search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:net: add net_update_dns_ext() that accepts a list of addresses as parameter (bug...
[Samba.git] / source3 / utils / net_ads.c
blob75b115e28bcd63590cb95e2b3f92c8b966bb8500
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
28
29 #ifdef HAVE_ADS
30
31 /* when we do not have sufficient input parameters to contact a remote domain
32 * we always fall back to our own realm - Guenther*/
33
34 static const char *assume_own_realm(struct net_context *c)
35 {
36 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
37 return lp_realm();
38 }
39
40 return NULL;
41 }
42
43 /*
44 do a cldap netlogon query
45 */
46 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
47 {
48 char addr[INET6_ADDRSTRLEN];
49 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
50
51 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
52 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
53 d_fprintf(stderr, _("CLDAP query failed!\n"));
54 return -1;
55 }
56
57 d_printf(_("Information for Domain Controller: %s\n\n"),
58 addr);
59
60 d_printf(_("Response Type: "));
61 switch (reply.command) {
62 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
63 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
64 break;
65 case LOGON_SAM_LOGON_RESPONSE_EX:
66 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
67 break;
68 default:
69 d_printf("0x%x\n", reply.command);
70 break;
71 }
72
73 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
74
75 d_printf(_("Flags:\n"
76 "\tIs a PDC: %s\n"
77 "\tIs a GC of the forest: %s\n"
78 "\tIs an LDAP server: %s\n"
79 "\tSupports DS: %s\n"
80 "\tIs running a KDC: %s\n"
81 "\tIs running time services: %s\n"
82 "\tIs the closest DC: %s\n"
83 "\tIs writable: %s\n"
84 "\tHas a hardware clock: %s\n"
85 "\tIs a non-domain NC serviced by LDAP server: %s\n"
86 "\tIs NT6 DC that has some secrets: %s\n"
87 "\tIs NT6 DC that has all secrets: %s\n"),
88 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
89 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
90 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
91 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
92 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
93 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
94 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
95 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
96 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
97 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
98 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
100
101
102 printf(_("Forest:\t\t\t%s\n"), reply.forest);
103 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
104 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
105
106 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain);
107 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
108
109 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
110
111 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
112 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
113
114 d_printf(_("NT Version: %d\n"), reply.nt_version);
115 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
116 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
117
118 return 0;
119 }
120
121 /*
122 this implements the CLDAP based netlogon lookup requests
123 for finding the domain controller of a ADS domain
124 */
125 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
126 {
127 ADS_STRUCT *ads;
128 int ret;
129
130 if (c->display_usage) {
131 d_printf("%s\n"
132 "net ads lookup\n"
133 " %s",
134 _("Usage:"),
135 _("Find the ADS DC using CLDAP lookup.\n"));
136 return 0;
137 }
138
139 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
140 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
141 ads_destroy(&ads);
142 return -1;
143 }
144
145 if (!ads->config.realm) {
146 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
147 ads->ldap.port = 389;
148 }
149
150 ret = net_ads_cldap_netlogon(c, ads);
151 ads_destroy(&ads);
152 return ret;
153 }
154
155
156
157 static int net_ads_info(struct net_context *c, int argc, const char **argv)
158 {
159 ADS_STRUCT *ads;
160 char addr[INET6_ADDRSTRLEN];
161
162 if (c->display_usage) {
163 d_printf("%s\n"
164 "net ads info\n"
165 " %s",
166 _("Usage:"),
167 _("Display information about an Active Directory "
168 "server.\n"));
169 return 0;
170 }
171
172 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
173 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
174 return -1;
175 }
176
177 if (!ads || !ads->config.realm) {
178 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
179 ads_destroy(&ads);
180 return -1;
181 }
182
183 /* Try to set the server's current time since we didn't do a full
184 TCP LDAP session initially */
185
186 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
187 d_fprintf( stderr, _("Failed to get server's current time!\n"));
188 }
189
190 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
191
192 d_printf(_("LDAP server: %s\n"), addr);
193 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
194 d_printf(_("Realm: %s\n"), ads->config.realm);
195 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
196 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
197 d_printf(_("Server time: %s\n"),
198 http_timestring(talloc_tos(), ads->config.current_time));
199
200 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
201 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
202
203 ads_destroy(&ads);
204 return 0;
205 }
206
207 static void use_in_memory_ccache(void) {
208 /* Use in-memory credentials cache so we do not interfere with
209 * existing credentials */
210 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
211 }
212
213 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
214 uint32 auth_flags, ADS_STRUCT **ads_ret)
215 {
216 ADS_STRUCT *ads = NULL;
217 ADS_STATUS status;
218 bool need_password = false;
219 bool second_time = false;
220 char *cp;
221 const char *realm = NULL;
222 bool tried_closest_dc = false;
223
224 /* lp_realm() should be handled by a command line param,
225 However, the join requires that realm be set in smb.conf
226 and compares our realm with the remote server's so this is
227 ok until someone needs more flexibility */
228
229 *ads_ret = NULL;
230
231 retry_connect:
232 if (only_own_domain) {
233 realm = lp_realm();
234 } else {
235 realm = assume_own_realm(c);
236 }
237
238 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
239
240 if (!c->opt_user_name) {
241 c->opt_user_name = "administrator";
242 }
243
244 if (c->opt_user_specified) {
245 need_password = true;
246 }
247
248 retry:
249 if (!c->opt_password && need_password && !c->opt_machine_pass) {
250 c->opt_password = net_prompt_pass(c, c->opt_user_name);
251 if (!c->opt_password) {
252 ads_destroy(&ads);
253 return ADS_ERROR(LDAP_NO_MEMORY);
254 }
255 }
256
257 if (c->opt_password) {
258 use_in_memory_ccache();
259 SAFE_FREE(ads->auth.password);
260 ads->auth.password = smb_xstrdup(c->opt_password);
261 }
262
263 ads->auth.flags |= auth_flags;
264 SAFE_FREE(ads->auth.user_name);
265 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
266
267 /*
268 * If the username is of the form "name@realm",
269 * extract the realm and convert to upper case.
270 * This is only used to establish the connection.
271 */
272 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
273 *cp++ = '\0';
274 SAFE_FREE(ads->auth.realm);
275 ads->auth.realm = smb_xstrdup(cp);
276 strupper_m(ads->auth.realm);
277 }
278
279 status = ads_connect(ads);
280
281 if (!ADS_ERR_OK(status)) {
282
283 if (NT_STATUS_EQUAL(ads_ntstatus(status),
284 NT_STATUS_NO_LOGON_SERVERS)) {
285 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
286 ads_destroy(&ads);
287 return status;
288 }
289
290 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
291 need_password = true;
292 second_time = true;
293 goto retry;
294 } else {
295 ads_destroy(&ads);
296 return status;
297 }
298 }
299
300 /* when contacting our own domain, make sure we use the closest DC.
301 * This is done by reconnecting to ADS because only the first call to
302 * ads_connect will give us our own sitename */
303
304 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
305
306 tried_closest_dc = true; /* avoid loop */
307
308 if (!ads_closest_dc(ads)) {
309
310 namecache_delete(ads->server.realm, 0x1C);
311 namecache_delete(ads->server.workgroup, 0x1C);
312
313 ads_destroy(&ads);
314 ads = NULL;
315
316 goto retry_connect;
317 }
318 }
319
320 *ads_ret = ads;
321 return status;
322 }
323
324 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
325 {
326 return ads_startup_int(c, only_own_domain, 0, ads);
327 }
328
329 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
330 {
331 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
332 }
333
334 /*
335 Check to see if connection can be made via ads.
336 ads_startup() stores the password in opt_password if it needs to so
337 that rpc or rap can use it without re-prompting.
