search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Arrrgh, one more fix. Restores of long file names were
[Samba/gebeck_regimport.git] / source3 / utils / smbpasswd.c
blobc9742fc4987172aba37d165f773798f4bc1eb568
1 /*
2 * Unix SMB/Netbios implementation. Version 1.9. smbpasswd module. Copyright
3 * (C) Jeremy Allison 1995-1998
4 *
5 * This program is free software; you can redistribute it and/or modify it under
6 * the terms of the GNU General Public License as published by the Free
7 * Software Foundation; either version 2 of the License, or (at your option)
8 * any later version.
9 *
10 * This program is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * more details.
14 *
15 * You should have received a copy of the GNU General Public License along with
16 * this program; if not, write to the Free Software Foundation, Inc., 675
17 * Mass Ave, Cambridge, MA 02139, USA.
18 */
19
20 #include "includes.h"
21
22 extern pstring myhostname;
23 extern pstring global_myname;
24 extern fstring global_myworkgroup;
25
26 static char *prog_name;
27
28 /*********************************************************
29 Print command usage on stderr and die.
30 **********************************************************/
31
32 static void usage(char *name, BOOL is_root)
33 {
34 if(is_root)
35 fprintf(stderr, "Usage is : %s [-D DEBUGLEVEL] [-a] [-d] [-m] [-n] [username] [password]\n\
36 %s: [-R <name resolve order>] [-D DEBUGLEVEL] [-j DOMAINNAME] [-r machine] [username] [password]\n%s: [-h]\n", name, name, name);
37 else
38 fprintf(stderr, "Usage is : %s [-h] [-D DEBUGLEVEL] [-r machine] [password]\n", name);
39 exit(1);
40 }
41
42 /*********************************************************
43 Join a domain.
44 **********************************************************/
45
46 static int join_domain( char *domain, char *remote)
47 {
48 pstring remote_machine;
49 fstring trust_passwd;
50 unsigned char orig_trust_passwd_hash[16];
51 BOOL ret;
52
53 pstrcpy(remote_machine, remote ? remote : "");
54 fstrcpy(trust_passwd, global_myname);
55 strlower(trust_passwd);
56 E_md4hash( (uchar *)trust_passwd, orig_trust_passwd_hash);
57
58 /* Ensure that we are not trying to join a
59 domain if we are locally set up as a domain
60 controller. */
61
62 if(lp_domain_controller() && strequal(lp_workgroup(), domain)) {
63 fprintf(stderr, "%s: Cannot join domain %s as we already configured as \
64 domain controller for that domain.\n", prog_name, domain);
65 return 1;
66 }
67
68 /*
69 * Create the machine account password file.
70 */
71 if(!trust_password_lock( domain, global_myname, True)) {
72 fprintf(stderr, "%s: unable to open the machine account password file for \
73 machine %s in domain %s.\n", prog_name, global_myname, domain);
74 return 1;
75 }
76
77 /*
78 * Write the old machine account password.
79 */
80
81 if(!set_trust_account_password( orig_trust_passwd_hash)) {
82 fprintf(stderr, "%s: unable to write the machine account password for \
83 machine %s in domain %s.\n", prog_name, global_myname, domain);
84 trust_password_unlock();
85 return 1;
86 }
87
88 /*
89 * If we are given a remote machine assume this is the PDC.
