2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/libcli_auth.h"
28 #include "../libcli/security/security.h"
29 #include "../lib/util/util_pw.h"
32 #define DBGC_CLASS DBGC_PASSDB
34 /******************************************************************
35 Get the default domain/netbios name to be used when
36 testing authentication.
38 LEGACY: this function provides the legacy domain mapping used with
39 the lp_map_untrusted_to_domain() parameter
40 ******************************************************************/
42 const char *my_sam_name(void)
44 /* Standalone servers can only use the local netbios name */
45 if ( lp_server_role() == ROLE_STANDALONE )
46 return global_myname();
48 /* Default to the DOMAIN name when not specified */
49 return lp_workgroup();
52 /**********************************************************************
53 ***********************************************************************/
55 static int samu_destroy(struct samu *user)
57 data_blob_clear_free( &user->lm_pw );
58 data_blob_clear_free( &user->nt_pw );
60 if ( user->plaintext_pw )
61 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
66 /**********************************************************************
67 generate a new struct samuser
68 ***********************************************************************/
70 struct samu *samu_new( TALLOC_CTX *ctx )
74 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
75 DEBUG(0,("samuser_new: Talloc failed!\n"));
79 talloc_set_destructor( user, samu_destroy );
81 /* no initial methods */
85 /* Don't change these timestamp settings without a good reason.
86 They are important for NT member server compatibility. */
88 user->logon_time = (time_t)0;
89 user->pass_last_set_time = (time_t)0;
90 user->pass_can_change_time = (time_t)0;
91 user->logoff_time = get_time_t_max();
92 user->kickoff_time = get_time_t_max();
93 user->pass_must_change_time = get_time_t_max();
94 user->fields_present = 0x00ffffff;
95 user->logon_divs = 168; /* hours per week */
96 user->hours_len = 21; /* 21 times 8 bits = 168 */
97 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
98 user->bad_password_count = 0;
99 user->logon_count = 0;
100 user->unknown_6 = 0x000004ec; /* don't know */
102 /* Some parts of samba strlen their pdb_get...() returns,
103 so this keeps the interface unchanged for now. */
107 user->nt_username = "";
108 user->full_name = "";
110 user->logon_script = "";
111 user->profile_path = "";
112 user->acct_desc = "";
113 user->workstations = "";
115 user->munged_dial = "";
117 user->plaintext_pw = NULL;
119 /* Unless we know otherwise have a Account Control Bit
120 value of 'normal user'. This helps User Manager, which
121 asks for a filtered list of users. */
123 user->acct_ctrl = ACB_NORMAL;
128 static int count_commas(const char *str)
131 const char *comma = str;
133 while ((comma = strchr(comma, ',')) != NULL) {
140 /*********************************************************************
141 Initialize a struct samu from a struct passwd including the user
142 and group SIDs. The *user structure is filled out with the Unix
143 attributes and a user SID.
144 *********************************************************************/
146 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
148 const char *guest_account = lp_guestaccount();
149 const char *domain = global_myname();
154 return NT_STATUS_NO_SUCH_USER;
157 /* Basic properties based upon the Unix account information */
159 pdb_set_username(user, pwd->pw_name, PDB_SET);
163 if (count_commas(pwd->pw_gecos) == 3) {
165 * Heuristic: This seems to be a gecos field that has been
166 * edited by chfn(1). Only use the part before the first
167 * comma. Fixes bug 5198.
169 fullname = talloc_strndup(
170 talloc_tos(), pwd->pw_gecos,
171 strchr(pwd->pw_gecos, ',') - pwd->pw_gecos);
174 if (fullname != NULL) {
175 pdb_set_fullname(user, fullname, PDB_SET);
177 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
179 TALLOC_FREE(fullname);
181 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
183 /* This can lead to a primary group of S-1-22-2-XX which
184 will be rejected by other parts of the Samba code.
185 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
188 gid_to_sid(&group_sid, pwd->pw_gid);
189 pdb_set_group_sid(user, &group_sid, PDB_SET);
192 /* save the password structure for later use */
194 user->unix_pw = tcopy_passwd( user, pwd );
196 /* Special case for the guest account which must have a RID of 501 */
198 if ( strequal( pwd->pw_name, guest_account ) ) {
199 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_RID_GUEST, PDB_DEFAULT)) {
200 return NT_STATUS_NO_SUCH_USER;
205 /* Non-guest accounts...Check for a workstation or user account */
207 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
210 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
211 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
213 return NT_STATUS_INVALID_COMPUTER_NAME;
219 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
220 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
222 return NT_STATUS_INVALID_ACCOUNT_NAME;
225 /* set some basic attributes */
227 pdb_set_profile_path(user, talloc_sub_specified(user,
228 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
230 pdb_set_homedir(user, talloc_sub_specified(user,
231 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
233 pdb_set_dir_drive(user, talloc_sub_specified(user,
234 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
236 pdb_set_logon_script(user, talloc_sub_specified(user,
237 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
241 /* Now deal with the user SID. If we have a backend that can generate
242 RIDs, then do so. But sometimes the caller just wanted a structure
243 initialized and will fill in these fields later (such as from a
244 netr_SamInfo3 structure) */
246 if ( create && (pdb_capabilities() & PDB_CAP_STORE_RIDS)) {
248 struct dom_sid user_sid;
250 if ( !pdb_new_rid( &user_rid ) ) {
251 DEBUG(3, ("Could not allocate a new RID\n"));
252 return NT_STATUS_ACCESS_DENIED;
255 sid_compose(&user_sid, get_global_sam_sid(), user_rid);
257 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
258 DEBUG(3, ("pdb_set_user_sid failed\n"));
259 return NT_STATUS_INTERNAL_ERROR;
265 /* generate a SID for the user with the RID algorithm */
267 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
269 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
270 return NT_STATUS_INTERNAL_ERROR;
276 /********************************************************************
277 Set the Unix user attributes
278 ********************************************************************/
280 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
282 return samu_set_unix_internal( user, pwd, False );
285 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
287 return samu_set_unix_internal( user, pwd, True );
290 /**********************************************************
291 Encode the account control bits into a string.
292 length = length of string to encode into (including terminating
293 null). length *MUST BE MORE THAN 2* !
294 **********************************************************/
296 char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
303 SMB_ASSERT(length <= sizeof(acct_str));
307 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
308 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
309 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
310 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
311 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
312 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
313 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
314 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
315 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
316 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
317 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
319 for ( ; i < length - 2 ; i++ )
324 acct_str[i++] = '\0';
326 result = talloc_strdup(talloc_tos(), acct_str);
327 SMB_ASSERT(result != NULL);
331 /**********************************************************
332 Decode the account control bits from a string.
333 **********************************************************/
335 uint32_t pdb_decode_acct_ctrl(const char *p)
337 uint32_t acct_ctrl = 0;
338 bool finished = false;
341 * Check if the account type bits have been encoded after the
342 * NT password (in the form [NDHTUWSLXI]).
