2
* Unix SMB/CIFS implementation.
3
* account policy storage
4
* Copyright (C) Jean Fran�ois Micouleau 1998-2001.
5
* Copyright (C) Andrew Bartlett 2002
6
* Copyright (C) Guenther Deschner 2004-2005
8
* This program is free software; you can redistribute it and/or modify
9
* it under the terms of the GNU General Public License as published by
10
* the Free Software Foundation; either version 3 of the License, or
11
* (at your option) any later version.
13
* This program is distributed in the hope that it will be useful,
14
* but WITHOUT ANY WARRANTY; without even the implied warranty of
15
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
* GNU General Public License for more details.
18
* You should have received a copy of the GNU General Public License
19
* along with this program; if not, see <http://www.gnu.org/licenses/>.
23
static struct db_context *db;
25
/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
26
* after this period if admins do not use pdbedit or usermanager but manipulate
27
* ldap directly) - gd */
29
#define DATABASE_VERSION 3
37
const char *description;
38
const char *ldap_attr;
41
static const struct ap_table account_policy_names[] = {
42
{AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
43
"Minimal password length (default: 5)",
44
"sambaMinPwdLength" },
46
{AP_PASSWORD_HISTORY, "password history", 0,
47
"Length of Password History Entries (default: 0 => off)",
48
"sambaPwdHistoryLength" },
50
{AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
51
"Force Users to logon for password change (default: 0 => off, 2 => on)",
52
"sambaLogonToChgPwd" },
54
{AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
55
"Maximum password age, in seconds (default: -1 => never expire passwords)",
58
{AP_MIN_PASSWORD_AGE,"minimum password age", 0,
59
"Minimal password age, in seconds (default: 0 => allow immediate password change)",
62
{AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
63
"Lockout duration in minutes (default: 30, -1 => forever)",
64
"sambaLockoutDuration" },
66
{AP_RESET_COUNT_TIME, "reset count minutes", 30,
67
"Reset time after lockout in minutes (default: 30)",
68
"sambaLockoutObservationWindow" },
70
{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
71
"Lockout users after bad logon attempts (default: 0 => off)",
72
"sambaLockoutThreshold" },
74
{AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
75
"Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
78
{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
79
"Allow Machine Password changes (default: 0 => off)",
80
"sambaRefuseMachinePwdChange" },
82
{0, NULL, 0, "", NULL}
85
void account_policy_names_list(const char ***names, int *num_names)
90
for (count=0; account_policy_names[count].string; count++) {
92
nl = SMB_MALLOC_ARRAY(const char *, count);
97
for (i=0; account_policy_names[i].string; i++) {
98
nl[i] = account_policy_names[i].string;
105
/****************************************************************************
106
Get the account policy name as a string from its #define'ed number
107
****************************************************************************/
109
const char *decode_account_policy_name(int field)
112
for (i=0; account_policy_names[i].string; i++) {
113
if (field == account_policy_names[i].field) {
114
return account_policy_names[i].string;
120
/****************************************************************************
121
Get the account policy LDAP attribute as a string from its #define'ed number
122
****************************************************************************/
124
const char *get_account_policy_attr(int field)
127
for (i=0; account_policy_names[i].field; i++) {
128
if (field == account_policy_names[i].field) {
129
return account_policy_names[i].ldap_attr;
135
/****************************************************************************
136
Get the account policy description as a string from its #define'ed number
137
****************************************************************************/
139
const char *account_policy_get_desc(int field)
142
for (i=0; account_policy_names[i].string; i++) {
143
if (field == account_policy_names[i].field) {
144
return account_policy_names[i].description;
150
/****************************************************************************
151
Get the account policy name as a string from its #define'ed number
152
****************************************************************************/
154
int account_policy_name_to_fieldnum(const char *name)
157
for (i=0; account_policy_names[i].string; i++) {
158
if (strcmp(name, account_policy_names[i].string) == 0) {
159
return account_policy_names[i].field;
165
/*****************************************************************************
166
Get default value for account policy
167
*****************************************************************************/
169
bool account_policy_get_default(int account_policy, uint32 *val)
172
for (i=0; account_policy_names[i].field; i++) {
173
if (account_policy_names[i].field == account_policy) {
174
*val = account_policy_names[i].default_val;
178
DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
183
/*****************************************************************************
184
Set default for a field if it is empty
185
*****************************************************************************/
187
static bool account_policy_set_default_on_empty(int account_policy)
192
if (!account_policy_get(account_policy, &value) &&
193
!account_policy_get_default(account_policy, &value)) {
197
return account_policy_set(account_policy, value);
200
/*****************************************************************************
201
Open the account policy tdb.
