*/
#include "includes.h"
+#include "system/passwd.h"
+#include "passdb.h"
#include "secrets.h"
#include "../librpc/gen_ndr/samr.h"
+#include "../librpc/gen_ndr/drsblobs.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
+#include "memcache.h"
+#include "nsswitch/winbind_client.h"
+#include "../libcli/security/security.h"
+#include "../lib/util/util_pw.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
return pdb->get_domain_info(pdb, mem_ctx);
}
+/**
+ * @brief Check if the user account has been locked out and try to unlock it.
+ *
+ * If the user has been automatically locked out and a lockout duration is set,
+ * then check if we can unlock the account and reset the bad password values.
+ *
+ * @param[in] sampass The sam user to check.
+ *
+ * @return True if the function was successfull, false on an error.
+ */
+static bool pdb_try_account_unlock(struct samu *sampass)
+{
+ uint32_t acb_info = pdb_get_acct_ctrl(sampass);
+
+ if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
+ uint32_t lockout_duration;
+ time_t bad_password_time;
+ time_t now = time(NULL);
+ bool ok;
+
+ ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
+ &lockout_duration);
+ if (!ok) {
+ DEBUG(0, ("pdb_try_account_unlock: "
+ "pdb_get_account_policy failed.\n"));
+ return false;
+ }
+
+ if (lockout_duration == (uint32_t) -1 ||
+ lockout_duration == 0) {
+ DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
+ "can't reset autolock\n"));
+ return false;
+ }
+ lockout_duration *= 60;
+
+ bad_password_time = pdb_get_bad_password_time(sampass);
+ if (bad_password_time == (time_t) 0) {
+ DEBUG(2, ("pdb_try_account_unlock: Account %s "
+ "administratively locked out "
+ "with no bad password "
+ "time. Leaving locked out.\n",
+ pdb_get_username(sampass)));
+ return true;
+ }
+
+ if ((bad_password_time +
+ convert_uint32_t_to_time_t(lockout_duration)) < now) {
+ NTSTATUS status;
+
+ pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
+ PDB_CHANGED);
+ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+ pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("_samr_OpenUser: Couldn't "
+ "update account %s - %s\n",
+ pdb_get_username(sampass),
+ nt_errstr(status)));
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ * @param[in] sam_acct The sam user structure to fill.
+ *
+ * @param[in] username The username to look for.
+ *
+ * @return True on success, false on error.
+ */
bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
{
struct pdb_methods *pdb = pdb_get_methods();
struct samu *for_cache;
const struct dom_sid *user_sid;
+ NTSTATUS status;
+ bool ok;
- if (!NT_STATUS_IS_OK(pdb->getsampwnam(pdb, sam_acct, username))) {
- return False;
+ status = pdb->getsampwnam(pdb, sam_acct, username);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ok = pdb_try_account_unlock(sam_acct);
+ if (!ok) {
+ DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
+ username));
}
for_cache = samu_new(NULL);
NTSTATUS result;
const char *guestname = lp_guestaccount();
- if ( !(pwd = getpwnam_alloc(talloc_autofree_context(), guestname ) ) ) {
+ pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
+ if (pwd == NULL) {
DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
guestname));
return False;
return NT_STATUS_IS_OK( result );
}
-/**********************************************************************
-**********************************************************************/
-
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ *
+ * @param[in] sam_acct The sam user structure to fill.
+ *
+ * @param[in] sid The user SDI to look up.
+ *
+ * @return True on success, false on error.
+ */
bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
{
struct pdb_methods *pdb = pdb_get_methods();
uint32_t rid;
void *cache_data;
+ bool ok = false;
/* hard code the Guest RID of 501 */
struct samu *cache_copy = talloc_get_type_abort(
cache_data, struct samu);
- return pdb_copy_sam_account(sam_acct, cache_copy);
+ ok = pdb_copy_sam_account(sam_acct, cache_copy);
+ } else {
+ ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+ }
+
+ if (!ok) {
+ return false;
+ }
+
+ ok = pdb_try_account_unlock(sam_acct);
+ if (!ok) {
+ DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
+ sam_acct->username));
}
- return NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+ return true;
}
static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
flush_pwnam_cache();
pwd = Get_Pwnam_alloc(tmp_ctx, name);
+
+ if(pwd == NULL) {
+ DEBUG(3, ("Could not find user %s, add script did not work\n", name));
+ return NT_STATUS_NO_SUCH_USER;
+ }
}
/* we have a valid SID coming out of this call */
NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
struct dom_sid **pp_sids, gid_t **pp_gids,
- size_t *p_num_groups)
+ uint32_t *p_num_groups)
{
struct pdb_methods *pdb = pdb_get_methods();
return pdb->enum_group_memberships(
{
struct dom_sid *sids;
gid_t *gids;
- size_t i, num_groups;
+ uint32_t i, num_groups;
if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
&sids, &gids,
}
for (i=0; i<num_groups; i++) {
- if (sid_equal(group_sid, &sids[i])) {
+ if (dom_sid_equal(group_sid, &sids[i])) {
return True;
}
}
return ret;
}
-static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size_t *p_num)
+static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
{
struct group *grp;
char **gr;
{
gid_t gid;
uid_t *uids;
- size_t i, num_uids;
+ uint32_t i, num_uids;
*pp_member_rids = NULL;
*p_num_members = 0;
if (num_uids == 0)
return NT_STATUS_OK;
- *pp_member_rids = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t, num_uids);
+ *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
for (i=0; i<num_uids; i++) {
struct dom_sid sid;
struct samu *user,
struct dom_sid **pp_sids,
gid_t **pp_gids,
- size_t *p_num_groups)
+ uint32_t *p_num_groups)
{
size_t i;
gid_t gid;
/* Ignore the primary group SID. Honor the real Unix primary group.
