search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:net ads join: untangle assignment from check, fix return code and improve error...
[Samba.git] / source3 / utils / net_ads.c
blob22486ea7fbdeab32c997d7b93b82289eac5d8527
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "librpc/gen_ndr/ndr_krb5pac.h"
27 #include "../librpc/gen_ndr/ndr_spoolss.h"
28 #include "nsswitch/libwbclient/wbclient.h"
29 #include "ads.h"
30 #include "libads/cldap.h"
31 #include "libads/dns.h"
32 #include "../libds/common/flags.h"
33 #include "librpc/gen_ndr/libnet_join.h"
34 #include "libnet/libnet_join.h"
35 #include "smb_krb5.h"
36 #include "secrets.h"
37 #include "krb5_env.h"
38 #include "../libcli/security/security.h"
39 #include "libsmb/libsmb.h"
40
41 #ifdef HAVE_ADS
42
43 /* when we do not have sufficient input parameters to contact a remote domain
44 * we always fall back to our own realm - Guenther*/
45
46 static const char *assume_own_realm(struct net_context *c)
47 {
48 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
49 return lp_realm();
50 }
51
52 return NULL;
53 }
54
55 /*
56 do a cldap netlogon query
57 */
58 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
59 {
60 char addr[INET6_ADDRSTRLEN];
61 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
62
63 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
64
65 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
66 d_fprintf(stderr, _("CLDAP query failed!\n"));
67 return -1;
68 }
69
70 d_printf(_("Information for Domain Controller: %s\n\n"),
71 addr);
72
73 d_printf(_("Response Type: "));
74 switch (reply.command) {
75 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
76 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
77 break;
78 case LOGON_SAM_LOGON_RESPONSE_EX:
79 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
80 break;
81 default:
82 d_printf("0x%x\n", reply.command);
83 break;
84 }
85
86 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
87
88 d_printf(_("Flags:\n"
89 "\tIs a PDC: %s\n"
90 "\tIs a GC of the forest: %s\n"
91 "\tIs an LDAP server: %s\n"
92 "\tSupports DS: %s\n"
93 "\tIs running a KDC: %s\n"
94 "\tIs running time services: %s\n"
95 "\tIs the closest DC: %s\n"
96 "\tIs writable: %s\n"
97 "\tHas a hardware clock: %s\n"
98 "\tIs a non-domain NC serviced by LDAP server: %s\n"
99 "\tIs NT6 DC that has some secrets: %s\n"
100 "\tIs NT6 DC that has all secrets: %s\n"),
101 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
102 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
103 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
104 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
105 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
106 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
107 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
108 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
109 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
110 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
111 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
112 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
113
114
115 printf(_("Forest:\t\t\t%s\n"), reply.forest);
116 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
117 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
118
119 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain_name);
120 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
121
122 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
123
124 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
125 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
126
127 d_printf(_("NT Version: %d\n"), reply.nt_version);
128 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
129 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
130
131 return 0;
132 }
133
134 /*
135 this implements the CLDAP based netlogon lookup requests
136 for finding the domain controller of a ADS domain
137 */
138 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
139 {
140 ADS_STRUCT *ads;
141 int ret;
142
143 if (c->display_usage) {
144 d_printf("%s\n"
145 "net ads lookup\n"
146 " %s",
147 _("Usage:"),
148 _("Find the ADS DC using CLDAP lookup.\n"));
149 return 0;
150 }
151
152 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
153 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
154 ads_destroy(&ads);
155 return -1;
156 }
157
158 if (!ads->config.realm) {
159 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
160 ads->ldap.port = 389;
161 }
162
163 ret = net_ads_cldap_netlogon(c, ads);
164 ads_destroy(&ads);
165 return ret;
166 }
167
168
169
170 static int net_ads_info(struct net_context *c, int argc, const char **argv)
171 {
172 ADS_STRUCT *ads;
173 char addr[INET6_ADDRSTRLEN];
174
175 if (c->display_usage) {
176 d_printf("%s\n"
177 "net ads info\n"
178 " %s",
179 _("Usage:"),
180 _("Display information about an Active Directory "
181 "server.\n"));
182 return 0;
183 }
184
185 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
186 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
187 return -1;
188 }
189
190 if (!ads || !ads->config.realm) {
191 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
192 ads_destroy(&ads);
193 return -1;
194 }
195
196 /* Try to set the server's current time since we didn't do a full
197 TCP LDAP session initially */
198
199 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
200 d_fprintf( stderr, _("Failed to get server's current time!\n"));
201 }
202
203 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
204
205 d_printf(_("LDAP server: %s\n"), addr);
206 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
207 d_printf(_("Realm: %s\n"), ads->config.realm);
208 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
209 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
210 d_printf(_("Server time: %s\n"),
211 http_timestring(talloc_tos(), ads->config.current_time));
212
213 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
214 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
215
216 ads_destroy(&ads);
217 return 0;
218 }
219
220 static void use_in_memory_ccache(void) {
221 /* Use in-memory credentials cache so we do not interfere with
222 * existing credentials */
223 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
224 }
225
226 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
227 uint32 auth_flags, ADS_STRUCT **ads_ret)
228 {
229 ADS_STRUCT *ads = NULL;
230 ADS_STATUS status;
231 bool need_password = false;
232 bool second_time = false;
233 char *cp;
234 const char *realm = NULL;
235 bool tried_closest_dc = false;
236
237 /* lp_realm() should be handled by a command line param,
238 However, the join requires that realm be set in smb.conf
239 and compares our realm with the remote server's so this is
240 ok until someone needs more flexibility */
241
242 *ads_ret = NULL;
243
244 retry_connect:
245 if (only_own_domain) {
246 realm = lp_realm();
247 } else {
248 realm = assume_own_realm(c);
249 }
250
251 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
252
253 if (!c->opt_user_name) {
254 c->opt_user_name = "administrator";
255 }
256
257 if (c->opt_user_specified) {
258 need_password = true;
259 }
260
261 retry:
262 if (!c->opt_password && need_password && !c->opt_machine_pass) {
263 c->opt_password = net_prompt_pass(c, c->opt_user_name);
264 if (!c->opt_password) {
265 ads_destroy(&ads);
266 return ADS_ERROR(LDAP_NO_MEMORY);
267 }
268 }
269
270 if (c->opt_password) {
271 use_in_memory_ccache();
272 SAFE_FREE(ads->auth.password);
273 ads->auth.password = smb_xstrdup(c->opt_password);
274 }
275
276 ads->auth.flags |= auth_flags;
277 SAFE_FREE(ads->auth.user_name);
278 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
279
280 /*
281 * If the username is of the form "name@realm",
282 * extract the realm and convert to upper case.
283 * This is only used to establish the connection.
284 */
285 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
286 *cp++ = '\0';
287 SAFE_FREE(ads->auth.realm);
288 ads->auth.realm = smb_xstrdup(cp);
289 strupper_m(ads->auth.realm);
290 }
291
292 status = ads_connect(ads);
293
294 if (!ADS_ERR_OK(status)) {
295
296 if (NT_STATUS_EQUAL(ads_ntstatus(status),
297 NT_STATUS_NO_LOGON_SERVERS)) {
298 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
299 ads_destroy(&ads);
300 return status;
301 }
302
303 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
304 need_password = true;
305 second_time = true;
306 goto retry;
307 } else {
308 ads_destroy(&ads);
309 return status;
310 }
311 }
312
313 /* when contacting our own domain, make sure we use the closest DC.
314 * This is done by reconnecting to ADS because only the first call to
315 * ads_connect will give us our own sitename */
316
317 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
318
319 tried_closest_dc = true; /* avoid loop */
320
321 if (!ads_closest_dc(ads)) {
322
323 namecache_delete(ads->server.realm, 0x1C);
324 namecache_delete(ads->server.workgroup, 0x1C);
325
326 ads_destroy(&ads);
327 ads = NULL;
328
329 goto retry_connect;
330 }
331 }
332
333 *ads_ret = ads;
334 return status;
335 }
336
337 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
338 {
339 return ads_startup_int(c, only_own_domain, 0, ads);
340 }
341
342 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
343 {
344 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
345 }
346
347 /*
348 Check to see if connection can be made via ads.
349 ads_startup() stores the password in opt_password if it needs to so
350 that rpc or rap can use it without re-prompting.
