2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "system/passwd.h"
27 #include "../libcli/auth/libcli_auth.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
33 #define DBGC_CLASS DBGC_PASSDB
35 /******************************************************************
36 Get the default domain/netbios name to be used when
37 testing authentication.
39 LEGACY: this function provides the legacy domain mapping used with
40 the lp_map_untrusted_to_domain() parameter
41 ******************************************************************/
43 const char *my_sam_name(void)
45 /* Standalone servers can only use the local netbios name */
46 if ( lp_server_role() == ROLE_STANDALONE )
47 return global_myname();
49 /* Default to the DOMAIN name when not specified */
50 return lp_workgroup();
53 /**********************************************************************
54 ***********************************************************************/
56 static int samu_destroy(struct samu *user)
58 data_blob_clear_free( &user->lm_pw );
59 data_blob_clear_free( &user->nt_pw );
61 if ( user->plaintext_pw )
62 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
67 /**********************************************************************
68 generate a new struct samuser
69 ***********************************************************************/
71 struct samu *samu_new( TALLOC_CTX *ctx )
75 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
76 DEBUG(0,("samuser_new: Talloc failed!\n"));
80 talloc_set_destructor( user, samu_destroy );
82 /* no initial methods */
86 /* Don't change these timestamp settings without a good reason.
87 They are important for NT member server compatibility. */
89 user->logon_time = (time_t)0;
90 user->pass_last_set_time = (time_t)0;
91 user->pass_can_change_time = (time_t)0;
92 user->logoff_time = get_time_t_max();
93 user->kickoff_time = get_time_t_max();
94 user->pass_must_change_time = get_time_t_max();
95 user->fields_present = 0x00ffffff;
96 user->logon_divs = 168; /* hours per week */
97 user->hours_len = 21; /* 21 times 8 bits = 168 */
98 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
99 user->bad_password_count = 0;
100 user->logon_count = 0;
101 user->unknown_6 = 0x000004ec; /* don't know */
103 /* Some parts of samba strlen their pdb_get...() returns,
104 so this keeps the interface unchanged for now. */
108 user->nt_username = "";
109 user->full_name = "";
111 user->logon_script = "";
112 user->profile_path = "";
113 user->acct_desc = "";
114 user->workstations = "";
116 user->munged_dial = "";
118 user->plaintext_pw = NULL;
120 /* Unless we know otherwise have a Account Control Bit
121 value of 'normal user'. This helps User Manager, which
122 asks for a filtered list of users. */
124 user->acct_ctrl = ACB_NORMAL;
129 static int count_commas(const char *str)
132 const char *comma = str;
134 while ((comma = strchr(comma, ',')) != NULL) {
141 /*********************************************************************
142 Initialize a struct samu from a struct passwd including the user
143 and group SIDs. The *user structure is filled out with the Unix
144 attributes and a user SID.
145 *********************************************************************/
147 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
149 const char *guest_account = lp_guestaccount();
150 const char *domain = global_myname();
155 return NT_STATUS_NO_SUCH_USER;
158 /* Basic properties based upon the Unix account information */
160 pdb_set_username(user, pwd->pw_name, PDB_SET);
164 if (count_commas(pwd->pw_gecos) == 3) {
166 * Heuristic: This seems to be a gecos field that has been
167 * edited by chfn(1). Only use the part before the first
168 * comma. Fixes bug 5198.
170 fullname = talloc_strndup(
171 talloc_tos(), pwd->pw_gecos,
172 strchr(pwd->pw_gecos, ',') - pwd->pw_gecos);
175 if (fullname != NULL) {
176 pdb_set_fullname(user, fullname, PDB_SET);
178 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
180 TALLOC_FREE(fullname);
182 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
184 /* This can lead to a primary group of S-1-22-2-XX which
185 will be rejected by other parts of the Samba code.
186 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
189 gid_to_sid(&group_sid, pwd->pw_gid);
190 pdb_set_group_sid(user, &group_sid, PDB_SET);
193 /* save the password structure for later use */
195 user->unix_pw = tcopy_passwd( user, pwd );
197 /* Special case for the guest account which must have a RID of 501 */
199 if ( strequal( pwd->pw_name, guest_account ) ) {
200 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_RID_GUEST, PDB_DEFAULT)) {
201 return NT_STATUS_NO_SUCH_USER;
206 /* Non-guest accounts...Check for a workstation or user account */
208 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
211 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
212 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
214 return NT_STATUS_INVALID_COMPUTER_NAME;
220 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
221 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
223 return NT_STATUS_INVALID_ACCOUNT_NAME;
226 /* set some basic attributes */
228 pdb_set_profile_path(user, talloc_sub_specified(user,
229 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
231 pdb_set_homedir(user, talloc_sub_specified(user,
232 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
234 pdb_set_dir_drive(user, talloc_sub_specified(user,
235 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
237 pdb_set_logon_script(user, talloc_sub_specified(user,
238 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
242 /* Now deal with the user SID. If we have a backend that can generate
243 RIDs, then do so. But sometimes the caller just wanted a structure
244 initialized and will fill in these fields later (such as from a
245 netr_SamInfo3 structure) */
247 if ( create && (pdb_capabilities() & PDB_CAP_STORE_RIDS)) {
249 struct dom_sid user_sid;
251 if ( !pdb_new_rid( &user_rid ) ) {
252 DEBUG(3, ("Could not allocate a new RID\n"));
253 return NT_STATUS_ACCESS_DENIED;
256 sid_compose(&user_sid, get_global_sam_sid(), user_rid);
258 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
259 DEBUG(3, ("pdb_set_user_sid failed\n"));
260 return NT_STATUS_INTERNAL_ERROR;
266 /* generate a SID for the user with the RID algorithm */
268 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
270 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
271 return NT_STATUS_INTERNAL_ERROR;
277 /********************************************************************
278 Set the Unix user attributes
279 ********************************************************************/
281 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
283 return samu_set_unix_internal( user, pwd, False );
286 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
288 return samu_set_unix_internal( user, pwd, True );
291 /**********************************************************
292 Encode the account control bits into a string.
293 length = length of string to encode into (including terminating
294 null). length *MUST BE MORE THAN 2* !
295 **********************************************************/
297 char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
304 SMB_ASSERT(length <= sizeof(acct_str));
308 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
309 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
310 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
311 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
312 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
313 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
314 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
315 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
316 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
317 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
318 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
320 for ( ; i < length - 2 ; i++ )
325 acct_str[i++] = '\0';
327 result = talloc_strdup(talloc_tos(), acct_str);
328 SMB_ASSERT(result != NULL);
332 /**********************************************************
333 Decode the account control bits from a string.
334 **********************************************************/
336 uint32_t pdb_decode_acct_ctrl(const char *p)
338 uint32_t acct_ctrl = 0;
339 bool finished = false;
342 * Check if the account type bits have been encoded after the
343 * NT password (in the form [NDHTUWSLXI]).
