NULL;
1329 char *fullname = NULL;
1330 char *homedir = NULL;
1331 char *logon_script = NULL;
1332 char *profile_path = NULL;
1333 char *acct_desc = NULL;
1334 char *workstations = NULL;
1335 uint32_t username_len, domain_len, nt_username_len,
1336 dir_drive_len, unknown_str_len, munged_dial_len,
1337 fullname_len, homedir_len, logon_script_len,
1338 profile_path_len, acct_desc_len, workstations_len;
1340 uint32_t user_rid, group_rid, hours_len, unknown_6;
1341 uint16_t acct_ctrl, logon_divs;
1342 uint16_t bad_password_count, logon_count;
1343 uint8_t *hours = NULL;
1344 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1346 uint32_t lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1347 uint32_t pwHistLen = 0;
1350 bool expand_explicit = lp_passdb_expand_explicit();
1352 if(sampass == NULL || buf == NULL) {
1353 DEBUG(0, ("init_samu_from_buffer_v2: NULL parameters found!\n"));
1357 /* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1359 /* unpack the buffer into variables */
1360 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V2,
1361 &logon_time, /* d */
1362 &logoff_time, /* d */
1363 &kickoff_time, /* d */
1364 &bad_password_time, /* d */
1365 &pass_last_set_time, /* d */
1366 &pass_can_change_time, /* d */
1367 &pass_must_change_time, /* d */
1368 &username_len, &username, /* B */
1369 &domain_len, &domain, /* B */
1370 &nt_username_len, &nt_username, /* B */
1371 &fullname_len, &fullname, /* B */
1372 &homedir_len, &homedir, /* B */
1373 &dir_drive_len, &dir_drive, /* B */
1374 &logon_script_len, &logon_script, /* B */
1375 &profile_path_len, &profile_path, /* B */
1376 &acct_desc_len, &acct_desc, /* B */
1377 &workstations_len, &workstations, /* B */
1378 &unknown_str_len, &unknown_str, /* B */
1379 &munged_dial_len, &munged_dial, /* B */
1382 &lm_pw_len, &lm_pw_ptr, /* B */
1383 &nt_pw_len, &nt_pw_ptr, /* B */
1384 /* Change from V1 is addition of password history field. */
1385 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1387 /* Also "remove_me" field was removed. */
1388 &logon_divs, /* w */
1390 &hourslen, &hours, /* B */
1391 &bad_password_count, /* w */
1392 &logon_count, /* w */
1393 &unknown_6); /* d */
1395 if (len == (uint32_t) -1) {
1400 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1401 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1402 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1403 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1404 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1405 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1406 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1408 pdb_set_username(sampass, username, PDB_SET);
1409 pdb_set_domain(sampass, domain, PDB_SET);
1410 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1411 pdb_set_fullname(sampass, fullname, PDB_SET);
1414 fstrcpy( tmp_string, homedir );
1415 if (expand_explicit) {
1416 standard_sub_basic( username, domain, tmp_string,
1417 sizeof(tmp_string) );
1419 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1422 pdb_set_homedir(sampass,
1423 talloc_sub_basic(sampass, username, domain,
1429 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1431 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1434 fstrcpy( tmp_string, logon_script );
1435 if (expand_explicit) {
1436 standard_sub_basic( username, domain, tmp_string,
1437 sizeof(tmp_string) );
1439 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1442 pdb_set_logon_script(sampass,
1443 talloc_sub_basic(sampass, username, domain,
1449 fstrcpy( tmp_string, profile_path );
1450 if (expand_explicit) {
1451 standard_sub_basic( username, domain, tmp_string,
1452 sizeof(tmp_string) );
1454 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1457 pdb_set_profile_path(sampass,
1458 talloc_sub_basic(sampass, username, domain,
1463 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1464 pdb_set_workstations(sampass, workstations, PDB_SET);
1465 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1467 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1468 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1474 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1475 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1481 /* Change from V1 is addition of password history field. */
1482 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1484 uint8_t *pw_hist = SMB_MALLOC_ARRAY(uint8_t, pwHistLen * PW_HISTORY_ENTRY_LEN);
1489 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1490 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1492 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1493 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1494 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1495 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1496 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1497 PW_HISTORY_ENTRY_LEN);
