2
Unix SMB/CIFS implementation.
3
struct samu access routines
4
Copyright (C) Jeremy Allison 1996-2001
5
Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6
Copyright (C) Gerald (Jerry) Carter 2000-2006
7
Copyright (C) Andrew Bartlett 2001-2002
8
Copyright (C) Stefan (metze) Metzmacher 2002
10
This program is free software; you can redistribute it and/or modify
11
it under the terms of the GNU General Public License as published by
12
the Free Software Foundation; either version 3 of the License, or
13
(at your option) any later version.
15
This program is distributed in the hope that it will be useful,
16
but WITHOUT ANY WARRANTY; without even the implied warranty of
17
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
GNU General Public License for more details.
20
You should have received a copy of the GNU General Public License
21
along with this program. If not, see <http://www.gnu.org/licenses/>.
27
#define DBGC_CLASS DBGC_PASSDB
30
* @todo Redefine this to NULL, but this changes the API because
31
* much of samba assumes that the pdb_get...() funtions
32
* return strings. (ie not null-pointers).
33
* See also pdb_fill_default_sam().
36
#define PDB_NOT_QUITE_NULL ""
38
/*********************************************************************
39
Collection of get...() functions for struct samu.
40
********************************************************************/
42
uint32 pdb_get_acct_ctrl(const struct samu *sampass)
44
return sampass->acct_ctrl;
47
time_t pdb_get_logon_time(const struct samu *sampass)
49
return sampass->logon_time;
52
time_t pdb_get_logoff_time(const struct samu *sampass)
54
return sampass->logoff_time;
57
time_t pdb_get_kickoff_time(const struct samu *sampass)
59
return sampass->kickoff_time;
62
time_t pdb_get_bad_password_time(const struct samu *sampass)
64
return sampass->bad_password_time;
67
time_t pdb_get_pass_last_set_time(const struct samu *sampass)
69
return sampass->pass_last_set_time;
72
time_t pdb_get_pass_can_change_time(const struct samu *sampass)
76
/* if the last set time is zero, it means the user cannot
77
change their password, and this time must be zero. jmcd
79
if (sampass->pass_last_set_time == 0)
82
/* if the time is max, and the field has been changed,
83
we're trying to update this real value from the sampass
84
to indicate that the user cannot change their password. jmcd
86
if (sampass->pass_can_change_time == get_time_t_max() &&
87
pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED)
88
return sampass->pass_can_change_time;
90
if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &allow))
93
/* in normal cases, just calculate it from policy */
94
return sampass->pass_last_set_time + allow;
97
/* we need this for loading from the backend, so that we don't overwrite
98
non-changed max times, otherwise the pass_can_change checking won't work */
99
time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
101
return sampass->pass_can_change_time;
104
time_t pdb_get_pass_must_change_time(const struct samu *sampass)
108
if (sampass->pass_last_set_time == 0)
111
if (sampass->acct_ctrl & ACB_PWNOEXP)
112
return get_time_t_max();
114
if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire)
115
|| expire == (uint32)-1 || expire == 0)
116
return get_time_t_max();
118
return sampass->pass_last_set_time + expire;
121
bool pdb_get_pass_can_change(const struct samu *sampass)
123
if (sampass->pass_can_change_time == get_time_t_max() &&
124
sampass->pass_last_set_time != 0)
129
uint16 pdb_get_logon_divs(const struct samu *sampass)
131
return sampass->logon_divs;
134
uint32 pdb_get_hours_len(const struct samu *sampass)
136
return sampass->hours_len;
139
const uint8 *pdb_get_hours(const struct samu *sampass)
141
return (sampass->hours);
144
const uint8 *pdb_get_nt_passwd(const struct samu *sampass)
146
SMB_ASSERT((!sampass->nt_pw.data)
147
|| sampass->nt_pw.length == NT_HASH_LEN);
148
return (uint8 *)sampass->nt_pw.data;
151
const uint8 *pdb_get_lanman_passwd(const struct samu *sampass)
153
SMB_ASSERT((!sampass->lm_pw.data)
154
|| sampass->lm_pw.length == LM_HASH_LEN);
155
return (uint8 *)sampass->lm_pw.data;
158
const uint8 *pdb_get_pw_history(const struct samu *sampass, uint32 *current_hist_len)
160
SMB_ASSERT((!sampass->nt_pw_his.data)
161
|| ((sampass->nt_pw_his.length % PW_HISTORY_ENTRY_LEN) == 0));
162
*current_hist_len = sampass->nt_pw_his.length / PW_HISTORY_ENTRY_LEN;
163
return (uint8 *)sampass->nt_pw_his.data;
166
/* Return the plaintext password if known. Most of the time
167
it isn't, so don't assume anything magic about this function.
