2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Volker Lendecke 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #define DBGC_CLASS DBGC_PASSDB
30 /**********************************************************************
31 ***********************************************************************/
33 static int samu_destroy(struct samu *user)
35 data_blob_clear_free( &user->lm_pw );
36 data_blob_clear_free( &user->nt_pw );
38 if ( user->plaintext_pw )
39 memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
44 /**********************************************************************
45 generate a new struct samuser
46 ***********************************************************************/
48 struct samu *samu_new( TALLOC_CTX *ctx )
52 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
53 DEBUG(0,("samuser_new: Talloc failed!\n"));
57 talloc_set_destructor( user, samu_destroy );
59 /* no initial methods */
63 /* Don't change these timestamp settings without a good reason.
64 They are important for NT member server compatibility. */
66 user->logon_time = (time_t)0;
67 user->pass_last_set_time = (time_t)0;
68 user->pass_can_change_time = (time_t)0;
69 user->logoff_time = get_time_t_max();
70 user->kickoff_time = get_time_t_max();
71 user->pass_must_change_time = get_time_t_max();
72 user->fields_present = 0x00ffffff;
73 user->logon_divs = 168; /* hours per week */
74 user->hours_len = 21; /* 21 times 8 bits = 168 */
75 memset(user->hours, 0xff, user->hours_len); /* available at all hours */
76 user->bad_password_count = 0;
77 user->logon_count = 0;
78 user->unknown_6 = 0x000004ec; /* don't know */
80 /* Some parts of samba strlen their pdb_get...() returns,
81 so this keeps the interface unchanged for now. */
85 user->nt_username = "";
88 user->logon_script = "";
89 user->profile_path = "";
91 user->workstations = "";
93 user->munged_dial = "";
95 user->plaintext_pw = NULL;
97 /* Unless we know otherwise have a Account Control Bit
98 value of 'normal user'. This helps User Manager, which
99 asks for a filtered list of users. */
101 user->acct_ctrl = ACB_NORMAL;
106 /*********************************************************************
107 Initialize a struct samu from a struct passwd including the user
108 and group SIDs. The *user structure is filled out with the Unix
109 attributes and a user SID.
110 *********************************************************************/
112 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
114 const char *guest_account = lp_guestaccount();
115 const char *domain = global_myname();
119 return NT_STATUS_NO_SUCH_USER;
122 /* Basic properties based upon the Unix account information */
124 pdb_set_username(user, pwd->pw_name, PDB_SET);
125 pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
126 pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
128 /* This can lead to a primary group of S-1-22-2-XX which
129 will be rejected by other parts of the Samba code.
130 Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
133 gid_to_sid(&group_sid, pwd->pw_gid);
134 pdb_set_group_sid(user, &group_sid, PDB_SET);
137 /* save the password structure for later use */
139 user->unix_pw = tcopy_passwd( user, pwd );
141 /* Special case for the guest account which must have a RID of 501 */
143 if ( strequal( pwd->pw_name, guest_account ) ) {
144 if ( !pdb_set_user_sid_from_rid(user, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
145 return NT_STATUS_NO_SUCH_USER;
150 /* Non-guest accounts...Check for a workstation or user account */
152 if (pwd->pw_name[strlen(pwd->pw_name)-1] == '$') {
155 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
156 DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
158 return NT_STATUS_INVALID_COMPUTER_NAME;
164 if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
165 DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
167 return NT_STATUS_INVALID_ACCOUNT_NAME;
170 /* set some basic attributes */
172 pdb_set_profile_path(user, talloc_sub_specified(user,
173 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
175 pdb_set_homedir(user, talloc_sub_specified(user,
176 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
178 pdb_set_dir_drive(user, talloc_sub_specified(user,
179 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
181 pdb_set_logon_script(user, talloc_sub_specified(user,
182 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
186 /* Now deal with the user SID. If we have a backend that can generate
187 RIDs, then do so. But sometimes the caller just wanted a structure
188 initialized and will fill in these fields later (such as from a
189 netr_SamInfo3 structure) */
191 if ( create && !pdb_rid_algorithm() ) {
195 if ( !pdb_new_rid( &user_rid ) ) {
196 DEBUG(3, ("Could not allocate a new RID\n"));
197 return NT_STATUS_ACCESS_DENIED;
200 sid_copy( &user_sid, get_global_sam_sid() );
201 sid_append_rid( &user_sid, user_rid );
203 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
204 DEBUG(3, ("pdb_set_user_sid failed\n"));
205 return NT_STATUS_INTERNAL_ERROR;
211 /* generate a SID for the user with the RID algorithm */
213 urid = algorithmic_pdb_uid_to_user_rid( user->unix_pw->pw_uid );
215 if ( !pdb_set_user_sid_from_rid( user, urid, PDB_SET) ) {
216 return NT_STATUS_INTERNAL_ERROR;
222 /********************************************************************
223 Set the Unix user attributes
224 ********************************************************************/
226 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
228 return samu_set_unix_internal( user, pwd, False );
231 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
233 return samu_set_unix_internal( user, pwd, True );
236 /**********************************************************
237 Encode the account control bits into a string.
238 length = length of string to encode into (including terminating
239 null). length *MUST BE MORE THAN 2* !
240 **********************************************************/
242 char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
249 SMB_ASSERT(length <= sizeof(acct_str));
253 if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
254 if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
255 if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
256 if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
257 if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
258 if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
259 if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
260 if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
261 if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
262 if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
263 if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
265 for ( ; i < length - 2 ; i++ )
270 acct_str[i++] = '\0';
272 result = talloc_strdup(talloc_tos(), acct_str);
273 SMB_ASSERT(result != NULL);
277 /**********************************************************
278 Decode the account control bits from a string.
279 **********************************************************/
281 uint32_t pdb_decode_acct_ctrl(const char *p)
283 uint32_t acct_ctrl = 0;
284 bool finished = false;
287 * Check if the account type bits have been encoded after the
288 * NT password (in the form [NDHTUWSLXI]).
294 for (p++; *p && !finished; p++) {
296 case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
297 case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
298 case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
299 case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
300 case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
301 case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
302 case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
303 case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
304 case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
305 case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
306 case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
312 default: { finished = true; }
319 /*************************************************************
320 Routine to set 32 hex password characters from a 16 byte array.
321 **************************************************************/
323 void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32 acct_ctrl)
327 for (i = 0; i < 16; i++)
328 slprintf(&p[i*2], 3, "%02X", pwd[i]);
330 if (acct_ctrl & ACB_PWNOTREQ)
331 safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
333 safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
337 /*************************************************************
338 Routine to get the 32 hex characters and turn them
339 into a 16 byte array.
