search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib: Give lib/util/util_file.c its own header file
[Samba.git] / source3 / utils / net_ads.c
blobd1a0b93469fbf11198dd3c63d5f7a3bf2b4ee96c
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "libsmb/namequery.h"
26 #include "rpc_client/cli_pipe.h"
27 #include "librpc/gen_ndr/ndr_krb5pac.h"
28 #include "../librpc/gen_ndr/ndr_spoolss.h"
29 #include "nsswitch/libwbclient/wbclient.h"
30 #include "ads.h"
31 #include "libads/cldap.h"
32 #include "../lib/addns/dnsquery.h"
33 #include "../libds/common/flags.h"
34 #include "librpc/gen_ndr/libnet_join.h"
35 #include "libnet/libnet_join.h"
36 #include "smb_krb5.h"
37 #include "secrets.h"
38 #include "krb5_env.h"
39 #include "../libcli/security/security.h"
40 #include "libsmb/libsmb.h"
41 #include "lib/param/loadparm.h"
42 #include "utils/net_dns.h"
43 #include "auth/kerberos/pac_utils.h"
44 #include "lib/util/string_wrappers.h"
45 #include "lib/util/util_file.h"
46
47 #ifdef HAVE_JANSSON
48 #include <jansson.h>
49 #include "audit_logging.h" /* various JSON helpers */
50 #include "auth/common_auth.h"
51 #endif /* [HAVE_JANSSON] */
52
53 #ifdef HAVE_ADS
54
55 /* when we do not have sufficient input parameters to contact a remote domain
56 * we always fall back to our own realm - Guenther*/
57
58 static const char *assume_own_realm(struct net_context *c)
59 {
60 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
61 return lp_realm();
62 }
63
64 return NULL;
65 }
66
67 #ifdef HAVE_JANSSON
68
69 /*
70 * note: JSON output deliberately bypasses gettext so as to provide the same
71 * output irrespective of the locale.
72 */
73
74 static int output_json(const struct json_object *jsobj)
75 {
76 TALLOC_CTX *ctx = NULL;
77 char *json = NULL;
78
79 if (json_is_invalid(jsobj)) {
80 return -1;
81 }
82
83 ctx = talloc_new(NULL);
84 if (ctx == NULL) {
85 d_fprintf(stderr, _("Out of memory\n"));
86 return -1;
87 }
88
89 json = json_to_string(ctx, jsobj);
90 if (!json) {
91 d_fprintf(stderr, _("error encoding to JSON\n"));
92 return -1;
93 }
94
95 d_printf("%s\n", json);
96 TALLOC_FREE(ctx);
97
98 return 0;
99 }
100
101 static int net_ads_cldap_netlogon_json
102 (ADS_STRUCT *ads,
103 const char *addr,
104 const struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply)
105 {
106 struct json_object jsobj = json_new_object();
107 struct json_object flagsobj = json_new_object();
108 char response_type [32] = { '\0' };
109 int ret = 0;
110
111 if (json_is_invalid(&jsobj) || json_is_invalid(&flagsobj)) {
112 d_fprintf(stderr, _("error setting up JSON value\n"));
113
114 goto failure;
115 }
116
117 switch (reply->command) {
118 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
119 strncpy(response_type,
120 "LOGON_SAM_LOGON_USER_UNKNOWN_EX",
121 sizeof(response_type));
122 break;
123 case LOGON_SAM_LOGON_RESPONSE_EX:
124 strncpy(response_type, "LOGON_SAM_LOGON_RESPONSE_EX",
125 sizeof(response_type));
126 break;
127 default:
128 snprintf(response_type, sizeof(response_type), "0x%x",
129 reply->command);
130 break;
131 }
132
133 ret = json_add_string(&jsobj, "Information for Domain Controller",
134 addr);
135 if (ret != 0) {
136 goto failure;
137 }
138
139 ret = json_add_string(&jsobj, "Response Type", response_type);
140 if (ret != 0) {
141 goto failure;
142 }
143
144 ret = json_add_guid(&jsobj, "GUID", &reply->domain_uuid);
145 if (ret != 0) {
146 goto failure;
147 }
148
149 ret = json_add_bool(&flagsobj, "Is a PDC",
150 reply->server_type & NBT_SERVER_PDC);
151 if (ret != 0) {
152 goto failure;
153 }
154
155 ret = json_add_bool(&flagsobj, "Is a GC of the forest",
156 reply->server_type & NBT_SERVER_GC);
157 if (ret != 0) {
158 goto failure;
159 }
160
161 ret = json_add_bool(&flagsobj, "Is an LDAP server",
162 reply->server_type & NBT_SERVER_LDAP);
163 if (ret != 0) {
164 goto failure;
165 }
166
167 ret = json_add_bool(&flagsobj, "Supports DS",
168 reply->server_type & NBT_SERVER_DS);
169 if (ret != 0) {
170 goto failure;
171 }
172
173 ret = json_add_bool(&flagsobj, "Is running a KDC",
174 reply->server_type & NBT_SERVER_KDC);
175 if (ret != 0) {
176 goto failure;
177 }
178
179 ret = json_add_bool(&flagsobj, "Is running time services",
180 reply->server_type & NBT_SERVER_TIMESERV);
181 if (ret != 0) {
182 goto failure;
183 }
184
185 ret = json_add_bool(&flagsobj, "Is the closest DC",
186 reply->server_type & NBT_SERVER_CLOSEST);
187 if (ret != 0) {
188 goto failure;
189 }
190
191 ret = json_add_bool(&flagsobj, "Is writable",
192 reply->server_type & NBT_SERVER_WRITABLE);
193 if (ret != 0) {
194 goto failure;
195 }
196
197 ret = json_add_bool(&flagsobj, "Has a hardware clock",
198 reply->server_type & NBT_SERVER_GOOD_TIMESERV);
199 if (ret != 0) {
200 goto failure;
201 }
202
203 ret = json_add_bool(&flagsobj,
204 "Is a non-domain NC serviced by LDAP server",
205 reply->server_type & NBT_SERVER_NDNC);
206 if (ret != 0) {
207 goto failure;
208 }
209
210 ret = json_add_bool
211 (&flagsobj, "Is NT6 DC that has some secrets",
212 reply->server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6);
213 if (ret != 0) {
214 goto failure;
215 }
216
217 ret = json_add_bool
218 (&flagsobj, "Is NT6 DC that has all secrets",
219 reply->server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6);
220 if (ret != 0) {
221 goto failure;
222 }
223
224 ret = json_add_bool(&flagsobj, "Runs Active Directory Web Services",
225 reply->server_type & NBT_SERVER_ADS_WEB_SERVICE);
226 if (ret != 0) {
227 goto failure;
228 }
229
230 ret = json_add_bool(&flagsobj, "Runs on Windows 2012 or later",
231 reply->server_type & NBT_SERVER_DS_8);
232 if (ret != 0) {
233 goto failure;
234 }
235
236 ret = json_add_bool(&flagsobj, "Runs on Windows 2012R2 or later",
237 reply->server_type & NBT_SERVER_DS_9);
238 if (ret != 0) {
239 goto failure;
240 }
241
242 ret = json_add_bool(&flagsobj, "Runs on Windows 2016 or later",
243 reply->server_type & NBT_SERVER_DS_10);
244 if (ret != 0) {
245 goto failure;
246 }
247
248 ret = json_add_bool(&flagsobj, "Has a DNS name",
249 reply->server_type & NBT_SERVER_HAS_DNS_NAME);
250 if (ret != 0) {
251 goto failure;
252 }
253
254 ret = json_add_bool(&flagsobj, "Is a default NC",
255 reply->server_type & NBT_SERVER_IS_DEFAULT_NC);
256 if (ret != 0) {
257 goto failure;
258 }
259
260 ret = json_add_bool(&flagsobj, "Is the forest root",
261 reply->server_type & NBT_SERVER_FOREST_ROOT);
262 if (ret != 0) {
263 goto failure;
264 }
265
266 ret = json_add_string(&jsobj, "Forest", reply->forest);
267 if (ret != 0) {
268 goto failure;
269 }
270
271 ret = json_add_string(&jsobj, "Domain", reply->dns_domain);
272 if (ret != 0) {
273 goto failure;
274 }
275
276 ret = json_add_string(&jsobj, "Domain Controller", reply->pdc_dns_name);
277 if (ret != 0) {
278 goto failure;
279 }
280
281
282 ret = json_add_string(&jsobj, "Pre-Win2k Domain", reply->domain_name);
283 if (ret != 0) {
284 goto failure;
285 }
286
287 ret = json_add_string(&jsobj, "Pre-Win2k Hostname", reply->pdc_name);
288 if (ret != 0) {
289 goto failure;
290 }
291
292 if (*reply->user_name) {
293 ret = json_add_string(&jsobj, "User name", reply->user_name);
294 if (ret != 0) {
295 goto failure;
296 }
297 }
298
299 ret = json_add_string(&jsobj, "Server Site Name", reply->server_site);
300 if (ret != 0) {
301 goto failure;
302 }
303
304 ret = json_add_string(&jsobj, "Client Site Name", reply->client_site);
305 if (ret != 0) {
306 goto failure;
307 }
308
309 ret = json_add_int(&jsobj, "NT Version", reply->nt_version);
310 if (ret != 0) {
311 goto failure;
312 }
313
314 ret = json_add_int(&jsobj, "LMNT Token", reply->lmnt_token);
315 if (ret != 0) {
316 goto failure;
317 }
318
319 ret = json_add_int(&jsobj, "LM20 Token", reply->lm20_token);
320 if (ret != 0) {
321 goto failure;
322 }
323
324 ret = json_add_object(&jsobj, "Flags", &flagsobj);
325 if (ret != 0) {
326 goto failure;
327 }
328
329 ret = output_json(&jsobj);
330 json_free(&jsobj); /* frees flagsobj recursively */
331
332 return ret;
333
334 failure:
335 json_free(&flagsobj);
336 json_free(&jsobj);
337
338 return ret;
339 }
340
341 #else /* [HAVE_JANSSON] */
342
343 static int net_ads_cldap_netlogon_json
344 (ADS_STRUCT *ads,
345 const char *addr,
346 const struct NETLOGON_SAM_LOGON_RESPONSE_EX * reply)
347 {
348 d_fprintf(stderr, _("JSON support not available\n"));
349
350 return -1;
351 }
352
353 #endif /* [HAVE_JANSSON] */
354
355 /*
356 do a cldap netlogon query
357 */
358 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
359 {
360 char addr[INET6_ADDRSTRLEN];
361 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
362
363 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
364
365 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
366 d_fprintf(stderr, _("CLDAP query failed!\n"));
367 return -1;
368 }
369
370 if (c->opt_json) {
371 return net_ads_cldap_netlogon_json(ads, addr, &reply);
372 }
373
374 d_printf(_("Information for Domain Controller: %s\n\n"),
375 addr);
376
377 d_printf(_("Response Type: "));
378 switch (reply.command) {
379 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
380 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
381 break;
382 case LOGON_SAM_LOGON_RESPONSE_EX:
383 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
384 break;
385 default:
386 d_printf("0x%x\n", reply.command);
387 break;
388 }
389
390 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
391
392 d_printf(_("Flags:\n"
393 "\tIs a PDC: %s\n"
394 "\tIs a GC of the forest: %s\n"
395 "\tIs an LDAP server: %s\n"
396 "\tSupports DS: %s\n"
397 "\tIs running a KDC: %s\n"
398 "\tIs running time services: %s\n"
399 "\tIs the closest DC: %s\n"
400 "\tIs writable: %s\n"
401 "\tHas a hardware clock: %s\n"
402 "\tIs a non-domain NC serviced by LDAP server: %s\n"
403 "\tIs NT6 DC that has some secrets: %s\n"
404 "\tIs NT6 DC that has all secrets: %s\n"
405 "\tRuns Active Directory Web Services: %s\n"
406 "\tRuns on Windows 2012 or later: %s\n"
407 "\tRuns on Windows 2012R2 or later: %s\n"
408 "\tRuns on Windows 2016 or later: %s\n"
409 "\tHas a DNS name: %s\n"
410 "\tIs a default NC: %s\n"
411 "\tIs the forest root: %s\n"),
412 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
413 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
414 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
415 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
416 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
417 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
418 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
419 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
420 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
421 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
422 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
423 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"),
424 (reply.server_type & NBT_SERVER_ADS_WEB_SERVICE) ? _("yes") : _("no"),
425 (reply.server_type & NBT_SERVER_DS_8) ? _("yes") : _("no"),
426 (reply.server_type & NBT_SERVER_DS_9) ? _("yes") : _("no"),
427 (reply.server_type & NBT_SERVER_DS_10) ? _("yes") : _("no"),
428 (reply.server_type & NBT_SERVER_HAS_DNS_NAME) ? _("yes") : _("no"),
429 (reply.server_type & NBT_SERVER_IS_DEFAULT_NC) ? _("yes") : _("no"),
430 (reply.server_type & NBT_SERVER_FOREST_ROOT) ? _("yes") : _("no"));
431
432
433 printf(_("Forest: %s\n"), reply.forest);
434 printf(_("Domain: %s\n"), reply.dns_domain);
435 printf(_("Domain Controller: %s\n"), reply.pdc_dns_name);
436
437 printf(_("Pre-Win2k Domain: %s\n"), reply.domain_name);
438 printf(_("Pre-Win2k Hostname: %s\n"), reply.pdc_name);
439
440 if (*reply.user_name) printf(_("User name: %s\n"), reply.user_name);
441
442 printf(_("Server Site Name: %s\n"), reply.server_site);
443 printf(_("Client Site Name: %s\n"), reply.client_site);
444
445 d_printf(_("NT Version: %d\n"), reply.nt_version);
446 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
447 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
448
449 return 0;
450 }
451
452 /*
453 this implements the CLDAP based netlogon lookup requests
454 for finding the domain controller of a ADS domain
455 */
456 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
457 {
458 TALLOC_CTX *tmp_ctx = talloc_stackframe();
459 ADS_STRUCT *ads = NULL;
460 ADS_STATUS status;
461 int ret = -1;
462
463 if (c->display_usage) {
464 d_printf("%s\n"
465 "net ads lookup\n"
466 " %s",
467 _("Usage:"),
468 _("Find the ADS DC using CLDAP lookup.\n"));
469 TALLOC_FREE(tmp_ctx);
470 return -1;
471 }
472
473 status = ads_startup_nobind(c, false, tmp_ctx, &ads);
474 if (!ADS_ERR_OK(status)) {
475 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
476 goto out;
477 }
478
479 if (!ads->config.realm) {
480 ads->config.realm = talloc_strdup(ads, c->opt_target_workgroup);
481 if (ads->config.realm == NULL) {
482 d_fprintf(stderr, _("Out of memory\n"));
483 goto out;
484 }
485 ads->ldap.port = 389;
486 }
487
488 ret = net_ads_cldap_netlogon(c, ads);
