search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-waf: use shared LIBASYNC_REQ subsystem.
[Samba.git] / source3 / utils / net_ads.c
blob858830f3c1dba8d05db6d8a09b5535425c37f58c
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
28 #include "ads.h"
29 #include "libads/cldap.h"
30 #include "libads/dns.h"
31 #include "../libds/common/flags.h"
32 #include "librpc/gen_ndr/libnet_join.h"
33 #include "libnet/libnet_join.h"
34 #include "smb_krb5.h"
35 #include "secrets.h"
36 #include "krb5_env.h"
37 #include "../libcli/security/security.h"
38
39 #ifdef HAVE_ADS
40
41 /* when we do not have sufficient input parameters to contact a remote domain
42 * we always fall back to our own realm - Guenther*/
43
44 static const char *assume_own_realm(struct net_context *c)
45 {
46 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
47 return lp_realm();
48 }
49
50 return NULL;
51 }
52
53 /*
54 do a cldap netlogon query
55 */
56 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
57 {
58 char addr[INET6_ADDRSTRLEN];
59 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
60
61 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
62 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
63 d_fprintf(stderr, _("CLDAP query failed!\n"));
64 return -1;
65 }
66
67 d_printf(_("Information for Domain Controller: %s\n\n"),
68 addr);
69
70 d_printf(_("Response Type: "));
71 switch (reply.command) {
72 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
73 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
74 break;
75 case LOGON_SAM_LOGON_RESPONSE_EX:
76 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
77 break;
78 default:
79 d_printf("0x%x\n", reply.command);
80 break;
81 }
82
83 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
84
85 d_printf(_("Flags:\n"
86 "\tIs a PDC: %s\n"
87 "\tIs a GC of the forest: %s\n"
88 "\tIs an LDAP server: %s\n"
89 "\tSupports DS: %s\n"
90 "\tIs running a KDC: %s\n"
91 "\tIs running time services: %s\n"
92 "\tIs the closest DC: %s\n"
93 "\tIs writable: %s\n"
94 "\tHas a hardware clock: %s\n"
95 "\tIs a non-domain NC serviced by LDAP server: %s\n"
96 "\tIs NT6 DC that has some secrets: %s\n"
97 "\tIs NT6 DC that has all secrets: %s\n"),
98 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
100 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
101 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
102 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
103 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
104 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
105 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
106 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
107 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
108 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
109 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
110
111
112 printf(_("Forest:\t\t\t%s\n"), reply.forest);
113 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
114 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
115
116 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain_name);
117 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
118
119 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
120
121 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
122 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
123
124 d_printf(_("NT Version: %d\n"), reply.nt_version);
125 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
126 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
127
128 return 0;
129 }
130
131 /*
132 this implements the CLDAP based netlogon lookup requests
133 for finding the domain controller of a ADS domain
134 */
135 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
136 {
137 ADS_STRUCT *ads;
138 int ret;
139
140 if (c->display_usage) {
141 d_printf("%s\n"
142 "net ads lookup\n"
143 " %s",
144 _("Usage:"),
145 _("Find the ADS DC using CLDAP lookup.\n"));
146 return 0;
147 }
148
149 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
150 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
151 ads_destroy(&ads);
152 return -1;
153 }
154
155 if (!ads->config.realm) {
156 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
157 ads->ldap.port = 389;
158 }
159
160 ret = net_ads_cldap_netlogon(c, ads);
161 ads_destroy(&ads);
162 return ret;
163 }
164
165
166
167 static int net_ads_info(struct net_context *c, int argc, const char **argv)
168 {
169 ADS_STRUCT *ads;
170 char addr[INET6_ADDRSTRLEN];
171
172 if (c->display_usage) {
173 d_printf("%s\n"
174 "net ads info\n"
175 " %s",
176 _("Usage:"),
177 _("Display information about an Active Directory "
178 "server.\n"));
179 return 0;
180 }
181
182 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
183 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
184 return -1;
185 }
186
187 if (!ads || !ads->config.realm) {
188 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
189 ads_destroy(&ads);
190 return -1;
191 }
192
193 /* Try to set the server's current time since we didn't do a full
194 TCP LDAP session initially */
195
196 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
197 d_fprintf( stderr, _("Failed to get server's current time!\n"));
198 }
199
200 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
201
202 d_printf(_("LDAP server: %s\n"), addr);
203 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
204 d_printf(_("Realm: %s\n"), ads->config.realm);
205 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
206 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
207 d_printf(_("Server time: %s\n"),
208 http_timestring(talloc_tos(), ads->config.current_time));
209
210 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
211 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
212
213 ads_destroy(&ads);
214 return 0;
215 }
216
217 static void use_in_memory_ccache(void) {
218 /* Use in-memory credentials cache so we do not interfere with
219 * existing credentials */
220 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
221 }
222
223 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
224 uint32 auth_flags, ADS_STRUCT **ads_ret)
225 {
226 ADS_STRUCT *ads = NULL;
227 ADS_STATUS status;
228 bool need_password = false;
229 bool second_time = false;
230 char *cp;
231 const char *realm = NULL;
232 bool tried_closest_dc = false;
233
234 /* lp_realm() should be handled by a command line param,
235 However, the join requires that realm be set in smb.conf
236 and compares our realm with the remote server's so this is
237 ok until someone needs more flexibility */
238
239 *ads_ret = NULL;
240
241 retry_connect:
242 if (only_own_domain) {
243 realm = lp_realm();
244 } else {
245 realm = assume_own_realm(c);
246 }
247
248 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
249
250 if (!c->opt_user_name) {
251 c->opt_user_name = "administrator";
252 }
253
254 if (c->opt_user_specified) {
255 need_password = true;
256 }
257
258 retry:
259 if (!c->opt_password && need_password && !c->opt_machine_pass) {
260 c->opt_password = net_prompt_pass(c, c->opt_user_name);
261 if (!c->opt_password) {
262 ads_destroy(&ads);
263 return ADS_ERROR(LDAP_NO_MEMORY);
264 }
265 }
266
267 if (c->opt_password) {
268 use_in_memory_ccache();
269 SAFE_FREE(ads->auth.password);
270 ads->auth.password = smb_xstrdup(c->opt_password);
271 }
272
273 ads->auth.flags |= auth_flags;
274 SAFE_FREE(ads->auth.user_name);
275 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
276
277 /*
278 * If the username is of the form "name@realm",
279 * extract the realm and convert to upper case.
280 * This is only used to establish the connection.
281 */
282 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
283 *cp++ = '\0';
284 SAFE_FREE(ads->auth.realm);
285 ads->auth.realm = smb_xstrdup(cp);
286 strupper_m(ads->auth.realm);
287 }
288
289 status = ads_connect(ads);
290
291 if (!ADS_ERR_OK(status)) {
292
293 if (NT_STATUS_EQUAL(ads_ntstatus(status),
294 NT_STATUS_NO_LOGON_SERVERS)) {
295 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
296 ads_destroy(&ads);
297 return status;
298 }
299
300 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
301 need_password = true;
302 second_time = true;
303 goto retry;
304 } else {
305 ads_destroy(&ads);
306 return status;
307 }
308 }
309
310 /* when contacting our own domain, make sure we use the closest DC.
311 * This is done by reconnecting to ADS because only the first call to
312 * ads_connect will give us our own sitename */
313
314 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
315
316 tried_closest_dc = true; /* avoid loop */
317
318 if (!ads_closest_dc(ads)) {
319
320 namecache_delete(ads->server.realm, 0x1C);
321 namecache_delete(ads->server.workgroup, 0x1C);
322
323 ads_destroy(&ads);
324 ads = NULL;
325
326 goto retry_connect;
327 }
328 }
329
330 *ads_ret = ads;
331 return status;
332 }
333
334 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
335 {
336 return ads_startup_int(c, only_own_domain, 0, ads);
337 }
338
339 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
340 {
341 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
342 }
343
344 /*
345 Check to see if connection can be made via ads.
346 ads_startup() stores the password in opt_password if it needs to so
347 that rpc or rap can use it without re-prompting.
