svn commit: samba r24061 - in branches/SAMBA_4_0/source: auth kdc
abartlet at samba.org
abartlet at samba.org
Fri Jul 27 06:31:13 GMT 2007
Author: abartlet
Date: 2007-07-27 06:31:12 +0000 (Fri, 27 Jul 2007)
New Revision: 24061
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24061
Log:
Another part of bug #4823, which is that until now Samba4 didn't parse
the logon hours, even if set.
This code happily stolen from the great work in Samba3 :-)
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/auth.h
branches/SAMBA_4_0/source/auth/sam.c
branches/SAMBA_4_0/source/kdc/hdb-ldb.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth.h
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.h 2007-07-27 03:08:15 UTC (rev 24060)
+++ branches/SAMBA_4_0/source/auth/auth.h 2007-07-27 06:31:12 UTC (rev 24061)
@@ -21,6 +21,8 @@
#ifndef _SAMBA_AUTH_H
#define _SAMBA_AUTH_H
+extern const char *user_attrs[];
+
union netr_Validation;
struct netr_SamBaseInfo;
struct netr_SamInfo3;
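Review bot: The new `extern const char *user_attrs[];` declaration following `#define _SAMBA_AUTH_H` exports the attribute list without saying where it is defined or who consumes it, and unlike the `static const char * const krb5_attrs[]` it replaces in kdc/hdb-ldb.c, its pointer elements are not const, so any translation unit including this header can reassign entries at runtime. A one-line comment would help readers of the header: `/* LDAP attributes fetched for a user account; defined in auth/sam.c, shared with kdc/hdb-ldb.c */`. If the definition in sam.c can be changed to `const char * const user_attrs[]`, this declaration should match so the shared list stays read-only.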
Modified: branches/SAMBA_4_0/source/auth/sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/sam.c 2007-07-27 03:08:15 UTC (rev 24060)
+++ branches/SAMBA_4_0/source/auth/sam.c 2007-07-27 06:31:12 UTC (rev 24061)
@@ -45,6 +45,7 @@
"pwdLastSet",
"accountExpires",
+ "logonHours",
"objectSid",
@@ -67,9 +68,70 @@
};
const char *domain_ref_attrs[] = {"nETBIOSName", "nCName",
- "dnsRoot", "objectClass", NULL};
+ "dnsRoot", "objectClass", NULL};
+/****************************************************************************
+ Check if a user is allowed to logon at this time. Note this is the
+ servers local time, as logon hours are just specified as a weekly
+ bitmask.
+****************************************************************************/
+
+static BOOL logon_hours_ok(struct ldb_message *msg, const char *name_for_logs)
+{
+ /* In logon hours first bit is Sunday from 12AM to 1AM */
+ const struct ldb_val *hours;
+ struct tm *utctime;
+ time_t lasttime;
+ const char *asct;
+ uint8_t bitmask, bitpos;
+ hours = ldb_msg_find_ldb_val(msg, "logonHours");
+ if (!hours) {
+ DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n", name_for_logs));
+ return True;
+ }
+
+ if (hours->length != 168/8) {
+ DEBUG(5,("logon_hours_ok: malformed logon hours restrictions for user %s\n", name_for_logs));
+ return True;
+ }
+
+ lasttime = time(NULL);
+ utctime = gmtime(&lasttime);
+ if (!utctime) {
+ DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n",
+ name_for_logs));
+ return False;
+ }
+
+ /* find the corresponding byte and bit */
+ bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168;
+ bitmask = 1 << (bitpos % 8);
+
+ if (! (hours->data[bitpos/8] & bitmask)) {
+ struct tm *t = localtime(&lasttime);
+ if (!t) {
+ asct = "INVALID TIME";
+ } else {
+ asct = asctime(t);
+ if (!asct) {
+ asct = "INVALID TIME";
+ }
+ }
+
+ DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to "
+ "logon at this time (%s).\n",
+ name_for_logs, asct ));
+ return False;
+ }
+
+ asct = asctime(utctime);
+ DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n",
+ name_for_logs, asct ? asct : "UNKNOWN TIME" ));
+
+ return True;
+}
+
/****************************************************************************
Do a specific test for a SAM_ACCOUNT being vaild for this connection
(ie not disabled, expired and the like).
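Review bot: In logon_hours_ok the `hours->length != 168/8` branch logs a malformed attribute and then returns True, so a corrupt or truncated logonHours value lifts the restriction entirely (fail open), while only the missing-attribute case above it genuinely means "no restriction". If matching Samba3 is the intent, state it next to the return, `/* fail open on a malformed value, as Samba3 does */`; otherwise return False and log at level 1 like the gmtime() failure below. The header comment also claims the check uses "the servers local time", but the bit is selected from `gmtime(&lasttime)`, i.e. UTC, and localtime() is only used to format the denial message; the comment should read "Note this is evaluated in UTC, as logonHours is a weekly bitmask indexed by UTC hour". gmtime() and asctime() return pointers to static storage; that is safe here because the function returns before either buffer is reused, but it is worth a short comment so a later refactor does not hold `utctime` across the localtime() call.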
@@ -164,6 +226,10 @@
}
}
+ if (!logon_hours_ok(msg, name_for_logs)) {
+ return NT_STATUS_INVALID_LOGON_HOURS;
+ }
+
if (acct_flags & ACB_DOMTRUST) {
DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
Modified: branches/SAMBA_4_0/source/kdc/hdb-ldb.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/hdb-ldb.c 2007-07-27 03:08:15 UTC (rev 24060)
+++ branches/SAMBA_4_0/source/kdc/hdb-ldb.c 2007-07-27 06:31:12 UTC (rev 24061)
@@ -54,29 +54,6 @@
{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
-static const char * const krb5_attrs[] = {
- "objectClass",
- "sAMAccountName",
-
- "userPrincipalName",
- "servicePrincipalName",
-
- "userAccountControl",
-
- "pwdLastSet",
- "accountExpires",
-
- "whenCreated",
- "whenChanged",
-
- "msDS-KeyVersionNumber",
-
- "unicodePwd",
- "supplementalCredentials",
-
- NULL
-};
-
static const char *realm_ref_attrs[] = {
"nCName",
"dnsRoot",
@@ -615,7 +592,7 @@
krb5_error_code ret;
int lret;
char *filter = NULL;
- const char * const *princ_attrs = krb5_attrs;
+ const char * const *princ_attrs = user_attrs;
char *short_princ;
char *short_princ_talloc;
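Review bot: Switching princ_attrs from krb5_attrs to user_attrs here (and in the gendb_search_dn and ldb_search hunks below) makes the KDC depend on the auth module's list containing every attribute the removed `static const char * const krb5_attrs[]` named — userPrincipalName, servicePrincipalName, msDS-KeyVersionNumber, unicodePwd and supplementalCredentials among them — but user_attrs' full definition is not in this diff, so that coverage should be verified; an attribute silently absent from the search result would surface later as a key or kvno lookup failure rather than at this line. A comment at the definition in auth/sam.c, `/* also used by kdc/hdb-ldb.c: keep every attribute the KDC needs (keys, kvno, SPNs) in this list */`, would keep the two consumers from drifting apart. The enclosing function begins before this hunk.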
@@ -886,7 +863,7 @@
}
ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
- mem_ctx, user_dn, &msg, krb5_attrs);
+ mem_ctx, user_dn, &msg, user_attrs);
if (ldb_ret != 1) {
return HDB_ERR_NOENTRY;
@@ -1083,7 +1060,7 @@
lret = ldb_search(ldb_ctx, realm_dn,
LDB_SCOPE_SUBTREE, "(objectClass=user)",
- krb5_attrs, &res);
+ user_attrs, &res);
if (lret != LDB_SUCCESS) {
talloc_free(priv);