summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2005-01-22 03:37:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:55:08 -0500
commitb4afdc08d5336e4a337e453443d7af1d8655a31a (patch)
tree3d2e3351c4e767cbd05006b349006bb427ed3ec1 /source3
parent686ceda3c3d3510f873d44c7bbb89d9134e0cf88 (diff)
downloadsamba-b4afdc08d5336e4a337e453443d7af1d8655a31a.tar.gz
samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.tar.bz2
samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.zip
r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in20
-rw-r--r--source3/include/passdb.h12
-rw-r--r--source3/include/smbldap.h4
-rw-r--r--source3/lib/account_pol.c424
-rw-r--r--source3/lib/smbldap.c88
-rw-r--r--source3/passdb/passdb.c16
-rw-r--r--source3/passdb/pdb_get_set.c6
-rw-r--r--source3/passdb/pdb_interface.c68
-rw-r--r--source3/passdb/pdb_ldap.c248
-rw-r--r--source3/rpc_server/srv_reg_nt.c2
-rw-r--r--source3/rpc_server/srv_samr_nt.c59
-rw-r--r--source3/smbd/chgpasswd.c4
-rw-r--r--source3/utils/net_rpc_samsync.c18
-rw-r--r--source3/utils/pdbedit.c42
14 files changed, 840 insertions, 171 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 466958b5ab..f20584218a 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -203,10 +203,10 @@ LIB_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \
lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
lib/md5.o lib/hmacmd5.o lib/iconv.o \
nsswitch/wb_client.o $(WBCOMMON_OBJ) \
- lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \
+ lib/pam_errors.o intl/lang_tdb.o \
lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
lib/module.o lib/ldap_escape.o @CHARSET_STATIC@ \
- lib/privileges.o lib/secdesc.o lib/secace.o lib/secacl.o
+ lib/secdesc.o lib/secace.o lib/secacl.o
LIB_NONSMBD_OBJ = $(LIB_OBJ) lib/dummysmbd.o
@@ -312,7 +312,7 @@ PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
passdb/util_sam_sid.o passdb/pdb_compat.o \
passdb/lookup_sid.o \
passdb/login_cache.o @PDB_STATIC@ passdb/pdb_sql.o \
- lib/system_smbd.o
+ lib/system_smbd.o lib/account_pol.o lib/privileges.o
XML_OBJ = passdb/pdb_xml.o
MYSQL_OBJ = passdb/pdb_mysql.o
@@ -507,8 +507,8 @@ LIBSMBCLIENT_OBJ = libsmb/libsmbclient.o libsmb/libsmb_compat.o \
libsmb/libsmb_cache.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
$(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
- $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
- $(SECRETS_OBJ)
+ $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
+ $(SECRETS_OBJ) $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
# This shared library is intended for linking with unit test programs
# to test Samba internals. It's called libbigballofmud.so to
@@ -584,13 +584,15 @@ LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \
SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
$(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \
- $(PASSDB_GET_SET_OBJ) $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \
- $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ)
+ $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \
+ $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ) \
+ $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
$(PARAM_OBJ) \
- $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
- $(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ)
+ $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \
+ $(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \
+ $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
TALLOCTORT_OBJ = lib/talloctort.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) libsmb/nterr.o
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 1b9ccc50ee..f37a278255 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -334,6 +334,12 @@ typedef struct pdb_context
DOM_SID **aliases,
int *num_aliases);
+ NTSTATUS (*pdb_get_account_policy)(struct pdb_context *context,
+ int policy_index, int *value);
+
+ NTSTATUS (*pdb_set_account_policy)(struct pdb_context *context,
+ int policy_index, int value);
+
void (*free_fn)(struct pdb_context **);
TALLOC_CTX *mem_ctx;
@@ -425,6 +431,12 @@ typedef struct pdb_methods
int num_members,
DOM_SID **aliases, int *num);
+ NTSTATUS (*get_account_policy)(struct pdb_methods *methods,
+ int policy_index, int *value);
+
+ NTSTATUS (*set_account_policy)(struct pdb_methods *methods,
+ int policy_index, int value);
+
void *private_data; /* Private data of some kind */
void (*free_private_data)(void **);
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index adb51430dc..9a116ab7e7 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -38,6 +38,7 @@
#define LDAP_OBJ_IDPOOL "sambaUnixIdPool"
#define LDAP_OBJ_IDMAP_ENTRY "sambaIdmapEntry"
#define LDAP_OBJ_SID_ENTRY "sambaSidEntry"
+#define LDAP_OBJ_ACCOUNT_POLICY "sambaAccountPolicy"
#define LDAP_OBJ_ACCOUNT "account"
#define LDAP_OBJ_POSIXACCOUNT "posixAccount"
@@ -97,6 +98,8 @@
#define LDAP_ATTR_SID_LIST 40
#define LDAP_ATTR_MOD_TIMESTAMP 41
#define LDAP_ATTR_LOGON_HOURS 42
+#define LDAP_ATTR_ACCOUNT_POLICY_NAME 43
+#define LDAP_ATTR_ACCOUNT_POLICY_VAL 44
typedef struct _attrib_map_entry {
int attrib;
@@ -115,6 +118,7 @@ extern ATTRIB_MAP_ENTRY groupmap_attr_list[];
extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[];
extern ATTRIB_MAP_ENTRY idpool_attr_list[];
extern ATTRIB_MAP_ENTRY sidmap_attr_list[];
+extern ATTRIB_MAP_ENTRY acctpol_attr_list[];
/* Function declarations -- not included in proto.h so we don't
have to worry about LDAP structure types */
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c
index 5997d9180a..b81a9fe34d 100644
--- a/source3/lib/account_pol.c
+++ b/source3/lib/account_pol.c
@@ -3,6 +3,7 @@
* account policy storage
* Copyright (C) Jean François Micouleau 1998-2001.
