Added load_interfaces in smbpasswd to allow name resolution by broadcast and
[samba.git] / source3 / utils / smbpasswd.c
1 /*
2  * Unix SMB/Netbios implementation. Version 1.9. smbpasswd module. Copyright
3  * (C) Jeremy Allison 1995-1998
4  * 
5  * This program is free software; you can redistribute it and/or modify it under
6  * the terms of the GNU General Public License as published by the Free
7  * Software Foundation; either version 2 of the License, or (at your option)
8  * any later version.
9  * 
10  * This program is distributed in the hope that it will be useful, but WITHOUT
11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
13  * more details.
14  * 
15  * You should have received a copy of the GNU General Public License along with
16  * this program; if not, write to the Free Software Foundation, Inc., 675
17  * Mass Ave, Cambridge, MA 02139, USA.
18  */
19
20 #include "includes.h"
21
22 extern pstring myhostname;
23 extern pstring global_myname;
24 extern int DEBUGLEVEL;
25
26 /*
27  * Next two lines needed for SunOS and don't
28  * hurt anything else...
29  */
30 extern char *optarg;
31 extern int optind;
32
33 /*********************************************************
34 a strdup with exit
35 **********************************************************/
36 static char *xstrdup(char *s)
37 {
38         s = strdup(s);
39         if (!s) {
40                 fprintf(stderr,"out of memory\n");
41                 exit(1);
42         }
43         return s;
44 }
45
46
47 /*********************************************************
48  Print command usage on stderr and die.
49 **********************************************************/
50 static void usage(void)
51 {
52         if (getuid() == 0) {
53                 printf("smbpasswd [options] [username] [password]\n");
54         } else {
55                 printf("smbpasswd [options] [password]\n");
56         }
57         printf("options:\n");
58         printf("  -s                   use stdin for password prompt\n");
59         printf("  -D LEVEL             debug level\n");
60         printf("  -U USER              remote username\n");
61         printf("  -r MACHINE           remote machine\n");
62
63         if (getuid() == 0) {
64                 printf("  -R ORDER             name resolve order\n");
65                 printf("  -j DOMAIN            join domain name\n");
66                 printf("  -a                   add user\n");
67                 printf("  -d                   disable user\n");
68                 printf("  -e                   enable user\n");
69                 printf("  -n                   set no password\n");
70                 printf("  -m                   machine trust account\n");
71         }
72         exit(1);
73 }
74
75 /*********************************************************
76 Join a domain.
77 **********************************************************/
78 static int join_domain(char *domain, char *remote)
79 {
80         pstring remote_machine;
81         fstring trust_passwd;
82         unsigned char orig_trust_passwd_hash[16];
83         BOOL ret;
84
85         pstrcpy(remote_machine, remote ? remote : "");
86         fstrcpy(trust_passwd, global_myname);
87         strlower(trust_passwd);
88         E_md4hash( (uchar *)trust_passwd, orig_trust_passwd_hash);
89
90         /* Ensure that we are not trying to join a
91            domain if we are locally set up as a domain
92            controller. */
93
94         if(strequal(remote, global_myname)) {
95                 fprintf(stderr, "Cannot join domain %s as the domain controller name is our own. We cannot be a domain controller for a domain and also be a domain member.\n", domain);
96                 return 1;
97         }
98
99         /*
100          * Create the machine account password file.
101          */
102         if(!trust_password_lock( domain, global_myname, True)) {
103                 fprintf(stderr, "unable to open the machine account password file for \
104 machine %s in domain %s.\n", global_myname, domain); 
105                 return 1;
106         }
107
108         /*
109          * Write the old machine account password.
110          */
111         
112         if(!set_trust_account_password( orig_trust_passwd_hash)) {              
113                 fprintf(stderr, "unable to write the machine account password for \
114 machine %s in domain %s.\n", global_myname, domain);
115                 trust_password_unlock();
116                 return 1;
117         }
118         
119         /*
120          * If we are given a remote machine assume this is the PDC.
