/*********************************************************
List Users
**********************************************************/
static int print_users_list (struct pdb_methods *in, BOOL verbosity, BOOL smbpwdstyle)
{
struct samu *sam_pwent=NULL;
BOOL check;
check = NT_STATUS_IS_OK(in->setsampwent(in, False, 0));
if (!check) {
return 1;
}
check = True;
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
return 1;
}
while (check && NT_STATUS_IS_OK(in->getsampwent (in, sam_pwent))) {
if (verbosity)
printf ("---------------\n");
print_sam_info (sam_pwent, verbosity, smbpwdstyle);
TALLOC_FREE(sam_pwent);
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
check = False;
}
}
if (check)
TALLOC_FREE(sam_pwent);
in->endsampwent(in);
return 0;
}
static int delete_machine_entry (struct pdb_methods *in, const char *machinename)
{
fstring name;
struct samu *samaccount = NULL;
if (strlen(machinename) == 0) {
fprintf(stderr, "No machine name given\n");
return -1;
}
fstrcpy(name, machinename);
name[15] = '\0';
if (name[strlen(name)-1] != '$')
fstrcat (name, "$");
if ( (samaccount = samu_new( NULL )) == NULL ) {
return -1;
}
if (!NT_STATUS_IS_OK(in->getsampwnam(in, samaccount, name))) {
fprintf (stderr, "machine %s does not exist in the passdb\n", name);
return -1;
}
if (!NT_STATUS_IS_OK(in->delete_sam_account (in, samaccount))) {
fprintf (stderr, "Unable to delete machine %s\n", name);
return -1;
}
return 0;
}
static int delete_user_entry(const char *username)
{
struct samu *samaccount;
samaccount = samu_new(NULL);
if (!samaccount) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (!pdb_getsampwnam(samaccount, username)) {
fprintf (stderr,
"user %s does not exist in the passdb\n", username);
TALLOC_FREE(samaccount);
return -1;
}
if (!NT_STATUS_IS_OK(pdb_delete_sam_account(samaccount))) {
fprintf (stderr, "Unable to delete user %s\n", username);
TALLOC_FREE(samaccount);
return -1;
}
TALLOC_FREE(samaccount);
return 0;
}
/* Lookup groups a user is a member of. I wish Unix had a call like this! */
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
uint32 *num_groups, DOM_SID **user_gids)
{
NTSTATUS result;
DOM_SID *groups = NULL;
gid_t *gids = NULL;
size_t ngroups = 0;
struct samu *user;
if ( (user = samu_new(mem_ctx)) == NULL ) {
return NT_STATUS_NO_MEMORY;
}
if ( !pdb_getsampwsid( user, user_sid ) ) {
return NT_STATUS_NO_SUCH_USER;
}
result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups );
TALLOC_FREE( user );
*num_groups = (uint32)ngroups;
*user_gids = groups;
return result;
}
/*********************************************************
Fix a list of Users for uninitialised passwords
**********************************************************/
static int fix_users_list(void)
{
struct pdb_search *u_search;
struct samr_displayentry userentry;
struct samu *sam_pwent;
TALLOC_CTX *tosctx;
struct dom_sid user_sid;
NTSTATUS status;
bool bret;
int ret;
tosctx = talloc_tos();
if (!tosctx) {
fprintf(stderr, "Out of memory!\n");
return 1;
}
u_search = pdb_search_users(tosctx, 0);
if (!u_search) {
fprintf(stderr, "User Search failed!\n");
ret = 1;
goto done;
}
while (u_search->next_entry(u_search, &userentry)) {
sam_pwent = samu_new(tosctx);
if (sam_pwent == NULL) {
fprintf(stderr, "Out of memory!\n");
ret = 1;
goto done;
}
sid_compose(&user_sid, get_global_sam_sid(), userentry.rid);
bret = pdb_getsampwsid(sam_pwent, &user_sid);
if (!bret) {
DEBUG(2, ("getsampwsid failed\n"));
TALLOC_FREE(sam_pwent);
continue;
}
status = pdb_update_sam_account(sam_pwent);
if (!NT_STATUS_IS_OK(status)) {
printf("Update of user %s failed!\n",
pdb_get_username(sam_pwent));
}
TALLOC_FREE(sam_pwent);
}
ret = 0;
done:
TALLOC_FREE(tosctx);
return ret;
}
/*********************************************************
List Users
**********************************************************/
static int print_users_list(bool verbosity, bool smbpwdstyle)
{
struct pdb_search *u_search;
struct samr_displayentry userentry;
struct samu *sam_pwent;
TALLOC_CTX *tosctx;
struct dom_sid user_sid;
bool bret;
int ret;
tosctx = talloc_tos();
if (!tosctx) {
DEBUG(0, ("talloc failed\n"));
return 1;
}
u_search = pdb_search_users(tosctx, 0);
if (!u_search) {
DEBUG(0, ("User Search failed!\n"));
ret = 1;
goto done;
}
while (u_search->next_entry(u_search, &userentry)) {
sam_pwent = samu_new(tosctx);
if (sam_pwent == NULL) {
DEBUG(0, ("talloc failed\n"));
ret = 1;
goto done;
}
sid_compose(&user_sid, get_global_sam_sid(), userentry.rid);
bret = pdb_getsampwsid(sam_pwent, &user_sid);
if (!bret) {
DEBUG(2, ("getsampwsid failed\n"));
TALLOC_FREE(sam_pwent);
continue;
}
if (verbosity) {
printf ("---------------\n");
}
print_sam_info(sam_pwent, verbosity, smbpwdstyle);
TALLOC_FREE(sam_pwent);
}
ret = 0;
done:
TALLOC_FREE(tosctx);
return ret;
}
/*********************************************************
Fix a list of Users for uninitialised passwords
**********************************************************/
static int fix_users_list (struct pdb_methods *in)
{
struct samu *sam_pwent=NULL;
BOOL check;
check = NT_STATUS_IS_OK(in->setsampwent(in, False, 0));
if (!check) {
return 1;
}
check = True;
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
return 1;
}
while (check && NT_STATUS_IS_OK(in->getsampwent (in, sam_pwent))) {
printf("Updating record for user %s\n", pdb_get_username(sam_pwent));
if (!NT_STATUS_IS_OK(pdb_update_sam_account(sam_pwent))) {
printf("Update of user %s failed!\n", pdb_get_username(sam_pwent));
}
TALLOC_FREE(sam_pwent);
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
check = False;
}
if (!check) {
fprintf(stderr, "Failed to initialise new struct samu structure (out of memory?)\n");
}
}
if (check)
TALLOC_FREE(sam_pwent);
in->endsampwent(in);
return 0;
}
/**
* update the encrypted smbpasswd file from the plaintext username and password
*
* this ugly hack needs to die, but not quite yet, I think people still use it...
**/
static BOOL update_smbpassword_file(const char *user, const char *password)
{
struct samu *sampass;
BOOL ret;
if ( !(sampass = samu_new( NULL )) ) {
return False;
}
become_root();
ret = pdb_getsampwnam(sampass, user);
unbecome_root();
if(ret == False) {
DEBUG(0,("pdb_getsampwnam returned NULL\n"));
TALLOC_FREE(sampass);
return False;
}
/*
* Remove the account disabled flag - we are updating the
* users password from a login.
