1#!/usr/bin/perl -w
2
3# LDAP to unix password sync script for samba
4# $Id: smbldap-passwd,v 1.19 2005/10/31 15:05:22 jtournier Exp $
5
6#  This code was developped by IDEALX (http://IDEALX.org/) and
7#  contributors (their names can be found in the CONTRIBUTORS file).
8#
9#                 Copyright (C) 2001-2002 IDEALX
10#
11#  This program is free software; you can redistribute it and/or
12#  modify it under the terms of the GNU General Public License
13#  as published by the Free Software Foundation; either version 2
14#  of the License, or (at your option) any later version.
15#
16#  This program is distributed in the hope that it will be useful,
17#  but WITHOUT ANY WARRANTY; without even the implied warranty of
18#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19#  GNU General Public License for more details.
20#
21#  You should have received a copy of the GNU General Public License
22#  along with this program; if not, write to the Free Software
23#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
24#  USA.
25
26#  Purpose :
27#       . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP
28#       . may also replace /bin/passwd
29
30# untaint environment
31$ENV{'PATH'}= '/bin:/usr/bin';
32$ENV{'SHELL'}= '/bin/sh';
33delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
34
35use strict;
36use FindBin;
37use FindBin qw($RealBin);
38use lib "$RealBin/";
39use smbldap_tools;
40
41use Crypt::SmbHash;
42use Digest::MD5 qw(md5);
43use Digest::SHA1 qw(sha1);
44use MIME::Base64 qw(encode_base64);
45
46# function declaration
47sub make_hash;
48sub make_salt;
49
50my $user= undef;
51my $oldpass= undef;
52
53my $arg;
54my $update_samba_passwd= 1;
55my $update_unix_passwd= 1;
56
57foreach $arg (@ARGV) {
58  if ( substr( $arg, 0, 1 ) eq '-' ) {
59    if ( $arg eq '-h' || $arg eq '-?' || $arg eq '--help' ) {
60      print_banner;
61      print "Usage: $0 [options] [username]\n";
62      print "  -h, -?, --help show this help message\n";
63      print "  -s             update only samba password\n";
64      print "  -u             update only UNIX password\n";
65      exit (6);
66    } elsif ($arg eq '-s') {
67      $update_samba_passwd= 1; $update_unix_passwd= 0;
68    } elsif ($arg eq '-u') {
69      $update_samba_passwd= 0; $update_unix_passwd= 1;
70    }
71  } else {
72    if ( $< != 0 ) {
73      die "Only root can specify username\n";
74    }
75    $user= $arg; last;
76  }
77}
78
79if (!defined($user)) {
80  $user = getpwuid($<);		# $user=$ENV{"USER"};
81}
82
83# check if $user variable is not tainted
84# [TODO] create proper user mask
85$user =~ /^([-\@\ \w.]+\$?)$/ and $user = $1 or
86  die "$0: username '$user' is tainted\n";
87
88
89my ($dn,$ldap_master);
90# First, connecting to the directory
91if ($< != 0) {
92  # non-root user
93  if (!defined($oldpass)) {
94    # prompt for password
95    print "Identity validation...\nenter your UNIX password: ";
96    system "/bin/stty -echo" if (-t STDIN);
97    chomp($oldpass=<STDIN>);
98    system "/bin/stty echo" if (-t STDIN);
99    print "\n";
100
101    $config{masterDN}="uid=$user,$config{usersdn}";
102    $config{masterPw}="$oldpass";
103    $ldap_master=connect_ldap_master();
104    $dn=$config{masterDN};
105    if (!is_user_valid($user, $dn, $oldpass)) {
106      print "Authentication failure\n";
107      exit (10);
108    }
109  }
110} else {
111  # root user
112  $ldap_master=connect_ldap_master();
113  # test existence of user in LDAP
114  my $dn_line;
115  if (!defined($dn_line = get_user_dn($user))) {
116    print "$0: user $user doesn't exist\n";
117    exit (10);
118  }
119  $dn = get_dn_from_line($dn_line);
120}
121
122my $samba = is_samba_user($user);
123
124# Printing verbose message
125if ( $samba and $update_samba_passwd ) {
126  if ( $update_unix_passwd ) {
127    print "Changing UNIX and samba passwords for $user\n";
128  } else {
129    print "Changing samba password for $user\n";
130  }
131} else {
132  if ( $update_unix_passwd ) {
133    print "Changing UNIX password for $user\n";
134  } else {
135    die "Internal error";
136  }
137}
138
139# prompt for new password
140
141my $pass;
142my $pass2;
143
144print "New password: ";
145system "/bin/stty -echo" if (-t STDIN);
146chomp($pass=<STDIN>);
147system "/bin/stty echo" if (-t STDIN);
148print "\n";
149
150print "Retype new password: ";
151system "/bin/stty -echo" if (-t STDIN);
152chomp($pass2=<STDIN>);
153system "/bin/stty echo" if (-t STDIN);
154print "\n";
155
156if ($pass ne $pass2) {
157  print "New passwords don't match!\n";
158  exit (10);
159}
160
161# Prepare '$hash_password' for 'userPassword'
162my $hash_password;
163# Generate password hash
164if ($config{with_slappasswd}) {
165  # checking if password is tainted: nothing is changed!!!!
