2 Unix SMB/CIFS implementation.
3 struct samu access routines
4 Copyright (C) Jeremy Allison 1996-2001
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Gerald (Jerry) Carter 2000-2006
7 Copyright (C) Andrew Bartlett 2001-2002
8 Copyright (C) Stefan (metze) Metzmacher 2002
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "../libcli/auth/libcli_auth.h"
28 #define DBGC_CLASS DBGC_PASSDB
31 * @todo Redefine this to NULL, but this changes the API because
32 * much of samba assumes that the pdb_get...() funtions
33 * return strings. (ie not null-pointers).
34 * See also pdb_fill_default_sam().
37 #define PDB_NOT_QUITE_NULL ""
39 /*********************************************************************
40 Collection of get...() functions for struct samu.
41 ********************************************************************/
43 uint32 pdb_get_acct_ctrl(const struct samu *sampass)
45 return sampass->acct_ctrl;
48 time_t pdb_get_logon_time(const struct samu *sampass)
50 return sampass->logon_time;
53 time_t pdb_get_logoff_time(const struct samu *sampass)
55 return sampass->logoff_time;
58 time_t pdb_get_kickoff_time(const struct samu *sampass)
60 return sampass->kickoff_time;
63 time_t pdb_get_bad_password_time(const struct samu *sampass)
65 return sampass->bad_password_time;
68 time_t pdb_get_pass_last_set_time(const struct samu *sampass)
70 return sampass->pass_last_set_time;
73 time_t pdb_get_pass_can_change_time(const struct samu *sampass)
77 /* if the last set time is zero, it means the user cannot
78 change their password, and this time must be zero. jmcd
80 if (sampass->pass_last_set_time == 0)
83 /* if the time is max, and the field has been changed,
84 we're trying to update this real value from the sampass
85 to indicate that the user cannot change their password. jmcd
87 if (sampass->pass_can_change_time == get_time_t_max() &&
88 IS_SAM_CHANGED(sampass, PDB_CANCHANGETIME))
89 return sampass->pass_can_change_time;
91 if (!pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &allow))
94 /* in normal cases, just calculate it from policy */
95 return sampass->pass_last_set_time + allow;
98 /* we need this for loading from the backend, so that we don't overwrite
99 non-changed max times, otherwise the pass_can_change checking won't work */
100 time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
102 return sampass->pass_can_change_time;
105 time_t pdb_get_pass_must_change_time(const struct samu *sampass)
109 if (sampass->pass_last_set_time == 0)
112 if (sampass->acct_ctrl & ACB_PWNOEXP)
113 return get_time_t_max();
115 if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire)
116 || expire == (uint32)-1 || expire == 0)
117 return get_time_t_max();
119 return sampass->pass_last_set_time + expire;
122 bool pdb_get_pass_can_change(const struct samu *sampass)
124 if (sampass->pass_can_change_time == get_time_t_max() &&
125 sampass->pass_last_set_time != 0)
130 uint16 pdb_get_logon_divs(const struct samu *sampass)
132 return sampass->logon_divs;
135 uint32 pdb_get_hours_len(const struct samu *sampass)
137 return sampass->hours_len;
140 const uint8 *pdb_get_hours(const struct samu *sampass)
142 return (sampass->hours);
145 const uint8 *pdb_get_nt_passwd(const struct samu *sampass)
147 SMB_ASSERT((!sampass->nt_pw.data)
148 || sampass->nt_pw.length == NT_HASH_LEN);
149 return (uint8 *)sampass->nt_pw.data;
152 const uint8 *pdb_get_lanman_passwd(const struct samu *sampass)
154 SMB_ASSERT((!sampass->lm_pw.data)
155 || sampass->lm_pw.length == LM_HASH_LEN);
156 return (uint8 *)sampass->lm_pw.data;
159 const uint8 *pdb_get_pw_history(const struct samu *sampass, uint32 *current_hist_len)
161 SMB_ASSERT((!sampass->nt_pw_his.data)
162 || ((sampass->nt_pw_his.length % PW_HISTORY_ENTRY_LEN) == 0));
163 *current_hist_len = sampass->nt_pw_his.length / PW_HISTORY_ENTRY_LEN;
164 return (uint8 *)sampass->nt_pw_his.data;
167 /* Return the plaintext password if known. Most of the time
168 it isn't, so don't assume anything magic about this function.
