libcli/security Provide a common, top level libcli/security/security.h
[kai/samba.git] / source3 / passdb / pdb_get_set.c
1 /* 
2    Unix SMB/CIFS implementation.
3    struct samu access routines
4    Copyright (C) Jeremy Allison                 1996-2001
5    Copyright (C) Luke Kenneth Casson Leighton   1996-1998
6    Copyright (C) Gerald (Jerry) Carter          2000-2006
7    Copyright (C) Andrew Bartlett                2001-2002
8    Copyright (C) Stefan (metze) Metzmacher      2002
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "../libcli/auth/libcli_auth.h"
26 #include "../libcli/security/security.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_PASSDB
30
31 /**
32  * @todo Redefine this to NULL, but this changes the API because
33  *       much of samba assumes that the pdb_get...() funtions 
34  *       return strings.  (ie not null-pointers).
35  *       See also pdb_fill_default_sam().
36  */
37
38 #define PDB_NOT_QUITE_NULL ""
39
40 /*********************************************************************
41  Collection of get...() functions for struct samu.
42  ********************************************************************/
43
44 uint32_t pdb_get_acct_ctrl(const struct samu *sampass)
45 {
46         return sampass->acct_ctrl;
47 }
48
49 time_t pdb_get_logon_time(const struct samu *sampass)
50 {
51         return sampass->logon_time;
52 }
53
54 time_t pdb_get_logoff_time(const struct samu *sampass)
55 {
56         return sampass->logoff_time;
57 }
58
59 time_t pdb_get_kickoff_time(const struct samu *sampass)
60 {
61         return sampass->kickoff_time;
62 }
63
64 time_t pdb_get_bad_password_time(const struct samu *sampass)
65 {
66         return sampass->bad_password_time;
67 }
68
69 time_t pdb_get_pass_last_set_time(const struct samu *sampass)
70 {
71         return sampass->pass_last_set_time;
72 }
73
74 time_t pdb_get_pass_can_change_time(const struct samu *sampass)
75 {
76         uint32_t allow;
77
78         /* if the last set time is zero, it means the user cannot 
79            change their password, and this time must be zero.   jmcd 
80         */
81         if (sampass->pass_last_set_time == 0)
82                 return (time_t) 0;
83
84         /* if the time is max, and the field has been changed,
85            we're trying to update this real value from the sampass
86            to indicate that the user cannot change their password.  jmcd
87         */
88         if (sampass->pass_can_change_time == get_time_t_max() &&
89             IS_SAM_CHANGED(sampass, PDB_CANCHANGETIME))
90                 return sampass->pass_can_change_time;
91
92         if (!pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &allow))
93                 allow = 0;
94
95         /* in normal cases, just calculate it from policy */
96         return sampass->pass_last_set_time + allow;
97 }
98
99 /* we need this for loading from the backend, so that we don't overwrite
100    non-changed max times, otherwise the pass_can_change checking won't work */
101 time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
102 {
103         return sampass->pass_can_change_time;
104 }
105
106 time_t pdb_get_pass_must_change_time(const struct samu *sampass)
107 {
108         uint32_t expire;
109
110         if (sampass->pass_last_set_time == 0)
111                 return (time_t) 0;
112
113         if (sampass->acct_ctrl & ACB_PWNOEXP)
114                 return get_time_t_max();
115
116         if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire)
117             || expire == (uint32_t)-1 || expire == 0)
118                 return get_time_t_max();
119
120         return sampass->pass_last_set_time + expire;
121 }
122
123 bool pdb_get_pass_can_change(const struct samu *sampass)
124 {
125         if (sampass->pass_can_change_time == get_time_t_max() &&
126             sampass->pass_last_set_time != 0)
127                 return False;
128         return True;
129 }
130
131 uint16_t pdb_get_logon_divs(const struct samu *sampass)
132 {
133         return sampass->logon_divs;
134 }
135
136 uint32_t pdb_get_hours_len(const struct samu *sampass)
137 {
138         return sampass->hours_len;
139 }
140
141 const uint8 *pdb_get_hours(const struct samu *sampass)
142 {
143         return (sampass->hours);
144 }
145
146 const uint8 *pdb_get_nt_passwd(const struct samu *sampass)
147 {
148         SMB_ASSERT((!sampass->nt_pw.data) 
149                    || sampass->nt_pw.length == NT_HASH_LEN);
150         return (uint8 *)sampass->nt_pw.data;
151 }
152
153 const uint8 *pdb_get_lanman_passwd(const struct samu *sampass)
154 {
155         SMB_ASSERT((!sampass->lm_pw.data) 
156                    || sampass->lm_pw.length == LM_HASH_LEN);
157         return (uint8 *)sampass->lm_pw.data;
158 }
159
160 const uint8 *pdb_get_pw_history(const struct samu *sampass, uint32_t *current_hist_len)
161 {
162         SMB_ASSERT((!sampass->nt_pw_his.data) 
163            || ((sampass->nt_pw_his.length % PW_HISTORY_ENTRY_LEN) == 0));
164         *current_hist_len = sampass->nt_pw_his.length / PW_HISTORY_ENTRY_LEN;
165         return (uint8 *)sampass->nt_pw_his.data;
166 }
167
168 /* Return the plaintext password if known.  Most of the time
169    it isn't, so don't assume anything magic about this function.