340 **************************************************************/
342 bool pdb_gethexpwd(const char *p, unsigned char *pwd)
345 unsigned char lonybble, hinybble;
346 const char *hexchars = "0123456789ABCDEF";
352 for (i = 0; i < 32; i += 2) {
353 hinybble = toupper_ascii(p[i]);
354 lonybble = toupper_ascii(p[i + 1]);
356 p1 = strchr(hexchars, hinybble);
357 p2 = strchr(hexchars, lonybble);
362 hinybble = PTR_DIFF(p1, hexchars);
363 lonybble = PTR_DIFF(p2, hexchars);
365 pwd[i / 2] = (hinybble << 4) | lonybble;
370 /*************************************************************
371 Routine to set 42 hex hours characters from a 21 byte array.
372 **************************************************************/
374 void pdb_sethexhours(char *p, const unsigned char *hours)
378 for (i = 0; i < 21; i++) {
379 slprintf(&p[i*2], 3, "%02X", hours[i]);
382 safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
386 /*************************************************************
387 Routine to get the 42 hex characters and turn them
388 into a 21 byte array.
389 **************************************************************/
391 bool pdb_gethexhours(const char *p, unsigned char *hours)
394 unsigned char lonybble, hinybble;
395 const char *hexchars = "0123456789ABCDEF";
402 for (i = 0; i < 42; i += 2) {
403 hinybble = toupper_ascii(p[i]);
404 lonybble = toupper_ascii(p[i + 1]);
406 p1 = strchr(hexchars, hinybble);
407 p2 = strchr(hexchars, lonybble);
413 hinybble = PTR_DIFF(p1, hexchars);
414 lonybble = PTR_DIFF(p2, hexchars);
416 hours[i / 2] = (hinybble << 4) | lonybble;
421 /********************************************************************
422 ********************************************************************/
424 int algorithmic_rid_base(void)
428 rid_offset = lp_algorithmic_rid_base();
430 if (rid_offset < BASE_RID) {
431 /* Try to prevent admin foot-shooting, we can't put algorithmic
432 rids below 1000, that's the 'well known RIDs' on NT */
433 DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
434 rid_offset = BASE_RID;
436 if (rid_offset & 1) {
437 DEBUG(0, ("algorithmic rid base must be even\n"));
443 /*******************************************************************
444 Converts NT user RID to a UNIX uid.
445 ********************************************************************/
447 uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
449 int rid_offset = algorithmic_rid_base();
450 return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
453 uid_t max_algorithmic_uid(void)
455 return algorithmic_pdb_user_rid_to_uid(0xfffffffe);
458 /*******************************************************************
459 converts UNIX uid to an NT User RID.
460 ********************************************************************/
462 uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
464 int rid_offset = algorithmic_rid_base();
465 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
468 /*******************************************************************
469 Converts NT group RID to a UNIX gid.
470 ********************************************************************/
472 gid_t pdb_group_rid_to_gid(uint32 group_rid)
474 int rid_offset = algorithmic_rid_base();
475 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
478 gid_t max_algorithmic_gid(void)
480 return pdb_group_rid_to_gid(0xffffffff);
483 /*******************************************************************
484 converts NT Group RID to a UNIX uid.
486 warning: you must not call that function only
487 you must do a call to the group mapping first.
488 there is not anymore a direct link between the gid and the rid.
489 ********************************************************************/
491 uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
493 int rid_offset = algorithmic_rid_base();
494 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
497 /*******************************************************************
498 Decides if a RID is a well known RID.
499 ********************************************************************/
501 static bool rid_is_well_known(uint32 rid)
503 /* Not using rid_offset here, because this is the actual
504 NT fixed value (1000) */
506 return (rid < BASE_RID);
509 /*******************************************************************
510 Decides if a RID is a user or group RID.
511 ********************************************************************/
513 bool algorithmic_pdb_rid_is_user(uint32 rid)
515 if ( rid_is_well_known(rid) ) {
517 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
518 * and DOMAIN_USER_RID_GUEST.
520 if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
522 } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
528 /*******************************************************************
529 Convert a name into a SID. Used in the lookup name rpc.
530 ********************************************************************/
532 bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
533 enum lsa_SidType *type)
538 /* Windows treats "MACHINE\None" as a special name for
539 rid 513 on non-DCs. You cannot create a user or group
540 name "None" on Windows. You will get an error that
541 the group already exists. */
543 if ( strequal( name, "None" ) ) {
544 *rid = DOMAIN_GROUP_RID_USERS;
545 *type = SID_NAME_DOM_GRP;
550 /* LOOKUP_NAME_GROUP is a hack to allow valid users = @foo to work
551 * correctly in the case where foo also exists as a user. If the flag
552 * is set, don't look for users at all. */
554 if ((flags & LOOKUP_NAME_GROUP) == 0) {
555 struct samu *sam_account = NULL;
558 if ( !(sam_account = samu_new( NULL )) ) {
563 ret = pdb_getsampwnam(sam_account, name);
567 sid_copy(&user_sid, pdb_get_user_sid(sam_account));
570 TALLOC_FREE(sam_account);
573 if (!sid_check_is_in_our_domain(&user_sid)) {
574 DEBUG(0, ("User %s with invalid SID %s in passdb\n",
575 name, sid_string_dbg(&user_sid)));
579 sid_peek_rid(&user_sid, rid);
580 *type = SID_NAME_USER;
586 * Maybe it is a group ?
590 ret = pdb_getgrnam(&map, name);
597 /* BUILTIN groups are looked up elsewhere */
598 if (!sid_check_is_in_our_domain(&map.sid)) {
599 DEBUG(10, ("Found group %s (%s) not in our domain -- "
600 "ignoring.", name, sid_string_dbg(&map.sid)));
604 /* yes it's a mapped group */
605 sid_peek_rid(&map.sid, rid);
606 *type = map.sid_name_use;
610 /*************************************************************
611 Change a password entry in the local smbpasswd file.
612 *************************************************************/
614 NTSTATUS local_password_change(const char *user_name,
616 const char *new_passwd,
620 struct samu *sam_pass=NULL;
627 /* Get the smb passwd entry for this user */
629 if ( !(sam_pass = samu_new( NULL )) ) {
630 return NT_STATUS_NO_MEMORY;
634 if(!pdb_getsampwnam(sam_pass, user_name)) {
636 TALLOC_FREE(sam_pass);
638 if ((local_flags & LOCAL_ADD_USER) || (local_flags & LOCAL_DELETE_USER)) {
639 int tmp_debug = DEBUGLEVEL;
642 /* Might not exist in /etc/passwd. */
648 if ( !(pwd = getpwnam_alloc(talloc_autofree_context(), user_name)) ) {
649 return NT_STATUS_NO_SUCH_USER;
652 /* create the struct samu and initialize the basic Unix properties */
654 if ( !(sam_pass = samu_new( NULL )) ) {
655 return NT_STATUS_NO_MEMORY;
658 result = samu_set_unix( sam_pass, pwd );
660 DEBUGLEVEL = tmp_debug;
664 if (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PRIMARY_GROUP)) {
668 if (!NT_STATUS_IS_OK(result)) {
669 if (asprintf(pp_err_str, "Failed to " "initialize account for user %s: %s\n",
670 user_name, nt_errstr(result)) < 0) {
676 if (asprintf(pp_err_str, "Failed to find entry for user %s.\n", user_name) < 0) {
679 return NT_STATUS_NO_SUCH_USER;
683 /* the entry already existed */
684 local_flags &= ~LOCAL_ADD_USER;
687 /* the 'other' acb bits not being changed here */
688 other_acb = (pdb_get_acct_ctrl(sam_pass) & (~(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
689 if (local_flags & LOCAL_TRUST_ACCOUNT) {
690 if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
691 if (asprintf(pp_err_str, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name) < 0) {
694 TALLOC_FREE(sam_pass);
695 return NT_STATUS_UNSUCCESSFUL;
697 } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
698 if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
699 if (asprintf(pp_err_str, "Failed to set 'domain trust account' flags for user %s.\n", user_name) < 0) {
702 TALLOC_FREE(sam_pass);
703 return NT_STATUS_UNSUCCESSFUL;
706 if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
707 if (asprintf(pp_err_str, "Failed to set 'normal account' flags for user %s.\n", user_name) < 0) {
710 TALLOC_FREE(sam_pass);
711 return NT_STATUS_UNSUCCESSFUL;
716 * We are root - just write the new password
717 * and the valid last change time.
