search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add 'net rpc join' to match the ADS equiv.
[Samba/ekacnet.git] / source / utils / smbpasswd.c
blob92136bea7a163500d2a754059618a9b48855cd19
1 /*
2 * Unix SMB/Netbios implementation.
3 * Copyright (C) Jeremy Allison 1995-1998
4 * Copyright (C) Tim Potter 2001
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
14 * more details.
15 *
16 * You should have received a copy of the GNU General Public License along with
17 * this program; if not, write to the Free Software Foundation, Inc., 675
18 * Mass Ave, Cambridge, MA 02139, USA. */
19
20 #include "includes.h"
21
22 extern pstring global_myname;
23
24 /*
25 * Next two lines needed for SunOS and don't
26 * hurt anything else...
27 */
28 extern char *optarg;
29 extern int optind;
30
31 /** forced running in root-mode **/
32 static BOOL local_mode;
33
34 /**
35 * Print command usage on stderr and die.
36 **/
37 static void usage(void)
38 {
39 printf("When run by root:\n");
40 printf(" smbpasswd [options] [username] [password]\n");
41 printf("otherwise:\n");
42 printf(" smbpasswd [options] [password]\n\n");
43
44 printf("options:\n");
45 printf(" -s use stdin for password prompt\n");
46 printf(" -D LEVEL debug level\n");
47 printf(" -U USER remote username\n");
48 printf(" -r MACHINE remote machine\n");
49
50 printf("extra options when run by root or in local mode:\n");
51 printf(" -L local mode (must be first option)\n");
52 printf(" -R ORDER name resolve order\n");
53 printf(" -j DOMAIN join domain name\n");
54 printf(" -a add user\n");
55 printf(" -x delete user\n");
56 printf(" -d disable user\n");
57 printf(" -e enable user\n");
58 printf(" -n set no password\n");
59 printf(" -m machine trust account\n");
60
61 exit(1);
62 }
63
64 /*********************************************************
65 Join a domain.
66 **********************************************************/
67 static int join_domain(char *domain, char *remote)
68 {
69 pstring remote_machine;
70 fstring trust_passwd;
71 unsigned char orig_trust_passwd_hash[16];
72 BOOL ret;
73
74 pstrcpy(remote_machine, remote ? remote : "");
75 fstrcpy(trust_passwd, global_myname);
76 strlower(trust_passwd);
77 E_md4hash( (uchar *)trust_passwd, orig_trust_passwd_hash);
78
79 /* Ensure that we are not trying to join a
80 domain if we are locally set up as a domain
81 controller. */
82
83 if(strequal(remote, global_myname)) {
84 fprintf(stderr, "Cannot join domain %s as the domain controller name is our own. We cannot be a domain controller for a domain and also be a domain member.\n", domain);
85 return 1;
86 }
87
88 /*
89 * Write the old machine account password.
90 */
91
92 if(!secrets_store_trust_account_password(domain, orig_trust_passwd_hash)) {
93 fprintf(stderr, "Unable to write the machine account password for \
94 machine %s in domain %s.\n", global_myname, domain);
95 return 1;
96 }
97
98 /*
99 * If we are given a remote machine assume this is the PDC.
100 */
101
102 if(remote == NULL) {
103 pstrcpy(remote_machine, lp_passwordserver());
104 }
105
106 if(!*remote_machine) {
107 fprintf(stderr, "No password server list given in smb.conf - \
108 unable to join domain.\n");
109 return 1;
110 }
111
112 ret = change_trust_account_password( domain, remote_machine);
113
114 if(!ret) {
115 trust_password_delete(domain);
116 fprintf(stderr,"Unable to join domain %s.\n",domain);
117 } else {
118 printf("Joined domain %s.\n",domain);
119 }
120
121 return (int)ret;
122 }
123
124
125 static void set_line_buffering(FILE *f)
126 {
127 setvbuf(f, NULL, _IOLBF, 0);
128 }
129
130 /*************************************************************
131 Utility function to prompt for passwords from stdin. Each
132 password entered must end with a newline.
133 *************************************************************/
134 static char *stdin_new_passwd(void)
135 {
136 static fstring new_passwd;
137 size_t len;
138
139 ZERO_ARRAY(new_passwd);
140
141 /*
142 * if no error is reported from fgets() and string at least contains
143 * the newline that ends the password, then replace the newline with
144 * a null terminator.
145 */
146 if ( fgets(new_passwd, sizeof(new_passwd), stdin) != NULL) {
147 if ((len = strlen(new_passwd)) > 0) {
148 if(new_passwd[len-1] == '\n')
149 new_passwd[len - 1] = 0;
150 }
151 }
152 return(new_passwd);
153 }
154
155
156 /*************************************************************
157 Utility function to get passwords via tty or stdin
158 Used if the '-s' option is set to silently get passwords
159 to enable scripting.