170
171    Used to pass the plaintext to passdb backends that might 
172    want to store more than just the NTLM hashes.
173 */
174 const char *pdb_get_plaintext_passwd(const struct samu *sampass)
175 {
176         return sampass->plaintext_pw;
177 }
178
179 const struct dom_sid *pdb_get_user_sid(const struct samu *sampass)
180 {
181         return &sampass->user_sid;
182 }
183
184 const struct dom_sid *pdb_get_group_sid(struct samu *sampass)
185 {
186         NTSTATUS status;
187
188         /* Return the cached group SID if we have that */
189         if (sampass->group_sid) {
190                 return sampass->group_sid;
191         }
192
193         /* No algorithmic mapping, meaning that we have to figure out the
194            primary group SID according to group mapping and the user SID must
195            be a newly allocated one.  We rely on the user's Unix primary gid.
196            We have no choice but to fail if we can't find it. */
197         status = get_primary_group_sid(sampass,
198                                         pdb_get_username(sampass),
199                                         &sampass->unix_pw,
200                                         &sampass->group_sid);
201         if (!NT_STATUS_IS_OK(status)) {
202                 return NULL;
203         }
204
205         return sampass->group_sid;
206 }
207
208 /**
209  * Get flags showing what is initalised in the struct samu
210  * @param sampass the struct samu in question
211  * @return the flags indicating the members initialised in the struct.
212  **/
213
214 enum pdb_value_state pdb_get_init_flags(const struct samu *sampass, enum pdb_elements element)
215 {
216         enum pdb_value_state ret = PDB_DEFAULT;
217
218         if (!sampass->change_flags || !sampass->set_flags)
219                 return ret;
220
221         if (bitmap_query(sampass->set_flags, element)) {
222                 DEBUG(11, ("element %d: SET\n", element)); 
223                 ret = PDB_SET;
224         }
225
226         if (bitmap_query(sampass->change_flags, element)) {
227                 DEBUG(11, ("element %d: CHANGED\n", element)); 
228                 ret = PDB_CHANGED;
229         }
230
231         if (ret == PDB_DEFAULT) {
232                 DEBUG(11, ("element %d: DEFAULT\n", element)); 
233         }
234
235         return ret;
236 }
237
238 const char *pdb_get_username(const struct samu *sampass)
239 {
240         return sampass->username;
241 }
242
243 const char *pdb_get_domain(const struct samu *sampass)
244 {
245         return sampass->domain;
246 }
247
248 const char *pdb_get_nt_username(const struct samu *sampass)
249 {
250         return sampass->nt_username;
251 }
252
253 const char *pdb_get_fullname(const struct samu *sampass)
254 {
255         return sampass->full_name;
256 }
257
258 const char *pdb_get_homedir(const struct samu *sampass)
259 {
260         return sampass->home_dir;
261 }
262
263 const char *pdb_get_dir_drive(const struct samu *sampass)
264 {
265         return sampass->dir_drive;
266 }
267
268 const char *pdb_get_logon_script(const struct samu *sampass)
269 {
270         return sampass->logon_script;
271 }
272
273 const char *pdb_get_profile_path(const struct samu *sampass)
274 {
275         return sampass->profile_path;
276 }
277
278 const char *pdb_get_acct_desc(const struct samu *sampass)
279 {
280         return sampass->acct_desc;
281 }
282
283 const char *pdb_get_workstations(const struct samu *sampass)
284 {
285         return sampass->workstations;
286 }
287
288 const char *pdb_get_comment(const struct samu *sampass)
289 {
290         return sampass->comment;
291 }
292
293 const char *pdb_get_munged_dial(const struct samu *sampass)
294 {
295         return sampass->munged_dial;
296 }
297
298 uint16_t pdb_get_bad_password_count(const struct samu *sampass)
299 {
300         return sampass->bad_password_count;
301 }
302
303 uint16_t pdb_get_logon_count(const struct samu *sampass)
304 {
305         return sampass->logon_count;
306 }
307
308 uint32_t pdb_get_unknown_6(const struct samu *sampass)
309 {
310         return sampass->unknown_6;
311 }
312
313 void *pdb_get_backend_private_data(const struct samu *sampass, const struct pdb_methods *my_methods)
314 {
315         if (my_methods == sampass->backend_private_methods) {
316                 return sampass->backend_private_data;
317         } else {
318                 return NULL;
