3 * Unix SMB/Netbios implementation.
6 * Copyright (C) Jeremy Allison 1995-1998
7 * Copyright (C) Tim Potter 2001
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version.
14 * This program is distributed in the hope that it will be useful, but WITHOUT
15 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
19 * You should have received a copy of the GNU General Public License along with
20 * this program; if not, write to the Free Software Foundation, Inc., 675
21 * Mass Ave, Cambridge, MA 02139, USA. */
25 extern pstring global_myname
;
26 extern BOOL AllowDebugChange
;
29 * Next two lines needed for SunOS and don't
30 * hurt anything else...
35 /* forced running in root-mode */
36 static BOOL local_mode
;
37 static BOOL joining_domain
= False
, got_pass
= False
, got_username
= False
, changing_trust_pw
= False
;
38 static int local_flags
= 0;
39 static BOOL stdin_passwd_get
= False
;
40 static fstring user_name
, user_password
;
41 static char *new_domain
= NULL
;
42 static char *new_passwd
= NULL
;
43 static char *old_passwd
= NULL
;
44 static char *remote_machine
= NULL
;
45 static pstring servicesf
= CONFIGFILE
;
48 static fstring ldap_secret
;
53 /*********************************************************
55 **********************************************************/
57 static char *strdup_x(const char *s
)
59 char *new_s
= strdup(s
);
61 fprintf(stderr
,"out of memory\n");
68 /*********************************************************
69 Print command usage on stderr and die.
70 **********************************************************/
71 static void usage(void)
73 printf("When run by root:\n");
74 printf(" smbpasswd [options] [username] [password]\n");
75 printf("otherwise:\n");
76 printf(" smbpasswd [options] [password]\n\n");
78 printf("Version: %s\n", VERSION
);
80 printf(" -L local mode (must be first option)\n");
81 printf(" -h print this usage message\n");
82 printf(" -s use stdin for password prompt\n");
83 printf(" -c smb.conf file Use the given path to the smb.conf file\n");
84 printf(" -D LEVEL debug level\n");
85 printf(" -r MACHINE remote machine\n");
86 printf(" -U USER remote username\n");
88 printf("extra options when run by root or in local mode:\n");
89 printf(" -a add user\n");
90 printf(" -d disable user\n");
91 printf(" -e enable user\n");
92 printf(" -m machine trust account\n");
93 printf(" -n set no password\n");
95 printf(" -w ldap admin password\n");
97 printf(" -x delete user\n");
98 printf(" -j DOMAIN join domain name\n");
99 printf(" -t DOMAIN change trust account password on domain\n");
100 printf(" -S DOMAIN Retrieve the domain SID for DOMAIN\n");
101 printf(" -R ORDER name resolve order\n");
106 static void set_line_buffering(FILE *f
)
108 setvbuf(f
, NULL
, _IOLBF
, 0);
111 /*******************************************************************
112 Process command line options
113 ******************************************************************/
114 static void process_options(int argc
, char **argv
, BOOL amroot
)
120 while ((ch
= getopt(argc
, argv
, "c:axdehmnj:t:r:sw:R:D:U:LS")) != EOF
) {
123 local_mode
= amroot
= True
;
126 pstrcpy(servicesf
,optarg
);
129 if (!amroot
) goto bad_args
;
130 local_flags
|= LOCAL_ADD_USER
;
133 if (!amroot
) goto bad_args
;
134 local_flags
|= LOCAL_DELETE_USER
;
135 new_passwd
= strdup_x("XXXXXX");
138 if (!amroot
) goto bad_args
