svn commit: samba r1778 - branches/SAMBA_3_0/source/auth

Thu, 12 Aug 2004 11:20:45 -0700 

Author: jra
Date: 2004-08-12 18:20:02 +0000 (Thu, 12 Aug 2004)
New Revision: 1778
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/&rev=1778&nolog=1
Log:
Fix based on code from Richard Renard <[EMAIL PROTECTED]> to
enforce logon hours. ldap fixes to follow.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/auth/auth_sam.c

Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_sam.c   2004-08-12 18:19:57 UTC (rev 1777)
+++ branches/SAMBA_3_0/source/auth/auth_sam.c   2004-08-12 18:20:02 UTC (rev 1778)
@@ -65,7 +65,44 @@
                                   lm_pw, nt_pw, user_sess_key, lm_sess_key);
 }
 
+/****************************************************************************
+ Check if a user is allowed to logon at this time. Note this is the
+ servers local time, as logon hours are just specified as a weekly
+ bitmask.
+****************************************************************************/
+                                                                                      
                        
+static BOOL logon_hours_ok(SAM_ACCOUNT *sampass)
+{
+       /* In logon hours first bit is Sunday from 12AM to 1AM */
+       extern struct timeval smb_last_time;
+       const uint8 *hours;
+       struct tm *utctime;
+       uint8 bitmask, bitpos;
 
+       hours = pdb_get_hours(sampass);
+       if (!hours) {
+               DEBUG(5,("logon_hours_ok: No hours restrictions for user 
%s\n",pdb_get_username(sampass)));
+               return True;
+       }
+
+       utctime = localtime(&smb_last_time.tv_sec);
+
+       /* find the corresponding byte and bit */
+       bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168;
+       bitmask = 1 << (bitpos % 8);
+
+       if (! (hours[bitpos/8] & bitmask)) {
+               DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at 
this time (UTC %s).\n",
+                       pdb_get_username(sampass), asctime(utctime) ));
+               return False;
+       }
+
+       DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (UTC %s)\n",
+               pdb_get_username(sampass), asctime(utctime) ));
+
+       return True;
+}
+
 /****************************************************************************
  Do a specific test for a SAM_ACCOUNT being vaild for this connection 
  (ie not disabled, expired and the like).
@@ -93,6 +130,11 @@
                return NT_STATUS_ACCOUNT_LOCKED_OUT;
        }
 
+       /* Quit if the account is not allowed to logon at this time. */
+       if (! logon_hours_ok(sampass)) {
+               return NT_STATUS_INVALID_LOGON_HOURS;
+       }
+
        /* Test account expire time */
        
        kickoff_time = pdb_get_kickoff_time(sampass);

Reply via email to