338 */
339 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
340 {
341 ADS_STRUCT *ads;
342 ADS_STATUS status;
343
344 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
345 return -1;
346 }
347
348 ads->auth.flags |= ADS_AUTH_NO_BIND;
349
350 status = ads_connect(ads);
351 if ( !ADS_ERR_OK(status) ) {
352 return -1;
353 }
354
355 ads_destroy(&ads);
356 return 0;
357 }
358
359 int net_ads_check_our_domain(struct net_context *c)
360 {
361 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
362 }
363
364 int net_ads_check(struct net_context *c)
365 {
366 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
367 }
368
369 /*
370 determine the netbios workgroup name for a domain
371 */
372 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
373 {
374 ADS_STRUCT *ads;
375 char addr[INET6_ADDRSTRLEN];
376 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
377
378 if (c->display_usage) {
379 d_printf ("%s\n"
380 "net ads workgroup\n"
381 " %s\n",
382 _("Usage:"),
383 _("Print the workgroup name"));
384 return 0;
385 }
386
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
389 return -1;
390 }
391
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
395 }
396
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, _("CLDAP query failed!\n"));
400 ads_destroy(&ads);
401 return -1;
402 }
403
404 d_printf(_("Workgroup: %s\n"), reply.domain);
405
406 ads_destroy(&ads);
407
408 return 0;
409 }
410
411
412
413 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
414 {
415 char **disp_fields = (char **) data_area;
416
417 if (!field) { /* must be end of record */
418 if (disp_fields[0]) {
419 if (!strchr_m(disp_fields[0], '$')) {
420 if (disp_fields[1])
421 d_printf("%-21.21s %s\n",
422 disp_fields[0], disp_fields[1]);
423 else
424 d_printf("%s\n", disp_fields[0]);
425 }
426 }
427 SAFE_FREE(disp_fields[0]);
428 SAFE_FREE(disp_fields[1]);
429 return true;
430 }
431 if (!values) /* must be new field, indicate string field */
432 return true;
433 if (StrCaseCmp(field, "sAMAccountName") == 0) {
434 disp_fields[0] = SMB_STRDUP((char *) values[0]);
435 }
436 if (StrCaseCmp(field, "description") == 0)
437 disp_fields[1] = SMB_STRDUP((char *) values[0]);
438 return true;
439 }
440
441 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
442 {
443 return net_user_usage(c, argc, argv);
444 }
445
446 static int ads_user_add(struct net_context *c, int argc, const char **argv)
447 {
448 ADS_STRUCT *ads;
449 ADS_STATUS status;
450 char *upn, *userdn;
451 LDAPMessage *res=NULL;
452 int rc = -1;
453 char *ou_str = NULL;
454
455 if (argc < 1 || c->display_usage)
456 return net_ads_user_usage(c, argc, argv);
457
458 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
459 return -1;
460 }
461
462 status = ads_find_user_acct(ads, &res, argv[0]);
463
464 if (!ADS_ERR_OK(status)) {
465 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
466 goto done;
467 }
468
469 if (ads_count_replies(ads, res)) {
470 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
471 argv[0]);
472 goto done;
473 }
474
475 if (c->opt_container) {
476 ou_str = SMB_STRDUP(c->opt_container);
477 } else {
478 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
479 }
480
481 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
482
483 if (!ADS_ERR_OK(status)) {
484 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
485 ads_errstr(status));
486 goto done;
487 }
488
489 /* if no password is to be set, we're done */
490 if (argc == 1) {
491 d_printf(_("User %s added\n"), argv[0]);
492 rc = 0;
493 goto done;
494 }
495
496 /* try setting the password */
497 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
498 goto done;
499 }
500 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
501 ads->auth.time_offset);
502 SAFE_FREE(upn);
503 if (ADS_ERR_OK(status)) {
504 d_printf(_("User %s added\n"), argv[0]);
505 rc = 0;
506 goto done;
507 }
508
509 /* password didn't set, delete account */
510 d_fprintf(stderr, _("Could not add user %s. "
511 "Error setting password %s\n"),
512 argv[0], ads_errstr(status));
513 ads_msgfree(ads, res);
514 status=ads_find_user_acct(ads, &res, argv[0]);
515 if (ADS_ERR_OK(status)) {
516 userdn = ads_get_dn(ads, talloc_tos(), res);
517 ads_del_dn(ads, userdn);
518 TALLOC_FREE(userdn);
519 }
520
521 done:
522 if (res)
523 ads_msgfree(ads, res);
524 ads_destroy(&ads);
525 SAFE_FREE(ou_str);
526 return rc;
527 }
528
529 static int ads_user_info(struct net_context *c, int argc, const char **argv)
530 {
531 ADS_STRUCT *ads = NULL;
532 ADS_STATUS rc;
533 LDAPMessage *res = NULL;
534 TALLOC_CTX *frame;
535 int ret = 0;
536 wbcErr wbc_status;
537 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
538 char *searchstring=NULL;
539 char **grouplist;
540 char *primary_group;
541 char *escaped_user;
542 DOM_SID primary_group_sid;
543 uint32_t group_rid;
544 enum wbcSidType type;
545
546 if (argc < 1 || c->display_usage) {
547 return net_ads_user_usage(c, argc, argv);
548 }
549
550 frame = talloc_new(talloc_tos());
551 if (frame == NULL) {
552 return -1;
553 }
554
555 escaped_user = escape_ldap_string(frame, argv[0]);
556 if (!escaped_user) {
557 d_fprintf(stderr,
558 _("ads_user_info: failed to escape user %s\n"),
559 argv[0]);
560 return -1;
561 }
562
563 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
564 ret = -1;
565 goto error;
566 }
567
568 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
569 ret =-1;
570 goto error;
571 }
572 rc = ads_search(ads, &res, searchstring, attrs);
573 SAFE_FREE(searchstring);
574
575 if (!ADS_ERR_OK(rc)) {
576 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
577 ret = -1;
578 goto error;
579 }
580
581 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
582 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
583 ret = -1;
584 goto error;
585 }
586
587 rc = ads_domain_sid(ads, &primary_group_sid);
588 if (!ADS_ERR_OK(rc)) {
589 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
590 ret = -1;
591 goto error;
592 }
593
594 sid_append_rid(&primary_group_sid, group_rid);
595
596 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
597 NULL, /* don't look up domain */
598 &primary_group,
599 &type);
600 if (!WBC_ERROR_IS_OK(wbc_status)) {
601 d_fprintf(stderr, "wbcLookupSid: %s\n",
602 wbcErrorString(wbc_status));
603 ret = -1;
604 goto error;
605 }
606
607 d_printf("%s\n", primary_group);
608
609 wbcFreeMemory(primary_group);
610
611 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
612 (LDAPMessage *)res, "memberOf");
613
614 if (grouplist) {
615 int i;
616 char **groupname;
617 for (i=0;grouplist[i];i++) {
618 groupname = ldap_explode_dn(grouplist[i], 1);
619 d_printf("%s\n", groupname[0]);
620 ldap_value_free(groupname);
621 }
622 ldap_value_free(grouplist);
623 }
624
625 error:
626 if (res) ads_msgfree(ads, res);
627 if (ads) ads_destroy(&ads);
628 TALLOC_FREE(frame);
629 return ret;
630 }
631
632 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
633 {
634 ADS_STRUCT *ads;
635 ADS_STATUS rc;
636 LDAPMessage *res = NULL;
637 char *userdn;
638
639 if (argc < 1) {
640 return net_ads_user_usage(c, argc, argv);
641 }
642
643 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
644 return -1;
645 }
646
647 rc = ads_find_user_acct(ads, &res, argv[0]);
648 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
649 d_printf(_("User %s does not exist.\n"), argv[0]);
650 ads_msgfree(ads, res);
651 ads_destroy(&ads);
652 return -1;
653 }
654 userdn = ads_get_dn(ads, talloc_tos(), res);
655 ads_msgfree(ads, res);
656 rc = ads_del_dn(ads, userdn);
657 TALLOC_FREE(userdn);
658 if (ADS_ERR_OK(rc)) {
659 d_printf(_("User %s deleted\n"), argv[0]);
660 ads_destroy(&ads);
661 return 0;
662 }
663 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
664 ads_errstr(rc));
665 ads_destroy(&ads);
666 return -1;
667 }
668
669 int net_ads_user(struct net_context *c, int argc, const char **argv)
670 {
671 struct functable func[] = {
672 {
673 "add",
674 ads_user_add,
675 NET_TRANSPORT_ADS,
676 N_("Add an AD user"),
677 N_("net ads user add\n"
678 " Add an AD user")
679 },
680 {
681 "info",
682 ads_user_info,
683 NET_TRANSPORT_ADS,
684 N_("Display information about an AD user"),
685 N_("net ads user info\n"
686 " Display information about an AD user")
687 },
688 {
689 "delete",
690 ads_user_delete,
691 NET_TRANSPORT_ADS,
692 N_("Delete an AD user"),
693 N_("net ads user delete\n"
694 " Delete an AD user")
695 },
696 {NULL, NULL, 0, NULL, NULL}
697 };
698 ADS_STRUCT *ads;
699 ADS_STATUS rc;
700 const char *shortattrs[] = {"sAMAccountName", NULL};
701 const char *longattrs[] = {"sAMAccountName", "description", NULL};
702 char *disp_fields[2] = {NULL, NULL};
703
704 if (argc == 0) {
705 if (c->display_usage) {
706 d_printf( "%s\n"
707 "net ads user\n"
708 " %s\n",
709 _("Usage:"),
710 _("List AD users"));
711 net_display_usage_from_functable(func);
712 return 0;
713 }
714
715 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
716 return -1;
717 }
718
719 if (c->opt_long_list_entries)
720 d_printf(_("\nUser name Comment"
721 "\n-----------------------------\n"));
722
723 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
724 LDAP_SCOPE_SUBTREE,
725 "(objectCategory=user)",
726 c->opt_long_list_entries ? longattrs :
727 shortattrs, usergrp_display,
728 disp_fields);
729 ads_destroy(&ads);
730 return ADS_ERR_OK(rc) ? 0 : -1;
731 }
732
733 return net_run_function(c, argc, argv, "net ads user", func);
734 }
735
736 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
737 {
