s3-docs: overrided -> overridden
[Samba.git] / source3 / utils / net_ads.c
blob381393ebad2d0d2a59a760b58f78150949921575
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "librpc/gen_ndr/ndr_krb5pac.h"
27 #include "../librpc/gen_ndr/ndr_spoolss.h"
28 #include "nsswitch/libwbclient/wbclient.h"
29 #include "ads.h"
30 #include "libads/cldap.h"
31 #include "libads/dns.h"
32 #include "../libds/common/flags.h"
33 #include "librpc/gen_ndr/libnet_join.h"
34 #include "libnet/libnet_join.h"
35 #include "smb_krb5.h"
36 #include "secrets.h"
37 #include "krb5_env.h"
38 #include "../libcli/security/security.h"
39 #include "libsmb/libsmb.h"
41 #ifdef HAVE_ADS
43 /* when we do not have sufficient input parameters to contact a remote domain
44 * we always fall back to our own realm - Guenther*/
46 static const char *assume_own_realm(struct net_context *c)
48 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
49 return lp_realm();
52 return NULL;
56 do a cldap netlogon query
58 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
60 char addr[INET6_ADDRSTRLEN];
61 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
63 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
65 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
66 d_fprintf(stderr, _("CLDAP query failed!\n"));
67 return -1;
70 d_printf(_("Information for Domain Controller: %s\n\n"),
71 addr);
73 d_printf(_("Response Type: "));
74 switch (reply.command) {
75 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
76 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
77 break;
78 case LOGON_SAM_LOGON_RESPONSE_EX:
79 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
80 break;
81 default:
82 d_printf("0x%x\n", reply.command);
83 break;
86 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
88 d_printf(_("Flags:\n"
89 "\tIs a PDC: %s\n"
90 "\tIs a GC of the forest: %s\n"
91 "\tIs an LDAP server: %s\n"
92 "\tSupports DS: %s\n"
93 "\tIs running a KDC: %s\n"
94 "\tIs running time services: %s\n"
95 "\tIs the closest DC: %s\n"
96 "\tIs writable: %s\n"
97 "\tHas a hardware clock: %s\n"
98 "\tIs a non-domain NC serviced by LDAP server: %s\n"
99 "\tIs NT6 DC that has some secrets: %s\n"
100 "\tIs NT6 DC that has all secrets: %s\n"),
101 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
102 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
103 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
104 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
105 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
106 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
107 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
108 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
109 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
110 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
111 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
112 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
115 printf(_("Forest:\t\t\t%s\n"), reply.forest);
116 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
117 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
119 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain_name);
120 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
122 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
124 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
125 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
127 d_printf(_("NT Version: %d\n"), reply.nt_version);
128 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
129 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
131 return 0;
135 this implements the CLDAP based netlogon lookup requests
136 for finding the domain controller of a ADS domain
138 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
140 ADS_STRUCT *ads;
141 int ret;
143 if (c->display_usage) {
144 d_printf("%s\n"
145 "net ads lookup\n"
146 " %s",
147 _("Usage:"),
148 _("Find the ADS DC using CLDAP lookup.\n"));
149 return 0;
152 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
153 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
154 ads_destroy(&ads);
155 return -1;
158 if (!ads->config.realm) {
159 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
160 ads->ldap.port = 389;
163 ret = net_ads_cldap_netlogon(c, ads);
164 ads_destroy(&ads);
165 return ret;
170 static int net_ads_info(struct net_context *c, int argc, const char **argv)
172 ADS_STRUCT *ads;
173 char addr[INET6_ADDRSTRLEN];
175 if (c->display_usage) {
176 d_printf("%s\n"
177 "net ads info\n"
178 " %s",
179 _("Usage:"),
180 _("Display information about an Active Directory "
181 "server.\n"));
182 return 0;
185 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
186 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
187 return -1;
190 if (!ads || !ads->config.realm) {
191 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
192 ads_destroy(&ads);
193 return -1;
196 /* Try to set the server's current time since we didn't do a full
197 TCP LDAP session initially */
199 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
200 d_fprintf( stderr, _("Failed to get server's current time!\n"));
203 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
205 d_printf(_("LDAP server: %s\n"), addr);
206 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
207 d_printf(_("Realm: %s\n"), ads->config.realm);
208 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
209 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
210 d_printf(_("Server time: %s\n"),
211 http_timestring(talloc_tos(), ads->config.current_time));
213 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
214 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
216 ads_destroy(&ads);
217 return 0;
220 static void use_in_memory_ccache(void) {
221 /* Use in-memory credentials cache so we do not interfere with
222 * existing credentials */
223 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
226 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
227 uint32 auth_flags, ADS_STRUCT **ads_ret)
229 ADS_STRUCT *ads = NULL;
230 ADS_STATUS status;
231 bool need_password = false;
232 bool second_time = false;
233 char *cp;
234 const char *realm = NULL;
235 bool tried_closest_dc = false;
237 /* lp_realm() should be handled by a command line param,
238 However, the join requires that realm be set in smb.conf
239 and compares our realm with the remote server's so this is
240 ok until someone needs more flexibility */
242 *ads_ret = NULL;
244 retry_connect:
245 if (only_own_domain) {
246 realm = lp_realm();
247 } else {
248 realm = assume_own_realm(c);
251 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
253 if (!c->opt_user_name) {
254 c->opt_user_name = "administrator";
257 if (c->opt_user_specified) {
258 need_password = true;
261 retry:
262 if (!c->opt_password && need_password && !c->opt_machine_pass) {
263 c->opt_password = net_prompt_pass(c, c->opt_user_name);
264 if (!c->opt_password) {
265 ads_destroy(&ads);
266 return ADS_ERROR(LDAP_NO_MEMORY);
270 if (c->opt_password) {
271 use_in_memory_ccache();
272 SAFE_FREE(ads->auth.password);
273 ads->auth.password = smb_xstrdup(c->opt_password);
276 ads->auth.flags |= auth_flags;
277 SAFE_FREE(ads->auth.user_name);
278 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
281 * If the username is of the form "name@realm",
282 * extract the realm and convert to upper case.
283 * This is only used to establish the connection.
285 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
286 *cp++ = '\0';
287 SAFE_FREE(ads->auth.realm);
288 ads->auth.realm = smb_xstrdup(cp);
289 strupper_m(ads->auth.realm);
292 status = ads_connect(ads);
294 if (!ADS_ERR_OK(status)) {
296 if (NT_STATUS_EQUAL(ads_ntstatus(status),
297 NT_STATUS_NO_LOGON_SERVERS)) {
298 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
299 ads_destroy(&ads);
300 return status;
303 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
304 need_password = true;
305 second_time = true;
306 goto retry;
307 } else {
308 ads_destroy(&ads);
309 return status;
313 /* when contacting our own domain, make sure we use the closest DC.
314 * This is done by reconnecting to ADS because only the first call to
315 * ads_connect will give us our own sitename */
317 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
319 tried_closest_dc = true; /* avoid loop */
321 if (!ads_closest_dc(ads)) {
323 namecache_delete(ads->server.realm, 0x1C);
324 namecache_delete(ads->server.workgroup, 0x1C);
326 ads_destroy(&ads);
327 ads = NULL;
329 goto retry_connect;
333 *ads_ret = ads;
334 return status;
337 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
339 return ads_startup_int(c, only_own_domain, 0, ads);
342 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
344 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
348 Check to see if connection can be made via ads.
349 ads_startup() stores the password in opt_password if it needs to so
350 that rpc or rap can use it without re-prompting.