319         }
320 }
321
322 /*********************************************************************
323  Collection of set...() functions for struct samu.
324  ********************************************************************/
325
326 bool pdb_set_acct_ctrl(struct samu *sampass, uint32_t acct_ctrl, enum pdb_value_state flag)
327 {
328         sampass->acct_ctrl = acct_ctrl;
329         return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
330 }
331
332 bool pdb_set_logon_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
333 {
334         sampass->logon_time = mytime;
335         return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
336 }
337
338 bool pdb_set_logoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
339 {
340         sampass->logoff_time = mytime;
341         return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
342 }
343
344 bool pdb_set_kickoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
345 {
346         sampass->kickoff_time = mytime;
347         return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
348 }
349
350 bool pdb_set_bad_password_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
351 {
352         sampass->bad_password_time = mytime;
353         return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_TIME, flag);
354 }
355
356 bool pdb_set_pass_can_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
357 {
358         sampass->pass_can_change_time = mytime;
359         return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
360 }
361
362 bool pdb_set_pass_must_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
363 {
364         sampass->pass_must_change_time = mytime;
365         return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
366 }
367
368 bool pdb_set_pass_last_set_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
369 {
370         sampass->pass_last_set_time = mytime;
371         return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
372 }
373
374 bool pdb_set_hours_len(struct samu *sampass, uint32_t len, enum pdb_value_state flag)
375 {
376         sampass->hours_len = len;
377         return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
378 }
379
380 bool pdb_set_logon_divs(struct samu *sampass, uint16_t hours, enum pdb_value_state flag)
381 {
382         sampass->logon_divs = hours;
383         return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
384 }
385
386 /**
387  * Set flags showing what is initalised in the struct samu
388  * @param sampass the struct samu in question
389  * @param flag The *new* flag to be set.  Old flags preserved
390  *             this flag is only added.  
391  **/
392
393 bool pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
394 {
395         if (!sampass->set_flags) {
396                 if ((sampass->set_flags = 
397                         bitmap_talloc(sampass, 
398                                         PDB_COUNT))==NULL) {
399                         DEBUG(0,("bitmap_talloc failed\n"));
400                         return False;
401                 }
402         }
403         if (!sampass->change_flags) {
404                 if ((sampass->change_flags = 
405                         bitmap_talloc(sampass, 
406                                         PDB_COUNT))==NULL) {
407                         DEBUG(0,("bitmap_talloc failed\n"));
408                         return False;
409                 }
410         }
411
412         switch(value_flag) {
413                 case PDB_CHANGED:
414                         if (!bitmap_set(sampass->change_flags, element)) {
415                                 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
416                                 return False;
417                         }
418                         if (!bitmap_set(sampass->set_flags, element)) {
419                                 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
420                                 return False;
421                         }
422                         DEBUG(11, ("element %d -> now CHANGED\n", element)); 
423                         break;
424                 case PDB_SET:
425                         if (!bitmap_clear(sampass->change_flags, element)) {
426                                 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
427                                 return False;
428                         }
429                         if (!bitmap_set(sampass->set_flags, element)) {
430                                 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
431                                 return False;
432                         }
433                         DEBUG(11, ("element %d -> now SET\n", element)); 
434                         break;
435                 case PDB_DEFAULT:
436                 default:
437                         if (!bitmap_clear(sampass->change_flags, element)) {
438                                 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
439                                 return False;
440                         }
441                         if (!bitmap_clear(sampass->set_flags, element)) {
442                                 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
443                                 return False;
444                         }
445                         DEBUG(11, ("element %d -> now DEFAULT\n", element)); 
446                         break;
447         }