;
139 local_flags
|= LOCAL_DISABLE_USER
;
140 new_passwd
= strdup_x("XXXXXX");
143 if (!amroot
) goto bad_args
;
144 local_flags
|= LOCAL_ENABLE_USER
;
147 if (!amroot
) goto bad_args
;
148 local_flags
|= LOCAL_TRUST_ACCOUNT
;
151 if (!amroot
) goto bad_args
;
152 local_flags
|= LOCAL_SET_NO_PASSWORD
;
153 new_passwd
= strdup_x("NO PASSWORD");
156 if (!amroot
) goto bad_args
;
158 strupper(new_domain
);
159 joining_domain
= True
;
162 if (!amroot
) goto bad_args
;
164 strupper(new_domain
);
165 changing_trust_pw
= True
;
168 remote_machine
= optarg
;
171 if (!amroot
) goto bad_args
;
172 local_flags
|= LOCAL_GET_DOM_SID
;
175 set_line_buffering(stdin
);
176 set_line_buffering(stdout
);
177 set_line_buffering(stderr
);
178 stdin_passwd_get
= True
;
181 if (!amroot
) goto bad_args
;
183 local_flags
|= LOCAL_SET_LDAP_ADMIN_PW
;
184 fstrcpy(ldap_secret
, optarg
);
187 printf("-w not available unless configured --with-ldapsam\n");
191 if (!amroot
) goto bad_args
;
192 lp_set_name_resolve_order(optarg
);
195 DEBUGLEVEL
= atoi(optarg
);
201 fstrcpy(user_name
, optarg
);
203 if ((lp
= strchr(user_name
, '%'))) {
205 fstrcpy(user_password
, lp
+ 1);
207 memset(strchr(optarg
, '%') + 1, 'X',
208 strlen(user_password
));
223 if (joining_domain
&& (argc
!= 0))
229 fstrcpy(user_name
, "");
233 new_passwd
= argv
[0];
238 fstrcpy(user_name
, argv
[0]);
241 if (!amroot
|| got_username
|| got_pass
)
243 fstrcpy(user_name
, argv
[0]);
244 new_passwd
= strdup_x(argv
[1]);
252 /* Initialise client credentials for authenticated pipe access */
254 void init_rpcclient_creds(struct ntuser_creds
*creds
, char* username
,
255 char* domain
, char* password
)
259 if (lp_encrypted_passwords()) {
260 pwd_make_lm_nt_16(&creds
->pwd
, password
);
262 pwd_set_cleartext(&creds
->pwd
, password
);
265 fstrcpy(creds
->user_name
, username
);
266 fstrcpy(creds
->domain
, domain
);
269 /*********************************************************
270 Join a domain using the administrator username and password
271 **********************************************************/
273 /* Macro for checking RPC error codes to make things more readable */
275 #define CHECK_RPC_ERR(rpc, msg) \
276 if (!NT_STATUS_IS_OK(result = rpc)) { \
277 DEBUG(0, (msg ": %s\n", get_nt_error_msg(result))); \
281 #define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
282 if (!NT_STATUS_IS_OK(result = rpc)) { \
283 DEBUG(0, debug_args); \
287 static int join_domain_byuser(char *domain
, char *remote
,
288 char *username
, char *password
)
290 /* libsmb variables */
293 struct nmb_name calling
, called
;
294 struct ntuser_creds creds
;
295 struct cli_state cli
;
297 struct in_addr dest_ip
;
302 POLICY_HND lsa_pol
, sam_pol
, domain_pol
, user_pol
;
310 uchar pwbuf
[516], ntpw
[16], sess_key
[16];
311 SAM_USERINFO_CTR ctr
;
312 SAM_USER_INFO_24 p24
;
313 SAM_USER_INFO_10 p10
;
320 pstrcpy(pdc_name
, remote
? remote
: "");
322 /* Connect to remote machine */
326 ZERO_STRUCT(dest_ip
); /* Make sure no nasty surprises */
328 if (!(mem_ctx
= talloc_init())) {
329 DEBUG(0, ("Could not initialise talloc context\n"));
333 if (!cli_initialise(&cli
)) {
334 DEBUG(0, ("Could not initialise client structure\n"));
338 init_rpcclient_creds(&creds
, username
, domain
, password
);
339 cli_init_creds(&cli
, &creds
);
342 * If we are given a remote machine assume this is the PDC.
