search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[GLUE] Rsync SAMBA_3_0 SVN r25598 in order to create the v3-0-test branch.
[Samba.git] / source / utils / net_sam.c
blobbf397803bc544a6432ae4a469af5e8db892a8e46
1 /*
2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21
22 #include "includes.h"
23 #include "utils/net.h"
24
25 /*
26 * Set a user's data
27 */
28
29 static int net_sam_userset(int argc, const char **argv, const char *field,
30 BOOL (*fn)(struct samu *, const char *,
31 enum pdb_value_state))
32 {
33 struct samu *sam_acct = NULL;
34 DOM_SID sid;
35 enum lsa_SidType type;
36 const char *dom, *name;
37 NTSTATUS status;
38
39 if (argc != 2) {
40 d_fprintf(stderr, "usage: net sam set %s <user> <value>\n",
41 field);
42 return -1;
43 }
44
45 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
46 &dom, &name, &sid, &type)) {
47 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
48 return -1;
49 }
50
51 if (type != SID_NAME_USER) {
52 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
53 sid_type_lookup(type));
54 return -1;
55 }
56
57 if ( !(sam_acct = samu_new( NULL )) ) {
58 d_fprintf(stderr, "Internal error\n");
59 return -1;
60 }
61
62 if (!pdb_getsampwsid(sam_acct, &sid)) {
63 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
64 return -1;
65 }
66
67 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
68 d_fprintf(stderr, "Internal error\n");
69 return -1;
70 }
71
72 status = pdb_update_sam_account(sam_acct);
73 if (!NT_STATUS_IS_OK(status)) {
74 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
75 argv[0], nt_errstr(status));
76 return -1;
77 }
78
79 TALLOC_FREE(sam_acct);
80
81 d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]);
82 return 0;
83 }
84
85 static int net_sam_set_fullname(int argc, const char **argv)
86 {
87 return net_sam_userset(argc, argv, "fullname",
88 pdb_set_fullname);
89 }
90
91 static int net_sam_set_logonscript(int argc, const char **argv)
92 {
93 return net_sam_userset(argc, argv, "logonscript",
94 pdb_set_logon_script);
95 }
96
97 static int net_sam_set_profilepath(int argc, const char **argv)
98 {
99 return net_sam_userset(argc, argv, "profilepath",
100 pdb_set_profile_path);
101 }
102
103 static int net_sam_set_homedrive(int argc, const char **argv)
104 {
105 return net_sam_userset(argc, argv, "homedrive",
106 pdb_set_dir_drive);
107 }
108
109 static int net_sam_set_homedir(int argc, const char **argv)
110 {
111 return net_sam_userset(argc, argv, "homedir",
112 pdb_set_homedir);
113 }
114
115 static int net_sam_set_workstations(int argc, const char **argv)
116 {
117 return net_sam_userset(argc, argv, "workstations",
118 pdb_set_workstations);
119 }
120
121 /*
122 * Set account flags
123 */
124
125 static int net_sam_set_userflag(int argc, const char **argv, const char *field,
126 uint16 flag)
127 {
128 struct samu *sam_acct = NULL;
129 DOM_SID sid;
130 enum lsa_SidType type;
131 const char *dom, *name;
132 NTSTATUS status;
133 uint16 acct_flags;
134
135 if ((argc != 2) || (!strequal(argv[1], "yes") &&
136 !strequal(argv[1], "no"))) {
137 d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n",
138 field);
139 return -1;
140 }
141
142 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
143 &dom, &name, &sid, &type)) {
144 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
145 return -1;
146 }
147
148 if (type != SID_NAME_USER) {
149 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
150 sid_type_lookup(type));
151 return -1;
152 }
153
154 if ( !(sam_acct = samu_new( NULL )) ) {
155 d_fprintf(stderr, "Internal error\n");
156 return -1;
157 }
158
159 if (!pdb_getsampwsid(sam_acct, &sid)) {
160 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
161 return -1;
162 }
163
164 acct_flags = pdb_get_acct_ctrl(sam_acct);
165
166 if (strequal(argv[1], "yes")) {
167 acct_flags |= flag;
168 } else {
169 acct_flags &= ~flag;
170 }
171
172 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
173
174 status = pdb_update_sam_account(sam_acct);
175 if (!NT_STATUS_IS_OK(status)) {
176 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
177 argv[0], nt_errstr(status));
178 return -1;
179 }
180
181 TALLOC_FREE(sam_acct);
182
183 d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom,
184 name, argv[1]);
185 return 0;
186 }
187
188 static int net_sam_set_disabled(int argc, const char **argv)
189 {
190 return net_sam_set_userflag(argc, argv, "disabled", ACB_DISABLED);
191 }
192
193 static int net_sam_set_pwnotreq(int argc, const char **argv)
194 {
195 return net_sam_set_userflag(argc, argv, "pwnotreq", ACB_PWNOTREQ);
196 }
197
