[SCM] Samba Shared Repository - branch master updated

Simo Sorce idra at samba.org
Mon Aug 30 08:44:23 MDT 2010


The branch, master has been updated
       via  20e7b4e s3-auth: The unlock of the account is now done by the get_sampwnam call.
       via  c5cfad1 s3-passdb: Try to unlock the account if it is locked out.
       via  2ab0b63 s3-passdb: Added a pdb_try_account_unlock function.
       via  9dd7e7f s3-auth: Use SamInfo3_for_guest to create guest server_info.
      from  5f419ea packaging: Build with -O3

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 20e7b4ec744dead1544a4b7625dc3fcb5d802418
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 23 23:02:44 2010 +0200

    s3-auth: The unlock of the account is now done by the get_sampwnam call.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit c5cfad142c6bc5cd4819726cf2444108bc7639c3
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 23 10:08:53 2010 +0200

    s3-passdb: Try to unlock the account if it is locked out.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 2ab0b63bd89d2d833695dc33aecec7a63ccbab0c
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 23 10:08:34 2010 +0200

    s3-passdb: Added a pdb_try_account_unlock function.
    
    The function checks if the account has been autolocked. If we have a
    lockout_duration and a bad password time it checks if we can unlock the
    account.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 18 17:17:42 2010 +0200

    s3-auth: Use SamInfo3_for_guest to create guest server_info.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_util.c       |   89 +++++++++++++++++++++------
 source3/auth/check_samsec.c    |    7 +--
 source3/passdb/pdb_interface.c |  131 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 196 insertions(+), 31 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1ff9714..23f557a 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -25,6 +25,7 @@
 #include "smbd/globals.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../lib/crypto/arcfour.h"
+#include "rpc_client/init_lsa.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -631,6 +632,54 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
+				struct netr_SamInfo3 *info3)
+{
+	const char *guest_account = lp_guestaccount();
+	struct dom_sid domain_sid;
+	struct passwd *pwd;
+	const char *tmp;
+	NTSTATUS status;
+
+	pwd = getpwnam_alloc(mem_ctx, guest_account);
+	if (pwd == NULL) {
+		DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
+			 "account [%s]!\n", guest_account));
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	/* Set acount name */
+	tmp = talloc_strdup(mem_ctx, pwd->pw_name);
+	if (tmp == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	init_lsa_String(&info3->base.account_name, tmp);
+
+	/* Set domain name */
+	tmp = talloc_strdup(mem_ctx, get_global_sam_name());
+	if (tmp == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	init_lsa_StringLarge(&info3->base.domain, tmp);
+
+	/* Domain sid */
+	sid_copy(&domain_sid, get_global_sam_sid());
+
+	info3->base.domain_sid = sid_dup_talloc(mem_ctx, &domain_sid);
+	if (info3->base.domain_sid == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* Guest rid */
+	info3->base.rid = DOMAIN_RID_GUEST;
+
+	/* Primary gid */
+	info3->base.primary_gid = BUILTIN_RID_GUESTS;
+
+	TALLOC_FREE(pwd);
+	return status;
+}
+
 /***************************************************************************
  Make (and fill) a user_info struct for a guest login.
  This *must* succeed for smbd to start. If there is no mapping entry for
@@ -639,43 +688,42 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
 
 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
 {
+	static const char zeros[16] = {0};
+	const char *guest_account = lp_guestaccount();
+	const char *domain = global_myname();
+	struct netr_SamInfo3 info3;
+	TALLOC_CTX *tmp_ctx;
 	NTSTATUS status;
-	struct samu *sampass = NULL;
-	struct dom_sid guest_sid;
-	bool ret;
-	static const char zeros[16] = {0, };
 	fstring tmp;
 
-	if ( !(sampass = samu_new( NULL )) ) {
+	tmp_ctx = talloc_stackframe();
+	if (tmp_ctx == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
+	ZERO_STRUCT(info3);
 
-	become_root();
-	ret = pdb_getsampwsid(sampass, &guest_sid);
-	unbecome_root();
-
-	if (!ret) {
-		TALLOC_FREE(sampass);
-		return NT_STATUS_NO_SUCH_USER;
+	status = get_guest_info3(tmp_ctx, &info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
 	}
 
-	status = make_server_info_sam(server_info, sampass);
+	status = make_server_info_info3(tmp_ctx,
+					guest_account,
+					domain,
+					server_info,
+					&info3);
 	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sampass);
-		return status;
+		goto done;
 	}
 
-	TALLOC_FREE(sampass);
-
 	(*server_info)->guest = True;
 
 	status = create_local_token(*server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("create_local_token failed: %s\n",
 			   nt_errstr(status)));
-		return status;
+		goto done;
 	}
 
 	/* annoying, but the Guest really does have a session key, and it is
@@ -687,6 +735,9 @@ static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **ser
 		     ". _-$", sizeof(tmp));
 	(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
 
+	status = NT_STATUS_OK;
+done:
+	TALLOC_FREE(tmp_ctx);
 	return NT_STATUS_OK;
 }
 
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 3b2f471..8460110 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -403,9 +403,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 	nt_pw = pdb_get_nt_passwd(sampass);
 	lm_pw = pdb_get_lanman_passwd(sampass);
 
