From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 18 Aug 2017 16:08:46 +0200 Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet (cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29) --- source3/include/proto.h | 3 ++- source3/libsmb/passchange.c | 5 +++-- source3/utils/smbpasswd.c | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index baa579995a5..9deb27b416b 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -834,7 +834,8 @@ bool get_dc_name(const char *domain, /* The following definitions come from libsmb/passchange.c */ -NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, +NTSTATUS remote_password_change(const char *remote_machine, + const char *domain, const char *user_name, const char *old_passwd, const char *new_passwd, char **err_str); diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index c89b7ca85d1..48ffba8036f 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -30,7 +30,8 @@ Change a password on a remote machine using IPC calls. *************************************************************/ -NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, +NTSTATUS remote_password_change(const char *remote_machine, + const char *domain, const char *user_name, const char *old_passwd, const char *new_passwd, char **err_str) { @@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam creds = cli_session_creds_init(cli, user_name, - NULL, /* domain */ + domain, NULL, /* realm */ old_passwd, false, /* use_kerberos */ diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 437a5e551bb..4d7a3c739bc 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username, fprintf(stderr, "Invalid remote operation!\n"); return NT_STATUS_UNSUCCESSFUL; } - ret = remote_password_change(remote_mach, username, + ret = remote_password_change(remote_mach, + NULL, username, old_passwd, new_pw, &err_str); } else { ret = local_password_change(username, local_flags, new_pw, -- 2.14.1 From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 18 Aug 2017 16:10:06 +0200 Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet (cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950) --- source3/include/proto.h | 7 ------- source3/libsmb/proto.h | 10 ++++++++++ source3/utils/smbpasswd.c | 1 + 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 9deb27b416b..67e1a9d750e 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -832,13 +832,6 @@ bool get_dc_name(const char *domain, fstring srv_name, struct sockaddr_storage *ss_out); -/* The following definitions come from libsmb/passchange.c */ - -NTSTATUS remote_password_change(const char *remote_machine, - const char *domain, const char *user_name, - const char *old_passwd, const char *new_passwd, - char **err_str); - /* The following definitions come from libsmb/smberr.c */ const char *smb_dos_err_name(uint8_t e_class, uint16_t num); diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h index a583a8ee159..44f4d04cff5 100644 --- a/source3/libsmb/proto.h +++ b/source3/libsmb/proto.h @@ -31,6 +31,9 @@ struct smb_trans_enc_state; struct cli_credentials; +struct cli_state; +struct file_info; +struct print_job_info; /* The following definitions come from libsmb/cliconnect.c */ @@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname, TALLOC_CTX *mem_ctx, char **psubstitute_name, char **pprint_name, uint32_t *pflags); +/* The following definitions come from libsmb/passchange.c */ + +NTSTATUS remote_password_change(const char *remote_machine, + const char *domain, const char *user_name, + const char *old_passwd, const char *new_passwd, + char **err_str); + #endif /* _LIBSMB_PROTO_H_ */ diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 4d7a3c739bc..6eb2deb7a3b 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -21,6 +21,7 @@ #include "secrets.h" #include "../librpc/gen_ndr/samr.h" #include "../lib/util/util_pw.h" +#include "libsmb/proto.h" #include "passdb.h" /* -- 2.14.1 From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 18 Aug 2017 16:13:15 +0200 Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change() in smbpasswd BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet (cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373) --- source3/utils/smbpasswd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 6eb2deb7a3b..b0e08cc0e58 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get) Change a password either locally or remotely. *************************************************************/ -static NTSTATUS password_change(const char *remote_mach, char *username, - char *old_passwd, char *new_pw, +static NTSTATUS password_change(const char *remote_mach, + const char *username, + const char *old_passwd, const char *new_pw, int local_flags) { NTSTATUS ret; -- 2.14.1 From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 18 Aug 2017 16:14:57 +0200 Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet (cherry picked from commit b483340639157fe95777672f5723455c48c3c616) --- source3/utils/smbpasswd.