349 for (p++; *p && !finished; p++) {
351 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
352 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
353 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
354 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
355 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
356 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
357 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
358 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
359 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
360 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
361 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
367 default: { finished = true; }
374 /*************************************************************
375 Routine to set 32 hex password characters from a 16 byte array.
376 **************************************************************/
378 void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32_t acct_ctrl)
382 for (i = 0; i < 16; i++)
383 slprintf(&p[i*2], 3, "%02X", pwd[i]);
385 if (acct_ctrl & ACB_PWNOTREQ)
386 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
388 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
392 /*************************************************************
393 Routine to get the 32 hex characters and turn them
394 into a 16 byte array.
395 **************************************************************/
397 bool pdb_gethexpwd(const char *p, unsigned char *pwd)
400 unsigned char lonybble, hinybble;
401 const char *hexchars = "0123456789ABCDEF";
407 for (i = 0; i < 32; i += 2) {
408 hinybble = toupper_ascii(p[i]);
409 lonybble = toupper_ascii(p[i + 1]);
411 p1 = strchr(hexchars, hinybble);
412 p2 = strchr(hexchars, lonybble);
417 hinybble = PTR_DIFF(p1, hexchars);
418 lonybble = PTR_DIFF(p2, hexchars);
420 pwd[i / 2] = (hinybble << 4) | lonybble;
425 /*************************************************************
426 Routine to set 42 hex hours characters from a 21 byte array.
427 **************************************************************/
429 void pdb_sethexhours(char *p, const unsigned char *hours)
433 for (i = 0; i < 21; i++) {
434 slprintf(&p[i*2], 3, "%02X", hours[i]);
437 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
441 /*************************************************************
442 Routine to get the 42 hex characters and turn them
443 into a 21 byte array.
444 **************************************************************/
446 bool pdb_gethexhours(const char *p, unsigned char *hours)
449 unsigned char lonybble, hinybble;
450 const char *hexchars = "0123456789ABCDEF";
457 for (i = 0; i < 42; i += 2) {
458 hinybble = toupper_ascii(p[i]);
459 lonybble = toupper_ascii(p[i + 1]);
461 p1 = strchr(hexchars, hinybble);
462 p2 = strchr(hexchars, lonybble);
468 hinybble = PTR_DIFF(p1, hexchars);
469 lonybble = PTR_DIFF(p2, hexchars);
471 hours[i / 2] = (hinybble << 4) | lonybble;
476 /********************************************************************
477 ********************************************************************/
479 int algorithmic_rid_base(void)
483 rid_offset = lp_algorithmic_rid_base();
485 if (rid_offset < BASE_RID) {
486 /* Try to prevent admin foot-shooting, we can't put algorithmic
487 rids below 1000, that's the 'well known RIDs' on NT */
488 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
489 rid_offset = BASE_RID;
491 if (rid_offset & 1) {
492 DEBUG(0, ("algorithmic rid base must be even\n"));
498 /*******************************************************************
499 Converts NT user RID to a UNIX uid.
500 ********************************************************************/
502 uid_t algorithmic_pdb_user_rid_to_uid(uint32_t user_rid)
504 int rid_offset = algorithmic_rid_base();
505 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
508 uid_t max_algorithmic_uid(void)
510 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
513 /*******************************************************************
514 converts UNIX uid to an NT User RID.
515 ********************************************************************/
517 uint32_t algorithmic_pdb_uid_to_user_rid(uid_t uid)
519 int rid_offset = algorithmic_rid_base();
520 return (((((uint32_t)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
523 /*******************************************************************
524 Converts NT group RID to a UNIX gid.
525 ********************************************************************/
527 gid_t pdb_group_rid_to_gid(uint32_t group_rid)
529 int rid_offset = algorithmic_rid_base();
530 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
533 gid_t max_algorithmic_gid(void)
535 return pdb_group_rid_to_gid(0xffffffff);
538 /*******************************************************************
539 converts NT Group RID to a UNIX uid.
541 warning: you must not call that function only
542 you must do a call to the group mapping first.
543 there is not anymore a direct link between the gid and the rid.
544 ********************************************************************/
546 uint32_t algorithmic_pdb_gid_to_group_rid(gid_t gid)
548 int rid_offset = algorithmic_rid_base();
549 return (((((uint32_t)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
552 /*******************************************************************
553 Decides if a RID is a well known RID.
554 ********************************************************************/
556 static bool rid_is_well_known(uint32_t rid)
558 /* Not using rid_offset here, because this is the actual
559 NT fixed value (1000) */
561 return (rid < BASE_RID);
564 /*******************************************************************
565 Decides if a RID is a user or group RID.
566 ********************************************************************/
568 bool algorithmic_pdb_rid_is_user(uint32_t rid)
570 if ( rid_is_well_known(rid) ) {
572 * The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
573 * and DOMAIN_RID_GUEST.
575 if(rid == DOMAIN_RID_ADMINISTRATOR || rid == DOMAIN_RID_GUEST)
577 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
583 /*******************************************************************
584 Convert a name into a SID. Used in the lookup name rpc.
585 ********************************************************************/
587 bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
588 enum lsa_SidType *type)
593 /* Windows treats "MACHINE\None" as a special name for
594 rid 513 on non-DCs. You cannot create a user or group
595 name "None" on Windows. You will get an error that
596 the group already exists. */
598 if ( strequal( name, "None" ) ) {
599 *rid = DOMAIN_RID_USERS;
600 *type = SID_NAME_DOM_GRP;
605 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
606 * correctly in the case where foo also exists as a user. If the flag
607 * is set, don't look for users at all. */
609 if ((flags & LOOKUP_NAME_GROUP) == 0) {
610 struct samu *sam_account = NULL;
611 struct dom_sid user_sid;
613 if ( !(sam_account = samu_new( NULL )) ) {
618 ret = pdb_getsampwnam(sam_account, name);
622 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
625 TALLOC_FREE(sam_account);
628 if (!sid_check_is_in_our_domain(&user_sid)) {
629 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
630 name, sid_string_dbg(&user_sid)));
634 sid_peek_rid(&user_sid, rid);
635 *type = SID_NAME_USER;
641 * Maybe it is a group ?
