2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/libcli_auth.h"
29 #define DBGC_CLASS DBGC_PASSDB
31 /******************************************************************
32 Get the default domain/netbios name to be used when
33 testing authentication.
35 LEGACY: this function provides the legacy domain mapping used with
36 the lp_map_untrusted_to_domain() parameter
37 ******************************************************************/
39 const char *my_sam_name(void)
41 /* Standalone servers can only use the local netbios name */
42 if ( lp_server_role() == ROLE_STANDALONE )
43 return global_myname();
45 /* Default to the DOMAIN name when not specified */
46 return lp_workgroup();
49 /**********************************************************************
50 ***********************************************************************/
52 static int samu_destroy(struct samu *user)
54 data_blob_clear_free( &user->lm_pw );
55 data_blob_clear_free( &user->nt_pw );
57 if ( user->plaintext_pw )
58 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
63 /**********************************************************************
64 generate a new struct samuser
65 ***********************************************************************/
67 struct samu *samu_new( TALLOC_CTX *ctx )
71 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
72 DEBUG(0,("samuser_new: Talloc failed!\n"));
76 talloc_set_destructor( user, samu_destroy );
78 /* no initial methods */
82 /* Don't change these timestamp settings without a good reason.
83 They are important for NT member server compatibility. */
85 user->logon_time = (time_t)0;
86 user->pass_last_set_time = (time_t)0;
87 user->pass_can_change_time = (time_t)0;
88 user->logoff_time = get_time_t_max();
89 user->kickoff_time = get_time_t_max();
90 user->pass_must_change_time = get_time_t_max();
91 user->fields_present = 0x00ffffff;
92 user->logon_divs = 168; /* hours per week */
93 user->hours_len = 21; /* 21 times 8 bits = 168 */
94 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
95 user->bad_password_count = 0;
96 user->logon_count = 0;
97 user->unknown_6 = 0x000004ec; /* don't know */
99 /* Some parts of samba strlen their pdb_get...() returns,
100 so this keeps the interface unchanged for now. */
104 user->nt_username = "";
105 user->full_name = "";
107 user->logon_script = "";
108 user->profile_path = "";
109 user->acct_desc = "";
110 user->workstations = "";
112 user->munged_dial = "";
114 user->plaintext_pw = NULL;
116 /* Unless we know otherwise have a Account Control Bit
117 value of 'normal user'. This helps User Manager, which
118 asks for a filtered list of users. */
120 user->acct_ctrl = ACB_NORMAL;
125 /*********************************************************************
126 Initialize a struct samu from a struct passwd including the user
127 and group SIDs. The *user structure is filled out with the Unix
128 attributes and a user SID.
129 *********************************************************************/
131 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
133 const char *guest_account = lp_guestaccount();
134 const char *domain = global_myname();
138 return NT_STATUS_NO_SUCH_USER;
141 /* Basic properties based upon the Unix account information */
143 pdb_set_username(user, pwd->pw_name, PDB_SET);
144 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
145 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
147 /* This can lead to a primary group of S-1-22-2-XX which
148 will be rejected by other parts of the Samba code.
149 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
152 gid_to_sid(&group_sid, pwd->pw_gid);
153 pdb_set_group_sid(user, &group_sid, PDB_SET);
156 /* save the password structure for later use */
158 user->unix_pw = tcopy_passwd( user, pwd );
160 /* Special case for the guest account which must have a RID of 501 */
162 if ( strequal( pwd->pw_name, guest_account ) ) {
163 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
164 return NT_STATUS_NO_SUCH_USER;
169 /* Non-guest accounts...Check for a workstation or user account */
171 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
174 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
175 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
177 return NT_STATUS_INVALID_COMPUTER_NAME;
183 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
184 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
186 return NT_STATUS_INVALID_ACCOUNT_NAME;
189 /* set some basic attributes */
191 pdb_set_profile_path(user, talloc_sub_specified(user,
192 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
194 pdb_set_homedir(user, talloc_sub_specified(user,
195 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
197 pdb_set_dir_drive(user, talloc_sub_specified(user,
198 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
200 pdb_set_logon_script(user, talloc_sub_specified(user,
201 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
205 /* Now deal with the user SID. If we have a backend that can generate
206 RIDs, then do so. But sometimes the caller just wanted a structure
207 initialized and will fill in these fields later (such as from a
208 netr_SamInfo3 structure) */
210 if ( create && (pdb_capabilities() & PDB_CAP_STORE_RIDS)) {
214 if ( !pdb_new_rid( &user_rid ) ) {
215 DEBUG(3, ("Could not allocate a new RID\n"));
216 return NT_STATUS_ACCESS_DENIED;
219 sid_copy( &user_sid, get_global_sam_sid() );
220 sid_append_rid( &user_sid, user_rid );
222 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
223 DEBUG(3, ("pdb_set_user_sid failed\n"));
224 return NT_STATUS_INTERNAL_ERROR;
230 /* generate a SID for the user with the RID algorithm */
232 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
234 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
235 return NT_STATUS_INTERNAL_ERROR;
241 /********************************************************************
242 Set the Unix user attributes
243 ********************************************************************/
245 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
247 return samu_set_unix_internal( user, pwd, False );
250 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
252 return samu_set_unix_internal( user, pwd, True );
255 /**********************************************************
256 Encode the account control bits into a string.
257 length = length of string to encode into (including terminating
258 null). length *MUST BE MORE THAN 2* !
259 **********************************************************/
261 char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
268 SMB_ASSERT(length <= sizeof(acct_str));
272 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
273 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
274 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
275 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
276 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
277 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
278 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
279 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
280 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
281 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
282 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
284 for ( ; i < length - 2 ; i++ )
289 acct_str[i++] = '\0';
291 result = talloc_strdup(talloc_tos(), acct_str);
292 SMB_ASSERT(result != NULL);
296 /**********************************************************
297 Decode the account control bits from a string.
298 **********************************************************/
300 uint32_t pdb_decode_acct_ctrl(const char *p)
302 uint32_t acct_ctrl = 0;
303 bool finished = false;
306 * Check if the account type bits have been encoded after the
307 * NT password (in the form [NDHTUWSLXI]).
313 for (p++; *p && !finished; p++) {
315 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
316 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
317 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
318 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
319 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
320 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
321 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
322 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
323 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
324 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
325 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
331 default: { finished = true; }
338 /*************************************************************
339 Routine to set 32 hex password characters from a 16 byte array.
340 **************************************************************/
342 void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32 acct_ctrl)
346 for (i = 0; i < 16; i++)
347 slprintf(&p[i*2], 3, "%02X", pwd[i]);
349 if (acct_ctrl & ACB_PWNOTREQ)
350 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
352 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
356 /*************************************************************
357 Routine to get the 32 hex characters and turn them
358 into a 16 byte array.