121          */
122         
123         if(remote == NULL) {
124                 pstrcpy(remote_machine, lp_passwordserver());
125         }
126
127         if(!*remote_machine) {
128                 fprintf(stderr, "No password server list given in smb.conf - \
129 unable to join domain.\n");
130                 trust_password_unlock();
131                 return 1;
132         }
133
134         ret = change_trust_account_password( domain, remote_machine);
135         trust_password_unlock();
136         
137         if(!ret) {
138                 trust_password_delete( domain, global_myname);
139                 fprintf(stderr,"Unable to join domain %s.\n",domain);
140         } else {
141                 printf("Joined domain %s.\n",domain);
142         }
143         
144         return (int)ret;
145 }
146
147
148 static void set_line_buffering(FILE *f)
149 {
150         setvbuf(f, NULL, _IOLBF, 0);
151 }
152
153 /*************************************************************
154  Utility function to prompt for passwords from stdin. Each
155  password entered must end with a newline.
156 *************************************************************/
157 static char *stdin_new_passwd(void)
158 {
159         static fstring new_passwd;
160         size_t len;
161
162         ZERO_ARRAY(new_passwd);
163
164         /*
165          * if no error is reported from fgets() and string at least contains
166          * the newline that ends the password, then replace the newline with
167          * a null terminator.
168          */
169         if ( fgets(new_passwd, sizeof(new_passwd), stdin) != NULL) {
170                 if ((len = strlen(new_passwd)) > 0) {
171                         if(new_passwd[len-1] == '\n')
172                                 new_passwd[len - 1] = 0; 
173                 }
174         }
175         return(new_passwd);
176 }
177
178
179 /*************************************************************
180  Utility function to get passwords via tty or stdin
181  Used if the '-s' option is set to silently get passwords
182  to enable scripting.
183 *************************************************************/
184 static char *get_pass( char *prompt, BOOL stdin_get)
185 {
186         char *p;
187         if (stdin_get) {
188                 p = stdin_new_passwd();
189         } else {
190                 p = getpass(prompt);
191         }
192         return xstrdup(p);
193 }
194
195 /*************************************************************
196  Utility function to prompt for new password.
197 *************************************************************/
198 static char *prompt_for_new_password(BOOL stdin_get)
199 {
200         char *p;
201         fstring new_passwd;
202
203         ZERO_ARRAY(new_passwd);
204  
205         p = get_pass("New SMB password:", stdin_get);
206
207         fstrcpy(new_passwd, p);
208
209         p = get_pass("Retype new SMB password:", stdin_get);
210
211         if (strcmp(p, new_passwd)) {
212                 fprintf(stderr, "Mismatch - password unchanged.\n");
213                 return NULL;
214         }
215
216         return xstrdup(p);
217 }
218
219
220 /*************************************************************
221 change a password either locally or remotely
222 *************************************************************/
223 static BOOL password_change(const char *remote_machine, char *user_name, 
224                             char *old_passwd, char *new_passwd, 
225                             BOOL add_user, BOOL enable_user, 
226                             BOOL disable_user, BOOL set_no_password,
227                             BOOL trust_account)
228 {
229         BOOL ret;
230         pstring err_str;
231         pstring msg_str;
232
233         if (remote_machine != NULL) {
234                 if (add_user || enable_user || disable_user || set_no_password || trust_account) {
235                         /* these things can't be done remotely yet */
236                         return False;
237                 }
238                 ret = remote_password_change(remote_machine, user_name, 
239                                                                          old_passwd, new_passwd, err_str, sizeof(err_str));
240                 if(*err_str)
241                         fprintf(stderr, err_str);
242                 return ret;
243         }
244         
245         ret = local_password_change(user_name, trust_account, add_user, enable_user, 
246                                      disable_user, set_no_password, new_passwd, 
247                                      err_str, sizeof(err_str), msg_str, sizeof(msg_str));
248
249         if(*msg_str)
250                 printf(msg_str);
251         if(*err_str)
252                 fprintf(stderr, err_str);
253
254         return ret;
255 }
256
257
258 /*************************************************************
259 handle password changing for root
260 *************************************************************/
261 static int process_root(int argc, char *argv[])
262 {
263         struct passwd  *pwd;
264         int ch;
265         BOOL joining_domain = False;
266         BOOL trust_account = False;
267         BOOL add_user = False;
268         BOOL disable_user = False;
269         BOOL enable_user = False;
270         BOOL set_no_password = False;
271         BOOL stdin_passwd_get = False;
272         char *user_name = NULL;
273         char *new_domain = NULL;
274         char *new_passwd = NULL;
275         char *old_passwd = NULL;
276         char *remote_machine = NULL;
277
278         while ((ch = getopt(argc, argv, "adehmnj:r:sR:D:U:")) != EOF) {
279                 switch(ch) {
280                 case 'a':
281                         add_user = True;
282                         break;
283                 case 'd':
284                         disable_user = True;
285                         new_passwd = "XXXXXX";
286                         break;
287                 case 'e':
288                         enable_user = True;
289                         break;
290                 case 'D':
291                         DEBUGLEVEL = atoi(optarg);
292                         break;
293                 case 'n':
294                         set_no_password = True;
295                         new_passwd = "NO PASSWORD";
296                 case 'r':
297                         remote_machine = optarg;
298                         break;
299                 case 's':
300                         set_line_buffering(stdin);
301                         set_line_buffering(stdout);
302                         set_line_buffering(stderr);
303                         stdin_passwd_get = True;
304                         break;
305                 case 'R':
306                         lp_set_name_resolve_order(optarg);
307                         break;
308                 case 'm':
309                         trust_account = True;
310                         break;
311                 case 'j':
312                         new_domain = optarg;
313                         strupper(new_domain);
314                         joining_domain = True;
315                         break;
316                 case 'U':
317                         user_name = optarg;
318                         break;
319                 default:
320                         usage();
321                 }
322         }
323         
324         argc -= optind;
325         argv += optind;
326
327
328         /*
329          * Ensure add_user and either remote machine or join domain are
330          * not both set.