1500 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1507 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1510 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1511 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1512 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1513 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1514 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1515 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1516 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1517 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1518 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1522 SAFE_FREE(username);
1524 SAFE_FREE(nt_username);
1525 SAFE_FREE(fullname);
1527 SAFE_FREE(dir_drive);
1528 SAFE_FREE(logon_script);
1529 SAFE_FREE(profile_path);
1530 SAFE_FREE(acct_desc);
1531 SAFE_FREE(workstations);
1532 SAFE_FREE(munged_dial);
1533 SAFE_FREE(unknown_str);
1534 SAFE_FREE(lm_pw_ptr);
1535 SAFE_FREE(nt_pw_ptr);
1536 SAFE_FREE(nt_pw_hist_ptr);
1542 /*********************************************************************
1543 *********************************************************************/
1545 static bool init_samu_from_buffer_v3(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1548 /* times are stored as 32bit integer
1549 take care on system with 64bit wide time_t
1551 uint32_t logon_time,
1556 pass_can_change_time,
1557 pass_must_change_time;
1558 char *username = NULL;
1559 char *domain = NULL;
1560 char *nt_username = NULL;
1561 char *dir_drive = NULL;
1562 char *comment = NULL;
1563 char *munged_dial = NULL;
1564 char *fullname = NULL;
1565 char *homedir = NULL;
1566 char *logon_script = NULL;
1567 char *profile_path = NULL;
1568 char *acct_desc = NULL;
1569 char *workstations = NULL;
1570 uint32_t username_len, domain_len, nt_username_len,
1571 dir_drive_len, comment_len, munged_dial_len,
1572 fullname_len, homedir_len, logon_script_len,
1573 profile_path_len, acct_desc_len, workstations_len;
1575 uint32_t user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
1576 uint16_t logon_divs;
1577 uint16_t bad_password_count, logon_count;
1578 uint8_t *hours = NULL;
1579 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1581 uint32_t lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1582 uint32_t pwHistLen = 0;
1585 bool expand_explicit = lp_passdb_expand_explicit();
1587 if(sampass == NULL || buf == NULL) {
1588 DEBUG(0, ("init_samu_from_buffer_v3: NULL parameters found!\n"));
1592 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1594 /* unpack the buffer into variables */
1595 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V3,
1596 &logon_time, /* d */
1597 &logoff_time, /* d */
1598 &kickoff_time, /* d */
1599 &bad_password_time, /* d */
1600 &pass_last_set_time, /* d */
1601 &pass_can_change_time, /* d */
1602 &pass_must_change_time, /* d */
1603 &username_len, &username, /* B */
1604 &domain_len, &domain, /* B */
1605 &nt_username_len, &nt_username, /* B */
1606 &fullname_len, &fullname, /* B */
1607 &homedir_len, &homedir, /* B */
1608 &dir_drive_len, &dir_drive, /* B */
1609 &logon_script_len, &logon_script, /* B */
1610 &profile_path_len, &profile_path, /* B */
1611 &acct_desc_len, &acct_desc, /* B */
1612 &workstations_len, &workstations, /* B */
1613 &comment_len, &comment, /* B */
1614 &munged_dial_len, &munged_dial, /* B */
1617 &lm_pw_len, &lm_pw_ptr, /* B */
1618 &nt_pw_len, &nt_pw_ptr, /* B */
1619 /* Change from V1 is addition of password history field. */
1620 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1621 /* Change from V2 is the uint32_t acb_mask */
1623 /* Also "remove_me" field was removed. */
1624 &logon_divs, /* w */
1626 &hourslen, &hours, /* B */
1627 &bad_password_count, /* w */
1628 &logon_count, /* w */
1629 &unknown_6); /* d */
1631 if (len == (uint32_t) -1) {
1636 pdb_set_logon_time(sampass, convert_uint32_t_to_time_t(logon_time), PDB_SET);
1637 pdb_set_logoff_time(sampass, convert_uint32_t_to_time_t(logoff_time), PDB_SET);
1638 pdb_set_kickoff_time(sampass, convert_uint32_t_to_time_t(kickoff_time), PDB_SET);
1639 pdb_set_bad_password_time(sampass, convert_uint32_t_to_time_t(bad_password_time), PDB_SET);
1640 pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET);
1641 pdb_set_pass_must_change_time(sampass, convert_uint32_t_to_time_t(pass_must_change_time), PDB_SET);
1642 pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET);
1644 pdb_set_username(sampass, username, PDB_SET);