489 out:
490 TALLOC_FREE(tmp_ctx);
491 return ret;
492 }
493
494
495 #ifdef HAVE_JANSSON
496
497 static int net_ads_info_json(ADS_STRUCT *ads)
498 {
499 int ret = 0;
500 char addr[INET6_ADDRSTRLEN];
501 time_t pass_time;
502 struct json_object jsobj = json_new_object();
503
504 if (json_is_invalid(&jsobj)) {
505 d_fprintf(stderr, _("error setting up JSON value\n"));
506
507 goto failure;
508 }
509
510 pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
511
512 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
513
514 ret = json_add_string (&jsobj, "LDAP server", addr);
515 if (ret != 0) {
516 goto failure;
517 }
518
519 ret = json_add_string (&jsobj, "LDAP server name",
520 ads->config.ldap_server_name);
521 if (ret != 0) {
522 goto failure;
523 }
524
525 ret = json_add_string (&jsobj, "Workgroup", ads->config.workgroup);
526 if (ret != 0) {
527 goto failure;
528 }
529
530 ret = json_add_string (&jsobj, "Realm", ads->config.realm);
531 if (ret != 0) {
532 goto failure;
533 }
534
535 ret = json_add_string (&jsobj, "Bind Path", ads->config.bind_path);
536 if (ret != 0) {
537 goto failure;
538 }
539
540 ret = json_add_int (&jsobj, "LDAP port", ads->ldap.port);
541 if (ret != 0) {
542 goto failure;
543 }
544
545 ret = json_add_int (&jsobj, "Server time", ads->config.current_time);
546 if (ret != 0) {
547 goto failure;
548 }
549
550 ret = json_add_string (&jsobj, "KDC server", ads->auth.kdc_server);
551 if (ret != 0) {
552 goto failure;
553 }
554
555 ret = json_add_int (&jsobj, "Server time offset",
556 ads->auth.time_offset);
557 if (ret != 0) {
558 goto failure;
559 }
560
561 ret = json_add_int (&jsobj, "Last machine account password change",
562 pass_time);
563 if (ret != 0) {
564 goto failure;
565 }
566
567 ret = output_json(&jsobj);
568 failure:
569 json_free(&jsobj);
570
571 return ret;
572 }
573
574 #else /* [HAVE_JANSSON] */
575
576 static int net_ads_info_json(ADS_STRUCT *ads)
577 {
578 d_fprintf(stderr, _("JSON support not available\n"));
579
580 return -1;
581 }
582
583 #endif /* [HAVE_JANSSON] */
584
585
586
587 static int net_ads_info(struct net_context *c, int argc, const char **argv)
588 {
589 TALLOC_CTX *tmp_ctx = talloc_stackframe();
590 ADS_STRUCT *ads = NULL;
591 ADS_STATUS status;
592 char addr[INET6_ADDRSTRLEN];
593 time_t pass_time;
594 int ret = -1;
595
596 if (c->display_usage) {
597 d_printf("%s\n"
598 "net ads info\n"
599 " %s",
600 _("Usage:"),
601 _("Display information about an Active Directory "
602 "server.\n"));
603 TALLOC_FREE(tmp_ctx);
604 return -1;
605 }
606
607 status = ads_startup_nobind(c, false, tmp_ctx, &ads);
608 if (!ADS_ERR_OK(status)) {
609 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
610 goto out;
611 }
612
613 if (!ads || !ads->config.realm) {
614 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
615 goto out;
616 }
617
618 /* Try to set the server's current time since we didn't do a full
619 TCP LDAP session initially */
620
621 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
622 d_fprintf( stderr, _("Failed to get server's current time!\n"));
623 }
624
625 if (c->opt_json) {
626 ret = net_ads_info_json(ads);
627 goto out;
628 }
629
630 pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
631
632 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
633
634 d_printf(_("LDAP server: %s\n"), addr);
635 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
636 d_printf(_("Workgroup: %s\n"), ads->config.workgroup);
637 d_printf(_("Realm: %s\n"), ads->config.realm);
638 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
639 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
640 d_printf(_("Server time: %s\n"),
641 http_timestring(tmp_ctx, ads->config.current_time));
642
643 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
644 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
645
646 d_printf(_("Last machine account password change: %s\n"),
647 http_timestring(tmp_ctx, pass_time));
648
649 ret = 0;
650 out:
651 TALLOC_FREE(tmp_ctx);
652 return ret;
653 }
654
655 static ADS_STATUS ads_startup_int(struct net_context *c,
656 bool only_own_domain,
657 uint32_t auth_flags,
658 TALLOC_CTX *mem_ctx,
659 ADS_STRUCT **ads_ret)
660 {
661 ADS_STRUCT *ads = NULL;
662 ADS_STATUS status;
663 bool need_password = false;
664 bool second_time = false;
665 char *cp;
666 const char *realm = NULL;
667 bool tried_closest_dc = false;
668 enum credentials_use_kerberos krb5_state =
669 CRED_USE_KERBEROS_DISABLED;
670
671 /* lp_realm() should be handled by a command line param,
672 However, the join requires that realm be set in smb.conf
673 and compares our realm with the remote server's so this is
674 ok until someone needs more flexibility */
675
676 *ads_ret = NULL;
677
678 retry_connect:
679 if (only_own_domain) {
680 realm = lp_realm();
681 } else {
682 realm = assume_own_realm(c);
683 }
684
685 ads = ads_init(mem_ctx,
686 realm,
687 c->opt_target_workgroup,
688 c->opt_host,
689 ADS_SASL_PLAIN);
690 if (ads == NULL) {
691 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
692 }
693
694 if (!c->opt_user_name) {
695 c->opt_user_name = "administrator";
696 }
697
698 if (c->opt_user_specified) {
699 need_password = true;
700 }
701
702 retry:
703 if (!c->opt_password && need_password && !c->opt_machine_pass) {
704 c->opt_password = net_prompt_pass(c, c->opt_user_name);
705 if (!c->opt_password) {
706 TALLOC_FREE(ads);
707 return ADS_ERROR(LDAP_NO_MEMORY);
708 }
709 }
710
711 if (c->opt_password) {
712 use_in_memory_ccache();
713 ADS_TALLOC_CONST_FREE(ads->auth.password);
714 ads->auth.password = talloc_strdup(ads, c->opt_password);
715 if (ads->auth.password == NULL) {
716 TALLOC_FREE(ads);
717 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
718 }
719 }
720
721 ADS_TALLOC_CONST_FREE(ads->auth.user_name);
722 ads->auth.user_name = talloc_strdup(ads, c->opt_user_name);
723 if (ads->auth.user_name == NULL) {
724 TALLOC_FREE(ads);
725 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
726 }
727
728 ads->auth.flags |= auth_flags;
729
730 /* The ADS code will handle FIPS mode */
731 krb5_state = cli_credentials_get_kerberos_state(c->creds);
732 switch (krb5_state) {
733 case CRED_USE_KERBEROS_REQUIRED:
734 ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
735 ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
736 break;
737 case CRED_USE_KERBEROS_DESIRED:
738 ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
739 ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
740 break;
741 case CRED_USE_KERBEROS_DISABLED:
742 ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
743 ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
744 break;
745 }
746
747 /*
748 * If the username is of the form "name@realm",
749 * extract the realm and convert to upper case.
750 * This is only used to establish the connection.
751 */
752 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
753 *cp++ = '\0';
754 ADS_TALLOC_CONST_FREE(ads->auth.realm);
755 ads->auth.realm = talloc_asprintf_strupper_m(ads, "%s", cp);
756 if (ads->auth.realm == NULL) {
757 TALLOC_FREE(ads);
758 return ADS_ERROR(LDAP_NO_MEMORY);
759 }
760 } else if (ads->auth.realm == NULL) {
761 const char *c_realm = cli_credentials_get_realm(c->creds);
762
763 if (c_realm != NULL) {
764 ads->auth.realm = talloc_strdup(ads, c_realm);
765 if (ads->auth.realm == NULL) {
766 TALLOC_FREE(ads);
767 return ADS_ERROR(LDAP_NO_MEMORY);
768 }
769 }
770 }
771
772 status = ads_connect(ads);
773
774 if (!ADS_ERR_OK(status)) {
775
776 if (NT_STATUS_EQUAL(ads_ntstatus(status),
777 NT_STATUS_NO_LOGON_SERVERS)) {
778 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
779 TALLOC_FREE(ads);
780 return status;
781 }
782
783 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
784 need_password = true;
785 second_time = true;
786 goto retry;
787 } else {
788 TALLOC_FREE(ads);
789 return status;
790 }
791 }
792
793 /* when contacting our own domain, make sure we use the closest DC.
794 * This is done by reconnecting to ADS because only the first call to
795 * ads_connect will give us our own sitename */
796
797 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
798
799 tried_closest_dc = true; /* avoid loop */
800
801 if (!ads_closest_dc(ads)) {
802
803 namecache_delete(ads->server.realm, 0x1C);
804 namecache_delete(ads->server.workgroup, 0x1C);
805
806 TALLOC_FREE(ads);
807
808 goto retry_connect;
809 }
810 }
811
812 *ads_ret = talloc_move(mem_ctx, &ads);
813 return status;
814 }
815
816 ADS_STATUS ads_startup(struct net_context *c,
817 bool only_own_domain,
818 TALLOC_CTX *mem_ctx,
819 ADS_STRUCT **ads)
820 {
821 return ads_startup_int(c, only_own_domain, 0, mem_ctx, ads);
822 }
823
824 ADS_STATUS ads_startup_nobind(struct net_context *c,
825 bool only_own_domain,
826 TALLOC_CTX *mem_ctx,
827 ADS_STRUCT **ads)
828 {
829 return ads_startup_int(c,
830 only_own_domain,
831 ADS_AUTH_NO_BIND,
832 mem_ctx,
833 ads);
834 }
835
836 /*
837 Check to see if connection can be made via ads.
838 ads_startup() stores the password in opt_password if it needs to so
839 that rpc or rap can use it without re-prompting.
840 */
841 static int net_ads_check_int(struct net_context *c,
842 const char *realm,
843 const char *workgroup,
844 const char *host)
845 {
846 TALLOC_CTX *tmp_ctx = talloc_stackframe();
847 ADS_STRUCT *ads;
848 ADS_STATUS status;
849 int ret = -1;
850
851 ads = ads_init(tmp_ctx, realm, workgroup, host, ADS_SASL_PLAIN);
852 if (ads == NULL) {
853 goto out;
854 }
855
856 ads->auth.flags |= ADS_AUTH_NO_BIND;
857
858 status = ads_connect(ads);
859 if ( !ADS_ERR_OK(status) ) {
860 goto out;
861 }
862
863 ret = 0;
864 out:
865 TALLOC_FREE(tmp_ctx);
866 return ret;
867 }
868
869 int net_ads_check_our_domain(struct net_context *c)
870 {
871 return net_ads_check_int(c, lp_realm(), lp_workgroup(), NULL);
872 }
873
874 int net_ads_check(struct net_context *c)
875 {
876 return net_ads_check_int(c, NULL, c->opt_workgroup, c->opt_host);
877 }
878
879 /*
880 determine the netbios workgroup name for a domain
881 */
882 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
883 {
884 TALLOC_CTX *tmp_ctx = talloc_stackframe();
885 ADS_STRUCT *ads = NULL;
886 ADS_STATUS status;
887 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
888 bool ok = false;
889 int ret = -1;
890
891 if (c->display_usage) {
892 d_printf ("%s\n"
893 "net ads workgroup\n"
894 " %s\n",
895 _("Usage:"),
896 _("Print the workgroup name"));
897 TALLOC_FREE(tmp_ctx);
898 return -1;
899 }
900
901 status = ads_startup_nobind(c, false, tmp_ctx, &ads);
902 if (!ADS_ERR_OK(status)) {
903 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
904 goto out;
905 }
906
907 if (!ads->config.realm) {
908 ads->config.realm = talloc_strdup(ads, c->opt_target_workgroup);
909 if (ads->config.realm == NULL) {
910 d_fprintf(stderr, _("Out of memory\n"));
911 goto out;
912 }
913 ads->ldap.port = 389;
914 }
915
916 ok = ads_cldap_netlogon_5(tmp_ctx,
917 &ads->ldap.ss, ads->server.realm, &reply);
918 if (!ok) {
919 d_fprintf(stderr, _("CLDAP query failed!\n"));
920 goto out;
921 }
922
923 d_printf(_("Workgroup: %s\n"), reply.domain_name);
924
925 ret = 0;
926 out:
927 TALLOC_FREE(tmp_ctx);
928
929 return ret;
930 }
931
932
933
934 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
935 {
936 char **disp_fields = (char **) data_area;
937
938 if (!field) { /* must be end of record */
939 if (disp_fields[0]) {
940 if (!strchr_m(disp_fields[0], '$')) {
941 if (disp_fields[1])
942 d_printf("%-21.21s %s\n",
943 disp_fields[0], disp_fields[1]);
944 else
945 d_printf("%s\n", disp_fields[0]);
946 }
947 }
948 SAFE_FREE(disp_fields[0]);
949 SAFE_FREE(disp_fields[1]);
950 return true;
951 }
952 if (!values) /* must be new field, indicate string field */
953 return true;
954 if (strcasecmp_m(field, "sAMAccountName") == 0) {
955 disp_fields[0] = SMB_STRDUP((char *) values[0]);
956 }
957 if (strcasecmp_m(field, "description") == 0)
958 disp_fields[1] = SMB_STRDUP((char *) values[0]);
959 return true;
960 }
961
962 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
963 {
964 return net_user_usage(c, argc, argv);
965 }
966
967 static int ads_user_add(struct net_context *c, int argc, const char **argv)
968 {
969 TALLOC_CTX *tmp_ctx = talloc_stackframe();
970 ADS_STRUCT *ads = NULL;
971 ADS_STATUS status;
972 char *upn, *userdn;
973 LDAPMessage *res=NULL;
974 int rc = -1;
975 char *ou_str = NULL;
976
977 if (argc < 1 || c->display_usage) {
978 TALLOC_FREE(tmp_ctx);
979 return net_ads_user_usage(c, argc, argv);
980 }
981
982 status = ads_startup(c, false, tmp_ctx, &ads);
983 if (!ADS_ERR_OK(status)) {
984 goto done;
985 }
986
987 status = ads_find_user_acct(ads, &res, argv[0]);
988 if (!ADS_ERR_OK(status)) {
989 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
990 goto done;
991 }
992
993 if (ads_count_replies(ads, res)) {
994 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
995 argv[0]);
996 goto done;
997 }
998
999 if (c->opt_container) {