*/
if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) {
TALLOC_FREE(sampass);
return False;
}
if (!pdb_set_plaintext_passwd (sampass, password)) {
TALLOC_FREE(sampass);
return False;
}
/* Now write it into the file. */
become_root();
ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass));
unbecome_root();
if (ret) {
DEBUG(3,("pdb_update_sam_account returned %d\n",ret));
}
TALLOC_FREE(sampass);
return ret;
}
static int delete_user_entry (struct pdb_methods *in, const char *username)
{
struct samu *samaccount = NULL;
if ( (samaccount = samu_new( NULL )) == NULL ) {
return -1;
}
if (!NT_STATUS_IS_OK(in->getsampwnam(in, samaccount, username))) {
fprintf (stderr, "user %s does not exist in the passdb\n", username);
return -1;
}
if (!NT_STATUS_IS_OK(in->delete_sam_account (in, samaccount))) {
fprintf (stderr, "Unable to delete user %s\n", username);
return -1;
}
return 0;
}
static int print_user_info (struct pdb_methods *in, const char *username, BOOL verbosity, BOOL smbpwdstyle)
{
struct samu *sam_pwent=NULL;
BOOL ret;
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
return -1;
}
ret = NT_STATUS_IS_OK(in->getsampwnam (in, sam_pwent, username));
if (ret==False) {
fprintf (stderr, "Username not found!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
ret=print_sam_info (sam_pwent, verbosity, smbpwdstyle);
TALLOC_FREE(sam_pwent);
return ret;
}
static int delete_machine_entry(const char *machinename)
{
struct samu *samaccount = NULL;
const char *name;
if (strlen(machinename) == 0) {
fprintf(stderr, "No machine name given\n");
return -1;
}
samaccount = samu_new(NULL);
if (!samaccount) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (machinename[strlen(machinename)-1] != '$') {
name = talloc_asprintf(samaccount, "%s$", machinename);
} else {
name = machinename;
}
if (!pdb_getsampwnam(samaccount, name)) {
fprintf (stderr,
"machine %s does not exist in the passdb\n", name);
TALLOC_FREE(samaccount);
return -1;
}
if (!NT_STATUS_IS_OK(pdb_delete_sam_account(samaccount))) {
fprintf (stderr, "Unable to delete machine %s\n", name);
TALLOC_FREE(samaccount);
return -1;
}
TALLOC_FREE(samaccount);
return 0;
}
static int print_user_info(const char *username,
bool verbosity, bool smbpwdstyle)
{
struct samu *sam_pwent = NULL;
bool bret;
int ret;
sam_pwent = samu_new(NULL);
if (!sam_pwent) {
return -1;
}
bret = pdb_getsampwnam(sam_pwent, username);
if (!bret) {
fprintf (stderr, "Username not found!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
ret = print_sam_info(sam_pwent, verbosity, smbpwdstyle);
TALLOC_FREE(sam_pwent);
return ret;
}
/*********************************************************
Add New User
**********************************************************/
static int new_user(const char *username, const char *fullname,
const char *homedir, const char *drive,
const char *script, const char *profile,
char *user_sid, bool stdin_get)
{
char *pwd1 = NULL, *pwd2 = NULL;
char *err = NULL, *msg = NULL;
struct samu *sam_pwent = NULL;
TALLOC_CTX *tosctx;
NTSTATUS status;
struct dom_sid u_sid;
int flags;
int ret;
tosctx = talloc_tos();
if (!tosctx) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (user_sid) {
if (get_sid_from_cli_string(&u_sid, user_sid)) {
fprintf(stderr, "Failed to parse SID\n");
return -1;
}
}
pwd1 = get_pass( "new password:"******"retype new password:"******"Failed to read passwords.\n");
return -1;
}
ret = strcmp(pwd1, pwd2);
if (ret != 0) {
fprintf (stderr, "Passwords do not match!\n");
goto done;
}
flags = LOCAL_ADD_USER | LOCAL_SET_PASSWORD;
status = local_password_change(username, flags, pwd1, &err, &msg);
if (!NT_STATUS_IS_OK(status)) {
if (err) fprintf(stderr, "%s", err);
ret = -1;
goto done;
}
sam_pwent = samu_new(tosctx);
if (!sam_pwent) {
fprintf(stderr, "Out of memory!\n");
ret = -1;
goto done;
}
if (!pdb_getsampwnam(sam_pwent, username)) {
fprintf(stderr, "User %s not found!\n", username);
ret = -1;
goto done;
}
if (fullname)
pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
if (homedir)
pdb_set_homedir(sam_pwent, homedir, PDB_CHANGED);
if (drive)
pdb_set_dir_drive(sam_pwent, drive, PDB_CHANGED);
if (script)
pdb_set_logon_script(sam_pwent, script, PDB_CHANGED);
if (profile)
pdb_set_profile_path(sam_pwent, profile, PDB_CHANGED);
if (user_sid)
pdb_set_user_sid(sam_pwent, &u_sid, PDB_CHANGED);
status = pdb_update_sam_account(sam_pwent);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr,
"Failed to modify entry for user %s.!\n",
username);
ret = -1;
goto done;
}
print_user_info(username, True, False);
ret = 0;
done:
if (pwd1) memset(pwd1, 0, strlen(pwd1));
if (pwd2) memset(pwd2, 0, strlen(pwd2));
SAFE_FREE(pwd1);
SAFE_FREE(pwd2);
SAFE_FREE(err);
SAFE_FREE(msg);
TALLOC_FREE(sam_pwent);
return ret;
}
static int set_machine_info(const char *machinename,
const char *account_control,
const char *machine_sid)
{
struct samu *sam_pwent = NULL;
TALLOC_CTX *tosctx;
uint32_t acb_flags;
uint32_t not_settable;
uint32_t new_flags;
struct dom_sid m_sid;
char *name;
int len;
bool ret;
len = strlen(machinename);
if (len == 0) {
fprintf(stderr, "No machine name given\n");
return -1;
}
tosctx = talloc_tos();
if (!tosctx) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
sam_pwent = samu_new(tosctx);
if (!sam_pwent) {
return 1;
}
if (machinename[len-1] == '$') {
name = talloc_strdup(sam_pwent, machinename);
} else {
name = talloc_asprintf(sam_pwent, "%s$", machinename);
}
if (!name) {
fprintf(stderr, "Out of memory!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
if (!strlower_m(name)) {
fprintf(stderr, "strlower_m %s failed\n", name);
TALLOC_FREE(sam_pwent);
return -1;
}
ret = pdb_getsampwnam(sam_pwent, name);
if (!ret) {
fprintf (stderr, "Username not found!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
if (account_control) {
not_settable = ~(ACB_DISABLED);
new_flags = pdb_decode_acct_ctrl(account_control);
if (new_flags & not_settable) {
fprintf(stderr, "Can only set [D] flags\n");
TALLOC_FREE(sam_pwent);
return -1;
}
acb_flags = pdb_get_acct_ctrl(sam_pwent);
pdb_set_acct_ctrl(sam_pwent,
(acb_flags & not_settable) | new_flags,
PDB_CHANGED);
}
if (machine_sid) {
if (get_sid_from_cli_string(&m_sid, machine_sid)) {
fprintf(stderr, "Failed to parse SID\n");
return -1;
}
pdb_set_user_sid(sam_pwent, &m_sid, PDB_CHANGED);
}
if (NT_STATUS_IS_OK(pdb_update_sam_account(sam_pwent))) {
print_user_info(name, True, False);
} else {
fprintf (stderr, "Unable to modify entry!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
TALLOC_FREE(sam_pwent);
return 0;
}
static int set_user_info(const char *username, const char *fullname,
const char *homedir, const char *acct_desc,
const char *drive, const char *script,