352 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
354 ADS_STRUCT *ads;
355 ADS_STATUS status;
357 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
358 return -1;
361 ads->auth.flags |= ADS_AUTH_NO_BIND;
363 status = ads_connect(ads);
364 if ( !ADS_ERR_OK(status) ) {
365 return -1;
368 ads_destroy(&ads);
369 return 0;
372 int net_ads_check_our_domain(struct net_context *c)
374 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
377 int net_ads_check(struct net_context *c)
379 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
383 determine the netbios workgroup name for a domain
385 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
387 ADS_STRUCT *ads;
388 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
390 if (c->display_usage) {
391 d_printf ("%s\n"
392 "net ads workgroup\n"
393 " %s\n",
394 _("Usage:"),
395 _("Print the workgroup name"));
396 return 0;
399 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
400 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
401 return -1;
404 if (!ads->config.realm) {
405 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
406 ads->ldap.port = 389;
409 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
410 d_fprintf(stderr, _("CLDAP query failed!\n"));
411 ads_destroy(&ads);
412 return -1;
415 d_printf(_("Workgroup: %s\n"), reply.domain_name);
417 ads_destroy(&ads);
419 return 0;
424 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
426 char **disp_fields = (char **) data_area;
428 if (!field) { /* must be end of record */
429 if (disp_fields[0]) {
430 if (!strchr_m(disp_fields[0], '$')) {
431 if (disp_fields[1])
432 d_printf("%-21.21s %s\n",
433 disp_fields[0], disp_fields[1]);
434 else
435 d_printf("%s\n", disp_fields[0]);
438 SAFE_FREE(disp_fields[0]);
439 SAFE_FREE(disp_fields[1]);
440 return true;
442 if (!values) /* must be new field, indicate string field */
443 return true;
444 if (strcasecmp_m(field, "sAMAccountName") == 0) {
445 disp_fields[0] = SMB_STRDUP((char *) values[0]);
447 if (strcasecmp_m(field, "description") == 0)
448 disp_fields[1] = SMB_STRDUP((char *) values[0]);
449 return true;
452 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
454 return net_user_usage(c, argc, argv);
457 static int ads_user_add(struct net_context *c, int argc, const char **argv)
459 ADS_STRUCT *ads;
460 ADS_STATUS status;
461 char *upn, *userdn;
462 LDAPMessage *res=NULL;
463 int rc = -1;
464 char *ou_str = NULL;
466 if (argc < 1 || c->display_usage)
467 return net_ads_user_usage(c, argc, argv);
469 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
470 return -1;
473 status = ads_find_user_acct(ads, &res, argv[0]);
475 if (!ADS_ERR_OK(status)) {
476 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
477 goto done;
480 if (ads_count_replies(ads, res)) {
481 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
482 argv[0]);
483 goto done;
486 if (c->opt_container) {
487 ou_str = SMB_STRDUP(c->opt_container);
488 } else {
489 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
492 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
494 if (!ADS_ERR_OK(status)) {
495 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
496 ads_errstr(status));
497 goto done;
500 /* if no password is to be set, we're done */
501 if (argc == 1) {
502 d_printf(_("User %s added\n"), argv[0]);
503 rc = 0;
504 goto done;
507 /* try setting the password */
508 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
509 goto done;
511 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
512 ads->auth.time_offset);
513 SAFE_FREE(upn);
514 if (ADS_ERR_OK(status)) {
515 d_printf(_("User %s added\n"), argv[0]);
516 rc = 0;
517 goto done;
520 /* password didn't set, delete account */
521 d_fprintf(stderr, _("Could not add user %s. "
522 "Error setting password %s\n"),
523 argv[0], ads_errstr(status));
524 ads_msgfree(ads, res);
525 status=ads_find_user_acct(ads, &res, argv[0]);
526 if (ADS_ERR_OK(status)) {
527 userdn = ads_get_dn(ads, talloc_tos(), res);
528 ads_del_dn(ads, userdn);
529 TALLOC_FREE(userdn);
532 done:
533 if (res)
534 ads_msgfree(ads, res);
535 ads_destroy(&ads);
536 SAFE_FREE(ou_str);
537 return rc;
540 static int ads_user_info(struct net_context *c, int argc, const char **argv)
542 ADS_STRUCT *ads = NULL;
543 ADS_STATUS rc;
544 LDAPMessage *res = NULL;
545 TALLOC_CTX *frame;
546 int ret = 0;
547 wbcErr wbc_status;
548 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
549 char *searchstring=NULL;
550 char **grouplist;
551 char *primary_group;
552 char *escaped_user;
553 struct dom_sid primary_group_sid;
554 uint32_t group_rid;
555 enum wbcSidType type;
557 if (argc < 1 || c->display_usage) {
558 return net_ads_user_usage(c, argc, argv);
561 frame = talloc_new(talloc_tos());
562 if (frame == NULL) {
563 return -1;
566 escaped_user = escape_ldap_string(frame, argv[0]);
567 if (!escaped_user) {
568 d_fprintf(stderr,
569 _("ads_user_info: failed to escape user %s\n"),
570 argv[0]);
571 return -1;
574 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
575 ret = -1;
576 goto error;
579 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
580 ret =-1;
581 goto error;
583 rc = ads_search(ads, &res, searchstring, attrs);
584 SAFE_FREE(searchstring);
586 if (!ADS_ERR_OK(rc)) {
587 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
588 ret = -1;
589 goto error;
592 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
593 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
594 ret = -1;
595 goto error;
598 rc = ads_domain_sid(ads, &primary_group_sid);
599 if (!ADS_ERR_OK(rc)) {
600 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
601 ret = -1;
602 goto error;
605 sid_append_rid(&primary_group_sid, group_rid);
607 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
608 NULL, /* don't look up domain */
609 &primary_group,
610 &type);
611 if (!WBC_ERROR_IS_OK(wbc_status)) {
612 d_fprintf(stderr, "wbcLookupSid: %s\n",
613 wbcErrorString(wbc_status));
614 ret = -1;
615 goto error;
618 d_printf("%s\n", primary_group);
620 wbcFreeMemory(primary_group);
622 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
623 (LDAPMessage *)res, "memberOf");
625 if (grouplist) {
626 int i;
627 char **groupname;
628 for (i=0;grouplist[i];i++) {
629 groupname = ldap_explode_dn(grouplist[i], 1);
630 d_printf("%s\n", groupname[0]);
631 ldap_value_free(groupname);
633 ldap_value_free(grouplist);
636 error:
637 if (res) ads_msgfree(ads, res);
638 if (ads) ads_destroy(&ads);
639 TALLOC_FREE(frame);
640 return ret;
643 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
645 ADS_STRUCT *ads;
646 ADS_STATUS rc;
647 LDAPMessage *res = NULL;
648 char *userdn;
650 if (argc < 1) {
651 return net_ads_user_usage(c, argc, argv);
