Copyright (C) Gerald (Jerry) Carter 2000-2006
Copyright (C) Andrew Bartlett 2001-2002
Copyright (C) Stefan (metze) Metzmacher 2002
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "../libcli/auth/libcli_auth.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
*/
if (sampass->pass_last_set_time == 0)
return (time_t) 0;
-
+
/* if the time is max, and the field has been changed,
we're trying to update this real value from the sampass
to indicate that the user cannot change their password. jmcd
*/
if (sampass->pass_can_change_time == get_time_t_max() &&
- pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED)
+ IS_SAM_CHANGED(sampass, PDB_CANCHANGETIME))
return sampass->pass_can_change_time;
- if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &allow))
+ if (!pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &allow))
allow = 0;
/* in normal cases, just calculate it from policy */
if (sampass->acct_ctrl & ACB_PWNOEXP)
return get_time_t_max();
- if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire)
+ if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire)
|| expire == (uint32)-1 || expire == 0)
return get_time_t_max();
/* Return the plaintext password if known. Most of the time
it isn't, so don't assume anything magic about this function.
-
+
Used to pass the plaintext to passdb backends that might
want to store more than just the NTLM hashes.
*/
{
DOM_SID *gsid;
struct passwd *pwd;
-
+
/* Return the cached group SID if we have that */
if ( sampass->group_sid ) {
return sampass->group_sid;
}
-
+
/* generate the group SID from the user's primary Unix group */
-
+
if ( !(gsid = TALLOC_P( sampass, DOM_SID )) ) {
return NULL;
}
-
+
/* No algorithmic mapping, meaning that we have to figure out the
primary group SID according to group mapping and the user SID must
be a newly allocated one. We rely on the user's Unix primary gid.
DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) ));
return NULL;
}
-
+
if ( pdb_gid_to_sid(pwd->pw_gid, gsid) ) {
enum lsa_SidType type = SID_NAME_UNKNOWN;
TALLOC_CTX *mem_ctx = talloc_init("pdb_get_group_sid");
bool lookup_ret;
-
+
if (!mem_ctx) {
return NULL;
}
pwd->pw_name, sid_type_lookup(type)));
}
- /* Just set it to the 'Domain Users' RID of 512 which will
+ /* Just set it to the 'Domain Users' RID of 513 which will
always resolve to a name */
-
- sid_copy( gsid, get_global_sam_sid() );
- sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS );
-
+
+ sid_compose(gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
+
sampass->group_sid = gsid;
-
+
return sampass->group_sid;
}
* @param sampass the struct samu in question
* @return the flags indicating the members initialised in the struct.
**/
-
+
enum pdb_value_state pdb_get_init_flags(const struct samu *sampass, enum pdb_elements element)
{
enum pdb_value_state ret = PDB_DEFAULT;
-
+
if (!sampass->change_flags || !sampass->set_flags)
return ret;
-
+
if (bitmap_query(sampass->set_flags, element)) {
DEBUG(11, ("element %d: SET\n", element));
ret = PDB_SET;
}
-
+
if (bitmap_query(sampass->change_flags, element)) {
DEBUG(11, ("element %d: CHANGED\n", element));
ret = PDB_CHANGED;
* @param flag The *new* flag to be set. Old flags preserved
* this flag is only added.