const char *profile, const char *account_control,
const char *user_sid, const char *user_domain,
const bool badpw, const bool hours,
const char *kickoff_time)
{
bool updated_autolock = False, updated_badpw = False;
struct samu *sam_pwent;
uint8_t hours_array[MAX_HOURS_LEN];
uint32_t hours_len;
uint32_t acb_flags;
uint32_t not_settable;
uint32_t new_flags;
struct dom_sid u_sid;
bool ret;
sam_pwent = samu_new(NULL);
if (!sam_pwent) {
return 1;
}
ret = pdb_getsampwnam(sam_pwent, username);
if (!ret) {
fprintf (stderr, "Username not found!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
if (hours) {
hours_len = pdb_get_hours_len(sam_pwent);
memset(hours_array, 0xff, hours_len);
pdb_set_hours(sam_pwent, hours_array, hours_len, PDB_CHANGED);
}
if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) {
DEBUG(2,("pdb_update_autolock_flag failed.\n"));
}
if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw)) {
DEBUG(2,("pdb_update_bad_password_count failed.\n"));
}
if (fullname)
pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
if (acct_desc)
pdb_set_acct_desc(sam_pwent, acct_desc, PDB_CHANGED);
if (homedir)
pdb_set_homedir(sam_pwent, homedir, PDB_CHANGED);
if (drive)
pdb_set_dir_drive(sam_pwent,drive, PDB_CHANGED);
if (script)
pdb_set_logon_script(sam_pwent, script, PDB_CHANGED);
if (profile)
pdb_set_profile_path (sam_pwent, profile, PDB_CHANGED);
if (user_domain)
pdb_set_domain(sam_pwent, user_domain, PDB_CHANGED);
if (account_control) {
not_settable = ~(ACB_DISABLED | ACB_HOMDIRREQ |
ACB_PWNOTREQ | ACB_PWNOEXP | ACB_AUTOLOCK);
new_flags = pdb_decode_acct_ctrl(account_control);
if (new_flags & not_settable) {
fprintf(stderr, "Can only set [NDHLX] flags\n");
TALLOC_FREE(sam_pwent);
return -1;
}
acb_flags = pdb_get_acct_ctrl(sam_pwent);
pdb_set_acct_ctrl(sam_pwent,
(acb_flags & not_settable) | new_flags,
PDB_CHANGED);
}
if (user_sid) {
if (get_sid_from_cli_string(&u_sid, user_sid)) {
fprintf(stderr, "Failed to parse SID\n");
return -1;
}
pdb_set_user_sid(sam_pwent, &u_sid, PDB_CHANGED);
}
if (badpw) {
pdb_set_bad_password_count(sam_pwent, 0, PDB_CHANGED);
pdb_set_bad_password_time(sam_pwent, 0, PDB_CHANGED);
}
if (kickoff_time) {
char *endptr;
time_t value = get_time_t_max();
if (strcmp(kickoff_time, "never") != 0) {
uint32_t num = strtoul(kickoff_time, &endptr, 10);
if ((endptr == kickoff_time) || (endptr[0] != '\0')) {
fprintf(stderr, "Failed to parse kickoff time\n");
return -1;
}
value = convert_uint32_t_to_time_t(num);
}
pdb_set_kickoff_time(sam_pwent, value, PDB_CHANGED);
}
if (NT_STATUS_IS_OK(pdb_update_sam_account(sam_pwent))) {
print_user_info(username, True, False);
} else {
fprintf (stderr, "Unable to modify entry!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
TALLOC_FREE(sam_pwent);
return 0;
}
static int export_database (struct pdb_methods *in,
struct pdb_methods *out,
const char *username)
{
struct samu *user = NULL;
NTSTATUS status;
DEBUG(3, ("export_database: username=\"%s\"\n", username ? username : "******"));
status = in->setsampwent(in, 0, 0);
if ( NT_STATUS_IS_ERR(status) ) {
fprintf(stderr, "Unable to set account database iterator for %s!\n",
in->name);
return 1;
}
if ( ( user = samu_new( NULL ) ) == NULL ) {
fprintf(stderr, "export_database: Memory allocation failure!\n");
return 1;
}
while ( NT_STATUS_IS_OK(in->getsampwent(in, user)) )
{
DEBUG(4, ("Processing account %s\n", user->username));
/* If we don't have a specific user or if we do and
the login name matches */
if ( !username || (strcmp(username, user->username) == 0)) {
struct samu *account;
if ( (account = samu_new( NULL )) == NULL ) {
fprintf(stderr, "export_database: Memory allocation failure!\n");
TALLOC_FREE( user );
in->endsampwent( in );
return 1;
}
printf("Importing account for %s...", user->username);
if ( !NT_STATUS_IS_OK(out->getsampwnam( out, account, user->username )) ) {
status = out->add_sam_account(out, user);
} else {
status = out->update_sam_account( out, user );
}
if ( NT_STATUS_IS_OK(status) ) {
printf( "ok\n");
} else {
printf( "failed\n");
}
TALLOC_FREE( account );
}
/* clean up and get ready for another run */
TALLOC_FREE( user );
if ( ( user = samu_new( NULL ) ) == NULL ) {
fprintf(stderr, "export_database: Memory allocation failure!\n");
return 1;
}
}
TALLOC_FREE( user );
in->endsampwent(in);
return 0;
}
static int new_machine (struct pdb_methods *in, const char *machine_in)
{
struct samu *sam_pwent=NULL;
fstring machinename;
fstring machineaccount;
struct passwd *pwd = NULL;
get_global_sam_sid();
if (strlen(machine_in) == 0) {
fprintf(stderr, "No machine name given\n");
return -1;
}
fstrcpy(machinename, machine_in);
machinename[15]= '\0';
if (machinename[strlen (machinename) -1] == '$')
machinename[strlen (machinename) -1] = '\0';
strlower_m(machinename);
fstrcpy(machineaccount, machinename);
fstrcat(machineaccount, "$");
if ((pwd = getpwnam_alloc(NULL, machineaccount))) {
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
fprintf(stderr, "Memory allocation error!\n");
TALLOC_FREE(pwd);
return -1;
}
if ( !NT_STATUS_IS_OK(samu_set_unix(sam_pwent, pwd )) ) {
fprintf(stderr, "Could not init sam from pw\n");
TALLOC_FREE(pwd);
return -1;
}
TALLOC_FREE(pwd);
} else {
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
fprintf(stderr, "Could not init sam from pw\n");
return -1;
}
}
pdb_set_plaintext_passwd (sam_pwent, machinename);
pdb_set_username (sam_pwent, machineaccount, PDB_CHANGED);
pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST, PDB_CHANGED);
if (NT_STATUS_IS_OK(in->add_sam_account (in, sam_pwent))) {
print_user_info (in, machineaccount, True, False);
} else {
fprintf (stderr, "Unable to add machine! (does it already exist?)\n");
TALLOC_FREE(sam_pwent);
return -1;
}
TALLOC_FREE(sam_pwent);
return 0;
}
static int process_root(int local_flags)
{
struct passwd *pwd;
int result = 0;
char *old_passwd = NULL;
if (local_flags & LOCAL_SET_LDAP_ADMIN_PW) {
char *ldap_admin_dn = lp_ldap_admin_dn();
if ( ! *ldap_admin_dn ) {
DEBUG(0,("ERROR: 'ldap admin dn' not defined! Please check your smb.conf\n"));
goto done;
}
printf("Setting stored password for \"%s\" in secrets.tdb\n", ldap_admin_dn);
if ( ! *ldap_secret ) {
new_passwd = prompt_for_new_password(stdin_passwd_get);
fstrcpy(ldap_secret, new_passwd);
}
if (!store_ldap_admin_pw(ldap_secret)) {
DEBUG(0,("ERROR: Failed to store the ldap admin password!\n"));
}
goto done;
}
/* Ensure passdb startup(). */
if(!initialize_password_db(False)) {
DEBUG(0, ("Failed to open passdb!\n"));
exit(1);
}
/* Ensure we have a SAM sid. */
get_global_sam_sid();
/*
* Ensure both add/delete user are not set
* Ensure add/delete user and either remote machine or join domain are
* not both set.