348 for (p++; *p && !finished; p++) {
350 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
351 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
352 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
353 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
354 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
355 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
356 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
357 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
358 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
359 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
360 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
366 default: { finished = true; }
373 /*************************************************************
374 Routine to set 32 hex password characters from a 16 byte array.
375 **************************************************************/
377 void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32_t acct_ctrl)
381 for (i = 0; i < 16; i++)
382 slprintf(&p[i*2], 3, "%02X", pwd[i]);
384 if (acct_ctrl & ACB_PWNOTREQ)
385 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
387 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
391 /*************************************************************
392 Routine to get the 32 hex characters and turn them
393 into a 16 byte array.
394 **************************************************************/
396 bool pdb_gethexpwd(const char *p, unsigned char *pwd)
399 unsigned char lonybble, hinybble;
400 const char *hexchars = "0123456789ABCDEF";
406 for (i = 0; i < 32; i += 2) {
407 hinybble = toupper_ascii(p[i]);
408 lonybble = toupper_ascii(p[i + 1]);
410 p1 = strchr(hexchars, hinybble);
411 p2 = strchr(hexchars, lonybble);
416 hinybble = PTR_DIFF(p1, hexchars);
417 lonybble = PTR_DIFF(p2, hexchars);
419 pwd[i / 2] = (hinybble << 4) | lonybble;
424 /*************************************************************
425 Routine to set 42 hex hours characters from a 21 byte array.
426 **************************************************************/
428 void pdb_sethexhours(char *p, const unsigned char *hours)
432 for (i = 0; i < 21; i++) {
433 slprintf(&p[i*2], 3, "%02X", hours[i]);
436 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
440 /*************************************************************
441 Routine to get the 42 hex characters and turn them
442 into a 21 byte array.
443 **************************************************************/
445 bool pdb_gethexhours(const char *p, unsigned char *hours)
448 unsigned char lonybble, hinybble;
449 const char *hexchars = "0123456789ABCDEF";
456 for (i = 0; i < 42; i += 2) {
457 hinybble = toupper_ascii(p[i]);
458 lonybble = toupper_ascii(p[i + 1]);
460 p1 = strchr(hexchars, hinybble);
461 p2 = strchr(hexchars, lonybble);
467 hinybble = PTR_DIFF(p1, hexchars);
468 lonybble = PTR_DIFF(p2, hexchars);
470 hours[i / 2] = (hinybble << 4) | lonybble;
475 /********************************************************************
476 ********************************************************************/
478 int algorithmic_rid_base(void)
482 rid_offset = lp_algorithmic_rid_base();
484 if (rid_offset < BASE_RID) {
485 /* Try to prevent admin foot-shooting, we can't put algorithmic
486 rids below 1000, that's the 'well known RIDs' on NT */
487 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
488 rid_offset = BASE_RID;
490 if (rid_offset & 1) {
491 DEBUG(0, ("algorithmic rid base must be even\n"));
497 /*******************************************************************
498 Converts NT user RID to a UNIX uid.
499 ********************************************************************/
501 uid_t algorithmic_pdb_user_rid_to_uid(uint32_t user_rid)
503 int rid_offset = algorithmic_rid_base();
504 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
507 uid_t max_algorithmic_uid(void)
509 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
512 /*******************************************************************
513 converts UNIX uid to an NT User RID.
514 ********************************************************************/
516 uint32_t algorithmic_pdb_uid_to_user_rid(uid_t uid)
518 int rid_offset = algorithmic_rid_base();
519 return (((((uint32_t)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
522 /*******************************************************************
523 Converts NT group RID to a UNIX gid.
524 ********************************************************************/
526 gid_t pdb_group_rid_to_gid(uint32_t group_rid)
528 int rid_offset = algorithmic_rid_base();
529 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
532 gid_t max_algorithmic_gid(void)
534 return pdb_group_rid_to_gid(0xffffffff);
537 /*******************************************************************
538 converts NT Group RID to a UNIX uid.
540 warning: you must not call that function only
541 you must do a call to the group mapping first.
542 there is not anymore a direct link between the gid and the rid.
543 ********************************************************************/
545 uint32_t algorithmic_pdb_gid_to_group_rid(gid_t gid)
547 int rid_offset = algorithmic_rid_base();
548 return (((((uint32_t)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
551 /*******************************************************************
552 Decides if a RID is a well known RID.
553 ********************************************************************/
555 static bool rid_is_well_known(uint32_t rid)
557 /* Not using rid_offset here, because this is the actual
558 NT fixed value (1000) */
560 return (rid < BASE_RID);
563 /*******************************************************************
564 Decides if a RID is a user or group RID.
565 ********************************************************************/
567 bool algorithmic_pdb_rid_is_user(uint32_t rid)
569 if ( rid_is_well_known(rid) ) {
571 * The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
572 * and DOMAIN_RID_GUEST.
574 if(rid == DOMAIN_RID_ADMINISTRATOR || rid == DOMAIN_RID_GUEST)
576 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
582 /*******************************************************************
583 Convert a name into a SID. Used in the lookup name rpc.
584 ********************************************************************/
586 bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
587 enum lsa_SidType *type)
592 /* Windows treats "MACHINE\None" as a special name for
593 rid 513 on non-DCs. You cannot create a user or group
594 name "None" on Windows. You will get an error that
595 the group already exists. */
597 if ( strequal( name, "None" ) ) {
598 *rid = DOMAIN_RID_USERS;
599 *type = SID_NAME_DOM_GRP;
604 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
605 * correctly in the case where foo also exists as a user. If the flag
606 * is set, don't look for users at all. */
608 if ((flags & LOOKUP_NAME_GROUP) == 0) {
609 struct samu *sam_account = NULL;
610 struct dom_sid user_sid;
612 if ( !(sam_account = samu_new( NULL )) ) {
617 ret = pdb_getsampwnam(sam_account, name);
621 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
624 TALLOC_FREE(sam_account);
627 if (!sid_check_is_in_our_domain(&user_sid)) {
628 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
629 name, sid_string_dbg(&user_sid)));
633 sid_peek_rid(&user_sid, rid);
634 *type = SID_NAME_USER;
640 * Maybe it is a group ?
