From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- source3/utils/net_rpc_sh_acct.c | 489 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 489 insertions(+) create mode 100644 source3/utils/net_rpc_sh_acct.c (limited to 'source3/utils/net_rpc_sh_acct.c') diff --git a/source3/utils/net_rpc_sh_acct.c b/source3/utils/net_rpc_sh_acct.c new file mode 100644 index 0000000..3fc6568 --- /dev/null +++ b/source3/utils/net_rpc_sh_acct.c @@ -0,0 +1,489 @@ +/* + Samba Unix/Linux SMB client library + Distributed SMB/CIFS Server Management Utility + Copyright (C) 2006 Volker Lendecke (vl@samba.org) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include "includes.h" +#include "utils/net.h" +#include "rpc_client/rpc_client.h" +#include "../librpc/gen_ndr/ndr_samr_c.h" +#include "../libcli/security/security.h" + +/* + * Do something with the account policies. Read them all, run a function on + * them and possibly write them back. "fn" has to return the container index + * it has modified, it can return 0 for no change. + */ + +static NTSTATUS rpc_sh_acct_do(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv, + int (*fn)(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv)) +{ + struct policy_handle connect_pol, domain_pol; + NTSTATUS status, result; + union samr_DomainInfo *info1 = NULL; + union samr_DomainInfo *info3 = NULL; + union samr_DomainInfo *info12 = NULL; + int store; + struct dcerpc_binding_handle *b = pipe_hnd->binding_handle; + + ZERO_STRUCT(connect_pol); + ZERO_STRUCT(domain_pol); + + /* Get sam policy handle */ + + status = dcerpc_samr_Connect2(b, mem_ctx, + pipe_hnd->desthost, + MAXIMUM_ALLOWED_ACCESS, + &connect_pol, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + /* Get domain policy handle */ + + status = dcerpc_samr_OpenDomain(b, mem_ctx, + &connect_pol, + MAXIMUM_ALLOWED_ACCESS, + ctx->domain_sid, + &domain_pol, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + status = dcerpc_samr_QueryDomainInfo(b, mem_ctx, + &domain_pol, + 1, + &info1, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + d_fprintf(stderr, _("query_domain_info level 1 failed: %s\n"), + nt_errstr(result)); + goto done; + } + + status = dcerpc_samr_QueryDomainInfo(b, mem_ctx, + &domain_pol, + 3, + &info3, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + d_fprintf(stderr, _("query_domain_info level 3 failed: %s\n"), + nt_errstr(result)); + goto done; + } + + status = dcerpc_samr_QueryDomainInfo(b, mem_ctx, + &domain_pol, + 12, + &info12, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + d_fprintf(stderr, _("query_domain_info level 12 failed: %s\n"), + nt_errstr(result)); + goto done; + } + + store = fn(c, mem_ctx, ctx, &info1->info1, &info3->info3, + &info12->info12, argc, argv); + + if (store <= 0) { + /* Don't save anything */ + goto done; + } + + switch (store) { + case 1: + status = dcerpc_samr_SetDomainInfo(b, mem_ctx, + &domain_pol, + 1, + info1, + &result); + break; + case 3: + status = dcerpc_samr_SetDomainInfo(b, mem_ctx, + &domain_pol, + 3, + info3, + &result); + break; + case 12: + status = dcerpc_samr_SetDomainInfo(b, mem_ctx, + &domain_pol, + 12, + info12, + &result); + break; + default: + d_fprintf(stderr, _("Got unexpected info level %d\n"), store); + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } + + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + status = result; + + done: + if (is_valid_policy_hnd(&domain_pol)) { + dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result); + } + if (is_valid_policy_hnd(&connect_pol)) { + dcerpc_samr_Close(b, mem_ctx, &connect_pol, &result); + } + + return status; +} + +static int account_show(struct net_context *c, + TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 0) { + d_fprintf(stderr, "%s %s\n", _("Usage:"), ctx->whoami); + return -1; + } + + d_printf(_("Minimum password length: %d\n"), i1->min_password_length); + d_printf(_("Password history length: %d\n"), + i1->password_history_length); + + d_printf(_("Minimum password age: ")); + if (!nt_time_is_zero((NTTIME *)&i1->min_password_age)) { + time_t t = nt_time_to_unix_abs((NTTIME *)&i1->min_password_age); + d_printf(_("%d seconds\n"), (int)t); + } else { + d_printf(_("not set\n")); + } + + d_printf(_("Maximum password age: ")); + if (nt_time_is_set((NTTIME *)&i1->max_password_age)) { + time_t t = nt_time_to_unix_abs((NTTIME *)&i1->max_password_age); + d_printf(_("%d seconds\n"), (int)t); + } else { + d_printf(_("not set\n")); + } + + d_printf(_("Bad logon attempts: %d\n"), i12->lockout_threshold); + + if (i12->lockout_threshold != 0) { + + d_printf(_("Account lockout duration: ")); + if (nt_time_is_set(&i12->lockout_duration)) { + time_t t = nt_time_to_unix_abs(&i12->lockout_duration); + d_printf(_("%d seconds\n"), (int)t); + } else { + d_printf(_("not set\n")); + } + + d_printf(_("Bad password count reset after: ")); + if (nt_time_is_set(&i12->lockout_window)) { + time_t t = nt_time_to_unix_abs(&i12->lockout_window); + d_printf(_("%d seconds\n"), (int)t); + } else { + d_printf(_("not set\n")); + } + } + + d_printf(_("Disconnect users when logon hours expire: %s\n"), + nt_time_is_zero(&i3->force_logoff_time) ? _("yes") : _("no")); + + d_printf(_("User must logon to change password: %s\n"), + (i1->password_properties & 0x2) ? _("yes") : _("no")); + + return 0; /* Don't save */ +} + +static NTSTATUS rpc_sh_acct_pol_show(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) { + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_show); +} + +static int account_set_badpw(struct net_context *c, + TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, "%s %s \n", _("Usage:"), ctx->whoami); + return -1; + } + + i12->lockout_threshold = atoi(argv[0]); + d_printf(_("Setting bad password count to %d\n"), + i12->lockout_threshold); + + return 12; +} + +static NTSTATUS rpc_sh_acct_set_badpw(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_badpw); +} + +static int account_set_lockduration(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, _("Usage: %s \n"), ctx->whoami); + return -1; + } + + unix_to_nt_time_abs(&i12->lockout_duration, atoi(argv[0])); + d_printf(_("Setting lockout duration to %d seconds\n"), + (int)nt_time_to_unix_abs(&i12->lockout_duration)); + + return 12; +} + +static NTSTATUS rpc_sh_acct_set_lockduration(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_lockduration); +} + +static int account_set_resetduration(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, _("Usage: %s \n"), ctx->whoami); + return -1; + } + + unix_to_nt_time_abs(&i12->lockout_window, atoi(argv[0])); + d_printf(_("Setting bad password reset duration to %d seconds\n"), + (int)nt_time_to_unix_abs(&i12->lockout_window)); + + return 12; +} + +static NTSTATUS rpc_sh_acct_set_resetduration(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_resetduration); +} + +static int account_set_minpwage(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, _("Usage: %s \n"), ctx->whoami); + return -1; + } + + unix_to_nt_time_abs((NTTIME *)&i1->min_password_age, atoi(argv[0])); + d_printf(_("Setting minimum password age to %d seconds\n"), + (int)nt_time_to_unix_abs((NTTIME *)&i1->min_password_age)); + + return 1; +} + +static NTSTATUS rpc_sh_acct_set_minpwage(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_minpwage); +} + +static int account_set_maxpwage(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, _("Usage: %s \n"), ctx->whoami); + return -1; + } + + unix_to_nt_time_abs((NTTIME *)&i1->max_password_age, atoi(argv[0])); + d_printf(_("Setting maximum password age to %d seconds\n"), + (int)nt_time_to_unix_abs((NTTIME *)&i1->max_password_age)); + + return 1; +} + +static NTSTATUS rpc_sh_acct_set_maxpwage(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_maxpwage); +} + +static int account_set_minpwlen(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, _("Usage: %s \n"), ctx->whoami); + return -1; + } + + i1->min_password_length = atoi(argv[0]); + d_printf(_("Setting minimum password length to %d\n"), + i1->min_password_length); + + return 1; +} + +static NTSTATUS rpc_sh_acct_set_minpwlen(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_minpwlen); +} + +static int account_set_pwhistlen(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct samr_DomInfo1 *i1, + struct samr_DomInfo3 *i3, + struct samr_DomInfo12 *i12, + int argc, const char **argv) +{ + if (argc != 1) { + d_fprintf(stderr, _("Usage: %s \n"), ctx->whoami); + return -1; + } + + i1->password_history_length = atoi(argv[0]); + d_printf(_("Setting password history length to %d\n"), + i1->password_history_length); + + return 1; +} + +static NTSTATUS rpc_sh_acct_set_pwhistlen(struct net_context *c, + TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx, + struct rpc_pipe_client *pipe_hnd, + int argc, const char **argv) +{ + return rpc_sh_acct_do(c, mem_ctx, ctx, pipe_hnd, argc, argv, + account_set_pwhistlen); +} + +struct rpc_sh_cmd *net_rpc_acct_cmds(struct net_context *c, TALLOC_CTX *mem_ctx, + struct rpc_sh_ctx *ctx) +{ + static struct rpc_sh_cmd cmds[9] = { + { "show", NULL, &ndr_table_samr, rpc_sh_acct_pol_show, + N_("Show current account policy settings") }, + { "badpw", NULL, &ndr_table_samr, rpc_sh_acct_set_badpw, + N_("Set bad password count before lockout") }, + { "lockduration", NULL, &ndr_table_samr, rpc_sh_acct_set_lockduration, + N_("Set account lockout duration") }, + { "resetduration", NULL, &ndr_table_samr, + rpc_sh_acct_set_resetduration, + N_("Set bad password count reset duration") }, + { "minpwage", NULL, &ndr_table_samr, rpc_sh_acct_set_minpwage, + N_("Set minimum password age") }, + { "maxpwage", NULL, &ndr_table_samr, rpc_sh_acct_set_maxpwage, + N_("Set maximum password age") }, + { "minpwlen", NULL, &ndr_table_samr, rpc_sh_acct_set_minpwlen, + N_("Set minimum password length") }, + { "pwhistlen", NULL, &ndr_table_samr, rpc_sh_acct_set_pwhistlen, + N_("Set the password history length") }, + { NULL, NULL, 0, NULL, NULL } + }; + + return cmds; +} -- cgit v1.2.3