*/
if(((local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER)) == (LOCAL_ADD_USER|LOCAL_DELETE_USER)) ||
((local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER)) &&
(remote_machine != NULL))) {
usage();
}
/* Only load interfaces if we are doing network operations. */
if (remote_machine) {
load_interfaces();
}
if (!user_name[0] && (pwd = getpwuid_alloc(NULL, geteuid()))) {
fstrcpy(user_name, pwd->pw_name);
TALLOC_FREE(pwd);
}
if (!user_name[0]) {
fprintf(stderr,"You must specify a username\n");
exit(1);
}
if (local_flags & LOCAL_TRUST_ACCOUNT) {
/* add the $ automatically */
static fstring buf;
/*
* Remove any trailing '$' before we
* generate the initial machine password.
*/
if (user_name[strlen(user_name)-1] == '$') {
user_name[strlen(user_name)-1] = 0;
}
if (local_flags & LOCAL_ADD_USER) {
SAFE_FREE(new_passwd);
new_passwd = smb_xstrdup(user_name);
strlower_m(new_passwd);
}
/*
* Now ensure the username ends in '$' for
* the machine add.
*/
slprintf(buf, sizeof(buf)-1, "%s$", user_name);
fstrcpy(user_name, buf);
} else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
static fstring buf;
if ((local_flags & LOCAL_ADD_USER) && (new_passwd == NULL)) {
/*
* Prompt for trusting domain's account password
*/
new_passwd = prompt_for_new_password(stdin_passwd_get);
if(!new_passwd) {
fprintf(stderr, "Unable to get newpassword.\n");
exit(1);
}
}
/* prepare uppercased and '$' terminated username */
slprintf(buf, sizeof(buf) - 1, "%s$", user_name);
fstrcpy(user_name, buf);
} else {
if (remote_machine != NULL) {
old_passwd = get_pass("Old SMB password:"******"talloc fail for struct samu.\n");
exit(1);
}
if (!pdb_getsampwnam(sampass, user_name)) {
fprintf(stderr, "Failed to find user %s in passdb backend.\n",
user_name );
exit(1);
}
if(pdb_get_nt_passwd(sampass) == NULL) {
local_flags |= LOCAL_SET_PASSWORD;
}
TALLOC_FREE(sampass);
}
}
if((local_flags & LOCAL_SET_PASSWORD) && (new_passwd == NULL)) {
new_passwd = prompt_for_new_password(stdin_passwd_get);
if(!new_passwd) {
fprintf(stderr, "Unable to get new password.\n");
exit(1);
}
}
}
if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
old_passwd, new_passwd,
local_flags))) {
fprintf(stderr,"Failed to modify password entry for user %s\n", user_name);
result = 1;
goto done;
}
if(remote_machine) {
printf("Password changed for user %s on %s.\n", user_name, remote_machine );
} else if(!(local_flags & (LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|LOCAL_DELETE_USER|LOCAL_SET_NO_PASSWORD|LOCAL_SET_PASSWORD))) {
struct samu *sampass = NULL;
sampass = samu_new( NULL );
if (!sampass) {
fprintf(stderr, "talloc fail for struct samu.\n");
exit(1);
}
if (!pdb_getsampwnam(sampass, user_name)) {
fprintf(stderr, "Failed to find user %s in passdb backend.\n",
user_name );
exit(1);
}
printf("Password changed for user %s.", user_name );
if(pdb_get_acct_ctrl(sampass)&ACB_DISABLED) {
printf(" User has disabled flag set.");
}
if(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) {
printf(" User has no password flag set.");
}
printf("\n");
TALLOC_FREE(sampass);
}
done:
SAFE_FREE(new_passwd);
return result;
}
/*********************************************************
Add New User
**********************************************************/
static int new_user (struct pdb_methods *in, const char *username,
const char *fullname, const char *homedir,
const char *drive, const char *script,
const char *profile, char *user_sid, BOOL stdin_get)
{
struct samu *sam_pwent;
char *password1, *password2;
int rc_pwd_cmp;
struct passwd *pwd;
get_global_sam_sid();
if ( !(pwd = getpwnam_alloc( NULL, username )) ) {
DEBUG(0,("Cannot locate Unix account for %s\n", username));
return -1;
}
if ( (sam_pwent = samu_new( NULL )) == NULL ) {
DEBUG(0, ("Memory allocation failure!\n"));
return -1;
}
if (!NT_STATUS_IS_OK(samu_alloc_rid_unix(sam_pwent, pwd ))) {
TALLOC_FREE( sam_pwent );
TALLOC_FREE( pwd );
DEBUG(0, ("could not create account to add new user %s\n", username));
return -1;
}
password1 = get_pass( "new password:"******"retype new password:"******"Passwords do not match!\n");
TALLOC_FREE(sam_pwent);
} else {
pdb_set_plaintext_passwd(sam_pwent, password1);
}
memset(password1, 0, strlen(password1));
SAFE_FREE(password1);
memset(password2, 0, strlen(password2));
SAFE_FREE(password2);
/* pwds do _not_ match? */
if (rc_pwd_cmp)
return -1;
if (fullname)
pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
if (homedir)
pdb_set_homedir (sam_pwent, homedir, PDB_CHANGED);
if (drive)
pdb_set_dir_drive (sam_pwent, drive, PDB_CHANGED);
if (script)
pdb_set_logon_script(sam_pwent, script, PDB_CHANGED);
if (profile)
pdb_set_profile_path (sam_pwent, profile, PDB_CHANGED);
if (user_sid) {
DOM_SID u_sid;
if (!string_to_sid(&u_sid, user_sid)) {
/* not a complete sid, may be a RID, try building a SID */
int u_rid;
if (sscanf(user_sid, "%d", &u_rid) != 1) {
fprintf(stderr, "Error passed string is not a complete user SID or RID!\n");
TALLOC_FREE(sam_pwent);
return -1;
}
sid_copy(&u_sid, get_global_sam_sid());
sid_append_rid(&u_sid, u_rid);
}
pdb_set_user_sid (sam_pwent, &u_sid, PDB_CHANGED);
}
pdb_set_acct_ctrl (sam_pwent, ACB_NORMAL, PDB_CHANGED);
if (NT_STATUS_IS_OK(in->add_sam_account (in, sam_pwent))) {
print_user_info (in, username, True, False);
} else {
fprintf (stderr, "Unable to add user! (does it already exist?)\n");
TALLOC_FREE(sam_pwent);
return -1;
}
TALLOC_FREE(sam_pwent);
return 0;
}
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info)
{
NTSTATUS status;
struct auth_serversupplied_info *server_info;
if (mapped_to_guest) {
status = make_server_info_guest(mem_ctx, &server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_guest failed: %s!\n",
nt_errstr(status)));
return status;
}
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again in make_server_info_info3() */
status = make_server_info_info3(mem_ctx,
ntuser, ntdomain,
&server_info,
&logon_info->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_info3 failed: %s!\n",