644 ret = pdb_getgrnam(&map, name);
651 /* BUILTIN groups are looked up elsewhere */
652 if (!sid_check_is_in_our_domain(&map.sid)) {
653 DEBUG(10, ("Found group %s (%s) not in our domain -- "
654 "ignoring.", name, sid_string_dbg(&map.sid)));
658 /* yes it's a mapped group */
659 sid_peek_rid(&map.sid, rid);
660 *type = map.sid_name_use;
664 /*************************************************************
665 Change a password entry in the local passdb backend.
668 - always called as root
669 - ignores the account type except when adding a new account
670 - will create/delete the unix account if the relative
671 add/delete user script is configured
673 *************************************************************/
675 NTSTATUS local_password_change(const char *user_name,
677 const char *new_passwd,
682 struct samu *sam_pass;
692 tosctx = talloc_tos();
694 sam_pass = samu_new(tosctx);
696 result = NT_STATUS_NO_MEMORY;
700 /* Get the smb passwd entry for this user */
701 user_exists = pdb_getsampwnam(sam_pass, user_name);
703 /* Check delete first, we don't need to do anything else if we
704 * are going to delete the acocunt */
705 if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
707 result = pdb_delete_user(tosctx, sam_pass);
708 if (!NT_STATUS_IS_OK(result)) {
709 ret = asprintf(pp_err_str,
710 "Failed to delete entry for user %s.\n",
715 result = NT_STATUS_UNSUCCESSFUL;
717 ret = asprintf(pp_msg_str,
718 "Deleted user %s.\n",
727 if (user_exists && (local_flags & LOCAL_ADD_USER)) {
728 /* the entry already existed */
729 local_flags &= ~LOCAL_ADD_USER;
732 if (!user_exists && !(local_flags & LOCAL_ADD_USER)) {
733 ret = asprintf(pp_err_str,
734 "Failed to find entry for user %s.\n",
739 result = NT_STATUS_NO_SUCH_USER;
743 /* First thing add the new user if we are required to do so */
744 if (local_flags & LOCAL_ADD_USER) {
746 if (local_flags & LOCAL_TRUST_ACCOUNT) {
748 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
754 result = pdb_create_user(tosctx, user_name, acb, &rid);
755 if (!NT_STATUS_IS_OK(result)) {
756 ret = asprintf(pp_err_str,
757 "Failed to add entry for user %s.\n",
762 result = NT_STATUS_UNSUCCESSFUL;
766 sam_pass = samu_new(tosctx);
768 result = NT_STATUS_NO_MEMORY;
772 /* Now get back the smb passwd entry for this new user */
773 user_exists = pdb_getsampwnam(sam_pass, user_name);
775 ret = asprintf(pp_err_str,
776 "Failed to add entry for user %s.\n",
781 result = NT_STATUS_UNSUCCESSFUL;
786 acb = pdb_get_acct_ctrl(sam_pass);
789 * We are root - just write the new password
790 * and the valid last change time.
792 if ((local_flags & LOCAL_SET_NO_PASSWORD) && !(acb & ACB_PWNOTREQ)) {
794 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
795 ret = asprintf(pp_err_str,
796 "Failed to set 'no password required' "
797 "flag for user %s.\n", user_name);
801 result = NT_STATUS_UNSUCCESSFUL;
806 if (local_flags & LOCAL_SET_PASSWORD) {
808 * If we're dealing with setting a completely empty user account
809 * ie. One with a password of 'XXXX', but not set disabled (like
810 * an account created from scratch) then if the old password was
811 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
812 * We remove that as we're giving this user their first password
813 * and the decision hasn't really been made to disable them (ie.
814 * don't create them disabled). JRA.
816 if ((pdb_get_lanman_passwd(sam_pass) == NULL) &&
817 (acb & ACB_DISABLED)) {
818 acb &= (~ACB_DISABLED);
819 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
820 ret = asprintf(pp_err_str,
821 "Failed to unset 'disabled' "
822 "flag for user %s.\n",
827 result = NT_STATUS_UNSUCCESSFUL;
832 acb &= (~ACB_PWNOTREQ);
833 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
834 ret = asprintf(pp_err_str,
835 "Failed to unset 'no password required'"
836 " flag for user %s.\n", user_name);
840 result = NT_STATUS_UNSUCCESSFUL;
844 if (!pdb_set_plaintext_passwd(sam_pass, new_passwd)) {
845 ret = asprintf(pp_err_str,
846 "Failed to set password for "
847 "user %s.\n", user_name);
851 result = NT_STATUS_UNSUCCESSFUL;
856 if ((local_flags & LOCAL_DISABLE_USER) && !(acb & ACB_DISABLED)) {
858 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
859 ret = asprintf(pp_err_str,
860 "Failed to set 'disabled' flag for "
861 "user %s.\n", user_name);
865 result = NT_STATUS_UNSUCCESSFUL;
870 if ((local_flags & LOCAL_ENABLE_USER) && (acb & ACB_DISABLED)) {
871 acb &= (~ACB_DISABLED);
872 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
873 ret = asprintf(pp_err_str,
874 "Failed to unset 'disabled' flag for "
875 "user %s.\n", user_name);
879 result = NT_STATUS_UNSUCCESSFUL;
884 /* now commit changes if any */
885 result = pdb_update_sam_account(sam_pass);
886 if (!NT_STATUS_IS_OK(result)) {
887 ret = asprintf(pp_err_str,
888 "Failed to modify entry for user %s.\n",
896 if (local_flags & LOCAL_ADD_USER) {
897 ret = asprintf(pp_msg_str, "Added user %s.\n", user_name);
898 } else if (local_flags & LOCAL_DISABLE_USER) {
899 ret = asprintf(pp_msg_str, "Disabled user %s.\n", user_name);
900 } else if (local_flags & LOCAL_ENABLE_USER) {
901 ret = asprintf(pp_msg_str, "Enabled user %s.\n", user_name);
902 } else if (local_flags & LOCAL_SET_NO_PASSWORD) {
903 ret = asprintf(pp_msg_str,
904 "User %s password set to none.\n", user_name);
911 result = NT_STATUS_OK;