331          */     
332         if(add_user && ((remote_machine != NULL) || joining_domain)) {
333                 usage();
334         }
335         
336         if(joining_domain) {
337                 if (argc != 0) usage();
338                 return join_domain(new_domain, remote_machine);
339         }
340
341         /*
342          * Deal with root - can add a user, but only locally.
343          */
344
345         switch(argc) {
346         case 0:
347                 break;
348         case 1:
349                 user_name = argv[0];
350                 break;
351         case 2:
352                 user_name = argv[0];
353                 new_passwd = argv[1];
354                 break;
355         default:
356                 usage();
357         }
358
359         if (!user_name && (pwd = getpwuid(0))) {
360                 user_name = xstrdup(pwd->pw_name);
361         } 
362
363         if (!user_name) {
364                 fprintf(stderr,"You must specify a username\n");
365                 exit(1);
366         }
367
368         if (trust_account) {
369                 /* add the $ automatically */
370                 static fstring buf;
371
372                 /*
373                  * Remove any trailing '$' before we
374                  * generate the initial machine password.
375                  */
376
377                 if (user_name[strlen(user_name)-1] == '$') {
378                         user_name[strlen(user_name)-1] = 0;
379                 }
380
381                 if (add_user) {
382                         new_passwd = xstrdup(user_name);
383                         strlower(new_passwd);
384                 }
385
386                 /*
387                  * Now ensure the username ends in '$' for
388                  * the machine add.
389                  */
390
391                 slprintf(buf, sizeof(buf)-1, "%s$", user_name);
392                 user_name = buf;
393         }
394
395         if (!remote_machine && !Get_Pwnam(user_name, True)) {
396                 fprintf(stderr, "User \"%s\" was not found in system password file.\n", 
397                         user_name);
398                 exit(1);
399         }
400
401         if (remote_machine != NULL) {
402                 old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
403         }
404         
405         if (!new_passwd) {
406
407                 /*
408                  * If we are trying to enable a user, first we need to find out
409                  * if they are using a modern version of the smbpasswd file that
410                  * disables a user by just writing a flag into the file. If so
411                  * then we can re-enable a user without prompting for a new
412                  * password. If not (ie. they have a no stored password in the
413                  * smbpasswd file) then we need to prompt for a new password.
