From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 18 Aug 2017 16:08:46 +0200

Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>

(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)

---

 source3/include/proto.h     | 3 ++-

 source3/libsmb/passchange.c | 5 +++--

 source3/utils/smbpasswd.c   | 3 ++-

 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h

index baa579995a5..9deb27b416b 100644

--- a/source3/include/proto.h

+++ b/source3/include/proto.h

@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,

 /* The following definitions come from libsmb/passchange.c  */

-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, 

+NTSTATUS remote_password_change(const char *remote_machine,

+				const char *domain, const char *user_name,

 				const char *old_passwd, const char *new_passwd,

 				char **err_str);

diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c

index c89b7ca85d1..48ffba8036f 100644

--- a/source3/libsmb/passchange.c

+++ b/source3/libsmb/passchange.c

@@ -30,7 +30,8 @@

  Change a password on a remote machine using IPC calls.

 *************************************************************/

-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, 

+NTSTATUS remote_password_change(const char *remote_machine,

+				const char *domain, const char *user_name,

 				const char *old_passwd, const char *new_passwd,

 				char **err_str)

 {

@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam

 	creds = cli_session_creds_init(cli,

 				       user_name,

-				       NULL, /* domain */

+				       domain,

 				       NULL, /* realm */

 				       old_passwd,

 				       false, /* use_kerberos */

diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c

index 437a5e551bb..4d7a3c739bc 100644

--- a/source3/utils/smbpasswd.c

+++ b/source3/utils/smbpasswd.c

@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,

 			fprintf(stderr, "Invalid remote operation!\n");

 			return NT_STATUS_UNSUCCESSFUL;

 		}

-		ret = remote_password_change(remote_mach, username,

+		ret = remote_password_change(remote_mach,

+					     NULL, username,

 					     old_passwd, new_pw, &err_str);

 	} else {

 		ret = local_password_change(username, local_flags, new_pw,

-- 

2.14.1

From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 18 Aug 2017 16:10:06 +0200

Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>

(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)

---

 source3/include/proto.h   |  7 -------

 source3/libsmb/proto.h    | 10 ++++++++++

 source3/utils/smbpasswd.c |  1 +

 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h

index 9deb27b416b..67e1a9d750e 100644

--- a/source3/include/proto.h

+++ b/source3/include/proto.h

@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,

 		fstring srv_name,

 		struct sockaddr_storage *ss_out);

-/* The following definitions come from libsmb/passchange.c  */

-

-NTSTATUS remote_password_change(const char *remote_machine,

-				const char *domain, const char *user_name,

-				const char *old_passwd, const char *new_passwd,

-				char **err_str);

-

 /* The following definitions come from libsmb/smberr.c  */

 const char *smb_dos_err_name(uint8_t e_class, uint16_t num);

diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h

index a583a8ee159..44f4d04cff5 100644

--- a/source3/libsmb/proto.h

+++ b/source3/libsmb/proto.h

@@ -31,6 +31,9 @@

 struct smb_trans_enc_state;

 struct cli_credentials;

+struct cli_state;

+struct file_info;

+struct print_job_info;

 /* The following definitions come from libsmb/cliconnect.c  */

@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,

 		       TALLOC_CTX *mem_ctx, char **psubstitute_name,

 		      char **pprint_name, uint32_t *pflags);

+/* The following definitions come from libsmb/passchange.c  */

+

+NTSTATUS remote_password_change(const char *remote_machine,

+				const char *domain, const char *user_name,

+				const char *old_passwd, const char *new_passwd,

+				char **err_str);

+

 #endif /* _LIBSMB_PROTO_H_ */

diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c

index 4d7a3c739bc..6eb2deb7a3b 100644

--- a/source3/utils/smbpasswd.c

+++ b/source3/utils/smbpasswd.c

@@ -21,6 +21,7 @@

 #include "secrets.h"

 #include "../librpc/gen_ndr/samr.h"

 #include "../lib/util/util_pw.h"

+#include "libsmb/proto.h"

 #include "passdb.h"

 /*

-- 

2.14.1

From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 18 Aug 2017 16:13:15 +0200

Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()

 in smbpasswd

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>

(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)

---

 source3/utils/smbpasswd.c | 5 +++--

 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c

index 6eb2deb7a3b..b0e08cc0e58 100644

--- a/source3/utils/smbpasswd.c

+++ b/source3/utils/smbpasswd.c

@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)

  Change a password either locally or remotely.