169
Used to pass the plaintext to passdb backends that might
170
want to store more than just the NTLM hashes.
172
const char *pdb_get_plaintext_passwd(const struct samu *sampass)
174
return sampass->plaintext_pw;
177
const DOM_SID *pdb_get_user_sid(const struct samu *sampass)
179
return &sampass->user_sid;
182
const DOM_SID *pdb_get_group_sid(struct samu *sampass)
186
bool need_lookup_sid = false;
188
/* Return the cached group SID if we have that */
189
if ( sampass->group_sid ) {
190
return sampass->group_sid;
193
/* generate the group SID from the user's primary Unix group */
195
if ( !(gsid = TALLOC_ZERO_P( sampass, DOM_SID )) ) {
199
/* No algorithmic mapping, meaning that we have to figure out the
200
primary group SID according to group mapping and the user SID must
201
be a newly allocated one. We rely on the user's Unix primary gid.
202
We have no choice but to fail if we can't find it. */
204
if ( sampass->unix_pw ) {
205
pwd = sampass->unix_pw;
207
pwd = Get_Pwnam_alloc( sampass, pdb_get_username(sampass) );
211
DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) ));
215
gid_to_sid(gsid, pwd->pw_gid);
216
if (!is_null_sid(gsid)) {
220
sid_copy(&dgsid, gsid);
221
sid_split_rid(&dgsid, &rid);
222
if (sid_equal(&dgsid, get_global_sam_sid())) {
224
* As shortcut for the expensive lookup_sid call
225
* compare the domain sid part
228
case DOMAIN_RID_ADMINS:
229
case DOMAIN_RID_USERS:
230
sampass->group_sid = gsid;
231
return sampass->group_sid;
233
need_lookup_sid = true;
238
if (pdb_gid_to_sid(pwd->pw_gid, gsid)) {
239
need_lookup_sid = true;
244
if (need_lookup_sid) {
245
enum lsa_SidType type = SID_NAME_UNKNOWN;
248
const DOM_SID *usid = pdb_get_user_sid(sampass);
250
mem_ctx = talloc_init("pdb_get_group_sid");
255
DEBUG(10,("do lookup_sid(%s) for group of user %s\n",
256
sid_string_dbg(gsid), sid_string_dbg(usid)));
258
/* Now check that it's actually a domain group and not something else */
260
lookup_ret = lookup_sid(mem_ctx, gsid, NULL, NULL, &type);
262
TALLOC_FREE( mem_ctx );
264
if ( lookup_ret && (type == SID_NAME_DOM_GRP) ) {
265
sampass->group_sid = gsid;
266
return sampass->group_sid;
269
DEBUG(3, ("Primary group %s for user %s is a %s and not a domain group\n",
270
sid_string_dbg(gsid), pwd->pw_name, sid_type_lookup(type)));
273
/* Just set it to the 'Domain Users' RID of 512 which will
274
always resolve to a name */
276
sid_copy( gsid, get_global_sam_sid() );
277
sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS );
279
sampass->group_sid = gsid;
281
return sampass->group_sid;
285
* Get flags showing what is initalised in the struct samu
286
* @param sampass the struct samu in question
287
* @return the flags indicating the members initialised in the struct.