720 if (local_flags & LOCAL_DISABLE_USER) {
721 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
722 if (asprintf(pp_err_str, "Failed to set 'disabled' flag for user %s.\n", user_name) < 0) {
725 TALLOC_FREE(sam_pass);
726 return NT_STATUS_UNSUCCESSFUL;
728 } else if (local_flags & LOCAL_ENABLE_USER) {
729 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
730 if (asprintf(pp_err_str, "Failed to unset 'disabled' flag for user %s.\n", user_name) < 0) {
733 TALLOC_FREE(sam_pass);
734 return NT_STATUS_UNSUCCESSFUL;
738 if (local_flags & LOCAL_SET_NO_PASSWORD) {
739 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
740 if (asprintf(pp_err_str, "Failed to set 'no password required' flag for user %s.\n", user_name) < 0) {
743 TALLOC_FREE(sam_pass);
744 return NT_STATUS_UNSUCCESSFUL;
746 } else if (local_flags & LOCAL_SET_PASSWORD) {
748 * If we're dealing with setting a completely empty user account
749 * ie. One with a password of 'XXXX', but not set disabled (like
750 * an account created from scratch) then if the old password was
751 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
752 * We remove that as we're giving this user their first password
753 * and the decision hasn't really been made to disable them (ie.
754 * don't create them disabled). JRA.
756 if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
757 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
758 if (asprintf(pp_err_str, "Failed to unset 'disabled' flag for user %s.\n", user_name) < 0) {
761 TALLOC_FREE(sam_pass);
762 return NT_STATUS_UNSUCCESSFUL;
765 if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
766 if (asprintf(pp_err_str, "Failed to unset 'no password required' flag for user %s.\n", user_name) < 0) {
769 TALLOC_FREE(sam_pass);
770 return NT_STATUS_UNSUCCESSFUL;
773 if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
774 if (asprintf(pp_err_str, "Failed to set password for user %s.\n", user_name) < 0) {
777 TALLOC_FREE(sam_pass);
778 return NT_STATUS_UNSUCCESSFUL;
782 if (local_flags & LOCAL_ADD_USER) {
783 if (NT_STATUS_IS_OK(pdb_add_sam_account(sam_pass))) {
784 if (asprintf(pp_msg_str, "Added user %s.\n", user_name) < 0) {
787 TALLOC_FREE(sam_pass);
790 if (asprintf(pp_err_str, "Failed to add entry for user %s.\n", user_name) < 0) {
793 TALLOC_FREE(sam_pass);
794 return NT_STATUS_UNSUCCESSFUL;
796 } else if (local_flags & LOCAL_DELETE_USER) {
797 if (!NT_STATUS_IS_OK(pdb_delete_sam_account(sam_pass))) {
798 if (asprintf(pp_err_str, "Failed to delete entry for user %s.\n", user_name) < 0) {
801 TALLOC_FREE(sam_pass);
802 return NT_STATUS_UNSUCCESSFUL;
804 if (asprintf(pp_msg_str, "Deleted user %s.\n", user_name) < 0) {
808 result = pdb_update_sam_account(sam_pass);
809 if(!NT_STATUS_IS_OK(result)) {
810 if (asprintf(pp_err_str, "Failed to modify entry for user %s.\n", user_name) < 0) {
813 TALLOC_FREE(sam_pass);
816 if(local_flags & LOCAL_DISABLE_USER) {
817 if (asprintf(pp_msg_str, "Disabled user %s.\n", user_name) < 0) {
820 } else if (local_flags & LOCAL_ENABLE_USER) {
821 if (asprintf(pp_msg_str, "Enabled user %s.\n", user_name) < 0) {
824 } else if (local_flags & LOCAL_SET_NO_PASSWORD) {
825 if (asprintf(pp_msg_str, "User %s password set to none.\n", user_name) < 0) {
