Context Navigation

source: branches/samba-3.2.x/source/lib/account_pol.c

Visit:

Last change on this file was 141, checked in by Paul Smedley, 17 years ago
Update trunk to 3.2.1
File size: 12.6 KB

Line
1	/*
2	* Unix SMB/CIFS implementation.
3	* account policy storage
4	* Copyright (C) Jean François Micouleau 1998-2001.
5	* Copyright (C) Andrew Bartlett 2002
6	* Copyright (C) Guenther Deschner 2004-2005
7	*
8	* This program is free software; you can redistribute it and/or modify
9	* it under the terms of the GNU General Public License as published by
10	* the Free Software Foundation; either version 3 of the License, or
11	* (at your option) any later version.
12	*
13	* This program is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public License
19	* along with this program; if not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	#include "includes.h"
23	static struct db_context *db;
24
25	/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
26	* after this period if admins do not use pdbedit or usermanager but manipulate
27	* ldap directly) - gd */
28
29	#define DATABASE_VERSION 3
30	#define AP_TTL 60
31
32
33	struct ap_table {
34	int field;
35	const char *string;
36	uint32 default_val;
37	const char *description;
38	const char *ldap_attr;
39	};
40
41	static const struct ap_table account_policy_names[] = {
42	{AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
43	"Minimal password length (default: 5)",
44	"sambaMinPwdLength" },
45
46	{AP_PASSWORD_HISTORY, "password history", 0,
47	"Length of Password History Entries (default: 0 => off)",
48	"sambaPwdHistoryLength" },
49
50	{AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
51	"Force Users to logon for password change (default: 0 => off, 2 => on)",
52	"sambaLogonToChgPwd" },
53
54	{AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
55	"Maximum password age, in seconds (default: -1 => never expire passwords)",
56	"sambaMaxPwdAge" },
57
58	{AP_MIN_PASSWORD_AGE,"minimum password age", 0,
59	"Minimal password age, in seconds (default: 0 => allow immediate password change)",
60	"sambaMinPwdAge" },
61
62	{AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
63	"Lockout duration in minutes (default: 30, -1 => forever)",
64	"sambaLockoutDuration" },
65
66	{AP_RESET_COUNT_TIME, "reset count minutes", 30,
67	"Reset time after lockout in minutes (default: 30)",
68	"sambaLockoutObservationWindow" },
69
70	{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
71	"Lockout users after bad logon attempts (default: 0 => off)",
72	"sambaLockoutThreshold" },
73
74	{AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
75	"Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
76	"sambaForceLogoff" },
77
78	{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
79	"Allow Machine Password changes (default: 0 => off)",
80	"sambaRefuseMachinePwdChange" },
81
82	{0, NULL, 0, "", NULL}
83	};
84
85	void account_policy_names_list(const char **names, int num_names)
86	{
87	const char **nl;
88	int i, count;
89
90	for (count=0; account_policy_names[count].string; count++) {
91	}
92	nl = SMB_MALLOC_ARRAY(const char *, count);
93	if (!nl) {
94	*num_names = 0;
95	return;
96	}
97	for (i=0; account_policy_names[i].string; i++) {
98	nl[i] = account_policy_names[i].string;
99	}
100	*num_names = count;
101	*names = nl;
102	return;
103	}
104
105	/****************************************************************************
106	Get the account policy name as a string from its #define'ed number
107	****************************************************************************/
108
109	const char *decode_account_policy_name(int field)
110	{
111	int i;
112	for (i=0; account_policy_names[i].string; i++) {
113	if (field == account_policy_names[i].field) {
114	return account_policy_names[i].string;
115	}
116	}
117	return NULL;
118	}
119
120	/****************************************************************************
121	Get the account policy LDAP attribute as a string from its #define'ed number
122	****************************************************************************/
123
124	const char *get_account_policy_attr(int field)
125	{
126	int i;
127	for (i=0; account_policy_names[i].field; i++) {
128	if (field == account_policy_names[i].field) {
129	return account_policy_names[i].ldap_attr;
130	}
131	}
132	return NULL;
133	}
134
135	/****************************************************************************
