/* Unix SMB/CIFS implementation. interface functions for the sam database Copyright (C) Andrew Tridgell 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include "includes.h" struct samdb_context { struct ldb_context *ldb; }; /* this is used to catch debug messages from ldb */ void samdb_debug(void *context, enum ldb_debug_level level, const char *fmt, va_list ap) { char *s = NULL; if (DEBUGLEVEL < 4 && level > LDB_DEBUG_WARNING) { return; } vasprintf(&s, fmt, ap); if (!s) return; DEBUG(level, ("samdb: %s\n", s)); free(s); } /* connect to the SAM database return an opaque context pointer on success, or NULL on failure */ void *samdb_connect(void) { struct samdb_context *ctx; /* the way that unix fcntl locking works forces us to have a static ldb handle here rather than a much more sensible approach of having the ldb handle as part of the samr_Connect() pipe state. Otherwise we would try to open the ldb more than once, and tdb would rightly refuse the second open due to the broken nature of unix locking. */ static struct ldb_context *static_sam_db; if (static_sam_db == NULL) { static_sam_db = ldb_connect(lp_sam_url(), 0, NULL); if (static_sam_db == NULL) { return NULL; } } ldb_set_debug(static_sam_db, samdb_debug, NULL); ctx = malloc_p(struct samdb_context); if (!ctx) { errno = ENOMEM; return NULL; } ctx->ldb = static_sam_db; return ctx; } /* close a connection to the sam */ void samdb_close(void *ctx) { struct samdb_context *sam_ctx = ctx; /* we don't actually close due to broken posix locking semantics */ sam_ctx->ldb = NULL; free(sam_ctx); } /* a alloc function for ldb */ static void *samdb_alloc(void *context, void *ptr, size_t size) { return talloc_realloc((TALLOC_CTX *)context, ptr, size); } /* search the sam for the specified attributes - va_list varient */ int samdb_search_v(void *ctx, TALLOC_CTX *mem_ctx, const char *basedn, struct ldb_message ***res, const char * const *attrs, const char *format, va_list ap) { struct samdb_context *sam_ctx = ctx; char *expr = NULL; int count; vasprintf(&expr, format, ap); if (expr == NULL) { return -1; } ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); count = ldb_search(sam_ctx->ldb, basedn, LDB_SCOPE_SUBTREE, expr, attrs, res); DEBUG(4,("samdb_search_v: %s %s -> %d\n", basedn?basedn:"NULL", expr, count)); free(expr); return count; } /* search the sam for the specified attributes - varargs varient */ int samdb_search(void *ctx, TALLOC_CTX *mem_ctx, const char *basedn, struct ldb_message ***res, const char * const *attrs, const char *format, ...) { va_list ap; int count; va_start(ap, format); count = samdb_search_v(ctx, mem_ctx, basedn, res, attrs, format, ap); va_end(ap); return count; } /* free up a search result */ int samdb_search_free(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message **res) { struct samdb_context *sam_ctx = ctx; ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_search_free(sam_ctx->ldb, res); } /* search the sam for a single string attribute in exactly 1 record */ const char *samdb_search_string_v(void *ctx, TALLOC_CTX *mem_ctx, const char *basedn, const char *attr_name, const char *format, va_list ap) { int count; const char * const attrs[2] = { attr_name, NULL }; struct ldb_message **res = NULL; count = samdb_search_v(ctx, mem_ctx, basedn, &res, attrs, format, ap); if (count > 1) { DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n", attr_name, format, count)); } if (count != 1) { samdb_search_free(ctx, mem_ctx, res); return NULL; } return samdb_result_string(res[0], attr_name, NULL); } /* search the sam for a single string attribute in exactly 1 record */ const char *samdb_search_string(void *ctx, TALLOC_CTX *mem_ctx, const char *basedn, const char *attr_name, const char *format, ...) { va_list ap; const char *str; va_start(ap, format); str = samdb_search_string_v(ctx, mem_ctx, basedn, attr_name, format, ap); va_end(ap); return str; } /* search the sam for