nt_errstr(status)));
return status;
}
} else {
/*
* We didn't get a PAC, we have to make up the user
* ourselves. Try to ask the pdb backend to provide
* SID consistency with ntlmssp session setup
*/
struct samu *sampass;
/* The stupid make_server_info_XX functions here
don't take a talloc context. */
struct auth_serversupplied_info *tmp = NULL;
sampass = samu_new(talloc_tos());
if (sampass == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (pdb_getsampwnam(sampass, username)) {
DEBUG(10, ("found user %s in passdb, calling "
"make_server_info_sam\n", username));
status = make_server_info_sam(&tmp, sampass);
} else {
/*
* User not in passdb, make it up artificially
*/
DEBUG(10, ("didn't find user %s in passdb, calling "
"make_server_info_pw\n", username));
status = make_server_info_pw(&tmp, username, pw);
}
TALLOC_FREE(sampass);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_[sam|pw] failed: %s!\n",
nt_errstr(status)));
return status;
}
/* make_server_info_pw does not set the domain. Without this
* we end up with the local netbios name in substitutions for
* %D. */
if (server_info->info3 != NULL) {
server_info->info3->base.domain.string =
talloc_strdup(server_info->info3, ntdomain);
}
}
server_info->nss_token |= username_was_mapped;
status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("failed to create local token: %s\n",
nt_errstr(status)));
return status;
}
return NT_STATUS_OK;
}
/***************************************************************************
Renames a struct samu
- check for the posix user/rename user script
- Add and lock the new user record
- rename the posix user
- rewrite the rid->username record
- delete the old user
- unlock the new user record
***************************************************************************/
static NTSTATUS tdbsam_rename_sam_account(struct pdb_methods *my_methods,
struct samu *old_acct,
const char *newname)
{
struct samu *new_acct = NULL;
char *rename_script = NULL;
int rename_ret;
fstring oldname_lower;
fstring newname_lower;
/* can't do anything without an external script */
if ( !(new_acct = samu_new( talloc_tos() )) ) {
return NT_STATUS_NO_MEMORY;
}
rename_script = lp_rename_user_script(new_acct);
if (!rename_script) {
TALLOC_FREE(new_acct);
return NT_STATUS_NO_MEMORY;
}
if (!*rename_script) {
TALLOC_FREE(new_acct);
return NT_STATUS_ACCESS_DENIED;
}
if ( !pdb_copy_sam_account(new_acct, old_acct)
|| !pdb_set_username(new_acct, newname, PDB_CHANGED))
{
TALLOC_FREE(new_acct);
return NT_STATUS_NO_MEMORY;
}
/* open the database */
if ( !tdbsam_open( tdbsam_filename ) ) {
DEBUG(0, ("tdbsam_getsampwnam: failed to open %s!\n",
tdbsam_filename));
TALLOC_FREE(new_acct);
return NT_STATUS_ACCESS_DENIED;
}
if (dbwrap_transaction_start(db_sam) != 0) {
DEBUG(0, ("Could not start transaction\n"));
TALLOC_FREE(new_acct);
return NT_STATUS_ACCESS_DENIED;
}
/* add the new account and lock it */
if ( !tdb_update_samacct_only(new_acct, TDB_INSERT) ) {
goto cancel;
}
/* Rename the posix user. Follow the semantics of _samr_create_user()
so that we lower case the posix name but preserve the case in passdb */
fstrcpy( oldname_lower, pdb_get_username(old_acct) );
if (!strlower_m( oldname_lower )) {
goto cancel;
}
fstrcpy( newname_lower, newname );
if (!strlower_m( newname_lower )) {
goto cancel;
}
rename_script = talloc_string_sub2(new_acct,
rename_script,
"%unew",
newname_lower,
true,
false,
true);
if (!rename_script) {
goto cancel;
}
rename_script = talloc_string_sub2(new_acct,
rename_script,
"%uold",
oldname_lower,
true,
false,
true);
if (!rename_script) {
goto cancel;
}
rename_ret = smbrun(rename_script, NULL, NULL);
DEBUG(rename_ret ? 0 : 3,("Running the command `%s' gave %d\n",
rename_script, rename_ret));
if (rename_ret != 0) {
goto cancel;
}
smb_nscd_flush_user_cache();
/* rewrite the rid->username record */
if ( !tdb_update_ridrec_only( new_acct, TDB_MODIFY) ) {
goto cancel;
}
tdb_delete_samacct_only( old_acct );
if (dbwrap_transaction_commit(db_sam) != 0) {
/*
* Ok, we're screwed. We've changed the posix account, but
* could not adapt passdb.tdb. Shall we change the posix
* account back?
*/
DEBUG(0, ("transaction_commit failed\n"));
TALLOC_FREE(new_acct);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
TALLOC_FREE(new_acct );
return NT_STATUS_OK;
cancel:
if (dbwrap_transaction_cancel(db_sam) != 0) {
smb_panic("transaction_cancel failed");
}
TALLOC_FREE(new_acct);
return NT_STATUS_ACCESS_DENIED;
}
static bool tdb_update_sam(struct pdb_methods *my_methods, struct samu* newpwd,
int flag)
{
uint32_t oldrid;
uint32_t newrid;
if (!(newrid = pdb_get_user_rid(newpwd))) {
DEBUG(0,("tdb_update_sam: struct samu (%s) with no RID!\n",
pdb_get_username(newpwd)));
return False;
}
oldrid = newrid;
/* open the database */
if ( !tdbsam_open( tdbsam_filename ) ) {
DEBUG(0,("tdbsam_getsampwnam: failed to open %s!\n", tdbsam_filename));
return False;
}
if (dbwrap_transaction_start(db_sam) != 0) {
DEBUG(0, ("Could not start transaction\n"));
return false;
}
/* If we are updating, we may be changing this users RID. Retrieve the old RID
so we can check. */
if (flag == TDB_MODIFY) {
struct samu *account = samu_new(talloc_tos());
if (account == NULL) {
DEBUG(0,("tdb_update_sam: samu_new() failed\n"));
goto cancel;
}
if (!NT_STATUS_IS_OK(tdbsam_getsampwnam(my_methods, account, pdb_get_username(newpwd)))) {
DEBUG(0,("tdb_update_sam: tdbsam_getsampwnam() for %s failed\n",
pdb_get_username(newpwd)));
TALLOC_FREE(account);
goto cancel;
}
if (!(oldrid = pdb_get_user_rid(account))) {
DEBUG(0,("tdb_update_sam: pdb_get_user_rid() failed\n"));
TALLOC_FREE(account);
goto cancel;
}
TALLOC_FREE(account);
}
/* Update the new samu entry. */
if (!tdb_update_samacct_only(newpwd, flag)) {
goto cancel;
}
/* Now take care of the case where the RID changed. We need
* to delete the old RID key and add the new. */
if (flag == TDB_MODIFY && newrid != oldrid) {
fstring keystr;
/* Delete old RID key */
DEBUG(10, ("tdb_update_sam: Deleting key for RID %u\n", oldrid));
