2
* Unix SMB/CIFS implementation.
3
* account policy storage
4
* Copyright (C) Jean Fran�ois Micouleau 1998-2001.
5
* Copyright (C) Andrew Bartlett 2002
6
* Copyright (C) Guenther Deschner 2004-2005
8
* This program is free software; you can redistribute it and/or modify
9
* it under the terms of the GNU General Public License as published by
10
* the Free Software Foundation; either version 2 of the License, or
11
* (at your option) any later version.
13
* This program is distributed in the hope that it will be useful,
14
* but WITHOUT ANY WARRANTY; without even the implied warranty of
15
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
* GNU General Public License for more details.
18
* You should have received a copy of the GNU General Public License
19
* along with this program; if not, write to the Free Software
20
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24
static TDB_CONTEXT *tdb;
26
/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
27
* after this period if admins do not use pdbedit or usermanager but manipulate
28
* ldap directly) - gd */
30
#define DATABASE_VERSION 3
31
#define AP_LASTSET "LAST_CACHE_UPDATE"
39
const char *description;
40
const char *ldap_attr;
43
static const struct ap_table account_policy_names[] = {
44
{AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
45
"Minimal password length (default: 5)",
46
"sambaMinPwdLength" },
48
{AP_PASSWORD_HISTORY, "password history", 0,
49
"Length of Password History Entries (default: 0 => off)",
50
"sambaPwdHistoryLength" },
52
{AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
53
"Force Users to logon for password change (default: 0 => off, 2 => on)",
54
"sambaLogonToChgPwd" },
56
{AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
57
"Maximum password age, in seconds (default: -1 => never expire passwords)",
60
{AP_MIN_PASSWORD_AGE,"minimum password age", 0,
61
"Minimal password age, in seconds (default: 0 => allow immediate password change)",
64
{AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
65
"Lockout duration in minutes (default: 30, -1 => forever)",
66
"sambaLockoutDuration" },
68
{AP_RESET_COUNT_TIME, "reset count minutes", 30,
69
"Reset time after lockout in minutes (default: 30)",
70
"sambaLockoutObservationWindow" },
72
{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
73
"Lockout users after bad logon attempts (default: 0 => off)",
74
"sambaLockoutThreshold" },
76
{AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
77
"Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
80
{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
81
"Allow Machine Password changes (default: 0 => off)",
82
"sambaRefuseMachinePwdChange" },
84
{0, NULL, 0, "", NULL}
87
char *account_policy_names_list(void)
93
for (i=0; account_policy_names[i].string; i++) {
94
len += strlen(account_policy_names[i].string) + 1;
102
for (i=0; account_policy_names[i].string; i++) {
103
memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1);
104
p[strlen(account_policy_names[i].string)] = '\n';
105
p += strlen(account_policy_names[i].string) + 1;
111
/****************************************************************************
112
Get the account policy name as a string from its #define'ed number
113
****************************************************************************/
115
const char *decode_account_policy_name(int field)
118
for (i=0; account_policy_names[i].string; i++) {
119
if (field == account_policy_names[i].field) {
120
return account_policy_names[i].string;
126
/****************************************************************************
127
Get the account policy LDAP attribute as a string from its #define'ed number
128
****************************************************************************/
130
const char *get_account_policy_attr(int field)
133
for (i=0; account_policy_names[i].field; i++) {
134
if (field == account_policy_names[i].field) {
135
return account_policy_names[i].ldap_attr;
141
/****************************************************************************
142
Get the account policy description as a string from its #define'ed number
143
****************************************************************************/
145
const char *account_policy_get_desc(int field)
148
for (i=0; account_policy_names[i].string; i++) {
149
if (field == account_policy_names[i].field) {
150
return account_policy_names[i].description;
156
/****************************************************************************
157
Get the account policy name as a string from its #define'ed number
158
****************************************************************************/
160
int account_policy_name_to_fieldnum(const char *name)
163
for (i=0; account_policy_names[i].string; i++) {
164
if (strcmp(name, account_policy_names[i].string) == 0) {
165
return account_policy_names[i].field;
171
/*****************************************************************************
172
Update LAST-Set counter inside the cache
173
*****************************************************************************/
175
static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update,
185
slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET);
187
if (!init_account_policy()) {
191
if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
192
DEBUG(10,("failed to get last set timestamp of cache\n"));
198
DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
204
if (!tdb_store_uint32(tdb, key, (uint32)now)) {
205
DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
208
DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
215
/*****************************************************************************
216
Get default value for account policy
217
*****************************************************************************/
219
BOOL account_policy_get_default(int account_policy, uint32 *val)
222
for (i=0; account_policy_names[i].field; i++) {
223
if (account_policy_names[i].field == account_policy) {
224
*val = account_policy_names[i].default_val;
228
DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
233
/*****************************************************************************
234
Set default for a field if it is empty
235
*****************************************************************************/
237
static BOOL account_policy_set_default_on_empty(int account_policy)
242
if (!account_policy_get(account_policy, &value) &&
243
!account_policy_get_default(account_policy, &value)) {
247
return account_policy_set(account_policy, value);
250
/*****************************************************************************
251
Open the account policy tdb.