359 **************************************************************/
361 bool pdb_gethexpwd(const char *p, unsigned char *pwd)
364 unsigned char lonybble, hinybble;
365 const char *hexchars = "0123456789ABCDEF";
371 for (i = 0; i < 32; i += 2) {
372 hinybble = toupper_ascii(p[i]);
373 lonybble = toupper_ascii(p[i + 1]);
375 p1 = strchr(hexchars, hinybble);
376 p2 = strchr(hexchars, lonybble);
381 hinybble = PTR_DIFF(p1, hexchars);
382 lonybble = PTR_DIFF(p2, hexchars);
384 pwd[i / 2] = (hinybble << 4) | lonybble;
389 /*************************************************************
390 Routine to set 42 hex hours characters from a 21 byte array.
391 **************************************************************/
393 void pdb_sethexhours(char *p, const unsigned char *hours)
397 for (i = 0; i < 21; i++) {
398 slprintf(&p[i*2], 3, "%02X", hours[i]);
401 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
405 /*************************************************************
406 Routine to get the 42 hex characters and turn them
407 into a 21 byte array.
408 **************************************************************/
410 bool pdb_gethexhours(const char *p, unsigned char *hours)
413 unsigned char lonybble, hinybble;
414 const char *hexchars = "0123456789ABCDEF";
421 for (i = 0; i < 42; i += 2) {
422 hinybble = toupper_ascii(p[i]);
423 lonybble = toupper_ascii(p[i + 1]);
425 p1 = strchr(hexchars, hinybble);
426 p2 = strchr(hexchars, lonybble);
432 hinybble = PTR_DIFF(p1, hexchars);
433 lonybble = PTR_DIFF(p2, hexchars);
435 hours[i / 2] = (hinybble << 4) | lonybble;
440 /********************************************************************
441 ********************************************************************/
443 int algorithmic_rid_base(void)
447 rid_offset = lp_algorithmic_rid_base();
449 if (rid_offset < BASE_RID) {
450 /* Try to prevent admin foot-shooting, we can't put algorithmic
451 rids below 1000, that's the 'well known RIDs' on NT */
452 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
453 rid_offset = BASE_RID;
455 if (rid_offset & 1) {
456 DEBUG(0, ("algorithmic rid base must be even\n"));
462 /*******************************************************************
463 Converts NT user RID to a UNIX uid.
464 ********************************************************************/
466 uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
468 int rid_offset = algorithmic_rid_base();
469 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
472 uid_t max_algorithmic_uid(void)
474 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
477 /*******************************************************************
478 converts UNIX uid to an NT User RID.
479 ********************************************************************/
481 uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
483 int rid_offset = algorithmic_rid_base();
484 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
487 /*******************************************************************
488 Converts NT group RID to a UNIX gid.
489 ********************************************************************/
491 gid_t pdb_group_rid_to_gid(uint32 group_rid)
493 int rid_offset = algorithmic_rid_base();
494 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
497 gid_t max_algorithmic_gid(void)
499 return pdb_group_rid_to_gid(0xffffffff);
502 /*******************************************************************
503 converts NT Group RID to a UNIX uid.
505 warning: you must not call that function only
506 you must do a call to the group mapping first.
507 there is not anymore a direct link between the gid and the rid.
508 ********************************************************************/
510 uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
512 int rid_offset = algorithmic_rid_base();
513 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
516 /*******************************************************************
517 Decides if a RID is a well known RID.
518 ********************************************************************/
520 static bool rid_is_well_known(uint32 rid)
522 /* Not using rid_offset here, because this is the actual
523 NT fixed value (1000) */
525 return (rid < BASE_RID);
528 /*******************************************************************
529 Decides if a RID is a user or group RID.
530 ********************************************************************/
532 bool algorithmic_pdb_rid_is_user(uint32 rid)
534 if ( rid_is_well_known(rid) ) {
536 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
537 * and DOMAIN_USER_RID_GUEST.
539 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
541 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
547 /*******************************************************************
548 Convert a name into a SID. Used in the lookup name rpc.
549 ********************************************************************/
551 bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
552 enum lsa_SidType *type)
557 /* Windows treats "MACHINE\None" as a special name for
558 rid 513 on non-DCs. You cannot create a user or group
559 name "None" on Windows. You will get an error that
560 the group already exists. */
562 if ( strequal( name, "None" ) ) {
563 *rid = DOMAIN_GROUP_RID_USERS;
564 *type = SID_NAME_DOM_GRP;
569 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
570 * correctly in the case where foo also exists as a user. If the flag
571 * is set, don't look for users at all. */
573 if ((flags & LOOKUP_NAME_GROUP) == 0) {
574 struct samu *sam_account = NULL;
577 if ( !(sam_account = samu_new( NULL )) ) {
582 ret = pdb_getsampwnam(sam_account, name);
586 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
589 TALLOC_FREE(sam_account);
592 if (!sid_check_is_in_our_domain(&user_sid)) {
593 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
594 name, sid_string_dbg(&user_sid)));
598 sid_peek_rid(&user_sid, rid);
599 *type = SID_NAME_USER;
605 * Maybe it is a group ?
609 ret = pdb_getgrnam(&map, name);
616 /* BUILTIN groups are looked up elsewhere */
617 if (!sid_check_is_in_our_domain(&map.sid)) {
618 DEBUG(10, ("Found group %s (%s) not in our domain -- "
619 "ignoring.", name, sid_string_dbg(&map.sid)));
623 /* yes it's a mapped group */
624 sid_peek_rid(&map.sid, rid);
625 *type = map.sid_name_use;