90 */
91
92 if(remote == NULL)
93 pstrcpy(remote_machine, lp_passwordserver());
94
95 if(!*remote_machine) {
96 fprintf(stderr, "%s: No password server list given in smb.conf - \
97 unable to join domain.\n", prog_name);
98 trust_password_unlock();
99 return 1;
100 }
101
102 ret = change_trust_account_password( domain, remote_machine);
103 trust_password_unlock();
104
105 if(!ret) {
106 trust_password_delete( domain, global_myname);
107 fprintf(stderr,"%s: Unable to join domain %s.\n", prog_name, domain);
108 } else {
109 printf("%s: Joined domain %s.\n", prog_name, domain);
110 }
111
112 return (int)ret;
113 }
114
115 /*********************************************************
116 Start here.
117 **********************************************************/
118
119 int main(int argc, char **argv)
120 {
121 extern char *optarg;
122 extern int optind;
123 extern int DEBUGLEVEL;
124 int real_uid;
125 struct passwd *pwd;
126 fstring old_passwd;
127 fstring new_passwd;
128 uchar new_p16[16];
129 uchar new_nt_p16[16];
130 char *p;
131 struct smb_passwd *smb_pwent;
132 FILE *fp;
133 int ch;
134 int err;
135 BOOL is_root = False;
136 pstring user_name;
137 char *remote_machine = NULL;
138 BOOL add_user = False;
139 BOOL got_new_pass = False;
140 BOOL trust_account = False;
141 BOOL disable_user = False;
142 BOOL set_no_password = False;
143 BOOL joining_domain = False;
144 char *new_domain = NULL;
145 pstring servicesf = CONFIGFILE;
146 void *vp;
147
148 new_passwd[0] = '\0';
149 user_name[0] = '\0';
150
151 memset(old_passwd, '\0', sizeof(old_passwd));
152 memset(new_passwd, '\0', sizeof(new_passwd));
153
154 prog_name = argv[0];
155
156 TimeInit();
157
158 setup_logging(prog_name,True);
159
160 charset_initialise();
161
162 if(!initialize_password_db()) {
163 fprintf(stderr, "%s: Can't setup password database vectors.\n", prog_name);
164 exit(1);
165 }
166
167 if (!lp_load(servicesf,True,False,False)) {
168 fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n", prog_name, servicesf);
169 exit(1);
170 }
171
172 if(!get_myname(myhostname,NULL)) {
173 fprintf(stderr, "%s: unable to get my hostname.\n", prog_name );
174 exit(1);
175 }
176
177 /*
178 * Set the machine NETBIOS name if not already
179 * set from the config file.
180 */
181
182 if (!*global_myname)
183 {
184 fstrcpy( global_myname, myhostname );
185 p = strchr( global_myname, '.' );
186 if (p)
187 *p = 0;
188 }
189 strupper( global_myname );
190
191 codepage_initialise(lp_client_code_page());
192
193 /* Get the real uid */
194 real_uid = getuid();
195
196 /* Check the effective uid */
197 if ((geteuid() == 0) && (real_uid != 0)) {
198 fprintf(stderr, "%s: Must *NOT* be setuid root.\n", prog_name);
199 exit(1);
200 }
201
202 is_root = (real_uid == 0);
203
204 while ((ch = getopt(argc, argv, "adhmnj:r:R:D:")) != EOF) {
205 switch(ch) {
206 case 'a':
207 if(is_root)
208 add_user = True;
209 else
210 usage(prog_name, is_root);
211 break;
212 case 'd':
213 if(is_root) {
214 disable_user = True;
215 got_new_pass = True;
216 fstrcpy(new_passwd, "XXXXXX");
217 } else
218 usage(prog_name, is_root);
219 break;
220 case 'D':
221 DEBUGLEVEL = atoi(optarg);
222 break;
223 case 'n':
224 if(is_root) {
225 set_no_password = True;
226 got_new_pass = True;
227 fstrcpy(new_passwd, "NO PASSWORD");
228 } else
229 usage(prog_name, is_root);
230 case 'r':
231 remote_machine = optarg;
232 break;
233 case 'R':
234 if(is_root) {
235 lp_set_name_resolve_order(optarg);
236 break;
237 } else
238 usage(prog_name, is_root);
239 case 'm':
240 if(is_root) {
241 trust_account = True;
242 } else
243 usage(prog_name, is_root);
244 break;
245 case 'j':
246 if(is_root) {
247 new_domain = optarg;
248 strupper(new_domain);
249 joining_domain = True;
250 } else
251 usage(prog_name, is_root);
252 break;
253 case 'h':
254 default:
255 usage(prog_name, is_root);
256 }
257 }
258
259 argc -= optind;
260 argv += optind;
261
262 /*
263 * Ensure add_user and either remote machine or join domain are
264 * not both set.
