summaryrefslogtreecommitdiff
path: root/source3/passdb
diff options
context:
space:
mode:
authorJim McDonough <jmcd@samba.org>2006-10-03 17:14:18 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:15:06 -0500
commitdc1f0804dd8177d3c3a0b2db993855d5679e9565 (patch)
tree9893078628f8963ca854411001cd3c7fdcff998d /source3/passdb
parentb96aae779bdbd96677aef58d205282605046a8a6 (diff)
downloadsamba-dc1f0804dd8177d3c3a0b2db993855d5679e9565.tar.gz
samba-dc1f0804dd8177d3c3a0b2db993855d5679e9565.tar.bz2
samba-dc1f0804dd8177d3c3a0b2db993855d5679e9565.zip
r19058: Implement "user cannot change password", and complete "user must change
password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/passdb.c2
-rw-r--r--source3/passdb/pdb_get_set.c68
-rw-r--r--source3/passdb/pdb_interface.c41
-rw-r--r--source3/passdb/pdb_ldap.c2
4 files changed, 36 insertions, 77 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index da3ddb3914..4bdceec571 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1106,7 +1106,7 @@ uint32 init_buffer_from_sam_v3 (uint8 **buf, struct samu *sampass, BOOL size_onl
logoff_time = (uint32)pdb_get_logoff_time(sampass);
kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
bad_password_time = (uint32)pdb_get_bad_password_time(sampass);
- pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
+ pass_can_change_time = (uint32)pdb_get_pass_can_change_time_noncalc(sampass);
pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 7aac8f5856..62898f3dac 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -74,15 +74,34 @@ time_t pdb_get_pass_can_change_time(const struct samu *sampass)
{
uint32 allow;
+ /* if the last set time is zero, it means the user cannot
+ change their password, and this time must be zero. jmcd
+ */
if (sampass->pass_last_set_time == 0)
return (time_t) 0;
+ /* if the time is max, and the field has been changed,
+ we're trying to update this real value from the sampass
+ to indicate that the user cannot change their password. jmcd
+ */
+ if (sampass->pass_can_change_time == get_time_t_max() &&
+ pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED)
+ return sampass->pass_can_change_time;
+
if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &allow))
allow = 0;
+ /* in normal cases, just calculate it from policy */
return sampass->pass_last_set_time + allow;
}
+/* we need this for loading from the backend, so that we don't overwrite
+ non-changed max times, otherwise the pass_can_change checking won't work */
+time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
+{
+ return sampass->pass_can_change_time;
+}
+
time_t pdb_get_pass_must_change_time(const struct samu *sampass)
{
uint32 expire;
@@ -100,6 +119,14 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass)
return sampass->pass_last_set_time + expire;
}
+BOOL pdb_get_pass_can_change(const struct samu *sampass)
+{
+ if (sampass->pass_can_change_time == get_time_t_max() &&
+ sampass->pass_last_set_time != 0)
+ return False;
+ return True;
+}
+
uint16 pdb_get_logon_divs(const struct samu *sampass)
{
return sampass->logon_divs;
@@ -944,43 +971,14 @@ BOOL pdb_set_backend_private_data(struct samu *sampass, void *private_data,
/* Helpful interfaces to the above */
-/*********************************************************************
- Sets the last changed times and must change times for a normal
- password change.
- ********************************************************************/
-
-BOOL pdb_set_pass_changed_now(struct samu *sampass)
+BOOL pdb_set_pass_can_change(struct samu *sampass, BOOL canchange)
{
- uint32 expire;
- uint32 min_age;
-
- if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
- return False;
-
- if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire)
- || (expire==(uint32)-1) || (expire == 0)) {
- if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
- return False;
- } else {
- if (!pdb_set_pass_must_change_time (sampass,
- pdb_get_pass_last_set_time(sampass)
- + expire, PDB_CHANGED))
- return False;
- }
-
- if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age)
- || (min_age==(uint32)-1)) {
- if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED))
- return False;
- } else {
- if (!pdb_set_pass_can_change_time (sampass,
- pdb_get_pass_last_set_time(sampass)
- + min_age, PDB_CHANGED))
- return False;
- }
- return True;
+ return pdb_set_pass_can_change_time(sampass,
+ canchange ? 0 : get_time_t_max(),
+ PDB_CHANGED);
}
+
/*********************************************************************
Set the user's PLAINTEXT password. Used as an interface to the above.
Also sets the last change time to NOW.
@@ -1016,7 +1014,7 @@ BOOL pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
return False;
- if (!pdb_set_pass_changed_now (sampass))
+ if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
return False;
/* Store the password history. */
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 7252ea4c8c..73f538214d 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -48,43 +48,6 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
const char **name,
enum lsa_SidType *psid_name_use,
union unid_t *unix_id);
-/*******************************************************************
- Clean up uninitialised passwords. The only way to tell
- that these values are not 'real' is that they do not
- have a valid last set time. Instead, the value is fixed at 0.
- Therefore we use that as the key for 'is this a valid password'.
- However, it is perfectly valid to have a 'default' last change
- time, such LDAP with a missing attribute would produce.
-********************************************************************/
-
-static void pdb_force_pw_initialization(struct samu *pass)
-{
- const uint8 *lm_pwd, *nt_pwd;
-
- /* only reset a password if the last set time has been
- explicitly been set to zero. A default last set time
- is ignored */
-
- if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT)
- && (pdb_get_pass_last_set_time(pass) == 0) )
- {
-
- if (pdb_get_init_flags(pass, PDB_LMPASSWD) != PDB_DEFAULT)
- {
- lm_pwd = pdb_get_lanman_passwd(pass);
- if (lm_pwd)
- pdb_set_lanman_passwd(pass, NULL, PDB_CHANGED);
- }
- if (pdb_get_init_flags(pass, PDB_NTPASSWD) != PDB_DEFAULT)
- {
- nt_pwd = pdb_get_nt_passwd(pass);
- if (nt_pwd)
- pdb_set_nt_passwd(pass, NULL, PDB_CHANGED);
- }
- }
-
- return;
-}
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
{
@@ -250,7 +213,7 @@ BOOL pdb_getsampwent(struct samu *user)
if ( !NT_STATUS_IS_OK(pdb->getsampwent(pdb, user) ) ) {
return False;
}
- pdb_force_pw_initialization( user );
+
return True;
}
@@ -266,8 +229,6 @@ BOOL pdb_getsampwnam(struct samu *sam_acct, const char *username)
TALLOC_FREE(csamuser);
}
- pdb_force_pw_initialization( sam_acct );
-
csamuser = samu_new( NULL );
if (!csamuser) {
return False;
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 0f03a1cc6e..a716dfa805 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -1096,7 +1096,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
- slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
+ slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time_noncalc(sampass));
if (need_update(sampass, PDB_CANCHANGETIME))
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);