samba - Apr 2008 - tmp-admin-pwreset.pl - temporary administrative password reset tool

I have written a Samba administrative perl script that I wanted to share with
the community.

We use Samba3 with a tdbsam backend (set to be synchronized with the UNIX
password database). Our users are Windows XP clients with roaming profiles.
During the course of supporting our users, our techs frequently need to login
*as* specific users to work on their windows profile, such as Outlook profile
settings, check out their user specific problem reports, etc. The trouble is
that if we don't know their password (which we don't generally want to
know) we have to change their password, and then somehow alert them to the new
password so that they can login and reset their password when they get back to
their PC after we've worked on it.

This has been a cumbersome problem for us for a while, and to solve it, I
finally wrote tmp-admin-pwreset.pl. What it does is simple: you pass it a list
of usernames and a temporary password. It will reset the password of all the
supplied users (Samba and UNIX) to the temporary password, but first will backup
the current password *hashes* for each of the users to a file, so that they can
be reset to their original values later on. You then call the script in another
mode ("--restore") and it sets all the password hashes for both UNIX
and Samba to what they were originally.

This effectively allows administrators to be able login as specific users
without knowing their password, and without having to change their password
either. Users won't even know anything changed at all (and won't call
the helpdesk because they can't login; didn't see the note, didn't
listen to the voicemail, etc).

I wrote this for our own use, however, I thought it might be useful to others,
so I am sharing it.

If anyone is interested, the script and documentation can be downloaded here:

http://devzone.intellitree.com/projects/tmp-admin-pwreset

Best regards,

Henry Van Styn
IntelliTree Solutions llc
http://www.intellitree.com

I have written a Samba administrative perl script that I wanted to 
share with the community.

We use Samba3 with a tdbsam backend (set to be synchronized with the 
UNIX password database). Our users are Windows XP clients with 
roaming profiles. During the course of supporting our users, our 
techs frequently need to login *as* specific users to work on their 
windows profile, such as Outlook profile settings, check out their 
user specific problem reports, etc. The trouble is that if we don't 
know their password (which we don't generally want to know) we have 
to change their password, and then somehow alert them to the new 
password so that they can login and reset their password when they 
get back to their PC after we've worked on it.

This has been a cumbersome problem for us for a while, and to solve 
it, I finally wrote tmp-admin-pwreset.pl. What it does is simple: 
you pass it a list of usernames and a temporary password. It will 
reset the password of all the supplied users (Samba and UNIX) to the 
temporary password, but first will backup the current password 
*hashes* for each of the users to a file, so that they can be reset 
to their original values later on. You then call the script in 
another mode ("--restore") and it sets all the password hashes for 
both UNIX and Samba to what they were originally.

This effectively allows administrators to be able login as specific 
users without knowing their password, and without having to change 
their password either. Users won't even know anything changed at all 
(and won't call the helpdesk because they can't login; didn't see 
the note, didn't listen to the voicemail, etc).

I wrote this for our own use, however, I thought it might be useful 
to others, so I am sharing it.

If anyone is interested, the script and documentation can be 
downloaded here:

http://devzone.intellitree.com/projects/tmp-admin-pwreset

Best regards,

Henry Van Styn
IntelliTree Solutions llc
http://www.intellitree.com