From a8dca8b4b66aecc2eaac4292b6b6c5ab386de0a8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 12 Aug 2004 18:20:02 +0000 Subject: r1778: Fix based on code from Richard Renard to enforce logon hours. ldap fixes to follow. Jeremy. (This used to be commit 9ce273ed662bd34987eaeedeeeb7cb1c99cd50a4) --- source3/auth/auth_sam.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 44e0a1810f..0c59dbe049 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -65,6 +65,43 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, lm_pw, nt_pw, user_sess_key, lm_sess_key); } +/**************************************************************************** + Check if a user is allowed to logon at this time. Note this is the + servers local time, as logon hours are just specified as a weekly + bitmask. +****************************************************************************/ + +static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) +{ + /* In logon hours first bit is Sunday from 12AM to 1AM */ + extern struct timeval smb_last_time; + const uint8 *hours; + struct tm *utctime; + uint8 bitmask, bitpos; + + hours = pdb_get_hours(sampass); + if (!hours) { + DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n",pdb_get_username(sampass))); + return True; + } + + utctime = localtime(&smb_last_time.tv_sec); + + /* find the corresponding byte and bit */ + bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168; + bitmask = 1 << (bitpos % 8); + + if (! (hours[bitpos/8] & bitmask)) { + DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (UTC %s).\n", + pdb_get_username(sampass), asctime(utctime) )); + return False; + } + + DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (UTC %s)\n", + pdb_get_username(sampass), asctime(utctime) )); + + return True; +} /**************************************************************************** Do a specific test for a SAM_ACCOUNT being vaild for this connection @@ -93,6 +130,11 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCOUNT_LOCKED_OUT; } + /* Quit if the account is not allowed to logon at this time. */ + if (! logon_hours_ok(sampass)) { + return NT_STATUS_INVALID_LOGON_HOURS; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); -- cgit