struct samdb_context {
struct ldb_context *ldb;
+ struct samdb_context **static_ptr;
};
/*
this is used to catch debug messages from ldb
*/
-void samdb_debug(void *context, enum ldb_debug_level level, const char *fmt, va_list ap)
+void samdb_debug(void *context, enum ldb_debug_level level, const char *fmt, va_list ap) _PRINTF_ATTRIBUTE(3,0)
{
char *s = NULL;
if (DEBUGLEVEL < 4 && level > LDB_DEBUG_WARNING) {
free(s);
}
+/* destroy the last connection to the sam */
+static int samdb_destructor(void *ctx)
+{
+ struct samdb_context *sam_ctx = ctx;
+ ldb_close(sam_ctx->ldb);
+ *(sam_ctx->static_ptr) = NULL;
+ return 0;
+}
+
/*
connect to the SAM database
return an opaque context pointer on success, or NULL on failure
*/
-void *samdb_connect(void)
+void *samdb_connect(TALLOC_CTX *mem_ctx)
{
- struct samdb_context *ctx;
+ static struct samdb_context *ctx;
/*
the way that unix fcntl locking works forces us to have a
static ldb handle here rather than a much more sensible
the ldb more than once, and tdb would rightly refuse the
second open due to the broken nature of unix locking.
*/
- static struct ldb_context *static_sam_db;
-
- if (static_sam_db == NULL) {
- static_sam_db = ldb_connect(lp_sam_url(), 0, NULL);
- if (static_sam_db == NULL) {
- return NULL;
- }
+ if (ctx != NULL) {
+ return talloc_reference(mem_ctx, ctx);
}
- ldb_set_debug(static_sam_db, samdb_debug, NULL);
-
- ctx = malloc_p(struct samdb_context);
- if (!ctx) {
+ ctx = talloc_p(mem_ctx, struct samdb_context);
+ if (ctx == NULL) {
errno = ENOMEM;
return NULL;
}
- ctx->ldb = static_sam_db;
-
- return ctx;
-}
-
-/* close a connection to the sam */
-void samdb_close(void *ctx)
-{
- struct samdb_context *sam_ctx = ctx;
- /* we don't actually close due to broken posix locking semantics */
- sam_ctx->ldb = NULL;
- free(sam_ctx);
-}
+ ctx->static_ptr = &ctx;
-/*
- a alloc function for ldb
-*/
-static void *samdb_alloc(void *context, void *ptr, size_t size)
-{
- return talloc_realloc((TALLOC_CTX *)context, ptr, size);
-}
-
-/*
- search the sam for the specified attributes - va_list varient
-*/
-int samdb_search_v(void *ctx,
- TALLOC_CTX *mem_ctx,
- const char *basedn,
- struct ldb_message ***res,
- const char * const *attrs,
- const char *format,
- va_list ap)
-{
- struct samdb_context *sam_ctx = ctx;
- char *expr = NULL;
- int count;
-
- vasprintf(&expr, format, ap);
- if (expr == NULL) {
- return -1;
+ ctx->ldb = ldb_connect(lp_sam_url(), 0, NULL);
+ if (ctx->ldb == NULL) {
+ talloc_free(ctx);
+ return NULL;
}
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
-
- count = ldb_search(sam_ctx->ldb, basedn, LDB_SCOPE_SUBTREE, expr, attrs, res);
+ talloc_set_destructor(ctx, samdb_destructor);
+ ldb_set_debug(ctx->ldb, samdb_debug, NULL);
- DEBUG(4,("samdb_search_v: %s %s -> %d\n", basedn?basedn:"NULL", expr, count));
-
- free(expr);
-
- return count;
+ return ctx;
}
-
/*
- search the sam for the specified attributes - varargs varient
+ search the sam for the specified attributes - varargs variant
*/
int samdb_search(void *ctx,
TALLOC_CTX *mem_ctx,
const char *basedn,
struct ldb_message ***res,
const char * const *attrs,
- const char *format, ...)