738 return net_group_usage(c, argc, argv);
739 }
740
741 static int ads_group_add(struct net_context *c, int argc, const char **argv)
742 {
743 ADS_STRUCT *ads;
744 ADS_STATUS status;
745 LDAPMessage *res=NULL;
746 int rc = -1;
747 char *ou_str = NULL;
748
749 if (argc < 1 || c->display_usage) {
750 return net_ads_group_usage(c, argc, argv);
751 }
752
753 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
754 return -1;
755 }
756
757 status = ads_find_user_acct(ads, &res, argv[0]);
758
759 if (!ADS_ERR_OK(status)) {
760 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
761 goto done;
762 }
763
764 if (ads_count_replies(ads, res)) {
765 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
766 goto done;
767 }
768
769 if (c->opt_container) {
770 ou_str = SMB_STRDUP(c->opt_container);
771 } else {
772 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
773 }
774
775 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
776
777 if (ADS_ERR_OK(status)) {
778 d_printf(_("Group %s added\n"), argv[0]);
779 rc = 0;
780 } else {
781 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
782 ads_errstr(status));
783 }
784
785 done:
786 if (res)
787 ads_msgfree(ads, res);
788 ads_destroy(&ads);
789 SAFE_FREE(ou_str);
790 return rc;
791 }
792
793 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
794 {
795 ADS_STRUCT *ads;
796 ADS_STATUS rc;
797 LDAPMessage *res = NULL;
798 char *groupdn;
799
800 if (argc < 1 || c->display_usage) {
801 return net_ads_group_usage(c, argc, argv);
802 }
803
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
805 return -1;
806 }
807
808 rc = ads_find_user_acct(ads, &res, argv[0]);
809 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
810 d_printf(_("Group %s does not exist.\n"), argv[0]);
811 ads_msgfree(ads, res);
812 ads_destroy(&ads);
813 return -1;
814 }
815 groupdn = ads_get_dn(ads, talloc_tos(), res);
816 ads_msgfree(ads, res);
817 rc = ads_del_dn(ads, groupdn);
818 TALLOC_FREE(groupdn);
819 if (ADS_ERR_OK(rc)) {
820 d_printf(_("Group %s deleted\n"), argv[0]);
821 ads_destroy(&ads);
822 return 0;
823 }
824 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
825 ads_errstr(rc));
826 ads_destroy(&ads);
827 return -1;
828 }
829
830 int net_ads_group(struct net_context *c, int argc, const char **argv)
831 {
832 struct functable func[] = {
833 {
834 "add",
835 ads_group_add,
836 NET_TRANSPORT_ADS,
837 N_("Add an AD group"),
838 N_("net ads group add\n"
839 " Add an AD group")
840 },
841 {
842 "delete",
843 ads_group_delete,
844 NET_TRANSPORT_ADS,
845 N_("Delete an AD group"),
846 N_("net ads group delete\n"
847 " Delete an AD group")
848 },
849 {NULL, NULL, 0, NULL, NULL}
850 };
851 ADS_STRUCT *ads;
852 ADS_STATUS rc;
853 const char *shortattrs[] = {"sAMAccountName", NULL};
854 const char *longattrs[] = {"sAMAccountName", "description", NULL};
855 char *disp_fields[2] = {NULL, NULL};
856
857 if (argc == 0) {
858 if (c->display_usage) {
859 d_printf( "%s\n"
860 "net ads group\n"
861 " %s\n",
862 _("Usage:"),
863 _("List AD groups"));
864 net_display_usage_from_functable(func);
865 return 0;
866 }
867
868 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
869 return -1;
870 }
871
872 if (c->opt_long_list_entries)
873 d_printf(_("\nGroup name Comment"
874 "\n-----------------------------\n"));
875 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
876 LDAP_SCOPE_SUBTREE,
877 "(objectCategory=group)",
878 c->opt_long_list_entries ? longattrs :
879 shortattrs, usergrp_display,
880 disp_fields);
881
882 ads_destroy(&ads);
883 return ADS_ERR_OK(rc) ? 0 : -1;
884 }
885 return net_run_function(c, argc, argv, "net ads group", func);
886 }
887
888 static int net_ads_status(struct net_context *c, int argc, const char **argv)
889 {
890 ADS_STRUCT *ads;
891 ADS_STATUS rc;
892 LDAPMessage *res;
893
894 if (c->display_usage) {
895 d_printf( "%s\n"
896 "net ads status\n"
897 " %s\n",
898 _("Usage:"),
899 _("Display machine account details"));
900 return 0;
901 }
902
903 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
904 return -1;
905 }
906
907 rc = ads_find_machine_acct(ads, &res, global_myname());
908 if (!ADS_ERR_OK(rc)) {
909 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
910 ads_destroy(&ads);
911 return -1;
912 }
913
914 if (ads_count_replies(ads, res) == 0) {
915 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
916 ads_destroy(&ads);
917 return -1;
918 }
919
920 ads_dump(ads, res);
921 ads_destroy(&ads);
922 return 0;
923 }
924
925 /*******************************************************************
926 Leave an AD domain. Windows XP disables the machine account.
927 We'll try the same. The old code would do an LDAP delete.
928 That only worked using the machine creds because added the machine
929 with full control to the computer object's ACL.
930 *******************************************************************/
931
932 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
933 {
934 TALLOC_CTX *ctx;
935 struct libnet_UnjoinCtx *r = NULL;
936 WERROR werr;
937
938 if (c->display_usage) {
939 d_printf( "%s\n"
940 "net ads leave\n"
941 " %s\n",
942 _("Usage:"),
943 _("Leave an AD domain"));
944 return 0;
945 }
946
947 if (!*lp_realm()) {
948 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
949 return -1;
950 }
951
952 if (!(ctx = talloc_init("net_ads_leave"))) {
953 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
954 return -1;
955 }
956
957 if (!c->opt_kerberos) {
958 use_in_memory_ccache();
959 }
960
961 werr = libnet_init_UnjoinCtx(ctx, &r);
962 if (!W_ERROR_IS_OK(werr)) {
963 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
964 return -1;
965 }
966
967 r->in.debug = true;
968 r->in.use_kerberos = c->opt_kerberos;
969 r->in.dc_name = c->opt_host;
970 r->in.domain_name = lp_realm();
971 r->in.admin_account = c->opt_user_name;
972 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
973 r->in.modify_config = lp_config_backend_is_registry();
974
975 /* Try to delete it, but if that fails, disable it. The
976 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
977 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
978 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
979 r->in.delete_machine_account = true;
980
981 werr = libnet_Unjoin(ctx, r);
982 if (!W_ERROR_IS_OK(werr)) {
983 d_printf(_("Failed to leave domain: %s\n"),
984 r->out.error_string ? r->out.error_string :
985 get_friendly_werror_msg(werr));
986 goto done;
987 }
988
989 if (r->out.deleted_machine_account) {
990 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
991 r->in.machine_name, r->out.dns_domain_name);
992 goto done;
993 }
994
995 /* We couldn't delete it - see if the disable succeeded. */
996 if (r->out.disabled_machine_account) {
997 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
998 r->in.machine_name, r->out.dns_domain_name);
999 werr = WERR_OK;
1000 goto done;
1001 }
1002
1003 /* Based on what we requseted, we shouldn't get here, but if
1004 we did, it means the secrets were removed, and therefore
1005 we have left the domain */
1006 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1007 r->in.machine_name, r->out.dns_domain_name);
1008
1009 done:
1010 TALLOC_FREE(r);
1011 TALLOC_FREE(ctx);
1012
1013 if (W_ERROR_IS_OK(werr)) {
1014 return 0;
1015 }
1016
1017 return -1;
1018 }
1019
1020 static NTSTATUS net_ads_join_ok(struct net_context *c)
1021 {
1022 ADS_STRUCT *ads = NULL;
1023 ADS_STATUS status;
1024 fstring dc_name;
1025 struct sockaddr_storage dcip;
1026
1027 if (!secrets_init()) {
1028 DEBUG(1,("Failed to initialise secrets database\n"));
1029 return NT_STATUS_ACCESS_DENIED;
1030 }
1031
1032 net_use_krb_machine_account(c);
1033
1034 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1035
1036 status = ads_startup(c, true, &ads);
1037 if (!ADS_ERR_OK(status)) {
1038 return ads_ntstatus(status);
1039 }
1040
1041 ads_destroy(&ads);
1042 return NT_STATUS_OK;
1043 }
1044
1045 /*
1046 check that an existing join is OK
1047 */
1048 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1049 {
1050 NTSTATUS status;
1051 use_in_memory_ccache();
1052
1053 if (c->display_usage) {
1054 d_printf( "%s\n"
1055 "net ads testjoin\n"
1056 " %s\n",
1057 _("Usage:"),
1058 _("Test if the existing join is ok"));
1059 return 0;
1060 }
1061
1062 /* Display success or failure */
1063 status = net_ads_join_ok(c);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1066 get_friendly_nt_error_msg(status));
1067 return -1;
1068 }
1069
1070 printf(_("Join is OK\n"));
1071 return 0;
1072 }
1073
1074 /*******************************************************************
1075 Simple configu checks before beginning the join
1076 ********************************************************************/
1077
1078 static WERROR check_ads_config( void )
1079 {
1080 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1081 d_printf(_("Host is not configured as a member server.\n"));
1082 return WERR_INVALID_DOMAIN_ROLE;
1083 }
1084
1085 if (strlen(global_myname()) > 15) {
1086 d_printf(_("Our netbios name can be at most 15 chars long, "
1087 "\"%s\" is %u chars long\n"), global_myname(),
1088 (unsigned int)strlen(global_myname()));
1089 return WERR_INVALID_COMPUTERNAME;
1090 }
1091
1092 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1093 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1094 "join to succeed.\n"), get_dyn_CONFIGFILE());
1095 return WERR_INVALID_PARAM;
1096 }
1097
1098 return WERR_OK;
1099 }
1100
1101 /*******************************************************************
