2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 #define DBGC_CLASS DBGC_PASSDB
31 /******************************************************************
32 get the default domain/netbios name to be used when
33 testing authentication. For example, if you connect
34 to a Windows member server using a bogus domain name, the
35 Windows box will map the BOGUS\user to DOMAIN\user. A
36 standalone box will map to WKS\user.
37 ******************************************************************/
39 const char *my_sam_name(void)
41 /* standalone servers can only use the local netbios name */
42 if ( lp_server_role() == ROLE_STANDALONE )
43 return global_myname();
45 /* Windows domain members default to the DOMAIN
46 name when not specified */
47 return lp_workgroup();
50 /**********************************************************************
51 ***********************************************************************/
53 static int samu_destroy(void *p)
55 struct samu *user = (struct samu *)p;
57 data_blob_clear_free( &user->lm_pw );
58 data_blob_clear_free( &user->nt_pw );
60 if ( user->plaintext_pw )
61 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
66 /**********************************************************************
67 generate a new struct samuser
68 ***********************************************************************/
70 struct samu *samu_new( TALLOC_CTX *ctx )
74 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
75 DEBUG(0,("samuser_new: Talloc failed!\n"));
79 talloc_set_destructor( user, samu_destroy );
81 /* no initial methods */
85 /* Don't change these timestamp settings without a good reason.
86 They are important for NT member server compatibility. */
88 user->logon_time = (time_t)0;
89 user->pass_last_set_time = (time_t)0;
90 user->pass_can_change_time = (time_t)0;
91 user->logoff_time = get_time_t_max();
92 user->kickoff_time = get_time_t_max();
93 user->pass_must_change_time = get_time_t_max();
94 user->fields_present = 0x00ffffff;
95 user->logon_divs = 168; /* hours per week */
96 user->hours_len = 21; /* 21 times 8 bits = 168 */
97 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
98 user->bad_password_count = 0;
99 user->logon_count = 0;
100 user->unknown_6 = 0x000004ec; /* don't know */
102 /* Some parts of samba strlen their pdb_get...() returns,
103 so this keeps the interface unchanged for now. */
107 user->nt_username = "";
108 user->full_name = "";
110 user->logon_script = "";
111 user->profile_path = "";
112 user->acct_desc = "";
113 user->workstations = "";
115 user->munged_dial = "";
117 user->plaintext_pw = NULL;
119 /* Unless we know otherwise have a Account Control Bit
120 value of 'normal user'. This helps User Manager, which
121 asks for a filtered list of users. */
123 user->acct_ctrl = ACB_NORMAL;
129 /*********************************************************************
130 Initialize a struct samu from a struct passwd including the user
131 and group SIDs. The *user structure is filled out with the Unix
132 attributes and a user SID.
133 *********************************************************************/
135 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, BOOL create)
137 const char *guest_account = lp_guestaccount();
138 const char *domain = global_myname();
143 return NT_STATUS_NO_SUCH_USER;
146 /* Basic properties based upon the Unix account information */
148 pdb_set_username(user, pwd->pw_name, PDB_SET);
149 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
150 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
151 gid_to_sid(&group_sid, pwd->pw_gid);
152 pdb_set_group_sid(user, &group_sid, PDB_SET);
154 /* save the password structure for later use */
156 user->unix_pw = tcopy_passwd( user, pwd );
158 /* Special case for the guest account which must have a RID of 501 */
160 if ( strequal( pwd->pw_name, guest_account ) ) {
161 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
162 return NT_STATUS_NO_SUCH_USER;
167 /* Non-guest accounts...Check for a workstation or user account */
169 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
172 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
173 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
175 return NT_STATUS_INVALID_COMPUTER_NAME;
181 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
182 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
184 return NT_STATUS_INVALID_ACCOUNT_NAME;
187 /* set some basic attributes */
189 pdb_set_profile_path(user, talloc_sub_specified(user,
190 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
192 pdb_set_homedir(user, talloc_sub_specified(user,
193 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
195 pdb_set_dir_drive(user, talloc_sub_specified(user,
196 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
198 pdb_set_logon_script(user, talloc_sub_specified(user,
199 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
203 /* Now deal with the user SID. If we have a backend that can generate
204 RIDs, then do so. But sometimes the caller just wanted a structure
205 initialized and will fill in these fields later (such as from a
206 NET_USER_INFO_3 structure) */
208 if ( create && !pdb_rid_algorithm() ) {
212 if ( !pdb_new_rid( &user_rid ) ) {
213 DEBUG(3, ("Could not allocate a new RID\n"));
214 return NT_STATUS_ACCESS_DENIED;
217 sid_copy( &user_sid, get_global_sam_sid() );
218 sid_append_rid( &user_sid, user_rid );
220 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
221 DEBUG(3, ("pdb_set_user_sid failed\n"));
222 return NT_STATUS_INTERNAL_ERROR;
228 /* generate a SID for the user with the RID algorithm */
230 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
232 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
233 return NT_STATUS_INTERNAL_ERROR;
239 /********************************************************************
240 Set the Unix user attributes
241 ********************************************************************/
243 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
245 return samu_set_unix_internal( user, pwd, False );
248 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
250 return samu_set_unix_internal( user, pwd, True );