136	Get the account policy description as a string from its #define'ed number
137	****************************************************************************/
138
139	const char *account_policy_get_desc(int field)
140	{
141	int i;
142	for (i=0; account_policy_names[i].string; i++) {
143	if (field == account_policy_names[i].field) {
144	return account_policy_names[i].description;
145	}
146	}
147	return NULL;
148	}
149
150	/****************************************************************************
151	Get the account policy name as a string from its #define'ed number
152	****************************************************************************/
153
154	int account_policy_name_to_fieldnum(const char *name)
155	{
156	int i;
157	for (i=0; account_policy_names[i].string; i++) {
158	if (strcmp(name, account_policy_names[i].string) == 0) {
159	return account_policy_names[i].field;
160	}
161	}
162	return 0;
163	}
164
165	/*****************************************************************************
166	Get default value for account policy
167	*****************************************************************************/
168
169	bool account_policy_get_default(int account_policy, uint32 *val)
170	{
171	int i;
172	for (i=0; account_policy_names[i].field; i++) {
173	if (account_policy_names[i].field == account_policy) {
174	*val = account_policy_names[i].default_val;
175	return True;
176	}
177	}
178	DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
179	account_policy));
180	return False;
181	}
182
183	/*****************************************************************************
184	Set default for a field if it is empty
185	*****************************************************************************/
186
187	static bool account_policy_set_default_on_empty(int account_policy)
188	{
189
190	uint32 value;
191
192	if (!account_policy_get(account_policy, &value) &&
193	!account_policy_get_default(account_policy, &value)) {
194	return False;
195	}
196
197	return account_policy_set(account_policy, value);
198	}
199
200	/*****************************************************************************
201	Open the account policy tdb.
202	*`***********************************************************************/
203
204	bool init_account_policy(void)
205	{
206
207	const char *vstring = "INFO/version";
208	uint32 version;
209	int i;
210
211	if (db != NULL) {
212	return True;
213	}
214
215	db = db_open_trans(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
216	O_RDWR, 0600);
217
218	if (db == NULL) { /* the account policies files does not exist or open
219	* failed, try to create a new one */
220	db = db_open_trans(NULL, state_path("account_policy.tdb"), 0,
221	TDB_DEFAULT, O_RDWR\|O_CREAT, 0600);
222	if (db == NULL) {
223	DEBUG(0,("Failed to open account policy database\n"));
224	return False;
225	}
226	}
227
228	version = dbwrap_fetch_int32(db, vstring);
229	if (version == DATABASE_VERSION) {
230	return true;
231	}
232
233	/* handle a Samba upgrade */
234
235	if (db->transaction_start(db) != 0) {
236	DEBUG(0, ("transaction_start failed\n"));
237	TALLOC_FREE(db);
238	return false;
239	}
240
241	version = dbwrap_fetch_int32(db, vstring);
242	if (version == DATABASE_VERSION) {
243	/*
244	* Race condition
245	*/
246	if (db->transaction_cancel(db)) {
247	smb_panic("transaction_cancel failed");
248	}
249	return true;
250	}
251
252	if (version != DATABASE_VERSION) {
253	if (dbwrap_store_uint32(db, vstring, DATABASE_VERSION) != 0) {
254	DEBUG(0, ("dbwrap_store_uint32 failed\n"));
255	goto cancel;
256	}
257
258	for (i=0; account_policy_names[i].field; i++) {
259
260	if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
261	DEBUG(0,("failed to set default value in account policy tdb\n"));
262	goto cancel;
263	}
264	}
265	}
266
267	/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
268
269	privilege_create_account( &global_sid_World );
270	privilege_create_account( &global_sid_Builtin_Account_Operators );
271	privilege_create_account( &global_sid_Builtin_Server_Operators );
272	privilege_create_account( &global_sid_Builtin_Print_Operators );
273	privilege_create_account( &global_sid_Builtin_Backup_Operators );
274
275	/* BUILTIN\Administrators get everything -- always */
276
277	if ( lp_enable_privileges() ) {
278	if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
279	DEBUG(1,("init_account_policy: Failed to grant privileges "
280	"to BUILTIN\\Administrators!\n"));