1102 Send a DNS update request
1103 *******************************************************************/
1104
1105 #if defined(WITH_DNS_UPDATES)
1106 #include "dns.h"
1107 DNS_ERROR DoDNSUpdate(char *pszServerName,
1108 const char *pszDomainName, const char *pszHostName,
1109 const struct sockaddr_storage *sslist,
1110 size_t num_addrs );
1111
1112 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1113 const char *machine_name,
1114 const struct sockaddr_storage *addrs,
1115 int num_addrs)
1116 {
1117 struct dns_rr_ns *nameservers = NULL;
1118 int ns_count = 0;
1119 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1120 DNS_ERROR dns_err;
1121 fstring dns_server;
1122 const char *dnsdomain = NULL;
1123 char *root_domain = NULL;
1124
1125 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1126 d_printf(_("No DNS domain configured for %s. "
1127 "Unable to perform DNS Update.\n"), machine_name);
1128 status = NT_STATUS_INVALID_PARAMETER;
1129 goto done;
1130 }
1131 dnsdomain++;
1132
1133 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1134 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1135 /* Child domains often do not have NS records. Look
1136 for the NS record for the forest root domain
1137 (rootDomainNamingContext in therootDSE) */
1138
1139 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1140 LDAPMessage *msg = NULL;
1141 char *root_dn;
1142 ADS_STATUS ads_status;
1143
1144 if ( !ads->ldap.ld ) {
1145 ads_status = ads_connect( ads );
1146 if ( !ADS_ERR_OK(ads_status) ) {
1147 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1148 goto done;
1149 }
1150 }
1151
1152 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1153 "(objectclass=*)", rootname_attrs, &msg);
1154 if (!ADS_ERR_OK(ads_status)) {
1155 goto done;
1156 }
1157
1158 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1159 if ( !root_dn ) {
1160 ads_msgfree( ads, msg );
1161 goto done;
1162 }
1163
1164 root_domain = ads_build_domain( root_dn );
1165
1166 /* cleanup */
1167 ads_msgfree( ads, msg );
1168
1169 /* try again for NS servers */
1170
1171 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1172
1173 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1174 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1175 "realm\n", ads->config.realm));
1176 goto done;
1177 }
1178
1179 dnsdomain = root_domain;
1180
1181 }
1182
1183 /* Now perform the dns update - we'll try non-secure and if we fail,
1184 we'll follow it up with a secure update */
1185
1186 fstrcpy( dns_server, nameservers[0].hostname );
1187
1188 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1189 if (!ERR_DNS_IS_OK(dns_err)) {
1190 status = NT_STATUS_UNSUCCESSFUL;
1191 }
1192
1193 done:
1194
1195 SAFE_FREE( root_domain );
1196
1197 return status;
1198 }
1199
1200 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1201 const char *hostname,
1202 struct sockaddr_storage *iplist,
1203 int num_addrs)
1204 {
1205 struct sockaddr_storage *iplist_alloc = NULL;
1206 fstring machine_name;
1207 NTSTATUS status;
1208
1209 if (hostname) {
1210 fstrcpy(machine_name, hostname);
1211 } else {
1212 name_to_fqdn( machine_name, global_myname() );
1213 }
1214 strlower_m( machine_name );
1215
1216 if (num_addrs == 0 || iplist == NULL) {
1217 /*
1218 * Get our ip address
1219 * (not the 127.0.0.x address but a real ip address)
1220 */
1221 num_addrs = get_my_ip_address(&iplist_alloc);
1222 if ( num_addrs <= 0 ) {
1223 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1224 "non-loopback IP addresses!\n"));
1225 return NT_STATUS_INVALID_PARAMETER;
1226 }
1227 iplist = iplist_alloc;
1228 }
1229
1230 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1231 iplist, num_addrs);
1232
1233 SAFE_FREE(iplist_alloc);
1234 return status;
1235 }
1236
1237 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1238 {
1239 NTSTATUS status;
1240
1241 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1242 return status;
1243 }
1244 #endif
1245
1246
1247 /*******************************************************************
1248 ********************************************************************/
1249
1250 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1251 {
1252 d_printf(_("net ads join [options]\n"
1253 "Valid options:\n"));
1254 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1255 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1256 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1257 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1258 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1259 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1260 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1261 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1262 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1263 " NB: osName and osVer must be specified together for either to take effect.\n"
1264 " Also, the operatingSystemService attribute is also set when along with\n"
1265 " the two other attributes.\n"));
1266
1267 return -1;
1268 }
1269
1270 /*******************************************************************
1271 ********************************************************************/
1272
1273 int net_ads_join(struct net_context *c, int argc, const char **argv)
1274 {
1275 TALLOC_CTX *ctx = NULL;
1276 struct libnet_JoinCtx *r = NULL;
1277 const char *domain = lp_realm();
1278 WERROR werr = WERR_SETUP_NOT_JOINED;
1279 bool createupn = false;
1280 const char *machineupn = NULL;
1281 const char *create_in_ou = NULL;
1282 int i;
1283 const char *os_name = NULL;
1284 const char *os_version = NULL;
1285 bool modify_config = lp_config_backend_is_registry();
1286
1287 if (c->display_usage)
1288 return net_ads_join_usage(c, argc, argv);
1289
1290 if (!modify_config) {
1291
1292 werr = check_ads_config();
1293 if (!W_ERROR_IS_OK(werr)) {
1294 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1295 goto fail;
1296 }
1297 }
1298
1299 if (!(ctx = talloc_init("net_ads_join"))) {
1300 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1301 werr = WERR_NOMEM;
1302 goto fail;
1303 }
1304
1305 if (!c->opt_kerberos) {
1306 use_in_memory_ccache();
1307 }
1308
1309 werr = libnet_init_JoinCtx(ctx, &r);
1310 if (!W_ERROR_IS_OK(werr)) {
1311 goto fail;
1312 }
1313
1314 /* process additional command line args */
1315
1316 for ( i=0; i<argc; i++ ) {
1317 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1318 createupn = true;
1319 machineupn = get_string_param(argv[i]);
1320 }
1321 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1322 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1323 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1324 werr = WERR_INVALID_PARAM;
1325 goto fail;
1326 }
1327 }
1328 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1329 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1330 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1331 werr = WERR_INVALID_PARAM;
1332 goto fail;
1333 }
1334 }
1335 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1336 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1337 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1338 werr = WERR_INVALID_PARAM;
1339 goto fail;
1340 }
1341 }
1342 else {
1343 domain = argv[i];
1344 }
1345 }
1346
1347 if (!*domain) {
1348 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1349 werr = WERR_INVALID_PARAM;
1350 goto fail;
1351 }
1352
1353 /* Do the domain join here */
1354
1355 r->in.domain_name = domain;
1356 r->in.create_upn = createupn;
1357 r->in.upn = machineupn;
1358 r->in.account_ou = create_in_ou;
1359 r->in.os_name = os_name;
1360 r->in.os_version = os_version;
1361 r->in.dc_name = c->opt_host;
1362 r->in.admin_account = c->opt_user_name;
1363 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1364 r->in.debug = true;
1365 r->in.use_kerberos = c->opt_kerberos;
1366 r->in.modify_config = modify_config;
1367 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1368 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1369 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1370
1371 werr = libnet_Join(ctx, r);
1372 if (!W_ERROR_IS_OK(werr)) {
1373 goto fail;
1374 }
1375
1376 /* Check the short name of the domain */
1377
1378 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1379 d_printf(_("The workgroup in %s does not match the short\n"
1380 "domain name obtained from the server.\n"
1381 "Using the name [%s] from the server.\n"
1382 "You should set \"workgroup = %s\" in %s.\n"),
1383 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1384 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1385 }
1386
1387 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1388
1389 if (r->out.dns_domain_name) {
1390 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1391 r->out.dns_domain_name);
1392 } else {
1393 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1394 r->out.netbios_domain_name);
1395 }
1396
1397 #if defined(WITH_DNS_UPDATES)
1398 /*
1399 * In a clustered environment, don't do dynamic dns updates:
1400 * Registering the set of ip addresses that are assigned to
1401 * the interfaces of the node that performs the join does usually
1402 * not have the desired effect, since the local interfaces do not
1403 * carry the complete set of the cluster's public IP addresses.
1404 * And it can also contain internal addresses that should not
1405 * be visible to the outside at all.
1406 * In order to do dns updates in a clustererd setup, use
1407 * net ads dns register.