166  # essential for perl 5.8
167  ($pass =~ /^(.*)$/ and $pass=$1) or
168    die "$0: user password is tainted\n";
169
170  # use slappasswd to generate hash
171  if ( $config{hash_encrypt} eq "CRYPT" && defined($config{crypt_salt_format}) ) {
172    open BUF, "-|" or
173      exec "$config{slappasswd}",
174	"-h","{$config{hash_encrypt}}",
175          "-c","$config{crypt_salt_format}",
176	    "-s","$pass";
177    $hash_password = <BUF>;
178    close BUF;
179  } else {
180    open(BUF, "-|") or
181      exec "$config{slappasswd}",
182	"-h","{$config{hash_encrypt}}",
183          "-s","$pass";
184    $hash_password = <BUF>;
185    close BUF;
186  }
187} else {
188  # use perl libraries to generate hash
189  $hash_password = make_hash($pass,$config{hash_encrypt},$config{crypt_salt_format});
190}
191# check if a hash was generated, otherwise die
192defined($hash_password) or
193  die "I cannot generate the proper hash!\n";
194chomp($hash_password);
195
196# First, connecting to the directory
197if ($< != 0) {
198  # if we are not root, we close the connection to re-open it as a normal user
199  $ldap_master->unbind;
200  $config{masterDN}="uid=$user,$config{usersdn}";
201  $config{masterPw}="$oldpass";
202  $ldap_master=connect_ldap_master();
203}
204
205# only modify smb passwords if smb user
206if ( $samba and $update_samba_passwd ) {
207  if (!$config{with_smbpasswd}) {
208    # generate LanManager and NT clear text passwords
209    my ($sambaLMPassword,$sambaNTPassword) = ntlmgen $pass;
210    # the sambaPwdLastSet must be updating
211    my $date=time;
212    my @mods;
213    push(@mods, 'sambaLMPassword' => $sambaLMPassword);
214    push(@mods, 'sambaNTPassword' => $sambaNTPassword);
215    push(@mods, 'sambaPwdLastSet' => $date);
216    if (defined $config{defaultMaxPasswordAge}) {
217      my $new_sambaPwdMustChange=$date+$config{defaultMaxPasswordAge}*24*60*60;
218      push(@mods, 'sambaPwdMustChange' => $new_sambaPwdMustChange);
219      if ($< ==0) {
220	push(@mods, 'sambaAcctFlags' => '[U]');
221      }
222    }
223    # Let's change nt/lm passwords
224    my $modify = $ldap_master->modify ( "$dn",
225					'replace' => { @mods }
226				      );
227    $modify->code && warn "failed to modify entry: ", $modify->error ;
228
229  } else {
230    if ($< != 0) {
231      my $FILE="|$config{smbpasswd} -s >/dev/null";
232      open (FILE, $FILE) || die "$!\n";
233      print FILE <<EOF;
234$oldpass
235$pass
236$pass
237EOF
238      ;
239      close FILE;
240    } else {
241      open FILE,"|-" or
242	exec "$config{smbpasswd}","$user","-s";
243      local $SIG{PIPE} = sub {die "buffer pipe terminated" };
244      print FILE <<EOF;
245$pass
246$pass
247EOF
248      ;
249      close FILE;
250    }
251  }
252}
253
254# Update 'userPassword' field
255if ( $update_unix_passwd ) {
256  my $modify = $ldap_master->modify ( "$dn",
257				      changes => [
258						  replace => [userPassword => "$hash_password"]
259						 ]
260				    );
261  $modify->code && warn "Unable to change password: ", $modify->error ;
262}
263
264# take down session
265$ldap_master->unbind;
266
267exit 0;
268
269# Generates hash to be one of the following RFC 2307 schemes:
270# CRYPT,  MD5,  SMD5,  SHA, SSHA,  and  CLEARTEXT
