diff options
-rw-r--r-- | source3/Makefile.in | 20 | ||||
-rw-r--r-- | source3/include/passdb.h | 12 | ||||
-rw-r--r-- | source3/include/smbldap.h | 4 | ||||
-rw-r--r-- | source3/lib/account_pol.c | 424 | ||||
-rw-r--r-- | source3/lib/smbldap.c | 88 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 16 | ||||
-rw-r--r-- | source3/passdb/pdb_get_set.c | 6 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 68 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 255 | ||||
-rw-r--r-- | source3/rpc_server/srv_reg_nt.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr.c | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 58 | ||||
-rw-r--r-- | source3/smbd/chgpasswd.c | 4 | ||||
-rw-r--r-- | source3/utils/net_rpc_samsync.c | 18 | ||||
-rw-r--r-- | source3/utils/pdbedit.c | 42 |
15 files changed, 172 insertions, 846 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index f20584218a..466958b5ab 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -203,10 +203,10 @@ LIB_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \ lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \ lib/md5.o lib/hmacmd5.o lib/iconv.o \ nsswitch/wb_client.o $(WBCOMMON_OBJ) \ - lib/pam_errors.o intl/lang_tdb.o \ + lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \ lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \ lib/module.o lib/ldap_escape.o @CHARSET_STATIC@ \ - lib/secdesc.o lib/secace.o lib/secacl.o + lib/privileges.o lib/secdesc.o lib/secace.o lib/secacl.o LIB_NONSMBD_OBJ = $(LIB_OBJ) lib/dummysmbd.o @@ -312,7 +312,7 @@ PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \ passdb/util_sam_sid.o passdb/pdb_compat.o \ passdb/lookup_sid.o \ passdb/login_cache.o @PDB_STATIC@ passdb/pdb_sql.o \ - lib/system_smbd.o lib/account_pol.o lib/privileges.o + lib/system_smbd.o XML_OBJ = passdb/pdb_xml.o MYSQL_OBJ = passdb/pdb_mysql.o @@ -507,8 +507,8 @@ LIBSMBCLIENT_OBJ = libsmb/libsmbclient.o libsmb/libsmb_compat.o \ libsmb/libsmb_cache.o \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ - $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ - $(SECRETS_OBJ) $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ) + $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \ + $(SECRETS_OBJ) # This shared library is intended for linking with unit test programs # to test Samba internals. It's called libbigballofmud.so to @@ -584,15 +584,13 @@ LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \ SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \ - $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \ - $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ) \ - $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ) + $(PASSDB_GET_SET_OBJ) $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \ + $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ) SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(PARAM_OBJ) \ - $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \ - $(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \ - $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ) + $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \ + $(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) TALLOCTORT_OBJ = lib/talloctort.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) libsmb/nterr.o diff --git a/source3/include/passdb.h b/source3/include/passdb.h index eed3be1ff9..42f38e5b6a 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -334,12 +334,6 @@ typedef struct pdb_context DOM_SID **aliases, int *num_aliases); - NTSTATUS (*pdb_get_account_policy)(struct pdb_context *context, - int policy_index, int *value); - - NTSTATUS (*pdb_set_account_policy)(struct pdb_context *context, - int policy_index, int value); - void (*free_fn)(struct pdb_context **); TALLOC_CTX *mem_ctx; @@ -431,12 +425,6 @@ typedef struct pdb_methods int num_members, DOM_SID **aliases, int *num); - NTSTATUS (*get_account_policy)(struct pdb_methods *methods, - int policy_index, int *value); - - NTSTATUS (*set_account_policy)(struct pdb_methods *methods, - int policy_index, int value); - void *private_data; /* Private data of some kind */ void (*free_private_data)(void **); diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h index 9a116ab7e7..adb51430dc 100644 --- a/source3/include/smbldap.h +++ b/source3/include/smbldap.h @@ -38,7 +38,6 @@ #define LDAP_OBJ_IDPOOL "sambaUnixIdPool" #define LDAP_OBJ_IDMAP_ENTRY "sambaIdmapEntry" #define LDAP_OBJ_SID_ENTRY "sambaSidEntry" -#define LDAP_OBJ_ACCOUNT_POLICY "sambaAccountPolicy" #define LDAP_OBJ_ACCOUNT "account" #define LDAP_OBJ_POSIXACCOUNT "posixAccount" @@ -98,8 +97,6 @@ #define LDAP_ATTR_SID_LIST 40 #define LDAP_ATTR_MOD_TIMESTAMP 41 #define LDAP_ATTR_LOGON_HOURS 42 -#define LDAP_ATTR_ACCOUNT_POLICY_NAME 43 -#define LDAP_ATTR_ACCOUNT_POLICY_VAL 44 typedef struct _attrib_map_entry { int attrib; @@ -118,7 +115,6 @@ extern ATTRIB_MAP_ENTRY groupmap_attr_list[]; extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[]; extern ATTRIB_MAP_ENTRY idpool_attr_list[]; extern ATTRIB_MAP_ENTRY sidmap_attr_list[]; -extern ATTRIB_MAP_ENTRY acctpol_attr_list[]; /* Function declarations -- not included in proto.h so we don't have to worry about LDAP structure types */ diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index f6e3943993..5997d9180a 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -3,7 +3,6 @@ * account policy storage * Copyright (C) Jean François Micouleau 1998-2001. * Copyright (C) Andrew Bartlett 2002 - * Copyright (C) Guenther Deschner 2004-2005 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -23,14 +22,7 @@ #include "includes.h" static TDB_CONTEXT *tdb; -/* cache all entries for 60 seconds for to save ldap-queries (cache is updated - * after this period if admins do not use pdbedit or usermanager but manipulate - * ldap directly) - gd */ - -#define DATABASE_VERSION 3 -#define AP_LASTSET "LAST_CACHE_UPDATE" -#define AP_MIGRATED "ACCOUNT POLICIES WERE MIGRATED TO PASSDB" -#define AP_TTL 60 +#define DATABASE_VERSION 2 extern DOM_SID global_sid_World; extern DOM_SID global_sid_Builtin_Administrators; @@ -40,35 +32,100 @@ extern DOM_SID