[PATCH] Fix 'smbpasswd' as local user in domain member case
Andreas Schneider
asn at samba.org
Fri Aug 18 14:39:00 UTC 2017
Hi,
the attached patch fixes calling 'smbpasswd' as a local user if the machine is
a domain member.
Before we authenticated with the workgroup as the domain name, so we contacted
winbind instead of our SAM.
Review and push appreciated!
Thanks,
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
>From d52e06e532e36ff35ec8a36d0477a2c22466e5b8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Fri, 18 Aug 2017 16:08:46 +0200
Subject: [PATCH 1/5] s3:libsmb: Pass domain to remote_password_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/include/proto.h | 3 ++-
source3/libsmb/passchange.c | 5 +++--
source3/utils/smbpasswd.c | 3 ++-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index c8f6c282b68..976f3f92156 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -823,7 +823,8 @@ bool get_dc_name(const char *domain,
/* The following definitions come from libsmb/passchange.c */
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str);
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index c89b7ca85d1..48ffba8036f 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -30,7 +30,8 @@
Change a password on a remote machine using IPC calls.
*************************************************************/
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str)
{
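Review bot: The banner comment above remote_password_change() still reads only "Change a password on a remote machine using IPC calls." and does not say what the new `domain` argument means or that NULL is accepted, even though the smbpasswd.c hunk of this same patch passes `NULL`. The next hunk hands the value straight to cli_session_creds_init() in place of `NULL, /* domain */`, so the argument decides which account database the old password is checked against. A line such as `domain: authentication domain for the session credentials; NULL keeps the previous default` in that comment would make this explicit. The function body continues outside this hunk, so how NULL is resolved is not visible here; going by the cover letter it seems to end up as the workgroup.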
@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
creds = cli_session_creds_init(cli,
user_name,
- NULL, /* domain */
+ domain,
NULL, /* realm */
old_passwd,
false, /* use_kerberos */
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index ae9862606f1..00d2acf2a5f 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
fprintf(stderr, "Invalid remote operation!\n");
return NT_STATUS_UNSUCCESSFUL;
}
- ret = remote_password_change(remote_mach, username,
+ ret = remote_password_change(remote_mach,
+ NULL, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
--
2.14.0
>From 7a6d3b75c14844721debc154bfe8c186ccf84630 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Fri, 18 Aug 2017 16:10:06 +0200
Subject: [PATCH 2/5] s3:libsmb: Move prototye of remote_password_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/include/proto.h | 7 -------
source3/libsmb/proto.h | 10 ++++++++++
source3/utils/smbpasswd.c | 1 +
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 976f3f92156..b2c3a03a193 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -821,13 +821,6 @@ bool get_dc_name(const char *domain,
fstring srv_name,
struct sockaddr_storage *ss_out);
-/* The following definitions come from libsmb/passchange.c */
-
-NTSTATUS remote_password_change(const char *remote_machine,
- const char *domain, const char *user_name,
- const char *old_passwd, const char *new_passwd,
- char **err_str);
-
/* The following definitions come from libsmb/smberr.c */
const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 05d91f79f83..a74433f623e 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -30,6 +30,9 @@
struct smb_trans_enc_state;
struct cli_credentials;
+struct cli_state;
+struct file_info;
+struct print_job_info;
/* The following definitions come from libsmb/cliconnect.c */
@@ -970,4 +973,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
TALLOC_CTX *mem_ctx, char **psubstitute_name,
char **pprint_name, uint32_t *pflags);
+/* The following definitions come from libsmb/passchange.c */
+
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
+ const char *old_passwd, const char *new_passwd,
+ char **err_str);
+
#endif /* _LIBSMB_PROTO_H_ */
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 00d2acf2a5f..ec162fdbfb0 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -21,6 +21,7 @@
#include "secrets.h"
#include "../librpc/gen_ndr/samr.h"
#include "../lib/util/util_pw.h"
+#include "libsmb/proto.h"
#include "passdb.h"
/*
--
2.14.0
>From 7f849409f215bed972ff340b37874697d2b3fd92 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Fri, 18 Aug 2017 16:13:15 +0200
Subject: [PATCH 3/5] s3:utils: Make strings const passed to password_change()
in smbpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/utils/smbpasswd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index ec162fdbfb0..5c75f48189d 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
Change a password either locally or remotely.
*************************************************************/
-static NTSTATUS password_change(const char *remote_mach, char *username,
- char *old_passwd, char *new_pw,
+static NTSTATUS password_change(const char *remote_mach,
+ const char *username,
+ const char *old_passwd, const char *new_pw,
int local_flags)
{
NTSTATUS ret;
--
2.14.0
>From 3e0f7e4c19ef04dd409a3e0b3f27867f887ef5ab Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Fri, 18 Aug 2017 16:14:57 +0200
Subject: [PATCH 4/5] s3:utils: Pass domain to password_change() in smbpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/utils/smbpasswd.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 5c75f48189d..b8a8e9c71b6 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
*************************************************************/
static NTSTATUS password_change(const char *remote_mach,
- const char *username,
+ const char *domain, const char *username,
const char *old_passwd, const char *new_pw,
int local_flags)
{
@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
return NT_STATUS_UNSUCCESSFUL;
}
ret = remote_password_change(remote_mach,
- NULL, username,
+ domain, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
@@ -466,7 +466,8 @@ static int process_root(int local_flags)
}
}
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+ NULL, user_name,
old_passwd, new_passwd,
local_flags))) {
result = 1;
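Review bot: The bare `NULL` added to this password_change() call in process_root is unlabelled, and unlike the process_nonroot call it is not replaced by a real domain later in the series. A root-invoked change that reaches remote_password_change() would therefore still authenticate with the old default domain. If that is intended, label the argument the way passchange.c labelled its positional ones, e.g. `NULL, /* domain: keep default */`; if not, this call presumably needs the same treatment process_nonroot gets in 5/5. process_root's body starts and ends outside the hunk, so whether `remote_machine` can be set on this path is not visible here.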
@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
exit(1);
}
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
- new_pw, 0))) {
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+ NULL, user_name,
+ old_pw, new_pw, 0))) {
result = 1;
goto done;
}
--
2.14.0
>From f2a24c006239629ab730c9264f9e9134d0aec744 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Fri, 18 Aug 2017 16:17:08 +0200
Subject: [PATCH 5/5] s3:utils: Make sure we authenticate against our SAM name
in smbpasswd
If a local user wants to change his password using smbpasswd and the
machine is a domain member, we need to make sure we authenticate against
our SAM and not ask winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/utils/smbpasswd.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index b8a8e9c71b6..a31b5fad0d9 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -519,6 +519,7 @@ static int process_nonroot(int local_flags)
int result = 0;
char *old_pw = NULL;
char *new_pw = NULL;
+ const char *domain = NULL;
if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
/* Extra flags that we can't honor non-root */
@@ -534,6 +535,13 @@ static int process_nonroot(int local_flags)
fprintf(stderr, "smbpasswd: cannot lookup user name for uid %u\n", (unsigned int)getuid());
exit(1);
}
+
+ /*
+ * If we deal with a local user we need to make sure to check
+ * our user against our SAM and not winbind during
+ * authentication.
+ */
+ domain = lp_netbios_name();
}
/*
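Review bot: `domain = lp_netbios_name();` appears to sit inside the block that derives `user_name` from getuid() (a closing brace follows it), so when a user name was already supplied the override is skipped and `domain` stays NULL, which is the winbind path this series is meant to avoid. It is also set without regard to `remote_machine`: if smbpasswd was pointed at another host, the local NetBIOS name would be offered to that server as the authentication domain. Consider gating it on the local case after the user-name block, e.g. `if (remote_machine == NULL) { domain = lp_netbios_name(); }`. The subject says "SAM name", and where the SAM is named after the domain rather than the host `lp_netbios_name()` may not match; `get_global_sam_name()` looks like the closer fit, worth confirming. The enclosing function starts and ends outside this hunk and indentation is lost on this page, so the nesting is inferred.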
@@ -568,7 +576,7 @@ static int process_nonroot(int local_flags)
}
if (!NT_STATUS_IS_OK(password_change(remote_machine,
- NULL, user_name,
+ domain, user_name,
old_pw, new_pw, 0))) {
result = 1;
goto done;
--
2.14.0