914 TALLOC_FREE(sam_pass);
918 /**********************************************************************
919 Marshall/unmarshall struct samu structs.
920 *********************************************************************/
922 #define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
923 #define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
924 #define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
925 #define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
926 /* nothing changed between V3 and V4 */
928 /*********************************************************************
929 *********************************************************************/
931 static bool init_samu_from_buffer_v0(struct samu *sampass, uint8_t *buf, uint32_t buflen)
934 /* times are stored as 32bit integer
935 take care on system with 64bit wide time_t
941 pass_can_change_time,
942 pass_must_change_time;
943 char *username = NULL;
945 char *nt_username = NULL;
946 char *dir_drive = NULL;
947 char *unknown_str = NULL;
948 char *munged_dial = NULL;
949 char *fullname = NULL;
950 char *homedir = NULL;
951 char *logon_script = NULL;
952 char *profile_path = NULL;
953 char *acct_desc = NULL;
954 char *workstations = NULL;
955 uint32_t username_len, domain_len, nt_username_len,
956 dir_drive_len, unknown_str_len, munged_dial_len,
957 fullname_len, homedir_len, logon_script_len,
958 profile_path_len, acct_desc_len, workstations_len;
960 uint32_t user_rid, group_rid, remove_me, hours_len, unknown_6;
961 uint16_t acct_ctrl, logon_divs;
962 uint16_t bad_password_count, logon_count;
963 uint8_t *hours = NULL;
964 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
966 uint32_t lm_pw_len, nt_pw_len, hourslen;
969 if(sampass == NULL || buf == NULL) {
970 DEBUG(0, ("init_samu_from_buffer_v0: NULL parameters found!\n"));
974 /* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
976 /* unpack the buffer into variables */
977 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V0,
979 &logoff_time, /* d */
980 &kickoff_time, /* d */
981 &pass_last_set_time, /* d */
982 &pass_can_change_time, /* d */
983 &pass_must_change_time, /* d */
984 &username_len, &username, /* B */
985 &domain_len, &domain, /* B */
986 &nt_username_len, &nt_username, /* B */
987 &fullname_len, &fullname, /* B */
988 &homedir_len, &homedir, /* B */
989 &dir_drive_len, &dir_drive, /* B */
990 &logon_script_len, &logon_script, /* B */
991 &profile_path_len, &profile_path, /* B */
992 &acct_desc_len, &acct_desc, /* B */
993 &workstations_len, &workstations, /* B */
994 &unknown_str_len, &unknown_str, /* B */
995 &munged_dial_len, &munged_dial, /* B */
998 &lm_pw_len, &lm_pw_ptr, /* B */
999 &nt_pw_len, &nt_pw_ptr, /* B */
1001 &remove_me, /* remove on the next TDB_FORMAT upgarde */ /* d */
1002 &logon_divs, /* w */
1004 &hourslen, &hours, /* B */
1005 &bad_password_count, /* w */
1006 &logon_count, /* w */
1007 &unknown_6); /* d */
1009 if (len == (uint32_t) -1) {
1014 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1015 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1016 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1017 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1018 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1019 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1021 pdb_set_username(sampass, username, PDB_SET);
1022 pdb_set_domain(sampass, domain, PDB_SET);
1023 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1024 pdb_set_fullname(sampass, fullname, PDB_SET);
1027 pdb_set_homedir(sampass, homedir, PDB_SET);
1030 pdb_set_homedir(sampass,
1031 talloc_sub_basic(sampass, username, domain,
1037 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1039 pdb_set_dir_drive(sampass,
1040 talloc_sub_basic(sampass, username, domain,
1046 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1048 pdb_set_logon_script(sampass,
1049 talloc_sub_basic(sampass, username, domain,
1055 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1057 pdb_set_profile_path(sampass,
1058 talloc_sub_basic(sampass, username, domain,
1063 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1064 pdb_set_workstations(sampass, workstations, PDB_SET);
1065 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1067 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1068 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1074 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1075 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1081 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1082 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1083 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1084 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1085 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1086 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1087 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1088 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1089 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1090 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1094 SAFE_FREE(username);
1096 SAFE_FREE(nt_username);
1097 SAFE_FREE(fullname);
1099 SAFE_FREE(dir_drive);
1100 SAFE_FREE(logon_script);
1101 SAFE_FREE(profile_path);
1102 SAFE_FREE(acct_desc);
1103 SAFE_FREE(workstations);
1104 SAFE_FREE(munged_dial);
1105 SAFE_FREE(unknown_str);
1106 SAFE_FREE(lm_pw_ptr);
1107 SAFE_FREE(nt_pw_ptr);
1113 /*********************************************************************
1114 *********************************************************************/
1116 static bool init_samu_from_buffer_v1(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1119 /* times are stored as 32bit integer
1120 take care on system with 64bit wide time_t
1122 uint32_t logon_time,
1127 pass_can_change_time,
1128 pass_must_change_time;
1129 char *username = NULL;
1130 char *domain = NULL;
1131 char *nt_username = NULL;
1132 char *dir_drive = NULL;
1133 char *unknown_str = NULL;
1134 char *munged_dial = NULL;
1135 char *fullname = NULL;
1136 char *homedir = NULL;
1137 char *logon_script = NULL;
1138 char *profile_path = NULL;
1139 char *acct_desc = NULL;
1140 char *workstations = NULL;
1141 uint32_t username_len, domain_len, nt_username_len,
1142 dir_drive_len, unknown_str_len, munged_dial_len,
1143 fullname_len, homedir_len, logon_script_len,
1144 profile_path_len, acct_desc_len, workstations_len;
1146 uint32_t user_rid, group_rid, remove_me, hours_len, unknown_6;
1147 uint16_t acct_ctrl, logon_divs;
1148 uint16_t bad_password_count, logon_count;
1149 uint8_t *hours = NULL;
1150 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1152 uint32_t lm_pw_len, nt_pw_len, hourslen;
1155 if(sampass == NULL || buf == NULL) {
1156 DEBUG(0, ("init_samu_from_buffer_v1: NULL parameters found!\n"));
1160 /* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1162 /* unpack the buffer into variables */
1163 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V1,
1164 &logon_time, /* d */
1165 &logoff_time, /* d */
1166 &kickoff_time, /* d */
1167 /* Change from V0 is addition of bad_password_time field. */
1168 &bad_password_time, /* d */
1169 &pass_last_set_time, /* d */
1170 &pass_can_change_time, /* d */
1171 &pass_must_change_time, /* d */
1172 &username_len, &username, /* B */
1173 &domain_len, &domain, /* B */
1174 &nt_username_len, &nt_username, /* B */
1175 &fullname_len, &fullname, /* B */
1176 &homedir_len, &homedir, /* B */
1177 &dir_drive_len, &dir_drive, /* B */
1178 &logon_script_len, &logon_script, /* B */
1179 &profile_path_len, &profile_path, /* B */
1180 &acct_desc_len, &acct_desc, /* B */
1181 &workstations_len, &workstations, /* B */
1182 &unknown_str_len, &unknown_str, /* B */
1183 &munged_dial_len, &munged_dial, /* B */
1186 &lm_pw_len, &lm_pw_ptr, /* B */
1187 &nt_pw_len, &nt_pw_ptr, /* B */