629 /*************************************************************
630 Change a password entry in the local passdb backend.
633 - always called as root
634 - ignores the account type except when adding a new account
635 - will create/delete the unix account if the relative
636 add/delete user script is configured
638 *************************************************************/
640 NTSTATUS local_password_change(const char *user_name,
642 const char *new_passwd,
647 struct samu *sam_pass;
657 tosctx = talloc_tos();
659 sam_pass = samu_new(tosctx);
661 result = NT_STATUS_NO_MEMORY;
665 /* Get the smb passwd entry for this user */
666 user_exists = pdb_getsampwnam(sam_pass, user_name);
668 /* Check delete first, we don't need to do anything else if we
669 * are going to delete the acocunt */
670 if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
672 result = pdb_delete_user(tosctx, sam_pass);
673 if (!NT_STATUS_IS_OK(result)) {
674 ret = asprintf(pp_err_str,
675 "Failed to delete entry for user %s.\n",
680 result = NT_STATUS_UNSUCCESSFUL;
682 ret = asprintf(pp_msg_str,
683 "Deleted user %s.\n",
692 if (user_exists && (local_flags & LOCAL_ADD_USER)) {
693 /* the entry already existed */
694 local_flags &= ~LOCAL_ADD_USER;
697 if (!user_exists && !(local_flags & LOCAL_ADD_USER)) {
698 ret = asprintf(pp_err_str,
699 "Failed to find entry for user %s.\n",
704 result = NT_STATUS_NO_SUCH_USER;
708 /* First thing add the new user if we are required to do so */
709 if (local_flags & LOCAL_ADD_USER) {
711 if (local_flags & LOCAL_TRUST_ACCOUNT) {
713 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
719 result = pdb_create_user(tosctx, user_name, acb, &rid);
720 if (!NT_STATUS_IS_OK(result)) {
721 ret = asprintf(pp_err_str,
722 "Failed to add entry for user %s.\n",
727 result = NT_STATUS_UNSUCCESSFUL;
731 sam_pass = samu_new(tosctx);
733 result = NT_STATUS_NO_MEMORY;
737 /* Now get back the smb passwd entry for this new user */
738 user_exists = pdb_getsampwnam(sam_pass, user_name);
740 ret = asprintf(pp_err_str,
741 "Failed to add entry for user %s.\n",
746 result = NT_STATUS_UNSUCCESSFUL;
751 acb = pdb_get_acct_ctrl(sam_pass);
754 * We are root - just write the new password
755 * and the valid last change time.
757 if ((local_flags & LOCAL_SET_NO_PASSWORD) && !(acb & ACB_PWNOTREQ)) {
759 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
760 ret = asprintf(pp_err_str,
761 "Failed to set 'no password required' "
762 "flag for user %s.\n", user_name);
766 result = NT_STATUS_UNSUCCESSFUL;
771 if (local_flags & LOCAL_SET_PASSWORD) {
773 * If we're dealing with setting a completely empty user account
774 * ie. One with a password of 'XXXX', but not set disabled (like
775 * an account created from scratch) then if the old password was
776 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
777 * We remove that as we're giving this user their first password
778 * and the decision hasn't really been made to disable them (ie.
779 * don't create them disabled). JRA.
781 if ((pdb_get_lanman_passwd(sam_pass) == NULL) &&
782 (acb & ACB_DISABLED)) {
783 acb &= (~ACB_DISABLED);
784 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
785 ret = asprintf(pp_err_str,
786 "Failed to unset 'disabled' "
787 "flag for user %s.\n",
792 result = NT_STATUS_UNSUCCESSFUL;
797 acb &= (~ACB_PWNOTREQ);
798 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
799 ret = asprintf(pp_err_str,
800 "Failed to unset 'no password required'"
801 " flag for user %s.\n", user_name);
805 result = NT_STATUS_UNSUCCESSFUL;
809 if (!pdb_set_plaintext_passwd(sam_pass, new_passwd)) {
810 ret = asprintf(pp_err_str,
811 "Failed to set password for "
812 "user %s.\n", user_name);
816 result = NT_STATUS_UNSUCCESSFUL;
821 if ((local_flags & LOCAL_DISABLE_USER) && !(acb & ACB_DISABLED)) {
823 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
824 ret = asprintf(pp_err_str,
825 "Failed to set 'disabled' flag for "
826 "user %s.\n", user_name);
830 result = NT_STATUS_UNSUCCESSFUL;
835 if ((local_flags & LOCAL_ENABLE_USER) && (acb & ACB_DISABLED)) {
836 acb &= (~ACB_DISABLED);
837 if (!pdb_set_acct_ctrl(sam_pass, acb, PDB_CHANGED)) {
838 ret = asprintf(pp_err_str,
839 "Failed to unset 'disabled' flag for "
840 "user %s.\n", user_name);
844 result = NT_STATUS_UNSUCCESSFUL;
849 /* now commit changes if any */
850 result = pdb_update_sam_account(sam_pass);
851 if (!NT_STATUS_IS_OK(result)) {
852 ret = asprintf(pp_err_str,
853 "Failed to modify entry for user %s.\n",
861 if (local_flags & LOCAL_ADD_USER) {
862 ret = asprintf(pp_msg_str, "Added user %s.\n", user_name);
863 } else if (local_flags & LOCAL_DISABLE_USER) {
864 ret = asprintf(pp_msg_str, "Disabled user %s.\n", user_name);
865 } else if (local_flags & LOCAL_ENABLE_USER) {
866 ret = asprintf(pp_msg_str, "Enabled user %s.\n", user_name);
867 } else if (local_flags & LOCAL_SET_NO_PASSWORD) {
868 ret = asprintf(pp_msg_str,
869 "User %s password set to none.\n", user_name);
876 result = NT_STATUS_OK;
