From 6a673b236dfdfdf9c73cc3d2ccf3949eb1a5ddd0 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 11 Jun 2021 12:47:37 +0200

Subject: [PATCH 3/3] entry: add passwd-user sub-command

The new command allows to set or reset a user password with the help of

an account privileged to set the password.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1952828

---

 doc/adcli.xml     |  20 +++++++

 library/adentry.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++

 library/adentry.h |   3 +

 tools/entry.c     |  99 +++++++++++++++++++++++++++++++++

 tools/tools.c     |   1 +

 tools/tools.h     |   4 ++

 6 files changed, 265 insertions(+)

diff --git a/doc/adcli.xml b/doc/adcli.xml

index 1ed5d3f..6c36297 100644

--- a/doc/adcli.xml

+++ b/doc/adcli.xml

@@ -56,6 +56,11 @@

 		<arg choice="opt">--domain=domain.example.com</arg>

 		<arg choice="plain">user</arg>

 	</cmdsynopsis>

+	<cmdsynopsis>

+		<command>adcli passwd-user</command>

+		<arg choice="opt">--domain=domain.example.com</arg>

+		<arg choice="plain">user</arg>

+	</cmdsynopsis>

 	<cmdsynopsis>

 		<command>adcli create-group</command>

 		<arg choice="opt">--domain=domain.example.com</arg>

@@ -696,6 +701,21 @@ $ adcli delete-user Fry --domain=domain.example.com

 </refsect1>

+<refsect1 id='passwd_user'>

+	<title>(Re)setting the password of a User with an Administrative Account</title>

+

+	<para><command>adcli passwd-user</command> sets or resets the password

+	of user account. The administrative account used for this operation

+	must have privileges to set a password.</para>

+

+<programlisting>

+$ adcli passwd-user Fry --domain=domain.example.com

+</programlisting>

+

+	<para>The various global options can be used.</para>

+

+</refsect1>

+

 <refsect1 id='create_group'>

 	<title>Creating a Group</title>

diff --git a/library/adentry.c b/library/adentry.c

index 13dcaf8..0d9b9af 100644

--- a/library/adentry.c

+++ b/library/adentry.c

@@ -409,6 +409,144 @@ adcli_entry_delete (adcli_entry *entry)

 	return ADCLI_SUCCESS;

 }

+static adcli_result

+adcli_entry_ensure_enabled (adcli_entry *entry)

+{

+	adcli_result res;

+	LDAP *ldap;

+	adcli_attrs *attrs;

+	uint32_t uac = 0;

+	char *uac_str;

+	unsigned long attr_val;

+	char *end;

+

+	return_unexpected_if_fail (entry->entry_attrs != NULL);

+

+	ldap = adcli_conn_get_ldap_connection (entry->conn);

+	return_unexpected_if_fail (ldap != NULL);

+

+	uac_str = _adcli_ldap_parse_value (ldap, entry->entry_attrs,

+	                                   "userAccountControl");

+	if (uac_str != NULL) {

+		attr_val = strtoul (uac_str, &end, 10);

+		if (*end != '\0' || attr_val > UINT32_MAX) {

+			_adcli_warn ("Invalid userAccountControl '%s' for %s account in directory: %s, assuming 0",

+			            uac_str, entry->object_class, entry->entry_dn);

+		} else {

+			uac = attr_val;

+		}

+		free (uac_str);

+	}

+	if (uac & UAC_ACCOUNTDISABLE) {

+		uac &= ~(UAC_ACCOUNTDISABLE);

+

+		if (asprintf (&uac_str, "%d", uac) < 0) {

+			_adcli_warn ("Cannot enable %s entry %s after password (re)set",

+			             entry->object_class, entry->entry_dn);

+			return ADCLI_ERR_UNEXPECTED;

+		}

+

+		attrs = adcli_attrs_new ();

+		adcli_attrs_replace (attrs, "userAccountControl", uac_str,

+		                     NULL);

+		res = adcli_entry_modify (entry, attrs);

+		if (res == ADCLI_SUCCESS) {

+			_adcli_info ("Enabled %s entry %s after password (re)set",

+			             entry->object_class, entry->entry_dn);

+		} else {

+			_adcli_warn ("Failed to enable %s entry %s after password (re)set",

+			             entry->object_class, entry->entry_dn);

+		}

+		free (uac_str);

+		adcli_attrs_free (attrs);

+	} else {

+		res = ADCLI_SUCCESS;

