/* Helper function for adding a user to the db. */
static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
const char *name, struct samu *sampass, bool exist)
{
char *err_str = NULL;
char *msg_str = NULL;
const char *pass = NULL;
int retval;
TALLOC_CTX *frame = talloc_stackframe();
/* Get the authtok; if we don't have one, silently fail. */
retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass );
if (retval != PAM_SUCCESS) {
_log_err(pamh, LOG_ALERT
, "pam_get_item returned error to pam_sm_authenticate" );
TALLOC_FREE(frame);
return PAM_AUTHTOK_RECOVER_ERR;
}
/* Add the user to the db if they aren't already there. */
if (!exist) {
retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD,
pass, &err_str, &msg_str));
if (!retval && err_str) {
make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
} else if (msg_str) {
make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
pass = NULL;
SAFE_FREE(err_str);
SAFE_FREE(msg_str);
TALLOC_FREE(frame);
return PAM_IGNORE;
} else {
/* mimick 'update encrypted' as long as the 'no pw req' flag is not set */
if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) {
retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_SET_PASSWORD,
pass, &err_str, &msg_str));
if (!retval && err_str) {
make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
} else if (msg_str) {
make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
}
}
SAFE_FREE(err_str);
SAFE_FREE(msg_str);
pass = NULL;
TALLOC_FREE(frame);
return PAM_IGNORE;
}
int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new )
{
int retval;
pstring err_str;
pstring msg_str;
err_str[0] = '\0';
msg_str[0] = '\0';
retval = local_password_change( user, LOCAL_SET_PASSWORD, pass_new,
err_str, sizeof(err_str),
msg_str, sizeof(msg_str) );
if (!retval) {
if (*err_str) {
err_str[PSTRING_LEN-1] = '\0';
make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
}
/* FIXME: what value is appropriate here? */
retval = PAM_AUTHTOK_ERR;
} else {
if (*msg_str) {
msg_str[PSTRING_LEN-1] = '\0';
make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
retval = PAM_SUCCESS;
}
return retval;
}
static NTSTATUS password_change(const char *remote_mach, char *username,
char *old_passwd, char *new_pw,
int local_flags)
{
NTSTATUS ret;
pstring err_str;
pstring msg_str;
if (remote_mach != NULL) {
if (local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER|LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|
LOCAL_TRUST_ACCOUNT|LOCAL_SET_NO_PASSWORD)) {
/* these things can't be done remotely yet */
return NT_STATUS_UNSUCCESSFUL;
}
ret = remote_password_change(remote_mach, username,
old_passwd, new_pw, err_str, sizeof(err_str));
if(*err_str)
fprintf(stderr, "%s", err_str);
return ret;
}
ret = local_password_change(username, local_flags, new_pw,
err_str, sizeof(err_str), msg_str, sizeof(msg_str));
if(*msg_str)
printf("%s", msg_str);
if(*err_str)
fprintf(stderr, "%s", err_str);
return ret;
}
static NTSTATUS password_change(const char *remote_mach, char *username,
char *old_passwd, char *new_pw,
int local_flags)
{
NTSTATUS ret;
char *err_str = NULL;
char *msg_str = NULL;
if (remote_mach != NULL) {
if (local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER|
LOCAL_DISABLE_USER|LOCAL_ENABLE_USER|
LOCAL_TRUST_ACCOUNT|LOCAL_SET_NO_PASSWORD)) {
/* these things can't be done remotely yet */
fprintf(stderr, "Invalid remote operation!\n");
return NT_STATUS_UNSUCCESSFUL;
}
ret = remote_password_change(remote_mach, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
&err_str, &msg_str);
}
if (msg_str) {
printf("%s", msg_str);
}
if (err_str) {
fprintf(stderr, "%s", err_str);
}
if (!NT_STATUS_IS_OK(ret) && !err_str) {
fprintf(stderr, "Failed to change password!\n");
}
SAFE_FREE(msg_str);
SAFE_FREE(err_str);
return ret;
}
static int new_machine(const char *machinename, char *machine_sid)
{
char *err = NULL, *msg = NULL;
struct samu *sam_pwent = NULL;
TALLOC_CTX *tosctx;
NTSTATUS status;
struct dom_sid m_sid;
char *compatpwd;
char *name;
int flags;
int len;
int ret;
len = strlen(machinename);
if (len == 0) {
fprintf(stderr, "No machine name given\n");
return -1;
}
tosctx = talloc_tos();
if (!tosctx) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (machine_sid) {
if (get_sid_from_cli_string(&m_sid, machine_sid)) {
fprintf(stderr, "Failed to parse SID\n");
return -1;
}
}
compatpwd = talloc_strdup(tosctx, machinename);
if (!compatpwd) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (machinename[len-1] == '$') {
name = talloc_strdup(tosctx, machinename);
compatpwd[len-1] = '\0';
} else {
name = talloc_asprintf(tosctx, "%s$", machinename);
}