170 Used to pass the plaintext to passdb backends that might
171 want to store more than just the NTLM hashes.
173 const char *pdb_get_plaintext_passwd(const struct samu *sampass)
175 return sampass->plaintext_pw;
178 const DOM_SID *pdb_get_user_sid(const struct samu *sampass)
180 return &sampass->user_sid;
183 const DOM_SID *pdb_get_group_sid(struct samu *sampass)
188 /* Return the cached group SID if we have that */
189 if ( sampass->group_sid ) {
190 return sampass->group_sid;
193 /* generate the group SID from the user's primary Unix group */
195 if ( !(gsid = TALLOC_ZERO_P( sampass, DOM_SID )) ) {
199 /* No algorithmic mapping, meaning that we have to figure out the
200 primary group SID according to group mapping and the user SID must
201 be a newly allocated one. We rely on the user's Unix primary gid.
202 We have no choice but to fail if we can't find it. */
204 if ( sampass->unix_pw ) {
205 pwd = sampass->unix_pw;
207 pwd = Get_Pwnam_alloc( sampass, pdb_get_username(sampass) );
211 DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) ));
215 gid_to_sid(gsid, pwd->pw_gid);
216 if (!is_null_sid(gsid)) {
217 enum lsa_SidType type = SID_NAME_UNKNOWN;
220 const DOM_SID *usid = pdb_get_user_sid(sampass);
224 sid_copy(&dgsid, gsid);
225 sid_split_rid(&dgsid, &rid);
226 if (sid_equal(&dgsid, get_global_sam_sid())) {
228 * As shortcut for the expensive lookup_sid call
229 * compare the domain sid part
232 case DOMAIN_RID_ADMINS:
233 case DOMAIN_RID_USERS:
234 sampass->group_sid = gsid;
235 return sampass->group_sid;
239 mem_ctx = talloc_init("pdb_get_group_sid");
244 DEBUG(10,("do lookup_sid(%s) for group of user %s\n",
245 sid_string_dbg(gsid), sid_string_dbg(usid)));
247 /* Now check that it's actually a domain group and not something else */
249 lookup_ret = lookup_sid(mem_ctx, gsid, NULL, NULL, &type);
251 TALLOC_FREE( mem_ctx );
253 if ( lookup_ret && (type == SID_NAME_DOM_GRP) ) {
254 sampass->group_sid = gsid;
255 return sampass->group_sid;
258 DEBUG(3, ("Primary group %s for user %s is a %s and not a domain group\n",
259 sid_string_dbg(gsid), pwd->pw_name, sid_type_lookup(type)));
262 /* Just set it to the 'Domain Users' RID of 513 which will
263 always resolve to a name */
265 sid_compose(gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
267 sampass->group_sid = gsid;
269 return sampass->group_sid;
273 * Get flags showing what is initalised in the struct samu
274 * @param sampass the struct samu in question
275 * @return the flags indicating the members initialised in the struct.
278 enum pdb_value_state pdb_get_init_flags(const struct samu *sampass, enum pdb_elements element)
280 enum pdb_value_state ret = PDB_DEFAULT;
282 if (!sampass->change_flags || !sampass->set_flags)
285 if (bitmap_query(sampass->set_flags, element)) {
286 DEBUG(11, ("element %d: SET\n", element));
290 if (bitmap_query(sampass->change_flags, element)) {
291 DEBUG(11, ("element %d: CHANGED\n", element));
295 if (ret == PDB_DEFAULT) {
296 DEBUG(11, ("element %d: DEFAULT\n", element));
302 const char *pdb_get_username(const struct samu *sampass)
304 return sampass->username;
307 const char *pdb_get_domain(const struct samu *sampass)
309 return sampass->domain;
312 const char *pdb_get_nt_username(const struct samu *sampass)
314 return sampass->nt_username;
317 const char *pdb_get_fullname(const struct samu *sampass)
319 return sampass->full_name;
322 const char *pdb_get_homedir(const struct samu *sampass)
324 return sampass->home_dir;
327 const char *pdb_get_dir_drive(const struct samu *sampass)
329 return sampass->dir_drive;
332 const char *pdb_get_logon_script(const struct samu *sampass)
334 return sampass->logon_script;
337 const char *pdb_get_profile_path(const struct samu *sampass)
339 return sampass->profile_path;
342 const char *pdb_get_acct_desc(const struct samu *sampass)
344 return sampass->acct_desc;
347 const char *pdb_get_workstations(const struct samu *sampass)
349 return sampass->workstations;
352 const char *pdb_get_comment(const struct samu *sampass)
354 return sampass->comment;
357 const char *pdb_get_munged_dial(const struct samu *sampass)
359 return sampass->munged_dial;
362 uint16 pdb_get_bad_password_count(const struct samu *sampass)
364 return sampass->bad_password_count;
367 uint16 pdb_get_logon_count(const struct samu *sampass)
369 return sampass->logon_count;
372 uint32 pdb_get_unknown_6(const struct samu *sampass)
374 return sampass->unknown_6;
377 void *pdb_get_backend_private_data(const struct samu *sampass, const struct pdb_methods *my_methods)
379 if (my_methods == sampass->backend_private_methods) {
380 return sampass->backend_private_data;
