search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixes from Toomas Soome <tsoome@ut.ee> code unicode problems, plus
[Samba.git] / source / utils / smbpasswd.c
blob524cd5b8ad0b84aeca95dd612366c0d226b70911
1 /*
2 * Unix SMB/Netbios implementation. Version 1.9. smbpasswd module. Copyright
3 * (C) Jeremy Allison 1995-1998
4 *
5 * This program is free software; you can redistribute it and/or modify it under
6 * the terms of the GNU General Public License as published by the Free
7 * Software Foundation; either version 2 of the License, or (at your option)
8 * any later version.
9 *
10 * This program is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * more details.
14 *
15 * You should have received a copy of the GNU General Public License along with
16 * this program; if not, write to the Free Software Foundation, Inc., 675
17 * Mass Ave, Cambridge, MA 02139, USA.
18 */
19
20 #include "includes.h"
21
22 extern pstring global_myname;
23 extern int DEBUGLEVEL;
24
25 /*
26 * Next two lines needed for SunOS and don't
27 * hurt anything else...
28 */
29 extern char *optarg;
30 extern int optind;
31
32 /*********************************************************
33 a strdup with exit
34 **********************************************************/
35 static char *xstrdup(char *s)
36 {
37 s = strdup(s);
38 if (!s) {
39 fprintf(stderr,"out of memory\n");
40 exit(1);
41 }
42 return s;
43 }
44
45
46 /*********************************************************
47 Print command usage on stderr and die.
48 **********************************************************/
49 static void usage(void)
50 {
51 if (getuid() == 0) {
52 printf("smbpasswd [options] [username] [password]\n");
53 } else {
54 printf("smbpasswd [options] [password]\n");
55 }
56 printf("options:\n");
57 printf(" -s use stdin for password prompt\n");
58 printf(" -D LEVEL debug level\n");
59 printf(" -U USER remote username\n");
60 printf(" -r MACHINE remote machine\n");
61
62 if (getuid() == 0) {
63 printf(" -R ORDER name resolve order\n");
64 printf(" -j DOMAIN join domain name\n");
65 printf(" -a add user\n");
66 printf(" -x delete user\n");
67 printf(" -d disable user\n");
68 printf(" -e enable user\n");
69 printf(" -n set no password\n");
70 printf(" -m machine trust account\n");
71 }
72 exit(1);
73 }
74
75 /*********************************************************
76 Join a domain.
77 **********************************************************/
78 static int join_domain(char *domain, char *remote)
79 {
80 pstring remote_machine;
81 fstring trust_passwd;
82 unsigned char orig_trust_passwd_hash[16];
83 BOOL ret;
84
85 pstrcpy(remote_machine, remote ? remote : "");
86 fstrcpy(trust_passwd, global_myname);
87 strlower(trust_passwd);
88 E_md4hash( (uchar *)trust_passwd, orig_trust_passwd_hash);
89
90 /* Ensure that we are not trying to join a
91 domain if we are locally set up as a domain
92 controller. */
93
94 if(strequal(remote, global_myname)) {
95 fprintf(stderr, "Cannot join domain %s as the domain controller name is our own. We cannot be a domain controller for a domain and also be a domain member.\n", domain);
96 return 1;
97 }
98
99 /*
100 * Write the old machine account password.
101 */
102
103 if(!secrets_store_trust_account_password(domain, orig_trust_passwd_hash)) {
104 fprintf(stderr, "Unable to write the machine account password for \
105 machine %s in domain %s.\n", global_myname, domain);
106 return 1;
107 }
108
109 /*
110 * If we are given a remote machine assume this is the PDC.
111 */
112
113 if(remote == NULL) {
114 pstrcpy(remote_machine, lp_passwordserver());
115 }
116
117 if(!*remote_machine) {
118 fprintf(stderr, "No password server list given in smb.conf - \
119 unable to join domain.\n");
120 return 1;
121 }
122
123 ret = change_trust_account_password( domain, remote_machine);
124
125 if(!ret) {
126 trust_password_delete(domain);
127 fprintf(stderr,"Unable to join domain %s.\n",domain);
128 } else {
129 printf("Joined domain %s.\n",domain);
130 }
131
132 return (int)ret;
133 }
134
135
136 static void set_line_buffering(FILE *f)
137 {
138 setvbuf(f, NULL, _IOLBF, 0);
139 }
140
141 /*************************************************************
142 Utility function to prompt for passwords from stdin. Each
143 password entered must end with a newline.