a single integer attribute in exactly 1 record */ uint_t samdb_search_uint(void *ctx, TALLOC_CTX *mem_ctx, uint_t default_value, const char *basedn, const char *attr_name, const char *format, ...) { va_list ap; int count; struct ldb_message **res; const char * const attrs[2] = { attr_name, NULL }; va_start(ap, format); count = samdb_search_v(ctx, mem_ctx, basedn, &res, attrs, format, ap); va_end(ap); if (count != 1) { return default_value; } return samdb_result_uint(res[0], attr_name, default_value); } /* search the sam for multipe records each giving a single string attribute return the number of matches, or -1 on error */ int samdb_search_string_multiple(void *ctx, TALLOC_CTX *mem_ctx, const char *basedn, const char ***strs, const char *attr_name, const char *format, ...) { va_list ap; int count, i; const char * const attrs[2] = { attr_name, NULL }; struct ldb_message **res = NULL; va_start(ap, format); count = samdb_search_v(ctx, mem_ctx, basedn, &res, attrs, format, ap); va_end(ap); if (count <= 0) { return count; } /* make sure its single valued */ for (i=0;inum_elements != 1) { DEBUG(1,("samdb: search for %s %s not single valued\n", attr_name, format)); samdb_search_free(ctx, mem_ctx, res); return -1; } } *strs = talloc_array_p(mem_ctx, const char *, count+1); if (! *strs) { samdb_search_free(ctx, mem_ctx, res); return -1; } for (i=0;isub_auths[sid->num_auths-1]; } /* pull a NTTIME in a result set. */ NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, const char *default_value) { const char *str = ldb_msg_find_string(msg, attr, default_value); return nttime_from_string(str); } /* pull a double (really a large integer) from a result set. */ double samdb_result_double(struct ldb_message *msg, const char *attr, double default_value) { return ldb_msg_find_double(msg, attr, default_value); } /* construct the allow_pwd_change field from the PwdLastSet attribute and the domain password settings */ NTTIME samdb_result_allow_pwd_change(void *ctx, TALLOC_CTX *mem_ctx, const char *domain_dn, struct ldb_message *msg, const char *attr) { double attr_time = samdb_result_double(msg, attr, 0); if (attr_time > 0) { const char *minPwdAge = samdb_search_string(ctx, mem_ctx, NULL, "minPwdAge", "dn=%s", domain_dn); if (minPwdAge) { /* yes, this is a -= not a += as minPwdAge is stored as the negative of the number of 100-nano-seconds */ attr_time -= strtod(minPwdAge, NULL); } } return nttime_from_double_nt(attr_time); } /* construct the force_pwd_change field from the PwdLastSet attribute and the domain password settings */ NTTIME samdb_result_force_pwd_change(void *ctx, TALLOC_CTX *mem_ctx, const char *domain_dn, struct ldb_message *msg, const char *attr) { double attr_time = samdb_result_double(msg, attr, 0); if (attr_time > 0) { const char *maxPwdAge = samdb_search_string(ctx, mem_ctx, NULL, "maxPwdAge", "dn=%s", domain_dn); if (!maxPwdAge || strcmp(maxPwdAge, "0") == 0) { attr_time = 0; } else { attr_time -= strtod(maxPwdAge, NULL); } } return nttime_from_double_nt(attr_time); } /* pull a samr_Hash structutre from a result set. */ struct samr_Hash samdb_result_hash(struct ldb_message *msg, const char *attr) { struct samr_Hash hash; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); ZERO_STRUCT(hash); if (val) { memcpy(hash.hash, val->data, MIN(val->length, 16)); } return hash; } /* pull an array of samr_Hash structutres from a result set. */ uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr, struct samr_Hash **hashes) { uint_t count = 0; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); int i; *hashes = NULL; if (!val) { return 0; } count = val->length / 16; if (count == 0) { return 0; } *hashes = talloc_array_p(mem_ctx, struct samr_Hash, count); if (! *hashes) { return 0; } for (i=0;idata, 16); } return count; } /* pull a samr_LogonHours structutre from a result set. */ struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr) { struct