253 /**********************************************************
254 Encode the account control bits into a string.
255 length = length of string to encode into (including terminating
256 null). length *MUST BE MORE THAN 2* !
257 **********************************************************/
259 char *pdb_encode_acct_ctrl(uint32 acct_ctrl, size_t length)
261 static fstring acct_str;
265 SMB_ASSERT(length <= sizeof(acct_str));
269 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
270 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
271 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
272 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
273 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
274 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
275 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
276 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
277 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
278 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
279 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
281 for ( ; i < length - 2 ; i++ )
286 acct_str[i++] = '\0';
291 /**********************************************************
292 Decode the account control bits from a string.
293 **********************************************************/
295 uint32 pdb_decode_acct_ctrl(const char *p)
297 uint32 acct_ctrl = 0;
298 BOOL finished = False;
301 * Check if the account type bits have been encoded after the
302 * NT password (in the form [NDHTUWSLXI]).
308 for (p++; *p && !finished; p++) {
310 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
311 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
312 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
313 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
314 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
315 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
316 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
317 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
318 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
319 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
320 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
326 default: { finished = True; }
333 /*************************************************************
334 Routine to set 32 hex password characters from a 16 byte array.
335 **************************************************************/
337 void pdb_sethexpwd(char *p, const unsigned char *pwd, uint32 acct_ctrl)
341 for (i = 0; i < 16; i++)
342 slprintf(&p[i*2], 3, "%02X", pwd[i]);
344 if (acct_ctrl & ACB_PWNOTREQ)
345 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
347 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
351 /*************************************************************
352 Routine to get the 32 hex characters and turn them
353 into a 16 byte array.
354 **************************************************************/
356 BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
359 unsigned char lonybble, hinybble;
360 const char *hexchars = "0123456789ABCDEF";
366 for (i = 0; i < 32; i += 2) {
367 hinybble = toupper_ascii(p[i]);
368 lonybble = toupper_ascii(p[i + 1]);
370 p1 = strchr(hexchars, hinybble);
371 p2 = strchr(hexchars, lonybble);
376 hinybble = PTR_DIFF(p1, hexchars);
377 lonybble = PTR_DIFF(p2, hexchars);
379 pwd[i / 2] = (hinybble << 4) | lonybble;
384 /*************************************************************
385 Routine to set 42 hex hours characters from a 21 byte array.
386 **************************************************************/
388 void pdb_sethexhours(char *p, const unsigned char *hours)
392 for (i = 0; i < 21; i++) {
393 slprintf(&p[i*2], 3, "%02X", hours[i]);
396 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
400 /*************************************************************
401 Routine to get the 42 hex characters and turn them
402 into a 21 byte array.