198 static int net_sam_set_autolock(int argc, const char **argv)
199 {
200 return net_sam_set_userflag(argc, argv, "autolock", ACB_AUTOLOCK);
201 }
202
203 static int net_sam_set_pwnoexp(int argc, const char **argv)
204 {
205 return net_sam_set_userflag(argc, argv, "pwnoexp", ACB_PWNOEXP);
206 }
207
208 /*
209 * Set pass last change time, based on force pass change now
210 */
211
212 static int net_sam_set_pwdmustchangenow(int argc, const char **argv)
213 {
214 struct samu *sam_acct = NULL;
215 DOM_SID sid;
216 enum lsa_SidType type;
217 const char *dom, *name;
218 NTSTATUS status;
219
220 if ((argc != 2) || (!strequal(argv[1], "yes") &&
221 !strequal(argv[1], "no"))) {
222 d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n");
223 return -1;
224 }
225
226 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
227 &dom, &name, &sid, &type)) {
228 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
229 return -1;
230 }
231
232 if (type != SID_NAME_USER) {
233 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
234 sid_type_lookup(type));
235 return -1;
236 }
237
238 if ( !(sam_acct = samu_new( NULL )) ) {
239 d_fprintf(stderr, "Internal error\n");
240 return -1;
241 }
242
243 if (!pdb_getsampwsid(sam_acct, &sid)) {
244 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
245 return -1;
246 }
247
248 if (strequal(argv[1], "yes")) {
249 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
250 } else {
251 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
252 }
253
254 status = pdb_update_sam_account(sam_acct);
255 if (!NT_STATUS_IS_OK(status)) {
256 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
257 argv[0], nt_errstr(status));
258 return -1;
259 }
260
261 TALLOC_FREE(sam_acct);
262
263 d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom,
264 name, argv[1]);
265 return 0;
266 }
267
268
269 /*
270 * Set a user's or a group's comment
271 */
272
273 static int net_sam_set_comment(int argc, const char **argv)
274 {
275 GROUP_MAP map;
276 DOM_SID sid;
277 enum lsa_SidType type;
278 const char *dom, *name;
279 NTSTATUS status;
280
281 if (argc != 2) {
282 d_fprintf(stderr, "usage: net sam set comment <name> "
283 "<comment>\n");
284 return -1;
285 }
286
287 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
288 &dom, &name, &sid, &type)) {
289 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
290 return -1;
291 }
292
293 if (type == SID_NAME_USER) {
294 return net_sam_userset(argc, argv, "comment",
295 pdb_set_acct_desc);
296 }
297
298 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
299 (type != SID_NAME_WKN_GRP)) {
300 d_fprintf(stderr, "%s is a %s, not a group\n", argv[0],
301 sid_type_lookup(type));
302 return -1;
303 }
304
305 if (!pdb_getgrsid(&map, sid)) {
306 d_fprintf(stderr, "Could not load group %s\n", argv[0]);
307 return -1;
308 }
309
310 fstrcpy(map.comment, argv[1]);
311
312 status = pdb_update_group_mapping_entry(&map);
313
314 if (!NT_STATUS_IS_OK(status)) {
315 d_fprintf(stderr, "Updating group mapping entry failed with "
316 "%s\n", nt_errstr(status));
317 return -1;
318 }
319
320 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
321 argv[1]);
322
323 return 0;
324 }
325
326 static int net_sam_set(int argc, const char **argv)
327 {
328 struct functable2 func[] = {
329 { "homedir", net_sam_set_homedir,
330 "Change a user's home directory" },
331 { "profilepath", net_sam_set_profilepath,
332 "Change a user's profile path" },
333 { "comment", net_sam_set_comment,
334 "Change a users or groups description" },
335 { "fullname", net_sam_set_fullname,
336 "Change a user's full name" },
337 { "logonscript", net_sam_set_logonscript,
338 "Change a user's logon script" },
339 { "homedrive", net_sam_set_homedrive,
340 "Change a user's home drive" },
341 { "workstations", net_sam_set_workstations,
342 "Change a user's allowed workstations" },
343 { "disabled", net_sam_set_disabled,
344 "Disable/Enable a user" },
345 { "pwnotreq", net_sam_set_pwnotreq,
346 "Disable/Enable the password not required flag" },
347 { "autolock", net_sam_set_autolock,
348 "Disable/Enable a user's lockout flag" },
349 { "pwnoexp", net_sam_set_pwnoexp,
350 "Disable/Enable whether a user's pw does not expire" },
351 { "pwdmustchangenow", net_sam_set_pwdmustchangenow,
352 "Force users password must change at next logon" },
353 {NULL, NULL}
354 };
355
356 return net_run_function2(argc, argv, "net sam set", func);
357 }
358
359 /*
360 * Manage account policies
361 */
362
363 static int net_sam_policy_set(int argc, const char **argv)
364 {
365 const char *account_policy = NULL;
366 uint32 value, old_value;