144 *************************************************************/
145 static char *stdin_new_passwd(void)
146 {
147 static fstring new_passwd;
148 size_t len;
149
150 ZERO_ARRAY(new_passwd);
151
152 /*
153 * if no error is reported from fgets() and string at least contains
154 * the newline that ends the password, then replace the newline with
155 * a null terminator.
156 */
157 if ( fgets(new_passwd, sizeof(new_passwd), stdin) != NULL) {
158 if ((len = strlen(new_passwd)) > 0) {
159 if(new_passwd[len-1] == '\n')
160 new_passwd[len - 1] = 0;
161 }
162 }
163 return(new_passwd);
164 }
165
166
167 /*************************************************************
168 Utility function to get passwords via tty or stdin
169 Used if the '-s' option is set to silently get passwords
170 to enable scripting.
171 *************************************************************/
172 static char *get_pass( char *prompt, BOOL stdin_get)
173 {
174 char *p;
175 if (stdin_get) {
176 p = stdin_new_passwd();
177 } else {
178 p = getpass(prompt);
179 }
180 return xstrdup(p);
181 }
182
183 /*************************************************************
184 Utility function to prompt for new password.
185 *************************************************************/
186 static char *prompt_for_new_password(BOOL stdin_get)
187 {
188 char *p;
189 fstring new_passwd;
190
191 ZERO_ARRAY(new_passwd);
192
193 p = get_pass("New SMB password:", stdin_get);
194
195 fstrcpy(new_passwd, p);
196 safe_free(p);
197
198 p = get_pass("Retype new SMB password:", stdin_get);
199
200 if (strcmp(p, new_passwd)) {
201 fprintf(stderr, "Mismatch - password unchanged.\n");
202 ZERO_ARRAY(new_passwd);
203 safe_free(p);
204 return NULL;
205 }
206
207 return p;
208 }
209
210
211 /*************************************************************
212 Change a password either locally or remotely.
213 *************************************************************/
214
215 static BOOL password_change(const char *remote_machine, char *user_name,
216 char *old_passwd, char *new_passwd, int local_flags)
217 {
218 BOOL ret;
219 pstring err_str;
220 pstring msg_str;
221
222 if (remote_machine != NULL) {
223 if (local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER|LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|
224 LOCAL_TRUST_ACCOUNT|LOCAL_SET_NO_PASSWORD)) {
225 /* these things can't be done remotely yet */
226 return False;
227 }
228 ret = remote_password_change(remote_machine, user_name,
229 old_passwd, new_passwd, err_str, sizeof(err_str));
230 if(*err_str)
231 fprintf(stderr, err_str);
232 return ret;
233 }
234
235 ret = local_password_change(user_name, local_flags, new_passwd,
236 err_str, sizeof(err_str), msg_str, sizeof(msg_str));
237
238 if(*msg_str)
239 printf(msg_str);
240 if(*err_str)
241 fprintf(stderr, err_str);
242
243 return ret;
244 }
245
246
247 /*************************************************************
248 Handle password changing for root.
249 *************************************************************/
250
251 static int process_root(int argc, char *argv[])
252 {
253 struct passwd *pwd;
254 int result = 0, ch;
255 BOOL joining_domain = False;
256 int local_flags = 0;
257 BOOL stdin_passwd_get = False;
258 char *user_name = NULL;
259 char *new_domain = NULL;
260 char *new_passwd = NULL;
261 char *old_passwd = NULL;
262 char *remote_machine = NULL;
263
264 while ((ch = getopt(argc, argv, "ax:d:e:mnj:r:sR:D:U:")) != EOF) {
265 switch(ch) {
266 case 'a':
267 local_flags |= LOCAL_ADD_USER;
268 break;
269 case 'x':
270 local_flags |= LOCAL_DELETE_USER;
271 user_name = optarg;
272 new_passwd = xstrdup("XXXXXX");
273 break;
274 case 'd':
275 local_flags |= LOCAL_DISABLE_USER;
276 user_name = optarg;
277 new_passwd = xstrdup("XXXXXX");
278 break;
279 case 'e':
280 local_flags |= LOCAL_ENABLE_USER;
281 user_name = optarg;
282 break;
283 case 'm':
284 local_flags |= LOCAL_TRUST_ACCOUNT;
285 break;
286 case 'n':
287 local_flags |= LOCAL_SET_NO_PASSWORD;
288 new_passwd = xstrdup("NO PASSWORD");
289 break;
290 case 'j':
291 new_domain = optarg;
292 strupper(new_domain);
293 joining_domain = True;
294 break;
295 case 'r':
296 remote_machine = optarg;
297 break;
298 case 's':
299 set_line_buffering(stdin);
300 set_line_buffering(stdout);
301 set_line_buffering(stderr);
302 stdin_passwd_get = True;
303 break;
304 case 'R':
305 lp_set_name_resolve_order(optarg);
306 break;
307 case 'D':
308 DEBUGLEVEL = atoi(optarg);
309 break;
310 case 'U':
311 user_name = optarg;
312 break;
313 default:
314 usage();
315 }
316 }
317
318 argc -= optind;
319 argv += optind;
320
321 /*
322 * Ensure add/delete user and either remote machine or join domain are
323 * not both set.