The primary group SID is only of real use to Windows clients */
- if ( !(pw = getpwnam_alloc(mem_ctx, username)) ) {
+ if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
return NT_STATUS_NO_SUCH_USER;
}
smb_panic("primary group missing");
}
- *pp_sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, *p_num_groups);
+ *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
if (*pp_sids == NULL) {
TALLOC_FREE(*pp_gids);
return secrets_trusted_domains(mem_ctx, num_domains, domains);
}
+/*******************************************************************
+ trusted_domain methods
+ *******************************************************************/
+
+NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
+}
+
+NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
+}
+
+NTSTATUS pdb_set_trusted_domain(const char* domain,
+ const struct pdb_trusted_domain *td)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_trusted_domain(pdb, domain, td);
+}
+
+NTSTATUS pdb_del_trusted_domain(const char *domain)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_trusted_domain(pdb, domain);
+}
+
+NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
+ struct pdb_trusted_domain ***domains)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
+}
+
+static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *domain,
+ struct pdb_trusted_domain **td)
+{
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation aia;
+ struct pdb_trusted_domain *tdom;
+ enum ndr_err_code ndr_err;
+ time_t last_set_time;
+ char *pwd;
+ bool ok;
+
+ tdom = talloc(mem_ctx, struct pdb_trusted_domain);
+ if (!tdom) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tdom->domain_name = talloc_strdup(tdom, domain);
+ tdom->netbios_name = talloc_strdup(tdom, domain);
+ if (!tdom->domain_name || !tdom->netbios_name) {
+ talloc_free(tdom);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tdom->trust_auth_incoming = data_blob_null;
+
+ ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
+ &last_set_time);
+ if (!ok) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ZERO_STRUCT(taiob);
+ ZERO_STRUCT(aia);
+ taiob.count = 1;
+ taiob.current.count = 1;
+ taiob.current.array = &aia;
+ unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
+ aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+ aia.AuthInfo.clear.password = (uint8_t *) pwd;
+ aia.AuthInfo.clear.size = strlen(pwd);
+ taiob.previous.count = 0;
+ taiob.previous.array = NULL;
+
+ ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
+ tdom, &taiob,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+ tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ tdom->trust_attributes = 0;
+ tdom->trust_forest_trust_info = data_blob_null;
+
+ *td = tdom;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct dom_sid *sid,
+ struct pdb_trusted_domain **td)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+#define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
+
+static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
+ const char* domain,
+ const struct pdb_trusted_domain *td)
+{
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation *aia;
+ enum ndr_err_code ndr_err;
+ char *pwd;
+ bool ok;
+
+ if (td->trust_attributes != 0 ||
+ td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
+ td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
+ !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
+ !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ZERO_STRUCT(taiob);
+ ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
+ &taiob,
+ (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ aia = (struct AuthenticationInformation *) taiob.current.array;
+
+ if (taiob.count != 1 || taiob.current.count != 1 ||
+ taiob.previous.count != 0 ||
+ aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
+ aia->AuthInfo.clear.size);
+ if (!pwd) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
+ if (!ok) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
+ const char *domain)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_domains,
+ struct pdb_trusted_domain ***domains)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
static struct pdb_domain_info *pdb_default_get_domain_info(
struct pdb_methods *m, TALLOC_CTX *mem_ctx)
{
{
/* allocate memory for the structure as its own talloc CTX */
- *methods = talloc_zero(talloc_autofree_context(), struct pdb_methods);
+ *methods = talloc_zero(NULL, struct pdb_methods);
if (*methods == NULL) {
return NT_STATUS_NO_MEMORY;
}
(*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
(*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
+ (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
+ (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
+ (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
+ (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
+ (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
+
return NT_STATUS_OK;
}