160 *************************************************************/
161 static char *get_pass( char *prompt, BOOL stdin_get)
162 {
163 char *p;
164 if (stdin_get) {
165 p = stdin_new_passwd();
166 } else {
167 p = getpass(prompt);
168 }
169 return smb_xstrdup(p);
170 }
171
172 /*************************************************************
173 Utility function to prompt for new password.
174 *************************************************************/
175 static char *prompt_for_new_password(BOOL stdin_get)
176 {
177 char *p;
178 fstring new_passwd;
179
180 ZERO_ARRAY(new_passwd);
181
182 p = get_pass("New SMB password:", stdin_get);
183
184 fstrcpy(new_passwd, p);
185 SAFE_FREE(p);
186
187 p = get_pass("Retype new SMB password:", stdin_get);
188
189 if (strcmp(p, new_passwd)) {
190 fprintf(stderr, "Mismatch - password unchanged.\n");
191 ZERO_ARRAY(new_passwd);
192 SAFE_FREE(p);
193 return NULL;
194 }
195
196 return p;
197 }
198
199
200 /*************************************************************
201 Change a password either locally or remotely.
202 *************************************************************/
203
204 static BOOL password_change(const char *remote_machine, char *user_name,
205 char *old_passwd, char *new_passwd, int local_flags)
206 {
207 BOOL ret;
208 pstring err_str;
209 pstring msg_str;
210
211 if (remote_machine != NULL) {
212 if (local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER|LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|
213 LOCAL_TRUST_ACCOUNT|LOCAL_SET_NO_PASSWORD)) {
214 /* these things can't be done remotely yet */
215 return False;
216 }
217 ret = remote_password_change(remote_machine, user_name,
218 old_passwd, new_passwd, err_str, sizeof(err_str));
219 if(*err_str)
220 fprintf(stderr, err_str);
221 return ret;
222 }
223
224 ret = local_password_change(user_name, local_flags, new_passwd,
225 err_str, sizeof(err_str), msg_str, sizeof(msg_str));
226
227 if(*msg_str)
228 printf(msg_str);
229 if(*err_str)
230 fprintf(stderr, err_str);
231
232 return ret;
233 }
234
235
236 /*************************************************************
237 Handle password changing for root.
238 *************************************************************/
239
240 static int process_root(int argc, char *argv[])
241 {
242 struct passwd *pwd;
243 int result = 0, ch;
244 BOOL joining_domain = False, got_pass = False, got_username = False;
245 int local_flags = LOCAL_SET_PASSWORD;
246 BOOL stdin_passwd_get = False;
247 fstring user_name, user_password;
248 char *new_domain = NULL;
249 char *new_passwd = NULL;
250 char *old_passwd = NULL;
251 char *remote_machine = NULL;
252
253 ZERO_STRUCT(user_name);
254 ZERO_STRUCT(user_password);
255
256 user_name[0] = '\0';
257
258 while ((ch = getopt(argc, argv, "axdehmnj:r:sR:D:U:L")) != EOF) {
259 switch(ch) {
260 case 'L':
261 local_mode = True;
262 break;
263 case 'a':
264 local_flags |= LOCAL_ADD_USER;
265 break;
266 case 'x':
267 local_flags |= LOCAL_DELETE_USER;
268 local_flags &= ~LOCAL_SET_PASSWORD;
269 break;
270 case 'd':
271 local_flags |= LOCAL_DISABLE_USER;
272 local_flags &= ~LOCAL_SET_PASSWORD;
273 break;
274 case 'e':
275 local_flags |= LOCAL_ENABLE_USER;
276 local_flags &= ~LOCAL_SET_PASSWORD;
277 break;
278 case 'm':
279 local_flags |= LOCAL_TRUST_ACCOUNT;
280 break;
281 case 'n':
282 local_flags |= LOCAL_SET_NO_PASSWORD;
283 local_flags &= ~LOCAL_SET_PASSWORD;
284 break;
285 case 'j':
286 new_domain = optarg;
287 strupper(new_domain);
288 joining_domain = True;
289 break;
290 case 'r':
291 remote_machine = optarg;
292 break;
293 case 's':
294 set_line_buffering(stdin);
295 set_line_buffering(stdout);
296 set_line_buffering(stderr);
297 stdin_passwd_get = True;
298 break;
299 case 'R':
300 lp_set_name_resolve_order(optarg);
301 break;
302 case 'D':
303 DEBUGLEVEL = atoi(optarg);
304 break;
305 case 'U': {
306 char *lp;
307
308 got_username = True;
309 fstrcpy(user_name, optarg);
310
311 if ((lp = strchr_m(user_name, '%'))) {
312 *lp = 0;
313 fstrcpy(user_password, lp + 1);
314 got_pass = True;
315 memset(strchr_m(optarg, '%') + 1, 'X',
316 strlen(user_password));
317 }
318
319 break;
320 }
321 case 'h':
322 default:
323 usage();
324 }
325 }
326
327 argc -= optind;
328 argv += optind;
329
330 /*
331 * Ensure both add/delete user are not set
332 * Ensure add/delete user and either remote machine or join domain are
333 * not both set.