+ const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
{
+ struct samdb_context *sam_ctx = ctx;
va_list ap;
int count;
va_start(ap, format);
- count = samdb_search_v(ctx, mem_ctx, basedn, res, attrs, format, ap);
+ count = gendb_search_v(sam_ctx->ldb, mem_ctx, basedn, res, attrs, format, ap);
va_end(ap);
return count;
TALLOC_CTX *mem_ctx, struct ldb_message **res)
{
struct samdb_context *sam_ctx = ctx;
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_search_free(sam_ctx->ldb, res);
}
TALLOC_CTX *mem_ctx,
const char *basedn,
const char *attr_name,
- const char *format, va_list ap)
+ const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
{
+ struct samdb_context *sam_ctx = ctx;
int count;
const char * const attrs[2] = { attr_name, NULL };
struct ldb_message **res = NULL;
- count = samdb_search_v(ctx, mem_ctx, basedn, &res, attrs, format, ap);
+ count = gendb_search_v(sam_ctx->ldb, mem_ctx, basedn, &res, attrs, format, ap);
if (count > 1) {
DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
attr_name, format, count));
TALLOC_CTX *mem_ctx,
const char *basedn,
const char *attr_name,
- const char *format, ...)
+ const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
{
va_list ap;
const char *str;
return str;
}
+/*
+ return the count of the number of records in the sam matching the query
+*/
+int samdb_search_count(void *ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *basedn,
+ const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
+{
+ struct samdb_context *samdb_ctx = ctx;
+ va_list ap;
+ struct ldb_message **res;
+ const char * const attrs[] = { NULL };
+ int ret;
+
+ va_start(ap, format);
+ ret = gendb_search_v(samdb_ctx->ldb, mem_ctx, basedn, &res, attrs, format, ap);
+ va_end(ap);
+
+ return ret;
+}
+
/*
search the sam for a single integer attribute in exactly 1 record
uint_t default_value,
const char *basedn,
const char *attr_name,
- const char *format, ...)
+ const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
{
+ struct samdb_context *samdb_ctx = ctx;
va_list ap;
int count;
struct ldb_message **res;
const char * const attrs[2] = { attr_name, NULL };
va_start(ap, format);
- count = samdb_search_v(ctx, mem_ctx, basedn, &res, attrs, format, ap);
+ count = gendb_search_v(samdb_ctx->ldb, mem_ctx, basedn, &res, attrs, format, ap);
va_end(ap);
if (count != 1) {
return samdb_result_uint(res[0], attr_name, default_value);
}
+/*
+ search the sam for a single signed 64 bit integer attribute in exactly 1 record
+*/
+int64_t samdb_search_int64(void *ctx,
+ TALLOC_CTX *mem_ctx,
+ int64_t default_value,
+ const char *basedn,
+ const char *attr_name,
+ const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
+{
+ struct samdb_context *samdb_ctx = ctx;
+ va_list ap;
+ int count;
+ struct ldb_message **res;
+ const char * const attrs[2] = { attr_name, NULL };
+
+ va_start(ap, format);
+ count = gendb_search_v(samdb_ctx->ldb, mem_ctx, basedn, &res, attrs, format, ap);
+ va_end(ap);
+
+ if (count != 1) {
+ return default_value;
+ }
+
+ return samdb_result_int64(res[0], attr_name, default_value);
+}
+
/*
search the sam for multipe records each giving a single string attribute
return the number of matches, or -1 on error
const char *basedn,
const char ***strs,
const char *attr_name,
- const char *format, ...)
+ const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
{
+ struct samdb_context *samdb_ctx = ctx;
va_list ap;
int count, i;
const char * const attrs[2] = { attr_name, NULL };
struct ldb_message **res = NULL;
va_start(ap, format);
- count = samdb_search_v(ctx, mem_ctx, basedn, &res, attrs, format, ap);
+ count = gendb_search_v(samdb_ctx->ldb, mem_ctx, basedn, &res, attrs, format, ap);
va_end(ap);
if (count <= 0) {
return ldb_msg_find_uint(msg, attr, default_value);
}
+/*
+ pull a (signed) int64 from a result set.