1408 */
1409 if (lp_clustering()) {
1410 d_fprintf(stderr, _("Not doing automatic DNS update in a"
1411 "clustered setup.\n"));
1412 goto done;
1413 }
1414
1415 if (r->out.domain_is_ad) {
1416 /* We enter this block with user creds */
1417 ADS_STRUCT *ads_dns = NULL;
1418
1419 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1420 /* kinit with the machine password */
1421
1422 use_in_memory_ccache();
1423 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1424 goto fail;
1425 }
1426 ads_dns->auth.password = secrets_fetch_machine_password(
1427 r->out.netbios_domain_name, NULL, NULL );
1428 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1429 strupper_m(ads_dns->auth.realm );
1430 ads_kinit_password( ads_dns );
1431 }
1432
1433 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1434 d_fprintf( stderr, _("DNS update failed!\n") );
1435 }
1436
1437 /* exit from this block using machine creds */
1438 ads_destroy(&ads_dns);
1439 }
1440 #endif
1441
1442 done:
1443 TALLOC_FREE(r);
1444 TALLOC_FREE( ctx );
1445
1446 return 0;
1447
1448 fail:
1449 /* issue an overall failure message at the end. */
1450 d_printf(_("Failed to join domain: %s\n"),
1451 r && r->out.error_string ? r->out.error_string :
1452 get_friendly_werror_msg(werr));
1453 TALLOC_FREE( ctx );
1454
1455 return -1;
1456 }
1457
1458 /*******************************************************************
1459 ********************************************************************/
1460
1461 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1462 {
1463 #if defined(WITH_DNS_UPDATES)
1464 ADS_STRUCT *ads;
1465 ADS_STATUS status;
1466 TALLOC_CTX *ctx;
1467
1468 #ifdef DEVELOPER
1469 talloc_enable_leak_report();
1470 #endif
1471
1472 if (argc > 1 || c->display_usage) {
1473 d_printf( "%s\n"
1474 "net ads dns register [hostname]\n"
1475 " %s\n",
1476 _("Usage:"),
1477 _("Register hostname with DNS\n"));
1478 return -1;
1479 }
1480
1481 if (!(ctx = talloc_init("net_ads_dns"))) {
1482 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1483 return -1;
1484 }
1485
1486 status = ads_startup(c, true, &ads);
1487 if ( !ADS_ERR_OK(status) ) {
1488 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1489 TALLOC_FREE(ctx);
1490 return -1;
1491 }
1492
1493 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
1494 d_fprintf( stderr, _("DNS update failed!\n") );
1495 ads_destroy( &ads );
1496 TALLOC_FREE( ctx );
1497 return -1;
1498 }
1499
1500 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1501
1502 ads_destroy(&ads);
1503 TALLOC_FREE( ctx );
1504
1505 return 0;
1506 #else
1507 d_fprintf(stderr,
1508 _("DNS update support not enabled at compile time!\n"));
1509 return -1;
1510 #endif
1511 }
1512
1513 #if defined(WITH_DNS_UPDATES)
1514 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1515 #endif
1516
1517 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1518 {
1519 #if defined(WITH_DNS_UPDATES)
1520 DNS_ERROR err;
1521
1522 #ifdef DEVELOPER
1523 talloc_enable_leak_report();
1524 #endif
1525
1526 if (argc != 2 || c->display_usage) {
1527 d_printf( "%s\n"
1528 " %s\n"
1529 " %s\n",
1530 _("Usage:"),
1531 _("net ads dns gethostbyname <server> <name>\n"),
1532 _(" Look up hostname from the AD\n"
1533 " server\tName server to use\n"
1534 " name\tName to look up\n"));
1535 return -1;
1536 }
1537
1538 err = do_gethostbyname(argv[0], argv[1]);
1539
1540 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1541 #endif
1542 return 0;
1543 }
1544
1545 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1546 {
1547 struct functable func[] = {
1548 {
1549 "register",
1550 net_ads_dns_register,
1551 NET_TRANSPORT_ADS,
1552 N_("Add host dns entry to AD"),
1553 N_("net ads dns register\n"
1554 " Add host dns entry to AD")
1555 },
1556 {
1557 "gethostbyname",
1558 net_ads_dns_gethostbyname,
1559 NET_TRANSPORT_ADS,
1560 N_("Look up host"),
1561 N_("net ads dns gethostbyname\n"
1562 " Look up host")
1563 },
1564 {NULL, NULL, 0, NULL, NULL}
1565 };
1566
1567 return net_run_function(c, argc, argv, "net ads dns", func);
1568 }
1569
1570 /*******************************************************************
1571 ********************************************************************/
1572
1573 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1574 {
1575 d_printf(_(
1576 "\nnet ads printer search <printer>"
1577 "\n\tsearch for a printer in the directory\n"
1578 "\nnet ads printer info <printer> <server>"
1579 "\n\tlookup info in directory for printer on server"
1580 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1581 "\nnet ads printer publish <printername>"
1582 "\n\tpublish printer in directory"
1583 "\n\t(note: printer name is required)\n"
1584 "\nnet ads printer remove <printername>"
1585 "\n\tremove printer from directory"
1586 "\n\t(note: printer name is required)\n"));
1587 return -1;
1588 }
1589
1590 /*******************************************************************
1591 ********************************************************************/
1592
1593 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1594 {
1595 ADS_STRUCT *ads;
1596 ADS_STATUS rc;
1597 LDAPMessage *res = NULL;
1598
1599 if (c->display_usage) {
1600 d_printf( "%s\n"
1601 "net ads printer search\n"
1602 " %s\n",
1603 _("Usage:"),
1604 _("List printers in the AD"));
1605 return 0;
1606 }
1607
1608 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1609 return -1;
1610 }
1611
1612 rc = ads_find_printers(ads, &res);
1613
1614 if (!ADS_ERR_OK(rc)) {
1615 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1616 ads_msgfree(ads, res);
1617 ads_destroy(&ads);
1618 return -1;
1619 }
1620
1621 if (ads_count_replies(ads, res) == 0) {
1622 d_fprintf(stderr, _("No results found\n"));
1623 ads_msgfree(ads, res);
1624 ads_destroy(&ads);
1625 return -1;
1626 }
1627
1628 ads_dump(ads, res);
1629 ads_msgfree(ads, res);
1630 ads_destroy(&ads);
1631 return 0;
1632 }
1633
1634 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1635 {
1636 ADS_STRUCT *ads;
1637 ADS_STATUS rc;
1638 const char *servername, *printername;
1639 LDAPMessage *res = NULL;
1640
1641 if (c->display_usage) {
1642 d_printf("%s\n%s",
1643 _("Usage:"),
1644 _("net ads printer info [printername [servername]]\n"
1645 " Display printer info from AD\n"
1646 " printername\tPrinter name or wildcard\n"
1647 " servername\tName of the print server\n"));
1648 return 0;
1649 }
1650
1651 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1652 return -1;
1653 }
1654
1655 if (argc > 0) {
1656 printername = argv[0];
1657 } else {
1658 printername = "*";
1659 }
1660
1661 if (argc > 1) {
1662 servername = argv[1];
1663 } else {
1664 servername = global_myname();
1665 }
1666
1667 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1668
1669 if (!ADS_ERR_OK(rc)) {
1670 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1671 servername, ads_errstr(rc));
1672 ads_msgfree(ads, res);
1673 ads_destroy(&ads);
1674 return -1;
1675 }
1676
1677 if (ads_count_replies(ads, res) == 0) {
1678 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1679 ads_msgfree(ads, res);
1680 ads_destroy(&ads);
1681 return -1;
1682 }
1683
1684 ads_dump(ads, res);
1685 ads_msgfree(ads, res);
1686 ads_destroy(&ads);
1687
1688 return 0;
1689 }
1690
1691 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1692 {
1693 ADS_STRUCT *ads;
1694 ADS_STATUS rc;
1695 const char *servername, *printername;
1696 struct cli_state *cli = NULL;
1697 struct rpc_pipe_client *pipe_hnd = NULL;
1698 struct sockaddr_storage server_ss;
1699 NTSTATUS nt_status;
1700 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1701 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1702 char *prt_dn, *srv_dn, **srv_cn;
1703 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1704 LDAPMessage *res = NULL;
1705
1706 if (argc < 1 || c->display_usage) {
1707 d_printf("%s\n%s",
1708 _("Usage:"),
1709 _("net ads printer publish <printername> [servername]\n"
1710 " Publish printer in AD\n"
1711 " printername\tName of the printer\n"
1712 " servername\tName of the print server\n"));
1713 talloc_destroy(mem_ctx);
1714 return -1;
1715 }
1716
1717 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1718 talloc_destroy(mem_ctx);
1719 return -1;
1720 }
1721
1722 printername = argv[0];
1723
1724 if (argc == 2) {