645 ret = pdb_getgrnam(&map, name);
652 /* BUILTIN groups are looked up elsewhere */
653 if (!sid_check_is_in_our_domain(&map.sid)) {
654 DEBUG(10, ("Found group %s (%s) not in our domain -- "
655 "ignoring.", name, sid_string_dbg(&map.sid)));
659 /* yes it's a mapped group */
660 sid_peek_rid(&map.sid, rid);
661 *type = map.sid_name_use;
665 /*************************************************************
666 Change a password entry in the local passdb backend.
669 - always called as root
670 - ignores the account type except when adding a new account
671 - will create/delete the unix account if the relative
672 add/delete user script is configured
674 *************************************************************/
676 NTSTATUS local_password_change(const char *user_name,
678 const char *new_passwd,
683 struct samu *sam_pass;
693 tosctx = talloc_tos();
695 sam_pass = samu_new(tosctx);
697 result = NT_STATUS_NO_MEMORY;
701 /* Get the smb passwd entry for this user */
702 user_exists = pdb_getsampwnam(sam_pass, user_name);
704 /* Check delete first, we don't need to do anything else if we
705 * are going to delete the acocunt */
706 if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
708 result = pdb_delete_user(tosctx, sam_pass);
709 if (!NT_STATUS_IS_OK(result)) {
710 ret = asprintf(pp_err_str,
711 "Failed to delete entry for user %s.\n",
716 result = NT_STATUS_UNSUCCESSFUL;
718 ret = asprintf(pp_msg_str,
719 "Deleted user %s.\n",
728 if (user_exists && (local_flags & LOCAL_ADD_USER)) {
729 /* the entry already existed */
730 local_flags &= ~LOCAL_ADD_USER;
733 if (!user_exists && !(local_flags & LOCAL_ADD_USER)) {
734 ret = asprintf(pp_err_str,
735 "Failed to find entry for user %s.\n",
740 result = NT_STATUS_NO_SUCH_USER;
744 /* First thing add the new user if we are required to do so */
745 if (local_flags & LOCAL_ADD_USER) {
747 if (local_flags & LOCAL_TRUST_ACCOUNT) {
749 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
755 result = pdb_create_user(tosctx, user_name, acb, &rid);
756 if (!NT_STATUS_IS_OK(result)) {
757 ret = asprintf(pp_err_str,
758 "Failed to add entry for user %s.\n",
763 result = NT_STATUS_UNSUCCESSFUL;
767 sam_pass = samu_new(tosctx);
769 result = NT_STATUS_NO_MEMORY;
773 /* Now get back the smb passwd entry for this new user */
774 user_exists = pdb_getsampwnam(sam_pass, user_name);
776 ret = asprintf(pp_err_str,
777 "Failed to add entry for user %s.\n",
782 result = NT_STATUS_UNSUCCESSFUL;
787 acb = pdb_get_acct_ctrl(sam_pass);
790 * We are root - just write the new password
791 * and the valid last change time.
793 if ((local_flags & LOCAL_SET_NO_PASSWORD) && !(acb & ACB_PWNOTREQ)) {
795 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
796 ret = asprintf(pp_err_str,
797 "Failed to set 'no password required' "
798 "flag for user %s.\n", user_name);
802 result = NT_STATUS_UNSUCCESSFUL;
807 if (local_flags & LOCAL_SET_PASSWORD) {
809 * If we're dealing with setting a completely empty user account
810 * ie. One with a password of 'XXXX', but not set disabled (like
811 * an account created from scratch) then if the old password was
812 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
813 * We remove that as we're giving this user their first password
814 * and the decision hasn't really been made to disable them (ie.
815 * don't create them disabled). JRA.
817 if ((pdb_get_lanman_passwd(sam_pass) == NULL) &&
818 (acb & ACB_DISABLED)) {
819 acb &= (~ACB_DISABLED);
820 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
821 ret = asprintf(pp_err_str,
822 "Failed to unset 'disabled' "
823 "flag for user %s.\n",
828 result = NT_STATUS_UNSUCCESSFUL;
833 acb &= (~ACB_PWNOTREQ);
834 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
835 ret = asprintf(pp_err_str,
836 "Failed to unset 'no password required'"
837 " flag for user %s.\n", user_name);
841 result = NT_STATUS_UNSUCCESSFUL;
845 if (!pdb_set_plaintext_passwd(sam_pass, new_passwd)) {
846 ret = asprintf(pp_err_str,
847 "Failed to set password for "
848 "user %s.\n", user_name);
852 result = NT_STATUS_UNSUCCESSFUL;
857 if ((local_flags & LOCAL_DISABLE_USER) && !(acb & ACB_DISABLED)) {
859 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
860 ret = asprintf(pp_err_str,
861 "Failed to set 'disabled' flag for "
862 "user %s.\n", user_name);
866 result = NT_STATUS_UNSUCCESSFUL;
871 if ((local_flags & LOCAL_ENABLE_USER) && (acb & ACB_DISABLED)) {
872 acb &= (~ACB_DISABLED);
873 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
874 ret = asprintf(pp_err_str,
875 "Failed to unset 'disabled' flag for "
876 "user %s.\n", user_name);
880 result = NT_STATUS_UNSUCCESSFUL;
885 /* now commit changes if any */
886 result = pdb_update_sam_account(sam_pass);
887 if (!NT_STATUS_IS_OK(result)) {
888 ret = asprintf(pp_err_str,
889 "Failed to modify entry for user %s.\n",
897 if (local_flags & LOCAL_ADD_USER) {
898 ret = asprintf(pp_msg_str, "Added user %s.\n", user_name);
899 } else if (local_flags & LOCAL_DISABLE_USER) {
900 ret = asprintf(pp_msg_str, "Disabled user %s.\n", user_name);
901 } else if (local_flags & LOCAL_ENABLE_USER) {
902 ret = asprintf(pp_msg_str, "Enabled user %s.\n", user_name);
903 } else if (local_flags & LOCAL_SET_NO_PASSWORD) {
904 ret = asprintf(pp_msg_str,
905 "User %s password set to none.\n", user_name);
912 result = NT_STATUS_OK;