+	}

+

+	return res;

+}

+

+adcli_result

+adcli_entry_set_passwd (adcli_entry *entry, const char *user_pwd)

+{

+	adcli_result res;

+	LDAP *ldap;

+	krb5_error_code code;

+	krb5_context k5;

+	krb5_ccache ccache;

+	krb5_data result_string = { 0, };

+	krb5_data result_code_string = { 0, };

+	int result_code;

+	char *message;

+	krb5_principal user_principal;

+

+	ldap = adcli_conn_get_ldap_connection (entry->conn);

+	return_unexpected_if_fail (ldap != NULL);

+

+	/* Find the user */

+	res = update_entry_from_domain (entry, ldap);

+	if (res != ADCLI_SUCCESS)

+		return res;

+

+	if (!entry->entry_dn) {

+		_adcli_err ("Cannot find the %s entry %s in the domain",

+		            entry->object_class, entry->sam_name);

+		return ADCLI_ERR_CONFIG;

+	}

+

+	k5 = adcli_conn_get_krb5_context (entry->conn);

+	return_unexpected_if_fail (k5 != NULL);

+

+	code = _adcli_krb5_build_principal (k5, entry->sam_name,

+	                                    adcli_conn_get_domain_realm (entry->conn),

+	                                    &user_principal);

+	return_unexpected_if_fail (code == 0);

+

+	ccache = adcli_conn_get_login_ccache (entry->conn);

+	return_unexpected_if_fail (ccache != NULL);

+

+	memset (&result_string, 0, sizeof (result_string));

+	memset (&result_code_string, 0, sizeof (result_code_string));

+

+	code = krb5_set_password_using_ccache (k5, ccache, user_pwd,

+	                                       user_principal, &result_code,

+	                                       &result_code_string, &result_string);

+

+	if (code != 0) {

+		_adcli_err ("Couldn't set password for %s account: %s: %s",

+		            entry->object_class,

+		            entry->sam_name, krb5_get_error_message (k5, code));

+		/* TODO: Parse out these values */

+		res = ADCLI_ERR_DIRECTORY;

+

+	} else if (result_code != 0) {

+#ifdef HAVE_KRB5_CHPW_MESSAGE

+		if (krb5_chpw_message (k5, &result_string, &message) != 0)

+			message = NULL;

+#else

+		message = NULL;

+		if (result_string.length)

+			message = _adcli_str_dupn (result_string.data, result_string.length);

+#endif

+		_adcli_err ("Cannot set %s password: %.*s%s%s",

+		            entry->object_class,

+		            (int)result_code_string.length, result_code_string.data,

+		            message ? ": " : "", message ? message : "");

+		res = ADCLI_ERR_CREDENTIALS;

+#ifdef HAVE_KRB5_CHPW_MESSAGE

+		krb5_free_string (k5, message);

+#else

+		free (message);

+#endif

+	} else {

+		_adcli_info ("Password (re)setted for %s: %s", entry->object_class, entry->entry_dn);

+

+		res = adcli_entry_ensure_enabled (entry);

+	}

+

+	return res;

+}

+

 const char *

 adcli_entry_get_sam_name (adcli_entry *entry)

 {

diff --git a/library/adentry.h b/library/adentry.h

index ae90689..f2382b1 100644

--- a/library/adentry.h

+++ b/library/adentry.h

@@ -49,6 +49,9 @@ adcli_result       adcli_entry_modify                   (adcli_entry *entry,

 adcli_result       adcli_entry_delete                   (adcli_entry *entry);

+adcli_result       adcli_entry_set_passwd               (adcli_entry *entry,

+                                                         const char *user_pwd);

+

 const char *       adcli_entry_get_domain_ou            (adcli_entry *entry);

 void               adcli_entry_set_domain_ou            (adcli_entry *entry,

diff --git a/tools/entry.c b/tools/entry.c

index 05e4313..52d2546 100644

--- a/tools/entry.c

+++ b/tools/entry.c

@@ -24,6 +24,7 @@

 #include "config.h"

 #include "adcli.h"

+#include "adprivate.h"

 #include "adattrs.h"

 #include "tools.h"

@@ -385,6 +386,104 @@ adcli_tool_user_delete (adcli_conn *conn,

 	return 0;

 }

+int

+adcli_tool_user_passwd (adcli_conn *conn,

+                        int argc,

+                        char *argv[])

+{

+	adcli_result res;

+	adcli_entry *entry;