403 **************************************************************/
405 BOOL pdb_gethexhours(const char *p, unsigned char *hours)
408 unsigned char lonybble, hinybble;
409 const char *hexchars = "0123456789ABCDEF";
416 for (i = 0; i < 42; i += 2) {
417 hinybble = toupper_ascii(p[i]);
418 lonybble = toupper_ascii(p[i + 1]);
420 p1 = strchr(hexchars, hinybble);
421 p2 = strchr(hexchars, lonybble);
427 hinybble = PTR_DIFF(p1, hexchars);
428 lonybble = PTR_DIFF(p2, hexchars);
430 hours[i / 2] = (hinybble << 4) | lonybble;
435 /********************************************************************
436 ********************************************************************/
438 int algorithmic_rid_base(void)
440 static int rid_offset = 0;
445 rid_offset = lp_algorithmic_rid_base();
447 if (rid_offset < BASE_RID) {
448 /* Try to prevent admin foot-shooting, we can't put algorithmic
449 rids below 1000, that's the 'well known RIDs' on NT */
450 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
451 rid_offset = BASE_RID;
453 if (rid_offset & 1) {
454 DEBUG(0, ("algorithmic rid base must be even\n"));
460 /*******************************************************************
461 Converts NT user RID to a UNIX uid.
462 ********************************************************************/
464 uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
466 int rid_offset = algorithmic_rid_base();
467 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
470 uid_t max_algorithmic_uid(void)
472 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
475 /*******************************************************************
476 converts UNIX uid to an NT User RID.
477 ********************************************************************/
479 uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
481 int rid_offset = algorithmic_rid_base();
482 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
485 /*******************************************************************
486 Converts NT group RID to a UNIX gid.
487 ********************************************************************/
489 gid_t pdb_group_rid_to_gid(uint32 group_rid)
491 int rid_offset = algorithmic_rid_base();
492 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
495 gid_t max_algorithmic_gid(void)
497 return pdb_group_rid_to_gid(0xffffffff);
500 /*******************************************************************
501 converts NT Group RID to a UNIX uid.
503 warning: you must not call that function only
504 you must do a call to the group mapping first.
505 there is not anymore a direct link between the gid and the rid.
506 ********************************************************************/
508 uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
510 int rid_offset = algorithmic_rid_base();
511 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
514 /*******************************************************************
515 Decides if a RID is a well known RID.
516 ********************************************************************/
518 static BOOL rid_is_well_known(uint32 rid)
520 /* Not using rid_offset here, because this is the actual
521 NT fixed value (1000) */
523 return (rid < BASE_RID);
526 /*******************************************************************
527 Decides if a RID is a user or group RID.
528 ********************************************************************/
530 BOOL algorithmic_pdb_rid_is_user(uint32 rid)
532 if ( rid_is_well_known(rid) ) {
534 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
535 * and DOMAIN_USER_RID_GUEST.
537 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
539 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
545 /*******************************************************************
546 Convert a name into a SID. Used in the lookup name rpc.
547 ********************************************************************/
549 BOOL lookup_global_sam_name(const char *user, int flags, uint32_t *rid,
550 enum SID_NAME_USE *type)
555 /* Windows treats "MACHINE\None" as a special name for
556 rid 513 on non-DCs. You cannot create a user or group
557 name "None" on Windows. You will get an error that
558 the group already exists. */
560 if ( strequal( user, "None" ) ) {
561 *rid = DOMAIN_GROUP_RID_USERS;
562 *type = SID_NAME_DOM_GRP;
567 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
568 * correctly in the case where foo also exists as a user. If the flag
569 * is set, don't look for users at all. */
571 if ((flags & LOOKUP_NAME_GROUP) == 0) {
572 struct samu *sam_account = NULL;
575 if ( !(sam_account = samu_new( NULL )) ) {
580 ret = pdb_getsampwnam(sam_account, user);
584 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
587 TALLOC_FREE(sam_account);
590 if (!sid_check_is_in_our_domain(&user_sid)) {
591 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
592 user, sid_string_static(&user_sid)));
596 sid_peek_rid(&user_sid, rid);
597 *type = SID_NAME_USER;
603 * Maybe it is a group ?