915 TALLOC_FREE(sam_pass);
919 /**********************************************************************
920 Marshall/unmarshall struct samu structs.
921 *********************************************************************/
923 #define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
924 #define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
925 #define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
926 #define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
927 /* nothing changed between V3 and V4 */
929 /*********************************************************************
930 *********************************************************************/
932 static bool init_samu_from_buffer_v0(struct samu *sampass, uint8_t *buf, uint32_t buflen)
935 /* times are stored as 32bit integer
936 take care on system with 64bit wide time_t
942 pass_can_change_time,
943 pass_must_change_time;
944 char *username = NULL;
946 char *nt_username = NULL;
947 char *dir_drive = NULL;
948 char *unknown_str = NULL;
949 char *munged_dial = NULL;
950 char *fullname = NULL;
951 char *homedir = NULL;
952 char *logon_script = NULL;
953 char *profile_path = NULL;
954 char *acct_desc = NULL;
955 char *workstations = NULL;
956 uint32_t username_len, domain_len, nt_username_len,
957 dir_drive_len, unknown_str_len, munged_dial_len,
958 fullname_len, homedir_len, logon_script_len,
959 profile_path_len, acct_desc_len, workstations_len;
961 uint32_t user_rid, group_rid, remove_me, hours_len, unknown_6;
962 uint16_t acct_ctrl, logon_divs;
963 uint16_t bad_password_count, logon_count;
964 uint8_t *hours = NULL;
965 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
967 uint32_t lm_pw_len, nt_pw_len, hourslen;
970 if(sampass == NULL || buf == NULL) {
971 DEBUG(0, ("init_samu_from_buffer_v0: NULL parameters found!\n"));
975 /* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
977 /* unpack the buffer into variables */
978 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V0,
980 &logoff_time, /* d */
981 &kickoff_time, /* d */
982 &pass_last_set_time, /* d */
983 &pass_can_change_time, /* d */
984 &pass_must_change_time, /* d */
985 &username_len, &username, /* B */
986 &domain_len, &domain, /* B */
987 &nt_username_len, &nt_username, /* B */
988 &fullname_len, &fullname, /* B */
989 &homedir_len, &homedir, /* B */
990 &dir_drive_len, &dir_drive, /* B */
991 &logon_script_len, &logon_script, /* B */
992 &profile_path_len, &profile_path, /* B */
993 &acct_desc_len, &acct_desc, /* B */
994 &workstations_len, &workstations, /* B */
995 &unknown_str_len, &unknown_str, /* B */
996 &munged_dial_len, &munged_dial, /* B */
999 &lm_pw_len, &lm_pw_ptr, /* B */
1000 &nt_pw_len, &nt_pw_ptr, /* B */
1002 &remove_me, /* remove on the next TDB_FORMAT upgarde */ /* d */
1003 &logon_divs, /* w */
1005 &hourslen, &hours, /* B */
1006 &bad_password_count, /* w */
1007 &logon_count, /* w */
1008 &unknown_6); /* d */
1010 if (len == (uint32_t) -1) {
1015 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1016 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1017 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1018 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1019 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1020 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1022 pdb_set_username(sampass, username, PDB_SET);
1023 pdb_set_domain(sampass, domain, PDB_SET);
1024 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1025 pdb_set_fullname(sampass, fullname, PDB_SET);
1028 pdb_set_homedir(sampass, homedir, PDB_SET);
1031 pdb_set_homedir(sampass,
1032 talloc_sub_basic(sampass, username, domain,
1038 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1040 pdb_set_dir_drive(sampass,
1041 talloc_sub_basic(sampass, username, domain,
1047 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1049 pdb_set_logon_script(sampass,
1050 talloc_sub_basic(sampass, username, domain,
1056 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1058 pdb_set_profile_path(sampass,
1059 talloc_sub_basic(sampass, username, domain,
1064 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1065 pdb_set_workstations(sampass, workstations, PDB_SET);
1066 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1068 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1069 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1075 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1076 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1082 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1083 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1084 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1085 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1086 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1087 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1088 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1089 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1090 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1091 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1095 SAFE_FREE(username);
1097 SAFE_FREE(nt_username);
1098 SAFE_FREE(fullname);
1100 SAFE_FREE(dir_drive);
1101 SAFE_FREE(logon_script);
1102 SAFE_FREE(profile_path);
1103 SAFE_FREE(acct_desc);
1104 SAFE_FREE(workstations);
1105 SAFE_FREE(munged_dial);
1106 SAFE_FREE(unknown_str);
1107 SAFE_FREE(lm_pw_ptr);
1108 SAFE_FREE(nt_pw_ptr);
1114 /*********************************************************************
1115 *********************************************************************/
1117 static bool init_samu_from_buffer_v1(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1120 /* times are stored as 32bit integer
1121 take care on system with 64bit wide time_t
1123 uint32_t logon_time,
1128 pass_can_change_time,
1129 pass_must_change_time;
1130 char *username = NULL;
1131 char *domain = NULL;
1132 char *nt_username = NULL;
1133 char *dir_drive = NULL;
1134 char *unknown_str = NULL;
1135 char *munged_dial = NULL;
1136 char *fullname = NULL;
1137 char *homedir = NULL;
1138 char *logon_script = NULL;
1139 char *profile_path = NULL;
1140 char *acct_desc = NULL;
1141 char *workstations = NULL;
1142 uint32_t username_len, domain_len, nt_username_len,
1143 dir_drive_len, unknown_str_len, munged_dial_len,
1144 fullname_len, homedir_len, logon_script_len,
1145 profile_path_len, acct_desc_len, workstations_len;
1147 uint32_t user_rid, group_rid, remove_me, hours_len, unknown_6;
1148 uint16_t acct_ctrl, logon_divs;
1149 uint16_t bad_password_count, logon_count;
1150 uint8_t *hours = NULL;
1151 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1153 uint32_t lm_pw_len, nt_pw_len, hourslen;
1156 if(sampass == NULL || buf == NULL) {
1157 DEBUG(0, ("init_samu_from_buffer_v1: NULL parameters found!\n"));
1161 /* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1163 /* unpack the buffer into variables */
1164 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V1,
1165 &logon_time, /* d */
1166 &logoff_time, /* d */
1167 &kickoff_time, /* d */
1168 /* Change from V0 is addition of bad_password_time field. */
1169 &bad_password_time, /* d */
1170 &pass_last_set_time, /* d */
1171 &pass_can_change_time, /* d */
1172 &pass_must_change_time, /* d */
1173 &username_len, &username, /* B */
1174 &domain_len, &domain, /* B */
1175 &nt_username_len, &nt_username, /* B */
1176 &fullname_len, &fullname, /* B */
1177 &homedir_len, &homedir, /* B */
1178 &dir_drive_len, &dir_drive, /* B */
1179 &logon_script_len, &logon_script, /* B */
1180 &profile_path_len, &profile_path, /* B */
1181 &acct_desc_len, &acct_desc, /* B */
1182 &workstations_len, &workstations, /* B */
1183 &unknown_str_len, &unknown_str, /* B */
1184 &munged_dial_len, &munged_dial, /* B */
1187 &lm_pw_len, &lm_pw_ptr, /* B */
1188 &nt_pw_len, &nt_pw_ptr, /* B */