+	int opt;

+	char *user_pwd = NULL;

+

+	struct option options[] = {

+		{ "domain", required_argument, NULL, opt_domain },

+		{ "domain-realm", required_argument, NULL, opt_domain_realm },

+		{ "domain-controller", required_argument, NULL, opt_domain_controller },

+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },

+		{ "login-user", required_argument, NULL, opt_login_user },

+		{ "login-ccache", optional_argument, NULL, opt_login_ccache },

+		{ "no-password", no_argument, 0, opt_no_password },

+		{ "stdin-password", no_argument, 0, opt_stdin_password },

+		{ "prompt-password", no_argument, 0, opt_prompt_password },

+		{ "verbose", no_argument, NULL, opt_verbose },

+		{ "help", no_argument, NULL, 'h' },

+		{ 0 },

+	};

+

+	static adcli_tool_desc usages[] = {

+		{ 0, "usage: adcli passwd-user --domain=xxxx user" },

+		{ 0 },

+	};

+

+	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {

+		switch (opt) {

+		case 'h':

+		case '?':

+		case ':':

+			adcli_tool_usage (options, usages);

+			adcli_tool_usage (options, common_usages);

+			return opt == 'h' ? 0 : 2;

+		default:

+			res = parse_option ((Option)opt, optarg, conn);

+			if (res != ADCLI_SUCCESS) {

+				return res;

+			}

+			break;

+		}

+	}

+

+	argc -= optind;

+	argv += optind;

+

+	if (argc != 1) {

+		warnx ("specify one user name to (re)set password");

+		return 2;

+	}

+

+	entry = adcli_entry_new_user (conn, argv[0]);

+	if (entry == NULL) {

+		warnx ("unexpected memory problems");

+		return -1;

+	}

+

+	adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);

+

+	res = adcli_conn_connect (conn);

+	if (res != ADCLI_SUCCESS) {

+		warnx ("couldn't connect to %s domain: %s",

+		       adcli_conn_get_domain_name (conn),

+		       adcli_get_last_error ());

+		adcli_entry_unref (entry);

+		return -res;

+	}

+

+	user_pwd = adcli_prompt_password_func (ADCLI_LOGIN_USER_ACCOUNT,

+	                                       adcli_entry_get_sam_name(entry),

+	                                       0, NULL);

+	if (user_pwd == NULL || *user_pwd == '\0') {

+		warnx ("missing password");

+		_adcli_password_free (user_pwd);

+		adcli_entry_unref (entry);

+		return 2;

+	}

+

+	res = adcli_entry_set_passwd (entry, user_pwd);

+	_adcli_password_free (user_pwd);

+	if (res != ADCLI_SUCCESS) {

+		warnx ("(re)setting password for user %s in domain %s failed: %s",

+		       adcli_entry_get_sam_name (entry),

+		       adcli_conn_get_domain_name (conn),

+		       adcli_get_last_error ());

+		adcli_entry_unref (entry);

+		return -res;

+	}

+

+	adcli_entry_unref (entry);

+

+	return 0;

+}

+

 int

 adcli_tool_group_create (adcli_conn *conn,

                          int argc,

diff --git a/tools/tools.c b/tools/tools.c

index 84bbba9..a14b9ca 100644

--- a/tools/tools.c

+++ b/tools/tools.c

@@ -63,6 +63,7 @@ struct {

 	{ "create-msa", adcli_tool_computer_managed_service_account, "Create a managed service account in the given AD domain", },

 	{ "create-user", adcli_tool_user_create, "Create a user account", },

 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },

+	{ "passwd-user", adcli_tool_user_passwd, "(Re)set a user password", },

 	{ "create-group", adcli_tool_group_create, "Create a group", },

 	{ "delete-group", adcli_tool_group_delete, "Delete a group", },

 	{ "add-member", adcli_tool_member_add, "Add users to a group", },

diff --git a/tools/tools.h b/tools/tools.h

index 82d5e4e..d38aa32 100644

--- a/tools/tools.h

+++ b/tools/tools.h

@@ -94,6 +94,10 @@ int       adcli_tool_user_delete       (adcli_conn *conn,

                                         int argc,

                                         char *argv[]);

+int       adcli_tool_user_passwd       (adcli_conn *conn,

+                                        int argc,

+                                        char *argv[]);

+

 int       adcli_tool_group_create      (adcli_conn *conn,

                                         int argc,

                                         char *argv[]);

-- 

2.31.1