From c6d1e756649408412d72e5ad2789804b2908b6f2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 1 Oct 2001 10:54:11 +0000 Subject: - fix handling of 0 last_change_time and must_change_time - move the arbitrary 21 day timeout to local.h (This used to be commit 11075f543470c3283accce0246d0b2983420695a) --- source3/auth/auth_sam.c | 63 +++++++++++++++++++++--------------------- source3/include/local.h | 3 ++ source3/passdb/passdb.c | 10 +++---- source3/passdb/pdb_smbpasswd.c | 9 +++--- source3/passdb/pdb_tdb.c | 3 -- source3/smbd/auth_smbpasswd.c | 63 +++++++++++++++++++++--------------------- 6 files changed, 77 insertions(+), 74 deletions(-) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 8159ad988f..304e5be44b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); /* Quit if the account was disabled. */ - if(acct_ctrl & ACB_DISABLED) { + if (acct_ctrl & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username)); return NT_STATUS_ACCOUNT_DISABLED; } 
@@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); - if (kickoff_time != (time_t)-1) { - if (time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); - DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); - return NT_STATUS_ACCOUNT_EXPIRED; - } + if (kickoff_time != 0 && time(NULL) > kickoff_time) { + DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); + DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); + return NT_STATUS_ACCOUNT_EXPIRED; } /* Test workstation. Workstation list is comma separated. */ workstation_list = strdup(pdb_get_workstations(sampass)); - if (workstation_list) { - if (*workstation_list) { - BOOL invalid_ws = True; - char *s = workstation_list; + if (!workstation_list) return NT_STATUS_NO_MEMORY; + + if (*workstation_list) { + BOOL invalid_ws = True; + char *s = workstation_list; - fstring tok; + fstring tok; - while (next_token(&s, tok, ",", sizeof(tok))) { - DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", - tok, user_info->wksta_name.str, user_info->wksta_name.len)); - if(strequal(tok, user_info->wksta_name.str)) { - invalid_ws = False; - break; - } + while (next_token(&s, tok, ",", sizeof(tok))) { + DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", + tok, user_info->wksta_name.str, user_info->wksta_name.len)); + if(strequal(tok, user_info->wksta_name.str)) { + invalid_ws = False; + break; } - - SAFE_FREE(workstation_list); - if (invalid_ws) - return NT_STATUS_INVALID_WORKSTATION; - } else { - SAFE_FREE(workstation_list); } + + SAFE_FREE(workstation_list); + if (invalid_ws) + return NT_STATUS_INVALID_WORKSTATION; } else { - return NT_STATUS_NO_MEMORY; + SAFE_FREE(workstation_list); } + { time_t must_change_time = pdb_get_pass_must_change_time(sampass); - if (must_change_time == 0) { - 
DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username)); + time_t last_set_time = pdb_get_pass_last_set_time(sampass); + + /* check for immediate expiry "must change at next logon" */ + if (must_change_time == 0 && last_set_time != 0) { + DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username)); return NT_STATUS_PASSWORD_MUST_CHANGE; } - if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) { + /* check for expired password */ + if (must_change_time < time(NULL) && must_change_time != 0) { DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; @@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user } if (acct_ctrl & ACB_DOMTRUST) { - DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; } diff --git a/source3/include/local.h b/source3/include/local.h index e9e4fb2d35..53ef564610 100644 --- a/source3/include/local.h +++ b/source3/include/local.h @@ -186,4 +186,7 @@ #define SESSION_TEMPLATE "smb/%d" #endif +/* the maximum age in seconds of a password. Should be a lp_ parameter */ +#define MAX_PASSWORD_AGE (21*24*60*60) + #endif diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 75f2d432f2..2ffbe42f8c 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c 
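Review bot: The rewritten expiry tests in sam_account_ok exempt only the value 0, so a record that still carries the previous `(time_t)-1` default (the value pdb_fill_default_sam assigned before this commit) would now be refused as expired wherever time_t is signed, because -1 is non-zero and earlier than `time(NULL)`. Whether any backend actually persisted -1 is not visible in this patch and should be confirmed. If it did, accept both sentinels, for example `if (kickoff_time != 0 && kickoff_time != (time_t)-1 && time(NULL) > kickoff_time) {`, with the same extra comparison on must_change_time. The identical hunk in source3/smbd/auth_smbpasswd.c needs the same treatment, and the enclosing function starts and ends outside the hunk. Separately, `strdup(pdb_get_workstations(sampass))` is undefined if the getter can return NULL, which is not shown here.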
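Review bot: Moving the two trust-account refusals from `DEBUG(0,...)` to `DEBUG(2,...)` means a rejected logon with a domain or server trust account is only recorded when the log level is 2 or higher, while the disabled-account and expired-password refusals earlier in sam_account_ok stay at level 1. If the demotion is meant to keep expected refusals out of the log, say so in a comment such as `/* level 2: trust accounts are always refused here, not an error */`. Otherwise level 1 would keep every denial in this function visible at the same setting. The message prefix `session_trust_account:` also does not match the enclosing function, whose body starts and ends outside this hunk. The same lines appear in source3/smbd/auth_smbpasswd.c.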
@@ -79,11 +79,11 @@ static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user) ZERO_STRUCTP(user); user->logon_time = (time_t)0; - user->logoff_time = (time_t)-1; - user->kickoff_time = (time_t)-1; - user->pass_last_set_time = (time_t)-1; - user->pass_can_change_time = (time_t)-1; - user->pass_must_change_time = (time_t)-1; + user->logoff_time = (time_t)0; + user->kickoff_time = (time_t)0; + user->pass_last_set_time = (time_t)0; + user->pass_can_change_time = (time_t)0; + user->pass_must_change_time = (time_t)0; user->unknown_3 = 0x00ffffff; /* don't know */ user->logon_divs = 168; /* hours per week */ diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index bca7541782..f487dcf347 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -1219,10 +1219,11 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, struct smb_passwd *pw_buf) pdb_set_dir_drive (sam_pass, lp_logon_drive()); - /* FIXME!! What should this be set to? New smb.conf parameter maybe? - max password age? For now, we'll use the current time + 21 days. - --jerry */ - pdb_set_pass_must_change_time (sam_pass, time(NULL)+1814400); + /* the smbpasswd format doesn't have a must change time field, so + we can't get this right. The best we can do is to set this to + some time in the future. 21 days seems as reasonable as any other value :) + */ + pdb_set_pass_must_change_time (sam_pass, pw_buf->pass_last_set_time + MAX_PASSWORD_AGE); /* check if this is a user account or a machine account */ if (samlogon_user[strlen(samlogon_user)-1] != '$') diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 9b932b7821..43eefa5c7a 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c 
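Review bot: In the build_sam_account hunk, `pw_buf->pass_last_set_time + MAX_PASSWORD_AGE` is not guaranteed to be in the future, although the new comment says the value is set to "some time in the future". Any password older than 21 days gets a must-change time in the past, and an entry whose last-set time is 0 would get 21 days after the epoch. sam_account_ok in this same commit then returns NT_STATUS_PASSWORD_EXPIRED for such accounts, because its expired-password test only exempts a must-change time of exactly 0. If 0 is meant to stay "unknown", preserve it with `time_t lct = pw_buf->pass_last_set_time;` followed by `pdb_set_pass_must_change_time(sam_pass, lct ? lct + MAX_PASSWORD_AGE : 0);`, and reword the comment to say that passwords now age out 21 days after the last change. build_sam_account continues outside the hunk, so whether pass_last_set_time can be 0 at this point should be checked against the smbpasswd parsing code.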
@@ -466,9 +466,6 @@ BOOL pdb_getsampwent(SAM_ACCOUNT *user) pdb_set_uid (user, uid); pdb_set_gid (user, gid); - /* 21 days from present */ - pdb_set_pass_must_change_time(user, time(NULL)+1814400); - standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_logon_script(user)); standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_profile_path(user)); standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_homedir(user)); diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c index 8159ad988f..304e5be44b 100644 --- a/source3/smbd/auth_smbpasswd.c +++ b/source3/smbd/auth_smbpasswd.c @@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); /* Quit if the account was disabled. */ - if(acct_ctrl & ACB_DISABLED) { + if (acct_ctrl & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username)); return NT_STATUS_ACCOUNT_DISABLED; } 
@@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); - if (kickoff_time != (time_t)-1) { - if (time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); - DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); - return NT_STATUS_ACCOUNT_EXPIRED; - } + if (kickoff_time != 0 && time(NULL) > kickoff_time) { + DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); + DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); + return NT_STATUS_ACCOUNT_EXPIRED; } /* Test workstation. Workstation list is comma separated. */ workstation_list = strdup(pdb_get_workstations(sampass)); - if (workstation_list) { - if (*workstation_list) { - BOOL invalid_ws = True; - char *s = workstation_list; + if (!workstation_list) return NT_STATUS_NO_MEMORY; + + if (*workstation_list) { + BOOL invalid_ws = True; + char *s = workstation_list; - fstring tok; + fstring tok; - while (next_token(&s, tok, ",", sizeof(tok))) { - DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", - tok, user_info->wksta_name.str, user_info->wksta_name.len)); - if(strequal(tok, user_info->wksta_name.str)) { - invalid_ws = False; - break; - } + while (next_token(&s, tok, ",", sizeof(tok))) { + DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", + tok, user_info->wksta_name.str, user_info->wksta_name.len)); + if(strequal(tok, user_info->wksta_name.str)) { + invalid_ws = False; + break; } - - SAFE_FREE(workstation_list); - if (invalid_ws) - return NT_STATUS_INVALID_WORKSTATION; - } else { - SAFE_FREE(workstation_list); } + + SAFE_FREE(workstation_list); + if (invalid_ws) + return NT_STATUS_INVALID_WORKSTATION; } else { - return NT_STATUS_NO_MEMORY; + SAFE_FREE(workstation_list); } + { time_t must_change_time = pdb_get_pass_must_change_time(sampass); - if (must_change_time == 0) { - 
DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username)); + time_t last_set_time = pdb_get_pass_last_set_time(sampass); + + /* check for immediate expiry "must change at next logon" */ + if (must_change_time == 0 && last_set_time != 0) { + DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username)); return NT_STATUS_PASSWORD_MUST_CHANGE; } - if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) { + /* check for expired password */ + if (must_change_time < time(NULL) && must_change_time != 0) { DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; @@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user } if (acct_ctrl & ACB_DOMTRUST) { - DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; } -- cgit