1191 &logon_divs, /* w */
1193 &hourslen, &hours, /* B */
1194 &bad_password_count, /* w */
1195 &logon_count, /* w */
1196 &unknown_6); /* d */
1198 if (len == (uint32_t) -1) {
1203 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1204 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1205 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1207 /* Change from V0 is addition of bad_password_time field. */
1208 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1209 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1210 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1211 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1213 pdb_set_username(sampass, username, PDB_SET);
1214 pdb_set_domain(sampass, domain, PDB_SET);
1215 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1216 pdb_set_fullname(sampass, fullname, PDB_SET);
1219 pdb_set_homedir(sampass, homedir, PDB_SET);
1222 pdb_set_homedir(sampass,
1223 talloc_sub_basic(sampass, username, domain,
1229 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1231 pdb_set_dir_drive(sampass,
1232 talloc_sub_basic(sampass, username, domain,
1238 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1240 pdb_set_logon_script(sampass,
1241 talloc_sub_basic(sampass, username, domain,
1247 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1249 pdb_set_profile_path(sampass,
1250 talloc_sub_basic(sampass, username, domain,
1255 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1256 pdb_set_workstations(sampass, workstations, PDB_SET);
1257 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1259 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1260 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1266 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1267 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1273 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1275 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1276 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1277 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1278 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1279 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1280 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1281 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1282 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1283 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1287 SAFE_FREE(username);
1289 SAFE_FREE(nt_username);
1290 SAFE_FREE(fullname);
1292 SAFE_FREE(dir_drive);
1293 SAFE_FREE(logon_script);
1294 SAFE_FREE(profile_path);
1295 SAFE_FREE(acct_desc);
1296 SAFE_FREE(workstations);
1297 SAFE_FREE(munged_dial);
1298 SAFE_FREE(unknown_str);
1299 SAFE_FREE(lm_pw_ptr);
1300 SAFE_FREE(nt_pw_ptr);
1306 static bool init_samu_from_buffer_v2(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1309 /* times are stored as 32bit integer
1310 take care on system with 64bit wide time_t
1312 uint32_t logon_time,
1317 pass_can_change_time,
1318 pass_must_change_time;
1319 char *username = NULL;
1320 char *domain = NULL;
1321 char *nt_username = NULL;
1322 char *dir_drive = NULL;
1323 char *unknown_str = NULL;
1324 char *munged_dial = NULL;
1325 char *fullname = NULL;
1326 char *homedir = NULL;
1327 char *logon_script = NULL;
1328 char *profile_path = NULL;
1329 char *acct_desc = NULL;
1330 char *workstations = NULL;
1331 uint32_t username_len, domain_len, nt_username_len,
1332 dir_drive_len, unknown_str_len, munged_dial_len,
1333 fullname_len, homedir_len, logon_script_len,
1334 profile_path_len, acct_desc_len, workstations_len;
1336 uint32_t user_rid, group_rid, hours_len, unknown_6;
1337 uint16_t acct_ctrl, logon_divs;
1338 uint16_t bad_password_count, logon_count;
1339 uint8_t *hours = NULL;
1340 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1342 uint32_t lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1343 uint32_t pwHistLen = 0;
1346 bool expand_explicit = lp_passdb_expand_explicit();
1348 if(sampass == NULL || buf == NULL) {
1349 DEBUG(0, ("init_samu_from_buffer_v2: NULL parameters found!\n"));
1353 /* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1355 /* unpack the buffer into variables */
1356 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V2,
1357 &logon_time, /* d */
1358 &logoff_time, /* d */
1359 &kickoff_time, /* d */
1360 &bad_password_time, /* d */
1361 &pass_last_set_time, /* d */
1362 &pass_can_change_time, /* d */
1363 &pass_must_change_time, /* d */
1364 &username_len, &username, /* B */
1365 &domain_len, &domain, /* B */
1366 &nt_username_len, &nt_username, /* B */
1367 &fullname_len, &fullname, /* B */
1368 &homedir_len, &homedir, /* B */
1369 &dir_drive_len, &dir_drive, /* B */
1370 &logon_script_len, &logon_script, /* B */
1371 &profile_path_len, &profile_path, /* B */
1372 &acct_desc_len, &acct_desc, /* B */
1373 &workstations_len, &workstations, /* B */
1374 &unknown_str_len, &unknown_str, /* B */
1375 &munged_dial_len, &munged_dial, /* B */
1378 &lm_pw_len, &lm_pw_ptr, /* B */
1379 &nt_pw_len, &nt_pw_ptr, /* B */
1380 /* Change from V1 is addition of password history field. */
1381 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1383 /* Also "remove_me" field was removed. */
1384 &logon_divs, /* w */
1386 &hourslen, &hours, /* B */
1387 &bad_password_count, /* w */
1388 &logon_count, /* w */
1389 &unknown_6); /* d */
1391 if (len == (uint32_t) -1) {
1396 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1397 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1398 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1399 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1400 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1401 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1402 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1404 pdb_set_username(sampass, username, PDB_SET);
1405 pdb_set_domain(sampass, domain, PDB_SET);
1406 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1407 pdb_set_fullname(sampass, fullname, PDB_SET);
1410 fstrcpy( tmp_string, homedir );
1411 if (expand_explicit) {
1412 standard_sub_basic( username, domain, tmp_string,
1413 sizeof(tmp_string) );
1415 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1418 pdb_set_homedir(sampass,
1419 talloc_sub_basic(sampass, username, domain,
1425 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1427 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1430 fstrcpy( tmp_string, logon_script );
1431 if (expand_explicit) {
1432 standard_sub_basic( username, domain, tmp_string,
1433 sizeof(tmp_string) );
1435 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1438 pdb_set_logon_script(sampass,
1439 talloc_sub_basic(sampass, username, domain,
1445 fstrcpy( tmp_string, profile_path );
1446 if (expand_explicit) {
1447 standard_sub_basic( username, domain, tmp_string,
1448 sizeof(tmp_string) );
1450 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1453 pdb_set_profile_path(sampass,
1454 talloc_sub_basic(sampass, username, domain,
1459 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1460 pdb_set_workstations(sampass, workstations, PDB_SET);
1461 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1463 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1464 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1470 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1471 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1477 /* Change from V1 is addition of password history field. */
1478 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1480 uint8_t *pw_hist = SMB_MALLOC_ARRAY(uint8_t, pwHistLen * PW_HISTORY_ENTRY_LEN);