* Copyright (C) Andrew Bartlett 2002
+ * Copyright (C) Guenther Deschner 2004-2005
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -22,7 +23,14 @@
#include "includes.h"
static TDB_CONTEXT *tdb;
-#define DATABASE_VERSION 2
+/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
+ * after this period if admins do not use pdbedit or usermanager but manipulate
+ * ldap directly) - gd */
+
+#define DATABASE_VERSION 3
+#define AP_LASTSET "LAST_CACHE_UPDATE"
+#define AP_MIGRATED "ACCOUNT POLICIES WERE MIGRATED TO PASSDB"
+#define AP_TTL 60
extern DOM_SID global_sid_World;
extern DOM_SID global_sid_Builtin_Administrators;
@@ -32,100 +40,35 @@ extern DOM_SID global_sid_Builtin_Print_Operators;
extern DOM_SID global_sid_Builtin_Backup_Operators;
-/****************************************************************************
- Set default for a field if it is empty
-****************************************************************************/
-
-static void set_default_on_empty(int field, uint32 value)
-{
- if (account_policy_get(field, NULL))
- return;
- account_policy_set(field, value);
- return;
-}
-
-/****************************************************************************
- Open the account policy tdb.
-****************************************************************************/
-
-BOOL init_account_policy(void)
-{
- const char *vstring = "INFO/version";
- uint32 version;
-
- if (tdb)
- return True;
- tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
- if (!tdb) {
- DEBUG(0,("Failed to open account policy database\n"));
- return False;
- }
-
- /* handle a Samba upgrade */
- tdb_lock_bystring(tdb, vstring,0);
- if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
- tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
-
- set_default_on_empty(
- AP_MIN_PASSWORD_LEN,
- MINPASSWDLENGTH);/* 5 chars minimum */
- set_default_on_empty(
- AP_PASSWORD_HISTORY,
- 0); /* don't keep any old password */
- set_default_on_empty(
- AP_USER_MUST_LOGON_TO_CHG_PASS,
- 0); /* don't force user to logon */
- set_default_on_empty(
- AP_MAX_PASSWORD_AGE,
- (uint32)-1); /* don't expire */
- set_default_on_empty(
- AP_MIN_PASSWORD_AGE,
- 0); /* 0 days */
- set_default_on_empty(
- AP_LOCK_ACCOUNT_DURATION,
- 30); /* lockout for 30 minutes */
- set_default_on_empty(
- AP_RESET_COUNT_TIME,
- 30); /* reset after 30 minutes */
- set_default_on_empty(
- AP_BAD_ATTEMPT_LOCKOUT,
- 0); /* don't lockout */
- set_default_on_empty(
- AP_TIME_TO_LOGOUT,
- -1); /* don't force logout */
- set_default_on_empty(
- AP_REFUSE_MACHINE_PW_CHANGE,
- 0); /* allow machine pw changes */
- }
- tdb_unlock_bystring(tdb, vstring);
-
- /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
-
- privilege_create_account( &global_sid_World );
- privilege_create_account( &global_sid_Builtin_Administrators );
- privilege_create_account( &global_sid_Builtin_Account_Operators );
- privilege_create_account( &global_sid_Builtin_Server_Operators );
- privilege_create_account( &global_sid_Builtin_Print_Operators );
- privilege_create_account( &global_sid_Builtin_Backup_Operators );
-
- return True;
-}
-
-static const struct {
+struct ap_table {
int field;
const char *string;
-} account_policy_names[] = {
- {AP_MIN_PASSWORD_LEN, "min password length"},
- {AP_PASSWORD_HISTORY, "password history"},
- {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"},
- {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"},
- {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"},
- {AP_LOCK_ACCOUNT_DURATION, "lockout duration"},
- {AP_RESET_COUNT_TIME, "reset count minutes"},
- {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"},
- {AP_TIME_TO_LOGOUT, "disconnect time"},
- {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"},
- {0, NULL}
+ uint32 default_val;
+ const char *comment;
+};
+
+static const struct ap_table account_policy_names[] = {
+ {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
+ "Minimal password length (default: 5)"},
+ {AP_PASSWORD_HISTORY, "password history", 0,
+ "Length of Password History Entries (default: 0 => off)" },
+ {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
+ "Force Users to logon for password change (default: 0 => off, 2 => on)"},
+ {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32)-1,
+ "Maximum password age, in seconds (default: -1 => never expire passwords)"},
+ {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
+ "Minimal password age, in seconds (default: 0 => allow immediate password change)"},
+ {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
+ "Lockout duration in minutes (default: 30, -1 => forever)"},
+ {AP_RESET_COUNT_TIME, "reset count minutes", 30,
+ "Reset time after lockout in minutes (default: 30)"},
+ {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
+ "Lockout users after bad logon attempts (default: 0 => off)"},
+ {AP_TIME_TO_LOGOUT, "disconnect time", -1,
+ "Disconnect Users outside logon hours (default: -1 => off, 0 => on)"},
+ {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
+ "Allow Machine Password changes (default: 0 => off)"},
+ {0, NULL, 0, ""}
};
char *account_policy_names_list(void)
@@ -156,7 +99,7 @@ char *account_policy_names_list(void)
Get the account policy name as a string from its #define'ed number
