1#!/usr/bin/perl -w 2 3# LDAP to unix password sync script for samba 4# $Id: smbldap-passwd,v 1.19 2005/10/31 15:05:22 jtournier Exp $ 5 6# This code was developped by IDEALX (http://IDEALX.org/) and 7# contributors (their names can be found in the CONTRIBUTORS file). 8# 9# Copyright (C) 2001-2002 IDEALX 10# 11# This program is free software; you can redistribute it and/or 12# modify it under the terms of the GNU General Public License 13# as published by the Free Software Foundation; either version 2 14# of the License, or (at your option) any later version. 15# 16# This program is distributed in the hope that it will be useful, 17# but WITHOUT ANY WARRANTY; without even the implied warranty of 18# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19# GNU General Public License for more details. 20# 21# You should have received a copy of the GNU General Public License 22# along with this program; if not, write to the Free Software 23# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, 24# USA. 25 26# Purpose : 27# . ldap-unix passwd sync for SAMBA>2.2.2 + LDAP 28# . may also replace /bin/passwd 29 30# untaint environment 31$ENV{'PATH'}= '/bin:/usr/bin'; 32$ENV{'SHELL'}= '/bin/sh'; 33delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; 34 35use strict; 36use FindBin; 37use FindBin qw($RealBin); 38use lib "$RealBin/"; 39use smbldap_tools; 40 41use Crypt::SmbHash; 42use Digest::MD5 qw(md5); 43use Digest::SHA1 qw(sha1); 44use MIME::Base64 qw(encode_base64); 45 46# function declaration 47sub make_hash; 48sub make_salt; 49 50my $user= undef; 51my $oldpass= undef; 52 53my $arg; 54my $update_samba_passwd= 1; 55my $update_unix_passwd= 1; 56 57foreach $arg (@ARGV) { 58 if ( substr( $arg, 0, 1 ) eq '-' ) { 59 if ( $arg eq '-h' || $arg eq '-?' || $arg eq '--help' ) { 60 print_banner; 61 print "Usage: $0 [options] [username]\n"; 62 print " -h, -?, --help show this help message\n"; 63 print " -s update only samba password\n"; 64 print " -u update only UNIX password\n"; 65 exit (6); 66 } elsif ($arg eq '-s') { 67 $update_samba_passwd= 1; $update_unix_passwd= 0; 68 } elsif ($arg eq '-u') { 69 $update_samba_passwd= 0; $update_unix_passwd= 1; 70 } 71 } else { 72 if ( $< != 0 ) { 73 die "Only root can specify username\n"; 74 } 75 $user= $arg; last; 76 } 77} 78 79if (!defined($user)) { 80 $user = getpwuid($<); # $user=$ENV{"USER"}; 81} 82 83# check if $user variable is not tainted 84# [TODO] create proper user mask 85$user =~ /^([-\@\ \w.]+\$?)$/ and $user = $1 or 86 die "$0: username '$user' is tainted\n"; 87 88 89my ($dn,$ldap_master); 90# First, connecting to the directory 91if ($< != 0) { 92 # non-root user 93 if (!defined($oldpass)) { 94 # prompt for password 95 print "Identity validation...\nenter your UNIX password: "; 96 system "/bin/stty -echo" if (-t STDIN); 97 chomp($oldpass=<STDIN>); 98 system "/bin/stty echo" if (-t STDIN); 99 print "\n"; 100 101 $config{masterDN}="uid=$user,$config{usersdn}"; 102 $config{masterPw}="$oldpass"; 103 $ldap_master=connect_ldap_master(); 104 $dn=$config{masterDN}; 105 if (!is_user_valid($user, $dn, $oldpass)) { 106 print "Authentication failure\n"; 107 exit (10); 108 } 109 } 110} else { 111 # root user 112 $ldap_master=connect_ldap_master(); 113 # test existence of user in LDAP 114 my $dn_line; 115 if (!defined($dn_line = get_user_dn($user))) { 116 print "$0: user $user doesn't exist\n"; 117 exit (10); 118 } 119 $dn = get_dn_from_line($dn_line); 120} 121 122my $samba = is_samba_user($user); 123 124# Printing verbose message 125if ( $samba and $update_samba_passwd ) { 126 if ( $update_unix_passwd ) { 127 print "Changing UNIX and samba passwords for $user\n"; 128 } else { 129 print "Changing samba password for $user\n"; 130 } 131} else { 132 if ( $update_unix_passwd ) { 133 print "Changing UNIX password for $user\n"; 134 } else { 135 die "Internal error"; 136 } 137} 138 139# prompt for new password 140 141my $pass; 142my $pass2; 143 144print "New password: "; 145system "/bin/stty -echo" if (-t STDIN); 146chomp($pass=<STDIN>); 147system "/bin/stty echo" if (-t STDIN); 148print "\n"; 149 150print "Retype new password: "; 151system "/bin/stty -echo" if (-t STDIN); 152chomp($pass2=<STDIN>); 153system "/bin/stty echo" if (-t STDIN); 154print "\n"; 155 156if ($pass ne $pass2) { 157 print "New passwords don't match!\n"; 158 exit (10); 159} 160 161# Prepare '$hash_password' for 'userPassword' 162my $hash_password; 163# Generate password hash 164if ($config{with_slappasswd}) { 165 # checking if password is tainted: nothing is changed!!!! 166 # essential for perl 5.8 167 ($pass =~ /^(.*)$/ and $pass=$1) or 168 die "$0: user password is tainted\n"; 169 170 # use slappasswd to generate hash 171 if ( $config{hash_encrypt} eq "CRYPT" && defined($config{crypt_salt_format}) ) { 172 open BUF, "-|" or 173 exec "$config{slappasswd}", 174 "-h","{$config{hash_encrypt}}", 175 "-c","$config{crypt_salt_format}", 176 "-s","$pass"; 177 $hash_password = <BUF>; 178 close BUF; 179 } else { 180 open(BUF, "-|") or 181 exec "$config{slappasswd}", 182 "-h","{$config{hash_encrypt}}", 183 "-s","$pass"; 184 $hash_password = <BUF>; 185 close BUF; 186 } 187} else { 188 # use perl libraries to generate hash 189 $hash_password = make_hash($pass,$config{hash_encrypt},$config{crypt_salt_format}); 190} 191# check if a hash was generated, otherwise die 192defined($hash_password) or 193 die "I cannot generate the proper hash!\n"; 194chomp($hash_password); 195 196# First, connecting to the directory 197if ($< != 0) { 198 # if we are not root, we close the connection to re-open it as a normal user 199 $ldap_master->unbind; 200 $config{masterDN}="uid=$user,$config{usersdn}"; 201 $config{masterPw}="$oldpass"; 202 $ldap_master=connect_ldap_master(); 203} 204 205# only modify smb passwords if smb user 206if ( $samba and $update_samba_passwd ) { 207 if (!$config{with_smbpasswd}) { 208 # generate LanManager and NT clear text passwords 209 my ($sambaLMPassword,$sambaNTPassword) = ntlmgen $pass; 210 # the sambaPwdLastSet must be updating 211 my $date=time; 212 my @mods; 213 push(@mods, 'sambaLMPassword' => $sambaLMPassword); 214 push(@mods, 'sambaNTPassword' => $sambaNTPassword); 215 push(@mods, 'sambaPwdLastSet' => $date); 216 if (defined $config{defaultMaxPasswordAge}) { 217 my $new_sambaPwdMustChange=$date+$config{defaultMaxPasswordAge}*24*60*60; 218 push(@mods, 'sambaPwdMustChange' => $new_sambaPwdMustChange); 219 if ($< ==0) { 220 push(@mods, 'sambaAcctFlags' => '[U]'); 221 } 222 } 223 # Let's change nt/lm passwords 224 my $modify = $ldap_master->modify ( "$dn", 225 'replace' => { @mods } 226 ); 227 $modify->code && warn "failed to modify entry: ", $modify->error ; 228 229 } else { 230 if ($< != 0) { 231 my $FILE="|$config{smbpasswd} -s >/dev/null"; 232 open (FILE, $FILE) || die "$!