831 TALLOC_FREE(sam_pass);
835 /**********************************************************************
836 Marshall/unmarshall struct samu structs.
837 *********************************************************************/
839 #define SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
840 #define SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
841 #define SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd"
842 #define SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd"
843 /* nothing changed between V3 and V4 */
845 /*********************************************************************
846 *********************************************************************/
848 static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 buflen)
851 /* times are stored as 32bit integer
852 take care on system with 64bit wide time_t
858 pass_can_change_time,
859 pass_must_change_time;
860 char *username = NULL;
862 char *nt_username = NULL;
863 char *dir_drive = NULL;
864 char *unknown_str = NULL;
865 char *munged_dial = NULL;
866 char *fullname = NULL;
867 char *homedir = NULL;
868 char *logon_script = NULL;
869 char *profile_path = NULL;
870 char *acct_desc = NULL;
871 char *workstations = NULL;
872 uint32 username_len, domain_len, nt_username_len,
873 dir_drive_len, unknown_str_len, munged_dial_len,
874 fullname_len, homedir_len, logon_script_len,
875 profile_path_len, acct_desc_len, workstations_len;
877 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
878 uint16 acct_ctrl, logon_divs;
879 uint16 bad_password_count, logon_count;
881 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
883 uint32 lm_pw_len, nt_pw_len, hourslen;
886 if(sampass == NULL || buf == NULL) {
887 DEBUG(0, ("init_samu_from_buffer_v0: NULL parameters found!\n"));
891 /* SAMU_BUFFER_FORMAT_V0 "ddddddBBBBBBBBBBBBddBBwdwdBwwd" */
893 /* unpack the buffer into variables */
894 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V0,
896 &logoff_time, /* d */
897 &kickoff_time, /* d */
898 &pass_last_set_time, /* d */
899 &pass_can_change_time, /* d */
900 &pass_must_change_time, /* d */
901 &username_len, &username, /* B */
902 &domain_len, &domain, /* B */
903 &nt_username_len, &nt_username, /* B */
904 &fullname_len, &fullname, /* B */
905 &homedir_len, &homedir, /* B */
906 &dir_drive_len, &dir_drive, /* B */
907 &logon_script_len, &logon_script, /* B */
908 &profile_path_len, &profile_path, /* B */
909 &acct_desc_len, &acct_desc, /* B */
910 &workstations_len, &workstations, /* B */
911 &unknown_str_len, &unknown_str, /* B */
912 &munged_dial_len, &munged_dial, /* B */
915 &lm_pw_len, &lm_pw_ptr, /* B */
916 &nt_pw_len, &nt_pw_ptr, /* B */
918 &remove_me, /* remove on the next TDB_FORMAT upgarde */ /* d */
921 &hourslen, &hours, /* B */
922 &bad_password_count, /* w */
923 &logon_count, /* w */
926 if (len == (uint32) -1) {
931 pdb_set_logon_time(sampass, logon_time, PDB_SET);
932 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
933 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
934 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
935 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
936 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
938 pdb_set_username(sampass, username, PDB_SET);
939 pdb_set_domain(sampass, domain, PDB_SET);
940 pdb_set_nt_username(sampass, nt_username, PDB_SET);
941 pdb_set_fullname(sampass, fullname, PDB_SET);
944 pdb_set_homedir(sampass, homedir, PDB_SET);
947 pdb_set_homedir(sampass,
948 talloc_sub_basic(sampass, username, domain,
954 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
956 pdb_set_dir_drive(sampass,
957 talloc_sub_basic(sampass, username, domain,
963 pdb_set_logon_script(sampass, logon_script, PDB_SET);
965 pdb_set_logon_script(sampass,
966 talloc_sub_basic(sampass, username, domain,
972 pdb_set_profile_path(sampass, profile_path, PDB_SET);
974 pdb_set_profile_path(sampass,
975 talloc_sub_basic(sampass, username, domain,
980 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
981 pdb_set_workstations(sampass, workstations, PDB_SET);
982 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
984 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
985 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
991 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
992 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
998 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
999 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1000 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1001 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1002 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1003 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1004 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1005 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1006 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1007 pdb_set_hours(sampass, hours, PDB_SET);
1011 SAFE_FREE(username);
1013 SAFE_FREE(nt_username);
1014 SAFE_FREE(fullname);
1016 SAFE_FREE(dir_drive);
1017 SAFE_FREE(logon_script);
1018 SAFE_FREE(profile_path);
1019 SAFE_FREE(acct_desc);
1020 SAFE_FREE(workstations);
1021 SAFE_FREE(munged_dial);
1022 SAFE_FREE(unknown_str);
1023 SAFE_FREE(lm_pw_ptr);
1024 SAFE_FREE(nt_pw_ptr);
1030 /*********************************************************************
1031 *********************************************************************/
1033 static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 buflen)
1036 /* times are stored as 32bit integer
1037 take care on system with 64bit wide time_t
1044 pass_can_change_time,
1045 pass_must_change_time;
1046 char *username = NULL;
1047 char *domain = NULL;
1048 char *nt_username = NULL;
1049 char *dir_drive = NULL;
1050 char *unknown_str = NULL;
1051 char *munged_dial = NULL;
1052 char *fullname = NULL;
1053 char *homedir = NULL;
1054 char *logon_script = NULL;
1055 char *profile_path = NULL;
1056 char *acct_desc = NULL;
1057 char *workstations = NULL;
1058 uint32 username_len, domain_len, nt_username_len,
1059 dir_drive_len, unknown_str_len, munged_dial_len,
1060 fullname_len, homedir_len, logon_script_len,
1061 profile_path_len, acct_desc_len, workstations_len;
1063 uint32 user_rid, group_rid, remove_me, hours_len, unknown_6;
1064 uint16 acct_ctrl, logon_divs;
1065 uint16 bad_password_count, logon_count;
1066 uint8 *hours = NULL;
1067 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
1069 uint32 lm_pw_len, nt_pw_len, hourslen;
1072 if(sampass == NULL || buf == NULL) {
1073 DEBUG(0, ("init_samu_from_buffer_v1: NULL parameters found!\n"));
1077 /* SAMU_BUFFER_FORMAT_V1 "dddddddBBBBBBBBBBBBddBBwdwdBwwd" */
1079 /* unpack the buffer into variables */
1080 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V1,
1081 &logon_time, /* d */
1082 &logoff_time, /* d */
1083 &kickoff_time, /* d */
1084 /* Change from V0 is addition of bad_password_time field. */
1085 &bad_password_time, /* d */
1086 &pass_last_set_time, /* d */
1087 &pass_can_change_time, /* d */
1088 &pass_must_change_time, /* d */
1089 &username_len, &username, /* B */
1090 &domain_len, &domain, /* B */
1091 &nt_username_len, &nt_username, /* B */
1092 &fullname_len, &fullname, /* B */
1093 &homedir_len, &homedir, /* B */
1094 &dir_drive_len, &dir_drive, /* B */
1095 &logon_script_len, &logon_script, /* B */
1096 &profile_path_len, &profile_path, /* B */
1097 &acct_desc_len, &acct_desc, /* B */
1098 &workstations_len, &workstations, /* B */
1099 &unknown_str_len, &unknown_str, /* B */
1100 &munged_dial_len, &munged_dial, /* B */
1103 &lm_pw_len, &lm_pw_ptr, /* B */
1104 &nt_pw_len, &nt_pw_ptr, /* B */
1107 &logon_divs, /* w */
1109 &hourslen, &hours, /* B */
1110 &bad_password_count, /* w */
1111 &logon_count, /* w */
1112 &unknown_6); /* d */