global_sid_Builtin_Print_Operators; extern DOM_SID global_sid_Builtin_Backup_Operators; -struct ap_table { +/**************************************************************************** + Set default for a field if it is empty +****************************************************************************/ + +static void set_default_on_empty(int field, uint32 value) +{ + if (account_policy_get(field, NULL)) + return; + account_policy_set(field, value); + return; +} + +/**************************************************************************** + Open the account policy tdb. +****************************************************************************/ + +BOOL init_account_policy(void) +{ + const char *vstring = "INFO/version"; + uint32 version; + + if (tdb) + return True; + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open account policy database\n")); + return False; + } + + /* handle a Samba upgrade */ + tdb_lock_bystring(tdb, vstring,0); + if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { + tdb_store_uint32(tdb, vstring, DATABASE_VERSION); + + set_default_on_empty( + AP_MIN_PASSWORD_LEN, + MINPASSWDLENGTH);/* 5 chars minimum */ + set_default_on_empty( + AP_PASSWORD_HISTORY, + 0); /* don't keep any old password */ + set_default_on_empty( + AP_USER_MUST_LOGON_TO_CHG_PASS, + 0); /* don't force user to logon */ + set_default_on_empty( + AP_MAX_PASSWORD_AGE, + (uint32)-1); /* don't expire */ + set_default_on_empty( + AP_MIN_PASSWORD_AGE, + 0); /* 0 days */ + set_default_on_empty( + AP_LOCK_ACCOUNT_DURATION, + 30); /* lockout for 30 minutes */ + set_default_on_empty( + AP_RESET_COUNT_TIME, + 30); /* reset after 30 minutes */ + set_default_on_empty( + AP_BAD_ATTEMPT_LOCKOUT, + 0); /* don't lockout */ + set_default_on_empty( + AP_TIME_TO_LOGOUT, + -1); /* don't force logout */ + set_default_on_empty( + AP_REFUSE_MACHINE_PW_CHANGE, + 0); /* allow machine pw changes */ + } + tdb_unlock_bystring(tdb, vstring); + + /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ + + privilege_create_account( &global_sid_World ); + privilege_create_account( &global_sid_Builtin_Administrators ); + privilege_create_account( &global_sid_Builtin_Account_Operators ); + privilege_create_account( &global_sid_Builtin_Server_Operators ); + privilege_create_account( &global_sid_Builtin_Print_Operators ); + privilege_create_account( &global_sid_Builtin_Backup_Operators ); + + return True; +} + +static const struct { int field; const char *string; - uint32 default_val; - const char *comment; -}; - -static const struct ap_table account_policy_names[] = { - {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, - "Minimal password length (default: 5)"}, - {AP_PASSWORD_HISTORY, "password history", 0, - "Length of Password History Entries (default: 0 => off)" }, - {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0, - "Force Users to logon for password change (default: 0 => off, 2 => on)"}, - {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32)-1, - "Maximum password age, in seconds (default: -1 => never expire passwords)"}, - {AP_MIN_PASSWORD_AGE,"minimum password age", 0, - "Minimal password age, in seconds (default: 0 => allow immediate password change)"}, - {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30, - "Lockout duration in minutes (default: 30, -1 => forever)"}, - {AP_RESET_COUNT_TIME, "reset count minutes", 30, - "Reset time after lockout in minutes (default: 30)"}, - {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0, - "Lockout users after bad logon attempts (default: 0 => off)"}, - {AP_TIME_TO_LOGOUT, "disconnect time", -1, - "Disconnect Users outside logon hours (default: -1 => off, 0 => on)"}, - {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0, - "Allow Machine Password changes (default: 0 => off)"}, - {0, NULL, 0, ""} +} account_policy_names[] = { + {AP_MIN_PASSWORD_LEN, "min password length"}, + {AP_PASSWORD_HISTORY, "password history"}, + {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, + {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"}, + {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"}, + {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, + {AP_RESET_COUNT_TIME, "reset count minutes"}, + {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, + {AP_TIME_TO_LOGOUT, "disconnect time"}, + {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"}, + {0, NULL} }; char *account_policy_names_list(void) @@ -99,7 +156,7 @@ char *account_policy_names_list(void) Get the account policy name as a string from its #define'ed number ****************************************************************************/ -const char *decode_account_policy_name(int field) +static const char *decode_account_policy_name(int field) { int i; for (i=0; account_policy_names[i].string; i++) { @@ -111,21 +168,6 @@ const char *decode_account_policy_name(int field) } /**************************************************************************** -Get the account policy comment as a string from its #define'ed number -****************************************************************************/ - -const char *account_policy_get_comment(int field) -{ - int i; - for (i=0; account_policy_names[i].string; i++) { - if (field == account_policy_names[i].field) - return account_policy_names[i].comment; - } - return NULL; - -} - -/**************************************************************************** Get the account policy name as a string from its #define'ed number ****************************************************************************/ @@ -140,222 +182,15 @@ int account_policy_name_to_fieldnum(const char *name) } -/***************************************************************************** -Update LAST-Set counter inside the cache -*****************************************************************************/ - -static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update) -{ - pstring key; - uint32 val = 0; - time_t now; - - slprintf(key, sizeof(key)-1, "%s", AP_LASTSET); - - if (!init_account_policy()) - return False; - - if (!tdb_fetch_uint32(tdb, key, &val) && !update) { - DEBUG(10,("failed