879 TALLOC_FREE(sam_pass);
883 /**********************************************************************
884 Marshall/unmarshall struct samu structs.
885 *********************************************************************/
887 #define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
888 #define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
889 #define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
890 #define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
891 /* nothing changed between V3 and V4 */
893 /*********************************************************************
894 *********************************************************************/
896 static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 buflen)
899 /* times are stored as 32bit integer
900 take care on system with 64bit wide time_t
906 pass_can_change_time,
907 pass_must_change_time;
908 char *username = NULL;
910 char *nt_username = NULL;
911 char *dir_drive = NULL;
912 char *unknown_str = NULL;
913 char *munged_dial = NULL;
914 char *fullname = NULL;
915 char *homedir = NULL;
916 char *logon_script = NULL;
917 char *profile_path = NULL;
918 char *acct_desc = NULL;
919 char *workstations = NULL;
920 uint32 username_len, domain_len, nt_username_len,
921 dir_drive_len, unknown_str_len, munged_dial_len,
922 fullname_len, homedir_len, logon_script_len,
923 profile_path_len, acct_desc_len, workstations_len;
925 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
926 uint16 acct_ctrl, logon_divs;
927 uint16 bad_password_count, logon_count;
929 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
931 uint32 lm_pw_len, nt_pw_len, hourslen;
934 if(sampass == NULL || buf == NULL) {
935 DEBUG(0, ("init_samu_from_buffer_v0: NULL parameters found!\n"));
939 /* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
941 /* unpack the buffer into variables */
942 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V0,
944 &logoff_time, /* d */
945 &kickoff_time, /* d */
946 &pass_last_set_time, /* d */
947 &pass_can_change_time, /* d */
948 &pass_must_change_time, /* d */
949 &username_len, &username, /* B */
950 &domain_len, &domain, /* B */
951 &nt_username_len, &nt_username, /* B */
952 &fullname_len, &fullname, /* B */
953 &homedir_len, &homedir, /* B */
954 &dir_drive_len, &dir_drive, /* B */
955 &logon_script_len, &logon_script, /* B */
956 &profile_path_len, &profile_path, /* B */
957 &acct_desc_len, &acct_desc, /* B */
958 &workstations_len, &workstations, /* B */
959 &unknown_str_len, &unknown_str, /* B */
960 &munged_dial_len, &munged_dial, /* B */
963 &lm_pw_len, &lm_pw_ptr, /* B */
964 &nt_pw_len, &nt_pw_ptr, /* B */
966 &remove_me, /* remove on the next TDB_FORMAT upgarde */ /* d */
969 &hourslen, &hours, /* B */
970 &bad_password_count, /* w */
971 &logon_count, /* w */
974 if (len == (uint32) -1) {
979 pdb_set_logon_time(sampass, logon_time, PDB_SET);
980 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
981 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
982 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
983 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
984 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
986 pdb_set_username(sampass, username, PDB_SET);
987 pdb_set_domain(sampass, domain, PDB_SET);
988 pdb_set_nt_username(sampass, nt_username, PDB_SET);
989 pdb_set_fullname(sampass, fullname, PDB_SET);
992 pdb_set_homedir(sampass, homedir, PDB_SET);
995 pdb_set_homedir(sampass,
996 talloc_sub_basic(sampass, username, domain,
1002 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1004 pdb_set_dir_drive(sampass,
1005 talloc_sub_basic(sampass, username, domain,
1011 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1013 pdb_set_logon_script(sampass,
1014 talloc_sub_basic(sampass, username, domain,
1020 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1022 pdb_set_profile_path(sampass,
1023 talloc_sub_basic(sampass, username, domain,
1028 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1029 pdb_set_workstations(sampass, workstations, PDB_SET);
1030 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1032 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1033 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1039 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1040 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1046 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1047 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1048 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1049 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1050 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1051 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1052 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1053 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1054 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1055 pdb_set_hours(sampass, hours, PDB_SET);
1059 SAFE_FREE(username);
1061 SAFE_FREE(nt_username);
1062 SAFE_FREE(fullname);
1064 SAFE_FREE(dir_drive);
1065 SAFE_FREE(logon_script);
1066 SAFE_FREE(profile_path);
1067 SAFE_FREE(acct_desc);
1068 SAFE_FREE(workstations);
1069 SAFE_FREE(munged_dial);
1070 SAFE_FREE(unknown_str);
1071 SAFE_FREE(lm_pw_ptr);
1072 SAFE_FREE(nt_pw_ptr);
1078 /*********************************************************************
1079 *********************************************************************/
1081 static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 buflen)
1084 /* times are stored as 32bit integer
1085 take care on system with 64bit wide time_t
1092 pass_can_change_time,
1093 pass_must_change_time;
1094 char *username = NULL;
1095 char *domain = NULL;
1096 char *nt_username = NULL;
1097 char *dir_drive = NULL;
1098 char *unknown_str = NULL;
1099 char *munged_dial = NULL;
1100 char *fullname = NULL;
1101 char *homedir = NULL;
1102 char *logon_script = NULL;
1103 char *profile_path = NULL;
1104 char *acct_desc = NULL;
1105 char *workstations = NULL;
1106 uint32 username_len, domain_len, nt_username_len,
1107 dir_drive_len, unknown_str_len, munged_dial_len,
1108 fullname_len, homedir_len, logon_script_len,
1109 profile_path_len, acct_desc_len, workstations_len;
1111 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
1112 uint16 acct_ctrl, logon_divs;
1113 uint16 bad_password_count, logon_count;
1114 uint8 *hours = NULL;
1115 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1117 uint32 lm_pw_len, nt_pw_len, hourslen;
1120 if(sampass == NULL || buf == NULL) {
1121 DEBUG(0, ("init_samu_from_buffer_v1: NULL parameters found!\n"));
1125 /* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1127 /* unpack the buffer into variables */
1128 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V1,
1129 &logon_time, /* d */
1130 &logoff_time, /* d */
1131 &kickoff_time, /* d */
1132 /* Change from V0 is addition of bad_password_time field. */
1133 &bad_password_time, /* d */
1134 &pass_last_set_time, /* d */
1135 &pass_can_change_time, /* d */
1136 &pass_must_change_time, /* d */
1137 &username_len, &username, /* B */
1138 &domain_len, &domain, /* B */
1139 &nt_username_len, &nt_username, /* B */
1140 &fullname_len, &fullname, /* B */
1141 &homedir_len, &homedir, /* B */
1142 &dir_drive_len, &dir_drive, /* B */
1143 &logon_script_len, &logon_script, /* B */
1144 &profile_path_len, &profile_path, /* B */
1145 &acct_desc_len, &acct_desc, /* B */
1146 &workstations_len, &workstations, /* B */
1147 &unknown_str_len, &unknown_str, /* B */
1148 &munged_dial_len, &munged_dial, /* B */
1151 &lm_pw_len, &lm_pw_ptr, /* B */
1152 &nt_pw_len, &nt_pw_ptr, /* B */
1155 &logon_divs, /* w */
1157 &hourslen, &hours, /* B */
1158 &bad_password_count, /* w */
1159 &logon_count, /* w */
1160 &unknown_6); /* d */
1162 if (len == (uint32) -1) {