324 */
325 if((local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER)) && ((remote_machine != NULL) || joining_domain)) {
326 usage();
327 }
328
329 /* Only load interfaces if we are doing network operations. */
330
331 if (joining_domain || remote_machine) {
332 load_interfaces();
333 }
334
335 if(joining_domain) {
336 if (argc != 0)
337 usage();
338 return join_domain(new_domain, remote_machine);
339 }
340
341 /*
342 * Deal with root - can add a user, but only locally.
343 */
344
345 switch(argc) {
346 case 0:
347 break;
348 case 1:
349 user_name = argv[0];
350 break;
351 case 2:
352 user_name = argv[0];
353 new_passwd = xstrdup(argv[1]);
354 break;
355 default:
356 usage();
357 }
358
359 if (!user_name && (pwd = sys_getpwuid(0))) {
360 user_name = xstrdup(pwd->pw_name);
361 }
362
363 if (!user_name) {
364 fprintf(stderr,"You must specify a username\n");
365 exit(1);
366 }
367
368 if (local_flags & LOCAL_TRUST_ACCOUNT) {
369 /* add the $ automatically */
370 static fstring buf;
371
372 /*
373 * Remove any trailing '$' before we
374 * generate the initial machine password.
375 */
376
377 if (user_name[strlen(user_name)-1] == '$') {
378 user_name[strlen(user_name)-1] = 0;
379 }
380
381 if (local_flags & LOCAL_ADD_USER) {
382 safe_free(new_passwd);
383 new_passwd = xstrdup(user_name);
384 strlower(new_passwd);
385 }
386
387 /*
388 * Now ensure the username ends in '$' for
389 * the machine add.
390 */
391
392 slprintf(buf, sizeof(buf)-1, "%s$", user_name);
393 user_name = buf;
394 }
395
396 if (remote_machine != NULL) {
397 old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
398 }
399
400 if (!new_passwd) {
401
402 /*
403 * If we are trying to enable a user, first we need to find out
404 * if they are using a modern version of the smbpasswd file that
405 * disables a user by just writing a flag into the file. If so
406 * then we can re-enable a user without prompting for a new
407 * password. If not (ie. they have a no stored password in the
408 * smbpasswd file) then we need to prompt for a new password.