fstr_sprintf(keystr, "%s%.8x", RIDPREFIX, oldrid);
if (!NT_STATUS_IS_OK(dbwrap_delete_bystring(db_sam, keystr))) {
DEBUG(0, ("tdb_update_sam: Can't delete %s\n", keystr));
goto cancel;
}
/* Insert new RID key */
DEBUG(10, ("tdb_update_sam: Inserting key for RID %u\n", newrid));
if (!tdb_update_ridrec_only(newpwd, TDB_INSERT)) {
goto cancel;
}
} else {
DEBUG(10, ("tdb_update_sam: %s key for RID %u\n",
flag == TDB_MODIFY ? "Updating" : "Inserting", newrid));
if (!tdb_update_ridrec_only(newpwd, flag)) {
goto cancel;
}
}
if (dbwrap_transaction_commit(db_sam) != 0) {
DEBUG(0, ("Could not commit transaction\n"));
return false;
}
return true;
cancel:
if (dbwrap_transaction_cancel(db_sam) != 0) {
smb_panic("transaction_cancel failed");
}
return false;
}
int main(int argc, char **argv)
{
TALLOC_CTX *ctx;
struct samu *out = NULL;
struct samu *in = NULL;
NTSTATUS rv;
int i;
struct timeval tv;
BOOL error = False;
struct passwd *pwd;
uint8 *buf;
uint32 expire, min_age, history;
struct pdb_methods *pdb;
poptContext pc;
static const char *backend = NULL;
static const char *unix_user = "******";
struct poptOption long_options[] = {
{"username", 'u', POPT_ARG_STRING, &unix_user, 0, "Unix user to use for testing", "USERNAME" },
{"backend", 'b', POPT_ARG_STRING, &backend, 0, "Backend to use if not default", "BACKEND[:SETTINGS]" },
POPT_AUTOHELP
POPT_COMMON_SAMBA
POPT_TABLEEND
};
load_case_tables();
pc = poptGetContext("vfstest", argc, (const char **) argv,
long_options, 0);
poptSetOtherOptionHelp(pc, "backend[:settings] username");
while(poptGetNextOpt(pc) != -1);
poptFreeContext(pc);
/* Load configuration */
lp_load(dyn_CONFIGFILE, False, False, True, True);
setup_logging("pdbtest", True);
if (backend == NULL) {
backend = lp_passdb_backend();
}
rv = make_pdb_method_name(&pdb, backend);
if (NT_STATUS_IS_ERR(rv)) {
fprintf(stderr, "Error initializing '%s': %s\n", backend, get_friendly_nt_error_msg(rv));
exit(1);
}
ctx = talloc_init("PDBTEST");
if (!(out = samu_new(ctx))) {
fprintf(stderr, "Can't create samu structure.\n");
exit(1);
}
if ((pwd = getpwnam_alloc(ctx, unix_user)) == NULL) {
fprintf(stderr, "Error getting user information for %s\n", unix_user);
exit(1);
}
samu_set_unix(out, pwd);
pdb_set_profile_path(out, "\\\\torture\\profile", PDB_SET);
pdb_set_homedir(out, "\\\\torture\\home", PDB_SET);
pdb_set_logon_script(out, "torture_script.cmd", PDB_SET);
pdb_get_account_policy(AP_PASSWORD_HISTORY, &history);
if (history * PW_HISTORY_ENTRY_LEN < NT_HASH_LEN) {
buf = (uint8 *)TALLOC(ctx, NT_HASH_LEN);
} else {
buf = (uint8 *)TALLOC(ctx, history * PW_HISTORY_ENTRY_LEN);
}
/* Generate some random hashes */
GetTimeOfDay(&tv);
srand(tv.tv_usec);
for (i = 0; i < NT_HASH_LEN; i++) {
buf[i] = (uint8) rand();
}
pdb_set_nt_passwd(out, buf, PDB_SET);
for (i = 0; i < LM_HASH_LEN; i++) {
buf[i] = (uint8) rand();
}
pdb_set_lanman_passwd(out, buf, PDB_SET);
for (i = 0; i < history * PW_HISTORY_ENTRY_LEN; i++) {
buf[i] = (uint8) rand();
}
pdb_set_pw_history(out, buf, history, PDB_SET);
pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire);
pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age);
pdb_set_pass_last_set_time(out, time(NULL), PDB_SET);
if (expire == 0 || expire == (uint32)-1) {
pdb_set_pass_must_change_time(out, get_time_t_max(), PDB_SET);
} else {
pdb_set_pass_must_change_time(out, time(NULL)+expire, PDB_SET);
}
if (min_age == (uint32)-1) {
pdb_set_pass_can_change_time(out, 0, PDB_SET);
} else {
pdb_set_pass_can_change_time(out, time(NULL)+min_age, PDB_SET);
}
/* Create account */
if (!NT_STATUS_IS_OK(rv = pdb->add_sam_account(pdb, out))) {
fprintf(stderr, "Error in add_sam_account: %s\n",
get_friendly_nt_error_msg(rv));
exit(1);
}
if (!(in = samu_new(ctx))) {
fprintf(stderr, "Can't create samu structure.\n");
exit(1);
}
/* Get account information through getsampwnam() */
if (NT_STATUS_IS_ERR(pdb->getsampwnam(pdb, in, out->username))) {
fprintf(stderr, "Error getting sampw of added user %s.\n",
out->username);
if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
fprintf(stderr, "Error in delete_sam_account %s\n",
get_friendly_nt_error_msg(rv));
}
TALLOC_FREE(ctx);
}
/* Verify integrity */
if (samu_correct(out, in)) {
printf("User info written correctly\n");
} else {
printf("User info NOT written correctly\n");
error = True;
}
/* Delete account */
if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
fprintf(stderr, "Error in delete_sam_account %s\n",
get_friendly_nt_error_msg(rv));
}
pdb->setsampwent(pdb, False, 0);
while (NT_STATUS_IS_OK(pdb->getsampwent(pdb, out))) {
if (pdb_get_username(out) == NULL) {
fprintf(stderr, "Got bad username through getsampwent()\n");
error = True;
break;
}
if (NT_STATUS_IS_ERR(pdb->getsampwnam(pdb, in, pdb_get_username(out)))) {
fprintf(stderr, "Error getting samu through getsampwnam() of an account we got through getsampwent!\n");
error = True;
continue;
}
if (!samu_correct(out, in)) {
printf("Record gotten through getsampwnam() differs from same record through getsampwent()\n");
}
}
pdb->endsampwent(pdb);
TALLOC_FREE(ctx);
if (error) {
return 1;
}
return 0;
}
NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
char *unix_username,
struct passwd *pwd)
{
NTSTATUS status;
struct samu *sampass = NULL;
char *qualified_name = NULL;
TALLOC_CTX *mem_ctx = NULL;
struct dom_sid u_sid;
enum lsa_SidType type;
struct auth_serversupplied_info *result;
/*
* The SID returned in server_info->sam_account is based
* on our SAM sid even though for a pure UNIX account this should
* not be the case as it doesn't really exist in the SAM db.
* This causes lookups on "[in]valid users" to fail as they
* will lookup this name as a "Unix User" SID to check against
* the user token. Fix this by adding the "Unix User"\unix_username
* SID to the sid array. The correct fix should probably be
* changing the server_info->sam_account user SID to be a
* S-1-22 Unix SID, but this might break old configs where
* plaintext passwords were used with no SAM backend.
