2 Unix SMB/Netbios implementation.
4 Password and authentication handling
5 Copyright (C) Jeremy Allison 1996-2001
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
7 Copyright (C) Gerald (Jerry) Carter 2000-2001
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * This is set on startup - it defines the SID for this
28 * machine, and therefore the SAM database for which it is
32 extern DOM_SID global_sam_sid;
34 struct passdb_ops *pdb_ops;
37 static void* pdb_handle = NULL;
40 /***************************************************************
41 Initialize the password db operations.
42 ***************************************************************/
44 BOOL initialize_password_db(BOOL reload)
47 * This function is unfinished right now, so just
48 * ignore the details and always return True. It
49 * is here only as a placeholder --jerry
56 /************************************************************
57 Fill the SAM_ACCOUNT with default values.
58 ***********************************************************/
60 static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user)
63 DEBUG(0,("pdb_fill_default_sam: SAM_ACCOUNT was NULL\n"));
69 /* Don't change these timestamp settings without a good reason.
70 They are important for NT member server compatibility. */
72 user->logon_time = (time_t)0;
73 user->pass_last_set_time = (time_t)0;
74 user->pass_can_change_time = (time_t)0;
77 user->pass_must_change_time = get_time_t_max();
79 user->unknown_3 = 0x00ffffff; /* don't know */
80 user->logon_divs = 168; /* hours per week */
81 user->hours_len = 21; /* 21 times 8 bits = 168 */
82 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
83 user->unknown_5 = 0x00000000; /* don't know */
84 user->unknown_6 = 0x000004ec; /* don't know */
89 /*************************************************************
90 Alloc memory and initialises a struct sam_passwd.
91 ************************************************************/
93 BOOL pdb_init_sam(SAM_ACCOUNT **user)
96 DEBUG(0,("pdb_init_sam: SAM_ACCOUNT was non NULL\n"));
98 smb_panic("NULL pointer passed to pdb_init_sam\n");
103 *user=(SAM_ACCOUNT *)malloc(sizeof(SAM_ACCOUNT));
106 DEBUG(0,("pdb_init_sam: error while allocating memory\n"));
110 pdb_fill_default_sam(*user);
116 /*************************************************************
117 Initialises a struct sam_passwd with sane values.
118 ************************************************************/
120 BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, struct passwd *pwd)
123 extern BOOL sam_logon_in_ssb;
124 extern pstring samlogon_user;
131 if (!pdb_init_sam(new_sam_acct)) {
136 pdb_set_username(*new_sam_acct, pwd->pw_name);
137 pdb_set_fullname(*new_sam_acct, pwd->pw_gecos);
139 pdb_set_uid(*new_sam_acct, &pwd->pw_uid);
140 pdb_set_gid(*new_sam_acct, &pwd->pw_gid);
142 pdb_set_user_rid(*new_sam_acct, pdb_uid_to_user_rid(pwd->pw_uid));
143 pdb_set_group_rid(*new_sam_acct, pdb_gid_to_group_rid(pwd->pw_gid));
145 /* UGLY, UGLY HACK!!! */
146 pstrcpy(samlogon_user, pwd->pw_name);
148 sam_logon_in_ssb = True;
150 pstrcpy(str, lp_logon_path());
151 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, str);
152 pdb_set_profile_path(*new_sam_acct, str);
154 pstrcpy(str, lp_logon_home());
155 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, str);
156 pdb_set_homedir(*new_sam_acct, str);
158 pstrcpy(str, lp_logon_drive());
159 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, str);
160 pdb_set_dir_drive(*new_sam_acct, str);
162 pstrcpy(str, lp_logon_script());
163 standard_sub_advanced(-1, pwd->pw_name, "", pwd->pw_gid, str);
164 pdb_set_logon_script(*new_sam_acct, str);
166 sam_logon_in_ssb = False;
171 /************************************************************
172 Free the NT/LM hashes only.
173 ***********************************************************/
175 static BOOL pdb_free_sam_contents(SAM_ACCOUNT *user)
178 DEBUG(0,("pdb_free_sam_contents: SAM_ACCOUNT was NULL\n"));
180 smb_panic("NULL pointer passed to pdb_free_sam_contents\n");
185 /* As we start mallocing more strings this is where
186 we should free them. */
188 SAFE_FREE(user->nt_pw);
189 SAFE_FREE(user->lm_pw);
191 SAFE_FREE(user->uid);
192 SAFE_FREE(user->gid);
198 /************************************************************
199 Reset the SAM_ACCOUNT and free the NT/LM hashes.
200 - note: they are not zero'ed out however.
