From cdf9b42754b7e97faa7fc4eb1ec69e32c0bfd1a0 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 3 Dec 2001 17:14:23 +0000 Subject: added a tdb to store the account policy informations. You can change them with either usermanager->policies->account or from a command prompt on NT/W2K: net accounts /domain we can add a rpc accounts to the net command. As the net_rpc.c is still empty, I did not start. How should I add command to it ? Should I take the rpcclient/cmd_xxx functions and call them from there ? alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more for jeremy ;-) J.F. (This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21) --- source3/lib/account_pol.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 source3/lib/account_pol.c (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c new file mode 100644 index 0000000000..aad6f8e11d --- /dev/null +++ b/source3/lib/account_pol.c 
@@ -0,0 +1,132 @@
+/*
+ * Unix SMB/Netbios implementation.
+ * Version 1.9.
+ * account policy storage
+ * Copyright (C) Jean François Micouleau 1998-2001.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+static TDB_CONTEXT *tdb; /* used for driver files */
+
+#define DATABASE_VERSION 1
+
+/****************************************************************************
+open the account policy tdb
+****************************************************************************/
+BOOL init_account_policy(void)
+{
+ static pid_t local_pid;
+ char *vstring = "INFO/version";
+
+ if (tdb && local_pid == sys_getpid()) return True;
+ tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+ if (!tdb) {
+ DEBUG(0,("Failed to open account policy database\n"));
+ return False;
+ }
+
+ local_pid = sys_getpid();
+
+ /* handle a Samba upgrade */
+ tdb_lock_bystring(tdb, vstring);
+ if (tdb_fetch_int(tdb, vstring) != DATABASE_VERSION) {
+ tdb_traverse(tdb, (tdb_traverse_func)tdb_delete, NULL);
+ tdb_store_int(tdb, vstring, DATABASE_VERSION);
+
+ account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */
+ account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */
+ account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */
+ account_policy_set(AP_MAX_PASSWORD_AGE, MAX_PASSWORD_AGE); /* 21 days */
+ account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */
+ account_policy_set(AP_LOCK_ACCOUNT_DURATION, 0); /* lockout for 0 minutes */
+ account_policy_set(AP_RESET_COUNT_TIME, 0); /* reset immediatly */
+ account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */
+ account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */
+ }
+ tdb_unlock_bystring(tdb, vstring);
+
+
+ return True;
+}
+
+/****************************************************************************
+****************************************************************************/
+
+static char *decode_account_policy_name(field)
+{
+ switch (field) {
+ case AP_MIN_PASSWORD_LEN:
+ return "min password length";
+ break;
+ case AP_PASSWORD_HISTORY:
+ return "password history";
+ break;
+ case AP_USER_MUST_LOGON_TO_CHG_PASS:
+ return "user must logon to change password";
+ break;
+ case AP_MAX_PASSWORD_AGE:
+ return "maximum password age";
+ break;
+ case AP_MIN_PASSWORD_AGE:
+ return "minimum password age";
+ break;
+ case AP_LOCK_ACCOUNT_DURATION:
+ return "lockout duration";
+ break;
+ case AP_RESET_COUNT_TIME:
+ return "reset count minutes";
+ break;
+ case AP_BAD_ATTEMPT_LOCKOUT:
+ return "bad lockout attempt";
+ break;
+ case AP_TIME_TO_LOGOUT:
+ return "disconnect time";
+ break;
+ default:
+ return "undefined value";
+ break;
+ }
+}
+
+
+/****************************************************************************
+****************************************************************************/
+BOOL account_policy_get(int field, int *value)
+{
+ fstring name;
+
+ fstrcpy(name, decode_account_policy_name(field));
+ *value=tdb_fetch_int(tdb, name);
+ DEBUG(10,("account_policy_get: %s:%d\n", name, *value));
+ return True;
+}
+
+
+/****************************************************************************
+****************************************************************************/
+BOOL account_policy_set(int field, int value) +{ + fstring name; + + fstrcpy(name, decode_account_policy_name(field)); + if ( tdb_store_int(tdb, name, value)== -1) + return False; + DEBUG(10,("account_policy_set: %s:%d\n", name, value)); + + return True; +} + -- cgit From 1838d83e241ceaa73c61c53b50d5f7104b2f6143 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Dec 2001 06:20:39 +0000 Subject: moved init_account_policy() to the right place (This used to be commit e908f304a26b9f1100e301610151a9334bf117b0) --- source3/lib/account_pol.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index aad6f8e11d..74c8883ed1 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -66,7 +66,7 @@ BOOL init_account_policy(void) /**************************************************************************** ****************************************************************************/ -static char *decode_account_policy_name(field) +static char *decode_account_policy_name(int field) { switch (field) { case AP_MIN_PASSWORD_LEN: @@ -109,6 +109,8 @@ BOOL account_policy_get(int field, int *value) { fstring name; + init_account_policy(); + fstrcpy(name, decode_account_policy_name(field)); *value=tdb_fetch_int(tdb, name); DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); @@ -122,6 +124,8 @@ BOOL account_policy_set(int field, int value) { fstring name; + init_account_policy(); + fstrcpy(name, decode_account_policy_name(field)); if ( tdb_store_int(tdb, name, value)== -1) return False; -- cgit From eb4e10115310b6ed23b92abac2e79454c80930b1 Mon Sep 17 00:00:00 2001 
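Review bot: The `default:` arm of decode_account_policy_name() returns the string "undefined value", and account_policy_get() and account_policy_set() use whatever the decoder returns as the tdb key, so every unknown field number reads and writes one shared record instead of being rejected. account_policy_get() also returns True unconditionally and never checks that `tdb` has been opened, so a caller cannot tell a stored policy from a failed lookup. I would have the decoder signal an unknown field with `default: return NULL;` and have both accessors test the pointer and `return False;` before any copy or database call. The empty banner comments above the decoder and the two accessors should state that contract.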
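Review bot: The return value of `init_account_policy()` is discarded in account_policy_get() (hunk at -109,6) and again in account_policy_set() (hunk at -124,6), so when the database cannot be opened both functions carry on and hand a NULL `tdb` to the fetch or store call. Propagate the failure instead: `if (!init_account_policy()) return False;`. Both function bodies continue outside their hunks.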
From: Andrew Tridgell Date: Mon, 31 Dec 2001 13:46:26 +0000 Subject: - portablitity fixes for cc -64 on irix - fixed gid* bug in rpc_server (This used to be commit 48aa90c48c5f0e3054c4acdc49668e222e7c0d36) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 74c8883ed1..1b70d0ceb0 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -105,7 +105,7 @@ static char *decode_account_policy_name(int field) /**************************************************************************** ****************************************************************************/ -BOOL account_policy_get(int field, int *value) +BOOL account_policy_get(int field, uint32 *value) { fstring name; @@ -120,7 +120,7 @@ BOOL account_policy_get(int field, int *value) /**************************************************************************** ****************************************************************************/ -BOOL account_policy_set(int field, int value) +BOOL account_policy_set(int field, uint32 value) { fstring name; -- cgit From 84ecd95dba6cf03070432b3cc37d511d310d1325 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 31 Dec 2001 14:05:22 +0000 Subject: more irix -64 portability fixes (This used to be commit 65e857b36e170e3ecd78bf6695ae73342e9c04cd) --- source3/lib/account_pol.c | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 1b70d0ceb0..33579108fa 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
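Review bot: With `value` now a `uint32 *` (hunk at -105,7), the assignment `*value=tdb_fetch_int(tdb, name)` in the body of account_policy_get() folds any negative return into a large unsigned policy value while the function still returns True. If tdb_fetch_int() signals a missing key with a negative number (its contract is not visible on this page), an absent policy is reported as a very large setting rather than as an error. A sentinel check is not enough here, because init_account_policy() itself stores -1 for AP_TIME_TO_LOGOUT; the accessor needs a fetch call that reports success separately from the value. The DEBUG format should follow the type change as well, `"account_policy_get: %s:%u\n"`, and the same applies to account_policy_set() in the -120,7 hunk. The assignment line lies outside this hunk and is visible in the previous commit's -109,6 hunk.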
@@ -71,34 +71,24 @@ static char *decode_account_policy_name(int field) switch (field) { case AP_MIN_PASSWORD_LEN: return "min password length"; - break; case AP_PASSWORD_HISTORY: return "password history"; - break; case AP_USER_MUST_LOGON_TO_CHG_PASS: return "user must logon to change password"; - break; case AP_MAX_PASSWORD_AGE: return "maximum password age"; - break; case AP_MIN_PASSWORD_AGE: return "minimum password age"; - break; case AP_LOCK_ACCOUNT_DURATION: return "lockout duration"; - break; case AP_RESET_COUNT_TIME: return "reset count minutes"; - break; case AP_BAD_ATTEMPT_LOCKOUT: return "bad lockout attempt"; - break; case AP_TIME_TO_LOGOUT: return "disconnect time"; - break; default: return "undefined value"; - break; } } -- cgit From eca99f5c226f9518d1ab5c0ba3e586e3d59564d7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Jan 2002 22:48:48 +0000 Subject: Fixed nasty cast of tdb_delete in traversals. Jeremy. (This used to be commit a0cdec3acc82d1ce0292fadd4b8dac23638450f3) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 33579108fa..111bf5bb91 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -44,7 +44,7 @@ BOOL init_account_policy(void) /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring); if (tdb_fetch_int(tdb, vstring) != DATABASE_VERSION) { - tdb_traverse(tdb, (tdb_traverse_func)tdb_delete, NULL); + tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); tdb_store_int(tdb, vstring, DATABASE_VERSION); account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ -- cgit From 91536cc901088232074ad8dd7ae16e0f6026f25e Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 9 Jan 2002 04:13:30 +0000 Subject: Fixed all uses of tdb_fetch/store/_int to use explicit int32 little endian in tdb's. All except winbindd_idmap.... Hmmmmmm. Jeremy. (This used to be commit ec71f1732b6b27bd2d65b250a6f3720a235dc38d) --- source3/lib/account_pol.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 111bf5bb91..126ee291d8 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -25,14 +25,16 @@ static TDB_CONTEXT *tdb; /* used for driver files */ #define DATABASE_VERSION 1 /**************************************************************************** -open the account policy tdb + Open the account policy tdb. ****************************************************************************/ + BOOL init_account_policy(void) { static pid_t local_pid; char *vstring = "INFO/version"; - if (tdb && local_pid == sys_getpid()) return True; + if (tdb && local_pid == sys_getpid()) + return True; tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { DEBUG(0,("Failed to open account policy database\n")); @@ -43,9 +45,9 @@ BOOL init_account_policy(void) /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring); - if (tdb_fetch_int(tdb, vstring) != DATABASE_VERSION) { + if (tdb_fetch_int32(tdb, vstring) != DATABASE_VERSION) { tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); - tdb_store_int(tdb, vstring, DATABASE_VERSION); + tdb_store_int32(tdb, vstring, DATABASE_VERSION); account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */ @@ -59,7 +61,6 @@ BOOL init_account_policy(void) } tdb_unlock_bystring(tdb, vstring); - return True; } 
@@ -102,7 +103,7 @@ BOOL account_policy_get(int field, uint32 *value) init_account_policy(); fstrcpy(name, decode_account_policy_name(field)); - *value=tdb_fetch_int(tdb, name); + *value=tdb_fetch_int32(tdb, name); DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); return True; } @@ -117,7 +118,7 @@ BOOL account_policy_set(int field, uint32 value) init_account_policy(); fstrcpy(name, decode_account_policy_name(field)); - if ( tdb_store_int(tdb, name, value)== -1) + if ( tdb_store_int32(tdb, name, value)== -1) return False; DEBUG(10,("account_policy_set: %s:%d\n", name, value)); -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/lib/account_pol.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 126ee291d8..07676e2202 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -1,6 +1,5 @@ /* - * Unix SMB/Netbios implementation. - * Version 1.9. + * Unix SMB/CIFS implementation. * account policy storage * Copyright (C) Jean François Micouleau 1998-2001. * -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/lib/account_pol.c | 88 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 62 insertions(+), 26 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 07676e2202..07b5e2ecfc 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
@@ -2,6 +2,7 @@ * Unix SMB/CIFS implementation. * account policy storage * Copyright (C) Jean François Micouleau 1998-2001. + * Copyright (C) Andrew Bartlett 2002 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,6 +32,7 @@ BOOL init_account_policy(void) { static pid_t local_pid; char *vstring = "INFO/version"; + uint32 version; if (tdb && local_pid == sys_getpid()) return True; @@ -44,9 +46,9 @@ BOOL init_account_policy(void) /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring); - if (tdb_fetch_int32(tdb, vstring) != DATABASE_VERSION) { + if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); - tdb_store_int32(tdb, vstring, DATABASE_VERSION); + tdb_store_uint32(tdb, vstring, DATABASE_VERSION); account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */ 
@@ -63,33 +65,50 @@ BOOL init_account_policy(void) return True; } +static const struct { + int field; + char *string; +} account_policy_names[] = { + {AP_MIN_PASSWORD_LEN, "min password length"}, + {AP_PASSWORD_HISTORY, "password history"}, + {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, + {AP_MAX_PASSWORD_AGE, "maximum password age"}, + {AP_MIN_PASSWORD_AGE,"minimum password age"}, + {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, + {AP_RESET_COUNT_TIME, "reset count minutes"}, + {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, + {AP_TIME_TO_LOGOUT, "disconnect time"}, + {0, NULL} +}; + +/**************************************************************************** +Get the account policy name as a string from its #define'ed number +****************************************************************************/ + +static const char *decode_account_policy_name(int field) +{ + int i; + for (i=0; account_policy_names[i].string; i++) { + if (field == account_policy_names[i].field) + return account_policy_names[i].string; + } + return NULL; + +} + /**************************************************************************** +Get the account policy name as a string from its #define'ed number ****************************************************************************/ -static char *decode_account_policy_name(int field) +int account_policy_name_to_fieldnum(const char *name) { - switch (field) { - case AP_MIN_PASSWORD_LEN: - return "min password length"; - case AP_PASSWORD_HISTORY: - return "password history"; - case AP_USER_MUST_LOGON_TO_CHG_PASS: - return "user must logon to change password"; - case AP_MAX_PASSWORD_AGE: - return "maximum password age"; - case AP_MIN_PASSWORD_AGE: - return "minimum password age"; - case AP_LOCK_ACCOUNT_DURATION: - return "lockout duration"; - case AP_RESET_COUNT_TIME: - return "reset count minutes"; - case AP_BAD_ATTEMPT_LOCKOUT: - return "bad lockout attempt"; - case AP_TIME_TO_LOGOUT: - return "disconnect time"; 
- default: - return "undefined value"; + int i; + for (i=0; account_policy_names[i].string; i++) { + if (strcmp(name, account_policy_names[i].string) == 0) + return account_policy_names[i].field; } + return 0; + } @@ -101,8 +120,17 @@ BOOL account_policy_get(int field, uint32 *value) init_account_policy(); + *value = 0; + fstrcpy(name, decode_account_policy_name(field)); - *value=tdb_fetch_int32(tdb, name); + if (!*name) { + DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field)); + return False; + } + if (!tdb_fetch_uint32(tdb, name, value)) { + DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for feild %d (%s), returning 0", field, name)); + return False; + } DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); return True; } @@ -117,8 +145,16 @@ BOOL account_policy_set(int field, uint32 value) init_account_policy(); fstrcpy(name, decode_account_policy_name(field)); - if ( tdb_store_int32(tdb, name, value)== -1) + if (!*name) { + DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field)); return False; + } + + if (!tdb_store_uint32(tdb, name, value)) { + DEBUG(1, ("tdb_store_uint32 failed for feild %d (%s) on value %u", field, name, value)); + return False; + } + DEBUG(10,("account_policy_set: %s:%d\n", name, value)); return True; -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 07b5e2ecfc..b5f205c508 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
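Review bot: decode_account_policy_name() now returns NULL for an unknown field, and the callers changed later in this commit pass that result straight to `fstrcpy(name, ...)` and only afterwards test `!*name`, which is safe only if fstrcpy() tolerates a NULL source (its definition is not on this page). Test the pointer before copying, e.g. `const char *n = decode_account_policy_name(field); if (!n) return False;`. The banner above account_policy_name_to_fieldnum() is a copy of the decoder's and describes the opposite direction; it should read `Get the account policy field number from its name; returns 0 if the name is unknown`. Whether 0 can collide with a real AP_* constant cannot be seen here and should be confirmed.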
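Review bot: account_policy_get() sets `*value = 0` ahead of both failure returns (hunk at -101,8), and for several of these policies 0 is the most permissive setting: the defaults in init_account_policy() annotate 0 as "don't lockout" and "don't keep any old password". A caller that ignores the BOOL result therefore enforces nothing when the lookup fails. Either leave `*value` untouched on failure or state the contract above the function, e.g. `/* Returns False and *value == 0 on failure; callers must check the result before applying the policy. */`. The new `tdb_fetch_uint32 failed` message lacks a trailing `\n`, as does the `tdb_store_uint32 failed` message in account_policy_set() (hunk at -117,8).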
@@ -128,7 +128,7 @@ BOOL account_policy_get(int field, uint32 *value) return False; } if (!tdb_fetch_uint32(tdb, name, value)) { - DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for feild %d (%s), returning 0", field, name)); + DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for efild %d (%s), returning 0", field, name)); return False; } DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); @@ -151,7 +151,7 @@ BOOL account_policy_set(int field, uint32 value) } if (!tdb_store_uint32(tdb, name, value)) { - DEBUG(1, ("tdb_store_uint32 failed for feild %d (%s) on value %u", field, name, value)); + DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value)); return False; } -- cgit From 3665777a5bc7ffa92f64ba17daf4cc66c3607198 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Oct 2002 22:53:18 +0000 Subject: Add a timeout to tdb_lock_bystring(). Ensure we never have more than MAX_PRINT_JOBS in a queue. Jeremy. (This used to be commit 9fe3c0b90d4bff2217e3cb5a34b4683ca314c06e) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index b5f205c508..6f51c916d7 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -45,7 +45,7 @@ BOOL init_account_policy(void) local_pid = sys_getpid(); /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring); + tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); tdb_store_uint32(tdb, vstring, DATABASE_VERSION); -- cgit From 634c54310c92c48dd4eceec602e230a021bdcfc5 Mon Sep 17 00:00:00 2001 
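Review bot: The replacement text in the account_policy_get() message is still misspelled: `efild` should be `field`, as the account_policy_set() hunk at -151,7 of the same commit has it. Both messages also still end without `\n`, unlike the other DEBUG calls in the file; the first should read `"account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n"`.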
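Review bot: The result of `tdb_lock_bystring(tdb, vstring,0)` is not checked, so if the lock cannot be taken the version test, the `tdb_traverse(tdb, tdb_traverse_delete_fn, NULL)` wipe and the default writes that follow all run unlocked. What the new third argument `0` means (no timeout, or fail immediately) is not visible here and deserves a comment on the call, e.g. `/* 0 = <meaning per tdb_lock_bystring()> */`. I would fail closed: test the call's result and return False with a DEBUG(0, ...) message when the lock is not obtained, using whatever failure value tdb_lock_bystring() documents. init_account_policy() continues outside the hunk.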
From: Andrew Bartlett Date: Fri, 3 Jan 2003 08:28:12 +0000 Subject: Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 6f51c916d7..2e619c0c6b 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -31,7 +31,7 @@ static TDB_CONTEXT *tdb; /* used for driver files */ BOOL init_account_policy(void) { static pid_t local_pid; - char *vstring = "INFO/version"; + const char *vstring = "INFO/version"; uint32 version; if (tdb && local_pid == sys_getpid()) @@ -67,7 +67,7 @@ BOOL init_account_policy(void) static const struct { int field; - char *string; + const char *string; } account_policy_names[] = { {AP_MIN_PASSWORD_LEN, "min password length"}, {AP_PASSWORD_HISTORY, "password history"}, -- cgit From 656d2c75c98a8c454c0a3d6873b8a73ce6138e44 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Apr 2003 11:29:54 +0000 Subject: Don't try to continue if initialisation fails (merge from HEAD) (This used to be commit ff3ec67e120d29db2b85ce444ce89a205ea7a067) --- source3/lib/account_pol.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 2e619c0c6b..b43f582d7c 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -118,7 +118,8 @@ BOOL account_policy_get(int field, uint32 *value) { fstring name; - init_account_policy(); + if (!init_account_policy()) + return False; *value = 0; 
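Review bot: In account_policy_get() (hunk at -118,7) the new early `return False` sits above `*value = 0;`, so when init_account_policy() fails the caller's variable is left unset, unlike the other failure paths of the function, which return after the zeroing. Move the assignment ahead of the check: `*value = 0;` followed by `if (!init_account_policy()) return False;`. The function body continues outside the hunk.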
@@ -142,7 +143,8 @@ BOOL account_policy_set(int field, uint32 value) { fstring name; - init_account_policy(); + if (!init_account_policy()) + return False; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { -- cgit From 03412f056d7a277aab8cf6c3daa850803ae74126 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 28 Apr 2003 05:47:07 +0000 Subject: Whitespace syncup. (This used to be commit 7fd7af121ee8ba4f9540394f64fe3c78e2e96cd2) --- source3/lib/account_pol.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index b43f582d7c..e8b382c7ab 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -118,8 +118,7 @@ BOOL account_policy_get(int field, uint32 *value) { fstring name; - if (!init_account_policy()) - return False; + if(!init_account_policy())return False; *value = 0; @@ -143,8 +142,7 @@ BOOL account_policy_set(int field, uint32 value) { fstring name; - if (!init_account_policy()) - return False; + if(!init_account_policy())return False; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { -- cgit From 37d77e3d6cf85eae9f45d18b756101fc1f50460b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 25 Jul 2003 19:57:26 +0000 Subject: Fix bug #184; set max_pw_age in account_pol to -1 so the default is never to expire (This used to be commit 833bc5c06018043cf0eb6bdcbb96922964286559) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index e8b382c7ab..dc131985a1 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
@@ -53,7 +53,7 @@ BOOL init_account_policy(void) account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */ account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */ - account_policy_set(AP_MAX_PASSWORD_AGE, MAX_PASSWORD_AGE); /* 21 days */ + account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1); /* don't expire */ account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */ account_policy_set(AP_LOCK_ACCOUNT_DURATION, 0); /* lockout for 0 minutes */ account_policy_set(AP_RESET_COUNT_TIME, 0); /* reset immediatly */ -- cgit From 4a7d90424fa75709a56f3810e6cf2bde1dc781f0 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 20 Feb 2004 15:59:05 +0000 Subject: Make default lockout duration and reset count time 30 minutes, to match windows, and also be valid (0 was invalid) (This used to be commit 7ff42fffb2b207aea1dba306c914c7e09994d608) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index dc131985a1..c2c63493a6 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -55,8 +55,8 @@ BOOL init_account_policy(void) account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */ account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1); /* don't expire */ account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */ - account_policy_set(AP_LOCK_ACCOUNT_DURATION, 0); /* lockout for 0 minutes */ - account_policy_set(AP_RESET_COUNT_TIME, 0); /* reset immediatly */ + account_policy_set(AP_LOCK_ACCOUNT_DURATION, 30); /* lockout for 30 minutes */ + account_policy_set(AP_RESET_COUNT_TIME, 30); /* reset after 30 minutes */ account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */ account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */ } -- cgit 
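Review bot: The new default `(uint32)-1` for AP_MAX_PASSWORD_AGE is written only inside the version-mismatch branch of init_account_policy(), and DATABASE_VERSION is not changed by this commit, so databases that already exist appear to keep the previously stored MAX_PASSWORD_AGE value. If the fix is meant to reach existing installations it needs an explicit upgrade step. The all-ones value is a sentinel rather than a duration; a named constant, or a comment such as `/* 0xFFFFFFFF = password never expires */`, would make that plain at the call site. The 30-minute lockout defaults in the following commit's -55,8 hunk are subject to the same limitation.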
From d4ac326d46faab010eeeb24c893ab13bbbf0337e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 8 Jul 2004 21:01:30 +0000 Subject: r1412: Fix password history list in tdbsam. Fix some memory leaks. Add my (C) to a header file that was at least 50% mine :-). Jeremy. (This used to be commit 8ee6060977ec8e65082f3ad09e1e1ccf5b4672ed) --- source3/lib/account_pol.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index c2c63493a6..8d5b963da2 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -81,6 +81,30 @@ static const struct { {0, NULL} }; +char *account_policy_names_list(void) +{ + char *nl, *p; + int i; + size_t len = 0; + + for (i=0; account_policy_names[i].string; i++) { + len += strlen(account_policy_names[i].string) + 1; + } + len++; + nl = malloc(len); + if (!nl) { + return NULL; + } + p = nl; + for (i=0; account_policy_names[i].string; i++) { + memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1); + p[strlen(account_policy_names[i].string)] = '\n'; + p += strlen(account_policy_names[i].string) + 1; + } + *p = '\0'; + return nl; +} + /**************************************************************************** Get the account policy name as a string from its #define'ed number ****************************************************************************/ @@ -111,9 +135,9 @@ int account_policy_name_to_fieldnum(const char *name) } - /**************************************************************************** ****************************************************************************/ + BOOL account_policy_get(int field, uint32 *value) { fstring name; @@ -159,4 +183,3 @@ BOOL account_policy_set(int field, uint32 value) return True; } - -- cgit From 9c61daf667ca0ac939f4bd724d1c0f708983f82a Mon Sep 17 00:00:00 2001 
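Review bot: account_policy_names_list() (hunk at -81,6) has no comment saying that it returns a heap buffer the caller must free, or that it returns NULL when the allocation fails. Add a banner in the file's style, e.g. `Return a malloc'ed, newline-separated list of all policy names. Caller frees; NULL on allocation failure.` In the copy loop `strlen(account_policy_names[i].string)` is evaluated three times per entry; holding it in a local `size_t` would make the NUL-to-newline overwrite and the pointer advance easier to check against the length computed in the first loop.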
From: Volker Lendecke Date: Fri, 5 Nov 2004 21:55:21 +0000 Subject: r3561: Since we have tdb_reopen_all() after all forks, the local_pid logic is not correct anymore. If we actually open the tdb before the fork, we end up opening the tdb twice. Jerry, jra, this also happens in the locking and printing subsystems. You might want to check it there (not that it actually happens right now, but this gave me some confusion lately...). Volker (This used to be commit 40cad9dcc14ddec0ce74bb9010d13bd82e4d10af) --- source3/lib/account_pol.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 8d5b963da2..c8507f722d 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -30,11 +30,10 @@ static TDB_CONTEXT *tdb; /* used for driver files */ BOOL init_account_policy(void) { - static pid_t local_pid; const char *vstring = "INFO/version"; uint32 version; - if (tdb && local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { @@ -42,8 +41,6 @@ BOOL init_account_policy(void) return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { -- cgit From 3bd5c9a8385576c3201580233e521b9de11918ab Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 24 Nov 2004 09:44:57 +0000 Subject: r3940: typo. Guenther (This used to be commit 412ff4a129c5e719aa4d4e4856500ff59c82b939) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index c8507f722d..9120452e2e 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
@@ -149,7 +149,7 @@ BOOL account_policy_get(int field, uint32 *value) return False; } if (!tdb_fetch_uint32(tdb, name, value)) { - DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for efild %d (%s), returning 0", field, name)); + DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name)); return False; } DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 9120452e2e..aa59383258 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -88,7 +88,7 @@ char *account_policy_names_list(void) len += strlen(account_policy_names[i].string) + 1; } len++; - nl = malloc(len); + nl = SMB_MALLOC(len); if (!nl) { return NULL; } -- cgit From deaaa6ee9ee0e3f170498baabca4a175453718ed Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Mon, 10 Jan 2005 18:29:52 +0000 Subject: r4651: Add "refuse machine password change" policy field. This update will just return the appropriate reg value. Enforcement to be added soon. Also, fix account policy tdb upgrade so it doesn't just wipe out everything that was in there from a a previous version. (This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67) --- source3/lib/account_pol.c | 66 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 52 insertions(+), 14 deletions(-) (limited to 'source3/lib/account_pol.c') 
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index aa59383258..c62396c22d 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -22,7 +22,19 @@ #include "includes.h" static TDB_CONTEXT *tdb; /* used for driver files */ -#define DATABASE_VERSION 1 +#define DATABASE_VERSION 2 + +/**************************************************************************** + Set default for a field if it is empty +****************************************************************************/ + +static void set_default_on_empty(int field, uint32 value) +{ + if (account_policy_get(field, NULL)) + return; + account_policy_set(field, value); + return; +} /**************************************************************************** Open the account policy tdb. 
@@ -44,18 +56,38 @@ BOOL init_account_policy(void) /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); tdb_store_uint32(tdb, vstring, DATABASE_VERSION); - account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ - account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */ - account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */ - account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1); /* don't expire */ - account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */ - account_policy_set(AP_LOCK_ACCOUNT_DURATION, 30); /* lockout for 30 minutes */ - account_policy_set(AP_RESET_COUNT_TIME, 30); /* reset after 30 minutes */ - account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */ - account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */ + set_default_on_empty( + AP_MIN_PASSWORD_LEN, + MINPASSWDLENGTH);/* 5 chars minimum */ + set_default_on_empty( + AP_PASSWORD_HISTORY, + 0); /* don't keep any old password */ + set_default_on_empty( + AP_USER_MUST_LOGON_TO_CHG_PASS, + 0); /* don't force user to logon */ + set_default_on_empty( + AP_MAX_PASSWORD_AGE, + (uint32)-1); /* don't expire */ + set_default_on_empty( + AP_MIN_PASSWORD_AGE, + 0); /* 0 days */ + set_default_on_empty( + AP_LOCK_ACCOUNT_DURATION, + 30); /* lockout for 30 minutes */ + set_default_on_empty( + AP_RESET_COUNT_TIME, + 30); /* reset after 30 minutes */ + set_default_on_empty( + AP_BAD_ATTEMPT_LOCKOUT, + 0); /* don't lockout */ + set_default_on_empty( + AP_TIME_TO_LOGOUT, + -1); /* don't force logout */ + set_default_on_empty( + AP_REFUSE_MACHINE_PW_CHANGE, + 0); /* allow machine pw changes */ } tdb_unlock_bystring(tdb, vstring); 
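Review bot: In the upgrade branch the version key is written with `tdb_store_uint32(tdb, vstring, DATABASE_VERSION);` before any default is seeded, and neither that store nor the `set_default_on_empty()` calls (which return void) report failure. If one of the stores fails, the database is already stamped as current, so a later start skips this branch and the missing policy, minimum password length or the lockout settings for instance, stays absent, with account_policy_get() returning False for it. Moving the version store after the last `set_default_on_empty()` call, and doing it only when the defaults were written, would let the upgrade be retried. The `AP_TIME_TO_LOGOUT` call passes a bare `-1` where `AP_MAX_PASSWORD_AGE` uses `(uint32)-1`; the cast should be used in both places. The same block is re-added unchanged by the later r5349 revert hunk on this page.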
@@ -75,6 +107,7 @@ static const struct { {AP_RESET_COUNT_TIME, "reset count minutes"}, {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, {AP_TIME_TO_LOGOUT, "disconnect time"}, + {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"}, {0, NULL} }; @@ -138,21 +171,26 @@ int account_policy_name_to_fieldnum(const char *name) BOOL account_policy_get(int field, uint32 *value) { fstring name; + uint32 regval; if(!init_account_policy())return False; - *value = 0; + if (value) + *value = 0; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field)); return False; } - if (!tdb_fetch_uint32(tdb, name, value)) { + if (!tdb_fetch_uint32(tdb, name, ®val)) { DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name)); return False; } - DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); + if (value) + *value = regval; + + DEBUG(10,("account_policy_get: %s:%d\n", name, regval)); return True; } -- cgit From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 
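Review bot: In the second hunk, account_policy_get() now accepts a NULL `value` so that set_default_on_empty() can use it as a presence test, but the banner above the function appears to be empty and nothing records that contract. Suggested banner text: `Fetch an account policy value from the tdb. value may be NULL to test only whether the field is stored; returns False if the field is unknown or not present.` The final debug line prints `regval`, a uint32, with `%d`, so a stored `(uint32)-1` is logged as -1; `%u` would match the type.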
From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/lib/account_pol.c | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index c62396c22d..72d6e77ddd 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
@@ -20,10 +20,18 @@ */ #include "includes.h" -static TDB_CONTEXT *tdb; /* used for driver files */ +static TDB_CONTEXT *tdb; #define DATABASE_VERSION 2 +extern DOM_SID global_sid_World; +extern DOM_SID global_sid_Builtin_Administrators; +extern DOM_SID global_sid_Builtin_Account_Operators; +extern DOM_SID global_sid_Builtin_Server_Operators; +extern DOM_SID global_sid_Builtin_Print_Operators; +extern DOM_SID global_sid_Builtin_Backup_Operators; + + /**************************************************************************** Set default for a field if it is empty ****************************************************************************/ @@ -91,6 +99,15 @@ BOOL init_account_policy(void) } tdb_unlock_bystring(tdb, vstring); + /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ + + privilege_create_account( &global_sid_World ); + privilege_create_account( &global_sid_Builtin_Administrators ); + privilege_create_account( &global_sid_Builtin_Account_Operators ); + privilege_create_account( &global_sid_Builtin_Server_Operators ); + privilege_create_account( &global_sid_Builtin_Print_Operators ); + privilege_create_account( &global_sid_Builtin_Backup_Operators ); + return True; } @@ -218,3 +235,18 @@ BOOL account_policy_set(int field, uint32 value) return True; } + +/**************************************************************************** +****************************************************************************/ + +TDB_CONTEXT *get_account_pol_tdb( void ) +{ + + if ( !tdb ) { + if ( !init_account_policy() ) + return NULL; + } + + return tdb; +} + -- cgit From 6f56a5be2e7e9259f020dd20c37d79f8f95c3815 Mon Sep 17 00:00:00 2001 
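Review bot: The six `privilege_create_account()` calls added at the end of init_account_policy() discard whatever they return, so the function still reports True when one of the default privilege accounts could not be created. If the helper reports failure (its declaration is not visible here), a `DEBUG(0, ...)` per failed SID would at least make a partially initialised privilege store visible in the logs. Because of the `if (tdb) return True;` guard earlier in the function, outside this hunk, these calls run only on the first successful open in a process, so a failure is not retried.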
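Review bot: `get_account_pol_tdb()` in the last hunk is added under an empty banner and hands this file's static handle to callers, who can then store or delete keys without going through the field-name check in account_policy_set(). A short banner would record the intent, e.g. `Return the open account policy tdb, opening it if necessary; NULL on failure.` If the handle is meant to stay owned by this file, the banner should also say that callers must not close it.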
From: Jeremy Allison Date: Sat, 22 Jan 2005 01:22:39 +0000 Subject: r4917: Merge some of Derrell.Lipman@UnwiredUniverse.com obvious fixes. Added text explaining units in pdbedit time fields. Jeremy. (This used to be commit 3d09c15d8f06ad06fae362291a6c986f7b6107e6) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 72d6e77ddd..5997d9180a 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -118,8 +118,8 @@ static const struct { {AP_MIN_PASSWORD_LEN, "min password length"}, {AP_PASSWORD_HISTORY, "password history"}, {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, - {AP_MAX_PASSWORD_AGE, "maximum password age"}, - {AP_MIN_PASSWORD_AGE,"minimum password age"}, + {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"}, + {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"}, {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, {AP_RESET_COUNT_TIME, "reset count minutes"}, {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, -- cgit From b4afdc08d5336e4a337e453443d7af1d8655a31a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 22 Jan 2005 03:37:09 +0000 Subject: r4925: Migrate Account Policies to passdb (esp. replicating ldapsam). Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5) --- source3/lib/account_pol.c | 424 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 325 insertions(+), 99 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 5997d9180a..b81a9fe34d 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
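Review bot: The two strings changed in `account_policy_names[]` are not only display text: account_policy_get() and account_policy_set() copy the result of decode_account_policy_name() into `name` and pass it to `tdb_fetch_uint32()`/`tdb_store_uint32()` as the key, and that helper appears to return the `.string` member. Renaming them therefore makes values already stored under `maximum password age` and `minimum password age` unreachable, and since `DATABASE_VERSION` is not bumped here the defaults are not re-seeded either, so lookups of the password-age policies would fail on an existing database. Keeping the key strings stable and carrying the unit text in a separate description field avoids this; `(seconds since 1970)` also describes a timestamp rather than an age. The later r4925 and r5349 hunks on this page rename the same two keys again and have the same effect on databases written in between.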
@@ -3,6 +3,7 @@ * account policy storage * Copyright (C) Jean François Micouleau 1998-2001. * Copyright (C) Andrew Bartlett 2002 + * Copyright (C) Guenther Deschner 2004-2005 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -22,7 +23,14 @@ #include "includes.h" static TDB_CONTEXT *tdb; -#define DATABASE_VERSION 2 +/* cache all entries for 60 seconds for to save ldap-queries (cache is updated + * after this period if admins do not use pdbedit or usermanager but manipulate + * ldap directly) - gd */ + +#define DATABASE_VERSION 3 +#define AP_LASTSET "LAST_CACHE_UPDATE" +#define AP_MIGRATED "ACCOUNT POLICIES WERE MIGRATED TO PASSDB" +#define AP_TTL 60 extern DOM_SID global_sid_World; extern DOM_SID global_sid_Builtin_Administrators; 
@@ -32,100 +40,35 @@ extern DOM_SID global_sid_Builtin_Print_Operators; extern DOM_SID global_sid_Builtin_Backup_Operators; -/**************************************************************************** - Set default for a field if it is empty -****************************************************************************/ - -static void set_default_on_empty(int field, uint32 value) -{ - if (account_policy_get(field, NULL)) - return; - account_policy_set(field, value); - return; -} - -/**************************************************************************** - Open the account policy tdb. -****************************************************************************/ - -BOOL init_account_policy(void) -{ - const char *vstring = "INFO/version"; - uint32 version; - - if (tdb) - return True; - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - if (!tdb) { - DEBUG(0,("Failed to open account policy database\n")); - return False; - } - - /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring,0); - if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - tdb_store_uint32(tdb, vstring, DATABASE_VERSION); - - set_default_on_empty( - AP_MIN_PASSWORD_LEN, - MINPASSWDLENGTH);/* 5 chars minimum */ - set_default_on_empty( - AP_PASSWORD_HISTORY, - 0); /* don't keep any old password */ - set_default_on_empty( - AP_USER_MUST_LOGON_TO_CHG_PASS, - 0); /* don't force user to logon */ - set_default_on_empty( - AP_MAX_PASSWORD_AGE, - (uint32)-1); /* don't expire */ - set_default_on_empty( - AP_MIN_PASSWORD_AGE, - 0); /* 0 days */ - set_default_on_empty( - AP_LOCK_ACCOUNT_DURATION, - 30); /* lockout for 30 minutes */ - set_default_on_empty( - AP_RESET_COUNT_TIME, - 30); /* reset after 30 minutes */ - set_default_on_empty( - AP_BAD_ATTEMPT_LOCKOUT, - 0); /* don't lockout */ - set_default_on_empty( - AP_TIME_TO_LOGOUT, - -1); /* don't force logout */ - set_default_on_empty( - AP_REFUSE_MACHINE_PW_CHANGE, - 0); /* 
allow machine pw changes */ - } - tdb_unlock_bystring(tdb, vstring); - - /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ - - privilege_create_account( &global_sid_World ); - privilege_create_account( &global_sid_Builtin_Administrators ); - privilege_create_account( &global_sid_Builtin_Account_Operators ); - privilege_create_account( &global_sid_Builtin_Server_Operators ); - privilege_create_account( &global_sid_Builtin_Print_Operators ); - privilege_create_account( &global_sid_Builtin_Backup_Operators ); - - return True; -} - -static const struct { +struct ap_table { int field; const char *string; -} account_policy_names[] = { - {AP_MIN_PASSWORD_LEN, "min password length"}, - {AP_PASSWORD_HISTORY, "password history"}, - {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, - {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"}, - {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"}, - {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, - {AP_RESET_COUNT_TIME, "reset count minutes"}, - {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, - {AP_TIME_TO_LOGOUT, "disconnect time"}, - {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"}, - {0, NULL} + uint32 default_val; + const char *comment; +}; + +static const struct ap_table account_policy_names[] = { + {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, + "Minimal password length (default: 5)"}, + {AP_PASSWORD_HISTORY, "password history", 0, + "Length of Password History Entries (default: 0 => off)" }, + {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0, + "Force Users to logon for password change (default: 0 => off, 2 => on)"}, + {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32)-1, + "Maximum password age, in seconds (default: -1 => never expire passwords)"}, + {AP_MIN_PASSWORD_AGE,"minimum password age", 0, + "Minimal password age, in seconds (default: 0 => allow immediate password change)"}, + 
{AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30, + "Lockout duration in minutes (default: 30, -1 => forever)"}, + {AP_RESET_COUNT_TIME, "reset count minutes", 30, + "Reset time after lockout in minutes (default: 30)"}, + {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0, + "Lockout users after bad logon attempts (default: 0 => off)"}, + {AP_TIME_TO_LOGOUT, "disconnect time", -1, + "Disconnect Users outside logon hours (default: -1 => off, 0 => on)"}, + {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0, + "Allow Machine Password changes (default: 0 => off)"}, + {0, NULL, 0, ""} }; char *account_policy_names_list(void) @@ -156,7 +99,7 @@ char *account_policy_names_list(void) Get the account policy name as a string from its #define'ed number ****************************************************************************/ -static const char *decode_account_policy_name(int field) +const char *decode_account_policy_name(int field) { int i; for (i=0; account_policy_names[i].string; i++) { @@ -167,6 +110,21 @@ static const char *decode_account_policy_name(int field) } +/**************************************************************************** +Get the account policy comment as a string from its #define'ed number +****************************************************************************/ + +const char *account_policy_get_comment(int field) +{ + int i; + for (i=0; account_policy_names[i].string; i++) { + if (field == account_policy_names[i].field) + return account_policy_names[i].comment; + } + return NULL; + +} + /**************************************************************************** Get the account policy name as a string from its #define'ed number ****************************************************************************/ 
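Review bot: In the new `ap_table` initialiser the comment for `AP_REFUSE_MACHINE_PW_CHANGE` reads `Allow Machine Password changes (default: 0 => off)`, which says the opposite of what a zero in a "refuse" field means; `Refuse Machine Password changes (default: 0 => off)` would match the key. The `AP_TIME_TO_LOGOUT` default is a bare `-1` in a `uint32` member while `AP_MAX_PASSWORD_AGE` writes `(uint32)-1`; the cast should be used for both.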
@@ -182,15 +140,222 @@ int account_policy_name_to_fieldnum(const char *name) } -/**************************************************************************** -****************************************************************************/ +/***************************************************************************** +Update LAST-Set counter inside the cache +*****************************************************************************/ + +static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update) +{ + pstring key; + uint32 val = 0; + time_t now; + + slprintf(key, sizeof(key)-1, "%s", AP_LASTSET); + + if (!init_account_policy()) + return False; + + if (!tdb_fetch_uint32(tdb, key, &val) && !update) { + DEBUG(10,("failed to get last set timestamp of cache\n")); + return False; + } + + *value = val; + + DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val))); + + if (update) { + + now = time(NULL); + + if (!tdb_store_uint32(tdb, key, (uint32)now)) { + DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); + return False; + } + DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now))); + *value = now; + } + + return True; +} + +/***************************************************************************** +Get default value for account policy +*****************************************************************************/ + +BOOL account_policy_get_default(int account_policy, uint32 *val) +{ + int i; + for (i=0; account_policy_names[i].field; i++) { + if (account_policy_names[i].field == account_policy) { + *val = account_policy_names[i].default_val; + return True; + } + } + DEBUG(0,("no default for account_policy index %d found. 
This should never happen\n", + account_policy)); + return False; +} + +/***************************************************************************** + Set default for a field if it is empty +*****************************************************************************/ + +static BOOL account_policy_set_default_on_empty(int account_policy) +{ + + uint32 value; + + if (!account_policy_get(account_policy, &value) && + !account_policy_get_default(account_policy, &value)) { + return False; + } + + return account_policy_set(account_policy, value); +} + +/***************************************************************************** +Check migration success, set marker if required +*****************************************************************************/ + +static BOOL already_migrated_account_policies(BOOL store_migration_success) +{ + pstring key; + uint32 value; + + slprintf(key, sizeof(key)-1, "%s", AP_MIGRATED); + + if (tdb_fetch_uint32(tdb, key, &value)) { + return True; + } + + if (store_migration_success) { + + if (!tdb_store_uint32(tdb, key, 1)) { + DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); + return False; + } + return True; + } + + return False; +} + +/***************************************************************************** +Migrate account policies to passdb +*****************************************************************************/ + +static BOOL migrate_account_policy_names_to_passdb(void) +{ + int i, tmp_val; + BOOL got_pol; + + if (already_migrated_account_policies(False)) { + return True; + } + + DEBUG(1,("start migrating account policies into passdb\n")); + + for (i=1; decode_account_policy_name(i) != NULL; i++) { + + got_pol = False; + + if (pdb_get_account_policy(i, &tmp_val)) { + DEBUG(10,("account policy already in passdb\n")); + got_pol = True; + } + + if (!got_pol && !account_policy_get(i, &tmp_val)) { + DEBUG(0,("very weird: could not get value for account policy\n")); + return False; + } + + DEBUGADD(1,("\tmigrating 
account policy (#%d: %s with value: %d) to passdb\n", + i, (char *)decode_account_policy_name(i), tmp_val)); + + /* set policy via new passdb api */ + if (!pdb_set_account_policy(i, tmp_val)) { + DEBUG(0,("failed to set account_policy\n")); + return False; + } + + } + + if (!already_migrated_account_policies(True)) { + DEBUG(0,("could not store marker for account policy migration in the tdb\n")); + return False; + } + + DEBUGADD(1,("succesfully migrated account policies into passdb\n")); + + return True; +} + +/***************************************************************************** + Open the account policy tdb. +***`*************************************************************************/ + +BOOL init_account_policy(void) +{ + + const char *vstring = "INFO/version"; + uint32 version; + int i; + + if (tdb) + return True; + + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open account policy database\n")); + return False; + } + + /* handle a Samba upgrade */ + tdb_lock_bystring(tdb, vstring,0); + if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { + + tdb_store_uint32(tdb, vstring, DATABASE_VERSION); + + for (i=0; account_policy_names[i].field; i++) { + + if (!account_policy_set_default_on_empty(account_policy_names[i].field)) { + DEBUG(0,("failed to set default value in account policy tdb\n")); + return False; + } + } + } + + if (!migrate_account_policy_names_to_passdb()) { + DEBUG(0,("Could not migrate account policy tdb to passdb.\n")); + return False; + } + + tdb_unlock_bystring(tdb, vstring); + + /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ + + privilege_create_account( &global_sid_World ); + privilege_create_account( &global_sid_Builtin_Administrators ); + privilege_create_account( &global_sid_Builtin_Account_Operators ); + privilege_create_account( &global_sid_Builtin_Server_Operators ); + privilege_create_account( 
&global_sid_Builtin_Print_Operators ); + privilege_create_account( &global_sid_Builtin_Backup_Operators ); + + return True; +} + +/***************************************************************************** +Internal function +*****************************************************************************/ BOOL account_policy_get(int field, uint32 *value) { fstring name; uint32 regval; - if(!init_account_policy())return False; + if (!init_account_policy()) + return False; if (value) *value = 0; @@ -213,12 +378,15 @@ BOOL account_policy_get(int field, uint32 *value) /**************************************************************************** +Get an account policy from a (migrated tdb) ****************************************************************************/ + BOOL account_policy_set(int field, uint32 value) { fstring name; - if(!init_account_policy())return False; + if (!init_account_policy()) + return False; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { @@ -227,7 +395,7 @@ BOOL account_policy_set(int field, uint32 value) } if (!tdb_store_uint32(tdb, name, value)) { - DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value)); + DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value)); return False; } 
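Review bot: The rewritten init_account_policy() takes `tdb_lock_bystring(tdb, vstring,0)` and then has two `return False;` paths, after a failed account_policy_set_default_on_empty() and after a failed migrate_account_policy_names_to_passdb(), that leave without calling `tdb_unlock_bystring(tdb, vstring);`. On those paths the static `tdb` also stays non-NULL, so the next call hits `if (tdb) return True;` and reports success on a database whose defaults or migration did not complete. Each failure path should release the lock and drop the handle first: `tdb_unlock_bystring(tdb, vstring); tdb_close(tdb); tdb = NULL;`. Separately, migrate_account_policy_names_to_passdb() declares `int i, tmp_val;` and passes `&tmp_val` to account_policy_get(), whose parameter is `uint32 *`; declaring `uint32 tmp_val;` would match.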
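Review bot: The banner added above account_policy_set() says `Get an account policy from a (migrated tdb)`, but the function stores a value; the text looks as if it was meant for account_policy_get(), which received `Internal function` in the previous hunk. Suggested banners: `Set an account policy in the tdb` here and `Get an account policy from the tdb` above account_policy_get().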
@@ -236,6 +404,64 @@ BOOL account_policy_set(int field, uint32 value) return True; } +/**************************************************************************** +Set an account policy in the cache +****************************************************************************/ + +BOOL cache_account_policy_set(int field, uint32 value) +{ + uint32 lastset, i; + + for (i=0; account_policy_names[i].field; i++) { + + if (account_policy_names[i].field == field) { + + DEBUG(10,("cache_account_policy_set: updating account pol cache\n")); + + if (!account_policy_set(field, value)) { + return False; + } + + if (!account_policy_cache_timestamp(&lastset, True)) { + DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n")); + return False; + } + + DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL))); + } + } + + return True; +} + +/***************************************************************************** +Get an account policy from the cache +*****************************************************************************/ + +BOOL cache_account_policy_get(int field, uint32 *value) +{ + uint32 lastset, i; + + if (!account_policy_cache_timestamp(&lastset, False)) { + DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n")); + return False; + } + + if ((lastset + AP_TTL) < (uint32)time(NULL) ) { + DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n")); + return False; + } + + for (i=0; account_policy_names[i].field; i++) { + if (account_policy_names[i].field == field) { + return account_policy_get(field, value); + } + } + + return False; +} + + /**************************************************************************** ****************************************************************************/ -- cgit From 2c5e65dd5fac6677958386e43658528157d4227c Mon Sep 17 00:00:00 2001 
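Review bot: cache_account_policy_set() falls out of its loop and returns True when `field` matches no entry in `account_policy_names[]`, so a caller cannot tell an ignored write from a stored one, whereas cache_account_policy_get() returns False in the same situation. Returning from inside the match and ending the function with `return False;` would make the two agree. Both functions also share the single `AP_LASTSET` timestamp, so setting one field appears to extend the 60-second validity of every other cached field; if per-field freshness is intended, the timestamp key needs to include the field name. `i` is declared `uint32` alongside `lastset` but is only an array index, where the other loops in this file use `int`.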
From: Günther Deschner Date: Fri, 4 Feb 2005 23:01:52 +0000 Subject: r5235: Fix compile warning. (This used to be commit 00b5990617b341b1fe7863552acb02e30cd022e5) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index b81a9fe34d..f6e3943993 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -271,7 +271,7 @@ static BOOL migrate_account_policy_names_to_passdb(void) } DEBUGADD(1,("\tmigrating account policy (#%d: %s with value: %d) to passdb\n", - i, (char *)decode_account_policy_name(i), tmp_val)); + i, decode_account_policy_name(i), tmp_val)); /* set policy via new passdb api */ if (!pdb_set_account_policy(i, tmp_val)) { -- cgit From 6c84ecb55657ae28eb739a72164f6d7251dc627f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 12 Feb 2005 00:51:31 +0000 Subject: r5349: After talking with Jerry, reverted the addition of account policies to passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1) --- source3/lib/account_pol.c | 424 +++++++++++----------------------------------- 1 file changed, 99 insertions(+), 325 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index f6e3943993..5997d9180a 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -3,7 +3,6 @@ * account policy storage * Copyright (C) Jean François Micouleau 1998-2001. * Copyright (C) Andrew Bartlett 2002 - * Copyright (C) Guenther Deschner 2004-2005 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -23,14 +22,7 @@ #include "includes.h" static TDB_CONTEXT *tdb; -/* cache all entries for 60 seconds for to save ldap-queries (cache is updated - * after this period if admins do not use pdbedit or usermanager but manipulate - * ldap directly) - gd */ - -#define DATABASE_VERSION 3 -#define AP_LASTSET "LAST_CACHE_UPDATE" -#define AP_MIGRATED "ACCOUNT POLICIES WERE MIGRATED TO PASSDB" -#define AP_TTL 60 +#define DATABASE_VERSION 2 extern DOM_SID global_sid_World; extern DOM_SID global_sid_Builtin_Administrators; 
@@ -40,35 +32,100 @@ extern DOM_SID global_sid_Builtin_Print_Operators; extern DOM_SID global_sid_Builtin_Backup_Operators; -struct ap_table { +/**************************************************************************** + Set default for a field if it is empty +****************************************************************************/ + +static void set_default_on_empty(int field, uint32 value) +{ + if (account_policy_get(field, NULL)) + return; + account_policy_set(field, value); + return; +} + +/**************************************************************************** + Open the account policy tdb. +****************************************************************************/ + +BOOL init_account_policy(void) +{ + const char *vstring = "INFO/version"; + uint32 version; + + if (tdb) + return True; + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open account policy database\n")); + return False; + } + + /* handle a Samba upgrade */ + tdb_lock_bystring(tdb, vstring,0); + if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { + tdb_store_uint32(tdb, vstring, DATABASE_VERSION); + + set_default_on_empty( + AP_MIN_PASSWORD_LEN, + MINPASSWDLENGTH);/* 5 chars minimum */ + set_default_on_empty( + AP_PASSWORD_HISTORY, + 0); /* don't keep any old password */ + set_default_on_empty( + AP_USER_MUST_LOGON_TO_CHG_PASS, + 0); /* don't force user to logon */ + set_default_on_empty( + AP_MAX_PASSWORD_AGE, + (uint32)-1); /* don't expire */ + set_default_on_empty( + AP_MIN_PASSWORD_AGE, + 0); /* 0 days */ + set_default_on_empty( + AP_LOCK_ACCOUNT_DURATION, + 30); /* lockout for 30 minutes */ + set_default_on_empty( + AP_RESET_COUNT_TIME, + 30); /* reset after 30 minutes */ + set_default_on_empty( + AP_BAD_ATTEMPT_LOCKOUT, + 0); /* don't lockout */ + set_default_on_empty( + AP_TIME_TO_LOGOUT, + -1); /* don't force logout */ + set_default_on_empty( + 
AP_REFUSE_MACHINE_PW_CHANGE, + 0); /* allow machine pw changes */ + } + tdb_unlock_bystring(tdb, vstring); + + /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ + + privilege_create_account( &global_sid_World ); + privilege_create_account( &global_sid_Builtin_Administrators ); + privilege_create_account( &global_sid_Builtin_Account_Operators ); + privilege_create_account( &global_sid_Builtin_Server_Operators ); + privilege_create_account( &global_sid_Builtin_Print_Operators ); + privilege_create_account( &global_sid_Builtin_Backup_Operators ); + + return True; +} + +static const struct { int field; const char *string; - uint32 default_val; - const char *comment; -}; - -static const struct ap_table account_policy_names[] = { - {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, - "Minimal password length (default: 5)"}, - {AP_PASSWORD_HISTORY, "password history", 0, - "Length of Password History Entries (default: 0 => off)" }, - {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0, - "Force Users to logon for password change (default: 0 => off, 2 => on)"}, - {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32)-1, - "Maximum password age, in seconds (default: -1 => never expire passwords)"}, - {AP_MIN_PASSWORD_AGE,"minimum password age", 0, - "Minimal password age, in seconds (default: 0 => allow immediate password change)"}, - {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30, - "Lockout duration in minutes (default: 30, -1 => forever)"}, - {AP_RESET_COUNT_TIME, "reset count minutes", 30, - "Reset time after lockout in minutes (default: 30)"}, - {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0, - "Lockout users after bad logon attempts (default: 0 => off)"}, - {AP_TIME_TO_LOGOUT, "disconnect time", -1, - "Disconnect Users outside logon hours (default: -1 => off, 0 => on)"}, - {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0, - "Allow Machine Password changes (default: 0 => off)"}, - {0, NULL, 0, 
""} +} account_policy_names[] = { + {AP_MIN_PASSWORD_LEN, "min password length"}, + {AP_PASSWORD_HISTORY, "password history"}, + {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, + {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"}, + {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"}, + {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, + {AP_RESET_COUNT_TIME, "reset count minutes"}, + {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, + {AP_TIME_TO_LOGOUT, "disconnect time"}, + {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"}, + {0, NULL} }; char *account_policy_names_list(void) @@ -99,7 +156,7 @@ char *account_policy_names_list(void) Get the account policy name as a string from its #define'ed number ****************************************************************************/ -const char *decode_account_policy_name(int field) +static const char *decode_account_policy_name(int field) { int i; for (i=0; account_policy_names[i].string; i++) { @@ -110,21 +167,6 @@ const char *decode_account_policy_name(int field) } -/**************************************************************************** -Get the account policy comment as a string from its #define'ed number -****************************************************************************/ - -const char *account_policy_get_comment(int field) -{ - int i; - for (i=0; account_policy_names[i].string; i++) { - if (field == account_policy_names[i].field) - return account_policy_names[i].comment; - } - return NULL; - -} - /**************************************************************************** Get the account policy name as a string from its #define'ed number ****************************************************************************/ 
@@ -140,222 +182,15 @@ int account_policy_name_to_fieldnum(const char *name) } -/***************************************************************************** -Update LAST-Set counter inside the cache -*****************************************************************************/ - -static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update) -{ - pstring key; - uint32 val = 0; - time_t now; - - slprintf(key, sizeof(key)-1, "%s", AP_LASTSET); - - if (!init_account_policy()) - return False; - - if (!tdb_fetch_uint32(tdb, key, &val) && !update) { - DEBUG(10,("failed to get last set timestamp of cache\n")); - return False; - } - - *value = val; - - DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val))); - - if (update) { - - now = time(NULL); - - if (!tdb_store_uint32(tdb, key, (uint32)now)) { - DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); - return False; - } - DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now))); - *value = now; - } - - return True; -} - -/***************************************************************************** -Get default value for account policy -*****************************************************************************/ - -BOOL account_policy_get_default(int account_policy, uint32 *val) -{ - int i; - for (i=0; account_policy_names[i].field; i++) { - if (account_policy_names[i].field == account_policy) { - *val = account_policy_names[i].default_val; - return True; - } - } - DEBUG(0,("no default for account_policy index %d found. 
This should never happen\n", - account_policy)); - return False; -} - -/***************************************************************************** - Set default for a field if it is empty -*****************************************************************************/ - -static BOOL account_policy_set_default_on_empty(int account_policy) -{ - - uint32 value; - - if (!account_policy_get(account_policy, &value) && - !account_policy_get_default(account_policy, &value)) { - return False; - } - - return account_policy_set(account_policy, value); -} - -/***************************************************************************** -Check migration success, set marker if required -*****************************************************************************/ - -static BOOL already_migrated_account_policies(BOOL store_migration_success) -{ - pstring key; - uint32 value; - - slprintf(key, sizeof(key)-1, "%s", AP_MIGRATED); - - if (tdb_fetch_uint32(tdb, key, &value)) { - return True; - } - - if (store_migration_success) { - - if (!tdb_store_uint32(tdb, key, 1)) { - DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); - return False; - } - return True; - } - - return False; -} - -/***************************************************************************** -Migrate account policies to passdb -*****************************************************************************/ - -static BOOL migrate_account_policy_names_to_passdb(void) -{ - int i, tmp_val; - BOOL got_pol; - - if (already_migrated_account_policies(False)) { - return True; - } - - DEBUG(1,("start migrating account policies into passdb\n")); - - for (i=1; decode_account_policy_name(i) != NULL; i++) { - - got_pol = False; - - if (pdb_get_account_policy(i, &tmp_val)) { - DEBUG(10,("account policy already in passdb\n")); - got_pol = True; - } - - if (!got_pol && !account_policy_get(i, &tmp_val)) { - DEBUG(0,("very weird: could not get value for account policy\n")); - return False; - } - - DEBUGADD(1,("\tmigrating 
account policy (#%d: %s with value: %d) to passdb\n", - i, decode_account_policy_name(i), tmp_val)); - - /* set policy via new passdb api */ - if (!pdb_set_account_policy(i, tmp_val)) { - DEBUG(0,("failed to set account_policy\n")); - return False; - } - - } - - if (!already_migrated_account_policies(True)) { - DEBUG(0,("could not store marker for account policy migration in the tdb\n")); - return False; - } - - DEBUGADD(1,("succesfully migrated account policies into passdb\n")); - - return True; -} - -/***************************************************************************** - Open the account policy tdb. -***`*************************************************************************/ - -BOOL init_account_policy(void) -{ - - const char *vstring = "INFO/version"; - uint32 version; - int i; - - if (tdb) - return True; - - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - if (!tdb) { - DEBUG(0,("Failed to open account policy database\n")); - return False; - } - - /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring,0); - if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - - tdb_store_uint32(tdb, vstring, DATABASE_VERSION); - - for (i=0; account_policy_names[i].field; i++) { - - if (!account_policy_set_default_on_empty(account_policy_names[i].field)) { - DEBUG(0,("failed to set default value in account policy tdb\n")); - return False; - } - } - } - - if (!migrate_account_policy_names_to_passdb()) { - DEBUG(0,("Could not migrate account policy tdb to passdb.\n")); - return False; - } - - tdb_unlock_bystring(tdb, vstring); - - /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ - - privilege_create_account( &global_sid_World ); - privilege_create_account( &global_sid_Builtin_Administrators ); - privilege_create_account( &global_sid_Builtin_Account_Operators ); - privilege_create_account( &global_sid_Builtin_Server_Operators ); - privilege_create_account( 
&global_sid_Builtin_Print_Operators ); - privilege_create_account( &global_sid_Builtin_Backup_Operators ); - - return True; -} - -/***************************************************************************** -Internal function -*****************************************************************************/ +/**************************************************************************** +****************************************************************************/ BOOL account_policy_get(int field, uint32 *value) { fstring name; uint32 regval; - if (!init_account_policy()) - return False; + if(!init_account_policy())return False; if (value) *value = 0; @@ -378,15 +213,12 @@ BOOL account_policy_get(int field, uint32 *value) /**************************************************************************** -Get an account policy from a (migrated tdb) ****************************************************************************/ - BOOL account_policy_set(int field, uint32 value) { fstring name; - if (!init_account_policy()) - return False; + if(!init_account_policy())return False; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { @@ -395,7 +227,7 @@ BOOL account_policy_set(int field, uint32 value) } if (!tdb_store_uint32(tdb, name, value)) { - DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value)); + DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value)); return False; } 
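Review bot: The banner above account_policy_get is left as two empty rule lines, and the same happens above account_policy_set in the @@ -378 hunk, so neither function says what it reads or writes. I would fill them with `Get an account policy (from tdb)` and `Set an account policy (in tdb)`. Both hunks also collapse the guard to `if(!init_account_policy())return False;`; keeping `return False;` on its own line makes the early exit on a failed database open harder to overlook. Both function bodies continue outside their hunks.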
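Review bot: The replacement DEBUG string in account_policy_set (hunk @@ -395) ends without `\n`, so the record of a failed policy write runs into whatever is logged next. Keep the terminator: `DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));`. The function body extends outside the hunk.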
@@ -404,64 +236,6 @@ BOOL account_policy_set(int field, uint32 value) return True; } -/**************************************************************************** -Set an account policy in the cache -****************************************************************************/ - -BOOL cache_account_policy_set(int field, uint32 value) -{ - uint32 lastset, i; - - for (i=0; account_policy_names[i].field; i++) { - - if (account_policy_names[i].field == field) { - - DEBUG(10,("cache_account_policy_set: updating account pol cache\n")); - - if (!account_policy_set(field, value)) { - return False; - } - - if (!account_policy_cache_timestamp(&lastset, True)) { - DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n")); - return False; - } - - DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL))); - } - } - - return True; -} - -/***************************************************************************** -Get an account policy from the cache -*****************************************************************************/ - -BOOL cache_account_policy_get(int field, uint32 *value) -{ - uint32 lastset, i; - - if (!account_policy_cache_timestamp(&lastset, False)) { - DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n")); - return False; - } - - if ((lastset + AP_TTL) < (uint32)time(NULL) ) { - DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n")); - return False; - } - - for (i=0; account_policy_names[i].field; i++) { - if (account_policy_names[i].field == field) { - return account_policy_get(field, value); - } - } - - return False; -} - - /**************************************************************************** ****************************************************************************/ -- cgit From 0f535e3e5b2e3fa0ce107fb4253bc1e0ec19b674 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Fri, 1 Apr 2005 13:12:51 +0000 Subject: r6166: Derell, I'm reverting this part of -r4917 because it modifies the keys to search in tdbs in a way that is not upgrade-safe and somewhat weird to use: Users have to modify policies like pdbedit -P "maximum password policies (seconds since 1970)" The value-description should better go into the manpage. Guenther (This used to be commit f46c0c12274cd0bf1c24bc2d1d708b2960433195) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 5997d9180a..72d6e77ddd 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -118,8 +118,8 @@ static const struct { {AP_MIN_PASSWORD_LEN, "min password length"}, {AP_PASSWORD_HISTORY, "password history"}, {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, - {AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"}, - {AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"}, + {AP_MAX_PASSWORD_AGE, "maximum password age"}, + {AP_MIN_PASSWORD_AGE,"minimum password age"}, {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, {AP_RESET_COUNT_TIME, "reset count minutes"}, {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, -- cgit From 83e11ba86c2401ece3c845fd10c22b84e6be7811 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 9 Apr 2005 11:46:40 +0000 Subject: r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) --- source3/lib/account_pol.c | 8 -------- 1 file changed, 8 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 72d6e77ddd..423dc1675a 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
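Review bot: The two key strings change back to `"maximum password age"` and `"minimum password age"` without a DATABASE_VERSION bump or a copy of existing values. A tdb written while the longer names were in use would presumably keep its password-age settings under keys that are no longer looked up. If the lookup then fails, callers would see no stored maximum or minimum password age rather than the configured one. I would either bump DATABASE_VERSION so the upgrade path re-seeds these fields, or fetch the old key names once at init and store their values under the short names. The version constant and the upgrade code lie outside this hunk, so this needs checking against them.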
@@ -24,14 +24,6 @@ static TDB_CONTEXT *tdb; #define DATABASE_VERSION 2 -extern DOM_SID global_sid_World; -extern DOM_SID global_sid_Builtin_Administrators; -extern DOM_SID global_sid_Builtin_Account_Operators; -extern DOM_SID global_sid_Builtin_Server_Operators; -extern DOM_SID global_sid_Builtin_Print_Operators; -extern DOM_SID global_sid_Builtin_Backup_Operators; - - /**************************************************************************** Set default for a field if it is empty ****************************************************************************/ -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/lib/account_pol.c | 372 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 275 insertions(+), 97 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 423dc1675a..b02edc5b40 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -3,6 +3,7 @@ * account policy storage * Copyright (C) Jean François Micouleau 1998-2001. * Copyright (C) Andrew Bartlett 2002 + * Copyright (C) Guenther Deschner 2004-2005 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -22,102 +23,65 @@ #include "includes.h" static TDB_CONTEXT *tdb; -#define DATABASE_VERSION 2 +/* cache all entries for 60 seconds for to save ldap-queries (cache is updated + * after this period if admins do not use pdbedit or usermanager but manipulate + * ldap directly) - gd */ -/**************************************************************************** - Set default for a field if it is empty -****************************************************************************/ - -static void set_default_on_empty(int field, uint32 value) -{ - if (account_policy_get(field, NULL)) - return; - account_policy_set(field, value); - return; -} +#define DATABASE_VERSION 3 +#define AP_LASTSET "LAST_CACHE_UPDATE" +#define AP_TTL 60 -/**************************************************************************** - Open the account policy tdb. -****************************************************************************/ -BOOL init_account_policy(void) -{ - const char *vstring = "INFO/version"; - uint32 version; +struct ap_table { + int field; + const char *string; + uint32 default_val; + const char *description; + const char *ldap_attr; +}; - if (tdb) - return True; - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - if (!tdb) { - DEBUG(0,("Failed to open account policy database\n")); - return False; - } +static const struct ap_table account_policy_names[] = { + {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, + "Minimal password length (default: 5)", + "sambaMinPwdLength" }, - /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring,0); - if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - tdb_store_uint32(tdb, vstring, DATABASE_VERSION); + {AP_PASSWORD_HISTORY, "password history", 0, + "Length of Password History Entries (default: 0 => off)", + "sambaPwdHistoryLength" }, - set_default_on_empty( - AP_MIN_PASSWORD_LEN, - MINPASSWDLENGTH);/* 5 chars minimum */ - set_default_on_empty( - 
AP_PASSWORD_HISTORY, - 0); /* don't keep any old password */ - set_default_on_empty( - AP_USER_MUST_LOGON_TO_CHG_PASS, - 0); /* don't force user to logon */ - set_default_on_empty( - AP_MAX_PASSWORD_AGE, - (uint32)-1); /* don't expire */ - set_default_on_empty( - AP_MIN_PASSWORD_AGE, - 0); /* 0 days */ - set_default_on_empty( - AP_LOCK_ACCOUNT_DURATION, - 30); /* lockout for 30 minutes */ - set_default_on_empty( - AP_RESET_COUNT_TIME, - 30); /* reset after 30 minutes */ - set_default_on_empty( - AP_BAD_ATTEMPT_LOCKOUT, - 0); /* don't lockout */ - set_default_on_empty( - AP_TIME_TO_LOGOUT, - -1); /* don't force logout */ - set_default_on_empty( - AP_REFUSE_MACHINE_PW_CHANGE, - 0); /* allow machine pw changes */ - } - tdb_unlock_bystring(tdb, vstring); - - /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ - - privilege_create_account( &global_sid_World ); - privilege_create_account( &global_sid_Builtin_Administrators ); - privilege_create_account( &global_sid_Builtin_Account_Operators ); - privilege_create_account( &global_sid_Builtin_Server_Operators ); - privilege_create_account( &global_sid_Builtin_Print_Operators ); - privilege_create_account( &global_sid_Builtin_Backup_Operators ); + {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0, + "Force Users to logon for password change (default: 0 => off, 2 => on)", + "sambaLogonToChgPwd" }, - return True; -} - -static const struct { - int field; - const char *string; -} account_policy_names[] = { - {AP_MIN_PASSWORD_LEN, "min password length"}, - {AP_PASSWORD_HISTORY, "password history"}, - {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"}, - {AP_MAX_PASSWORD_AGE, "maximum password age"}, - {AP_MIN_PASSWORD_AGE,"minimum password age"}, - {AP_LOCK_ACCOUNT_DURATION, "lockout duration"}, - {AP_RESET_COUNT_TIME, "reset count minutes"}, - {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, - {AP_TIME_TO_LOGOUT, "disconnect time"}, - {AP_REFUSE_MACHINE_PW_CHANGE, 
"refuse machine password change"}, - {0, NULL} + {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1, + "Maximum password age, in seconds (default: -1 => never expire passwords)", + "sambaMaxPwdAge" }, + + {AP_MIN_PASSWORD_AGE,"minimum password age", 0, + "Minimal password age, in seconds (default: 0 => allow immediate password change)", + "sambaMinPwdAge" }, + + {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30, + "Lockout duration in minutes (default: 30, -1 => forever)", + "sambaLockoutDuration" }, + + {AP_RESET_COUNT_TIME, "reset count minutes", 30, + "Reset time after lockout in minutes (default: 30)", + "sambaLockoutObservationWindow" }, + + {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0, + "Lockout users after bad logon attempts (default: 0 => off)", + "sambaLockoutThreshold" }, + + {AP_TIME_TO_LOGOUT, "disconnect time", -1, + "Disconnect Users outside logon hours (default: -1 => off, 0 => on)", + "sambaForceLogoff" }, + + {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0, + "Allow Machine Password changes (default: 0 => off)", + "sambaRefuseMachinePwdChange" }, + + {0, NULL, 0, "", NULL} }; char *account_policy_names_list(void) @@ -148,7 +112,7 @@ char *account_policy_names_list(void) Get the account policy name as a string from its #define'ed number ****************************************************************************/ -static const char *decode_account_policy_name(int field) +const char *decode_account_policy_name(int field) { int i; for (i=0; account_policy_names[i].string; i++) { 
@@ -156,7 +120,34 @@ static const char *decode_account_policy_name(int field) return account_policy_names[i].string; } return NULL; +} + +/**************************************************************************** +Get the account policy LDAP attribute as a string from its #define'ed number +****************************************************************************/ +const char *get_account_policy_attr(int field) +{ + int i; + for (i=0; account_policy_names[i].field; i++) { + if (field == account_policy_names[i].field) + return account_policy_names[i].ldap_attr; + } + return NULL; +} + +/**************************************************************************** +Get the account policy description as a string from its #define'ed number +****************************************************************************/ + +const char *account_policy_get_desc(int field) +{ + int i; + for (i=0; account_policy_names[i].string; i++) { + if (field == account_policy_names[i].field) + return account_policy_names[i].description; + } + return NULL; } /**************************************************************************** 
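Review bot: Neither new accessor documents that it returns NULL for an unknown field, and the two loops stop on different sentinels. get_account_policy_attr tests `account_policy_names[i].field` while account_policy_get_desc tests `account_policy_names[i].string`. The table terminator is not visible in this hunk, so both presumably end on the same row, but a single sentinel avoids walking past the table if an entry ever has a zero field. I would add `Returns NULL if the field is not a known account policy.` to both banners and loop on `.string` in both, matching decode_account_policy_name.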
@@ -171,18 +162,146 @@ int account_policy_name_to_fieldnum(const char *name) return account_policy_names[i].field; } return 0; +} + +/***************************************************************************** +Update LAST-Set counter inside the cache +*****************************************************************************/ + +static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update, + const char *ap_name) +{ + pstring key; + uint32 val = 0; + time_t now; + + if (ap_name == NULL) + return False; + + slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET); + + if (!init_account_policy()) + return False; + + if (!tdb_fetch_uint32(tdb, key, &val) && !update) { + DEBUG(10,("failed to get last set timestamp of cache\n")); + return False; + } + + *value = val; + + DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val))); + + if (update) { + + now = time(NULL); + if (!tdb_store_uint32(tdb, key, (uint32)now)) { + DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); + return False; + } + DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now))); + *value = now; + } + + return True; } -/**************************************************************************** -****************************************************************************/ +/***************************************************************************** +Get default value for account policy +*****************************************************************************/ + +BOOL account_policy_get_default(int account_policy, uint32 *val) +{ + int i; + for (i=0; account_policy_names[i].field; i++) { + if (account_policy_names[i].field == account_policy) { + *val = account_policy_names[i].default_val; + return True; + } + } + DEBUG(0,("no default for account_policy index %d found. 
This should never happen\n", + account_policy)); + return False; +} + +/***************************************************************************** + Set default for a field if it is empty +*****************************************************************************/ + +static BOOL account_policy_set_default_on_empty(int account_policy) +{ + + uint32 value; + + if (!account_policy_get(account_policy, &value) && + !account_policy_get_default(account_policy, &value)) { + return False; + } + + return account_policy_set(account_policy, value); +} + +/***************************************************************************** + Open the account policy tdb. +***`*************************************************************************/ + +BOOL init_account_policy(void) +{ + + const char *vstring = "INFO/version"; + uint32 version; + int i; + + if (tdb) + return True; + + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open account policy database\n")); + return False; + } + + /* handle a Samba upgrade */ + tdb_lock_bystring(tdb, vstring,0); + if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { + + tdb_store_uint32(tdb, vstring, DATABASE_VERSION); + + for (i=0; account_policy_names[i].field; i++) { + + if (!account_policy_set_default_on_empty(account_policy_names[i].field)) { + DEBUG(0,("failed to set default value in account policy tdb\n")); + return False; + } + } + } + + tdb_unlock_bystring(tdb, vstring); + + /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ + + privilege_create_account( &global_sid_World ); + privilege_create_account( &global_sid_Builtin_Administrators ); + privilege_create_account( &global_sid_Builtin_Account_Operators ); + privilege_create_account( &global_sid_Builtin_Server_Operators ); + privilege_create_account( &global_sid_Builtin_Print_Operators ); + privilege_create_account( &global_sid_Builtin_Backup_Operators 
); + + return True; +} + +/***************************************************************************** +Get an account policy (from tdb) +*****************************************************************************/ BOOL account_policy_get(int field, uint32 *value) { fstring name; uint32 regval; - if(!init_account_policy())return False; + if (!init_account_policy()) + return False; if (value) *value = 0; @@ -199,18 +318,21 @@ BOOL account_policy_get(int field, uint32 *value) if (value) *value = regval; - DEBUG(10,("account_policy_get: %s:%d\n", name, regval)); + DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval)); return True; } /**************************************************************************** +Set an account policy (in tdb) ****************************************************************************/ + BOOL account_policy_set(int field, uint32 value) { fstring name; - if(!init_account_policy())return False; + if (!init_account_policy()) + return False; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { 
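Review bot: In the added init_account_policy, the `return False;` inside the defaults loop exits while the `vstring` lock taken by `tdb_lock_bystring(tdb, vstring,0);` is still held, and the static `tdb` stays set. A later call in the same process then passes `if (tdb) return True;` and reports success on a database whose defaults were only partly written, which matters for the lockout and password-age fields. Add `tdb_unlock_bystring(tdb, vstring);` before that `return False;`, and consider closing the handle and resetting `tdb = NULL` on this path so the next call retries. The return value of tdb_lock_bystring is also ignored, so the version check may run without the lock.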
@@ -219,15 +341,71 @@ BOOL account_policy_set(int field, uint32 value) } if (!tdb_store_uint32(tdb, name, value)) { - DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value)); + DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value)); return False; } - DEBUG(10,("account_policy_set: %s:%d\n", name, value)); + DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value)); return True; } +/**************************************************************************** +Set an account policy in the cache +****************************************************************************/ + +BOOL cache_account_policy_set(int field, uint32 value) +{ + uint32 lastset; + const char *policy_name = NULL; + + policy_name = decode_account_policy_name(field); + if (policy_name == NULL) { + DEBUG(0,("cache_account_policy_set: no policy found\n")); + return False; + } + + DEBUG(10,("cache_account_policy_set: updating account pol cache\n")); + + if (!account_policy_set(field, value)) { + return False; + } + + if (!account_policy_cache_timestamp(&lastset, True, policy_name)) + { + DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n")); + return False; + } + + DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL))); + + return True; +} + +/***************************************************************************** +Get an account policy from the cache +*****************************************************************************/ + +BOOL cache_account_policy_get(int field, uint32 *value) +{ + uint32 lastset; + + if (!account_policy_cache_timestamp(&lastset, False, + decode_account_policy_name(field))) + { + DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n")); + return False; + } + + if ((lastset + AP_TTL) < (uint32)time(NULL) ) { + DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n")); + 
return False; + } + + return account_policy_get(field, value); +} + + /**************************************************************************** ****************************************************************************/ -- cgit From 5ac6b21f097b87657c4a3d2a3b4e32d091833d22 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 20 Dec 2005 15:10:41 +0000 Subject: r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151) --- source3/lib/account_pol.c | 85 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 73 insertions(+), 12 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index b02edc5b40..75a1d62ee7 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -73,7 +73,7 @@ static const struct ap_table account_policy_names[] = { "Lockout users after bad logon attempts (default: 0 => off)", "sambaLockoutThreshold" }, - {AP_TIME_TO_LOGOUT, "disconnect time", -1, + {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1, "Disconnect Users outside logon hours (default: -1 => off, 0 => on)", "sambaForceLogoff" }, @@ -116,8 +116,9 @@ const char *decode_account_policy_name(int field) { int i; for (i=0; account_policy_names[i].string; i++) { - if (field == account_policy_names[i].field) + if (field == account_policy_names[i].field) { return account_policy_names[i].string; + } } return NULL; } @@ -130,8 +131,9 @@ const char *get_account_policy_attr(int field) { int i; for (i=0; account_policy_names[i].field; i++) { - if (field == account_policy_names[i].field) + if (field == account_policy_names[i].field) { return account_policy_names[i].ldap_attr; + } } return NULL; } 
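Review bot: cache_account_policy_get returns False for a missing timestamp, for an expired entry and for a failed read, and its banner does not say what a caller should do with that result. I would extend the comment to `Get an account policy from the cache; returns False when the entry is missing or older than AP_TTL seconds, in which case the caller has to ask the backend`. In cache_account_policy_set the value is stored before the timestamp is updated, so a failed timestamp write returns False although the new value is already in the tdb; its banner should say so. The failure message there also reads "failed to get lastest cache update timestamp" on what is an update path.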
@@ -144,8 +146,9 @@ const char *account_policy_get_desc(int field) { int i; for (i=0; account_policy_names[i].string; i++) { - if (field == account_policy_names[i].field) + if (field == account_policy_names[i].field) { return account_policy_names[i].description; + } } return NULL; } @@ -158,8 +161,9 @@ int account_policy_name_to_fieldnum(const char *name) { int i; for (i=0; account_policy_names[i].string; i++) { - if (strcmp(name, account_policy_names[i].string) == 0) + if (strcmp(name, account_policy_names[i].string) == 0) { return account_policy_names[i].field; + } } return 0; } @@ -180,8 +184,9 @@ static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update, slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET); - if (!init_account_policy()) + if (!init_account_policy()) { return False; + } if (!tdb_fetch_uint32(tdb, key, &val) && !update) { DEBUG(10,("failed to get last set timestamp of cache\n")); @@ -253,8 +258,9 @@ BOOL init_account_policy(void) uint32 version; int i; - if (tdb) + if (tdb) { return True; + } tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { @@ -300,23 +306,28 @@ BOOL account_policy_get(int field, uint32 *value) fstring name; uint32 regval; - if (!init_account_policy()) + if (!init_account_policy()) { return False; + } - if (value) + if (value) { *value = 0; + } fstrcpy(name, decode_account_policy_name(field)); if (!*name) { DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field)); return False; } + if (!tdb_fetch_uint32(tdb, name, ®val)) { DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name)); return False; } - if (value) + + if (value) { *value = regval; + } DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval)); return True; 
@@ -331,8 +342,9 @@ BOOL account_policy_set(int field, uint32 value) { fstring name; - if (!init_account_policy()) + if (!init_account_policy()) { return False; + } fstrcpy(name, decode_account_policy_name(field)); if (!*name) { @@ -382,6 +394,54 @@ BOOL cache_account_policy_set(int field, uint32 value) return True; } +/***************************************************************************** +Check whether account policies have been migrated to passdb +*****************************************************************************/ + +BOOL account_policy_migrated(BOOL init) +{ + pstring key; + uint32 val; + time_t now; + + slprintf(key, sizeof(key)-1, "AP_MIGRATED_TO_PASSDB"); + + if (!init_account_policy()) { + return False; + } + + if (init) { + now = time(NULL); + + if (!tdb_store_uint32(tdb, key, (uint32)now)) { + DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); + return False; + } + + return True; + } + + if (!tdb_fetch_uint32(tdb, key, &val)) { + return False; + } + + return True; +} + +/***************************************************************************** + Remove marker that informs that account policies have been migrated to passdb +*****************************************************************************/ + +BOOL remove_account_policy_migrated(void) +{ + if (!init_account_policy()) { + return False; + } + + return tdb_delete_bystring(tdb, "AP_MIGRATED_TO_PASSDB"); +} + + /***************************************************************************** Get an account policy from the cache *****************************************************************************/ @@ -413,8 +473,9 @@ TDB_CONTEXT *get_account_pol_tdb( void ) { if ( !tdb ) { - if ( !init_account_policy() ) + if ( !init_account_policy() ) { return NULL; + } } return tdb; -- cgit From f39c02e945dcb93cb156b9e28656d1cd4b0483da Mon Sep 17 00:00:00 2001 
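Review bot: remove_account_policy_migrated (hunk @@ -382) returns the result of tdb_delete_bystring directly as a BOOL. If that helper follows the usual tdb convention of 0 on success and -1 on failure (its definition is not in this hunk), the function reports False when the marker was removed and True when removal failed. Compare explicitly instead: `return (tdb_delete_bystring(tdb, "AP_MIGRATED_TO_PASSDB") == 0);`. The marker name is also spelled out twice, once through slprintf in account_policy_migrated and once as a literal here; a `#define AP_MIGRATED "AP_MIGRATED_TO_PASSDB"` next to AP_LASTSET would keep the two in step.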
From: Gerald Carter Date: Wed, 15 Mar 2006 05:50:52 +0000 Subject: r14432: Give in and grant BUILT\Administrators all privileges (This used to be commit b6170910604dba6533b727de8d7f0cc75256d14f) --- source3/lib/account_pol.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 75a1d62ee7..0694b1c3f8 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -288,12 +288,17 @@ BOOL init_account_policy(void) /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ privilege_create_account( &global_sid_World ); - privilege_create_account( &global_sid_Builtin_Administrators ); privilege_create_account( &global_sid_Builtin_Account_Operators ); privilege_create_account( &global_sid_Builtin_Server_Operators ); privilege_create_account( &global_sid_Builtin_Print_Operators ); privilege_create_account( &global_sid_Builtin_Backup_Operators ); + /* BUILTIN\Administrators get everything -- *always* */ + + if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) { + DEBUG(0,("init_account_policy: Failed to grant privileges to BUILTIN\\Administrators!\n")); + } + return True; } -- cgit From e17302200c138eec7df504a7f4b2bde46073a810 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 17 Apr 2006 11:49:06 +0000 Subject: r15101: Little step towards getting Samba4 tdb into 3: tdb_lock_bystring does not have the timeout argument in Samba4. Add a new routine tdb_lock_bystring_with_timeout. Volker (This used to be commit b9c6e3f55602fa505859a4b2cd137b74105d685f) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 0694b1c3f8..6bf7346fe7 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
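Review bot: The added block grants every privilege to BUILTIN\Administrators whenever init_account_policy reaches this point, and the comment `-- *always*` does not explain the consequence. Presumably a privilege that an administrator deliberately removed from that group is restored on the next start. A failed grant is only logged and the function still returns True. I would state this in the comment, for example `/* Re-granted on every start; revoking a privilege from BUILTIN\Administrators does not persist. */`, and say in the log message that startup continues without the grant. The function begins outside this hunk.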
@@ -269,7 +269,7 @@ BOOL init_account_policy(void) } /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring,0); + tdb_lock_bystring(tdb, vstring); if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { tdb_store_uint32(tdb, vstring, DATABASE_VERSION); -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/lib/account_pol.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 6bf7346fe7..8d844741f5 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -262,10 +262,18 @@ BOOL init_account_policy(void) return True; } - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - if (!tdb) { - DEBUG(0,("Failed to open account policy database\n")); - return False; + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600); + if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */ + tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open account policy database\n")); + return False; + } + /* creation was successful */ + /* add AP_MIGRATED_TO_PASSDB speacial key */ + /* so that you do not need to migrate policies */ + /* on brand new servers as it does not make sense */ + account_policy_migrated(True); } /* handle a Samba upgrade */ -- cgit From 1cf1e648feed823244731eef5f56bd34e15cb045 Mon Sep 17 00:00:00 2001 
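Review bot: The fallback to `O_RDWR|O_CREAT` is taken for any failure of the first `tdb_open_log()`, as the new comment itself says ("does not exist or open failed"), yet `account_policy_migrated(True)` is then called on the assumption that the database is brand new. If the first open failed for some other reason and the second succeeded on an existing file, the marker would be written and the existing policies would presumably never be considered for migration (the consumer of the marker is not in this hunk). I would take the create path only when the file is really absent, e.g. on `errno == ENOENT` if `tdb_open_log()` preserves errno. The marker's result is also discarded; `if (!account_policy_migrated(True)) { DEBUG(0,("init_account_policy: failed to set migration marker\n")); }` would at least log it. The enclosing function starts and ends outside the hunk.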
From: Volker Lendecke Date: Mon, 31 Jul 2006 04:30:55 +0000 Subject: r17334: Some C++ warnings (This used to be commit 8ae7ed1f3cecbb5285313d17b5f9511e2e622f0b) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 8d844741f5..de5a37aea9 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -94,7 +94,7 @@ char *account_policy_names_list(void) len += strlen(account_policy_names[i].string) + 1; } len++; - nl = SMB_MALLOC(len); + nl = (char *)SMB_MALLOC(len); if (!nl) { return NULL; } -- cgit From 1a6ffd139176f7b19ed0a7acfb13354adae03062 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 6 Sep 2006 15:17:25 +0000 Subject: r18182: only grant privs to Administrators if privileges are enabled to avoid bopgus error messages (This used to be commit 7d5356fd5db6ece2504c9c140d1f454056be7164) --- source3/lib/account_pol.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index de5a37aea9..e6ef8dbbe4 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -303,8 +303,11 @@ BOOL init_account_policy(void) /* BUILTIN\Administrators get everything -- *always* */ - if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) { - DEBUG(0,("init_account_policy: Failed to grant privileges to BUILTIN\\Administrators!\n")); + if ( lp_enable_privileges() ) { + if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) { + DEBUG(1,("init_account_policy: Failed to grant privileges " + "to BUILTIN\\Administrators!\n")); + } } return True; -- cgit From 716f7245d99d17b7b3e6bda05dc2edf7334463a5 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sat, 9 Sep 2006 22:27:06 +0000 Subject: r18313: Nobody said "no" (yet.... gd?), so commit it: Remove the account_policy_migrated() thingy, and make cache_account_policy_set use gencache. Account policies are now handled like groups and users are with respect to "passdb backend". Volker (This used to be commit fa8b2e2a585ab0c00a5fbde7aa790043261caf2e) --- source3/lib/account_pol.c | 167 ++++++++++++---------------------------------- 1 file changed, 42 insertions(+), 125 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index e6ef8dbbe4..4cb0b77e74 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -28,7 +28,6 @@ static TDB_CONTEXT *tdb; * ldap directly) - gd */ #define DATABASE_VERSION 3 -#define AP_LASTSET "LAST_CACHE_UPDATE" #define AP_TTL 60 
@@ -168,50 +167,6 @@ int account_policy_name_to_fieldnum(const char *name) return 0; } -/***************************************************************************** -Update LAST-Set counter inside the cache -*****************************************************************************/ - -static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update, - const char *ap_name) -{ - pstring key; - uint32 val = 0; - time_t now; - - if (ap_name == NULL) - return False; - - slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET); - - if (!init_account_policy()) { - return False; - } - - if (!tdb_fetch_uint32(tdb, key, &val) && !update) { - DEBUG(10,("failed to get last set timestamp of cache\n")); - return False; - } - - *value = val; - - DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val))); - - if (update) { - - now = time(NULL); - - if (!tdb_store_uint32(tdb, key, (uint32)now)) { - DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); - return False; - } - DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now))); - *value = now; - } - - return True; -} - /***************************************************************************** Get default value for account policy *****************************************************************************/ @@ -269,11 +224,6 @@ BOOL init_account_policy(void) DEBUG(0,("Failed to open account policy database\n")); return False; } - /* creation was successful */ - /* add AP_MIGRATED_TO_PASSDB speacial key */ - /* so that you do not need to migrate policies */ - /* on brand new servers as it does not make sense */ - account_policy_migrated(True); } /* handle a Samba upgrade */ @@ -319,7 +269,7 @@ Get an account policy (from tdb) BOOL account_policy_get(int field, uint32 *value) { - fstring name; + const char *name; uint32 regval; if (!init_account_policy()) { 
@@ -330,8 +280,8 @@ BOOL account_policy_get(int field, uint32 *value) *value = 0; } - fstrcpy(name, decode_account_policy_name(field)); - if (!*name) { + name = decode_account_policy_name(field); + if (name == NULL) { DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field)); return False; } @@ -356,14 +306,14 @@ Set an account policy (in tdb) BOOL account_policy_set(int field, uint32 value) { - fstring name; + const char *name; if (!init_account_policy()) { return False; } - fstrcpy(name, decode_account_policy_name(field)); - if (!*name) { + name = decode_account_policy_name(field); + if (name == NULL) { DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field)); return False; } @@ -384,8 +334,10 @@ Set an account policy in the cache BOOL cache_account_policy_set(int field, uint32 value) { - uint32 lastset; const char *policy_name = NULL; + char *cache_key = NULL; + char *cache_value = NULL; + BOOL ret = False; policy_name = decode_account_policy_name(field); if (policy_name == NULL) { 
@@ -393,94 +345,59 @@ BOOL cache_account_policy_set(int field, uint32 value) return False; } - DEBUG(10,("cache_account_policy_set: updating account pol cache\n")); - - if (!account_policy_set(field, value)) { - return False; - } - - if (!account_policy_cache_timestamp(&lastset, True, policy_name)) - { - DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n")); - return False; - } - - DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL))); - - return True; -} - -/***************************************************************************** -Check whether account policies have been migrated to passdb -*****************************************************************************/ - -BOOL account_policy_migrated(BOOL init) -{ - pstring key; - uint32 val; - time_t now; - - slprintf(key, sizeof(key)-1, "AP_MIGRATED_TO_PASSDB"); - - if (!init_account_policy()) { - return False; - } - - if (init) { - now = time(NULL); - - if (!tdb_store_uint32(tdb, key, (uint32)now)) { - DEBUG(1, ("tdb_store_uint32 failed for %s\n", key)); - return False; - } - - return True; + if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) { + DEBUG(0, ("asprintf failed\n")); + goto done; } - if (!tdb_fetch_uint32(tdb, key, &val)) { - return False; + if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) { + DEBUG(0, ("asprintf failed\n")); + goto done; } - return True; -} + DEBUG(10,("cache_account_policy_set: updating account pol cache\n")); -/***************************************************************************** - Remove marker that informs that account policies have been migrated to passdb -*****************************************************************************/ + ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL); -BOOL remove_account_policy_migrated(void) -{ - if (!init_account_policy()) { - return False; - } - - return tdb_delete_bystring(tdb, "AP_MIGRATED_TO_PASSDB"); + done: + 
SAFE_FREE(cache_key); + SAFE_FREE(cache_value); + return ret; } - /***************************************************************************** Get an account policy from the cache *****************************************************************************/ BOOL cache_account_policy_get(int field, uint32 *value) { - uint32 lastset; + const char *policy_name = NULL; + char *cache_key = NULL; + char *cache_value = NULL; + BOOL ret = False; - if (!account_policy_cache_timestamp(&lastset, False, - decode_account_policy_name(field))) - { - DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n")); + policy_name = decode_account_policy_name(field); + if (policy_name == NULL) { + DEBUG(0,("cache_account_policy_set: no policy found\n")); return False; } - if ((lastset + AP_TTL) < (uint32)time(NULL) ) { - DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n")); - return False; - } + if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) { + DEBUG(0, ("asprintf failed\n")); + goto done; + } - return account_policy_get(field, value); -} + if (gencache_get(cache_key, &cache_value, NULL)) { + uint32 tmp = strtoul(cache_value, NULL, 10); + *value = tmp; + ret = True; + } + done: + SAFE_FREE(cache_key); + SAFE_FREE(cache_value); + return ret; +} /**************************************************************************** ****************************************************************************/ -- cgit From e2bebe486550374978af200232334ddc7757ba8d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 1 Dec 2006 14:54:31 +0000 Subject: r19978: More "net sam policy" improvements. Thanks to Karolin Seeger Volker (This used to be commit fde042f29e9e9ac19ed3380e8fbe45fa8441e705) --- source3/lib/account_pol.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) (limited to 'source3/lib/account_pol.c') 
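Review bot: In the new `cache_account_policy_get()` the cached string is converted with `strtoul(cache_value, NULL, 10)` and returned as a hit without any validation. An empty or non-numeric cache entry is therefore reported as policy value 0, and a value wider than 32 bits is silently truncated into `uint32`. For a field such as the minimum password length, a spurious 0 is weaker than whatever the backend holds, so I would parse with an end pointer and a range check and treat anything else as a cache miss, as sketched below. Separately, the "no policy found" DEBUG in this function still names `cache_account_policy_set`.

```c
	if (gencache_get(cache_key, &cache_value, NULL)) {
		char *end = NULL;
		unsigned long tmp;

		errno = 0;
		tmp = strtoul(cache_value, &end, 10);
		/* the setter writes "<n>\n"; anything else is treated as a miss */
		if (errno == 0 && end != cache_value &&
		    (*end == '\0' || *end == '\n') &&
		    tmp <= 0xFFFFFFFFUL) {
			*value = (uint32)tmp;
			ret = True;
		}
	}
	/* ... unchanged: done: label and SAFE_FREE calls ... */
```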
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 4cb0b77e74..f4008457ac 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -83,28 +83,24 @@ static const struct ap_table account_policy_names[] = { {0, NULL, 0, "", NULL} }; -char *account_policy_names_list(void) -{ - char *nl, *p; - int i; - size_t len = 0; +void account_policy_names_list(const char ***names, int *num_names) +{ + const char **nl; + int i, count; - for (i=0; account_policy_names[i].string; i++) { - len += strlen(account_policy_names[i].string) + 1; + for (count=0; account_policy_names[count].string; count++) { } - len++; - nl = (char *)SMB_MALLOC(len); + nl = SMB_MALLOC_ARRAY(const char *, count); if (!nl) { - return NULL; + *num_names = 0; + return; } - p = nl; for (i=0; account_policy_names[i].string; i++) { - memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1); - p[strlen(account_policy_names[i].string)] = '\n'; - p += strlen(account_policy_names[i].string) + 1; + nl[i] = account_policy_names[i].string; } - *p = '\0'; - return nl; + *num_names = count; + *names = nl; + return; } /**************************************************************************** -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index f4008457ac..b0eb57f760 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
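Review bot: On allocation failure the new `account_policy_names_list()` sets `*num_names = 0` but leaves `*names` untouched, so a caller that tests the pointer rather than the count reads whatever was there before. Adding `*names = NULL;` in that branch makes both outputs consistent. The function now returns `void` and hands back an array, so it needs a header comment stating that the caller frees the array but not the strings, which point into the static `account_policy_names` table.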
@@ -7,7 +7,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/lib/account_pol.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index b0eb57f760..516755426a 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -16,8 +16,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ #include "includes.h" -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/lib/account_pol.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 516755426a..96a471cf06 100644 
--- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -166,7 +166,7 @@ int account_policy_name_to_fieldnum(const char *name) Get default value for account policy *****************************************************************************/ -BOOL account_policy_get_default(int account_policy, uint32 *val) +bool account_policy_get_default(int account_policy, uint32 *val) { int i; for (i=0; account_policy_names[i].field; i++) { @@ -184,7 +184,7 @@ BOOL account_policy_get_default(int account_policy, uint32 *val) Set default for a field if it is empty *****************************************************************************/ -static BOOL account_policy_set_default_on_empty(int account_policy) +static bool account_policy_set_default_on_empty(int account_policy) { uint32 value; @@ -201,7 +201,7 @@ static BOOL account_policy_set_default_on_empty(int account_policy) Open the account policy tdb. ***`*************************************************************************/ -BOOL init_account_policy(void) +bool init_account_policy(void) { const char *vstring = "INFO/version"; @@ -262,7 +262,7 @@ BOOL init_account_policy(void) Get an account policy (from tdb) *****************************************************************************/ -BOOL account_policy_get(int field, uint32 *value) +bool account_policy_get(int field, uint32 *value) { const char *name; uint32 regval; @@ -299,7 +299,7 @@ BOOL account_policy_get(int field, uint32 *value) Set an account policy (in tdb) ****************************************************************************/ -BOOL account_policy_set(int field, uint32 value) +bool account_policy_set(int field, uint32 value) { const char *name; 
@@ -327,12 +327,12 @@ BOOL account_policy_set(int field, uint32 value) Set an account policy in the cache ****************************************************************************/ -BOOL cache_account_policy_set(int field, uint32 value) +bool cache_account_policy_set(int field, uint32 value) { const char *policy_name = NULL; char *cache_key = NULL; char *cache_value = NULL; - BOOL ret = False; + bool ret = False; policy_name = decode_account_policy_name(field); if (policy_name == NULL) { @@ -364,12 +364,12 @@ BOOL cache_account_policy_set(int field, uint32 value) Get an account policy from the cache *****************************************************************************/ -BOOL cache_account_policy_get(int field, uint32 *value) +bool cache_account_policy_get(int field, uint32 *value) { const char *policy_name = NULL; char *cache_key = NULL; char *cache_value = NULL; - BOOL ret = False; + bool ret = False; policy_name = decode_account_policy_name(field); if (policy_name == NULL) { -- cgit From 88ee61625a5de5e443d14c54eab91a90d87cda85 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Thu, 1 Nov 2007 15:53:44 -0400 Subject: Patch 2 of 3 from Debian Samba packagers: The point is doing the following associations: - non discardable state data (all TDB files that may need to be backed up) go to statedir - shared data (codepage stuff) go to codepagedir The patch *does not change* the default location for these directories. So, there is no behaviour change when applying it. The main change is for samba developers who have to think when dealing with files that previously pertained to libdir whether they: - go in statedir - go in codepagedir - stay in libdir (This used to be commit d6cdbfd875bb2653e831d314726c3240beb0a96b) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 96a471cf06..2540b49314 100644 
--- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -212,9 +212,9 @@ bool init_account_policy(void) return True; } - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600); + tdb = tdb_open_log(state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600); if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */ - tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + tdb = tdb_open_log(state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { DEBUG(0,("Failed to open account policy database\n")); return False; -- cgit From 9aa8d0c627773c1509b2beb1cf007a52c57d233e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Mar 2008 12:09:56 +0100 Subject: Convert account_pol.tdb to dbwrap Signed-off-by: Stefan Metzmacher (This used to be commit 0b36871a0d795183f0e9dc78b654788b1988f06e) --- source3/lib/account_pol.c | 84 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 66 insertions(+), 18 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 2540b49314..46fbc3b7c5 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -20,7 +20,7 @@ */ #include "includes.h" -static TDB_CONTEXT *tdb; +static struct db_context *db; /* cache all entries for 60 seconds for to save ldap-queries (cache is updated * after this period if admins do not use pdbedit or usermanager but manipulate 
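Review bot: Switching both opens from `lock_path()` to `state_path()` means that on a build where the two directories differ, an existing `account_policy.tdb` is not found and the `O_RDWR|O_CREAT` fallback in the same hunk silently creates a fresh database. The commit message says the default locations are unchanged, so this affects only packagers who override the state directory, but the file holds password policy and a silent return to defaults is easy to miss. A log line on the create path would make it visible, e.g. `DEBUG(1,("init_account_policy: creating new account policy database\n"));`. The enclosing function starts and ends outside the hunk.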
@@ -208,36 +208,62 @@ bool init_account_policy(void) uint32 version; int i; - if (tdb) { + if (db != NULL) { return True; } - tdb = tdb_open_log(state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600); - if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */ - tdb = tdb_open_log(state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - if (!tdb) { + db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, + O_RDWR, 0600); + + if (db == NULL) { /* the account policies files does not exist or open + * failed, try to create a new one */ + db = db_open(NULL, state_path("account_policy.tdb"), 0, + TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (db == NULL) { DEBUG(0,("Failed to open account policy database\n")); return False; } } + version = dbwrap_fetch_int32(db, vstring); + if (version == DATABASE_VERSION) { + return true; + } + /* handle a Samba upgrade */ - tdb_lock_bystring(tdb, vstring); - if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - tdb_store_uint32(tdb, vstring, DATABASE_VERSION); + if (db->transaction_start(db) != 0) { + DEBUG(0, ("transaction_start failed\n")); + TALLOC_FREE(db); + return false; + } + + version = dbwrap_fetch_int32(db, vstring); + if (version == DATABASE_VERSION) { + /* + * Race condition + */ + if (db->transaction_cancel(db)) { + smb_panic("transaction_cancel failed"); + } + return true; + } + + if (version != DATABASE_VERSION) { + if (dbwrap_store_uint32(db, vstring, DATABASE_VERSION) != 0) { + DEBUG(0, ("dbwrap_store_uint32 failed\n")); + goto cancel; + } for (i=0; account_policy_names[i].field; i++) { if (!account_policy_set_default_on_empty(account_policy_names[i].field)) { DEBUG(0,("failed to set default value in account policy tdb\n")); - return False; + goto cancel; } } } - tdb_unlock_bystring(tdb, vstring); - /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */ privilege_create_account( &global_sid_World 
); @@ -255,7 +281,20 @@ bool init_account_policy(void) } } + if (db->transaction_commit(db) != 0) { + DEBUG(0, ("transaction_commit failed\n")); + goto cancel; + } + return True; + + cancel: + if (db->transaction_cancel(db)) { + smb_panic("transaction_cancel failed"); + } + TALLOC_FREE(db); + + return false; } /***************************************************************************** @@ -281,7 +320,7 @@ bool account_policy_get(int field, uint32 *value) return False; } - if (!tdb_fetch_uint32(tdb, name, ®val)) { + if (!dbwrap_fetch_uint32(db, name, ®val)) { DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name)); return False; } @@ -302,6 +341,8 @@ Set an account policy (in tdb) bool account_policy_set(int field, uint32 value) { const char *name; + uint32_t v_store; + NTSTATUS status; if (!init_account_policy()) { return False; @@ -313,8 +354,15 @@ bool account_policy_set(int field, uint32 value) return False; } - if (!tdb_store_uint32(tdb, name, value)) { - DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value)); + SIVAL(&v_store, 0, value); + + status = dbwrap_trans_store_bystring( + db, name, + make_tdb_data((const uint8 *)&v_store, sizeof(v_store)), + TDB_REPLACE); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("store_uint32 failed for field %d (%s) on value " + "%u: %s\n", field, name, value, nt_errstr(status))); return False; } @@ -397,15 +445,15 @@ bool cache_account_policy_get(int field, uint32 *value) /**************************************************************************** ****************************************************************************/ -TDB_CONTEXT *get_account_pol_tdb( void ) +struct db_context *get_account_pol_db( void ) { - if ( !tdb ) { + if ( db != NULL ) { if ( !init_account_policy() ) { return NULL; } } - return tdb; + return db; } -- cgit From 0d234bd3c22b1a76f0892645e41dd1568735a150 Mon Sep 17 00:00:00 2001 
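Review bot: The new early `return true` taken when `dbwrap_fetch_int32(db, vstring)` already equals `DATABASE_VERSION` also skips the `privilege_create_account()` calls that follow. The removed code reached them on every open, after `tdb_unlock_bystring()`. If the well-known accounts, and the BUILTIN\Administrators grant further down outside this hunk, are now meant to be set up only when the database is created or upgraded, a comment at the early return should say so; otherwise that block has to run before the version check. Two smaller points: `version` is a `uint32` receiving the result of an int32 fetch, and the later `if (version != DATABASE_VERSION)` is always true after the equality return, so the condition can be dropped.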
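Review bot: When `db->transaction_commit(db)` fails, the code jumps to `cancel:`, which calls `db->transaction_cancel(db)` and panics if that call fails. If a failed commit has already ended the transaction (tdb's commit does; the dbwrap backend is not visible here), the cancel fails too and a recoverable commit error becomes an `smb_panic`. I would handle the commit failure inline rather than through the label: `DEBUG(0, ("transaction_commit failed\n")); TALLOC_FREE(db); return false;`.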
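Review bot: The guard in `get_account_pol_db()` is inverted by the conversion. With `if ( db != NULL )` the function returns NULL without calling `init_account_policy()` when the database has not been opened yet, and re-runs the initialiser when it already has been. The removed line tested `!tdb`, so the converted line should read `if ( db == NULL ) {`.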
From: Stefan Metzmacher Date: Fri, 28 Mar 2008 20:04:35 +0100 Subject: account_pol: use dbwrap_trans_store_uint32() metze (This used to be commit b1d63c8c1116f3429fb73aa6842105073385d1e8) --- source3/lib/account_pol.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 46fbc3b7c5..4e36760c4c 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -341,7 +341,6 @@ Set an account policy (in tdb) bool account_policy_set(int field, uint32 value) { const char *name; - uint32_t v_store; NTSTATUS status; if (!init_account_policy()) { @@ -354,12 +353,7 @@ bool account_policy_set(int field, uint32 value) return False; } - SIVAL(&v_store, 0, value); - - status = dbwrap_trans_store_bystring( - db, name, - make_tdb_data((const uint8 *)&v_store, sizeof(v_store)), - TDB_REPLACE); + status = dbwrap_trans_store_uint32(db, name, value); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("store_uint32 failed for field %d (%s) on value " "%u: %s\n", field, name, value, nt_errstr(status))); -- cgit From 7704d4fb58161577aaa7f14075bbf7e9fc964e9b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 1 Apr 2008 11:26:29 +0200 Subject: account_pol: use db_open_trans() metze (This used to be commit 888c2802b7bda92baae2dd0c1596f5e04bc3bfaa) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 4e36760c4c..067f346883 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
@@ -212,12 +212,12 @@ bool init_account_policy(void) return True; } - db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, + db = db_open_trans(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600); if (db == NULL) { /* the account policies files does not exist or open * failed, try to create a new one */ - db = db_open(NULL, state_path("account_policy.tdb"), 0, + db = db_open_trans(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (db == NULL) { DEBUG(0,("Failed to open account policy database\n")); -- cgit From ab976ae692bef8b374ea2c9da0839a64415ea51d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 10 Jul 2008 11:11:53 +0200 Subject: A brown paper bag bug fix for "net sam rights" (This used to be commit 8a455b012827cfb917473a160c5710a90490451a) --- source3/lib/account_pol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 067f346883..e415d10d8e 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -442,7 +442,7 @@ bool cache_account_policy_get(int field, uint32 *value) struct db_context *get_account_pol_db( void ) { - if ( db != NULL ) { + if ( db == NULL ) { if ( !init_account_policy() ) { return NULL; } -- cgit From 0f41961e4ffaa602a5b19a1e0899bffa491c886f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 7 Aug 2008 16:20:05 +1000 Subject: first cut at adding full transactions for ctdb to samba3 (This used to be commit f91a3e0f7b7737c1d0667cd961ea950e2b93e592) --- source3/lib/account_pol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index e415d10d8e..7fc565121c 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c 
@@ -212,12 +212,12 @@ bool init_account_policy(void) return True; } - db = db_open_trans(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, + db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600); if (db == NULL) { /* the account policies files does not exist or open * failed, try to create a new one */ - db = db_open_trans(NULL, state_path("account_policy.tdb"), 0, + db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (db == NULL) { DEBUG(0,("Failed to open account policy database\n")); -- cgit From fe3dd9b3e6daf626ea094d1ce5fc96f89c61b7ad Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 8 Aug 2008 11:42:06 +1000 Subject: fixed lots of places that paniced on a failed transaction_commit, thinking it was a failure of a transaction cancel (This used to be commit 22dbe158ed62ae47bbcb41bba3db345294f75437) --- source3/lib/account_pol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/lib/account_pol.c') diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c index 7fc565121c..1e435ca53e 100644 --- a/source3/lib/account_pol.c +++ b/source3/lib/account_pol.c @@ -283,7 +283,8 @@ bool init_account_policy(void) if (db->transaction_commit(db) != 0) { DEBUG(0, ("transaction_commit failed\n")); - goto cancel; + TALLOC_FREE(db); + return false; } return True; -- cgit