290
enum pdb_value_state pdb_get_init_flags(const struct samu *sampass, enum pdb_elements element)
292
enum pdb_value_state ret = PDB_DEFAULT;
294
if (!sampass->change_flags || !sampass->set_flags)
297
if (bitmap_query(sampass->set_flags, element)) {
298
DEBUG(11, ("element %d: SET\n", element));
302
if (bitmap_query(sampass->change_flags, element)) {
303
DEBUG(11, ("element %d: CHANGED\n", element));
307
if (ret == PDB_DEFAULT) {
308
DEBUG(11, ("element %d: DEFAULT\n", element));
314
const char *pdb_get_username(const struct samu *sampass)
316
return sampass->username;
319
const char *pdb_get_domain(const struct samu *sampass)
321
return sampass->domain;
324
const char *pdb_get_nt_username(const struct samu *sampass)
326
return sampass->nt_username;
329
const char *pdb_get_fullname(const struct samu *sampass)
331
return sampass->full_name;
334
const char *pdb_get_homedir(const struct samu *sampass)
336
return sampass->home_dir;
339
const char *pdb_get_dir_drive(const struct samu *sampass)
341
return sampass->dir_drive;
344
const char *pdb_get_logon_script(const struct samu *sampass)
346
return sampass->logon_script;
349
const char *pdb_get_profile_path(const struct samu *sampass)
351
return sampass->profile_path;
354
const char *pdb_get_acct_desc(const struct samu *sampass)
356
return sampass->acct_desc;
359
const char *pdb_get_workstations(const struct samu *sampass)
361
return sampass->workstations;
364
const char *pdb_get_comment(const struct samu *sampass)
366
return sampass->comment;
369
const char *pdb_get_munged_dial(const struct samu *sampass)
371
return sampass->munged_dial;
374
uint16 pdb_get_bad_password_count(const struct samu *sampass)
376
return sampass->bad_password_count;
379
uint16 pdb_get_logon_count(const struct samu *sampass)
381
return sampass->logon_count;
384
uint32 pdb_get_unknown_6(const struct samu *sampass)
386
return sampass->unknown_6;
389
void *pdb_get_backend_private_data(const struct samu *sampass, const struct pdb_methods *my_methods)
391
if (my_methods == sampass->backend_private_methods) {
392
return sampass->backend_private_data;
398
/*********************************************************************
399
Collection of set...() functions for struct samu.
400
********************************************************************/
402
bool pdb_set_acct_ctrl(struct samu *sampass, uint32 acct_ctrl, enum pdb_value_state flag)
404
sampass->acct_ctrl = acct_ctrl;
405
return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
408
bool pdb_set_logon_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
410
sampass->logon_time = mytime;
411
return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
414
bool pdb_set_logoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
416
sampass->logoff_time = mytime;
417
return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
420
bool pdb_set_kickoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
422
sampass->kickoff_time = mytime;
423
return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
426
bool pdb_set_bad_password_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
428
sampass->bad_password_time = mytime;
429
return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_TIME, flag);
432
bool pdb_set_pass_can_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
434
sampass->pass_can_change_time = mytime;
435
return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
438
bool pdb_set_pass_must_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
440
sampass->pass_must_change_time = mytime;
441
return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
444
bool pdb_set_pass_last_set_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
446
sampass->pass_last_set_time = mytime;
447
return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
450
bool pdb_set_hours_len(struct samu *sampass, uint32 len, enum pdb_value_state flag)
452
sampass->hours_len = len;
453
return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
456
bool pdb_set_logon_divs(struct samu *sampass, uint16 hours, enum pdb_value_state flag)
458
sampass->logon_divs = hours;
459
return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
463
* Set flags showing what is initalised in the struct samu
464
* @param sampass the struct samu in question
465
* @param flag The *new* flag to be set. Old flags preserved
466
* this flag is only added.
469
bool pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
471
if (!sampass->set_flags) {
472
if ((sampass->set_flags =
473
bitmap_talloc(sampass,
475
DEBUG(0,("bitmap_talloc failed\n"));
479
if (!sampass->change_flags) {
480
if ((sampass->change_flags =
481
bitmap_talloc(sampass,
483
DEBUG(0,("bitmap_talloc failed\n"));
490
if (!bitmap_set(sampass->change_flags, element)) {
491
DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
494
if (!bitmap_set(sampass->set_flags, element)) {
495
DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
498
DEBUG(11, ("element %d -> now CHANGED\n", element));
501
if (!bitmap_clear(sampass->change_flags, element)) {
502
DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
505
if (!bitmap_set(sampass->set_flags, element)) {
506
DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
509
DEBUG(11, ("element %d -> now SET\n", element));
513
if (!bitmap_clear(sampass->change_flags, element)) {
514
DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
517
if (!bitmap_clear(sampass->set_flags, element)) {
518
DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
521
DEBUG(11, ("element %d -> now DEFAULT\n", element));
528
bool pdb_set_user_sid(struct samu *sampass, const DOM_SID *u_sid, enum pdb_value_state flag)
533
sid_copy(&sampass->user_sid, u_sid);
535
DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
536
sid_string_dbg(&sampass->user_sid)));
538
return pdb_set_init_flags(sampass, PDB_USERSID, flag);
541
bool pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_value_state flag)
548
DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
551
if (!string_to_sid(&new_sid, u_sid)) {
552
DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
556
if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
557
DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on struct samu!\n", u_sid));
564
/********************************************************************
565
We never fill this in from a passdb backend but rather set is
566
based on the user's primary group membership. However, the
567
struct samu* is overloaded and reused in domain memship code
568
as well and built from the netr_SamInfo3 or PAC so we
569
have to allow the explicitly setting of a group SID here.
