From cdf9b42754b7e97faa7fc4eb1ec69e32c0bfd1a0 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 3 Dec 2001 17:14:23 +0000 Subject: added a tdb to store the account policy informations. You can change them with either usermanager->policies->account or from a command prompt on NT/W2K: net accounts /domain we can add a rpc accounts to the net command. As the net_rpc.c is still empty, I did not start. How should I add command to it ? Should I take the rpcclient/cmd_xxx functions and call them from there ? alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more for jeremy ;-) J.F. (This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21) --- source3/Makefile.in | 2 +- source3/groupdb/mapping.c | 3 + source3/include/rpc_samr.h | 5 +- source3/include/smb.h | 14 +++ source3/lib/account_pol.c | 132 ++++++++++++++++++++ source3/lib/time.c | 88 ++++++++++++++ source3/passdb/passdb.c | 14 ++- source3/rpc_parse/parse_samr.c | 50 ++++---- source3/rpc_server/srv_samr_nt.c | 255 ++++++++++++++++++++++++++------------- source3/smbd/server.c | 13 +- source3/utils/smbgroupedit.c | 22 ++-- 11 files changed, 465 insertions(+), 133 deletions(-) create mode 100644 source3/lib/account_pol.c diff --git a/source3/Makefile.in b/source3/Makefile.in index 993d441d9f..8c121fea0d 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -122,7 +122,7 @@ LIB_OBJ = lib/charcnv.o lib/debug.o lib/fault.o \ lib/ms_fnmatch.o lib/select.o lib/error.o lib/messages.o \ lib/md5.o lib/hmacmd5.o lib/iconv.o lib/smbpasswd.o \ nsswitch/wb_client.o nsswitch/wb_common.o \ - intl/lang_tdb.o $(TDB_OBJ) + intl/lang_tdb.o lib/account_pol.o $(TDB_OBJ) READLINE_OBJ = lib/readline.o diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index a0f6148e90..137f971228 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -166,6 +166,9 @@ BOOL init_group_mapping(void) } tdb_unlock_bystring(tdb, vstring); + /* write a list of default groups */ + if(!default_group_mapping()) + return False; return True; } diff --git a/source3/include/rpc_samr.h b/source3/include/rpc_samr.h index b3b46c6f0c..0d0dd7237c 100644 --- a/source3/include/rpc_samr.h +++ b/source3/include/rpc_samr.h @@ -481,14 +481,11 @@ typedef struct q_samr_query_domain_info typedef struct sam_unknown_info_3_info { - uint32 unknown_0; /* 0x0000 0000 */ - uint32 unknown_1; - + NTTIME logout; /* 0x8000 0000 */ /* DON'T forcibly disconnect remote users from server when logon hours expire*/ /* 0x0000 0000 */ /* forcibly disconnect remote users from server when logon hours expire*/ - } SAM_UNK_INFO_3; typedef struct sam_unknown_info_6_info diff --git a/source3/include/smb.h b/source3/include/smb.h index 13fe6abffa..0ac2118b94 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -630,6 +630,20 @@ typedef struct sam_passwd } SAM_ACCOUNT; +/* + * Flags for account policy. + */ +#define AP_MIN_PASSWORD_LEN 1 +#define AP_PASSWORD_HISTORY 2 +#define AP_USER_MUST_LOGON_TO_CHG_PASS 3 +#define AP_MAX_PASSWORD_AGE 4 +#define AP_MIN_PASSWORD_AGE 5 +#define AP_LOCK_ACCOUNT_DURATION 6 +#define AP_RESET_COUNT_TIME 7 +#define AP_BAD_ATTEMPT_LOCKOUT 8 +#define AP_TIME_TO_LOGOUT 9 + + /* * Flags for local user manipulation. */ diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c new file mode 100644 index 0000000000..aad6f8e11d --- /dev/null +++ b/source3/lib/account_pol.c @@ -0,0 +1,132 @@ +/* + * Unix SMB/Netbios implementation. + * Version 1.9. + * account policy storage + * Copyright (C) Jean François Micouleau 1998-2001. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" +static TDB_CONTEXT *tdb; /* used for driver files */ + +#define DATABASE_VERSION 1 + +/**************************************************************************** +open the account policy tdb +****************************************************************************/ +BOOL init_account_policy(void) +{ + static pid_t local_pid; + char *vstring = "INFO/version"; + + if (tdb && local_pid == sys_getpid()) return True; + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open account policy database\n")); + return False; + } + + local_pid = sys_getpid(); + + /* handle a Samba upgrade */ + tdb_lock_bystring(tdb, vstring); + if (tdb_fetch_int(tdb, vstring) != DATABASE_VERSION) { + tdb_traverse(tdb, (tdb_traverse_func)tdb_delete, NULL); + tdb_store_int(tdb, vstring, DATABASE_VERSION); + + account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ + account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */ + account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */ + account_policy_set(AP_MAX_PASSWORD_AGE, MAX_PASSWORD_AGE); /* 21 days */ + account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */ + account_policy_set(AP_LOCK_ACCOUNT_DURATION, 0); /* lockout for 0 minutes */ + account_policy_set(AP_RESET_COUNT_TIME, 0); /* reset immediatly */ + account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */ + account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */ + } + tdb_unlock_bystring(tdb, vstring); + + + return True; +} + +/**************************************************************************** +****************************************************************************/ + +static char *decode_account_policy_name(field) +{ + switch (field) { + case AP_MIN_PASSWORD_LEN: + return "min password length"; + break; + case AP_PASSWORD_HISTORY: + return "password history"; + break; + case AP_USER_MUST_LOGON_TO_CHG_PASS: + return "user must logon to change password"; + break; + case AP_MAX_PASSWORD_AGE: + return "maximum password age"; + break; + case AP_MIN_PASSWORD_AGE: + return "minimum password age"; + break; + case AP_LOCK_ACCOUNT_DURATION: + return "lockout duration"; + break; + case AP_RESET_COUNT_TIME: + return "reset count minutes"; + break; + case AP_BAD_ATTEMPT_LOCKOUT: + return "bad lockout attempt"; + break; + case AP_TIME_TO_LOGOUT: + return "disconnect time"; + break; + default: + return "undefined value"; + break; + } +} + + +/**************************************************************************** +****************************************************************************/ +BOOL account_policy_get(int field, int *value) +{ + fstring name; + + fstrcpy(name, decode_account_policy_name(field)); + *value=tdb_fetch_int(tdb, name); + DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); + return True; +} + + +/**************************************************************************** +****************************************************************************/ +BOOL account_policy_set(int field, int value) +{ + fstring name; + + fstrcpy(name, decode_account_policy_name(field)); + if ( tdb_store_int(tdb, name, value)== -1) + return False; + DEBUG(10,("account_policy_set: %s:%d\n", name, value)); + + return True; +} + diff --git a/source3/lib/time.c b/source3/lib/time.c index b302726a95..f0f62ca841 100644 --- a/source3/lib/time.c +++ b/source3/lib/time.c @@ -304,6 +304,50 @@ time_t nt_time_to_unix(NTTIME *nt) return(ret); } +/**************************************************************************** +convert a NTTIME structure to a time_t +It's originally in "100ns units" + +this is an absolute version of the one above. +By absolute I mean, it doesn't adjust from 1/1/1601 to 1/1/1970 +if the NTTIME was 5 seconds, the time_t is 5 seconds. JFM +****************************************************************************/ +time_t nt_time_to_unix_abs(NTTIME *nt) +{ + double d; + time_t ret; + /* The next two lines are a fix needed for the + broken SCO compiler. JRA. */ + time_t l_time_min = TIME_T_MIN; + time_t l_time_max = TIME_T_MAX; + + if (nt->high == 0) + return(0); + + if (nt->high==0x80000000 && nt->low==0) + return -1; + + /* reverse the time */ + /* it's a negative value, turn it to positive */ + nt->high=~nt->high; + nt->low=~nt->low; + + d = ((double)nt->high)*4.0*(double)(1<<30); + d += (nt->low&0xFFF00000); + d *= 1.0e-7; + + if (!(l_time_min <= d && d <= l_time_max)) + return(0); + + ret = (time_t)(d+0.5); + + /* this takes us from kludge-GMT to real GMT */ + ret -= get_serverzone(); + ret += LocTimeDiff(ret); + + return(ret); +} + /**************************************************************************** @@ -355,6 +399,50 @@ void unix_to_nt_time(NTTIME *nt, time_t t) nt->low = (uint32)(d - ((double)nt->high)*4.0*(double)(1<<30)); } +/**************************************************************************** +convert a time_t to a NTTIME structure + +this is an absolute version of the one above. +By absolute I mean, it doesn't adjust from 1/1/1970 to 1/1/1601 +if the nttime_t was 5 seconds, the NTTIME is 5 seconds. JFM +****************************************************************************/ +void unix_to_nt_time_abs(NTTIME *nt, time_t t) +{ + double d; + + if (t==0) { + nt->low = 0; + nt->high = 0; + return; + } + + if (t == TIME_T_MAX) { + nt->low = 0xffffffff; + nt->high = 