351 */
352 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
353 {
354 ADS_STRUCT *ads;
355 ADS_STATUS status;
356
357 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
358 return -1;
359 }
360
361 ads->auth.flags |= ADS_AUTH_NO_BIND;
362
363 status = ads_connect(ads);
364 if ( !ADS_ERR_OK(status) ) {
365 return -1;
366 }
367
368 ads_destroy(&ads);
369 return 0;
370 }
371
372 int net_ads_check_our_domain(struct net_context *c)
373 {
374 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
375 }
376
377 int net_ads_check(struct net_context *c)
378 {
379 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
380 }
381
382 /*
383 determine the netbios workgroup name for a domain
384 */
385 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
386 {
387 ADS_STRUCT *ads;
388 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
389
390 if (c->display_usage) {
391 d_printf ("%s\n"
392 "net ads workgroup\n"
393 " %s\n",
394 _("Usage:"),
395 _("Print the workgroup name"));
396 return 0;
397 }
398
399 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
400 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
401 return -1;
402 }
403
404 if (!ads->config.realm) {
405 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
406 ads->ldap.port = 389;
407 }
408
409 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
410 d_fprintf(stderr, _("CLDAP query failed!\n"));
411 ads_destroy(&ads);
412 return -1;
413 }
414
415 d_printf(_("Workgroup: %s\n"), reply.domain_name);
416
417 ads_destroy(&ads);
418
419 return 0;
420 }
421
422
423
424 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
425 {
426 char **disp_fields = (char **) data_area;
427
428 if (!field) { /* must be end of record */
429 if (disp_fields[0]) {
430 if (!strchr_m(disp_fields[0], '$')) {
431 if (disp_fields[1])
432 d_printf("%-21.21s %s\n",
433 disp_fields[0], disp_fields[1]);
434 else
435 d_printf("%s\n", disp_fields[0]);
436 }
437 }
438 SAFE_FREE(disp_fields[0]);
439 SAFE_FREE(disp_fields[1]);
440 return true;
441 }
442 if (!values) /* must be new field, indicate string field */
443 return true;
444 if (strcasecmp_m(field, "sAMAccountName") == 0) {
445 disp_fields[0] = SMB_STRDUP((char *) values[0]);
446 }
447 if (strcasecmp_m(field, "description") == 0)
448 disp_fields[1] = SMB_STRDUP((char *) values[0]);
449 return true;
450 }
451
452 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
453 {
454 return net_user_usage(c, argc, argv);
455 }
456
457 static int ads_user_add(struct net_context *c, int argc, const char **argv)
458 {
459 ADS_STRUCT *ads;
460 ADS_STATUS status;
461 char *upn, *userdn;
462 LDAPMessage *res=NULL;
463 int rc = -1;
464 char *ou_str = NULL;
465
466 if (argc < 1 || c->display_usage)
467 return net_ads_user_usage(c, argc, argv);
468
469 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
470 return -1;
471 }
472
473 status = ads_find_user_acct(ads, &res, argv[0]);
474
475 if (!ADS_ERR_OK(status)) {
476 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
477 goto done;
478 }
479
480 if (ads_count_replies(ads, res)) {
481 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
482 argv[0]);
483 goto done;
484 }
485
486 if (c->opt_container) {
487 ou_str = SMB_STRDUP(c->opt_container);
488 } else {
489 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
490 }
491
492 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
493
494 if (!ADS_ERR_OK(status)) {
495 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
496 ads_errstr(status));
497 goto done;
498 }
499
500 /* if no password is to be set, we're done */
501 if (argc == 1) {
502 d_printf(_("User %s added\n"), argv[0]);
503 rc = 0;
504 goto done;
505 }
506
507 /* try setting the password */
508 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
509 goto done;
510 }
511 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
512 ads->auth.time_offset);
513 SAFE_FREE(upn);
514 if (ADS_ERR_OK(status)) {
515 d_printf(_("User %s added\n"), argv[0]);
516 rc = 0;
517 goto done;
518 }
519
520 /* password didn't set, delete account */
521 d_fprintf(stderr, _("Could not add user %s. "
522 "Error setting password %s\n"),
523 argv[0], ads_errstr(status));
524 ads_msgfree(ads, res);
525 status=ads_find_user_acct(ads, &res, argv[0]);
526 if (ADS_ERR_OK(status)) {
527 userdn = ads_get_dn(ads, talloc_tos(), res);
528 ads_del_dn(ads, userdn);
529 TALLOC_FREE(userdn);
530 }
531
532 done:
533 if (res)
534 ads_msgfree(ads, res);
535 ads_destroy(&ads);
536 SAFE_FREE(ou_str);
537 return rc;
538 }
539
540 static int ads_user_info(struct net_context *c, int argc, const char **argv)
541 {
542 ADS_STRUCT *ads = NULL;
543 ADS_STATUS rc;
544 LDAPMessage *res = NULL;
545 TALLOC_CTX *frame;
546 int ret = 0;
547 wbcErr wbc_status;
548 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
549 char *searchstring=NULL;
550 char **grouplist;
551 char *primary_group;
552 char *escaped_user;
553 struct dom_sid primary_group_sid;
554 uint32_t group_rid;
555 enum wbcSidType type;
556
557 if (argc < 1 || c->display_usage) {
558 return net_ads_user_usage(c, argc, argv);
559 }
560
561 frame = talloc_new(talloc_tos());
562 if (frame == NULL) {
563 return -1;
564 }
565
566 escaped_user = escape_ldap_string(frame, argv[0]);
567 if (!escaped_user) {
568 d_fprintf(stderr,
569 _("ads_user_info: failed to escape user %s\n"),
570 argv[0]);
571 return -1;
572 }
573
574 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
575 ret = -1;
576 goto error;
577 }
578
579 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
580 ret =-1;
581 goto error;
582 }
583 rc = ads_search(ads, &res, searchstring, attrs);
584 SAFE_FREE(searchstring);
585
586 if (!ADS_ERR_OK(rc)) {
587 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
588 ret = -1;
589 goto error;
590 }
591
592 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
593 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
594 ret = -1;
595 goto error;
596 }
597
598 rc = ads_domain_sid(ads, &primary_group_sid);
599 if (!ADS_ERR_OK(rc)) {
600 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
601 ret = -1;
602 goto error;
603 }
604
605 sid_append_rid(&primary_group_sid, group_rid);
606
607 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
608 NULL, /* don't look up domain */
609 &primary_group,
610 &type);
611 if (!WBC_ERROR_IS_OK(wbc_status)) {
612 d_fprintf(stderr, "wbcLookupSid: %s\n",
613 wbcErrorString(wbc_status));
614 ret = -1;
615 goto error;
616 }
617
618 d_printf("%s\n", primary_group);
619
620 wbcFreeMemory(primary_group);
621
622 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
623 (LDAPMessage *)res, "memberOf");
624
625 if (grouplist) {
626 int i;
627 char **groupname;
628 for (i=0;grouplist[i];i++) {
629 groupname = ldap_explode_dn(grouplist[i], 1);
630 d_printf("%s\n", groupname[0]);
631 ldap_value_free(groupname);
632 }
633 ldap_value_free(grouplist);
634 }
635
636 error:
637 if (res) ads_msgfree(ads, res);
638 if (ads) ads_destroy(&ads);
639 TALLOC_FREE(frame);
640 return ret;
641 }
642
643 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
644 {
645 ADS_STRUCT *ads;
646 ADS_STATUS rc;
647 LDAPMessage *res = NULL;
648 char *userdn;
649
650 if (argc < 1) {
651 return net_ads_user_usage(c, argc, argv);
652 }
653
654 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
655 return -1;
656 }
657
658 rc = ads_find_user_acct(ads, &res, argv[0]);
659 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
660 d_printf(_("User %s does not exist.\n"), argv[0]);
661 ads_msgfree(ads, res);
662 ads_destroy(&ads);
663 return -1;
664 }
665 userdn = ads_get_dn(ads, talloc_tos(), res);
666 ads_msgfree(ads, res);
667 rc = ads_del_dn(ads, userdn);
668 TALLOC_FREE(userdn);
669 if (ADS_ERR_OK(rc)) {
670 d_printf(_("User %s deleted\n"), argv[0]);
671 ads_destroy(&ads);
672 return 0;
673 }
674 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
675 ads_errstr(rc));
676 ads_destroy(&ads);
677 return -1;
678 }
679
680 int net_ads_user(struct net_context *c, int argc, const char **argv)
681 {
682 struct functable func[] = {
683 {
684 "add",
685 ads_user_add,
686 NET_TRANSPORT_ADS,
687 N_("Add an AD user"),
688 N_("net ads user add\n"
689 " Add an AD user")
690 },
691 {
692 "info",
693 ads_user_info,
694 NET_TRANSPORT_ADS,
695 N_("Display information about an AD user"),
696 N_("net ads user info\n"
697 " Display information about an AD user")
698 },
699 {
700 "delete",
701 ads_user_delete,
702 NET_TRANSPORT_ADS,
703 N_("Delete an AD user"),
704 N_("net ads user delete\n"
705 " Delete an AD user")
706 },
707 {NULL, NULL, 0, NULL, NULL}
708 };
709 ADS_STRUCT *ads;
710 ADS_STATUS rc;
711 const char *shortattrs[] = {"sAMAccountName", NULL};
712 const char *longattrs[] = {"sAMAccountName", "description", NULL};
713 char *disp_fields[2] = {NULL, NULL};
714
715 if (argc == 0) {
716 if (c->display_usage) {
717 d_printf( "%s\n"
718 "net ads user\n"
719 " %s\n",
720 _("Usage:"),
721 _("List AD users"));
722 net_display_usage_from_functable(func);
723 return 0;
724 }
725
726 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
727 return -1;
728 }
729
730 if (c->opt_long_list_entries)
731 d_printf(_("\nUser name Comment"
732 "\n-----------------------------\n"));
733
734 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
735 LDAP_SCOPE_SUBTREE,
736 "(objectCategory=user)",
737 c->opt_long_list_entries ? longattrs :
738 shortattrs, usergrp_display,
739 disp_fields);
740 ads_destroy(&ads);
741 return ADS_ERR_OK(rc) ? 0 : -1;
742 }
743
744 return net_run_function(c, argc, argv, "net ads user", func);
745 }
746
747 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
748 {
749 return net_group_usage(c, argc, argv);
750 }
751
752 static int ads_group_add(struct net_context *c, int argc, const char **argv)
753 {
754 ADS_STRUCT *ads;
755 ADS_STATUS status;
756 LDAPMessage *res=NULL;
757 int rc = -1;
758 char *ou_str = NULL;
759
760 if (argc < 1 || c->display_usage) {
761 return net_ads_group_usage(c, argc, argv);
762 }