1000 ou_str = SMB_STRDUP(c->opt_container);
1001 } else {
1002 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
1003 }
1004
1005 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
1006 if (!ADS_ERR_OK(status)) {
1007 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
1008 ads_errstr(status));
1009 goto done;
1010 }
1011
1012 /* if no password is to be set, we're done */
1013 if (argc == 1) {
1014 d_printf(_("User %s added\n"), argv[0]);
1015 rc = 0;
1016 goto done;
1017 }
1018
1019 /* try setting the password */
1020 upn = talloc_asprintf(tmp_ctx,
1021 "%s@%s",
1022 argv[0],
1023 ads->config.realm);
1024 if (upn == NULL) {
1025 goto done;
1026 }
1027
1028 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
1029 ads->auth.time_offset);
1030 if (ADS_ERR_OK(status)) {
1031 d_printf(_("User %s added\n"), argv[0]);
1032 rc = 0;
1033 goto done;
1034 }
1035 TALLOC_FREE(upn);
1036
1037 /* password didn't set, delete account */
1038 d_fprintf(stderr, _("Could not add user %s. "
1039 "Error setting password %s\n"),
1040 argv[0], ads_errstr(status));
1041
1042 ads_msgfree(ads, res);
1043 res = NULL;
1044
1045 status=ads_find_user_acct(ads, &res, argv[0]);
1046 if (ADS_ERR_OK(status)) {
1047 userdn = ads_get_dn(ads, tmp_ctx, res);
1048 ads_del_dn(ads, userdn);
1049 TALLOC_FREE(userdn);
1050 }
1051
1052 done:
1053 ads_msgfree(ads, res);
1054 SAFE_FREE(ou_str);
1055 TALLOC_FREE(tmp_ctx);
1056 return rc;
1057 }
1058
1059 static int ads_user_info(struct net_context *c, int argc, const char **argv)
1060 {
1061 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1062 ADS_STRUCT *ads = NULL;
1063 ADS_STATUS status;
1064 LDAPMessage *res = NULL;
1065 int ret = -1;
1066 wbcErr wbc_status;
1067 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
1068 char *searchstring = NULL;
1069 char **grouplist = NULL;
1070 char *primary_group = NULL;
1071 char *escaped_user = NULL;
1072 struct dom_sid primary_group_sid;
1073 uint32_t group_rid;
1074 enum wbcSidType type;
1075
1076 if (argc < 1 || c->display_usage) {
1077 TALLOC_FREE(tmp_ctx);
1078 return net_ads_user_usage(c, argc, argv);
1079 }
1080
1081 escaped_user = escape_ldap_string(tmp_ctx, argv[0]);
1082 if (!escaped_user) {
1083 d_fprintf(stderr,
1084 _("ads_user_info: failed to escape user %s\n"),
1085 argv[0]);
1086 goto out;
1087 }
1088
1089 status = ads_startup(c, false, tmp_ctx, &ads);
1090 if (!ADS_ERR_OK(status)) {
1091 goto out;
1092 }
1093
1094 searchstring = talloc_asprintf(tmp_ctx,
1095 "(sAMAccountName=%s)",
1096 escaped_user);
1097 if (searchstring == NULL) {
1098 goto out;
1099 }
1100
1101 status = ads_search(ads, &res, searchstring, attrs);
1102 if (!ADS_ERR_OK(status)) {
1103 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(status));
1104 goto out;
1105 }
1106
1107 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
1108 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
1109 goto out;
1110 }
1111
1112 status = ads_domain_sid(ads, &primary_group_sid);
1113 if (!ADS_ERR_OK(status)) {
1114 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(status));
1115 goto out;
1116 }
1117
1118 sid_append_rid(&primary_group_sid, group_rid);
1119
1120 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
1121 NULL, /* don't look up domain */
1122 &primary_group,
1123 &type);
1124 if (!WBC_ERROR_IS_OK(wbc_status)) {
1125 d_fprintf(stderr, "wbcLookupSid: %s\n",
1126 wbcErrorString(wbc_status));
1127 goto out;
1128 }
1129
1130 d_printf("%s\n", primary_group);
1131
1132 wbcFreeMemory(primary_group);
1133
1134 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
1135 (LDAPMessage *)res, "memberOf");
1136
1137 if (grouplist) {
1138 int i;
1139 char **groupname;
1140 for (i=0;grouplist[i];i++) {
1141 groupname = ldap_explode_dn(grouplist[i], 1);
1142 d_printf("%s\n", groupname[0]);
1143 ldap_value_free(groupname);
1144 }
1145 ldap_value_free(grouplist);
1146 }
1147
1148 ret = 0;
1149 out:
1150 TALLOC_FREE(escaped_user);
1151 TALLOC_FREE(searchstring);
1152 ads_msgfree(ads, res);
1153 TALLOC_FREE(tmp_ctx);
1154 return ret;
1155 }
1156
1157 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
1158 {
1159 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1160 ADS_STRUCT *ads = NULL;
1161 ADS_STATUS status;
1162 LDAPMessage *res = NULL;
1163 char *userdn = NULL;
1164 int ret = -1;
1165
1166 if (argc < 1) {
1167 TALLOC_FREE(tmp_ctx);
1168 return net_ads_user_usage(c, argc, argv);
1169 }
1170
1171 status = ads_startup(c, false, tmp_ctx, &ads);
1172 if (!ADS_ERR_OK(status)) {
1173 goto out;
1174 }
1175
1176 status = ads_find_user_acct(ads, &res, argv[0]);
1177 if (!ADS_ERR_OK(status) || ads_count_replies(ads, res) != 1) {
1178 d_printf(_("User %s does not exist.\n"), argv[0]);
1179 goto out;
1180 }
1181
1182 userdn = ads_get_dn(ads, tmp_ctx, res);
1183 if (userdn == NULL) {
1184 goto out;
1185 }
1186
1187 status = ads_del_dn(ads, userdn);
1188 if (!ADS_ERR_OK(status)) {
1189 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
1190 ads_errstr(status));
1191 goto out;
1192 }
1193
1194 d_printf(_("User %s deleted\n"), argv[0]);
1195
1196 ret = 0;
1197 out:
1198 ads_msgfree(ads, res);
1199 TALLOC_FREE(tmp_ctx);
1200 return ret;
1201 }
1202
1203 int net_ads_user(struct net_context *c, int argc, const char **argv)
1204 {
1205 struct functable func[] = {
1206 {
1207 "add",
1208 ads_user_add,
1209 NET_TRANSPORT_ADS,
1210 N_("Add an AD user"),
1211 N_("net ads user add\n"
1212 " Add an AD user")
1213 },
1214 {
1215 "info",
1216 ads_user_info,
1217 NET_TRANSPORT_ADS,
1218 N_("Display information about an AD user"),
1219 N_("net ads user info\n"
1220 " Display information about an AD user")
1221 },
1222 {
1223 "delete",
1224 ads_user_delete,
1225 NET_TRANSPORT_ADS,
1226 N_("Delete an AD user"),
1227 N_("net ads user delete\n"
1228 " Delete an AD user")
1229 },
1230 {NULL, NULL, 0, NULL, NULL}
1231 };
1232 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1233 ADS_STRUCT *ads = NULL;
1234 ADS_STATUS status;
1235 const char *shortattrs[] = {"sAMAccountName", NULL};
1236 const char *longattrs[] = {"sAMAccountName", "description", NULL};
1237 char *disp_fields[2] = {NULL, NULL};
1238 int ret = -1;
1239
1240 if (argc > 0) {
1241 TALLOC_FREE(tmp_ctx);
1242 return net_run_function(c, argc, argv, "net ads user", func);
1243 }
1244
1245 if (c->display_usage) {
1246 d_printf( "%s\n"
1247 "net ads user\n"
1248 " %s\n",
1249 _("Usage:"),
1250 _("List AD users"));
1251 net_display_usage_from_functable(func);
1252 TALLOC_FREE(tmp_ctx);
1253 return -1;
1254 }
1255
1256 status = ads_startup(c, false, tmp_ctx, &ads);
1257 if (!ADS_ERR_OK(status)) {
1258 goto out;
1259 }
1260
1261 if (c->opt_long_list_entries)
1262 d_printf(_("\nUser name Comment"
1263 "\n-----------------------------\n"));
1264
1265 status = ads_do_search_all_fn(ads,
1266 ads->config.bind_path,
1267 LDAP_SCOPE_SUBTREE,
1268 "(objectCategory=user)",
1269 c->opt_long_list_entries ?
1270 longattrs : shortattrs,
1271 usergrp_display,
1272 disp_fields);
1273 if (!ADS_ERR_OK(status)) {
1274 goto out;
1275 }
1276
1277 ret = 0;
1278 out:
1279 TALLOC_FREE(tmp_ctx);
1280 return ret;
1281 }
1282
1283 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
1284 {
1285 return net_group_usage(c, argc, argv);
1286 }
1287
1288 static int ads_group_add(struct net_context *c, int argc, const char **argv)
1289 {
1290 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1291 ADS_STRUCT *ads = NULL;
1292 ADS_STATUS status;
1293 LDAPMessage *res = NULL;
1294 int ret = -1;
1295 char *ou_str = NULL;
1296
1297 if (argc < 1 || c->display_usage) {
1298 TALLOC_FREE(tmp_ctx);
1299 return net_ads_group_usage(c, argc, argv);
1300 }
1301
1302 status = ads_startup(c, false, tmp_ctx, &ads);
1303 if (!ADS_ERR_OK(status)) {
1304 goto out;
1305 }
1306
1307 status = ads_find_user_acct(ads, &res, argv[0]);
1308 if (!ADS_ERR_OK(status)) {
1309 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
1310 goto out;
1311 }
1312
1313 if (ads_count_replies(ads, res)) {
1314 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
1315 goto out;
1316 }
1317
1318 if (c->opt_container) {
1319 ou_str = SMB_STRDUP(c->opt_container);
1320 } else {
1321 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
1322 }
1323
1324 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
1325 if (!ADS_ERR_OK(status)) {
1326 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
1327 ads_errstr(status));
1328 goto out;
1329 }
1330
1331 d_printf(_("Group %s added\n"), argv[0]);
1332
1333 ret = 0;
1334 out:
1335 ads_msgfree(ads, res);
1336 SAFE_FREE(ou_str);
1337 TALLOC_FREE(tmp_ctx);
1338 return ret;
1339 }
1340
1341 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
1342 {
1343 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1344 ADS_STRUCT *ads = NULL;
1345 ADS_STATUS status;
1346 LDAPMessage *res = NULL;
1347 char *groupdn = NULL;
1348 int ret = -1;
1349
1350 if (argc < 1 || c->display_usage) {
1351 TALLOC_FREE(tmp_ctx);
1352 return net_ads_group_usage(c, argc, argv);
1353 }
1354
1355 status = ads_startup(c, false, tmp_ctx, &ads);
1356 if (!ADS_ERR_OK(status)) {
1357 goto out;
1358 }
1359
1360 status = ads_find_user_acct(ads, &res, argv[0]);
1361 if (!ADS_ERR_OK(status) || ads_count_replies(ads, res) != 1) {
1362 d_printf(_("Group %s does not exist.\n"), argv[0]);
1363 goto out;
1364 }
1365
1366 groupdn = ads_get_dn(ads, tmp_ctx, res);
1367 if (groupdn == NULL) {
1368 goto out;
1369 }
1370
1371 status = ads_del_dn(ads, groupdn);
1372 if (!ADS_ERR_OK(status)) {
1373 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
1374 ads_errstr(status));
1375 goto out;
1376 }
1377 d_printf(_("Group %s deleted\n"), argv[0]);
1378
1379 ret = 0;
1380 out:
1381 ads_msgfree(ads, res);
1382 TALLOC_FREE(tmp_ctx);
1383 return ret;
1384 }
1385
1386 int net_ads_group(struct net_context *c, int argc, const char **argv)
1387 {
1388 struct functable func[] = {
1389 {
1390 "add",
1391 ads_group_add,
1392 NET_TRANSPORT_ADS,
1393 N_("Add an AD group"),
1394 N_("net ads group add\n"
1395 " Add an AD group")
1396 },
1397 {
1398 "delete",
1399 ads_group_delete,
1400 NET_TRANSPORT_ADS,
1401 N_("Delete an AD group"),
1402 N_("net ads group delete\n"
1403 " Delete an AD group")
1404 },
1405 {NULL, NULL, 0, NULL, NULL}
1406 };
1407 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1408 ADS_STRUCT *ads = NULL;
1409 ADS_STATUS status;
1410 const char *shortattrs[] = {"sAMAccountName", NULL};
1411 const char *longattrs[] = {"sAMAccountName", "description", NULL};
1412 char *disp_fields[2] = {NULL, NULL};
1413 int ret = -1;
1414
1415 if (argc >= 0) {
1416 TALLOC_FREE(tmp_ctx);
1417 return net_run_function(c, argc, argv, "net ads group", func);
1418 }
1419
1420 if (c->display_usage) {
1421 d_printf( "%s\n"
1422 "net ads group\n"
1423 " %s\n",
1424 _("Usage:"),
1425 _("List AD groups"));
1426 net_display_usage_from_functable(func);
1427 TALLOC_FREE(tmp_ctx);
1428 return -1;
1429 }
1430
1431 status = ads_startup(c, false, tmp_ctx, &ads);
1432 if (!ADS_ERR_OK(status)) {
1433 goto out;
1434 }
1435
1436 if (c->opt_long_list_entries)
1437 d_printf(_("\nGroup name Comment"
1438 "\n-----------------------------\n"));
1439
1440 status = ads_do_search_all_fn(ads,
1441 ads->config.bind_path,
1442 LDAP_SCOPE_SUBTREE,
1443 "(objectCategory=group)",
1444 c->opt_long_list_entries ?
1445 longattrs : shortattrs,
1446 usergrp_display,
1447 disp_fields);
1448 if (!ADS_ERR_OK(status)) {
1449 goto out;
1450 }
1451
1452 ret = 0;
1453 out:
1454 TALLOC_FREE(tmp_ctx);
1455 return ret;
1456 }
1457
1458 static int net_ads_status(struct net_context *c, int argc, const char **argv)
1459 {
1460 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1461 ADS_STRUCT *ads = NULL;
1462 ADS_STATUS status;
1463 LDAPMessage *res = NULL;
1464 int ret = -1;
1465
1466 if (c->display_usage) {
1467 d_printf( "%s\n"
1468 "net ads status\n"
1469 " %s\n",
1470 _("Usage:"),
1471 _("Display machine account details"));
1472 TALLOC_FREE(tmp_ctx);
1473 return -1;
1474 }
1475
1476 net_warn_member_options();
1477
1478 status = ads_startup(c, true, tmp_ctx, &ads);
1479 if (!ADS_ERR_OK(status)) {
1480 goto out;
1481 }
1482
1483 status = ads_find_machine_acct(ads, &res, lp_netbios_name());
1484 if (!ADS_ERR_OK(status)) {
1485 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"),
1486 ads_errstr(status));
1487 goto out;
1488 }
1489
1490 if (ads_count_replies(ads, res) == 0) {
1491 d_fprintf(stderr, _("No machine account for '%s' found\n"),
1492 lp_netbios_name());
1493 goto out;
1494 }
1495
1496 ads_dump(ads, res);
1497
1498 ret = 0;
1499 out:
1500 ads_msgfree(ads, res);
1501 TALLOC_FREE(tmp_ctx);
1502 return ret;
1503 }
1504
1505 /*******************************************************************
1506 Leave an AD domain. Windows XP disables the machine account.
1507 We'll try the same. The old code would do an LDAP delete.
1508 That only worked using the machine creds because added the machine
1509 with full control to the computer object's ACL.