1725 servername = argv[1];
1726 } else {
1727 servername = global_myname();
1728 }
1729
1730 /* Get printer data from SPOOLSS */
1731
1732 resolve_name(servername, &server_ss, 0x20, false);
1733
1734 nt_status = cli_full_connection(&cli, global_myname(), servername,
1735 &server_ss, 0,
1736 "IPC$", "IPC",
1737 c->opt_user_name, c->opt_workgroup,
1738 c->opt_password ? c->opt_password : "",
1739 CLI_FULL_CONNECTION_USE_KERBEROS,
1740 Undefined, NULL);
1741
1742 if (NT_STATUS_IS_ERR(nt_status)) {
1743 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1744 "obtain data for %s\n"),
1745 servername, printername);
1746 ads_destroy(&ads);
1747 talloc_destroy(mem_ctx);
1748 return -1;
1749 }
1750
1751 /* Publish on AD server */
1752
1753 ads_find_machine_acct(ads, &res, servername);
1754
1755 if (ads_count_replies(ads, res) == 0) {
1756 d_fprintf(stderr, _("Could not find machine account for server "
1757 "%s\n"),
1758 servername);
1759 ads_destroy(&ads);
1760 talloc_destroy(mem_ctx);
1761 return -1;
1762 }
1763
1764 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1765 srv_cn = ldap_explode_dn(srv_dn, 1);
1766
1767 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1768 printername_escaped = escape_rdn_val_string_alloc(printername);
1769 if (!srv_cn_escaped || !printername_escaped) {
1770 SAFE_FREE(srv_cn_escaped);
1771 SAFE_FREE(printername_escaped);
1772 d_fprintf(stderr, _("Internal error, out of memory!"));
1773 ads_destroy(&ads);
1774 talloc_destroy(mem_ctx);
1775 return -1;
1776 }
1777
1778 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1779 SAFE_FREE(srv_cn_escaped);
1780 SAFE_FREE(printername_escaped);
1781 d_fprintf(stderr, _("Internal error, out of memory!"));
1782 ads_destroy(&ads);
1783 talloc_destroy(mem_ctx);
1784 return -1;
1785 }
1786
1787 SAFE_FREE(srv_cn_escaped);
1788 SAFE_FREE(printername_escaped);
1789
1790 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1791 if (!NT_STATUS_IS_OK(nt_status)) {
1792 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1793 servername);
1794 SAFE_FREE(prt_dn);
1795 ads_destroy(&ads);
1796 talloc_destroy(mem_ctx);
1797 return -1;
1798 }
1799
1800 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1801 printername))) {
1802 SAFE_FREE(prt_dn);
1803 ads_destroy(&ads);
1804 talloc_destroy(mem_ctx);
1805 return -1;
1806 }
1807
1808 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1809 if (!ADS_ERR_OK(rc)) {
1810 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1811 SAFE_FREE(prt_dn);
1812 ads_destroy(&ads);
1813 talloc_destroy(mem_ctx);
1814 return -1;
1815 }
1816
1817 d_printf("published printer\n");
1818 SAFE_FREE(prt_dn);
1819 ads_destroy(&ads);
1820 talloc_destroy(mem_ctx);
1821
1822 return 0;
1823 }
1824
1825 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1826 {
1827 ADS_STRUCT *ads;
1828 ADS_STATUS rc;
1829 const char *servername;
1830 char *prt_dn;
1831 LDAPMessage *res = NULL;
1832
1833 if (argc < 1 || c->display_usage) {
1834 d_printf("%s\n%s",
1835 _("Usage:"),
1836 _("net ads printer remove <printername> [servername]\n"
1837 " Remove a printer from the AD\n"
1838 " printername\tName of the printer\n"
1839 " servername\tName of the print server\n"));
1840 return -1;
1841 }
1842
1843 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1844 return -1;
1845 }
1846
1847 if (argc > 1) {
1848 servername = argv[1];
1849 } else {
1850 servername = global_myname();
1851 }
1852
1853 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1854
1855 if (!ADS_ERR_OK(rc)) {
1856 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1857 ads_msgfree(ads, res);
1858 ads_destroy(&ads);
1859 return -1;
1860 }
1861
1862 if (ads_count_replies(ads, res) == 0) {
1863 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1864 ads_msgfree(ads, res);
1865 ads_destroy(&ads);
1866 return -1;
1867 }
1868
1869 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1870 ads_msgfree(ads, res);
1871 rc = ads_del_dn(ads, prt_dn);
1872 TALLOC_FREE(prt_dn);
1873
1874 if (!ADS_ERR_OK(rc)) {
1875 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1876 ads_destroy(&ads);
1877 return -1;
1878 }
1879
1880 ads_destroy(&ads);
1881 return 0;
1882 }
1883
1884 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1885 {
1886 struct functable func[] = {
1887 {
1888 "search",
1889 net_ads_printer_search,
1890 NET_TRANSPORT_ADS,
1891 N_("Search for a printer"),
1892 N_("net ads printer search\n"
1893 " Search for a printer")
1894 },
1895 {
1896 "info",
1897 net_ads_printer_info,
1898 NET_TRANSPORT_ADS,
1899 N_("Display printer information"),
1900 N_("net ads printer info\n"
1901 " Display printer information")
1902 },
1903 {
1904 "publish",
1905 net_ads_printer_publish,
1906 NET_TRANSPORT_ADS,
1907 N_("Publish a printer"),
1908 N_("net ads printer publish\n"
1909 " Publish a printer")
1910 },
1911 {
1912 "remove",
1913 net_ads_printer_remove,
1914 NET_TRANSPORT_ADS,
1915 N_("Delete a printer"),
1916 N_("net ads printer remove\n"
1917 " Delete a printer")
1918 },
1919 {NULL, NULL, 0, NULL, NULL}
1920 };
1921
1922 return net_run_function(c, argc, argv, "net ads printer", func);
1923 }
1924
1925
1926 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1927 {
1928 ADS_STRUCT *ads;
1929 const char *auth_principal = c->opt_user_name;
1930 const char *auth_password = c->opt_password;
1931 char *realm = NULL;
1932 char *new_password = NULL;
1933 char *chr, *prompt;
1934 const char *user;
1935 ADS_STATUS ret;
1936
1937 if (c->display_usage) {
1938 d_printf("%s\n%s",
1939 _("Usage:"),
1940 _("net ads password <username>\n"
1941 " Change password for user\n"
1942 " username\tName of user to change password for\n"));
1943 return 0;
1944 }
1945
1946 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1947 d_fprintf(stderr, _("You must supply an administrator "
1948 "username/password\n"));
1949 return -1;
1950 }
1951
1952 if (argc < 1) {
1953 d_fprintf(stderr, _("ERROR: You must say which username to "
1954 "change password for\n"));
1955 return -1;
1956 }
1957
1958 user = argv[0];
1959 if (!strchr_m(user, '@')) {
1960 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1961 return -1;
1962 }
1963 user = chr;
1964 }
1965
1966 use_in_memory_ccache();
1967 chr = strchr_m(auth_principal, '@');
1968 if (chr) {
1969 realm = ++chr;
1970 } else {
1971 realm = lp_realm();
1972 }
1973
1974 /* use the realm so we can eventually change passwords for users
1975 in realms other than default */
1976 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1977 return -1;
1978 }
1979
1980 /* we don't actually need a full connect, but it's the easy way to
1981 fill in the KDC's addresss */
1982 ads_connect(ads);
1983
1984 if (!ads->config.realm) {
1985 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1986 ads_destroy(&ads);
1987 return -1;
1988 }
1989
1990 if (argv[1]) {
1991 new_password = (char *)argv[1];
1992 } else {
1993 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1994 return -1;
1995 }
1996 new_password = getpass(prompt);
1997 free(prompt);
1998 }
1999
2000 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2001 auth_password, user, new_password, ads->auth.time_offset);
2002 if (!ADS_ERR_OK(ret)) {
2003 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2004 ads_destroy(&ads);
2005 return -1;
2006 }
2007
2008 d_printf(_("Password change for %s completed.\n"), user);
2009 ads_destroy(&ads);
2010
2011 return 0;
2012 }
2013
2014 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2015 {
2016 ADS_STRUCT *ads;
2017 char *host_principal;
2018 fstring my_name;
2019 ADS_STATUS ret;
2020
2021 if (c->display_usage) {
2022 d_printf( "%s\n"
2023 "net ads changetrustpw\n"
2024 " %s\n",
2025 _("Usage:"),
2026 _("Change the machine account's trust password"));
2027 return 0;
2028 }
2029
2030 if (!secrets_init()) {
2031 DEBUG(1,("Failed to initialise secrets database\n"));
2032 return -1;
2033 }
2034
2035 net_use_krb_machine_account(c);
2036
2037 use_in_memory_ccache();
2038
2039 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2040 return -1;
2041 }
2042
2043 fstrcpy(my_name, global_myname());
2044 strlower_m(my_name);
2045 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2046 ads_destroy(&ads);
2047 return -1;
2048 }
2049 d_printf(_("Changing password for principal: %s\n"), host_principal);