to get last set timestamp of cache\n")); - return False; - } - - *value = val; - - DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val))); - - if (update) { - - now = time(NULL); - - if (!tdb_store_uint32(tdb, key, (uint32)now)) { - DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); - return False; - } - DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now))); - *value = now; - } - - return True; -} - -/***************************************************************************** -Get default value for account policy -*****************************************************************************/ - -BOOL account_policy_get_default(int account_policy, uint32 *val) -{ - int i; - for (i=0; account_policy_names[i].field; i++) { - if (account_policy_names[i].field == account_policy) { - *val = account_policy_names[i].default_val; - return True; - } - } - DEBUG(0,("no default for account_policy index %d found. This should never happen\n", - account_policy)); - return False; -} - -/***************************************************************************** - Set default for a field if it is empty -*****************************************************************************/ - -static BOOL account_policy_set_default_on_empty(int account_policy) -{ - - uint32 value; - - if (!account_policy_get(account_policy, &value) && - !account_policy_get_default(account_policy, &value)) { - return False; - } - - return account_policy_set(account_policy, value); -} - -/***************************************************************************** -Check migration success, set marker if required -*****************************************************************************/ - -static BOOL already_migrated_account_policies(BOOL store_migration_success) -{ - pstring key; - uint32 value; - - slprintf(key, sizeof(key)-1, "%s", AP_MIGRATED); - - if (tdb_fetch_uint32(tdb, key, &value)) { - return True; - } - - if (store_migration_success) { - - if (!tdb_store_uint32(tdb, key, 1)) { - DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); - return False; - } - return True; - } - - return False; -} - -/***************************************************************************** -Migrate account policies to passdb -*****************************************************************************/ - -static BOOL migrate_account_policy_names_to_passdb(void) -{ - int i, tmp_val; - BOOL got_pol; - - if (already_migrated_account_policies(False)) { - return True; - } - - DEBUG(1,("start migrating account policies into passdb\n")); - - for (i=1; decode_account_policy_name(i) != NULL; i++) { - - got_pol = False; - - if (pdb_get_account_policy(i, &tmp_val)) { - DEBUG(10,("account policy already in passdb\n")); - got_pol = True; - } - - if (!got_pol && !account_policy_get(i, &tmp_val)) { - DEBUG(0,("very weird: could not get value for account policy\n")); - return False; - } - - DEBUGADD(1,("\tmigrating account policy (#%d: %s with value: %d) to passdb\n", - i, decode_account_policy_name(i), tmp_val)); - - /* set policy via new passdb api */ - if (!pdb_set_account_policy(i, tmp_val)) { - DEBUG(0,("failed to set account_policy\n")); - return False; - } - - } - - if (!already_migrated_account_policies(True)) { - DEBUG(0,("could not store marker for account policy migration in the tdb\n")); - return False; - } - - DEBUGADD(1,("succesfully migrated account policies into passdb\n")); - - return True; -} - -/***************************************************************************** - Open the account policy tdb. -***`*************************************************************************/ - -BOOL init_account_policy(void) -{ - - const char *vstring = "INFO/version"; - uint32 version; - int i; - - if (tdb) - return True; - - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - if (!tdb) { - DEBUG(0,("Failed to open account policy database\n")); - return False; - } - - /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring,0); - if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - - tdb_store_uint32(tdb, vstring, DATABASE_VERSION); - - for (i=0; account_policy_names[i].field; i++) { - - if (!account_policy_set_default_on_empty(account_policy_names[i].field)) { - DEBUG(0,("failed to set default value in account policy tdb\n")); - return False; - } - } - } - - if (!migrate_account_policy_names_to_passdb()) { - DEBUG(0,("Could not migrate account policy tdb to passdb.\n")); - return False; - } - - tdb_unlock_bystring(tdb, vstring); - - /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ - - privilege_create_account( &global_sid_World ); - privilege_create_account( &global_sid_Builtin_Administrators ); - privilege_create_account( &global_sid_Builtin_Account_Operators ); - privilege_create_account( &global_sid_Builtin_Server_Operators ); - privilege_create_account( &global_sid_Builtin_Print_Operators ); - privilege_create_account( &global_sid_Builtin_Backup_Operators ); - - return True; -} - -/***************************************************************************** -Internal function -*****************************************************************************/ +/**************************************************************************** +****************************************************************************/ BOOL account_policy_get(int field, uint32 *value) { fstring name; uint32 regval; - if (!init_account_policy()) - return False; + if(!init_account_policy())return False; if (value) *value = 0; @@ -378,15 +213,12 @@ BOOL account_policy_get(int field, uint32 *value) /**************************************************************************** -Get an account policy from a (migrated tdb) ****************************************************************************/ - BOOL account_policy_set(int field, uint32 value) { fstring name; - if (!init_account_policy()) - return False; + if(!init_account_policy())return False; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { @@ -395,7 +227,7 @@ BOOL account_policy_set(int field, uint32 value) } if (!tdb_store_uint32(tdb, name, value)) { - DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value)); + DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value)); return False; } @@ -405,64 +237,6 @@ BOOL account_policy_set(int field, uint32 value) } /**************************************************************************** -Set an account policy in the cache -****************************************************************************/ - -BOOL cache_account_policy_set(int field, uint32 value) -{ - uint32 lastset, i; - - for (i=0; account_policy_names[i].field; i++) { - - if (account_policy_names[i].field == field) { - - DEBUG(10,("cache_account_policy_set: updating account pol cache\n")); - - if (!account_policy_set(field, value)) { - return False; - } - - if (!account_policy_cache_timestamp(&lastset, True)) { - DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n")); - return False; - } - - DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL))); - } - } - - return True; -} - -/***************************************************************************** -Get an account policy from the cache -*****************************************************************************/ - -BOOL cache_account_policy_get(int field, uint32 *value) -{ - uint32 lastset, i; - - if (!account_policy_cache_timestamp(&lastset, False)) { - DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n")); - return False; - } - - if ((lastset + AP_TTL) < (uint32)time(NULL) ) { - DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n")); - return False; - } - - for (i=0; account_policy_names[i].field; i++) { - if (account_policy_names[i].field == field) { - return account_policy_get(field, value); - } - } - - return False; -} - - -/**************************************************************************** ****************************************************************************/ TDB_CONTEXT *get_account_pol_tdb( void ) diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 2fc71b1402..7aeecb89d6 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -208,15 +208,6 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = { { LDAP_ATTR_LIST_END, NULL } }; -/* attributes used for account policies */ - -ATTRIB_MAP_ENTRY acctpol_attr_list[] = { - { LDAP_ATTR_OBJCLASS, "objectClass" }, - { LDAP_ATTR_ACCOUNT_POLICY_NAME,"sambaAccountPolicyName" }, - { LDAP_ATTR_ACCOUNT_POLICY_VAL, "sambaAccountPolicyValue" }, - { LDAP_ATTR_LIST_END, NULL }, -}; - /********************************************************************** perform a simple table lookup and return the attribute name **********************************************************************/ @@ -1254,82 +1245,6 @@ NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, const char *location, struct smbldap_ } /********************************************************************** - Add the account-policies below the sambaDomain object to LDAP, -*********************************************************************/ -static NTSTATUS add_new_domain_account_policies(struct smbldap_state *ldap_state, - const char *domain_name) -{ - NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; - int i, ldap_op, policy_default, rc; - const char *policy_string = NULL; - const char *policy_comment = NULL; - pstring dn; - fstring policy_default_str; - - DEBUG(3,("Adding new account policies for domain\n")); - ldap_op = LDAP_MOD_ADD; - - for (i=1; decode_account_policy_name(i) != NULL; i++) { - LDAPMod **mods = NULL; - - policy_string = decode_account_policy_name(i); - if (!policy_string) { - DEBUG(0,("add_new_domain_account_policies: ops. no policy!\n")); - return ntstatus; - } - - policy_comment = account_policy_get_comment(i); - if (!policy_comment) { - DEBUG(0,("add_new_domain_account_policies: no description for policy found\n")); - return ntstatus; - } - - if (!account_policy_get_default(i, &policy_default)) { - DEBUG(0,("add_new_domain_account_policies: failed to get default account policy\n")); - return ntstatus; - } - - slprintf(policy_default_str, sizeof(policy_default_str) - 1, "%i", policy_default); - - pstr_sprintf(dn, "%s=%s,%s=%s,%s", - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string, - get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(), - lp_ldap_suffix()); - - smbldap_set_mod( &mods, ldap_op, "objectClass", LDAP_OBJ_ACCOUNT_POLICY ); - - smbldap_set_mod( &mods, ldap_op, - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), - policy_string); - - smbldap_set_mod( &mods, ldap_op, - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), - policy_default_str); - - smbldap_set_mod( &mods, ldap_op, "description", policy_comment); - - rc = smbldap_add(ldap_state, dn, mods); - - if (rc!=LDAP_SUCCESS) { - char *ld_error = NULL; - ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); - DEBUG(1,("failed to add account policy dn= %s with: %s\n\t%s\n", - dn, ldap_err2string(rc), - ld_error?ld_error:"unknown")); - SAFE_FREE(ld_error); - - ldap_mods_free(mods, True); - return ntstatus; - } - - DEBUG(2,("added: domain account policy = [%s] in the LDAP database\n", policy_string)); - ldap_mods_free(mods, True); - } - - return NT_STATUS_OK; -} - -/********************************************************************** Add the sambaDomain to LDAP, so we don't have to search for this stuff again. This is a once-add operation for now. @@ -1483,8 +1398,7 @@ NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state, DEBUG(3, ("Got no domain info entries for domain\n")); ldap_msgfree(*result); *result = NULL; - if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name)) - && NT_STATUS_IS_OK(ret = add_new_domain_account_policies(ldap_state, domain_name))) { + if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name))) { return smbldap_search_domain_info(ldap_state, result, domain_name, False); } else { diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index d2e1eacdd2..715eb9ed4c 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1890,7 +1890,7 @@ BOOL init_sam_from_buffer_v2(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen) } /* Change from V1 is addition of password