1485 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1486 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1488 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1489 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1490 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1491 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1492 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1493 PW_HISTORY_ENTRY_LEN);
1496 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1503 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1506 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1507 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1508 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1509 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1510 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1511 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1512 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1513 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1514 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1518 SAFE_FREE(username);
1520 SAFE_FREE(nt_username);
1521 SAFE_FREE(fullname);
1523 SAFE_FREE(dir_drive);
1524 SAFE_FREE(logon_script);
1525 SAFE_FREE(profile_path);
1526 SAFE_FREE(acct_desc);
1527 SAFE_FREE(workstations);
1528 SAFE_FREE(munged_dial);
1529 SAFE_FREE(unknown_str);
1530 SAFE_FREE(lm_pw_ptr);
1531 SAFE_FREE(nt_pw_ptr);
1532 SAFE_FREE(nt_pw_hist_ptr);
1538 /*********************************************************************
1539 *********************************************************************/
1541 static bool init_samu_from_buffer_v3(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1544 /* times are stored as 32bit integer
1545 take care on system with 64bit wide time_t
1547 uint32_t logon_time,
1552 pass_can_change_time,
1553 pass_must_change_time;
1554 char *username = NULL;
1555 char *domain = NULL;
1556 char *nt_username = NULL;
1557 char *dir_drive = NULL;
1558 char *comment = NULL;
1559 char *munged_dial = NULL;
1560 char *fullname = NULL;
1561 char *homedir = NULL;
1562 char *logon_script = NULL;
1563 char *profile_path = NULL;
1564 char *acct_desc = NULL;
1565 char *workstations = NULL;
1566 uint32_t username_len, domain_len, nt_username_len,
1567 dir_drive_len, comment_len, munged_dial_len,
1568 fullname_len, homedir_len, logon_script_len,
1569 profile_path_len, acct_desc_len, workstations_len;
1571 uint32_t user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
1572 uint16_t logon_divs;
1573 uint16_t bad_password_count, logon_count;
1574 uint8_t *hours = NULL;
1575 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1577 uint32_t lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1578 uint32_t pwHistLen = 0;
1581 bool expand_explicit = lp_passdb_expand_explicit();
1583 if(sampass == NULL || buf == NULL) {
1584 DEBUG(0, ("init_samu_from_buffer_v3: NULL parameters found!\n"));
1588 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1590 /* unpack the buffer into variables */
1591 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V3,
1592 &logon_time, /* d */
1593 &logoff_time, /* d */
1594 &kickoff_time, /* d */
1595 &bad_password_time, /* d */
1596 &pass_last_set_time, /* d */
1597 &pass_can_change_time, /* d */
1598 &pass_must_change_time, /* d */
1599 &username_len, &username, /* B */
1600 &domain_len, &domain, /* B */
1601 &nt_username_len, &nt_username, /* B */
1602 &fullname_len, &fullname, /* B */
1603 &homedir_len, &homedir, /* B */
1604 &dir_drive_len, &dir_drive, /* B */
1605 &logon_script_len, &logon_script, /* B */
1606 &profile_path_len, &profile_path, /* B */
1607 &acct_desc_len, &acct_desc, /* B */
1608 &workstations_len, &workstations, /* B */
1609 &comment_len, &comment, /* B */
1610 &munged_dial_len, &munged_dial, /* B */
1613 &lm_pw_len, &lm_pw_ptr, /* B */
1614 &nt_pw_len, &nt_pw_ptr, /* B */
1615 /* Change from V1 is addition of password history field. */
1616 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1617 /* Change from V2 is the uint32_t acb_mask */
1619 /* Also "remove_me" field was removed. */
1620 &logon_divs, /* w */
1622 &hourslen, &hours, /* B */
1623 &bad_password_count, /* w */
1624 &logon_count, /* w */
1625 &unknown_6); /* d */
1627 if (len == (uint32_t) -1) {
1632 pdb_set_logon_time(sampass, convert_uint32_t_to_time_t(logon_time), PDB_SET);
1633 pdb_set_logoff_time(sampass, convert_uint32_t_to_time_t(logoff_time), PDB_SET);
1634 pdb_set_kickoff_time(sampass, convert_uint32_t_to_time_t(kickoff_time), PDB_SET);
1635 pdb_set_bad_password_time(sampass, convert_uint32_t_to_time_t(bad_password_time), PDB_SET);
1636 pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET);
1637 pdb_set_pass_must_change_time(sampass, convert_uint32_t_to_time_t(pass_must_change_time), PDB_SET);
1638 pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET);
1640 pdb_set_username(sampass, username, PDB_SET);
1641 pdb_set_domain(sampass, domain, PDB_SET);
1642 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1643 pdb_set_fullname(sampass, fullname, PDB_SET);
1646 fstrcpy( tmp_string, homedir );
1647 if (expand_explicit) {
1648 standard_sub_basic( username, domain, tmp_string,
1649 sizeof(tmp_string) );
1651 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1654 pdb_set_homedir(sampass,
1655 talloc_sub_basic(sampass, username, domain,
1661 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1663 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1666 fstrcpy( tmp_string, logon_script );
1667 if (expand_explicit) {
1668 standard_sub_basic( username, domain, tmp_string,
1669 sizeof(tmp_string) );
1671 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1674 pdb_set_logon_script(sampass,
1675 talloc_sub_basic(sampass, username, domain,
1681 fstrcpy( tmp_string, profile_path );
1682 if (expand_explicit) {
1683 standard_sub_basic( username, domain, tmp_string,
1684 sizeof(tmp_string) );
1686 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1689 pdb_set_profile_path(sampass,
1690 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
1694 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1695 pdb_set_comment(sampass, comment, PDB_SET);
1696 pdb_set_workstations(sampass, workstations, PDB_SET);
1697 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1699 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1700 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1706 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1707 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1713 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1715 uint8_t *pw_hist = (uint8_t *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1720 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1721 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1723 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1724 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1725 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1726 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1727 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1728 PW_HISTORY_ENTRY_LEN);
1731 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1738 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1741 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1742 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1743 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1744 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1745 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1746 /* Change from V2 is the uint32_t acct_ctrl */
1747 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1748 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1749 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1753 SAFE_FREE(username);
1755 SAFE_FREE(nt_username);
1756 SAFE_FREE(fullname);
1758 SAFE_FREE(dir_drive);
1759 SAFE_FREE(logon_script);
1760 SAFE_FREE(profile_path);
1761 SAFE_FREE(acct_desc);
1762 SAFE_FREE(workstations);
1763 SAFE_FREE(munged_dial);
1765 SAFE_FREE(lm_pw_ptr);
1766 SAFE_FREE(nt_pw_ptr);