763
764 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
765 return -1;
766 }
767
768 status = ads_find_user_acct(ads, &res, argv[0]);
769
770 if (!ADS_ERR_OK(status)) {
771 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
772 goto done;
773 }
774
775 if (ads_count_replies(ads, res)) {
776 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
777 goto done;
778 }
779
780 if (c->opt_container) {
781 ou_str = SMB_STRDUP(c->opt_container);
782 } else {
783 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
784 }
785
786 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
787
788 if (ADS_ERR_OK(status)) {
789 d_printf(_("Group %s added\n"), argv[0]);
790 rc = 0;
791 } else {
792 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
793 ads_errstr(status));
794 }
795
796 done:
797 if (res)
798 ads_msgfree(ads, res);
799 ads_destroy(&ads);
800 SAFE_FREE(ou_str);
801 return rc;
802 }
803
804 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
805 {
806 ADS_STRUCT *ads;
807 ADS_STATUS rc;
808 LDAPMessage *res = NULL;
809 char *groupdn;
810
811 if (argc < 1 || c->display_usage) {
812 return net_ads_group_usage(c, argc, argv);
813 }
814
815 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
816 return -1;
817 }
818
819 rc = ads_find_user_acct(ads, &res, argv[0]);
820 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
821 d_printf(_("Group %s does not exist.\n"), argv[0]);
822 ads_msgfree(ads, res);
823 ads_destroy(&ads);
824 return -1;
825 }
826 groupdn = ads_get_dn(ads, talloc_tos(), res);
827 ads_msgfree(ads, res);
828 rc = ads_del_dn(ads, groupdn);
829 TALLOC_FREE(groupdn);
830 if (ADS_ERR_OK(rc)) {
831 d_printf(_("Group %s deleted\n"), argv[0]);
832 ads_destroy(&ads);
833 return 0;
834 }
835 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
836 ads_errstr(rc));
837 ads_destroy(&ads);
838 return -1;
839 }
840
841 int net_ads_group(struct net_context *c, int argc, const char **argv)
842 {
843 struct functable func[] = {
844 {
845 "add",
846 ads_group_add,
847 NET_TRANSPORT_ADS,
848 N_("Add an AD group"),
849 N_("net ads group add\n"
850 " Add an AD group")
851 },
852 {
853 "delete",
854 ads_group_delete,
855 NET_TRANSPORT_ADS,
856 N_("Delete an AD group"),
857 N_("net ads group delete\n"
858 " Delete an AD group")
859 },
860 {NULL, NULL, 0, NULL, NULL}
861 };
862 ADS_STRUCT *ads;
863 ADS_STATUS rc;
864 const char *shortattrs[] = {"sAMAccountName", NULL};
865 const char *longattrs[] = {"sAMAccountName", "description", NULL};
866 char *disp_fields[2] = {NULL, NULL};
867
868 if (argc == 0) {
869 if (c->display_usage) {
870 d_printf( "%s\n"
871 "net ads group\n"
872 " %s\n",
873 _("Usage:"),
874 _("List AD groups"));
875 net_display_usage_from_functable(func);
876 return 0;
877 }
878
879 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
880 return -1;
881 }
882
883 if (c->opt_long_list_entries)
884 d_printf(_("\nGroup name Comment"
885 "\n-----------------------------\n"));
886 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
887 LDAP_SCOPE_SUBTREE,
888 "(objectCategory=group)",
889 c->opt_long_list_entries ? longattrs :
890 shortattrs, usergrp_display,
891 disp_fields);
892
893 ads_destroy(&ads);
894 return ADS_ERR_OK(rc) ? 0 : -1;
895 }
896 return net_run_function(c, argc, argv, "net ads group", func);
897 }
898
899 static int net_ads_status(struct net_context *c, int argc, const char **argv)
900 {
901 ADS_STRUCT *ads;
902 ADS_STATUS rc;
903 LDAPMessage *res;
904
905 if (c->display_usage) {
906 d_printf( "%s\n"
907 "net ads status\n"
908 " %s\n",
909 _("Usage:"),
910 _("Display machine account details"));
911 return 0;
912 }
913
914 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
915 return -1;
916 }
917
918 rc = ads_find_machine_acct(ads, &res, lp_netbios_name());
919 if (!ADS_ERR_OK(rc)) {
920 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
921 ads_destroy(&ads);
922 return -1;
923 }
924
925 if (ads_count_replies(ads, res) == 0) {
926 d_fprintf(stderr, _("No machine account for '%s' found\n"), lp_netbios_name());
927 ads_destroy(&ads);
928 return -1;
929 }
930
931 ads_dump(ads, res);
932 ads_destroy(&ads);
933 return 0;
934 }
935
936 /*******************************************************************
937 Leave an AD domain. Windows XP disables the machine account.
938 We'll try the same. The old code would do an LDAP delete.
939 That only worked using the machine creds because added the machine
940 with full control to the computer object's ACL.
941 *******************************************************************/
942
943 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
944 {
945 TALLOC_CTX *ctx;
946 struct libnet_UnjoinCtx *r = NULL;
947 WERROR werr;
948
949 if (c->display_usage) {
950 d_printf( "%s\n"
951 "net ads leave\n"
952 " %s\n",
953 _("Usage:"),
954 _("Leave an AD domain"));
955 return 0;
956 }
957
958 if (!*lp_realm()) {
959 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
960 return -1;
961 }
962
963 if (!(ctx = talloc_init("net_ads_leave"))) {
964 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
965 return -1;
966 }
967
968 if (!c->opt_kerberos) {
969 use_in_memory_ccache();
970 }
971
972 if (!c->msg_ctx) {
973 d_fprintf(stderr, _("Could not initialise message context. "
974 "Try running as root\n"));
975 return -1;
976 }
977
978 werr = libnet_init_UnjoinCtx(ctx, &r);
979 if (!W_ERROR_IS_OK(werr)) {
980 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
981 return -1;
982 }
983
984 r->in.debug = true;
985 r->in.use_kerberos = c->opt_kerberos;
986 r->in.dc_name = c->opt_host;
987 r->in.domain_name = lp_realm();
988 r->in.admin_account = c->opt_user_name;
989 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
990 r->in.modify_config = lp_config_backend_is_registry();
991
992 /* Try to delete it, but if that fails, disable it. The
993 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
994 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
995 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
996 r->in.delete_machine_account = true;
997 r->in.msg_ctx = c->msg_ctx;
998
999 werr = libnet_Unjoin(ctx, r);
1000 if (!W_ERROR_IS_OK(werr)) {
1001 d_printf(_("Failed to leave domain: %s\n"),
1002 r->out.error_string ? r->out.error_string :
1003 get_friendly_werror_msg(werr));
1004 goto done;
1005 }
1006
1007 if (r->out.deleted_machine_account) {
1008 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1009 r->in.machine_name, r->out.dns_domain_name);
1010 goto done;
1011 }
1012
1013 /* We couldn't delete it - see if the disable succeeded. */
1014 if (r->out.disabled_machine_account) {
1015 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1016 r->in.machine_name, r->out.dns_domain_name);
1017 werr = WERR_OK;
1018 goto done;
1019 }
1020
1021 /* Based on what we requseted, we shouldn't get here, but if
1022 we did, it means the secrets were removed, and therefore
1023 we have left the domain */
1024 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1025 r->in.machine_name, r->out.dns_domain_name);
1026
1027 done:
1028 TALLOC_FREE(r);
1029 TALLOC_FREE(ctx);
1030
1031 if (W_ERROR_IS_OK(werr)) {
1032 return 0;
1033 }
1034
1035 return -1;
1036 }
1037
1038 static NTSTATUS net_ads_join_ok(struct net_context *c)
1039 {
1040 ADS_STRUCT *ads = NULL;
1041 ADS_STATUS status;
1042 fstring dc_name;
1043 struct sockaddr_storage dcip;
1044
1045 if (!secrets_init()) {
1046 DEBUG(1,("Failed to initialise secrets database\n"));
1047 return NT_STATUS_ACCESS_DENIED;
1048 }
1049
1050 net_use_krb_machine_account(c);
1051
1052 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1053
1054 status = ads_startup(c, true, &ads);
1055 if (!ADS_ERR_OK(status)) {
1056 return ads_ntstatus(status);
1057 }
1058
1059 ads_destroy(&ads);
1060 return NT_STATUS_OK;
1061 }
1062
1063 /*
1064 check that an existing join is OK
1065 */
1066 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1067 {
1068 NTSTATUS status;
1069 use_in_memory_ccache();
1070
1071 if (c->display_usage) {
1072 d_printf( "%s\n"
1073 "net ads testjoin\n"
1074 " %s\n",
1075 _("Usage:"),
1076 _("Test if the existing join is ok"));
1077 return 0;
1078 }
1079
1080 /* Display success or failure */
1081 status = net_ads_join_ok(c);
1082 if (!NT_STATUS_IS_OK(status)) {
1083 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1084 get_friendly_nt_error_msg(status));
1085 return -1;
1086 }
1087
1088 printf(_("Join is OK\n"));
1089 return 0;
1090 }
1091
1092 /*******************************************************************
1093 Simple configu checks before beginning the join
1094 ********************************************************************/
1095
1096 static WERROR check_ads_config( void )
1097 {
1098 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1099 d_printf(_("Host is not configured as a member server.\n"));
1100 return WERR_INVALID_DOMAIN_ROLE;
1101 }
1102
1103 if (strlen(lp_netbios_name()) > 15) {
1104 d_printf(_("Our netbios name can be at most 15 chars long, "
1105 "\"%s\" is %u chars long\n"), lp_netbios_name(),
1106 (unsigned int)strlen(lp_netbios_name()));
1107 return WERR_INVALID_COMPUTERNAME;
1108 }
1109
1110 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1111 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1112 "join to succeed.\n"), get_dyn_CONFIGFILE());
1113 return WERR_INVALID_PARAM;
1114 }
1115
1116 return WERR_OK;
1117 }
1118
1119 /*******************************************************************
1120 Send a DNS update request
1121 *******************************************************************/
1122
1123 #if defined(WITH_DNS_UPDATES)
1124 #include "../lib/addns/dns.h"
1125 DNS_ERROR DoDNSUpdate(char *pszServerName,
1126 const char *pszDomainName, const char *pszHostName,
1127 const struct sockaddr_storage *sslist,
1128 size_t num_addrs );
1129
1130 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1131 const char *machine_name,
1132 const struct sockaddr_storage *addrs,
1133 int num_addrs)
1134 {