0x7fffffff; + return; + } + + if (t == -1) { + /* that's what NT uses for infinite */ + nt->low = 0x0; + nt->high = 0x80000000; + return; + } + + /* this converts GMT to kludge-GMT */ + t -= LocTimeDiff(t) - get_serverzone(); + + d = (double)(t); + d *= 1.0e7; + + nt->high = (uint32)(d * (1.0/(4.0*(double)(1<<30)))); + nt->low = (uint32)(d - ((double)nt->high)*4.0*(double)(1<<30)); + + /* convert to a negative value */ + nt->high=~nt->high; + nt->low=~nt->low; +} + /**************************************************************************** take an NTTIME structure, containing high / low time. convert to unix time. diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 8555186826..e469718b5c 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1776,6 +1776,7 @@ BOOL pdb_set_hours (SAM_ACCOUNT *sampass, const uint8 *hours) BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass) { + time_t expire; if (!sampass) return False; @@ -1783,10 +1784,17 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass) if (!pdb_set_pass_last_set_time (sampass, time(NULL))) return False; - if (!pdb_set_pass_must_change_time (sampass, + account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&expire); + + if (expire==-1) { + if (!pdb_set_pass_must_change_time (sampass, 0)) + return False; + } else { + if (!pdb_set_pass_must_change_time (sampass, pdb_get_pass_last_set_time(sampass) - + MAX_PASSWORD_AGE)) - return False; + + expire)) + return False; + } return True; } diff --git a/source3/rpc_parse/parse_samr.c b/source3/rpc_parse/parse_samr.c index 99c0fe30be..dfc58839e5 100644 --- a/source3/rpc_parse/parse_samr.c +++ b/source3/rpc_parse/parse_samr.c @@ -345,8 +345,15 @@ void init_samr_r_get_usrdom_pwinfo(SAMR_R_GET_USRDOM_PWINFO *r_u, NTSTATUS statu DEBUG(5, ("init_samr_r_get_usrdom_pwinfo\n")); r_u->unknown_0 = 0x0000; - r_u->unknown_1 = 0x0015; - r_u->unknown_2 = 0x00000000; + + /* + * used to be + * r_u->unknown_1 = 0x0015; + * but for trusts. + */ + r_u->unknown_1 = 0x01D1; + + r_u->unknown_2 = 0x00000000; r_u->status = status; } @@ -461,10 +468,10 @@ BOOL samr_io_q_query_dom_info(char *desc, SAMR_Q_QUERY_DOMAIN_INFO * q_u, inits a structure. ********************************************************************/ -void init_unk_info3(SAM_UNK_INFO_3 * u_3) +void init_unk_info3(SAM_UNK_INFO_3 *u_3, NTTIME nt_logout) { - u_3->unknown_0 = 0x00000000; - u_3->unknown_1 = 0x80000000; + u_3->logout.low = nt_logout.low; + u_3->logout.high = nt_logout.high; } /******************************************************************* @@ -480,9 +487,7 @@ static BOOL sam_io_unk_info3(char *desc, SAM_UNK_INFO_3 * u_3, prs_debug(ps, depth, desc, "sam_io_unk_info3"); depth++; - if(!prs_uint32("unknown_0", ps, depth, &u_3->unknown_0)) /* 0x0000 0000 */ - return False; - if(!prs_uint32("unknown_1", ps, depth, &u_3->unknown_1)) /* 0x8000 0000 */ + if(!smb_io_time("logout", &u_3->logout, ps, depth)) return False; return True; @@ -554,14 +559,14 @@ static BOOL sam_io_unk_info7(char *desc, SAM_UNK_INFO_7 * u_7, inits a structure. ********************************************************************/ -void init_unk_info12(SAM_UNK_INFO_12 * u_12) +void init_unk_info12(SAM_UNK_INFO_12 * u_12, NTTIME nt_lock_duration, NTTIME nt_reset_time, uint16 lockout) { - u_12->duration.low = 0xcf1dcc00; - u_12->duration.high = 0xfffffffb; - u_12->reset_count.low = 0xcf1dcc00; - u_12->reset_count.high = 0xfffffffb; + u_12->duration.low = nt_lock_duration.low; + u_12->duration.high = nt_lock_duration.high; + u_12->reset_count.low = nt_reset_time.low; + u_12->reset_count.high = nt_reset_time.high; - u_12->bad_attempt_lockout = 0x0000; + u_12->bad_attempt_lockout = lockout; } /******************************************************************* @@ -719,19 +724,20 @@ static BOOL sam_io_unk_info2(char *desc, SAM_UNK_INFO_2 * u_2, inits a structure. ********************************************************************/ -void init_unk_info1(SAM_UNK_INFO_1 * u_1) +void init_unk_info1(SAM_UNK_INFO_1 *u_1, uint16 min_pass_len, uint16 pass_hist, + uint32 flag, NTTIME nt_expire, NTTIME nt_min_age) { - u_1->min_length_password = 0; - u_1->password_history = 0; - u_1->flag = 0; + u_1->min_length_password = min_pass_len; + u_1->password_history = pass_hist; + u_1->flag = flag; /* password never expire */ - u_1->expire.high = 0x80000000; - u_1->expire.low = 0; + u_1->expire.high = nt_expire.high; + u_1->expire.low = nt_expire.low; /* can change