1767 SAFE_FREE(nt_pw_hist_ptr);
1773 /*********************************************************************
1774 *********************************************************************/
1776 static uint32_t init_buffer_from_samu_v3 (uint8_t **buf, struct samu *sampass, bool size_only)
1780 /* times are stored as 32bit integer
1781 take care on system with 64bit wide time_t
1783 uint32_t logon_time,
1788 pass_can_change_time,
1789 pass_must_change_time;
1791 uint32_t user_rid, group_rid;
1793 const char *username;
1795 const char *nt_username;
1796 const char *dir_drive;
1797 const char *comment;
1798 const char *munged_dial;
1799 const char *fullname;
1800 const char *homedir;
1801 const char *logon_script;
1802 const char *profile_path;
1803 const char *acct_desc;
1804 const char *workstations;
1805 uint32_t username_len, domain_len, nt_username_len,
1806 dir_drive_len, comment_len, munged_dial_len,
1807 fullname_len, homedir_len, logon_script_len,
1808 profile_path_len, acct_desc_len, workstations_len;
1810 const uint8_t *lm_pw;
1811 const uint8_t *nt_pw;
1812 const uint8_t *nt_pw_hist;
1813 uint32_t lm_pw_len = 16;
1814 uint32_t nt_pw_len = 16;
1815 uint32_t nt_pw_hist_len;
1816 uint32_t pwHistLen = 0;
1821 logon_time = convert_time_t_to_uint32_t(pdb_get_logon_time(sampass));
1822 logoff_time = convert_time_t_to_uint32_t(pdb_get_logoff_time(sampass));
1823 kickoff_time = convert_time_t_to_uint32_t(pdb_get_kickoff_time(sampass));
1824 bad_password_time = convert_time_t_to_uint32_t(pdb_get_bad_password_time(sampass));
1825 pass_can_change_time = convert_time_t_to_uint32_t(pdb_get_pass_can_change_time_noncalc(sampass));
1826 pass_must_change_time = convert_time_t_to_uint32_t(pdb_get_pass_must_change_time(sampass));
1827 pass_last_set_time = convert_time_t_to_uint32_t(pdb_get_pass_last_set_time(sampass));
1829 user_rid = pdb_get_user_rid(sampass);
1830 group_rid = pdb_get_group_rid(sampass);
1832 username = pdb_get_username(sampass);
1834 username_len = strlen(username) +1;
1839 domain = pdb_get_domain(sampass);
1841 domain_len = strlen(domain) +1;
1846 nt_username = pdb_get_nt_username(sampass);
1848 nt_username_len = strlen(nt_username) +1;
1850 nt_username_len = 0;
1853 fullname = pdb_get_fullname(sampass);
1855 fullname_len = strlen(fullname) +1;
1861 * Only updates fields which have been set (not defaults from smb.conf)
1864 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1865 dir_drive = pdb_get_dir_drive(sampass);
1870 dir_drive_len = strlen(dir_drive) +1;
1875 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1876 homedir = pdb_get_homedir(sampass);
1881 homedir_len = strlen(homedir) +1;
1886 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1887 logon_script = pdb_get_logon_script(sampass);
1889 logon_script = NULL;
1892 logon_script_len = strlen(logon_script) +1;
1894 logon_script_len = 0;
1897 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1898 profile_path = pdb_get_profile_path(sampass);
1900 profile_path = NULL;
1903 profile_path_len = strlen(profile_path) +1;
1905 profile_path_len = 0;
1908 lm_pw = pdb_get_lanman_passwd(sampass);
1913 nt_pw = pdb_get_nt_passwd(sampass);
1918 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1919 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1920 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1921 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1926 acct_desc = pdb_get_acct_desc(sampass);
1928 acct_desc_len = strlen(acct_desc) +1;
1933 workstations = pdb_get_workstations(sampass);
1935 workstations_len = strlen(workstations) +1;
1937 workstations_len = 0;
1940 comment = pdb_get_comment(sampass);
1942 comment_len = strlen(comment) +1;
1947 munged_dial = pdb_get_munged_dial(sampass);
1949 munged_dial_len = strlen(munged_dial) +1;
1951 munged_dial_len = 0;
1954 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1956 /* one time to get the size needed */
1957 len = tdb_pack(NULL, 0, SAMU_BUFFER_FORMAT_V3,
1959 logoff_time, /* d */
1960 kickoff_time, /* d */
1961 bad_password_time, /* d */
1962 pass_last_set_time, /* d */
1963 pass_can_change_time, /* d */
1964 pass_must_change_time, /* d */
1965 username_len, username, /* B */
1966 domain_len, domain, /* B */
1967 nt_username_len, nt_username, /* B */
1968 fullname_len, fullname, /* B */
1969 homedir_len, homedir, /* B */
1970 dir_drive_len, dir_drive, /* B */
1971 logon_script_len, logon_script, /* B */
1972 profile_path_len, profile_path, /* B */
1973 acct_desc_len, acct_desc, /* B */
1974 workstations_len, workstations, /* B */
1975 comment_len, comment, /* B */
1976 munged_dial_len, munged_dial, /* B */
1979 lm_pw_len, lm_pw, /* B */
1980 nt_pw_len, nt_pw, /* B */
1981 nt_pw_hist_len, nt_pw_hist, /* B */
1982 pdb_get_acct_ctrl(sampass), /* d */
1983 pdb_get_logon_divs(sampass), /* w */
1984 pdb_get_hours_len(sampass), /* d */
1985 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1986 pdb_get_bad_password_count(sampass), /* w */
1987 pdb_get_logon_count(sampass), /* w */
1988 pdb_get_unknown_6(sampass)); /* d */
1994 /* malloc the space needed */
1995 if ( (*buf=(uint8_t*)SMB_MALLOC(len)) == NULL) {
1996 DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
2000 /* now for the real call to tdb_pack() */
2001 buflen = tdb_pack(*buf, len, SAMU_BUFFER_FORMAT_V3,
2003 logoff_time, /* d */
2004 kickoff_time, /* d */
2005 bad_password_time, /* d */
2006 pass_last_set_time, /* d */
2007 pass_can_change_time, /* d */
2008 pass_must_change_time, /* d */
2009 username_len, username, /* B */
2010 domain_len, domain, /* B */
2011 nt_username_len, nt_username, /* B */
2012 fullname_len, fullname, /* B */
2013 homedir_len, homedir, /* B */
2014 dir_drive_len, dir_drive, /* B */
2015 logon_script_len, logon_script, /* B */
2016 profile_path_len, profile_path, /* B */
2017 acct_desc_len, acct_desc, /* B */
2018 workstations_len, workstations, /* B */
2019 comment_len, comment, /* B */
2020 munged_dial_len, munged_dial, /* B */
2023 lm_pw_len, lm_pw, /* B */
2024 nt_pw_len, nt_pw, /* B */
2025 nt_pw_hist_len, nt_pw_hist, /* B */
2026 pdb_get_acct_ctrl(sampass), /* d */
2027 pdb_get_logon_divs(sampass), /* w */
2028 pdb_get_hours_len(sampass), /* d */
2029 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
2030 pdb_get_bad_password_count(sampass), /* w */
2031 pdb_get_logon_count(sampass), /* w */
2032 pdb_get_unknown_6(sampass)); /* d */
2034 /* check to make sure we got it correct */
2035 if (buflen != len) {
2036 DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2037 (unsigned long)buflen, (unsigned long)len));
2046 static bool init_samu_from_buffer_v4(struct samu *sampass, uint8_t *buf, uint32_t buflen)
2048 /* nothing changed between V3 and V4 */
2049 return init_samu_from_buffer_v3(sampass, buf, buflen);
2052 static uint32_t init_buffer_from_samu_v4(uint8_t **buf, struct samu *sampass, bool size_only)
2054 /* nothing changed between V3 and V4 */
2055 return init_buffer_from_samu_v3(buf, sampass, size_only);
2058 /**********************************************************************
2059 Intialize a struct samu struct from a BYTE buffer of size len
2060 *********************************************************************/
2062 bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
2063 uint8_t *buf, uint32_t buflen)
2066 case SAMU_BUFFER_V0:
2067 return init_samu_from_buffer_v0(sampass, buf, buflen);
2068 case SAMU_BUFFER_V1:
2069 return init_samu_from_buffer_v1(sampass, buf, buflen);
2070 case SAMU_BUFFER_V2:
2071 return init_samu_from_buffer_v2(sampass, buf, buflen);
2072 case SAMU_BUFFER_V3:
2073 return init_samu_from_buffer_v3(sampass, buf, buflen);
2074 case SAMU_BUFFER_V4:
2075 return init_samu_from_buffer_v4(sampass, buf, buflen);
2081 /**********************************************************************