607 ret = pdb_getgrnam(&map, user);
614 /* BUILTIN groups are looked up elsewhere */
615 if (!sid_check_is_in_our_domain(&map.sid)) {
616 DEBUG(10, ("Found group %s (%s) not in our domain -- "
618 sid_string_static(&map.sid)));
622 /* yes it's a mapped group */
623 sid_peek_rid(&map.sid, rid);
624 *type = map.sid_name_use;
628 /*************************************************************
629 Change a password entry in the local smbpasswd file.
630 *************************************************************/
632 NTSTATUS local_password_change(const char *user_name, int local_flags,
633 const char *new_passwd,
634 char *err_str, size_t err_str_len,
635 char *msg_str, size_t msg_str_len)
637 struct samu *sam_pass=NULL;
644 /* Get the smb passwd entry for this user */
646 if ( !(sam_pass = samu_new( NULL )) ) {
647 return NT_STATUS_NO_MEMORY;
651 if(!pdb_getsampwnam(sam_pass, user_name)) {
653 TALLOC_FREE(sam_pass);
655 if ((local_flags & LOCAL_ADD_USER) || (local_flags & LOCAL_DELETE_USER)) {
656 int tmp_debug = DEBUGLEVEL;
659 /* Might not exist in /etc/passwd. */
665 if ( !(pwd = getpwnam_alloc( NULL, user_name)) ) {
666 return NT_STATUS_NO_SUCH_USER;
669 /* create the struct samu and initialize the basic Unix properties */
671 if ( !(sam_pass = samu_new( NULL )) ) {
672 return NT_STATUS_NO_MEMORY;
675 result = samu_set_unix( sam_pass, pwd );
677 DEBUGLEVEL = tmp_debug;
681 if (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PRIMARY_GROUP)) {
685 if (!NT_STATUS_IS_OK(result)) {
686 slprintf(err_str, err_str_len-1, "Failed to " "initialize account for user %s: %s\n",
687 user_name, nt_errstr(result));
691 slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
692 return NT_STATUS_NO_SUCH_USER;
696 /* the entry already existed */
697 local_flags &= ~LOCAL_ADD_USER;
700 /* the 'other' acb bits not being changed here */
701 other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
702 if (local_flags & LOCAL_TRUST_ACCOUNT) {
703 if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
704 slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
705 TALLOC_FREE(sam_pass);
706 return NT_STATUS_UNSUCCESSFUL;
708 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
709 if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
710 slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
711 TALLOC_FREE(sam_pass);
712 return NT_STATUS_UNSUCCESSFUL;
715 if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
716 slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
717 TALLOC_FREE(sam_pass);
718 return NT_STATUS_UNSUCCESSFUL;
723 * We are root - just write the new password
724 * and the valid last change time.
727 if (local_flags & LOCAL_DISABLE_USER) {
728 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
729 slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
730 TALLOC_FREE(sam_pass);
731 return NT_STATUS_UNSUCCESSFUL;
733 } else if (local_flags & LOCAL_ENABLE_USER) {
734 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
735 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
736 TALLOC_FREE(sam_pass);
737 return NT_STATUS_UNSUCCESSFUL;
741 if (local_flags & LOCAL_SET_NO_PASSWORD) {
742 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
743 slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
744 TALLOC_FREE(sam_pass);
745 return NT_STATUS_UNSUCCESSFUL;
747 } else if (local_flags & LOCAL_SET_PASSWORD) {
749 * If we're dealing with setting a completely empty user account
750 * ie. One with a password of 'XXXX', but not set disabled (like
751 * an account created from scratch) then if the old password was
752 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
753 * We remove that as we're giving this user their first password
754 * and the decision hasn't really been made to disable them (ie.
755 * don't create them disabled). JRA.
