-/*
+/*
Unix SMB/CIFS implementation.
Password and authentication handling
Copyright (C) Jeremy Allison 1996-2001
#include "../libcli/security/security.h"
#include "../lib/util/util_pw.h"
#include "util_tdb.h"
+#include "auth/credentials/credentials.h"
+#include "lib/param/param.h"
+#include "lib/util/string_wrappers.h"
+#include "source3/lib/substitute.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
-/******************************************************************
- Get the default domain/netbios name to be used when
- testing authentication.
-
- LEGACY: this function provides the legacy domain mapping used with
- the lp_map_untrusted_to_domain() parameter
-******************************************************************/
-
-const char *my_sam_name(void)
-{
- /* Standalone servers can only use the local netbios name */
- if ( lp_server_role() == ROLE_STANDALONE )
- return lp_netbios_name();
-
- /* Default to the DOMAIN name when not specified */
- return lp_workgroup();
-}
-
/**********************************************************************
***********************************************************************/
-static int samu_destroy(struct samu *user)
+static int samu_destroy(struct samu *user)
{
data_blob_clear_free( &user->lm_pw );
data_blob_clear_free( &user->nt_pw );
if ( user->plaintext_pw )
- memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
+ BURN_STR(user->plaintext_pw);
return 0;
}
user->pass_can_change_time = (time_t)0;
user->logoff_time = get_time_t_max();
user->kickoff_time = get_time_t_max();
- user->pass_must_change_time = get_time_t_max();
user->fields_present = 0x00ffffff;
user->logon_divs = 168; /* hours per week */
user->hours_len = 21; /* 21 times 8 bits = 168 */
user->logon_count = 0;
user->unknown_6 = 0x000004ec; /* don't know */
- /* Some parts of samba strlen their pdb_get...() returns,
+ /* Some parts of samba strlen their pdb_get...() returns,
so this keeps the interface unchanged for now. */
user->username = "";
}
/*********************************************************************
- Initialize a struct samu from a struct passwd including the user
+ Initialize a struct samu from a struct passwd including the user
and group SIDs. The *user structure is filled out with the Unix
attributes and a user SID.
*********************************************************************/
-static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
+static NTSTATUS samu_set_unix_internal(struct pdb_methods *methods,
+ struct samu *user, const struct passwd *pwd, bool create)
{
- const char *guest_account = lp_guestaccount();
+ const char *guest_account = lp_guest_account();
const char *domain = lp_netbios_name();
char *fullname;
uint32_t urid;
+ bool ok;
if ( !pwd ) {
return NT_STATUS_NO_SUCH_USER;
/* Basic properties based upon the Unix account information */
- pdb_set_username(user, pwd->pw_name, PDB_SET);
+ ok = pdb_set_username(user, pwd->pw_name, PDB_SET);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
fullname = NULL;
fullname = talloc_strndup(
talloc_tos(), pwd->pw_gecos,
strchr(pwd->pw_gecos, ',') - pwd->pw_gecos);
+ if (fullname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (fullname != NULL) {
- pdb_set_fullname(user, fullname, PDB_SET);
+ ok = pdb_set_fullname(user, fullname, PDB_SET);
} else {
- pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
+ ok = pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
}
TALLOC_FREE(fullname);
- pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = pdb_set_domain(user, get_global_sam_name(), PDB_DEFAULT);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
#if 0
- /* This can lead to a primary group of S-1-22-2-XX which
- will be rejected by other parts of the Samba code.
- Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
+ /* This can lead to a primary group of S-1-22-2-XX which
+ will be rejected by other parts of the Samba code.
+ Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
--jerry */
gid_to_sid(&group_sid, pwd->pw_gid);
/* save the password structure for later use */
user->unix_pw = tcopy_passwd( user, pwd );
+ if (user->unix_pw == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
/* Special case for the guest account which must have a RID of 501 */
/* workstation */
if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
- DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
+ DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
pwd->pw_name));
return NT_STATUS_INVALID_COMPUTER_NAME;
- }
- }
+ }
+ }
else {
/* user */
if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
- DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
+ DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
pwd->pw_name));
return NT_STATUS_INVALID_ACCOUNT_NAME;
}
/* set some basic attributes */
- pdb_set_profile_path(user, talloc_sub_specified(user,
- lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- pdb_set_homedir(user, talloc_sub_specified(user,
- lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
+ ok = pdb_set_profile_path(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_path(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
PDB_DEFAULT);
- pdb_set_dir_drive(user, talloc_sub_specified(user,
- lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
+ ok &= pdb_set_homedir(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_home(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
PDB_DEFAULT);
- pdb_set_logon_script(user, talloc_sub_specified(user,
- lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
+ ok &= pdb_set_dir_drive(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_drive(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
PDB_DEFAULT);
+ ok &= pdb_set_logon_script(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_script(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
+ PDB_DEFAULT);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
- /* Now deal with the user SID. If we have a backend that can generate
- RIDs, then do so. But sometimes the caller just wanted a structure
- initialized and will fill in these fields later (such as from a
+ /* Now deal with the user SID. If we have a backend that can generate
+ RIDs, then do so. But sometimes the caller just wanted a structure
+ initialized and will fill in these fields later (such as from a
netr_SamInfo3 structure) */
- if ( create && (pdb_capabilities() & PDB_CAP_STORE_RIDS)) {
+ if ( create && (methods->capabilities(methods) & PDB_CAP_STORE_RIDS)) {
uint32_t user_rid;
struct dom_sid user_sid;
- if ( !pdb_new_rid( &user_rid ) ) {
+ if ( !methods->new_rid(methods, &user_rid) ) {
DEBUG(3, ("Could not allocate a new RID\n"));
return NT_STATUS_ACCESS_DENIED;
}
NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
{
- return samu_set_unix_internal( user, pwd, False );
+ return samu_set_unix_internal( NULL, user, pwd, False );
}
-NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
+NTSTATUS samu_alloc_rid_unix(struct pdb_methods *methods,
+ struct samu *user, const struct passwd *pwd)
{
- return samu_set_unix_internal( user, pwd, True );
+ return samu_set_unix_internal( methods, user, pwd, True );
}
/**********************************************************
if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
- if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
+ if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
result = talloc_strdup(talloc_tos(), acct_str);
SMB_ASSERT(result != NULL);
return result;
-}
+}
/**********************************************************
Decode the account control bits from a string.
case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
- case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
- case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
- case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
- case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
- case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
- case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
- case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
+ case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
+ case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
+ case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
+ case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
+ case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
+ case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
+ case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
case ' ': { break; }
case ':':
case '\n':
- case '\0':
+ case '\0':
case ']':
default: { finished = true; }
}
void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32_t acct_ctrl)
{
if (pwd != NULL) {
- int i;
- for (i = 0; i < 16; i++)
- slprintf(&p[i*2], 3, "%02X", pwd[i]);
+ hex_encode_buf(p, pwd, 16);
} else {
if (acct_ctrl & ACB_PWNOTREQ)
strlcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
void pdb_sethexhours(char *p, const unsigned char *hours)
{
if (hours != NULL) {
- int i;
- for (i = 0; i < 21; i++) {
- slprintf(&p[i*2], 3, "%02X", hours[i]);
- }
+ hex_encode_buf(p, hours, 21);
} else {
strlcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 44);
}
rid_offset = lp_algorithmic_rid_base();
- if (rid_offset < BASE_RID) {
+ if (rid_offset < BASE_RID) {
/* Try to prevent admin foot-shooting, we can't put algorithmic
rids below 1000, that's the 'well known RIDs' on NT */
DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
/*******************************************************************
converts NT Group RID to a UNIX uid.
-
+
warning: you must not call that function only
you must do a call to the group mapping first.
there is not anymore a direct link between the gid and the rid.
bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
enum lsa_SidType *type)
{
- GROUP_MAP map;
+ GROUP_MAP *map;
bool ret;
- /* Windows treats "MACHINE\None" as a special name for
+ /* Windows treats "MACHINE\None" as a special name for
rid 513 on non-DCs. You cannot create a user or group
- name "None" on Windows. You will get an error that
+ name "None" on Windows. You will get an error that
the group already exists. */
if ( strequal( name, "None" ) ) {
TALLOC_FREE(sam_account);
if (ret) {
- if (!sid_check_is_in_our_domain(&user_sid)) {
- DEBUG(0, ("User %s with invalid SID %s in passdb\n",
- name, sid_string_dbg(&user_sid)));
+ if (!sid_check_is_in_our_sam(&user_sid)) {
+ struct dom_sid_buf buf;
+ DBG_ERR("User %s with invalid SID %s"
+ " in passdb\n",
+ name,
+ dom_sid_str_buf(&user_sid, &buf));
return False;
}
* Maybe it is a group ?