654 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
655 return -1;
658 rc = ads_find_user_acct(ads, &res, argv[0]);
659 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
660 d_printf(_("User %s does not exist.\n"), argv[0]);
661 ads_msgfree(ads, res);
662 ads_destroy(&ads);
663 return -1;
665 userdn = ads_get_dn(ads, talloc_tos(), res);
666 ads_msgfree(ads, res);
667 rc = ads_del_dn(ads, userdn);
668 TALLOC_FREE(userdn);
669 if (ADS_ERR_OK(rc)) {
670 d_printf(_("User %s deleted\n"), argv[0]);
671 ads_destroy(&ads);
672 return 0;
674 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
675 ads_errstr(rc));
676 ads_destroy(&ads);
677 return -1;
680 int net_ads_user(struct net_context *c, int argc, const char **argv)
682 struct functable func[] = {
684 "add",
685 ads_user_add,
686 NET_TRANSPORT_ADS,
687 N_("Add an AD user"),
688 N_("net ads user add\n"
689 " Add an AD user")
692 "info",
693 ads_user_info,
694 NET_TRANSPORT_ADS,
695 N_("Display information about an AD user"),
696 N_("net ads user info\n"
697 " Display information about an AD user")
700 "delete",
701 ads_user_delete,
702 NET_TRANSPORT_ADS,
703 N_("Delete an AD user"),
704 N_("net ads user delete\n"
705 " Delete an AD user")
707 {NULL, NULL, 0, NULL, NULL}
709 ADS_STRUCT *ads;
710 ADS_STATUS rc;
711 const char *shortattrs[] = {"sAMAccountName", NULL};
712 const char *longattrs[] = {"sAMAccountName", "description", NULL};
713 char *disp_fields[2] = {NULL, NULL};
715 if (argc == 0) {
716 if (c->display_usage) {
717 d_printf( "%s\n"
718 "net ads user\n"
719 " %s\n",
720 _("Usage:"),
721 _("List AD users"));
722 net_display_usage_from_functable(func);
723 return 0;
726 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
727 return -1;
730 if (c->opt_long_list_entries)
731 d_printf(_("\nUser name Comment"
732 "\n-----------------------------\n"));
734 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
735 LDAP_SCOPE_SUBTREE,
736 "(objectCategory=user)",
737 c->opt_long_list_entries ? longattrs :
738 shortattrs, usergrp_display,
739 disp_fields);
740 ads_destroy(&ads);
741 return ADS_ERR_OK(rc) ? 0 : -1;
744 return net_run_function(c, argc, argv, "net ads user", func);
747 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
749 return net_group_usage(c, argc, argv);
752 static int ads_group_add(struct net_context *c, int argc, const char **argv)
754 ADS_STRUCT *ads;
755 ADS_STATUS status;
756 LDAPMessage *res=NULL;
757 int rc = -1;
758 char *ou_str = NULL;
760 if (argc < 1 || c->display_usage) {
761 return net_ads_group_usage(c, argc, argv);
764 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
765 return -1;
768 status = ads_find_user_acct(ads, &res, argv[0]);
770 if (!ADS_ERR_OK(status)) {
771 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
772 goto done;
775 if (ads_count_replies(ads, res)) {
776 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
777 goto done;
780 if (c->opt_container) {
781 ou_str = SMB_STRDUP(c->opt_container);
782 } else {
783 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
786 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
788 if (ADS_ERR_OK(status)) {
789 d_printf(_("Group %s added\n"), argv[0]);
790 rc = 0;
791 } else {
792 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
793 ads_errstr(status));
796 done:
797 if (res)
798 ads_msgfree(ads, res);
799 ads_destroy(&ads);
800 SAFE_FREE(ou_str);
801 return rc;
804 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
806 ADS_STRUCT *ads;
807 ADS_STATUS rc;
808 LDAPMessage *res = NULL;
809 char *groupdn;
811 if (argc < 1 || c->display_usage) {
812 return net_ads_group_usage(c, argc, argv);
815 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
816 return -1;
819 rc = ads_find_user_acct(ads, &res, argv[0]);
820 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
821 d_printf(_("Group %s does not exist.\n"), argv[0]);
822 ads_msgfree(ads, res);
823 ads_destroy(&ads);
824 return -1;
826 groupdn = ads_get_dn(ads, talloc_tos(), res);
827 ads_msgfree(ads, res);
828 rc = ads_del_dn(ads, groupdn);
829 TALLOC_FREE(groupdn);
830 if (ADS_ERR_OK(rc)) {
831 d_printf(_("Group %s deleted\n"), argv[0]);
832 ads_destroy(&ads);
833 return 0;
835 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
836 ads_errstr(rc));
837 ads_destroy(&ads);
838 return -1;
841 int net_ads_group(struct net_context *c, int argc, const char **argv)
843 struct functable func[] = {
845 "add",
846 ads_group_add,
847 NET_TRANSPORT_ADS,
848 N_("Add an AD group"),
849 N_("net ads group add\n"
850 " Add an AD group")
853 "delete",
854 ads_group_delete,
855 NET_TRANSPORT_ADS,
856 N_("Delete an AD group"),
857 N_("net ads group delete\n"
858 " Delete an AD group")
860 {NULL, NULL, 0, NULL, NULL}
862 ADS_STRUCT *ads;
863 ADS_STATUS rc;
864 const char *shortattrs[] = {"sAMAccountName", NULL};
865 const char *longattrs[] = {"sAMAccountName", "description", NULL};
866 char *disp_fields[2] = {NULL, NULL};
868 if (argc == 0) {
869 if (c->display_usage) {
870 d_printf( "%s\n"
871 "net ads group\n"
872 " %s\n",
873 _("Usage:"),
874 _("List AD groups"));
875 net_display_usage_from_functable(func);
876 return 0;
879 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
880 return -1;
883 if (c->opt_long_list_entries)
884 d_printf(_("\nGroup name Comment"
885 "\n-----------------------------\n"));
886 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
887 LDAP_SCOPE_SUBTREE,
888 "(objectCategory=group)",
889 c->opt_long_list_entries ? longattrs :
890 shortattrs, usergrp_display,
891 disp_fields);
893 ads_destroy(&ads);
894 return ADS_ERR_OK(rc) ? 0 : -1;
896 return net_run_function(c, argc, argv, "net ads group", func);
899 static int net_ads_status(struct net_context *c, int argc, const char **argv)
901 ADS_STRUCT *ads;
902 ADS_STATUS rc;
903 LDAPMessage *res;
905 if (c->display_usage) {
906 d_printf( "%s\n"
907 "net ads status\n"
908 " %s\n",
909 _("Usage:"),
910 _("Display machine account details"));
911 return 0;
914 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
915 return -1;
918 rc = ads_find_machine_acct(ads, &res, lp_netbios_name());
919 if (!ADS_ERR_OK(rc)) {
920 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
921 ads_destroy(&ads);
922 return -1;
925 if (ads_count_replies(ads, res) == 0) {
926 d_fprintf(stderr, _("No machine account for '%s' found\n"), lp_netbios_name());
927 ads_destroy(&ads);
928 return -1;
931 ads_dump(ads, res);
932 ads_destroy(&ads);
933 return 0;
936 /*******************************************************************
937 Leave an AD domain. Windows XP disables the machine account.
938 We'll try the same. The old code would do an LDAP delete.
939 That only worked using the machine creds because added the machine
940 with full control to the computer object's ACL.