386 /*********************************************************************
387 Collection of set...() functions for struct samu.
388 ********************************************************************/
390 bool pdb_set_acct_ctrl(struct samu *sampass, uint32 acct_ctrl, enum pdb_value_state flag)
392 sampass->acct_ctrl = acct_ctrl;
393 return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
396 bool pdb_set_logon_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
398 sampass->logon_time = mytime;
399 return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
402 bool pdb_set_logoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
404 sampass->logoff_time = mytime;
405 return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
408 bool pdb_set_kickoff_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
410 sampass->kickoff_time = mytime;
411 return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
414 bool pdb_set_bad_password_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
416 sampass->bad_password_time = mytime;
417 return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_TIME, flag);
420 bool pdb_set_pass_can_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
422 sampass->pass_can_change_time = mytime;
423 return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
426 bool pdb_set_pass_must_change_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
428 sampass->pass_must_change_time = mytime;
429 return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
432 bool pdb_set_pass_last_set_time(struct samu *sampass, time_t mytime, enum pdb_value_state flag)
434 sampass->pass_last_set_time = mytime;
435 return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
438 bool pdb_set_hours_len(struct samu *sampass, uint32 len, enum pdb_value_state flag)
440 sampass->hours_len = len;
441 return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
444 bool pdb_set_logon_divs(struct samu *sampass, uint16 hours, enum pdb_value_state flag)
446 sampass->logon_divs = hours;
447 return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
451 * Set flags showing what is initalised in the struct samu
452 * @param sampass the struct samu in question
453 * @param flag The *new* flag to be set. Old flags preserved
454 * this flag is only added.
457 bool pdb_set_init_flags(struct samu *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
459 if (!sampass->set_flags) {
460 if ((sampass->set_flags =
461 bitmap_talloc(sampass,
463 DEBUG(0,("bitmap_talloc failed\n"));
467 if (!sampass->change_flags) {
468 if ((sampass->change_flags =
469 bitmap_talloc(sampass,
471 DEBUG(0,("bitmap_talloc failed\n"));
478 if (!bitmap_set(sampass->change_flags, element)) {
479 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
482 if (!bitmap_set(sampass->set_flags, element)) {
483 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
486 DEBUG(11, ("element %d -> now CHANGED\n", element));
489 if (!bitmap_clear(sampass->change_flags, element)) {
490 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
493 if (!bitmap_set(sampass->set_flags, element)) {
494 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
497 DEBUG(11, ("element %d -> now SET\n", element));
501 if (!bitmap_clear(sampass->change_flags, element)) {
502 DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
505 if (!bitmap_clear(sampass->set_flags, element)) {
506 DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
509 DEBUG(11, ("element %d -> now DEFAULT\n", element));
516 bool pdb_set_user_sid(struct samu *sampass, const DOM_SID *u_sid, enum pdb_value_state flag)
521 sid_copy(&sampass->user_sid, u_sid);
523 DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
524 sid_string_dbg(&sampass->user_sid)));
526 return pdb_set_init_flags(sampass, PDB_USERSID, flag);
529 bool pdb_set_user_sid_from_string(struct samu *sampass, fstring u_sid, enum pdb_value_state flag)
536 DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
539 if (!string_to_sid(&new_sid, u_sid)) {
540 DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
544 if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
545 DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on struct samu!\n", u_sid));
552 /********************************************************************
553 We never fill this in from a passdb backend but rather set is
554 based on the user's primary group membership. However, the
555 struct samu* is overloaded and reused in domain memship code
556 as well and built from the netr_SamInfo3 or PAC so we
557 have to allow the explicitly setting of a group SID here.