757 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
758 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
759 slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
760 TALLOC_FREE(sam_pass);
761 return NT_STATUS_UNSUCCESSFUL;
764 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
765 slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
766 TALLOC_FREE(sam_pass);
767 return NT_STATUS_UNSUCCESSFUL;
770 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
771 slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
772 TALLOC_FREE(sam_pass);
773 return NT_STATUS_UNSUCCESSFUL;
777 if (local_flags & LOCAL_ADD_USER) {
778 if (NT_STATUS_IS_OK(pdb_add_sam_account(sam_pass))) {
779 slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
780 TALLOC_FREE(sam_pass);
783 slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
784 TALLOC_FREE(sam_pass);
785 return NT_STATUS_UNSUCCESSFUL;
787 } else if (local_flags & LOCAL_DELETE_USER) {
788 if (!NT_STATUS_IS_OK(pdb_delete_sam_account(sam_pass))) {
789 slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
790 TALLOC_FREE(sam_pass);
791 return NT_STATUS_UNSUCCESSFUL;
793 slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
795 result = pdb_update_sam_account(sam_pass);
796 if(!NT_STATUS_IS_OK(result)) {
797 slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
798 TALLOC_FREE(sam_pass);
801 if(local_flags & LOCAL_DISABLE_USER)
802 slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
803 else if (local_flags & LOCAL_ENABLE_USER)
804 slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
805 else if (local_flags & LOCAL_SET_NO_PASSWORD)
806 slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
809 TALLOC_FREE(sam_pass);
813 /**********************************************************************
814 Marshall/unmarshall struct samu structs.
815 *********************************************************************/
817 #define TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
819 /*********************************************************************
820 *********************************************************************/
822 BOOL init_sam_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
825 /* times are stored as 32bit integer
826 take care on system with 64bit wide time_t
833 pass_can_change_time,
834 pass_must_change_time;
835 char *username = NULL;
837 char *nt_username = NULL;
838 char *dir_drive = NULL;
839 char *unknown_str = NULL;
840 char *munged_dial = NULL;
841 char *fullname = NULL;
842 char *homedir = NULL;
843 char *logon_script = NULL;
844 char *profile_path = NULL;
845 char *acct_desc = NULL;
846 char *workstations = NULL;
847 uint32 username_len, domain_len, nt_username_len,
848 dir_drive_len, unknown_str_len, munged_dial_len,
849 fullname_len, homedir_len, logon_script_len,
850 profile_path_len, acct_desc_len, workstations_len;
852 uint32 user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
854 uint16 bad_password_count, logon_count;
856 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
858 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
859 uint32 pwHistLen = 0;
862 BOOL expand_explicit = lp_passdb_expand_explicit();
864 if(sampass == NULL || buf == NULL) {
865 DEBUG(0, ("init_sam_from_buffer_v3: NULL parameters found!\n"));
869 /* TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
871 /* unpack the buffer into variables */
872 len = tdb_unpack ((char *)buf, buflen, TDB_FORMAT_STRING_V3,
874 &logoff_time, /* d */
875 &kickoff_time, /* d */
876 &bad_password_time, /* d */
877 &pass_last_set_time, /* d */
878 &pass_can_change_time, /* d */
879 &pass_must_change_time, /* d */
880 &username_len, &username, /* B */
881 &domain_len, &domain, /* B */
882 &nt_username_len, &nt_username, /* B */
883 &fullname_len, &fullname, /* B */
884 &homedir_len, &homedir, /* B */
885 &dir_drive_len, &dir_drive, /* B */
886 &logon_script_len, &logon_script, /* B */
887 &profile_path_len, &profile_path, /* B */
888 &acct_desc_len, &acct_desc, /* B */
889 &workstations_len, &workstations, /* B */
890 &unknown_str_len, &unknown_str, /* B */
891 &munged_dial_len, &munged_dial, /* B */
894 &lm_pw_len, &lm_pw_ptr, /* B */
895 &nt_pw_len, &nt_pw_ptr, /* B */
896 /* Change from V1 is addition of password history field. */
897 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
898 /* Change from V2 is the uint32 acb_mask */
900 /* Also "remove_me" field was removed. */
903 &hourslen, &hours, /* B */
904 &bad_password_count, /* w */
905 &logon_count, /* w */
908 if (len == (uint32) -1) {
913 pdb_set_logon_time(sampass, logon_time, PDB_SET);
914 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
915 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