if (!name) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (!strlower_m(name)) {
fprintf(stderr, "strlower_m %s failed\n", name);
return -1;
}
flags = LOCAL_ADD_USER | LOCAL_TRUST_ACCOUNT | LOCAL_SET_PASSWORD;
status = local_password_change(name, flags, compatpwd, &err, &msg);
if (!NT_STATUS_IS_OK(status)) {
if (err) fprintf(stderr, "%s", err);
ret = -1;
}
sam_pwent = samu_new(tosctx);
if (!sam_pwent) {
fprintf(stderr, "Out of memory!\n");
ret = -1;
goto done;
}
if (!pdb_getsampwnam(sam_pwent, name)) {
fprintf(stderr, "Machine %s not found!\n", name);
ret = -1;
goto done;
}
if (machine_sid)
pdb_set_user_sid(sam_pwent, &m_sid, PDB_CHANGED);
status = pdb_update_sam_account(sam_pwent);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr,
"Failed to modify entry for %s.!\n", name);
ret = -1;
goto done;
}
print_user_info(name, True, False);
ret = 0;
done:
SAFE_FREE(err);
SAFE_FREE(msg);
TALLOC_FREE(sam_pwent);
return ret;
}
/*********************************************************
Add New User
**********************************************************/
static int new_user(const char *username, const char *fullname,
const char *homedir, const char *drive,
const char *script, const char *profile,
char *user_sid, bool stdin_get)
{
char *pwd1 = NULL, *pwd2 = NULL;
char *err = NULL, *msg = NULL;
struct samu *sam_pwent = NULL;
TALLOC_CTX *tosctx;
NTSTATUS status;
struct dom_sid u_sid;
int flags;
int ret;
tosctx = talloc_tos();
if (!tosctx) {
fprintf(stderr, "Out of memory!\n");
return -1;
}
if (user_sid) {
if (get_sid_from_cli_string(&u_sid, user_sid)) {
fprintf(stderr, "Failed to parse SID\n");
return -1;
}
}
pwd1 = get_pass( "new password:"******"retype new password:"******"Failed to read passwords.\n");
return -1;
}
ret = strcmp(pwd1, pwd2);
if (ret != 0) {
fprintf (stderr, "Passwords do not match!\n");
goto done;
}
flags = LOCAL_ADD_USER | LOCAL_SET_PASSWORD;
status = local_password_change(username, flags, pwd1, &err, &msg);
if (!NT_STATUS_IS_OK(status)) {
if (err) fprintf(stderr, "%s", err);
ret = -1;
goto done;
}
sam_pwent = samu_new(tosctx);
if (!sam_pwent) {
fprintf(stderr, "Out of memory!\n");
ret = -1;
goto done;
}
if (!pdb_getsampwnam(sam_pwent, username)) {
fprintf(stderr, "User %s not found!\n", username);
ret = -1;
goto done;
}
if (fullname)
pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
if (homedir)
pdb_set_homedir(sam_pwent, homedir, PDB_CHANGED);
if (drive)
pdb_set_dir_drive(sam_pwent, drive, PDB_CHANGED);
if (script)
pdb_set_logon_script(sam_pwent, script, PDB_CHANGED);
if (profile)
pdb_set_profile_path(sam_pwent, profile, PDB_CHANGED);
if (user_sid)
pdb_set_user_sid(sam_pwent, &u_sid, PDB_CHANGED);
status = pdb_update_sam_account(sam_pwent);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr,
"Failed to modify entry for user %s.!\n",
username);
ret = -1;
goto done;
}
print_user_info(username, True, False);
ret = 0;
done:
if (pwd1) memset(pwd1, 0, strlen(pwd1));
if (pwd2) memset(pwd2, 0, strlen(pwd2));
SAFE_FREE(pwd1);
SAFE_FREE(pwd2);
SAFE_FREE(err);
SAFE_FREE(msg);
TALLOC_FREE(sam_pwent);
return ret;
}
/* Helper function for adding a user to the db. */
static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
const char *name, SAM_ACCOUNT *sampass, BOOL exist)
{
pstring err_str;
pstring msg_str;
const char *pass = NULL;
int retval;
err_str[0] = '\0';
msg_str[0] = '\0';
/* Get the authtok; if we don't have one, silently fail. */
retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
if (retval != PAM_SUCCESS) {
_log_err( LOG_ALERT
, "pam_get_item returned error to pam_sm_authenticate" );
return PAM_AUTHTOK_RECOVER_ERR;
} else if (pass == NULL) {
return PAM_AUTHTOK_RECOVER_ERR;
}
/* Add the user to the db if they aren't already there. */
if (!exist) {
retval = local_password_change( name, LOCAL_ADD_USER,
pass, err_str,
sizeof(err_str),
msg_str, sizeof(msg_str) );
if (!retval && *err_str)
{
err_str[PSTRING_LEN-1] = '\0';
make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
}
else if (*msg_str)
{
msg_str[PSTRING_LEN-1] = '\0';
make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
pass = NULL;
return PAM_IGNORE;
}
else {
/* Change the user's password IFF it's null. */
if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
{
retval = local_password_change( name, 0, pass, err_str, sizeof(err_str),
msg_str, sizeof(msg_str) );
if (!retval && *err_str)
{
err_str[PSTRING_LEN-1] = '\0';
make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
}
else if (*msg_str)
{
msg_str[PSTRING_LEN-1] = '\0';
make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
}
}
pass = NULL;
return PAM_IGNORE;
}