334 */
335 if(((local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER)) == (LOCAL_ADD_USER|LOCAL_DELETE_USER)) ||
336 ((local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER)) &&
337 ((remote_machine != NULL) || joining_domain))) {
338 usage();
339 }
340
341 /* Only load interfaces if we are doing network operations. */
342
343 if (joining_domain || remote_machine) {
344 load_interfaces();
345 }
346
347 /* Join a domain */
348
349 if (joining_domain) {
350
351 if (argc != 0)
352 usage();
353
354 /* Are we joining by specifing an admin username and
355 password? */
356
357 if (user_name[0]) {
358
359 /* Get administrator password if not specified */
360
361 if (!got_pass) {
362 char *pass = getpass("Password: ");
363
364 if (pass)
365 pstrcpy(user_password, pass);
366 }
367
368 d_printf("use net rpc join to do this now.\n");
369 return 1;
370
371 } else {
372
373 /* Or just with the server manager? */
374
375 return join_domain(new_domain, remote_machine);
376 }
377 }
378
379 /*
380 * Deal with root - can add a user, but only locally.
381 */
382
383 switch(argc) {
384 case 0:
385 if (!got_username)
386 fstrcpy(user_name, "");
387 break;
388 case 1:
389 if (got_username)
390 usage();
391 fstrcpy(user_name, argv[0]);
392 break;
393 case 2:
394 if (got_username || got_pass)
395 usage();
396 fstrcpy(user_name, argv[0]);
397 new_passwd = smb_xstrdup(argv[1]);
398 break;
399 default:
400 usage();
401 }
402
403 if (!user_name[0] && (pwd = sys_getpwuid(geteuid()))) {
404 fstrcpy(user_name, pwd->pw_name);
405 }
406
407 if (!user_name[0]) {
408 fprintf(stderr,"You must specify a username\n");
409 exit(1);
410 }
411
412 if (local_flags & LOCAL_TRUST_ACCOUNT) {
413 /* add the $ automatically */
414 static fstring buf;
415
416 /*
417 * Remove any trailing '$' before we
418 * generate the initial machine password.
419 */
420
421 if (user_name[strlen(user_name)-1] == '$') {
422 user_name[strlen(user_name)-1] = 0;
423 }
424
425 if (local_flags & LOCAL_ADD_USER) {
426 SAFE_FREE(new_passwd);
427 new_passwd = smb_xstrdup(user_name);
428 strlower(new_passwd);
429 }
430
431 /*
432 * Now ensure the username ends in '$' for
433 * the machine add.
434 */
435
436 slprintf(buf, sizeof(buf)-1, "%s$", user_name);
437 fstrcpy(user_name, buf);
438 }
439
440 if (remote_machine != NULL) {
441 old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
442 }
443
444 if (!(local_flags & LOCAL_SET_PASSWORD)) {
445
446 /*
447 * If we are trying to enable a user, first we need to find out
448 * if they are using a modern version of the smbpasswd file that
449 * disables a user by just writing a flag into the file. If so
450 * then we can re-enable a user without prompting for a new
451 * password. If not (ie. they have a no stored password in the
452 * smbpasswd file) then we need to prompt for a new password.