the password now */ - u_1->min_passwordage.high = 0; - u_1->min_passwordage.low = 0; + u_1->min_passwordage.high = nt_min_age.high; + u_1->min_passwordage.low = nt_min_age.low; } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8882b0801a..13340d0a60 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1907,53 +1907,84 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) { - SAM_UNK_CTR *ctr; + SAM_UNK_CTR *ctr; + uint32 min_pass_len,pass_hist,flag; + time_t u_expire, u_min_age; + NTTIME nt_expire, nt_min_age; + + time_t u_lock_duration, u_reset_time; + NTTIME nt_lock_duration, nt_reset_time; + uint32 lockout; + + time_t u_logout; + NTTIME nt_logout; + if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(ctr); + ZERO_STRUCTP(ctr); - r_u->status = NT_STATUS_OK; + r_u->status = NT_STATUS_OK; - DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - switch (q_u->switch_value) { - case 0x01: - init_unk_info1(&ctr->info.inf1); - break; - case 0x02: + switch (q_u->switch_value) { + case 0x01: + account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); + account_policy_get(AP_PASSWORD_HISTORY, &pass_hist); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &flag); + account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire); + account_policy_get(AP_MIN_PASSWORD_AGE, (int *)&u_min_age); + + unix_to_nt_time_abs(&nt_expire, u_expire); + unix_to_nt_time_abs(&nt_min_age, u_min_age); + + init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, + flag, nt_expire, nt_min_age); + break; + case 0x02: /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); - break; - case 0x03: - init_unk_info3(&ctr->info.inf3); - break; - case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname); - break; - case 0x06: - init_unk_info6(&ctr->info.inf6); - break; - case 0x07: - init_unk_info7(&ctr->info.inf7); - break; - case 0x0c: - init_unk_info12(&ctr->info.inf12); - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; - } + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + break; + case 0x03: + account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); + unix_to_nt_time_abs(&nt_logout, u_logout); + + init_unk_info3(&ctr->info.inf3, nt_logout); + break; + case 0x05: + init_unk_info5(&ctr->info.inf5, global_myname); + break; + case 0x06: + init_unk_info6(&ctr->info.inf6); + break; + case 0x07: + init_unk_info7(&ctr->info.inf7); + break; + case 0x0c: + account_policy_get(AP_LOCK_ACCOUNT_DURATION, (int *)&u_lock_duration); + account_policy_get(AP_RESET_COUNT_TIME, (int *)&u_reset_time); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &lockout); + + unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); + unix_to_nt_time_abs(&nt_reset_time, u_reset_time); + + init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } - init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /******************************************************************* @@ -3460,53 +3491,83 @@ NTSTATUS _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOW NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u) { - SAM_UNK_CTR *ctr; + SAM_UNK_CTR *ctr; + uint32 min_pass_len,pass_hist,flag; + time_t u_expire, u_min_age; + NTTIME nt_expire, nt_min_age; + + time_t u_lock_duration, u_reset_time; + NTTIME nt_lock_duration, nt_reset_time; + uint32 lockout; + + time_t u_logout; + NTTIME nt_logout; if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(ctr); + ZERO_STRUCTP(ctr); - r_u->status = NT_STATUS_OK; + r_u->status = NT_STATUS_OK; - DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - switch (q_u->switch_value) { - case 0x01: - init_unk_info1(&ctr->info.inf1); - break; - case 0x02: + switch (q_u->switch_value) { + case 0x01: + account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); + account_policy_get(AP_PASSWORD_HISTORY, &pass_hist); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &flag); + account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire); + account_policy_get(AP_MIN_PASSWORD_AGE, (int *)&u_min_age); + + unix_to_nt_time_abs(&nt_expire, u_expire); + unix_to_nt_time_abs(&nt_min_age, u_min_age); + + init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, + flag, nt_expire, nt_min_age); + break; + case 0x02: /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); - break; - case 0x03: - init_unk_info3(&ctr->info.inf3); - break; - case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname); - break; - case 0x06: - init_unk_info6(&ctr->info.inf6); - break; - case 