**/
-
+
bool pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
{
if (!sampass->set_flags) {
return False;
}
}
-
+
switch(value_flag) {
case PDB_CHANGED:
if (!bitmap_set(sampass->change_flags, element)) {
{
if (!u_sid)
return False;
-
+
sid_copy(&sampass->user_sid, u_sid);
DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
bool pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_value_state flag)
{
DOM_SID new_sid;
-
+
if (!u_sid)
return False;
DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
return False;
}
-
+
if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on struct samu!\n", u_sid));
return False;
if ( sid_to_gid( g_sid, &gid ) ) {
sid_copy(sampass->group_sid, g_sid);
} else {
- sid_copy( sampass->group_sid, get_global_sam_sid() );
- sid_append_rid( sampass->group_sid, DOMAIN_GROUP_RID_USERS );
+ sid_compose(sampass->group_sid, get_global_sam_sid(),
+ DOMAIN_GROUP_RID_USERS);
}
DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
} else {
sampass->username = PDB_NOT_QUITE_NULL;
}
-
+
return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
}
(sampass->nt_username)?(sampass->nt_username):"NULL"));
sampass->nt_username = talloc_strdup(sampass, nt_username);
-
+
if (!sampass->nt_username) {
DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
return False;
if (full_name) {
DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
(sampass->full_name)?(sampass->full_name):"NULL"));
-
+
sampass->full_name = talloc_strdup(sampass, full_name);
if (!sampass->full_name) {
if (logon_script) {
DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
(sampass->logon_script)?(sampass->logon_script):"NULL"));
-
+
sampass->logon_script = talloc_strdup(sampass, logon_script);
if (!sampass->logon_script) {
} else {
sampass->logon_script = PDB_NOT_QUITE_NULL;
}
-
+
return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
}
if (profile_path) {
DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
(sampass->profile_path)?(sampass->profile_path):"NULL"));
-
+
sampass->profile_path = talloc_strdup(sampass, profile_path);
-
+
if (!sampass->profile_path) {
DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
return False;
if (dir_drive) {
DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
(sampass->dir_drive)?(sampass->dir_drive):"NULL"));
-
+
sampass->dir_drive = talloc_strdup(sampass, dir_drive);
-
+
if (!sampass->dir_drive) {
DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
return False;
} else {
sampass->dir_drive = PDB_NOT_QUITE_NULL;
}
-
+
return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
}
if (home_dir) {
DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
(sampass->home_dir)?(sampass->home_dir):"NULL"));
-
+
sampass->home_dir = talloc_strdup(sampass, home_dir);
-
+
if (!sampass->home_dir) {
DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
return False;
if (workstations) {
DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
(sampass->workstations)?(sampass->workstations):"NULL"));
-
+
sampass->workstations = talloc_strdup(sampass, workstations);
if (!sampass->workstations) {
{
if (comment) {
sampass->comment = talloc_strdup(sampass, comment);
-
+
if (!sampass->comment) {
DEBUG(0, ("pdb_set_comment: talloc_strdup() failed!\n"));
return False;
{
if (munged_dial) {
sampass->munged_dial = talloc_strdup(sampass, munged_dial);
-
+
if (!sampass->munged_dial) {
DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
return False;
bool pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
{
data_blob_clear_free(&sampass->nt_pw);
-
+
if (pwd) {
sampass->nt_pw =
data_blob_talloc(sampass, pwd, NT_HASH_LEN);
bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
{
data_blob_clear_free(&sampass->lm_pw);
-
+
/* on keep the password if we are allowing LANMAN authentication */
if (pwd && lp_lanman_auth() ) {
bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag)
{
if (historyLen && pwd){
+ data_blob_free(&(sampass->nt_pw_his));
sampass->nt_pw_his = data_blob_talloc(sampass,
pwd, historyLen*PW_HISTORY_ENTRY_LEN);
if (!sampass->nt_pw_his.length) {
memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1);
sampass->plaintext_pw = talloc_strdup(sampass, password);
-
+
if (!sampass->plaintext_pw) {
DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
return False;