1114 if (len == (uint32) -1) {
1119 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1120 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1121 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1123 /* Change from V0 is addition of bad_password_time field. */
1124 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1125 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1126 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1127 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1129 pdb_set_username(sampass, username, PDB_SET);
1130 pdb_set_domain(sampass, domain, PDB_SET);
1131 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1132 pdb_set_fullname(sampass, fullname, PDB_SET);
1135 pdb_set_homedir(sampass, homedir, PDB_SET);
1138 pdb_set_homedir(sampass,
1139 talloc_sub_basic(sampass, username, domain,
1145 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1147 pdb_set_dir_drive(sampass,
1148 talloc_sub_basic(sampass, username, domain,
1154 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1156 pdb_set_logon_script(sampass,
1157 talloc_sub_basic(sampass, username, domain,
1163 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1165 pdb_set_profile_path(sampass,
1166 talloc_sub_basic(sampass, username, domain,
1171 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1172 pdb_set_workstations(sampass, workstations, PDB_SET);
1173 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1175 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1176 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1182 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1183 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1189 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1191 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1192 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1193 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1194 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1195 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1196 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1197 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1198 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1199 pdb_set_hours(sampass, hours, PDB_SET);
1203 SAFE_FREE(username);
1205 SAFE_FREE(nt_username);
1206 SAFE_FREE(fullname);
1208 SAFE_FREE(dir_drive);
1209 SAFE_FREE(logon_script);
1210 SAFE_FREE(profile_path);
1211 SAFE_FREE(acct_desc);
1212 SAFE_FREE(workstations);
1213 SAFE_FREE(munged_dial);
1214 SAFE_FREE(unknown_str);
1215 SAFE_FREE(lm_pw_ptr);
1216 SAFE_FREE(nt_pw_ptr);
1222 static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 buflen)
1225 /* times are stored as 32bit integer
1226 take care on system with 64bit wide time_t
1233 pass_can_change_time,
1234 pass_must_change_time;
1235 char *username = NULL;
1236 char *domain = NULL;
1237 char *nt_username = NULL;
1238 char *dir_drive = NULL;
1239 char *unknown_str = NULL;
1240 char *munged_dial = NULL;
1241 char *fullname = NULL;
1242 char *homedir = NULL;
1243 char *logon_script = NULL;
1244 char *profile_path = NULL;
1245 char *acct_desc = NULL;
1246 char *workstations = NULL;
1247 uint32 username_len, domain_len, nt_username_len,
1248 dir_drive_len, unknown_str_len, munged_dial_len,
1249 fullname_len, homedir_len, logon_script_len,
1250 profile_path_len, acct_desc_len, workstations_len;
1252 uint32 user_rid, group_rid, hours_len, unknown_6;
1253 uint16 acct_ctrl, logon_divs;
1254 uint16 bad_password_count, logon_count;
1255 uint8 *hours = NULL;
1256 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1258 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1259 uint32 pwHistLen = 0;
1262 bool expand_explicit = lp_passdb_expand_explicit();
1264 if(sampass == NULL || buf == NULL) {
1265 DEBUG(0, ("init_samu_from_buffer_v2: NULL parameters found!\n"));
1269 /* SAMU_BUFFER_FORMAT_V2 "dddddddBBBBBBBBBBBBddBBBwwdBwwd" */
1271 /* unpack the buffer into variables */
1272 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V2,
1273 &logon_time, /* d */
1274 &logoff_time, /* d */
1275 &kickoff_time, /* d */
1276 &bad_password_time, /* d */
1277 &pass_last_set_time, /* d */
1278 &pass_can_change_time, /* d */
1279 &pass_must_change_time, /* d */
1280 &username_len, &username, /* B */
1281 &domain_len, &domain, /* B */
1282 &nt_username_len, &nt_username, /* B */
1283 &fullname_len, &fullname, /* B */
1284 &homedir_len, &homedir, /* B */
1285 &dir_drive_len, &dir_drive, /* B */
1286 &logon_script_len, &logon_script, /* B */
1287 &profile_path_len, &profile_path, /* B */
1288 &acct_desc_len, &acct_desc, /* B */
1289 &workstations_len, &workstations, /* B */
1290 &unknown_str_len, &unknown_str, /* B */
1291 &munged_dial_len, &munged_dial, /* B */
1294 &lm_pw_len, &lm_pw_ptr, /* B */
1295 &nt_pw_len, &nt_pw_ptr, /* B */
1296 /* Change from V1 is addition of password history field. */
1297 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1299 /* Also "remove_me" field was removed. */
1300 &logon_divs, /* w */
1302 &hourslen, &hours, /* B */
1303 &bad_password_count, /* w */
1304 &logon_count, /* w */
1305 &unknown_6); /* d */
1307 if (len == (uint32) -1) {
1312 pdb_set_logon_time(sampass, logon_time, PDB_SET);
1313 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
1314 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1315 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1316 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1317 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1318 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
1320 pdb_set_username(sampass, username, PDB_SET);
1321 pdb_set_domain(sampass, domain, PDB_SET);
1322 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1323 pdb_set_fullname(sampass, fullname, PDB_SET);
1326 fstrcpy( tmp_string, homedir );
1327 if (expand_explicit) {
1328 standard_sub_basic( username, domain, tmp_string,
1329 sizeof(tmp_string) );
1331 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1334 pdb_set_homedir(sampass,
1335 talloc_sub_basic(sampass, username, domain,
1341 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1343 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1346 fstrcpy( tmp_string, logon_script );
1347 if (expand_explicit) {
1348 standard_sub_basic( username, domain, tmp_string,
1349 sizeof(tmp_string) );
1351 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1354 pdb_set_logon_script(sampass,
1355 talloc_sub_basic(sampass, username, domain,
1361 fstrcpy( tmp_string, profile_path );
1362 if (expand_explicit) {
1363 standard_sub_basic( username, domain, tmp_string,
1364 sizeof(tmp_string) );
1366 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1369 pdb_set_profile_path(sampass,
1370 talloc_sub_basic(sampass, username, domain,
1375 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1376 pdb_set_workstations(sampass, workstations, PDB_SET);
1377 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1379 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1380 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1386 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1387 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1393 /* Change from V1 is addition of password history field. */
1394 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1396 uint8 *pw_hist = SMB_MALLOC_ARRAY(uint8, pwHistLen * PW_HISTORY_ENTRY_LEN);
1401 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1402 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1404 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1405 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1406 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1407 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1408 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1409 PW_HISTORY_ENTRY_LEN);