****************************************************************************/
-static const char *decode_account_policy_name(int field)
+const char *decode_account_policy_name(int field)
{
int i;
for (i=0; account_policy_names[i].string; i++) {
@@ -168,6 +111,21 @@ static const char *decode_account_policy_name(int field)
}
/****************************************************************************
+Get the account policy comment as a string from its #define'ed number
+****************************************************************************/
+
+const char *account_policy_get_comment(int field)
+{
+ int i;
+ for (i=0; account_policy_names[i].string; i++) {
+ if (field == account_policy_names[i].field)
+ return account_policy_names[i].comment;
+ }
+ return NULL;
+
+}
+
+/****************************************************************************
Get the account policy name as a string from its #define'ed number
****************************************************************************/
@@ -182,15 +140,222 @@ int account_policy_name_to_fieldnum(const char *name)
}
-/****************************************************************************
-****************************************************************************/
+/*****************************************************************************
+Update LAST-Set counter inside the cache
+*****************************************************************************/
+
+static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update)
+{
+ pstring key;
+ uint32 val = 0;
+ time_t now;
+
+ slprintf(key, sizeof(key)-1, "%s", AP_LASTSET);
+
+ if (!init_account_policy())
+ return False;
+
+ if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
+ DEBUG(10,("failed to get last set timestamp of cache\n"));
+ return False;
+ }
+
+ *value = val;
+
+ DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
+
+ if (update) {
+
+ now = time(NULL);
+
+ if (!tdb_store_uint32(tdb, key, (uint32)now)) {
+ DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
+ return False;
+ }
+ DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
+ *value = now;
+ }
+
+ return True;
+}
+
+/*****************************************************************************
+Get default value for account policy
+*****************************************************************************/
+
+BOOL account_policy_get_default(int account_policy, uint32 *val)
+{
+ int i;
+ for (i=0; account_policy_names[i].field; i++) {
+ if (account_policy_names[i].field == account_policy) {
+ *val = account_policy_names[i].default_val;
+ return True;
+ }
+ }
+ DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
+ account_policy));
+ return False;
+}
+
+/*****************************************************************************
+ Set default for a field if it is empty
+*****************************************************************************/
+
+static BOOL account_policy_set_default_on_empty(int account_policy)
+{
+
+ uint32 value;
+
+ if (!account_policy_get(account_policy, &value) &&
+ !account_policy_get_default(account_policy, &value)) {
+ return False;
+ }
+
+ return account_policy_set(account_policy, value);
+}
+
+/*****************************************************************************
+Check migration success, set marker if required
+*****************************************************************************/
+
+static BOOL already_migrated_account_policies(BOOL store_migration_success)
+{
+ pstring key;
+ uint32 value;
+
+ slprintf(key, sizeof(key)-1, "%s", AP_MIGRATED);
+
+ if (tdb_fetch_uint32(tdb, key, &value)) {
+ return True;
+ }
+
+ if (store_migration_success) {
+
+ if (!tdb_store_uint32(tdb, key, 1)) {
+ DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
+ return False;
+ }
+ return True;
+ }
+
+ return False;
+}
+
+/*****************************************************************************
+Migrate account policies to passdb
+*****************************************************************************/
+
+static BOOL migrate_account_policy_names_to_passdb(void)
+{
+ int i, tmp_val;
+ BOOL got_pol;
+
+ if (already_migrated_account_policies(False)) {
+ return True;
+ }
+
+ DEBUG(1,("start migrating account policies into passdb\n"));
+
+ for (i=1; decode_account_policy_name(i) != NULL; i++) {
+
+ got_pol = False;
+
+ if (pdb_get_account_policy(i, &tmp_val)) {
+ DEBUG(10,("account policy already in passdb\n"));
+ got_pol = True;
+ }
+
+ if (!got_pol && !account_policy_get(i, &tmp_val)) {
+ DEBUG(0,("very weird: could not get value for account policy\n"));
+ return False;
+ }
+
+ DEBUGADD(1,("\tmigrating account policy (#%d: %s with value: %d) to passdb\n",
+ i, (char *)decode_account_policy_name(i), tmp_val));
+
+ /* set policy via new passdb api */
+ if (!pdb_set_account_policy(i, tmp_val)) {
+ DEBUG(0,("failed to set account_policy\n"));
+ return False;
+ }
+
+ }
+
+ if (!already_migrated_account_policies(True)) {
+ DEBUG(0,("could not store marker for account policy migration in the tdb\n"));
+ return False;
+ }
+
+ DEBUGADD(1,("succesfully migrated account policies into passdb\n"));
+
+ return True;
+}
+
+/*****************************************************************************
+ Open the account policy tdb.