2082 Intialize a BYTE buffer from a struct samu struct
2083 *********************************************************************/
2085 uint32_t init_buffer_from_samu (uint8_t **buf, struct samu *sampass, bool size_only)
2087 return init_buffer_from_samu_v4(buf, sampass, size_only);
2090 /*********************************************************************
2091 *********************************************************************/
2093 bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
2095 uint8_t *buf = NULL;
2098 len = init_buffer_from_samu(&buf, src, False);
2099 if (len == -1 || !buf) {
2104 if (!init_samu_from_buffer( dst, SAMU_BUFFER_LATEST, buf, len )) {
2109 dst->methods = src->methods;
2111 if ( src->unix_pw ) {
2112 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
2113 if (!dst->unix_pw) {
2119 if (src->group_sid) {
2120 pdb_set_group_sid(dst, src->group_sid, PDB_SET);
2127 /*********************************************************************
2128 Update the bad password count checking the PDB_POLICY_RESET_COUNT_TIME
2129 *********************************************************************/
2131 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
2133 time_t LastBadPassword;
2134 uint16_t BadPasswordCount;
2138 BadPasswordCount = pdb_get_bad_password_count(sampass);
2139 if (!BadPasswordCount) {
2140 DEBUG(9, ("No bad password attempts.\n"));
2145 res = pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &resettime);
2149 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2153 /* First, check if there is a reset time to compare */
2154 if ((resettime == (uint32_t) -1) || (resettime == 0)) {
2155 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2159 LastBadPassword = pdb_get_bad_password_time(sampass);
2160 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2161 (uint32_t) LastBadPassword, resettime, (uint32_t)time(NULL)));
2162 if (time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(resettime)*60)){
2163 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2164 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2173 /*********************************************************************
2174 Update the ACB_AUTOLOCK flag checking the PDB_POLICY_LOCK_ACCOUNT_DURATION
2175 *********************************************************************/
2177 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
2180 time_t LastBadPassword;
2183 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2184 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2185 pdb_get_username(sampass)));
2190 res = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &duration);
2194 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2198 /* First, check if there is a duration to compare */
2199 if ((duration == (uint32_t) -1) || (duration == 0)) {
2200 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2204 LastBadPassword = pdb_get_bad_password_time(sampass);
2205 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2206 pdb_get_username(sampass), (uint32_t)LastBadPassword, duration*60, (uint32_t)time(NULL)));
2208 if (LastBadPassword == (time_t)0) {
2209 DEBUG(1,("pdb_update_autolock_flag: Account %s "
2210 "administratively locked out with no bad password "
2211 "time. Leaving locked out.\n",
2212 pdb_get_username(sampass) ));
2216 if ((time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(duration) * 60))) {
2217 pdb_set_acct_ctrl(sampass,
2218 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2220 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2221 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2230 /*********************************************************************
2231 Increment the bad_password_count
2232 *********************************************************************/
2234 bool pdb_increment_bad_password_count(struct samu *sampass)
2236 uint32_t account_policy_lockout;
2237 bool autolock_updated = False, badpw_updated = False;
2240 /* Retrieve the account lockout policy */
2242 ret = pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
2245 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2249 /* If there is no policy, we don't need to continue checking */
2250 if (!account_policy_lockout) {
2251 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2255 /* Check if the autolock needs to be cleared */
2256 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2259 /* Check if the badpw count needs to be reset */
2260 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2264 Ok, now we can assume that any resetting that needs to be
2265 done has been done, and just get on with incrementing
2266 and autolocking if necessary
2269 pdb_set_bad_password_count(sampass,
2270 pdb_get_bad_password_count(sampass)+1,
2272 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2275 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2278 if (!pdb_set_acct_ctrl(sampass,
2279 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2281 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
2288 bool is_dc_trusted_domain_situation(const char *domain_name)
2290 return IS_DC && !strequal(domain_name, lp_workgroup());
2293 /*******************************************************************
2294 Wrapper around retrieving the clear text trust account password.
2295 appropriate account name is stored in account_name.
2296 Caller must free password, but not account_name.
2297 *******************************************************************/
2299 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
2300 const char **account_name,
2301 enum netr_SchannelType *channel)
2304 time_t last_set_time;
2306 /* if we are a DC and this is not our domain, then lookup an account
2307 * for the domain trust */
2309 if (is_dc_trusted_domain_situation(domain)) {
2310 if (!lp_allow_trusted_domains()) {
2314 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
2317 DEBUG(0, ("get_trust_pw: could not fetch trust "
2318 "account password for trusted domain %s\n",
2323 if (channel != NULL) {
2324 *channel = SEC_CHAN_DOMAIN;
2327 if (account_name != NULL) {
2328 *account_name = lp_workgroup();
2335 * Since we can only be member of one single domain, we are now
2336 * in a member situation:
2338 * - Either we are a DC (selfjoined) and the domain is our
2340 * - Or we are on a member and the domain is our own or some
2341 * other (potentially trusted) domain.
2343 * In both cases, we can only get the machine account password
2344 * for our own domain to connect to our own dc. (For a member,
2345 * request to trusted domains are performed through our dc.)
2347 * So we simply use our own domain name to retrieve the
2348 * machine account passowrd and ignore the request domain here.
2351 pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
2355 if (account_name != NULL) {
2356 *account_name = global_myname();
2362 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
2363 "account password for domain %s\n", domain));
2367 /*******************************************************************
2368 Wrapper around retrieving the trust account password.
2369 appropriate account name is stored in account_name.
2370 *******************************************************************/
2372 bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
2373 const char **account_name,
2374 enum netr_SchannelType *channel)
2377 time_t last_set_time;
2379 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
2380 E_md4hash(pwd, ret_pwd);
2383 } else if (is_dc_trusted_domain_situation(domain)) {
2387 /* as a fallback, try to get the hashed pwd directly from the tdb... */
2389 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
2393 if (account_name != NULL) {
2394 *account_name = global_myname();
2400 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
2401 "password for domain %s\n", domain));