2 * Unix SMB/Netbios implementation. Version 1.9. smbpasswd module. Copyright
3 * (C) Jeremy Allison 1995-1998
5 * This program is free software; you can redistribute it and/or modify it under
6 * the terms of the GNU General Public License as published by the Free
7 * Software Foundation; either version 2 of the License, or (at your option)
10 * This program is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
15 * You should have received a copy of the GNU General Public License along with
16 * this program; if not, write to the Free Software Foundation, Inc., 675
17 * Mass Ave, Cambridge, MA 02139, USA.
23 extern pstring myhostname
;
24 extern pstring global_myname
;
25 extern fstring global_myworkgroup
;
27 static char *prog_name
;
29 /*********************************************************
30 Print command usage on stderr and die.
31 **********************************************************/
33 static void usage(char *name
, BOOL is_root
)
36 fprintf(stderr
, "Usage is : %s [-D DEBUGLEVEL] [-a] [-d] [-e] [-m] [-n] [username] [password]\n\
37 %s: [-R <name resolve order>] [-D DEBUGLEVEL] [-j DOMAINNAME] [-r machine] [-U remote_username] [username] [password]\n%s: [-h]\n", name
, name
, name
);
39 fprintf(stderr
, "Usage is : %s [-h] [-D DEBUGLEVEL] [-r machine] [-U remote_username] [password]\n", name
);
43 /*********************************************************
45 **********************************************************/
47 static int join_domain( char *domain
, char *remote
)
49 pstring remote_machine
;
51 unsigned char orig_trust_passwd_hash
[16];
54 pstrcpy(remote_machine
, remote
? remote
: "");
55 fstrcpy(trust_passwd
, global_myname
);
56 strlower(trust_passwd
);
57 E_md4hash( (uchar
*)trust_passwd
, orig_trust_passwd_hash
);
59 /* Ensure that we are not trying to join a
60 domain if we are locally set up as a domain
63 if(lp_domain_controller() && strequal(lp_workgroup(), domain
)) {
64 fprintf(stderr
, "%s: Cannot join domain %s as we already configured as \
65 domain controller for that domain.\n", prog_name
, domain
);
70 * Create the machine account password file.
72 if(!trust_password_lock( domain
, global_myname
, True
)) {
73 fprintf(stderr
, "%s: unable to open the machine account password file for \
74 machine %s in domain %s.\n", prog_name
, global_myname
, domain
);
79 * Write the old machine account password.
82 if(!set_trust_account_password( orig_trust_passwd_hash
)) {
83 fprintf(stderr
, "%s: unable to write the machine account password for \
84 machine %s in domain %s.\n", prog_name
, global_myname
, domain
);
85 trust_password_unlock();
90 * If we are given a remote machine assume this is the PDC.
94 pstrcpy(remote_machine
, lp_passwordserver());
96 if(!*remote_machine
) {
97 fprintf(stderr
, "%s: No password server list given in smb.conf - \
98 unable to join domain.\n", prog_name
);
99 trust_password_unlock();
103 ret
= change_trust_account_password( domain
, remote_machine
);
104 trust_password_unlock();
107 trust_password_delete( domain
, global_myname
);
108 fprintf(stderr
,"%s: Unable to join domain %s.\n", prog_name
, domain
);
110 printf("%s: Joined domain %s.\n", prog_name
, domain
);
116 /*************************************************************
117 Utility function to create password hashes.
118 *************************************************************/
120 static void create_new_hashes( char *new_passwd
, uchar
*new_p16
, uchar
*new_nt_p16
)
122 memset(new_nt_p16
, '\0', 16);
123 E_md4hash((uchar
*) new_passwd
, new_nt_p16
);
125 /* Mangle the password into Lanman format */
126 new_passwd
[14] = '\0';
127 strupper(new_passwd
);
130 * Calculate the SMB (lanman) hash functions of the new password.