448
449         return True;
450 }
451
452 bool pdb_set_user_sid(struct samu *sampass, const struct dom_sid *u_sid, enum pdb_value_state flag)
453 {
454         if (!u_sid)
455                 return False;
456
457         sid_copy(&sampass->user_sid, u_sid);
458
459         DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n", 
460                     sid_string_dbg(&sampass->user_sid)));
461
462         return pdb_set_init_flags(sampass, PDB_USERSID, flag);
463 }
464
465 bool pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_value_state flag)
466 {
467         struct dom_sid new_sid;
468
469         if (!u_sid)
470                 return False;
471
472         DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
473                    u_sid));
474
475         if (!string_to_sid(&new_sid, u_sid)) { 
476                 DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
477                 return False;
478         }
479
480         if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
481                 DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on struct samu!\n", u_sid));
482                 return False;
483         }
484
485         return True;
486 }
487
488 /********************************************************************
489  We never fill this in from a passdb backend but rather set is 
490  based on the user's primary group membership.  However, the 
491  struct samu* is overloaded and reused in domain memship code 
492  as well and built from the netr_SamInfo3 or PAC so we
493  have to allow the explicitly setting of a group SID here.
494 ********************************************************************/
495
496 bool pdb_set_group_sid(struct samu *sampass, const struct dom_sid *g_sid, enum pdb_value_state flag)
497 {
498         gid_t gid;
499         struct dom_sid dug_sid;
500
501         if (!g_sid)
502                 return False;
503
504         if ( !(sampass->group_sid = TALLOC_P( sampass, struct dom_sid )) ) {
505                 return False;
506         }
507
508         /* if we cannot resolve the SID to gid, then just ignore it and 
509            store DOMAIN_USERS as the primary groupSID */
510
511         sid_compose(&dug_sid, get_global_sam_sid(), DOMAIN_RID_USERS);
512
513         if (dom_sid_equal(&dug_sid, g_sid)) {
514                 sid_copy(sampass->group_sid, &dug_sid);
515         } else if (sid_to_gid( g_sid, &gid ) ) {
516                 sid_copy(sampass->group_sid, g_sid);
517         } else {
518                 sid_copy(sampass->group_sid, &dug_sid);
519         }
520
521         DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", 
522                    sid_string_dbg(sampass->group_sid)));
523
524         return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
525 }
526
527 /*********************************************************************
528  Set the user's UNIX name.
529  ********************************************************************/
530
531 bool pdb_set_username(struct samu *sampass, const char *username, enum pdb_value_state flag)
532 {
533         if (username) { 
534                 DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
535                         (sampass->username)?(sampass->username):"NULL"));
536
537                 sampass->username = talloc_strdup(sampass, username);
538
539                 if (!sampass->username) {
540                         DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
541                         return False;
542                 }
543         } else {
544                 sampass->username = PDB_NOT_QUITE_NULL;
545         }
546
547         return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
548 }
549
550 /*********************************************************************
551  Set the domain name.
552  ********************************************************************/
553
554 bool pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_state flag)
555 {
556         if (domain) { 
557                 DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
558                         (sampass->domain)?(sampass->domain):"NULL"));
559
560                 sampass->domain = talloc_strdup(sampass, domain);
561
562                 if (!sampass->domain) {
563                         DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
564                         return False;
565                 }
566         } else {
567                 sampass->domain = PDB_NOT_QUITE_NULL;
568         }
569
570         return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
571 }
572
573 /*********************************************************************
574  Set the user's NT name.
575  ********************************************************************/
576
577 bool pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb_value_state flag)
578 {
579         if (nt_username) { 
580                 DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
581                         (sampass->nt_username)?(sampass->nt_username):"NULL"));
582  
583                 sampass->nt_username = talloc_strdup(sampass, nt_username);
584
585                 if (!sampass->nt_username) {
586                         DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
587                         return False;
588                 }
589         } else {
590                 sampass->nt_username = PDB_NOT_QUITE_NULL;