916 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
917 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
918 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
919 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
921 pdb_set_username(sampass, username, PDB_SET);
922 pdb_set_domain(sampass, domain, PDB_SET);
923 pdb_set_nt_username(sampass, nt_username, PDB_SET);
924 pdb_set_fullname(sampass, fullname, PDB_SET);
927 fstrcpy( tmpstring, homedir );
928 if (expand_explicit) {
929 standard_sub_basic( username, domain, tmpstring,
932 pdb_set_homedir(sampass, tmpstring, PDB_SET);
935 pdb_set_homedir(sampass,
936 talloc_sub_basic(sampass, username, domain,
942 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
944 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
947 fstrcpy( tmpstring, logon_script );
948 if (expand_explicit) {
949 standard_sub_basic( username, domain, tmpstring,
952 pdb_set_logon_script(sampass, tmpstring, PDB_SET);
955 pdb_set_logon_script(sampass,
956 talloc_sub_basic(sampass, username, domain,
962 fstrcpy( tmpstring, profile_path );
963 if (expand_explicit) {
964 standard_sub_basic( username, domain, tmpstring,
967 pdb_set_profile_path(sampass, tmpstring, PDB_SET);
970 pdb_set_profile_path(sampass,
971 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
975 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
976 pdb_set_workstations(sampass, workstations, PDB_SET);
977 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
979 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
980 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
986 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
987 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
993 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
995 uint8 *pw_hist = (uint8 *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1000 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1001 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1003 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1004 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1005 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1006 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1007 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1008 PW_HISTORY_ENTRY_LEN);
1011 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1018 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1021 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1022 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1023 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1024 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1025 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1026 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1027 /* Change from V2 is the uint32 acct_ctrl */
1028 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1029 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1030 pdb_set_hours(sampass, hours, PDB_SET);
1034 SAFE_FREE(username);
1036 SAFE_FREE(nt_username);
1037 SAFE_FREE(fullname);
1039 SAFE_FREE(dir_drive);
1040 SAFE_FREE(logon_script);
1041 SAFE_FREE(profile_path);
1042 SAFE_FREE(acct_desc);
1043 SAFE_FREE(workstations);
1044 SAFE_FREE(munged_dial);
1045 SAFE_FREE(unknown_str);
1046 SAFE_FREE(lm_pw_ptr);
1047 SAFE_FREE(nt_pw_ptr);
1048 SAFE_FREE(nt_pw_hist_ptr);
1054 /*********************************************************************
1055 *********************************************************************/
1057 uint32 init_buffer_from_sam_v3 (uint8 **buf, struct samu *sampass, BOOL size_only)
1061 /* times are stored as 32bit integer
1062 take care on system with 64bit wide time_t
1069 pass_can_change_time,
1070 pass_must_change_time;
1072 uint32 user_rid, group_rid;
1074 const char *username;
1076 const char *nt_username;
1077 const char *dir_drive;
1078 const char *unknown_str;
1079 const char *munged_dial;
1080 const char *fullname;
1081 const char *homedir;
1082 const char *logon_script;
1083 const char *profile_path;
1084 const char *acct_desc;
1085 const char *workstations;
1086 uint32 username_len, domain_len, nt_username_len,
1087 dir_drive_len, unknown_str_len, munged_dial_len,
1088 fullname_len, homedir_len, logon_script_len,
1089 profile_path_len, acct_desc_len, workstations_len;
1093 const uint8 *nt_pw_hist;
1094 uint32 lm_pw_len = 16;
1095 uint32 nt_pw_len = 16;
1096 uint32 nt_pw_hist_len;
1097 uint32 pwHistLen = 0;
1102 logon_time = (uint32)pdb_get_logon_time(sampass);
1103 logoff_time = (uint32)pdb_get_logoff_time(sampass);
1104 kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
1105 bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
