2 Unix SMB/Netbios implementation.
4 Password and authentication handling
5 Copyright (C) Jeremy Allison 1996-2001
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
7 Copyright (C) Gerald (Jerry) Carter 2000-2001
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * This is set on startup - it defines the SID for this
28 * machine, and therefore the SAM database for which it is
32 extern DOM_SID global_sam_sid;
34 struct passdb_ops *pdb_ops;
37 static void* pdb_handle = NULL;
40 /***************************************************************
41 Initialize the password db operations.
42 ***************************************************************/
44 BOOL initialize_password_db(BOOL reload)
47 * This function is unfinished right now, so just
48 * ignore the details and always return True. It
49 * is here only as a placeholder --jerry
56 /************************************************************
57 Fill the SAM_ACCOUNT with default values.
58 ***********************************************************/
60 static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user)
63 DEBUG(0,("pdb_fill_default_sam: SAM_ACCOUNT was NULL\n"));
69 /* Don't change these timestamp settings without a good reason.
70 They are important for NT member server compatibility. */
72 user->init_flag = FLAG_SAM_UNINIT;
73 user->uid = user->gid = -1;
75 user->logon_time = (time_t)0;
76 user->pass_last_set_time = (time_t)0;
77 user->pass_can_change_time = (time_t)0;
80 user->pass_must_change_time = get_time_t_max();
81 user->unknown_3 = 0x00ffffff; /* don't know */
82 user->logon_divs = 168; /* hours per week */
83 user->hours_len = 21; /* 21 times 8 bits = 168 */
84 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
85 user->unknown_5 = 0x00000000; /* don't know */
86 user->unknown_6 = 0x000004ec; /* don't know */
91 /*************************************************************
92 Alloc memory and initialises a struct sam_passwd.
93 ************************************************************/
95 BOOL pdb_init_sam(SAM_ACCOUNT **user)
98 DEBUG(0,("pdb_init_sam: SAM_ACCOUNT was non NULL\n"));
100 smb_panic("NULL pointer passed to pdb_init_sam\n");
105 *user=(SAM_ACCOUNT *)malloc(sizeof(SAM_ACCOUNT));
108 DEBUG(0,("pdb_init_sam: error while allocating memory\n"));
112 pdb_fill_default_sam(*user);
118 /*************************************************************
119 Initialises a struct sam_passwd with sane values.
120 ************************************************************/
122 BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
133 if (!pdb_init_sam(new_sam_acct)) {
138 pdb_set_username(*new_sam_acct, pwd->pw_name);
139 pdb_set_fullname(*new_sam_acct, pwd->pw_gecos);
141 pdb_set_uid(*new_sam_acct, pwd->pw_uid);
142 pdb_set_gid(*new_sam_acct, pwd->pw_gid);
144 pdb_set_user_rid(*new_sam_acct, pdb_uid_to_user_rid(pwd->pw_uid));
146 /* call the mapping code here */
147 if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
148 sid_peek_rid(&map.sid, &rid);
151 rid=pdb_gid_to_group_rid(pwd->pw_gid);
154 pdb_set_group_rid(*new_sam_acct, rid);
156 pstrcpy(str, lp_logon_path());
157 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, pwd->pw_name, str);
158 pdb_set_profile_path(*new_sam_acct, str);
160 pstrcpy(str, lp_logon_home());
161 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, pwd->pw_name, str);
162 pdb_set_homedir(*new_sam_acct, str);
164 pstrcpy(str, lp_logon_drive());
165 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, pwd->pw_name, str);
166 pdb_set_dir_drive(*new_sam_acct, str);
168 pstrcpy(str, lp_logon_script());
169 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, pwd->pw_name, str);
170 pdb_set_logon_script(*new_sam_acct, str);
176 /************************************************************
177 Free the NT/LM hashes only.
178 ***********************************************************/
180 static BOOL pdb_free_sam_contents(SAM_ACCOUNT *user)
183 DEBUG(0,("pdb_free_sam_contents: SAM_ACCOUNT was NULL\n"));
185 smb_panic("NULL pointer passed to pdb_free_sam_contents\n");
190 /* As we start mallocing more strings this is where
191 we should free them. */
193 SAFE_FREE(user->nt_pw);
194 SAFE_FREE(user->lm_pw);
200 /************************************************************
201 Reset the SAM_ACCOUNT and free the NT/LM hashes.
202 - note: they are not zero'ed out however.