345 if(remote
== NULL
|| !strcmp(remote
, "*")) {
346 struct in_addr
*ip_list
;
348 if (!get_dc_list(True
/* PDC only*/, domain
, &ip_list
, &addr_count
)) {
349 fprintf(stderr
, "Unable to find the domain controller for domain %s.\n", domain
);
352 if ((addr_count
< 1) || (is_zero_ip(ip_list
[0]))) {
353 fprintf(stderr
, "Incorrect entries returned when finding the domain controller for domain %s.\n", domain
);
357 if (!lookup_dc_name(global_myname
, domain
, &ip_list
[0], pdc_name
)) {
358 fprintf(stderr
, "Unable to lookup the name for the domain controller for domain %s.\n", domain
);
361 dest_ip
= ip_list
[0];
364 make_nmb_name(&called
, pdc_name
, 0x20);
365 make_nmb_name(&calling
, dns_to_netbios_name(global_myname
), 0);
367 if (!cli_establish_connection(&cli
, pdc_name
, &dest_ip
, &calling
,
368 &called
, "IPC$", "IPC", False
, True
)) {
369 if (!NT_STATUS_IS_OK(cli_nt_error(&cli
))) {
370 DEBUG(0, ("Error connecting to %s - %s\n", pdc_name
,cli_errstr(&cli
)));
372 DEBUG(0, ("Error connecting to %s\n", pdc_name
));
377 /* Fetch domain sid */
379 if (!cli_nt_session_open(&cli
, PIPE_LSARPC
)) {
380 DEBUG(0, ("Error connecting to SAM pipe\n"));
385 CHECK_RPC_ERR(cli_lsa_open_policy(&cli
, mem_ctx
, True
,
386 SEC_RIGHTS_MAXIMUM_ALLOWED
,
388 "error opening lsa policy handle");
390 CHECK_RPC_ERR(cli_lsa_query_info_policy(&cli
, mem_ctx
, &lsa_pol
,
391 5, domain
, &domain_sid
),
392 "error querying info policy");
394 cli_lsa_close(&cli
, mem_ctx
, &lsa_pol
);
396 cli_nt_session_close(&cli
); /* Done with this pipe */
398 /* Create domain user */
400 if (!cli_nt_session_open(&cli
, PIPE_SAMR
)) {
401 DEBUG(0, ("Error connecting to SAM pipe\n"));
405 CHECK_RPC_ERR(cli_samr_connect(&cli
, mem_ctx
,
406 SEC_RIGHTS_MAXIMUM_ALLOWED
,
408 "could not connect to SAM database");
411 CHECK_RPC_ERR(cli_samr_open_domain(&cli
, mem_ctx
, &sam_pol
,
412 SEC_RIGHTS_MAXIMUM_ALLOWED
,
413 &domain_sid
, &domain_pol
),
414 "could not open domain");
416 /* Create domain user */
418 fstrcpy(acct_name
, global_myname
);
419 fstrcat(acct_name
, "$");
424 uint32 unknown
= 0xe005000b;
426 result
= cli_samr_create_dom_user(&cli
, mem_ctx
, &domain_pol
,
427 acct_name
, ACB_WSTRUST
,
433 if (NT_STATUS_IS_OK(result
)) {
435 /* We *must* do this.... don't ask... */
437 CHECK_RPC_ERR_DEBUG(cli_samr_close(&cli
, mem_ctx
, &user_pol
), ("error closing user policy"));
438 result
= NT_STATUS_USER_EXISTS
;
441 if (NT_STATUS_V(result
) == NT_STATUS_V(NT_STATUS_USER_EXISTS
)) {
442 uint32 num_rids
, *name_types
, *user_rids
;
443 uint32 flags
= 0x3e8;
446 /* Look up existing rid */
448 names
= (char *)&acct_name
[0];
451 cli_samr_lookup_names(&cli
, mem_ctx
,
453 1, &names
, &num_rids
,
454 &user_rids
, &name_types
),
455 ("error looking up rid for user %s: %s\n",
456 acct_name
, get_nt_error_msg(result
)));
458 if (name_types
[0] != SID_NAME_USER
) {
459 DEBUG(0, ("%s is not a user account\n", acct_name
));
463 user_rid
= user_rids
[0];
465 /* Open handle on user */
468 cli_samr_open_user(&cli
, mem_ctx
, &domain_pol
,
469 SEC_RIGHTS_MAXIMUM_ALLOWED
,
470 user_rid
, &user_pol
),
471 ("could not re-open existing user %s: %s\n",
472 acct_name
, get_nt_error_msg(result
)));
474 } else if (!NT_STATUS_IS_OK(result
)) {
475 DEBUG(0, ("error creating domain user: %s\n",
476 get_nt_error_msg(result
)));
480 /* Create a random machine account password */
483 UNISTR2 upw
; /* Unicode password */
485 upw
.buffer
= (uint16