1106 pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
1107 pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
1108 pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
1110 user_rid = pdb_get_user_rid(sampass);
1111 group_rid = pdb_get_group_rid(sampass);
1113 username = pdb_get_username(sampass);
1115 username_len = strlen(username) +1;
1120 domain = pdb_get_domain(sampass);
1122 domain_len = strlen(domain) +1;
1127 nt_username = pdb_get_nt_username(sampass);
1129 nt_username_len = strlen(nt_username) +1;
1131 nt_username_len = 0;
1134 fullname = pdb_get_fullname(sampass);
1136 fullname_len = strlen(fullname) +1;
1142 * Only updates fields which have been set (not defaults from smb.conf)
1145 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1146 dir_drive = pdb_get_dir_drive(sampass);
1151 dir_drive_len = strlen(dir_drive) +1;
1156 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1157 homedir = pdb_get_homedir(sampass);
1162 homedir_len = strlen(homedir) +1;
1167 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1168 logon_script = pdb_get_logon_script(sampass);
1170 logon_script = NULL;
1173 logon_script_len = strlen(logon_script) +1;
1175 logon_script_len = 0;
1178 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1179 profile_path = pdb_get_profile_path(sampass);
1181 profile_path = NULL;
1184 profile_path_len = strlen(profile_path) +1;
1186 profile_path_len = 0;
1189 lm_pw = pdb_get_lanman_passwd(sampass);
1194 nt_pw = pdb_get_nt_passwd(sampass);
1199 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1200 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1201 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1202 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1207 acct_desc = pdb_get_acct_desc(sampass);
1209 acct_desc_len = strlen(acct_desc) +1;
1214 workstations = pdb_get_workstations(sampass);
1216 workstations_len = strlen(workstations) +1;
1218 workstations_len = 0;
1222 unknown_str_len = 0;
1224 munged_dial = pdb_get_munged_dial(sampass);
1226 munged_dial_len = strlen(munged_dial) +1;
1228 munged_dial_len = 0;
1231 /* TDB_FORMAT_STRING_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1233 /* one time to get the size needed */
1234 len = tdb_pack(NULL, 0, TDB_FORMAT_STRING_V3,
1236 logoff_time, /* d */
1237 kickoff_time, /* d */
1238 bad_password_time, /* d */
1239 pass_last_set_time, /* d */
1240 pass_can_change_time, /* d */
1241 pass_must_change_time, /* d */
1242 username_len, username, /* B */
1243 domain_len, domain, /* B */
1244 nt_username_len, nt_username, /* B */
1245 fullname_len, fullname, /* B */
1246 homedir_len, homedir, /* B */
1247 dir_drive_len, dir_drive, /* B */
1248 logon_script_len, logon_script, /* B */
1249 profile_path_len, profile_path, /* B */
1250 acct_desc_len, acct_desc, /* B */
1251 workstations_len, workstations, /* B */
1252 unknown_str_len, unknown_str, /* B */
1253 munged_dial_len, munged_dial, /* B */
1256 lm_pw_len, lm_pw, /* B */
1257 nt_pw_len, nt_pw, /* B */
1258 nt_pw_hist_len, nt_pw_hist, /* B */
1259 pdb_get_acct_ctrl(sampass), /* d */
1260 pdb_get_logon_divs(sampass), /* w */
1261 pdb_get_hours_len(sampass), /* d */
1262 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1263 pdb_get_bad_password_count(sampass), /* w */
1264 pdb_get_logon_count(sampass), /* w */
1265 pdb_get_unknown_6(sampass)); /* d */
1271 /* malloc the space needed */
1272 if ( (*buf=(uint8*)SMB_MALLOC(len)) == NULL) {
1273 DEBUG(0,("init_buffer_from_sam_v3: Unable to malloc() memory for buffer!\n"));
1277 /* now for the real call to tdb_pack() */
1278 buflen = tdb_pack((char *)*buf, len, TDB_FORMAT_STRING_V3,
1280 logoff_time, /* d */
1281 kickoff_time, /* d */
1282 bad_password_time, /* d */
1283 pass_last_set_time, /* d */
1284 pass_can_change_time, /* d */
1285 pass_must_change_time, /* d */
1286 username_len, username, /* B */
1287 domain_len, domain, /* B */
1288 nt_username_len, nt_username, /* B */
1289 fullname_len, fullname, /* B */
1290 homedir_len, homedir, /* B */
1291 dir_drive_len, dir_drive, /* B */
1292 logon_script_len, logon_script, /* B */
1293 profile_path_len, profile_path, /* B */
1294 acct_desc_len, acct_desc, /* B */
1295 workstations_len, workstations, /* B */
1296 unknown_str_len, unknown_str, /* B */
1297 munged_dial_len, munged_dial, /* B */
1300 lm_pw_len, lm_pw, /* B */
1301 nt_pw_len, nt_pw, /* B */
1302 nt_pw_hist_len, nt_pw_hist, /* B */
1303 pdb_get_acct_ctrl(sampass), /* d */
1304 pdb_get_logon_divs(sampass), /* w */
1305 pdb_get_hours_len(sampass), /* d */
1306 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1307 pdb_get_bad_password_count(sampass), /* w */
1308 pdb_get_logon_count(sampass), /* w */
1309 pdb_get_unknown_6(sampass)); /* d */