941 *******************************************************************/
943 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
945 TALLOC_CTX *ctx;
946 struct libnet_UnjoinCtx *r = NULL;
947 WERROR werr;
949 if (c->display_usage) {
950 d_printf( "%s\n"
951 "net ads leave\n"
952 " %s\n",
953 _("Usage:"),
954 _("Leave an AD domain"));
955 return 0;
958 if (!*lp_realm()) {
959 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
960 return -1;
963 if (!(ctx = talloc_init("net_ads_leave"))) {
964 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
965 return -1;
968 if (!c->opt_kerberos) {
969 use_in_memory_ccache();
972 if (!c->msg_ctx) {
973 d_fprintf(stderr, _("Could not initialise message context. "
974 "Try running as root\n"));
975 return -1;
978 werr = libnet_init_UnjoinCtx(ctx, &r);
979 if (!W_ERROR_IS_OK(werr)) {
980 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
981 return -1;
984 r->in.debug = true;
985 r->in.use_kerberos = c->opt_kerberos;
986 r->in.dc_name = c->opt_host;
987 r->in.domain_name = lp_realm();
988 r->in.admin_account = c->opt_user_name;
989 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
990 r->in.modify_config = lp_config_backend_is_registry();
992 /* Try to delete it, but if that fails, disable it. The
993 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
994 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
995 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
996 r->in.delete_machine_account = true;
997 r->in.msg_ctx = c->msg_ctx;
999 werr = libnet_Unjoin(ctx, r);
1000 if (!W_ERROR_IS_OK(werr)) {
1001 d_printf(_("Failed to leave domain: %s\n"),
1002 r->out.error_string ? r->out.error_string :
1003 get_friendly_werror_msg(werr));
1004 goto done;
1007 if (r->out.deleted_machine_account) {
1008 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1009 r->in.machine_name, r->out.dns_domain_name);
1010 goto done;
1013 /* We couldn't delete it - see if the disable succeeded. */
1014 if (r->out.disabled_machine_account) {
1015 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1016 r->in.machine_name, r->out.dns_domain_name);
1017 werr = WERR_OK;
1018 goto done;
1021 /* Based on what we requseted, we shouldn't get here, but if
1022 we did, it means the secrets were removed, and therefore
1023 we have left the domain */
1024 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1025 r->in.machine_name, r->out.dns_domain_name);
1027 done:
1028 TALLOC_FREE(r);
1029 TALLOC_FREE(ctx);
1031 if (W_ERROR_IS_OK(werr)) {
1032 return 0;
1035 return -1;
1038 static NTSTATUS net_ads_join_ok(struct net_context *c)
1040 ADS_STRUCT *ads = NULL;
1041 ADS_STATUS status;
1042 fstring dc_name;
1043 struct sockaddr_storage dcip;
1045 if (!secrets_init()) {
1046 DEBUG(1,("Failed to initialise secrets database\n"));
1047 return NT_STATUS_ACCESS_DENIED;
1050 net_use_krb_machine_account(c);
1052 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1054 status = ads_startup(c, true, &ads);
1055 if (!ADS_ERR_OK(status)) {
1056 return ads_ntstatus(status);
1059 ads_destroy(&ads);
1060 return NT_STATUS_OK;
1064 check that an existing join is OK
1066 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1068 NTSTATUS status;
1069 use_in_memory_ccache();
1071 if (c->display_usage) {
1072 d_printf( "%s\n"
1073 "net ads testjoin\n"
1074 " %s\n",
1075 _("Usage:"),
1076 _("Test if the existing join is ok"));
1077 return 0;
1080 /* Display success or failure */
1081 status = net_ads_join_ok(c);
1082 if (!NT_STATUS_IS_OK(status)) {
1083 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1084 get_friendly_nt_error_msg(status));
1085 return -1;
1088 printf(_("Join is OK\n"));
1089 return 0;
1092 /*******************************************************************
1093 Simple configu checks before beginning the join
1094 ********************************************************************/
1096 static WERROR check_ads_config( void )
1098 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1099 d_printf(_("Host is not configured as a member server.\n"));
1100 return WERR_INVALID_DOMAIN_ROLE;
1103 if (strlen(lp_netbios_name()) > 15) {
1104 d_printf(_("Our netbios name can be at most 15 chars long, "
1105 "\"%s\" is %u chars long\n"), lp_netbios_name(),
1106 (unsigned int)strlen(lp_netbios_name()));
1107 return WERR_INVALID_COMPUTERNAME;
1110 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1111 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1112 "join to succeed.\n"), get_dyn_CONFIGFILE());
1113 return WERR_INVALID_PARAM;
1116 return WERR_OK;
1119 /*******************************************************************
1120 Send a DNS update request
1121 *******************************************************************/
1123 #if defined(WITH_DNS_UPDATES)
1124 #include "../lib/addns/dns.h"
1125 DNS_ERROR DoDNSUpdate(char *pszServerName,
1126 const char *pszDomainName, const char *pszHostName,
1127 const struct sockaddr_storage *sslist,
1128 size_t num_addrs );
1130 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1131 const char *machine_name,
1132 const struct sockaddr_storage *addrs,
1133 int num_addrs)
1135 struct dns_rr_ns *nameservers = NULL;
1136 int ns_count = 0, i;
1137 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1138 DNS_ERROR dns_err;
1139 fstring dns_server;
1140 const char *dnsdomain = NULL;
1141 char *root_domain = NULL;
1143 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1144 d_printf(_("No DNS domain configured for %s. "
1145 "Unable to perform DNS Update.\n"), machine_name);
1146 status = NT_STATUS_INVALID_PARAMETER;
1147 goto done;
1149 dnsdomain++;
1151 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1152 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1153 /* Child domains often do not have NS records. Look
1154 for the NS record for the forest root domain
1155 (rootDomainNamingContext in therootDSE) */
1157 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1158 LDAPMessage *msg = NULL;
1159 char *root_dn;
1160 ADS_STATUS ads_status;
1162 if ( !ads->ldap.ld ) {
1163 ads_status = ads_connect( ads );
1164 if ( !ADS_ERR_OK(ads_status) ) {
1165 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1166 goto done;
1170 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1171 "(objectclass=*)", rootname_attrs, &msg);
1172 if (!ADS_ERR_OK(ads_status)) {
1173 goto done;
1176 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1177 if ( !root_dn ) {
1178 ads_msgfree( ads, msg );
1179 goto done;
1182 root_domain = ads_build_domain( root_dn );
1184 /* cleanup */
1185 ads_msgfree( ads, msg );
1187 /* try again for NS servers */
1189 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1191 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1192 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1193 "realm\n", ads->config.realm));
1194 goto done;
1197 dnsdomain = root_domain;
1201 for (i=0; i < ns_count; i++) {
1203 status = NT_STATUS_UNSUCCESSFUL;
1205 /* Now perform the dns update - we'll try non-secure and if we fail,
1206 we'll follow it up with a secure update */
1208 fstrcpy( dns_server, nameservers[i].hostname );
1210 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1211 if (ERR_DNS_IS_OK(dns_err)) {
1212 status = NT_STATUS_OK;
1213 goto done;
1216 if (ERR_DNS_EQUAL(dns_err, ERROR_DNS_INVALID_NAME_SERVER) ||
1217 ERR_DNS_EQUAL(dns_err, ERROR_DNS_CONNECTION_FAILED) ||
1218 ERR_DNS_EQUAL(dns_err, ERROR_DNS_SOCKET_ERROR)) {
1219 DEBUG(1,("retrying DNS update with next nameserver after receiving %s\n",
1220 dns_errstr(dns_err)));
1221 continue;
1224 d_printf(_("DNS Update for %s failed: %s\n"),
1225 machine_name, dns_errstr(dns_err));
1226 status = NT_STATUS_UNSUCCESSFUL;
1227 goto done;
1230 done:
1232 SAFE_FREE( root_domain );
1234 return status;
1237 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1238 const char *hostname,
1239 struct sockaddr_storage *iplist,
1240 int num_addrs)
1242 struct sockaddr_storage *iplist_alloc = NULL;
1243 fstring machine_name;
1244 NTSTATUS status;
1246 if (hostname) {
1247 fstrcpy(machine_name, hostname);
1248 } else {
1249 name_to_fqdn( machine_name, lp_netbios_name() );
1251 strlower_m( machine_name );
1253 if (num_addrs == 0 || iplist == NULL) {
1255 * Get our ip address
1256 * (not the 127.0.0.x address but a real ip address)
1258 num_addrs = get_my_ip_address(&iplist_alloc);
1259 if ( num_addrs <= 0 ) {
1260 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1261 "non-loopback IP addresses!\n"));
1262 return NT_STATUS_INVALID_PARAMETER;
1264 iplist = iplist_alloc;
1267 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1268 iplist, num_addrs);
1270 SAFE_FREE(iplist_alloc);
1271 return status;
1274 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1276 NTSTATUS status;
1278 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1279 return status;
1281 #endif
1284 /*******************************************************************
1285 ********************************************************************/
1287 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1289 d_printf(_("net ads join [options]\n"
1290 "Valid options:\n"));
1291 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1292 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1293 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1294 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1295 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1296 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1297 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1298 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1299 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1300 " NB: osName and osVer must be specified together for either to take effect.\n"
1301 " Also, the operatingSystemService attribute is also set when along with\n"
1302 " the two other attributes.\n"));
1304 return -1;
1308 static void _net_ads_join_dns_updates(TALLOC_CTX *ctx, struct libnet_JoinCtx *r)
1310 #if defined(WITH_DNS_UPDATES)
1311 ADS_STRUCT *ads_dns = NULL;
1312 int ret;
1313 NTSTATUS status;
1316 * In a clustered environment, don't do dynamic dns updates:
1317 * Registering the set of ip addresses that are assigned to
1318 * the interfaces of the node that performs the join does usually
1319 * not have the desired effect, since the local interfaces do not
1320 * carry the complete set of the cluster's public IP addresses.