570
********************************************************************/
572
bool pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_value_state flag)
579
if ( !(sampass->group_sid = TALLOC_P( sampass, DOM_SID )) ) {
583
/* if we cannot resolve the SID to gid, then just ignore it and
584
store DOMAIN_USERS as the primary groupSID */
586
if ( sid_to_gid( g_sid, &gid ) ) {
587
sid_copy(sampass->group_sid, g_sid);
589
sid_copy( sampass->group_sid, get_global_sam_sid() );
590
sid_append_rid( sampass->group_sid, DOMAIN_GROUP_RID_USERS );
593
DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
594
sid_string_dbg(sampass->group_sid)));
596
return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
599
/*********************************************************************
600
Set the user's UNIX name.
601
********************************************************************/
603
bool pdb_set_username(struct samu *sampass, const char *username, enum pdb_value_state flag)
606
DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
607
(sampass->username)?(sampass->username):"NULL"));
609
sampass->username = talloc_strdup(sampass, username);
611
if (!sampass->username) {
612
DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
616
sampass->username = PDB_NOT_QUITE_NULL;
619
return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
622
/*********************************************************************
624
********************************************************************/
626
bool pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_state flag)
629
DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
630
(sampass->domain)?(sampass->domain):"NULL"));
632
sampass->domain = talloc_strdup(sampass, domain);
634
if (!sampass->domain) {
635
DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
639
sampass->domain = PDB_NOT_QUITE_NULL;
642
return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
645
/*********************************************************************
646
Set the user's NT name.
647
********************************************************************/
649
bool pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb_value_state flag)
652
DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
653
(sampass->nt_username)?(sampass->nt_username):"NULL"));
655
sampass->nt_username = talloc_strdup(sampass, nt_username);
657
if (!sampass->nt_username) {
658
DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
662
sampass->nt_username = PDB_NOT_QUITE_NULL;
665
return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
668
/*********************************************************************
669
Set the user's full name.
670
********************************************************************/
672
bool pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_value_state flag)
675
DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
676
(sampass->full_name)?(sampass->full_name):"NULL"));
678
sampass->full_name = talloc_strdup(sampass, full_name);
680
if (!sampass->full_name) {
681
DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
685
sampass->full_name = PDB_NOT_QUITE_NULL;
688
return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
691
/*********************************************************************
692
Set the user's logon script.
693
********************************************************************/
695
bool pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum pdb_value_state flag)
698
DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
699
(sampass->logon_script)?(sampass->logon_script):"NULL"));
701
sampass->logon_script = talloc_strdup(sampass, logon_script);
703
if (!sampass->logon_script) {
704
DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
708
sampass->logon_script = PDB_NOT_QUITE_NULL;
711
return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
714
/*********************************************************************
715
Set the user's profile path.
716
********************************************************************/
718
bool pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum pdb_value_state flag)
721
DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
722
(sampass->profile_path)?(sampass->profile_path):"NULL"));
724
sampass->profile_path = talloc_strdup(sampass, profile_path);
726
if (!sampass->profile_path) {
727
DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
731
sampass->profile_path = PDB_NOT_QUITE_NULL;
734
return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
737
/*********************************************************************
738
Set the user's directory drive.
739
********************************************************************/
741
bool pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_value_state flag)
744
DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
745
(sampass->dir_drive)?(sampass->dir_drive):"NULL"));
747
sampass->dir_drive = talloc_strdup(sampass, dir_drive);
749
if (!sampass->dir_drive) {
750
DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
755
sampass->dir_drive = PDB_NOT_QUITE_NULL;
758
return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
761
/*********************************************************************
762
Set the user's home directory.