*/
mem_ctx = talloc_init("make_server_info_pw_tmp");
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
unix_users_domain_name(),
unix_username );
if (!qualified_name) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
NULL, NULL,
&u_sid, &type)) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_NO_SUCH_USER;
}
TALLOC_FREE(mem_ctx);
if (type != SID_NAME_USER) {
return NT_STATUS_NO_SUCH_USER;
}
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
status = samu_set_unix( sampass, pwd );
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* In pathological cases the above call can set the account
* name to the DOMAIN\username form. Reset the account name
* using unix_username */
pdb_set_username(sampass, unix_username, PDB_SET);
/* set the user sid to be the calculated u_sid */
pdb_set_user_sid(sampass, &u_sid, PDB_SET);
result = make_server_info(NULL);
if (result == NULL) {
TALLOC_FREE(sampass);
return NT_STATUS_NO_MEMORY;
}
status = samu_to_SamInfo3(result, sampass, global_myname(),
&result->info3, &result->extra);
TALLOC_FREE(sampass);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Failed to convert samu to info3: %s\n",
nt_errstr(status)));
TALLOC_FREE(result);
return status;
}
result->unix_name = talloc_strdup(result, unix_username);
result->sanitized_username = sanitize_username(result, unix_username);
if ((result->unix_name == NULL)
|| (result->sanitized_username == NULL)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
result->utok.uid = pwd->pw_uid;
result->utok.gid = pwd->pw_gid;
*server_info = result;
return NT_STATUS_OK;
}
static NTSTATUS check_sam_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
struct samu *sampass=NULL;
BOOL ret;
NTSTATUS nt_status;
NTSTATUS update_login_attempts_status;
DATA_BLOB user_sess_key = data_blob(NULL, 0);
DATA_BLOB lm_sess_key = data_blob(NULL, 0);
BOOL updated_autolock = False, updated_badpw = False;
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
}
/* Can't use the talloc version here, because the returned struct gets
kept on the server_info */
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
/* get the account information */
become_root();
ret = pdb_getsampwnam(sampass, user_info->internal_username);
unbecome_root();
if (ret == False) {
DEBUG(3,("check_sam_security: Couldn't find user '%s' in "
"passdb.\n", user_info->internal_username));
TALLOC_FREE(sampass);
return NT_STATUS_NO_SUCH_USER;
}
/* see if autolock flag needs to be updated */
if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL)
pdb_update_autolock_flag(sampass, &updated_autolock);
/* Quit if the account was locked out. */
if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass)));
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
nt_status = sam_password_ok(auth_context, mem_ctx, sampass,
user_info, &user_sess_key, &lm_sess_key);
/* Notify passdb backend of login success/failure. If not NT_STATUS_OK the backend doesn't like the login */
update_login_attempts_status = pdb_update_login_attempts(sampass, NT_STATUS_IS_OK(nt_status));
if (!NT_STATUS_IS_OK(update_login_attempts_status))
nt_status = update_login_attempts_status;
if (!NT_STATUS_IS_OK(nt_status)) {
if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) &&
pdb_get_acct_ctrl(sampass) &ACB_NORMAL) {
pdb_increment_bad_password_count(sampass);
updated_badpw = True;
} else {
pdb_update_bad_password_count(sampass,
&updated_badpw);
}
if (updated_autolock || updated_badpw){
become_root();
if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass)))
DEBUG(1, ("Failed to modify entry.\n"));
unbecome_root();
}
data_blob_free(&user_sess_key);
data_blob_free(&lm_sess_key);
TALLOC_FREE(sampass);
return nt_status;
}
if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
(pdb_get_bad_password_count(sampass) > 0)){
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
updated_badpw = True;
}
if (updated_autolock || updated_badpw){
become_root();
if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass)))
DEBUG(1, ("Failed to modify entry.\n"));
unbecome_root();
}
nt_status = sam_account_ok(mem_ctx, sampass, user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(sampass);
data_blob_free(&user_sess_key);
data_blob_free(&lm_sess_key);
return nt_status;
}
become_root();
nt_status = make_server_info_sam(server_info, sampass);
unbecome_root();
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
TALLOC_FREE(sampass);
data_blob_free(&user_sess_key);
data_blob_free(&lm_sess_key);
return nt_status;
}
(*server_info)->user_session_key =
data_blob_talloc(*server_info, user_sess_key.data,
user_sess_key.length);
data_blob_free(&user_sess_key);
(*server_info)->lm_session_key =
data_blob_talloc(*server_info, lm_sess_key.data,
lm_sess_key.length);
data_blob_free(&lm_sess_key);
(*server_info)->was_mapped |= user_info->was_mapped;
return nt_status;
}
static int new_machine(const char *machinename, char *machine_sid)
{
char *err = NULL, *msg = NULL;
struct samu *sam_pwent = NULL;
TALLOC_CTX *tosctx;
NTSTATUS status;
struct dom_sid m_sid;
char *compatpwd;
char *name;
int flags;
int len;
int ret;
len = strlen(machinename);
if (len == 0) {
fprintf(stderr, "No machine name given\n");
return -1;
}
tosctx = talloc_tos();
if (!tosctx) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (machine_sid) {
if (get_sid_from_cli_string(&m_sid, machine_sid)) {
fprintf(stderr, "Failed to parse SID\n");
return -1;
}
}
compatpwd = talloc_strdup(tosctx, machinename);
if (!compatpwd) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (machinename[len-1] == '$') {
name = talloc_strdup(tosctx, machinename);
compatpwd[len-1] = '\0';
} else {
name = talloc_asprintf(tosctx, "%s$", machinename);
}
if (!name) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (!strlower_m(name)) {
fprintf(stderr, "strlower_m %s failed\n", name);
return -1;
}
flags = LOCAL_ADD_USER | LOCAL_TRUST_ACCOUNT | LOCAL_SET_PASSWORD;
status = local_password_change(name, flags, compatpwd, &err, &msg);
if (!NT_STATUS_IS_OK(status)) {
if (err) fprintf(stderr, "%s", err);
ret = -1;
}
sam_pwent = samu_new(tosctx);
if (!sam_pwent) {
fprintf(stderr, "Out of memory!\n");
ret = -1;
goto done;
}
if (!pdb_getsampwnam(sam_pwent, name)) {
fprintf(stderr, "Machine %s not found!\n", name);
ret = -1;
goto done;
}
if (machine_sid)
pdb_set_user_sid(sam_pwent, &m_sid, PDB_CHANGED);
status = pdb_update_sam_account(sam_pwent);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr,
"Failed to modify entry for %s.!\n", name);
ret = -1;
goto done;
}
print_user_info(name, True, False);
ret = 0;
done:
SAFE_FREE(err);
SAFE_FREE(msg);
TALLOC_FREE(sam_pwent);
return ret;
}
static int export_database (struct pdb_methods *in,
struct pdb_methods *out,
const char *username)
{
NTSTATUS status;
struct pdb_search *u_search;
struct samr_displayentry userentry;
DEBUG(3, ("export_database: username=\"%s\"\n", username ? username : "******"));
u_search = pdb_search_init(talloc_tos(), PDB_USER_SEARCH);
if (u_search == NULL) {
DEBUG(0, ("pdb_search_init failed\n"));
return 1;
}
if (!in->search_users(in, u_search, 0)) {
DEBUG(0, ("Could not start searching users\n"));
TALLOC_FREE(u_search);
return 1;
}
while (u_search->next_entry(u_search, &userentry)) {
struct samu *user;
struct samu *account;
struct dom_sid user_sid;
DEBUG(4, ("Processing account %s\n", userentry.account_name));
if ((username != NULL)
&& (strcmp(username, userentry.account_name) != 0)) {
/*
* ignore unwanted users
*/
continue;
}
user = samu_new(talloc_tos());
if (user == NULL) {
DEBUG(0, ("talloc failed\n"));
break;
}
sid_compose(&user_sid, get_global_sam_sid(), userentry.rid);
status = in->getsampwsid(in, user, &user_sid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("getsampwsid failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(user);
continue;
}
account = samu_new(NULL);
if (account == NULL) {
fprintf(stderr, "export_database: Memory allocation "
"failure!\n");
TALLOC_FREE( user );
