source3/lib/account_pol.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  account policy storage
   4  *  Copyright (C) Jean François Micouleau      1998-2001.
   5  *  Copyright (C) Andrew Bartlett              2002
   6  *  Copyright (C) Guenther Deschner            2004-2005
   7  *
   8  *  This program is free software; you can redistribute it and/or modify
   9  *  it under the terms of the GNU General Public License as published by
  10  *  the Free Software Foundation; either version 2 of the License, or
  11  *  (at your option) any later version.
  12  *
  13  *  This program is distributed in the hope that it will be useful,
  14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *  GNU General Public License for more details.
  17  *
  18  *  You should have received a copy of the GNU General Public License
  19  *  along with this program; if not, write to the Free Software
  20  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21  */
  22
  23 #include "includes.h"
  24 static TDB_CONTEXT *tdb;
  25
  26 /* cache all entries for 60 seconds for to save ldap-queries (cache is updated
  27  * after this period if admins do not use pdbedit or usermanager but manipulate
  28  * ldap directly) - gd */
  29
  30 #define DATABASE_VERSION        3
  31 #define AP_LASTSET              "LAST_CACHE_UPDATE"
  32 #define AP_TTL                  60
  33
  34
  35 struct ap_table {
  36         int field;
  37         const char *string;
  38         uint32 default_val;
  39         const char *description;
  40         const char *ldap_attr;
  41 };
  42
  43 static const struct ap_table account_policy_names[] = {
  44         {AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH,
  45                 "Minimal password length (default: 5)",
  46                 "sambaMinPwdLength" },
  47
  48         {AP_PASSWORD_HISTORY, "password history", 0,
  49                 "Length of Password History Entries (default: 0 => off)",
  50                 "sambaPwdHistoryLength" },
  51
  52         {AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
  53                 "Force Users to logon for password change (default: 0 => off, 2 => on)",
  54                 "sambaLogonToChgPwd" },
  55
  56         {AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
  57                 "Maximum password age, in seconds (default: -1 => never expire passwords)",
  58                 "sambaMaxPwdAge" },
  59
  60         {AP_MIN_PASSWORD_AGE,"minimum password age", 0,
  61                 "Minimal password age, in seconds (default: 0 => allow immediate password change)",
  62                 "sambaMinPwdAge" },
  63
  64         {AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
  65                 "Lockout duration in minutes (default: 30, -1 => forever)",
  66                 "sambaLockoutDuration" },
  67
  68         {AP_RESET_COUNT_TIME, "reset count minutes", 30,
  69                 "Reset time after lockout in minutes (default: 30)",
  70                 "sambaLockoutObservationWindow" },
  71
  72         {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
  73                 "Lockout users after bad logon attempts (default: 0 => off)",
  74                 "sambaLockoutThreshold" },
  75
  76         {AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
  77                 "Disconnect Users outside logon hours (default: -1 => off, 0 => on)",
  78                 "sambaForceLogoff" },
  79
  80         {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
  81                 "Allow Machine Password changes (default: 0 => off)",
  82                 "sambaRefuseMachinePwdChange" },
  83
  84         {0, NULL, 0, "", NULL}
  85 };
  86
  87 char *account_policy_names_list(void)
  88 {
  89         char *nl, *p;
  90         int i;
  91         size_t len = 0;
  92
  93         for (i=0; account_policy_names[i].string; i++) {
  94                 len += strlen(account_policy_names[i].string) + 1;
  95         }
  96         len++;
  97         nl = (char *)SMB_MALLOC(len);
  98         if (!nl) {
  99                 return NULL;
 100         }
 101         p = nl;
 102         for (i=0; account_policy_names[i].string; i++) {
 103                 memcpy(p, account_policy_names[i].string, strlen(account_policy_names[i].string) + 1);
 104                 p[strlen(account_policy_names[i].string)] = '\n';
 105                 p += strlen(account_policy_names[i].string) + 1;
 106         }
 107         *p = '\0';
 108         return nl;
 109 }
 110
 111 /****************************************************************************
 112 Get the account policy name as a string from its #define'ed number
 113 ****************************************************************************/
 114
 115 const char *decode_account_policy_name(int field)
 116 {
 117         int i;
 118         for (i=0; account_policy_names[i].string; i++) {
 119                 if (field == account_policy_names[i].field) {
 120                         return account_policy_names[i].string;
 121                 }
 122         }
 123         return NULL;
 124 }
 125
 126 /****************************************************************************
 127 Get the account policy LDAP attribute as a string from its #define'ed number
 128 ****************************************************************************/
 129
 130 const char *get_account_policy_attr(int field)
 131 {
 132         int i;
 133         for (i=0; account_policy_names[i].field; i++) {
 134                 if (field == account_policy_names[i].field) {
 135                         return account_policy_names[i].ldap_attr;
 136                 }
 137         }
 138         return NULL;
 139 }
 140
 141 /****************************************************************************
 142 Get the account policy description as a string from its #define'ed number
 143 ****************************************************************************/
 144
 145 const char *account_policy_get_desc(int field)
 146 {
 147         int i;
 148         for (i=0; account_policy_names[i].string; i++) {
 149                 if (field == account_policy_names[i].field) {
