From 620d759f49f4b648d0fa4a84e67f1cecbbdd0f06 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 27 Apr 2006 19:50:13 +0000 Subject: r15298: Fix the build using a few hacks in the build system. Recursive dependencies are now forbidden (the build system will bail out if there are any). I've split up auth_sam.c into auth_sam.c and sam.c. Andrew, please rename sam.c / move its contents to whatever/wherever you think suits best. (This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0) --- source4/auth/sam.c | 395 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 395 insertions(+) create mode 100644 source4/auth/sam.c (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c new file mode 100644 index 0000000000..a40e844f85 --- /dev/null +++ b/source4/auth/sam.c 
@@ -0,0 +1,395 @@ +/* + Unix SMB/CIFS implementation. + Password and authentication handling + Copyright (C) Andrew Bartlett 2001-2004 + Copyright (C) Gerald Carter 2003 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "system/time.h" +#include "auth/auth.h" +#include "db_wrap.h" +#include "dsdb/samdb/samdb.h" +#include "libcli/security/security.h" +#include "libcli/ldap/ldap.h" +#include "librpc/gen_ndr/ndr_security.h" + +const char *user_attrs[] = { + /* required for the krb5 kdc */ + "objectClass", + "sAMAccountName", + "userPrincipalName", + "servicePrincipalName", + "msDS-KeyVersionNumber", + "krb5Key", + + /* passwords */ + "lmPwdHash", + "ntPwdHash", + + "userAccountControl", + + "pwdLastSet", + "accountExpires", + + "objectSid", + + /* check 'allowed workstations' */ + "userWorkstations", + + /* required for server_info, not access control: */ + "displayName", + "scriptPath", + "profilePath", + "homeDirectory", + "homeDrive", + "lastLogon", + "lastLogoff", + "accountExpires", + "badPwdCount", + "logonCount", + "primaryGroupID", + NULL, +}; + +const char *domain_ref_attrs[] = {"nETBIOSName", "nCName", + "dnsRoot", "objectClass", NULL}; + + +/**************************************************************************** + Do a specific test for a SAM_ACCOUNT 
being vaild for this connection + (ie not disabled, expired and the like). +****************************************************************************/ +_PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, + struct ldb_context *sam_ctx, + uint32_t logon_parameters, + struct ldb_message *msg, + struct ldb_message *msg_domain_ref, + const char *logon_workstation, + const char *name_for_logs) +{ + uint16_t acct_flags; + const char *workstation_list; + NTTIME acct_expiry; + NTTIME must_change_time; + NTTIME last_set_time; + + struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx)); + + NTTIME now; + DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs)); + + acct_flags = samdb_result_acct_flags(msg, "userAccountControl"); + + acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, + domain_dn, msg); + last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0); + + workstation_list = samdb_result_string(msg, "userWorkstations", NULL); + + /* Quit if the account was disabled. */ + if (acct_flags & ACB_DISABLED) { + DEBUG(1,("authsam_account_ok: Account for user '%s' was disabled.\n", name_for_logs)); + return NT_STATUS_ACCOUNT_DISABLED; + } + + /* Quit if the account was locked out. 
*/ + if (acct_flags & ACB_AUTOLOCK) { + DEBUG(1,("authsam_account_ok: Account for user %s was locked out.\n", name_for_logs)); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + + /* Test account expire time */ + unix_to_nt_time(&now, time(NULL)); + if (now > acct_expiry) { + DEBUG(1,("authsam_account_ok: Account for user '%s' has expired.\n", name_for_logs)); + DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n", + nt_time_string(mem_ctx, acct_expiry))); + return NT_STATUS_ACCOUNT_EXPIRED; + } + + if (!(acct_flags & ACB_PWNOEXP)) { + /* check for immediate expiry "must change at next logon" */ + if (must_change_time == 0 && last_set_time != 0) { + DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", + name_for_logs)); + return NT_STATUS_PASSWORD_MUST_CHANGE; + } + + /* check for expired password */ + if ((must_change_time != 0) && (must_change_time < now)) { + DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", + name_for_logs)); + DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", + nt_time_string(mem_ctx, must_change_time))); + return NT_STATUS_PASSWORD_EXPIRED; + } + } + + /* Test workstation. Workstation list is comma separated. 
*/ + if (logon_workstation && workstation_list && *workstation_list) { + BOOL invalid_ws = True; + int i; + const char **workstations = str_list_make(mem_ctx, workstation_list, ","); + + for (i = 0; workstations && workstations[i]; i++) { + DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n", + workstations[i], logon_workstation)); + + if (strequal(workstations[i], logon_workstation) == 0) { + invalid_ws = False; + break; + } + } + + talloc_free(workstations); + + if (invalid_ws) { + return NT_STATUS_INVALID_WORKSTATION; + } + } + + if (acct_flags & ACB_DOMTRUST) { + DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs)); + return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; + } + + if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) { + if (acct_flags & ACB_SVRTRUST) { + DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs)); + return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; + } + } + if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) { + if (acct_flags & ACB_WSTRUST) { + DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", name_for_logs)); + return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; + } + } + + return NT_STATUS_OK; +} + +_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, + struct ldb_message *msg, + struct ldb_message *msg_domain_ref, + DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, + struct auth_serversupplied_info **_server_info) +{ + struct auth_serversupplied_info *server_info; + struct ldb_message **group_msgs; + int group_ret; + const char *group_attrs[3] = { "sAMAccountType", "objectSid", NULL }; + /* find list of sids */ + struct dom_sid **groupSIDs = NULL; + struct dom_sid *account_sid; + struct dom_sid *primary_group_sid; + const char *str; + struct ldb_dn *ncname; + int i; + uint_t rid; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + + group_ret = gendb_search(sam_ctx, + 
tmp_ctx, NULL, &group_msgs, group_attrs, + "(&(member=%s)(sAMAccountType=*))", + ldb_dn_linearize(tmp_ctx, msg->dn)); + if (group_ret == -1) { + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + server_info = talloc(mem_ctx, struct auth_serversupplied_info); + NT_STATUS_HAVE_NO_MEMORY(server_info); + + if (group_ret > 0) { + groupSIDs = talloc_array(server_info, struct dom_sid *, group_ret); + NT_STATUS_HAVE_NO_MEMORY(groupSIDs); + } + + /* Need to unroll some nested groups, but not aliases */ + for (i = 0; i < group_ret; i++) { + groupSIDs[i] = samdb_result_dom_sid(groupSIDs, + group_msgs[i], "objectSid"); + NT_STATUS_HAVE_NO_MEMORY(groupSIDs[i]); + } + + talloc_free(tmp_ctx); + + account_sid = samdb_result_dom_sid(server_info, msg, "objectSid"); + NT_STATUS_HAVE_NO_MEMORY(account_sid); + + primary_group_sid = dom_sid_dup(server_info, account_sid); + NT_STATUS_HAVE_NO_MEMORY(primary_group_sid); + + rid = samdb_result_uint(msg, "primaryGroupID", ~0); + if (rid == ~0) { + if (group_ret > 0) { + primary_group_sid = groupSIDs[0]; + } else { + primary_group_sid = NULL; + } + } else { + primary_group_sid->sub_auths[primary_group_sid->num_auths-1] = rid; + } + + server_info->account_sid = account_sid; + server_info->primary_group_sid = primary_group_sid; + + server_info->n_domain_groups = group_ret; + server_info->domain_groups = groupSIDs; + + server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL)); + + server_info->domain_name = talloc_steal(server_info, samdb_result_string(msg_domain_ref, "nETBIOSName", NULL)); + + str = samdb_result_string(msg, "displayName", ""); + server_info->full_name = talloc_strdup(server_info, str); + NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); + + str = samdb_result_string(msg, "scriptPath", ""); + server_info->logon_script = talloc_strdup(server_info, str); + NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + + str = samdb_result_string(msg, "profilePath", ""); 
+ server_info->profile_path = talloc_strdup(server_info, str); + NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + + str = samdb_result_string(msg, "homeDirectory", ""); + server_info->home_directory = talloc_strdup(server_info, str); + NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + + str = samdb_result_string(msg, "homeDrive", ""); + server_info->home_drive = talloc_strdup(server_info, str); + NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + + server_info->logon_server = talloc_strdup(server_info, lp_netbios_name()); + NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); + + server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); + server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0); + server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); + + ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL); + if (!ncname) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + server_info->allow_password_change + = samdb_result_allow_password_change(sam_ctx, mem_ctx, + ncname, msg, "pwdLastSet"); + server_info->force_password_change + = samdb_result_force_password_change(sam_ctx, mem_ctx, + ncname, msg); + + server_info->logon_count = samdb_result_uint(msg, "logonCount", 0); + server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0); + + server_info->acct_flags = samdb_result_acct_flags(msg, "userAccountControl"); + + server_info->user_session_key = user_sess_key; + server_info->lm_session_key = lm_sess_key; + + server_info->authenticated = True; + + *_server_info = server_info; + + return NT_STATUS_OK; +} + +_PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, + TALLOC_CTX *mem_ctx, const char *principal, + struct ldb_message ***msgs, + struct ldb_message ***msgs_domain_ref) +{ + struct ldb_dn *user_dn, *domain_dn; + NTSTATUS nt_status; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + 
int ret; + + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + + /* grab domain info from the reference */ + ret = gendb_search(sam_ctx, tmp_ctx, NULL, msgs_domain_ref, domain_ref_attrs, + "(ncName=%s)", ldb_dn_linearize(tmp_ctx, domain_dn)); + + if (ret != 1) { + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* pull the user attributes */ + ret = gendb_search_dn(sam_ctx, tmp_ctx, user_dn, msgs, user_attrs); + if (ret != 1) { + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + talloc_steal(mem_ctx, *msgs); + talloc_steal(mem_ctx, *msgs_domain_ref); + talloc_free(tmp_ctx); + + return NT_STATUS_OK; +} + +/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */ +NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal, + struct auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status; + DATA_BLOB user_sess_key = data_blob(NULL, 0); + DATA_BLOB lm_sess_key = data_blob(NULL, 0); + + struct ldb_message **msgs; + struct ldb_message **msgs_domain_ref; + struct ldb_context *sam_ctx; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx)); + if (sam_ctx == NULL) { + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + + nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, + &msgs, &msgs_domain_ref); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, msgs[0], msgs_domain_ref[0], + user_sess_key, lm_sess_key, + server_info); + if (NT_STATUS_IS_OK(nt_status)) { + talloc_steal(mem_ctx, *server_info); + } + talloc_free(tmp_ctx); + return nt_status; +} -- cgit 
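Review bot: The workstation restriction in authsam_account_ok never takes effect: strequal() is true on a match, so `if (strequal(workstations[i], logon_workstation) == 0)` clears invalid_ws on the first entry that does not match and NT_STATUS_INVALID_WORKSTATION is only reachable when every listed workstation equals the client's name; the test should be `if (strequal(workstations[i], logon_workstation)) {` (a later commit on this page, r24074, makes exactly that change). In sam_get_server_info_principal, the early `return nt_status;` after a failed sam_get_results_principal skips `talloc_free(tmp_ctx)`, leaking the temporary context and the samdb connection hung off it. The expiry test `if (now > acct_expiry)` uses a default of 0 for a missing accountExpires, so an account without that attribute is rejected as expired, and a value of 0 is commonly used to mean no expiry; if that is intended it deserves a comment, otherwise the sentinel values need an explicit check before the comparison.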
From e002300f238dd0937dd9f768e366c006945e8baa Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sat, 29 Apr 2006 17:34:49 +0000
Subject: r15328: Move some functions around, remove dependencies. Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
---
 source4/auth/sam.c | 1 -
 1 file changed, 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index a40e844f85..0e9fa5c02e 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -27,7 +27,6 @@
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/security.h"
 #include "libcli/ldap/ldap.h"
-#include "librpc/gen_ndr/ndr_security.h"
 const char *user_attrs[] = {
 /* required for the krb5 kdc */
-- cgit
From 1fde679daec85e2d9c24a05566a8bae18a6ee0fb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 14 Jun 2006 23:50:58 +0000
Subject: r16238: Use a baseDN for the auth_sam searches, to allow continued function with partitions. Also fix some debug messages. Andrew Bartlett (This used to be commit a2441ae99a6c3b4bf40f5369477a9bc0f3019c34)
---
 source4/auth/sam.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 0e9fa5c02e..e7f70aa370 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -206,7 +206,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 group_ret = gendb_search(sam_ctx,
- tmp_ctx, NULL, &group_msgs, group_attrs,
+ tmp_ctx, samdb_base_dn(tmp_ctx), &group_msgs, group_attrs,
 "(&(member=%s)(sAMAccountType=*))",
 ldb_dn_linearize(tmp_ctx, msg->dn));
 if (group_ret == -1) {
@@ -321,6 +321,7 @@ _PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 NTSTATUS nt_status;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 int ret;
+ const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration");
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
@@ -333,7 +334,7 @@ _PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 }
 /* grab domain info from the reference */
- ret = gendb_search(sam_ctx, tmp_ctx, NULL, msgs_domain_ref, domain_ref_attrs,
+ ret = gendb_search(sam_ctx, tmp_ctx, partitions_basedn, msgs_domain_ref, domain_ref_attrs,
 "(ncName=%s)", ldb_dn_linearize(tmp_ctx, domain_dn));
 if (ret != 1) {
-- cgit
From 0fd98079425cff37c45be824ffa2695458ff12f3 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 25 Aug 2006 07:08:06 +0000
Subject: r17823: get rid of most of the samdb_base_dn() calls, as they are no longer needed in searches (This used to be commit a5ea749f0ac63bf495a55ee8d9d002208ab93572)
---
 source4/auth/sam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index e7f70aa370..f616138a3e 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -206,7 +206,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 group_ret = gendb_search(sam_ctx,
- tmp_ctx, samdb_base_dn(tmp_ctx), &group_msgs, group_attrs,
+ tmp_ctx, NULL, &group_msgs, group_attrs,
 "(&(member=%s)(sAMAccountType=*))",
 ldb_dn_linearize(tmp_ctx, msg->dn));
 if (group_ret == -1) {
-- cgit
From b21b119cbcff175453173d7061e3be3888dc8ec3 Mon Sep 17 00:00:00 2001
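Review bot: `partitions_basedn` in sam_get_results_principal is allocated on `mem_ctx`, the caller's context, instead of `tmp_ctx`, so the temporary search base outlives the call; it is also built before the `if (!tmp_ctx)` check and is never tested for NULL before being handed to gendb_search as the base DN. Declaring it after the check as `struct ldb_dn *partitions_basedn = ldb_dn_string_compose(tmp_ctx, samdb_base_dn(tmp_ctx), "CN=Partitions,CN=Configuration");` followed by `if (!partitions_basedn) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; }` keeps the allocation with the rest of the scratch state. The later r17824 hunk on this page replaces the expression with samdb_partitions_dn() but keeps the mem_ctx allocation and the missing check. The rest of sam_get_results_principal lies outside this hunk.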
From: Andrew Tridgell
Date: Fri, 25 Aug 2006 07:32:18 +0000
Subject: r17824: add a wrapper for the common partitions_basedn calculation (This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
---
 source4/auth/sam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f616138a3e..0284cb9a19 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -321,7 +321,7 @@ _PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 NTSTATUS nt_status;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 int ret;
- const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration");
+ const struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
-- cgit
From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 7 Nov 2006 00:48:36 +0000
Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
---
 source4/auth/sam.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 0284cb9a19..c7f0a74ac9 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -27,6 +27,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/security.h"
 #include "libcli/ldap/ldap.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
 const char *user_attrs[] = {
 /* required for the krb5 kdc */
-- cgit
From 4889eb9f7aae9349e426d0f6d2217adff67eaebd Mon Sep 17 00:00:00 2001
From: Simo Sorce Date: Wed, 22 Nov 2006 00:59:34 +0000 Subject: r19831: Big ldb_dn optimization and interfaces enhancement patch This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63) --- source4/auth/sam.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index c7f0a74ac9..34ce34540a 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -89,7 +89,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, NTTIME must_change_time; NTTIME last_set_time; - struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx)); + struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL)); NTTIME now; DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs)); @@ -287,7 +287,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); - ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL); + ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL); if (!ncname) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } 
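Review bot: In authsam_account_ok, a domain reference without an nCName now silently falls back to `ldb_dn_new(mem_ctx, sam_ctx, NULL)` and that placeholder DN is passed to samdb_result_force_password_change as if it were the domain, whereas authsam_make_server_info in the second hunk treats the same missing nCName as NT_STATUS_INTERNAL_DB_CORRUPTION. Passing `NULL` as the default and returning that status when `domain_dn` is NULL would make the two paths agree and avoid computing a password-expiry policy against a DN that names nothing. The body of authsam_account_ok continues outside the hunk.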
@@ -322,7 +322,7 @@ _PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, NTSTATUS nt_status; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); int ret; - const struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); + struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; -- cgit From a9e31b33b55a873c2f01db5e348560176adf863d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 22 Nov 2006 02:05:19 +0000 Subject: r19832: better prototypes for the linearization functions: - ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd) --- source4/auth/sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 34ce34540a..a44eb9017e 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -209,7 +209,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte group_ret = gendb_search(sam_ctx, tmp_ctx, NULL, &group_msgs, group_attrs, "(&(member=%s)(sAMAccountType=*))", - ldb_dn_linearize(tmp_ctx, msg->dn)); + ldb_dn_get_linearized(msg->dn)); if (group_ret == -1) { talloc_free(tmp_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; @@ -336,7 +336,7 @@ _PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, /* grab domain info from the reference */ ret = gendb_search(sam_ctx, tmp_ctx, partitions_basedn, msgs_domain_ref, domain_ref_attrs, - "(ncName=%s)", ldb_dn_linearize(tmp_ctx, domain_dn)); + "(ncName=%s)", ldb_dn_get_linearized(domain_dn)); if (ret != 1) { talloc_free(tmp_ctx); -- cgit From 3b14713f6d583a33fc2b2bb8c2c3aab6f5928630 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Thu, 15 Feb 2007 12:54:58 +0000 Subject: r21362: rename: "ntPwdHash" => "unicodePwd" "lmPwdHash" => "dBCSPwd" "sambaLMPwdHistory" => "lmPwdHistory" "sambaNTPwdHistory" => "ntPwdHistory" Note: you need to reprovision after this change! metze (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad) --- source4/auth/sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index a44eb9017e..f9f801c800 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -39,8 +39,8 @@ const char *user_attrs[] = { "krb5Key", /* passwords */ - "lmPwdHash", - "ntPwdHash", + "dBCSPwd", + "unicodePwd", "userAccountControl", -- cgit From 6e2d85e38baa2221c2d31d2246567e7523e00fd6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 18 Feb 2007 22:01:02 +0000 Subject: r21434: - get rid of "krb5Key" - use "sambaPassword" only as virtual attribute for passing the cleartext password (in unix charset) into the ldb layer - store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos blob to match w2k and w2k3 - aes key support is disabled by default, as we don't know exacly how longhorn stores them. use password_hash:create_aes_key=yes to force creation of them. - store the cleartext password in the Primary:CLEARTEXT blob if configured TODO: - find out how longhorn stores aes keys - find out how the Primary:WDigest blob needs to be constructed (not supported by w2k) metze (This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953) --- source4/auth/sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index f9f801c800..7299078747 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c 
@@ -36,7 +36,7 @@ const char *user_attrs[] = { "userPrincipalName", "servicePrincipalName", "msDS-KeyVersionNumber", - "krb5Key", + "supplementalCredentials", /* passwords */ "dBCSPwd", -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/auth/sam.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 7299078747..681576c1c7 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 06a6194eadef9fa9c9f6b3c200c41d2a59dc76af Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Fri, 27 Jul 2007 06:31:12 +0000 Subject: r24061: Anther part of bug #4823, which is that until now Samba4 didn't parse the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505) --- source4/auth/sam.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 681576c1c7..2fb0a239ff 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -45,6 +45,7 @@ const char *user_attrs[] = { "pwdLastSet", "accountExpires", + "logonHours", "objectSid", 
@@ -67,8 +68,69 @@ const char *user_attrs[] = { }; const char *domain_ref_attrs[] = {"nETBIOSName", "nCName", - "dnsRoot", "objectClass", NULL}; + "dnsRoot", "objectClass", NULL}; +/**************************************************************************** + Check if a user is allowed to logon at this time. Note this is the + servers local time, as logon hours are just specified as a weekly + bitmask. +****************************************************************************/ + +static BOOL logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) +{ + /* In logon hours first bit is Sunday from 12AM to 1AM */ + const struct ldb_val *hours; + struct tm *utctime; + time_t lasttime; + const char *asct; + uint8_t bitmask, bitpos; + + hours = ldb_msg_find_ldb_val(msg, "logonHours"); + if (!hours) { + DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n", name_for_logs)); + return True; + } + + if (hours->length != 168/8) { + DEBUG(5,("logon_hours_ok: malformed logon hours restrictions for user %s\n", name_for_logs)); + return True; + } + + lasttime = time(NULL); + utctime = gmtime(&lasttime); + if (!utctime) { + DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n", + name_for_logs)); + return False; + } + + /* find the corresponding byte and bit */ + bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168; + bitmask = 1 << (bitpos % 8); + + if (! (hours->data[bitpos/8] & bitmask)) { + struct tm *t = localtime(&lasttime); + if (!t) { + asct = "INVALID TIME"; + } else { + asct = asctime(t); + if (!asct) { + asct = "INVALID TIME"; + } + } + + DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to " + "logon at this time (%s).\n", + name_for_logs, asct )); + return False; + } + + asct = asctime(utctime); + DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n", + name_for_logs, asct ? 
asct : "UNKNOWN TIME" )); + + return True; +} /**************************************************************************** Do a specific test for a SAM_ACCOUNT being vaild for this connection @@ -164,6 +226,10 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, } } + if (!logon_hours_ok(msg, name_for_logs)) { + return NT_STATUS_INVALID_LOGON_HOURS; + } + if (acct_flags & ACB_DOMTRUST) { DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs)); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; -- cgit From 649d4bf8aa1e957d6a059dd265d5c9b313a43f15 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 30 Jul 2007 08:58:39 +0000 Subject: r24074: Test both permitted logon hours and permitted workstations in the RPC-SAMLOGON test. This showed that, as noted by bug #4823, we didn't test for invalid workstations. In fact, the code had been ported across, but because untested code is broken code, it never worked... Andrew Bartlett (This used to be commit 5e07417ada56d189a911ef888b0c87adebe60763) --- source4/auth/sam.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 2fb0a239ff..6e160941d8 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -46,7 +46,6 @@ const char *user_attrs[] = { "pwdLastSet", "accountExpires", "logonHours", - "objectSid", /* check 'allowed workstations' */ @@ -213,7 +212,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n", workstations[i], logon_workstation)); - if (strequal(workstations[i], logon_workstation) == 0) { + if (strequal(workstations[i], logon_workstation)) { invalid_ws = False; break; } -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 
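Review bot: logon_hours_ok fails open on a malformed `logonHours` value: a length other than `168/8` is logged at level 5 and the function returns `True`, so a truncated or corrupted restriction blob grants logon at any hour, which is the opposite of how the gmtime() failure a few lines below is handled; failing closed there, or at least logging it at level 1, would keep a bad attribute from quietly disabling the control. The header comment says the check uses "the servers local time", but the bit index is derived from `gmtime()` (UTC) and `localtime()` is only used for the diagnostic, so the comment should say the weekly bitmask is indexed in UTC. Minor: asctime() returns a string that already ends in a newline, so the `(%s).\n` format leaves the closing parenthesis on its own line. gmtime(), localtime() and asctime() all return pointers to static storage; the `_r` variants are the safer choice if this path is ever reached from more than one thread.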
From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/auth/sam.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 6e160941d8..ed01c0bd93 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -27,6 +27,7 @@ #include "libcli/security/security.h" #include "libcli/ldap/ldap.h" #include "librpc/gen_ndr/ndr_netlogon.h" +#include "param/param.h" const char *user_attrs[] = { /* required for the krb5 kdc */ -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/auth/sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index ed01c0bd93..ec019b3fe6 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -344,7 +344,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->home_drive = talloc_strdup(server_info, str); NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); - server_info->logon_server = talloc_strdup(server_info, lp_netbios_name()); + server_info->logon_server = talloc_strdup(server_info, lp_netbios_name(global_loadparm)); NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); -- cgit From 3642f3b40d755209a843745f160a9d7962a6deca Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:16:19 +0000 Subject: r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245) --- source4/auth/sam.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'source4/auth/sam.c') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index ec019b3fe6..ad8d77ecf8 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -76,7 +76,7 @@ const char *domain_ref_attrs[] = {"nETBIOSName", "nCName", bitmask. ****************************************************************************/ -static BOOL logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) +static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) { /* In logon hours first bit is Sunday from 12AM to 1AM */ const struct ldb_val *hours; @@ -88,12 +88,12 @@ static BOOL logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) hours = ldb_msg_find_ldb_val(msg, "logonHours"); if (!hours) { DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n", name_for_logs)); - return True; + return true; } if (hours->length != 168/8) { DEBUG(5,("logon_hours_ok: malformed logon hours restrictions for user %s\n", name_for_logs)); - return True; + return true; } lasttime = time(NULL); @@ -101,7 +101,7 @@ static BOOL logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) if (!utctime) { DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n", name_for_logs)); - return False; + return false; } /* find the corresponding byte and bit */ 
@@ -122,14 +122,14 @@ static BOOL logon_hours_ok(struct ldb_message *msg, const char *name_for_logs)
 DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to " "logon at this time (%s).\n", name_for_logs, asct ));
- return False;
+ return false;
 }
 asct = asctime(utctime);
 DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n", name_for_logs, asct ? asct : "UNKNOWN TIME" ));
- return True;
+ return true;
 }
 /****************************************************************************
@@ -205,7 +205,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 /* Test workstation. Workstation list is comma separated. */
 if (logon_workstation && workstation_list && *workstation_list) {
- BOOL invalid_ws = True;
+ bool invalid_ws = true;
 int i;
 const char **workstations = str_list_make(mem_ctx, workstation_list, ",");
@@ -214,7 +214,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 workstations[i], logon_workstation));
 if (strequal(workstations[i], logon_workstation)) {
- invalid_ws = False;
+ invalid_ws = false;
 break;
 }
 }
@@ -371,7 +371,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 server_info->user_session_key = user_sess_key;
 server_info->lm_session_key = lm_sess_key;
- server_info->authenticated = True;
+ server_info->authenticated = true;
 *_server_info = server_info;
-- cgit
From ca0b72a1fdb7bd965065e833df34662afef0423e Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Fri, 16 Nov 2007 20:12:00 +0100
Subject: r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
---
source4/auth/sam.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index ad8d77ecf8..6a212b8cfe 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -22,7 +22,8 @@
 #include "includes.h"
 #include "system/time.h"
 #include "auth/auth.h"
-#include "db_wrap.h"
+#include
+#include "util/util_ldb.h"
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/security.h"
 #include "libcli/ldap/ldap.h"
-- cgit
From f4a1083cf9f64b4d2b65b68942e93861409ea90f Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sun, 2 Dec 2007 17:09:52 +0100
Subject: r26227: Make loadparm_context part of a server task, move loadparm_contexts further up the call stack.
(This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
---
source4/auth/sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6a212b8cfe..ce02821e83 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -439,7 +439,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principa
 return NT_STATUS_NO_MEMORY;
 }
- sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, global_loadparm, system_session(tmp_ctx));
 if (sam_ctx == NULL) {
 talloc_free(tmp_ctx);
 return NT_STATUS_INVALID_SYSTEM_SERVICE;
-- cgit
From ab69eb8d8901d23794c6a298718e67656ef4820e Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 3 Dec 2007 15:53:17 +0100
Subject: r26250: Avoid global_loadparm in a couple more places.
(This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
---
source4/auth/sam.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index ce02821e83..47d0910650 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -253,10 +253,11 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 }
 _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
- struct ldb_message *msg,
- struct ldb_message *msg_domain_ref,
- DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **_server_info)
+ const char *netbios_name,
+ struct ldb_message *msg,
+ struct ldb_message *msg_domain_ref,
+ DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
+ struct auth_serversupplied_info **_server_info)
 {
 struct auth_serversupplied_info *server_info;
 struct ldb_message **group_msgs;
@@ -345,7 +346,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 server_info->home_drive = talloc_strdup(server_info, str);
 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
- server_info->logon_server = talloc_strdup(server_info, lp_netbios_name(global_loadparm));
+ server_info->logon_server = talloc_strdup(server_info, netbios_name);
 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
 server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
@@ -423,7 +424,9 @@ _PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 }
 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
-NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal,
+NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ const char *principal,
 struct auth_serversupplied_info **server_info)
 {
 NTSTATUS nt_status;
@@ -439,7 +442,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principa
 return NT_STATUS_NO_MEMORY;
 }
- sam_ctx = samdb_connect(tmp_ctx, global_loadparm, system_session(tmp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, lp_ctx, system_session(tmp_ctx));
 if (sam_ctx == NULL) {
 talloc_free(tmp_ctx);
 return NT_STATUS_INVALID_SYSTEM_SERVICE;
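Review bot: The new `netbios_name` parameter is handed straight to `talloc_strdup` in the `@@ -345` hunk without being checked, and because `talloc_strdup` hands back NULL for a NULL input string, a caller that passes no name is reported by `NT_STATUS_HAVE_NO_MEMORY` as `NT_STATUS_NO_MEMORY` rather than as a bad argument. `logon_server` becomes part of the server-supplied info that later code treats as authoritative, so I would either add `if (netbios_name == NULL) return NT_STATUS_INVALID_PARAMETER;` at the top of `authsam_make_server_info` or state in a comment on the new signature line in the `@@ -253` hunk that the caller must supply a non-NULL name. The same applies to the caller in the following `@@ -451` hunk, which passes `lp_netbios_name(lp_ctx)` unchecked. `authsam_make_server_info` starts and ends outside this hunk.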
@@ -451,7 +454,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principa
 return nt_status;
 }
- nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, msgs[0], msgs_domain_ref[0],
+ nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(lp_ctx),
+ msgs[0], msgs_domain_ref[0],
 user_sess_key, lm_sess_key, server_info);
 if (NT_STATUS_IS_OK(nt_status)) {
-- cgit
From 43696d2752e2faad34fb3ed2a7dbf01d40ffdc46 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 3 Dec 2007 15:53:28 +0100
Subject: r26252: Specify loadparm_context explicitly when creating sessions.
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
---
source4/auth/sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 47d0910650..fdd7de7c71 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -442,7 +442,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
 return NT_STATUS_NO_MEMORY;
 }
- sam_ctx = samdb_connect(tmp_ctx, lp_ctx, system_session(tmp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx));
 if (sam_ctx == NULL) {
 talloc_free(tmp_ctx);
 return NT_STATUS_INVALID_SYSTEM_SERVICE;
-- cgit
From 5043215f219f90a899a8dc75518540a04b93301f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 28 Feb 2008 08:50:00 +1100
Subject: Generate ACB_PW_EXPIRED correctly
More correctly handle expired passwords, and do not expire machine accounts. Test that the behaviour is consistant with windows, using the RPC-SAMR test. Change NETLOGON to directly query the userAccountControl, just because we don't want to do the extra expiry processing here. Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
---
source4/auth/sam.c | 36 +++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index fdd7de7c71..abcb72f292 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -156,7 +156,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 NTTIME now;
 DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
- acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
+ acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
 acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
@@ -186,22 +186,20 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 return NT_STATUS_ACCOUNT_EXPIRED;
 }
- if (!(acct_flags & ACB_PWNOEXP)) {
- /* check for immediate expiry "must change at next logon" */
- if (must_change_time == 0 && last_set_time != 0) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
- name_for_logs));
- return NT_STATUS_PASSWORD_MUST_CHANGE;
- }
+ /* check for immediate expiry "must change at next logon" */
+ if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
+ name_for_logs));
+ return NT_STATUS_PASSWORD_MUST_CHANGE;
+ }
- /* check for expired password */
- if ((must_change_time != 0) && (must_change_time < now)) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
- name_for_logs));
- DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
- nt_time_string(mem_ctx, must_change_time)));
- return NT_STATUS_PASSWORD_EXPIRED;
- }
+ /* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */
+ if (acct_flags & ACB_PW_EXPIRED) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
+ name_for_logs));
+ DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
+ nt_time_string(mem_ctx, must_change_time)));
+ return NT_STATUS_PASSWORD_EXPIRED;
 }
 /* Test workstation. Workstation list is comma separated. */
@@ -267,6 +265,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 struct dom_sid **groupSIDs = NULL;
 struct dom_sid *account_sid;
 struct dom_sid *primary_group_sid;
+ struct ldb_dn *domain_dn;
 const char *str;
 struct ldb_dn *ncname;
 int i;
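Review bot: The log lines added in the `@@ -186` hunk are prefixed `sam_account_ok:` while the function is `authsam_account_ok` (the `DEBUG(4,...)` line in the preceding `@@ -156` hunk uses the real name), so the must-change and expired rejections cannot be grepped or correlated by function name; use the actual name, e.g. `DEBUG(1,("authsam_account_ok: Account for user '%s' password expired!.\n", name_for_logs));`. The second message in the expired branch still prints `must_change_time`, but the decision is now taken from `ACB_PW_EXPIRED` computed inside `samdb_result_acct_flags`, so the time it reports is not necessarily the one that caused the rejection; either drop that line or note in the comment that the two values are computed independently. The new comment also has typos and should read `/* check for expired password (dynamically generated in samdb_result_acct_flags) */`. `authsam_account_ok` continues on both sides of this hunk.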
@@ -368,7 +367,10 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
 server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
- server_info->acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
+ domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL);
+
+ server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
+ msg, domain_dn);
 server_info->user_session_key = user_sess_key;
 server_info->lm_session_key = lm_sess_key;
-- cgit
From 3abf47fe87e72b18c94157c3f993b7f2fca8c248 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 29 Feb 2008 08:47:42 +1100
Subject: Simplify the 'password must change' logic
This takes the previous patches further, so we catch all the cases (the KDC looked at the time directly). Andrew Bartlett
(This used to be commit cda4642a937d249399e25eaa6e5e20a0d440bcbf)
---
source4/auth/sam.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index abcb72f292..9a8045f62d 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -149,7 +149,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 const char *workstation_list;
 NTTIME acct_expiry;
 NTTIME must_change_time;
- NTTIME last_set_time;
 struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL));
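Review bot: `domain_dn` in the `@@ -368` hunk is taken from `samdb_result_dn(..., "nCName", NULL)` and passed to `samdb_result_acct_flags` with no NULL check, while the `authsam_account_ok` counterpart (visible in the `@@ -149` context later on this line) supplies `ldb_dn_new(mem_ctx, sam_ctx, NULL)` as the fallback; the two call sites should agree on what a domain reference without `nCName` means, and since the result feeds `server_info->acct_flags` a missing DN is better treated as a hard error here. I would add `if (domain_dn == NULL) return NT_STATUS_INTERNAL_DB_CORRUPTION;` directly after the assignment, unless `samdb_result_acct_flags` is documented to tolerate a NULL DN, which this file does not show. With a NULL default, an allocation failure inside `samdb_result_dn` is also indistinguishable from the attribute being absent. `authsam_make_server_info` starts and ends outside this hunk.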
@@ -159,9 +158,11 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
 acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+
+ /* Check for when we must change this password, taking the
+ * userAccountControl flags into account */
 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
 domain_dn, msg);
- last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
 workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
@@ -187,14 +188,14 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 }
 /* check for immediate expiry "must change at next logon" */
- if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) {
+ if (must_change_time == 0) {
 DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
 name_for_logs));
 return NT_STATUS_PASSWORD_MUST_CHANGE;
 }
- /* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */
- if (acct_flags & ACB_PW_EXPIRED) {
+ /* check for expired password */
+ if (must_change_time < now) {
 DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
 name_for_logs));
 DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
-- cgit
From 20c701400961901e92315b4cd02038fff086e33d Mon Sep 17 00:00:00 2001
From: Andrew Kroeger
Date: Thu, 6 Mar 2008 06:07:28 -0600
Subject: Update account expiration to use new samdb_result_account_expires() function.
(This used to be commit 2b6b4e5a1611744eea5dd9ec17c416916d7edab4)
---
source4/auth/sam.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 9a8045f62d..882196343c 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
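Review bot: The `@@ -187` hunk removes the `ACB_PWNOEXP` guard and the `last_set_time` test, so whether a "password never expires" account or a machine account is admitted now rests entirely on what `samdb_result_force_password_change` returns for them, which this file does not show; the two comparisons (`== 0` meaning must change now, `< now` meaning expired) encode that contract only implicitly. Spell it out at the call site in the `@@ -159` hunk so a later change to the helper is caught in review, e.g. `/* 0 means "must change at next logon"; ACB_PWNOEXP and machine accounts are expected to yield a time in the future (never expires) — see samdb_result_force_password_change() */`. If the helper ever returned 0 for "never", every such account would be rejected with `NT_STATUS_PASSWORD_MUST_CHANGE`, and a past sentinel would expire them, so a test covering both account kinds through this path would pin the behaviour. `authsam_account_ok` begins and ends outside this hunk.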
@@ -157,7 +157,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
- acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+ acct_expiry = samdb_result_account_expires(msg, 0);
 /* Check for when we must change this password, taking the
 * userAccountControl flags into account */
@@ -351,7 +351,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
 server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
- server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+ server_info->acct_expiry = samdb_result_account_expires(msg, 0);
 server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL);
-- cgit
From dc49ae599eacd6c118dc355609bca657b05c5dee Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 25 Mar 2008 15:25:13 +1100
Subject: Remove useless extra argument to samdb_result_account_expires(). Andrew Bartlett
(This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
---
source4/auth/sam.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 882196343c..b171fc57b9 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -157,7 +157,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
- acct_expiry = samdb_result_account_expires(msg, 0);
+ acct_expiry = samdb_result_account_expires(msg);
 /* Check for when we must change this password, taking the
 * userAccountControl flags into account */
@@ -351,7 +351,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
 server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
- server_info->acct_expiry = samdb_result_account_expires(msg, 0);
+ server_info->acct_expiry = samdb_result_account_expires(msg);
 server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL);
-- cgit
From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Wed, 2 Apr 2008 04:53:27 +0200
Subject: Install public header files again and include required prototypes.
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
---
source4/auth/sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index b171fc57b9..ed44754993 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -383,7 +383,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
 return NT_STATUS_OK;
 }
-_PUBLIC_ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
+NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 TALLOC_CTX *mem_ctx, const char *principal, struct ldb_message ***msgs, struct ldb_message ***msgs_domain_ref)
-- cgit
From 21fc7673780aa1d7c0caab7b17ff9171238913ba Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Thu, 17 Apr 2008 12:23:44 +0200
Subject: Specify event_context to ldb_wrap_connect explicitly.
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
---
source4/auth/sam.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source4/auth/sam.c')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index ed44754993..a2090afcdc 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -428,6 +428,7 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
 NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
 struct loadparm_context *lp_ctx,
 const char *principal,
 struct auth_serversupplied_info **server_info)
@@ -445,7 +446,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
 return NT_STATUS_NO_MEMORY;
 }
- sam_ctx = samdb_connect(tmp_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx));
 if (sam_ctx == NULL) {
 talloc_free(tmp_ctx);
 return NT_STATUS_INVALID_SYSTEM_SERVICE;
-- cgit