367 int field;
368 char *endptr;
369
370 if (argc != 2) {
371 d_fprintf(stderr, "usage: net sam policy set "
372 "\"<account policy>\" <value> \n");
373 return -1;
374 }
375
376 account_policy = argv[0];
377 field = account_policy_name_to_fieldnum(account_policy);
378
379 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
380 || strequal(argv[1], "off")) {
381 value = -1;
382 }
383 else {
384 value = strtoul(argv[1], &endptr, 10);
385
386 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
387 d_printf("Unable to set policy \"%s\"! Invalid value "
388 "\"%s\".\n",
389 account_policy, argv[1]);
390 return -1;
391 }
392 }
393
394 if (field == 0) {
395 const char **names;
396 int i, count;
397
398 account_policy_names_list(&names, &count);
399 d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]);
400 d_fprintf(stderr, "Valid account policies are:\n");
401
402 for (i=0; i<count; i++) {
403 d_fprintf(stderr, "%s\n", names[i]);
404 }
405
406 SAFE_FREE(names);
407 return -1;
408 }
409
410 if (!pdb_get_account_policy(field, &old_value)) {
411 d_fprintf(stderr, "Valid account policy, but unable to fetch "
412 "value!\n");
413 }
414
415 if (!pdb_set_account_policy(field, value)) {
416 d_fprintf(stderr, "Valid account policy, but unable to "
417 "set value!\n");
418 return -1;
419 }
420
421 d_printf("Account policy \"%s\" value was: %d\n", account_policy,
422 old_value);
423
424 d_printf("Account policy \"%s\" value is now: %d\n", account_policy,
425 value);
426 return 0;
427 }
428
429 static int net_sam_policy_show(int argc, const char **argv)
430 {
431 const char *account_policy = NULL;
432 uint32 old_value;
433 int field;
434
435 if (argc != 1) {
436 d_fprintf(stderr, "usage: net sam policy show"
437 " \"<account policy>\" \n");
438 return -1;
439 }
440
441 account_policy = argv[0];
442 field = account_policy_name_to_fieldnum(account_policy);
443
444 if (field == 0) {
445 const char **names;
446 int count;
447 int i;
448 account_policy_names_list(&names, &count);
449 d_fprintf(stderr, "No account policy by that name!\n");
450 if (count != 0) {
451 d_fprintf(stderr, "Valid account policies "
452 "are:\n");
453 for (i=0; i<count; i++) {
454 d_fprintf(stderr, "%s\n", names[i]);
455 }
456 }
457 SAFE_FREE(names);
458 return -1;
459 }
460
461 if (!pdb_get_account_policy(field, &old_value)) {
462 fprintf(stderr, "Valid account policy, but unable to "
463 "fetch value!\n");
464 return -1;
465 }
466
467 printf("Account policy \"%s\" description: %s\n",
468 account_policy, account_policy_get_desc(field));
469 printf("Account policy \"%s\" value is: %d\n", account_policy,
470 old_value);
471 return 0;
472 }
473
474 static int net_sam_policy_list(int argc, const char **argv)
475 {
476 const char **names;
477 int count;
478 int i;
479 account_policy_names_list(&names, &count);
480 if (count != 0) {
481 d_fprintf(stderr, "Valid account policies "
482 "are:\n");
483 for (i = 0; i < count ; i++) {
484 d_fprintf(stderr, "%s\n", names[i]);
485 }
486 }
487 SAFE_FREE(names);
488 return -1;
489 }
490
491 static int net_sam_policy(int argc, const char **argv)
492 {
493 struct functable2 func[] = {
494 { "list", net_sam_policy_list,
495 "List account policies" },
496 { "show", net_sam_policy_show,
497 "Show account policies" },
498 { "set", net_sam_policy_set,
499 "Change account policies" },
500 {NULL, NULL}
501 };
502
503 return net_run_function2(argc, argv, "net sam policy", func);
504 }
505
506 /*
507 * Map a unix group to a domain group
508 */
509
510 static int net_sam_mapunixgroup(int argc, const char **argv)
511 {
512 NTSTATUS status;
513 GROUP_MAP map;
514 struct group *grp;
515
516 if (argc != 1) {
517 d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n");
518 return -1;
519 }
520
521 grp = getgrnam(argv[0]);
522 if (grp == NULL) {
523 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
524 return -1;
525 }
526
527 status = map_unix_group(grp, &map);
528
529 if (!NT_STATUS_IS_OK(status)) {
530 d_fprintf(stderr, "Mapping group %s failed with %s\n",
531 argv[0], nt_errstr(status));
532 return -1;
533 }
534
535 d_printf("Mapped unix group %s to SID %s\n", argv[0],
536 sid_string_static(&map.sid));
537
538 return 0;
539 }
540
541 /*
542 * Create a local group
543 */
544
545 static int net_sam_createlocalgroup(int argc, const char **argv)
546 {
547 NTSTATUS status;
548 uint32 rid;
549
550 if (argc != 1) {
551 d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n");
552 return -1;
553 }
554
555 if (!winbind_ping()) {
556 d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