 150                         return account_policy_names[i].description;
 151                 }
 152         }
 153         return NULL;
 154 }
 155
 156 /****************************************************************************
 157 Get the account policy name as a string from its #define'ed number
 158 ****************************************************************************/
 159
 160 int account_policy_name_to_fieldnum(const char *name)
 161 {
 162         int i;
 163         for (i=0; account_policy_names[i].string; i++) {
 164                 if (strcmp(name, account_policy_names[i].string) == 0) {
 165                         return account_policy_names[i].field;
 166                 }
 167         }
 168         return 0;
 169 }
 170
 171 /*****************************************************************************
 172 Update LAST-Set counter inside the cache
 173 *****************************************************************************/
 174
 175 static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update,
 176                                            const char *ap_name)
 177 {
 178         pstring key;
 179         uint32 val = 0;
 180         time_t now;
 181
 182         if (ap_name == NULL)
 183                 return False;
 184
 185         slprintf(key, sizeof(key)-1, "%s/%s", ap_name, AP_LASTSET);
 186
 187         if (!init_account_policy()) {
 188                 return False;
 189         }
 190
 191         if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
 192                 DEBUG(10,("failed to get last set timestamp of cache\n"));
 193                 return False;
 194         }
 195
 196         *value = val;
 197
 198         DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
 199
 200         if (update) {
 201
 202                 now = time(NULL);
 203
 204                 if (!tdb_store_uint32(tdb, key, (uint32)now)) {
 205                         DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
 206                         return False;
 207                 }
 208                 DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
 209                 *value = now;
 210         }
 211
 212         return True;
 213 }
 214
 215 /*****************************************************************************
 216 Get default value for account policy
 217 *****************************************************************************/
 218
 219 BOOL account_policy_get_default(int account_policy, uint32 *val)
 220 {
 221         int i;
 222         for (i=0; account_policy_names[i].field; i++) {
 223                 if (account_policy_names[i].field == account_policy) {
 224                         *val = account_policy_names[i].default_val;
 225                         return True;
 226                 }
 227         }
 228         DEBUG(0,("no default for account_policy index %d found. This should never happen\n",
 229                 account_policy));
 230         return False;
 231 }
 232
 233 /*****************************************************************************
 234  Set default for a field if it is empty
 235 *****************************************************************************/
 236
 237 static BOOL account_policy_set_default_on_empty(int account_policy)
 238 {
 239
 240         uint32 value;
 241
 242         if (!account_policy_get(account_policy, &value) &&
 243             !account_policy_get_default(account_policy, &value)) {
 244                 return False;
 245         }
 246
 247         return account_policy_set(account_policy, value);
 248 }
 249
 250 /*****************************************************************************
 251  Open the account policy tdb.
 252 ***`*************************************************************************/
 253
 254 BOOL init_account_policy(void)
 255 {
 256
 257         const char *vstring = "INFO/version";
 258         uint32 version;
 259         int i;
 260
 261         if (tdb) {
 262                 return True;
 263         }
 264
 265         tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR, 0600);
 266         if (!tdb) { /* the account policies files does not exist or open failed, try to create a new one */
 267                 tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
 268                 if (!tdb) {
 269                         DEBUG(0,("Failed to open account policy database\n"));
 270                         return False;
 271                 }
 272                 /* creation was successful */
 273                 /* add AP_MIGRATED_TO_PASSDB speacial key */
 274                 /* so that you do not need to migrate policies */
 275                 /* on brand new servers as it does not make sense */
 276                 account_policy_migrated(True);
 277         }
 278
 279         /* handle a Samba upgrade */
 280         tdb_lock_bystring(tdb, vstring);
 281         if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
 282
 283                 tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
 284
 285                 for (i=0; account_policy_names[i].field; i++) {
 286
 287                         if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
 288                                 DEBUG(0,("failed to set default value in account policy tdb\n"));
 289                                 return False;
 290                         }
 291                 }
 292         }
 293
 294         tdb_unlock_bystring(tdb, vstring);
 295
 296         /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
 297
 298         privilege_create_account( &global_sid_World );
 299         privilege_create_account( &global_sid_Builtin_Account_Operators );
 300         privilege_create_account( &global_sid_Builtin_Server_Operators );
 301         privilege_create_account( &global_sid_Builtin_Print_Operators );
 302         privilege_create_account( &global_sid_Builtin_Backup_Operators );
 303
 304         /* BUILTIN\Administrators get everything -- *always* */
 305
 306         if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