271# SSHA is default
272# '%s' is a default crypt_salt_format
273# A substitute for slappasswd tool
274sub make_hash
275  {
276    my $hash_encrypt;
277    my $crypt_salt_format;
278
279    my $clear_pass=$_[0] or return undef;
280    $hash_encrypt='{' . $_[1] . '}' or $hash_encrypt = "{SSHA}";
281    $crypt_salt_format=$_[2] or $crypt_salt_format = '%s';
282
283    my $hash_pass;
284    if ($hash_encrypt eq "{CRYPT}" && defined($crypt_salt_format)) {
285      # Generate CRYPT hash
286      # for unix md5crypt $crypt_salt_format = '$1$%.8s'
287      my $salt = sprintf($crypt_salt_format,make_salt());
288      $hash_pass = "{CRYPT}" . crypt($clear_pass,$salt);
289
290    } elsif ($hash_encrypt eq "{MD5}") {
291      # Generate MD5 hash
292      $hash_pass = "{MD5}" . encode_base64( md5($clear_pass),'' );
293
294    } elsif ($hash_encrypt eq "{SMD5}") {
295      # Generate SMD5 hash (MD5 with salt)
296      my $salt = make_salt(4);
297      $hash_pass = "{SMD5}" . encode_base64( md5($clear_pass . $salt) . $salt,'');
298
299    } elsif ($hash_encrypt eq "{SHA}") {
300      # Generate SHA1 hash
301      $hash_pass = "{SHA}" . encode_base64( sha1($clear_pass),'' );
302
303    } elsif ($hash_encrypt eq "{SSHA}") {
304      # Generate SSHA hash (SHA1 with salt)
305      my $salt = make_salt(4);
306      $hash_pass = "{SSHA}" . encode_base64( sha1($clear_pass . $salt) . $salt,'' );
307
308    } elsif ($hash_encrypt eq "{CLEARTEXT}") {
309      $hash_pass=$clear_pass;
310
311    } else {
312      $hash_pass=undef;
313    }
314    return $hash_pass;
315  }
316
317# Generates salt
318# Similar to Crypt::Salt module from CPAN
319sub make_salt
320  {
321    my $length=32;
322    $length = $_[0] if exists($_[0]);
323
324    my @tab = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
325    return join "",@tab[map {rand 64} (1..$length)];
326  }
327
328# - The End
329
330=head1 NAME
331
332smbldap-passwd - change user password
333
334=head1 SYNOPSIS
335
336smbldap-passwd [-?|--help|-s|-u] [name]
337
338=head1 DESCRIPTION
339
340smbldap-passwd changes passwords for user accounts. A normal user may only change the password for their own account, the super user may change the password for any account.
341
342If option -s specified then changed only samba password.
343If options -u specified then changed only UNIX password.
344With no options then changed both - UNIX and samba passwords.
345
346Password Changes
347 The user is first prompted for their old password, if one is present. This password is then tested against the stored password by binding to the server. The user has only one chance to enter the correct passwword. The super user is permitted to bypass this step so that forgotten passwords may be changed.
348 The user is then prompted for a replacement password. As a general guideline, passwords should consist of 6 to 8 characters including one or more from each of following sets:
349
350Lower case alphabetics
351
352Upper case alphabetics
353
354Digits 0 thru 9
355
356Punctuation marks
357
358Password will prompt again and compare the second entry against the first. Both entries are require to match in order for the password to be changed.
359
360=head1 SEE ALSO
361
362       passwd(1)
363
364=cut
365
366#'
367