1645 pdb_set_domain(sampass, domain, PDB_SET);
1646 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1647 pdb_set_fullname(sampass, fullname, PDB_SET);
1650 fstrcpy( tmp_string, homedir );
1651 if (expand_explicit) {
1652 standard_sub_basic( username, domain, tmp_string,
1653 sizeof(tmp_string) );
1655 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1658 pdb_set_homedir(sampass,
1659 talloc_sub_basic(sampass, username, domain,
1665 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1667 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1670 fstrcpy( tmp_string, logon_script );
1671 if (expand_explicit) {
1672 standard_sub_basic( username, domain, tmp_string,
1673 sizeof(tmp_string) );
1675 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1678 pdb_set_logon_script(sampass,
1679 talloc_sub_basic(sampass, username, domain,
1685 fstrcpy( tmp_string, profile_path );
1686 if (expand_explicit) {
1687 standard_sub_basic( username, domain, tmp_string,
1688 sizeof(tmp_string) );
1690 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1693 pdb_set_profile_path(sampass,
1694 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
1698 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1699 pdb_set_comment(sampass, comment, PDB_SET);
1700 pdb_set_workstations(sampass, workstations, PDB_SET);
1701 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1703 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1704 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1710 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1711 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1717 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1719 uint8_t *pw_hist = (uint8_t *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1724 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1725 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1727 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1728 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1729 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1730 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1731 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1732 PW_HISTORY_ENTRY_LEN);
1735 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1742 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1745 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1746 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1747 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1748 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1749 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1750 /* Change from V2 is the uint32_t acct_ctrl */
1751 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1752 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1753 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1757 SAFE_FREE(username);
1759 SAFE_FREE(nt_username);
1760 SAFE_FREE(fullname);
1762 SAFE_FREE(dir_drive);
1763 SAFE_FREE(logon_script);
1764 SAFE_FREE(profile_path);
1765 SAFE_FREE(acct_desc);
1766 SAFE_FREE(workstations);
1767 SAFE_FREE(munged_dial);
1769 SAFE_FREE(lm_pw_ptr);
1770 SAFE_FREE(nt_pw_ptr);
1771 SAFE_FREE(nt_pw_hist_ptr);
1777 /*********************************************************************
1778 *********************************************************************/
1780 static uint32_t init_buffer_from_samu_v3 (uint8_t **buf, struct samu *sampass, bool size_only)
1784 /* times are stored as 32bit integer
1785 take care on system with 64bit wide time_t
1787 uint32_t logon_time,
1792 pass_can_change_time,
1793 pass_must_change_time;
1795 uint32_t user_rid, group_rid;
1797 const char *username;
1799 const char *nt_username;
1800 const char *dir_drive;
1801 const char *comment;
1802 const char *munged_dial;
1803 const char *fullname;
1804 const char *homedir;
1805 const char *logon_script;
1806 const char *profile_path;
1807 const char *acct_desc;
1808 const char *workstations;
1809 uint32_t username_len, domain_len, nt_username_len,
1810 dir_drive_len, comment_len, munged_dial_len,
1811 fullname_len, homedir_len, logon_script_len,
1812 profile_path_len, acct_desc_len, workstations_len;
1814 const uint8_t *lm_pw;
1815 const uint8_t *nt_pw;
1816 const uint8_t *nt_pw_hist;
1817 uint32_t lm_pw_len = 16;
1818 uint32_t nt_pw_len = 16;
1819 uint32_t nt_pw_hist_len;
1820 uint32_t pwHistLen = 0;
1825 logon_time = convert_time_t_to_uint32_t(pdb_get_logon_time(sampass));
1826 logoff_time = convert_time_t_to_uint32_t(pdb_get_logoff_time(sampass));
1827 kickoff_time = convert_time_t_to_uint32_t(pdb_get_kickoff_time(sampass));
1828 bad_password_time = convert_time_t_to_uint32_t(pdb_get_bad_password_time(sampass));