203 ***********************************************************/
205 BOOL pdb_reset_sam(SAM_ACCOUNT *user)
208 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
210 smb_panic("NULL pointer passed to pdb_free_sam\n");
215 if (!pdb_free_sam_contents(user)) {
219 if (!pdb_fill_default_sam(user)) {
227 /************************************************************
228 Free the SAM_ACCOUNT and the NT/LM hashes.
229 ***********************************************************/
231 BOOL pdb_free_sam(SAM_ACCOUNT **user)
234 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
236 smb_panic("NULL pointer passed to pdb_free_sam\n");
241 if (!pdb_free_sam_contents(*user)) {
251 /**********************************************************
252 Encode the account control bits into a string.
253 length = length of string to encode into (including terminating
254 null). length *MUST BE MORE THAN 2* !
255 **********************************************************/
257 char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
259 static fstring acct_str;
264 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
265 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
266 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
267 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
268 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
269 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
270 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
271 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
272 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
273 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
274 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
276 for ( ; i < length - 2 ; i++ )
281 acct_str[i++] = '\0';
286 /**********************************************************
287 Decode the account control bits from a string.
288 **********************************************************/
290 uint16 pdb_decode_acct_ctrl(const char *p)
292 uint16 acct_ctrl = 0;
293 BOOL finished = False;
296 * Check if the account type bits have been encoded after the
297 * NT password (in the form [NDHTUWSLXI]).
303 for (p++; *p && !finished; p++) {
305 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
306 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
307 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
308 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
309 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
310 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
311 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
312 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
313 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
314 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
315 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
321 default: { finished = True; }
328 /*************************************************************
329 Routine to set 32 hex password characters from a 16 byte array.
330 **************************************************************/
332 void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
336 for (i = 0; i < 16; i++)
337 slprintf(&p[i*2], 3, "%02X", pwd[i]);
339 if (acct_ctrl & ACB_PWNOTREQ)
340 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
342 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
346 /*************************************************************
347 Routine to get the 32 hex characters and turn them
348 into a 16 byte array.
349 **************************************************************/
351 BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
354 unsigned char lonybble, hinybble;
355 char *hexchars = "0123456789ABCDEF";
361 for (i = 0; i < 32; i += 2) {
362 hinybble = toupper(p[i]);
363 lonybble = toupper(p[i + 1]);
365 p1 = strchr(hexchars, hinybble);
366 p2 = strchr(hexchars, lonybble);
371 hinybble = PTR_DIFF(p1, hexchars);
372 lonybble = PTR_DIFF(p2, hexchars);
374 pwd[i / 2] = (hinybble << 4) | lonybble;
379 /*******************************************************************
380 Group and User RID username mapping function
381 ********************************************************************/
383 BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
386 struct passwd *pw = Get_Pwnam(user_name);
388 if (u_rid == NULL || g_rid == NULL || user_name == NULL)
392 DEBUG(1,("Username %s is invalid on this system\n", user_name));
396 /* turn the unix UID into a Domain RID. this is what the posix
397 sub-system does (adds 1000 to the uid) */
398 *u_rid = pdb_uid_to_user_rid(pw->pw_uid);
400 /* absolutely no idea what to do about the unix GID to Domain RID mapping */
402 if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
403 sid_peek_rid(&map.sid, g_rid);
405 *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
410 /*******************************************************************
411 Converts NT user RID to a UNIX uid.
412 ********************************************************************/
414 uid_t pdb_user_rid_to_uid(uint32 user_rid)
416 return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER);
420 /*******************************************************************
421 Converts NT group RID to a UNIX gid.
422 ********************************************************************/
424 gid_t pdb_group_rid_to_gid(uint32 group_rid)
426 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER);
429 /*******************************************************************
430 converts UNIX uid to an NT User RID.
431 ********************************************************************/
433 uint32 pdb_uid_to_user_rid(uid_t uid)
435 return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE);
438 /*******************************************************************
439 converts NT Group RID to a UNIX uid.
441 warning: you must not call that function only
442 you must do a call to the group mapping first.
443 there is not anymore a direct link between the gid and the rid.
444 ********************************************************************/
446 uint32 pdb_gid_to_group_rid(gid_t gid)
448 return (((((uint32)gid)*RID_MULTIPLIER) + 1000) | GROUP_RID_TYPE);
451 /*******************************************************************
452 Decides if a RID is a well known RID.
453 ********************************************************************/
455 static BOOL pdb_rid_is_well_known(uint32 rid)
460 /*******************************************************************
461 Decides if a RID is a user or group RID.
462 ********************************************************************/
464 BOOL pdb_rid_is_user(uint32 rid)
466 /* lkcl i understand that NT attaches an enumeration to a RID
467 * such that it can be identified as either a user, group etc
468 * type. there are 5 such categories, and they are documented.
470 if(pdb_rid_is_well_known(rid)) {
472 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
473 * and DOMAIN_USER_RID_GUEST.