557 "only works when winbind runs.\n");
558 return -1;
559 }
560
561 status = pdb_create_alias(argv[0], &rid);
562
563 if (!NT_STATUS_IS_OK(status)) {
564 d_fprintf(stderr, "Creating %s failed with %s\n",
565 argv[0], nt_errstr(status));
566 return -1;
567 }
568
569 d_printf("Created local group %s with RID %d\n", argv[0], rid);
570
571 return 0;
572 }
573
574 /*
575 * Create a local group
576 */
577
578 static int net_sam_createbuiltingroup(int argc, const char **argv)
579 {
580 NTSTATUS status;
581 uint32 rid;
582 enum lsa_SidType type;
583 fstring groupname;
584 DOM_SID sid;
585
586 if (argc != 1) {
587 d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n");
588 return -1;
589 }
590
591 if (!winbind_ping()) {
592 d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
593 "only works when winbind runs.\n");
594 return -1;
595 }
596
597 /* validate the name and get the group */
598
599 fstrcpy( groupname, "BUILTIN\\" );
600 fstrcat( groupname, argv[0] );
601
602 if ( !lookup_name(tmp_talloc_ctx(), groupname, LOOKUP_NAME_ALL, NULL,
603 NULL, &sid, &type)) {
604 d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]);
605 return -1;
606 }
607
608 if ( !sid_peek_rid( &sid, &rid ) ) {
609 d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]);
610 return -1;
611 }
612
613 status = pdb_create_builtin_alias( rid );
614
615 if (!NT_STATUS_IS_OK(status)) {
616 d_fprintf(stderr, "Creating %s failed with %s\n",
617 argv[0], nt_errstr(status));
618 return -1;
619 }
620
621 d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid);
622
623 return 0;
624 }
625
626 /*
627 * Add a group member
628 */
629
630 static int net_sam_addmem(int argc, const char **argv)
631 {
632 const char *groupdomain, *groupname, *memberdomain, *membername;
633 DOM_SID group, member;
634 enum lsa_SidType grouptype, membertype;
635 NTSTATUS status;
636
637 if (argc != 2) {
638 d_fprintf(stderr, "usage: net sam addmem <group> <member>\n");
639 return -1;
640 }
641
642 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
643 &groupdomain, &groupname, &group, &grouptype)) {
644 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
645 return -1;
646 }
647
648 /* check to see if the member to be added is a name or a SID */
649
650 if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_ISOLATED,
651 &memberdomain, &membername, &member, &membertype))
652 {
653 /* try it as a SID */
654
655 if ( !string_to_sid( &member, argv[1] ) ) {
656 d_fprintf(stderr, "Could not find member %s\n", argv[1]);
657 return -1;
658 }
659
660 if ( !lookup_sid(tmp_talloc_ctx(), &member, &memberdomain,
661 &membername, &membertype) )
662 {
663 d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]);
664 return -1;
665 }
666 }
667
668 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
669 if ((membertype != SID_NAME_USER) &&
670 (membertype != SID_NAME_DOM_GRP)) {
671 d_fprintf(stderr, "%s is a local group, only users "
672 "and domain groups can be added.\n"
673 "%s is a %s\n", argv[0], argv[1],
674 sid_type_lookup(membertype));
675 return -1;
676 }
677 status = pdb_add_aliasmem(&group, &member);
678
679 if (!NT_STATUS_IS_OK(status)) {
680 d_fprintf(stderr, "Adding local group member failed "
681 "with %s\n", nt_errstr(status));
682 return -1;
683 }
684 } else {
685 d_fprintf(stderr, "Can only add members to local groups so "
686 "far, %s is a %s\n", argv[0],
687 sid_type_lookup(grouptype));
688 return -1;
689 }
690
691 d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername,
692 groupdomain, groupname);
693
694 return 0;
695 }
696
697 /*
698 * Delete a group member
699 */
700
701 static int net_sam_delmem(int argc, const char **argv)
702 {
703 const char *groupdomain, *groupname;
704 const char *memberdomain = NULL;
705 const char *membername = NULL;
706 DOM_SID group, member;
707 enum lsa_SidType grouptype;
708 NTSTATUS status;
709
710 if (argc != 2) {
711 d_fprintf(stderr, "usage: net sam delmem <group> <member>\n");
712 return -1;
713 }
714
715 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
716 &groupdomain, &groupname, &group, &grouptype)) {
717 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
718 return -1;
719 }
720
721 if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_ISOLATED,
722 &memberdomain, &membername, &member, NULL)) {
723 if (!string_to_sid(&member, argv[1])) {
724 d_fprintf(stderr, "Could not find member %s\n",
725 argv[1]);
726 return -1;
727 }
728 }
729
730 if ((grouptype == SID_NAME_ALIAS) ||
731 (grouptype == SID_NAME_WKN_GRP)) {
732 status = pdb_del_aliasmem(&group, &member);
733
734 if (!NT_STATUS_IS_OK(status)) {