1167 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1168 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1169 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1171 /* Change from V0 is addition of bad_password_time field. */
1172 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1173 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1174 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1175 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1177 pdb_set_username(sampass, username, PDB_SET);
1178 pdb_set_domain(sampass, domain, PDB_SET);
1179 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1180 pdb_set_fullname(sampass, fullname, PDB_SET);
1183 pdb_set_homedir(sampass, homedir, PDB_SET);
1186 pdb_set_homedir(sampass,
1187 talloc_sub_basic(sampass, username, domain,
1193 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1195 pdb_set_dir_drive(sampass,
1196 talloc_sub_basic(sampass, username, domain,
1202 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1204 pdb_set_logon_script(sampass,
1205 talloc_sub_basic(sampass, username, domain,
1211 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1213 pdb_set_profile_path(sampass,
1214 talloc_sub_basic(sampass, username, domain,
1219 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1220 pdb_set_workstations(sampass, workstations, PDB_SET);
1221 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1223 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1224 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1230 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1231 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1237 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1239 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1240 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1241 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1242 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1243 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1244 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1245 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1246 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1247 pdb_set_hours(sampass, hours, PDB_SET);
1251 SAFE_FREE(username);
1253 SAFE_FREE(nt_username);
1254 SAFE_FREE(fullname);
1256 SAFE_FREE(dir_drive);
1257 SAFE_FREE(logon_script);
1258 SAFE_FREE(profile_path);
1259 SAFE_FREE(acct_desc);
1260 SAFE_FREE(workstations);
1261 SAFE_FREE(munged_dial);
1262 SAFE_FREE(unknown_str);
1263 SAFE_FREE(lm_pw_ptr);
1264 SAFE_FREE(nt_pw_ptr);
1270 static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 buflen)
1273 /* times are stored as 32bit integer
1274 take care on system with 64bit wide time_t
1281 pass_can_change_time,
1282 pass_must_change_time;
1283 char *username = NULL;
1284 char *domain = NULL;
1285 char *nt_username = NULL;
1286 char *dir_drive = NULL;
1287 char *unknown_str = NULL;
1288 char *munged_dial = NULL;
1289 char *fullname = NULL;
1290 char *homedir = NULL;
1291 char *logon_script = NULL;
1292 char *profile_path = NULL;
1293 char *acct_desc = NULL;
1294 char *workstations = NULL;
1295 uint32 username_len, domain_len, nt_username_len,
1296 dir_drive_len, unknown_str_len, munged_dial_len,
1297 fullname_len, homedir_len, logon_script_len,
1298 profile_path_len, acct_desc_len, workstations_len;
1300 uint32 user_rid, group_rid, hours_len, unknown_6;
1301 uint16 acct_ctrl, logon_divs;
1302 uint16 bad_password_count, logon_count;
1303 uint8 *hours = NULL;
1304 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1306 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1307 uint32 pwHistLen = 0;
1310 bool expand_explicit = lp_passdb_expand_explicit();
1312 if(sampass == NULL || buf == NULL) {
1313 DEBUG(0, ("init_samu_from_buffer_v2: NULL parameters found!\n"));
1317 /* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1319 /* unpack the buffer into variables */
1320 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V2,
1321 &logon_time, /* d */
1322 &logoff_time, /* d */
1323 &kickoff_time, /* d */
1324 &bad_password_time, /* d */
1325 &pass_last_set_time, /* d */
1326 &pass_can_change_time, /* d */
1327 &pass_must_change_time, /* d */
1328 &username_len, &username, /* B */
1329 &domain_len, &domain, /* B */
1330 &nt_username_len, &nt_username, /* B */
1331 &fullname_len, &fullname, /* B */
1332 &homedir_len, &homedir, /* B */
1333 &dir_drive_len, &dir_drive, /* B */
1334 &logon_script_len, &logon_script, /* B */
1335 &profile_path_len, &profile_path, /* B */
1336 &acct_desc_len, &acct_desc, /* B */
1337 &workstations_len, &workstations, /* B */
1338 &unknown_str_len, &unknown_str, /* B */
1339 &munged_dial_len, &munged_dial, /* B */
1342 &lm_pw_len, &lm_pw_ptr, /* B */
1343 &nt_pw_len, &nt_pw_ptr, /* B */
1344 /* Change from V1 is addition of password history field. */
1345 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1347 /* Also "remove_me" field was removed. */
1348 &logon_divs, /* w */
1350 &hourslen, &hours, /* B */
1351 &bad_password_count, /* w */
1352 &logon_count, /* w */
1353 &unknown_6); /* d */
1355 if (len == (uint32) -1) {
1360 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1361 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1362 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1363 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1364 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1365 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1366 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1368 pdb_set_username(sampass, username, PDB_SET);
1369 pdb_set_domain(sampass, domain, PDB_SET);
1370 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1371 pdb_set_fullname(sampass, fullname, PDB_SET);
1374 fstrcpy( tmp_string, homedir );
1375 if (expand_explicit) {
1376 standard_sub_basic( username, domain, tmp_string,
1377 sizeof(tmp_string) );
1379 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1382 pdb_set_homedir(sampass,
1383 talloc_sub_basic(sampass, username, domain,
1389 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1391 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1394 fstrcpy( tmp_string, logon_script );
1395 if (expand_explicit) {
1396 standard_sub_basic( username, domain, tmp_string,
1397 sizeof(tmp_string) );
1399 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1402 pdb_set_logon_script(sampass,
1403 talloc_sub_basic(sampass, username, domain,
1409 fstrcpy( tmp_string, profile_path );
1410 if (expand_explicit) {
1411 standard_sub_basic( username, domain, tmp_string,
1412 sizeof(tmp_string) );
1414 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1417 pdb_set_profile_path(sampass,
1418 talloc_sub_basic(sampass, username, domain,
1423 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1424 pdb_set_workstations(sampass, workstations, PDB_SET);
1425 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1427 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1428 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1434 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1435 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1441 /* Change from V1 is addition of password history field. */
1442 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1444 uint8 *pw_hist = SMB_MALLOC_ARRAY(uint8, pwHistLen * PW_HISTORY_ENTRY_LEN);
1449 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1450 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1452 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1453 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1454 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1455 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1456 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1457 PW_HISTORY_ENTRY_LEN);
