diff options
Diffstat (limited to 'source3/passdb')
| -rw-r--r-- | source3/passdb/passdb.c | 2 | ||||
| -rw-r--r-- | source3/passdb/pdb_get_set.c | 68 | ||||
| -rw-r--r-- | source3/passdb/pdb_interface.c | 41 | ||||
| -rw-r--r-- | source3/passdb/pdb_ldap.c | 2 |
4 files changed, 36 insertions, 77 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index da3ddb3914..4bdceec571 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1106,7 +1106,7 @@ uint32 init_buffer_from_sam_v3 (uint8 **buf, struct samu *sampass, BOOL size_onl logoff_time = (uint32)pdb_get_logoff_time(sampass); kickoff_time = (uint32)pdb_get_kickoff_time(sampass); bad_password_time = (uint32)pdb_get_bad_password_time(sampass); - pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass); + pass_can_change_time = (uint32)pdb_get_pass_can_change_time_noncalc(sampass); pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass); pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass); diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 7aac8f5856..62898f3dac 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -74,15 +74,34 @@ time_t pdb_get_pass_can_change_time(const struct samu *sampass) { uint32 allow; + /* if the last set time is zero, it means the user cannot + change their password, and this time must be zero. jmcd + */ if (sampass->pass_last_set_time == 0) return (time_t) 0; + /* if the time is max, and the field has been changed, + we're trying to update this real value from the sampass + to indicate that the user cannot change their password. jmcd + */ + if (sampass->pass_can_change_time == get_time_t_max() && + pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED) + return sampass->pass_can_change_time; + if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &allow)) allow = 0; + /* in normal cases, just calculate it from policy */ return sampass->pass_last_set_time + allow; } +/* we need this for loading from the backend, so that we don't overwrite + non-changed max times, otherwise the pass_can_change checking won't work */ +time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass) +{ + return sampass->pass_can_change_time; +} + time_t pdb_get_pass_must_change_time(const struct samu *sampass) { uint32 expire; @@ -100,6 +119,14 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass) return sampass->pass_last_set_time + expire; } +BOOL pdb_get_pass_can_change(const struct samu *sampass) +{ + if (sampass->pass_can_change_time == get_time_t_max() && + sampass->pass_last_set_time != 0) + return False; + return True; +} + uint16 pdb_get_logon_divs(const struct samu *sampass) { return sampass->logon_divs; @@ -944,43 +971,14 @@ BOOL pdb_set_backend_private_data(struct samu *sampass, void *private_data, /* Helpful interfaces to the above */ -/********************************************************************* - Sets the last changed times and must change times for a normal - password change. - ********************************************************************/ - -BOOL pdb_set_pass_changed_now(struct samu *sampass) +BOOL pdb_set_pass_can_change(struct samu *sampass, BOOL canchange) { - uint32 expire; - uint32 min_age; - - if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) - return False; - - if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire) - || (expire==(uint32)-1) || (expire == 0)) { - if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED)) - return False; - } else { - if (!pdb_set_pass_must_change_time (sampass, - pdb_get_pass_last_set_time(sampass) - + expire, PDB_CHANGED)) - return False; - } - - if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age) - || (min_age==(uint32)-1)) { - if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED)) - return False; - } else { - if (!pdb_set_pass_can_change_time (sampass, - pdb_get_pass_last_set_time(sampass) - + min_age, PDB_CHANGED)) - return False; - } - return True; + return pdb_set_pass_can_change_time(sampass, + canchange ? 0 : get_time_t_max(), + PDB_CHANGED); } + /********************************************************************* Set the user's PLAINTEXT password. Used as an interface to the above. Also sets the last change time to NOW. @@ -1016,7 +1014,7 @@ BOOL pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext) if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED)) return False; - if (!pdb_set_pass_changed_now (sampass)) + if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) return False; /* Store the password history. */ diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 7252ea4c8c..73f538214d 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -48,43 +48,6 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid, const char **name, enum lsa_SidType *psid_name_use, union unid_t *unix_id); -/******************************************************************* - Clean up uninitialised passwords. The only way to tell - that these values are not 'real' is that they do not - have a valid last set time. Instead, the value is fixed at 0. - Therefore we use that as the key for 'is this a valid password'. - However, it is perfectly valid to have a 'default' last change - time, such LDAP with a missing attribute would produce. -********************************************************************/ - -static void pdb_force_pw_initialization(struct samu *pass) -{ - const uint8 *lm_pwd, *nt_pwd; - - /* only reset a password if the last set time has been - explicitly been set to zero. A default last set time - is ignored */ - - if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT) - && (pdb_get_pass_last_set_time(pass) == 0) ) - { - - if (pdb_get_init_flags(pass, PDB_LMPASSWD) != PDB_DEFAULT) - { - lm_pwd = pdb_get_lanman_passwd(pass); - if (lm_pwd) - pdb_set_lanman_passwd(pass, NULL, PDB_CHANGED); - } - if (pdb_get_init_flags(pass, PDB_NTPASSWD) != PDB_DEFAULT) - { - nt_pwd = pdb_get_nt_passwd(pass); - if (nt_pwd) - pdb_set_nt_passwd(pass, NULL, PDB_CHANGED); - } - } - - return; -} NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init) { @@ -250,7 +213,7 @@ BOOL pdb_getsampwent(struct samu *user) if ( !NT_STATUS_IS_OK(pdb->getsampwent(pdb, user) ) ) { return False; } - pdb_force_pw_initialization( user ); + return True; } @@ -266,8 +229,6 @@ BOOL pdb_getsampwnam(struct samu *sam_acct, const char *username) TALLOC_FREE(csamuser); } - pdb_force_pw_initialization( sam_acct ); - csamuser = samu_new( NULL ); if (!csamuser) { return False; diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 0f03a1cc6e..a716dfa805 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -1096,7 +1096,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp); - slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass)); + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time_noncalc(sampass)); if (need_update(sampass, PDB_CANCHANGETIME)) smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp); |