735 d_fprintf(stderr, "Deleting local group member failed "
736 "with %s\n", nt_errstr(status));
737 return -1;
738 }
739 } else {
740 d_fprintf(stderr, "Can only delete members from local groups "
741 "so far, %s is a %s\n", argv[0],
742 sid_type_lookup(grouptype));
743 return -1;
744 }
745
746 if (membername != NULL) {
747 d_printf("Deleted %s\\%s from %s\\%s\n",
748 memberdomain, membername, groupdomain, groupname);
749 } else {
750 d_printf("Deleted %s from %s\\%s\n",
751 sid_string_static(&member), groupdomain, groupname);
752 }
753
754 return 0;
755 }
756
757 /*
758 * List group members
759 */
760
761 static int net_sam_listmem(int argc, const char **argv)
762 {
763 const char *groupdomain, *groupname;
764 DOM_SID group;
765 enum lsa_SidType grouptype;
766 NTSTATUS status;
767
768 if (argc != 1) {
769 d_fprintf(stderr, "usage: net sam listmem <group>\n");
770 return -1;
771 }
772
773 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
774 &groupdomain, &groupname, &group, &grouptype)) {
775 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
776 return -1;
777 }
778
779 if ((grouptype == SID_NAME_ALIAS) ||
780 (grouptype == SID_NAME_WKN_GRP)) {
781 DOM_SID *members = NULL;
782 size_t i, num_members = 0;
783
784 status = pdb_enum_aliasmem(&group, &members, &num_members);
785
786 if (!NT_STATUS_IS_OK(status)) {
787 d_fprintf(stderr, "Listing group members failed with "
788 "%s\n", nt_errstr(status));
789 return -1;
790 }
791
792 d_printf("%s\\%s has %u members\n", groupdomain, groupname,
793 (unsigned int)num_members);
794 for (i=0; i<num_members; i++) {
795 const char *dom, *name;
796 if (lookup_sid(tmp_talloc_ctx(), &members[i],
797 &dom, &name, NULL)) {
798 d_printf(" %s\\%s\n", dom, name);
799 } else {
800 d_printf(" %s\n",
801 sid_string_static(&members[i]));
802 }
803 }
804 } else {
805 d_fprintf(stderr, "Can only list local group members so far.\n"
806 "%s is a %s\n", argv[0], sid_type_lookup(grouptype));
807 return -1;
808 }
809
810 return 0;
811 }
812
813 /*
814 * Do the listing
815 */
816 static int net_sam_do_list(int argc, const char **argv,
817 struct pdb_search *search, const char *what)
818 {
819 BOOL verbose = (argc == 1);
820
821 if ((argc > 1) ||
822 ((argc == 1) && !strequal(argv[0], "verbose"))) {
823 d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what);
824 return -1;
825 }
826
827 if (search == NULL) {
828 d_fprintf(stderr, "Could not start search\n");
829 return -1;
830 }
831
832 while (True) {
833 struct samr_displayentry entry;
834 if (!search->next_entry(search, &entry)) {
835 break;
836 }
837 if (verbose) {
838 d_printf("%s:%d:%s\n",
839 entry.account_name,
840 entry.rid,
841 entry.description);
842 } else {
843 d_printf("%s\n", entry.account_name);
844 }
845 }
846
847 search->search_end(search);
848 return 0;
849 }
850
851 static int net_sam_list_users(int argc, const char **argv)
852 {
853 return net_sam_do_list(argc, argv, pdb_search_users(ACB_NORMAL),
854 "users");
855 }
856
857 static int net_sam_list_groups(int argc, const char **argv)
858 {
859 return net_sam_do_list(argc, argv, pdb_search_groups(), "groups");
860 }
861
862 static int net_sam_list_localgroups(int argc, const char **argv)
863 {
864 return net_sam_do_list(argc, argv,
865 pdb_search_aliases(get_global_sam_sid()),
866 "localgroups");
867 }
868
869 static int net_sam_list_builtin(int argc, const char **argv)
870 {
871 return net_sam_do_list(argc, argv,
872 pdb_search_aliases(&global_sid_Builtin),
873 "builtin");
874 }
875
876 static int net_sam_list_workstations(int argc, const char **argv)
877 {
878 return net_sam_do_list(argc, argv,
879 pdb_search_users(ACB_WSTRUST),
880 "workstations");
881 }
882
883 /*
884 * List stuff
885 */
886
887 static int net_sam_list(int argc, const char **argv)
888 {
889 struct functable2 func[] = {
890 { "users", net_sam_list_users,
891 "List SAM users" },
892 { "groups", net_sam_list_groups,
893 "List SAM groups" },
894 { "localgroups", net_sam_list_localgroups,
895 "List SAM local groups" },
896 { "builtin", net_sam_list_builtin,
897 "List builtin groups" },
898 { "workstations", net_sam_list_workstations,
899 "List domain member workstations" },
900 {NULL, NULL}
901 };
902
903 return net_run_function2(argc, argv, "net sam list", func);
904 }
905
906 /*
907 * Show details of SAM entries
908 */
909
910 static int net_sam_show(int argc, const char **argv)
911 {
912 DOM_SID sid;
913 enum lsa_SidType type;
914 const char *dom, *name;
915
916 if (argc != 1) {
917 d_fprintf(stderr, "usage: net sam show <name>\n");
918 return -1;
919 }
920
921 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
