Add a script to set the Windows passwords into Samba for all active login users.

tbsetup/GNUmakefile.in

@@ -34,12 +34,12 @@ SBIN_STUFF	= resetvlans console_setup.proxy sched_reload named_setup \
 		  sfskey_update sfskey_update.proxy rmuser idleswap \
 		  newnode_reboot savelogs.proxy eventsys.proxy \
 		  elabinelab snmpit.proxy panic repos_daemon node_attributes \
-		  nfstrace plabinelab
+		  nfstrace plabinelab smbpasswd_setup smbpasswd_setup.proxy
 
 CTRLBIN_STUFF   = console_setup.proxy sfskey_update.proxy \
 		  savelogs.proxy eventsys.proxy
 
-FSBIN_STUFF	= exports_setup.proxy
+FSBIN_STUFF	= exports_setup.proxy smbpasswd_setup.proxy
 
 LIBEXEC_STUFF	= rmproj wanlinksolve wanlinkinfo \
 		  os_setup mkexpdir console_setup webnscheck webreport \

tbsetup/smbpasswd_setup.in

+#!/usr/bin/perl -wT
+
+#
+# EMULAB-COPYRIGHT
+# Copyright (c) 2006 University of Utah and the Flux Group.
+# All rights reserved.
+#
+
+use English;
+
+#
+# smbpasswd_setup - Run this on Boss as root.
+# 
+# For each active user in the Emulab database, it sets their Samba password on
+# Fs to their Windows password, using the smbpasswd_setup.proxy .
+#
+# usage: smbpasswd_setup [debug_level]
+#
+
+my $dbg = 0;
+if ($#ARGV+1 > 0) {
+    # 0 = no debug, 1 = remote dbg, 2 = local dbg.
+    $dbg = $ARGV[0];
+}
+if ($dbg =~ /^([-\w]+)$/i) {
+    $dbg = $1;
+}
+else {
+    die("Tainted argument: $dbg\n");
+}
+
+#
+# Configure variables.
+#
+my $TB		= "@prefix@";
+my $FSNODE      = "@FSNODE@";
+my $WINSUPPORT  = @WINSUPPORT@;
+
+# Note no -n option to ssh.  We pipe stdin below.
+my $SSH		= "$TB/bin/sshtb -l root -host $FSNODE";
+my $PROG	= "$TB/sbin/smbpasswd_setup.proxy";
+
+#
+# We don't want to run this script unless its the real version or local debug.
+#
+if ($EUID != 0 and $dbg < 2) {
+    die("*** $0:\n".
+	"    Must be root! Maybe its a development version?\n");
+}
+
+die("*** $0:\n".
+    "    Nothing to do if no Windows support in this copy of Emulab.\n")
+    if (!$WINSUPPORT);
+
+# un-taint path
+$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin:/usr/local/bin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+#
+# Turn off line buffering on output
+#
+$| = 1;
+
+#
+# Testbed Support libraries
+# 
+use lib "@prefix@/lib";
+use libdb;
+use libtestbed;
+
+my $USERROOT  = USERROOT();
+
+# Just do active, login accounts with real (unstarred) passwords.
+# (The unix_pwd is set to "frozen" on frozen accounts.)
+my $users_result =
+    DBQueryFatal("select uid, usr_w_pswd, usr_pswd from users " .
+		 "where status = '" . USERSTATUS_ACTIVE() . "'" .
+		 "  and wikionly = '0' and webonly = '0'" . 
+		 "  and usr_pswd != '*'");
+
+{
+    local $SIG{PIPE} = sub { die "$PROG pipe broke" };
+
+    # Open a pipe to a proxy on Ops.
+    (open(PROXY, "| $SSH $PROG $dbg")
+     || fatal("Failed: '| $SSH $PROG $dbg' $! $?"))
+	if ($dbg < 2);
+
+    while (my @usersrow = $users_result->fetchrow_array) {
+	my $uid = $usersrow[0];
+	my $w_pwd = $usersrow[1];
+	my $unix_pwd = $usersrow[2];
+
+	# If there's no user Windows password set, use the initial random default
+	# for the Windows Password.  This based on the Unix encrypted password, in
+	# particular the random salt if it's an MD5 crypt, consisting of the 8
+	# characters after an initial "$1$" and followed by a "$".
+	if (! defined($w_pwd)) {
+	    # When there's no $ at the beginning, its not an MD5 hash.
+	    if ($unix_pwd !~ m/\$1\$/) {
+		$w_pwd = substr($unix_pwd,0,8);
+	    }
+	    else {
+		$w_pwd = substr($unix_pwd,3,8); # The MD5 salt string.
+	    }
+	}
+
+	if (-d "$USERROOT/$uid") {
+	    if ($dbg >= 2) {
+		print "$uid, $w_pwd, $unix_pwd\n";
+	    }
+	    else {
+		print PROXY "$uid $w_pwd\n";
+	    }
+	}
+	else {
+	    print STDERR "*** smbpasswd_setup: ".
+		"$USERROOT/$uid does not exist!\n";
+	}
+    }
+
+    (close(PROXY)
+     || fatal("Failed, closing: '| $SSH $PROG $dbg' $! $?"))
+	if ($dbg < 2);
+}
+
+exit(0);