475 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
477 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
483 /*******************************************************************
484 Convert a rid into a name. Used in the lookup SID rpc.
485 ********************************************************************/
487 BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use)
492 sid_peek_rid(sid, &rid);
493 is_user = pdb_rid_is_user(rid);
494 *psid_name_use = SID_NAME_UNKNOWN;
496 DEBUG(5,("local_lookup_sid: looking up %s RID %u.\n", is_user ? "user" :
497 "group", (unsigned int)rid));
500 if(rid == DOMAIN_USER_RID_ADMIN) {
502 char *p = admin_users;
503 *psid_name_use = SID_NAME_USER;
504 if(!next_token(&p, name, NULL, sizeof(fstring)))
505 fstrcpy(name, "Administrator");
506 } else if (rid == DOMAIN_USER_RID_GUEST) {
508 char *p = guest_users;
509 *psid_name_use = SID_NAME_USER;
510 if(!next_token(&p, name, NULL, sizeof(fstring)))
511 fstrcpy(name, "Guest");
517 * Don't try to convert the rid to a name if
518 * running in appliance mode
520 if (lp_hide_local_users())
523 uid = pdb_user_rid_to_uid(rid);
524 pass = sys_getpwuid(uid);
526 *psid_name_use = SID_NAME_USER;
528 DEBUG(5,("local_lookup_sid: looking up uid %u %s\n", (unsigned int)uid,
529 pass ? "succeeded" : "failed" ));
532 slprintf(name, sizeof(fstring)-1, "unix_user.%u", (unsigned int)uid);
536 fstrcpy(name, pass->pw_name);
538 DEBUG(5,("local_lookup_sid: found user %s for rid %u\n", name,
539 (unsigned int)rid ));
548 * Don't try to convert the rid to a name if running
552 if (lp_hide_local_users())
555 /* check if it's a mapped group */
556 if (get_group_map_from_sid(*sid, &map, MAPPING_WITHOUT_PRIV)) {
558 DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
559 fstrcpy(name, map.nt_name);
560 *psid_name_use = map.sid_name_use;
565 gid = pdb_group_rid_to_gid(rid);
568 *psid_name_use = SID_NAME_ALIAS;
570 DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid,
571 gr ? "succeeded" : "failed" ));
574 slprintf(name, sizeof(fstring)-1, "unix_group.%u", (unsigned int)gid);
578 fstrcpy( name, gr->gr_name);
580 DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name,
581 (unsigned int)rid ));
587 /*******************************************************************
588 Convert a name into a SID. Used in the lookup name rpc.
589 ********************************************************************/
591 BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use)
593 extern DOM_SID global_sid_World_Domain;
594 struct passwd *pass = NULL;
599 *psid_name_use = SID_NAME_UNKNOWN;
602 * domain and user may be quoted const strings, and map_username and
603 * friends can modify them. Make a modifiable copy. JRA.
606 fstrcpy(domain, c_domain);
607 fstrcpy(user, c_user);
609 sid_copy(&local_sid, &global_sam_sid);
612 * Special case for MACHINE\Everyone. Map to the world_sid.
615 if(strequal(user, "Everyone")) {
616 sid_copy( psid, &global_sid_World_Domain);
617 sid_append_rid(psid, 0);
618 *psid_name_use = SID_NAME_ALIAS;
623 * Don't lookup local unix users if running in appliance mode
625 if (lp_hide_local_users())
628 (void)map_username(user);
630 if((pass = Get_Pwnam(user))) {
631 sid_append_rid( &local_sid, pdb_uid_to_user_rid(pass->pw_uid));
632 *psid_name_use = SID_NAME_USER;
635 * Maybe it was a group ?
640 /* check if it's a mapped group */
641 if (get_group_map_from_ntname(user, &map, MAPPING_WITHOUT_PRIV)) {
643 /* yes it's a mapped group to a valid unix group */
644 sid_copy(&local_sid, &map.sid);
645 *psid_name_use = map.sid_name_use;
648 /* it's a correct name but not mapped so it points to nothing*/
651 /* it's not a mapped group */
652 grp = getgrnam(user);
657 *check if it's mapped, if it is reply it doesn't exist
659 * that's to prevent this case:
661 * unix group ug is mapped to nt group ng
662 * someone does a lookup on ug
663 * we must not reply as it doesn't "exist" anymore
664 * for NT. For NT only ng exists.