 307                 DEBUG(0,("init_account_policy: Failed to grant privileges to BUILTIN\\Administrators!\n"));
 308         }
 309
 310         return True;
 311 }
 312
 313 /*****************************************************************************
 314 Get an account policy (from tdb)
 315 *****************************************************************************/
 316
 317 BOOL account_policy_get(int field, uint32 *value)
 318 {
 319         fstring name;
 320         uint32 regval;
 321
 322         if (!init_account_policy()) {
 323                 return False;
 324         }
 325
 326         if (value) {
 327                 *value = 0;
 328         }
 329
 330         fstrcpy(name, decode_account_policy_name(field));
 331         if (!*name) {
 332                 DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type!  Cannot get, returning 0.\n", field));
 333                 return False;
 334         }
 335
 336         if (!tdb_fetch_uint32(tdb, name, &regval)) {
 337                 DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
 338                 return False;
 339         }
 340
 341         if (value) {
 342                 *value = regval;
 343         }
 344
 345         DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
 346         return True;
 347 }
 348
 349
 350 /****************************************************************************
 351 Set an account policy (in tdb)
 352 ****************************************************************************/
 353
 354 BOOL account_policy_set(int field, uint32 value)
 355 {
 356         fstring name;
 357
 358         if (!init_account_policy()) {
 359                 return False;
 360         }
 361
 362         fstrcpy(name, decode_account_policy_name(field));
 363         if (!*name) {
 364                 DEBUG(1, ("Field %d is not a valid account policy type!  Cannot set.\n", field));
 365                 return False;
 366         }
 367
 368         if (!tdb_store_uint32(tdb, name, value)) {
 369                 DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
 370                 return False;
 371         }
 372
 373         DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
 374
 375         return True;
 376 }
 377
 378 /****************************************************************************
 379 Set an account policy in the cache
 380 ****************************************************************************/
 381
 382 BOOL cache_account_policy_set(int field, uint32 value)
 383 {
 384         uint32 lastset;
 385         const char *policy_name = NULL;
 386
 387         policy_name = decode_account_policy_name(field);
 388         if (policy_name == NULL) {
 389                 DEBUG(0,("cache_account_policy_set: no policy found\n"));
 390                 return False;
 391         }
 392
 393         DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
 394
 395         if (!account_policy_set(field, value)) {
 396                 return False;
 397         }
 398
 399         if (!account_policy_cache_timestamp(&lastset, True, policy_name))
 400         {
 401                 DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
 402                 return False;
 403         }
 404
 405         DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
 406
 407         return True;
 408 }
 409
 410 /*****************************************************************************
 411 Check whether account policies have been migrated to passdb
 412 *****************************************************************************/
 413
 414 BOOL account_policy_migrated(BOOL init)
 415 {
 416         pstring key;
 417         uint32 val;
 418         time_t now;
 419
 420         slprintf(key, sizeof(key)-1, "AP_MIGRATED_TO_PASSDB");
 421
 422         if (!init_account_policy()) {
 423                 return False;
 424         }
 425
 426         if (init) {
 427                 now = time(NULL);
 428
 429                 if (!tdb_store_uint32(tdb, key, (uint32)now)) {
 430                         DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
 431                         return False;
 432                 }
 433
 434                 return True;
 435         }
 436
 437         if (!tdb_fetch_uint32(tdb, key, &val)) {
 438                 return False;
 439         }
 440
 441         return True;
 442 }
 443
 444 /*****************************************************************************
 445  Remove marker that informs that account policies have been migrated to passdb
 446 *****************************************************************************/
 447
 448 BOOL remove_account_policy_migrated(void)
 449 {
 450         if (!init_account_policy()) {
 451                 return False;
 452         }
 453
 454         return tdb_delete_bystring(tdb, "AP_MIGRATED_TO_PASSDB");
 455 }
 456
 457
 458 /*****************************************************************************
 459 Get an account policy from the cache
 460 *****************************************************************************/
 461
 462 BOOL cache_account_policy_get(int field, uint32 *value)
 463 {
 464         uint32 lastset;
 465
 466         if (!account_policy_cache_timestamp(&lastset, False,
 467                                             decode_account_policy_name(field)))
 468         {
 469                 DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
 470                 return False;
 471         }
 472
 473         if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
 474                 DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
 475                 return False;
 476         }
 477
 478         return account_policy_get(field, value);
 479 }
 480
 481
 482 /****************************************************************************
 483 ****************************************************************************/
 484
 485 TDB_CONTEXT *get_account_pol_tdb( void )
 486 {
 487
 488         if ( !tdb ) {
 489                 if ( !init_account_policy() ) {
 490                         return NULL;
 491                 }
 492         }
 493
 494         return tdb;
 495 }
 496