201 ***********************************************************/
203 BOOL pdb_reset_sam(SAM_ACCOUNT *user)
206 DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
208 smb_panic("NULL pointer passed to pdb_free_sam\n");
213 if (!pdb_free_sam_contents(user)) {
217 if (!pdb_fill_default_sam(user)) {
225 /************************************************************
226 Free the SAM_ACCOUNT and the NT/LM hashes.
227 ***********************************************************/
229 BOOL pdb_free_sam(SAM_ACCOUNT **user)
232 DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
234 smb_panic("NULL pointer passed to pdb_free_sam\n");
239 if (!pdb_free_sam_contents(*user)) {
249 /**********************************************************
250 Encode the account control bits into a string.
251 length = length of string to encode into (including terminating
252 null). length *MUST BE MORE THAN 2* !
253 **********************************************************/
255 char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
257 static fstring acct_str;
262 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
263 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
264 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
265 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
266 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
267 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
268 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
269 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
270 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
271 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
272 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
274 for ( ; i < length - 2 ; i++ )
279 acct_str[i++] = '\0';
284 /**********************************************************
285 Decode the account control bits from a string.
286 **********************************************************/
288 uint16 pdb_decode_acct_ctrl(const char *p)
290 uint16 acct_ctrl = 0;
291 BOOL finished = False;
294 * Check if the account type bits have been encoded after the
295 * NT password (in the form [NDHTUWSLXI]).
301 for (p++; *p && !finished; p++) {
303 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
304 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
305 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
306 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
307 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
308 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
309 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
310 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
311 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
312 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
313 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
319 default: { finished = True; }
326 /*************************************************************
327 Routine to set 32 hex password characters from a 16 byte array.
328 **************************************************************/
330 void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
334 for (i = 0; i < 16; i++)
335 slprintf(&p[i*2], 3, "%02X", pwd[i]);
337 if (acct_ctrl & ACB_PWNOTREQ)
338 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
340 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
344 /*************************************************************
345 Routine to get the 32 hex characters and turn them
346 into a 16 byte array.
347 **************************************************************/
349 BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
352 unsigned char lonybble, hinybble;
353 char *hexchars = "0123456789ABCDEF";
359 for (i = 0; i < 32; i += 2) {
360 hinybble = toupper(p[i]);
361 lonybble = toupper(p[i + 1]);
363 p1 = strchr(hexchars, hinybble);
364 p2 = strchr(hexchars, lonybble);
369 hinybble = PTR_DIFF(p1, hexchars);
370 lonybble = PTR_DIFF(p2, hexchars);
372 pwd[i / 2] = (hinybble << 4) | lonybble;
377 /*******************************************************************
378 Group and User RID username mapping function
379 ********************************************************************/
381 BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
383 struct passwd *pw = Get_Pwnam(user_name);
385 if (u_rid == NULL || g_rid == NULL || user_name == NULL)
389 DEBUG(1,("Username %s is invalid on this system\n", user_name));
393 /* turn the unix UID into a Domain RID. this is what the posix
394 sub-system does (adds 1000 to the uid) */
395 *u_rid = pdb_uid_to_user_rid(pw->pw_uid);
397 /* absolutely no idea what to do about the unix GID to Domain RID mapping */
398 *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
403 /*******************************************************************
404 Converts NT user RID to a UNIX uid.
405 ********************************************************************/
407 uid_t pdb_user_rid_to_uid(uint32 user_rid)
409 return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER);
412 /*******************************************************************
413 Converts NT user RID to a UNIX gid.
414 ********************************************************************/
416 gid_t pdb_user_rid_to_gid(uint32 user_rid)
418 return (uid_t)(((user_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER);
421 /*******************************************************************
422 Converts NT group RID to a UNIX gid.
423 ********************************************************************/
425 gid_t pdb_group_rid_to_gid(uint32 group_rid)
427 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER);
430 /*******************************************************************
431 converts UNIX uid to an NT User RID.
432 ********************************************************************/
434 uint32 pdb_uid_to_user_rid(uid_t uid)
436 return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE);
439 /*******************************************************************
440 converts NT Group RID to a UNIX uid.
441 ********************************************************************/
443 uint32 pdb_gid_to_group_rid(gid_t gid)
445 return (((((uint32)gid)*RID_MULTIPLIER) + 1000) | GROUP_RID_TYPE);
448 /*******************************************************************
449 Decides if a RID is a well known RID.
450 ********************************************************************/
452 static BOOL pdb_rid_is_well_known(uint32 rid)
457 /*******************************************************************
458 Decides if a RID is a user or group RID.
459 ********************************************************************/
461 BOOL pdb_rid_is_user(uint32 rid)
463 /* lkcl i understand that NT attaches an enumeration to a RID
464 * such that it can be identified as either a user, group etc
465 * type. there are 5 such categories, and they are documented.
467 if(pdb_rid_is_well_known(rid)) {
469 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
470 * and DOMAIN_USER_RID_GUEST.
472 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
474 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
480 /*******************************************************************
481 Convert a rid into a name. Used in the lookup SID rpc.
482 ********************************************************************/
484 BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
486 BOOL is_user = pdb_rid_is_user(rid);
488 *psid_name_use = SID_NAME_UNKNOWN;
490 DEBUG(5,("local_lookup_rid: looking up %s RID %u.\n", is_user ? "user" :
491 "group", (unsigned int)rid));
494 if(rid == DOMAIN_USER_RID_ADMIN) {
496 char *p = admin_users;
497 *psid_name_use = SID_NAME_USER;
498 if(!next_token(&p, name, NULL, sizeof(fstring)))
499 fstrcpy(name, "Administrator");
500 } else if (rid == DOMAIN_USER_RID_GUEST) {
502 char *p = guest_users;
503 *psid_name_use = SID_NAME_USER;
504 if(!next_token(&p, name, NULL, sizeof(fstring)))
505 fstrcpy(name, "Guest");
511 * Don't try to convert the rid to a name if
512 * running in appliance mode
514 if (lp_hide_local_users())
517 uid = pdb_user_rid_to_uid(rid);
518 pass = sys_getpwuid(uid);
520 *psid_name_use = SID_NAME_USER;
522 DEBUG(5,("local_lookup_rid: looking up uid %u %s\n", (unsigned int)uid,
523 pass ? "succeeded" : "failed" ));
526 slprintf(name, sizeof(fstring)-1, "unix_user.%u", (unsigned int)uid);
530 fstrcpy(name, pass->pw_name);
532 DEBUG(5,("local_lookup_rid: found user %s for rid %u\n", name,
533 (unsigned int)rid ));
541 * Don't try to convert the rid to a name if running
545 if (lp_hide_local_users())
548 gid = pdb_user_rid_to_gid(rid);
551 *psid_name_use = SID_NAME_ALIAS;
553 DEBUG(5,("local_local_rid: looking up gid %u %s\n", (unsigned int)gid,
554 gr ? "succeeded" : "failed" ));
557 slprintf(name, sizeof(fstring)-1, "unix_group.%u", (unsigned int)gid);
561 fstrcpy( name, gr->gr_name);
563 DEBUG(5,("local_lookup_rid: found group %s for rid %u\n", name,
564 (unsigned int)rid ));
570 /*******************************************************************
571 Convert a name into a SID. Used in the lookup name rpc.
572 ********************************************************************/
574 BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use)
576 extern DOM_SID global_sid_World_Domain;
577 struct passwd *pass = NULL;
582 *psid_name_use = SID_NAME_UNKNOWN;
585 * domain and user may be quoted const strings, and map_username and
586 * friends can modify them. Make a modifiable copy. JRA.
589 fstrcpy(domain, c_domain);
590 fstrcpy(user, c_user);
592 sid_copy(&local_sid, &global_sam_sid);
595 * Special case for MACHINE\Everyone. Map to the world_sid.
598 if(strequal(user, "Everyone")) {
599 sid_copy( psid, &global_sid_World_Domain);
600 sid_append_rid(psid, 0);
601 *psid_name_use = SID_NAME_ALIAS;
606 * Don't lookup local unix users if running in appliance mode
608 if (lp_hide_local_users())
611 (void)map_username(user);
613 if((pass = Get_Pwnam(user))) {
614 sid_append_rid( &local_sid, pdb_uid_to_user_rid(pass->pw_uid));
615 *psid_name_use = SID_NAME_USER;
618 * Maybe it was a group ?
620 struct group *grp = getgrnam(user);
625 sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
626 *psid_name_use = SID_NAME_ALIAS;
629 sid_copy( psid, &local_sid);
634 /****************************************************************************
635 Convert a uid to SID - locally.
636 ****************************************************************************/
638 DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
640 extern DOM_SID global_sam_sid;
642 sid_copy(psid, &global_sam_sid);
643 sid_append_rid(psid, pdb_uid_to_user_rid(uid));
648 /****************************************************************************
649 Convert a SID to uid - locally.
650 ****************************************************************************/
652 BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
654 extern DOM_SID global_sam_sid;
661 *name_type = SID_NAME_UNKNOWN;
663 sid_copy(&dom_sid, psid);
664 sid_split_rid(&dom_sid, &rid);
666 if (!pdb_rid_is_user(rid))
670 * We can only convert to a uid if this is our local
671 * Domain SID (ie. we are the controling authority).
673 if (!sid_equal(&global_sam_sid, &dom_sid))
676 *puid = pdb_user_rid_to_uid(rid);
679 * Ensure this uid really does exist.
681 if(!(pass = sys_getpwuid(*puid)))
684 DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid),
685 (unsigned int)*puid, pass->pw_name ));
687 *name_type = SID_NAME_USER;
692 /****************************************************************************
693 Convert a gid to SID - locally.
694 ****************************************************************************/
696 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
698 extern DOM_SID global_sam_sid;
700 sid_copy(psid, &global_sam_sid);
701 sid_append_rid(psid, pdb_gid_to_group_rid(gid));
706 /****************************************************************************
707 Convert a SID to gid - locally.
708 ****************************************************************************/
710 BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
712 extern DOM_SID global_sam_sid;
718 *name_type = SID_NAME_UNKNOWN;
720 sid_copy(&dom_sid, psid);
721 sid_split_rid(&dom_sid, &rid);
724 * We can only convert to a gid if this is our local
725 * Domain SID (ie. we are the controling authority).
728 if (!sid_equal(&global_sam_sid, &dom_sid))
731 if (pdb_rid_is_user(rid))
734 *pgid = pdb_user_rid_to_gid(rid);
737 * Ensure this gid really does exist.
740 if(!(grp = getgrgid(*pgid)))
743 DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u) (%s).\n", sid_to_string( str, psid),
744 (unsigned int)*pgid, grp->gr_name ));
746 *name_type = SID_NAME_ALIAS;
751 static void select_name(pstring string, const UNISTR2 *from)
753 if (from->buffer != 0)
754 unistr2_to_ascii(string, from, sizeof(pstring));
757 /*************************************************************
758 Copies a SAM_USER_INFO_23 to a SAM_ACCOUNT
759 **************************************************************/
761 void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from)
764 if (from == NULL || to == NULL)
767 to->logon_time = nt_time_to_unix(&from->logon_time);
768 to->logoff_time = nt_time_to_unix(&from->logoff_time);
769 to->kickoff_time = nt_time_to_unix(&from->kickoff_time);
770 to->pass_last_set_time = nt_time_to_unix(&from->pass_last_set_time);
771 to->pass_can_change_time = nt_time_to_unix(&from->pass_can_change_time);
772 to->pass_must_change_time = nt_time_to_unix(&from->pass_must_change_time);
774 select_name(to->username , &from->uni_user_name );
775 select_name(to->full_name , &from->uni_full_name );
776 select_name(to->home_dir , &from->uni_home_dir );
777 select_name(to->dir_drive , &from->uni_dir_drive );
778 select_name(to->logon_script, &from->uni_logon_script);
779 select_name(to->profile_path, &from->uni_profile_path);
780 select_name(to->acct_desc , &from->uni_acct_desc );
781 select_name(to->workstations, &from->uni_workstations);
782 select_name(to->unknown_str , &from->uni_unknown_str );
783 select_name(to->munged_dial , &from->uni_munged_dial );
786 to->user_rid = from->user_rid;
788 to->group_rid = from->group_rid;
790 to->acct_ctrl = from->acb_info;
791 to->unknown_3 = from->unknown_3;
793 to->logon_divs = from->logon_divs;
794 to->hours_len = from->logon_hrs.len;
795 memcpy(to->hours, from->logon_hrs.hours, MAX_HOURS_LEN);
797 to->unknown_5 = from->unknown_5;
798 to->unknown_6 = from->unknown_6;
801 /*************************************************************
803 **************************************************************/
805 void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from)
807 if (from == NULL || to == NULL)
810 to->logon_time = nt_time_to_unix(&from->logon_time);
811 to->logoff_time = nt_time_to_unix(&from->logoff_time);
812 to->kickoff_time = nt_time_to_unix(&from->kickoff_time);
813 to->pass_last_set_time = nt_time_to_unix(&from->pass_last_set_time);
814 to->pass_can_change_time = nt_time_to_unix(&from->pass_can_change_time);
815 to->pass_must_change_time = nt_time_to_unix(&from->pass_must_change_time);
817 select_name(to->username , &from->uni_user_name );
818 select_name(to->full_name , &from->uni_full_name );
819 select_name(to->home_dir , &from->uni_home_dir );
820 select_name(to->dir_drive , &from->uni_dir_drive );
821 select_name(to->logon_script, &from->uni_logon_script);
822 select_name(to->profile_path, &from->uni_profile_path);
823 select_name(to->acct_desc , &from->uni_acct_desc );
824 select_name(to->workstations, &from->uni_workstations);
825 select_name(to->unknown_str , &from->uni_unknown_str );
826 select_name(to->munged_dial , &from->uni_munged_dial );
828 to->user_rid = from->user_rid;
829 to->group_rid = from->group_rid;
831 /* FIXME!! Do we need to copy the passwords here as well?
832 I don't know. Need to figure this out --jerry */
834 to->acct_ctrl = from->acb_info;
835 to->unknown_3 = from->unknown_3;
837 to->logon_divs = from->logon_divs;
838 to->hours_len = from->logon_hrs.len;
839 memcpy(to->hours, from->logon_hrs.hours, MAX_HOURS_LEN);
841 to->unknown_5 = from->unknown_5;
842 to->unknown_6 = from->unknown_6;
845 /*************************************************************
846 Copies a SAM_ACCOUNT.
847 **************************************************************/
849 void copy_sam_passwd(SAM_ACCOUNT *to, const SAM_ACCOUNT *from)
854 memcpy(to, from, sizeof(SAM_ACCOUNT));
857 /*************************************************************
858 Change a password entry in the local smbpasswd file.
860 FIXME!! The function needs to be abstracted into the
861 passdb interface or something. It is currently being called
862 by _api_samr_create_user() in rpc_server/srv_samr.c,
863 in SWAT and by smbpasswd/pdbedit.
866 *************************************************************/
868 BOOL local_password_change(const char *user_name, int local_flags,
869 const char *new_passwd,
870 char *err_str, size_t err_str_len,
871 char *msg_str, size_t msg_str_len)
873 struct passwd *pwd = NULL;
874 SAM_ACCOUNT *sam_pass=NULL;
879 /* Get the smb passwd entry for this user */
880 pdb_init_sam(&sam_pass);
881 if(!pdb_getsampwnam(sam_pass, user_name)) {
882 pdb_free_sam(&sam_pass);
884 if (local_flags & LOCAL_ADD_USER) {
886 * Check for a local account - if we're adding only.
889 if(!(pwd = sys_getpwnam(user_name))) {
890 slprintf(err_str, err_str_len - 1, "User %s does not \
891 exist in system password file (usually /etc/passwd). Cannot add \
892 account without a valid local system user.\n", user_name);
896 slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
900 if (!pdb_init_sam_pw(&sam_pass, pwd)) {
901 slprintf(err_str, err_str_len-1, "Failed initialise SAM_ACCOUNT for user %s.\n", user_name);
905 /* set account flags. Note that the default is non-expiring accounts */
906 if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL|ACB_PWNOEXP) )) {
907 slprintf(err_str, err_str_len-1, "Failed to set 'trust account' flags for user %s.\n", user_name);
908 pdb_free_sam(&sam_pass);
912 /* the entry already existed */
913 local_flags &= ~LOCAL_ADD_USER;
917 * We are root - just write the new password
918 * and the valid last change time.
921 if (local_flags & LOCAL_DISABLE_USER) {
922 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED)) {
923 slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
924 pdb_free_sam(&sam_pass);
927 } else if (local_flags & LOCAL_ENABLE_USER) {
928 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED))) {
929 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
930 pdb_free_sam(&sam_pass);
935 if (local_flags & LOCAL_SET_NO_PASSWORD) {
936 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ)) {
937 slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
938 pdb_free_sam(&sam_pass);
941 } else if (local_flags & LOCAL_SET_PASSWORD) {
943 * If we're dealing with setting a completely empty user account
944 * ie. One with a password of 'XXXX', but not set disabled (like
945 * an account created from scratch) then if the old password was
946 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
947 * We remove that as we're giving this user their first password
948 * and the decision hasn't really been made to disable them (ie.
949 * don't create them disabled). JRA.