591         }
592
593         return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
594 }
595
596 /*********************************************************************
597  Set the user's full name.
598  ********************************************************************/
599
600 bool pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_value_state flag)
601 {
602         if (full_name) { 
603                 DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
604                         (sampass->full_name)?(sampass->full_name):"NULL"));
605
606                 sampass->full_name = talloc_strdup(sampass, full_name);
607
608                 if (!sampass->full_name) {
609                         DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
610                         return False;
611                 }
612         } else {
613                 sampass->full_name = PDB_NOT_QUITE_NULL;
614         }
615
616         return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
617 }
618
619 /*********************************************************************
620  Set the user's logon script.
621  ********************************************************************/
622
623 bool pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum pdb_value_state flag)
624 {
625         if (logon_script) { 
626                 DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
627                         (sampass->logon_script)?(sampass->logon_script):"NULL"));
628
629                 sampass->logon_script = talloc_strdup(sampass, logon_script);
630
631                 if (!sampass->logon_script) {
632                         DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
633                         return False;
634                 }
635         } else {
636                 sampass->logon_script = PDB_NOT_QUITE_NULL;
637         }
638
639         return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
640 }
641
642 /*********************************************************************
643  Set the user's profile path.
644  ********************************************************************/
645
646 bool pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum pdb_value_state flag)
647 {
648         if (profile_path) { 
649                 DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
650                         (sampass->profile_path)?(sampass->profile_path):"NULL"));
651
652                 sampass->profile_path = talloc_strdup(sampass, profile_path);
653
654                 if (!sampass->profile_path) {
655                         DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
656                         return False;
657                 }
658         } else {
659                 sampass->profile_path = PDB_NOT_QUITE_NULL;
660         }
661
662         return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
663 }
664
665 /*********************************************************************
666  Set the user's directory drive.
667  ********************************************************************/
668
669 bool pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_value_state flag)
670 {
671         if (dir_drive) { 
672                 DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
673                         (sampass->dir_drive)?(sampass->dir_drive):"NULL"));
674
675                 sampass->dir_drive = talloc_strdup(sampass, dir_drive);
676
677                 if (!sampass->dir_drive) {
678                         DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
679                         return False;
680                 }
681
682         } else {
683                 sampass->dir_drive = PDB_NOT_QUITE_NULL;
684         }
685
686         return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
687 }
688
689 /*********************************************************************
690  Set the user's home directory.
691  ********************************************************************/
692
693 bool pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_state flag)
694 {
695         if (home_dir) { 
696                 DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
697                         (sampass->home_dir)?(sampass->home_dir):"NULL"));
698
699                 sampass->home_dir = talloc_strdup(sampass, home_dir);
700
701                 if (!sampass->home_dir) {
702                         DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
703                         return False;
704                 }
705         } else {
706                 sampass->home_dir = PDB_NOT_QUITE_NULL;
707         }
708
709         return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
710 }
711
712 /*********************************************************************
713  Set the user's account description.
714  ********************************************************************/
715
716 bool pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_value_state flag)
717 {
718         if (acct_desc) { 
719                 sampass->acct_desc = talloc_strdup(sampass, acct_desc);
720
721                 if (!sampass->acct_desc) {
722                         DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
723                         return False;
724                 }
725         } else {
726                 sampass->acct_desc = PDB_NOT_QUITE_NULL;
727         }
728
729         return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
730 }
731
732 /*********************************************************************
733  Set the user's workstation allowed list.
734  ********************************************************************/
735
736 bool pdb_set_workstations(struct samu *sampass, const char *workstations, enum pdb_value_state flag)
737 {
738         if (workstations) { 
739                 DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
740                         (sampass->workstations)?(sampass->workstations):"NULL"));
741
742                 sampass->workstations = talloc_strdup(sampass, workstations);
743
744                 if (!sampass->workstations) {
745                         DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
746                         return False;
747                 }
748         } else {
749                 sampass->workstations = PDB_NOT_QUITE_NULL;
750         }
751
752         return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
753 }
754
755 /*********************************************************************
756  ********************************************************************/
757
758 bool pdb_set_comment(struct samu *sampass, const char *comment, enum pdb_value_state flag)
759 {
760         if (comment) { 
761                 sampass->comment = talloc_strdup(sampass, comment);
762
763                 if (!sampass->comment) {
764                         DEBUG(0, ("pdb_set_comment: talloc_strdup() failed!\n"));
765                         return False;
766                 }
767         } else {
768                 sampass->comment = PDB_NOT_QUITE_NULL;
769         }
770
771         return pdb_set_init_flags(sampass, PDB_COMMENT, flag);