+***`*************************************************************************/
+
+BOOL init_account_policy(void)
+{
+
+ const char *vstring = "INFO/version";
+ uint32 version;
+ int i;
+
+ if (tdb)
+ return True;
+
+ tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+ if (!tdb) {
+ DEBUG(0,("Failed to open account policy database\n"));
+ return False;
+ }
+
+ /* handle a Samba upgrade */
+ tdb_lock_bystring(tdb, vstring,0);
+ if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
+
+ tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
+
+ for (i=0; account_policy_names[i].field; i++) {
+
+ if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
+ DEBUG(0,("failed to set default value in account policy tdb\n"));
+ return False;
+ }
+ }
+ }
+
+ if (!migrate_account_policy_names_to_passdb()) {
+ DEBUG(0,("Could not migrate account policy tdb to passdb.\n"));
+ return False;
+ }
+
+ tdb_unlock_bystring(tdb, vstring);
+
+ /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
+
+ privilege_create_account( &global_sid_World );
+ privilege_create_account( &global_sid_Builtin_Administrators );
+ privilege_create_account( &global_sid_Builtin_Account_Operators );
+ privilege_create_account( &global_sid_Builtin_Server_Operators );
+ privilege_create_account( &global_sid_Builtin_Print_Operators );
+ privilege_create_account( &global_sid_Builtin_Backup_Operators );
+
+ return True;
+}
+
+/*****************************************************************************
+Internal function
+*****************************************************************************/
BOOL account_policy_get(int field, uint32 *value)
{
fstring name;
uint32 regval;
- if(!init_account_policy())return False;
+ if (!init_account_policy())
+ return False;
if (value)
*value = 0;
@@ -213,12 +378,15 @@ BOOL account_policy_get(int field, uint32 *value)
/****************************************************************************
+Get an account policy from a (migrated tdb)
****************************************************************************/
+
BOOL account_policy_set(int field, uint32 value)
{
fstring name;
- if(!init_account_policy())return False;
+ if (!init_account_policy())
+ return False;
fstrcpy(name, decode_account_policy_name(field));
if (!*name) {
@@ -227,7 +395,7 @@ BOOL account_policy_set(int field, uint32 value)
}
if (!tdb_store_uint32(tdb, name, value)) {
- DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value));
+ DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
return False;
}
@@ -237,6 +405,64 @@ BOOL account_policy_set(int field, uint32 value)
}
/****************************************************************************
+Set an account policy in the cache
+****************************************************************************/
+
+BOOL cache_account_policy_set(int field, uint32 value)
+{
+ uint32 lastset, i;
+
+ for (i=0; account_policy_names[i].field; i++) {
+
+ if (account_policy_names[i].field == field) {
+
+ DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
+
+ if (!account_policy_set(field, value)) {
+ return False;
+ }
+
+ if (!account_policy_cache_timestamp(&lastset, True)) {
+ DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
+ return False;
+ }
+
+ DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
+ }
+ }
+
+ return True;
+}
+
+/*****************************************************************************
+Get an account policy from the cache
+*****************************************************************************/
+
+BOOL cache_account_policy_get(int field, uint32 *value)
+{
+ uint32 lastset, i;
+
+ if (!account_policy_cache_timestamp(&lastset, False)) {
+ DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
+ return False;
+ }
+
+ if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
+ DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
+ return False;
+ }
+
+ for (i=0; account_policy_names[i].field; i++) {
+ if (account_policy_names[i].field == field) {
+ return account_policy_get(field, value);
+ }
+ }
+
+ return False;
+}
+
+
+/****************************************************************************
****************************************************************************/
TDB_CONTEXT *get_account_pol_tdb( void )
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 7908bc254d..e242a6c3b1 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -208,6 +208,15 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
{ LDAP_ATTR_LIST_END, NULL }
};
+/* attributes used for account policies */
+
+ATTRIB_MAP_ENTRY acctpol_attr_list[] = {
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_ACCOUNT_POLICY_NAME,"sambaAccountPolicyName" },
+ { LDAP_ATTR_ACCOUNT_POLICY_VAL, "sambaAccountPolicyValue" },
+ { LDAP_ATTR_LIST_END, NULL },
+};
+
/**********************************************************************
perform a simple table lookup and return the attribute name
**********************************************************************/
@@ -1244,6 +1253,82 @@ NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, const char *location, struct smbldap_
}
/**********************************************************************
+ Add the account-policies below the sambaDomain object to LDAP,
+*********************************************************************/
+static NTSTATUS add_new_domain_account_policies(struct smbldap_state *ldap_state,
+ const char *domain_name)
+{
+ NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+ int i, ldap_op, policy_default, rc;
+ const char *policy_string = NULL;
+ const char *policy_comment = NULL;
+ pstring dn;
+ fstring policy_default_str;
+
+ DEBUG(3,("Adding new account policies for domain\n"));
+ ldap_op = LDAP_MOD_ADD;
+
+ for (i=1; decode_account_policy_name(i) != NULL; i++) {
+ LDAPMod **mods = NULL;
+
+ policy_string = decode_account_policy_name(i);
+ if (!policy_string) {
+ DEBUG(0,("add_new_domain_account_policies: ops. no policy!\n"));
+ return ntstatus;
+ }
+
+ policy_comment = account_policy_get_comment(i);
+ if (!policy_comment) {
+ DEBUG(0,("add_new_domain_account_policies: no description for policy found\n"));
+ return ntstatus;
+ }
+
+ if (!account_policy_get_default(i, &policy_default)) {
+ DEBUG(0,("add_new_domain_account_policies: failed to get default account policy\n"));
+ return ntstatus;
+ }
+
+ slprintf(policy_default_str, sizeof(policy_default_str) - 1, "%i", policy_default);
+
+ pstr_sprintf(dn, "%s=%s,%s=%s,%s",
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
+ get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(),
+ lp_ldap_suffix());
+
+ smbldap_set_mod( &mods, ldap_op, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
+
+ smbldap_set_mod( &mods, ldap_op,
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME),
+ policy_string);
+
+ smbldap_set_mod( &mods, ldap_op,
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL),
+ policy_default_str);
+
+ smbldap_set_mod( &mods, ldap_op, "description", policy_comment);
+
+ rc = smbldap_add(ldap_state, dn, mods);
+
+ if (rc!=LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
+ DEBUG(1,("failed to add account policy dn= %s with: %s\n\t%s\n",
+ dn, ldap_err2string(rc),
+ ld_error?ld_error:"unknown"));
+ SAFE_FREE(ld_error);
+
+ ldap_mods_free(mods, True);
+ return ntstatus;
+ }
+
+ DEBUG(2,("added: domain account policy = [%s] in the LDAP database\n", policy_string));
+ ldap_mods_free(mods, True);
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
Add the sambaDomain to LDAP, so we don't have to search for this stuff
again. This is a once-add operation for now.