1321 * And it can also contain internal addresses that should not
1322 * be visible to the outside at all.
1323 * In order to do dns updates in a clustererd setup, use
1324 * net ads dns register.
1326 if (lp_clustering()) {
1327 d_fprintf(stderr, _("Not doing automatic DNS update in a "
1328 "clustered setup.\n"));
1329 return;
1332 if (!r->out.domain_is_ad) {
1333 return;
1337 * We enter this block with user creds.
1338 * kinit with the machine password to do dns update.
1341 ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
1343 if (ads_dns == NULL) {
1344 d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
1345 goto done;
1348 use_in_memory_ccache();
1350 ret = asprintf(&ads_dns->auth.user_name, "%s$", lp_netbios_name());
1351 if (ret == -1) {
1352 d_fprintf(stderr, _("DNS update failed: out of memory\n"));
1353 goto done;
1356 ads_dns->auth.password = secrets_fetch_machine_password(
1357 r->out.netbios_domain_name, NULL, NULL);
1358 if (ads_dns->auth.password == NULL) {
1359 d_fprintf(stderr, _("DNS update failed: out of memory\n"));
1360 goto done;
1363 ads_dns->auth.realm = SMB_STRDUP(r->out.dns_domain_name);
1364 if (ads_dns->auth.realm == NULL) {
1365 d_fprintf(stderr, _("DNS update failed: out of memory\n"));
1366 goto done;
1369 strupper_m(ads_dns->auth.realm);
1371 ret = ads_kinit_password(ads_dns);
1372 if (ret != 0) {
1373 d_fprintf(stderr,
1374 _("DNS update failed: kinit failed: %s\n"),
1375 error_message(ret));
1376 goto done;
1379 status = net_update_dns(ctx, ads_dns, NULL);
1380 if (!NT_STATUS_IS_OK(status)) {
1381 d_fprintf( stderr, _("DNS update failed: %s\n"),
1382 nt_errstr(status));
1385 done:
1386 ads_destroy(&ads_dns);
1387 #endif
1389 return;
1393 int net_ads_join(struct net_context *c, int argc, const char **argv)
1395 TALLOC_CTX *ctx = NULL;
1396 struct libnet_JoinCtx *r = NULL;
1397 const char *domain = lp_realm();
1398 WERROR werr = WERR_SETUP_NOT_JOINED;
1399 bool createupn = false;
1400 const char *machineupn = NULL;
1401 const char *create_in_ou = NULL;
1402 int i;
1403 const char *os_name = NULL;
1404 const char *os_version = NULL;
1405 bool modify_config = lp_config_backend_is_registry();
1407 if (c->display_usage)
1408 return net_ads_join_usage(c, argc, argv);
1410 if (!modify_config) {
1412 werr = check_ads_config();
1413 if (!W_ERROR_IS_OK(werr)) {
1414 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1415 goto fail;
1419 if (!(ctx = talloc_init("net_ads_join"))) {
1420 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1421 werr = WERR_NOMEM;
1422 goto fail;
1425 if (!c->opt_kerberos) {
1426 use_in_memory_ccache();
1429 werr = libnet_init_JoinCtx(ctx, &r);
1430 if (!W_ERROR_IS_OK(werr)) {
1431 goto fail;
1434 /* process additional command line args */
1436 for ( i=0; i<argc; i++ ) {
1437 if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
1438 createupn = true;
1439 machineupn = get_string_param(argv[i]);
1441 else if ( !strncasecmp_m(argv[i], "createcomputer", strlen("createcomputer")) ) {
1442 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1443 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1444 werr = WERR_INVALID_PARAM;
1445 goto fail;
1448 else if ( !strncasecmp_m(argv[i], "osName", strlen("osName")) ) {
1449 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1450 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1451 werr = WERR_INVALID_PARAM;
1452 goto fail;
1455 else if ( !strncasecmp_m(argv[i], "osVer", strlen("osVer")) ) {
1456 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1457 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1458 werr = WERR_INVALID_PARAM;
1459 goto fail;
1462 else {
1463 domain = argv[i];
1467 if (!*domain) {
1468 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1469 werr = WERR_INVALID_PARAM;
1470 goto fail;
1473 if (!c->msg_ctx) {
1474 d_fprintf(stderr, _("Could not initialise message context. "
1475 "Try running as root\n"));
1476 werr = WERR_ACCESS_DENIED;
1477 goto fail;
1480 /* Do the domain join here */
1482 r->in.domain_name = domain;
1483 r->in.create_upn = createupn;
1484 r->in.upn = machineupn;
1485 r->in.account_ou = create_in_ou;
1486 r->in.os_name = os_name;
1487 r->in.os_version = os_version;
1488 r->in.dc_name = c->opt_host;
1489 r->in.admin_account = c->opt_user_name;
1490 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1491 r->in.debug = true;
1492 r->in.use_kerberos = c->opt_kerberos;
1493 r->in.modify_config = modify_config;
1494 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1495 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1496 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1497 r->in.msg_ctx = c->msg_ctx;
1499 werr = libnet_Join(ctx, r);
1500 if (W_ERROR_EQUAL(werr, WERR_DCNOTFOUND) &&
1501 strequal(domain, lp_realm())) {
1502 r->in.domain_name = lp_workgroup();
1503 werr = libnet_Join(ctx, r);
1505 if (!W_ERROR_IS_OK(werr)) {
1506 goto fail;
1509 /* Check the short name of the domain */
1511 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1512 d_printf(_("The workgroup in %s does not match the short\n"
1513 "domain name obtained from the server.\n"
1514 "Using the name [%s] from the server.\n"
1515 "You should set \"workgroup = %s\" in %s.\n"),
1516 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1517 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1520 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1522 if (r->out.dns_domain_name) {
1523 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1524 r->out.dns_domain_name);
1525 } else {
1526 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1527 r->out.netbios_domain_name);
1531 * We try doing the dns update (if it was compiled in).
1532 * If the dns update fails, we still consider the join
1533 * operation as succeeded if we came this far.