1460 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1467 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1470 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1471 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1472 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1473 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1474 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1475 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1476 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1477 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1478 pdb_set_hours(sampass, hours, PDB_SET);
1482 SAFE_FREE(username);
1484 SAFE_FREE(nt_username);
1485 SAFE_FREE(fullname);
1487 SAFE_FREE(dir_drive);
1488 SAFE_FREE(logon_script);
1489 SAFE_FREE(profile_path);
1490 SAFE_FREE(acct_desc);
1491 SAFE_FREE(workstations);
1492 SAFE_FREE(munged_dial);
1493 SAFE_FREE(unknown_str);
1494 SAFE_FREE(lm_pw_ptr);
1495 SAFE_FREE(nt_pw_ptr);
1496 SAFE_FREE(nt_pw_hist_ptr);
1502 /*********************************************************************
1503 *********************************************************************/
1505 static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
1508 /* times are stored as 32bit integer
1509 take care on system with 64bit wide time_t
1516 pass_can_change_time,
1517 pass_must_change_time;
1518 char *username = NULL;
1519 char *domain = NULL;
1520 char *nt_username = NULL;
1521 char *dir_drive = NULL;
1522 char *comment = NULL;
1523 char *munged_dial = NULL;
1524 char *fullname = NULL;
1525 char *homedir = NULL;
1526 char *logon_script = NULL;
1527 char *profile_path = NULL;
1528 char *acct_desc = NULL;
1529 char *workstations = NULL;
1530 uint32 username_len, domain_len, nt_username_len,
1531 dir_drive_len, comment_len, munged_dial_len,
1532 fullname_len, homedir_len, logon_script_len,
1533 profile_path_len, acct_desc_len, workstations_len;
1535 uint32 user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
1537 uint16 bad_password_count, logon_count;
1538 uint8 *hours = NULL;
1539 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1541 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1542 uint32 pwHistLen = 0;
1545 bool expand_explicit = lp_passdb_expand_explicit();
1547 if(sampass == NULL || buf == NULL) {
1548 DEBUG(0, ("init_samu_from_buffer_v3: NULL parameters found!\n"));
1552 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1554 /* unpack the buffer into variables */
1555 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V3,
1556 &logon_time, /* d */
1557 &logoff_time, /* d */
1558 &kickoff_time, /* d */
1559 &bad_password_time, /* d */
1560 &pass_last_set_time, /* d */
1561 &pass_can_change_time, /* d */
1562 &pass_must_change_time, /* d */
1563 &username_len, &username, /* B */
1564 &domain_len, &domain, /* B */
1565 &nt_username_len, &nt_username, /* B */
1566 &fullname_len, &fullname, /* B */
1567 &homedir_len, &homedir, /* B */
1568 &dir_drive_len, &dir_drive, /* B */
1569 &logon_script_len, &logon_script, /* B */
1570 &profile_path_len, &profile_path, /* B */
1571 &acct_desc_len, &acct_desc, /* B */
1572 &workstations_len, &workstations, /* B */
1573 &comment_len, &comment, /* B */
1574 &munged_dial_len, &munged_dial, /* B */
1577 &lm_pw_len, &lm_pw_ptr, /* B */
1578 &nt_pw_len, &nt_pw_ptr, /* B */
1579 /* Change from V1 is addition of password history field. */
1580 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1581 /* Change from V2 is the uint32 acb_mask */
1583 /* Also "remove_me" field was removed. */
1584 &logon_divs, /* w */
1586 &hourslen, &hours, /* B */
1587 &bad_password_count, /* w */
1588 &logon_count, /* w */
1589 &unknown_6); /* d */
1591 if (len == (uint32) -1) {
1596 pdb_set_logon_time(sampass, convert_uint32_to_time_t(logon_time), PDB_SET);
1597 pdb_set_logoff_time(sampass, convert_uint32_to_time_t(logoff_time), PDB_SET);
1598 pdb_set_kickoff_time(sampass, convert_uint32_to_time_t(kickoff_time), PDB_SET);
1599 pdb_set_bad_password_time(sampass, convert_uint32_to_time_t(bad_password_time), PDB_SET);
1600 pdb_set_pass_can_change_time(sampass, convert_uint32_to_time_t(pass_can_change_time), PDB_SET);
1601 pdb_set_pass_must_change_time(sampass, convert_uint32_to_time_t(pass_must_change_time), PDB_SET);
1602 pdb_set_pass_last_set_time(sampass, convert_uint32_to_time_t(pass_last_set_time), PDB_SET);
1604 pdb_set_username(sampass, username, PDB_SET);
1605 pdb_set_domain(sampass, domain, PDB_SET);
1606 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1607 pdb_set_fullname(sampass, fullname, PDB_SET);
1610 fstrcpy( tmp_string, homedir );
1611 if (expand_explicit) {
1612 standard_sub_basic( username, domain, tmp_string,
1613 sizeof(tmp_string) );
1615 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1618 pdb_set_homedir(sampass,
1619 talloc_sub_basic(sampass, username, domain,
1625 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1627 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1630 fstrcpy( tmp_string, logon_script );
1631 if (expand_explicit) {
1632 standard_sub_basic( username, domain, tmp_string,
1633 sizeof(tmp_string) );
1635 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1638 pdb_set_logon_script(sampass,
1639 talloc_sub_basic(sampass, username, domain,
1645 fstrcpy( tmp_string, profile_path );
1646 if (expand_explicit) {
1647 standard_sub_basic( username, domain, tmp_string,
1648 sizeof(tmp_string) );
1650 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1653 pdb_set_profile_path(sampass,
1654 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
1658 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1659 pdb_set_comment(sampass, comment, PDB_SET);
1660 pdb_set_workstations(sampass, workstations, PDB_SET);
1661 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1663 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1664 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1670 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1671 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1677 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1679 uint8 *pw_hist = (uint8 *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1684 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1685 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1687 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1688 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1689 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1690 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1691 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1692 PW_HISTORY_ENTRY_LEN);
1695 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1702 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1705 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1706 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1707 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1708 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1709 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1710 /* Change from V2 is the uint32 acct_ctrl */
1711 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1712 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1713 pdb_set_hours(sampass, hours, PDB_SET);
1717 SAFE_FREE(username);
1719 SAFE_FREE(nt_username);
1720 SAFE_FREE(fullname);
1722 SAFE_FREE(dir_drive);
1723 SAFE_FREE(logon_script);
1724 SAFE_FREE(profile_path);
1725 SAFE_FREE(acct_desc);
1726 SAFE_FREE(workstations);
1727 SAFE_FREE(munged_dial);
1729 SAFE_FREE(lm_pw_ptr);
1730 SAFE_FREE(nt_pw_ptr);
1731 SAFE_FREE(nt_pw_hist_ptr);
1737 /*********************************************************************
1738 *********************************************************************/
1740 static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool size_only)