@@ -1397,7 +1482,8 @@ NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
DEBUG(3, ("Got no domain info entries for domain\n"));
ldap_msgfree(*result);
*result = NULL;
- if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name))) {
+ if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name))
+ && NT_STATUS_IS_OK(ret = add_new_domain_account_policies(ldap_state, domain_name))) {
return smbldap_search_domain_info(ldap_state, result, domain_name, False);
}
else {
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 1f5e4be6cf..bd76941c61 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1897,7 +1897,7 @@ BOOL init_sam_from_buffer_v2(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
}
/* Change from V1 is addition of password history field. */
- account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
if (pwHistLen) {
char *pw_hist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
if (!pw_hist) {
@@ -2105,7 +2105,7 @@ uint32 init_buffer_from_sam_v2 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL si
nt_pw_len = 0;
}
- account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len);
if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
@@ -2314,8 +2314,8 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
return True;
}
- if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
- DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
+ if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
+ DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
return False;
}
@@ -2356,8 +2356,8 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
return True;
}
- if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) {
- DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
+ if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+ DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
return False;
}
@@ -2405,9 +2405,9 @@ BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
return False;
/* Retrieve the account lockout policy */
- if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
+ if (!pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
&account_policy_lockout)) {
- DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
+ DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
return False;
}
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 92e2cee710..3430969e71 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -1123,7 +1123,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
return False;
- if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire)
+ if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire)
|| (expire==(uint32)-1) || (expire == 0)) {
if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
return False;
@@ -1134,7 +1134,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
return False;
}
- if (!account_policy_get(AP_MIN_PASSWORD_AGE, &min_age)
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age)
|| (min_age==(uint32)-1)) {
if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED))
return False;
@@ -1189,7 +1189,7 @@ BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
uchar *pwhistory;
uint32 pwHistLen;
- account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
if (pwHistLen != 0){
uint32 current_history_len;
/* We need to make sure we don't have a race condition here - the
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index ea097c10f6..bc4df4f2a3 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -620,6 +620,35 @@ static NTSTATUS context_enum_alias_memberships(struct pdb_context *context,
enum_alias_memberships(context->pdb_methods, members,
num_members, aliases, num);
}
+
+static NTSTATUS context_get_account_policy(struct pdb_context *context,
+ int policy_index, int *value)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ return context->pdb_methods->get_account_policy(context->pdb_methods,
+ policy_index, value);
+}
+
+static NTSTATUS context_set_account_policy(struct pdb_context *context,
+ int policy_index, int value)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ return context->pdb_methods->set_account_policy(context->pdb_methods,
+ policy_index, value);
+}
+
/******************************************************************
Free and cleanup a pdb context, any associated data and anything
@@ -749,6 +778,9 @@ static NTSTATUS make_pdb_context(struct pdb_context **context)
(*context)->pdb_enum_aliasmem = context_enum_aliasmem;
(*context)->pdb_enum_alias_memberships = context_enum_alias_memberships;
+ (*context)->pdb_get_account_policy = context_get_account_policy;
+ (*context)->pdb_set_account_policy = context_set_account_policy;
+
(*context)->free_fn = free_pdb_context;
return NT_STATUS_OK;
@@ -1201,6 +1233,30 @@ BOOL pdb_enum_alias_memberships(const DOM_SID *members, int num_members,
aliases, num));
}
+BOOL pdb_get_account_policy(int policy_index, int *value)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_get_account_policy(pdb_context, policy_index, value));
+}
+
+BOOL pdb_set_account_policy(int policy_index, int value)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_set_account_policy(pdb_context, policy_index, value));
+}
+
/***************************************************************
Initialize the static context (at smbd startup etc).