history field. */ - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); + account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen); if (pwHistLen) { char *pw_hist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN); if (!pw_hist) { @@ -2098,7 +2098,7 @@ uint32 init_buffer_from_sam_v2 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL si nt_pw_len = 0; } - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); + account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen); nt_pw_hist = pdb_get_pw_history(sampass, &nt_pw_hist_len); if (pwHistLen && nt_pw_hist && nt_pw_hist_len) { nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN; @@ -2307,8 +2307,8 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated) return True; } - if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) { - DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n")); + if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) { + DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n")); return False; } @@ -2349,8 +2349,8 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated) return True; } - if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) { - DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n")); + if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) { + DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n")); return False; } @@ -2398,9 +2398,9 @@ BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass) return False; /* Retrieve the account lockout policy */ - if (!pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, + if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout)) { - DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n")); + DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n")); return False; } diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index e0fc0ef280..4b59b5fdf9 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -1123,7 +1123,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass) if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) return False; - if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire) + if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire) || (expire==(uint32)-1) || (expire == 0)) { if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED)) return False; @@ -1134,7 +1134,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass) return False; } - if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age) + if (!account_policy_get(AP_MIN_PASSWORD_AGE, &min_age) || (min_age==(uint32)-1)) { if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED)) return False; @@ -1189,7 +1189,7 @@ BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext) if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) { uchar *pwhistory; uint32 pwHistLen; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); + account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen); if (pwHistLen != 0){ uint32 current_history_len; /* We need to make sure we don't have a race condition here - the diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 938622abff..382c028b0c 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -622,35 +622,6 @@ static NTSTATUS context_enum_alias_memberships(struct pdb_context *context, num_members, aliases, num); } -static NTSTATUS context_get_account_policy(struct pdb_context *context, - int policy_index, int *value) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - - if ((!context) || (!context->pdb_methods)) { - DEBUG(0, ("invalid pdb_context specified!\n")); - return ret; - } - - return context->pdb_methods->get_account_policy(context->pdb_methods, - policy_index, value); -} - -static NTSTATUS context_set_account_policy(struct pdb_context *context, - int policy_index, int value) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - - if ((!context) || (!context->pdb_methods)) { - DEBUG(0, ("invalid pdb_context specified!\n")); - return ret; - } - - return context->pdb_methods->set_account_policy(context->pdb_methods, - policy_index, value); -} - - /****************************************************************** Free and cleanup a pdb context, any associated data and anything that the attached modules might have associated. @@ -779,9 +750,6 @@ static NTSTATUS make_pdb_context(struct pdb_context **context) (*context)->pdb_enum_aliasmem = context_enum_aliasmem; (*context)->pdb_enum_alias_memberships = context_enum_alias_memberships; - (*context)->pdb_get_account_policy = context_get_account_policy; - (*context)->pdb_set_account_policy = context_set_account_policy; - (*context)->free_fn = free_pdb_context; return NT_STATUS_OK; @@ -1234,30 +1202,6 @@ BOOL pdb_enum_alias_memberships(const DOM_SID *members, int num_members, aliases, num)); } -BOOL pdb_get_account_policy(int policy_index, int *value) -{ - struct pdb_context *pdb_context = pdb_get_static_context(False); - - if (!pdb_context) { - return False; - } - - return NT_STATUS_IS_OK(pdb_context-> - pdb_get_account_policy(pdb_context, policy_index, value)); -} - -BOOL pdb_set_account_policy(int policy_index, int value) -{ - struct pdb_context *pdb_context = pdb_get_static_context(False); - - if (!pdb_context) { - return False; - } - - return NT_STATUS_IS_OK(pdb_context-> - pdb_set_account_policy(pdb_context, policy_index, value)); -} - /*************************************************************** Initialize the static context (at smbd startup etc). @@ -1315,16 +1259,6 @@ static void pdb_default_endsampwent(struct pdb_methods *methods) return; /* NT_STATUS_NOT_IMPLEMENTED; */ } -static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, int *value) -{ - return account_policy_get(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; -} - -static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, int policy_index, int value) -{ - return account_policy_set(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; -} - NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods) { *methods = TALLOC_P(mem_ctx, struct pdb_methods); @@ -1362,8 +1296,6 @@ NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods) (*methods)->del_aliasmem = pdb_default_del_aliasmem; (*methods)->enum_aliasmem = pdb_default_enum_aliasmem; (*methods)->enum_alias_memberships = pdb_default_alias_memberships; - (*methods)->get_account_policy = pdb_default_get_account_policy; - (*methods)->set_account_policy = pdb_default_set_account_policy; return NT_STATUS_OK; } diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 6fdf80074c..ff99b21f1f 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -729,7 +729,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, ZERO_STRUCT(smbntpwd); } - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); + account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen); if (pwHistLen > 0){ uint8 *pwhist = NULL; int i; @@ -1073,7 +1073,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if (need_update(sampass, PDB_PWHISTORY)) { int pwHistLen = 0; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); + account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen); if (pwHistLen == 0) { /* Remove any password history from the LDAP store. */ memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */ @@ -1138,7 +1138,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, uint16 badcount = pdb_get_bad_password_count(sampass); time_t badtime = pdb_get_bad_password_time(sampass); uint32 pol; - pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol); DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n", (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime)); @@ -2880,252 +2880,6 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods, return NT_STATUS_OK; } -static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, int policy_index, int *value) -{ - NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; - LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; - int count; - int rc; - pstring filter; - char **vals; - const char *policy_string = NULL; - int tmp_val; - BOOL found_tdb = False; - - struct ldapsam_privates *ldap_state = - (struct ldapsam_privates *)methods->private_data; - - const char *attrs[] = { - NULL, - NULL, - NULL - }; - - attrs[0] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME); - attrs[1] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL); - - if (cache_account_policy_get(policy_index, value)) { - DEBUG(11,("ldapsam_get_account_policy: got valid value from cache\n")); - return NT_STATUS_OK; - } - - policy_string = decode_account_policy_name(policy_index); - if (!policy_string) { - DEBUG(0,("ldapsam_get_account_policy: invalid policy index: %d\n", policy_index)); - return ntstatus; - } - - pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))", - LDAP_OBJ_ACCOUNT_POLICY, - get_attr_key2string(acctpol_attr_list, - LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string); - - if (!ldap_state->domain_dn) { - return NT_STATUS_INVALID_PARAMETER; - } - -search: - rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn, - LDAP_SCOPE_ONELEVEL, filter, attrs, 0, &result); - - if (rc != LDAP_SUCCESS) - return ntstatus; - - count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, - result); - - /* handle deleted ldap-entries (migrate on the fly, use a default as last resort) - gd */ - if (count < 1 && !found_tdb) { - - found_tdb = False; - - DEBUG(3,("ldapsam_get_account_policy: no entry for that policy in ldap found\n")); - - if (!account_policy_get(policy_index, &tmp_val)) { - DEBUG(10,("ldapsam_get_account_policy: failed to get account_policy from tdb\n")); - found_tdb = True; - } - - if (!found_tdb && !account_policy_get_default(policy_index, &tmp_val)) { - ldap_msgfree(result); - return ntstatus; - } - - if (!pdb_set_account_policy(policy_index, tmp_val)) { - DEBUG(1,("ldapsam_get_account_policy: failed to set account_policy\n")); - ldap_msgfree(result); - return ntstatus; - } - - DEBUG(3,("ldapsam_get_account_policy: set account policy value based on %s value.\n", - found_tdb ? "tdb":"default")); - - ldap_msgfree(result); - goto search; - } - - entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); - - if (!entry) { - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - - vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL)); - - if (vals == NULL) - goto out; - - *value = (uint32)atol(vals[0]); - - if (!cache_account_policy_set(policy_index, *value)) { - DEBUG(0,("ldapsam_get_account_policy: failed to update local tdb as a cache\n")); - return ntstatus; - } - - ntstatus = NT_STATUS_OK; - -out: - ldap_value_free(vals); - ldap_msgfree(result); - - return ntstatus; -} - -static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, int policy_index, int value) -{ - NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; - LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; - int count; - int rc; - pstring filter, dn; - int modop; - LDAPMod **mods = NULL; - fstring value_string; - char *old_dn = NULL; - const char *policy_string = NULL; - const char *policy_description = NULL; - - struct ldapsam_privates *ldap_state = - (struct ldapsam_privates *)methods->private_data; - - const char *attrs[] = { - NULL, - NULL, - NULL - }; - - attrs[0] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), - attrs[1] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), - - policy_string = decode_account_policy_name(policy_index); - if (!policy_string) { - DEBUG(0,("ldapsam_set_account_policy: invalid policy\n")); - return ntstatus; - } - - policy_description = account_policy_get_comment(policy_index); - if (!policy_description) { - DEBUG(0,("ldapsam_set_account_policy: no description for policy found\n")); - return ntstatus; - } - - pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))", - LDAP_OBJ_ACCOUNT_POLICY, - get_attr_key2string(acctpol_attr_list, - LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string); - - if (!ldap_state->domain_dn) { - return NT_STATUS_INVALID_PARAMETER; - } - - rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn, - LDAP_SCOPE_ONELEVEL, filter, attrs, 0, &result); - - if (rc != LDAP_SUCCESS) - return ntstatus; - - count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); - - slprintf(value_string, sizeof(value_string) - 