source: branches/samba-3.0/source/lib/account_pol.c

Last change on this file was 1, checked in by Paul Smedley, 18 years ago

Initial code import
File size: 11.5 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * account policy storage
4 * Copyright (C) Jean François Micouleau 1998-2001.
5 * Copyright (C) Andrew Bartlett 2002
6 * Copyright (C) Guenther Deschner 2004-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23#include "includes.h"
24static TDB_CONTEXT *tdb;
25
26/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
27 * after this period if admins do not use pdbedit or usermanager but manipulate
28 * ldap directly) - gd */
29
30#define DATABASE_VERSION 3
31#define AP_TTL 60
32
33
34struct ap_table {
35 int field;
36 const char *string;
37 uint32 default_val;
38 const char *description;
39 const char *ldap_attr;
40};
41
42static const struct ap_table account_policy_names[] = {
43 {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
44 "Minimal password length (default: 5)",
45 "sambaMinPwdLength" },
46
47 {AP_PASSWORD_HISTORY, "password history", 0,
48 "Length of Password History Entries (default: 0 => off)",
49 "sambaPwdHistoryLength" },
50
51 {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
52 "Force Users to logon for password change (default: 0 => off, 2 => on)",
53 "sambaLogonToChgPwd" },
54
55 {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
56 "Maximum password age, in seconds (default: -1 => never expire passwords)",
57 "sambaMaxPwdAge" },
58
59 {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
60 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
61 "sambaMinPwdAge" },
62
63 {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
64 "Lockout duration in minutes (default: 30, -1 => forever)",
65 "sambaLockoutDuration" },
66
67 {AP_RESET_COUNT_TIME, "reset count minutes", 30,
68 "Reset time after lockout in minutes (default: 30)",
69 "sambaLockoutObservationWindow" },
70
71 {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
72 "Lockout users after bad logon attempts (default: 0 => off)",
73 "sambaLockoutThreshold" },
74
75 {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
76 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
77 "sambaForceLogoff" },
78
79 {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
80 "Allow Machine Password changes (default: 0 => off)",
81 "sambaRefuseMachinePwdChange" },
82
83 {0, NULL, 0, "", NULL}
84};
85
86void account_policy_names_list(const char ***names, int *num_names)
87{
88 const char **nl;
89 int i, count;
90
91 for (count=0; account_policy_names[count].string; count++) {
92 }
93 nl = SMB_MALLOC_ARRAY(const char *, count);
94 if (!nl) {
95 *num_names = 0;
96 return;
97 }
98 for (i=0; account_policy_names[i].string; i++) {
99 nl[i] = account_policy_names[i].string;
100 }
101 *num_names = count;
102 *names = nl;
103 return;
104}
105
106/****************************************************************************
107Get the account policy name as a string from its #define'ed number
108****************************************************************************/
109
110const char *decode_account_policy_name(int field)
111{
112 int i;
113 for (i=0; account_policy_names[i].string; i++) {
114 if (field == account_policy_names[i].field) {
115 return account_policy_names[i].string;
116 }
117 }
118 return NULL;
119}
120
121/****************************************************************************
122Get the account policy LDAP attribute as a string from its #define'ed number
123****************************************************************************/
124
125const char *get_account_policy_attr(int field)
126{
127 int i;
128 for (i=0; account_policy_names[i].field; i++) {
129 if (field == account_policy_names[i].field) {
130 return account_policy_names[i].ldap_attr;
131 }
132 }
133 return NULL;
134}
135
136/****************************************************************************
137Get the account policy description as a string from its #define'ed number
138****************************************************************************/
139
140const char *account_policy_get_desc(int field)
141{
142 int i;
143 for (i=0; account_policy_names[i].string; i++) {
144 if (field == account_policy_names[i].field) {
145 return account_policy_names[i].description;
146 }
147 }
148 return NULL;
149}
150
151/****************************************************************************
152Get the account policy name as a string from its #define'ed number
153****************************************************************************/
154
155int account_policy_name_to_fieldnum(const char *name)
156{
157 int i;
158 for (i=0; account_policy_names[i].string; i++) {
159 if (strcmp(name, account_policy_names[i].string) == 0) {
160 return account_policy_names[i].field;
161 }
162 }
163 return 0;
164}
165
166/*****************************************************************************
167Get default value for account policy
168*****************************************************************************/
169
170BOOL account_policy_get_default(int account_policy, uint32 *val)
171{
172 int i;
173 for (i=0; account_policy_names[i].field; i++) {
174 if (account_policy_names[i].field == account_policy) {
175 *val = account_policy_names[i].default_val;
176 return True;
177 }
178 }
179 DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
180 account_policy));
181 return False;
182}
183
184/*****************************************************************************
185 Set default for a field if it is empty
186*****************************************************************************/
187
188static BOOL account_policy_set_default_on_empty(int account_policy)
189{
190
191 uint32 value;
192
193 if (!account_policy_get(account_policy, &value) &&
194 !account_policy_get_default(account_policy, &value)) {
195 return False;
196 }
197
198 return account_policy_set(account_policy, value);
199}
200
201/*****************************************************************************