951 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
952 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED))) {
953 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
954 pdb_free_sam(&sam_pass);
958 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ))) {
959 slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
960 pdb_free_sam(&sam_pass);
964 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
965 slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
966 pdb_free_sam(&sam_pass);
971 if (local_flags & LOCAL_ADD_USER) {
972 if (pdb_add_sam_account(sam_pass)) {
973 slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
974 pdb_free_sam(&sam_pass);
977 slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
978 pdb_free_sam(&sam_pass);
981 } else if (local_flags & LOCAL_DELETE_USER) {
982 if (!pdb_delete_sam_account(user_name)) {
983 slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
984 pdb_free_sam(&sam_pass);
987 slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
989 if(!pdb_update_sam_account(sam_pass, True)) {
990 slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
991 pdb_free_sam(&sam_pass);
994 if(local_flags & LOCAL_DISABLE_USER)
995 slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
996 else if (local_flags & LOCAL_ENABLE_USER)
997 slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
998 else if (local_flags & LOCAL_SET_NO_PASSWORD)
999 slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
1002 pdb_free_sam(&sam_pass);
1006 /*********************************************************************
1007 Collection of get...() functions for SAM_ACCOUNT_INFO.
1008 ********************************************************************/
1010 uint16 pdb_get_acct_ctrl (const SAM_ACCOUNT *sampass)
1013 return (sampass->acct_ctrl);
1015 return (ACB_DISABLED);
1018 time_t pdb_get_logon_time (const SAM_ACCOUNT *sampass)
1021 return (sampass->logon_time);
1026 time_t pdb_get_logoff_time (const SAM_ACCOUNT *sampass)
1029 return (sampass->logoff_time);
1034 time_t pdb_get_kickoff_time (const SAM_ACCOUNT *sampass)
1037 return (sampass->kickoff_time);
1042 time_t pdb_get_pass_last_set_time (const SAM_ACCOUNT *sampass)
1045 return (sampass->pass_last_set_time);
1050 time_t pdb_get_pass_can_change_time (const SAM_ACCOUNT *sampass)
1053 return (sampass->pass_can_change_time);
1058 time_t pdb_get_pass_must_change_time (const SAM_ACCOUNT *sampass)
1061 return (sampass->pass_must_change_time);
1066 uint16 pdb_get_logon_divs (const SAM_ACCOUNT *sampass)
1069 return (sampass->logon_divs);
1074 uint32 pdb_get_hours_len (const SAM_ACCOUNT *sampass)
1077 return (sampass->hours_len);
1082 const uint8* pdb_get_hours (const SAM_ACCOUNT *sampass)
1085 return (sampass->hours);
1090 const uint8* pdb_get_nt_passwd (const SAM_ACCOUNT *sampass)
1093 return (sampass->nt_pw);
1098 const uint8* pdb_get_lanman_passwd (const SAM_ACCOUNT *sampass)
1101 return (sampass->lm_pw);
1106 uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
1109 return (sampass->user_rid);
1114 uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
1117 return (sampass->group_rid);
1122 uid_t *pdb_get_uid (const SAM_ACCOUNT *sampass)
1125 return (sampass->uid);
1130 gid_t *pdb_get_gid (const SAM_ACCOUNT *sampass)
1133 return (sampass->gid);
1138 const char* pdb_get_username (const SAM_ACCOUNT *sampass)
1141 return (sampass->username);
1146 const char* pdb_get_domain (const SAM_ACCOUNT *sampass)
1149 return (sampass->domain);
1154 const char* pdb_get_nt_username (const SAM_ACCOUNT *sampass)
1157 return (sampass->nt_username);
1162 const char* pdb_get_fullname (const SAM_ACCOUNT *sampass)
1165 return (sampass->full_name);
1170 const char* pdb_get_homedir (const SAM_ACCOUNT *sampass)
1173 return (sampass->home_dir);
1178 const char* pdb_get_dirdrive (const SAM_ACCOUNT *sampass)
1181 return (sampass->dir_drive);
1186 const char* pdb_get_logon_script (const SAM_ACCOUNT *sampass)
1189 return (sampass->logon_script);
1194 const char* pdb_get_profile_path (const SAM_ACCOUNT *sampass)
1197 return (sampass->profile_path);
1202 const char* pdb_get_acct_desc (const SAM_ACCOUNT *sampass)
1205 return (sampass->acct_desc);
1210 const char* pdb_get_workstations (const SAM_ACCOUNT *sampass)
1213 return (sampass->workstations);
1218 const char* pdb_get_munged_dial (const SAM_ACCOUNT *sampass)
1221 return (sampass->munged_dial);
1226 uint32 pdb_get_unknown3 (const SAM_ACCOUNT *sampass)
1229 return (sampass->unknown_3);
1234 uint32 pdb_get_unknown5 (const SAM_ACCOUNT *sampass)
1237 return (sampass->unknown_5);
1242 uint32 pdb_get_unknown6 (const SAM_ACCOUNT *sampass)
1245 return (sampass->unknown_6);
