2 * Unix SMB/CIFS implementation.
3 * account policy storage
4 * Copyright (C) Jean François Micouleau 1998-2001.
5 * Copyright (C) Andrew Bartlett 2002
6 * Copyright (C) Guenther Deschner 2004-2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 static TDB_CONTEXT *tdb;
26 /* cache all entries for 60 seconds for to save ldap-queries (cache is updated
27 * after this period if admins do not use pdbedit or usermanager but manipulate
28 * ldap directly) - gd */
30 #define DATABASE_VERSION 3
31 #define AP_LASTSET "LAST_CACHE_UPDATE"
39 const char *description;
40 const char *ldap_attr;
43 static const struct ap_table account_policy_names[] = {
44 {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
45 "Minimal password length (default: 5)",
46 "sambaMinPwdLength" },
48 {AP_PASSWORD_HISTORY, "password history", 0,
49 "Length of Password History Entries (default: 0 => off)",
50 "sambaPwdHistoryLength" },
52 {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
53 "Force Users to logon for password change (default: 0 => off, 2 => on)",
54 "sambaLogonToChgPwd" },
56 {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
57 "Maximum password age, in seconds (default: -1 => never expire passwords)",
60 {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
61 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
64 {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
65 "Lockout duration in minutes (default: 30, -1 => forever)",
66 "sambaLockoutDuration" },
68 {AP_RESET_COUNT_TIME, "reset count minutes", 30,
69 "Reset time after lockout in minutes (default: 30)",
70 "sambaLockoutObservationWindow" },
72 {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
73 "Lockout users after bad logon attempts (default: 0 => off)",
74 "sambaLockoutThreshold" },
76 {AP_TIME_TO_LOGOUT, "disconnect time", -1,
77 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
80 {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
81 "Allow Machine Password changes (default: 0 => off)",
82 "sambaRefuseMachinePwdChange" },
84 {0, NULL, 0, "", NULL}
87 char *account_policy_names_list(void)
93 for (i=0; account_policy_names[i].string; i++) {
94 len += strlen(account_policy_names[i].string) + 1;
102 for (i=0; account_policy_names[i].string; i++) {
103 memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1);
104 p[strlen(account_policy_names[i].string)] = '\n';
105 p += strlen(account_policy_names[i].string) + 1;
111 /****************************************************************************
112 Get the account policy name as a string from its #define'ed number
113 ****************************************************************************/
115 const char *decode_account_policy_name(int field)
118 for (i=0; account_policy_names[i].string; i++) {
119 if (field == account_policy_names[i].field)
120 return account_policy_names[i].string;
125 /****************************************************************************
126 Get the account policy LDAP attribute as a string from its #define'ed number
127 ****************************************************************************/
129 const char *get_account_policy_attr(int field)
132 for (i=0; account_policy_names[i].field; i++) {
133 if (field == account_policy_names[i].field)
134 return account_policy_names[i].ldap_attr;
139 /****************************************************************************
140 Get the account policy description as a string from its #define'ed number
141 ****************************************************************************/
143 const char *account_policy_get_desc(int field)
146 for (i=0; account_policy_names[i].string; i++) {
147 if (field == account_policy_names[i].field)
148 return account_policy_names[i].description;
153 /****************************************************************************
154 Get the account policy name as a string from its #define'ed number
155 ****************************************************************************/
157 int account_policy_name_to_fieldnum(const char *name)
160 for (i=0; account_policy_names[i].string; i++) {
161 if (strcmp(name, account_policy_names[i].string) == 0)
162 return account_policy_names[i].field;
167 /*****************************************************************************
168 Update LAST-Set counter inside the cache
169 *****************************************************************************/
171 static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update,
181 slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET);
183 if (!init_account_policy())
186 if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
187 DEBUG(10,("failed to get last set timestamp of cache\n"));
193 DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
199 if (!tdb_store_uint32(tdb, key, (uint32)now)) {
200 DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
203 DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
210 /*****************************************************************************
211 Get default value for account policy
212 *****************************************************************************/
214 BOOL account_policy_get_default(int account_policy, uint32 *val)
217 for (i=0; account_policy_names[i].field; i++) {
218 if (account_policy_names[i].field == account_policy) {
219 *val = account_policy_names[i].default_val;
223 DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
228 /*****************************************************************************
229 Set default for a field if it is empty
230 *****************************************************************************/
232 static BOOL account_policy_set_default_on_empty(int account_policy)
237 if (!account_policy_get(account_policy, &value) &&
238 !account_policy_get_default(account_policy, &value)) {
242 return account_policy_set(account_policy, value);
245 /*****************************************************************************
246 Open the account policy tdb.
247 ***`*************************************************************************/
249 BOOL init_account_policy(void)
252 const char *vstring = "INFO/version";
259 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
261 DEBUG(0,("Failed to open account policy database\n"));
265 /* handle a Samba upgrade */
266 tdb_lock_bystring(tdb, vstring,0);
267 if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
269 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
271 for (i=0; account_policy_names[i].field; i++) {
273 if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
274 DEBUG(0,("failed to set default value in account policy tdb\n"));
280 tdb_unlock_bystring(tdb, vstring);
282 /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
284 privilege_create_account( &global_sid_World );
285 privilege_create_account( &global_sid_Builtin_Administrators );
286 privilege_create_account( &global_sid_Builtin_Account_Operators );
287 privilege_create_account( &global_sid_Builtin_Server_Operators );
288 privilege_create_account( &global_sid_Builtin_Print_Operators );
289 privilege_create_account( &global_sid_Builtin_Backup_Operators );
294 /*****************************************************************************
295 Get an account policy (from tdb)
296 *****************************************************************************/
298 BOOL account_policy_get(int field, uint32 *value)
303 if (!init_account_policy())
309 fstrcpy(name, decode_account_policy_name(field));
311 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
314 if (!tdb_fetch_uint32(tdb, name, ®val)) {
315 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
321 DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
326 /****************************************************************************
327 Set an account policy (in tdb)
328 ****************************************************************************/
330 BOOL account_policy_set(int field, uint32 value)
334 if (!init_account_policy())
337 fstrcpy(name, decode_account_policy_name(field));
339 DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
343 if (!tdb_store_uint32(tdb, name, value)) {
344 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
348 DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
353 /****************************************************************************
354 Set an account policy in the cache
355 ****************************************************************************/
357 BOOL cache_account_policy_set(int field, uint32 value)
360 const char *policy_name = NULL;
362 policy_name = decode_account_policy_name(field);
363 if (policy_name == NULL) {
364 DEBUG(0,("cache_account_policy_set: no policy found\n"));
368 DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
370 if (!account_policy_set(field, value)) {
374 if (!account_policy_cache_timestamp(&lastset, True, policy_name))
376 DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
380 DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
385 /*****************************************************************************
386 Get an account policy from the cache
387 *****************************************************************************/
389 BOOL cache_account_policy_get(int field, uint32 *value)
393 if (!account_policy_cache_timestamp(&lastset, False,
394 decode_account_policy_name(field)))
396 DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
400 if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
401 DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
405 return account_policy_get(field, value);
409 /****************************************************************************
410 ****************************************************************************/
412 TDB_CONTEXT *get_account_pol_tdb( void )
416 if ( !init_account_policy() )