{
uchar new_lanman_p16[LM_HASH_LEN];
uchar new_nt_p16[NT_HASH_LEN];
+ uchar *pwhistory;
+ uint32 pwHistLen;
+ uint32 current_history_len;
if (!plaintext)
return False;
if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
return False;
- /* Store the password history. */
- if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
- uchar *pwhistory;
- uint32 pwHistLen;
- pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
- if (pwHistLen != 0){
- uint32 current_history_len;
- /* We need to make sure we don't have a race condition here - the
- account policy history length can change between when the pw_history
- was first loaded into the struct samu struct and now.... JRA. */
- pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
-
- if (current_history_len != pwHistLen) {
- /* After closing and reopening struct samu the history
- values will sync up. We can't do this here. */
-
- /* current_history_len > pwHistLen is not a problem - we
- have more history than we need. */
-
- if (current_history_len < pwHistLen) {
- /* Ensure we have space for the needed history. */
- uchar *new_history = (uchar *)TALLOC(sampass,
- pwHistLen*PW_HISTORY_ENTRY_LEN);
- if (!new_history) {
- return False;
- }
-
- /* And copy it into the new buffer. */
- if (current_history_len) {
- memcpy(new_history, pwhistory,
- current_history_len*PW_HISTORY_ENTRY_LEN);
- }
- /* Clearing out any extra space. */
- memset(&new_history[current_history_len*PW_HISTORY_ENTRY_LEN],
- '\0', (pwHistLen-current_history_len)*PW_HISTORY_ENTRY_LEN);
- /* Finally replace it. */
- pwhistory = new_history;
- }
- }
- if (pwhistory && pwHistLen){
- /* Make room for the new password in the history list. */
- if (pwHistLen > 1) {
- memmove(&pwhistory[PW_HISTORY_ENTRY_LEN],
- pwhistory, (pwHistLen -1)*PW_HISTORY_ENTRY_LEN );
- }
- /* Create the new salt as the first part of the history entry. */
- generate_random_buffer(pwhistory, PW_HISTORY_SALT_LEN);
-
- /* Generate the md5 hash of the salt+new password as the second
- part of the history entry. */
-
- E_md5hash(pwhistory, new_nt_p16, &pwhistory[PW_HISTORY_SALT_LEN]);
- pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
- } else {
- DEBUG (10,("pdb_get_set.c: pdb_set_plaintext_passwd: pwhistory was NULL!\n"));
- }
- } else {
- /* Set the history length to zero. */
- pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
+ /*
+ * No password history for non-user accounts
+ */
+ return true;
+ }
+
+ pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
+
+ if (pwHistLen == 0) {
+ /* Set the history length to zero. */
+ pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+ return true;
+ }
+
+ /*
+ * We need to make sure we don't have a race condition here -
+ * the account policy history length can change between when
+ * the pw_history was first loaded into the struct samu struct
+ * and now.... JRA.
+ */
+ pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
+
+ if ((current_history_len != 0) && (pwhistory == NULL)) {
+ DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n"));
+ return false;
+ }
+
+ if (current_history_len < pwHistLen) {
+ /*
+ * Ensure we have space for the needed history. This
+ * also takes care of an account which did not have
+ * any history at all so far, i.e. pwhistory==NULL
+ */
+ uchar *new_history = talloc_zero_array(
+ sampass, uchar,
+ pwHistLen*PW_HISTORY_ENTRY_LEN);
+
+ if (!new_history) {
+ return False;
}
+
+ memcpy(new_history, pwhistory,
+ current_history_len*PW_HISTORY_ENTRY_LEN);
+
+ pwhistory = new_history;
}
+ /*
+ * Make room for the new password in the history list.
+ */
+ if (pwHistLen > 1) {
+ memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory,
+ (pwHistLen-1)*PW_HISTORY_ENTRY_LEN );
+ }
+
+ /*
+ * Fill the salt area with 0-s: this indicates that
+ * a plain nt hash is stored in the has area.
+ * The old format was to store a 16 byte salt and
+ * then an md5hash of the nt_hash concatenated with
+ * the salt.
+ */
+ memset(pwhistory, 0, PW_HISTORY_SALT_LEN);
+
+ /*
+ * Store the plain nt hash in the second 16 bytes.
+ * The old format was to store the md5 hash of
+ * the salt+newpw.
+ */
+ memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN);
+
+ pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
+
return True;
}