453 */
454
455 if(local_flags & LOCAL_ENABLE_USER) {
456 SAM_ACCOUNT *sampass = NULL;
457 BOOL ret;
458
459 pdb_init_sam(&sampass);
460 ret = pdb_getsampwnam(sampass, user_name);
461 if((sampass != False) && (pdb_get_lanman_passwd(sampass) == NULL)) {
462 local_flags |= LOCAL_SET_PASSWORD;
463 }
464 pdb_free_sam(&sampass);
465 }
466 }
467
468 if(local_flags & LOCAL_SET_PASSWORD) {
469 new_passwd = prompt_for_new_password(stdin_passwd_get);
470
471 if(!new_passwd) {
472 fprintf(stderr, "Unable to get new password.\n");
473 exit(1);
474 }
475 }
476
477 if (!password_change(remote_machine, user_name, old_passwd, new_passwd, local_flags)) {
478 fprintf(stderr,"Failed to modify password entry for user %s\n", user_name);
479 result = 1;
480 goto done;
481 }
482
483 if(!(local_flags & (LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|LOCAL_DELETE_USER|LOCAL_SET_NO_PASSWORD|LOCAL_SET_PASSWORD))) {
484 SAM_ACCOUNT *sampass = NULL;
485 BOOL ret;
486
487 pdb_init_sam(&sampass);
488 ret = pdb_getsampwnam(sampass, user_name);
489
490 printf("Password changed for user %s.", user_name );
491 if( (ret != False) && (pdb_get_acct_ctrl(sampass)&ACB_DISABLED) )
492 printf(" User has disabled flag set.");
493 if((ret != False) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) )
494 printf(" User has no password flag set.");
495 printf("\n");
496 pdb_free_sam(&sampass);
497 }
498
499 done:
500 SAFE_FREE(new_passwd);
501 return result;
502 }
503
504
505 /**
506 handle password changing for non-root
507 **/
508 static int process_nonroot(int argc, char *argv[])
509 {
510 struct passwd *pwd = NULL;
511 int result = 0, ch;
512 BOOL stdin_passwd_get = False;
513 char *old_passwd = NULL;
514 char *remote_machine = NULL;
515 char *user_name = NULL;
516 char *new_passwd = NULL;
517
518 while ((ch = getopt(argc, argv, "hD:r:sU:")) != EOF) {
519 switch(ch) {
520 case 'D':
521 DEBUGLEVEL = atoi(optarg);
522 break;
523 case 'r':
524 remote_machine = optarg;
525 break;
526 case 's':
527 set_line_buffering(stdin);
528 set_line_buffering(stdout);
529 set_line_buffering(stderr);
530 stdin_passwd_get = True;
531 break;
532 case 'U':
533 user_name = optarg;
534 break;
535 default:
536 usage();
537 }
538 }
539
540 argc -= optind;
541 argv += optind;
542
543 if(argc > 1) {
544 usage();
545 }
546
547 if (argc == 1) {
548 new_passwd = argv[0];
549 }
550
551 if (!user_name) {
552 pwd = sys_getpwuid(getuid());
553 if (pwd) {
554 user_name = smb_xstrdup(pwd->pw_name);
555 } else {
556 fprintf(stderr, "smbpasswd: you don't exist - go away\n");
557 exit(1);
558 }
559 }
560
561 /*
562 * A non-root user is always setting a password
563 * via a remote machine (even if that machine is
564 * localhost).
565 */
566
567 load_interfaces(); /* Delayed from main() */
568
569 if (remote_machine == NULL) {
570 remote_machine = "127.0.0.1";
571 }
572
573 if (remote_machine != NULL) {
574 old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
575 }
576
577 if (!new_passwd) {
578 new_passwd = prompt_for_new_password(stdin_passwd_get);
579 }
580
581 if (!new_passwd) {
582 fprintf(stderr, "Unable to get new password.\n");
583 exit(1);
584 }
585
586 if (!password_change(remote_machine, user_name, old_passwd, new_passwd, 0)) {
587 fprintf(stderr,"Failed to change password for %s\n", user_name);
588 result = 1;
589 goto done;
590 }
591
592 printf("Password changed for user %s\n", user_name);
593
594 done:
595 SAFE_FREE(old_passwd);
596 SAFE_FREE(new_passwd);
597
598 return result;
599 }
600
601
602
603 /*********************************************************
604 Start here.
605 **********************************************************/
606 int main(int argc, char **argv)
607 {
608 #if defined(HAVE_SET_AUTH_PARAMETERS)
609 set_auth_parameters(argc, argv);
610 #endif /* HAVE_SET_AUTH_PARAMETERS */
611
612 setup_logging("smbpasswd", True);
613
614 if(!initialize_password_db(True)) {
615 fprintf(stderr, "Can't setup password database vectors.\n");
616 exit(1);
617 }
618
619 if (!lp_load(dyn_CONFIGFILE,True,False,False)) {
620 fprintf(stderr, "Can't load %s - run testparm to debug it\n",
621 dyn_CONFIGFILE);
622 exit(1);
623 }
624
625 /*
626 * Set the machine NETBIOS name if not already
627 * set from the config file.
628 */
629
630 if (!*global_myname) {
631 char *p;
632 fstrcpy(global_myname, myhostname());
633 p = strchr_m(global_myname, '.' );
634 if (p) *p = 0;
635 }
636 strupper(global_myname);
637
638 /* Check the effective uid - make sure we are not setuid */
639 if (is_setuid_root()) {
640 fprintf(stderr, "smbpasswd must *NOT* be setuid root.\n");
641 exit(1);
642 }
643
644 /* pre-check for local mode option as first option. We can't
645 do this via normal getopt as getopt can't be called
646 twice. */
647 if (argc > 1 && strcmp(argv[1], "-L") == 0) {
648 local_mode = True;
649 }
650
651 if (local_mode || getuid() == 0) {
652 secrets_init();
653 return process_root(argc, argv);
654 }
655
656 return process_nonroot(argc, argv);
657 }