133 memset(new_p16
, '\0', 16);
134 E_P16((uchar
*) new_passwd
, new_p16
);
137 /*************************************************************
138 Utility function to prompt for new password.
139 *************************************************************/
141 static void prompt_for_new_password(char *new_passwd
)
145 new_passwd
[0] = '\0';
147 p
= getpass("New SMB password:");
149 strncpy(new_passwd
, p
, sizeof(fstring
));
150 new_passwd
[sizeof(fstring
)-1] = '\0';
152 p
= getpass("Retype new SMB password:");
154 if (strncmp(p
, new_passwd
, sizeof(fstring
)-1))
156 fprintf(stderr
, "%s: Mismatch - password unchanged.\n", prog_name
);
160 if (new_passwd
[0] == '\0') {
161 printf("Password not set\n");
166 /*********************************************************
168 **********************************************************/
170 int main(int argc
, char **argv
)
174 extern int DEBUGLEVEL
;
176 struct passwd
*pwd
= NULL
;
180 uchar new_nt_p16
[16];
182 struct smb_passwd
*smb_pwent
;
186 BOOL is_root
= False
;
188 BOOL remote_user_name
= False
;
189 char *remote_machine
= NULL
;
190 BOOL add_user
= False
;
191 BOOL got_new_pass
= False
;
192 BOOL trust_account
= False
;
193 BOOL disable_user
= False
;
194 BOOL enable_user
= False
;
195 BOOL set_no_password
= False
;
196 BOOL joining_domain
= False
;
197 char *new_domain
= NULL
;
198 pstring servicesf
= CONFIGFILE
;
200 struct nmb_name calling
, called
;
203 new_passwd
[0] = '\0';
206 memset(old_passwd
, '\0', sizeof(old_passwd
));
207 memset(new_passwd
, '\0', sizeof(new_passwd
));
213 setup_logging(prog_name
,True
);
215 charset_initialise();
217 if(!initialize_password_db()) {
218 fprintf(stderr
, "%s: Can't setup password database vectors.\n", prog_name
);
222 if (!lp_load(servicesf
,True
,False
,False
)) {
223 fprintf(stderr
, "%s: Can't load %s - run testparm to debug it\n", prog_name
, servicesf
);
227 if(!get_myname(myhostname
,NULL
)) {
228 fprintf(stderr
, "%s: unable to get my hostname.\n", prog_name
);
233 * Set the machine NETBIOS name if not already
234 * set from the config file.
239 fstrcpy( global_myname
, myhostname
);
240 p
= strchr( global_myname
, '.' );
244 strupper( global_myname
);
246 codepage_initialise(lp_client_code_page());
248 /* Get the real uid */
251 /* Check the effective uid */
252 if ((geteuid() == 0) && (real_uid
!= 0)) {
253 fprintf(stderr
, "%s: Must *NOT* be setuid root.\n", prog_name
);
257 is_root
= (real_uid
== 0);
259 while ((ch
= getopt(argc
, argv
, "adehmnj:r:R:D:U:")) != EOF
) {
265 usage(prog_name
, is_root
);
271 fstrcpy(new_passwd
, "XXXXXX");
273 usage(prog_name
, is_root
);
279 fstrcpy(new_passwd
, "XXXXXX");
281 usage(prog_name
, is_root
);
284 DEBUGLEVEL
= atoi(optarg
);
288 set_no_password
= True
;
290 fstrcpy(new_passwd
, "NO PASSWORD");
292 usage(prog_name
, is_root
);
294 remote_machine
= optarg
;
298 lp_set_name_resolve_order(optarg
);
301 usage(prog_name
, is_root
);
304 trust_account
= True
;
306 usage(prog_name
, is_root
);
311 strupper(new_domain
);
312 joining_domain
= True
;
314 usage(prog_name
, is_root
);
317 remote_user_name
= True
;
318 pstrcpy(user_name
, optarg
);
322 usage(prog_name
, is_root
);
329 if (!is_root
&& remote_user_name
&& !remote_machine
) {
330 fprintf(stderr
, "%s: You can only use -U with -r.\n", prog_name
);
331 usage(prog_name
, False
);
335 * Ensure add_user and either remote machine or join domain are
339 if(add_user
&& ((remote_machine
!= NULL
) || joining_domain
))
340 usage(prog_name
, True
);
343 * Deal with joining a domain.
345 if(joining_domain
&& argc
!= 0)
346 usage(prog_name
, True
);
349 return join_domain( new_domain
, remote_machine
);
355 * Deal with root - can add a user, but only locally.