922 &dom, &name, &sid, &type)) {
923 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
924 return -1;
925 }
926
927 d_printf("%s\\%s is a %s with SID %s\n", dom, name,
928 sid_type_lookup(type), sid_string_static(&sid));
929
930 return 0;
931 }
932
933 #ifdef HAVE_LDAP
934
935 /*
936 * Init an LDAP tree with default users and Groups
937 * if ldapsam:editposix is enabled
938 */
939
940 static int net_sam_provision(int argc, const char **argv)
941 {
942 TALLOC_CTX *tc;
943 char *ldap_bk;
944 char *ldap_uri = NULL;
945 char *p;
946 struct smbldap_state *ls;
947 GROUP_MAP gmap;
948 DOM_SID gsid;
949 gid_t domusers_gid = -1;
950 gid_t domadmins_gid = -1;
951 struct samu *samuser;
952 struct passwd *pwd;
953
954 tc = talloc_new(NULL);
955 if (!tc) {
956 d_fprintf(stderr, "Out of Memory!\n");
957 return -1;
958 }
959
960 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
961 d_fprintf(stderr, "talloc failed\n");
962 talloc_free(tc);
963 return -1;
964 }
965 p = strchr(ldap_bk, ':');
966 if (p) {
967 *p = 0;
968 ldap_uri = talloc_strdup(tc, p+1);
969 trim_char(ldap_uri, ' ', ' ');
970 }
971
972 trim_char(ldap_bk, ' ', ' ');
973
974 if (strcmp(ldap_bk, "ldapsam") != 0) {
975 d_fprintf(stderr, "Provisioning works only with ldapsam backend\n");
976 goto failed;
977 }
978
979 if (!lp_parm_bool(-1, "ldapsam", "trusted", False) ||
980 !lp_parm_bool(-1, "ldapsam", "editposix", False)) {
981
982 d_fprintf(stderr, "Provisioning works only if ldapsam:trusted"
983 " and ldapsam:editposix are enabled.\n");
984 goto failed;
985 }
986
987 if (!winbind_ping()) {
988 d_fprintf(stderr, "winbind seems not to run. Provisioning "
989 "LDAP only works when winbind runs.\n");
990 goto failed;
991 }
992
993 if (!NT_STATUS_IS_OK(smbldap_init(tc, ldap_uri, &ls))) {
994 d_fprintf(stderr, "Unable to connect to the LDAP server.\n");
995 goto failed;
996 }
997
998 d_printf("Checking for Domain Users group.\n");
999
1000 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
1001
1002 if (!pdb_getgrsid(&gmap, gsid)) {
1003 LDAPMod **mods = NULL;
1004 char *dn;
1005 char *uname;
1006 char *wname;
1007 char *gidstr;
1008 char *gtype;
1009 int rc;
1010
1011 d_printf("Adding the Domain Users group.\n");
1012
1013 /* lets allocate a new groupid for this group */
1014 if (!winbind_allocate_gid(&domusers_gid)) {
1015 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n");
1016 goto domu_done;
1017 }
1018
1019 uname = talloc_strdup(tc, "domusers");
1020 wname = talloc_strdup(tc, "Domain Users");
1021 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
1022 gidstr = talloc_asprintf(tc, "%d", domusers_gid);
1023 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1024
1025 if (!uname || !wname || !dn || !gidstr || !gtype) {
1026 d_fprintf(stderr, "Out of Memory!\n");
1027 goto failed;
1028 }
1029
1030 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
1031 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1032 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1033 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1034 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1035 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
1036 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1037
1038 talloc_autofree_ldapmod(tc, mods);
1039
1040 rc = smbldap_add(ls, dn, mods);
1041
1042 if (rc != LDAP_SUCCESS) {
1043 d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n");
1044 }
1045 } else {
1046 domusers_gid = gmap.gid;
1047 d_printf("found!\n");
1048 }
1049
1050 domu_done:
1051
1052 d_printf("Checking for Domain Admins group.\n");
1053
1054 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
1055
1056 if (!pdb_getgrsid(&gmap, gsid)) {
1057 LDAPMod **mods = NULL;
1058 char *dn;
1059 char *uname;
1060 char *wname;
1061 char *gidstr;
1062 char *gtype;
1063 int rc;
1064
1065 d_printf("Adding the Domain Admins group.\n");
1066
1067 /* lets allocate a new groupid for this group */
1068 if (!winbind_allocate_gid(&domadmins_gid)) {
1069 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n");
1070 goto doma_done;
1071 }
1072
1073 uname = talloc_strdup(tc, "domadmins");
1074 wname = talloc_strdup(tc, "Domain Admins");
1075 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
1076 gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
1077 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1078
1079 if (!uname || !wname || !dn || !gidstr || !gtype) {
1080 d_fprintf(stderr, "Out of Memory!\n");
1081 goto failed;
1082 }
1083
1084 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