668 if(get_group_map_from_gid(grp->gr_gid, &map, MAPPING_WITHOUT_PRIV)){
672 sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
673 *psid_name_use = SID_NAME_ALIAS;
677 sid_copy( psid, &local_sid);
682 /****************************************************************************
683 Convert a uid to SID - locally.
684 ****************************************************************************/
686 DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
688 extern DOM_SID global_sam_sid;
690 sid_copy(psid, &global_sam_sid);
691 sid_append_rid(psid, pdb_uid_to_user_rid(uid));
696 /****************************************************************************
697 Convert a SID to uid - locally.
698 ****************************************************************************/
700 BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
702 extern DOM_SID global_sam_sid;
709 *name_type = SID_NAME_UNKNOWN;
711 sid_copy(&dom_sid, psid);
712 sid_split_rid(&dom_sid, &rid);
714 if (!pdb_rid_is_user(rid))
718 * We can only convert to a uid if this is our local
719 * Domain SID (ie. we are the controling authority).
721 if (!sid_equal(&global_sam_sid, &dom_sid))
724 *puid = pdb_user_rid_to_uid(rid);
727 * Ensure this uid really does exist.
729 if(!(pass = sys_getpwuid(*puid)))
732 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid),
733 (unsigned int)*puid, pass->pw_name ));
735 *name_type = SID_NAME_USER;
740 /****************************************************************************
741 Convert a gid to SID - locally.
742 ****************************************************************************/
744 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
746 extern DOM_SID global_sam_sid;
749 sid_copy(psid, &global_sam_sid);
751 if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
752 sid_copy(psid, &map.sid);
755 sid_append_rid(psid, pdb_gid_to_group_rid(gid));
761 /****************************************************************************
762 Convert a SID to gid - locally.
763 ****************************************************************************/
765 BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
767 extern DOM_SID global_sam_sid;
774 *name_type = SID_NAME_UNKNOWN;
776 sid_copy(&dom_sid, psid);
777 sid_split_rid(&dom_sid, &rid);
780 * We can only convert to a gid if this is our local
781 * Domain SID (ie. we are the controling authority).
783 * Or in the Builtin SID too. JFM, 11/30/2001
786 if (!sid_equal(&global_sam_sid, &dom_sid))
789 if (pdb_rid_is_user(rid))
792 if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {
794 /* the SID is in the mapping table but not mapped */
798 sid_peek_rid(&map.sid, pgid);
799 *name_type = map.sid_name_use;
801 *pgid = pdb_group_rid_to_gid(rid);
802 *name_type = SID_NAME_ALIAS;
806 * Ensure this gid really does exist.
809 if(!(grp = getgrgid(*pgid)))
812 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u) (%s).\n", sid_to_string( str, psid),
813 (unsigned int)*pgid, grp->gr_name ));
818 static void select_name(pstring string, const UNISTR2 *from)
820 if (from->buffer != 0)
821 unistr2_to_ascii(string, from, sizeof(pstring));
824 /*************************************************************
825 Copies a SAM_USER_INFO_23 to a SAM_ACCOUNT
826 **************************************************************/
828 void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from)
831 if (from == NULL || to == NULL)
834 to->logon_time = nt_time_to_unix(&from->logon_time);
835 to->logoff_time = nt_time_to_unix(&from->logoff_time);
836 to->kickoff_time = nt_time_to_unix(&from->kickoff_time);
837 to->pass_last_set_time = nt_time_to_unix(&from->pass_last_set_time);
838 to->pass_can_change_time = nt_time_to_unix(&from->pass_can_change_time);
839 to->pass_must_change_time = nt_time_to_unix(&from->pass_must_change_time);
841 select_name(to->username , &from->uni_user_name );
842 select_name(to->full_name , &from->uni_full_name );
843 select_name(to->home_dir , &from->uni_home_dir );
844 select_name(to->dir_drive , &from->uni_dir_drive );
845 select_name(to->logon_script, &from->uni_logon_script);
846 select_name(to->profile_path, &from->uni_profile_path);
847 select_name(to->acct_desc , &from->uni_acct_desc );
848 select_name(to->workstations, &from->uni_workstations);
849 select_name(to->unknown_str , &from->uni_unknown_str );
850 select_name(to->munged_dial , &from->uni_munged_dial );
853 to->user_rid = from->user_rid;
855 to->group_rid = from->group_rid;
857 to->acct_ctrl = from->acb_info;
858 to->unknown_3 = from->unknown_3;
860 to->logon_divs = from->logon_divs;
861 to->hours_len = from->logon_hrs.len;
862 memcpy(to->hours, from->logon_hrs.hours, MAX_HOURS_LEN);
864 to->unknown_5 = from->unknown_5;
865 to->unknown_6 = from->unknown_6;
868 /*************************************************************
870 **************************************************************/
872 void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from)
874 if (from == NULL || to == NULL)
877 to->logon_time = nt_time_to_unix(&from->logon_time);
878 to->logoff_time = nt_time_to_unix(&from->logoff_time);
879 to->kickoff_time = nt_time_to_unix(&from->kickoff_time);
880 to->pass_last_set_time = nt_time_to_unix(&from->pass_last_set_time);
881 to->pass_can_change_time = nt_time_to_unix(&from->pass_can_change_time);
882 to->pass_must_change_time = nt_time_to_unix(&from->pass_must_change_time);
884 select_name(to->username , &from->uni_user_name );
885 select_name(to->full_name , &from->uni_full_name );
886 select_name(to->home_dir , &from->uni_home_dir );
887 select_name(to->dir_drive , &from->uni_dir_drive );
888 select_name(to->logon_script, &from->uni_logon_script);
889 select_name(to->profile_path, &from->uni_profile_path);
890 select_name(to->acct_desc , &from->uni_acct_desc );
891 select_name(to->workstations, &from->uni_workstations);
892 select_name(to->unknown_str , &from->uni_unknown_str );
893 select_name(to->munged_dial , &from->uni_munged_dial );
895 to->user_rid = from->user_rid;
896 to->group_rid = from->group_rid;
898 /* FIXME!! Do we need to copy the passwords here as well?