558 ********************************************************************/
560 bool pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_value_state flag)
567 if ( !(sampass->group_sid = TALLOC_P( sampass, DOM_SID )) ) {
571 /* if we cannot resolve the SID to gid, then just ignore it and
572 store DOMAIN_USERS as the primary groupSID */
574 if ( sid_to_gid( g_sid, &gid ) ) {
575 sid_copy(sampass->group_sid, g_sid);
577 sid_compose(sampass->group_sid, get_global_sam_sid(),
578 DOMAIN_GROUP_RID_USERS);
581 DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
582 sid_string_dbg(sampass->group_sid)));
584 return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
587 /*********************************************************************
588 Set the user's UNIX name.
589 ********************************************************************/
591 bool pdb_set_username(struct samu *sampass, const char *username, enum pdb_value_state flag)
594 DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
595 (sampass->username)?(sampass->username):"NULL"));
597 sampass->username = talloc_strdup(sampass, username);
599 if (!sampass->username) {
600 DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
604 sampass->username = PDB_NOT_QUITE_NULL;
607 return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
610 /*********************************************************************
612 ********************************************************************/
614 bool pdb_set_domain(struct samu *sampass, const char *domain, enum pdb_value_state flag)
617 DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
618 (sampass->domain)?(sampass->domain):"NULL"));
620 sampass->domain = talloc_strdup(sampass, domain);
622 if (!sampass->domain) {
623 DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
627 sampass->domain = PDB_NOT_QUITE_NULL;
630 return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
633 /*********************************************************************
634 Set the user's NT name.
635 ********************************************************************/
637 bool pdb_set_nt_username(struct samu *sampass, const char *nt_username, enum pdb_value_state flag)
640 DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
641 (sampass->nt_username)?(sampass->nt_username):"NULL"));
643 sampass->nt_username = talloc_strdup(sampass, nt_username);
645 if (!sampass->nt_username) {
646 DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
650 sampass->nt_username = PDB_NOT_QUITE_NULL;
653 return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
656 /*********************************************************************
657 Set the user's full name.
658 ********************************************************************/
660 bool pdb_set_fullname(struct samu *sampass, const char *full_name, enum pdb_value_state flag)
663 DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
664 (sampass->full_name)?(sampass->full_name):"NULL"));
666 sampass->full_name = talloc_strdup(sampass, full_name);
668 if (!sampass->full_name) {
669 DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
673 sampass->full_name = PDB_NOT_QUITE_NULL;
676 return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
679 /*********************************************************************
680 Set the user's logon script.
681 ********************************************************************/
683 bool pdb_set_logon_script(struct samu *sampass, const char *logon_script, enum pdb_value_state flag)
686 DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
687 (sampass->logon_script)?(sampass->logon_script):"NULL"));
689 sampass->logon_script = talloc_strdup(sampass, logon_script);
691 if (!sampass->logon_script) {
692 DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
696 sampass->logon_script = PDB_NOT_QUITE_NULL;
699 return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
702 /*********************************************************************
703 Set the user's profile path.
704 ********************************************************************/
706 bool pdb_set_profile_path(struct samu *sampass, const char *profile_path, enum pdb_value_state flag)
709 DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
710 (sampass->profile_path)?(sampass->profile_path):"NULL"));
712 sampass->profile_path = talloc_strdup(sampass, profile_path);
714 if (!sampass->profile_path) {
715 DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
719 sampass->profile_path = PDB_NOT_QUITE_NULL;
722 return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
725 /*********************************************************************
726 Set the user's directory drive.
727 ********************************************************************/
729 bool pdb_set_dir_drive(struct samu *sampass, const char *dir_drive, enum pdb_value_state flag)
732 DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
733 (sampass->dir_drive)?(sampass->dir_drive):"NULL"));
735 sampass->dir_drive = talloc_strdup(sampass, dir_drive);
737 if (!sampass->dir_drive) {
738 DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
743 sampass->dir_drive = PDB_NOT_QUITE_NULL;