1135 struct dns_rr_ns *nameservers = NULL;
1136 int ns_count = 0, i;
1137 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1138 DNS_ERROR dns_err;
1139 fstring dns_server;
1140 const char *dnsdomain = NULL;
1141 char *root_domain = NULL;
1142
1143 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1144 d_printf(_("No DNS domain configured for %s. "
1145 "Unable to perform DNS Update.\n"), machine_name);
1146 status = NT_STATUS_INVALID_PARAMETER;
1147 goto done;
1148 }
1149 dnsdomain++;
1150
1151 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1152 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1153 /* Child domains often do not have NS records. Look
1154 for the NS record for the forest root domain
1155 (rootDomainNamingContext in therootDSE) */
1156
1157 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1158 LDAPMessage *msg = NULL;
1159 char *root_dn;
1160 ADS_STATUS ads_status;
1161
1162 if ( !ads->ldap.ld ) {
1163 ads_status = ads_connect( ads );
1164 if ( !ADS_ERR_OK(ads_status) ) {
1165 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1166 goto done;
1167 }
1168 }
1169
1170 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1171 "(objectclass=*)", rootname_attrs, &msg);
1172 if (!ADS_ERR_OK(ads_status)) {
1173 goto done;
1174 }
1175
1176 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1177 if ( !root_dn ) {
1178 ads_msgfree( ads, msg );
1179 goto done;
1180 }
1181
1182 root_domain = ads_build_domain( root_dn );
1183
1184 /* cleanup */
1185 ads_msgfree( ads, msg );
1186
1187 /* try again for NS servers */
1188
1189 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1190
1191 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1192 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1193 "realm\n", ads->config.realm));
1194 goto done;
1195 }
1196
1197 dnsdomain = root_domain;
1198
1199 }
1200
1201 for (i=0; i < ns_count; i++) {
1202
1203 status = NT_STATUS_UNSUCCESSFUL;
1204
1205 /* Now perform the dns update - we'll try non-secure and if we fail,
1206 we'll follow it up with a secure update */
1207
1208 fstrcpy( dns_server, nameservers[i].hostname );
1209
1210 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1211 if (ERR_DNS_IS_OK(dns_err)) {
1212 status = NT_STATUS_OK;
1213 goto done;
1214 }
1215
1216 if (ERR_DNS_EQUAL(dns_err, ERROR_DNS_INVALID_NAME_SERVER) ||
1217 ERR_DNS_EQUAL(dns_err, ERROR_DNS_CONNECTION_FAILED) ||
1218 ERR_DNS_EQUAL(dns_err, ERROR_DNS_SOCKET_ERROR)) {
1219 DEBUG(1,("retrying DNS update with next nameserver after receiving %s\n",
1220 dns_errstr(dns_err)));
1221 continue;
1222 }
1223
1224 d_printf(_("DNS Update for %s failed: %s\n"),
1225 machine_name, dns_errstr(dns_err));
1226 status = NT_STATUS_UNSUCCESSFUL;
1227 goto done;
1228 }
1229
1230 done:
1231
1232 SAFE_FREE( root_domain );
1233
1234 return status;
1235 }
1236
1237 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1238 const char *hostname,
1239 struct sockaddr_storage *iplist,
1240 int num_addrs)
1241 {
1242 struct sockaddr_storage *iplist_alloc = NULL;
1243 fstring machine_name;
1244 NTSTATUS status;
1245
1246 if (hostname) {
1247 fstrcpy(machine_name, hostname);
1248 } else {
1249 name_to_fqdn( machine_name, lp_netbios_name() );
1250 }
1251 strlower_m( machine_name );
1252
1253 if (num_addrs == 0 || iplist == NULL) {
1254 /*
1255 * Get our ip address
1256 * (not the 127.0.0.x address but a real ip address)
1257 */
1258 num_addrs = get_my_ip_address(&iplist_alloc);
1259 if ( num_addrs <= 0 ) {
1260 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1261 "non-loopback IP addresses!\n"));
1262 return NT_STATUS_INVALID_PARAMETER;
1263 }
1264 iplist = iplist_alloc;
1265 }
1266
1267 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1268 iplist, num_addrs);
1269
1270 SAFE_FREE(iplist_alloc);
1271 return status;
1272 }
1273
1274 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1275 {
1276 NTSTATUS status;
1277
1278 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1279 return status;
1280 }
1281 #endif
1282
1283
1284 /*******************************************************************
1285 ********************************************************************/
1286
1287 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1288 {
1289 d_printf(_("net ads join [options]\n"
1290 "Valid options:\n"));
1291 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1292 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1293 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1294 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1295 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1296 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1297 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1298 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1299 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1300 " NB: osName and osVer must be specified together for either to take effect.\n"
1301 " Also, the operatingSystemService attribute is also set when along with\n"
1302 " the two other attributes.\n"));
1303
1304 return -1;
1305 }
1306
1307 /*******************************************************************
1308 ********************************************************************/
1309
1310 int net_ads_join(struct net_context *c, int argc, const char **argv)
1311 {
1312 TALLOC_CTX *ctx = NULL;
1313 struct libnet_JoinCtx *r = NULL;
1314 const char *domain = lp_realm();
1315 WERROR werr = WERR_SETUP_NOT_JOINED;
1316 bool createupn = false;
1317 const char *machineupn = NULL;
1318 const char *create_in_ou = NULL;
1319 int i;
1320 const char *os_name = NULL;
1321 const char *os_version = NULL;
1322 bool modify_config = lp_config_backend_is_registry();
1323
1324 if (c->display_usage)
1325 return net_ads_join_usage(c, argc, argv);
1326
1327 if (!modify_config) {
1328
1329 werr = check_ads_config();
1330 if (!W_ERROR_IS_OK(werr)) {
1331 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1332 goto fail;
1333 }
1334 }
1335
1336 if (!(ctx = talloc_init("net_ads_join"))) {
1337 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1338 werr = WERR_NOMEM;
1339 goto fail;
1340 }
1341
1342 if (!c->opt_kerberos) {
1343 use_in_memory_ccache();
1344 }
1345
1346 werr = libnet_init_JoinCtx(ctx, &r);
1347 if (!W_ERROR_IS_OK(werr)) {
1348 goto fail;
1349 }
1350
1351 /* process additional command line args */
1352
1353 for ( i=0; i<argc; i++ ) {
1354 if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
1355 createupn = true;
1356 machineupn = get_string_param(argv[i]);
1357 }
1358 else if ( !strncasecmp_m(argv[i], "createcomputer", strlen("createcomputer")) ) {
1359 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1360 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1361 werr = WERR_INVALID_PARAM;
1362 goto fail;
1363 }
1364 }
1365 else if ( !strncasecmp_m(argv[i], "osName", strlen("osName")) ) {
1366 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1367 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1368 werr = WERR_INVALID_PARAM;
1369 goto fail;
1370 }
1371 }
1372 else if ( !strncasecmp_m(argv[i], "osVer", strlen("osVer")) ) {
1373 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1374 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1375 werr = WERR_INVALID_PARAM;
1376 goto fail;
1377 }
1378 }
1379 else {
1380 domain = argv[i];
1381 }
1382 }
1383
1384 if (!*domain) {
1385 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1386 werr = WERR_INVALID_PARAM;
1387 goto fail;
1388 }
1389
1390 if (!c->msg_ctx) {
1391 d_fprintf(stderr, _("Could not initialise message context. "
1392 "Try running as root\n"));
1393 werr = WERR_ACCESS_DENIED;
1394 goto fail;
1395 }
1396
1397 /* Do the domain join here */
1398
1399 r->in.domain_name = domain;
1400 r->in.create_upn = createupn;
1401 r->in.upn = machineupn;
1402 r->in.account_ou = create_in_ou;
1403 r->in.os_name = os_name;
1404 r->in.os_version = os_version;
1405 r->in.dc_name = c->opt_host;
1406 r->in.admin_account = c->opt_user_name;
1407 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1408 r->in.debug = true;
1409 r->in.use_kerberos = c->opt_kerberos;
1410 r->in.modify_config = modify_config;
1411 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1412 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1413 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1414 r->in.msg_ctx = c->msg_ctx;
1415
1416 werr = libnet_Join(ctx, r);
1417 if (W_ERROR_EQUAL(werr, WERR_DCNOTFOUND) &&
1418 strequal(domain, lp_realm())) {
1419 r->in.domain_name = lp_workgroup();
1420 werr = libnet_Join(ctx, r);
1421 }
1422 if (!W_ERROR_IS_OK(werr)) {
1423 goto fail;
1424 }
1425
1426 /* Check the short name of the domain */
1427
1428 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1429 d_printf(_("The workgroup in %s does not match the short\n"
1430 "domain name obtained from the server.\n"
1431 "Using the name [%s] from the server.\n"
1432 "You should set \"workgroup = %s\" in %s.\n"),
1433 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1434 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1435 }
1436
1437 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1438
1439 if (r->out.dns_domain_name) {
1440 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1441 r->out.dns_domain_name);
1442 } else {
1443 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1444 r->out.netbios_domain_name);
1445 }
1446
1447 #if defined(WITH_DNS_UPDATES)
1448 /*
1449 * In a clustered environment, don't do dynamic dns updates:
1450 * Registering the set of ip addresses that are assigned to
1451 * the interfaces of the node that performs the join does usually
1452 * not have the desired effect, since the local interfaces do not
1453 * carry the complete set of the cluster's public IP addresses.
1454 * And it can also contain internal addresses that should not
1455 * be visible to the outside at all.
1456 * In order to do dns updates in a clustererd setup, use
1457 * net ads dns register.