1510 *******************************************************************/
1511
1512 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
1513 {
1514 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1515 struct libnet_UnjoinCtx *r = NULL;
1516 WERROR werr;
1517 int ret = -1;
1518
1519 if (c->display_usage) {
1520 d_printf( "%s\n"
1521 "net ads leave [--keep-account]\n"
1522 " %s\n",
1523 _("Usage:"),
1524 _("Leave an AD domain"));
1525 TALLOC_FREE(tmp_ctx);
1526 return -1;
1527 }
1528
1529 if (!*lp_realm()) {
1530 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
1531 TALLOC_FREE(tmp_ctx);
1532 return -1;
1533 }
1534
1535 if (!c->opt_kerberos) {
1536 use_in_memory_ccache();
1537 }
1538
1539 if (!c->msg_ctx) {
1540 d_fprintf(stderr, _("Could not initialise message context. "
1541 "Try running as root\n"));
1542 goto done;
1543 }
1544
1545 werr = libnet_init_UnjoinCtx(tmp_ctx, &r);
1546 if (!W_ERROR_IS_OK(werr)) {
1547 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
1548 goto done;
1549 }
1550
1551 r->in.debug = true;
1552 r->in.use_kerberos = c->opt_kerberos;
1553 r->in.dc_name = c->opt_host;
1554 r->in.domain_name = lp_realm();
1555 r->in.admin_account = c->opt_user_name;
1556 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1557 r->in.modify_config = lp_config_backend_is_registry();
1558
1559 /* Try to delete it, but if that fails, disable it. The
1560 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
1561 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1562 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
1563 if (c->opt_keep_account) {
1564 r->in.delete_machine_account = false;
1565 } else {
1566 r->in.delete_machine_account = true;
1567 }
1568
1569 r->in.msg_ctx = c->msg_ctx;
1570
1571 werr = libnet_Unjoin(tmp_ctx, r);
1572 if (!W_ERROR_IS_OK(werr)) {
1573 d_printf(_("Failed to leave domain: %s\n"),
1574 r->out.error_string ? r->out.error_string :
1575 get_friendly_werror_msg(werr));
1576 goto done;
1577 }
1578
1579 if (r->out.deleted_machine_account) {
1580 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1581 r->in.machine_name, r->out.dns_domain_name);
1582 ret = 0;
1583 goto done;
1584 }
1585
1586 /* We couldn't delete it - see if the disable succeeded. */
1587 if (r->out.disabled_machine_account) {
1588 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1589 r->in.machine_name, r->out.dns_domain_name);
1590 ret = 0;
1591 goto done;
1592 }
1593
1594 /* Based on what we requested, we shouldn't get here, but if
1595 we did, it means the secrets were removed, and therefore
1596 we have left the domain */
1597 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1598 r->in.machine_name, r->out.dns_domain_name);
1599
1600 ret = 0;
1601 done:
1602 TALLOC_FREE(tmp_ctx);
1603 return ret;
1604 }
1605
1606 static ADS_STATUS net_ads_join_ok(struct net_context *c)
1607 {
1608 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1609 ADS_STRUCT *ads = NULL;
1610 ADS_STATUS status;
1611 fstring dc_name;
1612 struct sockaddr_storage dcip;
1613
1614 if (!secrets_init()) {
1615 DEBUG(1,("Failed to initialise secrets database\n"));
1616 TALLOC_FREE(tmp_ctx);
1617 return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
1618 }
1619
1620 net_warn_member_options();
1621
1622 net_use_krb_machine_account(c);
1623
1624 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1625
1626 status = ads_startup(c, true, tmp_ctx, &ads);
1627 if (!ADS_ERR_OK(status)) {
1628 goto out;
1629 }
1630
1631 status = ADS_ERROR_NT(NT_STATUS_OK);
1632 out:
1633 TALLOC_FREE(tmp_ctx);
1634 return status;
1635 }
1636
1637 /*
1638 check that an existing join is OK
1639 */
1640 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1641 {
1642 ADS_STATUS status;
1643 use_in_memory_ccache();
1644
1645 if (c->display_usage) {
1646 d_printf( "%s\n"
1647 "net ads testjoin\n"
1648 " %s\n",
1649 _("Usage:"),
1650 _("Test if the existing join is ok"));
1651 return -1;
1652 }
1653
1654 net_warn_member_options();
1655
1656 /* Display success or failure */
1657 status = net_ads_join_ok(c);
1658 if (!ADS_ERR_OK(status)) {
1659 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1660 get_friendly_nt_error_msg(ads_ntstatus(status)));
1661 return -1;
1662 }
1663
1664 printf(_("Join is OK\n"));
1665 return 0;
1666 }
1667
1668 /*******************************************************************
1669 Simple config checks before beginning the join
1670 ********************************************************************/
1671
1672 static WERROR check_ads_config( void )
1673 {
1674 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1675 d_printf(_("Host is not configured as a member server.\n"));
1676 return WERR_INVALID_DOMAIN_ROLE;
1677 }
1678
1679 if (strlen(lp_netbios_name()) > 15) {
1680 d_printf(_("Our netbios name can be at most 15 chars long, "
1681 "\"%s\" is %u chars long\n"), lp_netbios_name(),
1682 (unsigned int)strlen(lp_netbios_name()));
1683 return WERR_INVALID_COMPUTERNAME;
1684 }
1685
1686 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1687 d_fprintf(stderr, _("realm must be set in %s for ADS "
1688 "join to succeed.\n"), get_dyn_CONFIGFILE());
1689 return WERR_INVALID_PARAMETER;
1690 }
1691
1692 return WERR_OK;
1693 }
1694
1695 /*******************************************************************
1696 ********************************************************************/
1697
1698 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1699 {
1700 d_printf(_("net ads join [--no-dns-updates] [options]\n"
1701 "Valid options:\n"));
1702 d_printf(_(" dnshostname=FQDN Set the dnsHostName attribute during the join.\n"
1703 " The default is in the form netbiosname.dnsdomain\n"));
1704 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1705 " The default UPN is in the form host/netbiosname@REALM.\n"));
1706 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1707 " The OU string read from top to bottom without RDNs\n"
1708 " and delimited by a '/'.\n"
1709 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1710 " NB: A backslash '\\' is used as escape at multiple\n"
1711 " levels and may need to be doubled or even\n"
1712 " quadrupled. It is not used as a separator.\n"));
1713 d_printf(_(" machinepass=PASS Set the machine password to a specific value during\n"
1714 " the join. The default password is random.\n"));
1715 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1716 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during join.\n"
1717 " NB: osName and osVer must be specified together for\n"
1718 " either to take effect. The operatingSystemService\n"
1719 " attribute is then also set along with the two\n"
1720 " other attributes.\n"));
1721 d_printf(_(" osServicePack=string Set the operatingSystemServicePack attribute\n"
1722 " during the join.\n"
1723 " NB: If not specified then by default the samba\n"
1724 " version string is used instead.\n"));
1725 return -1;
1726 }
1727
1728
1729 int net_ads_join(struct net_context *c, int argc, const char **argv)
1730 {
1731 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1732 struct libnet_JoinCtx *r = NULL;
1733 const char *domain = lp_realm();
1734 WERROR werr = WERR_NERR_SETUPNOTJOINED;
1735 bool createupn = false;
1736 const char *dnshostname = NULL;
1737 const char *machineupn = NULL;
1738 const char *machine_password = NULL;
1739 const char *create_in_ou = NULL;
1740 int i;
1741 const char *os_name = NULL;
1742 const char *os_version = NULL;
1743 const char *os_servicepack = NULL;
1744 bool modify_config = lp_config_backend_is_registry();
1745 enum libnetjoin_JoinDomNameType domain_name_type = JoinDomNameTypeDNS;
1746 int ret = -1;
1747
1748 if (c->display_usage) {
1749 TALLOC_FREE(tmp_ctx);
1750 return net_ads_join_usage(c, argc, argv);
1751 }
1752
1753 net_warn_member_options();
1754
1755 if (!modify_config) {
1756 werr = check_ads_config();
1757 if (!W_ERROR_IS_OK(werr)) {
1758 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1759 goto fail;
1760 }
1761 }
1762
1763 if (!c->opt_kerberos) {
1764 use_in_memory_ccache();
1765 }
1766
1767 werr = libnet_init_JoinCtx(tmp_ctx, &r);
1768 if (!W_ERROR_IS_OK(werr)) {
1769 goto fail;
1770 }
1771
1772 /* process additional command line args */
1773
1774 for ( i=0; i<argc; i++ ) {
1775 if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
1776 dnshostname = get_string_param(argv[i]);
1777 }
1778 else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
1779 createupn = true;
1780 machineupn = get_string_param(argv[i]);
1781 }
1782 else if ( !strncasecmp_m(argv[i], "createcomputer", strlen("createcomputer")) ) {
1783 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1784 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1785 werr = WERR_INVALID_PARAMETER;
1786 goto fail;
1787 }
1788 }
1789 else if ( !strncasecmp_m(argv[i], "osName", strlen("osName")) ) {
1790 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1791 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1792 werr = WERR_INVALID_PARAMETER;
1793 goto fail;
1794 }
1795 }
1796 else if ( !strncasecmp_m(argv[i], "osVer", strlen("osVer")) ) {
1797 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1798 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1799 werr = WERR_INVALID_PARAMETER;
1800 goto fail;
1801 }
1802 }
1803 else if ( !strncasecmp_m(argv[i], "osServicePack", strlen("osServicePack")) ) {
1804 if ( (os_servicepack = get_string_param(argv[i])) == NULL ) {
1805 d_fprintf(stderr, _("Please supply a valid servicepack identifier.\n"));
1806 werr = WERR_INVALID_PARAMETER;
1807 goto fail;
1808 }
1809 }
1810 else if ( !strncasecmp_m(argv[i], "machinepass", strlen("machinepass")) ) {
1811 if ( (machine_password = get_string_param(argv[i])) == NULL ) {
1812 d_fprintf(stderr, _("Please supply a valid password to set as trust account password.\n"));
1813 werr = WERR_INVALID_PARAMETER;
1814 goto fail;
1815 }
1816 } else {
1817 domain = argv[i];
1818 if (strchr(domain, '.') == NULL) {
1819 domain_name_type = JoinDomNameTypeUnknown;
1820 } else {
1821 domain_name_type = JoinDomNameTypeDNS;
1822 }
1823 }
1824 }
1825
1826 if (!*domain) {
1827 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1828 werr = WERR_INVALID_PARAMETER;
1829 goto fail;
1830 }
1831
1832 if (!c->msg_ctx) {
1833 d_fprintf(stderr, _("Could not initialise message context. "
1834 "Try running as root\n"));
1835 werr = WERR_ACCESS_DENIED;
1836 goto fail;
1837 }
1838
1839 /* Do the domain join here */
1840
1841 r->in.domain_name = domain;
1842 r->in.domain_name_type = domain_name_type;
1843 r->in.create_upn = createupn;
1844 r->in.upn = machineupn;
1845 r->in.dnshostname = dnshostname;
1846 r->in.account_ou = create_in_ou;
1847 r->in.os_name = os_name;
1848 r->in.os_version = os_version;
1849 r->in.os_servicepack = os_servicepack;
1850 r->in.dc_name = c->opt_host;
1851 r->in.admin_account = c->opt_user_name;
1852 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1853 r->in.machine_password = machine_password;
1854 r->in.debug = true;
1855 r->in.use_kerberos = c->opt_kerberos;
1856 r->in.modify_config = modify_config;
1857 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1858 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1859 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1860 r->in.msg_ctx = c->msg_ctx;
1861
1862 werr = libnet_Join(tmp_ctx, r);
1863 if (W_ERROR_EQUAL(werr, WERR_NERR_DCNOTFOUND) &&
1864 strequal(domain, lp_realm())) {
1865 r->in.domain_name = lp_workgroup();
1866 r->in.domain_name_type = JoinDomNameTypeNBT;
1867 werr = libnet_Join(tmp_ctx, r);
1868 }
1869 if (!W_ERROR_IS_OK(werr)) {
1870 goto fail;
1871 }
1872
1873 /* Check the short name of the domain */
1874
1875 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1876 d_printf(_("The workgroup in %s does not match the short\n"
1877 "domain name obtained from the server.\n"
1878 "Using the name [%s] from the server.\n"
1879 "You should set \"workgroup = %s\" in %s.\n"),
1880 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1881 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1882 }
1883
1884 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1885
1886 if (r->out.dns_domain_name) {
1887 d_printf(_("Joined '%s' to dns domain '%s'\n"), r->in.machine_name,
1888 r->out.dns_domain_name);
1889 } else {
1890 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1891 r->out.netbios_domain_name);
1892 }
1893
1894 /* print out informative error string in case there is one */
1895 if (r->out.error_string != NULL) {
1896 d_printf("%s\n", r->out.error_string);
1897 }
1898
1899 /*
1900 * We try doing the dns update (if it was compiled in
1901 * and if it was not disabled on the command line).
1902 * If the dns update fails, we still consider the join
1903 * operation as succeeded if we came this far.