899 I don't know. Need to figure this out --jerry */
901 to->acct_ctrl = from->acb_info;
902 to->unknown_3 = from->unknown_3;
904 to->logon_divs = from->logon_divs;
905 to->hours_len = from->logon_hrs.len;
906 memcpy(to->hours, from->logon_hrs.hours, MAX_HOURS_LEN);
908 to->unknown_5 = from->unknown_5;
909 to->unknown_6 = from->unknown_6;
912 /*************************************************************
913 Change a password entry in the local smbpasswd file.
915 FIXME!! The function needs to be abstracted into the
916 passdb interface or something. It is currently being called
917 by _api_samr_create_user() in rpc_server/srv_samr.c,
918 in SWAT and by smbpasswd/pdbedit.
921 *************************************************************/
923 BOOL local_password_change(const char *user_name, int local_flags,
924 const char *new_passwd,
925 char *err_str, size_t err_str_len,
926 char *msg_str, size_t msg_str_len)
928 struct passwd *pwd = NULL;
929 SAM_ACCOUNT *sam_pass=NULL;
934 /* Get the smb passwd entry for this user */
935 pdb_init_sam(&sam_pass);
936 if(!pdb_getsampwnam(sam_pass, user_name)) {
937 pdb_free_sam(&sam_pass);
939 if (local_flags & LOCAL_ADD_USER) {
941 * Check for a local account - if we're adding only.
944 if(!(pwd = sys_getpwnam(user_name))) {
945 slprintf(err_str, err_str_len - 1, "User %s does not \
946 exist in system password file (usually /etc/passwd). Cannot add \
947 account without a valid local system user.\n", user_name);
951 slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
955 if (!pdb_init_sam_pw(&sam_pass, pwd)) {
956 slprintf(err_str, err_str_len-1, "Failed initialise SAM_ACCOUNT for user %s.\n", user_name);
961 if (local_flags & LOCAL_TRUST_ACCOUNT) {
962 if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST)) {
963 slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
964 pdb_free_sam(&sam_pass);
967 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
968 if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST)) {
969 slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
970 pdb_free_sam(&sam_pass);
974 if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL)) {
975 slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
976 pdb_free_sam(&sam_pass);
982 /* the entry already existed */
983 local_flags &= ~LOCAL_ADD_USER;
987 * We are root - just write the new password
988 * and the valid last change time.
991 if (local_flags & LOCAL_DISABLE_USER) {
992 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED)) {
993 slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
994 pdb_free_sam(&sam_pass);
997 } else if (local_flags & LOCAL_ENABLE_USER) {
998 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED))) {
999 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
1000 pdb_free_sam(&sam_pass);
1005 if (local_flags & LOCAL_SET_NO_PASSWORD) {
1006 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ)) {
1007 slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
1008 pdb_free_sam(&sam_pass);
1011 } else if (local_flags & LOCAL_SET_PASSWORD) {
1013 * If we're dealing with setting a completely empty user account
1014 * ie. One with a password of 'XXXX', but not set disabled (like
1015 * an account created from scratch) then if the old password was
1016 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
1017 * We remove that as we're giving this user their first password
1018 * and the decision hasn't really been made to disable them (ie.
1019 * don't create them disabled). JRA.