1085 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1086 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1087 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1088 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1089 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
1090 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1091
1092 talloc_autofree_ldapmod(tc, mods);
1093
1094 rc = smbldap_add(ls, dn, mods);
1095
1096 if (rc != LDAP_SUCCESS) {
1097 d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n");
1098 }
1099 } else {
1100 domadmins_gid = gmap.gid;
1101 d_printf("found!\n");
1102 }
1103
1104 doma_done:
1105
1106 d_printf("Check for Administrator account.\n");
1107
1108 samuser = samu_new(tc);
1109 if (!samuser) {
1110 d_fprintf(stderr, "Out of Memory!\n");
1111 goto failed;
1112 }
1113
1114 if (!pdb_getsampwnam(samuser, "Administrator")) {
1115 LDAPMod **mods = NULL;
1116 DOM_SID sid;
1117 char *dn;
1118 char *name;
1119 char *uidstr;
1120 char *gidstr;
1121 char *shell;
1122 char *dir;
1123 uid_t uid;
1124 int rc;
1125
1126 d_printf("Adding the Administrator user.\n");
1127
1128 if (domadmins_gid == -1) {
1129 d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n");
1130 goto done;
1131 }
1132 if (!winbind_allocate_uid(&uid)) {
1133 d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n");
1134 goto done;
1135 }
1136 name = talloc_strdup(tc, "Administrator");
1137 dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
1138 uidstr = talloc_asprintf(tc, "%d", uid);
1139 gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
1140 dir = talloc_sub_specified(tc, lp_template_homedir(),
1141 "Administrator",
1142 get_global_sam_name(),
1143 uid, domadmins_gid);
1144 shell = talloc_sub_specified(tc, lp_template_shell(),
1145 "Administrator",
1146 get_global_sam_name(),
1147 uid, domadmins_gid);
1148
1149 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1150 d_fprintf(stderr, "Out of Memory!\n");
1151 goto failed;
1152 }
1153
1154 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
1155
1156 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1157 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1158 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1159 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1160 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1161 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1162 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1163 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1164 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1165 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1166 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_static(&sid));
1167 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1168 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1169 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1170
1171 talloc_autofree_ldapmod(tc, mods);
1172
1173 rc = smbldap_add(ls, dn, mods);
1174
1175 if (rc != LDAP_SUCCESS) {
1176 d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n");
1177 }
1178 } else {
1179 d_printf("found!\n");
1180 }
1181
1182 d_printf("Checking for Guest user.\n");
1183
1184 samuser = samu_new(tc);
1185 if (!samuser) {
1186 d_fprintf(stderr, "Out of Memory!\n");
1187 goto failed;
1188 }
1189
1190 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1191 LDAPMod **mods = NULL;
1192 DOM_SID sid;
1193 char *dn;
1194 char *uidstr;
1195 char *gidstr;
1196 int rc;
1197
1198 d_printf("Adding the Guest user.\n");
1199
1200 pwd = getpwnam_alloc(tc, lp_guestaccount());
1201
1202 if (!pwd) {
1203 if (domusers_gid == -1) {
1204 d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n");
1205 goto done;
1206 }
1207 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1208 d_fprintf(stderr, "talloc failed\n");
1209 goto done;
1210 }
1211 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1212 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1213 d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n");
1214 goto done;
1215 }
1216 pwd->pw_gid = domusers_gid;
1217 pwd->pw_dir = talloc_strdup(tc, "/");
1218 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1219 if (!pwd->pw_dir || !pwd->pw_shell) {
1220 d_fprintf(stderr, "Out of Memory!\n");
1221 goto failed;
1222 }
1223 }
1224
1225 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
1226
1227 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
1228 uidstr = talloc_asprintf(tc, "%d", pwd->pw_uid);
1229 gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
1230 if (!dn || !uidstr || !gidstr) {