\n"; 233 print FILE <<EOF; 234$oldpass 235$pass 236$pass 237EOF 238 ; 239 close FILE; 240 } else { 241 open FILE,"|-" or 242 exec "$config{smbpasswd}","$user","-s"; 243 local $SIG{PIPE} = sub {die "buffer pipe terminated" }; 244 print FILE <<EOF; 245$pass 246$pass 247EOF 248 ; 249 close FILE; 250 } 251 } 252} 253 254# Update 'userPassword' field 255if ( $update_unix_passwd ) { 256 my $modify = $ldap_master->modify ( "$dn", 257 changes => [ 258 replace => [userPassword => "$hash_password"] 259 ] 260 ); 261 $modify->code && warn "Unable to change password: ", $modify->error ; 262} 263 264# take down session 265$ldap_master->unbind; 266 267exit 0; 268 269# Generates hash to be one of the following RFC 2307 schemes: 270# CRYPT, MD5, SMD5, SHA, SSHA, and CLEARTEXT 271# SSHA is default 272# '%s' is a default crypt_salt_format 273# A substitute for slappasswd tool 274sub make_hash 275 { 276 my $hash_encrypt; 277 my $crypt_salt_format; 278 279 my $clear_pass=$_[0] or return undef; 280 $hash_encrypt='{' . $_[1] . '}' or $hash_encrypt = "{SSHA}"; 281 $crypt_salt_format=$_[2] or $crypt_salt_format = '%s'; 282 283 my $hash_pass; 284 if ($hash_encrypt eq "{CRYPT}" && defined($crypt_salt_format)) { 285 # Generate CRYPT hash 286 # for unix md5crypt $crypt_salt_format = '$1$%.8s' 287 my $salt = sprintf($crypt_salt_format,make_salt()); 288 $hash_pass = "{CRYPT}" . crypt($clear_pass,$salt); 289 290 } elsif ($hash_encrypt eq "{MD5}") { 291 # Generate MD5 hash 292 $hash_pass = "{MD5}" . encode_base64( md5($clear_pass),'' ); 293 294 } elsif ($hash_encrypt eq "{SMD5}") { 295 # Generate SMD5 hash (MD5 with salt) 296 my $salt = make_salt(4); 297 $hash_pass = "{SMD5}" . encode_base64( md5($clear_pass . $salt) . $salt,''); 298 299 } elsif ($hash_encrypt eq "{SHA}") { 300 # Generate SHA1 hash 301 $hash_pass = "{SHA}" . encode_base64( sha1($clear_pass),'' ); 302 303 } elsif ($hash_encrypt eq "{SSHA}") { 304 # Generate SSHA hash (SHA1 with salt) 305 my $salt = make_salt(4); 306 $hash_pass = "{SSHA}" . encode_base64( sha1($clear_pass . $salt) . $salt,'' ); 307 308 } elsif ($hash_encrypt eq "{CLEARTEXT}") { 309 $hash_pass=$clear_pass; 310 311 } else { 312 $hash_pass=undef; 313 } 314 return $hash_pass; 315 } 316 317# Generates salt 318# Similar to Crypt::Salt module from CPAN 319sub make_salt 320 { 321 my $length=32; 322 $length = $_[0] if exists($_[0]); 323 324 my @tab = ('.', '/', 0..9, 'A'..'Z', 'a'..'z'); 325 return join "",@tab[map {rand 64} (1..$length)]; 326 } 327 328# - The End 329 330=head1 NAME 331 332smbldap-passwd - change user password 333 334=head1 SYNOPSIS 335 336smbldap-passwd [-?|--help|-s|-u] [name] 337 338=head1 DESCRIPTION 339 340smbldap-passwd changes passwords for user accounts. A normal user may only change the password for their own account, the super user may change the password for any account. 341 342If option -s specified then changed only samba password. 343If options -u specified then changed only UNIX password. 344With no options then changed both - UNIX and samba passwords. 345 346Password Changes 347 The user is first prompted for their old password, if one is present. This password is then tested against the stored password by binding to the server. The user has only one chance to enter the correct passwword. The super user is permitted to bypass this step so that forgotten passwords may be changed. 348 The user is then prompted for a replacement password. As a general guideline, passwords should consist of 6 to 8 characters including one or more from each of following sets: 349 350Lower case alphabetics 351 352Upper case alphabetics 353 354Digits 0 thru 9 355 356Punctuation marks 357 358Password will prompt again and compare the second entry against the first. Both entries are require to match in order for the password to be changed. 359 360=head1 SEE ALSO 361 362 passwd(1) 363 364=cut 365 366#' 367