265 */
266
267 if(add_user && ((remote_machine != NULL) || joining_domain))
268 usage(prog_name, True);
269
270 /*
271 * Deal with joining a domain.
272 */
273 if(joining_domain && argc != 0)
274 usage(prog_name, True);
275
276 if(joining_domain) {
277 return join_domain( new_domain, remote_machine);
278 }
279
280 if(is_root) {
281
282 /*
283 * Deal with root - can add a user, but only locally.
284 */
285
286 switch(argc) {
287 case 0:
288 break;
289 case 1:
290 /* If we are root we can change another's password. */
291 pstrcpy(user_name, argv[0]);
292 break;
293 case 2:
294 pstrcpy(user_name, argv[0]);
295 fstrcpy(new_passwd, argv[1]);
296 got_new_pass = True;
297 break;
298 default:
299 usage(prog_name, True);
300 }
301
302 if(*user_name) {
303
304 if(trust_account) {
305 int username_len = strlen(user_name);
306 if(username_len >= sizeof(pstring) - 1) {
307 fprintf(stderr, "%s: machine account name too long.\n", user_name);
308 exit(1);
309 }
310
311 if(user_name[username_len-1] != '$') {
312 user_name[username_len] = '$';
313 user_name[username_len+1] = '\0';
314 }
315 }
316
317 /*
318 * Setup the pwd struct to point to known
319 * values for a machine account (it doesn't
320 * exist in /etc/passwd).
321 */
322 if((pwd = Get_Pwnam(user_name, True)) == NULL) {
323 fprintf(stderr, "%s: User \"%s\" was not found in system password file.\n",
324 prog_name, user_name);
325 exit(1);
326 }
327 } else {
328 if((pwd = getpwuid(real_uid)) != NULL)
329 pstrcpy( user_name, pwd->pw_name);
330 }
331
332 } else {
333
334 if(add_user) {
335 fprintf(stderr, "%s: Only root can set anothers password.\n", prog_name);
336 usage(prog_name, False);
337 }
338
339 if(argc > 1)
340 usage(prog_name, False);
341
342 if(argc == 1) {
343 fstrcpy(new_passwd, argv[0]);
344 got_new_pass = True;
345 }
346
347 if((pwd = getpwuid(real_uid)) != NULL)
348 pstrcpy( user_name, pwd->pw_name);
349
350 /*
351 * A non-root user is always setting a password
352 * via a remote machine (even if that machine is
353 * localhost).
354 */
355
356 if(remote_machine == NULL)
357 remote_machine = "127.0.0.1";
358 }
359
360 if (*user_name == '\0') {
361 fprintf(stderr, "%s: Unable to get a user name for password change.\n", prog_name);
362 exit(1);
363 }
364
365 /*
366 * If we are adding a machine account then pretend
367 * we already have the new password, we will be using
368 * the machinename as the password.
369 */
370
371 if(add_user && trust_account) {
372 got_new_pass = True;
373 strncpy(new_passwd, user_name, sizeof(fstring));
374 new_passwd[sizeof(fstring)-1] = '\0';
375 strlower(new_passwd);
376 if(new_passwd[strlen(new_passwd)-1] == '$')
377 new_passwd[strlen(new_passwd)-1] = '\0';
378 }
379
380 /*
381 * If we are root we don't ask for the old password (unless it's on a
382 * remote machine.
