static int
change_password(krb5_context context,
krb5_principal principal,
krb5_ccache id)
{
krb5_data result_code_string, result_string;
int result_code;
krb5_error_code ret;
char pwbuf[BUFSIZ];
char *msg, *name;
int aret;
krb5_data_zero (&result_code_string);
krb5_data_zero (&result_string);
name = msg = NULL;
if (principal == NULL)
aret = asprintf(&msg, "New password: "******"krb5_unparse_name");
aret = asprintf(&msg, "New password for %s: ", name);
}
if (aret == -1 || msg == NULL)
krb5_errx (context, 1, "out of memory");
ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1);
free(msg);
if (name)
free(name);
if (ret != 0) {
return 1;
}
ret = krb5_set_password_using_ccache (context, id, pwbuf,
principal,
&result_code,
&result_code_string,
&result_string);
if (ret) {
krb5_warn (context, ret, "krb5_set_password_using_ccache");
return 1;
}
printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code),
result_string.length > 0 ? " : " : "",
(int)result_string.length,
result_string.length > 0 ? (char *)result_string.data : "");
krb5_data_free (&result_code_string);
krb5_data_free (&result_string);
return ret != 0;
}
/*
* Push a password change to Active Directory. Takes the module
* configuration, a Kerberos context, the principal whose password is being
* changed (we will have to change the realm), and the new password and its
* length. Returns a Kerberos error code.
*/
krb5_error_code
sync_ad_chpass(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, const char *password)
{
krb5_error_code code;
char *target = NULL;
krb5_ccache ccache;
krb5_principal ad_principal = NULL;
int result_code;
krb5_data result_code_string, result_string;
/* Ensure the configuration is sane. */
CHECK_CONFIG(ad_realm);
/* Get the credentials we'll use to make the change in AD. */
code = get_creds(config, ctx, &ccache);
if (code != 0)
return code;
/* Get the corresponding AD principal. */
code = get_ad_principal(config, ctx, principal, &ad_principal);
if (code != 0)
goto done;
/* This is just for logging purposes. */
code = krb5_unparse_name(ctx, ad_principal, &target);
if (code != 0)
goto done;
/* Do the actual password change and record any error. */
code = krb5_set_password_using_ccache(ctx, ccache, (char *) password,
ad_principal, &result_code,
&result_code_string, &result_string);
if (code != 0)
goto done;
if (result_code != 0) {
code = sync_error_generic(ctx, "password change failed for %s: (%d)"
" %.*s%s%.*s", target, result_code,
(int) result_code_string.length,
(char *) result_code_string.data,
result_string.length ? ": " : "",
(int) result_string.length,
(char *) result_string.data);
goto done;
}
free(result_string.data);
free(result_code_string.data);
sync_syslog_info(config, "krb5-sync: %s password changed", target);
done:
krb5_cc_destroy(ctx, ccache);
if (target != NULL)
krb5_free_unparsed_name(ctx, target);
if (ad_principal != NULL)
krb5_free_principal(ctx, ad_principal);
return code;
}
static PyObject *
k5_set_password(PyObject *self, PyObject *args)
{
int result_code;
char *name, *newpass;
krb5_context ctx;
krb5_error_code code;
krb5_principal principal;
krb5_data result_code_string, result_string;
krb5_ccache ccache;
if (!PyArg_ParseTuple(args, "ss", &name, &newpass))
return NULL;
/* Initialize parameters. */
code = krb5_init_context(&ctx);
RETURN_ON_ERROR("krb5_init_context()", code);
code = krb5_parse_name(ctx, name, &principal);
RETURN_ON_ERROR("krb5_parse_name()", code);
/* Get credentials */
code = krb5_cc_default(ctx, &ccache);
RETURN_ON_ERROR("krb5_cc_default()", code);
/* Set password */
code = krb5_set_password_using_ccache(ctx, ccache, newpass, principal,
&result_code, &result_code_string,
&result_string);
RETURN_ON_ERROR("krb5_set_password_using_ccache()", code);
/* Any other error? */
if (result_code != 0)
{
_k5_set_password_error(&result_code_string, &result_string);
return NULL;
}
/* Free up results. */
if (result_code_string.data != NULL)
free(result_code_string.data);
if (result_string.data != NULL)
free(result_string.data);
Py_INCREF(Py_None);
return Py_None;
}
int main( int argc, char ** argv )
{
char * new_password;
char * new_password2;
krb5_context kcontext;
krb5_error_code kerr;
krb5_principal target_principal;
if( argc < 2 )
{
fprintf( stderr, "Usage: setpass user@REALM\n");
exit(1);
}
/*
** verify credentials -
*/
if( verify_creds() )
init_creds();
if( verify_creds() )
{
fprintf( stderr, "No user credentials available\n");
exit(1);
}
/*
** check the principal name -
*/
krb5_init_context(&kcontext);
kerr = krb5_parse_name( kcontext, argv[1], &target_principal );
{
char * pname = NULL;
kerr = krb5_unparse_name( kcontext, target_principal, &pname );
printf( "Changing password for %s:\n", pname);
fflush( stdout );
free( pname );
}
/*
** get the new password -
*/
for (;;)
{
new_password = getpass("Enter new password: "******"Verify new password: "******"Passwords do not match\n");
free( new_password );
free( new_password2 );
}
/*
** change the password -
*/
{
int pw_result;
krb5_ccache ccache;
krb5_data pw_res_string, res_string;
kerr = krb5_cc_default( kcontext, &ccache );
if( kerr == 0 )
{
kerr = krb5_set_password_using_ccache(kcontext, ccache, new_password, target_principal,
&pw_result, &pw_res_string, &res_string );
if( kerr )
fprintf( stderr, "Failed: %s\n", error_message(kerr) );
else
{
if( pw_result )
{
fprintf( stderr, "Failed(%d)", pw_result );
if( pw_res_string.length > 0 )
fprintf( stderr, ": %s", pw_res_string.data);
if( res_string.length > 0 )
fprintf( stderr, " %s", res_string.data);
fprintf( stderr, "\n");
}
}
}
}
return(0);
}