1904 */
1905 if (!c->opt_no_dns_updates) {
1906 net_ads_join_dns_updates(c, tmp_ctx, r);
1907 }
1908
1909 ret = 0;
1910
1911 fail:
1912 if (ret != 0) {
1913 /* issue an overall failure message at the end. */
1914 d_printf(_("Failed to join domain: %s\n"),
1915 r && r->out.error_string ? r->out.error_string :
1916 get_friendly_werror_msg(werr));
1917 }
1918
1919 TALLOC_FREE(tmp_ctx);
1920
1921 return ret;
1922 }
1923
1924 /*******************************************************************
1925 ********************************************************************/
1926
1927 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1928 {
1929 #if defined(HAVE_KRB5)
1930 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1931 ADS_STRUCT *ads = NULL;
1932 ADS_STATUS status;
1933 NTSTATUS ntstatus;
1934 const char *hostname = NULL;
1935 const char **addrs_list = NULL;
1936 struct sockaddr_storage *addrs = NULL;
1937 int num_addrs = 0;
1938 int count;
1939 int ret = -1;
1940
1941 #ifdef DEVELOPER
1942 talloc_enable_leak_report();
1943 #endif
1944
1945 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1946 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1947 "detection of addresses in a clustered "
1948 "setup.\n"));
1949 c->display_usage = true;
1950 }
1951
1952 if (c->display_usage) {
1953 d_printf( "%s\n"
1954 "net ads dns register [hostname [IP [IP...]]] "
1955 "[--force] [--dns-ttl TTL]\n"
1956 " %s\n",
1957 _("Usage:"),
1958 _("Register hostname with DNS\n"));
1959 TALLOC_FREE(tmp_ctx);
1960 return -1;
1961 }
1962
1963 if (argc >= 1) {
1964 hostname = argv[0];
1965 }
1966
1967 if (argc > 1) {
1968 num_addrs = argc - 1;
1969 addrs_list = &argv[1];
1970 } else if (lp_clustering()) {
1971 addrs_list = lp_cluster_addresses();
1972 num_addrs = str_list_length(addrs_list);
1973 }
1974
1975 if (num_addrs > 0) {
1976 addrs = talloc_zero_array(tmp_ctx,
1977 struct sockaddr_storage,
1978 num_addrs);
1979 if (addrs == NULL) {
1980 d_fprintf(stderr, _("Error allocating memory!\n"));
1981 goto out;
1982 }
1983 }
1984
1985 for (count = 0; count < num_addrs; count++) {
1986 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1987 d_fprintf(stderr, "%s '%s'.\n",
1988 _("Cannot interpret address"),
1989 addrs_list[count]);
1990 goto out;
1991 }
1992 }
1993
1994 status = ads_startup(c, true, tmp_ctx, &ads);
1995 if ( !ADS_ERR_OK(status) ) {
1996 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1997 goto out;
1998 }
1999
2000 ntstatus = net_update_dns_ext(c,
2001 tmp_ctx,
2002 ads,
2003 hostname,
2004 addrs,
2005 num_addrs,
2006 false);
2007 if (!NT_STATUS_IS_OK(ntstatus)) {
2008 d_fprintf( stderr, _("DNS update failed!\n") );
2009 goto out;
2010 }
2011
2012 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
2013
2014 ret = 0;
2015 out:
2016 TALLOC_FREE(tmp_ctx);
2017
2018 return ret;
2019 #else
2020 d_fprintf(stderr,
2021 _("DNS update support not enabled at compile time!\n"));
2022 return -1;
2023 #endif
2024 }
2025
2026 static int net_ads_dns_unregister(struct net_context *c,
2027 int argc,
2028 const char **argv)
2029 {
2030 #if defined(HAVE_KRB5)
2031 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2032 ADS_STRUCT *ads = NULL;
2033 ADS_STATUS status;
2034 NTSTATUS ntstatus;
2035 const char *hostname = NULL;
2036 int ret = -1;
2037
2038 #ifdef DEVELOPER
2039 talloc_enable_leak_report();
2040 #endif
2041
2042 if (argc != 1) {
2043 c->display_usage = true;
2044 }
2045
2046 if (c->display_usage) {
2047 d_printf( "%s\n"
2048 "net ads dns unregister [hostname]\n"
2049 " %s\n",
2050 _("Usage:"),
2051 _("Remove all IP Address entries for a given\n"
2052 " hostname from the Active Directory server.\n"));
2053 TALLOC_FREE(tmp_ctx);
2054 return -1;
2055 }
2056
2057 /* Get the hostname for un-registering */
2058 hostname = argv[0];
2059
2060 status = ads_startup(c, true, tmp_ctx, &ads);
2061 if ( !ADS_ERR_OK(status) ) {
2062 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
2063 goto out;
2064 }
2065
2066 ntstatus = net_update_dns_ext(c,
2067 tmp_ctx,
2068 ads,
2069 hostname,
2070 NULL,
2071 0,
2072 true);
2073 if (!NT_STATUS_IS_OK(ntstatus)) {
2074 d_fprintf( stderr, _("DNS update failed!\n") );
2075 goto out;
2076 }
2077
2078 d_fprintf( stderr, _("Successfully un-registered hostname from DNS\n"));
2079
2080 ret = 0;
2081 out:
2082 TALLOC_FREE(tmp_ctx);
2083
2084 return ret;
2085 #else
2086 d_fprintf(stderr,
2087 _("DNS update support not enabled at compile time!\n"));
2088 return -1;
2089 #endif
2090 }
2091
2092
2093 static int net_ads_dns_async(struct net_context *c, int argc, const char **argv)
2094 {
2095 size_t num_names = 0;
2096 char **hostnames = NULL;
2097 size_t i = 0;
2098 struct samba_sockaddr *addrs = NULL;
2099 NTSTATUS status;
2100
2101 if (argc != 1 || c->display_usage) {
2102 d_printf( "%s\n"
2103 " %s\n"
2104 " %s\n",
2105 _("Usage:"),
2106 _("net ads dns async <name>\n"),
2107 _(" Async look up hostname from the DNS server\n"
2108 " hostname\tName to look up\n"));
2109 return -1;
2110 }
2111
2112 status = ads_dns_lookup_a(talloc_tos(),
2113 argv[0],
2114 &num_names,
2115 &hostnames,
2116 &addrs);
2117 if (!NT_STATUS_IS_OK(status)) {
2118 d_printf("Looking up A record for %s got error %s\n",
2119 argv[0],
2120 nt_errstr(status));
2121 return -1;
2122 }
2123 d_printf("Async A record lookup - got %u names for %s\n",
2124 (unsigned int)num_names,
2125 argv[0]);
2126 for (i = 0; i < num_names; i++) {
2127 char addr_buf[INET6_ADDRSTRLEN];
2128 print_sockaddr(addr_buf,
2129 sizeof(addr_buf),
2130 &addrs[i].u.ss);
2131 d_printf("hostname[%u] = %s, IPv4addr = %s\n",
2132 (unsigned int)i,
2133 hostnames[i],
2134 addr_buf);
2135 }
2136
2137 #if defined(HAVE_IPV6)
2138 status = ads_dns_lookup_aaaa(talloc_tos(),
2139 argv[0],
2140 &num_names,
2141 &hostnames,
2142 &addrs);
2143 if (!NT_STATUS_IS_OK(status)) {
2144 d_printf("Looking up AAAA record for %s got error %s\n",
2145 argv[0],
2146 nt_errstr(status));
2147 return -1;
2148 }
2149 d_printf("Async AAAA record lookup - got %u names for %s\n",
2150 (unsigned int)num_names,
2151 argv[0]);
2152 for (i = 0; i < num_names; i++) {
2153 char addr_buf[INET6_ADDRSTRLEN];
2154 print_sockaddr(addr_buf,
2155 sizeof(addr_buf),
2156 &addrs[i].u.ss);
2157 d_printf("hostname[%u] = %s, IPv6addr = %s\n",
2158 (unsigned int)i,
2159 hostnames[i],
2160 addr_buf);
2161 }
2162 #endif
2163 return 0;
2164 }
2165
2166
2167 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
2168 {
2169 struct functable func[] = {
2170 {
2171 "register",
2172 net_ads_dns_register,
2173 NET_TRANSPORT_ADS,
2174 N_("Add host dns entry to AD"),
2175 N_("net ads dns register\n"
2176 " Add host dns entry to AD")
2177 },
2178 {
2179 "unregister",
2180 net_ads_dns_unregister,
2181 NET_TRANSPORT_ADS,
2182 N_("Remove host dns entry from AD"),
2183 N_("net ads dns unregister\n"
2184 " Remove host dns entry from AD")
2185 },
2186 {
2187 "async",
2188 net_ads_dns_async,
2189 NET_TRANSPORT_ADS,
2190 N_("Look up host"),
2191 N_("net ads dns async\n"
2192 " Look up host using async DNS")
2193 },
2194 {NULL, NULL, 0, NULL, NULL}
2195 };
2196
2197 return net_run_function(c, argc, argv, "net ads dns", func);
2198 }
2199
2200 /*******************************************************************
2201 ********************************************************************/
2202
2203 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
2204 {
2205 d_printf(_(
2206 "\nnet ads printer search <printer>"
2207 "\n\tsearch for a printer in the directory\n"
2208 "\nnet ads printer info <printer> <server>"
2209 "\n\tlookup info in directory for printer on server"
2210 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
2211 "\nnet ads printer publish <printername>"
2212 "\n\tpublish printer in directory"
2213 "\n\t(note: printer name is required)\n"
2214 "\nnet ads printer remove <printername>"
2215 "\n\tremove printer from directory"
2216 "\n\t(note: printer name is required)\n"));
2217 return -1;
2218 }
2219
2220 /*******************************************************************
2221 ********************************************************************/
2222
2223 static int net_ads_printer_search(struct net_context *c,
2224 int argc,
2225 const char **argv)
2226 {
2227 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2228 ADS_STRUCT *ads = NULL;
2229 ADS_STATUS status;
2230 LDAPMessage *res = NULL;
2231 int ret = -1;
2232
2233 if (c->display_usage) {
2234 d_printf( "%s\n"
2235 "net ads printer search\n"
2236 " %s\n",
2237 _("Usage:"),
2238 _("List printers in the AD"));
2239 TALLOC_FREE(tmp_ctx);
2240 return -1;
2241 }
2242
2243 status = ads_startup(c, false, tmp_ctx, &ads);
2244 if (!ADS_ERR_OK(status)) {
2245 goto out;
2246 }
2247
2248 status = ads_find_printers(ads, &res);
2249 if (!ADS_ERR_OK(status)) {
2250 d_fprintf(stderr, _("ads_find_printer: %s\n"),
2251 ads_errstr(status));
2252 goto out;
2253 }
2254
2255 if (ads_count_replies(ads, res) == 0) {
2256 d_fprintf(stderr, _("No results found\n"));
2257 goto out;
2258 }
2259
2260 ads_dump(ads, res);
2261
2262 ret = 0;
2263 out:
2264 ads_msgfree(ads, res);
2265 TALLOC_FREE(tmp_ctx);
2266 return ret;
2267 }
2268
2269 static int net_ads_printer_info(struct net_context *c,
2270 int argc,
2271 const char **argv)
2272 {
2273 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2274 ADS_STRUCT *ads = NULL;
2275 ADS_STATUS status;
2276 const char *servername = NULL;
2277 const char *printername = NULL;
2278 LDAPMessage *res = NULL;
2279 int ret = -1;
2280
2281 if (c->display_usage) {
2282 d_printf("%s\n%s",
2283 _("Usage:"),
2284 _("net ads printer info [printername [servername]]\n"
2285 " Display printer info from AD\n"
2286 " printername\tPrinter name or wildcard\n"
2287 " servername\tName of the print server\n"));
2288 TALLOC_FREE(tmp_ctx);
2289 return -1;
2290 }
2291
2292 status = ads_startup(c, false, tmp_ctx, &ads);
2293 if (!ADS_ERR_OK(status)) {
2294 goto out;
2295 }
2296
2297 if (argc > 0) {
2298 printername = argv[0];
2299 } else {
2300 printername = "*";
2301 }
2302
2303 if (argc > 1) {
2304 servername = argv[1];
2305 } else {
2306 servername = lp_netbios_name();
2307 }
2308
2309 status = ads_find_printer_on_server(ads, &res, printername, servername);
2310 if (!ADS_ERR_OK(status)) {
2311 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
2312 servername, ads_errstr(status));
2313 goto out;
2314 }
2315
2316 if (ads_count_replies(ads, res) == 0) {
2317 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
2318 goto out;
2319 }
2320
2321 ads_dump(ads, res);
2322
2323 ret = 0;
2324 out:
2325 ads_msgfree(ads, res);
2326 TALLOC_FREE(tmp_ctx);
2327 return ret;
2328 }
2329
2330 static int net_ads_printer_publish(struct net_context *c,
2331 int argc,
2332 const char **argv)
2333 {
2334 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2335 ADS_STRUCT *ads = NULL;
2336 ADS_STATUS status;
2337 const char *servername = NULL;
2338 const char *printername = NULL;
2339 struct cli_state *cli = NULL;
2340 struct rpc_pipe_client *pipe_hnd = NULL;
2341 struct sockaddr_storage server_ss = { 0 };
2342 NTSTATUS nt_status;
2343 ADS_MODLIST mods = NULL;
2344 char *prt_dn = NULL;
2345 char *srv_dn = NULL;
2346 char **srv_cn = NULL;
2347 char *srv_cn_escaped = NULL;
2348 char *printername_escaped = NULL;
2349 LDAPMessage *res = NULL;
2350 bool ok;
2351 int ret = -1;
2352
2353 if (argc < 1 || c->display_usage) {
2354 d_printf("%s\n%s",
2355 _("Usage:"),
2356 _("net ads printer publish <printername> [servername]\n"
2357 " Publish printer in AD\n"
2358 " printername\tName of the printer\n"
2359 " servername\tName of the print server\n"));
2360 TALLOC_FREE(tmp_ctx);
2361 return -1;
2362 }
2363
2364 mods = ads_init_mods(tmp_ctx);
2365 if (mods == NULL) {
2366 d_fprintf(stderr, _("Out of memory\n"));
2367 goto out;
2368 }
2369
2370 status = ads_startup(c, true, tmp_ctx, &ads);
2371 if (!ADS_ERR_OK(status)) {
2372 goto out;
2373 }
2374
2375 printername = argv[0];
2376
2377 if (argc == 2) {
2378 servername = argv[1];
2379 } else {
2380 servername = lp_netbios_name();
2381 }
2382
2383 /* Get printer data from SPOOLSS */
2384
2385 ok = resolve_name(servername, &server_ss, 0x20, false);
2386 if (!ok) {
2387 d_fprintf(stderr, _("Could not find server %s\n"),
2388 servername);
2389 goto out;
2390 }
2391
2392 cli_credentials_set_kerberos_state(c->creds,
2393 CRED_USE_KERBEROS_REQUIRED,
2394 CRED_SPECIFIED);
2395
2396 nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
2397 &server_ss, 0,
2398 "IPC$", "IPC",
2399 c->creds,
2400 CLI_FULL_CONNECTION_IPC);
2401
2402 if (NT_STATUS_IS_ERR(nt_status)) {
2403 d_fprintf(stderr, _("Unable to open a connection to %s to "
2404 "obtain data for %s\n"),
2405 servername, printername);
2406 goto out;
2407 }
2408
2409 /* Publish on AD server */
2410
2411 ads_find_machine_acct(ads, &res, servername);
2412
2413 if (ads_count_replies(ads, res) == 0) {
2414 d_fprintf(stderr, _("Could not find machine account for server "
2415 "%s\n"),
2416 servername);
2417 goto out;
2418 }
2419
2420 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
2421 srv_cn = ldap_explode_dn(srv_dn, 1);
2422
2423 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
2424 printername_escaped = escape_rdn_val_string_alloc(printername);
2425 if (!srv_cn_escaped || !printername_escaped) {
2426 SAFE_FREE(srv_cn_escaped);
2427 SAFE_FREE(printername_escaped);
2428 d_fprintf(stderr, _("Internal error, out of memory!"));
2429 goto out;
2430 }
2431
2432 prt_dn = talloc_asprintf(tmp_ctx,
2433 "cn=%s-%s,%s",
2434 srv_cn_escaped,
2435 printername_escaped,
2436 srv_dn);
2437 if (prt_dn == NULL) {
2438 SAFE_FREE(srv_cn_escaped);
2439 SAFE_FREE(printername_escaped);
2440 d_fprintf(stderr, _("Internal error, out of memory!"));
2441 goto out;
2442 }
2443
2444 SAFE_FREE(srv_cn_escaped);
2445 SAFE_FREE(printername_escaped);
2446
2447 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
2448 if (!NT_STATUS_IS_OK(nt_status)) {
2449 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
2450 servername);
2451 goto out;
2452 }
2453
2454 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd,
2455 tmp_ctx,
2456 &mods,
2457 printername))) {
2458 goto out;
2459 }
2460
2461 status = ads_add_printer_entry(ads, prt_dn, tmp_ctx, &mods);
2462 if (!ADS_ERR_OK(status)) {
2463 d_fprintf(stderr, "ads_publish_printer: %s\n",
2464 ads_errstr(status));
2465 goto out;
2466 }
2467
2468 d_printf("published printer\n");
2469
2470 ret = 0;
2471 out:
2472 talloc_destroy(tmp_ctx);
2473
2474 return ret;
2475 }
2476
2477 static int net_ads_printer_remove(struct net_context *c,
2478 int argc,
2479 const char **argv)
2480 {
2481 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2482 ADS_STRUCT *ads = NULL;
2483 ADS_STATUS status;
2484 const char *servername = NULL;
2485 char *prt_dn = NULL;
2486 LDAPMessage *res = NULL;
2487 int ret = -1;
2488
2489 if (argc < 1 || c->display_usage) {
2490 d_printf("%s\n%s",
2491 _("Usage:"),
2492 _("net ads printer remove <printername> [servername]\n"
