Author: jmcd Date: 2005-01-10 18:30:02 +0000 (Mon, 10 Jan 2005) New Revision: 4652
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4652 Log: Add "refuse machine password change" policy field. This update will just return the appropriate reg value. Enforcement to be added soon. Also, fix account policy tdb upgrade so it doesn't just wipe out everything that was in there from a a previous version. Modified: trunk/source/include/smb.h trunk/source/lib/account_pol.c trunk/source/rpc_server/srv_reg_nt.c Changeset: Modified: trunk/source/include/smb.h =================================================================== --- trunk/source/include/smb.h 2005-01-10 18:29:52 UTC (rev 4651) +++ trunk/source/include/smb.h 2005-01-10 18:30:02 UTC (rev 4652) @@ -642,8 +642,8 @@ #define AP_RESET_COUNT_TIME 7 #define AP_BAD_ATTEMPT_LOCKOUT 8 #define AP_TIME_TO_LOGOUT 9 +#define AP_REFUSE_MACHINE_PW_CHANGE 10 - /* * Flags for local user manipulation. */ Modified: trunk/source/lib/account_pol.c =================================================================== --- trunk/source/lib/account_pol.c 2005-01-10 18:29:52 UTC (rev 4651) +++ trunk/source/lib/account_pol.c 2005-01-10 18:30:02 UTC (rev 4652) @@ -22,9 +22,21 @@ #include "includes.h" static TDB_CONTEXT *tdb; /* used for driver files */ -#define DATABASE_VERSION 1 +#define DATABASE_VERSION 2 /**************************************************************************** + Set default for a field if it is empty +****************************************************************************/ + +static void set_default_on_empty(int field, uint32 value) +{ + if (account_policy_get(field, NULL)) + return; + account_policy_set(field, value); + return; +} + +/**************************************************************************** Open the account policy tdb. ****************************************************************************/ @@ -44,18 +56,38 @@ /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { - tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); tdb_store_uint32(tdb, vstring, DATABASE_VERSION); - account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */ - account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */ - account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */ - account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1); /* don't expire */ - account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */ - account_policy_set(AP_LOCK_ACCOUNT_DURATION, 30); /* lockout for 30 minutes */ - account_policy_set(AP_RESET_COUNT_TIME, 30); /* reset after 30 minutes */ - account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */ - account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */ + set_default_on_empty( + AP_MIN_PASSWORD_LEN, + MINPASSWDLENGTH);/* 5 chars minimum */ + set_default_on_empty( + AP_PASSWORD_HISTORY, + 0); /* don't keep any old password */ + set_default_on_empty( + AP_USER_MUST_LOGON_TO_CHG_PASS, + 0); /* don't force user to logon */ + set_default_on_empty( + AP_MAX_PASSWORD_AGE, + (uint32)-1); /* don't expire */ + set_default_on_empty( + AP_MIN_PASSWORD_AGE, + 0); /* 0 days */ + set_default_on_empty( + AP_LOCK_ACCOUNT_DURATION, + 30); /* lockout for 30 minutes */ + set_default_on_empty( + AP_RESET_COUNT_TIME, + 30); /* reset after 30 minutes */ + set_default_on_empty( + AP_BAD_ATTEMPT_LOCKOUT, + 0); /* don't lockout */ + set_default_on_empty( + AP_TIME_TO_LOGOUT, + -1); /* don't force logout */ + set_default_on_empty( + AP_REFUSE_MACHINE_PW_CHANGE, + 0); /* allow machine pw changes */ } tdb_unlock_bystring(tdb, vstring); @@ -75,6 +107,7 @@ {AP_RESET_COUNT_TIME, "reset count minutes"}, {AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"}, {AP_TIME_TO_LOGOUT, "disconnect time"}, + {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"}, {0, NULL} }; @@ -138,21 +171,26 @@ BOOL account_policy_get(int field, uint32 *value) { fstring name; + uint32 regval; if(!init_account_policy())return False; - *value = 0; + if (value) + *value = 0; fstrcpy(name, decode_account_policy_name(field)); if (!*name) { DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field)); return False; } - if (!tdb_fetch_uint32(tdb, name, value)) { + if (!tdb_fetch_uint32(tdb, name, ®val)) { DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name)); return False; } - DEBUG(10,("account_policy_get: %s:%d\n", name, *value)); + if (value) + *value = regval; + + DEBUG(10,("account_policy_get: %s:%d\n", name, regval)); return True; } Modified: trunk/source/rpc_server/srv_reg_nt.c =================================================================== --- trunk/source/rpc_server/srv_reg_nt.c 2005-01-10 18:29:52 UTC (rev 4651) +++ trunk/source/rpc_server/srv_reg_nt.c 2005-01-10 18:30:02 UTC (rev 4652) @@ -373,11 +373,22 @@ /* couple of hard coded registry values */ if ( strequal(name, "RefusePasswordChange") ) { + uint32 dwValue; + if ( (val = SMB_MALLOC_P(REGISTRY_VALUE)) == NULL ) { DEBUG(0,("_reg_info: malloc() failed!\n")); return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP( val ); + + if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue)) + dwValue = 0; + regval_ctr_addvalue(®vals, "RefusePasswordChange", + REG_DWORD, + (const char*)&dwValue, sizeof(dwValue)); + val = dup_registry_value( + regval_ctr_specific_value( ®vals, 0 ) ); + + status = NT_STATUS_OK; goto out; }