252
***`*************************************************************************/
254
BOOL init_account_policy(void)
257
const char *vstring = "INFO/version";
265
tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600);
266
if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */
267
tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
269
DEBUG(0,("Failed to open account policy database\n"));
272
/* creation was successful */
273
/* add AP_MIGRATED_TO_PASSDB speacial key */
274
/* so that you do not need to migrate policies */
275
/* on brand new servers as it does not make sense */
276
account_policy_migrated(True);
279
/* handle a Samba upgrade */
280
tdb_lock_bystring(tdb, vstring);
281
if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
283
tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
285
for (i=0; account_policy_names[i].field; i++) {
287
if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
288
DEBUG(0,("failed to set default value in account policy tdb\n"));
294
tdb_unlock_bystring(tdb, vstring);
296
/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
298
privilege_create_account( &global_sid_World );
299
privilege_create_account( &global_sid_Builtin_Account_Operators );
300
privilege_create_account( &global_sid_Builtin_Server_Operators );
301
privilege_create_account( &global_sid_Builtin_Print_Operators );
302
privilege_create_account( &global_sid_Builtin_Backup_Operators );
304
/* BUILTIN\Administrators get everything -- *always* */
306
if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
307
DEBUG(0,("init_account_policy: Failed to grant privileges to BUILTIN\\Administrators!\n"));
313
/*****************************************************************************
314
Get an account policy (from tdb)
315
*****************************************************************************/
317
BOOL account_policy_get(int field, uint32 *value)
322
if (!init_account_policy()) {
330
fstrcpy(name, decode_account_policy_name(field));
332
DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
336
if (!tdb_fetch_uint32(tdb, name, ®val)) {
337
DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
345
DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
350
/****************************************************************************
351
Set an account policy (in tdb)
352
****************************************************************************/
354
BOOL account_policy_set(int field, uint32 value)
358
if (!init_account_policy()) {
362
fstrcpy(name, decode_account_policy_name(field));
364
DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
368
if (!tdb_store_uint32(tdb, name, value)) {
369
DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
373
DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
378
/****************************************************************************
379
Set an account policy in the cache
380
****************************************************************************/
382
BOOL cache_account_policy_set(int field, uint32 value)
385
const char *policy_name = NULL;
387
policy_name = decode_account_policy_name(field);
388
if (policy_name == NULL) {
389
DEBUG(0,("cache_account_policy_set: no policy found\n"));
393
DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
395
if (!account_policy_set(field, value)) {
399
if (!account_policy_cache_timestamp(&lastset, True, policy_name))
401
DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
405
DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
410
/*****************************************************************************
411
Check whether account policies have been migrated to passdb
412
*****************************************************************************/
414
BOOL account_policy_migrated(BOOL init)
420
slprintf(key, sizeof(key)-1, "AP_MIGRATED_TO_PASSDB");
422
if (!init_account_policy()) {
429
if (!tdb_store_uint32(tdb, key, (uint32)now)) {
430
DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
437
if (!tdb_fetch_uint32(tdb, key, &val)) {
444
/*****************************************************************************
445
Remove marker that informs that account policies have been migrated to passdb
446
*****************************************************************************/
448
BOOL remove_account_policy_migrated(void)
450
if (!init_account_policy()) {
454
return tdb_delete_bystring(tdb, "AP_MIGRATED_TO_PASSDB");
458
/*****************************************************************************
459
Get an account policy from the cache
460
*****************************************************************************/
462
BOOL cache_account_policy_get(int field, uint32 *value)
466
if (!account_policy_cache_timestamp(&lastset, False,
467
decode_account_policy_name(field)))
469
DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
473
if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
474
DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
478
return account_policy_get(field, value);
482
/****************************************************************************
483
****************************************************************************/
485
TDB_CONTEXT *get_account_pol_tdb( void )
489
if ( !init_account_policy() ) {