1, "%i", value); - - if (count == 1) { - - modop = LDAP_MOD_REPLACE; - - entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); - - if (!entry) { - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - - old_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry); - if (!old_dn) { - ldap_msgfree(result); - return ntstatus; - } - - smbldap_set_mod(&mods, modop, - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), - value_string); - - rc = smbldap_modify(ldap_state->smbldap_state, old_dn, mods); - - } else { - - modop = LDAP_MOD_ADD; - - pstr_sprintf(dn, "%s=%s,%s", - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string, - ldap_state->domain_dn); - - smbldap_set_mod( &mods, modop, "objectClass", LDAP_OBJ_ACCOUNT_POLICY ); - - smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), - policy_string); - - smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, - get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), - value_string); - - smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, - "description", - policy_description); - - rc = smbldap_add(ldap_state->smbldap_state, dn, mods); - } - - ldap_mods_free(mods, True); - ldap_msgfree(result); - - if (rc != LDAP_SUCCESS) { - char *ld_error = NULL; - ldap_get_option(ldap_state->smbldap_state->ldap_struct, - LDAP_OPT_ERROR_STRING,&ld_error); - - DEBUG(0, ("ldapsam_set_account_policy: Could not set account policy " - "for %s, error: %s (%s)\n", dn, ldap_err2string(rc), - ld_error?ld_error:"unknown")); - SAFE_FREE(ld_error); - SAFE_FREE(old_dn); - return ntstatus; - } - - SAFE_FREE(old_dn); - - if (!cache_account_policy_set(policy_index, value)) { - DEBUG(0,("ldapsam_set_account_policy: failed to update local tdb cache\n")); - return ntstatus; - } - - return NT_STATUS_OK; -} - /********************************************************************** Housekeeping *********************************************************************/ @@ -3183,9 +2937,6 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS ** (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping; (*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships; - (*pdb_method)->get_account_policy = ldapsam_get_account_policy; - (*pdb_method)->set_account_policy = ldapsam_set_account_policy; - /* TODO: Setup private data and free */ ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates); diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c index 3a5c965820..c11e0d59a0 100644 --- a/source3/rpc_server/srv_reg_nt.c +++ b/source3/rpc_server/srv_reg_nt.c @@ -380,7 +380,7 @@ WERROR _reg_info(pipes_struct *p, REG_Q_INFO *q_u, REG_R_INFO *r_u) return WERR_NOMEM; } - if (!pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue)) + if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue)) dwValue = 0; regval_ctr_addvalue(®vals, "RefusePasswordChange", REG_DWORD, diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c index 971f5ed40c..ffb7882e11 100644 --- a/source3/rpc_server/srv_samr.c +++ b/source3/rpc_server/srv_samr.c @@ -785,6 +785,7 @@ static BOOL api_samr_set_userinfo(pipes_struct *p) if (!samr_io_q_set_userinfo("", &q_u, data, 0)) { DEBUG(0,("api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.\n")); /* Fix for W2K SP2 */ + /* what is that status-code ? - gd */ if (q_u.switch_value == 0x1a) { setup_fault_pdu(p, NT_STATUS(0x1c000006)); return True; diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9c8a35045f..291d8713d5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2092,19 +2092,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA switch (q_u->switch_value) { case 0x01: - pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); + account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); @@ -2132,7 +2132,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_groups=info->disp_info.num_group_account; free_samr_db(info); - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -2146,7 +2146,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: - pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); + account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); @@ -2168,15 +2168,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); break; case 0x0c: - pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); + account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); @@ -4572,19 +4572,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW switch (q_u->switch_value) { case 0x01: - pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); + account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); @@ -4612,7 +4612,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_groups=info->disp_info.num_group_account; free_samr_db(info); - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -4626,7 +4626,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -4649,15 +4649,15 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); break; case 0x0c: - pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); + account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); @@ -4701,17 +4701,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); - pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); - pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire); - pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); + account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); + account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); + account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire); + account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; case 0x02: break; case 0x03: u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); - pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout); + account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout); break; case 0x05: break; @@ -4726,9 +4726,9 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; - pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); - pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); - pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); + account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); + account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 