1535 _net_ads_join_dns_updates(ctx, r);
1537 TALLOC_FREE(r);
1538 TALLOC_FREE( ctx );
1540 return 0;
1542 fail:
1543 /* issue an overall failure message at the end. */
1544 d_printf(_("Failed to join domain: %s\n"),
1545 r && r->out.error_string ? r->out.error_string :
1546 get_friendly_werror_msg(werr));
1547 TALLOC_FREE( ctx );
1549 return -1;
1552 /*******************************************************************
1553 ********************************************************************/
1555 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1557 #if defined(WITH_DNS_UPDATES)
1558 ADS_STRUCT *ads;
1559 ADS_STATUS status;
1560 NTSTATUS ntstatus;
1561 TALLOC_CTX *ctx;
1562 const char *hostname = NULL;
1563 const char **addrs_list = NULL;
1564 struct sockaddr_storage *addrs = NULL;
1565 int num_addrs = 0;
1566 int count;
1568 #ifdef DEVELOPER
1569 talloc_enable_leak_report();
1570 #endif
1572 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1573 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1574 "detection of addresses in a clustered "
1575 "setup.\n"));
1576 c->display_usage = true;
1579 if (c->display_usage) {
1580 d_printf( "%s\n"
1581 "net ads dns register [hostname [IP [IP...]]]\n"
1582 " %s\n",
1583 _("Usage:"),
1584 _("Register hostname with DNS\n"));
1585 return -1;
1588 if (!(ctx = talloc_init("net_ads_dns"))) {
1589 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1590 return -1;
1593 if (argc >= 1) {
1594 hostname = argv[0];
1597 if (argc > 1) {
1598 num_addrs = argc - 1;
1599 addrs_list = &argv[1];
1600 } else if (lp_clustering()) {
1601 addrs_list = lp_cluster_addresses();
1602 num_addrs = str_list_length(addrs_list);
1605 if (num_addrs > 0) {
1606 addrs = talloc_zero_array(ctx, struct sockaddr_storage, num_addrs);
1607 if (addrs == NULL) {
1608 d_fprintf(stderr, _("Error allocating memory!\n"));
1609 talloc_free(ctx);
1610 return -1;
1614 for (count = 0; count < num_addrs; count++) {
1615 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1616 d_fprintf(stderr, "%s '%s'.\n",
1617 _("Cannot interpret address"),
1618 addrs_list[count]);
1619 talloc_free(ctx);
1620 return -1;
1624 status = ads_startup(c, true, &ads);
1625 if ( !ADS_ERR_OK(status) ) {
1626 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1627 TALLOC_FREE(ctx);
1628 return -1;
1631 ntstatus = net_update_dns_ext(ctx, ads, hostname, addrs, num_addrs);
1632 if (!NT_STATUS_IS_OK(ntstatus)) {
1633 d_fprintf( stderr, _("DNS update failed!\n") );
1634 ads_destroy( &ads );
1635 TALLOC_FREE( ctx );
1636 return -1;
1639 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1641 ads_destroy(&ads);
1642 TALLOC_FREE( ctx );
1644 return 0;
1645 #else
1646 d_fprintf(stderr,
1647 _("DNS update support not enabled at compile time!\n"));
1648 return -1;
1649 #endif
1652 #if defined(WITH_DNS_UPDATES)
1653 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1654 #endif
1656 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1658 #if defined(WITH_DNS_UPDATES)
1659 DNS_ERROR err;
1661 #ifdef DEVELOPER
1662 talloc_enable_leak_report();
1663 #endif
1665 if (argc != 2 || c->display_usage) {
1666 d_printf( "%s\n"
1667 " %s\n"
1668 " %s\n",
1669 _("Usage:"),
1670 _("net ads dns gethostbyname <server> <name>\n"),
1671 _(" Look up hostname from the AD\n"
1672 " server\tName server to use\n"
1673 " name\tName to look up\n"));
1674 return -1;
1677 err = do_gethostbyname(argv[0], argv[1]);
1679 d_printf(_("do_gethostbyname returned %s (%d)\n"),
1680 dns_errstr(err), ERROR_DNS_V(err));
1681 #endif
1682 return 0;
1685 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1687 struct functable func[] = {
1689 "register",
1690 net_ads_dns_register,
1691 NET_TRANSPORT_ADS,
1692 N_("Add host dns entry to AD"),
1693 N_("net ads dns register\n"
1694 " Add host dns entry to AD")
1697 "gethostbyname",
1698 net_ads_dns_gethostbyname,
1699 NET_TRANSPORT_ADS,
1700 N_("Look up host"),
1701 N_("net ads dns gethostbyname\n"
1702 " Look up host")
1704 {NULL, NULL, 0, NULL, NULL}
1707 return net_run_function(c, argc, argv, "net ads dns", func);
1710 /*******************************************************************
1711 ********************************************************************/
1713 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1715 d_printf(_(
1716 "\nnet ads printer search <printer>"
1717 "\n\tsearch for a printer in the directory\n"
1718 "\nnet ads printer info <printer> <server>"
1719 "\n\tlookup info in directory for printer on server"
1720 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1721 "\nnet ads printer publish <printername>"
1722 "\n\tpublish printer in directory"
1723 "\n\t(note: printer name is required)\n"
1724 "\nnet ads printer remove <printername>"
1725 "\n\tremove printer from directory"
1726 "\n\t(note: printer name is required)\n"));
1727 return -1;
1730 /*******************************************************************
1731 ********************************************************************/
1733 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1735 ADS_STRUCT *ads;
1736 ADS_STATUS rc;
1737 LDAPMessage *res = NULL;
1739 if (c->display_usage) {
1740 d_printf( "%s\n"
1741 "net ads printer search\n"
1742 " %s\n",
1743 _("Usage:"),
1744 _("List printers in the AD"));
1745 return 0;
1748 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1749 return -1;
1752 rc = ads_find_printers(ads, &res);
1754 if (!ADS_ERR_OK(rc)) {
1755 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1756 ads_msgfree(ads, res);
1757 ads_destroy(&ads);
1758 return -1;
1761 if (ads_count_replies(ads, res) == 0) {
1762 d_fprintf(stderr, _("No results found\n"));
1763 ads_msgfree(ads, res);
1764 ads_destroy(&ads);
1765 return -1;
1768 ads_dump(ads, res);
1769 ads_msgfree(ads, res);
1770 ads_destroy(&ads);
1771 return 0;
1774 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1776 ADS_STRUCT *ads;
1777 ADS_STATUS rc;
1778 const char *servername, *printername;
1779 LDAPMessage *res = NULL;
1781 if (c->display_usage) {
1782 d_printf("%s\n%s",
1783 _("Usage:"),
1784 _("net ads printer info [printername [servername]]\n"
1785 " Display printer info from AD\n"
1786 " printername\tPrinter name or wildcard\n"
1787 " servername\tName of the print server\n"));
1788 return 0;
1791 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1792 return -1;
1795 if (argc > 0) {
1796 printername = argv[0];
1797 } else {
1798 printername = "*";
1801 if (argc > 1) {
1802 servername = argv[1];
1803 } else {
1804 servername = lp_netbios_name();
1807 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1809 if (!ADS_ERR_OK(rc)) {
1810 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1811 servername, ads_errstr(rc));
1812 ads_msgfree(ads, res);
1813 ads_destroy(&ads);
1814 return -1;
1817 if (ads_count_replies(ads, res) == 0) {
1818 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1819 ads_msgfree(ads, res);
1820 ads_destroy(&ads);
1821 return -1;
1824 ads_dump(ads, res);
1825 ads_msgfree(ads, res);
1826 ads_destroy(&ads);
1828 return 0;
1831 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1833 ADS_STRUCT *ads;
1834 ADS_STATUS rc;
1835 const char *servername, *printername;
1836 struct cli_state *cli = NULL;
1837 struct rpc_pipe_client *pipe_hnd = NULL;
1838 struct sockaddr_storage server_ss;
1839 NTSTATUS nt_status;
1840 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1841 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1842 char *prt_dn, *srv_dn, **srv_cn;
1843 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1844 LDAPMessage *res = NULL;
1846 if (argc < 1 || c->display_usage) {
1847 d_printf("%s\n%s",
1848 _("Usage:"),
1849 _("net ads printer publish <printername> [servername]\n"
1850 " Publish printer in AD\n"
1851 " printername\tName of the printer\n"
1852 " servername\tName of the print server\n"));
1853 talloc_destroy(mem_ctx);
1854 return -1;
1857 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1858 talloc_destroy(mem_ctx);
1859 return -1;
1862 printername = argv[0];
1864 if (argc == 2) {
1865 servername = argv[1];
1866 } else {
1867 servername = lp_netbios_name();