772 }
773
774 /*********************************************************************
775  Set the user's dial string.
776  ********************************************************************/
777
778 bool pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb_value_state flag)
779 {
780         if (munged_dial) { 
781                 sampass->munged_dial = talloc_strdup(sampass, munged_dial);
782
783                 if (!sampass->munged_dial) {
784                         DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
785                         return False;
786                 }
787         } else {
788                 sampass->munged_dial = PDB_NOT_QUITE_NULL;
789         }
790
791         return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
792 }
793
794 /*********************************************************************
795  Set the user's NT hash.
796  ********************************************************************/
797
798 bool pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
799 {
800         data_blob_clear_free(&sampass->nt_pw);
801
802        if (pwd) {
803                sampass->nt_pw =
804                        data_blob_talloc(sampass, pwd, NT_HASH_LEN);
805        } else {
806                sampass->nt_pw = data_blob_null;
807        }
808
809         return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
810 }
811
812 /*********************************************************************
813  Set the user's LM hash.
814  ********************************************************************/
815
816 bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
817 {
818         data_blob_clear_free(&sampass->lm_pw);
819
820         /* on keep the password if we are allowing LANMAN authentication */
821
822         if (pwd && lp_lanman_auth() ) {
823                 sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
824         } else {
825                 sampass->lm_pw = data_blob_null;
826         }
827
828         return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
829 }
830
831 /*********************************************************************
832  Set the user's password history hash. historyLen is the number of 
833  PW_HISTORY_SALT_LEN+SALTED_MD5_HASH_LEN length
834  entries to store in the history - this must match the size of the uint8 array
835  in pwd.
836 ********************************************************************/
837
838 bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32_t historyLen, enum pdb_value_state flag)
839 {
840         if (historyLen && pwd){
841                 data_blob_free(&(sampass->nt_pw_his));
842                 sampass->nt_pw_his = data_blob_talloc(sampass,
843                                                 pwd, historyLen*PW_HISTORY_ENTRY_LEN);
844                 if (!sampass->nt_pw_his.length) {
845                         DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
846                         return False;
847                 }
848         } else {
849                 sampass->nt_pw_his = data_blob_talloc(sampass, NULL, 0);
850         }
851
852         return pdb_set_init_flags(sampass, PDB_PWHISTORY, flag);
853 }
854
855 /*********************************************************************
856  Set the user's plaintext password only (base procedure, see helper
857  below)
858  ********************************************************************/
859
860 bool pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum pdb_value_state flag)
861 {
862         if (password) { 
863                 if (sampass->plaintext_pw!=NULL) 
864                         memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1);
865
866                 sampass->plaintext_pw = talloc_strdup(sampass, password);
867
868                 if (!sampass->plaintext_pw) {
869                         DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
870                         return False;
871                 }
872         } else {
873                 sampass->plaintext_pw = NULL;
874         }
875
876         return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
877 }
878
879 bool pdb_set_bad_password_count(struct samu *sampass, uint16_t bad_password_count, enum pdb_value_state flag)
880 {
881         sampass->bad_password_count = bad_password_count;
882         return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_COUNT, flag);
883 }
884
885 bool pdb_set_logon_count(struct samu *sampass, uint16_t logon_count, enum pdb_value_state flag)
886 {
887         sampass->logon_count = logon_count;
888         return pdb_set_init_flags(sampass, PDB_LOGON_COUNT, flag);
889 }
890
891 bool pdb_set_unknown_6(struct samu *sampass, uint32_t unkn, enum pdb_value_state flag)
892 {
893         sampass->unknown_6 = unkn;
894         return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
895 }
896
897 bool pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag)
898 {
899         if (!hours) {
900                 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
901         } else {
902                 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
903         }
904
905         return pdb_set_init_flags(sampass, PDB_HOURS, flag);
906 }
907
908 bool pdb_set_backend_private_data(struct samu *sampass, void *private_data, 
909                                    void (*free_fn)(void **), 
910                                    const struct pdb_methods *my_methods, 
911                                    enum pdb_value_state flag)
912 {
913         if (sampass->backend_private_data &&
914             sampass->backend_private_data_free_fn) {
915                 sampass->backend_private_data_free_fn(
916                         &sampass->backend_private_data);
917         }
918
919         sampass->backend_private_data = private_data;
920         sampass->backend_private_data_free_fn = free_fn;
921         sampass->backend_private_methods = my_methods;
922
923         return pdb_set_init_flags(sampass, PDB_BACKEND_PRIVATE_DATA, flag);
924 }
925
926
927 /* Helpful interfaces to the above */
928
929 bool pdb_set_pass_can_change(struct samu *sampass, bool canchange)