1829 pass_can_change_time = convert_time_t_to_uint32_t(pdb_get_pass_can_change_time_noncalc(sampass));
1830 pass_must_change_time = convert_time_t_to_uint32_t(pdb_get_pass_must_change_time(sampass));
1831 pass_last_set_time = convert_time_t_to_uint32_t(pdb_get_pass_last_set_time(sampass));
1833 user_rid = pdb_get_user_rid(sampass);
1834 group_rid = pdb_get_group_rid(sampass);
1836 username = pdb_get_username(sampass);
1838 username_len = strlen(username) +1;
1843 domain = pdb_get_domain(sampass);
1845 domain_len = strlen(domain) +1;
1850 nt_username = pdb_get_nt_username(sampass);
1852 nt_username_len = strlen(nt_username) +1;
1854 nt_username_len = 0;
1857 fullname = pdb_get_fullname(sampass);
1859 fullname_len = strlen(fullname) +1;
1865 * Only updates fields which have been set (not defaults from smb.conf)
1868 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1869 dir_drive = pdb_get_dir_drive(sampass);
1874 dir_drive_len = strlen(dir_drive) +1;
1879 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1880 homedir = pdb_get_homedir(sampass);
1885 homedir_len = strlen(homedir) +1;
1890 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1891 logon_script = pdb_get_logon_script(sampass);
1893 logon_script = NULL;
1896 logon_script_len = strlen(logon_script) +1;
1898 logon_script_len = 0;
1901 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1902 profile_path = pdb_get_profile_path(sampass);
1904 profile_path = NULL;
1907 profile_path_len = strlen(profile_path) +1;
1909 profile_path_len = 0;
1912 lm_pw = pdb_get_lanman_passwd(sampass);
1917 nt_pw = pdb_get_nt_passwd(sampass);
1922 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1923 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1924 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1925 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1930 acct_desc = pdb_get_acct_desc(sampass);
1932 acct_desc_len = strlen(acct_desc) +1;
1937 workstations = pdb_get_workstations(sampass);
1939 workstations_len = strlen(workstations) +1;
1941 workstations_len = 0;
1944 comment = pdb_get_comment(sampass);
1946 comment_len = strlen(comment) +1;
1951 munged_dial = pdb_get_munged_dial(sampass);
1953 munged_dial_len = strlen(munged_dial) +1;
1955 munged_dial_len = 0;
1958 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1960 /* one time to get the size needed */
1961 len = tdb_pack(NULL, 0, SAMU_BUFFER_FORMAT_V3,
1963 logoff_time, /* d */
1964 kickoff_time, /* d */
1965 bad_password_time, /* d */
1966 pass_last_set_time, /* d */
1967 pass_can_change_time, /* d */
1968 pass_must_change_time, /* d */
1969 username_len, username, /* B */
1970 domain_len, domain, /* B */
1971 nt_username_len, nt_username, /* B */
1972 fullname_len, fullname, /* B */
1973 homedir_len, homedir, /* B */
1974 dir_drive_len, dir_drive, /* B */
1975 logon_script_len, logon_script, /* B */
1976 profile_path_len, profile_path, /* B */
1977 acct_desc_len, acct_desc, /* B */
1978 workstations_len, workstations, /* B */
1979 comment_len, comment, /* B */
1980 munged_dial_len, munged_dial, /* B */
1983 lm_pw_len, lm_pw, /* B */
1984 nt_pw_len, nt_pw, /* B */
1985 nt_pw_hist_len, nt_pw_hist, /* B */
1986 pdb_get_acct_ctrl(sampass), /* d */
1987 pdb_get_logon_divs(sampass), /* w */
1988 pdb_get_hours_len(sampass), /* d */
1989 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1990 pdb_get_bad_password_count(sampass), /* w */
1991 pdb_get_logon_count(sampass), /* w */
1992 pdb_get_unknown_6(sampass)); /* d */
1998 /* malloc the space needed */
1999 if ( (*buf=(uint8_t*)SMB_MALLOC(len)) == NULL) {
2000 DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
2004 /* now for the real call to tdb_pack() */
2005 buflen = tdb_pack(*buf, len, SAMU_BUFFER_FORMAT_V3,
2007 logoff_time, /* d */
2008 kickoff_time, /* d */
2009 bad_password_time, /* d */
2010 pass_last_set_time, /* d */
2011 pass_can_change_time, /* d */
2012 pass_must_change_time, /* d */
2013 username_len, username, /* B */
2014 domain_len, domain, /* B */
2015 nt_username_len, nt_username, /* B */
2016 fullname_len, fullname, /* B */
2017 homedir_len, homedir, /* B */
2018 dir_drive_len, dir_drive, /* B */
2019 logon_script_len, logon_script, /* B */
2020 profile_path_len, profile_path, /* B */
2021 acct_desc_len, acct_desc, /* B */
2022 workstations_len, workstations, /* B */
2023 comment_len, comment, /* B */
2024 munged_dial_len, munged_dial, /* B */
2027 lm_pw_len, lm_pw, /* B */
2028 nt_pw_len, nt_pw, /* B */
2029 nt_pw_hist_len, nt_pw_hist, /* B */
2030 pdb_get_acct_ctrl(sampass), /* d */
2031 pdb_get_logon_divs(sampass), /* w */
2032 pdb_get_hours_len(sampass), /* d */
2033 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