@@ -1258,6 +1314,16 @@ static void pdb_default_endsampwent(struct pdb_methods *methods)
return; /* NT_STATUS_NOT_IMPLEMENTED; */
}
+static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+{
+ return account_policy_get(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+{
+ return account_policy_set(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
{
*methods = TALLOC_P(mem_ctx, struct pdb_methods);
@@ -1295,6 +1361,8 @@ NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
(*methods)->del_aliasmem = pdb_default_del_aliasmem;
(*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
(*methods)->enum_alias_memberships = pdb_default_alias_memberships;
+ (*methods)->get_account_policy = pdb_default_get_account_policy;
+ (*methods)->set_account_policy = pdb_default_set_account_policy;
return NT_STATUS_OK;
}
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 8b7661d9a3..2691965364 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -727,7 +727,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
ZERO_STRUCT(smbntpwd);
}
- account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
if (pwHistLen > 0){
uint8 *pwhist = NULL;
int i;
@@ -1071,7 +1071,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
if (need_update(sampass, PDB_PWHISTORY)) {
int pwHistLen = 0;
- account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
if (pwHistLen == 0) {
/* Remove any password history from the LDAP store. */
memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
@@ -1136,7 +1136,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
uint16 badcount = pdb_get_bad_password_count(sampass);
time_t badtime = pdb_get_bad_password_time(sampass);
uint32 pol;
- account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
+ pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
@@ -2878,6 +2878,245 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
return NT_STATUS_OK;
}
+static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+{
+ NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ int count;
+ int rc;
+ pstring filter, base;
+ char **vals;
+ const char *policy_string = NULL;
+ int tmp_val;
+ BOOL found_tdb = False;
+
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
+
+ char *attrs[] = {
+ (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME),
+ (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL),
+ NULL
+ };
+
+ if (cache_account_policy_get(policy_index, value)) {
+ DEBUG(11,("ldapsam_get_account_policy: got valid value from cache\n"));
+ return NT_STATUS_OK;
+ }
+
+ policy_string = decode_account_policy_name(policy_index);
+ if (!policy_string) {
+ DEBUG(0,("ldapsam_get_account_policy: invalid policy index: %d\n", policy_index));
+ return ntstatus;
+ }
+
+ pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
+ LDAP_OBJ_ACCOUNT_POLICY,
+ get_attr_key2string(acctpol_attr_list,
+ LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
+
+ pstr_sprintf(base, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ get_global_sam_name(), lp_ldap_suffix());
+
+search:
+ rc = smbldap_search(ldap_state->smbldap_state, base,
+ LDAP_SCOPE_ONE, filter, attrs, 0, &result);
+
+ if (rc != LDAP_SUCCESS)
+ return ntstatus;
+
+ count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
+ result);
+
+ /* handle deleted ldap-entries (migrate on the fly, use a default as last resort) - gd */
+ if (count < 1 && !found_tdb) {
+
+ found_tdb = False;
+
+ DEBUG(3,("ldapsam_get_account_policy: no entry for that policy in ldap found\n"));
+
+ if (!account_policy_get(policy_index, &tmp_val)) {
+ DEBUG(10,("ldapsam_get_account_policy: failed to get account_policy from tdb\n"));
+ found_tdb = True;
+ }
+
+ if (!found_tdb && !account_policy_get_default(policy_index, &tmp_val)) {
+ ldap_msgfree(result);
+ return ntstatus;
+ }
+
+ if (!pdb_set_account_policy(policy_index, tmp_val)) {
+ DEBUG(1,("ldapsam_get_account_policy: failed to set account_policy\n"));
+ ldap_msgfree(result);
+ return ntstatus;
+ }
+
+ DEBUG(3,("ldapsam_get_account_policy: set account policy value based on %s value.\n",
+ found_tdb ? "tdb":"default"));
+
+ ldap_msgfree(result);
+ goto search;
+ }
+
+ entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+
+ if (!entry) {
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry,
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL));
+
+ if (vals == NULL)
+ goto out;
+
+ *value = (uint32)atol(vals[0]);
+
+ if (!cache_account_policy_set(policy_index, *value)) {
+ DEBUG(0,("ldapsam_get_account_policy: failed to update local tdb as a cache\n"));
+ return ntstatus;
+ }
+
+ ntstatus = NT_STATUS_OK;
+
+out:
+ ldap_value_free(vals);
+ ldap_msgfree(result);
+
+ return ntstatus;
+}
+
+static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+{
+ NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ int count;
+ int rc;
+ pstring filter, base, dn;
+ int modop;
+ LDAPMod **mods = NULL;
+ fstring value_string;
+ char *old_dn = NULL;
+ const char *policy_string = NULL;
+ const char *policy_description = NULL;
+
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
+
+ char *attrs[] = {
+ (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME),
+ (char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL),
+ NULL
+ };
+
+ policy_string = decode_account_policy_name(policy_index);
+ if (!policy_string) {
+ DEBUG(0,("ldapsam_set_account_policy: invalid policy\n"));
+ return ntstatus;
+ }
+
+ policy_description = account_policy_get_comment(policy_index);
+ if (!policy_description) {
+ DEBUG(0,("ldapsam_set_account_policy: no description for policy found\n"));
+ return ntstatus;
+ }
+
+ pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
+ LDAP_OBJ_ACCOUNT_POLICY,
+ get_attr_key2string(acctpol_attr_list,
+ LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
+
+ pstr_sprintf(base, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ get_global_sam_name(), lp_ldap_suffix());
+
+ rc = smbldap_search(ldap_state->smbldap_state, base,
+ LDAP_SCOPE_ONE, filter, attrs, 0, &result);
+
+ if (rc != LDAP_SUCCESS)
+ return ntstatus;
+
+ count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+ slprintf(value_string, sizeof(value_string) - 1, "%i", value);
+
+ if (count == 1) {
+
+ modop = LDAP_MOD_REPLACE;
+
+ entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+
+ if (!entry) {
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ old_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
+ if (!old_dn) {
+ ldap_msgfree(result);
+ return ntstatus;
+ }
+
+ smbldap_set_mod(&mods, modop,
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL),
+ value_string);
+
+ rc = smbldap_modify(ldap_state->smbldap_state, old_dn, mods);
+
+ } else {
+
+ modop = LDAP_MOD_ADD;
+
+ pstr_sprintf(dn, "%s=%s,%s=%s,%s",
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
+ get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(),
+ lp_ldap_suffix());
+
+ smbldap_set_mod( &mods, modop, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
+
+ smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods,
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME),