383 */
384
385 if (remote_machine != NULL) {
386 p = getpass("Old SMB password:");
387 fstrcpy(old_passwd, p);
388 }
389
390 if (!got_new_pass) {
391 new_passwd[0] = '\0';
392
393 p = getpass("New SMB password:");
394
395 strncpy(new_passwd, p, sizeof(fstring));
396 new_passwd[sizeof(fstring)-1] = '\0';
397
398 p = getpass("Retype new SMB password:");
399
400 if (strncmp(p, new_passwd, sizeof(fstring)-1))
401 {
402 fprintf(stderr, "%s: Mismatch - password unchanged.\n", prog_name);
403 exit(1);
404 }
405 }
406
407 if (new_passwd[0] == '\0') {
408 printf("Password not set\n");
409 exit(0);
410 }
411
412 /*
413 * Now do things differently depending on if we're changing the
414 * password on a remote machine. Remember - a normal user is
415 * always using this code, looping back to the local smbd.
416 */
417
418 if(remote_machine != NULL) {
419 struct cli_state cli;
420 struct in_addr ip;
421
422 if(!resolve_name( remote_machine, &ip)) {
423 fprintf(stderr, "%s: unable to find an IP address for machine %s.\n",
424 prog_name, remote_machine );
425 exit(1);
426 }
427
428 memset(&cli, '\0', sizeof(struct cli_state));
429
430 if (!cli_initialise(&cli) || !cli_connect(&cli, remote_machine, &ip)) {
431 fprintf(stderr, "%s: unable to connect to SMB server on machine %s. Error was : %s.\n",
432 prog_name, remote_machine, cli_errstr(&cli) );
433 exit(1);
434 }
435
436 if (!cli_session_request(&cli, remote_machine, 0x20, global_myname)) {
437 fprintf(stderr, "%s: machine %s rejected the session setup. Error was : %s.\n",
438 prog_name, remote_machine, cli_errstr(&cli) );
439 cli_shutdown(&cli);
440 exit(1);
441 }
442
443 cli.protocol = PROTOCOL_NT1;
444
445 if (!cli_negprot(&cli)) {
446 fprintf(stderr, "%s: machine %s rejected the negotiate protocol. Error was : %s.\n",
447 prog_name, remote_machine, cli_errstr(&cli) );
448 cli_shutdown(&cli);
449 exit(1);
450 }
451
452 if (!cli_session_setup(&cli, user_name, old_passwd, strlen(old_passwd),
453 "", 0, "")) {
454 fprintf(stderr, "%s: machine %s rejected the session setup. Error was : %s.\n",
455 prog_name, remote_machine, cli_errstr(&cli) );
456 cli_shutdown(&cli);
457 exit(1);
458 }
459
460 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
461 fprintf(stderr, "%s: machine %s rejected the tconX on the IPC$ share. Error was : %s.\n",
462 prog_name, remote_machine, cli_errstr(&cli) );
463 cli_shutdown(&cli);
464 exit(1);
465 }
466
467 if(!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
468 fprintf(stderr, "%s: machine %s rejected the password change: Error was : %s.\n",
469 prog_name, remote_machine, cli_errstr(&cli) );
470 cli_shutdown(&cli);
471 exit(1);
472 }
473
474 cli_shutdown(&cli);
475 exit(0);
476 }
477
478 /*
479 * Check for a machine account.
480 */
481
482 if(trust_account && !pwd) {
483 fprintf(stderr, "%s: User %s does not exist in system password file \
484 (usually /etc/passwd). Cannot add machine account without a valid system user.\n",
485 prog_name, user_name);
486 exit(1);
487 }
488
489 /* Calculate the MD4 hash (NT compatible) of the new password. */
490
491 memset(new_nt_p16, '\0', 16);
492 E_md4hash((uchar *) new_passwd, new_nt_p16);
493
494 /* Mangle the password into Lanman format */
495 new_passwd[14] = '\0';
496 strupper(new_passwd);
497
498 /*
499 * Calculate the SMB (lanman) hash functions of the new password.