*)talloc_zero(mem_ctx
, 0xc *
488 upw
.uni_str_len
= 0xc;
489 upw
.uni_max_len
= 0xc;
491 machine_pwd
= (char *)upw
.buffer
;
492 plen
= upw
.uni_str_len
* 2;
493 generate_random_buffer((unsigned char *)machine_pwd
, plen
, True
);
495 encode_pw_buffer((char *)pwbuf
, machine_pwd
, plen
, False
);
497 mdfour( ntpw
, (unsigned char *)upw
.buffer
, plen
);
500 /* Set password on machine account */
505 init_sam_user_info24(&p24
, (char *)pwbuf
,24);
507 ctr
.switch_value
= 24;
508 ctr
.info
.id24
= &p24
;
510 /* I don't think this is quite the right place for this
511 calculation. It should be moved somewhere where the credentials
512 are calculated. )-: */
514 mdfour(sess_key
, cli
.pwd
.smb_nt_pwd
, 16);
516 CHECK_RPC_ERR(cli_samr_set_userinfo(&cli
, mem_ctx
, &user_pol
, 24,
518 "error setting trust account password");
520 /* Why do we have to try to (re-)set the ACB to be the same as what
521 we passed in the samr_create_dom_user() call? When a NT
522 workstation is joined to a domain by an administrator the
523 acb_info is set to 0x80. For a normal user with "Add
524 workstations to the domain" rights the acb_info is 0x84. I'm
525 not sure whether it is supposed to make a difference or not. NT
526 seems to cope with either value so don't bomb out if the set
527 userinfo2 level 0x10 fails. -tpot */
530 ctr
.switch_value
= 0x10;
531 ctr
.info
.id10
= &p10
;
533 init_sam_user_info10(&p10
, ACB_WSTRUST
);
535 /* Ignoring the return value is necessary for joining a domain
536 as a normal user with "Add workstation to domain" privilege. */
538 result
= cli_samr_set_userinfo2(&cli
, mem_ctx
, &user_pol
, 0x10,
541 /* Now store the secret in the secrets database */
545 if (!secrets_store_domain_sid(domain
, &domain_sid
) ||
546 !secrets_store_trust_account_password(domain
, ntpw
)) {
547 DEBUG(0, ("error storing domain secrets\n"));
551 retval
= 0; /* Success! */
554 /* Close down pipe - this will clean up open policy handles */
556 if (cli
.nt_pipe_fnum
)
557 cli_nt_session_close(&cli
);
559 /* Display success or failure */
562 trust_password_delete(domain
);
563 fprintf(stderr
,"Unable to join domain %s.\n",domain
);
565 printf("Joined domain %s.\n",domain
);
571 /*********************************************************
572 Join a domain. Old server manager method.
573 **********************************************************/
575 static int join_domain(char *domain
, char *remote
)
578 fstring trust_passwd
;
579 unsigned char orig_trust_passwd_hash
[16];
583 pstrcpy(pdc_name
, remote
? remote
: "");
584 fstrcpy(trust_passwd
, global_myname
);
585 strlower(trust_passwd
);
588 * Machine names can be 15 characters, but the max length on
589 * a password is 14. --jerry
591 trust_passwd
[14] = '\0';
593 E_md4hash( (uchar
*)trust_passwd
, orig_trust_passwd_hash
);
595 /* Ensure that we are not trying to join a
596 domain if we are locally set up as a domain
599 if(strequal(remote
, global_myname
)) {
600 fprintf(stderr
, "Cannot join domain %s as the domain controller name is our own. We cannot be a domain controller for a domain and also be a domain member.\n", domain
);
605 * Write the old machine account password.
608 if(!secrets_store_trust_account_password(domain
, orig_trust_passwd_hash
)) {
609 fprintf(stderr
, "Unable to write the machine account password for \
610 machine %s in domain %s.\n", global_myname
, domain
);
615 * If we are given a remote machine assume this is the PDC.