2034 pdb_get_bad_password_count(sampass), /* w */
2035 pdb_get_logon_count(sampass), /* w */
2036 pdb_get_unknown_6(sampass)); /* d */
2038 /* check to make sure we got it correct */
2039 if (buflen != len) {
2040 DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2041 (unsigned long)buflen, (unsigned long)len));
2050 static bool init_samu_from_buffer_v4(struct samu *sampass, uint8_t *buf, uint32_t buflen)
2052 /* nothing changed between V3 and V4 */
2053 return init_samu_from_buffer_v3(sampass, buf, buflen);
2056 static uint32_t init_buffer_from_samu_v4(uint8_t **buf, struct samu *sampass, bool size_only)
2058 /* nothing changed between V3 and V4 */
2059 return init_buffer_from_samu_v3(buf, sampass, size_only);
2062 /**********************************************************************
2063 Intialize a struct samu struct from a BYTE buffer of size len
2064 *********************************************************************/
2066 bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
2067 uint8_t *buf, uint32_t buflen)
2070 case SAMU_BUFFER_V0:
2071 return init_samu_from_buffer_v0(sampass, buf, buflen);
2072 case SAMU_BUFFER_V1:
2073 return init_samu_from_buffer_v1(sampass, buf, buflen);
2074 case SAMU_BUFFER_V2:
2075 return init_samu_from_buffer_v2(sampass, buf, buflen);
2076 case SAMU_BUFFER_V3:
2077 return init_samu_from_buffer_v3(sampass, buf, buflen);
2078 case SAMU_BUFFER_V4:
2079 return init_samu_from_buffer_v4(sampass, buf, buflen);
2085 /**********************************************************************
2086 Intialize a BYTE buffer from a struct samu struct
2087 *********************************************************************/
2089 uint32_t init_buffer_from_samu (uint8_t **buf, struct samu *sampass, bool size_only)
2091 return init_buffer_from_samu_v4(buf, sampass, size_only);
2094 /*********************************************************************
2095 *********************************************************************/
2097 bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
2099 uint8_t *buf = NULL;
2102 len = init_buffer_from_samu(&buf, src, False);
2103 if (len == -1 || !buf) {
2108 if (!init_samu_from_buffer( dst, SAMU_BUFFER_LATEST, buf, len )) {
2113 dst->methods = src->methods;
2115 if ( src->unix_pw ) {
2116 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
2117 if (!dst->unix_pw) {
2123 if (src->group_sid) {
2124 pdb_set_group_sid(dst, src->group_sid, PDB_SET);
2131 /*********************************************************************
2132 Update the bad password count checking the PDB_POLICY_RESET_COUNT_TIME
2133 *********************************************************************/
2135 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
2137 time_t LastBadPassword;
2138 uint16_t BadPasswordCount;
2142 BadPasswordCount = pdb_get_bad_password_count(sampass);
2143 if (!BadPasswordCount) {
2144 DEBUG(9, ("No bad password attempts.\n"));
2149 res = pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &resettime);
2153 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2157 /* First, check if there is a reset time to compare */
2158 if ((resettime == (uint32_t) -1) || (resettime == 0)) {
2159 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2163 LastBadPassword = pdb_get_bad_password_time(sampass);
2164 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2165 (uint32_t) LastBadPassword, resettime, (uint32_t)time(NULL)));
2166 if (time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(resettime)*60)){
2167 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2168 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2177 /*********************************************************************
2178 Update the ACB_AUTOLOCK flag checking the PDB_POLICY_LOCK_ACCOUNT_DURATION
2179 *********************************************************************/
2181 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
2184 time_t LastBadPassword;
2187 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2188 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2189 pdb_get_username(sampass)));
2194 res = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &duration);
2198 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2202 /* First, check if there is a duration to compare */
2203 if ((duration == (uint32_t) -1) || (duration == 0)) {
2204 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2208 LastBadPassword = pdb_get_bad_password_time(sampass);
2209 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2210 pdb_get_username(sampass), (uint32_t)LastBadPassword, duration*60, (uint32_t)time(NULL)));
2212 if (LastBadPassword == (time_t)0) {
2213 DEBUG(1,("pdb_update_autolock_flag: Account %s "