202 Open the account policy tdb.
203***`*************************************************************************/
204
205BOOL init_account_policy(void)
206{
207
208 const char *vstring = "INFO/version";
209 uint32 version;
210 int i;
211
212 if (tdb) {
213 return True;
214 }
215
216 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600);
217 if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */
218 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
219 if (!tdb) {
220 DEBUG(0,("Failed to open account policy database\n"));
221 return False;
222 }
223 }
224
225 /* handle a Samba upgrade */
226 tdb_lock_bystring(tdb, vstring);
227 if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
228
229 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
230
231 for (i=0; account_policy_names[i].field; i++) {
232
233 if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
234 DEBUG(0,("failed to set default value in account policy tdb\n"));
235 return False;
236 }
237 }
238 }
239
240 tdb_unlock_bystring(tdb, vstring);
241
242 /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
243
244 privilege_create_account( &global_sid_World );
245 privilege_create_account( &global_sid_Builtin_Account_Operators );
246 privilege_create_account( &global_sid_Builtin_Server_Operators );
247 privilege_create_account( &global_sid_Builtin_Print_Operators );
248 privilege_create_account( &global_sid_Builtin_Backup_Operators );
249
250 /* BUILTIN\Administrators get everything -- *always* */
251
252 if ( lp_enable_privileges() ) {
253 if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
254 DEBUG(1,("init_account_policy: Failed to grant privileges "
255 "to BUILTIN\\Administrators!\n"));
256 }
257 }
258
259 return True;
260}
261
262/*****************************************************************************
263Get an account policy (from tdb)
264*****************************************************************************/
265
266BOOL account_policy_get(int field, uint32 *value)
267{
268 const char *name;
269 uint32 regval;
270
271 if (!init_account_policy()) {
272 return False;
273 }
274
275 if (value) {
276 *value = 0;
277 }
278
279 name = decode_account_policy_name(field);
280 if (name == NULL) {
281 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
282 return False;
283 }
284
285 if (!tdb_fetch_uint32(tdb, name, &regval)) {
286 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
287 return False;
288 }
289
290 if (value) {
291 *value = regval;
292 }
293
294 DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
295 return True;
296}
297
298
299/****************************************************************************
300Set an account policy (in tdb)
301****************************************************************************/
302
303BOOL account_policy_set(int field, uint32 value)
304{
305 const char *name;
306
307 if (!init_account_policy()) {
308 return False;
309 }
310
311 name = decode_account_policy_name(field);
312 if (name == NULL) {
313 DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
314 return False;
315 }
316
317 if (!tdb_store_uint32(tdb, name, value)) {
318 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
319 return False;
320 }
321
322 DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
323
324 return True;
325}
326
327/****************************************************************************
328Set an account policy in the cache
329****************************************************************************/
330
331BOOL cache_account_policy_set(int field, uint32 value)
332{
333 const char *policy_name = NULL;
334 char *cache_key = NULL;
335 char *cache_value = NULL;
336 BOOL ret = False;
337
338 policy_name = decode_account_policy_name(field);
339 if (policy_name == NULL) {
340 DEBUG(0,("cache_account_policy_set: no policy found\n"));
341 return False;
342 }
343
344 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
345 DEBUG(0, ("asprintf failed\n"));
346 goto done;
347 }
348
349 if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
350 DEBUG(0, ("asprintf failed\n"));
351 goto done;
352 }
353
354 DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
355
356 ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
357
358 done:
359 SAFE_FREE(cache_key);
360 SAFE_FREE(cache_value);
361 return ret;
362}
363
364/*****************************************************************************
365Get an account policy from the cache
366*****************************************************************************/
367
368BOOL cache_account_policy_get(int field, uint32 *value)
369{
370 const char *policy_name = NULL;
371 char *cache_key = NULL;
372 char *cache_value = NULL;
373 BOOL ret = False;
374
375 policy_name = decode_account_policy_name(field);
376 if (policy_name == NULL) {
377 DEBUG(0,("cache_account_policy_set: no policy found\n"));
378 return False;
379 }
380
381 if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
382 DEBUG(0, ("asprintf failed\n"));
383 goto done;
384 }
385
386 if (gencache_get(cache_key, &cache_value, NULL)) {
387 uint32 tmp = strtoul(cache_value, NULL, 10);
388 *value = tmp;
389 ret = True;
390 }
391
392 done:
393 SAFE_FREE(cache_key);
394 SAFE_FREE(cache_value);
395 return ret;
396}
397
398/****************************************************************************
399****************************************************************************/
400
401TDB_CONTEXT *get_account_pol_tdb( void )
402{
403
404 if ( !tdb ) {
405 if ( !init_account_policy() ) {
406 return NULL;
407 }
408 }
409
410 return tdb;
411}
412
Note: See TracBrowser for help on using the repository browser.