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index b0e08cc0e58..92712e38f6b 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get) *************************************************************/ static NTSTATUS password_change(const char *remote_mach, - const char *username, + const char *domain, const char *username, const char *old_passwd, const char *new_pw, int local_flags) { @@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach, return NT_STATUS_UNSUCCESSFUL; } ret = remote_password_change(remote_mach, - NULL, username, + domain, username, old_passwd, new_pw, &err_str); } else { ret = local_password_change(username, local_flags, new_pw, @@ -466,7 +466,8 @@ static int process_root(int local_flags) } } - if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, + if (!NT_STATUS_IS_OK(password_change(remote_machine, + NULL, user_name, old_passwd, new_passwd, local_flags))) { result = 1; @@ -566,8 +567,9 @@ static int process_nonroot(int local_flags) exit(1); } - if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw, - new_pw, 0))) { + if (!NT_STATUS_IS_OK(password_change(remote_machine, + NULL, user_name, + old_pw, new_pw, 0))) { result = 1; goto done; } -- 2.14.1 From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 18 Aug 2017 16:17:08 +0200 Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name in smbpasswd If a local user wants to change his password using smbpasswd and the machine is a domain member, we need to make sure we authenticate against our SAM and not ask winbind. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet (cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02) --- source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 92712e38f6b..556e6869da7 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -58,7 +58,7 @@ static void usage(void) printf(" -c smb.conf file Use the given path to the smb.conf file\n"); printf(" -D LEVEL debug level\n"); printf(" -r MACHINE remote machine\n"); - printf(" -U USER remote username\n"); + printf(" -U USER remote username (e.g. SAM/user)\n"); printf("extra options when run by root or in local mode:\n"); printf(" -a add user\n"); @@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags) user_name[0] = '\0'; - while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) { + while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) { switch(ch) { case 'L': if (getuid() != 0) { @@ -519,6 +519,9 @@ static int process_nonroot(int local_flags) int result = 0; char *old_pw = NULL; char *new_pw = NULL; + const char *username = user_name; + const char *domain = NULL; + char *p = NULL; if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) { /* Extra flags that we can't honor non-root */ @@ -536,6 +539,15 @@ static int process_nonroot(int local_flags) } } + /* Allow domain as part of the username */ + if ((p = strchr_m(user_name, '\\')) || + (p = strchr_m(user_name, '/')) || + (p = strchr_m(user_name, *lp_winbind_separator()))) { + *p = '\0'; + username = p + 1; + domain = user_name; + } + /* * A non-root user is always setting a password * via a remote machine (even if that machine is @@ -544,8 +556,18 @@ static int process_nonroot(int local_flags) load_interfaces(); /* Delayed from main() */ - if (remote_machine == NULL) { + if (remote_machine != NULL) { + if (!is_ipaddress(remote_machine)) { + domain = remote_machine; + } + } else { remote_machine = "127.0.0.1"; + + /* + * If we deal with a local user, change the password for the + * user in our SAM. + */ + domain = get_global_sam_name(); } if (remote_machine != NULL) { @@ -568,13 +590,13 @@ static int process_nonroot(int local_flags) } if (!NT_STATUS_IS_OK(password_change(remote_machine, - NULL, user_name, + domain, username, old_pw, new_pw, 0))) { result = 1; goto done; } - printf("Password changed for user %s\n", user_name); + printf("Password changed for user %s\n", username); done: SAFE_FREE(old_pw); -- 2.14.1 From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 22 Aug 2017 15:46:07 +0200 Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 Review with: git show -U20 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet (cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e) --- source3/utils/smbpasswd.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 556e6869da7..fb7ad283995 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -570,12 +570,10 @@ static int process_nonroot(int local_flags) domain = get_global_sam_name(); } - if (remote_machine != NULL) { - old_pw = get_pass("Old SMB password:",stdin_passwd_get); - if (old_pw == NULL) { - fprintf(stderr, "Unable to get old password.\n"); - exit(1); - } + old_pw = get_pass("Old SMB password:",stdin_passwd_get); + if (old_pw == NULL) { + fprintf(stderr, "Unable to get old password.\n"); + exit(1); } if (!new_passwd) { -- 2.14.1