1458 */
1459 if (lp_clustering()) {
1460 d_fprintf(stderr, _("Not doing automatic DNS update in a "
1461 "clustered setup.\n"));
1462 goto done;
1463 }
1464
1465 if (r->out.domain_is_ad) {
1466 /* We enter this block with user creds */
1467 ADS_STRUCT *ads_dns = NULL;
1468 int ret;
1469
1470 ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
1471
1472 if (ads_dns == NULL) {
1473 d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
1474 goto done;
1475 }
1476
1477 /* kinit with the machine password */
1478
1479 use_in_memory_ccache();
1480
1481 ret = asprintf(&ads_dns->auth.user_name, "%s$", lp_netbios_name());
1482 if (ret == -1) {
1483 d_fprintf(stderr, _("DNS update failed: out of memory\n"));
1484 goto dns_done;
1485 }
1486
1487 ads_dns->auth.password = secrets_fetch_machine_password(
1488 r->out.netbios_domain_name, NULL, NULL);
1489 ads_dns->auth.realm = SMB_STRDUP(r->out.dns_domain_name);
1490 strupper_m(ads_dns->auth.realm);
1491 ads_kinit_password(ads_dns);
1492
1493 if (!NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL))) {
1494 d_fprintf( stderr, _("DNS update failed!\n"));
1495 }
1496
1497 /* exit from this block using machine creds */
1498 dns_done:
1499 ads_destroy(&ads_dns);
1500 }
1501
1502 done:
1503 #endif
1504
1505 TALLOC_FREE(r);
1506 TALLOC_FREE( ctx );
1507
1508 return 0;
1509
1510 fail:
1511 /* issue an overall failure message at the end. */
1512 d_printf(_("Failed to join domain: %s\n"),
1513 r && r->out.error_string ? r->out.error_string :
1514 get_friendly_werror_msg(werr));
1515 TALLOC_FREE( ctx );
1516
1517 return -1;
1518 }
1519
1520 /*******************************************************************
1521 ********************************************************************/
1522
1523 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1524 {
1525 #if defined(WITH_DNS_UPDATES)
1526 ADS_STRUCT *ads;
1527 ADS_STATUS status;
1528 NTSTATUS ntstatus;
1529 TALLOC_CTX *ctx;
1530 const char *hostname = NULL;
1531 const char **addrs_list = NULL;
1532 struct sockaddr_storage *addrs = NULL;
1533 int num_addrs = 0;
1534 int count;
1535
1536 #ifdef DEVELOPER
1537 talloc_enable_leak_report();
1538 #endif
1539
1540 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1541 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1542 "detection of addresses in a clustered "
1543 "setup.\n"));
1544 c->display_usage = true;
1545 }
1546
1547 if (c->display_usage) {
1548 d_printf( "%s\n"
1549 "net ads dns register [hostname [IP [IP...]]]\n"
1550 " %s\n",
1551 _("Usage:"),
1552 _("Register hostname with DNS\n"));
1553 return -1;
1554 }
1555
1556 if (!(ctx = talloc_init("net_ads_dns"))) {
1557 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1558 return -1;
1559 }
1560
1561 if (argc >= 1) {
1562 hostname = argv[0];
1563 }
1564
1565 if (argc > 1) {
1566 num_addrs = argc - 1;
1567 addrs_list = &argv[1];
1568 } else if (lp_clustering()) {
1569 addrs_list = lp_cluster_addresses();
1570 num_addrs = str_list_length(addrs_list);
1571 }
1572
1573 if (num_addrs > 0) {
1574 addrs = talloc_zero_array(ctx, struct sockaddr_storage, num_addrs);
1575 if (addrs == NULL) {
1576 d_fprintf(stderr, _("Error allocating memory!\n"));
1577 talloc_free(ctx);
1578 return -1;
1579 }
1580 }
1581
1582 for (count = 0; count < num_addrs; count++) {
1583 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1584 d_fprintf(stderr, "%s '%s'.\n",
1585 _("Cannot interpret address"),
1586 addrs_list[count]);
1587 talloc_free(ctx);
1588 return -1;
1589 }
1590 }
1591
1592 status = ads_startup(c, true, &ads);
1593 if ( !ADS_ERR_OK(status) ) {
1594 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1595 TALLOC_FREE(ctx);
1596 return -1;
1597 }
1598
1599 ntstatus = net_update_dns_ext(ctx, ads, hostname, addrs, num_addrs);
1600 if (!NT_STATUS_IS_OK(ntstatus)) {
1601 d_fprintf( stderr, _("DNS update failed!\n") );
1602 ads_destroy( &ads );
1603 TALLOC_FREE( ctx );
1604 return -1;
1605 }
1606
1607 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1608
1609 ads_destroy(&ads);
1610 TALLOC_FREE( ctx );
1611
1612 return 0;
1613 #else
1614 d_fprintf(stderr,
1615 _("DNS update support not enabled at compile time!\n"));
1616 return -1;
1617 #endif
1618 }
1619
1620 #if defined(WITH_DNS_UPDATES)
1621 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1622 #endif
1623
1624 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1625 {
1626 #if defined(WITH_DNS_UPDATES)
1627 DNS_ERROR err;
1628
1629 #ifdef DEVELOPER
1630 talloc_enable_leak_report();
1631 #endif
1632
1633 if (argc != 2 || c->display_usage) {
1634 d_printf( "%s\n"
1635 " %s\n"
1636 " %s\n",
1637 _("Usage:"),
1638 _("net ads dns gethostbyname <server> <name>\n"),
1639 _(" Look up hostname from the AD\n"
1640 " server\tName server to use\n"
1641 " name\tName to look up\n"));
1642 return -1;
1643 }
1644
1645 err = do_gethostbyname(argv[0], argv[1]);
1646
1647 d_printf(_("do_gethostbyname returned %s (%d)\n"),
1648 dns_errstr(err), ERROR_DNS_V(err));
1649 #endif
1650 return 0;
1651 }
1652
1653 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1654 {
1655 struct functable func[] = {
1656 {
1657 "register",
1658 net_ads_dns_register,
1659 NET_TRANSPORT_ADS,
1660 N_("Add host dns entry to AD"),
1661 N_("net ads dns register\n"
1662 " Add host dns entry to AD")
1663 },
1664 {
1665 "gethostbyname",
1666 net_ads_dns_gethostbyname,
1667 NET_TRANSPORT_ADS,
1668 N_("Look up host"),
1669 N_("net ads dns gethostbyname\n"
1670 " Look up host")
1671 },
1672 {NULL, NULL, 0, NULL, NULL}
1673 };
1674
1675 return net_run_function(c, argc, argv, "net ads dns", func);
1676 }
1677
1678 /*******************************************************************
1679 ********************************************************************/
1680
1681 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1682 {
1683 d_printf(_(
1684 "\nnet ads printer search <printer>"
1685 "\n\tsearch for a printer in the directory\n"
1686 "\nnet ads printer info <printer> <server>"
1687 "\n\tlookup info in directory for printer on server"
1688 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1689 "\nnet ads printer publish <printername>"
1690 "\n\tpublish printer in directory"
1691 "\n\t(note: printer name is required)\n"
1692 "\nnet ads printer remove <printername>"
1693 "\n\tremove printer from directory"
1694 "\n\t(note: printer name is required)\n"));
1695 return -1;
1696 }
1697
1698 /*******************************************************************
1699 ********************************************************************/
1700
1701 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1702 {
1703 ADS_STRUCT *ads;
1704 ADS_STATUS rc;
1705 LDAPMessage *res = NULL;
1706
1707 if (c->display_usage) {
1708 d_printf( "%s\n"
1709 "net ads printer search\n"
1710 " %s\n",
1711 _("Usage:"),
1712 _("List printers in the AD"));
1713 return 0;
1714 }
1715
1716 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1717 return -1;
1718 }
1719
1720 rc = ads_find_printers(ads, &res);
1721
1722 if (!ADS_ERR_OK(rc)) {
1723 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1724 ads_msgfree(ads, res);
1725 ads_destroy(&ads);
1726 return -1;
1727 }
1728
1729 if (ads_count_replies(ads, res) == 0) {
1730 d_fprintf(stderr, _("No results found\n"));
1731 ads_msgfree(ads, res);
1732 ads_destroy(&ads);
1733 return -1;
1734 }
1735
1736 ads_dump(ads, res);
1737 ads_msgfree(ads, res);
1738 ads_destroy(&ads);
1739 return 0;
1740 }
1741
1742 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1743 {
1744 ADS_STRUCT *ads;
1745 ADS_STATUS rc;
1746 const char *servername, *printername;
1747 LDAPMessage *res = NULL;
1748
1749 if (c->display_usage) {
1750 d_printf("%s\n%s",
1751 _("Usage:"),
1752 _("net ads printer info [printername [servername]]\n"
1753 " Display printer info from AD\n"
1754 " printername\tPrinter name or wildcard\n"
1755 " servername\tName of the print server\n"));
1756 return 0;
1757 }
1758
1759 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1760 return -1;
1761 }
1762
1763 if (argc > 0) {
1764 printername = argv[0];
1765 } else {
1766 printername = "*";
1767 }
1768
1769 if (argc > 1) {
1770 servername = argv[1];
1771 } else {
1772 servername = lp_netbios_name();
1773 }
1774
1775 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1776
1777 if (!ADS_ERR_OK(rc)) {
1778 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1779 servername, ads_errstr(rc));
1780 ads_msgfree(ads, res);
1781 ads_destroy(&ads);
1782 return -1;
1783 }
1784
1785 if (ads_count_replies(ads, res) == 0) {
1786 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1787 ads_msgfree(ads, res);
1788 ads_destroy(&ads);
1789 return -1;
1790 }
1791
1792 ads_dump(ads, res);