746 return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
749 /*********************************************************************
750 Set the user's home directory.
751 ********************************************************************/
753 bool pdb_set_homedir(struct samu *sampass, const char *home_dir, enum pdb_value_state flag)
756 DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
757 (sampass->home_dir)?(sampass->home_dir):"NULL"));
759 sampass->home_dir = talloc_strdup(sampass, home_dir);
761 if (!sampass->home_dir) {
762 DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
766 sampass->home_dir = PDB_NOT_QUITE_NULL;
769 return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
772 /*********************************************************************
773 Set the user's account description.
774 ********************************************************************/
776 bool pdb_set_acct_desc(struct samu *sampass, const char *acct_desc, enum pdb_value_state flag)
779 sampass->acct_desc = talloc_strdup(sampass, acct_desc);
781 if (!sampass->acct_desc) {
782 DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
786 sampass->acct_desc = PDB_NOT_QUITE_NULL;
789 return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
792 /*********************************************************************
793 Set the user's workstation allowed list.
794 ********************************************************************/
796 bool pdb_set_workstations(struct samu *sampass, const char *workstations, enum pdb_value_state flag)
799 DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
800 (sampass->workstations)?(sampass->workstations):"NULL"));
802 sampass->workstations = talloc_strdup(sampass, workstations);
804 if (!sampass->workstations) {
805 DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
809 sampass->workstations = PDB_NOT_QUITE_NULL;
812 return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
815 /*********************************************************************
816 ********************************************************************/
818 bool pdb_set_comment(struct samu *sampass, const char *comment, enum pdb_value_state flag)
821 sampass->comment = talloc_strdup(sampass, comment);
823 if (!sampass->comment) {
824 DEBUG(0, ("pdb_set_comment: talloc_strdup() failed!\n"));
828 sampass->comment = PDB_NOT_QUITE_NULL;
831 return pdb_set_init_flags(sampass, PDB_COMMENT, flag);
834 /*********************************************************************
835 Set the user's dial string.
836 ********************************************************************/
838 bool pdb_set_munged_dial(struct samu *sampass, const char *munged_dial, enum pdb_value_state flag)
841 sampass->munged_dial = talloc_strdup(sampass, munged_dial);
843 if (!sampass->munged_dial) {
844 DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
848 sampass->munged_dial = PDB_NOT_QUITE_NULL;
851 return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
854 /*********************************************************************
855 Set the user's NT hash.
856 ********************************************************************/
858 bool pdb_set_nt_passwd(struct samu *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
860 data_blob_clear_free(&sampass->nt_pw);
864 data_blob_talloc(sampass, pwd, NT_HASH_LEN);
866 sampass->nt_pw = data_blob_null;
869 return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
872 /*********************************************************************
873 Set the user's LM hash.
874 ********************************************************************/
876 bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
878 data_blob_clear_free(&sampass->lm_pw);
880 /* on keep the password if we are allowing LANMAN authentication */
882 if (pwd && lp_lanman_auth() ) {
883 sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
885 sampass->lm_pw = data_blob_null;
888 return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
891 /*********************************************************************
892 Set the user's password history hash. historyLen is the number of
893 PW_HISTORY_SALT_LEN+SALTED_MD5_HASH_LEN length
894 entries to store in the history - this must match the size of the uint8 array
896 ********************************************************************/
898 bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag)
900 if (historyLen && pwd){
901 data_blob_free(&(sampass->nt_pw_his));
902 sampass->nt_pw_his = data_blob_talloc(sampass,
903 pwd, historyLen*PW_HISTORY_ENTRY_LEN);
904 if (!sampass->nt_pw_his.length) {
905 DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
909 sampass->nt_pw_his = data_blob_talloc(sampass, NULL, 0);
912 return pdb_set_init_flags(sampass, PDB_PWHISTORY, flag);
915 /*********************************************************************
916 Set the user's plaintext password only (base procedure, see helper
918 ********************************************************************/
920 bool pdb_set_plaintext_pw_only(struct samu *sampass, const char *password, enum pdb_value_state flag)