+*/
+int64_t samdb_result_int64(struct ldb_message *msg, const char *attr, int64_t default_value)
+{
+ return ldb_msg_find_int64(msg, attr, default_value);
+}
+
/*
pull a string from a result set.
*/
/*
pull a rid from a objectSid in a result set.
*/
-uint32 samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr, uint32 default_value)
+uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr, uint32_t default_value)
{
struct dom_sid *sid;
const char *sidstr = ldb_msg_find_string(msg, attr, NULL);
return sid->sub_auths[sid->num_auths-1];
}
+/*
+ pull a dom_sid structure from a objectSid in a result set.
+*/
+struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr)
+{
+ const char *sidstr = ldb_msg_find_string(msg, attr, NULL);
+ if (!sidstr) return NULL;
+
+ return dom_sid_parse_talloc(mem_ctx, sidstr);
+}
+
+/*
+ pull a guid structure from a objectGUID in a result set.
+*/
+struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr)
+{
+ NTSTATUS status;
+ struct GUID guid;
+ const char *guidstr = ldb_msg_find_string(msg, attr, NULL);
+
+ ZERO_STRUCT(guid);
+
+ if (!guidstr) return guid;
+
+ status = GUID_from_string(guidstr, &guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ZERO_STRUCT(guid);
+ return guid;
+ }
+
+ return guid;
+}
+
+/*
+ pull a sid prefix from a objectSid in a result set.
+ this is used to find the domain sid for a user
+*/
+const char *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr)
+{
+ struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
+ if (!sid || sid->num_auths < 1) return NULL;
+
+ sid->num_auths--;
+
+ return dom_sid_string(mem_ctx, sid);
+}
+
/*
pull a NTTIME in a result set.
*/
}
/*
- pull a double (really a large integer) from a result set.
+ pull a uint64_t from a result set.
*/
-double samdb_result_double(struct ldb_message *msg, const char *attr, double default_value)
+uint64_t samdb_result_uint64(struct ldb_message *msg, const char *attr, uint64_t default_value)
{
- return ldb_msg_find_double(msg, attr, default_value);
+ return ldb_msg_find_uint64(msg, attr, default_value);
}
/*
- construct the allow_pwd_change field from the PwdLastSet attribute and the
+ construct the allow_password_change field from the PwdLastSet attribute and the
domain password settings
*/
-NTTIME samdb_result_allow_pwd_change(void *ctx, TALLOC_CTX *mem_ctx,
- const char *domain_dn, struct ldb_message *msg, const char *attr)
+NTTIME samdb_result_allow_password_change(void *ctx, TALLOC_CTX *mem_ctx,
+ const char *domain_dn,
+ struct ldb_message *msg,
+ const char *attr)
{
- double attr_time = samdb_result_double(msg, attr, 0);
- if (attr_time > 0) {
- const char *minPwdAge = samdb_search_string(ctx, mem_ctx, NULL, "minPwdAge",
- "dn=%s", domain_dn);
- if (minPwdAge) {
- /* yes, this is a -= not a += as minPwdAge is stored as the negative
- of the number of 100-nano-seconds */
- attr_time -= strtod(minPwdAge, NULL);
- }
+ uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+ int64_t minPwdAge;
+
+ if (attr_time == 0) {
+ return 0;
}
- return nttime_from_double_nt(attr_time);
+
+ minPwdAge = samdb_search_int64(ctx, mem_ctx, 0, NULL,
+ "minPwdAge", "dn=%s", domain_dn);
+
+ /* yes, this is a -= not a += as minPwdAge is stored as the negative
+ of the number of 100-nano-seconds */
+ attr_time -= minPwdAge;
+
+ return attr_time;
}
/*
- construct the force_pwd_change field from the PwdLastSet attribute and the
+ construct the force_password_change field from the PwdLastSet attribute and the
domain password settings
*/
-NTTIME samdb_result_force_pwd_change(void *ctx, TALLOC_CTX *mem_ctx,
- const char *domain_dn, struct ldb_message *msg, const char *attr)
+NTTIME samdb_result_force_password_change(void *ctx, TALLOC_CTX *mem_ctx,
+ const char *domain_dn,
+ struct ldb_message *msg,
+ const char *attr)
{
- double attr_time = samdb_result_double(msg, attr, 0);
- if (attr_time > 0) {
- const char *maxPwdAge = samdb_search_string(ctx, mem_ctx, NULL, "maxPwdAge",
- "dn=%s", domain_dn);
- if (!maxPwdAge || strcmp(maxPwdAge, "0") == 0) {
- attr_time = 0;
- } else {
- attr_time -= strtod(maxPwdAge, NULL);
- }
+ uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+ int64_t maxPwdAge;
+
+ if (attr_time == 0) {
+ return 0;
+ }
+
+ maxPwdAge = samdb_search_int64(ctx, mem_ctx, 0, NULL, "maxPwdAge", "dn=%s", domain_dn);
+ if (maxPwdAge == 0) {
+ return 0;
+ } else {
+ attr_time -= maxPwdAge;
}
- return nttime_from_double_nt(attr_time);
+
+ return attr_time;
}
/*
- pull a samr_Hash structutre from a result set.
+ pull a samr_Password structutre from a result set.
*/
-struct samr_Hash samdb_result_hash(struct ldb_message *msg, const char *attr)
+struct samr_Password samdb_result_hash(struct ldb_message *msg, const char *attr)
{
- struct samr_Hash hash;
+ struct samr_Password hash;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
ZERO_STRUCT(hash);
if (val) {
- memcpy(hash.hash, val->data, MIN(val->length, 16));
+ memcpy(hash.hash, val->data, MIN(val->length, sizeof(hash.hash)));
}
return hash;
}
/*
- pull an array of samr_Hash structutres from a result set.
+ pull an array of samr_Password structutres from a result set.
*/
uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr, struct samr_Hash **hashes)
+ const char *attr, struct samr_Password **hashes)
{
uint_t count = 0;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
return 0;
}
- *hashes = talloc_array_p(mem_ctx, struct samr_Hash, count);
+ *hashes = talloc_array_p(mem_ctx, struct samr_Password, count);
if (! *hashes) {
return 0;
}
}
NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- uint8 **lm_pwd, uint8 **nt_pwd)
+ struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
{
const char *unicodePwd = samdb_result_string(msg, "unicodePwd", NULL);
- struct samr_Hash *lmPwdHash, *ntPwdHash;
+ struct samr_Password *lmPwdHash, *ntPwdHash;
if (unicodePwd) {
if (nt_pwd) {
- ntPwdHash = talloc_p(mem_ctx, struct samr_Hash);
+ ntPwdHash = talloc_p(mem_ctx, struct samr_Password);
if (!ntPwdHash) {
return NT_STATUS_NO_MEMORY;
}
E_md4hash(unicodePwd, ntPwdHash->hash);
- *nt_pwd = ntPwdHash->hash;
+ *nt_pwd = ntPwdHash;
}
if (lm_pwd) {
BOOL lm_hash_ok;
- lmPwdHash = talloc_p(mem_ctx, struct samr_Hash);
+ lmPwdHash = talloc_p(mem_ctx, struct samr_Password);
if (!lmPwdHash) {
return NT_STATUS_NO_MEMORY;
}
lm_hash_ok = E_deshash(unicodePwd, lmPwdHash->hash);
if (lm_hash_ok) {
- *lm_pwd = lmPwdHash->hash;
+ *lm_pwd = lmPwdHash;
} else {
*lm_pwd = NULL;
}
int num_nt;
num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHash", &ntPwdHash);
if (num_nt == 0) {
- nt_pwd = NULL;
+ *nt_pwd = NULL;
} else if (num_nt > 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
- *nt_pwd = ntPwdHash[0].hash;
+ *nt_pwd = &ntPwdHash[0];
}
}
if (lm_pwd) {
} else if (num_lm > 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
- *lm_pwd = lmPwdHash[0].hash;
+ *lm_pwd = &lmPwdHash[0];
}
}
/*
pull a set of account_flags from a result set.
*/
-uint16 samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
+uint16_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
{
uint_t userAccountControl = ldb_msg_find_uint(msg, attr, 0);
return samdb_uf2acb(userAccountControl);
/* pull the template record */
- ret = samdb_search(ctx, mem_ctx, NULL, &res, NULL, expression);
+ ret = samdb_search(ctx, mem_ctx, NULL, &res, NULL, "%s", expression);
if (ret != 1) {
DEBUG(1,("samdb: ERROR: template '%s' matched %d records\n",
expression, ret));
return 0 on failure, the id on success
*/
static NTSTATUS _samdb_allocate_next_id(void *ctx, TALLOC_CTX *mem_ctx, const char *dn,
- const char *attr, uint32 *id)
+ const char *attr, uint32_t *id)
{
struct samdb_context *sam_ctx = ctx;
struct ldb_message msg;
return 0 on failure, the id on success
*/
NTSTATUS samdb_allocate_next_id(void *ctx, TALLOC_CTX *mem_ctx, const char *dn, const char *attr,
- uint32 *id)
+ uint32_t *id)
{
int tries = 10;
NTSTATUS status;
if (s == NULL || a == NULL) {
return -1;
}
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_msg_add_string(sam_ctx->ldb, msg, a, s);
}
if (a == NULL) {
return -1;
}
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
- return ldb_msg_add_empty(sam_ctx->ldb, msg, a, LDB_FLAG_MOD_DELETE);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
+ /* we use an empty replace rather than a delete, as it allows for
+ samdb_replace() to be used everywhere */
+ return ldb_msg_add_empty(sam_ctx->ldb, msg, a, LDB_FLAG_MOD_REPLACE);
}
/*
}
/*
- add a double element to a message (actually a large integer)
+ add a (signed) int64_t element to a message
*/
-int samdb_msg_add_double(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, double v)
+int samdb_msg_add_int64(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr_name, int64_t v)
{
- const char *s = talloc_asprintf(mem_ctx, "%.0f", v);
+ const char *s = talloc_asprintf(mem_ctx, "%lld", v);
return samdb_msg_add_string(ctx, mem_ctx, msg, attr_name, s);
}
/*
- add a samr_Hash element to a message
+ add a uint64_t element to a message
+*/
+int samdb_msg_add_uint64(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr_name, uint64_t v)
+{
+ const char *s = talloc_asprintf(mem_ctx, "%llu", v);
+ return samdb_msg_add_string(ctx, mem_ctx, msg, attr_name, s);
+}
+
+/*
+ add a samr_Password element to a message
*/
int samdb_msg_add_hash(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, struct samr_Hash hash)
+ const char *attr_name, struct samr_Password hash)
{
struct samdb_context *sam_ctx = ctx;
struct ldb_val val;
return -1;
}
memcpy(val.data, hash.hash, 16);
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_msg_add_value(sam_ctx->ldb, msg, attr_name, &val);
}
/*
- add a samr_Hash array to a message
+ add a samr_Password array to a message
*/
int samdb_msg_add_hashes(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, struct samr_Hash *hashes, uint_t count)
+ const char *attr_name, struct samr_Password *hashes, uint_t count)
{
struct samdb_context *sam_ctx = ctx;
struct ldb_val val;
for (i=0;i<count;i++) {
memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
}
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_msg_add_value(sam_ctx->ldb, msg, attr_name, &val);
}
add a acct_flags element to a message
*/
int samdb_msg_add_acct_flags(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, uint32 v)
+ const char *attr_name, uint32_t v)
{
return samdb_msg_add_uint(ctx, mem_ctx, msg, attr_name, samdb_acb2uf(v));
}
struct ldb_val val;
val.length = hours.units_per_week / 8;
val.data = hours.bitmap;
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_msg_add_value(sam_ctx->ldb, msg, attr_name, &val);
}
struct samdb_context *sam_ctx = ctx;
struct ldb_message_element *el;
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
el = ldb_msg_find_element(msg, attr_name);
if (el) {
{
struct samdb_context *sam_ctx = ctx;
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_add(sam_ctx->ldb, msg);
}
{
struct samdb_context *sam_ctx = ctx;
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_delete(sam_ctx->ldb, dn);
}
{
struct samdb_context *sam_ctx = ctx;
- ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx);
+ ldb_set_alloc(sam_ctx->ldb, talloc_realloc_fn, mem_ctx);
return ldb_modify(sam_ctx->ldb, msg);
}
/*
- check that a password is sufficiently complex
+ replace elements in a record
*/
-static BOOL samdb_password_complexity_ok(const char *pass)
+int samdb_replace(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
{
- return check_password_quality(pass);
-}
-
-/*
- set the user password using plaintext, obeying any user or domain
- password restrictions
-*/
-NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
- const char *user_dn, const char *domain_dn,
- struct ldb_message *mod, const char *new_pass,
- BOOL user_change)
-{
- const char * const user_attrs[] = { "userAccountControl", "lmPwdHistory",
- "ntPwdHistory", "unicodePwd",
- "lmPwdHash", "ntPwdHash", "badPwdCount",
- NULL };
- const char * const domain_attrs[] = { "pwdProperties", "pwdHistoryLength",
- "maxPwdAge", "minPwdAge",
- "minPwdLength", "pwdLastSet", NULL };
- const char *unicodePwd;
- double minPwdAge, pwdLastSet;
- uint_t minPwdLength, pwdProperties, pwdHistoryLength;
- uint_t userAccountControl, badPwdCount;
- struct samr_Hash *lmPwdHistory, *ntPwdHistory, lmPwdHash, ntPwdHash;
- struct samr_Hash *new_lmPwdHistory, *new_ntPwdHistory;
- struct samr_Hash lmNewHash, ntNewHash;
- uint_t lmPwdHistory_len, ntPwdHistory_len;
- struct ldb_message **res;
- int count;
- time_t now = time(NULL);
- NTTIME now_nt;
- double now_double;
int i;
- BOOL lm_hash_ok;
- /* we need to know the time to compute password age */
- unix_to_nt_time(&now_nt, now);
- now_double = nttime_to_double_nt(now_nt);
-
- /* pull all the user parameters */
- count = samdb_search(ctx, mem_ctx, NULL, &res, user_attrs, "dn=%s", user_dn);
- if (count != 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
- unicodePwd = samdb_result_string(res[0], "unicodePwd", NULL);
- userAccountControl = samdb_result_uint(res[0], "userAccountControl", 0);
- badPwdCount = samdb_result_uint(res[0], "badPwdCount", 0);
- lmPwdHistory_len = samdb_result_hashes(mem_ctx, res[0],
- "lmPwdHistory", &lmPwdHistory);
- ntPwdHistory_len = samdb_result_hashes(mem_ctx, res[0],
- "ntPwdHistory", &ntPwdHistory);
- lmPwdHash = samdb_result_hash(res[0], "lmPwdHash");
- ntPwdHash = samdb_result_hash(res[0], "ntPwdHash");
- pwdLastSet = samdb_result_double(res[0], "pwdLastSet", 0);
-
- /* pull the domain parameters */
- count = samdb_search(ctx, mem_ctx, NULL, &res, domain_attrs, "dn=%s", domain_dn);
- if (count != 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
- pwdProperties = samdb_result_uint(res[0], "pwdProperties", 0);
- pwdHistoryLength = samdb_result_uint(res[0], "pwdHistoryLength", 0);
- minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0);
- minPwdAge = samdb_result_double(res[0], "minPwdAge", 0);
-
- /* compute the new nt and lm hashes */
- lm_hash_ok = E_deshash(new_pass, lmNewHash.hash);
- E_md4hash(new_pass, ntNewHash.hash);
-
- if (user_change) {
- /* are all password changes disallowed? */
- if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- /* can this user change password? */
- if (userAccountControl & UF_PASSWD_CANT_CHANGE) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- /* yes, this is a minus. The ages are in negative 100nsec units! */
- if (pwdLastSet - minPwdAge > now_double) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- /* check the immediately past password */