*/
+ map = talloc_zero(NULL, GROUP_MAP);
+ if (!map) {
+ return false;
+ }
+
become_root();
- ret = pdb_getgrnam(&map, name);
+ ret = pdb_getgrnam(map, name);
unbecome_root();
if (!ret) {
+ TALLOC_FREE(map);
return False;
}
/* BUILTIN groups are looked up elsewhere */
- if (!sid_check_is_in_our_domain(&map.sid)) {
+ if (!sid_check_is_in_our_sam(&map->sid)) {
+ struct dom_sid_buf buf;
DEBUG(10, ("Found group %s (%s) not in our domain -- "
- "ignoring.", name, sid_string_dbg(&map.sid)));
+ "ignoring.\n",
+ name,
+ dom_sid_str_buf(&map->sid, &buf)));
+ TALLOC_FREE(map);
return False;
}
/* yes it's a mapped group */
- sid_peek_rid(&map.sid, rid);
- *type = map.sid_name_use;
+ sid_peek_rid(&map->sid, rid);
+ *type = map->sid_name_use;
+ TALLOC_FREE(map);
return True;
}
NTSTATUS local_password_change(const char *user_name,
int local_flags,
- const char *new_passwd,
+ const char *new_passwd,
char **pp_err_str,
char **pp_msg_str)
{
user_exists = pdb_getsampwnam(sam_pass, user_name);
/* Check delete first, we don't need to do anything else if we
- * are going to delete the acocunt */
+ * are going to delete the account */
if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
result = pdb_delete_user(tosctx, sam_pass);
pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, homedir, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else {
- pdb_set_dir_drive(sampass,
+ pdb_set_dir_drive(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_drive()),
PDB_DEFAULT);
}
- if (logon_script)
+ if (logon_script)
pdb_set_logon_script(sampass, logon_script, PDB_SET);
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
pdb_set_profile_path(sampass, profile_path, PDB_SET);
} else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_path()),
PDB_DEFAULT);
/* Change from V0 is addition of bad_password_time field. */
pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, homedir, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else {
- pdb_set_dir_drive(sampass,
+ pdb_set_dir_drive(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_drive()),
PDB_DEFAULT);
}
- if (logon_script)
+ if (logon_script)
pdb_set_logon_script(sampass, logon_script, PDB_SET);
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
pdb_set_profile_path(sampass, profile_path, PDB_SET);
} else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_path()),
PDB_DEFAULT);
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else
pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
pdb_set_logon_script(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
fstrcpy( tmp_string, profile_path );
if (expand_explicit) {
standard_sub_basic( username, domain, tmp_string,
sizeof(tmp_string) );
}
pdb_set_profile_path(sampass, tmp_string, PDB_SET);
- }
+ }
else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_path()),
PDB_DEFAULT);
pdb_set_kickoff_time(sampass, convert_uint32_t_to_time_t(kickoff_time), PDB_SET);
pdb_set_bad_password_time(sampass, convert_uint32_t_to_time_t(bad_password_time), PDB_SET);
pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET);
- pdb_set_pass_must_change_time(sampass, convert_uint32_t_to_time_t(pass_must_change_time), PDB_SET);
pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else
pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
pdb_set_logon_script(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
fstrcpy( tmp_string, profile_path );
if (expand_explicit) {
standard_sub_basic( username, domain, tmp_string,
sizeof(tmp_string) );
}
pdb_set_profile_path(sampass, tmp_string, PDB_SET);
- }
+ }
else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain, lp_logon_path()),
PDB_DEFAULT);
}
if (munged_dial) {
munged_dial_len = strlen(munged_dial) +1;
} else {
- munged_dial_len = 0;
+ munged_dial_len = 0;
}
/* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
/* check to make sure we got it correct */
if (buflen != len) {
- DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
- (unsigned long)buflen, (unsigned long)len));
+ DEBUG(0, ("init_buffer_from_samu_v3: something odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
+ (unsigned long)buflen, (unsigned long)len));
/* error */
SAFE_FREE (*buf);
return (-1);
}
LastBadPassword = pdb_get_bad_password_time(sampass);
- DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
+ DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
(uint32_t) LastBadPassword, resettime, (uint32_t)time(NULL)));
if (time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(resettime)*60)){
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
}
/*********************************************************************
- Increment the bad_password_count
+ Increment the bad_password_count
*********************************************************************/
bool pdb_increment_bad_password_count(struct samu *sampass)
return False;
/*
- Ok, now we can assume that any resetting that needs to be
+ Ok, now we can assume that any resetting that needs to be
done has been done, and just get on with incrementing
and autolocking if necessary
*/
- pdb_set_bad_password_count(sampass,
+ pdb_set_bad_password_count(sampass,
pdb_get_bad_password_count(sampass)+1,
PDB_CHANGED);
pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
- if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
+ if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
return True;
if (!pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
PDB_CHANGED)) {
- DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
+ DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
return False;
}
Caller must free password, but not account_name.