1793 ads_msgfree(ads, res);
1794 ads_destroy(&ads);
1795
1796 return 0;
1797 }
1798
1799 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1800 {
1801 ADS_STRUCT *ads;
1802 ADS_STATUS rc;
1803 const char *servername, *printername;
1804 struct cli_state *cli = NULL;
1805 struct rpc_pipe_client *pipe_hnd = NULL;
1806 struct sockaddr_storage server_ss;
1807 NTSTATUS nt_status;
1808 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1809 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1810 char *prt_dn, *srv_dn, **srv_cn;
1811 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1812 LDAPMessage *res = NULL;
1813
1814 if (argc < 1 || c->display_usage) {
1815 d_printf("%s\n%s",
1816 _("Usage:"),
1817 _("net ads printer publish <printername> [servername]\n"
1818 " Publish printer in AD\n"
1819 " printername\tName of the printer\n"
1820 " servername\tName of the print server\n"));
1821 talloc_destroy(mem_ctx);
1822 return -1;
1823 }
1824
1825 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1826 talloc_destroy(mem_ctx);
1827 return -1;
1828 }
1829
1830 printername = argv[0];
1831
1832 if (argc == 2) {
1833 servername = argv[1];
1834 } else {
1835 servername = lp_netbios_name();
1836 }
1837
1838 /* Get printer data from SPOOLSS */
1839
1840 resolve_name(servername, &server_ss, 0x20, false);
1841
1842 nt_status = cli_full_connection(&cli, lp_netbios_name(), servername,
1843 &server_ss, 0,
1844 "IPC$", "IPC",
1845 c->opt_user_name, c->opt_workgroup,
1846 c->opt_password ? c->opt_password : "",
1847 CLI_FULL_CONNECTION_USE_KERBEROS,
1848 SMB_SIGNING_DEFAULT);
1849
1850 if (NT_STATUS_IS_ERR(nt_status)) {
1851 d_fprintf(stderr, _("Unable to open a connection to %s to "
1852 "obtain data for %s\n"),
1853 servername, printername);
1854 ads_destroy(&ads);
1855 talloc_destroy(mem_ctx);
1856 return -1;
1857 }
1858
1859 /* Publish on AD server */
1860
1861 ads_find_machine_acct(ads, &res, servername);
1862
1863 if (ads_count_replies(ads, res) == 0) {
1864 d_fprintf(stderr, _("Could not find machine account for server "
1865 "%s\n"),
1866 servername);
1867 ads_destroy(&ads);
1868 talloc_destroy(mem_ctx);
1869 return -1;
1870 }
1871
1872 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1873 srv_cn = ldap_explode_dn(srv_dn, 1);
1874
1875 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1876 printername_escaped = escape_rdn_val_string_alloc(printername);
1877 if (!srv_cn_escaped || !printername_escaped) {
1878 SAFE_FREE(srv_cn_escaped);
1879 SAFE_FREE(printername_escaped);
1880 d_fprintf(stderr, _("Internal error, out of memory!"));
1881 ads_destroy(&ads);
1882 talloc_destroy(mem_ctx);
1883 return -1;
1884 }
1885
1886 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1887 SAFE_FREE(srv_cn_escaped);
1888 SAFE_FREE(printername_escaped);
1889 d_fprintf(stderr, _("Internal error, out of memory!"));
1890 ads_destroy(&ads);
1891 talloc_destroy(mem_ctx);
1892 return -1;
1893 }
1894
1895 SAFE_FREE(srv_cn_escaped);
1896 SAFE_FREE(printername_escaped);
1897
1898 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1899 if (!NT_STATUS_IS_OK(nt_status)) {
1900 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
1901 servername);
1902 SAFE_FREE(prt_dn);
1903 ads_destroy(&ads);
1904 talloc_destroy(mem_ctx);
1905 return -1;
1906 }
1907
1908 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1909 printername))) {
1910 SAFE_FREE(prt_dn);
1911 ads_destroy(&ads);
1912 talloc_destroy(mem_ctx);
1913 return -1;
1914 }
1915
1916 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1917 if (!ADS_ERR_OK(rc)) {
1918 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1919 SAFE_FREE(prt_dn);
1920 ads_destroy(&ads);
1921 talloc_destroy(mem_ctx);
1922 return -1;
1923 }
1924
1925 d_printf("published printer\n");
1926 SAFE_FREE(prt_dn);
1927 ads_destroy(&ads);
1928 talloc_destroy(mem_ctx);
1929
1930 return 0;
1931 }
1932
1933 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1934 {
1935 ADS_STRUCT *ads;
1936 ADS_STATUS rc;
1937 const char *servername;
1938 char *prt_dn;
1939 LDAPMessage *res = NULL;
1940
1941 if (argc < 1 || c->display_usage) {
1942 d_printf("%s\n%s",
1943 _("Usage:"),
1944 _("net ads printer remove <printername> [servername]\n"
1945 " Remove a printer from the AD\n"
1946 " printername\tName of the printer\n"
1947 " servername\tName of the print server\n"));
1948 return -1;
1949 }
1950
1951 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1952 return -1;
1953 }
1954
1955 if (argc > 1) {
1956 servername = argv[1];
1957 } else {
1958 servername = lp_netbios_name();
1959 }
1960
1961 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1962
1963 if (!ADS_ERR_OK(rc)) {
1964 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1965 ads_msgfree(ads, res);
1966 ads_destroy(&ads);
1967 return -1;
1968 }
1969
1970 if (ads_count_replies(ads, res) == 0) {
1971 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1972 ads_msgfree(ads, res);
1973 ads_destroy(&ads);
1974 return -1;
1975 }
1976
1977 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1978 ads_msgfree(ads, res);
1979 rc = ads_del_dn(ads, prt_dn);
1980 TALLOC_FREE(prt_dn);
1981
1982 if (!ADS_ERR_OK(rc)) {
1983 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1984 ads_destroy(&ads);
1985 return -1;
1986 }
1987
1988 ads_destroy(&ads);
1989 return 0;
1990 }
1991
1992 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1993 {
1994 struct functable func[] = {
1995 {
1996 "search",
1997 net_ads_printer_search,
1998 NET_TRANSPORT_ADS,
1999 N_("Search for a printer"),
2000 N_("net ads printer search\n"
2001 " Search for a printer")
2002 },
2003 {
2004 "info",
2005 net_ads_printer_info,
2006 NET_TRANSPORT_ADS,
2007 N_("Display printer information"),
2008 N_("net ads printer info\n"
2009 " Display printer information")
2010 },
2011 {
2012 "publish",
2013 net_ads_printer_publish,
2014 NET_TRANSPORT_ADS,
2015 N_("Publish a printer"),
2016 N_("net ads printer publish\n"
2017 " Publish a printer")
2018 },
2019 {
2020 "remove",
2021 net_ads_printer_remove,
2022 NET_TRANSPORT_ADS,
2023 N_("Delete a printer"),
2024 N_("net ads printer remove\n"
2025 " Delete a printer")
2026 },
2027 {NULL, NULL, 0, NULL, NULL}
2028 };
2029
2030 return net_run_function(c, argc, argv, "net ads printer", func);
2031 }
2032
2033
2034 static int net_ads_password(struct net_context *c, int argc, const char **argv)
2035 {
2036 ADS_STRUCT *ads;
2037 const char *auth_principal = c->opt_user_name;
2038 const char *auth_password = c->opt_password;
2039 const char *realm = NULL;
2040 const char *new_password = NULL;
2041 char *chr, *prompt;
2042 const char *user;
2043 ADS_STATUS ret;
2044
2045 if (c->display_usage) {
2046 d_printf("%s\n%s",
2047 _("Usage:"),
2048 _("net ads password <username>\n"
2049 " Change password for user\n"
2050 " username\tName of user to change password for\n"));
2051 return 0;
2052 }
2053
2054 if (c->opt_user_name == NULL || c->opt_password == NULL) {
2055 d_fprintf(stderr, _("You must supply an administrator "
2056 "username/password\n"));
2057 return -1;
2058 }
2059
2060 if (argc < 1) {
2061 d_fprintf(stderr, _("ERROR: You must say which username to "
2062 "change password for\n"));
2063 return -1;
2064 }
2065
2066 user = argv[0];
2067 if (!strchr_m(user, '@')) {
2068 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
2069 return -1;
2070 }
2071 user = chr;
2072 }
2073
2074 use_in_memory_ccache();
2075 chr = strchr_m(auth_principal, '@');
2076 if (chr) {
2077 realm = ++chr;
2078 } else {
2079 realm = lp_realm();
2080 }
2081
2082 /* use the realm so we can eventually change passwords for users
2083 in realms other than default */
2084 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
2085 return -1;
2086 }
2087
2088 /* we don't actually need a full connect, but it's the easy way to
2089 fill in the KDC's addresss */
2090 ads_connect(ads);
2091
2092 if (!ads->config.realm) {
2093 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2094 ads_destroy(&ads);
2095 return -1;
2096 }
2097
2098 if (argv[1]) {
2099 new_password = (const char *)argv[1];
2100 } else {
2101 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
2102 return -1;
2103 }
2104 new_password = getpass(prompt);
2105 free(prompt);
2106 }
2107
2108 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2109 auth_password, user, new_password, ads->auth.time_offset);
2110 if (!ADS_ERR_OK(ret)) {
2111 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2112 ads_destroy(&ads);
2113 return -1;
2114 }
2115
2116 d_printf(_("Password change for %s completed.\n"), user);
2117 ads_destroy(&ads);
2118
2119 return 0;
2120 }
2121
2122 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2123 {
2124 ADS_STRUCT *ads;