samr_LogonHours hours; const int units_per_week = 168; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); ZERO_STRUCT(hours); hours.bitmap = talloc_array_p(mem_ctx, uint8, units_per_week); if (!hours.bitmap) { return hours; } hours.units_per_week = units_per_week; memset(hours.bitmap, 0xFF, units_per_week); if (val) { memcpy(hours.bitmap, val->data, MIN(val->length, units_per_week)); } return hours; } /* mapping between ADS userAccountControl and SAMR acct_flags */ static const struct { uint32 uf, acb; } acct_flags_map[] = { { UF_ACCOUNTDISABLE, ACB_DISABLED }, { UF_HOMEDIR_REQUIRED, ACB_HOMDIRREQ }, { UF_PASSWD_NOTREQD, ACB_PWNOTREQ }, { UF_TEMP_DUPLICATE_ACCOUNT, ACB_TEMPDUP }, { UF_NORMAL_ACCOUNT, ACB_NORMAL }, { UF_MNS_LOGON_ACCOUNT, ACB_MNS }, { UF_INTERDOMAIN_TRUST_ACCOUNT, ACB_DOMTRUST }, { UF_WORKSTATION_TRUST_ACCOUNT, ACB_WSTRUST }, { UF_SERVER_TRUST_ACCOUNT, ACB_SVRTRUST }, { UF_DONT_EXPIRE_PASSWD, ACB_PWNOEXP }, { UF_LOCKOUT, ACB_AUTOLOCK } }; /* pull a set of account_flags from a result set. */ uint32 samdb_result_acct_flags(struct ldb_message *msg, const char *attr) { uint_t userAccountControl = ldb_msg_find_uint(msg, attr, 0); uint32 i, ret = 0; for (i=0;inum_elements;i++) { struct ldb_message_element *el = &t->elements[i]; /* some elements should not be copied from the template */ if (strcasecmp(el->name, "cn") == 0 || strcasecmp(el->name, "name") == 0 || strcasecmp(el->name, "sAMAccountName") == 0) { continue; } for (j=0;jnum_values;j++) { if (strcasecmp(el->name, "objectClass") == 0 && (strcasecmp((char *)el->values[j].data, "Template") == 0 || strcasecmp((char *)el->values[j].data, "userTemplate") == 0 || strcasecmp((char *)el->values[j].data, "groupTemplate") == 0)) { continue; } samdb_msg_add_string(ctx, mem_ctx, msg, el->name, (char *)el->values[j].data); } } return 0; } /* allocate a new id, attempting to do it atomically return 0 on failure, the id on success */ static NTSTATUS _samdb_allocate_next_id(void *ctx, TALLOC_CTX *mem_ctx, const char *dn, const char *attr, uint32 *id) { struct samdb_context *sam_ctx = ctx; struct ldb_message msg; int ret; const char *str; struct ldb_val vals[2]; struct ldb_message_element els[2]; str = samdb_search_string(ctx, mem_ctx, NULL, attr, "dn=%s", dn); if (!str) { DEBUG(1,("id not found at %s %s\n", dn, attr)); return NT_STATUS_OBJECT_NAME_INVALID; } *id = strtol(str, NULL, 0); if ((*id)+1 == 0) { /* out of IDs ! */ return NT_STATUS_INSUFFICIENT_RESOURCES; } /* we do a delete and add as a single operation. That prevents a race */ ZERO_STRUCT(msg); msg.dn = talloc_strdup(mem_ctx, dn); if (!msg.dn) { return NT_STATUS_NO_MEMORY; } msg.num_elements = 2; msg.elements = els; els[0].num_values = 1; els[0].values = &vals[0]; els[0].flags = LDB_FLAG_MOD_DELETE; els[0].name = talloc_strdup(mem_ctx, attr); if (!els[0].name) { return NT_STATUS_NO_MEMORY; } els[1].num_values = 1; els[1].values = &vals[1]; els[1].flags = LDB_FLAG_MOD_ADD; els[1].name = els[0].name; vals[0].data = talloc_asprintf(mem_ctx, "%u", *id); if (!vals[0].data) { return NT_STATUS_NO_MEMORY; } vals[0].length = strlen(vals[0].data); vals[1].data = talloc_asprintf(mem_ctx, "%u", (*id)+1); if (!vals[1].data) { return NT_STATUS_NO_MEMORY; } vals[1].length = strlen(vals[1].data); ret = ldb_modify(sam_ctx->ldb, &msg); if (ret != 0) { return NT_STATUS_UNEXPECTED_IO_ERROR; } (*id)++; return NT_STATUS_OK; } /* allocate a new id, attempting to do it atomically return 0 on failure, the id on success */ NTSTATUS samdb_allocate_next_id(void *ctx, TALLOC_CTX *mem_ctx, const char *dn, const char *attr, uint32 *id) { int tries = 10; NTSTATUS status; /* we need to try multiple times to cope with two account creations at the same time */ while (tries--) { status = _samdb_allocate_next_id(ctx, mem_ctx, dn, attr, id); if (!NT_STATUS_EQUAL(NT_STATUS_UNEXPECTED_IO_ERROR, status)) { break; } } if (NT_STATUS_EQUAL(NT_STATUS_UNEXPECTED_IO_ERROR, status)) { DEBUG(1,("Failed