*******************************************************************/
-bool get_trust_pw_clear(const char *domain, char **ret_pwd,
- const char **account_name,
- enum netr_SchannelType *channel)
+static bool get_trust_pw_clear2(const char *domain,
+ const char **account_name,
+ enum netr_SchannelType *channel,
+ char **cur_pw,
+ time_t *_last_set_time,
+ char **prev_pw)
{
char *pwd;
time_t last_set_time;
+ if (cur_pw != NULL) {
+ *cur_pw = NULL;
+ }
+ if (_last_set_time != NULL) {
+ *_last_set_time = 0;
+ }
+ if (prev_pw != NULL) {
+ *prev_pw = NULL;
+ }
+
/* if we are a DC and this is not our domain, then lookup an account
* for the domain trust */
return false;
}
- if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
+ if (!pdb_get_trusteddom_pw(domain, cur_pw, NULL,
&last_set_time))
{
DEBUG(0, ("get_trust_pw: could not fetch trust "
*account_name = lp_workgroup();
}
+ if (_last_set_time != NULL) {
+ *_last_set_time = last_set_time;
+ }
+
return true;
}
pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
if (pwd != NULL) {
- *ret_pwd = pwd;
+ struct timeval expire;
+
+ *cur_pw = pwd;
+
if (account_name != NULL) {
*account_name = lp_netbios_name();
}
+ if (_last_set_time != NULL) {
+ *_last_set_time = last_set_time;
+ }
+
+ if (prev_pw == NULL) {
+ return true;
+ }
+
+ ZERO_STRUCT(expire);
+ expire.tv_sec = lp_machine_password_timeout();
+ expire.tv_sec /= 2;
+ expire.tv_sec += last_set_time;
+ if (timeval_expired(&expire)) {
+ return true;
+ }
+
+ pwd = secrets_fetch_prev_machine_password(lp_workgroup());
+ if (pwd != NULL) {
+ *prev_pw = pwd;
+ }
+
return true;
}
- DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+ DEBUG(5, ("get_trust_pw_clear2: could not fetch clear text trust "
"account password for domain %s\n", domain));
return false;
}
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name,
+ enum netr_SchannelType *channel)
+{
+ return get_trust_pw_clear2(domain,
+ account_name,
+ channel,
+ ret_pwd,
+ NULL,
+ NULL);
+}
+
/*******************************************************************
Wrapper around retrieving the trust account password.
appropriate account name is stored in account_name.
*******************************************************************/
-bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
- const char **account_name,
- enum netr_SchannelType *channel)
+static bool get_trust_pw_hash2(const char *domain,
+ const char **account_name,
+ enum netr_SchannelType *channel,
+ struct samr_Password *current_nt_hash,
+ time_t *last_set_time,
+ struct samr_Password **_previous_nt_hash)
{
- char *pwd = NULL;
- time_t last_set_time;
+ char *cur_pw = NULL;
+ char *prev_pw = NULL;
+ char **_prev_pw = NULL;
+ bool ok;
+
+ if (_previous_nt_hash != NULL) {
+ *_previous_nt_hash = NULL;
+ _prev_pw = &prev_pw;
+ }
+
+ ok = get_trust_pw_clear2(domain, account_name, channel,
+ &cur_pw, last_set_time, _prev_pw);
+ if (ok) {
+ struct samr_Password *previous_nt_hash = NULL;
+
+ E_md4hash(cur_pw, current_nt_hash->hash);
+ BURN_FREE_STR(cur_pw);
- if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
+ if (prev_pw == NULL) {
+ return true;
+ }
+
+ previous_nt_hash = SMB_MALLOC_P(struct samr_Password);
+ if (previous_nt_hash == NULL) {
+ return false;
+ }
+
+ E_md4hash(prev_pw, previous_nt_hash->hash);
+ BURN_FREE_STR(prev_pw);
+
+ *_previous_nt_hash = previous_nt_hash;
return true;
} else if (is_dc_trusted_domain_situation(domain)) {
return false;
/* as a fallback, try to get the hashed pwd directly from the tdb... */
- if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
- &last_set_time,
+ if (secrets_fetch_trust_account_password_legacy(domain,
+ current_nt_hash->hash,
+ last_set_time,
channel))
{
if (account_name != NULL) {
"password for domain %s\n", domain));
return False;
}
+
+bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
+ const char **account_name,
+ enum netr_SchannelType *channel)
+{
+ struct samr_Password current_nt_hash;
+ bool ok;
+
+ ok = get_trust_pw_hash2(domain, account_name, channel,
