The branch, master has been updated
via 20e7b4e s3-auth: The unlock of the account is now done by the
get_sampwnam call.
via c5cfad1 s3-passdb: Try to unlock the account if it is locked out.
via 2ab0b63 s3-passdb: Added a pdb_try_account_unlock function.
via 9dd7e7f s3-auth: Use SamInfo3_for_guest to create guest server_info.
from 5f419ea packaging: Build with -O3
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 20e7b4ec744dead1544a4b7625dc3fcb5d802418
Author: Andreas Schneider <[email protected]>
Date: Mon Aug 23 23:02:44 2010 +0200
s3-auth: The unlock of the account is now done by the get_sampwnam call.
Signed-off-by: Simo Sorce <[email protected]>
commit c5cfad142c6bc5cd4819726cf2444108bc7639c3
Author: Andreas Schneider <[email protected]>
Date: Mon Aug 23 10:08:53 2010 +0200
s3-passdb: Try to unlock the account if it is locked out.
Signed-off-by: Simo Sorce <[email protected]>
commit 2ab0b63bd89d2d833695dc33aecec7a63ccbab0c
Author: Andreas Schneider <[email protected]>
Date: Mon Aug 23 10:08:34 2010 +0200
s3-passdb: Added a pdb_try_account_unlock function.
The function checks if the account has been autolocked. If we have a
lockout_duration and a bad password time it checks if we can unlock the
account.
Signed-off-by: Simo Sorce <[email protected]>
commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd
Author: Andreas Schneider <[email protected]>
Date: Wed Aug 18 17:17:42 2010 +0200
s3-auth: Use SamInfo3_for_guest to create guest server_info.
Signed-off-by: Simo Sorce <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth_util.c | 89 +++++++++++++++++++++------
source3/auth/check_samsec.c | 7 +--
source3/passdb/pdb_interface.c | 131 +++++++++++++++++++++++++++++++++++++--
3 files changed, 196 insertions(+), 31 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1ff9714..23f557a 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -25,6 +25,7 @@
#include "smbd/globals.h"
#include "../libcli/auth/libcli_auth.h"
#include "../lib/crypto/arcfour.h"
+#include "rpc_client/init_lsa.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -631,6 +632,54 @@ NTSTATUS make_server_info_pw(struct
auth_serversupplied_info **server_info,
return NT_STATUS_OK;
}
+static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
+ struct netr_SamInfo3 *info3)
+{
+ const char *guest_account = lp_guestaccount();
+ struct dom_sid domain_sid;
+ struct passwd *pwd;
+ const char *tmp;
+ NTSTATUS status;
+
+ pwd = getpwnam_alloc(mem_ctx, guest_account);
+ if (pwd == NULL) {
+ DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
+ "account [%s]!\n", guest_account));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* Set acount name */
+ tmp = talloc_strdup(mem_ctx, pwd->pw_name);
+ if (tmp == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ init_lsa_String(&info3->base.account_name, tmp);
+
+ /* Set domain name */
+ tmp = talloc_strdup(mem_ctx, get_global_sam_name());
+ if (tmp == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ init_lsa_StringLarge(&info3->base.domain, tmp);
+
+ /* Domain sid */
+ sid_copy(&domain_sid, get_global_sam_sid());
+
+ info3->base.domain_sid = sid_dup_talloc(mem_ctx, &domain_sid);
+ if (info3->base.domain_sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Guest rid */
+ info3->base.rid = DOMAIN_RID_GUEST;
+
+ /* Primary gid */
+ info3->base.primary_gid = BUILTIN_RID_GUESTS;
+
+ TALLOC_FREE(pwd);
+ return status;
+}
+
/***************************************************************************
Make (and fill) a user_info struct for a guest login.