2493 " Remove a printer from the AD\n"
2494 " printername\tName of the printer\n"
2495 " servername\tName of the print server\n"));
2496 TALLOC_FREE(tmp_ctx);
2497 return -1;
2498 }
2499
2500 status = ads_startup(c, true, tmp_ctx, &ads);
2501 if (!ADS_ERR_OK(status)) {
2502 goto out;
2503 }
2504
2505 if (argc > 1) {
2506 servername = argv[1];
2507 } else {
2508 servername = lp_netbios_name();
2509 }
2510
2511 status = ads_find_printer_on_server(ads, &res, argv[0], servername);
2512 if (!ADS_ERR_OK(status)) {
2513 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"),
2514 ads_errstr(status));
2515 goto out;
2516 }
2517
2518 if (ads_count_replies(ads, res) == 0) {
2519 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
2520 goto out;
2521 }
2522
2523 prt_dn = ads_get_dn(ads, tmp_ctx, res);
2524 if (prt_dn == NULL) {
2525 d_fprintf(stderr, _("Out of memory\n"));
2526 goto out;
2527 }
2528
2529 status = ads_del_dn(ads, prt_dn);
2530 if (!ADS_ERR_OK(status)) {
2531 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(status));
2532 goto out;
2533 }
2534
2535 ret = 0;
2536 out:
2537 ads_msgfree(ads, res);
2538 TALLOC_FREE(tmp_ctx);
2539 return ret;
2540 }
2541
2542 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
2543 {
2544 struct functable func[] = {
2545 {
2546 "search",
2547 net_ads_printer_search,
2548 NET_TRANSPORT_ADS,
2549 N_("Search for a printer"),
2550 N_("net ads printer search\n"
2551 " Search for a printer")
2552 },
2553 {
2554 "info",
2555 net_ads_printer_info,
2556 NET_TRANSPORT_ADS,
2557 N_("Display printer information"),
2558 N_("net ads printer info\n"
2559 " Display printer information")
2560 },
2561 {
2562 "publish",
2563 net_ads_printer_publish,
2564 NET_TRANSPORT_ADS,
2565 N_("Publish a printer"),
2566 N_("net ads printer publish\n"
2567 " Publish a printer")
2568 },
2569 {
2570 "remove",
2571 net_ads_printer_remove,
2572 NET_TRANSPORT_ADS,
2573 N_("Delete a printer"),
2574 N_("net ads printer remove\n"
2575 " Delete a printer")
2576 },
2577 {NULL, NULL, 0, NULL, NULL}
2578 };
2579
2580 return net_run_function(c, argc, argv, "net ads printer", func);
2581 }
2582
2583
2584 static int net_ads_password(struct net_context *c, int argc, const char **argv)
2585 {
2586 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2587 ADS_STRUCT *ads = NULL;
2588 const char *auth_principal = cli_credentials_get_username(c->creds);
2589 const char *auth_password = cli_credentials_get_password(c->creds);
2590 const char *realm = NULL;
2591 char *new_password = NULL;
2592 char *chr = NULL;
2593 char *prompt = NULL;
2594 const char *user = NULL;
2595 char pwd[256] = {0};
2596 ADS_STATUS status;
2597 int ret = 0;
2598
2599 if (c->display_usage) {
2600 d_printf("%s\n%s",
2601 _("Usage:"),
2602 _("net ads password <username>\n"
2603 " Change password for user\n"
2604 " username\tName of user to change password for\n"));
2605 TALLOC_FREE(tmp_ctx);
2606 return -1;
2607 }
2608
2609 if (auth_principal == NULL || auth_password == NULL) {
2610 d_fprintf(stderr, _("You must supply an administrator "
2611 "username/password\n"));
2612 TALLOC_FREE(tmp_ctx);
2613 return -1;
2614 }
2615
2616 if (argc < 1) {
2617 d_fprintf(stderr, _("ERROR: You must say which username to "
2618 "change password for\n"));
2619 TALLOC_FREE(tmp_ctx);
2620 return -1;
2621 }
2622
2623 if (strchr_m(argv[0], '@')) {
2624 user = talloc_strdup(tmp_ctx, argv[0]);
2625 } else {
2626 user = talloc_asprintf(tmp_ctx, "%s@%s", argv[0], lp_realm());
2627 }
2628 if (user == NULL) {
2629 d_fprintf(stderr, _("Out of memory\n"));
2630 goto out;
2631 }
2632
2633 use_in_memory_ccache();
2634 chr = strchr_m(auth_principal, '@');
2635 if (chr) {
2636 realm = ++chr;
2637 } else {
2638 realm = lp_realm();
2639 }
2640
2641 /* use the realm so we can eventually change passwords for users
2642 in realms other than default */
2643 ads = ads_init(tmp_ctx,
2644 realm,
2645 c->opt_workgroup,
2646 c->opt_host,
2647 ADS_SASL_PLAIN);
2648 if (ads == NULL) {
2649 goto out;
2650 }
2651
2652 /* we don't actually need a full connect, but it's the easy way to
2653 fill in the KDC's address */
2654 ads_connect(ads);
2655
2656 if (!ads->config.realm) {
2657 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2658 goto out;
2659 }
2660
2661 if (argv[1] != NULL) {
2662 new_password = talloc_strdup(tmp_ctx, argv[1]);
2663 } else {
2664 int rc;
2665
2666 prompt = talloc_asprintf(tmp_ctx, _("Enter new password for %s:"), user);
2667 if (prompt == NULL) {
2668 d_fprintf(stderr, _("Out of memory\n"));
2669 goto out;
2670 }
2671
2672 rc = samba_getpass(prompt, pwd, sizeof(pwd), false, true);
2673 if (rc < 0) {
2674 goto out;
2675 }
2676 new_password = talloc_strdup(tmp_ctx, pwd);
2677 memset(pwd, '\0', sizeof(pwd));
2678 }
2679
2680 if (new_password == NULL) {
2681 d_fprintf(stderr, _("Out of memory\n"));
2682 goto out;
2683 }
2684
2685 status = kerberos_set_password(ads->auth.kdc_server,
2686 auth_principal,
2687 auth_password,
2688 user,
2689 new_password,
2690 ads->auth.time_offset);
2691 memset(new_password, '\0', strlen(new_password));
2692 if (!ADS_ERR_OK(status)) {
2693 d_fprintf(stderr, _("Password change failed: %s\n"),
2694 ads_errstr(status));
2695 goto out;
2696 }
2697
2698 d_printf(_("Password change for %s completed.\n"), user);
2699
2700 ret = 0;
2701 out:
2702 TALLOC_FREE(tmp_ctx);
2703 return ret;
2704 }
2705
2706 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2707 {
2708 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2709 ADS_STRUCT *ads = NULL;
2710 char *host_principal = NULL;
2711 char *my_name = NULL;
2712 ADS_STATUS status;
2713 int ret = -1;
2714
2715 if (c->display_usage) {
2716 d_printf( "%s\n"
2717 "net ads changetrustpw\n"
2718 " %s\n",
2719 _("Usage:"),
2720 _("Change the machine account's trust password"));
2721 TALLOC_FREE(tmp_ctx);
2722 return -1;
2723 }
2724
2725 if (!secrets_init()) {
2726 DEBUG(1,("Failed to initialise secrets database\n"));
2727 goto out;
2728 }
2729
2730 net_warn_member_options();
2731
2732 net_use_krb_machine_account(c);
2733
2734 use_in_memory_ccache();
2735
2736 status = ads_startup(c, true, tmp_ctx, &ads);
2737 if (!ADS_ERR_OK(status)) {
2738 goto out;
2739 }
2740
2741 my_name = talloc_asprintf_strlower_m(tmp_ctx, "%s", lp_netbios_name());
2742 if (my_name == NULL) {
2743 d_fprintf(stderr, _("Out of memory\n"));
2744 goto out;
2745 }
2746
2747 host_principal = talloc_asprintf(tmp_ctx, "%s$@%s", my_name, ads->config.realm);
2748 if (host_principal == NULL) {
2749 d_fprintf(stderr, _("Out of memory\n"));
2750 goto out;
2751 }
2752
2753 d_printf(_("Changing password for principal: %s\n"), host_principal);
2754
2755 status = ads_change_trust_account_password(ads, host_principal);
2756 if (!ADS_ERR_OK(status)) {
2757 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(status));
2758 goto out;
2759 }
2760
2761 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2762
2763 if (USE_SYSTEM_KEYTAB) {
2764 d_printf(_("Attempting to update system keytab with new password.\n"));
2765 if (ads_keytab_create_default(ads)) {
2766 d_printf(_("Failed to update system keytab.\n"));
2767 }
2768 }
2769
2770 ret = 0;
2771 out:
2772 TALLOC_FREE(tmp_ctx);
2773
2774 return ret;
2775 }
2776
2777 /*
2778 help for net ads search
2779 */
2780 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2781 {
2782 d_printf(_(
2783 "\nnet ads search <expression> <attributes...>\n"
2784 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2785 "The expression is a standard LDAP search expression, and the\n"
2786 "attributes are a list of LDAP fields to show in the results.\n\n"
2787 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2788 ));
2789 net_common_flags_usage(c, argc, argv);
2790 return -1;
2791 }
2792
2793
2794 /*
2795 general ADS search function. Useful in diagnosing problems in ADS
2796 */
2797 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2798 {
2799 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2800 ADS_STRUCT *ads = NULL;
2801 ADS_STATUS status;
2802 const char *ldap_exp = NULL;
2803 const char **attrs = NULL;
2804 LDAPMessage *res = NULL;
2805 int ret = -1;
2806
2807 if (argc < 1 || c->display_usage) {
2808 TALLOC_FREE(tmp_ctx);
2809 return net_ads_search_usage(c, argc, argv);
2810 }
2811
2812 status = ads_startup(c, false, tmp_ctx, &ads);
2813 if (!ADS_ERR_OK(status)) {
2814 goto out;
2815 }
2816
2817 ldap_exp = argv[0];
2818 attrs = (argv + 1);
2819
2820 status = ads_do_search_retry(ads,
2821 ads->config.bind_path,
2822 LDAP_SCOPE_SUBTREE,
2823 ldap_exp,
2824 attrs,
2825 &res);
2826 if (!ADS_ERR_OK(status)) {
2827 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(status));
2828 goto out;
2829 }
2830
2831 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2832
2833 /* dump the results */
2834 ads_dump(ads, res);
2835
2836 ret = 0;
2837 out:
2838 ads_msgfree(ads, res);
2839 TALLOC_FREE(tmp_ctx);
2840 return ret;
2841 }
2842
2843
2844 /*
2845 help for net ads search
2846 */
2847 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2848 {
2849 d_printf(_(
2850 "\nnet ads dn <dn> <attributes...>\n"
2851 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2852 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2853 "to show in the results\n\n"
2854 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2855 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2856 ));
2857 net_common_flags_usage(c, argc, argv);
2858 return -1;
2859 }
2860
2861
2862 /*
2863 general ADS search function. Useful in diagnosing problems in ADS
2864 */
2865 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2866 {
2867 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2868 ADS_STRUCT *ads = NULL;
2869 ADS_STATUS status;
2870 const char *dn = NULL;
2871 const char **attrs = NULL;
2872 LDAPMessage *res = NULL;
2873 int ret = -1;
2874
2875 if (argc < 1 || c->display_usage) {
2876 TALLOC_FREE(tmp_ctx);
2877 return net_ads_dn_usage(c, argc, argv);
2878 }
2879
2880 status = ads_startup(c, false, tmp_ctx, &ads);
2881 if (!ADS_ERR_OK(status)) {
2882 goto out;
2883 }
2884
2885 dn = argv[0];
2886 attrs = (argv + 1);
2887
2888 status = ads_do_search_all(ads,
2889 dn,
2890 LDAP_SCOPE_BASE,
2891 "(objectclass=*)",
2892 attrs,
2893 &res);
2894 if (!ADS_ERR_OK(status)) {
2895 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(status));
2896 goto out;
2897 }
2898
2899 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2900
2901 /* dump the results */
2902 ads_dump(ads, res);
2903
2904 ret = 0;
2905 out:
2906 ads_msgfree(ads, res);
2907 TALLOC_FREE(tmp_ctx);
2908 return ret;
2909 }
2910
2911 /*
2912 help for net ads sid search
2913 */
2914 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2915 {
2916 d_printf(_(
2917 "\nnet ads sid <sid> <attributes...>\n"
2918 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2919 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2920 "to show in the results\n\n"
2921 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2922 ));
2923 net_common_flags_usage(c, argc, argv);
2924 return -1;
2925 }
2926
2927
2928 /*
2929 general ADS search function. Useful in diagnosing problems in ADS
2930 */
2931 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2932 {
2933 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2934 ADS_STRUCT *ads = NULL;
2935 ADS_STATUS status;
2936 const char *sid_string = NULL;
2937 const char **attrs = NULL;
2938 LDAPMessage *res = NULL;
2939 struct dom_sid sid = { 0 };
2940 int ret = -1;
2941
2942 if (argc < 1 || c->display_usage) {
2943 TALLOC_FREE(tmp_ctx);
2944 return net_ads_sid_usage(c, argc, argv);
2945 }
2946
2947 status = ads_startup(c, false, tmp_ctx, &ads);
2948 if (!ADS_ERR_OK(status)) {
2949 goto out;
2950 }
2951
2952 sid_string = argv[0];
2953 attrs = (argv + 1);
2954
2955 if (!string_to_sid(&sid, sid_string)) {
2956 d_fprintf(stderr, _("could not convert sid\n"));
2957 goto out;
2958 }
2959
2960 status = ads_search_retry_sid(ads, &res, &sid, attrs);
2961 if (!ADS_ERR_OK(status)) {
2962 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(status));
2963 goto out;
2964 }
2965
2966 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2967
2968 /* dump the results */
2969 ads_dump(ads, res);
2970
2971 ret = 0;
2972 out:
2973 ads_msgfree(ads, res);
2974 TALLOC_FREE(tmp_ctx);
2975 return ret;
2976 }
2977
2978 static int net_ads_keytab_flush(struct net_context *c,
2979 int argc,
2980 const char **argv)
2981 {
2982 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2983 ADS_STRUCT *ads = NULL;
2984 ADS_STATUS status;
2985 int ret = -1;
2986
2987 if (c->display_usage) {
2988 d_printf( "%s\n"
2989 "net ads keytab flush\n"
2990 " %s\n",
2991 _("Usage:"),
2992 _("Delete the whole keytab"));
2993 TALLOC_FREE(tmp_ctx);
2994 return -1;
2995 }
2996
2997 if (!c->opt_user_specified && c->opt_password == NULL) {
2998 net_use_krb_machine_account(c);
2999 }
3000
3001 status = ads_startup(c, true, tmp_ctx, &ads);
3002 if (!ADS_ERR_OK(status)) {
3003 goto out;
3004 }
3005
3006 ret = ads_keytab_flush(ads);
3007 out:
3008 TALLOC_FREE(tmp_ctx);
3009 return ret;
3010 }
3011
3012 static int net_ads_keytab_add(struct net_context *c,
3013 int argc,
3014 const char **argv,
3015 bool update_ads)
3016 {
3017 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3018 ADS_STRUCT *ads = NULL;
3019 ADS_STATUS status;
3020 int i;
3021 int ret = -1;
3022
3023 if (c->display_usage) {
3024 d_printf("%s\n%s",
3025 _("Usage:"),
3026 _("net ads keytab add <principal> [principal ...]\n"
3027 " Add principals to local keytab\n"
3028 " principal\tKerberos principal to add to "
3029 "keytab\n"));
3030 TALLOC_FREE(tmp_ctx);
3031 return -1;
3032 }
3033
3034 net_warn_member_options();
3035
3036 d_printf(_("Processing principals to add...\n"));
3037
3038 if (!c->opt_user_specified && c->opt_password == NULL) {
3039 net_use_krb_machine_account(c);
3040 }
3041
3042 status = ads_startup(c, true, tmp_ctx, &ads);
3043 if (!ADS_ERR_OK(status)) {
3044 goto out;
3045 }
3046
3047 for (ret = 0, i = 0; i < argc; i++) {
3048 ret |= ads_keytab_add_entry(ads, argv[i], update_ads);
3049 }
3050 out:
3051 TALLOC_FREE(tmp_ctx);
3052 return ret;
3053 }
3054
3055 static int net_ads_keytab_add_default(struct net_context *c,
3056 int argc,
3057 const char **argv)
3058 {
3059 return net_ads_keytab_add(c, argc, argv, false);
3060 }
3061
3062 static int net_ads_keytab_add_update_ads(struct net_context *c,
3063 int argc,
3064 const char **argv)
3065 {
3066 return net_ads_keytab_add(c, argc, argv, true);
3067 }
3068
3069 static int net_ads_keytab_delete(struct net_context *c,
3070 int argc,
3071 const char **argv)
3072 {
3073 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3074 ADS_STRUCT *ads = NULL;
3075 ADS_STATUS status;
3076 int i;
3077 int ret = -1;
3078
3079 if (c->display_usage) {
3080 d_printf("%s\n%s",
3081 _("Usage:"),
3082 _("net ads keytab delete <principal> [principal ...]\n"
3083 " Remove entries for service principal, "
3084 " from the keytab file only."