500 */
501
502 memset(new_p16, '\0', 16);
503 E_P16((uchar *) new_passwd, new_p16);
504
505 /*
506 * Open the smbpaswd file.
507 */
508 vp = startsmbpwent(True);
509 if (!vp && errno == ENOENT) {
510 fp = fopen(lp_smb_passwd_file(), "w");
511 if (fp) {
512 fprintf(fp, "# Samba SMB password file\n");
513 fclose(fp);
514 vp = startsmbpwent(True);
515 }
516 }
517 if (!vp) {
518 err = errno;
519 fprintf(stderr, "%s: Failed to open password file %s.\n",
520 prog_name, lp_smb_passwd_file());
521 errno = err;
522 perror(prog_name);
523 exit(err);
524 }
525
526 /* Get the smb passwd entry for this user */
527 smb_pwent = getsmbpwnam(user_name);
528 if (smb_pwent == NULL) {
529 if(add_user == False) {
530 fprintf(stderr, "%s: Failed to find entry for user %s.\n",
531 prog_name, pwd->pw_name);
532 endsmbpwent(vp);
533 exit(1);
534 }
535
536 /* Create a new smb passwd entry and set it to the given password. */
537 {
538 struct smb_passwd new_smb_pwent;
539
540 new_smb_pwent.smb_userid = pwd->pw_uid;
541 new_smb_pwent.smb_name = pwd->pw_name;
542 new_smb_pwent.smb_passwd = NULL;
543 new_smb_pwent.smb_nt_passwd = NULL;
544 new_smb_pwent.acct_ctrl = (trust_account ? ACB_WSTRUST : ACB_NORMAL);
545
546 if(disable_user) {
547 new_smb_pwent.acct_ctrl |= ACB_DISABLED;
548 } else if (set_no_password) {
549 new_smb_pwent.acct_ctrl |= ACB_PWNOTREQ;
550 } else {
551 new_smb_pwent.smb_passwd = new_p16;
552 new_smb_pwent.smb_nt_passwd = new_nt_p16;
553 }
554
555 if(add_smbpwd_entry(&new_smb_pwent) == False) {
556 fprintf(stderr, "%s: Failed to add entry for user %s.\n",
557 prog_name, pwd->pw_name);
558 endsmbpwent(vp);
559 exit(1);
560 }
561
562 endsmbpwent(vp);
563 printf("%s: Added user %s.\n", prog_name, user_name);
564 exit(0);
565 }
566 } else {
567 /* the entry already existed */
568 add_user = False;
569 }
570
571 /*
572 * We are root - just write the new password
573 * and the valid last change time.
574 */
575
576 if(disable_user) {
577 /*
578 * This currently won't work as it means changing
579 * the length of the record. JRA.
580 */
581 smb_pwent->acct_ctrl |= ACB_DISABLED;
582 smb_pwent->smb_passwd = NULL;
583 smb_pwent->smb_nt_passwd = NULL;
584 } else if (set_no_password) {
585 /*
586 * This currently won't work as it means changing
587 * the length of the record. JRA.
588 */
589 smb_pwent->acct_ctrl |= ACB_PWNOTREQ;
590 smb_pwent->smb_passwd = NULL;
591 smb_pwent->smb_nt_passwd = NULL;
592 } else {
593 smb_pwent->smb_passwd = new_p16;
594 smb_pwent->smb_nt_passwd = new_nt_p16;
595 }
596
597 if(mod_smbpwd_entry(smb_pwent,True) == False) {
598 fprintf(stderr, "%s: Failed to modify entry for user %s.\n",
599 prog_name, pwd->pw_name);
600 endsmbpwent(vp);
601 exit(1);
602 }
603
604 endsmbpwent(vp);
605 if(disable_user)
606 printf("User %s disabled.\n", user_name);
607 else if (set_no_password)
608 printf("User %s - set to no password.\n", user_name);
609 else
610 printf("Password changed for user %s.\n", user_name);
611 return 0;
612 }
reg import