763
********************************************************************/
765
bool pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_state flag)
768
DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
769
(sampass->home_dir)?(sampass->home_dir):"NULL"));
771
sampass->home_dir = talloc_strdup(sampass, home_dir);
773
if (!sampass->home_dir) {
774
DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
778
sampass->home_dir = PDB_NOT_QUITE_NULL;
781
return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
784
/*********************************************************************
785
Set the user's account description.
786
********************************************************************/
788
bool pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_value_state flag)
791
sampass->acct_desc = talloc_strdup(sampass, acct_desc);
793
if (!sampass->acct_desc) {
794
DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
798
sampass->acct_desc = PDB_NOT_QUITE_NULL;
801
return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
804
/*********************************************************************
805
Set the user's workstation allowed list.
806
********************************************************************/
808
bool pdb_set_workstations(struct samu *sampass, const char *workstations, enum pdb_value_state flag)
811
DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
812
(sampass->workstations)?(sampass->workstations):"NULL"));
814
sampass->workstations = talloc_strdup(sampass, workstations);
816
if (!sampass->workstations) {
817
DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
821
sampass->workstations = PDB_NOT_QUITE_NULL;
824
return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
827
/*********************************************************************
828
********************************************************************/
830
bool pdb_set_comment(struct samu *sampass, const char *comment, enum pdb_value_state flag)
833
sampass->comment = talloc_strdup(sampass, comment);
835
if (!sampass->comment) {
836
DEBUG(0, ("pdb_set_comment: talloc_strdup() failed!\n"));
840
sampass->comment = PDB_NOT_QUITE_NULL;
843
return pdb_set_init_flags(sampass, PDB_COMMENT, flag);
846
/*********************************************************************
847
Set the user's dial string.
848
********************************************************************/
850
bool pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb_value_state flag)
853
sampass->munged_dial = talloc_strdup(sampass, munged_dial);
855
if (!sampass->munged_dial) {
856
DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
860
sampass->munged_dial = PDB_NOT_QUITE_NULL;
863
return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
866
/*********************************************************************
867
Set the user's NT hash.
868
********************************************************************/
870
bool pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
872
data_blob_clear_free(&sampass->nt_pw);
876
data_blob_talloc(sampass, pwd, NT_HASH_LEN);
878
sampass->nt_pw = data_blob_null;
881
return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
884
/*********************************************************************
885
Set the user's LM hash.
886
********************************************************************/
888
bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
890
data_blob_clear_free(&sampass->lm_pw);
892
/* on keep the password if we are allowing LANMAN authentication */
894
if (pwd && lp_lanman_auth() ) {
895
sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
897
sampass->lm_pw = data_blob_null;
900
return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
903
/*********************************************************************
904
Set the user's password history hash. historyLen is the number of
905
PW_HISTORY_SALT_LEN+SALTED_MD5_HASH_LEN length
906
entries to store in the history - this must match the size of the uint8 array
908
********************************************************************/
910
bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag)
912
if (historyLen && pwd){
913
sampass->nt_pw_his = data_blob_talloc(sampass,
914
pwd, historyLen*PW_HISTORY_ENTRY_LEN);
915
if (!sampass->nt_pw_his.length) {
916
DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
920
sampass->nt_pw_his = data_blob_talloc(sampass, NULL, 0);
923
return pdb_set_init_flags(sampass, PDB_PWHISTORY, flag);
926
/*********************************************************************
927
Set the user's plaintext password only (base procedure, see helper
929
********************************************************************/
931
bool pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum pdb_value_state flag)
934
if (sampass->plaintext_pw!=NULL)
935
memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1);
937
sampass->plaintext_pw = talloc_strdup(sampass, password);
939
if (!sampass->plaintext_pw) {
940
DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
944
sampass->plaintext_pw = NULL;
947
return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
950
bool pdb_set_bad_password_count(struct samu *sampass, uint16 bad_password_count, enum pdb_value_state flag)
952
sampass->bad_password_count = bad_password_count;
953
return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_COUNT, flag);
956
bool pdb_set_logon_count(struct samu *sampass, uint16 logon_count, enum pdb_value_state flag)
958
sampass->logon_count = logon_count;
959
return pdb_set_init_flags(sampass, PDB_LOGON_COUNT, flag);
962
bool pdb_set_unknown_6(struct samu *sampass, uint32 unkn, enum pdb_value_state flag)
964
sampass->unknown_6 = unkn;
965
return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
968
bool pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag)
971
memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
973
memcpy (sampass->hours, hours, MAX_HOURS_LEN);
976
return pdb_set_init_flags(sampass, PDB_HOURS, flag);
979
bool pdb_set_backend_private_data(struct samu *sampass, void *private_data,
980
void (*free_fn)(void **),
981
const struct pdb_methods *my_methods,
982
enum pdb_value_state flag)
984
if (sampass->backend_private_data &&
985
sampass->backend_private_data_free_fn) {
986
sampass->backend_private_data_free_fn(
987
&sampass->backend_private_data);
990
sampass->backend_private_data = private_data;
991
sampass->backend_private_data_free_fn = free_fn;
992
sampass->backend_private_methods = my_methods;
994
return pdb_set_init_flags(sampass, PDB_BACKEND_PRIVATE_DATA, flag);
998
/* Helpful interfaces to the above */
1000
bool pdb_set_pass_can_change(struct samu *sampass, bool canchange)
1002
return pdb_set_pass_can_change_time(sampass,
1003
canchange ? 0 : get_time_t_max(),
1008
/*********************************************************************
1009
Set the user's PLAINTEXT password. Used as an interface to the above.