362 /* If we are root we can change another's password. */
363 pstrcpy(user_name
, argv
[0]);
366 pstrcpy(user_name
, argv
[0]);
367 fstrcpy(new_passwd
, argv
[1]);
371 usage(prog_name
, True
);
377 int username_len
= strlen(user_name
);
378 if(username_len
>= sizeof(pstring
) - 1) {
379 fprintf(stderr
, "%s: machine account name too long.\n", user_name
);
383 if(user_name
[username_len
-1] != '$') {
384 user_name
[username_len
] = '$';
385 user_name
[username_len
+1] = '\0';
389 if(!remote_machine
&& ((pwd
= Get_Pwnam(user_name
, True
)) == NULL
)) {
390 fprintf(stderr
, "%s: User \"%s\" was not found in system password file.\n",
391 prog_name
, user_name
);
395 if((pwd
= getpwuid(real_uid
)) != NULL
)
396 pstrcpy( user_name
, pwd
->pw_name
);
402 fprintf(stderr
, "%s: Only root can add a user.\n", prog_name
);
403 usage(prog_name
, False
);
407 fprintf(stderr
, "%s: Only root can disable a user.\n", prog_name
);
408 usage(prog_name
, False
);
412 fprintf(stderr
, "%s: Only root can enable a user.\n", prog_name
);
413 usage(prog_name
, False
);
417 usage(prog_name
, False
);
420 fstrcpy(new_passwd
, argv
[0]);
424 if(!remote_user_name
&& ((pwd
= getpwuid(real_uid
)) != NULL
))
425 pstrcpy( user_name
, pwd
->pw_name
);
428 * A non-root user is always setting a password
429 * via a remote machine (even if that machine is
433 if(remote_machine
== NULL
)
434 remote_machine
= "127.0.0.1";
437 if (*user_name
== '\0') {
438 fprintf(stderr
, "%s: Unable to get a user name for password change.\n", prog_name
);
443 * If we are adding a machine account then pretend
444 * we already have the new password, we will be using
445 * the machinename as the password.
448 if(add_user
&& trust_account
) {
450 strncpy(new_passwd
, user_name
, sizeof(fstring
));
451 new_passwd
[sizeof(fstring
)-1] = '\0';
452 strlower(new_passwd
);
453 if(new_passwd
[strlen(new_passwd
)-1] == '$')
454 new_passwd
[strlen(new_passwd
)-1] = '\0';
458 * If we are root we don't ask for the old password (unless it's on a
462 if (remote_machine
!= NULL
) {
463 p
= getpass("Old SMB password:");
464 fstrcpy(old_passwd
, p
);
468 prompt_for_new_password(new_passwd
);
470 if (new_passwd
[0] == '\0') {
471 printf("Password not set\n");
476 * Now do things differently depending on if we're changing the
477 * password on a remote machine. Remember - a normal user is
478 * always using this code, looping back to the local smbd.
481 if(remote_machine
!= NULL
) {
482 struct cli_state cli
;
485 if(!resolve_name( remote_machine
, &ip
)) {
486 fprintf(stderr
, "%s: unable to find an IP address for machine %s.\n",
487 prog_name
, remote_machine
);
493 if (!cli_initialise(&cli
) || !cli_connect(&cli
, remote_machine
, &ip
)) {
494 fprintf(stderr
, "%s: unable to connect to SMB server on machine %s. Error was : %s.\n",
495 prog_name
, remote_machine
, cli_errstr(&cli
) );
499 make_nmb_name(&calling
, global_myname
, 0x0 , scope
);
500 make_nmb_name(&called
, remote_machine
, 0x20, scope
);
502 if (!cli_session_request(&cli
, &calling
, &called
))
504 fprintf(stderr
, "%s: machine %s rejected the session setup. Error was : %s.\n",
505 prog_name
, remote_machine
, cli_errstr(&cli
) );
510 cli
.protocol
= PROTOCOL_NT1
;
512 if (!cli_negprot(&cli
)) {
513 fprintf(stderr
, "%s: machine %s rejected the negotiate protocol. Error was : %s.\n",
514 prog_name
, remote_machine
, cli_errstr(&cli
) );
519 if (!cli_session_setup(&cli
, user_name
, old_passwd
, strlen(old_passwd
),
521 fprintf(stderr
, "%s: machine %s rejected the session setup. Error was : %s.\n",
522 prog_name
, remote_machine
, cli_errstr(&cli
) );
527 if (!cli_send_tconX(&cli
, "IPC$", "IPC", "", 1)) {
528 fprintf(stderr
, "%s: machine %s rejected the tconX on the IPC$ share. Error was : %s.\n",
529 prog_name
, remote_machine
, cli_errstr(&cli
) );
534 if(!cli_oem_change_password(&cli
, user_name
, new_passwd
, old_passwd
)) {
535 fprintf(stderr
, "%s: machine %s rejected the password change: Error was : %s.\n",
536 prog_name
, remote_machine
, cli_errstr(&cli
) );
546 * Check for a machine account.
