- fix handling of 0 last_change_time and must_change_time
authorAndrew Tridgell <tridge@samba.org>
Mon, 1 Oct 2001 10:54:11 +0000 (10:54 +0000)
committerAndrew Tridgell <tridge@samba.org>
Mon, 1 Oct 2001 10:54:11 +0000 (10:54 +0000)
- move the arbitrary 21 day timeout to local.h
(This used to be commit 11075f543470c3283accce0246d0b2983420695a)

source3/auth/auth_sam.c
source3/include/local.h
source3/passdb/passdb.c
source3/passdb/pdb_smbpasswd.c
source3/passdb/pdb_tdb.c
source3/smbd/auth_smbpasswd.c

index 8159ad988ff3f77ed0db7555bf4d9c36244df79a..304e5be44bfebff55cb03b28008959b55154e9a7 100644 (file)
@@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
        DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username));
 
        /* Quit if the account was disabled. */
-       if(acct_ctrl & ACB_DISABLED) {
+       if (acct_ctrl & ACB_DISABLED) {
                DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username));
                return NT_STATUS_ACCOUNT_DISABLED;
        }
@@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
        /* Test account expire time */
        
        kickoff_time = pdb_get_kickoff_time(sampass);
-       if (kickoff_time != (time_t)-1) {
-               if (time(NULL) > kickoff_time) {
-                       DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
-                       DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
-                       return NT_STATUS_ACCOUNT_EXPIRED;
-               }
+       if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+               DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
+               DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
+               return NT_STATUS_ACCOUNT_EXPIRED;
        }
 
        /* Test workstation. Workstation list is comma separated. */
 
        workstation_list = strdup(pdb_get_workstations(sampass));
 
-       if (workstation_list) {
-               if (*workstation_list) {
-                       BOOL invalid_ws = True;
-                       char *s = workstation_list;
+       if (!workstation_list) return NT_STATUS_NO_MEMORY;
+
+       if (*workstation_list) {
+               BOOL invalid_ws = True;
+               char *s = workstation_list;
                        
-                       fstring tok;
+               fstring tok;
                        
-                       while (next_token(&s, tok, ",", sizeof(tok))) {
-                               DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
-                                         tok, user_info->wksta_name.str, user_info->wksta_name.len));
-                               if(strequal(tok, user_info->wksta_name.str)) {
-                                       invalid_ws = False;
-                                       break;
-                               }
+               while (next_token(&s, tok, ",", sizeof(tok))) {
+                       DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+                                 tok, user_info->wksta_name.str, user_info->wksta_name.len));
+                       if(strequal(tok, user_info->wksta_name.str)) {
+                               invalid_ws = False;
+                               break;
                        }
-                       
-                       SAFE_FREE(workstation_list);            
-                       if (invalid_ws) 
-                               return NT_STATUS_INVALID_WORKSTATION;
-               } else {
-                       SAFE_FREE(workstation_list);
                }
+               
+               SAFE_FREE(workstation_list);            
+               if (invalid_ws) 
+                       return NT_STATUS_INVALID_WORKSTATION;
        } else {
-               return NT_STATUS_NO_MEMORY;
+               SAFE_FREE(workstation_list);
        }
+
        
        {
                time_t must_change_time = pdb_get_pass_must_change_time(sampass);
-               if (must_change_time == 0) {
-                       DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username));
+               time_t last_set_time = pdb_get_pass_last_set_time(sampass);
+
+               /* check for immediate expiry "must change at next logon" */
+               if (must_change_time == 0 && last_set_time != 0) {
+                       DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username));
                        return NT_STATUS_PASSWORD_MUST_CHANGE;
                }
 
-               if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) {
+               /* check for expired password */
+               if (must_change_time < time(NULL) && must_change_time != 0) {
                        DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username));
                        DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time));
                        return NT_STATUS_PASSWORD_EXPIRED;
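Review bot: The `last_set_time != 0` guard on the must-change test makes an account with neither timestamp set (the zero defaults pdb_fill_default_sam now installs) pass both password-age checks, i.e. the unset case is fail-open, and the new comment does not say so. Since sam_account_ok now relies on 0 meaning "not set" for both must_change_time and last_set_time, the comment should record that decision, e.g. `/* 0 means "not set". An account with neither timestamp set has no password-age policy; only a set password with a zero must-change time means "must change at next logon". */`. As a style point the second condition reads more naturally with the cheap sentinel test first, matching the kickoff_time test above: `if (must_change_time != 0 && must_change_time < time(NULL)) {`. The same applies to the identical hunk in the last file section of this page. sam_account_ok starts and continues outside the hunk.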
@@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
        }
 
        if (acct_ctrl & ACB_DOMTRUST) {
-               DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
+               DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
                return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
        }
        
        if (acct_ctrl & ACB_SVRTRUST) {
-               DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
+               DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
                return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
        }
        
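Review bot: Lowering the two denial messages from DEBUG(0 to DEBUG(2 removes refused domain-trust and server-trust logons from the default log output (Samba's default log level is 0 unless it has been changed elsewhere), so an operator will no longer see these authentication denials without raising the level. If the intent is to silence noise from machine accounts, level 1 would keep them alongside the other denials in this function (disabled account, expired password), which are logged at DEBUG(1. Suggested: `DEBUG(1,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));` and the same for the server-trust line. The identical hunk in the last file section of this page has the same issue.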
index e9e4fb2d35fd268c8d6f0d6533aed9d4c74ca803..53ef564610b653b1a5a19fe7235186e2f6920be7 100644 (file)
 #define SESSION_TEMPLATE "smb/%d"
 #endif
 
+/* the maximum age in seconds of a password. Should be a lp_ parameter */
+#define MAX_PASSWORD_AGE (21*24*60*60)
+
 #endif
index 75f2d432f2a379c2796e047c9798d173f554af39..2ffbe42f8caf5e41544195c088c34316596e0db6 100644 (file)
@@ -79,11 +79,11 @@ static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user)
        
        ZERO_STRUCTP(user);
        user->logon_time            = (time_t)0;
-       user->logoff_time           = (time_t)-1;
-       user->kickoff_time          = (time_t)-1;
-       user->pass_last_set_time    = (time_t)-1;
-       user->pass_can_change_time  = (time_t)-1;
-       user->pass_must_change_time = (time_t)-1;
+       user->logoff_time           = (time_t)0;
+       user->kickoff_time          = (time_t)0;
+       user->pass_last_set_time    = (time_t)0;
+       user->pass_can_change_time  = (time_t)0;
+       user->pass_must_change_time = (time_t)0;
 
        user->unknown_3 = 0x00ffffff;   /* don't know */
        user->logon_divs = 168;         /* hours per week */
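Review bot: The default for the five time fields changes from (time_t)-1 to 0, but nothing in the hunk records that 0 is now the "not set" sentinel, and 0 is also a legitimate epoch timestamp, so a reader of pdb_fill_default_sam cannot tell a deliberate "no policy" value from an uninitialised field. Any remaining code that still compares these fields against (time_t)-1 (none is visible in this diff, so this is a guess) would now disagree with sam_account_ok, which tests for 0. Suggest a comment on the first assignment: `/* 0 means "not set"; sam_account_ok treats an unset time as no policy */`. pdb_fill_default_sam continues outside the hunk.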
index bca7541782a73c2a7712ec7d1d041fde9837ed5b..f487dcf347d4c634538f577b504f82197a6083e9 100644 (file)
@@ -1219,10 +1219,11 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, struct smb_passwd *pw_buf)
        
        pdb_set_dir_drive     (sam_pass, lp_logon_drive());
 
-       /* FIXME!!  What should this be set to?  New smb.conf parameter maybe?
-          max password age?   For now, we'll use the current time + 21 days. 
-          --jerry */
-       pdb_set_pass_must_change_time (sam_pass, time(NULL)+1814400);
+       /* the smbpasswd format doesn't have a must change time field, so
+          we can't get this right. The best we can do is to set this to 
+          some time in the future. 21 days seems as reasonable as any other value :) 
+       */
+       pdb_set_pass_must_change_time (sam_pass, pw_buf->pass_last_set_time + MAX_PASSWORD_AGE);
 
        /* check if this is a user account or a machine account */
        if (samlogon_user[strlen(samlogon_user)-1] != '$')
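Review bot: The new must-change time `pw_buf->pass_last_set_time + MAX_PASSWORD_AGE` is not "some time in the future" as the comment says: for any entry whose password was last set more than 21 days ago it lies in the past, and for an entry with no usable last-set time (0, or (time_t)-1 if the smbpasswd reader still uses that sentinel, which is not visible here) it is a 1970 timestamp, so sam_account_ok's expired-password test (`must_change_time < time(NULL) && must_change_time != 0`) will refuse every such logon with NT_STATUS_PASSWORD_EXPIRED. The previous code used time(NULL)+1814400, which was always in the future at the time of the check, so this is a behaviour change the commit message does not mention, not just a move of the constant. If a real maximum password age is intended, leave the unset case alone so it falls into the no-policy path by guarding the call with `if (pw_buf->pass_last_set_time != 0)`, and reword the comment to say the password expires MAX_PASSWORD_AGE seconds after it was last set. build_sam_account continues outside the hunk.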
index 9b932b7821cbe91e748990b14bef9f6b7d659f0a..43eefa5c7a7251c121d30c03c91fa386f75e4136 100644 (file)
@@ -466,9 +466,6 @@ BOOL pdb_getsampwent(SAM_ACCOUNT *user)
        pdb_set_uid (user, uid);
        pdb_set_gid (user, gid);
 
-       /* 21 days from present */
-       pdb_set_pass_must_change_time(user, time(NULL)+1814400);        
-
        standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_logon_script(user));
        standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_profile_path(user));
        standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_homedir(user));
index 8159ad988ff3f77ed0db7555bf4d9c36244df79a..304e5be44bfebff55cb03b28008959b55154e9a7 100644 (file)
@@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
        DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username));
 
        /* Quit if the account was disabled. */
-       if(acct_ctrl & ACB_DISABLED) {
+       if (acct_ctrl & ACB_DISABLED) {
                DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username));
                return NT_STATUS_ACCOUNT_DISABLED;
        }
@@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
        /* Test account expire time */
        
        kickoff_time = pdb_get_kickoff_time(sampass);
-       if (kickoff_time != (time_t)-1) {
-               if (time(NULL) > kickoff_time) {
-                       DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
-                       DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
-                       return NT_STATUS_ACCOUNT_EXPIRED;
-               }
+       if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+               DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
+               DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
+               return NT_STATUS_ACCOUNT_EXPIRED;
        }
 
        /* Test workstation. Workstation list is comma separated. */
 
        workstation_list = strdup(pdb_get_workstations(sampass));
 
-       if (workstation_list) {
-               if (*workstation_list) {
-                       BOOL invalid_ws = True;
-                       char *s = workstation_list;
+       if (!workstation_list) return NT_STATUS_NO_MEMORY;
+
+       if (*workstation_list) {
+               BOOL invalid_ws = True;
+               char *s = workstation_list;
                        
-                       fstring tok;
+               fstring tok;
                        
-                       while (next_token(&s, tok, ",", sizeof(tok))) {
-                               DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
-                                         tok, user_info->wksta_name.str, user_info->wksta_name.len));
-                               if(strequal(tok, user_info->wksta_name.str)) {
-                                       invalid_ws = False;
-                                       break;
-                               }
+               while (next_token(&s, tok, ",", sizeof(tok))) {
+                       DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+                                 tok, user_info->wksta_name.str, user_info->wksta_name.len));
+                       if(strequal(tok, user_info->wksta_name.str)) {
+                               invalid_ws = False;
+                               break;
                        }
-                       
-                       SAFE_FREE(workstation_list);            
-                       if (invalid_ws) 
-                               return NT_STATUS_INVALID_WORKSTATION;
-               } else {
-                       SAFE_FREE(workstation_list);
                }
+               
+               SAFE_FREE(workstation_list);            
+               if (invalid_ws) 
+                       return NT_STATUS_INVALID_WORKSTATION;
        } else {
-               return NT_STATUS_NO_MEMORY;
+               SAFE_FREE(workstation_list);
        }
+
        
        {
                time_t must_change_time = pdb_get_pass_must_change_time(sampass);
-               if (must_change_time == 0) {
-                       DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username));
+               time_t last_set_time = pdb_get_pass_last_set_time(sampass);
+
+               /* check for immediate expiry "must change at next logon" */
+               if (must_change_time == 0 && last_set_time != 0) {
+                       DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username));
                        return NT_STATUS_PASSWORD_MUST_CHANGE;
                }
 
-               if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) {
+               /* check for expired password */
+               if (must_change_time < time(NULL) && must_change_time != 0) {
                        DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username));
                        DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time));
                        return NT_STATUS_PASSWORD_EXPIRED;
@@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
        }
 
        if (acct_ctrl & ACB_DOMTRUST) {
-               DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
+               DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
                return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
        }
        
        if (acct_ctrl & ACB_SVRTRUST) {
-               DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
+               DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
                return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
        }