to increment id %s at %s\n", attr, dn)); } return status; } /* add a string element to a message */ int samdb_msg_add_string(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, const char *str) { struct samdb_context *sam_ctx = ctx; char *s = talloc_strdup(mem_ctx, str); char *a = talloc_strdup(mem_ctx, attr_name); if (s == NULL || a == NULL) { return -1; } ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_msg_add_string(sam_ctx->ldb, msg, a, s); } /* add a delete element operation to a message */ int samdb_msg_add_delete(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name) { struct samdb_context *sam_ctx = ctx; char *a = talloc_strdup(mem_ctx, attr_name); if (a == NULL) { return -1; } ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_msg_add_empty(sam_ctx->ldb, msg, a, LDB_FLAG_MOD_DELETE); } /* add a uint_t element to a message */ int samdb_msg_add_uint(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, uint_t v) { const char *s = talloc_asprintf(mem_ctx, "%u", v); return samdb_msg_add_string(ctx, mem_ctx, msg, attr_name, s); } /* add a double element to a message (actually a large integer) */ int samdb_msg_add_double(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, double v) { const char *s = talloc_asprintf(mem_ctx, "%.0f", v); return samdb_msg_add_string(ctx, mem_ctx, msg, attr_name, s); } /* add a samr_Hash element to a message */ int samdb_msg_add_hash(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, struct samr_Hash hash) { struct samdb_context *sam_ctx = ctx; struct ldb_val val; val.data = talloc(mem_ctx, 16); val.length = 16; if (!val.data) { return -1; } memcpy(val.data, hash.hash, 16); ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_msg_add_value(sam_ctx->ldb, msg, attr_name, &val); } /* add a samr_Hash array to a message */ int samdb_msg_add_hashes(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, struct samr_Hash *hashes, uint_t count) { struct samdb_context *sam_ctx = ctx; struct ldb_val val; int i; val.data = talloc(mem_ctx, count*16); val.length = count*16; if (!val.data) { return -1; } for (i=0;ildb, samdb_alloc, mem_ctx); return ldb_msg_add_value(sam_ctx->ldb, msg, attr_name, &val); } /* add a acct_flags element to a message */ int samdb_msg_add_acct_flags(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, uint32 v) { uint_t i, flags = 0; for (i=0;ildb, samdb_alloc, mem_ctx); return ldb_msg_add_value(sam_ctx->ldb, msg, attr_name, &val); } /* set a string element in a message */ int samdb_msg_set_string(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, const char *str) { struct samdb_context *sam_ctx = ctx; struct ldb_message_element *el; ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); el = ldb_msg_find_element(msg, attr_name); if (el) { el->num_values = 0; } return samdb_msg_add_string(ctx, mem_ctx, msg, attr_name, str); } /* set a ldaptime element in a message */ int samdb_msg_set_ldaptime(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, time_t t) { char *str = ldap_timestring(mem_ctx, t); if (!str) { return -1; } return samdb_msg_set_string(ctx, mem_ctx, msg, attr_name, str); } /* add a record */ int samdb_add(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg) { struct samdb_context *sam_ctx = ctx; ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_add(sam_ctx->ldb, msg); } /* delete a record */ int samdb_delete(void *ctx, TALLOC_CTX *mem_ctx, const char *dn) { struct samdb_context *sam_ctx = ctx; ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_delete(sam_ctx->ldb, dn); } /* modify a record */ int samdb_modify(void *ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg) { struct samdb_context *sam_ctx = ctx; ldb_set_alloc(sam_ctx->ldb, samdb_alloc, mem_ctx); return ldb_modify(sam_ctx->ldb, msg); } /* check that a password is sufficiently complex */ static BOOL samdb_password_complexity_ok(const char *pass) { return check_password_quality(pass); } /* set