+ policy_string);
+
+ smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods,
+ get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL),
+ value_string);
+
+ smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods,
+ "description",
+ policy_description);
+
+ rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
+ }
+
+ ldap_mods_free(mods, True);
+ ldap_msgfree(result);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state->smbldap_state->ldap_struct,
+ LDAP_OPT_ERROR_STRING,&ld_error);
+
+ DEBUG(0, ("ldapsam_set_account_policy: Could not set account policy "
+ "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
+ ld_error?ld_error:"unknown"));
+ SAFE_FREE(ld_error);
+ SAFE_FREE(old_dn);
+ return ntstatus;
+ }
+
+ SAFE_FREE(old_dn);
+
+ if (!cache_account_policy_set(policy_index, value)) {
+ DEBUG(0,("ldapsam_set_account_policy: failed to update local tdb cache\n"));
+ return ntstatus;
+ }
+
+ return NT_STATUS_OK;
+}
+
/**********************************************************************
Housekeeping
*********************************************************************/
@@ -2932,6 +3171,9 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
(*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
+ (*pdb_method)->get_account_policy = ldapsam_get_account_policy;
+ (*pdb_method)->set_account_policy = ldapsam_set_account_policy;
+
/* TODO: Setup private data and free */
ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates);
diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c
index c11e0d59a0..3a5c965820 100644
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -380,7 +380,7 @@ WERROR _reg_info(pipes_struct *p, REG_Q_INFO *q_u, REG_R_INFO *r_u)
return WERR_NOMEM;
}
- if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
+ if (!pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
dwValue = 0;
regval_ctr_addvalue(&regvals, "RefusePasswordChange",
REG_DWORD,
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 462a646329..8ee59210eb 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2100,19 +2100,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
switch (q_u->switch_value) {
case 0x01:
- account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
+ pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
min_pass_len = account_policy_temp;
- account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
pass_hist = account_policy_temp;
- account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
+ pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
flag = account_policy_temp;
- account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+ pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
u_expire = account_policy_temp;
- account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+ pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
u_min_age = account_policy_temp;
unix_to_nt_time_abs(&nt_expire, u_expire);
@@ -2140,7 +2140,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
num_groups=info->disp_info.num_group_account;
free_samr_db(info);
- account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
+ pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
u_logout = account_policy_temp;
unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -2150,7 +2150,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
num_users, num_groups, num_aliases, nt_logout);
break;
case 0x03:
- account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
+ pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
unix_to_nt_time_abs(&nt_logout, u_logout);
init_unk_info3(&ctr->info.inf3, nt_logout);
@@ -2168,15 +2168,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
break;
case 0x0c:
- account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+ pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
u_lock_duration = account_policy_temp;
if (u_lock_duration != -1)
u_lock_duration *= 60;
- account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
+ pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
u_reset_time = account_policy_temp * 60;
- account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+ pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
lockout = account_policy_temp;
unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
@@ -4567,19 +4567,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
switch (q_u->switch_value) {
case 0x01:
- account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
+ pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
min_pass_len = account_policy_temp;
- account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
pass_hist = account_policy_temp;
- account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
+ pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
flag = account_policy_temp;
- account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+ pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
u_expire = account_policy_temp;
- account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+ pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
u_min_age = account_policy_temp;
unix_to_nt_time_abs(&nt_expire, u_expire);
@@ -4607,7 +4607,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
num_groups=info->disp_info.num_group_account;
free_samr_db(info);
- account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
+ pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
u_logout = account_policy_temp;
unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -4617,7 +4617,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
num_users, num_groups, num_aliases, nt_logout);
break;
case 0x03:
- account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
+ pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
u_logout = account_policy_temp;
unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -4637,15 +4637,15 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
break;
case 0x0c:
- account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+ pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
u_lock_duration = account_policy_temp;
if (u_lock_duration != -1)
u_lock_duration *= 60;
- account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
+ pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
u_reset_time = account_policy_temp * 60;
- account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+ pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
lockout = account_policy_temp;
unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
@@ -4689,17 +4689,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R
u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
- account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
- account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
- account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
- account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
- account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
+ pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
+ pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
+ pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
+ pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
+ pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
break;
case 0x02:
break;
case 0x03:
u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
- account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
+ pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
break;
case 0x05:
break;
@@ -4711,11 +4711,12 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R
u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
if (u_lock_duration != -1)
u_lock_duration /= 60;
+
u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
- account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
- account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
- account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
+ pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
+ pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
+ pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
break;
default:
return NT_STATUS_INVALID_INFO_CLASS;
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 540acfc225..3765b7d38f 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -945,7 +945,7 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
BOOL found = False;
int i, pwHisLen, curr_pwHisLen;
- account_policy_get(AP_PASSWORD_HISTORY, &pwHisLen);
+ pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHisLen);
if (pwHisLen == 0) {
return False;
}
@@ -1017,7 +1017,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
}
/* FIXME: AP_MIN_PASSWORD_LEN and lp_min_passwd_length() need to be merged - gd */
- if (account_policy_get(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
+ if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
DEBUG(1, ("user %s cannot change password - password too short\n",
username));
DEBUGADD(1, (" account policy min password len = %d\n", min_len));
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 320341ec05..2db8ff054b 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -1000,34 +1000,34 @@ static NTSTATUS fetch_domain_info(uint32 rid, SAM_DOMAIN_INFO *delta)
}
- if (!account_policy_set(AP_PASSWORD_HISTORY, delta->pwd_history_len))
+ if (!pdb_set_account_policy(AP_PASSWORD_HISTORY, delta->pwd_history_len))
return nt_status;
- if (!account_policy_set(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
+ if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
return nt_status;
- if (!account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
+ if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
return nt_status;
- if (!account_policy_set(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
+ if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
return nt_status;
- if (!account_policy_set(AP_TIME_TO_LOGOUT, (uint32)u_logout))
+ if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout))
return nt_status;
- if (!account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
+ if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
return nt_status;
- if (!account_policy_set(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
+ if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
return nt_status;
if (u_lockouttime != -1)
u_lockouttime /= 60;
- if (!account_policy_set(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
+ if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
return nt_status;
- if (!account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
+ if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
return nt_status;
return NT_STATUS_OK;
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index 3584ef0367..d29b6ea66c 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -119,6 +119,27 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) {
}
/*********************************************************
+ Add all currently available account policy from tdb to one backend
+ ********************************************************/
+
+static int export_account_policies (struct pdb_context *in, struct pdb_context *out)
+{
+ int i;
+
+ for (i=1; decode_account_policy_name(i) != NULL; i++) {
+ uint32 policy_value;
+ if (NT_STATUS_IS_ERR(in->pdb_get_account_policy(in, i, &policy_value))) {
+ fprintf(stderr, "Can't get account policy from tdb\n");
+ return -1;
+ }
+ out->pdb_set_account_policy(out, i, policy_value);
+ }
+
+ return 0;
+}
+
+
+/*********************************************************
Print info from sam structure
**********************************************************/
@@ -648,6 +669,7 @@ int main (int argc, char **argv)
static char *backend_in = NULL;
static char *backend_out = NULL;
static BOOL transfer_groups = False;
+ static BOOL transfer_account_policies = False;
static BOOL force_initialised_password = False;
static char *logon_script = NULL;
static char *profile_path = NULL;
@@ -688,6 +710,7 @@ int main (int argc, char **argv)
{"import", 'i', POPT_ARG_STRING, &backend_in, 0, "import user accounts from this backend", NULL},
{"export", 'e', POPT_ARG_STRING, &backend_out, 0, "export user accounts to this backend", NULL},
{"group", 'g', POPT_ARG_NONE, &transfer_groups, 0, "use -i and -e for groups", NULL},
+ {"policies", 'y', POPT_ARG_NONE, &transfer_account_policies, 0, "use -i and -e to move account policies between backends", NULL},
{"account-policy", 'P', POPT_ARG_STRING, &account_policy, 0,"value of an account policy (like maximum password age)",NULL},
{"value", 'C', POPT_ARG_LONG, &account_policy_value, 'C',"set the account policy to this value", NULL},
{"account-control", 'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL},
@@ -787,20 +810,22 @@ int main (int argc, char **argv)
SAFE_FREE(apn);
exit(1);
}
- if (!account_policy_get(field, &value)) {
+ if (!pdb_get_account_policy(field, &value)) {
fprintf(stderr, "valid account policy, but unable to fetch value!\n");
- exit(1);
+ if (!account_policy_value_set)
+ exit(1);
}
+ printf("account policy \"%s\" description: %s\n", account_policy, account_policy_get_comment(field));
if (account_policy_value_set) {
- printf("account policy value for %s was %u\n", account_policy, value);
- if (!account_policy_set(field, account_policy_value)) {
+ printf("account policy \"%s\" value was: %u\n", account_policy, value);
+ if (!pdb_set_account_policy(field, account_policy_value)) {
fprintf(stderr, "valid account policy, but unable to set value!\n");
exit(1);
}
- printf("account policy value for %s is now %lu\n", account_policy, account_policy_value);
+ printf("account policy \"%s\" value is now: %lu\n", account_policy, account_policy_value);
exit(0);
} else {
- printf("account policy value for %s is %u\n", account_policy, value);
+ printf("account policy \"%s\" value is: %u\n", account_policy, value);
exit(0);
}
}
@@ -824,7 +849,10 @@ int main (int argc, char **argv)
} else {
bout = bdef;
}
- if (transfer_groups) {
+ if (transfer_account_policies) {
+ if (!(checkparms & BIT_USER))
+ return export_account_policies(bin, bout);
+ } else if (transfer_groups) {
if (!(checkparms & BIT_USER))
return export_groups(bin, bout);
} else {