Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth_sam.c63
-rw-r--r--source3/include/local.h3
-rw-r--r--source3/passdb/passdb.c10
-rw-r--r--source3/passdb/pdb_smbpasswd.c9
-rw-r--r--source3/passdb/pdb_tdb.c3
-rw-r--r--source3/smbd/auth_smbpasswd.c63
6 files changed, 77 insertions, 74 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 8159ad988f..304e5be44b 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username));
/* Quit if the account was disabled. */
- if(acct_ctrl & ACB_DISABLED) {
+ if (acct_ctrl & ACB_DISABLED) {
DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username));
return NT_STATUS_ACCOUNT_DISABLED;
}
@@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
- if (kickoff_time != (time_t)-1) {
- if (time(NULL) > kickoff_time) {
- DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
- DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
- return NT_STATUS_ACCOUNT_EXPIRED;
- }
+ if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+ DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
+ DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
+ return NT_STATUS_ACCOUNT_EXPIRED;
}
/* Test workstation. Workstation list is comma separated. */
workstation_list = strdup(pdb_get_workstations(sampass));
- if (workstation_list) {
- if (*workstation_list) {
- BOOL invalid_ws = True;
- char *s = workstation_list;
+ if (!workstation_list) return NT_STATUS_NO_MEMORY;
+
+ if (*workstation_list) {
+ BOOL invalid_ws = True;
+ char *s = workstation_list;
- fstring tok;
+ fstring tok;
- while (next_token(&s, tok, ",", sizeof(tok))) {
- DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
- tok, user_info->wksta_name.str, user_info->wksta_name.len));
- if(strequal(tok, user_info->wksta_name.str)) {
- invalid_ws = False;
- break;
- }
+ while (next_token(&s, tok, ",", sizeof(tok))) {
+ DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+ tok, user_info->wksta_name.str, user_info->wksta_name.len));
+ if(strequal(tok, user_info->wksta_name.str)) {
+ invalid_ws = False;
+ break;
}
-
- SAFE_FREE(workstation_list);
- if (invalid_ws)
- return NT_STATUS_INVALID_WORKSTATION;
- } else {
- SAFE_FREE(workstation_list);
}
+
+ SAFE_FREE(workstation_list);
+ if (invalid_ws)
+ return NT_STATUS_INVALID_WORKSTATION;
} else {
- return NT_STATUS_NO_MEMORY;
+ SAFE_FREE(workstation_list);
}
+
{
time_t must_change_time = pdb_get_pass_must_change_time(sampass);
- if (must_change_time == 0) {
- DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username));
+ time_t last_set_time = pdb_get_pass_last_set_time(sampass);
+
+ /* check for immediate expiry "must change at next logon" */
+ if (must_change_time == 0 && last_set_time != 0) {
+ DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username));
return NT_STATUS_PASSWORD_MUST_CHANGE;
}
- if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) {
+ /* check for expired password */
+ if (must_change_time < time(NULL) && must_change_time != 0) {
DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username));
DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time));
return NT_STATUS_PASSWORD_EXPIRED;
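Review bot: The rewritten tests `if (kickoff_time != 0 && time(NULL) > kickoff_time)` and `if (must_change_time < time(NULL) && must_change_time != 0)` make 0 the only "never" value, so any record that still carries the old `(time_t)-1` sentinel (the default until this commit, as the removed lines in passdb.c show) is now compared as a real timestamp and, where time_t is signed, reads as a date in 1969 — such accounts are refused with NT_STATUS_ACCOUNT_EXPIRED or NT_STATUS_PASSWORD_EXPIRED, which fails closed but locks out persisted records. Unless every backend is known to have been migrated, either keep treating -1 as "never" during the transition or state the rule at the top of the block with `/* 0 means "no limit" for every pdb time field; -1 is no longer a sentinel */`. The "must change at next logon" rule `must_change_time == 0 && last_set_time != 0` also passes an account with neither time set, which deserves a one-line comment saying whether that is intended. The log string on the kickoff branch still reads `expried`. The same hunk is duplicated verbatim in source3/smbd/auth_smbpasswd.c, and sam_account_ok begins before and ends after this hunk.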
@@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
}
if (acct_ctrl & ACB_DOMTRUST) {
- DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
+ DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
if (acct_ctrl & ACB_SVRTRUST) {
- DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
+ DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
}
diff --git a/source3/include/local.h b/source3/include/local.h
index e9e4fb2d35..53ef564610 100644
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -186,4 +186,7 @@
#define SESSION_TEMPLATE "smb/%d"
#endif
+/* the maximum age in seconds of a password. Should be a lp_ parameter */
+#define MAX_PASSWORD_AGE (21*24*60*60)
+
#endif
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 75f2d432f2..2ffbe42f8c 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -79,11 +79,11 @@ static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user)
ZERO_STRUCTP(user);
user->logon_time = (time_t)0;
- user->logoff_time = (time_t)-1;
- user->kickoff_time = (time_t)-1;
- user->pass_last_set_time = (time_t)-1;
- user->pass_can_change_time = (time_t)-1;
- user->pass_must_change_time = (time_t)-1;
+ user->logoff_time = (time_t)0;
+ user->kickoff_time = (time_t)0;
+ user->pass_last_set_time = (time_t)0;
+ user->pass_can_change_time = (time_t)0;
+ user->pass_must_change_time = (time_t)0;
user->unknown_3 = 0x00ffffff; /* don't know */
user->logon_divs = 168; /* hours per week */
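Review bot: The new defaults leave `pass_must_change_time` and `pass_last_set_time` both at 0, and the reworked check in auth_sam.c treats `must_change_time == 0 && last_set_time != 0` as "must change at next logon"; a backend that fills in the last-set time but never sets a must-change time (I cannot tell from this page whether any does after the pdb_tdb.c deletion) would therefore have every logon answered with NT_STATUS_PASSWORD_MUST_CHANGE. That coupling is invisible here, so document it next to the assignments: `/* 0 = unset/never. auth_sam.c reads must_change_time == 0 with a non-zero last_set_time as "must change now", so backends must set both or neither. */`. pdb_fill_default_sam begins before and ends after this hunk.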
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index bca7541782..f487dcf347 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1219,10 +1219,11 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, struct smb_passwd *pw_buf)
pdb_set_dir_drive (sam_pass, lp_logon_drive());
- /* FIXME!! What should this be set to? New smb.conf parameter maybe?
- max password age? For now, we'll use the current time + 21 days.
- --jerry */
- pdb_set_pass_must_change_time (sam_pass, time(NULL)+1814400);
+ /* the smbpasswd format doesn't have a must change time field, so
+ we can't get this right. The best we can do is to set this to
+ some time in the future. 21 days seems as reasonable as any other value :)
+ */
+ pdb_set_pass_must_change_time (sam_pass, pw_buf->pass_last_set_time + MAX_PASSWORD_AGE);
/* check if this is a user account or a machine account */
if (samlogon_user[strlen(samlogon_user)-1] != '$')
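Review bot: `pdb_set_pass_must_change_time (sam_pass, pw_buf->pass_last_set_time + MAX_PASSWORD_AGE);` no longer yields "some time in the future" as the new comment claims: for a password last set more than 21 days ago the value is already in the past, and for an entry whose pass_last_set_time is 0 (if the smbpasswd format can lack that field, which I cannot confirm from here) it is 21 days after the epoch. Combined with the expired-password check in auth_sam.c (`must_change_time < time(NULL) && must_change_time != 0`), those users are refused with NT_STATUS_PASSWORD_EXPIRED, a change of policy for existing smbpasswd installations rather than a cosmetic default. If that is intended, the comment should say so — e.g. `/* no must-change field in smbpasswd, so expire the password MAX_PASSWORD_AGE after it was last set; a 0 last-set time yields an already-expired password */` — and a decision on the 0 case should be made explicit in code rather than left to the arithmetic. build_sam_account begins before and ends after this hunk.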
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index 9b932b7821..43eefa5c7a 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -466,9 +466,6 @@ BOOL pdb_getsampwent(SAM_ACCOUNT *user)
pdb_set_uid (user, uid);
pdb_set_gid (user, gid);
- /* 21 days from present */
- pdb_set_pass_must_change_time(user, time(NULL)+1814400);
-
standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_logon_script(user));
standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_profile_path(user));
standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_homedir(user));
diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c
index 8159ad988f..304e5be44b 100644
--- a/source3/smbd/auth_smbpasswd.c
+++ b/source3/smbd/auth_smbpasswd.c
@@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username));
/* Quit if the account was disabled. */
- if(acct_ctrl & ACB_DISABLED) {
+ if (acct_ctrl & ACB_DISABLED) {
DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username));
return NT_STATUS_ACCOUNT_DISABLED;
}
@@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
- if (kickoff_time != (time_t)-1) {
- if (time(NULL) > kickoff_time) {
- DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
- DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
- return NT_STATUS_ACCOUNT_EXPIRED;
- }
+ if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+ DEBUG(1,("Account for user '%s' has expried.\n", sampass->username));
+ DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time));
+ return NT_STATUS_ACCOUNT_EXPIRED;
}
/* Test workstation. Workstation list is comma separated. */
workstation_list = strdup(pdb_get_workstations(sampass));
- if (workstation_list) {
- if (*workstation_list) {
- BOOL invalid_ws = True;
- char *s = workstation_list;
+ if (!workstation_list) return NT_STATUS_NO_MEMORY;
+
+ if (*workstation_list) {
+ BOOL invalid_ws = True;
+ char *s = workstation_list;
- fstring tok;
+ fstring tok;
- while (next_token(&s, tok, ",", sizeof(tok))) {
- DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
- tok, user_info->wksta_name.str, user_info->wksta_name.len));
- if(strequal(tok, user_info->wksta_name.str)) {
- invalid_ws = False;
- break;
- }
+ while (next_token(&s, tok, ",", sizeof(tok))) {
+ DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+ tok, user_info->wksta_name.str, user_info->wksta_name.len));
+ if(strequal(tok, user_info->wksta_name.str)) {
+ invalid_ws = False;
+ break;
}
-
- SAFE_FREE(workstation_list);
- if (invalid_ws)
- return NT_STATUS_INVALID_WORKSTATION;
- } else {
- SAFE_FREE(workstation_list);
}
+
+ SAFE_FREE(workstation_list);
+ if (invalid_ws)
+ return NT_STATUS_INVALID_WORKSTATION;
} else {
- return NT_STATUS_NO_MEMORY;
+ SAFE_FREE(workstation_list);
}
+
{
time_t must_change_time = pdb_get_pass_must_change_time(sampass);
- if (must_change_time == 0) {
- DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username));
+ time_t last_set_time = pdb_get_pass_last_set_time(sampass);
+
+ /* check for immediate expiry "must change at next logon" */
+ if (must_change_time == 0 && last_set_time != 0) {
+ DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username));
return NT_STATUS_PASSWORD_MUST_CHANGE;
}
- if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) {
+ /* check for expired password */
+ if (must_change_time < time(NULL) && must_change_time != 0) {
DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username));
DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time));
return NT_STATUS_PASSWORD_EXPIRED;
@@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user
}
if (acct_ctrl & ACB_DOMTRUST) {
- DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
+ DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
if (acct_ctrl & ACB_SVRTRUST) {
- DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
+ DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username));
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
}