549 if(trust_account
&& !pwd
) {
550 fprintf(stderr
, "%s: User %s does not exist in system password file \
551 (usually /etc/passwd). Cannot add machine account without a valid system user.\n",
552 prog_name
, user_name
);
556 /* Calculate the MD4 hash (NT compatible) of the new password. */
558 create_new_hashes( new_passwd
, new_p16
, new_nt_p16
);
561 * Open the smbpaswd file.
563 vp
= startsmbpwent(True
);
564 if (!vp
&& errno
== ENOENT
) {
565 fprintf(stderr
,"%s: smbpasswd file did not exist - attempting to create it.\n", prog_name
);
566 fp
= fopen(lp_smb_passwd_file(), "w");
568 fprintf(fp
, "# Samba SMB password file\n");
570 vp
= startsmbpwent(True
);
575 fprintf(stderr
, "%s: Failed to open password file %s.\n",
576 prog_name
, lp_smb_passwd_file());
582 /* Get the smb passwd entry for this user */
583 smb_pwent
= getsmbpwnam(user_name
);
584 if (smb_pwent
== NULL
) {
585 if(add_user
== False
) {
586 fprintf(stderr
, "%s: Failed to find entry for user %s.\n",
587 prog_name
, pwd
->pw_name
);
592 /* Create a new smb passwd entry and set it to the given password. */
594 struct smb_passwd new_smb_pwent
;
596 new_smb_pwent
.smb_userid
= pwd
->pw_uid
;
597 new_smb_pwent
.smb_name
= pwd
->pw_name
;
598 new_smb_pwent
.smb_passwd
= NULL
;
599 new_smb_pwent
.smb_nt_passwd
= NULL
;
600 new_smb_pwent
.acct_ctrl
= (trust_account
? ACB_WSTRUST
: ACB_NORMAL
);
603 new_smb_pwent
.acct_ctrl
|= ACB_DISABLED
;
604 } else if (set_no_password
) {
605 new_smb_pwent
.acct_ctrl
|= ACB_PWNOTREQ
;
607 new_smb_pwent
.smb_passwd
= new_p16
;
608 new_smb_pwent
.smb_nt_passwd
= new_nt_p16
;
611 if(add_smbpwd_entry(&new_smb_pwent
) == False
) {
612 fprintf(stderr
, "%s: Failed to add entry for user %s.\n",
613 prog_name
, pwd
->pw_name
);
619 printf("%s: Added user %s.\n", prog_name
, user_name
);
623 /* the entry already existed */
628 * We are root - just write the new password
629 * and the valid last change time.
633 smb_pwent
->acct_ctrl
|= ACB_DISABLED
;
634 else if (enable_user
) {
635 if(smb_pwent
->smb_passwd
== NULL
) {
636 prompt_for_new_password(new_passwd
);
637 create_new_hashes( new_passwd
, new_p16
, new_nt_p16
);
638 smb_pwent
->smb_passwd
= new_p16
;
639 smb_pwent
->smb_nt_passwd
= new_nt_p16
;
641 smb_pwent
->acct_ctrl
&= ~ACB_DISABLED
;
642 } else if (set_no_password
) {
643 smb_pwent
->acct_ctrl
|= ACB_PWNOTREQ
;
644 /* This is needed to preserve ACB_PWNOTREQ in mod_smbfilepwd_entry */
645 smb_pwent
->smb_passwd
= NULL
;
646 smb_pwent
->smb_nt_passwd
= NULL
;
648 smb_pwent
->acct_ctrl
&= ~ACB_PWNOTREQ
;
649 smb_pwent
->smb_passwd
= new_p16
;
650 smb_pwent
->smb_nt_passwd
= new_nt_p16
;
653 if(mod_smbpwd_entry(smb_pwent
,True
) == False
) {
654 fprintf(stderr
, "%s: Failed to modify entry for user %s.\n",
655 prog_name
, pwd
->pw_name
);
662 printf("User %s disabled.\n", user_name
);
664 printf("User %s enabled.\n", user_name
);
665 else if (set_no_password
)
666 printf("User %s - set to no password.\n", user_name
);
668 printf("Password changed for user %s.\n", user_name
);