618 if(remote
== NULL
|| !strcmp(remote
, "*")) {
619 struct in_addr
*ip_list
= NULL
;
621 if (!get_dc_list(True
/* PDC only*/, domain
, &ip_list
, &addr_count
)) {
622 fprintf(stderr
, "Unable to find the domain controller for domain %s.\n", domain
);
625 if ((addr_count
< 1) || (is_zero_ip(ip_list
[0]))) {
626 fprintf(stderr
, "Incorrect entries returned when finding the domain controller for domain %s.\n", domain
);
630 if (!lookup_dc_name(global_myname
, domain
, &ip_list
[0], pdc_name
)) {
631 fprintf(stderr
, "Unable to lookup the name for the domain controller for domain %s.\n", domain
);
636 if (!fetch_domain_sid( domain
, pdc_name
, &domain_sid
) ||
637 !secrets_store_domain_sid(domain
, &domain_sid
)) {
638 fprintf(stderr
,"Failed to get domain SID. Unable to join domain %s.\n",domain
);
642 ret
= change_trust_account_password( domain
, pdc_name
);
645 trust_password_delete(domain
);
646 fprintf(stderr
,"Unable to join domain %s.\n",domain
);
649 printf("Joined domain %s.\n",domain
);
655 static int set_domain_sid_from_dc( char *domain
, char *remote
)
661 pstrcpy(pdc_name
, remote
? remote
: "");
663 if(strequal(pdc_name
, global_myname
)) {
664 fprintf(stderr
, "Cannot fetch domain sid for %s as the domain controller name is our own.\n", domain
);
668 if(remote
== NULL
|| !strcmp(remote
, "*")) {
669 struct in_addr
*ip_list
= NULL
;
671 if (!get_dc_list(False
, domain
, &ip_list
, &addr_count
)) {
672 fprintf(stderr
, "Unable to find the domain controller for domain %s.\n", domain
);
675 if ((addr_count
< 1) || (is_zero_ip(ip_list
[0]))) {
676 fprintf(stderr
, "Incorrect entries returned when finding the domain controller for domain %s.\n", domain
);
680 if (!lookup_dc_name(global_myname
, domain
, &ip_list
[0], pdc_name
)) {
681 fprintf(stderr
, "Unable to lookup the name for the domain controller for domain %s.\n", domain
);
686 if (!fetch_domain_sid( domain
, pdc_name
, &domain_sid
)
687 || !secrets_store_domain_sid(global_myname
, &domain_sid
))
689 fprintf(stderr
,"Failed to get domain SID for %s.\n",domain
);
693 sid_to_string(sid_str
, &domain_sid
);
694 printf("Successfully set domain SID to %s.\n", sid_str
);
700 /*************************************************************
701 Utility function to prompt for passwords from stdin. Each
702 password entered must end with a newline.
703 *************************************************************/
704 static char *stdin_new_passwd(void)
706 static fstring new_pwd
;
712 * if no error is reported from fgets() and string at least contains
713 * the newline that ends the password, then replace the newline with
716 if ( fgets(new_pwd
, sizeof(new_pwd
), stdin
) != NULL
) {
717 if ((len
= strlen(new_pwd
)) > 0) {
718 if(new_pwd
[len
-1] == '\n')
719 new_pwd
[len
- 1] = 0;
726 /*************************************************************
727 Utility function to get passwords via tty or stdin
728 Used if the '-s' option is set to silently get passwords
730 *************************************************************/
731 static char *get_pass( char *prompt
, BOOL stdin_get
)
735 p
= stdin_new_passwd();
742 /*************************************************************
743 Utility function to prompt for new password.
744 *************************************************************/
745 static char *prompt_for_new_password(BOOL stdin_get
)
752 p
= get_pass("New SMB password:", stdin_get
);
757 p
= get_pass("Retype new SMB password:", stdin_get
);
759 if (strcmp(p
, new_pwd
)) {
760 fprintf(stderr
, "Mismatch - password unchanged.\n");
770 /*************************************************************
771 Change a password either locally or remotely.
772 *************************************************************/
774 static BOOL
password_change(const char *rem_machine
, char *usr_name
,
775 char *old_pwd
, char *new_pwd
, int loc_flags
)
781 if (rem_machine
!= NULL
) {
782 if (loc_flags
& (LOCAL_ADD_USER
|LOCAL_DELETE_USER
|LOCAL_DISABLE_USER
|LOCAL_ENABLE_USER
|
783 LOCAL_TRUST_ACCOUNT
|LOCAL_SET_NO_PASSWORD
)) {
784 /* these things can't be done remotely yet */
787 ret
= remote_password_change(rem_machine
, usr_name
,
788 old_pwd
, new_pwd
, err_str
, sizeof(err_str
));
790 fprintf(stderr
, err_str
);
794 ret
= local_password_change(usr_name
, loc_flags
, new_pwd
,
795 err_str
, sizeof(err_str
), msg_str
, sizeof(msg_str
));
800 fprintf(stderr
, err_str
);
806 /*******************************************************************
807 Store the LDAP admin password in secrets.tdb
808 ******************************************************************/
809 static BOOL
store_ldap_admin_pw (char* pw
)
817 return secrets_store_ldap_pw(lp_ldap_admin_dn(), pw
);