0x07: - init_unk_info7(&ctr->info.inf7); - break; - case 0x0c: - init_unk_info12(&ctr->info.inf12); - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; - } + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + break; + case 0x03: + account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); + unix_to_nt_time_abs(&nt_logout, u_logout); + + init_unk_info3(&ctr->info.inf3, nt_logout); + break; + case 0x05: + init_unk_info5(&ctr->info.inf5, global_myname); + break; + case 0x06: + init_unk_info6(&ctr->info.inf6); + break; + case 0x07: + init_unk_info7(&ctr->info.inf7); + break; + case 0x0c: + account_policy_get(AP_LOCK_ACCOUNT_DURATION, (int *)&u_lock_duration); + account_policy_get(AP_RESET_COUNT_TIME, (int *)&u_reset_time); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &lockout); + + unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); + unix_to_nt_time_abs(&nt_reset_time, u_reset_time); + + init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } - init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /******************************************************************* @@ -3515,6 +3576,10 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u) { + time_t u_expire, u_min_age; + time_t u_logout; + time_t u_lock_duration, u_reset_time; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); @@ -3523,25 +3588,41 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(0,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); + DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); switch (q_u->switch_value) { - case 0x01: - break; - case 0x02: - break; - case 0x03: - break; - case 0x05: - break; - case 0x06: - break; - case 0x07: - break; - case 0x0c: - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; + case 0x01: + u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); + u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); + + account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); + account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); + account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire); + account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age); + break; + case 0x02: + break; + case 0x03: + u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); + account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout); + break; + case 0x05: + break; + case 0x06: + break; + case 0x07: + break; + case 0x0c: + u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); + u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count); + + account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); + account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); + account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; } init_samr_r_set_domain_info(r_u, NT_STATUS_OK); diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 2f374e48aa..df56dfe9ab 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -825,13 +825,18 @@ static void usage(char *pname) /* possibly reload the services file. */ reload_services(True); - if (init_group_mapping()==False) { - printf("Could not open tdb mapping file.\n"); + if(!pdb_generate_sam_sid()) { + DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n")); + exit(1); + } + + if (!init_group_mapping()) { + DEBUG(0,("Could not open tdb mapping file.\n")); return 0; } - if(!pdb_generate_sam_sid()) { - DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n")); + if (!init_account_policy()) { + DEBUG(0,("Could not open account policy tdb.\n")); exit(1); } diff --git a/source3/utils/smbgroupedit.c b/source3/utils/smbgroupedit.c index 9d42d2fc92..58ed0a8294 100644 --- a/source3/utils/smbgroupedit.c +++ b/source3/utils/smbgroupedit.c @@ -246,6 +246,16 @@ int main (int argc, char **argv) exit(1); } + if(pdb_generate_sam_sid()==False) { + printf("Can not read machine SID\n"); + return 0; + } + + if (init_group_mapping()==False) { + printf("Could not open tdb mapping file.\n"); + return 0; + } + while ((ch = getopt(argc, argv, "a:c:d:ln:p:st:u:vx:")) != EOF) { switch(ch) { case 'a': @@ -325,18 +335,6 @@ int main (int argc, char **argv) break; } } - - if (init_group_mapping()==False) { - printf("Could not open tdb mapping file.\n"); - return 0; - } - - if(pdb_generate_sam_sid()==False) { - printf("Can not read machine SID\n"); - return 0; - } - - default_group_mapping(); if (add_group) return addgroup(group, sid_type, ntgroup, group_desc, privilege); -- cgit