1744 /* times are stored as 32bit integer
1745 take care on system with 64bit wide time_t
1752 pass_can_change_time,
1753 pass_must_change_time;
1755 uint32 user_rid, group_rid;
1757 const char *username;
1759 const char *nt_username;
1760 const char *dir_drive;
1761 const char *comment;
1762 const char *munged_dial;
1763 const char *fullname;
1764 const char *homedir;
1765 const char *logon_script;
1766 const char *profile_path;
1767 const char *acct_desc;
1768 const char *workstations;
1769 uint32 username_len, domain_len, nt_username_len,
1770 dir_drive_len, comment_len, munged_dial_len,
1771 fullname_len, homedir_len, logon_script_len,
1772 profile_path_len, acct_desc_len, workstations_len;
1776 const uint8 *nt_pw_hist;
1777 uint32 lm_pw_len = 16;
1778 uint32 nt_pw_len = 16;
1779 uint32 nt_pw_hist_len;
1780 uint32 pwHistLen = 0;
1785 logon_time = convert_time_t_to_uint32(pdb_get_logon_time(sampass));
1786 logoff_time = convert_time_t_to_uint32(pdb_get_logoff_time(sampass));
1787 kickoff_time = convert_time_t_to_uint32(pdb_get_kickoff_time(sampass));
1788 bad_password_time = convert_time_t_to_uint32(pdb_get_bad_password_time(sampass));
1789 pass_can_change_time = convert_time_t_to_uint32(pdb_get_pass_can_change_time_noncalc(sampass));
1790 pass_must_change_time = convert_time_t_to_uint32(pdb_get_pass_must_change_time(sampass));
1791 pass_last_set_time = convert_time_t_to_uint32(pdb_get_pass_last_set_time(sampass));
1793 user_rid = pdb_get_user_rid(sampass);
1794 group_rid = pdb_get_group_rid(sampass);
1796 username = pdb_get_username(sampass);
1798 username_len = strlen(username) +1;
1803 domain = pdb_get_domain(sampass);
1805 domain_len = strlen(domain) +1;
1810 nt_username = pdb_get_nt_username(sampass);
1812 nt_username_len = strlen(nt_username) +1;
1814 nt_username_len = 0;
1817 fullname = pdb_get_fullname(sampass);
1819 fullname_len = strlen(fullname) +1;
1825 * Only updates fields which have been set (not defaults from smb.conf)
1828 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1829 dir_drive = pdb_get_dir_drive(sampass);
1834 dir_drive_len = strlen(dir_drive) +1;
1839 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1840 homedir = pdb_get_homedir(sampass);
1845 homedir_len = strlen(homedir) +1;
1850 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1851 logon_script = pdb_get_logon_script(sampass);
1853 logon_script = NULL;
1856 logon_script_len = strlen(logon_script) +1;
1858 logon_script_len = 0;
1861 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1862 profile_path = pdb_get_profile_path(sampass);
1864 profile_path = NULL;
1867 profile_path_len = strlen(profile_path) +1;
1869 profile_path_len = 0;
1872 lm_pw = pdb_get_lanman_passwd(sampass);
1877 nt_pw = pdb_get_nt_passwd(sampass);
1882 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1883 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1884 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1885 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1890 acct_desc = pdb_get_acct_desc(sampass);
1892 acct_desc_len = strlen(acct_desc) +1;
1897 workstations = pdb_get_workstations(sampass);
1899 workstations_len = strlen(workstations) +1;
1901 workstations_len = 0;
1904 comment = pdb_get_comment(sampass);
1906 comment_len = strlen(comment) +1;
1911 munged_dial = pdb_get_munged_dial(sampass);
1913 munged_dial_len = strlen(munged_dial) +1;
1915 munged_dial_len = 0;
1918 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1920 /* one time to get the size needed */
1921 len = tdb_pack(NULL, 0, SAMU_BUFFER_FORMAT_V3,
1923 logoff_time, /* d */
1924 kickoff_time, /* d */
1925 bad_password_time, /* d */
1926 pass_last_set_time, /* d */
1927 pass_can_change_time, /* d */
1928 pass_must_change_time, /* d */
1929 username_len, username, /* B */
1930 domain_len, domain, /* B */
1931 nt_username_len, nt_username, /* B */
1932 fullname_len, fullname, /* B */
1933 homedir_len, homedir, /* B */
1934 dir_drive_len, dir_drive, /* B */
1935 logon_script_len, logon_script, /* B */
1936 profile_path_len, profile_path, /* B */
1937 acct_desc_len, acct_desc, /* B */
1938 workstations_len, workstations, /* B */
1939 comment_len, comment, /* B */
1940 munged_dial_len, munged_dial, /* B */
1943 lm_pw_len, lm_pw, /* B */
1944 nt_pw_len, nt_pw, /* B */
1945 nt_pw_hist_len, nt_pw_hist, /* B */
1946 pdb_get_acct_ctrl(sampass), /* d */
1947 pdb_get_logon_divs(sampass), /* w */
1948 pdb_get_hours_len(sampass), /* d */
1949 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1950 pdb_get_bad_password_count(sampass), /* w */
1951 pdb_get_logon_count(sampass), /* w */
1952 pdb_get_unknown_6(sampass)); /* d */
1958 /* malloc the space needed */
1959 if ( (*buf=(uint8*)SMB_MALLOC(len)) == NULL) {
1960 DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
1964 /* now for the real call to tdb_pack() */
1965 buflen = tdb_pack(*buf, len, SAMU_BUFFER_FORMAT_V3,
1967 logoff_time, /* d */
1968 kickoff_time, /* d */
1969 bad_password_time, /* d */
1970 pass_last_set_time, /* d */
1971 pass_can_change_time, /* d */
1972 pass_must_change_time, /* d */
1973 username_len, username, /* B */
1974 domain_len, domain, /* B */
1975 nt_username_len, nt_username, /* B */
1976 fullname_len, fullname, /* B */
1977 homedir_len, homedir, /* B */
1978 dir_drive_len, dir_drive, /* B */
1979 logon_script_len, logon_script, /* B */
1980 profile_path_len, profile_path, /* B */
1981 acct_desc_len, acct_desc, /* B */
1982 workstations_len, workstations, /* B */
1983 comment_len, comment, /* B */
1984 munged_dial_len, munged_dial, /* B */
1987 lm_pw_len, lm_pw, /* B */
1988 nt_pw_len, nt_pw, /* B */
1989 nt_pw_hist_len, nt_pw_hist, /* B */
1990 pdb_get_acct_ctrl(sampass), /* d */
1991 pdb_get_logon_divs(sampass), /* w */
1992 pdb_get_hours_len(sampass), /* d */
1993 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1994 pdb_get_bad_password_count(sampass), /* w */
1995 pdb_get_logon_count(sampass), /* w */
1996 pdb_get_unknown_6(sampass)); /* d */
1998 /* check to make sure we got it correct */
1999 if (buflen != len) {
2000 DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
2001 (unsigned long)buflen, (unsigned long)len));
2010 static bool init_samu_from_buffer_v4(struct samu *sampass, uint8 *buf, uint32 buflen)
2012 /* nothing changed between V3 and V4 */
2013 return init_samu_from_buffer_v3(sampass, buf, buflen);
2016 static uint32 init_buffer_from_samu_v4(uint8 **buf, struct samu *sampass, bool size_only)
2018 /* nothing changed between V3 and V4 */
2019 return init_buffer_from_samu_v3(buf, sampass, size_only);
2022 /**********************************************************************
2023 Intialize a struct samu struct from a BYTE buffer of size len
2024 *********************************************************************/
2026 bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
2027 uint8 *buf, uint32 buflen)
2030 case SAMU_BUFFER_V0:
2031 return init_samu_from_buffer_v0(sampass, buf, buflen);
2032 case SAMU_BUFFER_V1:
2033 return init_samu_from_buffer_v1(sampass, buf, buflen);
2034 case SAMU_BUFFER_V2:
2035 return init_samu_from_buffer_v2(sampass, buf, buflen);
2036 case SAMU_BUFFER_V3:
2037 return init_samu_from_buffer_v3(sampass, buf, buflen);
2038 case SAMU_BUFFER_V4:
2039 return init_samu_from_buffer_v4(sampass, buf, buflen);
2045 /**********************************************************************
2046 Intialize a BYTE buffer from a struct samu struct
2047 *********************************************************************/
2049 uint32 init_buffer_from_samu (uint8 **buf, struct samu *sampass, bool size_only)
2051 return init_buffer_from_samu_v4(buf, sampass, size_only);
2054 /*********************************************************************