1412 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1419 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1422 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1423 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
1424 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1425 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1426 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1427 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1428 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1429 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1430 pdb_set_hours(sampass, hours, PDB_SET);
1434 SAFE_FREE(username);
1436 SAFE_FREE(nt_username);
1437 SAFE_FREE(fullname);
1439 SAFE_FREE(dir_drive);
1440 SAFE_FREE(logon_script);
1441 SAFE_FREE(profile_path);
1442 SAFE_FREE(acct_desc);
1443 SAFE_FREE(workstations);
1444 SAFE_FREE(munged_dial);
1445 SAFE_FREE(unknown_str);
1446 SAFE_FREE(lm_pw_ptr);
1447 SAFE_FREE(nt_pw_ptr);
1448 SAFE_FREE(nt_pw_hist_ptr);
1454 /*********************************************************************
1455 *********************************************************************/
1457 static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
1460 /* times are stored as 32bit integer
1461 take care on system with 64bit wide time_t
1468 pass_can_change_time,
1469 pass_must_change_time;
1470 char *username = NULL;
1471 char *domain = NULL;
1472 char *nt_username = NULL;
1473 char *dir_drive = NULL;
1474 char *unknown_str = NULL;
1475 char *munged_dial = NULL;
1476 char *fullname = NULL;
1477 char *homedir = NULL;
1478 char *logon_script = NULL;
1479 char *profile_path = NULL;
1480 char *acct_desc = NULL;
1481 char *workstations = NULL;
1482 uint32 username_len, domain_len, nt_username_len,
1483 dir_drive_len, unknown_str_len, munged_dial_len,
1484 fullname_len, homedir_len, logon_script_len,
1485 profile_path_len, acct_desc_len, workstations_len;
1487 uint32 user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
1489 uint16 bad_password_count, logon_count;
1490 uint8 *hours = NULL;
1491 uint8 *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
1493 uint32 lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
1494 uint32 pwHistLen = 0;
1497 bool expand_explicit = lp_passdb_expand_explicit();
1499 if(sampass == NULL || buf == NULL) {
1500 DEBUG(0, ("init_samu_from_buffer_v3: NULL parameters found!\n"));
1504 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1506 /* unpack the buffer into variables */
1507 len = tdb_unpack (buf, buflen, SAMU_BUFFER_FORMAT_V3,
1508 &logon_time, /* d */
1509 &logoff_time, /* d */
1510 &kickoff_time, /* d */
1511 &bad_password_time, /* d */
1512 &pass_last_set_time, /* d */
1513 &pass_can_change_time, /* d */
1514 &pass_must_change_time, /* d */
1515 &username_len, &username, /* B */
1516 &domain_len, &domain, /* B */
1517 &nt_username_len, &nt_username, /* B */
1518 &fullname_len, &fullname, /* B */
1519 &homedir_len, &homedir, /* B */
1520 &dir_drive_len, &dir_drive, /* B */
1521 &logon_script_len, &logon_script, /* B */
1522 &profile_path_len, &profile_path, /* B */
1523 &acct_desc_len, &acct_desc, /* B */
1524 &workstations_len, &workstations, /* B */
1525 &unknown_str_len, &unknown_str, /* B */
1526 &munged_dial_len, &munged_dial, /* B */
1529 &lm_pw_len, &lm_pw_ptr, /* B */
1530 &nt_pw_len, &nt_pw_ptr, /* B */
1531 /* Change from V1 is addition of password history field. */
1532 &nt_pw_hist_len, &nt_pw_hist_ptr, /* B */
1533 /* Change from V2 is the uint32 acb_mask */
1535 /* Also "remove_me" field was removed. */
1536 &logon_divs, /* w */
1538 &hourslen, &hours, /* B */
1539 &bad_password_count, /* w */
1540 &logon_count, /* w */
1541 &unknown_6); /* d */
1543 if (len == (uint32) -1) {
1548 pdb_set_logon_time(sampass, convert_uint32_to_time_t(logon_time), PDB_SET);
1549 pdb_set_logoff_time(sampass, convert_uint32_to_time_t(logoff_time), PDB_SET);
1550 pdb_set_kickoff_time(sampass, convert_uint32_to_time_t(kickoff_time), PDB_SET);
1551 pdb_set_bad_password_time(sampass, convert_uint32_to_time_t(bad_password_time), PDB_SET);
1552 pdb_set_pass_can_change_time(sampass, convert_uint32_to_time_t(pass_can_change_time), PDB_SET);
1553 pdb_set_pass_must_change_time(sampass, convert_uint32_to_time_t(pass_must_change_time), PDB_SET);
1554 pdb_set_pass_last_set_time(sampass, convert_uint32_to_time_t(pass_last_set_time), PDB_SET);
1556 pdb_set_username(sampass, username, PDB_SET);
1557 pdb_set_domain(sampass, domain, PDB_SET);
1558 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1559 pdb_set_fullname(sampass, fullname, PDB_SET);
1562 fstrcpy( tmp_string, homedir );
1563 if (expand_explicit) {
1564 standard_sub_basic( username, domain, tmp_string,
1565 sizeof(tmp_string) );
1567 pdb_set_homedir(sampass, tmp_string, PDB_SET);
1570 pdb_set_homedir(sampass,
1571 talloc_sub_basic(sampass, username, domain,
1577 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1579 pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
1582 fstrcpy( tmp_string, logon_script );
1583 if (expand_explicit) {
1584 standard_sub_basic( username, domain, tmp_string,
1585 sizeof(tmp_string) );
1587 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
1590 pdb_set_logon_script(sampass,
1591 talloc_sub_basic(sampass, username, domain,
1597 fstrcpy( tmp_string, profile_path );
1598 if (expand_explicit) {
1599 standard_sub_basic( username, domain, tmp_string,
1600 sizeof(tmp_string) );
1602 pdb_set_profile_path(sampass, tmp_string, PDB_SET);
1605 pdb_set_profile_path(sampass,
1606 talloc_sub_basic(sampass, username, domain, lp_logon_path()),
1610 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1611 pdb_set_workstations(sampass, workstations, PDB_SET);
1612 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1614 if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
1615 if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
1621 if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
1622 if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
1628 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1630 uint8 *pw_hist = (uint8 *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
1635 memset(pw_hist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
1636 if (nt_pw_hist_ptr && nt_pw_hist_len) {
1638 SMB_ASSERT((nt_pw_hist_len % PW_HISTORY_ENTRY_LEN) == 0);
1639 nt_pw_hist_len /= PW_HISTORY_ENTRY_LEN;
1640 for (i = 0; (i < pwHistLen) && (i < nt_pw_hist_len); i++) {
1641 memcpy(&pw_hist[i*PW_HISTORY_ENTRY_LEN],
1642 &nt_pw_hist_ptr[i*PW_HISTORY_ENTRY_LEN],
1643 PW_HISTORY_ENTRY_LEN);
1646 if (!pdb_set_pw_history(sampass, pw_hist, pwHistLen, PDB_SET)) {
1653 pdb_set_pw_history(sampass, NULL, 0, PDB_SET);
1656 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1657 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1658 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
1659 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1660 pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
1661 /* Change from V2 is the uint32 acct_ctrl */
1662 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1663 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1664 pdb_set_hours(sampass, hours, PDB_SET);
1668 SAFE_FREE(username);
1670 SAFE_FREE(nt_username);
1671 SAFE_FREE(fullname);
1673 SAFE_FREE(dir_drive);
1674 SAFE_FREE(logon_script);
1675 SAFE_FREE(profile_path);
1676 SAFE_FREE(acct_desc);
1677 SAFE_FREE(workstations);
1678 SAFE_FREE(munged_dial);
1679 SAFE_FREE(unknown_str);
1680 SAFE_FREE(lm_pw_ptr);
1681 SAFE_FREE(nt_pw_ptr);
1682 SAFE_FREE(nt_pw_hist_ptr);
1688 /*********************************************************************
1689 *********************************************************************/