1231 d_fprintf(stderr, "Out of Memory!\n");
1232 goto failed;
1233 }
1234
1235 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1236 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1237 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1238 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
1239 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
1240 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
1241 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1242 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1243 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
1244 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
1245 }
1246 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
1247 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
1248 }
1249 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_static(&sid));
1250 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1251 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1252 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1253
1254 talloc_autofree_ldapmod(tc, mods);
1255
1256 rc = smbldap_add(ls, dn, mods);
1257
1258 if (rc != LDAP_SUCCESS) {
1259 d_fprintf(stderr, "Failed to add Guest user to ldap directory\n");
1260 }
1261 } else {
1262 d_printf("found!\n");
1263 }
1264
1265 d_printf("Checking Guest's group.\n");
1266
1267 pwd = getpwnam_alloc(NULL, lp_guestaccount());
1268 if (!pwd) {
1269 d_fprintf(stderr, "Failed to find just created Guest account!\n"
1270 " Is nss properly configured?!\n");
1271 goto failed;
1272 }
1273
1274 if (pwd->pw_gid == domusers_gid) {
1275 d_printf("found!\n");
1276 goto done;
1277 }
1278
1279 if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
1280 LDAPMod **mods = NULL;
1281 char *dn;
1282 char *uname;
1283 char *wname;
1284 char *gidstr;
1285 char *gtype;
1286 int rc;
1287
1288 d_printf("Adding the Domain Guests group.\n");
1289
1290 uname = talloc_strdup(tc, "domguests");
1291 wname = talloc_strdup(tc, "Domain Guests");
1292 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
1293 gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
1294 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1295
1296 if (!uname || !wname || !dn || !gidstr || !gtype) {
1297 d_fprintf(stderr, "Out of Memory!\n");
1298 goto failed;
1299 }
1300
1301 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
1302
1303 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
1304 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1305 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1306 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1307 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1308 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
1309 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1310
1311 talloc_autofree_ldapmod(tc, mods);
1312
1313 rc = smbldap_add(ls, dn, mods);
1314
1315 if (rc != LDAP_SUCCESS) {
1316 d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n");
1317 }
1318 } else {
1319 d_printf("found!\n");
1320 }
1321
1322
1323 done:
1324 talloc_free(tc);
1325 return 0;
1326
1327 failed:
1328 talloc_free(tc);
1329 return -1;
1330 }
1331
1332 #endif
1333
1334 /***********************************************************
1335 migrated functionality from smbgroupedit
1336 **********************************************************/
1337 int net_sam(int argc, const char **argv)
1338 {
1339 struct functable2 func[] = {
1340 { "createbuiltingroup", net_sam_createbuiltingroup,
1341 "Create a new BUILTIN group" },
1342 { "createlocalgroup", net_sam_createlocalgroup,
1343 "Create a new local group" },
1344 { "mapunixgroup", net_sam_mapunixgroup,
1345 "Map a unix group to a domain group" },
1346 { "addmem", net_sam_addmem,
1347 "Add a member to a group" },
1348 { "delmem", net_sam_delmem,
1349 "Delete a member from a group" },
1350 { "listmem", net_sam_listmem,
1351 "List group members" },
1352 { "list", net_sam_list,
1353 "List users, groups and local groups" },
1354 { "show", net_sam_show,
1355 "Show details of a SAM entry" },
1356 { "set", net_sam_set,
1357 "Set details of a SAM account" },
1358 { "policy", net_sam_policy,
1359 "Set account policies" },
1360 #ifdef HAVE_LDAP
1361 { "provision", net_sam_provision,
1362 "Provision a clean User Database" },
1363 #endif
1364 { NULL, NULL, NULL }
1365 };
1366
1367 /* we shouldn't have silly checks like this */
1368 if (getuid() != 0) {
1369 d_fprintf(stderr, "You must be root to edit the SAM "
1370 "directly.\n");
1371 return -1;
1372 }
1373
1374 return net_run_function2(argc, argv, "net sam", func);
1375 }
1376
Samba GIT mirror