2050
2051 ret = ads_change_trust_account_password(ads, host_principal);
2052
2053 if (!ADS_ERR_OK(ret)) {
2054 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2055 ads_destroy(&ads);
2056 SAFE_FREE(host_principal);
2057 return -1;
2058 }
2059
2060 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2061
2062 if (USE_SYSTEM_KEYTAB) {
2063 d_printf(_("Attempting to update system keytab with new password.\n"));
2064 if (ads_keytab_create_default(ads)) {
2065 d_printf(_("Failed to update system keytab.\n"));
2066 }
2067 }
2068
2069 ads_destroy(&ads);
2070 SAFE_FREE(host_principal);
2071
2072 return 0;
2073 }
2074
2075 /*
2076 help for net ads search
2077 */
2078 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2079 {
2080 d_printf(_(
2081 "\nnet ads search <expression> <attributes...>\n"
2082 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2083 "The expression is a standard LDAP search expression, and the\n"
2084 "attributes are a list of LDAP fields to show in the results.\n\n"
2085 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2086 ));
2087 net_common_flags_usage(c, argc, argv);
2088 return -1;
2089 }
2090
2091
2092 /*
2093 general ADS search function. Useful in diagnosing problems in ADS
2094 */
2095 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2096 {
2097 ADS_STRUCT *ads;
2098 ADS_STATUS rc;
2099 const char *ldap_exp;
2100 const char **attrs;
2101 LDAPMessage *res = NULL;
2102
2103 if (argc < 1 || c->display_usage) {
2104 return net_ads_search_usage(c, argc, argv);
2105 }
2106
2107 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2108 return -1;
2109 }
2110
2111 ldap_exp = argv[0];
2112 attrs = (argv + 1);
2113
2114 rc = ads_do_search_all(ads, ads->config.bind_path,
2115 LDAP_SCOPE_SUBTREE,
2116 ldap_exp, attrs, &res);
2117 if (!ADS_ERR_OK(rc)) {
2118 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2119 ads_destroy(&ads);
2120 return -1;
2121 }
2122
2123 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2124
2125 /* dump the results */
2126 ads_dump(ads, res);
2127
2128 ads_msgfree(ads, res);
2129 ads_destroy(&ads);
2130
2131 return 0;
2132 }
2133
2134
2135 /*
2136 help for net ads search
2137 */
2138 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2139 {
2140 d_printf(_(
2141 "\nnet ads dn <dn> <attributes...>\n"
2142 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2143 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2144 "to show in the results\n\n"
2145 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2146 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2147 ));
2148 net_common_flags_usage(c, argc, argv);
2149 return -1;
2150 }
2151
2152
2153 /*
2154 general ADS search function. Useful in diagnosing problems in ADS
2155 */
2156 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2157 {
2158 ADS_STRUCT *ads;
2159 ADS_STATUS rc;
2160 const char *dn;
2161 const char **attrs;
2162 LDAPMessage *res = NULL;
2163
2164 if (argc < 1 || c->display_usage) {
2165 return net_ads_dn_usage(c, argc, argv);
2166 }
2167
2168 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2169 return -1;
2170 }
2171
2172 dn = argv[0];
2173 attrs = (argv + 1);
2174
2175 rc = ads_do_search_all(ads, dn,
2176 LDAP_SCOPE_BASE,
2177 "(objectclass=*)", attrs, &res);
2178 if (!ADS_ERR_OK(rc)) {
2179 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2180 ads_destroy(&ads);
2181 return -1;
2182 }
2183
2184 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2185
2186 /* dump the results */
2187 ads_dump(ads, res);
2188
2189 ads_msgfree(ads, res);
2190 ads_destroy(&ads);
2191
2192 return 0;
2193 }
2194
2195 /*
2196 help for net ads sid search
2197 */
2198 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2199 {
2200 d_printf(_(
2201 "\nnet ads sid <sid> <attributes...>\n"
2202 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2203 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2204 "to show in the results\n\n"
2205 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2206 ));
2207 net_common_flags_usage(c, argc, argv);
2208 return -1;
2209 }
2210
2211
2212 /*
2213 general ADS search function. Useful in diagnosing problems in ADS
2214 */
2215 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2216 {
2217 ADS_STRUCT *ads;
2218 ADS_STATUS rc;
2219 const char *sid_string;
2220 const char **attrs;
2221 LDAPMessage *res = NULL;
2222 DOM_SID sid;
2223
2224 if (argc < 1 || c->display_usage) {
2225 return net_ads_sid_usage(c, argc, argv);
2226 }
2227
2228 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2229 return -1;
2230 }
2231
2232 sid_string = argv[0];
2233 attrs = (argv + 1);
2234
2235 if (!string_to_sid(&sid, sid_string)) {
2236 d_fprintf(stderr, _("could not convert sid\n"));
2237 ads_destroy(&ads);
2238 return -1;
2239 }
2240
2241 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2242 if (!ADS_ERR_OK(rc)) {
2243 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2244 ads_destroy(&ads);
2245 return -1;
2246 }
2247
2248 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2249
2250 /* dump the results */
2251 ads_dump(ads, res);
2252
2253 ads_msgfree(ads, res);
2254 ads_destroy(&ads);
2255
2256 return 0;
2257 }
2258
2259 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2260 {
2261 int ret;
2262 ADS_STRUCT *ads;
2263
2264 if (c->display_usage) {
2265 d_printf( "%s\n"
2266 "net ads keytab flush\n"
2267 " %s\n",
2268 _("Usage:"),
2269 _("Delete the whole keytab"));
2270 return 0;
2271 }
2272
2273 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2274 return -1;
2275 }
2276 ret = ads_keytab_flush(ads);
2277 ads_destroy(&ads);
2278 return ret;
2279 }
2280
2281 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2282 {
2283 int i;
2284 int ret = 0;
2285 ADS_STRUCT *ads;
2286
2287 if (c->display_usage) {
2288 d_printf("%s\n%s",
2289 _("Usage:"),
2290 _("net ads keytab add <principal> [principal ...]\n"
2291 " Add principals to local keytab\n"
2292 " principal\tKerberos principal to add to "
2293 "keytab\n"));
2294 return 0;
2295 }
2296
2297 d_printf(_("Processing principals to add...\n"));
2298 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2299 return -1;
2300 }
2301 for (i = 0; i < argc; i++) {
2302 ret |= ads_keytab_add_entry(ads, argv[i]);
2303 }
2304 ads_destroy(&ads);
2305 return ret;
2306 }
2307
2308 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2309 {
2310 ADS_STRUCT *ads;
2311 int ret;
2312
2313 if (c->display_usage) {
2314 d_printf( "%s\n"
2315 "net ads keytab create\n"
2316 " %s\n",
2317 _("Usage:"),
2318 _("Create new default keytab"));
2319 return 0;
2320 }
2321
2322 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2323 return -1;
2324 }
2325 ret = ads_keytab_create_default(ads);
2326 ads_destroy(&ads);
2327 return ret;
2328 }
2329
2330 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2331 {
2332 const char *keytab = NULL;
2333
2334 if (c->display_usage) {
2335 d_printf("%s\n%s",
2336 _("Usage:"),
2337 _("net ads keytab list [keytab]\n"
2338 " List a local keytab\n"
2339 " keytab\tKeytab to list\n"));
2340 return 0;
2341 }
2342
2343 if (argc >= 1) {
2344 keytab = argv[0];
2345 }
2346
2347 return ads_keytab_list(keytab);
2348 }
2349
2350
2351 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2352 {
2353 struct functable func[] = {
2354 {
2355 "add",
2356 net_ads_keytab_add,
2357 NET_TRANSPORT_ADS,
2358 N_("Add a service principal"),
2359 N_("net ads keytab add\n"
2360 " Add a service principal")
2361 },
2362 {
2363 "create",
2364 net_ads_keytab_create,
2365 NET_TRANSPORT_ADS,
2366 N_("Create a fresh keytab"),
2367 N_("net ads keytab create\n"
2368 " Create a fresh keytab")
2369 },
2370 {
2371 "flush",
2372 net_ads_keytab_flush,
2373 NET_TRANSPORT_ADS,
2374 N_("Remove all keytab entries"),
2375 N_("net ads keytab flush\n"
2376 " Remove all keytab entries")
2377 },
2378 {
2379 "list",
2380 net_ads_keytab_list,
2381 NET_TRANSPORT_ADS,
2382 N_("List a keytab"),
2383 N_("net ads keytab list\n"
2384 " List a keytab")
2385 },
2386 {NULL, NULL, 0, NULL, NULL}
2387 };
2388
2389 if (!USE_KERBEROS_KEYTAB) {
2390 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2391 "keytab method to use keytab functions.\n"));
2392 }
2393
2394 return net_run_function(c, argc, argv, "net ads keytab", func);
2395 }
2396