1870 /* Get printer data from SPOOLSS */
1872 resolve_name(servername, &server_ss, 0x20, false);
1874 nt_status = cli_full_connection(&cli, lp_netbios_name(), servername,
1875 &server_ss, 0,
1876 "IPC$", "IPC",
1877 c->opt_user_name, c->opt_workgroup,
1878 c->opt_password ? c->opt_password : "",
1879 CLI_FULL_CONNECTION_USE_KERBEROS,
1880 SMB_SIGNING_DEFAULT);
1882 if (NT_STATUS_IS_ERR(nt_status)) {
1883 d_fprintf(stderr, _("Unable to open a connection to %s to "
1884 "obtain data for %s\n"),
1885 servername, printername);
1886 ads_destroy(&ads);
1887 talloc_destroy(mem_ctx);
1888 return -1;
1891 /* Publish on AD server */
1893 ads_find_machine_acct(ads, &res, servername);
1895 if (ads_count_replies(ads, res) == 0) {
1896 d_fprintf(stderr, _("Could not find machine account for server "
1897 "%s\n"),
1898 servername);
1899 ads_destroy(&ads);
1900 talloc_destroy(mem_ctx);
1901 return -1;
1904 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1905 srv_cn = ldap_explode_dn(srv_dn, 1);
1907 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1908 printername_escaped = escape_rdn_val_string_alloc(printername);
1909 if (!srv_cn_escaped || !printername_escaped) {
1910 SAFE_FREE(srv_cn_escaped);
1911 SAFE_FREE(printername_escaped);
1912 d_fprintf(stderr, _("Internal error, out of memory!"));
1913 ads_destroy(&ads);
1914 talloc_destroy(mem_ctx);
1915 return -1;
1918 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1919 SAFE_FREE(srv_cn_escaped);
1920 SAFE_FREE(printername_escaped);
1921 d_fprintf(stderr, _("Internal error, out of memory!"));
1922 ads_destroy(&ads);
1923 talloc_destroy(mem_ctx);
1924 return -1;
1927 SAFE_FREE(srv_cn_escaped);
1928 SAFE_FREE(printername_escaped);
1930 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1931 if (!NT_STATUS_IS_OK(nt_status)) {
1932 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
1933 servername);
1934 SAFE_FREE(prt_dn);
1935 ads_destroy(&ads);
1936 talloc_destroy(mem_ctx);
1937 return -1;
1940 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1941 printername))) {
1942 SAFE_FREE(prt_dn);
1943 ads_destroy(&ads);
1944 talloc_destroy(mem_ctx);
1945 return -1;
1948 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1949 if (!ADS_ERR_OK(rc)) {
1950 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1951 SAFE_FREE(prt_dn);
1952 ads_destroy(&ads);
1953 talloc_destroy(mem_ctx);
1954 return -1;
1957 d_printf("published printer\n");
1958 SAFE_FREE(prt_dn);
1959 ads_destroy(&ads);
1960 talloc_destroy(mem_ctx);
1962 return 0;
1965 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1967 ADS_STRUCT *ads;
1968 ADS_STATUS rc;
1969 const char *servername;
1970 char *prt_dn;
1971 LDAPMessage *res = NULL;
1973 if (argc < 1 || c->display_usage) {
1974 d_printf("%s\n%s",
1975 _("Usage:"),
1976 _("net ads printer remove <printername> [servername]\n"
1977 " Remove a printer from the AD\n"
1978 " printername\tName of the printer\n"
1979 " servername\tName of the print server\n"));
1980 return -1;
1983 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1984 return -1;
1987 if (argc > 1) {
1988 servername = argv[1];
1989 } else {
1990 servername = lp_netbios_name();
1993 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1995 if (!ADS_ERR_OK(rc)) {
1996 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1997 ads_msgfree(ads, res);
1998 ads_destroy(&ads);
1999 return -1;
2002 if (ads_count_replies(ads, res) == 0) {
2003 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
2004 ads_msgfree(ads, res);
2005 ads_destroy(&ads);
2006 return -1;
2009 prt_dn = ads_get_dn(ads, talloc_tos(), res);
2010 ads_msgfree(ads, res);
2011 rc = ads_del_dn(ads, prt_dn);
2012 TALLOC_FREE(prt_dn);
2014 if (!ADS_ERR_OK(rc)) {
2015 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
2016 ads_destroy(&ads);
2017 return -1;
2020 ads_destroy(&ads);
2021 return 0;
2024 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
2026 struct functable func[] = {
2028 "search",
2029 net_ads_printer_search,
2030 NET_TRANSPORT_ADS,
2031 N_("Search for a printer"),
2032 N_("net ads printer search\n"
2033 " Search for a printer")
2036 "info",
2037 net_ads_printer_info,
2038 NET_TRANSPORT_ADS,
2039 N_("Display printer information"),
2040 N_("net ads printer info\n"
2041 " Display printer information")
2044 "publish",
2045 net_ads_printer_publish,
2046 NET_TRANSPORT_ADS,
2047 N_("Publish a printer"),
2048 N_("net ads printer publish\n"
2049 " Publish a printer")
2052 "remove",
2053 net_ads_printer_remove,
2054 NET_TRANSPORT_ADS,
2055 N_("Delete a printer"),
2056 N_("net ads printer remove\n"
2057 " Delete a printer")
2059 {NULL, NULL, 0, NULL, NULL}
2062 return net_run_function(c, argc, argv, "net ads printer", func);
2066 static int net_ads_password(struct net_context *c, int argc, const char **argv)
2068 ADS_STRUCT *ads;
2069 const char *auth_principal = c->opt_user_name;
2070 const char *auth_password = c->opt_password;
2071 const char *realm = NULL;
2072 const char *new_password = NULL;
2073 char *chr, *prompt;
2074 const char *user;
2075 ADS_STATUS ret;
2077 if (c->display_usage) {
2078 d_printf("%s\n%s",
2079 _("Usage:"),
2080 _("net ads password <username>\n"
2081 " Change password for user\n"
2082 " username\tName of user to change password for\n"));
2083 return 0;
2086 if (c->opt_user_name == NULL || c->opt_password == NULL) {
2087 d_fprintf(stderr, _("You must supply an administrator "
2088 "username/password\n"));
2089 return -1;
2092 if (argc < 1) {
2093 d_fprintf(stderr, _("ERROR: You must say which username to "
2094 "change password for\n"));
2095 return -1;
2098 user = argv[0];
2099 if (!strchr_m(user, '@')) {
2100 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
2101 return -1;
2103 user = chr;
2106 use_in_memory_ccache();
2107 chr = strchr_m(auth_principal, '@');
2108 if (chr) {
2109 realm = ++chr;
2110 } else {
2111 realm = lp_realm();
2114 /* use the realm so we can eventually change passwords for users
2115 in realms other than default */
2116 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
2117 return -1;
2120 /* we don't actually need a full connect, but it's the easy way to
2121 fill in the KDC's addresss */
2122 ads_connect(ads);
2124 if (!ads->config.realm) {
2125 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2126 ads_destroy(&ads);
2127 return -1;
2130 if (argv[1]) {
2131 new_password = (const char *)argv[1];
2132 } else {
2133 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
2134 return -1;
2136 new_password = getpass(prompt);
2137 free(prompt);
2140 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2141 auth_password, user, new_password, ads->auth.time_offset);
2142 if (!ADS_ERR_OK(ret)) {
2143 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2144 ads_destroy(&ads);
2145 return -1;
2148 d_printf(_("Password change for %s completed.\n"), user);
2149 ads_destroy(&ads);
2151 return 0;
2154 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2156 ADS_STRUCT *ads;
2157 char *host_principal;
2158 fstring my_name;
2159 ADS_STATUS ret;
2161 if (c->display_usage) {
2162 d_printf( "%s\n"
2163 "net ads changetrustpw\n"
2164 " %s\n",
2165 _("Usage:"),
2166 _("Change the machine account's trust password"));
2167 return 0;
2170 if (!secrets_init()) {
2171 DEBUG(1,("Failed to initialise secrets database\n"));
2172 return -1;
2175 net_use_krb_machine_account(c);
2177 use_in_memory_ccache();
2179 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2180 return -1;
2183 fstrcpy(my_name, lp_netbios_name());
2184 strlower_m(my_name);
2185 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2186 ads_destroy(&ads);
2187 return -1;
2189 d_printf(_("Changing password for principal: %s\n"), host_principal);
2191 ret = ads_change_trust_account_password(ads, host_principal);
2193 if (!ADS_ERR_OK(ret)) {
2194 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2195 ads_destroy(&ads);
2196 SAFE_FREE(host_principal);
2197 return -1;
2200 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2202 if (USE_SYSTEM_KEYTAB) {
2203 d_printf(_("Attempting to update system keytab with new password.\n"));
2204 if (ads_keytab_create_default(ads)) {