- if (pwdHistoryLength > 0) {
- if (lm_hash_ok && memcmp(lmNewHash.hash, lmPwdHash.hash, 16) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- if (memcmp(ntNewHash.hash, ntPwdHash.hash, 16) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- }
-
- /* check the password history */
- lmPwdHistory_len = MIN(lmPwdHistory_len, pwdHistoryLength);
- ntPwdHistory_len = MIN(ntPwdHistory_len, pwdHistoryLength);
-
- if (pwdHistoryLength > 0) {
- if (unicodePwd && strcmp(unicodePwd, new_pass) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- if (lm_hash_ok && memcmp(lmNewHash.hash, lmPwdHash.hash, 16) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- if (memcmp(ntNewHash.hash, ntPwdHash.hash, 16) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- }
-
- for (i=0;lm_hash_ok && i<lmPwdHistory_len;i++) {
- if (memcmp(lmNewHash.hash, lmPwdHistory[i].hash, 16) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- }
- for (i=0;i<ntPwdHistory_len;i++) {
- if (memcmp(ntNewHash.hash, ntPwdHistory[i].hash, 16) == 0) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
- }
- }
-
- /* check the various password restrictions */
- if (minPwdLength > str_charnum(new_pass)) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- /* possibly check password complexity */
- if (pwdProperties & DOMAIN_PASSWORD_COMPLEX &&
- !samdb_password_complexity_ok(new_pass)) {
- return NT_STATUS_PASSWORD_RESTRICTION;
+ /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
+ for (i=0;i<msg->num_elements;i++) {
+ msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
}
-#define CHECK_RET(x) do { if (x != 0) return NT_STATUS_NO_MEMORY; } while(0)
+ /* modify the samdb record */
+ return samdb_modify(ctx, mem_ctx, msg);
+}
- /* the password is acceptable. Start forming the new fields */
- if (lm_hash_ok) {
- CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "lmPwdHash", lmNewHash));
- } else {
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "lmPwdHash"));
- }
- CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "ntPwdHash", ntNewHash));
+/*
+ return a default security descriptor
+*/
+struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
+{
+ struct security_descriptor *sd;
- if ((pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) &&
- (userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
- CHECK_RET(samdb_msg_add_string(ctx, mem_ctx, mod,
- "unicodePwd", new_pass));
- } else {
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "unicodePwd"));
- }
+ sd = sd_initialise(mem_ctx);
- CHECK_RET(samdb_msg_add_double(ctx, mem_ctx, mod, "pwdLastSet", now_double));
-
- if (pwdHistoryLength == 0) {
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "lmPwdHistory"));
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "ntPwdHistory"));
- return NT_STATUS_OK;
- }
-
- /* store the password history */
- new_lmPwdHistory = talloc_array_p(mem_ctx, struct samr_Hash,
- pwdHistoryLength);
- if (!new_lmPwdHistory) {
- return NT_STATUS_NO_MEMORY;
- }
- new_ntPwdHistory = talloc_array_p(mem_ctx, struct samr_Hash,
- pwdHistoryLength);
- if (!new_ntPwdHistory) {
- return NT_STATUS_NO_MEMORY;
- }
- for (i=0;i<MIN(pwdHistoryLength-1, lmPwdHistory_len);i++) {
- new_lmPwdHistory[i+1] = lmPwdHistory[i];
- }
- for (i=0;i<MIN(pwdHistoryLength-1, ntPwdHistory_len);i++) {
- new_ntPwdHistory[i+1] = ntPwdHistory[i];
- }
- new_lmPwdHistory[0] = lmNewHash;
- new_ntPwdHistory[0] = ntNewHash;
-
- CHECK_RET(samdb_msg_add_hashes(ctx, mem_ctx, mod,
- "lmPwdHistory",
- new_lmPwdHistory,
- MIN(pwdHistoryLength, lmPwdHistory_len+1)));
- CHECK_RET(samdb_msg_add_hashes(ctx, mem_ctx, mod,
- "ntPwdHistory",
- new_ntPwdHistory,
- MIN(pwdHistoryLength, ntPwdHistory_len+1)));
-
- return NT_STATUS_OK;
+ return sd;
}