This *must* succeed for smbd to start. If there is no mapping entry for
@@ -639,43 +688,42 @@ NTSTATUS make_server_info_pw(struct
auth_serversupplied_info **server_info,
static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info
**server_info)
{
+ static const char zeros[16] = {0};
+ const char *guest_account = lp_guestaccount();
+ const char *domain = global_myname();
+ struct netr_SamInfo3 info3;
+ TALLOC_CTX *tmp_ctx;
NTSTATUS status;
- struct samu *sampass = NULL;
- struct dom_sid guest_sid;
- bool ret;
- static const char zeros[16] = {0, };
fstring tmp;
- if ( !(sampass = samu_new( NULL )) ) {
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
- sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
+ ZERO_STRUCT(info3);
- become_root();
- ret = pdb_getsampwsid(sampass, &guest_sid);
- unbecome_root();
-
- if (!ret) {
- TALLOC_FREE(sampass);
- return NT_STATUS_NO_SUCH_USER;
+ status = get_guest_info3(tmp_ctx, &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
}
- status = make_server_info_sam(server_info, sampass);
+ status = make_server_info_info3(tmp_ctx,
+ guest_account,
+ domain,
+ server_info,
+ &info3);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sampass);
- return status;
+ goto done;
}
- TALLOC_FREE(sampass);
-
(*server_info)->guest = True;
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(status)));
- return status;
+ goto done;
}
/* annoying, but the Guest really does have a session key, and it is
@@ -687,6 +735,9 @@ static NTSTATUS make_new_server_info_guest(struct
auth_serversupplied_info **ser
". _-$", sizeof(tmp));
(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
+ status = NT_STATUS_OK;
+done:
+ TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
}
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 3b2f471..8460110 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -403,9 +403,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
nt_pw = pdb_get_nt_passwd(sampass);
lm_pw = pdb_get_lanman_passwd(sampass);
- /* see if autolock flag needs to be updated */
- if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL)
- pdb_update_autolock_flag(sampass, &updated_autolock);
/* Quit if the account was locked out. */
if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
DEBUG(3,("check_sam_security: Account for user %s was locked
out.\n", username));
@@ -441,7 +438,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
pdb_update_bad_password_count(sampass,
&updated_badpw);
}
- if (updated_autolock || updated_badpw){
+ if (updated_badpw){
NTSTATUS status;
become_root();
@@ -463,7 +460,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
updated_badpw = True;
}
- if (updated_autolock || updated_badpw){
+ if (updated_badpw){
NTSTATUS status;
become_root();
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index ddc7ad4..4f93b33 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -220,14 +220,107 @@ struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX
*mem_ctx)
return pdb->get_domain_info(pdb, mem_ctx);
}
+/**
+ * @brief Check if the user account has been locked out and try to unlock it.
+ *
+ * If the user has been automatically locked out and a lockout duration is set,
+ * then check if we can unlock the account and reset the bad password values.
+ *
+ * @param[in] sampass The sam user to check.
+ *
+ * @return True if the function was successfull, false on an
error.
+ */
+static bool pdb_try_account_unlock(struct samu *sampass)
+{
+ uint32_t acb_info = pdb_get_acct_ctrl(sampass);
+
+ if (acb_info & (ACB_NORMAL|ACB_AUTOLOCK)) {
+ uint32_t lockout_duration;
+ time_t bad_password_time;
+ time_t now = time(NULL);
+ bool ok;
+
+ ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
+ &lockout_duration);
+ if (!ok) {
+ DEBUG(0, ("pdb_try_account_unlock: "
+ "pdb_get_account_policy failed.\n"));
+ return false;
+ }
+
+ if (lockout_duration == (uint32_t) -1 ||
+ lockout_duration == 0) {
+ DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
+ "can't reset autolock\n"));
+ return false;
+ }
+ lockout_duration *= 60;
+
+ bad_password_time = pdb_get_bad_password_time(sampass);
+ if (bad_password_time == (time_t) 0) {
+ DEBUG(2, ("pdb_try_account_unlock: Account %s "
+ "administratively locked out "
+ "with no bad password "
+ "time. Leaving locked out.\n",
+ pdb_get_username(sampass)));
+ return true;
+ }
+
+ if ((bad_password_time +
+ convert_uint32_t_to_time_t(lockout_duration)) < now) {
+ NTSTATUS status;
+
+ pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
+ PDB_CHANGED);
+ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+ pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("_samr_OpenUser: Couldn't "
+ "update account %s - %s\n",
+ pdb_get_username(sampass),
+ nt_errstr(status)));
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ * @param[in] sam_acct The sam user structure to fill.
+ *
+ * @param[in] username The username to look for.
+ *
+ * @return True on success, false on error.
+ */
bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
{
struct pdb_methods *pdb = pdb_get_methods();
struct samu *for_cache;
const struct dom_sid *user_sid;
+ NTSTATUS status;
+ bool ok;
- if (!NT_STATUS_IS_OK(pdb->getsampwnam(pdb, sam_acct, username))) {
- return False;
+ status = pdb->getsampwnam(pdb, sam_acct, username);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ok = pdb_try_account_unlock(sam_acct);
+ if (!ok) {
+ DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
+ username));
}
for_cache = samu_new(NULL);
@@ -271,14 +364,26 @@ static bool guest_user_info( struct samu *user )
return NT_STATUS_IS_OK( result );
}
-/**********************************************************************
-**********************************************************************/
-
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ *
+ * @param[in] sam_acct The sam user structure to fill.
+ *
+ * @param[in] sid The user SDI to look up.
+ *
+ * @return True on success, false on error.
+ */
bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
{
struct pdb_methods *pdb = pdb_get_methods();
uint32_t rid;
void *cache_data;
+ bool ok = false;
/* hard code the Guest RID of 501 */
@@ -299,10 +404,22 @@ bool pdb_getsampwsid(struct samu *sam_acct, const struct
dom_sid *sid)
struct samu *cache_copy = talloc_get_type_abort(
cache_data, struct samu);
- return pdb_copy_sam_account(sam_acct, cache_copy);
+ ok = pdb_copy_sam_account(sam_acct, cache_copy);
+ } else {
+ ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+ }
+
+ if (!ok) {
+ return false;
+ }
+
+ ok = pdb_try_account_unlock(sam_acct);
+ if (!ok) {
+ DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
+ sam_acct->username));
}
- return NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+ return true;
}
static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
--
Samba Shared Repository