2125 char *host_principal;
2126 fstring my_name;
2127 ADS_STATUS ret;
2128
2129 if (c->display_usage) {
2130 d_printf( "%s\n"
2131 "net ads changetrustpw\n"
2132 " %s\n",
2133 _("Usage:"),
2134 _("Change the machine account's trust password"));
2135 return 0;
2136 }
2137
2138 if (!secrets_init()) {
2139 DEBUG(1,("Failed to initialise secrets database\n"));
2140 return -1;
2141 }
2142
2143 net_use_krb_machine_account(c);
2144
2145 use_in_memory_ccache();
2146
2147 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2148 return -1;
2149 }
2150
2151 fstrcpy(my_name, lp_netbios_name());
2152 strlower_m(my_name);
2153 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2154 ads_destroy(&ads);
2155 return -1;
2156 }
2157 d_printf(_("Changing password for principal: %s\n"), host_principal);
2158
2159 ret = ads_change_trust_account_password(ads, host_principal);
2160
2161 if (!ADS_ERR_OK(ret)) {
2162 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2163 ads_destroy(&ads);
2164 SAFE_FREE(host_principal);
2165 return -1;
2166 }
2167
2168 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2169
2170 if (USE_SYSTEM_KEYTAB) {
2171 d_printf(_("Attempting to update system keytab with new password.\n"));
2172 if (ads_keytab_create_default(ads)) {
2173 d_printf(_("Failed to update system keytab.\n"));
2174 }
2175 }
2176
2177 ads_destroy(&ads);
2178 SAFE_FREE(host_principal);
2179
2180 return 0;
2181 }
2182
2183 /*
2184 help for net ads search
2185 */
2186 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2187 {
2188 d_printf(_(
2189 "\nnet ads search <expression> <attributes...>\n"
2190 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2191 "The expression is a standard LDAP search expression, and the\n"
2192 "attributes are a list of LDAP fields to show in the results.\n\n"
2193 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2194 ));
2195 net_common_flags_usage(c, argc, argv);
2196 return -1;
2197 }
2198
2199
2200 /*
2201 general ADS search function. Useful in diagnosing problems in ADS
2202 */
2203 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2204 {
2205 ADS_STRUCT *ads;
2206 ADS_STATUS rc;
2207 const char *ldap_exp;
2208 const char **attrs;
2209 LDAPMessage *res = NULL;
2210
2211 if (argc < 1 || c->display_usage) {
2212 return net_ads_search_usage(c, argc, argv);
2213 }
2214
2215 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2216 return -1;
2217 }
2218
2219 ldap_exp = argv[0];
2220 attrs = (argv + 1);
2221
2222 rc = ads_do_search_all(ads, ads->config.bind_path,
2223 LDAP_SCOPE_SUBTREE,
2224 ldap_exp, attrs, &res);
2225 if (!ADS_ERR_OK(rc)) {
2226 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2227 ads_destroy(&ads);
2228 return -1;
2229 }
2230
2231 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2232
2233 /* dump the results */
2234 ads_dump(ads, res);
2235
2236 ads_msgfree(ads, res);
2237 ads_destroy(&ads);
2238
2239 return 0;
2240 }
2241
2242
2243 /*
2244 help for net ads search
2245 */
2246 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2247 {
2248 d_printf(_(
2249 "\nnet ads dn <dn> <attributes...>\n"
2250 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2251 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2252 "to show in the results\n\n"
2253 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2254 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2255 ));
2256 net_common_flags_usage(c, argc, argv);
2257 return -1;
2258 }
2259
2260
2261 /*
2262 general ADS search function. Useful in diagnosing problems in ADS
2263 */
2264 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2265 {
2266 ADS_STRUCT *ads;
2267 ADS_STATUS rc;
2268 const char *dn;
2269 const char **attrs;
2270 LDAPMessage *res = NULL;
2271
2272 if (argc < 1 || c->display_usage) {
2273 return net_ads_dn_usage(c, argc, argv);
2274 }
2275
2276 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2277 return -1;
2278 }
2279
2280 dn = argv[0];
2281 attrs = (argv + 1);
2282
2283 rc = ads_do_search_all(ads, dn,
2284 LDAP_SCOPE_BASE,
2285 "(objectclass=*)", attrs, &res);
2286 if (!ADS_ERR_OK(rc)) {
2287 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2288 ads_destroy(&ads);
2289 return -1;
2290 }
2291
2292 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2293
2294 /* dump the results */
2295 ads_dump(ads, res);
2296
2297 ads_msgfree(ads, res);
2298 ads_destroy(&ads);
2299
2300 return 0;
2301 }
2302
2303 /*
2304 help for net ads sid search
2305 */
2306 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2307 {
2308 d_printf(_(
2309 "\nnet ads sid <sid> <attributes...>\n"
2310 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2311 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2312 "to show in the results\n\n"
2313 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2314 ));
2315 net_common_flags_usage(c, argc, argv);
2316 return -1;
2317 }
2318
2319
2320 /*
2321 general ADS search function. Useful in diagnosing problems in ADS
2322 */
2323 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2324 {
2325 ADS_STRUCT *ads;
2326 ADS_STATUS rc;
2327 const char *sid_string;
2328 const char **attrs;
2329 LDAPMessage *res = NULL;
2330 struct dom_sid sid;
2331
2332 if (argc < 1 || c->display_usage) {
2333 return net_ads_sid_usage(c, argc, argv);
2334 }
2335
2336 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2337 return -1;
2338 }
2339
2340 sid_string = argv[0];
2341 attrs = (argv + 1);
2342
2343 if (!string_to_sid(&sid, sid_string)) {
2344 d_fprintf(stderr, _("could not convert sid\n"));
2345 ads_destroy(&ads);
2346 return -1;
2347 }
2348
2349 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2350 if (!ADS_ERR_OK(rc)) {
2351 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2352 ads_destroy(&ads);
2353 return -1;
2354 }
2355
2356 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2357
2358 /* dump the results */
2359 ads_dump(ads, res);
2360
2361 ads_msgfree(ads, res);
2362 ads_destroy(&ads);
2363
2364 return 0;
2365 }
2366
2367 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2368 {
2369 int ret;
2370 ADS_STRUCT *ads;
2371
2372 if (c->display_usage) {
2373 d_printf( "%s\n"
2374 "net ads keytab flush\n"
2375 " %s\n",
2376 _("Usage:"),
2377 _("Delete the whole keytab"));
2378 return 0;
2379 }
2380
2381 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2382 return -1;
2383 }
2384 ret = ads_keytab_flush(ads);
2385 ads_destroy(&ads);
2386 return ret;
2387 }
2388
2389 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2390 {
2391 int i;
2392 int ret = 0;
2393 ADS_STRUCT *ads;
2394
2395 if (c->display_usage) {
2396 d_printf("%s\n%s",
2397 _("Usage:"),
2398 _("net ads keytab add <principal> [principal ...]\n"
2399 " Add principals to local keytab\n"
2400 " principal\tKerberos principal to add to "
2401 "keytab\n"));
2402 return 0;
2403 }
2404
2405 d_printf(_("Processing principals to add...\n"));
2406 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2407 return -1;
2408 }
2409 for (i = 0; i < argc; i++) {
2410 ret |= ads_keytab_add_entry(ads, argv[i]);
2411 }
2412 ads_destroy(&ads);
2413 return ret;
2414 }
2415
2416 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2417 {
2418 ADS_STRUCT *ads;
2419 int ret;
2420
2421 if (c->display_usage) {
2422 d_printf( "%s\n"
2423 "net ads keytab create\n"
2424 " %s\n",
2425 _("Usage:"),
2426 _("Create new default keytab"));
2427 return 0;
2428 }
2429
2430 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2431 return -1;
2432 }
2433 ret = ads_keytab_create_default(ads);
2434 ads_destroy(&ads);
2435 return ret;
2436 }
2437
2438 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2439 {
2440 const char *keytab = NULL;
2441
2442 if (c->display_usage) {
2443 d_printf("%s\n%s",
2444 _("Usage:"),
2445 _("net ads keytab list [keytab]\n"
2446 " List a local keytab\n"
2447 " keytab\tKeytab to list\n"));
2448 return 0;
2449 }
2450
2451 if (argc >= 1) {
2452 keytab = argv[0];
2453 }
2454
2455 return ads_keytab_list(keytab);
2456 }
2457
2458
2459 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2460 {
2461 struct functable func[] = {
2462 {
2463 "add",
2464 net_ads_keytab_add,
2465 NET_TRANSPORT_ADS,
2466 N_("Add a service principal"),
2467 N_("net ads keytab add\n"
2468 " Add a service principal")
2469 },
2470 {
2471 "create",
2472 net_ads_keytab_create,
2473 NET_TRANSPORT_ADS,
2474 N_("Create a fresh keytab"),
2475 N_("net ads keytab create\n"
2476 " Create a fresh keytab")
2477 },
2478 {
2479 "flush",
2480 net_ads_keytab_flush,
2481 NET_TRANSPORT_ADS,
2482 N_("Remove all keytab entries"),
2483 N_("net ads keytab flush\n"
2484 " Remove all keytab entries")
2485 },
2486 {
2487 "list",
2488 net_ads_keytab_list,
2489 NET_TRANSPORT_ADS,
2490 N_("List a keytab"),
2491 N_("net ads keytab list\n"
2492 " List a keytab")
2493 },
2494 {NULL, NULL, 0, NULL, NULL}
2495 };
2496
2497 if (!USE_KERBEROS_KEYTAB) {
2498 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2499 "keytab method to use keytab functions.\n"));
2500 }
2501
2502 return net_run_function(c, argc, argv, "net ads keytab", func);
2503 }
2504
2505 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2506 {
2507 int ret = -1;
2508
2509 if (c->display_usage) {
2510 d_printf( "%s\n"
2511 "net ads kerberos renew\n"
2512 " %s\n",
2513 _("Usage:"),
2514 _("Renew TGT from existing credential cache"));
2515 return 0;
2516 }
2517
2518 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2519 if (ret) {
2520 d_printf(_("failed to renew kerberos ticket: %s\n"),
2521 error_message(ret));
2522 }
2523 return ret;
2524 }
2525
2526 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2527 {
2528 struct PAC_LOGON_INFO *info = NULL;
2529 TALLOC_CTX *mem_ctx = NULL;
2530 NTSTATUS status;
2531 int ret = -1;
2532 const char *impersonate_princ_s = NULL;
2533
2534 if (c->display_usage) {
2535 d_printf( "%s\n"
2536 "net ads kerberos pac\n"
2537 " %s\n",
2538 _("Usage:"),
2539 _("Dump the Kerberos PAC"));
2540 return 0;
2541 }
2542
2543 mem_ctx = talloc_init("net_ads_kerberos_pac");
2544 if (!mem_ctx) {
2545 goto out;
2546 }
2547
2548 if (argc > 0) {
2549 impersonate_princ_s = argv[0];
2550 }
2551
2552 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2553
2554 status = kerberos_return_pac(mem_ctx,
2555 c->opt_user_name,
2556 c->opt_password,
2557 0,
2558 NULL,
2559 NULL,
2560 NULL,
2561 true,
2562 true,
2563 2592000, /* one month */
2564 impersonate_princ_s,
2565 &info);
2566 if (!NT_STATUS_IS_OK(status)) {
2567 d_printf(_("failed to query kerberos PAC: %s\n"),
2568 nt_errstr(status));
2569 goto out;
2570 }
2571
2572 if (info) {
2573 const char *s;
2574 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2575 d_printf(_("The Pac: %s\n"), s);
2576 }
2577
2578 ret = 0;
2579 out:
2580 TALLOC_FREE(mem_ctx);
2581 return ret;
2582 }
2583
2584 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2585 {
2586 TALLOC_CTX *mem_ctx = NULL;
2587 int ret = -1;
2588 NTSTATUS status;
2589
2590 if (c->display_usage) {
2591 d_printf( "%s\n"
2592 "net ads kerberos kinit\n"
2593 " %s\n",
2594 _("Usage:"),
2595 _("Get Ticket Granting Ticket (TGT) for the user"));
2596 return 0;
2597 }
2598
2599 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2600 if (!mem_ctx) {
2601 goto out;
2602 }
2603
2604 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2605
2606 ret = kerberos_kinit_password_ext(c->opt_user_name,
2607 c->opt_password,
2608 0,
2609 NULL,
2610 NULL,
2611 NULL,
2612 true,
2613 true,
2614 2592000, /* one month */
2615 &status);
2616 if (ret) {
2617 d_printf(_("failed to kinit password: %s\n"),
2618 nt_errstr(status));
2619 }
2620 out:
2621 return ret;
2622 }
2623
2624 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2625 {
2626 struct functable func[] = {
2627 {
2628 "kinit",
2629 net_ads_kerberos_kinit,
2630 NET_TRANSPORT_ADS,
2631 N_("Retrieve Ticket Granting Ticket (TGT)"),
2632 N_("net ads kerberos kinit\n"
2633 " Receive Ticket Granting Ticket (TGT)")
2634 },
2635 {
2636 "renew",
2637 net_ads_kerberos_renew,
2638 NET_TRANSPORT_ADS,
2639 N_("Renew Ticket Granting Ticket from credential cache"),
2640 N_("net ads kerberos renew\n"
2641 " Renew Ticket Granting Ticket (TGT) from "
2642 "credential cache")
2643 },
2644 {
2645 "pac",
2646 net_ads_kerberos_pac,
2647 NET_TRANSPORT_ADS,
2648 N_("Dump Kerberos PAC"),
2649 N_("net ads kerberos pac\n"
2650 " Dump Kerberos PAC")
2651 },
2652 {NULL, NULL, 0, NULL, NULL}
2653 };
2654
2655 return net_run_function(c, argc, argv, "net ads kerberos", func);
2656 }
2657
2658 int net_ads(struct net_context *c, int argc, const char **argv)
2659 {
2660 struct functable func[] = {
2661 {
2662 "info",
2663 net_ads_info,
2664 NET_TRANSPORT_ADS,
2665 N_("Display details on remote ADS server"),
2666 N_("net ads info\n"
2667 " Display details on remote ADS server")
2668 },
2669 {
2670 "join",
2671 net_ads_join,
2672 NET_TRANSPORT_ADS,
2673 N_("Join the local machine to ADS realm"),
2674 N_("net ads join\n"
2675 " Join the local machine to ADS realm")
2676 },
2677 {
2678 "testjoin",
2679 net_ads_testjoin,
2680 NET_TRANSPORT_ADS,
2681 N_("Validate machine account"),
2682 N_("net ads testjoin\n"
2683 " Validate machine account")
2684 },
2685 {
2686 "leave",
2687 net_ads_leave,
2688 NET_TRANSPORT_ADS,
2689 N_("Remove the local machine from ADS"),
2690 N_("net ads leave\n"
2691 " Remove the local machine from ADS")
2692 },
2693 {
2694 "status",
2695 net_ads_status,
2696 NET_TRANSPORT_ADS,
2697 N_("Display machine account details"),
2698 N_("net ads status\n"
2699 " Display machine account details")
2700 },
2701 {
2702 "user",
2703 net_ads_user,
2704 NET_TRANSPORT_ADS,
2705 N_("List/modify users"),
2706 N_("net ads user\n"
2707 " List/modify users")
2708 },
2709 {
2710 "group",
2711 net_ads_group,
2712 NET_TRANSPORT_ADS,
2713 N_("List/modify groups"),
2714 N_("net ads group\n"
2715 " List/modify groups")
2716 },
2717 {
2718 "dns",
2719 net_ads_dns,
2720 NET_TRANSPORT_ADS,
2721 N_("Issue dynamic DNS update"),
2722 N_("net ads dns\n"
2723 " Issue dynamic DNS update")
2724 },
2725 {
2726 "password",
2727 net_ads_password,
2728 NET_TRANSPORT_ADS,
2729 N_("Change user passwords"),
2730 N_("net ads password\n"
2731 " Change user passwords")
2732 },
2733 {
2734 "changetrustpw",
2735 net_ads_changetrustpw,
2736 NET_TRANSPORT_ADS,
2737 N_("Change trust account password"),
2738 N_("net ads changetrustpw\n"
2739 " Change trust account password")
2740 },
2741 {
2742 "printer",
2743 net_ads_printer,
2744 NET_TRANSPORT_ADS,
2745 N_("List/modify printer entries"),
2746 N_("net ads printer\n"
2747 " List/modify printer entries")
2748 },
2749 {
2750 "search",
2751 net_ads_search,
2752 NET_TRANSPORT_ADS,
2753 N_("Issue LDAP search using filter"),
2754 N_("net ads search\n"
2755 " Issue LDAP search using filter")
2756 },
2757 {
2758 "dn",
2759 net_ads_dn,
2760 NET_TRANSPORT_ADS,
2761 N_("Issue LDAP search by DN"),
2762 N_("net ads dn\n"
2763 " Issue LDAP search by DN")
2764 },
2765 {
2766 "sid",
2767 net_ads_sid,
2768 NET_TRANSPORT_ADS,
2769 N_("Issue LDAP search by SID"),
2770 N_("net ads sid\n"
2771 " Issue LDAP search by SID")
2772 },
2773 {
2774 "workgroup",
2775 net_ads_workgroup,
2776 NET_TRANSPORT_ADS,
2777 N_("Display workgroup name"),
2778 N_("net ads workgroup\n"
2779 " Display the workgroup name")
2780 },
2781 {
2782 "lookup",
2783 net_ads_lookup,
2784 NET_TRANSPORT_ADS,
2785 N_("Perfom CLDAP query on DC"),
2786 N_("net ads lookup\n"
2787 " Find the ADS DC using CLDAP lookups")
2788 },
2789 {
2790 "keytab",
2791 net_ads_keytab,
2792 NET_TRANSPORT_ADS,
2793 N_("Manage local keytab file"),
2794 N_("net ads keytab\n"
2795 " Manage local keytab file")
2796 },
2797 {
2798 "gpo",
2799 net_ads_gpo,
2800 NET_TRANSPORT_ADS,
2801 N_("Manage group policy objects"),
2802 N_("net ads gpo\n"
2803 " Manage group policy objects")
2804 },
2805 {
2806 "kerberos",
2807 net_ads_kerberos,
2808 NET_TRANSPORT_ADS,
2809 N_("Manage kerberos keytab"),
2810 N_("net ads kerberos\n"
2811 " Manage kerberos keytab")
2812 },
2813 {NULL, NULL, 0, NULL, NULL}
2814 };
2815
2816 return net_run_function(c, argc, argv, "net ads", func);
2817 }
2818
2819 #else
2820
2821 static int net_ads_noads(void)
2822 {
2823 d_fprintf(stderr, _("ADS support not compiled in\n"));
2824 return -1;
2825 }
2826
2827 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2828 {
2829 return net_ads_noads();
2830 }
2831
2832 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2833 {
2834 return net_ads_noads();
2835 }
2836
2837 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2838 {
2839 return net_ads_noads();
2840 }
2841
2842 int net_ads_join(struct net_context *c, int argc, const char **argv)
2843 {
2844 return net_ads_noads();
2845 }
2846
2847 int net_ads_user(struct net_context *c, int argc, const char **argv)
2848 {
2849 return net_ads_noads();
2850 }
2851
2852 int net_ads_group(struct net_context *c, int argc, const char **argv)
2853 {
2854 return net_ads_noads();
2855 }
2856
2857 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
2858 {
2859 return net_ads_noads();
2860 }
2861
2862 /* this one shouldn't display a message */
2863 int net_ads_check(struct net_context *c)
2864 {
2865 return -1;
2866 }
2867
2868 int net_ads_check_our_domain(struct net_context *c)
2869 {
2870 return -1;
2871 }
2872
2873 int net_ads(struct net_context *c, int argc, const char **argv)
2874 {
2875 return net_ads_noads();
2876 }
2877
2878 #endif /* HAVE_ADS */
Samba GIT mirror