1190 &logon_divs, /* w */
1192 &hourslen, &hours, /* B */
1193 &bad_password_count, /* w */
1194 &logon_count, /* w */
1195 &unknown_6); /* d */
1197 if (len == (uint32_t) -1) {
1202 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1203 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1204 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1206 /* Change from V0 is addition of bad_password_time field. */
1207 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1208 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1209 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1210 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1212 pdb_set_username(sampass, username, PDB_SET);
1213 pdb_set_domain(sampass, domain, PDB_SET);
1214 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1215 pdb_set_fullname(sampass, fullname, PDB_SET);
1218 pdb_set_homedir(sampass, homedir, PDB_SET);
1221 pdb_set_homedir(sampass,
1222 talloc_sub_basic(sampass, username, domain,
1228 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1230 pdb_set_dir_drive(sampass,
1231 talloc_sub_basic(sampass, username, domain,
1237 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1239 pdb_set_logon_script(sampass,
1240 talloc_sub_basic(sampass, username, domain,
1246 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1248 pdb_set_profile_path(sampass,
1249 talloc_sub_basic(sampass, username, domain,
1254 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1255 pdb_set_workstations(sampass, workstations, PDB_SET);
1256 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1258 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1259 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1265 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1266 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1272 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1274 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1275 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1276 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1277 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1278 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1279 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1280 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1281 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1282 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1286 SAFE_FREE(username);
1288 SAFE_FREE(nt_username);
1289 SAFE_FREE(fullname);
1291 SAFE_FREE(dir_drive);
1292 SAFE_FREE(logon_script);
1293 SAFE_FREE(profile_path);
1294 SAFE_FREE(acct_desc);
1295 SAFE_FREE(workstations);
1296 SAFE_FREE(munged_dial);
1297 SAFE_FREE(unknown_str);
1298 SAFE_FREE(lm_pw_ptr);
1299 SAFE_FREE(nt_pw_ptr);
1305 static bool init_samu_from_buffer_v2(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1308 /* times are stored as 32bit integer
1309 take care on system with 64bit wide time_t
1311 uint32_t logon_time,
1316 pass_can_change_time,
1317 pass_must_change_time;
1318 char *username = NULL;
1319 char *domain = NULL;
1320 char *nt_username = NULL;
1321 char *dir_drive = NULL;
1322 char *unknown_str = NULL;
1323 char *munged_dial = NULL;
1324 char *fullname = NULL;
1325 char *homedir = NULL;
1326 char *logon_script = NULL;
1327 char *profile_path = NULL;
1328 char *acct_desc = NULL;
1329 char *workstations = NULL;
1330 uint32_t username_len, domain_len, nt_username_len,
1331 dir_drive_len, unknown_str_len, munged_dial_len,
1332 fullname_len, homedir_len, logon_script_len,
1333 profile_path_len, acct_desc_len, workstations_len;
1335 uint32_t user_rid, group_rid, hours_len, unknown_6;
1336 uint16_t acct_ctrl, logon_divs;
1337 uint16_t bad_password_count, logon_count;
1338 uint8_t *hours = NULL;
1339 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1341 uint32_t lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1342 uint32_t pwHistLen = 0;
1345 bool expand_explicit = lp_passdb_expand_explicit();
1347 if(sampass == NULL || buf == NULL) {
1348 DEBUG(0, ("init_samu_from_buffer_v2: NULL parameters found!\n"));
1352 /* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1354 /* unpack the buffer into variables */
1355 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V2,
1356 &logon_time, /* d */
1357 &logoff_time, /* d */
1358 &kickoff_time, /* d */
1359 &bad_password_time, /* d */
1360 &pass_last_set_time, /* d */
1361 &pass_can_change_time, /* d */
1362 &pass_must_change_time, /* d */
1363 &username_len, &username, /* B */
1364 &domain_len, &domain, /* B */
1365 &nt_username_len, &nt_username, /* B */
1366 &fullname_len, &fullname, /* B */
1367 &homedir_len, &homedir, /* B */
1368 &dir_drive_len, &dir_drive, /* B */
1369 &logon_script_len, &logon_script, /* B */
1370 &profile_path_len, &profile_path, /* B */
1371 &acct_desc_len, &acct_desc, /* B */
1372 &workstations_len, &workstations, /* B */
1373 &unknown_str_len, &unknown_str, /* B */
1374 &munged_dial_len, &munged_dial, /* B */
1377 &lm_pw_len, &lm_pw_ptr, /* B */
1378 &nt_pw_len, &nt_pw_ptr, /* B */
1379 /* Change from V1 is addition of password history field. */
1380 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1382 /* Also "remove_me" field was removed. */
1383 &logon_divs, /* w */
1385 &hourslen, &hours, /* B */
1386 &bad_password_count, /* w */
1387 &logon_count, /* w */
1388 &unknown_6); /* d */
1390 if (len == (uint32_t) -1) {
1395 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1396 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1397 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1398 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1399 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1400 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1401 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1403 pdb_set_username(sampass, username, PDB_SET);
1404 pdb_set_domain(sampass, domain, PDB_SET);
1405 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1406 pdb_set_fullname(sampass, fullname, PDB_SET);
1409 fstrcpy( tmp_string, homedir );
1410 if (expand_explicit) {
1411 standard_sub_basic( username, domain, tmp_string,
1412 sizeof(tmp_string) );
1414 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1417 pdb_set_homedir(sampass,
1418 talloc_sub_basic(sampass, username, domain,
1424 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1426 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1429 fstrcpy( tmp_string, logon_script );
1430 if (expand_explicit) {
1431 standard_sub_basic( username, domain, tmp_string,
1432 sizeof(tmp_string) );
1434 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1437 pdb_set_logon_script(sampass,
1438 talloc_sub_basic(sampass, username, domain,
1444 fstrcpy( tmp_string, profile_path );
1445 if (expand_explicit) {
1446 standard_sub_basic( username, domain, tmp_string,
1447 sizeof(tmp_string) );
1449 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1452 pdb_set_profile_path(sampass,
1453 talloc_sub_basic(sampass, username, domain,
1458 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1459 pdb_set_workstations(sampass, workstations, PDB_SET);
1460 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1462 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1463 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1469 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1470 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1476 /* Change from V1 is addition of password history field. */
1477 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1479 uint8_t *pw_hist = SMB_MALLOC_ARRAY(uint8_t, pwHistLen * PW_HISTORY_ENTRY_LEN);