930 {
931         return pdb_set_pass_can_change_time(sampass, 
932                                      canchange ? 0 : get_time_t_max(),
933                                      PDB_CHANGED);
934 }
935
936
937 /*********************************************************************
938  Set the user's PLAINTEXT password.  Used as an interface to the above.
939  Also sets the last change time to NOW.
940  ********************************************************************/
941
942 bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
943 {
944         uchar new_lanman_p16[LM_HASH_LEN];
945         uchar new_nt_p16[NT_HASH_LEN];
946         uchar *pwhistory;
947         uint32_t pwHistLen;
948         uint32_t current_history_len;
949
950         if (!plaintext)
951                 return False;
952
953         /* Calculate the MD4 hash (NT compatible) of the password */
954         E_md4hash(plaintext, new_nt_p16);
955
956         if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED)) 
957                 return False;
958
959         if (!E_deshash(plaintext, new_lanman_p16)) {
960                 /* E_deshash returns false for 'long' passwords (> 14
961                    DOS chars).  This allows us to match Win2k, which
962                    does not store a LM hash for these passwords (which
963                    would reduce the effective password length to 14 */
964
965                 if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) 
966                         return False;
967         } else {
968                 if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED)) 
969                         return False;
970         }
971
972         if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED)) 
973                 return False;
974
975         if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
976                 return False;
977
978         if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
979                 /*
980                  * No password history for non-user accounts
981                  */
982                 return true;
983         }
984
985         pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
986
987         if (pwHistLen == 0) {
988                 /* Set the history length to zero. */
989                 pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
990                 return true;
991         }
992
993         /*
994          * We need to make sure we don't have a race condition here -
995          * the account policy history length can change between when
996          * the pw_history was first loaded into the struct samu struct
997          * and now.... JRA.
998          */
999         pwhistory = (uchar *)pdb_get_pw_history(sampass, &current_history_len);
1000
1001         if ((current_history_len != 0) && (pwhistory == NULL)) {
1002                 DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n"));
1003                 return false;
1004         }
1005
1006         if (current_history_len < pwHistLen) {
1007                 /*
1008                  * Ensure we have space for the needed history. This
1009                  * also takes care of an account which did not have
1010                  * any history at all so far, i.e. pwhistory==NULL
1011                  */
1012                 uchar *new_history = talloc_zero_array(
1013                         sampass, uchar,
1014                         pwHistLen*PW_HISTORY_ENTRY_LEN);
1015
1016                 if (!new_history) {
1017                         return False;
1018                 }
1019
1020                 memcpy(new_history, pwhistory,
1021                        current_history_len*PW_HISTORY_ENTRY_LEN);
1022
1023                 pwhistory = new_history;
1024         }
1025
1026         /*
1027          * Make room for the new password in the history list.
1028          */
1029         if (pwHistLen > 1) {
1030                 memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory,
1031                         (pwHistLen-1)*PW_HISTORY_ENTRY_LEN );
1032         }
1033
1034         /*
1035          * Fill the salt area with 0-s: this indicates that
1036          * a plain nt hash is stored in the has area.
1037          * The old format was to store a 16 byte salt and
1038          * then an md5hash of the nt_hash concatenated with
1039          * the salt.
1040          */
1041         memset(pwhistory, 0, PW_HISTORY_SALT_LEN);
1042
1043         /*
1044          * Store the plain nt hash in the second 16 bytes.
1045          * The old format was to store the md5 hash of
1046          * the salt+newpw.
1047          */
1048         memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN);
1049
1050         pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
1051
1052         return True;
1053 }
1054
1055 /* check for any PDB_SET/CHANGED field and fill the appropriate mask bit */
1056 uint32_t pdb_build_fields_present(struct samu *sampass)
1057 {
1058         /* value set to all for testing */
1059         return 0x00ffffff;
1060 }