1250 /*********************************************************************
1251 Collection of set...() functions for SAM_ACCOUNT_INFO.
1252 ********************************************************************/
1254 BOOL pdb_set_acct_ctrl (SAM_ACCOUNT *sampass, uint16 flags)
1260 sampass->acct_ctrl = flags;
1267 BOOL pdb_set_logon_time (SAM_ACCOUNT *sampass, time_t mytime)
1272 sampass->logon_time = mytime;
1276 BOOL pdb_set_logoff_time (SAM_ACCOUNT *sampass, time_t mytime)
1281 sampass->logoff_time = mytime;
1285 BOOL pdb_set_kickoff_time (SAM_ACCOUNT *sampass, time_t mytime)
1290 sampass->kickoff_time = mytime;
1294 BOOL pdb_set_pass_can_change_time (SAM_ACCOUNT *sampass, time_t mytime)
1299 sampass->pass_can_change_time = mytime;
1303 BOOL pdb_set_pass_must_change_time (SAM_ACCOUNT *sampass, time_t mytime)
1308 sampass->pass_must_change_time = mytime;
1312 BOOL pdb_set_pass_last_set_time (SAM_ACCOUNT *sampass, time_t mytime)
1317 sampass->pass_last_set_time = mytime;
1321 BOOL pdb_set_hours_len (SAM_ACCOUNT *sampass, uint32 len)
1326 sampass->hours_len = len;
1330 BOOL pdb_set_logons_divs (SAM_ACCOUNT *sampass, uint16 hours)
1335 sampass->logon_divs = hours;
1339 /*********************************************************************
1340 Set the user's UNIX uid, as a pointer to malloc'ed memory.
1341 ********************************************************************/
1343 BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t *uid)
1349 /* Allow setting to NULL */
1350 SAFE_FREE(sampass->uid);
1354 if (sampass->uid!=NULL)
1355 DEBUG(4,("pdb_set_nt_passwd: uid non NULL overwritting ?\n"));
1357 sampass->uid=(uid_t *)malloc(sizeof(uid_t));
1359 if (sampass->uid==NULL)
1362 *sampass->uid = *uid;
1368 /*********************************************************************
1369 Set the user's UNIX gid, as a pointer to malloc'ed memory.
1370 ********************************************************************/
1372 BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t *gid)
1378 /* Allow setting to NULL */
1379 SAFE_FREE(sampass->gid);
1383 if (sampass->gid!=NULL)
1384 DEBUG(4,("pdb_set_nt_passwd: gid non NULL overwritting ?\n"));
1386 sampass->gid=(gid_t *)malloc(sizeof(gid_t));
1388 if (sampass->gid==NULL)
1391 *sampass->gid = *gid;
1397 BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid)
1402 sampass->user_rid = rid;
1406 BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid)
1411 sampass->group_rid = grid;
1415 /*********************************************************************
1416 Set the user's UNIX name.
1417 ********************************************************************/
1419 BOOL pdb_set_username(SAM_ACCOUNT *sampass, const char *username)
1423 *sampass->username = '\0';
1427 StrnCpy (sampass->username, username, strlen(username));
1432 /*********************************************************************
1433 Set the domain name.
1434 ********************************************************************/
1436 BOOL pdb_set_domain(SAM_ACCOUNT *sampass, const char *domain)
1440 *sampass->domain = '\0';
1444 StrnCpy (sampass->domain, domain, strlen(domain));
1449 /*********************************************************************
1450 Set the user's NT name.
1451 ********************************************************************/
1453 BOOL pdb_set_nt_username(SAM_ACCOUNT *sampass, const char *nt_username)
1457 *sampass->nt_username = '\0';
1461 StrnCpy (sampass->nt_username, nt_username, strlen(nt_username));
1466 /*********************************************************************
1467 Set the user's full name.
1468 ********************************************************************/
1470 BOOL pdb_set_fullname(SAM_ACCOUNT *sampass, const char *fullname)
1474 *sampass->full_name = '\0';
1478 StrnCpy (sampass->full_name, fullname, strlen(fullname));
1483 /*********************************************************************
1484 Set the user's logon script.
1485 ********************************************************************/
1487 BOOL pdb_set_logon_script(SAM_ACCOUNT *sampass, const char *logon_script)
1491 *sampass->logon_script = '\0';
1495 StrnCpy (sampass->logon_script, logon_script, strlen(logon_script));
1500 /*********************************************************************
1501 Set the user's profile path.
1502 ********************************************************************/
1504 BOOL pdb_set_profile_path (SAM_ACCOUNT *sampass, const char *profile_path)
1508 *sampass->profile_path = '\0';