348 */
349 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
350 {
351 ADS_STRUCT *ads;
352 ADS_STATUS status;
353
354 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
355 return -1;
356 }
357
358 ads->auth.flags |= ADS_AUTH_NO_BIND;
359
360 status = ads_connect(ads);
361 if ( !ADS_ERR_OK(status) ) {
362 return -1;
363 }
364
365 ads_destroy(&ads);
366 return 0;
367 }
368
369 int net_ads_check_our_domain(struct net_context *c)
370 {
371 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
372 }
373
374 int net_ads_check(struct net_context *c)
375 {
376 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
377 }
378
379 /*
380 determine the netbios workgroup name for a domain
381 */
382 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
383 {
384 ADS_STRUCT *ads;
385 char addr[INET6_ADDRSTRLEN];
386 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
387
388 if (c->display_usage) {
389 d_printf ("%s\n"
390 "net ads workgroup\n"
391 " %s\n",
392 _("Usage:"),
393 _("Print the workgroup name"));
394 return 0;
395 }
396
397 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
398 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
399 return -1;
400 }
401
402 if (!ads->config.realm) {
403 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
404 ads->ldap.port = 389;
405 }
406
407 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
408 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
409 d_fprintf(stderr, _("CLDAP query failed!\n"));
410 ads_destroy(&ads);
411 return -1;
412 }
413
414 d_printf(_("Workgroup: %s\n"), reply.domain_name);
415
416 ads_destroy(&ads);
417
418 return 0;
419 }
420
421
422
423 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
424 {
425 char **disp_fields = (char **) data_area;
426
427 if (!field) { /* must be end of record */
428 if (disp_fields[0]) {
429 if (!strchr_m(disp_fields[0], '$')) {
430 if (disp_fields[1])
431 d_printf("%-21.21s %s\n",
432 disp_fields[0], disp_fields[1]);
433 else
434 d_printf("%s\n", disp_fields[0]);
435 }
436 }
437 SAFE_FREE(disp_fields[0]);
438 SAFE_FREE(disp_fields[1]);
439 return true;
440 }
441 if (!values) /* must be new field, indicate string field */
442 return true;
443 if (StrCaseCmp(field, "sAMAccountName") == 0) {
444 disp_fields[0] = SMB_STRDUP((char *) values[0]);
445 }
446 if (StrCaseCmp(field, "description") == 0)
447 disp_fields[1] = SMB_STRDUP((char *) values[0]);
448 return true;
449 }
450
451 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
452 {
453 return net_user_usage(c, argc, argv);
454 }
455
456 static int ads_user_add(struct net_context *c, int argc, const char **argv)
457 {
458 ADS_STRUCT *ads;
459 ADS_STATUS status;
460 char *upn, *userdn;
461 LDAPMessage *res=NULL;
462 int rc = -1;
463 char *ou_str = NULL;
464
465 if (argc < 1 || c->display_usage)
466 return net_ads_user_usage(c, argc, argv);
467
468 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
469 return -1;
470 }
471
472 status = ads_find_user_acct(ads, &res, argv[0]);
473
474 if (!ADS_ERR_OK(status)) {
475 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
476 goto done;
477 }
478
479 if (ads_count_replies(ads, res)) {
480 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
481 argv[0]);
482 goto done;
483 }
484
485 if (c->opt_container) {
486 ou_str = SMB_STRDUP(c->opt_container);
487 } else {
488 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
489 }
490
491 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
492
493 if (!ADS_ERR_OK(status)) {
494 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
495 ads_errstr(status));
496 goto done;
497 }
498
499 /* if no password is to be set, we're done */
500 if (argc == 1) {
501 d_printf(_("User %s added\n"), argv[0]);
502 rc = 0;
503 goto done;
504 }
505
506 /* try setting the password */
507 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
508 goto done;
509 }
510 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
511 ads->auth.time_offset);
512 SAFE_FREE(upn);
513 if (ADS_ERR_OK(status)) {
514 d_printf(_("User %s added\n"), argv[0]);
515 rc = 0;
516 goto done;
517 }
518
519 /* password didn't set, delete account */
520 d_fprintf(stderr, _("Could not add user %s. "
521 "Error setting password %s\n"),
522 argv[0], ads_errstr(status));
523 ads_msgfree(ads, res);
524 status=ads_find_user_acct(ads, &res, argv[0]);
525 if (ADS_ERR_OK(status)) {
526 userdn = ads_get_dn(ads, talloc_tos(), res);
527 ads_del_dn(ads, userdn);
528 TALLOC_FREE(userdn);
529 }
530
531 done:
532 if (res)
533 ads_msgfree(ads, res);
534 ads_destroy(&ads);
535 SAFE_FREE(ou_str);
536 return rc;
537 }
538
539 static int ads_user_info(struct net_context *c, int argc, const char **argv)
540 {
541 ADS_STRUCT *ads = NULL;
542 ADS_STATUS rc;
543 LDAPMessage *res = NULL;
544 TALLOC_CTX *frame;
545 int ret = 0;
546 wbcErr wbc_status;
547 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
548 char *searchstring=NULL;
549 char **grouplist;
550 char *primary_group;
551 char *escaped_user;
552 struct dom_sid primary_group_sid;
553 uint32_t group_rid;
554 enum wbcSidType type;
555
556 if (argc < 1 || c->display_usage) {
557 return net_ads_user_usage(c, argc, argv);
558 }
559
560 frame = talloc_new(talloc_tos());
561 if (frame == NULL) {
562 return -1;
563 }
564
565 escaped_user = escape_ldap_string(frame, argv[0]);
566 if (!escaped_user) {
567 d_fprintf(stderr,
568 _("ads_user_info: failed to escape user %s\n"),
569 argv[0]);
570 return -1;
571 }
572
573 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
574 ret = -1;
575 goto error;
576 }
577
578 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
579 ret =-1;
580 goto error;
581 }
582 rc = ads_search(ads, &res, searchstring, attrs);
583 SAFE_FREE(searchstring);
584
585 if (!ADS_ERR_OK(rc)) {
586 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
587 ret = -1;
588 goto error;
589 }
590
591 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
592 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
593 ret = -1;
594 goto error;
595 }
596
597 rc = ads_domain_sid(ads, &primary_group_sid);
598 if (!ADS_ERR_OK(rc)) {
599 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
600 ret = -1;
601 goto error;
602 }
603
604 sid_append_rid(&primary_group_sid, group_rid);
605
606 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
607 NULL, /* don't look up domain */
608 &primary_group,
609 &type);
610 if (!WBC_ERROR_IS_OK(wbc_status)) {
611 d_fprintf(stderr, "wbcLookupSid: %s\n",
612 wbcErrorString(wbc_status));
613 ret = -1;
614 goto error;
615 }
616
617 d_printf("%s\n", primary_group);
618
619 wbcFreeMemory(primary_group);
620
621 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
622 (LDAPMessage *)res, "memberOf");
623
624 if (grouplist) {
625 int i;
626 char **groupname;
627 for (i=0;grouplist[i];i++) {
628 groupname = ldap_explode_dn(grouplist[i], 1);
629 d_printf("%s\n", groupname[0]);
630 ldap_value_free(groupname);
631 }
632 ldap_value_free(grouplist);
633 }
634
635 error:
636 if (res) ads_msgfree(ads, res);
637 if (ads) ads_destroy(&ads);
638 TALLOC_FREE(frame);
639 return ret;
640 }
641
642 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
643 {
644 ADS_STRUCT *ads;
645 ADS_STATUS rc;
646 LDAPMessage *res = NULL;
647 char *userdn;
648
649 if (argc < 1) {
650 return net_ads_user_usage(c, argc, argv);
651 }
652
653 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
654 return -1;
655 }
656
657 rc = ads_find_user_acct(ads, &res, argv[0]);
658 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
659 d_printf(_("User %s does not exist.\n"), argv[0]);
660 ads_msgfree(ads, res);
661 ads_destroy(&ads);
662 return -1;
663 }
664 userdn = ads_get_dn(ads, talloc_tos(), res);
665 ads_msgfree(ads, res);
666 rc = ads_del_dn(ads, userdn);
667 TALLOC_FREE(userdn);
668 if (ADS_ERR_OK(rc)) {
669 d_printf(_("User %s deleted\n"), argv[0]);
670 ads_destroy(&ads);
671 return 0;
672 }
673 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
674 ads_errstr(rc));
675 ads_destroy(&ads);
676 return -1;
677 }
678
679 int net_ads_user(struct net_context *c, int argc, const char **argv)
680 {
681 struct functable func[] = {
682 {
683 "add",
684 ads_user_add,
685 NET_TRANSPORT_ADS,
686 N_("Add an AD user"),
687 N_("net ads user add\n"
688 " Add an AD user")
689 },
690 {
691 "info",
692 ads_user_info,
693 NET_TRANSPORT_ADS,
694 N_("Display information about an AD user"),
695 N_("net ads user info\n"
696 " Display information about an AD user")
697 },
698 {
699 "delete",
700 ads_user_delete,
701 NET_TRANSPORT_ADS,
702 N_("Delete an AD user"),
703 N_("net ads user delete\n"
704 " Delete an AD user")
705 },
706 {NULL, NULL, 0, NULL, NULL}
707 };
708 ADS_STRUCT *ads;
709 ADS_STATUS rc;