822 /*************************************************************
823 Handle password changing for root.
824 *************************************************************/
826 static int process_root(void)
832 if (local_flags
& LOCAL_SET_LDAP_ADMIN_PW
)
834 printf("Setting stored password for \"%s\" in secrets.tdb\n",
836 if (!store_ldap_admin_pw(ldap_secret
))
837 DEBUG(0,("ERROR: Failed to store the ldap admin password!\n"));
843 * Ensure both add/delete user are not set
844 * Ensure add/delete user and either remote machine or join domain are
847 if ( ((local_flags
& (LOCAL_ADD_USER
|LOCAL_DELETE_USER
)) == (LOCAL_ADD_USER
|LOCAL_DELETE_USER
))
848 || ( (local_flags
& (LOCAL_ADD_USER
|LOCAL_DELETE_USER
))
849 && ((remote_machine
!= NULL
) || joining_domain
|| changing_trust_pw
) ) )
854 /* Only load interfaces if we are doing network operations. */
856 if ( joining_domain
|| remote_machine
|| (local_flags
& LOCAL_GET_DOM_SID
) ) {
862 if (joining_domain
) {
864 /* smb.conf must specify both security = domain and encrypt passwords = yes */
866 if (!lp_encrypted_passwords() || lp_security() != SEC_DOMAIN
) {
867 DEBUG(0,("ERROR: Must have both SECURITY = DOMAIN and ENCRYPT PASSWORDS = YES!\n"));
871 /* Are we joining by specifing an admin username and
876 /* Get administrator password if not specified */
879 char *pass
= getpass("Password: ");
882 pstrcpy(user_password
, pass
);
885 return join_domain_byuser(new_domain
, remote_machine
,
886 user_name
, user_password
);
889 /* Or just with the server manager? */
891 return join_domain(new_domain
, remote_machine
);
896 /* Change Trust Password */
898 if (changing_trust_pw
) {
899 if (change_trust_account_password(new_domain
, remote_machine
)) {
907 * get the domain sid from a PDC and store it in secrets.tdb
908 * Used for Samba PDC/BDC installations.
911 if (local_flags
& LOCAL_GET_DOM_SID
) {
912 return set_domain_sid_from_dc(lp_workgroup(), remote_machine
);
916 * Deal with root - can add a user, but only locally.
919 if (!user_name
[0] && (pwd
= sys_getpwuid(0))) {
920 fstrcpy(user_name
, pwd
->pw_name
);
924 fprintf(stderr
,"You must specify a username\n");
928 if (local_flags
& LOCAL_TRUST_ACCOUNT
) {
929 /* add the $ automatically */
933 * Remove any trailing '$' before we
934 * generate the initial machine password.
937 if (user_name
[strlen(user_name
)-1] == '$') {
938 user_name
[strlen(user_name
)-1] = 0;
941 if (local_flags
& LOCAL_ADD_USER
) {
942 safe_free(new_passwd
);
943 new_passwd
= strdup_x(user_name
);
944 strlower(new_passwd
);
948 * Now ensure the username ends in '$' for
952 slprintf(buf
, sizeof(buf
)-1, "%s$", user_name
);
953 fstrcpy(user_name
, buf
);
956 if (remote_machine
!= NULL
) {
957 old_passwd
= get_pass("Old SMB password:",stdin_passwd_get
);
963 * If we are trying to enable a user, first we need to find out
964 * if they are using a modern version of the smbpasswd file that
965 * disables a user by just writing a flag into the file. If so
966 * then we can re-enable a user without prompting for a new
967 * password. If not (ie. they have a no stored password in the
968 * smbpasswd file) then we need to prompt for a new password.