3085 " Remove principals from local keytab\n"
3086 " principal\tKerberos principal to remove from "
3087 "keytab\n"));
3088 TALLOC_FREE(tmp_ctx);
3089 return -1;
3090 }
3091
3092 d_printf(_("Processing principals to delete...\n"));
3093
3094 if (!c->opt_user_specified && c->opt_password == NULL) {
3095 net_use_krb_machine_account(c);
3096 }
3097
3098 status = ads_startup(c, true, tmp_ctx, &ads);
3099 if (!ADS_ERR_OK(status)) {
3100 goto out;
3101 }
3102
3103 for (ret = 0, i = 0; i < argc; i++) {
3104 ret |= ads_keytab_delete_entry(ads, argv[i]);
3105 }
3106 out:
3107 TALLOC_FREE(tmp_ctx);
3108 return ret;
3109 }
3110
3111 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
3112 {
3113 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3114 ADS_STRUCT *ads = NULL;
3115 ADS_STATUS status;
3116 int ret = -1;
3117
3118 if (c->display_usage) {
3119 d_printf( "%s\n"
3120 "net ads keytab create\n"
3121 " %s\n",
3122 _("Usage:"),
3123 _("Create new default keytab"));
3124 TALLOC_FREE(tmp_ctx);
3125 return -1;
3126 }
3127
3128 net_warn_member_options();
3129
3130 if (!c->opt_user_specified && c->opt_password == NULL) {
3131 net_use_krb_machine_account(c);
3132 }
3133
3134 status = ads_startup(c, true, tmp_ctx, &ads);
3135 if (!ADS_ERR_OK(status)) {
3136 goto out;
3137 }
3138
3139 ret = ads_keytab_create_default(ads);
3140 out:
3141 TALLOC_FREE(tmp_ctx);
3142 return ret;
3143 }
3144
3145 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
3146 {
3147 const char *keytab = NULL;
3148
3149 if (c->display_usage) {
3150 d_printf("%s\n%s",
3151 _("Usage:"),
3152 _("net ads keytab list [keytab]\n"
3153 " List a local keytab\n"
3154 " keytab\tKeytab to list\n"));
3155 return -1;
3156 }
3157
3158 if (argc >= 1) {
3159 keytab = argv[0];
3160 }
3161
3162 return ads_keytab_list(keytab);
3163 }
3164
3165
3166 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
3167 {
3168 struct functable func[] = {
3169 {
3170 "add",
3171 net_ads_keytab_add_default,
3172 NET_TRANSPORT_ADS,
3173 N_("Add a service principal"),
3174 N_("net ads keytab add\n"
3175 " Add a service principal, updates keytab file only.")
3176 },
3177 {
3178 "delete",
3179 net_ads_keytab_delete,
3180 NET_TRANSPORT_ADS,
3181 N_("Delete a service principal"),
3182 N_("net ads keytab delete\n"
3183 " Remove entries for service principal, from the keytab file only.")
3184 },
3185 {
3186 "add_update_ads",
3187 net_ads_keytab_add_update_ads,
3188 NET_TRANSPORT_ADS,
3189 N_("Add a service principal"),
3190 N_("net ads keytab add_update_ads\n"
3191 " Add a service principal, depending on the param passed may update ADS computer object in addition to the keytab file.")
3192 },
3193 {
3194 "create",
3195 net_ads_keytab_create,
3196 NET_TRANSPORT_ADS,
3197 N_("Create a fresh keytab"),
3198 N_("net ads keytab create\n"
3199 " Create a fresh keytab or update existing one.")
3200 },
3201 {
3202 "flush",
3203 net_ads_keytab_flush,
3204 NET_TRANSPORT_ADS,
3205 N_("Remove all keytab entries"),
3206 N_("net ads keytab flush\n"
3207 " Remove all keytab entries")
3208 },
3209 {
3210 "list",
3211 net_ads_keytab_list,
3212 NET_TRANSPORT_ADS,
3213 N_("List a keytab"),
3214 N_("net ads keytab list\n"
3215 " List a keytab")
3216 },
3217 {NULL, NULL, 0, NULL, NULL}
3218 };
3219
3220 if (!USE_KERBEROS_KEYTAB) {
3221 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
3222 "keytab method to use keytab functions.\n"));
3223 }
3224
3225 return net_run_function(c, argc, argv, "net ads keytab", func);
3226 }
3227
3228 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
3229 {
3230 int ret = -1;
3231
3232 if (c->display_usage) {
3233 d_printf( "%s\n"
3234 "net ads kerberos renew\n"
3235 " %s\n",
3236 _("Usage:"),
3237 _("Renew TGT from existing credential cache"));
3238 return -1;
3239 }
3240
3241 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
3242 if (ret) {
3243 d_printf(_("failed to renew kerberos ticket: %s\n"),
3244 error_message(ret));
3245 }
3246 return ret;
3247 }
3248
3249 static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
3250 struct PAC_DATA_CTR **pac_data_ctr)
3251 {
3252 NTSTATUS status;
3253 int ret = -1;
3254 const char *impersonate_princ_s = NULL;
3255 const char *local_service = NULL;
3256 int i;
3257
3258 for (i=0; i<argc; i++) {
3259 if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
3260 impersonate_princ_s = get_string_param(argv[i]);
3261 if (impersonate_princ_s == NULL) {
3262 return -1;
3263 }
3264 }
3265 if (strnequal(argv[i], "local_service", strlen("local_service"))) {
3266 local_service = get_string_param(argv[i]);
3267 if (local_service == NULL) {
3268 return -1;
3269 }
3270 }
3271 }
3272
3273 if (local_service == NULL) {
3274 local_service = talloc_asprintf(c, "%s$@%s",
3275 lp_netbios_name(), lp_realm());
3276 if (local_service == NULL) {
3277 goto out;
3278 }
3279 }
3280
3281 c->opt_password = net_prompt_pass(c, c->opt_user_name);
3282
3283 status = kerberos_return_pac(c,
3284 c->opt_user_name,
3285 c->opt_password,
3286 0,
3287 NULL,
3288 NULL,
3289 NULL,
3290 true,
3291 true,
3292 2592000, /* one month */
3293 impersonate_princ_s,
3294 local_service,
3295 NULL,
3296 NULL,
3297 pac_data_ctr);
3298 if (!NT_STATUS_IS_OK(status)) {
3299 d_printf(_("failed to query kerberos PAC: %s\n"),
3300 nt_errstr(status));
3301 goto out;
3302 }
3303
3304 ret = 0;
3305 out:
3306 return ret;
3307 }
3308
3309 static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
3310 {
3311 struct PAC_DATA_CTR *pac_data_ctr = NULL;
3312 int i, num_buffers;
3313 int ret = -1;
3314 enum PAC_TYPE type = 0;
3315
3316 if (c->display_usage) {
3317 d_printf( "%s\n"
3318 "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
3319 " %s\n",
3320 _("Usage:"),
3321 _("Dump the Kerberos PAC"));
3322 return -1;
3323 }
3324
3325 for (i=0; i<argc; i++) {
3326 if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
3327 type = get_int_param(argv[i]);
3328 }
3329 }
3330
3331 ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
3332 if (ret) {
3333 return ret;
3334 }
3335
3336 if (type == 0) {
3337
3338 char *s = NULL;
3339
3340 s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
3341 pac_data_ctr->pac_data);
3342 if (s != NULL) {
3343 d_printf(_("The Pac: %s\n"), s);
3344 talloc_free(s);
3345 }
3346
3347 return 0;
3348 }
3349
3350 num_buffers = pac_data_ctr->pac_data->num_buffers;
3351
3352 for (i=0; i<num_buffers; i++) {
3353
3354 char *s = NULL;
3355
3356 if (pac_data_ctr->pac_data->buffers[i].type != type) {
3357 continue;
3358 }
3359
3360 s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
3361 pac_data_ctr->pac_data->buffers[i].info);
3362 if (s != NULL) {
3363 d_printf(_("The Pac: %s\n"), s);
3364 talloc_free(s);
3365 }
3366 break;
3367 }
3368
3369 return 0;
3370 }
3371
3372 static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
3373 {
3374 struct PAC_DATA_CTR *pac_data_ctr = NULL;
3375 char *filename = NULL;
3376 int ret = -1;
3377 int i;
3378
3379 if (c->display_usage) {
3380 d_printf( "%s\n"
3381 "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
3382 " %s\n",
3383 _("Usage:"),
3384 _("Save the Kerberos PAC"));
3385 return -1;
3386 }
3387
3388 for (i=0; i<argc; i++) {
3389 if (strnequal(argv[i], "filename", strlen("filename"))) {
3390 filename = get_string_param(argv[i]);
3391 if (filename == NULL) {
3392 return -1;
3393 }
3394 }
3395 }
3396
3397 ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
3398 if (ret) {
3399 return ret;
3400 }
3401
3402 if (filename == NULL) {
3403 d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
3404 return -1;
3405 }
3406
3407 /* save the raw format */
3408 if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
3409 d_printf(_("failed to save PAC in %s\n"), filename);
3410 return -1;
3411 }
3412
3413 return 0;
3414 }
3415
3416 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
3417 {
3418 struct functable func[] = {
3419 {
3420 "dump",
3421 net_ads_kerberos_pac_dump,
3422 NET_TRANSPORT_ADS,
3423 N_("Dump Kerberos PAC"),
3424 N_("net ads kerberos pac dump\n"
3425 " Dump a Kerberos PAC to stdout")
3426 },
3427 {
3428 "save",
3429 net_ads_kerberos_pac_save,
3430 NET_TRANSPORT_ADS,
3431 N_("Save Kerberos PAC"),
3432 N_("net ads kerberos pac save\n"
3433 " Save a Kerberos PAC in a file")
3434 },
3435
3436 {NULL, NULL, 0, NULL, NULL}
3437 };
3438
3439 return net_run_function(c, argc, argv, "net ads kerberos pac", func);
3440 }
3441
3442 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
3443 {
3444 int ret = -1;
3445 NTSTATUS status;
3446
3447 if (c->display_usage) {
3448 d_printf( "%s\n"
3449 "net ads kerberos kinit\n"
3450 " %s\n",
3451 _("Usage:"),
3452 _("Get Ticket Granting Ticket (TGT) for the user"));
3453 return -1;
3454 }
3455
3456 c->opt_password = net_prompt_pass(c, c->opt_user_name);
3457
3458 ret = kerberos_kinit_password_ext(c->opt_user_name,
3459 c->opt_password,
3460 0,
3461 NULL,
3462 NULL,
3463 NULL,
3464 true,
3465 true,
3466 2592000, /* one month */
3467 NULL,
3468 NULL,
3469 NULL,
3470 &status);
3471 if (ret) {
3472 d_printf(_("failed to kinit password: %s\n"),
3473 nt_errstr(status));
3474 }
3475 return ret;
3476 }
3477
3478 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
3479 {
3480 struct functable func[] = {
3481 {
3482 "kinit",
3483 net_ads_kerberos_kinit,
3484 NET_TRANSPORT_ADS,
3485 N_("Retrieve Ticket Granting Ticket (TGT)"),
3486 N_("net ads kerberos kinit\n"
3487 " Receive Ticket Granting Ticket (TGT)")
3488 },
3489 {
3490 "renew",
3491 net_ads_kerberos_renew,
3492 NET_TRANSPORT_ADS,
3493 N_("Renew Ticket Granting Ticket from credential cache"),
3494 N_("net ads kerberos renew\n"
3495 " Renew Ticket Granting Ticket (TGT) from "
3496 "credential cache")
3497 },
3498 {
3499 "pac",
3500 net_ads_kerberos_pac,
3501 NET_TRANSPORT_ADS,
3502 N_("Dump Kerberos PAC"),
3503 N_("net ads kerberos pac\n"
3504 " Dump Kerberos PAC")
3505 },
3506 {NULL, NULL, 0, NULL, NULL}
3507 };
3508
3509 return net_run_function(c, argc, argv, "net ads kerberos", func);
3510 }
3511
3512 static int net_ads_setspn_list(struct net_context *c,
3513 int argc,
3514 const char **argv)
3515 {
3516 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3517 ADS_STRUCT *ads = NULL;
3518 ADS_STATUS status;
3519 bool ok = false;
3520 int ret = -1;
3521
3522 if (c->display_usage) {
3523 d_printf("%s\n%s",
3524 _("Usage:"),
3525 _("net ads setspn list <machinename>\n"));
3526 TALLOC_FREE(tmp_ctx);
3527 return -1;
3528 }
3529
3530 status = ads_startup(c, true, tmp_ctx, &ads);
3531 if (!ADS_ERR_OK(status)) {
3532 goto out;
3533 }
3534
3535 if (argc) {
3536 ok = ads_setspn_list(ads, argv[0]);
3537 } else {
3538 ok = ads_setspn_list(ads, lp_netbios_name());
3539 }
3540
3541 ret = ok ? 0 : -1;
3542 out:
3543 TALLOC_FREE(tmp_ctx);
3544 return ret;
3545 }
3546
3547 static int net_ads_setspn_add(struct net_context *c, int argc, const char **argv)
3548 {
3549 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3550 ADS_STRUCT *ads = NULL;
3551 ADS_STATUS status;
3552 bool ok = false;
3553 int ret = -1;
3554
3555 if (c->display_usage || argc < 1) {
3556 d_printf("%s\n%s",
3557 _("Usage:"),
3558 _("net ads setspn add <machinename> SPN\n"));
3559 TALLOC_FREE(tmp_ctx);
3560 return -1;
3561 }
3562
3563 status = ads_startup(c, true, tmp_ctx, &ads);
3564 if (!ADS_ERR_OK(status)) {
3565 goto out;
3566 }
3567
3568 if (argc > 1) {
3569 ok = ads_setspn_add(ads, argv[0], argv[1]);
3570 } else {
3571 ok = ads_setspn_add(ads, lp_netbios_name(), argv[0]);
3572 }
3573
3574 ret = ok ? 0 : -1;
3575 out:
3576 TALLOC_FREE(tmp_ctx);
3577 return ret;
3578 }
3579
3580 static int net_ads_setspn_delete(struct net_context *c, int argc, const char **argv)
3581 {
3582 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3583 ADS_STRUCT *ads = NULL;
3584 ADS_STATUS status;
3585 bool ok = false;
3586 int ret = -1;
3587
3588 if (c->display_usage || argc < 1) {
3589 d_printf("%s\n%s",
3590 _("Usage:"),
3591 _("net ads setspn delete <machinename> SPN\n"));
3592 TALLOC_FREE(tmp_ctx);
3593 return -1;
3594 }
3595
3596 status = ads_startup(c, true, tmp_ctx, &ads);
3597 if (!ADS_ERR_OK(status)) {
3598 goto out;
3599 }
3600
3601 if (argc > 1) {
3602 ok = ads_setspn_delete(ads, argv[0], argv[1]);
3603 } else {
3604 ok = ads_setspn_delete(ads, lp_netbios_name(), argv[0]);
3605 }
3606
3607 ret = ok ? 0 : -1;
3608 out:
3609 TALLOC_FREE(tmp_ctx);
3610 return ret;
3611 }
3612
3613 int net_ads_setspn(struct net_context *c, int argc, const char **argv)
3614 {
3615 struct functable func[] = {
3616 {
3617 "list",
3618 net_ads_setspn_list,
3619 NET_TRANSPORT_ADS,
3620 N_("List Service Principal Names (SPN)"),
3621 N_("net ads setspn list machine\n"
3622 " List Service Principal Names (SPN)")
3623 },
3624 {
3625 "add",
3626 net_ads_setspn_add,
3627 NET_TRANSPORT_ADS,
3628 N_("Add Service Principal Names (SPN)"),
3629 N_("net ads setspn add machine spn\n"
3630 " Add Service Principal Names (SPN)")
3631 },
3632 {
3633 "delete",
3634 net_ads_setspn_delete,
3635 NET_TRANSPORT_ADS,
3636 N_("Delete Service Principal Names (SPN)"),
3637 N_("net ads setspn delete machine spn\n"
3638 " Delete Service Principal Names (SPN)")
3639 },
3640 {NULL, NULL, 0, NULL, NULL}
3641 };
3642