202
***`*************************************************************************/
204
bool init_account_policy(void)
207
const char *vstring = "INFO/version";
215
db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
218
if (db == NULL) { /* the account policies files does not exist or open
219
* failed, try to create a new one */
220
db = db_open(NULL, state_path("account_policy.tdb"), 0,
221
TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
223
DEBUG(0,("Failed to open account policy database\n"));
228
version = dbwrap_fetch_int32(db, vstring);
229
if (version == DATABASE_VERSION) {
233
/* handle a Samba upgrade */
235
if (db->transaction_start(db) != 0) {
236
DEBUG(0, ("transaction_start failed\n"));
241
version = dbwrap_fetch_int32(db, vstring);
242
if (version == DATABASE_VERSION) {
246
if (db->transaction_cancel(db)) {
247
smb_panic("transaction_cancel failed");
252
if (version != DATABASE_VERSION) {
253
if (dbwrap_store_uint32(db, vstring, DATABASE_VERSION) != 0) {
254
DEBUG(0, ("dbwrap_store_uint32 failed\n"));
258
for (i=0; account_policy_names[i].field; i++) {
260
if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
261
DEBUG(0,("failed to set default value in account policy tdb\n"));
267
/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
269
privilege_create_account( &global_sid_World );
270
privilege_create_account( &global_sid_Builtin_Account_Operators );
271
privilege_create_account( &global_sid_Builtin_Server_Operators );
272
privilege_create_account( &global_sid_Builtin_Print_Operators );
273
privilege_create_account( &global_sid_Builtin_Backup_Operators );
275
/* BUILTIN\Administrators get everything -- *always* */
277
if ( lp_enable_privileges() ) {
278
if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
279
DEBUG(1,("init_account_policy: Failed to grant privileges "
280
"to BUILTIN\\Administrators!\n"));
284
if (db->transaction_commit(db) != 0) {
285
DEBUG(0, ("transaction_commit failed\n"));
293
if (db->transaction_cancel(db)) {
294
smb_panic("transaction_cancel failed");
301
/*****************************************************************************
302
Get an account policy (from tdb)
303
*****************************************************************************/
305
bool account_policy_get(int field, uint32 *value)
310
if (!init_account_policy()) {
318
name = decode_account_policy_name(field);
320
DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
324
if (!dbwrap_fetch_uint32(db, name, ®val)) {
325
DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
333
DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
338
/****************************************************************************
339
Set an account policy (in tdb)
340
****************************************************************************/
342
bool account_policy_set(int field, uint32 value)
347
if (!init_account_policy()) {
351
name = decode_account_policy_name(field);
353
DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
357
status = dbwrap_trans_store_uint32(db, name, value);
358
if (!NT_STATUS_IS_OK(status)) {
359
DEBUG(1, ("store_uint32 failed for field %d (%s) on value "
360
"%u: %s\n", field, name, value, nt_errstr(status)));
364
DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
369
/****************************************************************************
370
Set an account policy in the cache
371
****************************************************************************/
373
bool cache_account_policy_set(int field, uint32 value)
375
const char *policy_name = NULL;
376
char *cache_key = NULL;
377
char *cache_value = NULL;
380
policy_name = decode_account_policy_name(field);
381
if (policy_name == NULL) {
382
DEBUG(0,("cache_account_policy_set: no policy found\n"));
386
if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
387
DEBUG(0, ("asprintf failed\n"));
391
if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
392
DEBUG(0, ("asprintf failed\n"));
396
DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
398
ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
401
SAFE_FREE(cache_key);
402
SAFE_FREE(cache_value);
406
/*****************************************************************************
407
Get an account policy from the cache
408
*****************************************************************************/
410
bool cache_account_policy_get(int field, uint32 *value)
412
const char *policy_name = NULL;
413
char *cache_key = NULL;
414
char *cache_value = NULL;
417
policy_name = decode_account_policy_name(field);
418
if (policy_name == NULL) {
419
DEBUG(0,("cache_account_policy_set: no policy found\n"));
423
if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
424
DEBUG(0, ("asprintf failed\n"));
428
if (gencache_get(cache_key, &cache_value, NULL)) {
429
uint32 tmp = strtoul(cache_value, NULL, 10);
435
SAFE_FREE(cache_key);
436
SAFE_FREE(cache_value);
440
/****************************************************************************
441
****************************************************************************/
443
struct db_context *get_account_pol_db( void )
447
if ( !init_account_policy() ) {