1311 /* check to make sure we got it correct */
1312 if (buflen != len) {
1313 DEBUG(0, ("init_buffer_from_sam_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
1314 (unsigned long)buflen, (unsigned long)len));
1324 /*********************************************************************
1325 *********************************************************************/
1327 BOOL pdb_copy_sam_account(struct samu *dst, struct samu *src )
1332 len = init_buffer_from_sam_v3(&buf, src, False);
1333 if (len == -1 || !buf) {
1338 if (!init_sam_from_buffer_v3( dst, buf, len )) {
1343 dst->methods = src->methods;
1345 if ( src->unix_pw ) {
1346 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
1347 if (!dst->unix_pw) {
1357 /*********************************************************************
1358 Update the bad password count checking the AP_RESET_COUNT_TIME
1359 *********************************************************************/
1361 BOOL pdb_update_bad_password_count(struct samu *sampass, BOOL *updated)
1363 time_t LastBadPassword;
1364 uint16 BadPasswordCount;
1367 BadPasswordCount = pdb_get_bad_password_count(sampass);
1368 if (!BadPasswordCount) {
1369 DEBUG(9, ("No bad password attempts.\n"));
1373 if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
1374 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
1378 /* First, check if there is a reset time to compare */
1379 if ((resettime == (uint32) -1) || (resettime == 0)) {
1380 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
1384 LastBadPassword = pdb_get_bad_password_time(sampass);
1385 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
1386 (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
1387 if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
1388 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
1389 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
1398 /*********************************************************************
1399 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
1400 *********************************************************************/
1402 BOOL pdb_update_autolock_flag(struct samu *sampass, BOOL *updated)
1405 time_t LastBadPassword;
1407 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
1408 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
1409 pdb_get_username(sampass)));
1413 if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
1414 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
1418 /* First, check if there is a duration to compare */
1419 if ((duration == (uint32) -1) || (duration == 0)) {
1420 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
1424 LastBadPassword = pdb_get_bad_password_time(sampass);
1425 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
1426 pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
1428 if (LastBadPassword == (time_t)0) {
1429 DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
1430 bad password time. Leaving locked out.\n",
1431 pdb_get_username(sampass) ));
1435 if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
1436 pdb_set_acct_ctrl(sampass,
1437 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
1439 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
1440 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
1449 /*********************************************************************
1450 Increment the bad_password_count
1451 *********************************************************************/
1453 BOOL pdb_increment_bad_password_count(struct samu *sampass)
1455 uint32 account_policy_lockout;
1456 BOOL autolock_updated = False, badpw_updated = False;
1459 /* Retrieve the account lockout policy */
1461 ret = pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
1464 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
1468 /* If there is no policy, we don't need to continue checking */
1469 if (!account_policy_lockout) {
1470 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
1474 /* Check if the autolock needs to be cleared */
1475 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
1478 /* Check if the badpw count needs to be reset */
1479 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
1483 Ok, now we can assume that any resetting that needs to be
1484 done has been done, and just get on with incrementing
1485 and autolocking if necessary
1488 pdb_set_bad_password_count(sampass,
1489 pdb_get_bad_password_count(sampass)+1,
1491 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
1494 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
1497 if (!pdb_set_acct_ctrl(sampass,
1498 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
1500 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));