3643 return net_run_function(c, argc, argv, "net ads setspn", func);
3644 }
3645
3646 static int net_ads_enctype_lookup_account(struct net_context *c,
3647 ADS_STRUCT *ads,
3648 const char *account,
3649 LDAPMessage **res,
3650 const char **enctype_str)
3651 {
3652 const char *filter;
3653 const char *attrs[] = {
3654 "msDS-SupportedEncryptionTypes",
3655 NULL
3656 };
3657 int count;
3658 int ret = -1;
3659 ADS_STATUS status;
3660
3661 filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
3662 account);
3663 if (filter == NULL) {
3664 goto done;
3665 }
3666
3667 status = ads_search(ads, res, filter, attrs);
3668 if (!ADS_ERR_OK(status)) {
3669 d_printf(_("no account found with filter: %s\n"), filter);
3670 goto done;
3671 }
3672
3673 count = ads_count_replies(ads, *res);
3674 switch (count) {
3675 case 1:
3676 break;
3677 case 0:
3678 d_printf(_("no account found with filter: %s\n"), filter);
3679 goto done;
3680 default:
3681 d_printf(_("multiple accounts found with filter: %s\n"), filter);
3682 goto done;
3683 }
3684
3685 if (enctype_str) {
3686 *enctype_str = ads_pull_string(ads, c, *res,
3687 "msDS-SupportedEncryptionTypes");
3688 if (*enctype_str == NULL) {
3689 d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
3690 goto done;
3691 }
3692 }
3693
3694 ret = 0;
3695 done:
3696 return ret;
3697 }
3698
3699 static void net_ads_enctype_dump_enctypes(const char *username,
3700 const char *enctype_str)
3701 {
3702 int enctypes = atoi(enctype_str);
3703
3704 d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\": %d (0x%08x)\n"),
3705 username, enctypes, enctypes);
3706
3707 printf("[%s] 0x%08x DES-CBC-CRC\n",
3708 enctypes & ENC_CRC32 ? "X" : " ",
3709 ENC_CRC32);
3710 printf("[%s] 0x%08x DES-CBC-MD5\n",
3711 enctypes & ENC_RSA_MD5 ? "X" : " ",
3712 ENC_RSA_MD5);
3713 printf("[%s] 0x%08x RC4-HMAC\n",
3714 enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
3715 ENC_RC4_HMAC_MD5);
3716 printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
3717 enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
3718 ENC_HMAC_SHA1_96_AES128);
3719 printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
3720 enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
3721 ENC_HMAC_SHA1_96_AES256);
3722 printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96-SK\n",
3723 enctypes & ENC_HMAC_SHA1_96_AES256_SK ? "X" : " ",
3724 ENC_HMAC_SHA1_96_AES256_SK);
3725 printf("[%s] 0x%08x RESOURCE-SID-COMPRESSION-DISABLED\n",
3726 enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED ? "X" : " ",
3727 KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED);
3728 }
3729
3730 static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
3731 {
3732 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3733 ADS_STATUS status;
3734 ADS_STRUCT *ads = NULL;
3735 LDAPMessage *res = NULL;
3736 const char *str = NULL;
3737 int ret = -1;
3738
3739 if (c->display_usage || (argc < 1)) {
3740 d_printf( "%s\n"
3741 "net ads enctypes list\n"
3742 " %s\n",
3743 _("Usage:"),
3744 _("List supported enctypes"));
3745 TALLOC_FREE(tmp_ctx);
3746 return -1;
3747 }
3748
3749 status = ads_startup(c, false, tmp_ctx, &ads);
3750 if (!ADS_ERR_OK(status)) {
3751 goto out;
3752 }
3753
3754 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
3755 if (ret) {
3756 goto out;
3757 }
3758
3759 net_ads_enctype_dump_enctypes(argv[0], str);
3760
3761 ret = 0;
3762 out:
3763 ads_msgfree(ads, res);
3764 TALLOC_FREE(tmp_ctx);
3765 return ret;
3766 }
3767
3768 static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
3769 {
3770 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3771 int ret = -1;
3772 ADS_STATUS status;
3773 ADS_STRUCT *ads = NULL;
3774 LDAPMessage *res = NULL;
3775 const char *etype_list_str = NULL;
3776 const char *dn = NULL;
3777 ADS_MODLIST mods = NULL;
3778 uint32_t etype_list;
3779 const char *str = NULL;
3780
3781 if (c->display_usage || argc < 1) {
3782 d_printf( "%s\n"
3783 "net ads enctypes set <sAMAccountName> [enctypes]\n"
3784 " %s\n",
3785 _("Usage:"),
3786 _("Set supported enctypes"));
3787 TALLOC_FREE(tmp_ctx);
3788 return -1;
3789 }
3790
3791 status = ads_startup(c, false, tmp_ctx, &ads);
3792 if (!ADS_ERR_OK(status)) {
3793 goto done;
3794 }
3795
3796 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
3797 if (ret) {
3798 goto done;
3799 }
3800
3801 dn = ads_get_dn(ads, tmp_ctx, res);
3802 if (dn == NULL) {
3803 goto done;
3804 }
3805
3806 etype_list = 0;
3807 etype_list |= ENC_RC4_HMAC_MD5;
3808 etype_list |= ENC_HMAC_SHA1_96_AES128;
3809 etype_list |= ENC_HMAC_SHA1_96_AES256;
3810
3811 if (argv[1] != NULL) {
3812 sscanf(argv[1], "%i", &etype_list);
3813 }
3814
3815 etype_list_str = talloc_asprintf(tmp_ctx, "%d", etype_list);
3816 if (!etype_list_str) {
3817 goto done;
3818 }
3819
3820 mods = ads_init_mods(tmp_ctx);
3821 if (!mods) {
3822 goto done;
3823 }
3824
3825 status = ads_mod_str(tmp_ctx, &mods, "msDS-SupportedEncryptionTypes",
3826 etype_list_str);
3827 if (!ADS_ERR_OK(status)) {
3828 goto done;
3829 }
3830
3831 status = ads_gen_mod(ads, dn, mods);
3832 if (!ADS_ERR_OK(status)) {
3833 d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
3834 ads_errstr(status));
3835 goto done;
3836 }
3837
3838 ads_msgfree(ads, res);
3839 res = NULL;
3840
3841 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
3842 if (ret) {
3843 goto done;
3844 }
3845
3846 net_ads_enctype_dump_enctypes(argv[0], str);
3847
3848 ret = 0;
3849 done:
3850 ads_msgfree(ads, res);
3851 TALLOC_FREE(tmp_ctx);
3852 return ret;
3853 }
3854
3855 static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
3856 {
3857 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3858 int ret = -1;
3859 ADS_STATUS status;
3860 ADS_STRUCT *ads = NULL;
3861 LDAPMessage *res = NULL;
3862 const char *dn = NULL;
3863 ADS_MODLIST mods = NULL;
3864
3865 if (c->display_usage || argc < 1) {
3866 d_printf( "%s\n"
3867 "net ads enctypes delete <sAMAccountName>\n"
3868 " %s\n",
3869 _("Usage:"),
3870 _("Delete supported enctypes"));
3871 TALLOC_FREE(tmp_ctx);
3872 return -1;
3873 }
3874
3875 status = ads_startup(c, false, tmp_ctx, &ads);
3876 if (!ADS_ERR_OK(status)) {
3877 goto done;
3878 }
3879
3880 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
3881 if (ret) {
3882 goto done;
3883 }
3884
3885 dn = ads_get_dn(ads, tmp_ctx, res);
3886 if (dn == NULL) {
3887 goto done;
3888 }
3889
3890 mods = ads_init_mods(tmp_ctx);
3891 if (!mods) {
3892 goto done;
3893 }
3894
3895 status = ads_mod_str(tmp_ctx, &mods, "msDS-SupportedEncryptionTypes", NULL);
3896 if (!ADS_ERR_OK(status)) {
3897 goto done;
3898 }
3899
3900 status = ads_gen_mod(ads, dn, mods);
3901 if (!ADS_ERR_OK(status)) {
3902 d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
3903 ads_errstr(status));
3904 goto done;
3905 }
3906
3907 ret = 0;
3908
3909 done:
3910 ads_msgfree(ads, res);
3911 TALLOC_FREE(tmp_ctx);
3912 return ret;
3913 }
3914
3915 static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
3916 {
3917 struct functable func[] = {
3918 {
3919 "list",
3920 net_ads_enctypes_list,
3921 NET_TRANSPORT_ADS,
3922 N_("List the supported encryption types"),
3923 N_("net ads enctypes list\n"
3924 " List the supported encryption types")
3925 },
3926 {
3927 "set",
3928 net_ads_enctypes_set,
3929 NET_TRANSPORT_ADS,
3930 N_("Set the supported encryption types"),
3931 N_("net ads enctypes set\n"
3932 " Set the supported encryption types")
3933 },
3934 {
3935 "delete",
3936 net_ads_enctypes_delete,
3937 NET_TRANSPORT_ADS,
3938 N_("Delete the supported encryption types"),
3939 N_("net ads enctypes delete\n"
3940 " Delete the supported encryption types")
3941 },
3942
3943 {NULL, NULL, 0, NULL, NULL}
3944 };
3945
3946 return net_run_function(c, argc, argv, "net ads enctypes", func);
3947 }
3948
3949
3950 int net_ads(struct net_context *c, int argc, const char **argv)
3951 {
3952 struct functable func[] = {
3953 {
3954 "info",
3955 net_ads_info,
3956 NET_TRANSPORT_ADS,
3957 N_("Display details on remote ADS server"),
3958 N_("net ads info\n"
3959 " Display details on remote ADS server")
3960 },
3961 {
3962 "join",
3963 net_ads_join,
3964 NET_TRANSPORT_ADS,
3965 N_("Join the local machine to ADS realm"),
3966 N_("net ads join\n"
3967 " Join the local machine to ADS realm")
3968 },
3969 {
3970 "testjoin",
3971 net_ads_testjoin,
3972 NET_TRANSPORT_ADS,
3973 N_("Validate machine account"),
3974 N_("net ads testjoin\n"
3975 " Validate machine account")
3976 },
3977 {
3978 "leave",
3979 net_ads_leave,
3980 NET_TRANSPORT_ADS,
3981 N_("Remove the local machine from ADS"),
3982 N_("net ads leave\n"
3983 " Remove the local machine from ADS")
3984 },
3985 {
3986 "status",
3987 net_ads_status,
3988 NET_TRANSPORT_ADS,
3989 N_("Display machine account details"),
3990 N_("net ads status\n"
3991 " Display machine account details")
3992 },
3993 {
3994 "user",
3995 net_ads_user,
3996 NET_TRANSPORT_ADS,
3997 N_("List/modify users"),
3998 N_("net ads user\n"
3999 " List/modify users")
4000 },
4001 {
4002 "group",
4003 net_ads_group,
4004 NET_TRANSPORT_ADS,
4005 N_("List/modify groups"),
4006 N_("net ads group\n"
4007 " List/modify groups")
4008 },
4009 {
4010 "dns",
4011 net_ads_dns,
4012 NET_TRANSPORT_ADS,
4013 N_("Issue dynamic DNS update"),
4014 N_("net ads dns\n"
4015 " Issue dynamic DNS update")
4016 },
4017 {
4018 "password",
4019 net_ads_password,
4020 NET_TRANSPORT_ADS,
4021 N_("Change user passwords"),
4022 N_("net ads password\n"
4023 " Change user passwords")
4024 },
4025 {
4026 "changetrustpw",
4027 net_ads_changetrustpw,
4028 NET_TRANSPORT_ADS,
4029 N_("Change trust account password"),
4030 N_("net ads changetrustpw\n"
4031 " Change trust account password")
4032 },
4033 {
4034 "printer",
4035 net_ads_printer,
4036 NET_TRANSPORT_ADS,
4037 N_("List/modify printer entries"),
4038 N_("net ads printer\n"
4039 " List/modify printer entries")
4040 },
4041 {
4042 "search",
4043 net_ads_search,
4044 NET_TRANSPORT_ADS,
4045 N_("Issue LDAP search using filter"),
4046 N_("net ads search\n"
4047 " Issue LDAP search using filter")
4048 },
4049 {
4050 "dn",
4051 net_ads_dn,
4052 NET_TRANSPORT_ADS,
4053 N_("Issue LDAP search by DN"),
4054 N_("net ads dn\n"
4055 " Issue LDAP search by DN")
4056 },
4057 {
4058 "sid",
4059 net_ads_sid,
4060 NET_TRANSPORT_ADS,
4061 N_("Issue LDAP search by SID"),
4062 N_("net ads sid\n"
4063 " Issue LDAP search by SID")
4064 },
4065 {
4066 "workgroup",
4067 net_ads_workgroup,
4068 NET_TRANSPORT_ADS,
4069 N_("Display workgroup name"),
4070 N_("net ads workgroup\n"
4071 " Display the workgroup name")
4072 },
4073 {
4074 "lookup",
4075 net_ads_lookup,
4076 NET_TRANSPORT_ADS,
4077 N_("Perform CLDAP query on DC"),
4078 N_("net ads lookup\n"
4079 " Find the ADS DC using CLDAP lookups")
4080 },
4081 {
4082 "keytab",
4083 net_ads_keytab,
4084 NET_TRANSPORT_ADS,
4085 N_("Manage local keytab file"),
4086 N_("net ads keytab\n"
4087 " Manage local keytab file")
4088 },
4089 {
4090 "setspn",
4091 net_ads_setspn,
4092 NET_TRANSPORT_ADS,
4093 N_("Manage Service Principal Names (SPN)s"),
4094 N_("net ads spnset\n"
4095 " Manage Service Principal Names (SPN)s")
4096 },
4097 {
4098 "gpo",
4099 net_ads_gpo,
4100 NET_TRANSPORT_ADS,
4101 N_("Manage group policy objects"),
4102 N_("net ads gpo\n"
4103 " Manage group policy objects")
4104 },
4105 {
4106 "kerberos",
4107 net_ads_kerberos,
4108 NET_TRANSPORT_ADS,
4109 N_("Manage kerberos keytab"),
4110 N_("net ads kerberos\n"
4111 " Manage kerberos keytab")
4112 },
4113 {
4114 "enctypes",
4115 net_ads_enctypes,
4116 NET_TRANSPORT_ADS,
4117 N_("List/modify supported encryption types"),
4118 N_("net ads enctypes\n"
4119 " List/modify enctypes")
4120 },
4121 {NULL, NULL, 0, NULL, NULL}
4122 };
4123
4124 return net_run_function(c, argc, argv, "net ads", func);
4125 }
4126
4127 #else
4128
4129 static int net_ads_noads(void)
4130 {
4131 d_fprintf(stderr, _("ADS support not compiled in\n"));
4132 return -1;
4133 }
4134
4135 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
4136 {
4137 return net_ads_noads();
4138 }
4139
4140 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
4141 {
4142 return net_ads_noads();
4143 }
4144
4145 int net_ads_setspn(struct net_context *c, int argc, const char **argv)
4146 {
4147 return net_ads_noads();
4148 }
4149
4150 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
4151 {
4152 return net_ads_noads();
4153 }
4154
4155 int net_ads_join(struct net_context *c, int argc, const char **argv)
4156 {
4157 return net_ads_noads();
4158 }
4159
4160 int net_ads_user(struct net_context *c, int argc, const char **argv)
4161 {
4162 return net_ads_noads();
4163 }
4164
4165 int net_ads_group(struct net_context *c, int argc, const char **argv)
4166 {
4167 return net_ads_noads();
4168 }
4169
4170 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
4171 {
4172 return net_ads_noads();
4173 }
4174
4175 /* this one shouldn't display a message */
4176 int net_ads_check(struct net_context *c)
4177 {
4178 return -1;
4179 }
4180
4181 int net_ads_check_our_domain(struct net_context *c)
4182 {
4183 return -1;
4184 }
4185
4186 int net_ads(struct net_context *c, int argc, const char **argv)
4187 {
4188 return net_ads_noads();
4189 }
4190
4191 #endif /* HAVE_ADS */
Samba GIT mirror