710 const char *shortattrs[] = {"sAMAccountName", NULL};
711 const char *longattrs[] = {"sAMAccountName", "description", NULL};
712 char *disp_fields[2] = {NULL, NULL};
713
714 if (argc == 0) {
715 if (c->display_usage) {
716 d_printf( "%s\n"
717 "net ads user\n"
718 " %s\n",
719 _("Usage:"),
720 _("List AD users"));
721 net_display_usage_from_functable(func);
722 return 0;
723 }
724
725 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
726 return -1;
727 }
728
729 if (c->opt_long_list_entries)
730 d_printf(_("\nUser name Comment"
731 "\n-----------------------------\n"));
732
733 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
734 LDAP_SCOPE_SUBTREE,
735 "(objectCategory=user)",
736 c->opt_long_list_entries ? longattrs :
737 shortattrs, usergrp_display,
738 disp_fields);
739 ads_destroy(&ads);
740 return ADS_ERR_OK(rc) ? 0 : -1;
741 }
742
743 return net_run_function(c, argc, argv, "net ads user", func);
744 }
745
746 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
747 {
748 return net_group_usage(c, argc, argv);
749 }
750
751 static int ads_group_add(struct net_context *c, int argc, const char **argv)
752 {
753 ADS_STRUCT *ads;
754 ADS_STATUS status;
755 LDAPMessage *res=NULL;
756 int rc = -1;
757 char *ou_str = NULL;
758
759 if (argc < 1 || c->display_usage) {
760 return net_ads_group_usage(c, argc, argv);
761 }
762
763 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
764 return -1;
765 }
766
767 status = ads_find_user_acct(ads, &res, argv[0]);
768
769 if (!ADS_ERR_OK(status)) {
770 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
771 goto done;
772 }
773
774 if (ads_count_replies(ads, res)) {
775 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
776 goto done;
777 }
778
779 if (c->opt_container) {
780 ou_str = SMB_STRDUP(c->opt_container);
781 } else {
782 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
783 }
784
785 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
786
787 if (ADS_ERR_OK(status)) {
788 d_printf(_("Group %s added\n"), argv[0]);
789 rc = 0;
790 } else {
791 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
792 ads_errstr(status));
793 }
794
795 done:
796 if (res)
797 ads_msgfree(ads, res);
798 ads_destroy(&ads);
799 SAFE_FREE(ou_str);
800 return rc;
801 }
802
803 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
804 {
805 ADS_STRUCT *ads;
806 ADS_STATUS rc;
807 LDAPMessage *res = NULL;
808 char *groupdn;
809
810 if (argc < 1 || c->display_usage) {
811 return net_ads_group_usage(c, argc, argv);
812 }
813
814 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
815 return -1;
816 }
817
818 rc = ads_find_user_acct(ads, &res, argv[0]);
819 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
820 d_printf(_("Group %s does not exist.\n"), argv[0]);
821 ads_msgfree(ads, res);
822 ads_destroy(&ads);
823 return -1;
824 }
825 groupdn = ads_get_dn(ads, talloc_tos(), res);
826 ads_msgfree(ads, res);
827 rc = ads_del_dn(ads, groupdn);
828 TALLOC_FREE(groupdn);
829 if (ADS_ERR_OK(rc)) {
830 d_printf(_("Group %s deleted\n"), argv[0]);
831 ads_destroy(&ads);
832 return 0;
833 }
834 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
835 ads_errstr(rc));
836 ads_destroy(&ads);
837 return -1;
838 }
839
840 int net_ads_group(struct net_context *c, int argc, const char **argv)
841 {
842 struct functable func[] = {
843 {
844 "add",
845 ads_group_add,
846 NET_TRANSPORT_ADS,
847 N_("Add an AD group"),
848 N_("net ads group add\n"
849 " Add an AD group")
850 },
851 {
852 "delete",
853 ads_group_delete,
854 NET_TRANSPORT_ADS,
855 N_("Delete an AD group"),
856 N_("net ads group delete\n"
857 " Delete an AD group")
858 },
859 {NULL, NULL, 0, NULL, NULL}
860 };
861 ADS_STRUCT *ads;
862 ADS_STATUS rc;
863 const char *shortattrs[] = {"sAMAccountName", NULL};
864 const char *longattrs[] = {"sAMAccountName", "description", NULL};
865 char *disp_fields[2] = {NULL, NULL};
866
867 if (argc == 0) {
868 if (c->display_usage) {
869 d_printf( "%s\n"
870 "net ads group\n"
871 " %s\n",
872 _("Usage:"),
873 _("List AD groups"));
874 net_display_usage_from_functable(func);
875 return 0;
876 }
877
878 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
879 return -1;
880 }
881
882 if (c->opt_long_list_entries)
883 d_printf(_("\nGroup name Comment"
884 "\n-----------------------------\n"));
885 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
886 LDAP_SCOPE_SUBTREE,
887 "(objectCategory=group)",
888 c->opt_long_list_entries ? longattrs :
889 shortattrs, usergrp_display,
890 disp_fields);
891
892 ads_destroy(&ads);
893 return ADS_ERR_OK(rc) ? 0 : -1;
894 }
895 return net_run_function(c, argc, argv, "net ads group", func);
896 }
897
898 static int net_ads_status(struct net_context *c, int argc, const char **argv)
899 {
900 ADS_STRUCT *ads;
901 ADS_STATUS rc;
902 LDAPMessage *res;
903
904 if (c->display_usage) {
905 d_printf( "%s\n"
906 "net ads status\n"
907 " %s\n",
908 _("Usage:"),
909 _("Display machine account details"));
910 return 0;
911 }
912
913 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
914 return -1;
915 }
916
917 rc = ads_find_machine_acct(ads, &res, global_myname());
918 if (!ADS_ERR_OK(rc)) {
919 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
920 ads_destroy(&ads);
921 return -1;
922 }
923
924 if (ads_count_replies(ads, res) == 0) {
925 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
926 ads_destroy(&ads);
927 return -1;
928 }
929
930 ads_dump(ads, res);
931 ads_destroy(&ads);
932 return 0;
933 }
934
935 /*******************************************************************
936 Leave an AD domain. Windows XP disables the machine account.
937 We'll try the same. The old code would do an LDAP delete.
938 That only worked using the machine creds because added the machine
939 with full control to the computer object's ACL.
940 *******************************************************************/
941
942 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
943 {
944 TALLOC_CTX *ctx;
945 struct libnet_UnjoinCtx *r = NULL;
946 WERROR werr;
947
948 if (c->display_usage) {
949 d_printf( "%s\n"
950 "net ads leave\n"
951 " %s\n",
952 _("Usage:"),
953 _("Leave an AD domain"));
954 return 0;
955 }
956
957 if (!*lp_realm()) {
958 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
959 return -1;
960 }
961
962 if (!(ctx = talloc_init("net_ads_leave"))) {
963 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
964 return -1;
965 }
966
967 if (!c->opt_kerberos) {
968 use_in_memory_ccache();
969 }
970
971 werr = libnet_init_UnjoinCtx(ctx, &r);
972 if (!W_ERROR_IS_OK(werr)) {
973 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
974 return -1;
975 }
976
977 r->in.debug = true;
978 r->in.use_kerberos = c->opt_kerberos;
979 r->in.dc_name = c->opt_host;
980 r->in.domain_name = lp_realm();
981 r->in.admin_account = c->opt_user_name;
982 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
983 r->in.modify_config = lp_config_backend_is_registry();
984
985 /* Try to delete it, but if that fails, disable it. The
986 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
987 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
988 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
989 r->in.delete_machine_account = true;
990 r->in.msg_ctx = c->msg_ctx;
991
992 werr = libnet_Unjoin(ctx, r);
993 if (!W_ERROR_IS_OK(werr)) {
994 d_printf(_("Failed to leave domain: %s\n"),
995 r->out.error_string ? r->out.error_string :
996 get_friendly_werror_msg(werr));
997 goto done;
998 }
999
1000 if (r->out.deleted_machine_account) {
1001 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1002 r->in.machine_name, r->out.dns_domain_name);
1003 goto done;
1004 }
1005
1006 /* We couldn't delete it - see if the disable succeeded. */
1007 if (r->out.disabled_machine_account) {
1008 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1009 r->in.machine_name, r->out.dns_domain_name);
1010 werr = WERR_OK;
1011 goto done;
1012 }
1013
1014 /* Based on what we requseted, we shouldn't get here, but if
1015 we did, it means the secrets were removed, and therefore
1016 we have left the domain */
1017 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1018 r->in.machine_name, r->out.dns_domain_name);
1019
1020 done:
1021 TALLOC_FREE(r);
1022 TALLOC_FREE(ctx);
1023
1024 if (W_ERROR_IS_OK(werr)) {
1025 return 0;
1026 }
1027
1028 return -1;
1029 }
1030
1031 static NTSTATUS net_ads_join_ok(struct net_context *c)
1032 {
1033 ADS_STRUCT *ads = NULL;
1034 ADS_STATUS status;
1035 fstring dc_name;
1036 struct sockaddr_storage dcip;
1037
1038 if (!secrets_init()) {
1039 DEBUG(1,("Failed to initialise secrets database\n"));
1040 return NT_STATUS_ACCESS_DENIED;
1041 }
1042
1043 net_use_krb_machine_account(c);
1044
