Change UNIX/SAMBA password

2010-12-25

Change UNIX/SAMBA Password with a Web Form

This is a Perl script to present a web form with which you can change both UNIX and SAMBA passwords at the same time. The script is based on Rajeev Kumar's passwd_sync.pl script. I updated it and fitted to my needs. Here are the instructions on how to install and use it.

Important Notes
Download
Configure
Install
Screenshots
Changelog + Developer Notes

Important Notes

The script runs with SUID root privileges which is a security risk. For your security be very aware what you are doing.

IMPORTANT: the script overrides the SAMBA user status. If you have disabled a SAMBA account but the SAMBA user still exists, this script will override the status. It is left for the responsibility of the system administrator to take this into account! This is on the issue list of the script.

Download

Download the script here: passwd.cgi.

Optionally you can download the older version from Rajeev Kumar's web page http://www.rajeevnet.com > Unix/Win pass_sync if it suits you better. However, take into account it is deprecated as for password change mechanisms.

What else you need:

perl-suid (in Ubuntu perl-suid package)
Perl::Expect module (in Ubuntu libperl-expect package)
Auth::Simple::PAM Perl module (in Ubuntu libauth-simple-pam-perl

Configure

Edit the script to suit your system and other preferences. There is a section in the script for user options, shown below.

################## Edit_Section: site specific variables below ####################

$html_title="Change password";		# Common title used on all pages and the form subject
$pdbedit="/usr/bin/pdbedit";		# Location of pdbedit(8) command
$p_domain_controller="localhost";  #Netbios Name (your Primary domain controller)
$cgiserver=$ENV{'SERVER_NAME'};  # The web server - will use the one from URL
$cgi_url="http://$cgiserver/cgi-bin/passwd.cgi";  #Exact cgi-bin URL for this script
$priv_uid=1000;  #Unix uid below which (but not equal to) this program won't setup passwd

# Styles
$bgcolor = "#cccc99";
$title_style = "color:#000000;font-size:18pt;font-family:Arial, Helvetica,
sans-serif;font-weight:bold;text-align:center;";
$error_style = "color:#990000;font-size:12pt;font-family:Arial, Helvetica, sans-serif;font-weight:bold;";
$normal_style = "color:#000000;font-size:11pt;font-family:Arial, Helvetica, sans-serif;";
$success_style = "color:#112255;font-size:12pt;font-family:Arial, Helvetica, sans-serif;font-weight:bold;";

################# No need to edit after this ######################################

Install

After configuring the script, copy it to the CGI directory of your system. In Ubuntu + Apache2 web server the default directory is /usr/lib/cgi-bin/. You can change the name of the script to whatever you want.

Change script owner and group to root:root. Change script privileges to SUID root by giving command chmod u+s <script-name>. WARNING: be aware what you are doing here! Running things with SUID root is a security risk.

Now point your web browser to http://<hostname>/cgi-bin/passwd.cgi to test the sript. Use Apache2 documentation if you see the script is not working.

Other installation hints:

Make Apache to use HTTPS by default. This is strongly recommended to avoid sending unencrypted passwords over the network.
You can make a ScriptAlias in Apache2 to use just URL http://<hostname>/passwd to access the script.

Screenshots

Main view

Password changed

Changelog + Developer Notes

This is from script's comment section.

# First release(v1.0): Sep/07/2001
# Bug Fix(v1.01): (Sept/11/2001) : Soft close soft_close() call added. On some system 
#                           without this call expect commands are not completing
#                           properly.
#
# 2010-12-15 (v1.1) (Henrik Pitkala <hpitkalaSPAMhotmail>):
# This version changes both UNIX and SAMBA passwords, not just either of
# them. Authentication happens only by UNIX passwd. SAMBA password is forced
# by SUID root and requires that the user exists in the Samba user database.
# This requirement prevents the users being able to add themselves to
# Samba users.
# The reason for removing UNIX and SAMBA selection was because it was not
# important for me... sorry... I think it would be better to have
# some option to use or not to use SAMBA password options.
#
# Changes:
# - changed yppasswd to passwd (not using NIS)
# - changed smbpasswd to pdbedit as smbpasswd cannot run with setuid
#   This comes from Samba progress: smbpasswd is probably going to deprecate
#   in the future.
# - using Authen::Simple::PAM for user authentication instead of /etc/passwd
#   because it simply doesn't work when using /etc/shadow. Currently maybe
#   most systems use /etc/shadow.
# - completely removed the possibility to select between SAMBA and UNIX accounts
# - a lot of text changed, typos corrected, formatting cleaned
# - added inline styles
# - added "Try again" link to the error message.
# - added some comments and instructions for Ubuntu Linux environment
#
# TODO:
# - add option to select whether to show and change also SAMBA password as
#   it was before!
# - maybe add option to complain about missing SAMBA user
# - check that SAMBA user doesn't get activated if the user account has been disabled
#   Result: it does activate it. So, need to fix it.
#
# Other notes:
# - Also this is quite nice: http://changepassword.sourceforge.net/
#   but it seems to be even more deprecated than this script was.

Home