1484 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1485 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1487 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1488 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1489 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1490 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1491 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1492 PW_HISTORY_ENTRY_LEN);
1495 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1502 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1505 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1506 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1507 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1508 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1509 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1510 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1511 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1512 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1513 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1517 SAFE_FREE(username);
1519 SAFE_FREE(nt_username);
1520 SAFE_FREE(fullname);
1522 SAFE_FREE(dir_drive);
1523 SAFE_FREE(logon_script);
1524 SAFE_FREE(profile_path);
1525 SAFE_FREE(acct_desc);
1526 SAFE_FREE(workstations);
1527 SAFE_FREE(munged_dial);
1528 SAFE_FREE(unknown_str);
1529 SAFE_FREE(lm_pw_ptr);
1530 SAFE_FREE(nt_pw_ptr);
1531 SAFE_FREE(nt_pw_hist_ptr);
1537 /*********************************************************************
1538 *********************************************************************/
1540 static bool init_samu_from_buffer_v3(struct samu *sampass, uint8_t *buf, uint32_t buflen)
1543 /* times are stored as 32bit integer
1544 take care on system with 64bit wide time_t
1546 uint32_t logon_time,
1551 pass_can_change_time,
1552 pass_must_change_time;
1553 char *username = NULL;
1554 char *domain = NULL;
1555 char *nt_username = NULL;
1556 char *dir_drive = NULL;
1557 char *comment = NULL;
1558 char *munged_dial = NULL;
1559 char *fullname = NULL;
1560 char *homedir = NULL;
1561 char *logon_script = NULL;
1562 char *profile_path = NULL;
1563 char *acct_desc = NULL;
1564 char *workstations = NULL;
1565 uint32_t username_len, domain_len, nt_username_len,
1566 dir_drive_len, comment_len, munged_dial_len,
1567 fullname_len, homedir_len, logon_script_len,
1568 profile_path_len, acct_desc_len, workstations_len;
1570 uint32_t user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
1571 uint16_t logon_divs;
1572 uint16_t bad_password_count, logon_count;
1573 uint8_t *hours = NULL;
1574 uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1576 uint32_t lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1577 uint32_t pwHistLen = 0;
1580 bool expand_explicit = lp_passdb_expand_explicit();
1582 if(sampass == NULL || buf == NULL) {
1583 DEBUG(0, ("init_samu_from_buffer_v3: NULL parameters found!\n"));
1587 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1589 /* unpack the buffer into variables */
1590 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V3,
1591 &logon_time, /* d */
1592 &logoff_time, /* d */
1593 &kickoff_time, /* d */
1594 &bad_password_time, /* d */
1595 &pass_last_set_time, /* d */
1596 &pass_can_change_time, /* d */
1597 &pass_must_change_time, /* d */
1598 &username_len, &username, /* B */
1599 &domain_len, &domain, /* B */
1600 &nt_username_len, &nt_username, /* B */
1601 &fullname_len, &fullname, /* B */
1602 &homedir_len, &homedir, /* B */
1603 &dir_drive_len, &dir_drive, /* B */
1604 &logon_script_len, &logon_script, /* B */
1605 &profile_path_len, &profile_path, /* B */
1606 &acct_desc_len, &acct_desc, /* B */
1607 &workstations_len, &workstations, /* B */
1608 &comment_len, &comment, /* B */
1609 &munged_dial_len, &munged_dial, /* B */
1612 &lm_pw_len, &lm_pw_ptr, /* B */
1613 &nt_pw_len, &nt_pw_ptr, /* B */
1614 /* Change from V1 is addition of password history field. */
1615 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1616 /* Change from V2 is the uint32_t acb_mask */
1618 /* Also "remove_me" field was removed. */
1619 &logon_divs, /* w */
1621 &hourslen, &hours, /* B */
1622 &bad_password_count, /* w */
1623 &logon_count, /* w */
1624 &unknown_6); /* d */
1626 if (len == (uint32_t) -1) {
1631 pdb_set_logon_time(sampass, convert_uint32_t_to_time_t(logon_time), PDB_SET);
1632 pdb_set_logoff_time(sampass, convert_uint32_t_to_time_t(logoff_time), PDB_SET);
1633 pdb_set_kickoff_time(sampass, convert_uint32_t_to_time_t(kickoff_time), PDB_SET);
1634 pdb_set_bad_password_time(sampass, convert_uint32_t_to_time_t(bad_password_time), PDB_SET);
1635 pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET);
1636 pdb_set_pass_must_change_time(sampass, convert_uint32_t_to_time_t(pass_must_change_time), PDB_SET);
1637 pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET);
1639 pdb_set_username(sampass, username, PDB_SET);
1640 pdb_set_domain(sampass, domain, PDB_SET);
1641 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1642 pdb_set_fullname(sampass, fullname, PDB_SET);
1645 fstrcpy( tmp_string, homedir );
1646 if (expand_explicit) {
1647 standard_sub_basic( username, domain, tmp_string,
1648 sizeof(tmp_string) );
1650 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1653 pdb_set_homedir(sampass,
1654 talloc_sub_basic(sampass, username, domain,
1660 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1662 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1665 fstrcpy( tmp_string, logon_script );
1666 if (expand_explicit) {
1667 standard_sub_basic( username, domain, tmp_string,
1668 sizeof(tmp_string) );
1670 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1673 pdb_set_logon_script(sampass,
1674 talloc_sub_basic(sampass, username, domain,
1680 fstrcpy( tmp_string, profile_path );
1681 if (expand_explicit) {
1682 standard_sub_basic( username, domain, tmp_string,
1683 sizeof(tmp_string) );
1685 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1688 pdb_set_profile_path(sampass,
1689 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
1693 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1694 pdb_set_comment(sampass, comment, PDB_SET);
1695 pdb_set_workstations(sampass, workstations, PDB_SET);
1696 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1698 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1699 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1705 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1706 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1712 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1714 uint8_t *pw_hist = (uint8_t *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1719 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1720 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1722 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1723 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1724 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1725 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1726 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1727 PW_HISTORY_ENTRY_LEN);
1730 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1737 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1740 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1741 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1742 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1743 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1744 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1745 /* Change from V2 is the uint32_t acct_ctrl */
1746 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1747 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1748 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
1752 SAFE_FREE(username);
1754 SAFE_FREE(nt_username);
1755 SAFE_FREE(fullname);
1757 SAFE_FREE(dir_drive);
1758 SAFE_FREE(logon_script);
1759 SAFE_FREE(profile_path);
1760 SAFE_FREE(acct_desc);
1761 SAFE_FREE(workstations);
1762 SAFE_FREE(munged_dial);
1764 SAFE_FREE(lm_pw_ptr);
1765 SAFE_FREE(nt_pw_ptr);