2055 *********************************************************************/
2057 bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
2062 len = init_buffer_from_samu(&buf, src, False);
2063 if (len == -1 || !buf) {
2068 if (!init_samu_from_buffer( dst, SAMU_BUFFER_LATEST, buf, len )) {
2073 dst->methods = src->methods;
2075 if ( src->unix_pw ) {
2076 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
2077 if (!dst->unix_pw) {
2087 /*********************************************************************
2088 Update the bad password count checking the PDB_POLICY_RESET_COUNT_TIME
2089 *********************************************************************/
2091 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
2093 time_t LastBadPassword;
2094 uint16 BadPasswordCount;
2098 BadPasswordCount = pdb_get_bad_password_count(sampass);
2099 if (!BadPasswordCount) {
2100 DEBUG(9, ("No bad password attempts.\n"));
2105 res = pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &resettime);
2109 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2113 /* First, check if there is a reset time to compare */
2114 if ((resettime == (uint32) -1) || (resettime == 0)) {
2115 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2119 LastBadPassword = pdb_get_bad_password_time(sampass);
2120 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2121 (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
2122 if (time(NULL) > (LastBadPassword + convert_uint32_to_time_t(resettime)*60)){
2123 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2124 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2133 /*********************************************************************
2134 Update the ACB_AUTOLOCK flag checking the PDB_POLICY_LOCK_ACCOUNT_DURATION
2135 *********************************************************************/
2137 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
2140 time_t LastBadPassword;
2143 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2144 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2145 pdb_get_username(sampass)));
2150 res = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &duration);
2154 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2158 /* First, check if there is a duration to compare */
2159 if ((duration == (uint32) -1) || (duration == 0)) {
2160 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2164 LastBadPassword = pdb_get_bad_password_time(sampass);
2165 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2166 pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
2168 if (LastBadPassword == (time_t)0) {
2169 DEBUG(1,("pdb_update_autolock_flag: Account %s "
2170 "administratively locked out with no bad password "
2171 "time. Leaving locked out.\n",
2172 pdb_get_username(sampass) ));
2176 if ((time(NULL) > (LastBadPassword + convert_uint32_to_time_t(duration) * 60))) {
2177 pdb_set_acct_ctrl(sampass,
2178 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2180 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2181 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2190 /*********************************************************************
2191 Increment the bad_password_count
2192 *********************************************************************/
2194 bool pdb_increment_bad_password_count(struct samu *sampass)
2196 uint32 account_policy_lockout;
2197 bool autolock_updated = False, badpw_updated = False;
2200 /* Retrieve the account lockout policy */
2202 ret = pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
2205 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2209 /* If there is no policy, we don't need to continue checking */
2210 if (!account_policy_lockout) {
2211 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2215 /* Check if the autolock needs to be cleared */
2216 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2219 /* Check if the badpw count needs to be reset */
2220 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2224 Ok, now we can assume that any resetting that needs to be
2225 done has been done, and just get on with incrementing
2226 and autolocking if necessary
2229 pdb_set_bad_password_count(sampass,
2230 pdb_get_bad_password_count(sampass)+1,
2232 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2235 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2238 if (!pdb_set_acct_ctrl(sampass,
2239 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2241 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
2248 bool is_dc_trusted_domain_situation(const char *domain_name)
2250 return IS_DC && !strequal(domain_name, lp_workgroup());
2253 /*******************************************************************
2254 Wrapper around retrieving the clear text trust account password.
2255 appropriate account name is stored in account_name.
2256 Caller must free password, but not account_name.
2257 *******************************************************************/
2259 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
2260 const char **account_name,
2261 enum netr_SchannelType *channel)
2264 time_t last_set_time;
2266 /* if we are a DC and this is not our domain, then lookup an account
2267 * for the domain trust */
2269 if (is_dc_trusted_domain_situation(domain)) {
2270 if (!lp_allow_trusted_domains()) {
2274 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
2277 DEBUG(0, ("get_trust_pw: could not fetch trust "
2278 "account password for trusted domain %s\n",
2283 if (channel != NULL) {
2284 *channel = SEC_CHAN_DOMAIN;
2287 if (account_name != NULL) {
2288 *account_name = lp_workgroup();
2295 * Since we can only be member of one single domain, we are now
2296 * in a member situation:
2298 * - Either we are a DC (selfjoined) and the domain is our
2300 * - Or we are on a member and the domain is our own or some
2301 * other (potentially trusted) domain.
2303 * In both cases, we can only get the machine account password
2304 * for our own domain to connect to our own dc. (For a member,
2305 * request to trusted domains are performed through our dc.)
2307 * So we simply use our own domain name to retrieve the
2308 * machine account passowrd and ignore the request domain here.
2311 pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
2315 if (account_name != NULL) {
2316 *account_name = global_myname();
2322 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
2323 "account password for domain %s\n", domain));
2327 /*******************************************************************
2328 Wrapper around retrieving the trust account password.
2329 appropriate account name is stored in account_name.
2330 *******************************************************************/
2332 bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
2333 const char **account_name,
2334 enum netr_SchannelType *channel)
2337 time_t last_set_time;
2339 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
2340 E_md4hash(pwd, ret_pwd);
2343 } else if (is_dc_trusted_domain_situation(domain)) {
2347 /* as a fallback, try to get the hashed pwd directly from the tdb... */
2349 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
2353 if (account_name != NULL) {
2354 *account_name = global_myname();
2360 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
2361 "password for domain %s\n", domain));
2365 struct samr_LogonHours get_logon_hours_from_pdb(TALLOC_CTX *mem_ctx,
2368 struct samr_LogonHours hours;
2369 const int units_per_week = 168;
2372 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
2377 hours.units_per_week = units_per_week;
2378 memset(hours.bits, 0xFF, units_per_week);
2380 if (pdb_get_hours(pw)) {
2381 memcpy(hours.bits, pdb_get_hours(pw),
2382 MIN(pdb_get_hours_len(pw), units_per_week));
git.samba.org / ira / wip.git / blob