3765b7d38f..540acfc225 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -945,7 +945,7 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext) BOOL found = False; int i, pwHisLen, curr_pwHisLen; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHisLen); + account_policy_get(AP_PASSWORD_HISTORY, &pwHisLen); if (pwHisLen == 0) { return False; } @@ -1017,7 +1017,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw } /* FIXME: AP_MIN_PASSWORD_LEN and lp_min_passwd_length() need to be merged - gd */ - if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) { + if (account_policy_get(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) { DEBUG(1, ("user %s cannot change password - password too short\n", username)); DEBUGADD(1, (" account policy min password len = %d\n", min_len)); diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index cc81719b6a..49aef2a23c 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -1000,34 +1000,34 @@ static NTSTATUS fetch_domain_info(uint32 rid, SAM_DOMAIN_INFO *delta) } - if (!pdb_set_account_policy(AP_PASSWORD_HISTORY, delta->pwd_history_len)) + if (!account_policy_set(AP_PASSWORD_HISTORY, delta->pwd_history_len)) return nt_status; - if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN, delta->min_pwd_len)) + if (!account_policy_set(AP_MIN_PASSWORD_LEN, delta->min_pwd_len)) return nt_status; - if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age)) + if (!account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)u_max_age)) return nt_status; - if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age)) + if (!account_policy_set(AP_MIN_PASSWORD_AGE, (uint32)u_min_age)) return nt_status; - if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout)) + if (!account_policy_set(AP_TIME_TO_LOGOUT, (uint32)u_logout)) return nt_status; - if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout)) + if (!account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout)) return nt_status; - if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60)) + if (!account_policy_set(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60)) return nt_status; if (u_lockouttime != -1) u_lockouttime /= 60; - if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime)) + if (!account_policy_set(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime)) return nt_status; - if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass)) + if (!account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass)) return nt_status; return NT_STATUS_OK; diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index d29b6ea66c..3584ef0367 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c @@ -119,27 +119,6 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) { } /********************************************************* - Add all currently available account policy from tdb to one backend - ********************************************************/ - -static int export_account_policies (struct pdb_context *in, struct pdb_context *out) -{ - int i; - - for (i=1; decode_account_policy_name(i) != NULL; i++) { - uint32 policy_value; - if (NT_STATUS_IS_ERR(in->pdb_get_account_policy(in, i, &policy_value))) { - fprintf(stderr, "Can't get account policy from tdb\n"); - return -1; - } - out->pdb_set_account_policy(out, i, policy_value); - } - - return 0; -} - - -/********************************************************* Print info from sam structure **********************************************************/ @@ -669,7 +648,6 @@ int main (int argc, char **argv) static char *backend_in = NULL; static char *backend_out = NULL; static BOOL transfer_groups = False; - static BOOL transfer_account_policies = False; static BOOL force_initialised_password = False; static char *logon_script = NULL; static char *profile_path = NULL; @@ -710,7 +688,6 @@ int main (int argc, char **argv) {"import", 'i', POPT_ARG_STRING, &backend_in, 0, "import user accounts from this backend", NULL}, {"export", 'e', POPT_ARG_STRING, &backend_out, 0, "export user accounts to this backend", NULL}, {"group", 'g', POPT_ARG_NONE, &transfer_groups, 0, "use -i and -e for groups", NULL}, - {"policies", 'y', POPT_ARG_NONE, &transfer_account_policies, 0, "use -i and -e to move account policies between backends", NULL}, {"account-policy", 'P', POPT_ARG_STRING, &account_policy, 0,"value of an account policy (like maximum password age)",NULL}, {"value", 'C', POPT_ARG_LONG, &account_policy_value, 'C',"set the account policy to this value", NULL}, {"account-control", 'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL}, @@ -810,22 +787,20 @@ int main (int argc, char **argv) SAFE_FREE(apn); exit(1); } - if (!pdb_get_account_policy(field, &value)) { + if (!account_policy_get(field, &value)) { fprintf(stderr, "valid account policy, but unable to fetch value!\n"); - if (!account_policy_value_set) - exit(1); + exit(1); } - printf("account policy \"%s\" description: %s\n", account_policy, account_policy_get_comment(field)); if (account_policy_value_set) { - printf("account policy \"%s\" value was: %u\n", account_policy, value); - if (!pdb_set_account_policy(field, account_policy_value)) { + printf("account policy value for %s was %u\n", account_policy, value); + if (!account_policy_set(field, account_policy_value)) { fprintf(stderr, "valid account policy, but unable to set value!\n"); exit(1); } - printf("account policy \"%s\" value is now: %lu\n", account_policy, account_policy_value); + printf("account policy value for %s is now %lu\n", account_policy, account_policy_value); exit(0); } else { - printf("account policy \"%s\" value is: %u\n", account_policy, value); + printf("account policy value for %s is %u\n", account_policy, value); exit(0); } } @@ -849,10 +824,7 @@ int main (int argc, char **argv) } else { bout = bdef; } - if (transfer_account_policies) { - if (!(checkparms & BIT_USER)) - return export_account_policies(bin, bout); - } else if (transfer_groups) { + if (transfer_groups) { if (!(checkparms & BIT_USER)) return export_groups(bin, bout); } else { |