1766 SAFE_FREE(nt_pw_hist_ptr);
1772 /*********************************************************************
1773 *********************************************************************/
1775 static uint32_t init_buffer_from_samu_v3 (uint8_t **buf, struct samu *sampass, bool size_only)
1779 /* times are stored as 32bit integer
1780 take care on system with 64bit wide time_t
1782 uint32_t logon_time,
1787 pass_can_change_time,
1788 pass_must_change_time;
1790 uint32_t user_rid, group_rid;
1792 const char *username;
1794 const char *nt_username;
1795 const char *dir_drive;
1796 const char *comment;
1797 const char *munged_dial;
1798 const char *fullname;
1799 const char *homedir;
1800 const char *logon_script;
1801 const char *profile_path;
1802 const char *acct_desc;
1803 const char *workstations;
1804 uint32_t username_len, domain_len, nt_username_len,
1805 dir_drive_len, comment_len, munged_dial_len,
1806 fullname_len, homedir_len, logon_script_len,
1807 profile_path_len, acct_desc_len, workstations_len;
1809 const uint8_t *lm_pw;
1810 const uint8_t *nt_pw;
1811 const uint8_t *nt_pw_hist;
1812 uint32_t lm_pw_len = 16;
1813 uint32_t nt_pw_len = 16;
1814 uint32_t nt_pw_hist_len;
1815 uint32_t pwHistLen = 0;
1820 logon_time = convert_time_t_to_uint32_t(pdb_get_logon_time(sampass));
1821 logoff_time = convert_time_t_to_uint32_t(pdb_get_logoff_time(sampass));
1822 kickoff_time = convert_time_t_to_uint32_t(pdb_get_kickoff_time(sampass));
1823 bad_password_time = convert_time_t_to_uint32_t(pdb_get_bad_password_time(sampass));
1824 pass_can_change_time = convert_time_t_to_uint32_t(pdb_get_pass_can_change_time_noncalc(sampass));
1825 pass_must_change_time = convert_time_t_to_uint32_t(pdb_get_pass_must_change_time(sampass));
1826 pass_last_set_time = convert_time_t_to_uint32_t(pdb_get_pass_last_set_time(sampass));
1828 user_rid = pdb_get_user_rid(sampass);
1829 group_rid = pdb_get_group_rid(sampass);
1831 username = pdb_get_username(sampass);
1833 username_len = strlen(username) +1;
1838 domain = pdb_get_domain(sampass);
1840 domain_len = strlen(domain) +1;
1845 nt_username = pdb_get_nt_username(sampass);
1847 nt_username_len = strlen(nt_username) +1;
1849 nt_username_len = 0;
1852 fullname = pdb_get_fullname(sampass);
1854 fullname_len = strlen(fullname) +1;
1860 * Only updates fields which have been set (not defaults from smb.conf)
1863 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1864 dir_drive = pdb_get_dir_drive(sampass);
1869 dir_drive_len = strlen(dir_drive) +1;
1874 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1875 homedir = pdb_get_homedir(sampass);
1880 homedir_len = strlen(homedir) +1;
1885 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1886 logon_script = pdb_get_logon_script(sampass);
1888 logon_script = NULL;
1891 logon_script_len = strlen(logon_script) +1;
1893 logon_script_len = 0;
1896 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1897 profile_path = pdb_get_profile_path(sampass);
1899 profile_path = NULL;
1902 profile_path_len = strlen(profile_path) +1;
1904 profile_path_len = 0;
1907 lm_pw = pdb_get_lanman_passwd(sampass);
1912 nt_pw = pdb_get_nt_passwd(sampass);
1917 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1918 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1919 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1920 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1925 acct_desc = pdb_get_acct_desc(sampass);
1927 acct_desc_len = strlen(acct_desc) +1;
1932 workstations = pdb_get_workstations(sampass);
1934 workstations_len = strlen(workstations) +1;
1936 workstations_len = 0;
1939 comment = pdb_get_comment(sampass);
1941 comment_len = strlen(comment) +1;
1946 munged_dial = pdb_get_munged_dial(sampass);
1948 munged_dial_len = strlen(munged_dial) +1;
1950 munged_dial_len = 0;
1953 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1955 /* one time to get the size needed */
1956 len = tdb_pack(NULL, 0, SAMU_BUFFER_FORMAT_V3,
1958 logoff_time, /* d */
1959 kickoff_time, /* d */
1960 bad_password_time, /* d */
1961 pass_last_set_time, /* d */
1962 pass_can_change_time, /* d */
1963 pass_must_change_time, /* d */
1964 username_len, username, /* B */
1965 domain_len, domain, /* B */
1966 nt_username_len, nt_username, /* B */
1967 fullname_len, fullname, /* B */
1968 homedir_len, homedir, /* B */
1969 dir_drive_len, dir_drive, /* B */
1970 logon_script_len, logon_script, /* B */
1971 profile_path_len, profile_path, /* B */
1972 acct_desc_len, acct_desc, /* B */
1973 workstations_len, workstations, /* B */
1974 comment_len, comment, /* B */
1975 munged_dial_len, munged_dial, /* B */
1978 lm_pw_len, lm_pw, /* B */
1979 nt_pw_len, nt_pw, /* B */
1980 nt_pw_hist_len, nt_pw_hist, /* B */
1981 pdb_get_acct_ctrl(sampass), /* d */
1982 pdb_get_logon_divs(sampass), /* w */
1983 pdb_get_hours_len(sampass), /* d */
1984 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1985 pdb_get_bad_password_count(sampass), /* w */
1986 pdb_get_logon_count(sampass), /* w */
1987 pdb_get_unknown_6(sampass)); /* d */
1993 /* malloc the space needed */
1994 if ( (*buf=(uint8_t*)SMB_MALLOC(len)) == NULL) {
1995 DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
1999 /* now for the real call to tdb_pack() */
2000 buflen = tdb_pack(*buf, len, SAMU_BUFFER_FORMAT_V3,
2002 logoff_time, /* d */
2003 kickoff_time, /* d */
2004 bad_password_time, /* d */
2005 pass_last_set_time, /* d */
2006 pass_can_change_time, /* d */
2007 pass_must_change_time, /* d */
2008 username_len, username, /* B */
2009 domain_len, domain, /* B */
2010 nt_username_len, nt_username, /* B */
2011 fullname_len, fullname, /* B */
2012 homedir_len, homedir, /* B */
2013 dir_drive_len, dir_drive, /* B */
2014 logon_script_len, logon_script, /* B */
2015 profile_path_len, profile_path, /* B */
2016 acct_desc_len, acct_desc, /* B */
2017 workstations_len, workstations, /* B */
2018 comment_len, comment, /* B */
2019 munged_dial_len, munged_dial, /* B */
2022 lm_pw_len, lm_pw, /* B */
2023 nt_pw_len, nt_pw, /* B */
2024 nt_pw_hist_len, nt_pw_hist, /* B */
2025 pdb_get_acct_ctrl(sampass), /* d */
2026 pdb_get_logon_divs(sampass), /* w */
2027 pdb_get_hours_len(sampass), /* d */
2028 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
2029 pdb_get_bad_password_count(sampass), /* w */
2030 pdb_get_logon_count(sampass), /* w */
2031 pdb_get_unknown_6(sampass)); /* d */
2033 /* check to make sure we got it correct */
2034 if (buflen != len) {
2035 DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2036 (unsigned long)buflen, (unsigned long)len));
2045 static bool init_samu_from_buffer_v4(struct samu *sampass, uint8_t *buf, uint32_t buflen)
2047 /* nothing changed between V3 and V4 */
2048 return init_samu_from_buffer_v3(sampass, buf, buflen);
2051 static uint32_t init_buffer_from_samu_v4(uint8_t **buf, struct samu *sampass, bool size_only)
2053 /* nothing changed between V3 and V4 */
2054 return init_buffer_from_samu_v3(buf, sampass, size_only);
2057 /**********************************************************************
2058 Intialize a struct samu struct from a BYTE buffer of size len
2059 *********************************************************************/
2061 bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
2062 uint8_t *buf, uint32_t buflen)
2065 case SAMU_BUFFER_V0:
2066 return init_samu_from_buffer_v0(sampass, buf, buflen);
2067 case SAMU_BUFFER_V1:
2068 return init_samu_from_buffer_v1(sampass, buf, buflen);
2069 case SAMU_BUFFER_V2:
2070 return init_samu_from_buffer_v2(sampass, buf, buflen);
2071 case SAMU_BUFFER_V3:
2072 return init_samu_from_buffer_v3(sampass, buf, buflen);
2073 case SAMU_BUFFER_V4:
2074 return init_samu_from_buffer_v4(sampass, buf, buflen);
2080 /**********************************************************************