 *************************************************************/

-static NTSTATUS password_change(const char *remote_mach, char *username, 

-				char *old_passwd, char *new_pw,

+static NTSTATUS password_change(const char *remote_mach,

+				const char *username,

+				const char *old_passwd, const char *new_pw,

 				int local_flags)

 {

 	NTSTATUS ret;

-- 

2.14.1

From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 18 Aug 2017 16:14:57 +0200

Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>

(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)

---

 source3/utils/smbpasswd.c | 12 +++++++-----

 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c

index b0e08cc0e58..92712e38f6b 100644

--- a/source3/utils/smbpasswd.c

+++ b/source3/utils/smbpasswd.c

@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)

 *************************************************************/

 static NTSTATUS password_change(const char *remote_mach,

-				const char *username,

+				const char *domain, const char *username,

 				const char *old_passwd, const char *new_pw,

 				int local_flags)

 {

@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,

 			return NT_STATUS_UNSUCCESSFUL;

 		}

 		ret = remote_password_change(remote_mach,

-					     NULL, username,

+					     domain, username,

 					     old_passwd, new_pw, &err_str);

 	} else {

 		ret = local_password_change(username, local_flags, new_pw,

@@ -466,7 +466,8 @@ static int process_root(int local_flags)

 		}

 	}

-	if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,

+	if (!NT_STATUS_IS_OK(password_change(remote_machine,

+					     NULL, user_name,

 					     old_passwd, new_passwd,

 					     local_flags))) {

 		result = 1;

@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)

 		exit(1);

 	}

-	if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,

-					     new_pw, 0))) {

+	if (!NT_STATUS_IS_OK(password_change(remote_machine,

+					     NULL, user_name,

+					     old_pw, new_pw, 0))) {

 		result = 1;

 		goto done;

 	}

-- 

2.14.1

From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 18 Aug 2017 16:17:08 +0200

Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name

 in smbpasswd

If a local user wants to change his password using smbpasswd and the

machine is a domain member, we need to make sure we authenticate against

our SAM and not ask winbind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>

(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)

---

 source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----

 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c

index 92712e38f6b..556e6869da7 100644

--- a/source3/utils/smbpasswd.c

+++ b/source3/utils/smbpasswd.c

@@ -58,7 +58,7 @@ static void usage(void)

 	printf("  -c smb.conf file     Use the given path to the smb.conf file\n");

 	printf("  -D LEVEL             debug level\n");

 	printf("  -r MACHINE           remote machine\n");

-	printf("  -U USER              remote username\n");

+	printf("  -U USER              remote username (e.g. SAM/user)\n");

 	printf("extra options when run by root or in local mode:\n");

 	printf("  -a                   add user\n");

@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)

 	user_name[0] = '\0';

-	while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {

+	while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {

 		switch(ch) {

 		case 'L':

 			if (getuid() != 0) {

@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)

 	int result = 0;

 	char *old_pw = NULL;

 	char *new_pw = NULL;

+	const char *username = user_name;

+	const char *domain = NULL;

+	char *p = NULL;

 	if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {

 		/* Extra flags that we can't honor non-root */

@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)

 		}

 	}

+	/* Allow domain as part of the username */

+	if ((p = strchr_m(user_name, '\\')) ||

+	    (p = strchr_m(user_name, '/')) ||

+	    (p = strchr_m(user_name, *lp_winbind_separator()))) {

+		*p = '\0';

+		username = p + 1;

+		domain = user_name;

+	}

+

 	/*

 	 * A non-root user is always setting a password

 	 * via a remote machine (even if that machine is

@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)

 	load_interfaces(); /* Delayed from main() */

-	if (remote_machine == NULL) {

+	if (remote_machine != NULL) {

+		if (!is_ipaddress(remote_machine)) {

+			domain = remote_machine;

+		}

+	} else {

 		remote_machine = "127.0.0.1";

+

+		/*

+		 * If we deal with a local user, change the password for the

+		 * user in our SAM.

+		 */

+		domain = get_global_sam_name();

 	}

 	if (remote_machine != NULL) {

@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)

 	}

 	if (!NT_STATUS_IS_OK(password_change(remote_machine,

-					     NULL, user_name,

+					     domain, username,

 					     old_pw, new_pw, 0))) {

 		result = 1;

 		goto done;

 	}

-	printf("Password changed for user %s\n", user_name);

+	printf("Password changed for user %s\n", username);

  done:

 	SAFE_FREE(old_pw);

-- 

2.14.1

From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Tue, 22 Aug 2017 15:46:07 +0200

Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975

Review with: git show -U20

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>

(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)

---

 source3/utils/smbpasswd.c | 10 ++++------

 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c

index 556e6869da7..fb7ad283995 100644

--- a/source3/utils/smbpasswd.c

+++ b/source3/utils/smbpasswd.c

@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)

 		domain = get_global_sam_name();

 	}

-	if (remote_machine != NULL) {

-		old_pw = get_pass("Old SMB password:",stdin_passwd_get);

-		if (old_pw == NULL) {

-			fprintf(stderr, "Unable to get old password.\n");

-			exit(1);

-		}

+	old_pw = get_pass("Old SMB password:",stdin_passwd_get);

+	if (old_pw == NULL) {

+		fprintf(stderr, "Unable to get old password.\n");

+		exit(1);

 	}

 	if (!new_passwd) {

-- 

2.14.1