1691 static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool size_only)
1695 /* times are stored as 32bit integer
1696 take care on system with 64bit wide time_t
1703 pass_can_change_time,
1704 pass_must_change_time;
1706 uint32 user_rid, group_rid;
1708 const char *username;
1710 const char *nt_username;
1711 const char *dir_drive;
1712 const char *unknown_str;
1713 const char *munged_dial;
1714 const char *fullname;
1715 const char *homedir;
1716 const char *logon_script;
1717 const char *profile_path;
1718 const char *acct_desc;
1719 const char *workstations;
1720 uint32 username_len, domain_len, nt_username_len,
1721 dir_drive_len, unknown_str_len, munged_dial_len,
1722 fullname_len, homedir_len, logon_script_len,
1723 profile_path_len, acct_desc_len, workstations_len;
1727 const uint8 *nt_pw_hist;
1728 uint32 lm_pw_len = 16;
1729 uint32 nt_pw_len = 16;
1730 uint32 nt_pw_hist_len;
1731 uint32 pwHistLen = 0;
1736 logon_time = convert_time_t_to_uint32(pdb_get_logon_time(sampass));
1737 logoff_time = convert_time_t_to_uint32(pdb_get_logoff_time(sampass));
1738 kickoff_time = convert_time_t_to_uint32(pdb_get_kickoff_time(sampass));
1739 bad_password_time = convert_time_t_to_uint32(pdb_get_bad_password_time(sampass));
1740 pass_can_change_time = convert_time_t_to_uint32(pdb_get_pass_can_change_time_noncalc(sampass));
1741 pass_must_change_time = convert_time_t_to_uint32(pdb_get_pass_must_change_time(sampass));
1742 pass_last_set_time = convert_time_t_to_uint32(pdb_get_pass_last_set_time(sampass));
1744 user_rid = pdb_get_user_rid(sampass);
1745 group_rid = pdb_get_group_rid(sampass);
1747 username = pdb_get_username(sampass);
1749 username_len = strlen(username) +1;
1754 domain = pdb_get_domain(sampass);
1756 domain_len = strlen(domain) +1;
1761 nt_username = pdb_get_nt_username(sampass);
1763 nt_username_len = strlen(nt_username) +1;
1765 nt_username_len = 0;
1768 fullname = pdb_get_fullname(sampass);
1770 fullname_len = strlen(fullname) +1;
1776 * Only updates fields which have been set (not defaults from smb.conf)
1779 if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE)) {
1780 dir_drive = pdb_get_dir_drive(sampass);
1785 dir_drive_len = strlen(dir_drive) +1;
1790 if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) {
1791 homedir = pdb_get_homedir(sampass);
1796 homedir_len = strlen(homedir) +1;
1801 if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) {
1802 logon_script = pdb_get_logon_script(sampass);
1804 logon_script = NULL;
1807 logon_script_len = strlen(logon_script) +1;
1809 logon_script_len = 0;
1812 if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) {
1813 profile_path = pdb_get_profile_path(sampass);
1815 profile_path = NULL;
1818 profile_path_len = strlen(profile_path) +1;
1820 profile_path_len = 0;
1823 lm_pw = pdb_get_lanman_passwd(sampass);
1828 nt_pw = pdb_get_nt_passwd(sampass);
1833 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1834 nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
1835 if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
1836 nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
1841 acct_desc = pdb_get_acct_desc(sampass);
1843 acct_desc_len = strlen(acct_desc) +1;
1848 workstations = pdb_get_workstations(sampass);
1850 workstations_len = strlen(workstations) +1;
1852 workstations_len = 0;
1856 unknown_str_len = 0;
1858 munged_dial = pdb_get_munged_dial(sampass);
1860 munged_dial_len = strlen(munged_dial) +1;
1862 munged_dial_len = 0;
1865 /* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
1867 /* one time to get the size needed */
1868 len = tdb_pack(NULL, 0, SAMU_BUFFER_FORMAT_V3,
1870 logoff_time, /* d */
1871 kickoff_time, /* d */
1872 bad_password_time, /* d */
1873 pass_last_set_time, /* d */
1874 pass_can_change_time, /* d */
1875 pass_must_change_time, /* d */
1876 username_len, username, /* B */
1877 domain_len, domain, /* B */
1878 nt_username_len, nt_username, /* B */
1879 fullname_len, fullname, /* B */
1880 homedir_len, homedir, /* B */
1881 dir_drive_len, dir_drive, /* B */
1882 logon_script_len, logon_script, /* B */
1883 profile_path_len, profile_path, /* B */
1884 acct_desc_len, acct_desc, /* B */
1885 workstations_len, workstations, /* B */
1886 unknown_str_len, unknown_str, /* B */
1887 munged_dial_len, munged_dial, /* B */
1890 lm_pw_len, lm_pw, /* B */
1891 nt_pw_len, nt_pw, /* B */
1892 nt_pw_hist_len, nt_pw_hist, /* B */
1893 pdb_get_acct_ctrl(sampass), /* d */
1894 pdb_get_logon_divs(sampass), /* w */
1895 pdb_get_hours_len(sampass), /* d */
1896 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1897 pdb_get_bad_password_count(sampass), /* w */
1898 pdb_get_logon_count(sampass), /* w */
1899 pdb_get_unknown_6(sampass)); /* d */
1905 /* malloc the space needed */
1906 if ( (*buf=(uint8*)SMB_MALLOC(len)) == NULL) {
1907 DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
1911 /* now for the real call to tdb_pack() */
1912 buflen = tdb_pack(*buf, len, SAMU_BUFFER_FORMAT_V3,
1914 logoff_time, /* d */
1915 kickoff_time, /* d */
1916 bad_password_time, /* d */
1917 pass_last_set_time, /* d */
1918 pass_can_change_time, /* d */
1919 pass_must_change_time, /* d */
1920 username_len, username, /* B */
1921 domain_len, domain, /* B */
1922 nt_username_len, nt_username, /* B */
1923 fullname_len, fullname, /* B */
1924 homedir_len, homedir, /* B */
1925 dir_drive_len, dir_drive, /* B */
1926 logon_script_len, logon_script, /* B */
1927 profile_path_len, profile_path, /* B */
1928 acct_desc_len, acct_desc, /* B */
1929 workstations_len, workstations, /* B */
1930 unknown_str_len, unknown_str, /* B */
1931 munged_dial_len, munged_dial, /* B */
1934 lm_pw_len, lm_pw, /* B */
1935 nt_pw_len, nt_pw, /* B */
1936 nt_pw_hist_len, nt_pw_hist, /* B */
1937 pdb_get_acct_ctrl(sampass), /* d */
1938 pdb_get_logon_divs(sampass), /* w */
1939 pdb_get_hours_len(sampass), /* d */
1940 MAX_HOURS_LEN, pdb_get_hours(sampass), /* B */
1941 pdb_get_bad_password_count(sampass), /* w */
1942 pdb_get_logon_count(sampass), /* w */
1943 pdb_get_unknown_6(sampass)); /* d */
1945 /* check to make sure we got it correct */
1946 if (buflen != len) {
1947 DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
1948 (unsigned long)buflen, (unsigned long)len));
1957 static bool init_samu_from_buffer_v4(struct samu *sampass, uint8 *buf, uint32 buflen)
1959 /* nothing changed between V3 and V4 */
1960 return init_samu_from_buffer_v3(sampass, buf, buflen);
1963 static uint32 init_buffer_from_samu_v4(uint8 **buf, struct samu *sampass, bool size_only)
1965 /* nothing changed between V3 and V4 */
1966 return init_buffer_from_samu_v3(buf, sampass, size_only);
1969 /**********************************************************************
1970 Intialize a struct samu struct from a BYTE buffer of size len
1971 *********************************************************************/
1973 bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
1974 uint8 *buf, uint32 buflen)
1977 case SAMU_BUFFER_V0:
1978 return init_samu_from_buffer_v0(sampass, buf, buflen);
1979 case SAMU_BUFFER_V1:
1980 return init_samu_from_buffer_v1(sampass, buf, buflen);
1981 case SAMU_BUFFER_V2:
1982 return init_samu_from_buffer_v2(sampass, buf, buflen);
1983 case SAMU_BUFFER_V3:
1984 return init_samu_from_buffer_v3(sampass, buf, buflen);
1985 case SAMU_BUFFER_V4:
1986 return init_samu_from_buffer_v4(sampass, buf, buflen);
1992 /**********************************************************************
1993 Intialize a BYTE buffer from a struct samu struct
1994 *********************************************************************/
1996 uint32 init_buffer_from_samu (uint8 **buf, struct samu *sampass, bool size_only)
1998 return init_buffer_from_samu_v4(buf, sampass, size_only);
