path: root/source/lib/account_pol.c
Diffstat (limited to 'source/lib/account_pol.c')
-rw-r--r--source/lib/account_pol.c100
1 files changed, 85 insertions, 15 deletions
diff --git a/source/lib/account_pol.c b/source/lib/account_pol.c
index aa593832584..72d6e77ddda 100644
--- a/source/lib/account_pol.c
+++ b/source/lib/account_pol.c
@@ -20,9 +20,29 @@
*/
#include "includes.h"
-static TDB_CONTEXT *tdb; /* used for driver files */
+static TDB_CONTEXT *tdb;
+
+#define DATABASE_VERSION 2
+
+extern DOM_SID global_sid_World;
+extern DOM_SID global_sid_Builtin_Administrators;
+extern DOM_SID global_sid_Builtin_Account_Operators;
+extern DOM_SID global_sid_Builtin_Server_Operators;
+extern DOM_SID global_sid_Builtin_Print_Operators;
+extern DOM_SID global_sid_Builtin_Backup_Operators;
-#define DATABASE_VERSION 1
+
+/****************************************************************************
+ Set default for a field if it is empty
+****************************************************************************/
+
+static void set_default_on_empty(int field, uint32 value)
+{
+ if (account_policy_get(field, NULL))
+ return;
+ account_policy_set(field, value);
+ return;
+}
/****************************************************************************
Open the account policy tdb.
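Review bot: set_default_on_empty() discards the BOOL that account_policy_set() returns, so a failed store leaves the field absent while the caller in init_account_policy() still reports success, e.g. with no minimum password length on record; `if (!account_policy_set(field, value)) DEBUG(0, ("set_default_on_empty: failed to store default for field %d\n", field));` would at least surface it in the log. The call `account_policy_get(field, NULL)` is an existence probe that only works because this same commit makes account_policy_get() tolerate a NULL value pointer; that deserves a comment on the line, `/* NULL value: only test whether the field is already stored */`. The trailing `return;` in a void function is redundant and can go.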
@@ -44,21 +64,50 @@ BOOL init_account_policy(void)
/* handle a Samba upgrade */
tdb_lock_bystring(tdb, vstring,0);
if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
- tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
- account_policy_set(AP_MIN_PASSWORD_LEN, MINPASSWDLENGTH); /* 5 chars minimum */
- account_policy_set(AP_PASSWORD_HISTORY, 0); /* don't keep any old password */
- account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, 0); /* don't force user to logon */
- account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)-1); /* don't expire */
- account_policy_set(AP_MIN_PASSWORD_AGE, 0); /* 0 days */
- account_policy_set(AP_LOCK_ACCOUNT_DURATION, 30); /* lockout for 30 minutes */
- account_policy_set(AP_RESET_COUNT_TIME, 30); /* reset after 30 minutes */
- account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, 0); /* don't lockout */
- account_policy_set(AP_TIME_TO_LOGOUT, -1); /* don't force logout */
+ set_default_on_empty(
+ AP_MIN_PASSWORD_LEN,
+ MINPASSWDLENGTH);/* 5 chars minimum */
+ set_default_on_empty(
+ AP_PASSWORD_HISTORY,
+ 0); /* don't keep any old password */
+ set_default_on_empty(
+ AP_USER_MUST_LOGON_TO_CHG_PASS,
+ 0); /* don't force user to logon */
+ set_default_on_empty(
+ AP_MAX_PASSWORD_AGE,
+ (uint32)-1); /* don't expire */
+ set_default_on_empty(
+ AP_MIN_PASSWORD_AGE,
+ 0); /* 0 days */
+ set_default_on_empty(
+ AP_LOCK_ACCOUNT_DURATION,
+ 30); /* lockout for 30 minutes */
+ set_default_on_empty(
+ AP_RESET_COUNT_TIME,
+ 30); /* reset after 30 minutes */
+ set_default_on_empty(
+ AP_BAD_ATTEMPT_LOCKOUT,
+ 0); /* don't lockout */
+ set_default_on_empty(
+ AP_TIME_TO_LOGOUT,
+ -1); /* don't force logout */
+ set_default_on_empty(
+ AP_REFUSE_MACHINE_PW_CHANGE,
+ 0); /* allow machine pw changes */
}
tdb_unlock_bystring(tdb, vstring);
+ /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
+
+ privilege_create_account( &global_sid_World );
+ privilege_create_account( &global_sid_Builtin_Administrators );
+ privilege_create_account( &global_sid_Builtin_Account_Operators );
+ privilege_create_account( &global_sid_Builtin_Server_Operators );
+ privilege_create_account( &global_sid_Builtin_Print_Operators );
+ privilege_create_account( &global_sid_Builtin_Backup_Operators );
+
return True;
}
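Review bot: The six privilege_create_account() calls added at the end of init_account_policy() ignore their return values, so failing to seed the NT4 default accounts is silent and the function still returns True; assuming the helper reports failure like the other BOOL helpers in this file, each call should be checked. Folding the six SIDs into a table makes that a single check and keeps the list in one place. Note these calls also run after tdb_unlock_bystring(), so they are outside the version lock; whether concurrent initialisers can race on the privilege store depends on privilege_create_account() itself, which is not visible here. init_account_policy() begins before this hunk.
```c
	tdb_unlock_bystring(tdb, vstring);

	/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
	{
		static DOM_SID * const default_accounts[] = {
			&global_sid_World,
			&global_sid_Builtin_Administrators,
			&global_sid_Builtin_Account_Operators,
			&global_sid_Builtin_Server_Operators,
			&global_sid_Builtin_Print_Operators,
			&global_sid_Builtin_Backup_Operators
		};
		size_t i;

		for (i = 0; i < sizeof(default_accounts)/sizeof(default_accounts[0]); i++) {
			if (!privilege_create_account(default_accounts[i])) {
				DEBUG(0, ("init_account_policy: failed to create default privilege account %u\n", (unsigned)i));
			}
		}
	}

	return True;
```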
@@ -75,6 +124,7 @@ static const struct {
{AP_RESET_COUNT_TIME, "reset count minutes"},
{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"},
{AP_TIME_TO_LOGOUT, "disconnect time"},
+ {AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"},
{0, NULL}
};
@@ -138,21 +188,26 @@ int account_policy_name_to_fieldnum(const char *name)
BOOL account_policy_get(int field, uint32 *value)
{
fstring name;
+ uint32 regval;
if(!init_account_policy())return False;
- *value = 0;
+ if (value)
+ *value = 0;
fstrcpy(name, decode_account_policy_name(field));
if (!*name) {
DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type! Cannot get, returning 0.\n", field));
return False;
}
- if (!tdb_fetch_uint32(tdb, name, value)) {
+ if (!tdb_fetch_uint32(tdb, name, &regval)) {
DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
return False;
}
- DEBUG(10,("account_policy_get: %s:%d\n", name, *value));
+ if (value)
+ *value = regval;
+
+ DEBUG(10,("account_policy_get: %s:%d\n", name, regval));
return True;
}
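Review bot: The new NULL-tolerant `value` parameter is the contract this commit relies on (set_default_on_empty() passes NULL as an existence probe), but nothing at the function says so; the header comment above the signature, which is outside this hunk, should gain a line such as `value may be NULL to test only whether the field is stored; the fetched value is then discarded`. The new DEBUG(10) line prints regval, a uint32, with `%d`; `%u` matches the type and avoids a negative print for the (uint32)-1 defaults stored by init_account_policy().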
@@ -180,3 +235,18 @@ BOOL account_policy_set(int field, uint32 value)
return True;
}
+
+/****************************************************************************
+****************************************************************************/
+
+TDB_CONTEXT *get_account_pol_tdb( void )
+{
+
+ if ( !tdb ) {
+ if ( !init_account_policy() )
+ return NULL;
+ }
+
+ return tdb;
+}
+
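Review bot: The comment box above get_account_pol_tdb() is empty, yet the function hands the file's private static handle to outside callers, so ownership needs stating: `/* Return the shared account-policy tdb, opening it via init_account_policy() on demand. The handle stays owned by this file; callers must not tdb_close() it and should prefer account_policy_get/set, which validate field names. */` The early return of NULL when init_account_policy() fails is right; it assumes a successful init always leaves `tdb` non-NULL, which the opening code above this hunk would have to guarantee.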