TALLOC_FREE(u_search);
return 1;
}
printf("Importing account for %s...", user->username);
status = out->getsampwnam(out, account, user->username);
if (NT_STATUS_IS_OK(status)) {
status = out->update_sam_account( out, user );
} else {
status = out->add_sam_account(out, user);
}
if ( NT_STATUS_IS_OK(status) ) {
printf( "ok\n");
} else {
printf( "failed\n");
}
TALLOC_FREE( account );
TALLOC_FREE( user );
}
TALLOC_FREE(u_search);
return 0;
}
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
unsigned int ctrl;
int retval, *ret_data = NULL;
struct samu *sampass = NULL;
const char *name;
void (*oldsig_handler)(int) = NULL;
bool found;
/* Points to memory managed by the PAM library. Do not free. */
char *p = NULL;
/* Samba initialization. */
load_case_tables();
lp_set_in_client(True);
ctrl = set_ctrl(pamh, flags, argc, argv);
/* Get a few bytes so we can pass our return value to
pam_sm_setcred(). */
ret_data = SMB_MALLOC_P(int);
/* we need to do this before we call AUTH_RETURN */
/* Getting into places that might use LDAP -- protect the app
from a SIGPIPE it's not expecting */
oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
/* get the username */
retval = pam_get_user( pamh, &name, "Username: "******"auth: could not identify user");
}
AUTH_RETURN;
}
if (on( SMB_DEBUG, ctrl )) {
_log_err(pamh, LOG_DEBUG, "username [%s] obtained", name );
}
if (geteuid() != 0) {
_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
retval = PAM_AUTHINFO_UNAVAIL;
AUTH_RETURN;
}
if (!initialize_password_db(True, NULL)) {
_log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
retval = PAM_AUTHINFO_UNAVAIL;
AUTH_RETURN;
}
sampass = samu_new( NULL );
if (!sampass) {
_log_err(pamh, LOG_ALERT, "Cannot talloc a samu struct" );
retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
AUTH_RETURN;
}
found = pdb_getsampwnam( sampass, name );
if (on( SMB_MIGRATE, ctrl )) {
retval = _smb_add_user(pamh, ctrl, name, sampass, found);
TALLOC_FREE(sampass);
AUTH_RETURN;
}
if (!found) {
_log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", name);
retval = PAM_USER_UNKNOWN;
TALLOC_FREE(sampass);
sampass = NULL;
AUTH_RETURN;
}
/* if this user does not have a password... */
if (_smb_blankpasswd( ctrl, sampass )) {
TALLOC_FREE(sampass);
retval = PAM_SUCCESS;
AUTH_RETURN;
}
/* get this user's authentication token */
retval = _smb_read_password(pamh, ctrl, NULL, "Password: "******"auth: no password provided for [%s]", name);
TALLOC_FREE(sampass);
AUTH_RETURN;
}
/* verify the password of this user */
retval = _smb_verify_password( pamh, sampass, p, ctrl );
TALLOC_FREE(sampass);
p = NULL;
AUTH_RETURN;
}
static int tdbsam_convert_one(struct db_record *rec, void *priv)
{
struct tdbsam_convert_state *state =
(struct tdbsam_convert_state *)priv;
struct samu *user;
TDB_DATA data;
NTSTATUS status;
bool ret;
TDB_DATA key;
TDB_DATA value;
key = dbwrap_record_get_key(rec);
if (key.dsize < USERPREFIX_LEN) {
return 0;
}
if (strncmp((char *)key.dptr, USERPREFIX, USERPREFIX_LEN) != 0) {
return 0;
}
user = samu_new(talloc_tos());
if (user == NULL) {
DEBUG(0,("tdbsam_convert: samu_new() failed!\n"));
state->success = false;
return -1;
}
DEBUG(10,("tdbsam_convert: Try unpacking a record with (key:%s) "
"(version:%d)\n", (char *)key.dptr, state->from));
value = dbwrap_record_get_value(rec);
switch (state->from) {
case 0:
ret = init_samu_from_buffer(user, SAMU_BUFFER_V0,
(uint8_t *)value.dptr,
value.dsize);
break;
case 1:
ret = init_samu_from_buffer(user, SAMU_BUFFER_V1,
(uint8_t *)value.dptr,
value.dsize);
break;
case 2:
ret = init_samu_from_buffer(user, SAMU_BUFFER_V2,
(uint8_t *)value.dptr,
value.dsize);
break;
case 3:
ret = init_samu_from_buffer(user, SAMU_BUFFER_V3,
(uint8_t *)value.dptr,
value.dsize);
break;
case 4:
ret = init_samu_from_buffer(user, SAMU_BUFFER_V4,
(uint8_t *)value.dptr,
value.dsize);
break;
default:
/* unknown tdbsam version */
ret = False;
}
if (!ret) {
DEBUG(0,("tdbsam_convert: Bad struct samu entry returned "
"from TDB (key:%s) (version:%d)\n", (char *)key.dptr,
state->from));
TALLOC_FREE(user);
state->success = false;
return -1;
}
data.dsize = init_buffer_from_samu(&data.dptr, user, false);
TALLOC_FREE(user);
if (data.dsize == -1) {
DEBUG(0,("tdbsam_convert: cannot pack the struct samu into "
"the new format\n"));
state->success = false;
return -1;
}
status = dbwrap_record_store(rec, data, TDB_MODIFY);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Could not store the new record: %s\n",
nt_errstr(status)));
state->success = false;
return -1;
}
return 0;
}
NTSTATUS check_sam_security(const DATA_BLOB *challenge,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
struct samu *sampass=NULL;
bool ret;
NTSTATUS nt_status;
NTSTATUS update_login_attempts_status;
DATA_BLOB user_sess_key = data_blob_null;
DATA_BLOB lm_sess_key = data_blob_null;
bool updated_badpw = False;
const char *username;
const uint8_t *nt_pw;
const uint8_t *lm_pw;
uint32_t acct_ctrl;
/* the returned struct gets kept on the server_info, by means
of a steal further down */
sampass = samu_new(mem_ctx);
if (sampass == NULL) {
return NT_STATUS_NO_MEMORY;
}
/* get the account information */
become_root();
ret = pdb_getsampwnam(sampass, user_info->mapped.account_name);
unbecome_root();
if (ret == False) {
DEBUG(3,("check_sam_security: Couldn't find user '%s' in "
"passdb.\n", user_info->mapped.account_name));
TALLOC_FREE(sampass);
return NT_STATUS_NO_SUCH_USER;
}
acct_ctrl = pdb_get_acct_ctrl(sampass);
username = pdb_get_username(sampass);
nt_pw = pdb_get_nt_passwd(sampass);
lm_pw = pdb_get_lanman_passwd(sampass);
/* Quit if the account was locked out. */
if (acct_ctrl & ACB_AUTOLOCK) {
DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
TALLOC_FREE(sampass);
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
nt_status = sam_password_ok(mem_ctx,
username, acct_ctrl,
challenge, lm_pw, nt_pw,
user_info, &user_sess_key, &lm_sess_key);
/* Notify passdb backend of login success/failure. If not
NT_STATUS_OK the backend doesn't like the login */
update_login_attempts_status = pdb_update_login_attempts(sampass, NT_STATUS_IS_OK(nt_status));
if (!NT_STATUS_IS_OK(nt_status)) {
bool increment_bad_pw_count = false;
if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) &&
(acct_ctrl & ACB_NORMAL) &&
NT_STATUS_IS_OK(update_login_attempts_status))
{
increment_bad_pw_count =
need_to_increment_bad_pw_count(
challenge, sampass, user_info);
}
if (increment_bad_pw_count) {
pdb_increment_bad_password_count(sampass);
updated_badpw = True;
} else {
pdb_update_bad_password_count(sampass,
&updated_badpw);
}
if (updated_badpw){
NTSTATUS status;
become_root();
status = pdb_update_sam_account(sampass);
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to modify entry: %s\n",
nt_errstr(status)));
}
}
goto done;
}
/*
* We must only reset the bad password count if the login was
* successful, including checking account policies
*/
nt_status = sam_account_ok(mem_ctx, sampass, user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
goto done;
}
if ((acct_ctrl & ACB_NORMAL) &&
(pdb_get_bad_password_count(sampass) > 0)){
NTSTATUS status;
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
become_root();
status = pdb_update_sam_account(sampass);
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to modify entry: %s\n",
nt_errstr(status)));
}
}
become_root();
nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
unbecome_root();
TALLOC_FREE(sampass);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
goto done;
}
(*server_info)->session_key =
data_blob_talloc(*server_info, user_sess_key.data,
user_sess_key.length);
data_blob_free(&user_sess_key);
(*server_info)->lm_session_key =
data_blob_talloc(*server_info, lm_sess_key.data,
lm_sess_key.length);
data_blob_free(&lm_sess_key);
(*server_info)->nss_token |= user_info->was_mapped;
done:
TALLOC_FREE(sampass);
data_blob_free(&user_sess_key);
data_blob_free(&lm_sess_key);
return nt_status;
}
