authorJim McDonough <jmcd@samba.org>2005-01-10 18:29:52 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:50 -0500
commitdeaaa6ee9ee0e3f170498baabca4a175453718ed (patch)
tree5a03768f3e660526339eb3f810f7b0d34d6a73d3 /source3
parenta9928f0d95670b0e770fc9e8b7673bc863c1253b (diff)
r4651: Add "refuse machine password change" policy field. This update will just
return the appropriate reg value. Enforcement to be added soon. Also, fix account policy tdb upgrade so it doesn't just wipe out everything that was in there from a previous version. (This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)
Diffstat (limited to 'source3')
-rw-r--r--source3/include/smb.h2
-rw-r--r--source3/lib/account_pol.c66
-rw-r--r--source3/rpc_server/srv_reg_nt.c13
3 files changed, 65 insertions, 16 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h
index a7db0c0a86..d15f630507 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -638,7 +638,7 @@ typedef struct {
#define AP_RESET_COUNT_TIME 7
#define AP_BAD_ATTEMPT_LOCKOUT 8
#define AP_TIME_TO_LOGOUT 9
-
+#define AP_REFUSE_MACHINE_PW_CHANGE 10
/*
* Flags for local user manipulation.
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c
index aa59383258..c62396c22d 100644
--- a/source3/lib/account_pol.c
+++ b/source3/lib/account_pol.c
@@ -22,7 +22,19 @@
#include "includes.h"
static TDB_CONTEXT *tdb; /* used for driver files */
-#define DATABASE_VERSION 1
+#define DATABASE_VERSION 2
+
+/****************************************************************************
+ Set default for a field if it is empty
+****************************************************************************/
+
+static void set_default_on_empty(int field, uint32 value)
+{
+ if (account_policy_get(field, NULL))
+ return;
+ account_policy_set(field, value);
+ return;
+}
/****************************************************************************
Open the account policy tdb.
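Review bot: `set_default_on_empty` discards the result of `account_policy_set`, so a default that fails to store is never noticed by `init_account_policy`. It also treats every False from `account_policy_get` as "empty", and that function (changed later in this patch) returns False for an unknown field number as well as for a missing key, logging at level 1 in both cases, so a fresh database will emit one `tdb_fetch_uint32 failed` message per default. Consider reporting the outcome, e.g. a `BOOL` return type with `return account_policy_get(field, NULL) ? True : account_policy_set(field, value);`, assuming `account_policy_set` returns `BOOL` like its sibling (its definition is not in the hunk). The trailing `return;` is redundant.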
@@ -44,18 +56,38 @@ BOOL init_account_policy(void)
/* handle a Samba upgrade */
tdb_lock_bystring(tdb, vstring,0);
if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
- tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
- account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */
- account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */
- account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */
- account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1); /* don't expire */
- account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */
- account_policy_set(AP_LOCK_ACCOUNT_DURATION, 30); /* lockout for 30 minutes */
- account_policy_set(AP_RESET_COUNT_TIME, 30); /* reset after 30 minutes */
- account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */
- account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */
+ set_default_on_empty(
+ AP_MIN_PASSWORD_LEN,
+ MINPASSWDLENGTH);/* 5 chars minimum */
+ set_default_on_empty(
+ AP_PASSWORD_HISTORY,
+ 0); /* don't keep any old password */
+ set_default_on_empty(
+ AP_USER_MUST_LOGON_TO_CHG_PASS,
+ 0); /* don't force user to logon */
+ set_default_on_empty(
+ AP_MAX_PASSWORD_AGE,
+ (uint32)-1); /* don't expire */
+ set_default_on_empty(
+ AP_MIN_PASSWORD_AGE,
+ 0); /* 0 days */
+ set_default_on_empty(
+ AP_LOCK_ACCOUNT_DURATION,
+ 30); /* lockout for 30 minutes */
+ set_default_on_empty(
+ AP_RESET_COUNT_TIME,
+ 30); /* reset after 30 minutes */
+ set_default_on_empty(
+ AP_BAD_ATTEMPT_LOCKOUT,
+ 0); /* don't lockout */
+ set_default_on_empty(
+ AP_TIME_TO_LOGOUT,
+ -1); /* don't force logout */
+ set_default_on_empty(
+ AP_REFUSE_MACHINE_PW_CHANGE,
+ 0); /* allow machine pw changes */
}
tdb_unlock_bystring(tdb, vstring);
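Review bot: The version stamp is written by `tdb_store_uint32(tdb, vstring, DATABASE_VERSION)` before any of the defaults are filled in, and nothing in this block checks whether the writes succeeded. If a default fails to store, the database is already marked as version 2, the upgrade block is skipped on the next start, and that policy field stays absent, so `account_policy_get` keeps returning False with a value of 0 for it; how callers treat that for fields such as `AP_MIN_PASSWORD_LEN` is not visible here. Moving the `tdb_store_uint32` call after the last `set_default_on_empty(...)` and skipping it when a write fails would let the next start retry. `AP_TIME_TO_LOGOUT` is also passed a bare `-1` while `AP_MAX_PASSWORD_AGE` uses `(uint32)-1`; the cast should be used in both places. The rest of `init_account_policy` lies outside the hunk.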
@@ -75,6 +107,7 @@ static const struct {
{AP_RESET_COUNT_TIME, "reset count minutes"},
{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"},
{AP_TIME_TO_LOGOUT, "disconnect time"},
+ {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"},
{0, NULL}
};
@@ -138,21 +171,26 @@ int account_policy_name_to_fieldnum(const char *name)
BOOL account_policy_get(int field, uint32 *value)
{
fstring name;
+ uint32 regval;
if(!init_account_policy())return False;
- *value = 0;
+ if (value)
+ *value = 0;
fstrcpy(name, decode_account_policy_name(field));
if (!*name) {
DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
return False;
}
- if (!tdb_fetch_uint32(tdb, name, value)) {
+ if (!tdb_fetch_uint32(tdb, name, &regval)) {
DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
return False;
}
- DEBUG(10,("account_policy_get: %s:%d\n", name, *value));
+ if (value)
+ *value = regval;
+
+ DEBUG(10,("account_policy_get: %s:%d\n", name, regval));
return True;
}
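Review bot: `account_policy_get` now accepts a NULL `value` so that it can be used as an existence probe, but that contract is not documented anywhere in the hunk; the function's header comment (outside the hunk, if there is one) should say something like `value may be NULL when the caller only needs to know whether the field is stored`. The two level-1 messages still end with "returning 0", which no longer describes the NULL case. `regval` is a `uint32` printed with `%d`, so the `(uint32)-1` default for `AP_MAX_PASSWORD_AGE` will log as -1; `DEBUG(10,("account_policy_get: %s:%u\n", name, regval));` avoids that.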
diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c
index dc9db47c66..d85a066e34 100644
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -373,11 +373,22 @@ NTSTATUS _reg_info(pipes_struct *p, REG_Q_INFO *q_u, REG_R_INFO *r_u)
/* couple of hard coded registry values */
if ( strequal(name, "RefusePasswordChange") ) {
+ uint32 dwValue;
+
if ( (val = SMB_MALLOC_P(REGISTRY_VALUE)) == NULL ) {
DEBUG(0,("_reg_info: malloc() failed!\n"));
return NT_STATUS_NO_MEMORY;
}
- ZERO_STRUCTP( val );
+
+ if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
+ dwValue = 0;
+ regval_ctr_addvalue(&regvals, "RefusePasswordChange",
+ REG_DWORD,
+ (const char*)&dwValue, sizeof(dwValue));
+ val = dup_registry_value(
+ regval_ctr_specific_value( &regvals, 0 ) );
+
+ status = NT_STATUS_OK;
goto out;
}
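Review bot: The buffer obtained from `SMB_MALLOC_P(REGISTRY_VALUE)` is leaked, because `val` is overwritten by the result of `dup_registry_value(...)` a few lines later without being freed, and this happens on every `_reg_info` call that names `RefusePasswordChange`. The allocation block can be dropped and the check moved to the duplicate, e.g. `if (val == NULL) return NT_STATUS_NO_MEMORY;` placed after the `dup_registry_value` call, since `status` is otherwise set to `NT_STATUS_OK` even when the duplication failed. The result of `regval_ctr_addvalue` is not checked either, and `regval_ctr_specific_value( &regvals, 0 )` presumes the new value landed at index 0, which holds only if `regvals` is empty at this point. That assumption and the cleanup at `out:` are outside the hunk and should be confirmed.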