2081 Intialize a BYTE buffer from a struct samu struct
2082 *********************************************************************/
2084 uint32_t init_buffer_from_samu (uint8_t **buf, struct samu *sampass, bool size_only)
2086 return init_buffer_from_samu_v4(buf, sampass, size_only);
2089 /*********************************************************************
2090 *********************************************************************/
2092 bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
2094 uint8_t *buf = NULL;
2097 len = init_buffer_from_samu(&buf, src, False);
2098 if (len == -1 || !buf) {
2103 if (!init_samu_from_buffer( dst, SAMU_BUFFER_LATEST, buf, len )) {
2108 dst->methods = src->methods;
2110 if ( src->unix_pw ) {
2111 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
2112 if (!dst->unix_pw) {
2118 if (src->group_sid) {
2119 pdb_set_group_sid(dst, src->group_sid, PDB_SET);
2126 /*********************************************************************
2127 Update the bad password count checking the PDB_POLICY_RESET_COUNT_TIME
2128 *********************************************************************/
2130 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
2132 time_t LastBadPassword;
2133 uint16_t BadPasswordCount;
2137 BadPasswordCount = pdb_get_bad_password_count(sampass);
2138 if (!BadPasswordCount) {
2139 DEBUG(9, ("No bad password attempts.\n"));
2144 res = pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &resettime);
2148 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2152 /* First, check if there is a reset time to compare */
2153 if ((resettime == (uint32_t) -1) || (resettime == 0)) {
2154 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2158 LastBadPassword = pdb_get_bad_password_time(sampass);
2159 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2160 (uint32_t) LastBadPassword, resettime, (uint32_t)time(NULL)));
2161 if (time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(resettime)*60)){
2162 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2163 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2172 /*********************************************************************
2173 Update the ACB_AUTOLOCK flag checking the PDB_POLICY_LOCK_ACCOUNT_DURATION
2174 *********************************************************************/
2176 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
2179 time_t LastBadPassword;
2182 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2183 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2184 pdb_get_username(sampass)));
2189 res = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &duration);
2193 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2197 /* First, check if there is a duration to compare */
2198 if ((duration == (uint32_t) -1) || (duration == 0)) {
2199 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2203 LastBadPassword = pdb_get_bad_password_time(sampass);
2204 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2205 pdb_get_username(sampass), (uint32_t)LastBadPassword, duration*60, (uint32_t)time(NULL)));
2207 if (LastBadPassword == (time_t)0) {
2208 DEBUG(1,("pdb_update_autolock_flag: Account %s "
2209 "administratively locked out with no bad password "
2210 "time. Leaving locked out.\n",
2211 pdb_get_username(sampass) ));
2215 if ((time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(duration) * 60))) {
2216 pdb_set_acct_ctrl(sampass,
2217 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2219 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2220 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2229 /*********************************************************************
2230 Increment the bad_password_count
2231 *********************************************************************/
2233 bool pdb_increment_bad_password_count(struct samu *sampass)
2235 uint32_t account_policy_lockout;
2236 bool autolock_updated = False, badpw_updated = False;
2239 /* Retrieve the account lockout policy */
2241 ret = pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
2244 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2248 /* If there is no policy, we don't need to continue checking */
2249 if (!account_policy_lockout) {
2250 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2254 /* Check if the autolock needs to be cleared */
2255 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2258 /* Check if the badpw count needs to be reset */
2259 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2263 Ok, now we can assume that any resetting that needs to be
2264 done has been done, and just get on with incrementing
2265 and autolocking if necessary
2268 pdb_set_bad_password_count(sampass,
2269 pdb_get_bad_password_count(sampass)+1,
2271 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2274 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2277 if (!pdb_set_acct_ctrl(sampass,
2278 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2280 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
2287 bool is_dc_trusted_domain_situation(const char *domain_name)
2289 return IS_DC && !strequal(domain_name, lp_workgroup());
2292 /*******************************************************************
2293 Wrapper around retrieving the clear text trust account password.
2294 appropriate account name is stored in account_name.
2295 Caller must free password, but not account_name.
2296 *******************************************************************/
2298 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
2299 const char **account_name,
2300 enum netr_SchannelType *channel)
2303 time_t last_set_time;
2305 /* if we are a DC and this is not our domain, then lookup an account
2306 * for the domain trust */
2308 if (is_dc_trusted_domain_situation(domain)) {
2309 if (!lp_allow_trusted_domains()) {
2313 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
2316 DEBUG(0, ("get_trust_pw: could not fetch trust "
2317 "account password for trusted domain %s\n",
2322 if (channel != NULL) {
2323 *channel = SEC_CHAN_DOMAIN;
2326 if (account_name != NULL) {
2327 *account_name = lp_workgroup();
2334 * Since we can only be member of one single domain, we are now
2335 * in a member situation:
2337 * - Either we are a DC (selfjoined) and the domain is our
2339 * - Or we are on a member and the domain is our own or some
2340 * other (potentially trusted) domain.
2342 * In both cases, we can only get the machine account password
2343 * for our own domain to connect to our own dc. (For a member,
2344 * request to trusted domains are performed through our dc.)
2346 * So we simply use our own domain name to retrieve the
2347 * machine account passowrd and ignore the request domain here.
2350 pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
2354 if (account_name != NULL) {
2355 *account_name = global_myname();
2361 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
2362 "account password for domain %s\n", domain));
2366 /*******************************************************************
2367 Wrapper around retrieving the trust account password.
2368 appropriate account name is stored in account_name.
2369 *******************************************************************/
2371 bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
2372 const char **account_name,
2373 enum netr_SchannelType *channel)
2376 time_t last_set_time;
2378 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
2379 E_md4hash(pwd, ret_pwd);
2382 } else if (is_dc_trusted_domain_situation(domain)) {
2386 /* as a fallback, try to get the hashed pwd directly from the tdb... */
2388 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
2392 if (account_name != NULL) {
2393 *account_name = global_myname();
2399 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
2400 "password for domain %s\n", domain));