summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2004-08-12 18:20:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:52:20 -0500
commita8dca8b4b66aecc2eaac4292b6b6c5ab386de0a8 (patch)
treebd376eaeb36c545d267824697ae56f58a0683e0c
parentd86f6ceeadd04dccf6b5d7a78e627f78bb424fc7 (diff)
downloadsamba-a8dca8b4b66aecc2eaac4292b6b6c5ab386de0a8.tar.gz
samba-a8dca8b4b66aecc2eaac4292b6b6c5ab386de0a8.tar.bz2
samba-a8dca8b4b66aecc2eaac4292b6b6c5ab386de0a8.zip
r1778: Fix based on code from Richard Renard <rrenard@idealx.com> to
enforce logon hours. ldap fixes to follow. Jeremy. (This used to be commit 9ce273ed662bd34987eaeedeeeb7cb1c99cd50a4)
-rw-r--r--source3/auth/auth_sam.c42
1 files changed, 42 insertions, 0 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 44e0a1810f..0c59dbe049 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -65,6 +65,43 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
lm_pw, nt_pw, user_sess_key, lm_sess_key);
}
+/****************************************************************************
+ Check if a user is allowed to logon at this time. Note this is the
+ servers local time, as logon hours are just specified as a weekly
+ bitmask.
+****************************************************************************/
+
+static BOOL logon_hours_ok(SAM_ACCOUNT *sampass)
+{
+ /* In logon hours first bit is Sunday from 12AM to 1AM */
+ extern struct timeval smb_last_time;
+ const uint8 *hours;
+ struct tm *utctime;
+ uint8 bitmask, bitpos;
+
+ hours = pdb_get_hours(sampass);
+ if (!hours) {
+ DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n",pdb_get_username(sampass)));
+ return True;
+ }
+
+ utctime = localtime(&smb_last_time.tv_sec);
+
+ /* find the corresponding byte and bit */
+ bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168;
+ bitmask = 1 << (bitpos % 8);
+
+ if (! (hours[bitpos/8] & bitmask)) {
+ DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (UTC %s).\n",
+ pdb_get_username(sampass), asctime(utctime) ));
+ return False;
+ }
+
+ DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (UTC %s)\n",
+ pdb_get_username(sampass), asctime(utctime) ));
+
+ return True;
+}
/****************************************************************************
Do a specific test for a SAM_ACCOUNT being vaild for this connection
@@ -93,6 +130,11 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
+ /* Quit if the account is not allowed to logon at this time. */
+ if (! logon_hours_ok(sampass)) {
+ return NT_STATUS_INVALID_LOGON_HOURS;
+ }
+
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);