971 if(local_flags
& LOCAL_ENABLE_USER
) {
973 SAM_ACCOUNT
*sampass
= NULL
;
975 pdb_init_sam(&sampass
);
976 if (!pdb_getsampwnam(sampass
, user_name
)) {
977 printf("ERROR: Unable to locate %s in passdb!\n", user_name
);
978 pdb_free_sam(sampass
);
982 if((sampass
!= NULL
) && (pdb_get_lanman_passwd(sampass
) != NULL
)) {
983 new_passwd
= strdup_x("XXXX"); /* Don't care. */
986 pdb_free_sam(sampass
);
990 new_passwd
= prompt_for_new_password(stdin_passwd_get
);
993 fprintf(stderr
, "Unable to get new password.\n");
998 if (!password_change(remote_machine
, user_name
, old_passwd
, new_passwd
, local_flags
)) {
999 fprintf(stderr
,"Failed to modify password entry for user %s\n", user_name
);
1004 if(remote_machine
) {
1005 printf("Password changed for user %s on %s.\n", user_name
, remote_machine
);
1006 } else if(!(local_flags
& (LOCAL_ADD_USER
|LOCAL_DISABLE_USER
|LOCAL_ENABLE_USER
|LOCAL_DELETE_USER
|LOCAL_SET_NO_PASSWORD
))) {
1007 SAM_ACCOUNT
*sampass
= NULL
;
1010 pdb_init_sam(&sampass
);
1012 if (!pdb_getsampwnam(sampass
, user_name
)) {
1013 printf("ERROR: Unable to locate %s in passdb!\n", user_name
);
1014 pdb_free_sam(sampass
);
1019 printf("Password changed for user %s.", user_name
);
1020 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
1021 if(acct_ctrl
& ACB_DISABLED
)
1022 printf(" User has disabled flag set.");
1023 if(acct_ctrl
& ACB_PWNOTREQ
)
1024 printf(" User has no password flag set.");
1027 pdb_free_sam(sampass
);
1031 safe_free(new_passwd
);
1036 /*************************************************************
1037 Handle password changing for non-root.
1038 *************************************************************/
1040 static int process_nonroot(void)
1042 struct passwd
*pwd
= NULL
;
1045 if (!user_name
[0]) {
1046 pwd
= sys_getpwuid(getuid());
1048 fstrcpy(user_name
,pwd
->pw_name
);
1050 fprintf(stderr
,"you don't exist - go away\n");
1056 * A non-root user is always setting a password
1057 * via a remote machine (even if that machine is
1061 load_interfaces(); /* Delayed from main() */
1063 if (remote_machine
== NULL
) {
1064 remote_machine
= "127.0.0.1";
1067 if (remote_machine
!= NULL
) {
1068 old_passwd
= get_pass("Old SMB password:",stdin_passwd_get
);
1072 new_passwd
= prompt_for_new_password(stdin_passwd_get
);
1076 fprintf(stderr
, "Unable to get new password.\n");
1080 if (!password_change(remote_machine
, user_name
, old_passwd
, new_passwd
, 0)) {
1081 fprintf(stderr
,"Failed to change password for %s\n", user_name
);
1086 printf("Password changed for user %s\n", user_name
);
1089 safe_free(old_passwd
);
1090 safe_free(new_passwd
);
1097 /*********************************************************
1099 **********************************************************/
1100 int main(int argc
, char **argv
)
1102 BOOL amroot
= getuid() == 0;
1105 AllowDebugChange
= False
;
1107 #if defined(HAVE_SET_AUTH_PARAMETERS)
1108 set_auth_parameters(argc
, argv
);
1109 #endif /* HAVE_SET_AUTH_PARAMETERS */
1111 charset_initialise();
1113 process_options(argc
, argv
, amroot
);
1116 setup_logging("smbpasswd", True
);
1118 if(!initialize_password_db(False
)) {
1119 fprintf(stderr
, "Can't setup password database vectors.\n");
1123 if (!lp_load(servicesf
,True
,False
,False
)) {
1124 fprintf(stderr
, "Can't load %s - run testparm to debug it\n",
1130 * Set the machine NETBIOS name if not already
1131 * set from the config file.
1134 if (!*global_myname
) {
1136 fstrcpy(global_myname
, myhostname());
1137 p
= strchr(global_myname
, '.' );
1140 strupper(global_myname
);
1142 codepage_initialise(lp_client_code_page());
1144 /* Check the effective uid - make sure we are not setuid */
1145 if ((geteuid() == (uid_t
)0) && (getuid() != (uid_t
)0)) {
1146 fprintf(stderr
, "smbpasswd must *NOT* be setuid root.\n");
1150 if (local_mode
|| amroot
) {
1152 return process_root();
1155 return process_nonroot();