923 if (sampass->plaintext_pw!=NULL)
924 memset(sampass->plaintext_pw,'\0',strlen(sampass->plaintext_pw)+1);
926 sampass->plaintext_pw = talloc_strdup(sampass, password);
928 if (!sampass->plaintext_pw) {
929 DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
933 sampass->plaintext_pw = NULL;
936 return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
939 bool pdb_set_bad_password_count(struct samu *sampass, uint16 bad_password_count, enum pdb_value_state flag)
941 sampass->bad_password_count = bad_password_count;
942 return pdb_set_init_flags(sampass, PDB_BAD_PASSWORD_COUNT, flag);
945 bool pdb_set_logon_count(struct samu *sampass, uint16 logon_count, enum pdb_value_state flag)
947 sampass->logon_count = logon_count;
948 return pdb_set_init_flags(sampass, PDB_LOGON_COUNT, flag);
951 bool pdb_set_unknown_6(struct samu *sampass, uint32 unkn, enum pdb_value_state flag)
953 sampass->unknown_6 = unkn;
954 return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
957 bool pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag)
960 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
962 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
965 return pdb_set_init_flags(sampass, PDB_HOURS, flag);
968 bool pdb_set_backend_private_data(struct samu *sampass, void *private_data,
969 void (*free_fn)(void **),
970 const struct pdb_methods *my_methods,
971 enum pdb_value_state flag)
973 if (sampass->backend_private_data &&
974 sampass->backend_private_data_free_fn) {
975 sampass->backend_private_data_free_fn(
976 &sampass->backend_private_data);
979 sampass->backend_private_data = private_data;
980 sampass->backend_private_data_free_fn = free_fn;
981 sampass->backend_private_methods = my_methods;
983 return pdb_set_init_flags(sampass, PDB_BACKEND_PRIVATE_DATA, flag);
987 /* Helpful interfaces to the above */
989 bool pdb_set_pass_can_change(struct samu *sampass, bool canchange)
991 return pdb_set_pass_can_change_time(sampass,
992 canchange ? 0 : get_time_t_max(),
997 /*********************************************************************
998 Set the user's PLAINTEXT password. Used as an interface to the above.
999 Also sets the last change time to NOW.
1000 ********************************************************************/
1002 bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
1004 uchar new_lanman_p16[LM_HASH_LEN];
1005 uchar new_nt_p16[NT_HASH_LEN];
1008 uint32 current_history_len;
1013 /* Calculate the MD4 hash (NT compatible) of the password */
1014 E_md4hash(plaintext, new_nt_p16);
1016 if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED))
1019 if (!E_deshash(plaintext, new_lanman_p16)) {
1020 /* E_deshash returns false for 'long' passwords (> 14
1021 DOS chars). This allows us to match Win2k, which
1022 does not store a LM hash for these passwords (which
1023 would reduce the effective password length to 14 */
1025 if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED))
1028 if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
1032 if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
1035 if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
1038 if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
1040 * No password history for non-user accounts
1045 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1047 if (pwHistLen == 0) {
1048 /* Set the history length to zero. */
1049 pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
1054 * We need to make sure we don't have a race condition here -
1055 * the account policy history length can change between when
1056 * the pw_history was first loaded into the struct samu struct
1059 pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
1061 if ((current_history_len != 0) && (pwhistory == NULL)) {
1062 DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n"));
1066 if (current_history_len < pwHistLen) {
1068 * Ensure we have space for the needed history. This
1069 * also takes care of an account which did not have
1070 * any history at all so far, i.e. pwhistory==NULL
1072 uchar *new_history = talloc_zero_array(
1074 pwHistLen*PW_HISTORY_ENTRY_LEN);
1080 memcpy(new_history, pwhistory,
1081 current_history_len*PW_HISTORY_ENTRY_LEN);
1083 pwhistory = new_history;
1087 * Make room for the new password in the history list.
1089 if (pwHistLen > 1) {
1090 memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory,
1091 (pwHistLen-1)*PW_HISTORY_ENTRY_LEN );
1095 * Fill the salt area with 0-s: this indicates that
1096 * a plain nt hash is stored in the has area.
1097 * The old format was to store a 16 byte salt and
1098 * then an md5hash of the nt_hash concatenated with
1101 memset(pwhistory, 0, PW_HISTORY_SALT_LEN);
1104 * Store the plain nt hash in the second 16 bytes.
1105 * The old format was to store the md5 hash of
1108 memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN);
1110 pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
1115 /* check for any PDB_SET/CHANGED field and fill the appropriate mask bit */
1116 uint32 pdb_build_fields_present(struct samu *sampass)
1118 /* value set to all for testing */