1512 StrnCpy (sampass->profile_path, profile_path, strlen(profile_path));
1517 /*********************************************************************
1518 Set the user's directory drive.
1519 ********************************************************************/
1521 BOOL pdb_set_dir_drive (SAM_ACCOUNT *sampass, const char *dir_drive)
1525 *sampass->dir_drive = '\0';
1529 StrnCpy (sampass->dir_drive, dir_drive, strlen(dir_drive));
1534 /*********************************************************************
1535 Set the user's home directory.
1536 ********************************************************************/
1538 BOOL pdb_set_homedir (SAM_ACCOUNT *sampass, const char *homedir)
1542 *sampass->home_dir = '\0';
1546 StrnCpy (sampass->home_dir, homedir, strlen(homedir));
1551 /*********************************************************************
1552 Set the user's account description.
1553 ********************************************************************/
1555 BOOL pdb_set_acct_desc (SAM_ACCOUNT *sampass, const char *acct_desc)
1559 *sampass->acct_desc = '\0';
1563 StrnCpy (sampass->acct_desc, acct_desc, strlen(acct_desc));
1568 /*********************************************************************
1569 Set the user's workstation allowed list.
1570 ********************************************************************/
1572 BOOL pdb_set_workstations (SAM_ACCOUNT *sampass, const char *workstations)
1576 *sampass->workstations = '\0';
1580 StrnCpy (sampass->workstations, workstations, strlen(workstations));
1585 /*********************************************************************
1586 Set the user's dial string.
1587 ********************************************************************/
1589 BOOL pdb_set_munged_dial (SAM_ACCOUNT *sampass, const char *munged_dial)
1593 *sampass->munged_dial = '\0';
1597 StrnCpy (sampass->munged_dial, munged_dial, strlen(munged_dial));
1602 /*********************************************************************
1603 Set the user's NT hash.
1604 ********************************************************************/
1606 BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, const uint8 *pwd)
1612 /* Allow setting to NULL */
1613 SAFE_FREE(sampass->nt_pw);
1617 if (sampass->nt_pw!=NULL)
1618 DEBUG(4,("pdb_set_nt_passwd: NT hash non NULL overwritting ?\n"));
1620 sampass->nt_pw=(unsigned char *)malloc(sizeof(unsigned char)*16);
1622 if (sampass->nt_pw==NULL)
1625 memcpy (sampass->nt_pw, pwd, 16);
1630 /*********************************************************************
1631 Set the user's LM hash.
1632 ********************************************************************/
1634 BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, const uint8 *pwd)
1640 /* Allow setting to NULL */
1641 SAFE_FREE(sampass->lm_pw);
1645 if (sampass->lm_pw!=NULL)
1646 DEBUG(4,("pdb_set_lanman_passwd: LM hash non NULL overwritting ?\n"));
1648 sampass->lm_pw=(unsigned char *)malloc(sizeof(unsigned char)*16);
1650 if (sampass->lm_pw==NULL)
1653 memcpy (sampass->lm_pw, pwd, 16);
1658 BOOL pdb_set_unknown_3 (SAM_ACCOUNT *sampass, uint32 unkn)
1663 sampass->unknown_3 = unkn;
1667 BOOL pdb_set_unknown_5 (SAM_ACCOUNT *sampass, uint32 unkn)
1672 sampass->unknown_5 = unkn;
1676 BOOL pdb_set_unknown_6 (SAM_ACCOUNT *sampass, uint32 unkn)
1681 sampass->unknown_6 = unkn;
1685 BOOL pdb_set_hours (SAM_ACCOUNT *sampass, const uint8 *hours)
1691 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
1695 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
1701 /* Helpful interfaces to the above */
1703 /*********************************************************************
1704 Sets the last changed times and must change times for a normal
1706 ********************************************************************/
1708 BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
1714 if (!pdb_set_pass_last_set_time (sampass, time(NULL)))
1717 if (!pdb_set_pass_must_change_time (sampass,
1718 pdb_get_pass_last_set_time(sampass)
1719 + MAX_PASSWORD_AGE))
1725 /*********************************************************************
1726 Set the user's PLAINTEXT password. Used as an interface to the above.
1727 Also sets the last change time to NOW.
1728 ********************************************************************/
1730 BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
1732 uchar new_lanman_p16[16];
1733 uchar new_nt_p16[16];
1735 if (!sampass || !plaintext)
1738 nt_lm_owf_gen (plaintext, new_nt_p16, new_lanman_p16);
1740 if (!pdb_set_nt_passwd (sampass, new_nt_p16))
1743 if (!pdb_set_lanman_passwd (sampass, new_lanman_p16))
1746 if (!pdb_set_pass_changed_now (sampass))
git.samba.org / ira / wip.git / blob