-	/* see if autolock flag needs to be updated */
-	if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL)
-		pdb_update_autolock_flag(sampass, &updated_autolock);
 	/* Quit if the account was locked out. */
 	if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
 		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
@@ -441,7 +438,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 			pdb_update_bad_password_count(sampass,
 						      &updated_badpw);
 		}
-		if (updated_autolock || updated_badpw){
+		if (updated_badpw){
 			NTSTATUS status;
 
 			become_root();
@@ -463,7 +460,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		updated_badpw = True;
 	}
 
-	if (updated_autolock || updated_badpw){
+	if (updated_badpw){
 		NTSTATUS status;
 
 		become_root();
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index ddc7ad4..4f93b33 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -220,14 +220,107 @@ struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
 	return pdb->get_domain_info(pdb, mem_ctx);
 }
 
+/**
+ * @brief Check if the user account has been locked out and try to unlock it.
+ *
+ * If the user has been automatically locked out and a lockout duration is set,
+ * then check if we can unlock the account and reset the bad password values.
+ *
+ * @param[in]  sampass  The sam user to check.
+ *
+ * @return              True if the function was successfull, false on an error.
+ */
+static bool pdb_try_account_unlock(struct samu *sampass)
+{
+	uint32_t acb_info = pdb_get_acct_ctrl(sampass);
+
+	if (acb_info & (ACB_NORMAL|ACB_AUTOLOCK)) {
+		uint32_t lockout_duration;
+		time_t bad_password_time;
+		time_t now = time(NULL);
+		bool ok;
+
+		ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
+					    &lockout_duration);
+		if (!ok) {
+			DEBUG(0, ("pdb_try_account_unlock: "
+				  "pdb_get_account_policy failed.\n"));
+			return false;
+		}
+
+		if (lockout_duration == (uint32_t) -1 ||
+		    lockout_duration == 0) {
+			DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
+				  "can't reset autolock\n"));
+			return false;
+		}
+		lockout_duration *= 60;
+
+		bad_password_time = pdb_get_bad_password_time(sampass);
+		if (bad_password_time == (time_t) 0) {
+			DEBUG(2, ("pdb_try_account_unlock: Account %s "
+				  "administratively locked out "
+				  "with no bad password "
+				  "time. Leaving locked out.\n",
+				  pdb_get_username(sampass)));
+			return true;
+		}
+
+		if ((bad_password_time +
+		     convert_uint32_t_to_time_t(lockout_duration)) < now) {
+			NTSTATUS status;
+
+			pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
+					  PDB_CHANGED);
+			pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+			pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+
+			become_root();
+			status = pdb_update_sam_account(sampass);
+			unbecome_root();
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(0, ("_samr_OpenUser: Couldn't "
+					  "update account %s - %s\n",
+					  pdb_get_username(sampass),
+					  nt_errstr(status)));
+				return false;
+			}
+		}
+	}
+
+	return true;
+}
+
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ * @param[in]  sam_acct  The sam user structure to fill.
+ *
+ * @param[in]  username  The username to look for.
+ *
+ * @return               True on success, false on error.
+ */
 bool pdb_getsampwnam(struct samu *sam_acct, const char *username) 
 {
 	struct pdb_methods *pdb = pdb_get_methods();
 	struct samu *for_cache;
 	const struct dom_sid *user_sid;
+	NTSTATUS status;
+	bool ok;
 
-	if (!NT_STATUS_IS_OK(pdb->getsampwnam(pdb, sam_acct, username))) {
-		return False;
+	status = pdb->getsampwnam(pdb, sam_acct, username);
+	if (!NT_STATUS_IS_OK(status)) {
+		return false;
+	}
+
+	ok = pdb_try_account_unlock(sam_acct);
+	if (!ok) {
+		DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
+			  username));
 	}
 
 	for_cache = samu_new(NULL);
@@ -271,14 +364,26 @@ static bool guest_user_info( struct samu *user )
 	return NT_STATUS_IS_OK( result );
 }
 
-/**********************************************************************
-**********************************************************************/
-
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ *
+ * @param[in]  sam_acct  The sam user structure to fill.
+ *
+ * @param[in]  sid       The user SDI to look up.
+ *
+ * @return               True on success, false on error.
+ */
 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
 {
 	struct pdb_methods *pdb = pdb_get_methods();
 	uint32_t rid;
 	void *cache_data;
+	bool ok = false;
 
 	/* hard code the Guest RID of 501 */
 
@@ -299,10 +404,22 @@ bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
 		struct samu *cache_copy = talloc_get_type_abort(
 			cache_data, struct samu);
 
-		return pdb_copy_sam_account(sam_acct, cache_copy);
+		ok = pdb_copy_sam_account(sam_acct, cache_copy);
+	} else {
+		ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+	}
+
+	if (!ok) {
+		return false;
+	}
+
+	ok = pdb_try_account_unlock(sam_acct);
+	if (!ok) {
+		DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
+			  sam_acct->username));
 	}
 
-	return NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+	return true;
 }
 
 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,


-- 
Samba Shared Repository


More information about the samba-cvs mailing list