1045 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1046
1047 status = ads_startup(c, true, &ads);
1048 if (!ADS_ERR_OK(status)) {
1049 return ads_ntstatus(status);
1050 }
1051
1052 ads_destroy(&ads);
1053 return NT_STATUS_OK;
1054 }
1055
1056 /*
1057 check that an existing join is OK
1058 */
1059 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1060 {
1061 NTSTATUS status;
1062 use_in_memory_ccache();
1063
1064 if (c->display_usage) {
1065 d_printf( "%s\n"
1066 "net ads testjoin\n"
1067 " %s\n",
1068 _("Usage:"),
1069 _("Test if the existing join is ok"));
1070 return 0;
1071 }
1072
1073 /* Display success or failure */
1074 status = net_ads_join_ok(c);
1075 if (!NT_STATUS_IS_OK(status)) {
1076 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1077 get_friendly_nt_error_msg(status));
1078 return -1;
1079 }
1080
1081 printf(_("Join is OK\n"));
1082 return 0;
1083 }
1084
1085 /*******************************************************************
1086 Simple configu checks before beginning the join
1087 ********************************************************************/
1088
1089 static WERROR check_ads_config( void )
1090 {
1091 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1092 d_printf(_("Host is not configured as a member server.\n"));
1093 return WERR_INVALID_DOMAIN_ROLE;
1094 }
1095
1096 if (strlen(global_myname()) > 15) {
1097 d_printf(_("Our netbios name can be at most 15 chars long, "
1098 "\"%s\" is %u chars long\n"), global_myname(),
1099 (unsigned int)strlen(global_myname()));
1100 return WERR_INVALID_COMPUTERNAME;
1101 }
1102
1103 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1104 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1105 "join to succeed.\n"), get_dyn_CONFIGFILE());
1106 return WERR_INVALID_PARAM;
1107 }
1108
1109 return WERR_OK;
1110 }
1111
1112 /*******************************************************************
1113 Send a DNS update request
1114 *******************************************************************/
1115
1116 #if defined(WITH_DNS_UPDATES)
1117 #include "dns.h"
1118 DNS_ERROR DoDNSUpdate(char *pszServerName,
1119 const char *pszDomainName, const char *pszHostName,
1120 const struct sockaddr_storage *sslist,
1121 size_t num_addrs );
1122
1123 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1124 const char *machine_name,
1125 const struct sockaddr_storage *addrs,
1126 int num_addrs)
1127 {
1128 struct dns_rr_ns *nameservers = NULL;
1129 int ns_count = 0;
1130 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1131 DNS_ERROR dns_err;
1132 fstring dns_server;
1133 const char *dnsdomain = NULL;
1134 char *root_domain = NULL;
1135
1136 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1137 d_printf(_("No DNS domain configured for %s. "
1138 "Unable to perform DNS Update.\n"), machine_name);
1139 status = NT_STATUS_INVALID_PARAMETER;
1140 goto done;
1141 }
1142 dnsdomain++;
1143
1144 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1145 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1146 /* Child domains often do not have NS records. Look
1147 for the NS record for the forest root domain
1148 (rootDomainNamingContext in therootDSE) */
1149
1150 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1151 LDAPMessage *msg = NULL;
1152 char *root_dn;
1153 ADS_STATUS ads_status;
1154
1155 if ( !ads->ldap.ld ) {
1156 ads_status = ads_connect( ads );
1157 if ( !ADS_ERR_OK(ads_status) ) {
1158 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1159 goto done;
1160 }
1161 }
1162
1163 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1164 "(objectclass=*)", rootname_attrs, &msg);
1165 if (!ADS_ERR_OK(ads_status)) {
1166 goto done;
1167 }
1168
1169 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1170 if ( !root_dn ) {
1171 ads_msgfree( ads, msg );
1172 goto done;
1173 }
1174
1175 root_domain = ads_build_domain( root_dn );
1176
1177 /* cleanup */
1178 ads_msgfree( ads, msg );
1179
1180 /* try again for NS servers */
1181
1182 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1183
1184 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1185 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1186 "realm\n", ads->config.realm));
1187 goto done;
1188 }
1189
1190 dnsdomain = root_domain;
1191
1192 }
1193
1194 /* Now perform the dns update - we'll try non-secure and if we fail,
1195 we'll follow it up with a secure update */
1196
1197 fstrcpy( dns_server, nameservers[0].hostname );
1198
1199 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1200 if (!ERR_DNS_IS_OK(dns_err)) {
1201 d_printf(_("DNS Update for %s failed: %s\n"),
1202 machine_name, dns_errstr(dns_err));
1203 status = NT_STATUS_UNSUCCESSFUL;
1204 }
1205
1206 done:
1207
1208 SAFE_FREE( root_domain );
1209
1210 return status;
1211 }
1212
1213 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1214 {
1215 int num_addrs;
1216 struct sockaddr_storage *iplist = NULL;
1217 fstring machine_name;
1218 NTSTATUS status;
1219
1220 if (hostname) {
1221 fstrcpy(machine_name, hostname);
1222 } else {
1223 name_to_fqdn( machine_name, global_myname() );
1224 }
1225 strlower_m( machine_name );
1226
1227 /* Get our ip address (not the 127.0.0.x address but a real ip
1228 * address) */
1229
1230 num_addrs = get_my_ip_address( &iplist );
1231 if ( num_addrs <= 0 ) {
1232 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1233 "addresses!\n"));
1234 return NT_STATUS_INVALID_PARAMETER;
1235 }
1236
1237 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1238 iplist, num_addrs);
1239 SAFE_FREE( iplist );
1240 return status;
1241 }
1242 #endif
1243
1244
1245 /*******************************************************************
1246 ********************************************************************/
1247
1248 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1249 {
1250 d_printf(_("net ads join [options]\n"
1251 "Valid options:\n"));
1252 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1253 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1254 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1255 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1256 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1257 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1258 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1259 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1260 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1261 " NB: osName and osVer must be specified together for either to take effect.\n"
1262 " Also, the operatingSystemService attribute is also set when along with\n"
1263 " the two other attributes.\n"));
1264
1265 return -1;
1266 }
1267
1268 /*******************************************************************
1269 ********************************************************************/
1270
1271 int net_ads_join(struct net_context *c, int argc, const char **argv)
1272 {
1273 TALLOC_CTX *ctx = NULL;
1274 struct libnet_JoinCtx *r = NULL;
1275 const char *domain = lp_realm();
1276 WERROR werr = WERR_SETUP_NOT_JOINED;
1277 bool createupn = false;
1278 const char *machineupn = NULL;
1279 const char *create_in_ou = NULL;
1280 int i;
1281 const char *os_name = NULL;
1282 const char *os_version = NULL;
1283 bool modify_config = lp_config_backend_is_registry();
1284
1285 if (c->display_usage)
1286 return net_ads_join_usage(c, argc, argv);
1287
1288 if (!modify_config) {
1289
1290 werr = check_ads_config();
1291 if (!W_ERROR_IS_OK(werr)) {
1292 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1293 goto fail;
1294 }
1295 }
1296
1297 if (!(ctx = talloc_init("net_ads_join"))) {
1298 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1299 werr = WERR_NOMEM;
1300 goto fail;
1301 }
1302
1303 if (!c->opt_kerberos) {
1304 use_in_memory_ccache();
1305 }
1306
1307 werr = libnet_init_JoinCtx(ctx, &r);
1308 if (!W_ERROR_IS_OK(werr)) {
1309 goto fail;
1310 }
1311
1312 /* process additional command line args */
1313
1314 for ( i=0; i<argc; i++ ) {
1315 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1316 createupn = true;
1317 machineupn = get_string_param(argv[i]);
1318 }
1319 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1320 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1321 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1322 werr = WERR_INVALID_PARAM;
1323 goto fail;
1324 }
1325 }
1326 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1327 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1328 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1329 werr = WERR_INVALID_PARAM;
1330 goto fail;
1331 }
1332 }
1333 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1334 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1335 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1336 werr = WERR_INVALID_PARAM;
1337 goto fail;
1338 }
1339 }
1340 else {
1341 domain = argv[i];
1342 }
1343 }
1344
1345 if (!*domain) {
1346 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1347 werr = WERR_INVALID_PARAM;
1348 goto fail;
1349 }
1350
1351 /* Do the domain join here */
1352
1353 r->in.domain_name = domain;
1354 r->in.create_upn = createupn;
1355 r->in.upn = machineupn;
1356 r->in.account_ou = create_in_ou;
1357 r->in.os_name = os_name;
1358 r->in.os_version = os_version;
1359 r->in.dc_name = c->opt_host;
1360 r->in.admin_account = c->opt_user_name;
1361 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1362 r->in.debug = true;
1363 r->in.use_kerberos = c->opt_kerberos;
1364 r->in.modify_config = modify_config;
1365 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1366 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1367 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1368 r->in.msg_ctx = c->msg_ctx;
1369
1370 werr = libnet_Join(ctx, r);
1371 if (!W_ERROR_IS_OK(werr)) {
1372 goto fail;
1373 }
1374
1375 /* Check the short name of the domain */
1376
1377 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1378 d_printf(_("The workgroup in %s does not match the short\n"
1379 "domain name obtained from the server.\n"
1380 "Using the name [%s] from the server.\n"
1381 "You should set \"workgroup = %s\" in %s.\n"),
1382 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1383 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1384 }
1385
1386 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1387
1388 if (r->out.dns_domain_name) {
1389 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1390 r->out.dns_domain_name);
1391 } else {
1392 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1393 r->out.netbios_domain_name);
1394 }
1395
1396 #if defined(WITH_DNS_UPDATES)
1397 if (r->out.domain_is_ad) {
1398 /* We enter this block with user creds */
1399 ADS_STRUCT *ads_dns = NULL;
1400
1401 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1402 /* kinit with the machine password */
1403
1404 use_in_memory_ccache();
1405 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1406 goto fail;
1407 }
1408 ads_dns->auth.password = secrets_fetch_machine_password(
1409 r->out.netbios_domain_name, NULL, NULL );
1410 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1411 strupper_m(ads_dns->auth.realm );
1412 ads_kinit_password( ads_dns );
1413 }
1414
1415 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1416 d_fprintf( stderr, _("DNS update failed!\n") );
1417 }
1418
1419 /* exit from this block using machine creds */
1420 ads_destroy(&ads_dns);
1421 }
1422 #endif
1423 TALLOC_FREE(r);
1424 TALLOC_FREE( ctx );
1425
1426 return 0;
1427
1428 fail:
1429 /* issue an overall failure message at the end. */
1430 d_printf(_("Failed to join domain: %s\n"),
1431 r && r->out.error_string ? r->out.error_string :
1432 get_friendly_werror_msg(werr));
1433 TALLOC_FREE( ctx );
1434
1435 return -1;
1436 }
1437
1438 /*******************************************************************
1439 ********************************************************************/
1440
1441 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1442 {
1443 #if defined(WITH_DNS_UPDATES)
1444 ADS_STRUCT *ads;
1445 ADS_STATUS status;
1446 TALLOC_CTX *ctx;
1447
1448 #ifdef DEVELOPER
1449 talloc_enable_leak_report();
1450 #endif
1451
1452 if (argc > 1 || c->display_usage) {
1453 d_printf( "%s\n"
1454 "net ads dns register [hostname]\n"
1455 " %s\n",
1456 _("Usage:"),
1457 _("Register hostname with DNS\n"));
1458 return -1;
1459 }
1460
1461 if (!(ctx = talloc_init("net_ads_dns"))) {
1462 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1463 return -1;
1464 }
1465
1466 status = ads_startup(c, true, &ads);
1467 if ( !ADS_ERR_OK(status) ) {
1468 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1469 TALLOC_FREE(ctx);
1470 return -1;
1471 }
1472
1473 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
1474 d_fprintf( stderr, _("DNS update failed!\n") );
1475 ads_destroy( &ads );
1476 TALLOC_FREE( ctx );
1477 return -1;
1478 }
1479
1480 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1481
1482 ads_destroy(&ads);
1483 TALLOC_FREE( ctx );
1484
1485 return 0;
1486 #else
1487 d_fprintf(stderr,
1488 _("DNS update support not enabled at compile time!\n"));
1489 return -1;
1490 #endif
1491 }
1492
1493 #if defined(WITH_DNS_UPDATES)
1494 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1495 #endif
1496
1497 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1498 {
1499 #if defined(WITH_DNS_UPDATES)
1500 DNS_ERROR err;
1501
1502 #ifdef DEVELOPER
1503 talloc_enable_leak_report();
1504 #endif
1505
1506 if (argc != 2 || c->display_usage) {
1507 d_printf( "%s\n"
1508 " %s\n"
1509 " %s\n",
1510 _("Usage:"),
1511 _("net ads dns gethostbyname <server> <name>\n"),
1512 _(" Look up hostname from the AD\n"
1513 " server\tName server to use\n"
1514 " name\tName to look up\n"));
1515 return -1;
1516 }
1517
1518 err = do_gethostbyname(argv[0], argv[1]);
1519
1520 d_printf(_("do_gethostbyname returned %s (%d)\n"),
1521 dns_errstr(err), ERROR_DNS_V(err));
1522 #endif
1523 return 0;
1524 }
1525
1526 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1527 {
1528 struct functable func[] = {
1529 {
1530 "register",
1531 net_ads_dns_register,
1532 NET_TRANSPORT_ADS,
1533 N_("Add host dns entry to AD"),
1534 N_("net ads dns register\n"
1535 " Add host dns entry to AD")
1536 },
1537 {
1538 "gethostbyname",
1539 net_ads_dns_gethostbyname,
1540 NET_TRANSPORT_ADS,
1541 N_("Look up host"),
1542 N_("net ads dns gethostbyname\n"
1543 " Look up host")
1544 },
1545 {NULL, NULL, 0, NULL, NULL}
1546 };
1547
1548 return net_run_function(c, argc, argv, "net ads dns", func);
1549 }
1550
1551 /*******************************************************************
1552 ********************************************************************/
1553
1554 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1555 {
1556 d_printf(_(
1557 "\nnet ads printer search <printer>"
1558 "\n\tsearch for a printer in the directory\n"
1559 "\nnet ads printer info <printer> <server>"
1560 "\n\tlookup info in directory for printer on server"
1561 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1562 "\nnet ads printer publish <printername>"
1563 "\n\tpublish printer in directory"
1564 "\n\t(note: printer name is required)\n"
1565 "\nnet ads printer remove <printername>"
1566 "\n\tremove printer from directory"
1567 "\n\t(note: printer name is required)\n"));
1568 return -1;
1569 }
1570
1571 /*******************************************************************
1572 ********************************************************************/
1573
1574 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1575 {
1576 ADS_STRUCT *ads;
1577 ADS_STATUS rc;
1578 LDAPMessage *res = NULL;
1579
1580 if (c->display_usage) {
1581 d_printf( "%s\n"
1582 "net ads printer search\n"
1583 " %s\n",
1584 _("Usage:"),
1585 _("List printers in the AD"));
1586 return 0;
1587 }
1588
1589 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1590 return -1;
1591 }
1592
1593 rc = ads_find_printers(ads, &res);
1594
1595 if (!ADS_ERR_OK(rc)) {
1596 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1597 ads_msgfree(ads, res);
1598 ads_destroy(&ads);
1599 return -1;
1600 }
1601
1602 if (ads_count_replies(ads, res) == 0) {
1603 d_fprintf(stderr, _("No results found\n"));
1604 ads_msgfree(ads, res);
1605 ads_destroy(&ads);
1606 return -1;
1607 }
1608
1609 ads_dump(ads, res);
1610 ads_msgfree(ads, res);
1611 ads_destroy(&ads);
1612 return 0;
1613 }
1614
1615 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1616 {
1617 ADS_STRUCT *ads;
1618 ADS_STATUS rc;
1619 const char *servername, *printername;
1620 LDAPMessage *res = NULL;
1621
1622 if (c->display_usage) {
1623 d_printf("%s\n%s",
1624 _("Usage:"),
1625 _("net ads printer info [printername [servername]]\n"
1626 " Display printer info from AD\n"
1627 " printername\tPrinter name or wildcard\n"
1628 " servername\tName of the print server\n"));
1629 return 0;
1630 }
1631
1632 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1633 return -1;
1634 }
1635
1636 if (argc > 0) {
1637 printername = argv[0];
1638 } else {
1639 printername = "*";
1640 }
1641
1642 if (argc > 1) {
1643 servername = argv[1];
1644 } else {
1645 servername = global_myname();
1646 }
1647
1648 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1649
1650 if (!ADS_ERR_OK(rc)) {
1651 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1652 servername, ads_errstr(rc));
1653 ads_msgfree(ads, res);
1654 ads_destroy(&ads);
1655 return -1;
1656 }
1657
1658 if (ads_count_replies(ads, res) == 0) {
1659 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1660 ads_msgfree(ads, res);
1661 ads_destroy(&ads);
1662 return -1;
1663 }
1664
1665 ads_dump(ads, res);
1666 ads_msgfree(ads, res);
1667 ads_destroy(&ads);
1668
1669 return 0;
1670 }
1671
1672 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1673 {
1674 ADS_STRUCT *ads;
1675 ADS_STATUS rc;
1676 const char *servername, *printername;
1677 struct cli_state *cli = NULL;
1678 struct rpc_pipe_client *pipe_hnd = NULL;
1679 struct sockaddr_storage server_ss;
1680 NTSTATUS nt_status;
1681 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1682 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1683 char *prt_dn, *srv_dn, **srv_cn;
1684 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1685 LDAPMessage *res = NULL;
1686
1687 if (argc < 1 || c->display_usage) {
1688 d_printf("%s\n%s",
1689 _("Usage:"),
1690 _("net ads printer publish <printername> [servername]\n"
1691 " Publish printer in AD\n"
1692 " printername\tName of the printer\n"
1693 " servername\tName of the print server\n"));
1694 talloc_destroy(mem_ctx);
1695 return -1;
1696 }
1697
1698 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1699 talloc_destroy(mem_ctx);
1700 return -1;
1701 }
1702
1703 printername = argv[0];
1704
1705 if (argc == 2) {
1706 servername = argv[1];
1707 } else {
1708 servername = global_myname();
1709 }
1710
1711 /* Get printer data from SPOOLSS */
1712
1713 resolve_name(servername, &server_ss, 0x20, false);
1714
1715 nt_status = cli_full_connection(&cli, global_myname(), servername,
1716 &server_ss, 0,
1717 "IPC$", "IPC",
1718 c->opt_user_name, c->opt_workgroup,
1719 c->opt_password ? c->opt_password : "",
1720 CLI_FULL_CONNECTION_USE_KERBEROS,
1721 Undefined, NULL);
1722
1723 if (NT_STATUS_IS_ERR(nt_status)) {
1724 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1725 "obtain data for %s\n"),
1726 servername, printername);
1727 ads_destroy(&ads);
1728 talloc_destroy(mem_ctx);
1729 return -1;
1730 }
1731
1732 /* Publish on AD server */
1733
1734 ads_find_machine_acct(ads, &res, servername);
1735
1736 if (ads_count_replies(ads, res) == 0) {
1737 d_fprintf(stderr, _("Could not find machine account for server "
1738 "%s\n"),
1739 servername);
1740 ads_destroy(&ads);
1741 talloc_destroy(mem_ctx);
1742 return -1;
1743 }
1744
1745 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1746 srv_cn = ldap_explode_dn(srv_dn, 1);
1747
1748 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1749 printername_escaped = escape_rdn_val_string_alloc(printername);
1750 if (!srv_cn_escaped || !printername_escaped) {
1751 SAFE_FREE(srv_cn_escaped);
1752 SAFE_FREE(printername_escaped);
1753 d_fprintf(stderr, _("Internal error, out of memory!"));
1754 ads_destroy(&ads);
1755 talloc_destroy(mem_ctx);
1756 return -1;
1757 }
1758
1759 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1760 SAFE_FREE(srv_cn_escaped);
1761 SAFE_FREE(printername_escaped);
1762 d_fprintf(stderr, _("Internal error, out of memory!"));
1763 ads_destroy(&ads);
1764 talloc_destroy(mem_ctx);
1765 return -1;
1766 }
1767
1768 SAFE_FREE(srv_cn_escaped);
1769 SAFE_FREE(printername_escaped);
1770
1771 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1772 if (!NT_STATUS_IS_OK(nt_status)) {
1773 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1774 servername);
1775 SAFE_FREE(prt_dn);
1776 ads_destroy(&ads);
1777 talloc_destroy(mem_ctx);
1778 return -1;
1779 }
1780
1781 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1782 printername))) {
1783 SAFE_FREE(prt_dn);
1784 ads_destroy(&ads);
1785 talloc_destroy(mem_ctx);
1786 return -1;
1787 }
1788
1789 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1790 if (!ADS_ERR_OK(rc)) {
1791 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1792 SAFE_FREE(prt_dn);
1793 ads_destroy(&ads);
1794 talloc_destroy(mem_ctx);
1795 return -1;
1796 }
1797
1798 d_printf("published printer\n");
1799 SAFE_FREE(prt_dn);
1800 ads_destroy(&ads);
1801 talloc_destroy(mem_ctx);
1802
1803 return 0;
1804 }
1805
1806 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1807 {
1808 ADS_STRUCT *ads;
1809 ADS_STATUS rc;
1810 const char *servername;
1811 char *prt_dn;
1812 LDAPMessage *res = NULL;
1813
1814 if (argc < 1 || c->display_usage) {
1815 d_printf("%s\n%s",
1816 _("Usage:"),
1817 _("net ads printer remove <printername> [servername]\n"
1818 " Remove a printer from the AD\n"
1819 " printername\tName of the printer\n"
1820 " servername\tName of the print server\n"));
1821 return -1;
1822 }
1823
1824 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1825 return -1;
1826 }
1827
1828 if (argc > 1) {
1829 servername = argv[1];
1830 } else {
1831 servername = global_myname();
1832 }
1833
1834 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1835
1836 if (!ADS_ERR_OK(rc)) {
1837 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1838 ads_msgfree(ads, res);
1839 ads_destroy(&ads);
1840 return -1;
1841 }
1842
1843 if (ads_count_replies(ads, res) == 0) {
1844 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1845 ads_msgfree(ads, res);
1846 ads_destroy(&ads);
1847 return -1;
1848 }
1849
1850 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1851 ads_msgfree(ads, res);
1852 rc = ads_del_dn(ads, prt_dn);
1853 TALLOC_FREE(prt_dn);
1854
1855 if (!ADS_ERR_OK(rc)) {
1856 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1857 ads_destroy(&ads);
1858 return -1;
1859 }
1860
1861 ads_destroy(&ads);
1862 return 0;
1863 }
1864
1865 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1866 {
1867 struct functable func[] = {
1868 {
1869 "search",
1870 net_ads_printer_search,
1871 NET_TRANSPORT_ADS,
1872 N_("Search for a printer"),
1873 N_("net ads printer search\n"
1874 " Search for a printer")
1875 },
1876 {
1877 "info",
1878 net_ads_printer_info,
1879 NET_TRANSPORT_ADS,
1880 N_("Display printer information"),
1881 N_("net ads printer info\n"
1882 " Display printer information")
1883 },
1884 {
1885 "publish",
1886 net_ads_printer_publish,
1887 NET_TRANSPORT_ADS,
1888 N_("Publish a printer"),
1889 N_("net ads printer publish\n"
1890 " Publish a printer")
1891 },
1892 {
1893 "remove",
1894 net_ads_printer_remove,
1895 NET_TRANSPORT_ADS,
1896 N_("Delete a printer"),
1897 N_("net ads printer remove\n"
1898 " Delete a printer")
1899 },
1900 {NULL, NULL, 0, NULL, NULL}
1901 };
1902
1903 return net_run_function(c, argc, argv, "net ads printer", func);
1904 }
1905
1906
1907 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1908 {
1909 ADS_STRUCT *ads;
1910 const char *auth_principal = c->opt_user_name;
1911 const char *auth_password = c->opt_password;
1912 char *realm = NULL;
1913 char *new_password = NULL;
1914 char *chr, *prompt;
1915 const char *user;
1916 ADS_STATUS ret;
1917
1918 if (c->display_usage) {
1919 d_printf("%s\n%s",
1920 _("Usage:"),
1921 _("net ads password <username>\n"
1922 " Change password for user\n"
1923 " username\tName of user to change password for\n"));
1924 return 0;
1925 }
1926
1927 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1928 d_fprintf(stderr, _("You must supply an administrator "
1929 "username/password\n"));
1930 return -1;
1931 }
1932
1933 if (argc < 1) {
1934 d_fprintf(stderr, _("ERROR: You must say which username to "
1935 "change password for\n"));
1936 return -1;
1937 }
1938
1939 user = argv[0];
1940 if (!strchr_m(user, '@')) {
1941 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1942 return -1;
1943 }
1944 user = chr;
1945 }
1946
1947 use_in_memory_ccache();
1948 chr = strchr_m(auth_principal, '@');
1949 if (chr) {
1950 realm = ++chr;
1951 } else {
1952 realm = lp_realm();
1953 }
1954
1955 /* use the realm so we can eventually change passwords for users
1956 in realms other than default */
1957 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1958 return -1;
1959 }
1960
1961 /* we don't actually need a full connect, but it's the easy way to
1962 fill in the KDC's addresss */
1963 ads_connect(ads);
1964
1965 if (!ads->config.realm) {
1966 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1967 ads_destroy(&ads);
1968 return -1;
1969 }
1970
1971 if (argv[1]) {
1972 new_password = (char *)argv[1];
1973 } else {
1974 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1975 return -1;
1976 }
1977 new_password = getpass(prompt);
1978 free(prompt);
1979 }
1980
1981 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1982 auth_password, user, new_password, ads->auth.time_offset);
1983 if (!ADS_ERR_OK(ret)) {
1984 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
1985 ads_destroy(&ads);
1986 return -1;
1987 }
1988
1989 d_printf(_("Password change for %s completed.\n"), user);
1990 ads_destroy(&ads);
1991
1992 return 0;
1993 }
1994
1995 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1996 {
1997 ADS_STRUCT *ads;
1998 char *host_principal;
1999 fstring my_name;
2000 ADS_STATUS ret;
2001
2002 if (c->display_usage) {
2003 d_printf( "%s\n"
2004 "net ads changetrustpw\n"
2005 " %s\n",
2006 _("Usage:"),
2007 _("Change the machine account's trust password"));
2008 return 0;
2009 }
2010
2011 if (!secrets_init()) {
2012 DEBUG(1,("Failed to initialise secrets database\n"));
2013 return -1;
2014 }
2015
2016 net_use_krb_machine_account(c);
2017
2018 use_in_memory_ccache();
2019
2020 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2021 return -1;
2022 }
2023
2024 fstrcpy(my_name, global_myname());
2025 strlower_m(my_name);
2026 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2027 ads_destroy(&ads);
2028 return -1;
2029 }
2030 d_printf(_("Changing password for principal: %s\n"), host_principal);
2031
2032 ret = ads_change_trust_account_password(ads, host_principal);
2033
2034 if (!ADS_ERR_OK(ret)) {
2035 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2036 ads_destroy(&ads);
2037 SAFE_FREE(host_principal);
2038 return -1;
2039 }
2040
2041 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2042
2043 if (USE_SYSTEM_KEYTAB) {
2044 d_printf(_("Attempting to update system keytab with new password.\n"));
2045 if (ads_keytab_create_default(ads)) {
2046 d_printf(_("Failed to update system keytab.\n"));
2047 }
2048 }
2049
2050 ads_destroy(&ads);
2051 SAFE_FREE(host_principal);
2052
2053 return 0;
2054 }
2055
2056 /*
2057 help for net ads search
2058 */
2059 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2060 {
2061 d_printf(_(
2062 "\nnet ads search <expression> <attributes...>\n"
2063 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2064 "The expression is a standard LDAP search expression, and the\n"
2065 "attributes are a list of LDAP fields to show in the results.\n\n"
2066 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2067 ));
2068 net_common_flags_usage(c, argc, argv);
2069 return -1;
2070 }
2071
2072
2073 /*
2074 general ADS search function. Useful in diagnosing problems in ADS
2075 */
2076 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2077 {
2078 ADS_STRUCT *ads;
2079 ADS_STATUS rc;
2080 const char *ldap_exp;
2081 const char **attrs;
2082 LDAPMessage *res = NULL;
2083
2084 if (argc < 1 || c->display_usage) {
2085 return net_ads_search_usage(c, argc, argv);
2086 }
2087
2088 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2089 return -1;
2090 }
2091
2092 ldap_exp = argv[0];
2093 attrs = (argv + 1);
2094
2095 rc = ads_do_search_all(ads, ads->config.bind_path,
2096 LDAP_SCOPE_SUBTREE,
2097 ldap_exp, attrs, &res);
2098 if (!ADS_ERR_OK(rc)) {
2099 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2100 ads_destroy(&ads);
2101 return -1;
2102 }
2103
2104 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2105
2106 /* dump the results */
2107 ads_dump(ads, res);
2108
2109 ads_msgfree(ads, res);
2110 ads_destroy(&ads);
2111
2112 return 0;
2113 }
2114
2115
2116 /*
2117 help for net ads search
2118 */
2119 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2120 {
2121 d_printf(_(
2122 "\nnet ads dn <dn> <attributes...>\n"
2123 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2124 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2125 "to show in the results\n\n"
2126 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2127 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2128 ));
2129 net_common_flags_usage(c, argc, argv);
2130 return -1;
2131 }
2132
2133
2134 /*
2135 general ADS search function. Useful in diagnosing problems in ADS
2136 */
2137 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2138 {
2139 ADS_STRUCT *ads;
2140 ADS_STATUS rc;
2141 const char *dn;
2142 const char **attrs;
2143 LDAPMessage *res = NULL;
2144
2145 if (argc < 1 || c->display_usage) {
2146 return net_ads_dn_usage(c, argc, argv);
2147 }
2148
2149 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2150 return -1;
2151 }
2152
2153 dn = argv[0];
2154 attrs = (argv + 1);
2155
2156 rc = ads_do_search_all(ads, dn,
2157 LDAP_SCOPE_BASE,
2158 "(objectclass=*)", attrs, &res);
2159 if (!ADS_ERR_OK(rc)) {
2160 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2161 ads_destroy(&ads);
2162 return -1;
2163 }
2164
2165 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2166
2167 /* dump the results */
2168 ads_dump(ads, res);
2169
2170 ads_msgfree(ads, res);
2171 ads_destroy(&ads);
2172
2173 return 0;
2174 }
2175
2176 /*
2177 help for net ads sid search
2178 */
2179 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2180 {
2181 d_printf(_(
2182 "\nnet ads sid <sid> <attributes...>\n"
2183 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2184 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2185 "to show in the results\n\n"
2186 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2187 ));
2188 net_common_flags_usage(c, argc, argv);
2189 return -1;
2190 }
2191
2192
2193 /*
2194 general ADS search function. Useful in diagnosing problems in ADS
2195 */
2196 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2197 {
2198 ADS_STRUCT *ads;
2199 ADS_STATUS rc;
2200 const char *sid_string;
2201 const char **attrs;
2202 LDAPMessage *res = NULL;
2203 struct dom_sid sid;
2204
2205 if (argc < 1 || c->display_usage) {
2206 return net_ads_sid_usage(c, argc, argv);
2207 }
2208
2209 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2210 return -1;
2211 }
2212
2213 sid_string = argv[0];
2214 attrs = (argv + 1);
2215
2216 if (!string_to_sid(&sid, sid_string)) {
2217 d_fprintf(stderr, _("could not convert sid\n"));
2218 ads_destroy(&ads);
2219 return -1;
2220 }
2221
2222 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2223 if (!ADS_ERR_OK(rc)) {
2224 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2225 ads_destroy(&ads);
2226 return -1;
2227 }
2228
2229 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2230
2231 /* dump the results */
2232 ads_dump(ads, res);
2233
2234 ads_msgfree(ads, res);
2235 ads_destroy(&ads);
2236
2237 return 0;
2238 }
2239
2240 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2241 {
2242 int ret;
2243 ADS_STRUCT *ads;
2244
2245 if (c->display_usage) {
2246 d_printf( "%s\n"
2247 "net ads keytab flush\n"
2248 " %s\n",
2249 _("Usage:"),
2250 _("Delete the whole keytab"));
2251 return 0;
2252 }
2253
2254 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2255 return -1;
2256 }
2257 ret = ads_keytab_flush(ads);
2258 ads_destroy(&ads);
2259 return ret;
2260 }
2261
2262 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2263 {
2264 int i;
2265 int ret = 0;
2266 ADS_STRUCT *ads;
2267
2268 if (c->display_usage) {
2269 d_printf("%s\n%s",
2270 _("Usage:"),
2271 _("net ads keytab add <principal> [principal ...]\n"
2272 " Add principals to local keytab\n"
2273 " principal\tKerberos principal to add to "
2274 "keytab\n"));
2275 return 0;
2276 }
2277
2278 d_printf(_("Processing principals to add...\n"));
2279 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2280 return -1;
2281 }
2282 for (i = 0; i < argc; i++) {
2283 ret |= ads_keytab_add_entry(ads, argv[i]);
2284 }
2285 ads_destroy(&ads);
2286 return ret;
2287 }
2288
2289 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2290 {
2291 ADS_STRUCT *ads;
2292 int ret;
2293
2294 if (c->display_usage) {
2295 d_printf( "%s\n"
2296 "net ads keytab create\n"
2297 " %s\n",
2298 _("Usage:"),
2299 _("Create new default keytab"));
2300 return 0;
2301 }
2302
2303 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2304 return -1;
2305 }
2306 ret = ads_keytab_create_default(ads);
2307 ads_destroy(&ads);
2308 return ret;
2309 }
2310
2311 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2312 {
2313 const char *keytab = NULL;
2314
2315 if (c->display_usage) {
2316 d_printf("%s\n%s",
2317 _("Usage:"),
2318 _("net ads keytab list [keytab]\n"
2319 " List a local keytab\n"
2320 " keytab\tKeytab to list\n"));
2321 return 0;
2322 }
2323
2324 if (argc >= 1) {
2325 keytab = argv[0];
2326 }
2327
2328 return ads_keytab_list(keytab);
2329 }
2330
2331
2332 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2333 {
2334 struct functable func[] = {
2335 {
2336 "add",
2337 net_ads_keytab_add,
2338 NET_TRANSPORT_ADS,
2339 N_("Add a service principal"),
2340 N_("net ads keytab add\n"
2341 " Add a service principal")
2342 },
2343 {
2344 "create",
2345 net_ads_keytab_create,
2346 NET_TRANSPORT_ADS,
2347 N_("Create a fresh keytab"),
2348 N_("net ads keytab create\n"
2349 " Create a fresh keytab")
2350 },
2351 {
2352 "flush",
2353 net_ads_keytab_flush,
2354 NET_TRANSPORT_ADS,
2355 N_("Remove all keytab entries"),
2356 N_("net ads keytab flush\n"
2357 " Remove all keytab entries")
2358 },
2359 {
2360 "list",
2361 net_ads_keytab_list,
2362 NET_TRANSPORT_ADS,
2363 N_("List a keytab"),
2364 N_("net ads keytab list\n"
2365 " List a keytab")
2366 },
2367 {NULL, NULL, 0, NULL, NULL}
2368 };
2369
2370 if (!USE_KERBEROS_KEYTAB) {
2371 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2372 "keytab method to use keytab functions.\n"));
2373 }
2374
2375 return net_run_function(c, argc, argv, "net ads keytab", func);
2376 }
2377
2378 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2379 {
2380 int ret = -1;
2381
2382 if (c->display_usage) {
2383 d_printf( "%s\n"
2384 "net ads kerberos renew\n"
2385 " %s\n",
2386 _("Usage:"),
2387 _("Renew TGT from existing credential cache"));
2388 return 0;
2389 }
2390
2391 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2392 if (ret) {
2393 d_printf(_("failed to renew kerberos ticket: %s\n"),
2394 error_message(ret));
2395 }
2396 return ret;
2397 }
2398
2399 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2400 {
2401 struct PAC_LOGON_INFO *info = NULL;
2402 TALLOC_CTX *mem_ctx = NULL;
2403 NTSTATUS status;
2404 int ret = -1;
2405 const char *impersonate_princ_s = NULL;
2406
2407 if (c->display_usage) {
2408 d_printf( "%s\n"
2409 "net ads kerberos pac\n"
2410 " %s\n",
2411 _("Usage:"),
2412 _("Dump the Kerberos PAC"));
2413 return 0;
2414 }
2415
2416 mem_ctx = talloc_init("net_ads_kerberos_pac");
2417 if (!mem_ctx) {
2418 goto out;
2419 }
2420
2421 if (argc > 0) {
2422 impersonate_princ_s = argv[0];
2423 }
2424
2425 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2426
2427 status = kerberos_return_pac(mem_ctx,
2428 c->opt_user_name,
2429 c->opt_password,
2430 0,
2431 NULL,
2432 NULL,
2433 NULL,
2434 true,
2435 true,
2436 2592000, /* one month */
2437 impersonate_princ_s,
2438 &info);
2439 if (!NT_STATUS_IS_OK(status)) {
2440 d_printf(_("failed to query kerberos PAC: %s\n"),
2441 nt_errstr(status));
2442 goto out;
2443 }
2444
2445 if (info) {
2446 const char *s;
2447 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2448 d_printf(_("The Pac: %s\n"), s);
2449 }
2450
2451 ret = 0;
2452 out:
2453 TALLOC_FREE(mem_ctx);
2454 return ret;
2455 }
2456
2457 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2458 {
2459 TALLOC_CTX *mem_ctx = NULL;
2460 int ret = -1;
2461 NTSTATUS status;
2462
2463 if (c->display_usage) {
2464 d_printf( "%s\n"
2465 "net ads kerberos kinit\n"
2466 " %s\n",
2467 _("Usage:"),
2468 _("Get Ticket Granting Ticket (TGT) for the user"));
2469 return 0;
2470 }
2471
2472 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2473 if (!mem_ctx) {
2474 goto out;
2475 }
2476
2477 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2478
2479 ret = kerberos_kinit_password_ext(c->opt_user_name,
2480 c->opt_password,
2481 0,
2482 NULL,
2483 NULL,
2484 NULL,
2485 true,
2486 true,
2487 2592000, /* one month */
2488 &status);
2489 if (ret) {
2490 d_printf(_("failed to kinit password: %s\n"),
2491 nt_errstr(status));
2492 }
2493 out:
2494 return ret;
2495 }
2496
2497 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2498 {
2499 struct functable func[] = {
2500 {
2501 "kinit",
2502 net_ads_kerberos_kinit,
2503 NET_TRANSPORT_ADS,
2504 N_("Retrieve Ticket Granting Ticket (TGT)"),
2505 N_("net ads kerberos kinit\n"
2506 " Receive Ticket Granting Ticket (TGT)")
2507 },
2508 {
2509 "renew",
2510 net_ads_kerberos_renew,
2511 NET_TRANSPORT_ADS,
2512 N_("Renew Ticket Granting Ticket from credential cache"),
2513 N_("net ads kerberos renew\n"
2514 " Renew Ticket Granting Ticket (TGT) from "
2515 "credential cache")
2516 },
2517 {
2518 "pac",
2519 net_ads_kerberos_pac,
2520 NET_TRANSPORT_ADS,
2521 N_("Dump Kerberos PAC"),
2522 N_("net ads kerberos pac\n"
2523 " Dump Kerberos PAC")
2524 },
2525 {NULL, NULL, 0, NULL, NULL}
2526 };
2527
2528 return net_run_function(c, argc, argv, "net ads kerberos", func);
2529 }
2530
2531 int net_ads(struct net_context *c, int argc, const char **argv)
2532 {
2533 struct functable func[] = {
2534 {
2535 "info",
2536 net_ads_info,
2537 NET_TRANSPORT_ADS,
2538 N_("Display details on remote ADS server"),
2539 N_("net ads info\n"
2540 " Display details on remote ADS server")
2541 },
2542 {
2543 "join",
2544 net_ads_join,
2545 NET_TRANSPORT_ADS,
2546 N_("Join the local machine to ADS realm"),
2547 N_("net ads join\n"
2548 " Join the local machine to ADS realm")
2549 },
2550 {
2551 "testjoin",
2552 net_ads_testjoin,
2553 NET_TRANSPORT_ADS,
2554 N_("Validate machine account"),
2555 N_("net ads testjoin\n"
2556 " Validate machine account")
2557 },
2558 {
2559 "leave",
2560 net_ads_leave,
2561 NET_TRANSPORT_ADS,
2562 N_("Remove the local machine from ADS"),
2563 N_("net ads leave\n"
2564 " Remove the local machine from ADS")
2565 },
2566 {
2567 "status",
2568 net_ads_status,
2569 NET_TRANSPORT_ADS,
2570 N_("Display machine account details"),
2571 N_("net ads status\n"
2572 " Display machine account details")
2573 },
2574 {
2575 "user",
2576 net_ads_user,
2577 NET_TRANSPORT_ADS,
2578 N_("List/modify users"),
2579 N_("net ads user\n"
2580 " List/modify users")
2581 },
2582 {
2583 "group",
2584 net_ads_group,
2585 NET_TRANSPORT_ADS,
2586 N_("List/modify groups"),
2587 N_("net ads group\n"
2588 " List/modify groups")
2589 },
2590 {
2591 "dns",
2592 net_ads_dns,
2593 NET_TRANSPORT_ADS,
2594 N_("Issue dynamic DNS update"),
2595 N_("net ads dns\n"
2596 " Issue dynamic DNS update")
2597 },
2598 {
2599 "password",
2600 net_ads_password,
2601 NET_TRANSPORT_ADS,
2602 N_("Change user passwords"),
2603 N_("net ads password\n"
2604 " Change user passwords")
2605 },
2606 {
2607 "changetrustpw",
2608 net_ads_changetrustpw,
2609 NET_TRANSPORT_ADS,
2610 N_("Change trust account password"),
2611 N_("net ads changetrustpw\n"
2612 " Change trust account password")
2613 },
2614 {
2615 "printer",
2616 net_ads_printer,
2617 NET_TRANSPORT_ADS,
2618 N_("List/modify printer entries"),
2619 N_("net ads printer\n"
2620 " List/modify printer entries")
2621 },
2622 {
2623 "search",
2624 net_ads_search,
2625 NET_TRANSPORT_ADS,
2626 N_("Issue LDAP search using filter"),
2627 N_("net ads search\n"
2628 " Issue LDAP search using filter")
2629 },
2630 {
2631 "dn",
2632 net_ads_dn,
2633 NET_TRANSPORT_ADS,
2634 N_("Issue LDAP search by DN"),
2635 N_("net ads dn\n"
2636 " Issue LDAP search by DN")
2637 },
2638 {
2639 "sid",
2640 net_ads_sid,
2641 NET_TRANSPORT_ADS,
2642 N_("Issue LDAP search by SID"),
2643 N_("net ads sid\n"
2644 " Issue LDAP search by SID")
2645 },
2646 {
2647 "workgroup",
2648 net_ads_workgroup,
2649 NET_TRANSPORT_ADS,
2650 N_("Display workgroup name"),
2651 N_("net ads workgroup\n"
2652 " Display the workgroup name")
2653 },
2654 {
2655 "lookup",
2656 net_ads_lookup,
2657 NET_TRANSPORT_ADS,
2658 N_("Perfom CLDAP query on DC"),
2659 N_("net ads lookup\n"
2660 " Find the ADS DC using CLDAP lookups")
2661 },
2662 {
2663 "keytab",
2664 net_ads_keytab,
2665 NET_TRANSPORT_ADS,
2666 N_("Manage local keytab file"),
2667 N_("net ads keytab\n"
2668 " Manage local keytab file")
2669 },
2670 {
2671 "gpo",
2672 net_ads_gpo,
2673 NET_TRANSPORT_ADS,
2674 N_("Manage group policy objects"),
2675 N_("net ads gpo\n"
2676 " Manage group policy objects")
2677 },
2678 {
2679 "kerberos",
2680 net_ads_kerberos,
2681 NET_TRANSPORT_ADS,
2682 N_("Manage kerberos keytab"),
2683 N_("net ads kerberos\n"
2684 " Manage kerberos keytab")
2685 },
2686 {NULL, NULL, 0, NULL, NULL}
2687 };
2688
2689 return net_run_function(c, argc, argv, "net ads", func);
2690 }
2691
2692 #else
2693
2694 static int net_ads_noads(void)
2695 {
2696 d_fprintf(stderr, _("ADS support not compiled in\n"));
2697 return -1;
2698 }
2699
2700 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2701 {
2702 return net_ads_noads();
2703 }
2704
2705 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2706 {
2707 return net_ads_noads();
2708 }
2709
2710 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2711 {
2712 return net_ads_noads();
2713 }
2714
2715 int net_ads_join(struct net_context *c, int argc, const char **argv)
2716 {
2717 return net_ads_noads();
2718 }
2719
2720 int net_ads_user(struct net_context *c, int argc, const char **argv)
2721 {
2722 return net_ads_noads();
2723 }
2724
2725 int net_ads_group(struct net_context *c, int argc, const char **argv)
2726 {
2727 return net_ads_noads();
2728 }
2729
2730 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
2731 {
2732 return net_ads_noads();
2733 }
2734
2735 /* this one shouldn't display a message */
2736 int net_ads_check(struct net_context *c)
2737 {
2738 return -1;
2739 }
2740
2741 int net_ads_check_our_domain(struct net_context *c)
2742 {
2743 return -1;
2744 }
2745
2746 int net_ads(struct net_context *c, int argc, const char **argv)
2747 {
2748 return net_ads_noads();
2749 }
2750
2751 #endif /* WITH_ADS */
Samba GIT mirror