2397 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2398 {
2399 int ret = -1;
2400
2401 if (c->display_usage) {
2402 d_printf( "%s\n"
2403 "net ads kerberos renew\n"
2404 " %s\n",
2405 _("Usage:"),
2406 _("Renew TGT from existing credential cache"));
2407 return 0;
2408 }
2409
2410 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2411 if (ret) {
2412 d_printf(_("failed to renew kerberos ticket: %s\n"),
2413 error_message(ret));
2414 }
2415 return ret;
2416 }
2417
2418 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2419 {
2420 struct PAC_DATA *pac = NULL;
2421 struct PAC_LOGON_INFO *info = NULL;
2422 TALLOC_CTX *mem_ctx = NULL;
2423 NTSTATUS status;
2424 int ret = -1;
2425 const char *impersonate_princ_s = NULL;
2426
2427 if (c->display_usage) {
2428 d_printf( "%s\n"
2429 "net ads kerberos pac\n"
2430 " %s\n",
2431 _("Usage:"),
2432 _("Dump the Kerberos PAC"));
2433 return 0;
2434 }
2435
2436 mem_ctx = talloc_init("net_ads_kerberos_pac");
2437 if (!mem_ctx) {
2438 goto out;
2439 }
2440
2441 if (argc > 0) {
2442 impersonate_princ_s = argv[0];
2443 }
2444
2445 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2446
2447 status = kerberos_return_pac(mem_ctx,
2448 c->opt_user_name,
2449 c->opt_password,
2450 0,
2451 NULL,
2452 NULL,
2453 NULL,
2454 true,
2455 true,
2456 2592000, /* one month */
2457 impersonate_princ_s,
2458 &pac);
2459 if (!NT_STATUS_IS_OK(status)) {
2460 d_printf(_("failed to query kerberos PAC: %s\n"),
2461 nt_errstr(status));
2462 goto out;
2463 }
2464
2465 info = get_logon_info_from_pac(pac);
2466 if (info) {
2467 const char *s;
2468 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2469 d_printf(_("The Pac: %s\n"), s);
2470 }
2471
2472 ret = 0;
2473 out:
2474 TALLOC_FREE(mem_ctx);
2475 return ret;
2476 }
2477
2478 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2479 {
2480 TALLOC_CTX *mem_ctx = NULL;
2481 int ret = -1;
2482 NTSTATUS status;
2483
2484 if (c->display_usage) {
2485 d_printf( "%s\n"
2486 "net ads kerberos kinit\n"
2487 " %s\n",
2488 _("Usage:"),
2489 _("Get Ticket Granting Ticket (TGT) for the user"));
2490 return 0;
2491 }
2492
2493 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2494 if (!mem_ctx) {
2495 goto out;
2496 }
2497
2498 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2499
2500 ret = kerberos_kinit_password_ext(c->opt_user_name,
2501 c->opt_password,
2502 0,
2503 NULL,
2504 NULL,
2505 NULL,
2506 true,
2507 true,
2508 2592000, /* one month */
2509 &status);
2510 if (ret) {
2511 d_printf(_("failed to kinit password: %s\n"),
2512 nt_errstr(status));
2513 }
2514 out:
2515 return ret;
2516 }
2517
2518 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2519 {
2520 struct functable func[] = {
2521 {
2522 "kinit",
2523 net_ads_kerberos_kinit,
2524 NET_TRANSPORT_ADS,
2525 N_("Retrieve Ticket Granting Ticket (TGT)"),
2526 N_("net ads kerberos kinit\n"
2527 " Receive Ticket Granting Ticket (TGT)")
2528 },
2529 {
2530 "renew",
2531 net_ads_kerberos_renew,
2532 NET_TRANSPORT_ADS,
2533 N_("Renew Ticket Granting Ticket from credential cache"),
2534 N_("net ads kerberos renew\n"
2535 " Renew Ticket Granting Ticket (TGT) from "
2536 "credential cache")
2537 },
2538 {
2539 "pac",
2540 net_ads_kerberos_pac,
2541 NET_TRANSPORT_ADS,
2542 N_("Dump Kerberos PAC"),
2543 N_("net ads kerberos pac\n"
2544 " Dump Kerberos PAC")
2545 },
2546 {NULL, NULL, 0, NULL, NULL}
2547 };
2548
2549 return net_run_function(c, argc, argv, "net ads kerberos", func);
2550 }
2551
2552 int net_ads(struct net_context *c, int argc, const char **argv)
2553 {
2554 struct functable func[] = {
2555 {
2556 "info",
2557 net_ads_info,
2558 NET_TRANSPORT_ADS,
2559 N_("Display details on remote ADS server"),
2560 N_("net ads info\n"
2561 " Display details on remote ADS server")
2562 },
2563 {
2564 "join",
2565 net_ads_join,
2566 NET_TRANSPORT_ADS,
2567 N_("Join the local machine to ADS realm"),
2568 N_("net ads join\n"
2569 " Join the local machine to ADS realm")
2570 },
2571 {
2572 "testjoin",
2573 net_ads_testjoin,
2574 NET_TRANSPORT_ADS,
2575 N_("Validate machine account"),
2576 N_("net ads testjoin\n"
2577 " Validate machine account")
2578 },
2579 {
2580 "leave",
2581 net_ads_leave,
2582 NET_TRANSPORT_ADS,
2583 N_("Remove the local machine from ADS"),
2584 N_("net ads leave\n"
2585 " Remove the local machine from ADS")
2586 },
2587 {
2588 "status",
2589 net_ads_status,
2590 NET_TRANSPORT_ADS,
2591 N_("Display machine account details"),
2592 N_("net ads status\n"
2593 " Display machine account details")
2594 },
2595 {
2596 "user",
2597 net_ads_user,
2598 NET_TRANSPORT_ADS,
2599 N_("List/modify users"),
2600 N_("net ads user\n"
2601 " List/modify users")
2602 },
2603 {
2604 "group",
2605 net_ads_group,
2606 NET_TRANSPORT_ADS,
2607 N_("List/modify groups"),
2608 N_("net ads group\n"
2609 " List/modify groups")
2610 },
2611 {
2612 "dns",
2613 net_ads_dns,
2614 NET_TRANSPORT_ADS,
2615 N_("Issue dynamic DNS update"),
2616 N_("net ads dns\n"
2617 " Issue dynamic DNS update")
2618 },
2619 {
2620 "password",
2621 net_ads_password,
2622 NET_TRANSPORT_ADS,
2623 N_("Change user passwords"),
2624 N_("net ads password\n"
2625 " Change user passwords")
2626 },
2627 {
2628 "changetrustpw",
2629 net_ads_changetrustpw,
2630 NET_TRANSPORT_ADS,
2631 N_("Change trust account password"),
2632 N_("net ads changetrustpw\n"
2633 " Change trust account password")
2634 },
2635 {
2636 "printer",
2637 net_ads_printer,
2638 NET_TRANSPORT_ADS,
2639 N_("List/modify printer entries"),
2640 N_("net ads printer\n"
2641 " List/modify printer entries")
2642 },
2643 {
2644 "search",
2645 net_ads_search,
2646 NET_TRANSPORT_ADS,
2647 N_("Issue LDAP search using filter"),
2648 N_("net ads search\n"
2649 " Issue LDAP search using filter")
2650 },
2651 {
2652 "dn",
2653 net_ads_dn,
2654 NET_TRANSPORT_ADS,
2655 N_("Issue LDAP search by DN"),
2656 N_("net ads dn\n"
2657 " Issue LDAP search by DN")
2658 },
2659 {
2660 "sid",
2661 net_ads_sid,
2662 NET_TRANSPORT_ADS,
2663 N_("Issue LDAP search by SID"),
2664 N_("net ads sid\n"
2665 " Issue LDAP search by SID")
2666 },
2667 {
2668 "workgroup",
2669 net_ads_workgroup,
2670 NET_TRANSPORT_ADS,
2671 N_("Display workgroup name"),
2672 N_("net ads workgroup\n"
2673 " Display the workgroup name")
2674 },
2675 {
2676 "lookup",
2677 net_ads_lookup,
2678 NET_TRANSPORT_ADS,
2679 N_("Perfom CLDAP query on DC"),
2680 N_("net ads lookup\n"
2681 " Find the ADS DC using CLDAP lookups")
2682 },
2683 {
2684 "keytab",
2685 net_ads_keytab,
2686 NET_TRANSPORT_ADS,
2687 N_("Manage local keytab file"),
2688 N_("net ads keytab\n"
2689 " Manage local keytab file")
2690 },
2691 {
2692 "gpo",
2693 net_ads_gpo,
2694 NET_TRANSPORT_ADS,
2695 N_("Manage group policy objects"),
2696 N_("net ads gpo\n"
2697 " Manage group policy objects")
2698 },
2699 {
2700 "kerberos",
2701 net_ads_kerberos,
2702 NET_TRANSPORT_ADS,
2703 N_("Manage kerberos keytab"),
2704 N_("net ads kerberos\n"
2705 " Manage kerberos keytab")
2706 },
2707 {NULL, NULL, 0, NULL, NULL}
2708 };
2709
2710 return net_run_function(c, argc, argv, "net ads", func);
2711 }
2712
2713 #else
2714
2715 static int net_ads_noads(void)
2716 {
2717 d_fprintf(stderr, _("ADS support not compiled in\n"));
2718 return -1;
2719 }
2720
2721 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2722 {
2723 return net_ads_noads();
2724 }
2725
2726 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2727 {
2728 return net_ads_noads();
2729 }
2730
2731 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2732 {
2733 return net_ads_noads();
2734 }
2735
2736 int net_ads_join(struct net_context *c, int argc, const char **argv)
2737 {
2738 return net_ads_noads();
2739 }
2740
2741 int net_ads_user(struct net_context *c, int argc, const char **argv)
2742 {
2743 return net_ads_noads();
2744 }
2745
2746 int net_ads_group(struct net_context *c, int argc, const char **argv)
2747 {
2748 return net_ads_noads();
2749 }
2750
2751 /* this one shouldn't display a message */
2752 int net_ads_check(struct net_context *c)
2753 {
2754 return -1;
2755 }
2756
2757 int net_ads_check_our_domain(struct net_context *c)
2758 {
2759 return -1;
2760 }
2761
2762 int net_ads(struct net_context *c, int argc, const char **argv)
2763 {
2764 return net_ads_noads();
2765 }
2766
2767 #endif /* WITH_ADS */
Samba GIT mirror