414                  */
415
416                 if(enable_user) {
417                         struct smb_passwd *smb_pass = getsmbpwnam(user_name);
418                         if((smb_pass != NULL) && (smb_pass->smb_passwd != NULL)) {
419                                 new_passwd = "XXXX"; /* Don't care. */
420                         }
421                 }
422
423                 if(!new_passwd)
424                         new_passwd = prompt_for_new_password(stdin_passwd_get);
425         }
426         
427         if (!password_change(remote_machine, user_name, old_passwd, new_passwd,
428                              add_user, enable_user, disable_user, set_no_password,
429                              trust_account)) {
430                 fprintf(stderr,"Failed to change password entry for %s\n", user_name);
431                 return 1;
432         } 
433
434         if(disable_user) {
435                 printf("User %s disabled.\n", user_name);
436         } else if(enable_user) {
437                 printf("User %s enabled.\n", user_name);
438         } else if (set_no_password) {
439                 printf("User %s - set to no password.\n", user_name);
440         } else {
441                 printf("Password changed for user %s\n", user_name);
442         }
443         return 0;
444 }
445
446
447 /*************************************************************
448 handle password changing for non-root
449 *************************************************************/
450 static int process_nonroot(int argc, char *argv[])
451 {
452         struct passwd  *pwd = NULL;
453         int ch;
454         BOOL stdin_passwd_get = False;
455         char *old_passwd = NULL;
456         char *remote_machine = NULL;
457         char *user_name = NULL;
458         char *new_passwd = NULL;
459
460         while ((ch = getopt(argc, argv, "hD:r:sU:")) != EOF) {
461                 switch(ch) {
462                 case 'D':
463                         DEBUGLEVEL = atoi(optarg);
464                         break;
465                 case 'r':
466                         remote_machine = optarg;
467                         break;
468                 case 's':
469                         set_line_buffering(stdin);
470                         set_line_buffering(stdout);
471                         set_line_buffering(stderr);
472                         stdin_passwd_get = True;
473                         break;
474                 case 'U':
475                         user_name = optarg;
476                         break;
477                 default:
478                         usage();
479                 }
480         }
481         
482         argc -= optind;
483         argv += optind;
484
485         if(argc > 1) {
486                 usage();
487         }
488         
489         if (argc == 1) {
490                 new_passwd = argv[0];
491         }
492         
493         if (!user_name) {
494                 pwd = getpwuid(getuid());
495                 if (pwd) {
496                         user_name = xstrdup(pwd->pw_name);
497                 } else {
498                         fprintf(stderr,"you don't exist - go away\n");
499                         exit(1);
500                 }
501         }
502         
503         /*
504          * A non-root user is always setting a password
505          * via a remote machine (even if that machine is
506          * localhost).
507          */     
508         if (remote_machine == NULL) {
509                 remote_machine = "127.0.0.1";
510         }
511
512
513         if (remote_machine != NULL) {
514                 old_passwd = get_pass("Old SMB password:",stdin_passwd_get);
515         }
516         
517         if (!new_passwd) {
518                 new_passwd = prompt_for_new_password(stdin_passwd_get);
519         }
520         
521         if (!new_passwd) {
522                 printf("unable to get new password\n");
523                 exit(0);
524         }
525
526         if (!password_change(remote_machine, user_name, old_passwd, new_passwd,
527                              False, False, False, False, False)) {
528                 fprintf(stderr,"Failed to change password for %s\n", user_name);
529                 return 1;
530         }
531
532         printf("Password changed for user %s\n", user_name);
533         return 0;
534 }
535
536
537
538 /*********************************************************
539  Start here.
540 **********************************************************/
541 int main(int argc, char **argv)
542 {       
543         static pstring servicesf = CONFIGFILE;
544
545         TimeInit();
546         
547         setup_logging("smbpasswd", True);
548         
549         charset_initialise();
550         
551         if (!lp_load(servicesf,True,False,False)) {
552                 fprintf(stderr, "Can't load %s - run testparm to debug it\n", 
553                         servicesf);
554                 exit(1);
555         }
556
557         if(!get_myname(myhostname,NULL)) {
558                 fprintf(stderr, "unable to get my hostname.\n");
559                 exit(1);
560         }
561
562         /*
563          * Set the machine NETBIOS name if not already
564          * set from the config file. 
565          */ 
566     
567         if (!*global_myname) {   
568                 char *p;
569                 fstrcpy(global_myname, myhostname);
570                 p = strchr(global_myname, '.' );
571                 if (p) *p = 0;
572         }           
573         strupper(global_myname);
574
575         codepage_initialise(lp_client_code_page());
576
577         load_interfaces();
578
579         if(!pwdb_initialise(False))
580         {
581                 fprintf(stderr, "Can't setup password database vectors.\n");
582                 exit(1);
583         }
584
585         /* Check the effective uid - make sure we are not setuid */
586         if ((geteuid() == (uid_t)0) && (getuid() != (uid_t)0)) {
587                 fprintf(stderr, "smbpasswd must *NOT* be setuid root.\n");
588                 exit(1);
589         }
590
591         if (getuid() == 0) {
592                 return process_root(argc, argv);
593         } 
594
595         return process_nonroot(argc, argv);
596 }