1021 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
1022 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED))) {
1023 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
1024 pdb_free_sam(&sam_pass);
1028 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ))) {
1029 slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
1030 pdb_free_sam(&sam_pass);
1034 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
1035 slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
1036 pdb_free_sam(&sam_pass);
1041 if (local_flags & LOCAL_ADD_USER) {
1042 if (pdb_add_sam_account(sam_pass)) {
1043 slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
1044 pdb_free_sam(&sam_pass);
1047 slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
1048 pdb_free_sam(&sam_pass);
1051 } else if (local_flags & LOCAL_DELETE_USER) {
1052 if (!pdb_delete_sam_account(user_name)) {
1053 slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
1054 pdb_free_sam(&sam_pass);
1057 slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
1059 if(!pdb_update_sam_account(sam_pass, True)) {
1060 slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
1061 pdb_free_sam(&sam_pass);
1064 if(local_flags & LOCAL_DISABLE_USER)
1065 slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
1066 else if (local_flags & LOCAL_ENABLE_USER)
1067 slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
1068 else if (local_flags & LOCAL_SET_NO_PASSWORD)
1069 slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
1072 pdb_free_sam(&sam_pass);
1076 /*********************************************************************
1077 Collection of get...() functions for SAM_ACCOUNT_INFO.
1078 ********************************************************************/
1080 uint16 pdb_get_acct_ctrl (const SAM_ACCOUNT *sampass)
1083 return (sampass->acct_ctrl);
1085 return (ACB_DISABLED);
1088 time_t pdb_get_logon_time (const SAM_ACCOUNT *sampass)
1091 return (sampass->logon_time);
1096 time_t pdb_get_logoff_time (const SAM_ACCOUNT *sampass)
1099 return (sampass->logoff_time);
1104 time_t pdb_get_kickoff_time (const SAM_ACCOUNT *sampass)
1107 return (sampass->kickoff_time);
1112 time_t pdb_get_pass_last_set_time (const SAM_ACCOUNT *sampass)
1115 return (sampass->pass_last_set_time);
1120 time_t pdb_get_pass_can_change_time (const SAM_ACCOUNT *sampass)
1123 return (sampass->pass_can_change_time);
1128 time_t pdb_get_pass_must_change_time (const SAM_ACCOUNT *sampass)
1131 return (sampass->pass_must_change_time);
1136 uint16 pdb_get_logon_divs (const SAM_ACCOUNT *sampass)
1139 return (sampass->logon_divs);
1144 uint32 pdb_get_hours_len (const SAM_ACCOUNT *sampass)
1147 return (sampass->hours_len);
1152 const uint8* pdb_get_hours (const SAM_ACCOUNT *sampass)
1155 return (sampass->hours);
1160 const uint8* pdb_get_nt_passwd (const SAM_ACCOUNT *sampass)
1163 return (sampass->nt_pw);
1168 const uint8* pdb_get_lanman_passwd (const SAM_ACCOUNT *sampass)
1171 return (sampass->lm_pw);
1176 uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
1179 return (sampass->user_rid);
1184 uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
1187 return (sampass->group_rid);
1192 uid_t pdb_get_uid (const SAM_ACCOUNT *sampass)
1195 return (sampass->uid);
1200 gid_t pdb_get_gid (const SAM_ACCOUNT *sampass)
1203 return (sampass->gid);
1208 const char* pdb_get_username (const SAM_ACCOUNT *sampass)
1211 return (sampass->username);
1216 const char* pdb_get_domain (const SAM_ACCOUNT *sampass)
1219 return (sampass->domain);
1224 const char* pdb_get_nt_username (const SAM_ACCOUNT *sampass)
1227 return (sampass->nt_username);
1232 const char* pdb_get_fullname (const SAM_ACCOUNT *sampass)
1235 return (sampass->full_name);
1240 const char* pdb_get_homedir (const SAM_ACCOUNT *sampass)
1243 return (sampass->home_dir);
1248 const char* pdb_get_dirdrive (const SAM_ACCOUNT *sampass)
1251 return (sampass->dir_drive);
1256 const char* pdb_get_logon_script (const SAM_ACCOUNT *sampass)
1259 return (sampass->logon_script);
1264 const char* pdb_get_profile_path (const SAM_ACCOUNT *sampass)
1267 return (sampass->profile_path);
1272 const char* pdb_get_acct_desc (const SAM_ACCOUNT *sampass)
1275 return (sampass->acct_desc);
1280 const char* pdb_get_workstations (const SAM_ACCOUNT *sampass)
1283 return (sampass->workstations);
1288 const char* pdb_get_munged_dial (const SAM_ACCOUNT *sampass)
1291 return (sampass->munged_dial);
1296 uint32 pdb_get_unknown3 (const SAM_ACCOUNT *sampass)
1299 return (sampass->unknown_3);
1304 uint32 pdb_get_unknown5 (const SAM_ACCOUNT *sampass)
1307 return (sampass->unknown_5);
1312 uint32 pdb_get_unknown6 (const SAM_ACCOUNT *sampass)
1315 return (sampass->unknown_6);