+ ¤t_nt_hash, NULL, NULL);
+ if (!ok) {
+ return false;
+ }
+
+ memcpy(ret_pwd, current_nt_hash.hash, sizeof(current_nt_hash.hash));
+ return true;
+}
+
+NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
+ const char *dns_domain, /* optional */
+ TALLOC_CTX *mem_ctx,
+ struct cli_credentials **_creds)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+ struct loadparm_context *lp_ctx;
+ enum netr_SchannelType channel;
+ time_t last_set_time;
+ const char *_account_name;
+ const char *account_name;
+ char *cur_pw = NULL;
+ char *prev_pw = NULL;
+ struct samr_Password cur_nt_hash;
+ struct cli_credentials *creds = NULL;
+ bool ok;
+
+ /*
+ * If this is our primary trust relationship, use the common
+ * code to read the secrets.ldb or secrets.tdb file.
+ */
+ if (strequal(netbios_domain, lp_workgroup())) {
+ struct db_context *db_ctx = secrets_db_ctx();
+ if (db_ctx == NULL) {
+ DEBUG(1, ("failed to open secrets.tdb to obtain our trust credentials for %s\n",
+ netbios_domain));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(1, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ creds = cli_credentials_init(mem_ctx);
+ if (creds == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_conf(creds, lp_ctx);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ status = cli_credentials_set_machine_account_db_ctx(creds,
+ lp_ctx,
+ db_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ goto done;
+ } else if (!IS_DC) {
+ DEBUG(1, ("Refusing to get trust account info for %s, "
+ "which is not our primary domain %s, "
+ "as we are not a DC\n",
+ netbios_domain, lp_workgroup()));
+ status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ goto fail;
+ }
+
+ status = pdb_get_trusteddom_creds(netbios_domain, mem_ctx, &creds);
+ if (NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto fail;
+ }
+
+ ok = get_trust_pw_clear2(netbios_domain,
+ &_account_name,
+ &channel,
+ &cur_pw,
+ &last_set_time,
+ &prev_pw);
+ if (!ok) {
+ ok = get_trust_pw_hash2(netbios_domain,
+ &_account_name,
+ &channel,
+ &cur_nt_hash,
+ &last_set_time,
+ NULL);
+ if (!ok) {
+ DEBUG(1, ("get_trust_pw_*2 failed for domain[%s]\n",
+ netbios_domain));
+ status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ goto fail;
+ }
+ }
+
+ account_name = talloc_asprintf(frame, "%s$", _account_name);
+ if (account_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(1, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ creds = cli_credentials_init(mem_ctx);
+ if (creds == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_conf(creds, lp_ctx);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ cli_credentials_set_secure_channel_type(creds, channel);
+ cli_credentials_set_password_last_changed_time(creds, last_set_time);
+
+ ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (dns_domain != NULL) {
+ ok = cli_credentials_set_realm(creds, dns_domain, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ /*
+ * It's not possible to use NTLMSSP with a domain trust account.
+ */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
+ } else {
+ /*
+ * We can't use kerberos against an NT4 domain.
+ *
+ * We should have a mode that also disallows NTLMSSP here,
+ * as only NETLOGON SCHANNEL is possible.
+ */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
+ }
+
+ ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (cur_pw == NULL) {
+ ok = cli_credentials_set_nt_hash(creds, &cur_nt_hash, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ /*
+ * We currently can't do kerberos just with an NTHASH.
+ */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
+ goto done;
+ }
+
+ ok = cli_credentials_set_password(creds, cur_pw, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (prev_pw != NULL) {
+ ok = cli_credentials_set_old_password(creds, prev_pw, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ done:
+ *_creds = creds;
+ creds = NULL;
+ status = NT_STATUS_OK;
+ fail:
+ TALLOC_FREE(creds);
+ SAFE_FREE(cur_pw);
+ SAFE_FREE(prev_pw);
+ TALLOC_FREE(frame);
+ return status;
+}