2001 /*********************************************************************
2002 *********************************************************************/
2004 bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
2009 len = init_buffer_from_samu(&buf, src, False);
2010 if (len == -1 || !buf) {
2015 if (!init_samu_from_buffer( dst, SAMU_BUFFER_LATEST, buf, len )) {
2020 dst->methods = src->methods;
2022 if ( src->unix_pw ) {
2023 dst->unix_pw = tcopy_passwd( dst, src->unix_pw );
2024 if (!dst->unix_pw) {
2034 /*********************************************************************
2035 Update the bad password count checking the AP_RESET_COUNT_TIME
2036 *********************************************************************/
2038 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
2040 time_t LastBadPassword;
2041 uint16 BadPasswordCount;
2045 BadPasswordCount = pdb_get_bad_password_count(sampass);
2046 if (!BadPasswordCount) {
2047 DEBUG(9, ("No bad password attempts.\n"));
2052 res = pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime);
2056 DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
2060 /* First, check if there is a reset time to compare */
2061 if ((resettime == (uint32) -1) || (resettime == 0)) {
2062 DEBUG(9, ("No reset time, can't reset bad pw count\n"));
2066 LastBadPassword = pdb_get_bad_password_time(sampass);
2067 DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
2068 (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
2069 if (time(NULL) > (LastBadPassword + convert_uint32_to_time_t(resettime)*60)){
2070 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2071 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2080 /*********************************************************************
2081 Update the ACB_AUTOLOCK flag checking the AP_LOCK_ACCOUNT_DURATION
2082 *********************************************************************/
2084 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
2087 time_t LastBadPassword;
2090 if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
2091 DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
2092 pdb_get_username(sampass)));
2097 res = pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration);
2101 DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
2105 /* First, check if there is a duration to compare */
2106 if ((duration == (uint32) -1) || (duration == 0)) {
2107 DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
2111 LastBadPassword = pdb_get_bad_password_time(sampass);
2112 DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
2113 pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
2115 if (LastBadPassword == (time_t)0) {
2116 DEBUG(1,("pdb_update_autolock_flag: Account %s "
2117 "administratively locked out with no bad password "
2118 "time. Leaving locked out.\n",
2119 pdb_get_username(sampass) ));
2123 if ((time(NULL) > (LastBadPassword + convert_uint32_to_time_t(duration) * 60))) {
2124 pdb_set_acct_ctrl(sampass,
2125 pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
2127 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
2128 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
2137 /*********************************************************************
2138 Increment the bad_password_count
2139 *********************************************************************/
2141 bool pdb_increment_bad_password_count(struct samu *sampass)
2143 uint32 account_policy_lockout;
2144 bool autolock_updated = False, badpw_updated = False;
2147 /* Retrieve the account lockout policy */
2149 ret = pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout);
2152 DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
2156 /* If there is no policy, we don't need to continue checking */
2157 if (!account_policy_lockout) {
2158 DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
2162 /* Check if the autolock needs to be cleared */
2163 if (!pdb_update_autolock_flag(sampass, &autolock_updated))
2166 /* Check if the badpw count needs to be reset */
2167 if (!pdb_update_bad_password_count(sampass, &badpw_updated))
2171 Ok, now we can assume that any resetting that needs to be
2172 done has been done, and just get on with incrementing
2173 and autolocking if necessary
2176 pdb_set_bad_password_count(sampass,
2177 pdb_get_bad_password_count(sampass)+1,
2179 pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
2182 if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
2185 if (!pdb_set_acct_ctrl(sampass,
2186 pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
2188 DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
2195 bool is_dc_trusted_domain_situation(const char *domain_name)
2197 return IS_DC && !strequal(domain_name, lp_workgroup());
2200 /*******************************************************************
2201 Wrapper around retrieving the clear text trust account password.
2202 appropriate account name is stored in account_name.
2203 Caller must free password, but not account_name.
2204 *******************************************************************/
2206 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
2207 const char **account_name, uint32 *channel)
2210 time_t last_set_time;
2212 /* if we are a DC and this is not our domain, then lookup an account
2213 * for the domain trust */
2215 if (is_dc_trusted_domain_situation(domain)) {
2216 if (!lp_allow_trusted_domains()) {
2220 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
2223 DEBUG(0, ("get_trust_pw: could not fetch trust "
2224 "account password for trusted domain %s\n",
2229 if (channel != NULL) {
2230 *channel = SEC_CHAN_DOMAIN;
2233 if (account_name != NULL) {
2234 *account_name = lp_workgroup();
2241 * Since we can only be member of one single domain, we are now
2242 * in a member situation:
2244 * - Either we are a DC (selfjoined) and the domain is our
2246 * - Or we are on a member and the domain is our own or some
2247 * other (potentially trusted) domain.
2249 * In both cases, we can only get the machine account password
2250 * for our own domain to connect to our own dc. (For a member,
2251 * request to trusted domains are performed through our dc.)
2253 * So we simply use our own domain name to retrieve the
2254 * machine account passowrd and ignore the request domain here.
2257 pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
2261 if (account_name != NULL) {
2262 *account_name = global_myname();
2268 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
2269 "account password for domain %s\n", domain));
2273 /*******************************************************************
2274 Wrapper around retrieving the trust account password.
2275 appropriate account name is stored in account_name.
2276 *******************************************************************/
2278 bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
2279 const char **account_name, uint32 *channel)
2282 time_t last_set_time;
2284 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
2285 E_md4hash(pwd, ret_pwd);
2288 } else if (is_dc_trusted_domain_situation(domain)) {
2292 /* as a fallback, try to get the hashed pwd directly from the tdb... */
2294 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
2298 if (account_name != NULL) {
2299 *account_name = global_myname();
2305 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
2306 "password for domain %s\n", domain));
2310 struct samr_LogonHours get_logon_hours_from_pdb(TALLOC_CTX *mem_ctx,
2313 struct samr_LogonHours hours;
2314 const int units_per_week = 168;
2317 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
2322 hours.units_per_week = units_per_week;
2323 memset(hours.bits, 0xFF, units_per_week);
2325 if (pdb_get_hours(pw)) {
2326 memcpy(hours.bits, pdb_get_hours(pw),
2327 MIN(pdb_get_hours_len(pw), units_per_week));