1320 /*********************************************************************
1321 Collection of set...() functions for SAM_ACCOUNT_INFO.
1322 ********************************************************************/
1324 BOOL pdb_set_acct_ctrl (SAM_ACCOUNT *sampass, uint16 flags)
1330 sampass->acct_ctrl = flags;
1337 BOOL pdb_set_logon_time (SAM_ACCOUNT *sampass, time_t mytime)
1342 sampass->logon_time = mytime;
1346 BOOL pdb_set_logoff_time (SAM_ACCOUNT *sampass, time_t mytime)
1351 sampass->logoff_time = mytime;
1355 BOOL pdb_set_kickoff_time (SAM_ACCOUNT *sampass, time_t mytime)
1360 sampass->kickoff_time = mytime;
1364 BOOL pdb_set_pass_can_change_time (SAM_ACCOUNT *sampass, time_t mytime)
1369 sampass->pass_can_change_time = mytime;
1373 BOOL pdb_set_pass_must_change_time (SAM_ACCOUNT *sampass, time_t mytime)
1378 sampass->pass_must_change_time = mytime;
1382 BOOL pdb_set_pass_last_set_time (SAM_ACCOUNT *sampass, time_t mytime)
1387 sampass->pass_last_set_time = mytime;
1391 BOOL pdb_set_hours_len (SAM_ACCOUNT *sampass, uint32 len)
1396 sampass->hours_len = len;
1400 BOOL pdb_set_logons_divs (SAM_ACCOUNT *sampass, uint16 hours)
1405 sampass->logon_divs = hours;
1409 BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t uid)
1415 sampass->init_flag |= FLAG_SAM_UID;
1421 BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid)
1427 sampass->init_flag |= FLAG_SAM_GID;
1433 BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid)
1438 sampass->user_rid = rid;
1442 BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid)
1447 sampass->group_rid = grid;
1451 /*********************************************************************
1452 Set the user's UNIX name.
1453 ********************************************************************/
1455 BOOL pdb_set_username(SAM_ACCOUNT *sampass, const char *username)
1459 *sampass->username = '\0';
1463 StrnCpy (sampass->username, username, strlen(username));
1468 /*********************************************************************
1469 Set the domain name.
1470 ********************************************************************/
1472 BOOL pdb_set_domain(SAM_ACCOUNT *sampass, const char *domain)
1476 *sampass->domain = '\0';
1480 StrnCpy (sampass->domain, domain, strlen(domain));
1485 /*********************************************************************
1486 Set the user's NT name.
1487 ********************************************************************/
1489 BOOL pdb_set_nt_username(SAM_ACCOUNT *sampass, const char *nt_username)
1493 *sampass->nt_username = '\0';
1497 StrnCpy (sampass->nt_username, nt_username, strlen(nt_username));
1502 /*********************************************************************
1503 Set the user's full name.
1504 ********************************************************************/
1506 BOOL pdb_set_fullname(SAM_ACCOUNT *sampass, const char *fullname)
1510 *sampass->full_name = '\0';
1514 StrnCpy (sampass->full_name, fullname, strlen(fullname));
1519 /*********************************************************************
1520 Set the user's logon script.
1521 ********************************************************************/
1523 BOOL pdb_set_logon_script(SAM_ACCOUNT *sampass, const char *logon_script)
1527 *sampass->logon_script = '\0';
1531 StrnCpy (sampass->logon_script, logon_script, strlen(logon_script));
1536 /*********************************************************************
1537 Set the user's profile path.
1538 ********************************************************************/
1540 BOOL pdb_set_profile_path (SAM_ACCOUNT *sampass, const char *profile_path)
1544 *sampass->profile_path = '\0';
1548 StrnCpy (sampass->profile_path, profile_path, strlen(profile_path));
1553 /*********************************************************************
1554 Set the user's directory drive.
1555 ********************************************************************/
1557 BOOL pdb_set_dir_drive (SAM_ACCOUNT *sampass, const char *dir_drive)
1561 *sampass->dir_drive = '\0';
1565 StrnCpy (sampass->dir_drive, dir_drive, strlen(dir_drive));
1570 /*********************************************************************
1571 Set the user's home directory.
1572 ********************************************************************/
1574 BOOL pdb_set_homedir (SAM_ACCOUNT *sampass, const char *homedir)
1578 *sampass->home_dir = '\0';