409 */
410
411 if(local_flags & LOCAL_ENABLE_USER) {
412 struct smb_passwd *smb_pass = getsmbpwnam(user_name);
413 if((smb_pass != NULL) && (smb_pass->smb_passwd != NULL)) {
414 new_passwd = xstrdup("XXXX"); /* Don't care. */
415 }
416 }
417
418 if(!new_passwd)
419 new_passwd = prompt_for_new_password(stdin_passwd_get);
420
421 if(!new_passwd) {
422 fprintf(stderr, "Unable to get new password.\n");
423 exit(1);
424 }
425 }
426
427 if (!password_change(remote_machine, user_name, old_passwd, new_passwd, local_flags)) {
428 fprintf(stderr,"Failed to modify password entry for user %s\n", user_name);
429 result = 1;
430 goto done;
431 }
432
433 if(!(local_flags & (LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|LOCAL_DELETE_USER|LOCAL_SET_NO_PASSWORD))) {
434 struct smb_passwd *smb_pass = getsmbpwnam(user_name);
435 printf("Password changed for user %s.", user_name );
436 if((smb_pass != NULL) && (smb_pass->acct_ctrl & ACB_DISABLED ))
437 printf(" User has disabled flag set.");
438 if((smb_pass != NULL) && (smb_pass->acct_ctrl & ACB_PWNOTREQ))
439 printf(" User has no password flag set.");
440 printf("\n");
441 }
442
443 done:
444 safe_free(new_passwd);
445 return result;
446 }
447
448
449 /*************************************************************
450 handle password changing for non-root
451 *************************************************************/
452 static int process_nonroot(int argc, char *argv[])
453 {
454 struct passwd *pwd = NULL;
455 int result = 0, ch;
456 BOOL stdin_passwd_get = False;
457 char *old_passwd = NULL;
458 char *remote_machine = NULL;
459 char *user_name = NULL;
460 char *new_passwd = NULL;
461
462 while ((ch = getopt(argc, argv, "hD:r:sU:")) != EOF) {
463 switch(ch) {
464 case 'D':
465 DEBUGLEVEL = atoi(optarg);
466 break;
467 case 'r':
468 remote_machine = optarg;
469 break;
470 case 's':
471 set_line_buffering(stdin);
472 set_line_buffering(stdout);
473 set_line_buffering(stderr);
474 stdin_passwd_get = True;
475 break;
476 case 'U':
477 user_name = optarg;
478 break;
479 default:
480 usage();
481 }
482 }
483
484 argc -= optind;
485 argv += optind;
486
487 if(argc > 1) {
488 usage();
489 }
490
491 if (argc == 1) {
492 new_passwd = argv[0];
493 }
494
495 if (!user_name) {
496 pwd = sys_getpwuid(getuid());
497 if (pwd) {
498 user_name = xstrdup(pwd->pw_name);
499 } else {
500 fprintf(stderr,"you don't exist - go away\n");
501 exit(1);
502 }
503 }
504
505 /*
506 * A non-root user is always setting a password
507 * via a remote machine (even if that machine is
508 * localhost).
509 */
510
511 load_interfaces(); /* Delayed from main() */
512
513 if (remote_machine == NULL) {
514 remote_machine = "127.0.0.1";
515 }
516
517 if (remote_machine != NULL) {
518 old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
519 }
520
521 if (!new_passwd) {
522 new_passwd = prompt_for_new_password(stdin_passwd_get);
523 }
524
525 if (!new_passwd) {
526 fprintf(stderr, "Unable to get new password.\n");
527 exit(1);
528 }
529
530 if (!password_change(remote_machine, user_name, old_passwd, new_passwd, 0)) {
531 fprintf(stderr,"Failed to change password for %s\n", user_name);
532 result = 1;
533 goto done;
534 }
535
536 printf("Password changed for user %s\n", user_name);
537
538 done:
539 safe_free(old_passwd);
540 safe_free(new_passwd);
541
542 return result;
543 }
544
545
546
547 /*********************************************************
548 Start here.
549 **********************************************************/
550 int main(int argc, char **argv)
551 {
552 static pstring servicesf = CONFIGFILE;
553
554 #if defined(HAVE_SET_AUTH_PARAMETERS)
555 set_auth_parameters(argc, argv);
556 #endif /* HAVE_SET_AUTH_PARAMETERS */
557
558 TimeInit();
559
560 setup_logging("smbpasswd", True);
561
562 charset_initialise();
563
564 if(!initialize_password_db()) {
565 fprintf(stderr, "Can't setup password database vectors.\n");
566 exit(1);
567 }
568
569 if (!lp_load(servicesf,True,False,False)) {
570 fprintf(stderr, "Can't load %s - run testparm to debug it\n",
571 servicesf);
572 exit(1);
573 }
574
575 /*
576 * Set the machine NETBIOS name if not already
577 * set from the config file.
578 */
579
580 if (!*global_myname) {
581 char *p;
582 fstrcpy(global_myname, myhostname());
583 p = strchr(global_myname, '.' );
584 if (p) *p = 0;
585 }
586 strupper(global_myname);
587
588 codepage_initialise(lp_client_code_page());
589
590 secrets_init();
591
592 /* Check the effective uid - make sure we are not setuid */
593 if ((geteuid() == (uid_t)0) && (getuid() != (uid_t)0)) {
594 fprintf(stderr, "smbpasswd must *NOT* be setuid root.\n");
595 exit(1);
596 }
597
598 if (getuid() == 0) {
599 return process_root(argc, argv);
600 }
601
602 return process_nonroot(argc, argv);
603 }
Samba GIT mirror