2214 "administratively locked out with no bad password "
2215 "time. Leaving locked out.\n",
2216 pdb_get_username(sampass) ));
2220 if ((time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(duration) * 60))) {
2221 pdb_set_acct_ctrl(sampass,
2222 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2224 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2225 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2234 /*********************************************************************
2235 Increment the bad_password_count
2236 *********************************************************************/
2238 bool pdb_increment_bad_password_count(struct samu *sampass)
2240 uint32_t account_policy_lockout;
2241 bool autolock_updated = False, badpw_updated = False;
2244 /* Retrieve the account lockout policy */
2246 ret = pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
2249 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2253 /* If there is no policy, we don't need to continue checking */
2254 if (!account_policy_lockout) {
2255 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2259 /* Check if the autolock needs to be cleared */
2260 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2263 /* Check if the badpw count needs to be reset */
2264 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2268 Ok, now we can assume that any resetting that needs to be
2269 done has been done, and just get on with incrementing
2270 and autolocking if necessary
2273 pdb_set_bad_password_count(sampass,
2274 pdb_get_bad_password_count(sampass)+1,
2276 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2279 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2282 if (!pdb_set_acct_ctrl(sampass,
2283 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2285 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
2292 bool is_dc_trusted_domain_situation(const char *domain_name)
2294 return IS_DC && !strequal(domain_name, lp_workgroup());
2297 /*******************************************************************
2298 Wrapper around retrieving the clear text trust account password.
2299 appropriate account name is stored in account_name.
2300 Caller must free password, but not account_name.
2301 *******************************************************************/
2303 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
2304 const char **account_name,
2305 enum netr_SchannelType *channel)
2308 time_t last_set_time;
2310 /* if we are a DC and this is not our domain, then lookup an account
2311 * for the domain trust */
2313 if (is_dc_trusted_domain_situation(domain)) {
2314 if (!lp_allow_trusted_domains()) {
2318 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
2321 DEBUG(0, ("get_trust_pw: could not fetch trust "
2322 "account password for trusted domain %s\n",
2327 if (channel != NULL) {
2328 *channel = SEC_CHAN_DOMAIN;
2331 if (account_name != NULL) {
2332 *account_name = lp_workgroup();
2339 * Since we can only be member of one single domain, we are now
2340 * in a member situation:
2342 * - Either we are a DC (selfjoined) and the domain is our
2344 * - Or we are on a member and the domain is our own or some
2345 * other (potentially trusted) domain.
2347 * In both cases, we can only get the machine account password
2348 * for our own domain to connect to our own dc. (For a member,
2349 * request to trusted domains are performed through our dc.)
2351 * So we simply use our own domain name to retrieve the
2352 * machine account passowrd and ignore the request domain here.
2355 pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
2359 if (account_name != NULL) {
2360 *account_name = lp_netbios_name();
2366 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
2367 "account password for domain %s\n", domain));
2371 /*******************************************************************
2372 Wrapper around retrieving the trust account password.
2373 appropriate account name is stored in account_name.
2374 *******************************************************************/
2376 bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
2377 const char **account_name,
2378 enum netr_SchannelType *channel)
2381 time_t last_set_time;
2383 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
2384 E_md4hash(pwd, ret_pwd);
2387 } else if (is_dc_trusted_domain_situation(domain)) {
2391 /* as a fallback, try to get the hashed pwd directly from the tdb... */
2393 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
2397 if (account_name != NULL) {
2398 *account_name = lp_netbios_name();
2404 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
2405 "password for domain %s\n", domain));