281	}
282	}
283
284	if (db->transaction_commit(db) != 0) {
285	DEBUG(0, ("transaction_commit failed\n"));
286	goto cancel;
287	}
288
289	return True;
290
291	cancel:
292	if (db->transaction_cancel(db)) {
293	smb_panic("transaction_cancel failed");
294	}
295	TALLOC_FREE(db);
296
297	return false;
298	}
299
300	/*****************************************************************************
301	Get an account policy (from tdb)
302	*****************************************************************************/
303
304	bool account_policy_get(int field, uint32 *value)
305	{
306	const char *name;
307	uint32 regval;
308
309	if (!init_account_policy()) {
310	return False;
311	}
312
313	if (value) {
314	*value = 0;
315	}
316
317	name = decode_account_policy_name(field);
318	if (name == NULL) {
319	DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
320	return False;
321	}
322
323	if (!dbwrap_fetch_uint32(db, name, &regval)) {
324	DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
325	return False;
326	}
327
328	if (value) {
329	*value = regval;
330	}
331
332	DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
333	return True;
334	}
335
336
337	/****************************************************************************
338	Set an account policy (in tdb)
339	****************************************************************************/
340
341	bool account_policy_set(int field, uint32 value)
342	{
343	const char *name;
344	NTSTATUS status;
345
346	if (!init_account_policy()) {
347	return False;
348	}
349
350	name = decode_account_policy_name(field);
351	if (name == NULL) {
352	DEBUG(1, ("Field %d is not a valid account policy type! Cannot set.\n", field));
353	return False;
354	}
355
356	status = dbwrap_trans_store_uint32(db, name, value);
357	if (!NT_STATUS_IS_OK(status)) {
358	DEBUG(1, ("store_uint32 failed for field %d (%s) on value "
359	"%u: %s\n", field, name, value, nt_errstr(status)));
360	return False;
361	}
362
363	DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
364
365	return True;
366	}
367
368	/****************************************************************************
369	Set an account policy in the cache
370	****************************************************************************/
371
372	bool cache_account_policy_set(int field, uint32 value)
373	{
374	const char *policy_name = NULL;
375	char *cache_key = NULL;
376	char *cache_value = NULL;
377	bool ret = False;
378
379	policy_name = decode_account_policy_name(field);
380	if (policy_name == NULL) {
381	DEBUG(0,("cache_account_policy_set: no policy found\n"));
382	return False;
383	}
384
385	if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
386	DEBUG(0, ("asprintf failed\n"));
387	goto done;
388	}
389
390	if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
391	DEBUG(0, ("asprintf failed\n"));
392	goto done;
393	}
394
395	DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
396
397	ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
398
399	done:
400	SAFE_FREE(cache_key);
401	SAFE_FREE(cache_value);
402	return ret;
403	}
404
405	/*****************************************************************************
406	Get an account policy from the cache
407	*****************************************************************************/
408
409	bool cache_account_policy_get(int field, uint32 *value)
410	{
411	const char *policy_name = NULL;
412	char *cache_key = NULL;
413	char *cache_value = NULL;
414	bool ret = False;
415
416	policy_name = decode_account_policy_name(field);
417	if (policy_name == NULL) {
418	DEBUG(0,("cache_account_policy_set: no policy found\n"));
419	return False;
420	}
421
422	if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
423	DEBUG(0, ("asprintf failed\n"));
424	goto done;
425	}
426
427	if (gencache_get(cache_key, &cache_value, NULL)) {
428	uint32 tmp = strtoul(cache_value, NULL, 10);
429	*value = tmp;
430	ret = True;
431	}
432
433	done:
434	SAFE_FREE(cache_key);
435	SAFE_FREE(cache_value);
436	return ret;
437	}
438
439	/****************************************************************************
440	****************************************************************************/
441
442	struct db_context *get_account_pol_db( void )
443	{
444
445	if ( db == NULL ) {
446	if ( !init_account_policy() ) {
447	return NULL;
448	}
449	}
450
451	return db;
452	}
453

Note: See TracBrowser for help on using the repository browser.

Download in other formats: