2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "librpc/gen_ndr/ndr_krb5pac.h"
27 #include "../librpc/gen_ndr/ndr_spoolss.h"
28 #include "nsswitch/libwbclient/wbclient.h"
30 #include "libads/cldap.h"
31 #include "../lib/addns/dnsquery.h"
32 #include "../libds/common/flags.h"
33 #include "librpc/gen_ndr/libnet_join.h"
34 #include "libnet/libnet_join.h"
38 #include "../libcli/security/security.h"
39 #include "libsmb/libsmb.h"
40 #include "lib/param/loadparm.h"
41 #include "utils/net_dns.h"
45 /* when we do not have sufficient input parameters to contact a remote domain
46 * we always fall back to our own realm - Guenther*/
48 static const char *assume_own_realm(struct net_context
*c
)
50 if (!c
->opt_host
&& strequal(lp_workgroup(), c
->opt_target_workgroup
)) {
58 do a cldap netlogon query
60 static int net_ads_cldap_netlogon(struct net_context
*c
, ADS_STRUCT
*ads
)
62 char addr
[INET6_ADDRSTRLEN
];
63 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply
;
65 print_sockaddr(addr
, sizeof(addr
), &ads
->ldap
.ss
);
67 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads
->ldap
.ss
, ads
->server
.realm
, &reply
) ) {
68 d_fprintf(stderr
, _("CLDAP query failed!\n"));
72 d_printf(_("Information for Domain Controller: %s\n\n"),
75 d_printf(_("Response Type: "));
76 switch (reply
.command
) {
77 case LOGON_SAM_LOGON_USER_UNKNOWN_EX
:
78 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
80 case LOGON_SAM_LOGON_RESPONSE_EX
:
81 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
84 d_printf("0x%x\n", reply
.command
);
88 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply
.domain_uuid
));
92 "\tIs a GC of the forest: %s\n"
93 "\tIs an LDAP server: %s\n"
95 "\tIs running a KDC: %s\n"
96 "\tIs running time services: %s\n"
97 "\tIs the closest DC: %s\n"
99 "\tHas a hardware clock: %s\n"
100 "\tIs a non-domain NC serviced by LDAP server: %s\n"
101 "\tIs NT6 DC that has some secrets: %s\n"
102 "\tIs NT6 DC that has all secrets: %s\n"
103 "\tRuns Active Directory Web Services: %s\n"
104 "\tRuns on Windows 2012 or later: %s\n"),
105 (reply
.server_type
& NBT_SERVER_PDC
) ? _("yes") : _("no"),
106 (reply
.server_type
& NBT_SERVER_GC
) ? _("yes") : _("no"),
107 (reply
.server_type
& NBT_SERVER_LDAP
) ? _("yes") : _("no"),
108 (reply
.server_type
& NBT_SERVER_DS
) ? _("yes") : _("no"),
109 (reply
.server_type
& NBT_SERVER_KDC
) ? _("yes") : _("no"),
110 (reply
.server_type
& NBT_SERVER_TIMESERV
) ? _("yes") : _("no"),
111 (reply
.server_type
& NBT_SERVER_CLOSEST
) ? _("yes") : _("no"),
112 (reply
.server_type
& NBT_SERVER_WRITABLE
) ? _("yes") : _("no"),
113 (reply
.server_type
& NBT_SERVER_GOOD_TIMESERV
) ? _("yes") : _("no"),
114 (reply
.server_type
& NBT_SERVER_NDNC
) ? _("yes") : _("no"),
115 (reply
.server_type
& NBT_SERVER_SELECT_SECRET_DOMAIN_6
) ? _("yes") : _("no"),
116 (reply
.server_type
& NBT_SERVER_FULL_SECRET_DOMAIN_6
) ? _("yes") : _("no"),
117 (reply
.server_type
& NBT_SERVER_ADS_WEB_SERVICE
) ? _("yes") : _("no"),
118 (reply
.server_type
& NBT_SERVER_DS_8
) ? _("yes") : _("no"));
121 printf(_("Forest:\t\t\t%s\n"), reply
.forest
);
122 printf(_("Domain:\t\t\t%s\n"), reply
.dns_domain
);
123 printf(_("Domain Controller:\t%s\n"), reply
.pdc_dns_name
);
125 printf(_("Pre-Win2k Domain:\t%s\n"), reply
.domain_name
);
126 printf(_("Pre-Win2k Hostname:\t%s\n"), reply
.pdc_name
);
128 if (*reply
.user_name
) printf(_("User name:\t%s\n"), reply
.user_name
);
130 printf(_("Server Site Name :\t\t%s\n"), reply
.server_site
);
131 printf(_("Client Site Name :\t\t%s\n"), reply
.client_site
);
133 d_printf(_("NT Version: %d\n"), reply
.nt_version
);
134 d_printf(_("LMNT Token: %.2x\n"), reply
.lmnt_token
);
135 d_printf(_("LM20 Token: %.2x\n"), reply
.lm20_token
);
141 this implements the CLDAP based netlogon lookup requests
142 for finding the domain controller of a ADS domain
144 static int net_ads_lookup(struct net_context
*c
, int argc
, const char **argv
)
149 if (c
->display_usage
) {
154 _("Find the ADS DC using CLDAP lookup.\n"));
158 if (!ADS_ERR_OK(ads_startup_nobind(c
, false, &ads
))) {
159 d_fprintf(stderr
, _("Didn't find the cldap server!\n"));
164 if (!ads
->config
.realm
) {
165 ads
->config
.realm
= discard_const_p(char, c
->opt_target_workgroup
);
166 ads
->ldap
.port
= 389;
169 ret
= net_ads_cldap_netlogon(c
, ads
);
176 static int net_ads_info(struct net_context
*c
, int argc
, const char **argv
)
179 char addr
[INET6_ADDRSTRLEN
];
182 if (c
->display_usage
) {
187 _("Display information about an Active Directory "
192 if (!ADS_ERR_OK(ads_startup_nobind(c
, false, &ads
))) {
193 d_fprintf(stderr
, _("Didn't find the ldap server!\n"));
197 if (!ads
|| !ads
->config
.realm
) {
198 d_fprintf(stderr
, _("Didn't find the ldap server!\n"));
203 /* Try to set the server's current time since we didn't do a full
204 TCP LDAP session initially */
206 if ( !ADS_ERR_OK(ads_current_time( ads
)) ) {
207 d_fprintf( stderr
, _("Failed to get server's current time!\n"));
210 pass_time
= secrets_fetch_pass_last_set_time(ads
->server
.workgroup
);
212 print_sockaddr(addr
, sizeof(addr
), &ads
->ldap
.ss
);
214 d_printf(_("LDAP server: %s\n"), addr
);
215 d_printf(_("LDAP server name: %s\n"), ads
->config
.ldap_server_name
);
216 d_printf(_("Realm: %s\n"), ads
->config
.realm
);
217 d_printf(_("Bind Path: %s\n"), ads
->config
.bind_path
);
218 d_printf(_("LDAP port: %d\n"), ads
->ldap
.port
);
219 d_printf(_("Server time: %s\n"),
220 http_timestring(talloc_tos(), ads
->config
.current_time
));
222 d_printf(_("KDC server: %s\n"), ads
->auth
.kdc_server
);
223 d_printf(_("Server time offset: %d\n"), ads
->auth
.time_offset
);
225 d_printf(_("Last machine account password change: %s\n"),
226 http_timestring(talloc_tos(), pass_time
));
232 static void use_in_memory_ccache(void) {
233 /* Use in-memory credentials cache so we do not interfere with
234 * existing credentials */
235 setenv(KRB5_ENV_CCNAME
, "MEMORY:net_ads", 1);
238 static ADS_STATUS
ads_startup_int(struct net_context
*c
, bool only_own_domain
,
239 uint32_t auth_flags
, ADS_STRUCT
**ads_ret
)
241 ADS_STRUCT
*ads
= NULL
;
243 bool need_password
= false;
244 bool second_time
= false;
246 const char *realm
= NULL
;
247 bool tried_closest_dc
= false;
249 /* lp_realm() should be handled by a command line param,
250 However, the join requires that realm be set in smb.conf
251 and compares our realm with the remote server's so this is
252 ok until someone needs more flexibility */
257 if (only_own_domain
) {
260 realm
= assume_own_realm(c
);
263 ads
= ads_init(realm
, c
->opt_target_workgroup
, c
->opt_host
);
265 if (!c
->opt_user_name
) {
266 c
->opt_user_name
= "administrator";
269 if (c
->opt_user_specified
) {
270 need_password
= true;
274 if (!c
->opt_password
&& need_password
&& !c
->opt_machine_pass
) {
275 c
->opt_password
= net_prompt_pass(c
, c
->opt_user_name
);
276 if (!c
->opt_password
) {
278 return ADS_ERROR(LDAP_NO_MEMORY
);
282 if (c
->opt_password
) {
283 use_in_memory_ccache();
284 SAFE_FREE(ads
->auth
.password
);
285 ads
->auth
.password
= smb_xstrdup(c
->opt_password
);
288 ads
->auth
.flags
|= auth_flags
;
289 SAFE_FREE(ads
->auth
.user_name
);
290 ads
->auth
.user_name
= smb_xstrdup(c
->opt_user_name
);
293 * If the username is of the form "name@realm",
294 * extract the realm and convert to upper case.
295 * This is only used to establish the connection.
297 if ((cp
= strchr_m(ads
->auth
.user_name
, '@'))!=0) {
299 SAFE_FREE(ads
->auth
.realm
);
300 ads
->auth
.realm
= smb_xstrdup(cp
);
301 if (!strupper_m(ads
->auth
.realm
)) {
303 return ADS_ERROR(LDAP_NO_MEMORY
);
307 status
= ads_connect(ads
);
309 if (!ADS_ERR_OK(status
)) {
311 if (NT_STATUS_EQUAL(ads_ntstatus(status
),
312 NT_STATUS_NO_LOGON_SERVERS
)) {
313 DEBUG(0,("ads_connect: %s\n", ads_errstr(status
)));
318 if (!need_password
&& !second_time
&& !(auth_flags
& ADS_AUTH_NO_BIND
)) {
319 need_password
= true;
328 /* when contacting our own domain, make sure we use the closest DC.
329 * This is done by reconnecting to ADS because only the first call to
330 * ads_connect will give us our own sitename */
332 if ((only_own_domain
|| !c
->opt_host
) && !tried_closest_dc
) {
334 tried_closest_dc
= true; /* avoid loop */
336 if (!ads_closest_dc(ads
)) {
338 namecache_delete(ads
->server
.realm
, 0x1C);
339 namecache_delete(ads
->server
.workgroup
, 0x1C);
352 ADS_STATUS
ads_startup(struct net_context
*c
, bool only_own_domain
, ADS_STRUCT
**ads
)
354 return ads_startup_int(c
, only_own_domain
, 0, ads
);
357 ADS_STATUS
ads_startup_nobind(struct net_context
*c
, bool only_own_domain
, ADS_STRUCT
**ads
)
359 return ads_startup_int(c
, only_own_domain
, ADS_AUTH_NO_BIND
, ads
);
363 Check to see if connection can be made via ads.
364 ads_startup() stores the password in opt_password if it needs to so
365 that rpc or rap can use it without re-prompting.
367 static int net_ads_check_int(const char *realm
, const char *workgroup
, const char *host
)
372 if ( (ads
= ads_init( realm
, workgroup
, host
)) == NULL
) {
376 ads
->auth
.flags
|= ADS_AUTH_NO_BIND
;
378 status
= ads_connect(ads
);
379 if ( !ADS_ERR_OK(status
) ) {
387 int net_ads_check_our_domain(struct net_context
*c
)
389 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL
);
392 int net_ads_check(struct net_context
*c
)
394 return net_ads_check_int(NULL
, c
->opt_workgroup
, c
->opt_host
);
398 determine the netbios workgroup name for a domain
400 static int net_ads_workgroup(struct net_context
*c
, int argc
, const char **argv
)
403 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply
;
405 if (c
->display_usage
) {
407 "net ads workgroup\n"
410 _("Print the workgroup name"));
414 if (!ADS_ERR_OK(ads_startup_nobind(c
, false, &ads
))) {
415 d_fprintf(stderr
, _("Didn't find the cldap server!\n"));
419 if (!ads
->config
.realm
) {
420 ads
->config
.realm
= discard_const_p(char, c
->opt_target_workgroup
);
421 ads
->ldap
.port
= 389;
424 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads
->ldap
.ss
, ads
->server
.realm
, &reply
) ) {
425 d_fprintf(stderr
, _("CLDAP query failed!\n"));
430 d_printf(_("Workgroup: %s\n"), reply
.domain_name
);
439 static bool usergrp_display(ADS_STRUCT
*ads
, char *field
, void **values
, void *data_area
)
441 char **disp_fields
= (char **) data_area
;
443 if (!field
) { /* must be end of record */
444 if (disp_fields
[0]) {
445 if (!strchr_m(disp_fields
[0], '$')) {
447 d_printf("%-21.21s %s\n",
448 disp_fields
[0], disp_fields
[1]);
450 d_printf("%s\n", disp_fields
[0]);
453 SAFE_FREE(disp_fields
[0]);
454 SAFE_FREE(disp_fields
[1]);
457 if (!values
) /* must be new field, indicate string field */
459 if (strcasecmp_m(field
, "sAMAccountName") == 0) {
460 disp_fields
[0] = SMB_STRDUP((char *) values
[0]);
462 if (strcasecmp_m(field
, "description") == 0)
463 disp_fields
[1] = SMB_STRDUP((char *) values
[0]);
467 static int net_ads_user_usage(struct net_context
*c
, int argc
, const char **argv
)
469 return net_user_usage(c
, argc
, argv
);
472 static int ads_user_add(struct net_context
*c
, int argc
, const char **argv
)
477 LDAPMessage
*res
=NULL
;
481 if (argc
< 1 || c
->display_usage
)
482 return net_ads_user_usage(c
, argc
, argv
);
484 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
488 status
= ads_find_user_acct(ads
, &res
, argv
[0]);
490 if (!ADS_ERR_OK(status
)) {
491 d_fprintf(stderr
, _("ads_user_add: %s\n"), ads_errstr(status
));
495 if (ads_count_replies(ads
, res
)) {
496 d_fprintf(stderr
, _("ads_user_add: User %s already exists\n"),
501 if (c
->opt_container
) {
502 ou_str
= SMB_STRDUP(c
->opt_container
);
504 ou_str
= ads_default_ou_string(ads
, DS_GUID_USERS_CONTAINER
);
507 status
= ads_add_user_acct(ads
, argv
[0], ou_str
, c
->opt_comment
);
509 if (!ADS_ERR_OK(status
)) {
510 d_fprintf(stderr
, _("Could not add user %s: %s\n"), argv
[0],
515 /* if no password is to be set, we're done */
517 d_printf(_("User %s added\n"), argv
[0]);
522 /* try setting the password */
523 if (asprintf(&upn
, "%s@%s", argv
[0], ads
->config
.realm
) == -1) {
526 status
= ads_krb5_set_password(ads
->auth
.kdc_server
, upn
, argv
[1],
527 ads
->auth
.time_offset
);
529 if (ADS_ERR_OK(status
)) {
530 d_printf(_("User %s added\n"), argv
[0]);
535 /* password didn't set, delete account */
536 d_fprintf(stderr
, _("Could not add user %s. "
537 "Error setting password %s\n"),
538 argv
[0], ads_errstr(status
));
539 ads_msgfree(ads
, res
);
540 status
=ads_find_user_acct(ads
, &res
, argv
[0]);
541 if (ADS_ERR_OK(status
)) {
542 userdn
= ads_get_dn(ads
, talloc_tos(), res
);
543 ads_del_dn(ads
, userdn
);
549 ads_msgfree(ads
, res
);
555 static int ads_user_info(struct net_context
*c
, int argc
, const char **argv
)
557 ADS_STRUCT
*ads
= NULL
;
559 LDAPMessage
*res
= NULL
;
563 const char *attrs
[] = {"memberOf", "primaryGroupID", NULL
};
564 char *searchstring
=NULL
;
568 struct dom_sid primary_group_sid
;
570 enum wbcSidType type
;
572 if (argc
< 1 || c
->display_usage
) {
573 return net_ads_user_usage(c
, argc
, argv
);
576 frame
= talloc_new(talloc_tos());
581 escaped_user
= escape_ldap_string(frame
, argv
[0]);
584 _("ads_user_info: failed to escape user %s\n"),
589 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
594 if (asprintf(&searchstring
, "(sAMAccountName=%s)", escaped_user
) == -1) {
598 rc
= ads_search(ads
, &res
, searchstring
, attrs
);
599 SAFE_FREE(searchstring
);
601 if (!ADS_ERR_OK(rc
)) {
602 d_fprintf(stderr
, _("ads_search: %s\n"), ads_errstr(rc
));
607 if (!ads_pull_uint32(ads
, res
, "primaryGroupID", &group_rid
)) {
608 d_fprintf(stderr
, _("ads_pull_uint32 failed\n"));
613 rc
= ads_domain_sid(ads
, &primary_group_sid
);
614 if (!ADS_ERR_OK(rc
)) {
615 d_fprintf(stderr
, _("ads_domain_sid: %s\n"), ads_errstr(rc
));
620 sid_append_rid(&primary_group_sid
, group_rid
);
622 wbc_status
= wbcLookupSid((struct wbcDomainSid
*)&primary_group_sid
,
623 NULL
, /* don't look up domain */
626 if (!WBC_ERROR_IS_OK(wbc_status
)) {
627 d_fprintf(stderr
, "wbcLookupSid: %s\n",
628 wbcErrorString(wbc_status
));
633 d_printf("%s\n", primary_group
);
635 wbcFreeMemory(primary_group
);
637 grouplist
= ldap_get_values((LDAP
*)ads
->ldap
.ld
,
638 (LDAPMessage
*)res
, "memberOf");
643 for (i
=0;grouplist
[i
];i
++) {
644 groupname
= ldap_explode_dn(grouplist
[i
], 1);
645 d_printf("%s\n", groupname
[0]);
646 ldap_value_free(groupname
);
648 ldap_value_free(grouplist
);
652 if (res
) ads_msgfree(ads
, res
);
653 if (ads
) ads_destroy(&ads
);
658 static int ads_user_delete(struct net_context
*c
, int argc
, const char **argv
)
662 LDAPMessage
*res
= NULL
;
666 return net_ads_user_usage(c
, argc
, argv
);
669 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
673 rc
= ads_find_user_acct(ads
, &res
, argv
[0]);
674 if (!ADS_ERR_OK(rc
) || ads_count_replies(ads
, res
) != 1) {
675 d_printf(_("User %s does not exist.\n"), argv
[0]);
676 ads_msgfree(ads
, res
);
680 userdn
= ads_get_dn(ads
, talloc_tos(), res
);
681 ads_msgfree(ads
, res
);
682 rc
= ads_del_dn(ads
, userdn
);
684 if (ADS_ERR_OK(rc
)) {
685 d_printf(_("User %s deleted\n"), argv
[0]);
689 d_fprintf(stderr
, _("Error deleting user %s: %s\n"), argv
[0],
695 int net_ads_user(struct net_context
*c
, int argc
, const char **argv
)
697 struct functable func
[] = {
702 N_("Add an AD user"),
703 N_("net ads user add\n"
710 N_("Display information about an AD user"),
711 N_("net ads user info\n"
712 " Display information about an AD user")
718 N_("Delete an AD user"),
719 N_("net ads user delete\n"
720 " Delete an AD user")
722 {NULL
, NULL
, 0, NULL
, NULL
}
726 const char *shortattrs
[] = {"sAMAccountName", NULL
};
727 const char *longattrs
[] = {"sAMAccountName", "description", NULL
};
728 char *disp_fields
[2] = {NULL
, NULL
};
731 if (c
->display_usage
) {
737 net_display_usage_from_functable(func
);
741 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
745 if (c
->opt_long_list_entries
)
746 d_printf(_("\nUser name Comment"
747 "\n-----------------------------\n"));
749 rc
= ads_do_search_all_fn(ads
, ads
->config
.bind_path
,
751 "(objectCategory=user)",
752 c
->opt_long_list_entries
? longattrs
:
753 shortattrs
, usergrp_display
,
756 return ADS_ERR_OK(rc
) ? 0 : -1;
759 return net_run_function(c
, argc
, argv
, "net ads user", func
);
762 static int net_ads_group_usage(struct net_context
*c
, int argc
, const char **argv
)
764 return net_group_usage(c
, argc
, argv
);
767 static int ads_group_add(struct net_context
*c
, int argc
, const char **argv
)
771 LDAPMessage
*res
=NULL
;
775 if (argc
< 1 || c
->display_usage
) {
776 return net_ads_group_usage(c
, argc
, argv
);
779 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
783 status
= ads_find_user_acct(ads
, &res
, argv
[0]);
785 if (!ADS_ERR_OK(status
)) {
786 d_fprintf(stderr
, _("ads_group_add: %s\n"), ads_errstr(status
));
790 if (ads_count_replies(ads
, res
)) {
791 d_fprintf(stderr
, _("ads_group_add: Group %s already exists\n"), argv
[0]);
795 if (c
->opt_container
) {
796 ou_str
= SMB_STRDUP(c
->opt_container
);
798 ou_str
= ads_default_ou_string(ads
, DS_GUID_USERS_CONTAINER
);
801 status
= ads_add_group_acct(ads
, argv
[0], ou_str
, c
->opt_comment
);
803 if (ADS_ERR_OK(status
)) {
804 d_printf(_("Group %s added\n"), argv
[0]);
807 d_fprintf(stderr
, _("Could not add group %s: %s\n"), argv
[0],
813 ads_msgfree(ads
, res
);
819 static int ads_group_delete(struct net_context
*c
, int argc
, const char **argv
)
823 LDAPMessage
*res
= NULL
;
826 if (argc
< 1 || c
->display_usage
) {
827 return net_ads_group_usage(c
, argc
, argv
);
830 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
834 rc
= ads_find_user_acct(ads
, &res
, argv
[0]);
835 if (!ADS_ERR_OK(rc
) || ads_count_replies(ads
, res
) != 1) {
836 d_printf(_("Group %s does not exist.\n"), argv
[0]);
837 ads_msgfree(ads
, res
);
841 groupdn
= ads_get_dn(ads
, talloc_tos(), res
);
842 ads_msgfree(ads
, res
);
843 rc
= ads_del_dn(ads
, groupdn
);
844 TALLOC_FREE(groupdn
);
845 if (ADS_ERR_OK(rc
)) {
846 d_printf(_("Group %s deleted\n"), argv
[0]);
850 d_fprintf(stderr
, _("Error deleting group %s: %s\n"), argv
[0],
856 int net_ads_group(struct net_context
*c
, int argc
, const char **argv
)
858 struct functable func
[] = {
863 N_("Add an AD group"),
864 N_("net ads group add\n"
871 N_("Delete an AD group"),
872 N_("net ads group delete\n"
873 " Delete an AD group")
875 {NULL
, NULL
, 0, NULL
, NULL
}
879 const char *shortattrs
[] = {"sAMAccountName", NULL
};
880 const char *longattrs
[] = {"sAMAccountName", "description", NULL
};
881 char *disp_fields
[2] = {NULL
, NULL
};
884 if (c
->display_usage
) {
889 _("List AD groups"));
890 net_display_usage_from_functable(func
);
894 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
898 if (c
->opt_long_list_entries
)
899 d_printf(_("\nGroup name Comment"
900 "\n-----------------------------\n"));
901 rc
= ads_do_search_all_fn(ads
, ads
->config
.bind_path
,
903 "(objectCategory=group)",
904 c
->opt_long_list_entries
? longattrs
:
905 shortattrs
, usergrp_display
,
909 return ADS_ERR_OK(rc
) ? 0 : -1;
911 return net_run_function(c
, argc
, argv
, "net ads group", func
);
914 static int net_ads_status(struct net_context
*c
, int argc
, const char **argv
)
920 if (c
->display_usage
) {
925 _("Display machine account details"));
929 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
933 rc
= ads_find_machine_acct(ads
, &res
, lp_netbios_name());
934 if (!ADS_ERR_OK(rc
)) {
935 d_fprintf(stderr
, _("ads_find_machine_acct: %s\n"), ads_errstr(rc
));
940 if (ads_count_replies(ads
, res
) == 0) {
941 d_fprintf(stderr
, _("No machine account for '%s' found\n"), lp_netbios_name());
951 /*******************************************************************
952 Leave an AD domain. Windows XP disables the machine account.
953 We'll try the same. The old code would do an LDAP delete.
954 That only worked using the machine creds because added the machine
955 with full control to the computer object's ACL.
956 *******************************************************************/
958 static int net_ads_leave(struct net_context
*c
, int argc
, const char **argv
)
961 struct libnet_UnjoinCtx
*r
= NULL
;
964 if (c
->display_usage
) {
969 _("Leave an AD domain"));
974 d_fprintf(stderr
, _("No realm set, are we joined ?\n"));
978 if (!(ctx
= talloc_init("net_ads_leave"))) {
979 d_fprintf(stderr
, _("Could not initialise talloc context.\n"));
983 if (!c
->opt_kerberos
) {
984 use_in_memory_ccache();
988 d_fprintf(stderr
, _("Could not initialise message context. "
989 "Try running as root\n"));
993 werr
= libnet_init_UnjoinCtx(ctx
, &r
);
994 if (!W_ERROR_IS_OK(werr
)) {
995 d_fprintf(stderr
, _("Could not initialise unjoin context.\n"));
1000 r
->in
.use_kerberos
= c
->opt_kerberos
;
1001 r
->in
.dc_name
= c
->opt_host
;
1002 r
->in
.domain_name
= lp_realm();
1003 r
->in
.admin_account
= c
->opt_user_name
;
1004 r
->in
.admin_password
= net_prompt_pass(c
, c
->opt_user_name
);
1005 r
->in
.modify_config
= lp_config_backend_is_registry();
1007 /* Try to delete it, but if that fails, disable it. The
1008 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
1009 r
->in
.unjoin_flags
= WKSSVC_JOIN_FLAGS_JOIN_TYPE
|
1010 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
;
1011 r
->in
.delete_machine_account
= true;
1012 r
->in
.msg_ctx
= c
->msg_ctx
;
1014 werr
= libnet_Unjoin(ctx
, r
);
1015 if (!W_ERROR_IS_OK(werr
)) {
1016 d_printf(_("Failed to leave domain: %s\n"),
1017 r
->out
.error_string
? r
->out
.error_string
:
1018 get_friendly_werror_msg(werr
));
1022 if (r
->out
.deleted_machine_account
) {
1023 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1024 r
->in
.machine_name
, r
->out
.dns_domain_name
);
1028 /* We couldn't delete it - see if the disable succeeded. */
1029 if (r
->out
.disabled_machine_account
) {
1030 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1031 r
->in
.machine_name
, r
->out
.dns_domain_name
);
1036 /* Based on what we requested, we shouldn't get here, but if
1037 we did, it means the secrets were removed, and therefore
1038 we have left the domain */
1039 d_fprintf(stderr
, _("Machine '%s' Left domain '%s'\n"),
1040 r
->in
.machine_name
, r
->out
.dns_domain_name
);
1046 if (W_ERROR_IS_OK(werr
)) {
1053 static NTSTATUS
net_ads_join_ok(struct net_context
*c
)
1055 ADS_STRUCT
*ads
= NULL
;
1058 struct sockaddr_storage dcip
;
1060 if (!secrets_init()) {
1061 DEBUG(1,("Failed to initialise secrets database\n"));
1062 return NT_STATUS_ACCESS_DENIED
;
1065 net_use_krb_machine_account(c
);
1067 get_dc_name(lp_workgroup(), lp_realm(), dc_name
, &dcip
);
1069 status
= ads_startup(c
, true, &ads
);
1070 if (!ADS_ERR_OK(status
)) {
1071 return ads_ntstatus(status
);
1075 return NT_STATUS_OK
;
1079 check that an existing join is OK
1081 int net_ads_testjoin(struct net_context
*c
, int argc
, const char **argv
)
1084 use_in_memory_ccache();
1086 if (c
->display_usage
) {
1088 "net ads testjoin\n"
1091 _("Test if the existing join is ok"));
1095 /* Display success or failure */
1096 status
= net_ads_join_ok(c
);
1097 if (!NT_STATUS_IS_OK(status
)) {
1098 fprintf(stderr
, _("Join to domain is not valid: %s\n"),
1099 get_friendly_nt_error_msg(status
));
1103 printf(_("Join is OK\n"));
1107 /*******************************************************************
1108 Simple configu checks before beginning the join
1109 ********************************************************************/
1111 static WERROR
check_ads_config( void )
1113 if (lp_server_role() != ROLE_DOMAIN_MEMBER
) {
1114 d_printf(_("Host is not configured as a member server.\n"));
1115 return WERR_INVALID_DOMAIN_ROLE
;
1118 if (strlen(lp_netbios_name()) > 15) {
1119 d_printf(_("Our netbios name can be at most 15 chars long, "
1120 "\"%s\" is %u chars long\n"), lp_netbios_name(),
1121 (unsigned int)strlen(lp_netbios_name()));
1122 return WERR_INVALID_COMPUTERNAME
;
1125 if ( lp_security() == SEC_ADS
&& !*lp_realm()) {
1126 d_fprintf(stderr
, _("realm must be set in in %s for ADS "
1127 "join to succeed.\n"), get_dyn_CONFIGFILE());
1128 return WERR_INVALID_PARAMETER
;
1134 /*******************************************************************
1135 Send a DNS update request
1136 *******************************************************************/
1138 #if defined(WITH_DNS_UPDATES)
1139 #include "../lib/addns/dns.h"
1141 static NTSTATUS
net_update_dns_internal(struct net_context
*c
,
1142 TALLOC_CTX
*ctx
, ADS_STRUCT
*ads
,
1143 const char *machine_name
,
1144 const struct sockaddr_storage
*addrs
,
1145 int num_addrs
, bool remove_host
)
1147 struct dns_rr_ns
*nameservers
= NULL
;
1148 int ns_count
= 0, i
;
1149 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
1152 const char *dnsdomain
= NULL
;
1153 char *root_domain
= NULL
;
1155 if ( (dnsdomain
= strchr_m( machine_name
, '.')) == NULL
) {
1156 d_printf(_("No DNS domain configured for %s. "
1157 "Unable to perform DNS Update.\n"), machine_name
);
1158 status
= NT_STATUS_INVALID_PARAMETER
;
1163 status
= ads_dns_lookup_ns(ctx
,
1167 if ( !NT_STATUS_IS_OK(status
) || (ns_count
== 0)) {
1168 /* Child domains often do not have NS records. Look
1169 for the NS record for the forest root domain
1170 (rootDomainNamingContext in therootDSE) */
1172 const char *rootname_attrs
[] = { "rootDomainNamingContext", NULL
};
1173 LDAPMessage
*msg
= NULL
;
1175 ADS_STATUS ads_status
;
1177 if ( !ads
->ldap
.ld
) {
1178 ads_status
= ads_connect( ads
);
1179 if ( !ADS_ERR_OK(ads_status
) ) {
1180 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1185 ads_status
= ads_do_search(ads
, "", LDAP_SCOPE_BASE
,
1186 "(objectclass=*)", rootname_attrs
, &msg
);
1187 if (!ADS_ERR_OK(ads_status
)) {
1191 root_dn
= ads_pull_string(ads
, ctx
, msg
, "rootDomainNamingContext");
1193 ads_msgfree( ads
, msg
);
1197 root_domain
= ads_build_domain( root_dn
);
1200 ads_msgfree( ads
, msg
);
1202 /* try again for NS servers */
1204 status
= ads_dns_lookup_ns(ctx
,
1209 if ( !NT_STATUS_IS_OK(status
) || (ns_count
== 0)) {
1210 DEBUG(3,("net_update_dns_internal: Failed to find name server for the %s "
1211 "realm\n", ads
->config
.realm
));
1212 if (ns_count
== 0) {
1213 status
= NT_STATUS_UNSUCCESSFUL
;
1218 dnsdomain
= root_domain
;
1222 for (i
=0; i
< ns_count
; i
++) {
1224 uint32_t flags
= DNS_UPDATE_SIGNED
|
1225 DNS_UPDATE_UNSIGNED
|
1226 DNS_UPDATE_UNSIGNED_SUFFICIENT
|
1228 DNS_UPDATE_PROBE_SUFFICIENT
;
1231 flags
&= ~DNS_UPDATE_PROBE_SUFFICIENT
;
1232 flags
&= ~DNS_UPDATE_UNSIGNED_SUFFICIENT
;
1236 * Do not return after PROBE completion if this function
1237 * is called for DNS removal.
1240 flags
&= ~DNS_UPDATE_PROBE_SUFFICIENT
;
1243 status
= NT_STATUS_UNSUCCESSFUL
;
1245 /* Now perform the dns update - we'll try non-secure and if we fail,
1246 we'll follow it up with a secure update */
1248 fstrcpy( dns_server
, nameservers
[i
].hostname
);
1250 dns_err
= DoDNSUpdate(dns_server
,
1257 if (ERR_DNS_IS_OK(dns_err
)) {
1258 status
= NT_STATUS_OK
;
1262 if (ERR_DNS_EQUAL(dns_err
, ERROR_DNS_INVALID_NAME_SERVER
) ||
1263 ERR_DNS_EQUAL(dns_err
, ERROR_DNS_CONNECTION_FAILED
) ||
1264 ERR_DNS_EQUAL(dns_err
, ERROR_DNS_SOCKET_ERROR
)) {
1265 DEBUG(1,("retrying DNS update with next nameserver after receiving %s\n",
1266 dns_errstr(dns_err
)));
1270 d_printf(_("DNS Update for %s failed: %s\n"),
1271 machine_name
, dns_errstr(dns_err
));
1272 status
= NT_STATUS_UNSUCCESSFUL
;
1278 SAFE_FREE( root_domain
);
1283 static NTSTATUS
net_update_dns_ext(struct net_context
*c
,
1284 TALLOC_CTX
*mem_ctx
, ADS_STRUCT
*ads
,
1285 const char *hostname
,
1286 struct sockaddr_storage
*iplist
,
1287 int num_addrs
, bool remove_host
)
1289 struct sockaddr_storage
*iplist_alloc
= NULL
;
1290 fstring machine_name
;
1294 fstrcpy(machine_name
, hostname
);
1296 name_to_fqdn( machine_name
, lp_netbios_name() );
1298 if (!strlower_m( machine_name
)) {
1299 return NT_STATUS_INVALID_PARAMETER
;
1303 * If remove_host is true, then remove all IP addresses associated with
1304 * this hostname from the AD server.
1306 if (!remove_host
&& (num_addrs
== 0 || iplist
== NULL
)) {
1308 * Get our ip address
1309 * (not the 127.0.0.x address but a real ip address)
1311 num_addrs
= get_my_ip_address(&iplist_alloc
);
1312 if ( num_addrs
<= 0 ) {
1313 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1314 "non-loopback IP addresses!\n"));
1315 return NT_STATUS_INVALID_PARAMETER
;
1317 iplist
= iplist_alloc
;
1320 status
= net_update_dns_internal(c
, mem_ctx
, ads
, machine_name
,
1321 iplist
, num_addrs
, remove_host
);
1323 SAFE_FREE(iplist_alloc
);
1327 static NTSTATUS
net_update_dns(struct net_context
*c
, TALLOC_CTX
*mem_ctx
, ADS_STRUCT
*ads
, const char *hostname
)
1331 status
= net_update_dns_ext(c
, mem_ctx
, ads
, hostname
, NULL
, 0, false);
1337 /*******************************************************************
1338 ********************************************************************/
1340 static int net_ads_join_usage(struct net_context
*c
, int argc
, const char **argv
)
1342 d_printf(_("net ads join [--no-dns-updates] [options]\n"
1343 "Valid options:\n"));
1344 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1345 " The default UPN is in the form host/netbiosname@REALM.\n"));
1346 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1347 " The OU string read from top to bottom without RDNs\n"
1348 " and delimited by a '/'.\n"
1349 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1350 " NB: A backslash '\\' is used as escape at multiple\n"
1351 " levels and may need to be doubled or even\n"
1352 " quadrupled. It is not used as a separator.\n"));
1353 d_printf(_(" machinepass=PASS Set the machine password to a specific value during\n"
1354 " the join. The default password is random.\n"));
1355 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1356 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during join.\n"
1357 " NB: osName and osVer must be specified together for\n"
1358 " either to take effect. The operatingSystemService\n"
1359 " attribute is then also set along with the two\n"
1360 " other attributes.\n"));
1361 d_printf(_(" osServicePack=string Set the operatingSystemServicePack attribute\n"
1362 " during the join.\n"
1363 " NB: If not specified then by default the samba\n"
1364 " version string is used instead.\n"));
1369 static void _net_ads_join_dns_updates(struct net_context
*c
, TALLOC_CTX
*ctx
, struct libnet_JoinCtx
*r
)
1371 #if defined(WITH_DNS_UPDATES)
1372 ADS_STRUCT
*ads_dns
= NULL
;
1377 * In a clustered environment, don't do dynamic dns updates:
1378 * Registering the set of ip addresses that are assigned to
1379 * the interfaces of the node that performs the join does usually
1380 * not have the desired effect, since the local interfaces do not
1381 * carry the complete set of the cluster's public IP addresses.
1382 * And it can also contain internal addresses that should not
1383 * be visible to the outside at all.
1384 * In order to do dns updates in a clustererd setup, use
1385 * net ads dns register.
1387 if (lp_clustering()) {
1388 d_fprintf(stderr
, _("Not doing automatic DNS update in a "
1389 "clustered setup.\n"));
1393 if (!r
->out
.domain_is_ad
) {
1398 * We enter this block with user creds.
1399 * kinit with the machine password to do dns update.
1402 ads_dns
= ads_init(lp_realm(), NULL
, r
->in
.dc_name
);
1404 if (ads_dns
== NULL
) {
1405 d_fprintf(stderr
, _("DNS update failed: out of memory!\n"));
1409 use_in_memory_ccache();
1411 ret
= asprintf(&ads_dns
->auth
.user_name
, "%s$", lp_netbios_name());
1413 d_fprintf(stderr
, _("DNS update failed: out of memory\n"));
1417 ads_dns
->auth
.password
= secrets_fetch_machine_password(
1418 r
->out
.netbios_domain_name
, NULL
, NULL
);
1419 if (ads_dns
->auth
.password
== NULL
) {
1420 d_fprintf(stderr
, _("DNS update failed: out of memory\n"));
1424 ads_dns
->auth
.realm
= SMB_STRDUP(r
->out
.dns_domain_name
);
1425 if (ads_dns
->auth
.realm
== NULL
) {
1426 d_fprintf(stderr
, _("DNS update failed: out of memory\n"));
1430 if (!strupper_m(ads_dns
->auth
.realm
)) {
1431 d_fprintf(stderr
, _("strupper_m %s failed\n"), ads_dns
->auth
.realm
);
1435 ret
= ads_kinit_password(ads_dns
);
1438 _("DNS update failed: kinit failed: %s\n"),
1439 error_message(ret
));
1443 status
= net_update_dns(c
, ctx
, ads_dns
, NULL
);
1444 if (!NT_STATUS_IS_OK(status
)) {
1445 d_fprintf( stderr
, _("DNS update failed: %s\n"),
1450 ads_destroy(&ads_dns
);
1457 int net_ads_join(struct net_context
*c
, int argc
, const char **argv
)
1459 TALLOC_CTX
*ctx
= NULL
;
1460 struct libnet_JoinCtx
*r
= NULL
;
1461 const char *domain
= lp_realm();
1462 WERROR werr
= WERR_NERR_SETUPNOTJOINED
;
1463 bool createupn
= false;
1464 const char *machineupn
= NULL
;
1465 const char *machine_password
= NULL
;
1466 const char *create_in_ou
= NULL
;
1468 const char *os_name
= NULL
;
1469 const char *os_version
= NULL
;
1470 const char *os_servicepack
= NULL
;
1471 bool modify_config
= lp_config_backend_is_registry();
1472 enum libnetjoin_JoinDomNameType domain_name_type
= JoinDomNameTypeDNS
;
1474 if (c
->display_usage
)
1475 return net_ads_join_usage(c
, argc
, argv
);
1477 if (!modify_config
) {
1479 werr
= check_ads_config();
1480 if (!W_ERROR_IS_OK(werr
)) {
1481 d_fprintf(stderr
, _("Invalid configuration. Exiting....\n"));
1486 if (!(ctx
= talloc_init("net_ads_join"))) {
1487 d_fprintf(stderr
, _("Could not initialise talloc context.\n"));
1488 werr
= WERR_NOT_ENOUGH_MEMORY
;
1492 if (!c
->opt_kerberos
) {
1493 use_in_memory_ccache();
1496 werr
= libnet_init_JoinCtx(ctx
, &r
);
1497 if (!W_ERROR_IS_OK(werr
)) {
1501 /* process additional command line args */
1503 for ( i
=0; i
<argc
; i
++ ) {
1504 if ( !strncasecmp_m(argv
[i
], "createupn", strlen("createupn")) ) {
1506 machineupn
= get_string_param(argv
[i
]);
1508 else if ( !strncasecmp_m(argv
[i
], "createcomputer", strlen("createcomputer")) ) {
1509 if ( (create_in_ou
= get_string_param(argv
[i
])) == NULL
) {
1510 d_fprintf(stderr
, _("Please supply a valid OU path.\n"));
1511 werr
= WERR_INVALID_PARAMETER
;
1515 else if ( !strncasecmp_m(argv
[i
], "osName", strlen("osName")) ) {
1516 if ( (os_name
= get_string_param(argv
[i
])) == NULL
) {
1517 d_fprintf(stderr
, _("Please supply a operating system name.\n"));
1518 werr
= WERR_INVALID_PARAMETER
;
1522 else if ( !strncasecmp_m(argv
[i
], "osVer", strlen("osVer")) ) {
1523 if ( (os_version
= get_string_param(argv
[i
])) == NULL
) {
1524 d_fprintf(stderr
, _("Please supply a valid operating system version.\n"));
1525 werr
= WERR_INVALID_PARAMETER
;
1529 else if ( !strncasecmp_m(argv
[i
], "osServicePack", strlen("osServicePack")) ) {
1530 if ( (os_servicepack
= get_string_param(argv
[i
])) == NULL
) {
1531 d_fprintf(stderr
, _("Please supply a valid servicepack identifier.\n"));
1532 werr
= WERR_INVALID_PARAMETER
;
1536 else if ( !strncasecmp_m(argv
[i
], "machinepass", strlen("machinepass")) ) {
1537 if ( (machine_password
= get_string_param(argv
[i
])) == NULL
) {
1538 d_fprintf(stderr
, _("Please supply a valid password to set as trust account password.\n"));
1539 werr
= WERR_INVALID_PARAMETER
;
1545 if (strchr(domain
, '.') == NULL
) {
1546 domain_name_type
= JoinDomNameTypeUnknown
;
1548 domain_name_type
= JoinDomNameTypeDNS
;
1554 d_fprintf(stderr
, _("Please supply a valid domain name\n"));
1555 werr
= WERR_INVALID_PARAMETER
;
1560 d_fprintf(stderr
, _("Could not initialise message context. "
1561 "Try running as root\n"));
1562 werr
= WERR_ACCESS_DENIED
;
1566 /* Do the domain join here */
1568 r
->in
.domain_name
= domain
;
1569 r
->in
.domain_name_type
= domain_name_type
;
1570 r
->in
.create_upn
= createupn
;
1571 r
->in
.upn
= machineupn
;
1572 r
->in
.account_ou
= create_in_ou
;
1573 r
->in
.os_name
= os_name
;
1574 r
->in
.os_version
= os_version
;
1575 r
->in
.os_servicepack
= os_servicepack
;
1576 r
->in
.dc_name
= c
->opt_host
;
1577 r
->in
.admin_account
= c
->opt_user_name
;
1578 r
->in
.admin_password
= net_prompt_pass(c
, c
->opt_user_name
);
1579 r
->in
.machine_password
= machine_password
;
1581 r
->in
.use_kerberos
= c
->opt_kerberos
;
1582 r
->in
.modify_config
= modify_config
;
1583 r
->in
.join_flags
= WKSSVC_JOIN_FLAGS_JOIN_TYPE
|
1584 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
|
1585 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
;
1586 r
->in
.msg_ctx
= c
->msg_ctx
;
1588 werr
= libnet_Join(ctx
, r
);
1589 if (W_ERROR_EQUAL(werr
, WERR_NERR_DCNOTFOUND
) &&
1590 strequal(domain
, lp_realm())) {
1591 r
->in
.domain_name
= lp_workgroup();
1592 r
->in
.domain_name_type
= JoinDomNameTypeNBT
;
1593 werr
= libnet_Join(ctx
, r
);
1595 if (!W_ERROR_IS_OK(werr
)) {
1599 /* Check the short name of the domain */
1601 if (!modify_config
&& !strequal(lp_workgroup(), r
->out
.netbios_domain_name
)) {
1602 d_printf(_("The workgroup in %s does not match the short\n"
1603 "domain name obtained from the server.\n"
1604 "Using the name [%s] from the server.\n"
1605 "You should set \"workgroup = %s\" in %s.\n"),
1606 get_dyn_CONFIGFILE(), r
->out
.netbios_domain_name
,
1607 r
->out
.netbios_domain_name
, get_dyn_CONFIGFILE());
1610 d_printf(_("Using short domain name -- %s\n"), r
->out
.netbios_domain_name
);
1612 if (r
->out
.dns_domain_name
) {
1613 d_printf(_("Joined '%s' to dns domain '%s'\n"), r
->in
.machine_name
,
1614 r
->out
.dns_domain_name
);
1616 d_printf(_("Joined '%s' to domain '%s'\n"), r
->in
.machine_name
,
1617 r
->out
.netbios_domain_name
);
1620 /* print out informative error string in case there is one */
1621 if (r
->out
.error_string
!= NULL
) {
1622 d_printf("%s\n", r
->out
.error_string
);
1626 * We try doing the dns update (if it was compiled in
1627 * and if it was not disabled on the command line).
1628 * If the dns update fails, we still consider the join
1629 * operation as succeeded if we came this far.
1631 if (!c
->opt_no_dns_updates
) {
1632 _net_ads_join_dns_updates(c
, ctx
, r
);
1641 /* issue an overall failure message at the end. */
1642 d_printf(_("Failed to join domain: %s\n"),
1643 r
&& r
->out
.error_string
? r
->out
.error_string
:
1644 get_friendly_werror_msg(werr
));
1650 /*******************************************************************
1651 ********************************************************************/
1653 static int net_ads_dns_register(struct net_context
*c
, int argc
, const char **argv
)
1655 #if defined(WITH_DNS_UPDATES)
1660 const char *hostname
= NULL
;
1661 const char **addrs_list
= NULL
;
1662 struct sockaddr_storage
*addrs
= NULL
;
1667 talloc_enable_leak_report();
1670 if (argc
<= 1 && lp_clustering() && lp_cluster_addresses() == NULL
) {
1671 d_fprintf(stderr
, _("Refusing DNS updates with automatic "
1672 "detection of addresses in a clustered "
1674 c
->display_usage
= true;
1677 if (c
->display_usage
) {
1679 "net ads dns register [hostname [IP [IP...]]]\n"
1682 _("Register hostname with DNS\n"));
1686 if (!(ctx
= talloc_init("net_ads_dns"))) {
1687 d_fprintf(stderr
, _("Could not initialise talloc context\n"));
1696 num_addrs
= argc
- 1;
1697 addrs_list
= &argv
[1];
1698 } else if (lp_clustering()) {
1699 addrs_list
= lp_cluster_addresses();
1700 num_addrs
= str_list_length(addrs_list
);
1703 if (num_addrs
> 0) {
1704 addrs
= talloc_zero_array(ctx
, struct sockaddr_storage
, num_addrs
);
1705 if (addrs
== NULL
) {
1706 d_fprintf(stderr
, _("Error allocating memory!\n"));
1712 for (count
= 0; count
< num_addrs
; count
++) {
1713 if (!interpret_string_addr(&addrs
[count
], addrs_list
[count
], 0)) {
1714 d_fprintf(stderr
, "%s '%s'.\n",
1715 _("Cannot interpret address"),
1722 status
= ads_startup(c
, true, &ads
);
1723 if ( !ADS_ERR_OK(status
) ) {
1724 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status
)));
1729 ntstatus
= net_update_dns_ext(c
, ctx
, ads
, hostname
, addrs
, num_addrs
, false);
1730 if (!NT_STATUS_IS_OK(ntstatus
)) {
1731 d_fprintf( stderr
, _("DNS update failed!\n") );
1732 ads_destroy( &ads
);
1737 d_fprintf( stderr
, _("Successfully registered hostname with DNS\n") );
1745 _("DNS update support not enabled at compile time!\n"));
1750 static int net_ads_dns_unregister(struct net_context
*c
,
1754 #if defined(WITH_DNS_UPDATES)
1759 const char *hostname
= NULL
;
1762 talloc_enable_leak_report();
1766 c
->display_usage
= true;
1769 if (c
->display_usage
) {
1771 "net ads dns unregister [hostname]\n"
1774 _("Register hostname with DNS\n"));
1778 if (!(ctx
= talloc_init("net_ads_dns"))) {
1779 d_fprintf(stderr
, _("Could not initialise talloc context\n"));
1783 /* Get the hostname for un-registering */
1786 status
= ads_startup(c
, true, &ads
);
1787 if ( !ADS_ERR_OK(status
) ) {
1788 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status
)));
1793 ntstatus
= net_update_dns_ext(c
, ctx
, ads
, hostname
, NULL
, 0, true);
1794 if (!NT_STATUS_IS_OK(ntstatus
)) {
1795 d_fprintf( stderr
, _("DNS update failed!\n") );
1796 ads_destroy( &ads
);
1801 d_fprintf( stderr
, _("Successfully un-registered hostname from DNS\n"));
1809 _("DNS update support not enabled at compile time!\n"));
1814 static int net_ads_dns_gethostbyname(struct net_context
*c
, int argc
, const char **argv
)
1816 #if defined(WITH_DNS_UPDATES)
1820 talloc_enable_leak_report();
1823 if (argc
!= 2 || c
->display_usage
) {
1828 _("net ads dns gethostbyname <server> <name>\n"),
1829 _(" Look up hostname from the AD\n"
1830 " server\tName server to use\n"
1831 " name\tName to look up\n"));
1835 err
= do_gethostbyname(argv
[0], argv
[1]);
1836 if (!ERR_DNS_IS_OK(err
)) {
1837 d_printf(_("do_gethostbyname returned %s (%d)\n"),
1838 dns_errstr(err
), ERROR_DNS_V(err
));
1844 static int net_ads_dns(struct net_context
*c
, int argc
, const char *argv
[])
1846 struct functable func
[] = {
1849 net_ads_dns_register
,
1851 N_("Add host dns entry to AD"),
1852 N_("net ads dns register\n"
1853 " Add host dns entry to AD")
1857 net_ads_dns_unregister
,
1859 N_("Remove host dns entry from AD"),
1860 N_("net ads dns unregister\n"
1861 " Remove host dns entry from AD")
1865 net_ads_dns_gethostbyname
,
1868 N_("net ads dns gethostbyname\n"
1871 {NULL
, NULL
, 0, NULL
, NULL
}
1874 return net_run_function(c
, argc
, argv
, "net ads dns", func
);
1877 /*******************************************************************
1878 ********************************************************************/
1880 int net_ads_printer_usage(struct net_context
*c
, int argc
, const char **argv
)
1883 "\nnet ads printer search <printer>"
1884 "\n\tsearch for a printer in the directory\n"
1885 "\nnet ads printer info <printer> <server>"
1886 "\n\tlookup info in directory for printer on server"
1887 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1888 "\nnet ads printer publish <printername>"
1889 "\n\tpublish printer in directory"
1890 "\n\t(note: printer name is required)\n"
1891 "\nnet ads printer remove <printername>"
1892 "\n\tremove printer from directory"
1893 "\n\t(note: printer name is required)\n"));
1897 /*******************************************************************
1898 ********************************************************************/
1900 static int net_ads_printer_search(struct net_context
*c
, int argc
, const char **argv
)
1904 LDAPMessage
*res
= NULL
;
1906 if (c
->display_usage
) {
1908 "net ads printer search\n"
1911 _("List printers in the AD"));
1915 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
1919 rc
= ads_find_printers(ads
, &res
);
1921 if (!ADS_ERR_OK(rc
)) {
1922 d_fprintf(stderr
, _("ads_find_printer: %s\n"), ads_errstr(rc
));
1923 ads_msgfree(ads
, res
);
1928 if (ads_count_replies(ads
, res
) == 0) {
1929 d_fprintf(stderr
, _("No results found\n"));
1930 ads_msgfree(ads
, res
);
1936 ads_msgfree(ads
, res
);
1941 static int net_ads_printer_info(struct net_context
*c
, int argc
, const char **argv
)
1945 const char *servername
, *printername
;
1946 LDAPMessage
*res
= NULL
;
1948 if (c
->display_usage
) {
1951 _("net ads printer info [printername [servername]]\n"
1952 " Display printer info from AD\n"
1953 " printername\tPrinter name or wildcard\n"
1954 " servername\tName of the print server\n"));
1958 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
1963 printername
= argv
[0];
1969 servername
= argv
[1];
1971 servername
= lp_netbios_name();
1974 rc
= ads_find_printer_on_server(ads
, &res
, printername
, servername
);
1976 if (!ADS_ERR_OK(rc
)) {
1977 d_fprintf(stderr
, _("Server '%s' not found: %s\n"),
1978 servername
, ads_errstr(rc
));
1979 ads_msgfree(ads
, res
);
1984 if (ads_count_replies(ads
, res
) == 0) {
1985 d_fprintf(stderr
, _("Printer '%s' not found\n"), printername
);
1986 ads_msgfree(ads
, res
);
1992 ads_msgfree(ads
, res
);
1998 static int net_ads_printer_publish(struct net_context
*c
, int argc
, const char **argv
)
2002 const char *servername
, *printername
;
2003 struct cli_state
*cli
= NULL
;
2004 struct rpc_pipe_client
*pipe_hnd
= NULL
;
2005 struct sockaddr_storage server_ss
;
2007 TALLOC_CTX
*mem_ctx
= talloc_init("net_ads_printer_publish");
2008 ADS_MODLIST mods
= ads_init_mods(mem_ctx
);
2009 char *prt_dn
, *srv_dn
, **srv_cn
;
2010 char *srv_cn_escaped
= NULL
, *printername_escaped
= NULL
;
2011 LDAPMessage
*res
= NULL
;
2014 if (argc
< 1 || c
->display_usage
) {
2017 _("net ads printer publish <printername> [servername]\n"
2018 " Publish printer in AD\n"
2019 " printername\tName of the printer\n"
2020 " servername\tName of the print server\n"));
2021 talloc_destroy(mem_ctx
);
2025 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
2026 talloc_destroy(mem_ctx
);
2030 printername
= argv
[0];
2033 servername
= argv
[1];
2035 servername
= lp_netbios_name();
2038 /* Get printer data from SPOOLSS */
2040 ok
= resolve_name(servername
, &server_ss
, 0x20, false);
2042 d_fprintf(stderr
, _("Could not find server %s\n"),
2045 talloc_destroy(mem_ctx
);
2049 nt_status
= cli_full_connection(&cli
, lp_netbios_name(), servername
,
2052 c
->opt_user_name
, c
->opt_workgroup
,
2053 c
->opt_password
? c
->opt_password
: "",
2054 CLI_FULL_CONNECTION_USE_KERBEROS
,
2055 SMB_SIGNING_IPC_DEFAULT
);
2057 if (NT_STATUS_IS_ERR(nt_status
)) {
2058 d_fprintf(stderr
, _("Unable to open a connection to %s to "
2059 "obtain data for %s\n"),
2060 servername
, printername
);
2062 talloc_destroy(mem_ctx
);
2066 /* Publish on AD server */
2068 ads_find_machine_acct(ads
, &res
, servername
);
2070 if (ads_count_replies(ads
, res
) == 0) {
2071 d_fprintf(stderr
, _("Could not find machine account for server "
2075 talloc_destroy(mem_ctx
);
2079 srv_dn
= ldap_get_dn((LDAP
*)ads
->ldap
.ld
, (LDAPMessage
*)res
);
2080 srv_cn
= ldap_explode_dn(srv_dn
, 1);
2082 srv_cn_escaped
= escape_rdn_val_string_alloc(srv_cn
[0]);
2083 printername_escaped
= escape_rdn_val_string_alloc(printername
);
2084 if (!srv_cn_escaped
|| !printername_escaped
) {
2085 SAFE_FREE(srv_cn_escaped
);
2086 SAFE_FREE(printername_escaped
);
2087 d_fprintf(stderr
, _("Internal error, out of memory!"));
2089 talloc_destroy(mem_ctx
);
2093 if (asprintf(&prt_dn
, "cn=%s-%s,%s", srv_cn_escaped
, printername_escaped
, srv_dn
) == -1) {
2094 SAFE_FREE(srv_cn_escaped
);
2095 SAFE_FREE(printername_escaped
);
2096 d_fprintf(stderr
, _("Internal error, out of memory!"));
2098 talloc_destroy(mem_ctx
);
2102 SAFE_FREE(srv_cn_escaped
);
2103 SAFE_FREE(printername_escaped
);
2105 nt_status
= cli_rpc_pipe_open_noauth(cli
, &ndr_table_spoolss
, &pipe_hnd
);
2106 if (!NT_STATUS_IS_OK(nt_status
)) {
2107 d_fprintf(stderr
, _("Unable to open a connection to the spoolss pipe on %s\n"),
2111 talloc_destroy(mem_ctx
);
2115 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd
, mem_ctx
, &mods
,
2119 talloc_destroy(mem_ctx
);
2123 rc
= ads_add_printer_entry(ads
, prt_dn
, mem_ctx
, &mods
);
2124 if (!ADS_ERR_OK(rc
)) {
2125 d_fprintf(stderr
, "ads_publish_printer: %s\n", ads_errstr(rc
));
2128 talloc_destroy(mem_ctx
);
2132 d_printf("published printer\n");
2135 talloc_destroy(mem_ctx
);
2140 static int net_ads_printer_remove(struct net_context
*c
, int argc
, const char **argv
)
2144 const char *servername
;
2146 LDAPMessage
*res
= NULL
;
2148 if (argc
< 1 || c
->display_usage
) {
2151 _("net ads printer remove <printername> [servername]\n"
2152 " Remove a printer from the AD\n"
2153 " printername\tName of the printer\n"
2154 " servername\tName of the print server\n"));
2158 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
2163 servername
= argv
[1];
2165 servername
= lp_netbios_name();
2168 rc
= ads_find_printer_on_server(ads
, &res
, argv
[0], servername
);
2170 if (!ADS_ERR_OK(rc
)) {
2171 d_fprintf(stderr
, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc
));
2172 ads_msgfree(ads
, res
);
2177 if (ads_count_replies(ads
, res
) == 0) {
2178 d_fprintf(stderr
, _("Printer '%s' not found\n"), argv
[1]);
2179 ads_msgfree(ads
, res
);
2184 prt_dn
= ads_get_dn(ads
, talloc_tos(), res
);
2185 ads_msgfree(ads
, res
);
2186 rc
= ads_del_dn(ads
, prt_dn
);
2187 TALLOC_FREE(prt_dn
);
2189 if (!ADS_ERR_OK(rc
)) {
2190 d_fprintf(stderr
, _("ads_del_dn: %s\n"), ads_errstr(rc
));
2199 static int net_ads_printer(struct net_context
*c
, int argc
, const char **argv
)
2201 struct functable func
[] = {
2204 net_ads_printer_search
,
2206 N_("Search for a printer"),
2207 N_("net ads printer search\n"
2208 " Search for a printer")
2212 net_ads_printer_info
,
2214 N_("Display printer information"),
2215 N_("net ads printer info\n"
2216 " Display printer information")
2220 net_ads_printer_publish
,
2222 N_("Publish a printer"),
2223 N_("net ads printer publish\n"
2224 " Publish a printer")
2228 net_ads_printer_remove
,
2230 N_("Delete a printer"),
2231 N_("net ads printer remove\n"
2232 " Delete a printer")
2234 {NULL
, NULL
, 0, NULL
, NULL
}
2237 return net_run_function(c
, argc
, argv
, "net ads printer", func
);
2241 static int net_ads_password(struct net_context
*c
, int argc
, const char **argv
)
2244 const char *auth_principal
= c
->opt_user_name
;
2245 const char *auth_password
= c
->opt_password
;
2246 const char *realm
= NULL
;
2247 const char *new_password
= NULL
;
2250 char pwd
[256] = {0};
2253 if (c
->display_usage
) {
2256 _("net ads password <username>\n"
2257 " Change password for user\n"
2258 " username\tName of user to change password for\n"));
2262 if (c
->opt_user_name
== NULL
|| c
->opt_password
== NULL
) {
2263 d_fprintf(stderr
, _("You must supply an administrator "
2264 "username/password\n"));
2269 d_fprintf(stderr
, _("ERROR: You must say which username to "
2270 "change password for\n"));
2275 if (!strchr_m(user
, '@')) {
2276 if (asprintf(&chr
, "%s@%s", argv
[0], lp_realm()) == -1) {
2282 use_in_memory_ccache();
2283 chr
= strchr_m(auth_principal
, '@');
2290 /* use the realm so we can eventually change passwords for users
2291 in realms other than default */
2292 if (!(ads
= ads_init(realm
, c
->opt_workgroup
, c
->opt_host
))) {
2296 /* we don't actually need a full connect, but it's the easy way to
2297 fill in the KDC's addresss */
2300 if (!ads
->config
.realm
) {
2301 d_fprintf(stderr
, _("Didn't find the kerberos server!\n"));
2307 new_password
= (const char *)argv
[1];
2311 if (asprintf(&prompt
, _("Enter new password for %s:"), user
) == -1) {
2314 rc
= samba_getpass(prompt
, pwd
, sizeof(pwd
), false, true);
2322 ret
= kerberos_set_password(ads
->auth
.kdc_server
, auth_principal
,
2323 auth_password
, user
, new_password
, ads
->auth
.time_offset
);
2324 memset(pwd
, '\0', sizeof(pwd
));
2325 if (!ADS_ERR_OK(ret
)) {
2326 d_fprintf(stderr
, _("Password change failed: %s\n"), ads_errstr(ret
));
2331 d_printf(_("Password change for %s completed.\n"), user
);
2337 int net_ads_changetrustpw(struct net_context
*c
, int argc
, const char **argv
)
2340 char *host_principal
;
2344 if (c
->display_usage
) {
2346 "net ads changetrustpw\n"
2349 _("Change the machine account's trust password"));
2353 if (!secrets_init()) {
2354 DEBUG(1,("Failed to initialise secrets database\n"));
2358 net_use_krb_machine_account(c
);
2360 use_in_memory_ccache();
2362 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
2366 fstrcpy(my_name
, lp_netbios_name());
2367 if (!strlower_m(my_name
)) {
2372 if (asprintf(&host_principal
, "%s$@%s", my_name
, ads
->config
.realm
) == -1) {
2376 d_printf(_("Changing password for principal: %s\n"), host_principal
);
2378 ret
= ads_change_trust_account_password(ads
, host_principal
);
2380 if (!ADS_ERR_OK(ret
)) {
2381 d_fprintf(stderr
, _("Password change failed: %s\n"), ads_errstr(ret
));
2383 SAFE_FREE(host_principal
);
2387 d_printf(_("Password change for principal %s succeeded.\n"), host_principal
);
2389 if (USE_SYSTEM_KEYTAB
) {
2390 d_printf(_("Attempting to update system keytab with new password.\n"));
2391 if (ads_keytab_create_default(ads
)) {
2392 d_printf(_("Failed to update system keytab.\n"));
2397 SAFE_FREE(host_principal
);
2403 help for net ads search
2405 static int net_ads_search_usage(struct net_context
*c
, int argc
, const char **argv
)
2408 "\nnet ads search <expression> <attributes...>\n"
2409 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2410 "The expression is a standard LDAP search expression, and the\n"
2411 "attributes are a list of LDAP fields to show in the results.\n\n"
2412 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2414 net_common_flags_usage(c
, argc
, argv
);
2420 general ADS search function. Useful in diagnosing problems in ADS
2422 static int net_ads_search(struct net_context
*c
, int argc
, const char **argv
)
2426 const char *ldap_exp
;
2428 LDAPMessage
*res
= NULL
;
2430 if (argc
< 1 || c
->display_usage
) {
2431 return net_ads_search_usage(c
, argc
, argv
);
2434 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
2441 rc
= ads_do_search_retry(ads
, ads
->config
.bind_path
,
2443 ldap_exp
, attrs
, &res
);
2444 if (!ADS_ERR_OK(rc
)) {
2445 d_fprintf(stderr
, _("search failed: %s\n"), ads_errstr(rc
));
2450 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads
, res
));
2452 /* dump the results */
2455 ads_msgfree(ads
, res
);
2463 help for net ads search
2465 static int net_ads_dn_usage(struct net_context
*c
, int argc
, const char **argv
)
2468 "\nnet ads dn <dn> <attributes...>\n"
2469 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2470 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2471 "to show in the results\n\n"
2472 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2473 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2475 net_common_flags_usage(c
, argc
, argv
);
2481 general ADS search function. Useful in diagnosing problems in ADS
2483 static int net_ads_dn(struct net_context
*c
, int argc
, const char **argv
)
2489 LDAPMessage
*res
= NULL
;
2491 if (argc
< 1 || c
->display_usage
) {
2492 return net_ads_dn_usage(c
, argc
, argv
);
2495 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
2502 rc
= ads_do_search_all(ads
, dn
,
2504 "(objectclass=*)", attrs
, &res
);
2505 if (!ADS_ERR_OK(rc
)) {
2506 d_fprintf(stderr
, _("search failed: %s\n"), ads_errstr(rc
));
2511 d_printf("Got %d replies\n\n", ads_count_replies(ads
, res
));
2513 /* dump the results */
2516 ads_msgfree(ads
, res
);
2523 help for net ads sid search
2525 static int net_ads_sid_usage(struct net_context
*c
, int argc
, const char **argv
)
2528 "\nnet ads sid <sid> <attributes...>\n"
2529 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2530 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2531 "to show in the results\n\n"
2532 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2534 net_common_flags_usage(c
, argc
, argv
);
2540 general ADS search function. Useful in diagnosing problems in ADS
2542 static int net_ads_sid(struct net_context
*c
, int argc
, const char **argv
)
2546 const char *sid_string
;
2548 LDAPMessage
*res
= NULL
;
2551 if (argc
< 1 || c
->display_usage
) {
2552 return net_ads_sid_usage(c
, argc
, argv
);
2555 if (!ADS_ERR_OK(ads_startup(c
, false, &ads
))) {
2559 sid_string
= argv
[0];
2562 if (!string_to_sid(&sid
, sid_string
)) {
2563 d_fprintf(stderr
, _("could not convert sid\n"));
2568 rc
= ads_search_retry_sid(ads
, &res
, &sid
, attrs
);
2569 if (!ADS_ERR_OK(rc
)) {
2570 d_fprintf(stderr
, _("search failed: %s\n"), ads_errstr(rc
));
2575 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads
, res
));
2577 /* dump the results */
2580 ads_msgfree(ads
, res
);
2586 static int net_ads_keytab_flush(struct net_context
*c
, int argc
, const char **argv
)
2591 if (c
->display_usage
) {
2593 "net ads keytab flush\n"
2596 _("Delete the whole keytab"));
2600 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
2603 ret
= ads_keytab_flush(ads
);
2608 static int net_ads_keytab_add(struct net_context
*c
,
2617 if (c
->display_usage
) {
2620 _("net ads keytab add <principal> [principal ...]\n"
2621 " Add principals to local keytab\n"
2622 " principal\tKerberos principal to add to "
2627 d_printf(_("Processing principals to add...\n"));
2628 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
2631 for (i
= 0; i
< argc
; i
++) {
2632 ret
|= ads_keytab_add_entry(ads
, argv
[i
], update_ads
);
2638 static int net_ads_keytab_add_default(struct net_context
*c
,
2642 return net_ads_keytab_add(c
, argc
, argv
, false);
2645 static int net_ads_keytab_add_update_ads(struct net_context
*c
,
2649 return net_ads_keytab_add(c
, argc
, argv
, true);
2652 static int net_ads_keytab_create(struct net_context
*c
, int argc
, const char **argv
)
2657 if (c
->display_usage
) {
2659 "net ads keytab create\n"
2662 _("Create new default keytab"));
2666 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
2669 ret
= ads_keytab_create_default(ads
);
2674 static int net_ads_keytab_list(struct net_context
*c
, int argc
, const char **argv
)
2676 const char *keytab
= NULL
;
2678 if (c
->display_usage
) {
2681 _("net ads keytab list [keytab]\n"
2682 " List a local keytab\n"
2683 " keytab\tKeytab to list\n"));
2691 return ads_keytab_list(keytab
);
2695 int net_ads_keytab(struct net_context
*c
, int argc
, const char **argv
)
2697 struct functable func
[] = {
2700 net_ads_keytab_add_default
,
2702 N_("Add a service principal"),
2703 N_("net ads keytab add\n"
2704 " Add a service principal, updates keytab file only.")
2708 net_ads_keytab_add_update_ads
,
2710 N_("Add a service principal"),
2711 N_("net ads keytab add_update_ads\n"
2712 " Add a service principal, depending on the param passed may update ADS computer object in addition to the keytab file.")
2716 net_ads_keytab_create
,
2718 N_("Create a fresh keytab"),
2719 N_("net ads keytab create\n"
2720 " Create a fresh keytab or update exising one.")
2724 net_ads_keytab_flush
,
2726 N_("Remove all keytab entries"),
2727 N_("net ads keytab flush\n"
2728 " Remove all keytab entries")
2732 net_ads_keytab_list
,
2734 N_("List a keytab"),
2735 N_("net ads keytab list\n"
2738 {NULL
, NULL
, 0, NULL
, NULL
}
2741 if (!USE_KERBEROS_KEYTAB
) {
2742 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2743 "keytab method to use keytab functions.\n"));
2746 return net_run_function(c
, argc
, argv
, "net ads keytab", func
);
2749 static int net_ads_kerberos_renew(struct net_context
*c
, int argc
, const char **argv
)
2753 if (c
->display_usage
) {
2755 "net ads kerberos renew\n"
2758 _("Renew TGT from existing credential cache"));
2762 ret
= smb_krb5_renew_ticket(NULL
, NULL
, NULL
, NULL
);
2764 d_printf(_("failed to renew kerberos ticket: %s\n"),
2765 error_message(ret
));
2770 static int net_ads_kerberos_pac_common(struct net_context
*c
, int argc
, const char **argv
,
2771 struct PAC_DATA_CTR
**pac_data_ctr
)
2775 const char *impersonate_princ_s
= NULL
;
2776 const char *local_service
= NULL
;
2779 for (i
=0; i
<argc
; i
++) {
2780 if (strnequal(argv
[i
], "impersonate", strlen("impersonate"))) {
2781 impersonate_princ_s
= get_string_param(argv
[i
]);
2782 if (impersonate_princ_s
== NULL
) {
2786 if (strnequal(argv
[i
], "local_service", strlen("local_service"))) {
2787 local_service
= get_string_param(argv
[i
]);
2788 if (local_service
== NULL
) {
2794 if (local_service
== NULL
) {
2795 local_service
= talloc_asprintf(c
, "%s$@%s",
2796 lp_netbios_name(), lp_realm());
2797 if (local_service
== NULL
) {
2802 c
->opt_password
= net_prompt_pass(c
, c
->opt_user_name
);
2804 status
= kerberos_return_pac(c
,
2813 2592000, /* one month */
2814 impersonate_princ_s
,
2817 if (!NT_STATUS_IS_OK(status
)) {
2818 d_printf(_("failed to query kerberos PAC: %s\n"),
2828 static int net_ads_kerberos_pac_dump(struct net_context
*c
, int argc
, const char **argv
)
2830 struct PAC_DATA_CTR
*pac_data_ctr
= NULL
;
2833 enum PAC_TYPE type
= 0;
2835 if (c
->display_usage
) {
2837 "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
2840 _("Dump the Kerberos PAC"));
2844 for (i
=0; i
<argc
; i
++) {
2845 if (strnequal(argv
[i
], "pac_buffer_type", strlen("pac_buffer_type"))) {
2846 type
= get_int_param(argv
[i
]);
2850 ret
= net_ads_kerberos_pac_common(c
, argc
, argv
, &pac_data_ctr
);
2859 s
= NDR_PRINT_STRUCT_STRING(c
, PAC_DATA
,
2860 pac_data_ctr
->pac_data
);
2862 d_printf(_("The Pac: %s\n"), s
);
2869 for (i
=0; i
< pac_data_ctr
->pac_data
->num_buffers
; i
++) {
2873 if (pac_data_ctr
->pac_data
->buffers
[i
].type
!= type
) {
2877 s
= NDR_PRINT_UNION_STRING(c
, PAC_INFO
, type
,
2878 pac_data_ctr
->pac_data
->buffers
[i
].info
);
2880 d_printf(_("The Pac: %s\n"), s
);
2889 static int net_ads_kerberos_pac_save(struct net_context
*c
, int argc
, const char **argv
)
2891 struct PAC_DATA_CTR
*pac_data_ctr
= NULL
;
2892 char *filename
= NULL
;
2896 if (c
->display_usage
) {
2898 "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
2901 _("Save the Kerberos PAC"));
2905 for (i
=0; i
<argc
; i
++) {
2906 if (strnequal(argv
[i
], "filename", strlen("filename"))) {
2907 filename
= get_string_param(argv
[i
]);
2908 if (filename
== NULL
) {
2914 ret
= net_ads_kerberos_pac_common(c
, argc
, argv
, &pac_data_ctr
);
2919 if (filename
== NULL
) {
2920 d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
2924 /* save the raw format */
2925 if (!file_save(filename
, pac_data_ctr
->pac_blob
.data
, pac_data_ctr
->pac_blob
.length
)) {
2926 d_printf(_("failed to save PAC in %s\n"), filename
);
2933 static int net_ads_kerberos_pac(struct net_context
*c
, int argc
, const char **argv
)
2935 struct functable func
[] = {
2938 net_ads_kerberos_pac_dump
,
2940 N_("Dump Kerberos PAC"),
2941 N_("net ads kerberos pac dump\n"
2942 " Dump a Kerberos PAC to stdout")
2946 net_ads_kerberos_pac_save
,
2948 N_("Save Kerberos PAC"),
2949 N_("net ads kerberos pac save\n"
2950 " Save a Kerberos PAC in a file")
2953 {NULL
, NULL
, 0, NULL
, NULL
}
2956 return net_run_function(c
, argc
, argv
, "net ads kerberos pac", func
);
2959 static int net_ads_kerberos_kinit(struct net_context
*c
, int argc
, const char **argv
)
2961 TALLOC_CTX
*mem_ctx
= NULL
;
2965 if (c
->display_usage
) {
2967 "net ads kerberos kinit\n"
2970 _("Get Ticket Granting Ticket (TGT) for the user"));
2974 mem_ctx
= talloc_init("net_ads_kerberos_kinit");
2979 c
->opt_password
= net_prompt_pass(c
, c
->opt_user_name
);
2981 ret
= kerberos_kinit_password_ext(c
->opt_user_name
,
2989 2592000, /* one month */
2992 d_printf(_("failed to kinit password: %s\n"),
2999 int net_ads_kerberos(struct net_context
*c
, int argc
, const char **argv
)
3001 struct functable func
[] = {
3004 net_ads_kerberos_kinit
,
3006 N_("Retrieve Ticket Granting Ticket (TGT)"),
3007 N_("net ads kerberos kinit\n"
3008 " Receive Ticket Granting Ticket (TGT)")
3012 net_ads_kerberos_renew
,
3014 N_("Renew Ticket Granting Ticket from credential cache"),
3015 N_("net ads kerberos renew\n"
3016 " Renew Ticket Granting Ticket (TGT) from "
3021 net_ads_kerberos_pac
,
3023 N_("Dump Kerberos PAC"),
3024 N_("net ads kerberos pac\n"
3025 " Dump Kerberos PAC")
3027 {NULL
, NULL
, 0, NULL
, NULL
}
3030 return net_run_function(c
, argc
, argv
, "net ads kerberos", func
);
3033 static int net_ads_setspn_list(struct net_context
*c
, int argc
, const char **argv
)
3037 ADS_STRUCT
*ads
= NULL
;
3038 if (c
->display_usage
) {
3041 _("net ads setspn list <machinename>\n"));
3045 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
3050 ok
= ads_setspn_list(ads
, argv
[0]);
3052 ok
= ads_setspn_list(ads
, lp_netbios_name());
3064 static int net_ads_setspn_add(struct net_context
*c
, int argc
, const char **argv
)
3068 ADS_STRUCT
*ads
= NULL
;
3069 if (c
->display_usage
|| argc
< 1) {
3072 _("net ads setspn add <machinename> SPN\n"));
3076 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
3081 ok
= ads_setspn_add(ads
, argv
[0], argv
[1]);
3083 ok
= ads_setspn_add(ads
, lp_netbios_name(), argv
[0]);
3095 static int net_ads_setspn_delete(struct net_context
*c
, int argc
, const char **argv
)
3099 ADS_STRUCT
*ads
= NULL
;
3100 if (c
->display_usage
|| argc
< 1) {
3103 _("net ads setspn delete <machinename> SPN\n"));
3107 if (!ADS_ERR_OK(ads_startup(c
, true, &ads
))) {
3112 ok
= ads_setspn_delete(ads
, argv
[0], argv
[1]);
3114 ok
= ads_setspn_delete(ads
, lp_netbios_name(), argv
[0]);
3126 int net_ads_setspn(struct net_context
*c
, int argc
, const char **argv
)
3128 struct functable func
[] = {
3131 net_ads_setspn_list
,
3133 N_("List Service Principal Names (SPN)"),
3134 N_("net ads setspn list machine\n"
3135 " List Service Principal Names (SPN)")
3141 N_("Add Service Principal Names (SPN)"),
3142 N_("net ads setspn add machine spn\n"
3143 " Add Service Principal Names (SPN)")
3147 net_ads_setspn_delete
,
3149 N_("Delete Service Principal Names (SPN)"),
3150 N_("net ads setspn delete machine spn\n"
3151 " Delete Service Principal Names (SPN)")
3153 {NULL
, NULL
, 0, NULL
, NULL
}
3156 return net_run_function(c
, argc
, argv
, "net ads setspn", func
);
3159 static int net_ads_enctype_lookup_account(struct net_context
*c
,
3161 const char *account
,
3163 const char **enctype_str
)
3166 const char *attrs
[] = {
3167 "msDS-SupportedEncryptionTypes",
3174 filter
= talloc_asprintf(c
, "(&(objectclass=user)(sAMAccountName=%s))",
3176 if (filter
== NULL
) {
3180 status
= ads_search(ads
, res
, filter
, attrs
);
3181 if (!ADS_ERR_OK(status
)) {
3182 d_printf(_("no account found with filter: %s\n"), filter
);
3186 count
= ads_count_replies(ads
, *res
);
3191 d_printf(_("no account found with filter: %s\n"), filter
);
3194 d_printf(_("multiple accounts found with filter: %s\n"), filter
);
3199 *enctype_str
= ads_pull_string(ads
, c
, *res
,
3200 "msDS-SupportedEncryptionTypes");
3201 if (*enctype_str
== NULL
) {
3202 d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
3212 static void net_ads_enctype_dump_enctypes(const char *username
,
3213 const char *enctype_str
)
3215 int enctypes
= atoi(enctype_str
);
3217 d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\": %d (0x%08x)\n"),
3218 username
, enctypes
, enctypes
);
3220 printf("[%s] 0x%08x DES-CBC-CRC\n",
3221 enctypes
& ENC_CRC32
? "X" : " ",
3223 printf("[%s] 0x%08x DES-CBC-MD5\n",
3224 enctypes
& ENC_RSA_MD5
? "X" : " ",
3226 printf("[%s] 0x%08x RC4-HMAC\n",
3227 enctypes
& ENC_RC4_HMAC_MD5
? "X" : " ",
3229 printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
3230 enctypes
& ENC_HMAC_SHA1_96_AES128
? "X" : " ",
3231 ENC_HMAC_SHA1_96_AES128
);
3232 printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
3233 enctypes
& ENC_HMAC_SHA1_96_AES256
? "X" : " ",
3234 ENC_HMAC_SHA1_96_AES256
);
3237 static int net_ads_enctypes_list(struct net_context
*c
, int argc
, const char **argv
)
3241 ADS_STRUCT
*ads
= NULL
;
3242 LDAPMessage
*res
= NULL
;
3243 const char *str
= NULL
;
3245 if (c
->display_usage
|| (argc
< 1)) {
3247 "net ads enctypes list\n"
3250 _("List supported enctypes"));
3254 status
= ads_startup(c
, false, &ads
);
3255 if (!ADS_ERR_OK(status
)) {
3256 printf("startup failed\n");
3260 ret
= net_ads_enctype_lookup_account(c
, ads
, argv
[0], &res
, &str
);
3265 net_ads_enctype_dump_enctypes(argv
[0], str
);
3269 ads_msgfree(ads
, res
);
3275 static int net_ads_enctypes_set(struct net_context
*c
, int argc
, const char **argv
)
3280 LDAPMessage
*res
= NULL
;
3281 const char *etype_list_str
;
3284 uint32_t etype_list
;
3287 if (c
->display_usage
|| argc
< 1) {
3289 "net ads enctypes set <sAMAccountName> [enctypes]\n"
3292 _("Set supported enctypes"));
3296 status
= ads_startup(c
, false, &ads
);
3297 if (!ADS_ERR_OK(status
)) {
3298 printf("startup failed\n");
3302 ret
= net_ads_enctype_lookup_account(c
, ads
, argv
[0], &res
, NULL
);
3307 dn
= ads_get_dn(ads
, c
, res
);
3312 etype_list
= ENC_CRC32
| ENC_RSA_MD5
| ENC_RC4_HMAC_MD5
;
3313 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
3314 etype_list
|= ENC_HMAC_SHA1_96_AES128
;
3316 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
3317 etype_list
|= ENC_HMAC_SHA1_96_AES256
;
3320 if (argv
[1] != NULL
) {
3321 sscanf(argv
[1], "%i", &etype_list
);
3324 etype_list_str
= talloc_asprintf(c
, "%d", etype_list
);
3325 if (!etype_list_str
) {
3329 mods
= ads_init_mods(c
);
3334 status
= ads_mod_str(c
, &mods
, "msDS-SupportedEncryptionTypes",
3336 if (!ADS_ERR_OK(status
)) {
3340 status
= ads_gen_mod(ads
, dn
, mods
);
3341 if (!ADS_ERR_OK(status
)) {
3342 d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
3343 ads_errstr(status
));
3347 ads_msgfree(ads
, res
);
3349 ret
= net_ads_enctype_lookup_account(c
, ads
, argv
[0], &res
, &str
);
3354 net_ads_enctype_dump_enctypes(argv
[0], str
);
3358 ads_msgfree(ads
, res
);
3364 static int net_ads_enctypes_delete(struct net_context
*c
, int argc
, const char **argv
)
3369 LDAPMessage
*res
= NULL
;
3373 if (c
->display_usage
|| argc
< 1) {
3375 "net ads enctypes delete <sAMAccountName>\n"
3378 _("Delete supported enctypes"));
3382 status
= ads_startup(c
, false, &ads
);
3383 if (!ADS_ERR_OK(status
)) {
3384 printf("startup failed\n");
3388 ret
= net_ads_enctype_lookup_account(c
, ads
, argv
[0], &res
, NULL
);
3393 dn
= ads_get_dn(ads
, c
, res
);
3398 mods
= ads_init_mods(c
);
3403 status
= ads_mod_str(c
, &mods
, "msDS-SupportedEncryptionTypes", NULL
);
3404 if (!ADS_ERR_OK(status
)) {
3408 status
= ads_gen_mod(ads
, dn
, mods
);
3409 if (!ADS_ERR_OK(status
)) {
3410 d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
3411 ads_errstr(status
));
3418 ads_msgfree(ads
, res
);
3423 static int net_ads_enctypes(struct net_context
*c
, int argc
, const char **argv
)
3425 struct functable func
[] = {
3428 net_ads_enctypes_list
,
3430 N_("List the supported encryption types"),
3431 N_("net ads enctypes list\n"
3432 " List the supported encryption types")
3436 net_ads_enctypes_set
,
3438 N_("Set the supported encryption types"),
3439 N_("net ads enctypes set\n"
3440 " Set the supported encryption types")
3444 net_ads_enctypes_delete
,
3446 N_("Delete the supported encryption types"),
3447 N_("net ads enctypes delete\n"
3448 " Delete the supported encryption types")
3451 {NULL
, NULL
, 0, NULL
, NULL
}
3454 return net_run_function(c
, argc
, argv
, "net ads enctypes", func
);
3458 int net_ads(struct net_context
*c
, int argc
, const char **argv
)
3460 struct functable func
[] = {
3465 N_("Display details on remote ADS server"),
3467 " Display details on remote ADS server")
3473 N_("Join the local machine to ADS realm"),
3475 " Join the local machine to ADS realm")
3481 N_("Validate machine account"),
3482 N_("net ads testjoin\n"
3483 " Validate machine account")
3489 N_("Remove the local machine from ADS"),
3490 N_("net ads leave\n"
3491 " Remove the local machine from ADS")
3497 N_("Display machine account details"),
3498 N_("net ads status\n"
3499 " Display machine account details")
3505 N_("List/modify users"),
3507 " List/modify users")
3513 N_("List/modify groups"),
3514 N_("net ads group\n"
3515 " List/modify groups")
3521 N_("Issue dynamic DNS update"),
3523 " Issue dynamic DNS update")
3529 N_("Change user passwords"),
3530 N_("net ads password\n"
3531 " Change user passwords")
3535 net_ads_changetrustpw
,
3537 N_("Change trust account password"),
3538 N_("net ads changetrustpw\n"
3539 " Change trust account password")
3545 N_("List/modify printer entries"),
3546 N_("net ads printer\n"
3547 " List/modify printer entries")
3553 N_("Issue LDAP search using filter"),
3554 N_("net ads search\n"
3555 " Issue LDAP search using filter")
3561 N_("Issue LDAP search by DN"),
3563 " Issue LDAP search by DN")
3569 N_("Issue LDAP search by SID"),
3571 " Issue LDAP search by SID")
3577 N_("Display workgroup name"),
3578 N_("net ads workgroup\n"
3579 " Display the workgroup name")
3585 N_("Perform CLDAP query on DC"),
3586 N_("net ads lookup\n"
3587 " Find the ADS DC using CLDAP lookups")
3593 N_("Manage local keytab file"),
3594 N_("net ads keytab\n"
3595 " Manage local keytab file")
3601 N_("Manage Service Principal Names (SPN)s"),
3602 N_("net ads spnset\n"
3603 " Manage Service Principal Names (SPN)s")
3609 N_("Manage group policy objects"),
3611 " Manage group policy objects")
3617 N_("Manage kerberos keytab"),
3618 N_("net ads kerberos\n"
3619 " Manage kerberos keytab")
3625 N_("List/modify supported encryption types"),
3626 N_("net ads enctypes\n"
3627 " List/modify enctypes")
3629 {NULL
, NULL
, 0, NULL
, NULL
}
3632 return net_run_function(c
, argc
, argv
, "net ads", func
);
3637 static int net_ads_noads(void)
3639 d_fprintf(stderr
, _("ADS support not compiled in\n"));
3643 int net_ads_keytab(struct net_context
*c
, int argc
, const char **argv
)
3645 return net_ads_noads();
3648 int net_ads_kerberos(struct net_context
*c
, int argc
, const char **argv
)
3650 return net_ads_noads();
3653 int net_ads_setspn(struct net_context
*c
, int argc
, const char **argv
)
3655 return net_ads_noads();
3658 int net_ads_changetrustpw(struct net_context
*c
, int argc
, const char **argv
)
3660 return net_ads_noads();
3663 int net_ads_join(struct net_context
*c
, int argc
, const char **argv
)
3665 return net_ads_noads();
3668 int net_ads_user(struct net_context
*c
, int argc
, const char **argv
)
3670 return net_ads_noads();
3673 int net_ads_group(struct net_context
*c
, int argc
, const char **argv
)
3675 return net_ads_noads();
3678 int net_ads_gpo(struct net_context
*c
, int argc
, const char **argv
)
3680 return net_ads_noads();
3683 /* this one shouldn't display a message */
3684 int net_ads_check(struct net_context
*c
)
3689 int net_ads_check_our_domain(struct net_context
*c
)
3694 int net_ads(struct net_context
*c
, int argc
, const char **argv
)
3696 return net_ads_noads();
3699 #endif /* HAVE_ADS */