1582 StrnCpy (sampass->home_dir, homedir, strlen(homedir));
1587 /*********************************************************************
1588 Set the user's account description.
1589 ********************************************************************/
1591 BOOL pdb_set_acct_desc (SAM_ACCOUNT *sampass, const char *acct_desc)
1595 *sampass->acct_desc = '\0';
1599 StrnCpy (sampass->acct_desc, acct_desc, strlen(acct_desc));
1604 /*********************************************************************
1605 Set the user's workstation allowed list.
1606 ********************************************************************/
1608 BOOL pdb_set_workstations (SAM_ACCOUNT *sampass, const char *workstations)
1612 *sampass->workstations = '\0';
1616 StrnCpy (sampass->workstations, workstations, strlen(workstations));
1621 /*********************************************************************
1622 Set the user's dial string.
1623 ********************************************************************/
1625 BOOL pdb_set_munged_dial (SAM_ACCOUNT *sampass, const char *munged_dial)
1629 *sampass->munged_dial = '\0';
1633 StrnCpy (sampass->munged_dial, munged_dial, strlen(munged_dial));
1638 /*********************************************************************
1639 Set the user's NT hash.
1640 ********************************************************************/
1642 BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, const uint8 *pwd)
1648 /* Allow setting to NULL */
1649 SAFE_FREE(sampass->nt_pw);
1653 if (sampass->nt_pw!=NULL)
1654 DEBUG(4,("pdb_set_nt_passwd: NT hash non NULL overwritting ?\n"));
1656 sampass->nt_pw=(unsigned char *)malloc(sizeof(unsigned char)*16);
1658 if (sampass->nt_pw==NULL)
1661 memcpy (sampass->nt_pw, pwd, 16);
1666 /*********************************************************************
1667 Set the user's LM hash.
1668 ********************************************************************/
1670 BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, const uint8 *pwd)
1676 /* Allow setting to NULL */
1677 SAFE_FREE(sampass->lm_pw);
1681 if (sampass->lm_pw!=NULL)
1682 DEBUG(4,("pdb_set_lanman_passwd: LM hash non NULL overwritting ?\n"));
1684 sampass->lm_pw=(unsigned char *)malloc(sizeof(unsigned char)*16);
1686 if (sampass->lm_pw==NULL)
1689 memcpy (sampass->lm_pw, pwd, 16);
1694 BOOL pdb_set_unknown_3 (SAM_ACCOUNT *sampass, uint32 unkn)
1699 sampass->unknown_3 = unkn;
1703 BOOL pdb_set_unknown_5 (SAM_ACCOUNT *sampass, uint32 unkn)
1708 sampass->unknown_5 = unkn;
1712 BOOL pdb_set_unknown_6 (SAM_ACCOUNT *sampass, uint32 unkn)
1717 sampass->unknown_6 = unkn;
1721 BOOL pdb_set_hours (SAM_ACCOUNT *sampass, const uint8 *hours)
1727 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
1731 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
1737 /* Helpful interfaces to the above */
1739 /*********************************************************************
1740 Sets the last changed times and must change times for a normal
1742 ********************************************************************/
1744 BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
1751 if (!pdb_set_pass_last_set_time (sampass, time(NULL)))
1754 account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&expire);
1757 if (!pdb_set_pass_must_change_time (sampass, 0))
1760 if (!pdb_set_pass_must_change_time (sampass,
1761 pdb_get_pass_last_set_time(sampass)
1769 /*********************************************************************
1770 Set the user's PLAINTEXT password. Used as an interface to the above.
1771 Also sets the last change time to NOW.
1772 ********************************************************************/
1774 BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
1776 uchar new_lanman_p16[16];
1777 uchar new_nt_p16[16];
1779 if (!sampass || !plaintext)
1782 nt_lm_owf_gen (plaintext, new_nt_p16, new_lanman_p16);
1784 if (!pdb_set_nt_passwd (sampass, new_nt_p16))
1787 if (!pdb_set_lanman_passwd (sampass, new_lanman_p16))
1790 if (!pdb_set_pass_changed_now (sampass))
1796 /***************************************************************************
1797 Search by uid. Wrapper around pdb_getsampwnam()
1798 **************************************************************************/
1800 BOOL pdb_getsampwuid (SAM_ACCOUNT* user, uid_t uid)
1806 DEBUG(0,("pdb_getsampwuid: SAM_ACCOUNT is NULL.\n"));
1811 * Never trust the uid in the passdb. Lookup the username first
1812 * and then lokup the user by name in the sam.
1815 if ((pw=sys_getpwuid(uid)) == NULL) {
1816 DEBUG(0,("pdb_getsampwuid: getpwuid(%d) return NULL. User does not exist in Unix accounts!\n", uid));
1820 fstrcpy (name, pw->pw_name);
1822 return pdb_getsampwnam (user, name);