1010
Also sets the last change time to NOW.
1011
********************************************************************/
1013
bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
1015
uchar new_lanman_p16[LM_HASH_LEN];
1016
uchar new_nt_p16[NT_HASH_LEN];
1021
/* Calculate the MD4 hash (NT compatible) of the password */
1022
E_md4hash(plaintext, new_nt_p16);
1024
if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED))
1027
if (!E_deshash(plaintext, new_lanman_p16)) {
1028
/* E_deshash returns false for 'long' passwords (> 14
1029
DOS chars). This allows us to match Win2k, which
1030
does not store a LM hash for these passwords (which
1031
would reduce the effective password length to 14 */
1033
if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED))
1036
if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
1040
if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
1043
if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
1046
/* Store the password history. */
1047
if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
1050
pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1051
if (pwHistLen != 0){
1052
uint32 current_history_len;
1053
/* We need to make sure we don't have a race condition here - the
1054
account policy history length can change between when the pw_history
1055
was first loaded into the struct samu struct and now.... JRA. */
1056
pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
1058
if (current_history_len != pwHistLen) {
1059
/* After closing and reopening struct samu the history
1060
values will sync up. We can't do this here. */
1062
/* current_history_len > pwHistLen is not a problem - we
1063
have more history than we need. */
1065
if (current_history_len < pwHistLen) {
1066
/* Ensure we have space for the needed history. */
1067
uchar *new_history = (uchar *)TALLOC(sampass,
1068
pwHistLen*PW_HISTORY_ENTRY_LEN);
1073
/* And copy it into the new buffer. */
1074
if (current_history_len) {
1075
memcpy(new_history, pwhistory,
1076
current_history_len*PW_HISTORY_ENTRY_LEN);
1078
/* Clearing out any extra space. */
1079
memset(&new_history[current_history_len*PW_HISTORY_ENTRY_LEN],
1080
'\0', (pwHistLen-current_history_len)*PW_HISTORY_ENTRY_LEN);
1081
/* Finally replace it. */
1082
pwhistory = new_history;
1085
if (pwhistory && pwHistLen){
1086
/* Make room for the new password in the history list. */
1087
if (pwHistLen > 1) {
1088
memmove(&pwhistory[PW_HISTORY_ENTRY_LEN],
1089
pwhistory, (pwHistLen -1)*PW_HISTORY_ENTRY_LEN );
1091
/* Create the new salt as the first part of the history entry. */
1092
generate_random_buffer(pwhistory, PW_HISTORY_SALT_LEN);
1094
/* Generate the md5 hash of the salt+new password as the second
1095
part of the history entry. */
1097
E_md5hash(pwhistory, new_nt_p16, &pwhistory[PW_HISTORY_SALT_LEN]);
1098
pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
1100
DEBUG (10,("pdb_get_set.c: pdb_set_plaintext_passwd: pwhistory was NULL!\n"));
1103
/* Set the history length to zero. */
1104
pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
1111
/* check for any PDB_SET/CHANGED field and fill the appropriate mask bit */
1112
uint32 pdb_build_fields_present(struct samu *sampass)
1114
/* value set to all for testing */