the user password using plaintext, obeying any user or domain password restrictions */ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx, const char *user_dn, const char *domain_dn, struct ldb_message *mod, const char *new_pass) { const char * const user_attrs[] = { "userAccountControl", "lmPwdHistory", "ntPwdHistory", "unicodePwd", "lmPwdHash", "ntPwdHash", "badPwdCount", NULL }; const char * const domain_attrs[] = { "pwdProperties", "pwdHistoryLength", "maxPwdAge", "minPwdAge", "minPwdLength", "pwdLastSet", NULL }; const char *unicodePwd; double minPwdAge, pwdLastSet; uint_t minPwdLength, pwdProperties, pwdHistoryLength; uint_t userAccountControl, badPwdCount; struct samr_Hash *lmPwdHistory, *ntPwdHistory, lmPwdHash, ntPwdHash; struct samr_Hash *new_lmPwdHistory, *new_ntPwdHistory; struct samr_Hash lmNewHash, ntNewHash; uint_t lmPwdHistory_len, ntPwdHistory_len; struct ldb_message **res; int count; time_t now = time(NULL); NTTIME now_nt; double now_double; int i; BOOL lm_hash_ok; /* we need to know the time to compute password age */ unix_to_nt_time(&now_nt, now); now_double = nttime_to_double_nt(now_nt); /* pull all the user parameters */ count = samdb_search(ctx, mem_ctx, NULL, &res, user_attrs, "dn=%s", user_dn); if (count != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } unicodePwd = samdb_result_string(res[0], "unicodePwd", NULL); userAccountControl = samdb_result_uint(res[0], "userAccountControl", 0); badPwdCount = samdb_result_uint(res[0], "badPwdCount", 0); lmPwdHistory_len = samdb_result_hashes(mem_ctx, res[0], "lmPwdHistory", &lmPwdHistory); ntPwdHistory_len = samdb_result_hashes(mem_ctx, res[0], "ntPwdHistory", &ntPwdHistory); lmPwdHash = samdb_result_hash(res[0], "lmPwdHash"); ntPwdHash = samdb_result_hash(res[0], "ntPwdHash"); pwdLastSet = samdb_result_double(res[0], "pwdLastSet", 0); /* pull the domain parameters */ count = samdb_search(ctx, mem_ctx, NULL, &res, domain_attrs, "dn=%s", domain_dn); if (count != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } pwdProperties = samdb_result_uint(res[0], "pwdProperties", 0); pwdHistoryLength = samdb_result_uint(res[0], "pwdHistoryLength", 0); minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0); minPwdAge = samdb_result_double(res[0], "minPwdAge", 0); /* are all password changes disallowed? */ if (pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) { return NT_STATUS_PASSWORD_RESTRICTION; } /* can this user change password? */ if (userAccountControl & UF_PASSWD_CANT_CHANGE) { return NT_STATUS_PASSWORD_RESTRICTION; } /* check the various password restrictions */ if (minPwdLength > str_charnum(new_pass)) { return NT_STATUS_PASSWORD_RESTRICTION; } /* yes, this is a minus. The ages are in negative 100nsec units! */ if (pwdLastSet - minPwdAge > now_double) { return NT_STATUS_PASSWORD_RESTRICTION; } /* possibly check password complexity */ if (pwdProperties & DOMAIN_PASSWORD_COMPLEX && !samdb_password_complexity_ok(new_pass)) { return NT_STATUS_PASSWORD_RESTRICTION; } /* compute the new nt and lm hashes */ lm_hash_ok = E_deshash(new_pass, lmNewHash.hash); E_md4hash(new_pass, ntNewHash.hash); /* check the immediately past password */ if (pwdHistoryLength > 0) { if (lm_hash_ok && memcmp(lmNewHash.hash, lmPwdHash.hash, 16) == 0) { return NT_STATUS_PASSWORD_RESTRICTION; } if (memcmp(ntNewHash.hash, ntPwdHash.hash, 16) == 0) { return NT_STATUS_PASSWORD_RESTRICTION; } } /* check the password history */ lmPwdHistory_len = MIN(lmPwdHistory_len, pwdHistoryLength); ntPwdHistory_len = MIN(ntPwdHistory_len, pwdHistoryLength); if (pwdHistoryLength > 0) { if (unicodePwd && strcmp(unicodePwd, new_pass) == 0) { return NT_STATUS_PASSWORD_RESTRICTION; } if (lm_hash_ok && memcmp(lmNewHash.hash, lmPwdHash.hash, 16) == 0) { return NT_STATUS_PASSWORD_RESTRICTION; } if (memcmp(ntNewHash.hash, ntPwdHash.hash, 16) == 0) { return NT_STATUS_PASSWORD_RESTRICTION; } } for (i=0;lm_hash_ok && i