tbsetup/smbpasswd_setup.proxy.in

+#!/usr/bin/perl -wT
+
+#
+# EMULAB-COPYRIGHT
+# Copyright (c) 2006 University of Utah and the Flux Group.
+# All rights reserved.
+#
+
+use English;
+
+#
+# smbpasswd_setup.proxy - This is run remotely on Fs as root, with stdin piped
+# from smbpasswd_setup on Boss.
+#
+# It sets the Samba password on Fs for each active user to specified (Emulab
+# Windows) password.
+#
+# usage: smbpasswd_setup.proxy [debug_level]
+#
+
+my $dbg = 0;
+if ($#ARGV+1 > 0) {
+    $dbg = $ARGV[0];
+}
+if ($dbg =~ /^([-\w]+)$/i) {
+    $dbg = $1;
+}
+else {
+    die("Tainted argument: $dbg\n");
+}
+
+#
+# Configure variables.
+#
+my $WINSUPPORT  = @WINSUPPORT@;
+
+my $SMBPASSWD	= "/usr/local/bin/smbpasswd";
+
+#
+# We don't want to run this script unless its the real version (or debugging.)
+#
+if ($EUID != 0 and !$dbg) {
+    die("*** $0:\n".
+	"    Must be root! Maybe its a development version?\n");
+}
+
+die("*** $0:\n".
+    "    Nothing to do if no Windows support in this copy of Emulab.\n")
+    if (!$WINSUPPORT);
+
+# un-taint path
+$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin:/usr/local/bin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $log = "/tmp/smbpasswd_setup_proxy.log";
+open(LOG, "> $log")
+    || fatal("Couldn't open $log.\n");
+{
+    local $SIG{PIPE} = sub { die "$SMBPASSWD pipe broke" };
+
+    # Each line on stdin is "uid w_pswd".
+    my ($uid, $w_pwd);
+    while (<STDIN>) {
+	if (! (($uid, $w_pswd) = m/^(\S+) (.+)/)) {
+	    print LOG "BAD LINE: $_\n";
+	}
+	else {
+	    print LOG "$uid, '$w_pswd'\n";
+	}
+
+	if (! $dbg) {
+	    # Tell smbpasswd the password, and again to confirm.
+	    # -s == Silent: no prompts, read from stdin.
+	    # -a == Add the uid if necessary.
+	    my $cmd = "| $SMBPASSWD -s -a $uid";
+	    open(PWD, $cmd );
+	    print PWD "$w_pswd\n$w_pswd\n";
+	    my $stat = close PWD;
+	    if (0 && $stat) { # XXX it's succeeding, but returning 1.
+		print LOG "FAILED, closing: '$cmd', $stat\n";
+		exit($stat);
+	    }
+	}
+    }
+}
+close(LOG);
+
+exit(0);
+
+
+