2205 d_printf(_("Failed to update system keytab.\n"));
2209 ads_destroy(&ads);
2210 SAFE_FREE(host_principal);
2212 return 0;
2216 help for net ads search
2218 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2220 d_printf(_(
2221 "\nnet ads search <expression> <attributes...>\n"
2222 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2223 "The expression is a standard LDAP search expression, and the\n"
2224 "attributes are a list of LDAP fields to show in the results.\n\n"
2225 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2227 net_common_flags_usage(c, argc, argv);
2228 return -1;
2233 general ADS search function. Useful in diagnosing problems in ADS
2235 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2237 ADS_STRUCT *ads;
2238 ADS_STATUS rc;
2239 const char *ldap_exp;
2240 const char **attrs;
2241 LDAPMessage *res = NULL;
2243 if (argc < 1 || c->display_usage) {
2244 return net_ads_search_usage(c, argc, argv);
2247 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2248 return -1;
2251 ldap_exp = argv[0];
2252 attrs = (argv + 1);
2254 rc = ads_do_search_all(ads, ads->config.bind_path,
2255 LDAP_SCOPE_SUBTREE,
2256 ldap_exp, attrs, &res);
2257 if (!ADS_ERR_OK(rc)) {
2258 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2259 ads_destroy(&ads);
2260 return -1;
2263 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2265 /* dump the results */
2266 ads_dump(ads, res);
2268 ads_msgfree(ads, res);
2269 ads_destroy(&ads);
2271 return 0;
2276 help for net ads search
2278 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2280 d_printf(_(
2281 "\nnet ads dn <dn> <attributes...>\n"
2282 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2283 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2284 "to show in the results\n\n"
2285 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2286 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2288 net_common_flags_usage(c, argc, argv);
2289 return -1;
2294 general ADS search function. Useful in diagnosing problems in ADS
2296 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2298 ADS_STRUCT *ads;
2299 ADS_STATUS rc;
2300 const char *dn;
2301 const char **attrs;
2302 LDAPMessage *res = NULL;
2304 if (argc < 1 || c->display_usage) {
2305 return net_ads_dn_usage(c, argc, argv);
2308 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2309 return -1;
2312 dn = argv[0];
2313 attrs = (argv + 1);
2315 rc = ads_do_search_all(ads, dn,
2316 LDAP_SCOPE_BASE,
2317 "(objectclass=*)", attrs, &res);
2318 if (!ADS_ERR_OK(rc)) {
2319 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2320 ads_destroy(&ads);
2321 return -1;
2324 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2326 /* dump the results */
2327 ads_dump(ads, res);
2329 ads_msgfree(ads, res);
2330 ads_destroy(&ads);
2332 return 0;
2336 help for net ads sid search
2338 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2340 d_printf(_(
2341 "\nnet ads sid <sid> <attributes...>\n"
2342 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2343 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2344 "to show in the results\n\n"
2345 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2347 net_common_flags_usage(c, argc, argv);
2348 return -1;
2353 general ADS search function. Useful in diagnosing problems in ADS
2355 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2357 ADS_STRUCT *ads;
2358 ADS_STATUS rc;
2359 const char *sid_string;
2360 const char **attrs;
2361 LDAPMessage *res = NULL;
2362 struct dom_sid sid;
2364 if (argc < 1 || c->display_usage) {
2365 return net_ads_sid_usage(c, argc, argv);
2368 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2369 return -1;
2372 sid_string = argv[0];
2373 attrs = (argv + 1);
2375 if (!string_to_sid(&sid, sid_string)) {
2376 d_fprintf(stderr, _("could not convert sid\n"));
2377 ads_destroy(&ads);
2378 return -1;
2381 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2382 if (!ADS_ERR_OK(rc)) {
2383 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2384 ads_destroy(&ads);
2385 return -1;
2388 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2390 /* dump the results */
2391 ads_dump(ads, res);
2393 ads_msgfree(ads, res);
2394 ads_destroy(&ads);
2396 return 0;
2399 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2401 int ret;
2402 ADS_STRUCT *ads;
2404 if (c->display_usage) {
2405 d_printf( "%s\n"
2406 "net ads keytab flush\n"
2407 " %s\n",
2408 _("Usage:"),
2409 _("Delete the whole keytab"));
2410 return 0;
2413 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2414 return -1;
2416 ret = ads_keytab_flush(ads);
2417 ads_destroy(&ads);
2418 return ret;
2421 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2423 int i;
2424 int ret = 0;
2425 ADS_STRUCT *ads;
2427 if (c->display_usage) {
2428 d_printf("%s\n%s",
2429 _("Usage:"),
2430 _("net ads keytab add <principal> [principal ...]\n"
2431 " Add principals to local keytab\n"
2432 " principal\tKerberos principal to add to "
2433 "keytab\n"));
2434 return 0;
2437 d_printf(_("Processing principals to add...\n"));
2438 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2439 return -1;
2441 for (i = 0; i < argc; i++) {
2442 ret |= ads_keytab_add_entry(ads, argv[i]);
2444 ads_destroy(&ads);
2445 return ret;
2448 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2450 ADS_STRUCT *ads;
2451 int ret;
2453 if (c->display_usage) {
2454 d_printf( "%s\n"
2455 "net ads keytab create\n"
2456 " %s\n",
2457 _("Usage:"),
2458 _("Create new default keytab"));
2459 return 0;
2462 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2463 return -1;
2465 ret = ads_keytab_create_default(ads);
2466 ads_destroy(&ads);
2467 return ret;
2470 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2472 const char *keytab = NULL;
2474 if (c->display_usage) {
2475 d_printf("%s\n%s",
2476 _("Usage:"),
2477 _("net ads keytab list [keytab]\n"
2478 " List a local keytab\n"
2479 " keytab\tKeytab to list\n"));
2480 return 0;
2483 if (argc >= 1) {
2484 keytab = argv[0];
2487 return ads_keytab_list(keytab);
2491 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2493 struct functable func[] = {
2495 "add",
2496 net_ads_keytab_add,
2497 NET_TRANSPORT_ADS,
2498 N_("Add a service principal"),
2499 N_("net ads keytab add\n"
2500 " Add a service principal")
2503 "create",
2504 net_ads_keytab_create,
2505 NET_TRANSPORT_ADS,
2506 N_("Create a fresh keytab"),
2507 N_("net ads keytab create\n"
2508 " Create a fresh keytab")
2511 "flush",
2512 net_ads_keytab_flush,
2513 NET_TRANSPORT_ADS,
2514 N_("Remove all keytab entries"),
2515 N_("net ads keytab flush\n"
2516 " Remove all keytab entries")
2519 "list",
2520 net_ads_keytab_list,
2521 NET_TRANSPORT_ADS,
2522 N_("List a keytab"),
2523 N_("net ads keytab list\n"
2524 " List a keytab")
2526 {NULL, NULL, 0, NULL, NULL}
2529 if (!USE_KERBEROS_KEYTAB) {
2530 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2531 "keytab method to use keytab functions.\n"));
2534 return net_run_function(c, argc, argv, "net ads keytab", func);
2537 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2539 int ret = -1;
2541 if (c->display_usage) {
2542 d_printf( "%s\n"
2543 "net ads kerberos renew\n"
2544 " %s\n",
2545 _("Usage:"),
2546 _("Renew TGT from existing credential cache"));
2547 return 0;
2550 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2551 if (ret) {
2552 d_printf(_("failed to renew kerberos ticket: %s\n"),
2553 error_message(ret));
2555 return ret;
2558 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2560 struct PAC_LOGON_INFO *info = NULL;
2561 TALLOC_CTX *mem_ctx = NULL;
2562 NTSTATUS status;
2563 int ret = -1;
2564 const char *impersonate_princ_s = NULL;
2566 if (c->display_usage) {
2567 d_printf( "%s\n"
2568 "net ads kerberos pac\n"
2569 " %s\n",
2570 _("Usage:"),
2571 _("Dump the Kerberos PAC"));
2572 return 0;
2575 mem_ctx = talloc_init("net_ads_kerberos_pac");
2576 if (!mem_ctx) {
2577 goto out;
2580 if (argc > 0) {
2581 impersonate_princ_s = argv[0];
2584 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2586 status = kerberos_return_pac(mem_ctx,
2587 c->opt_user_name,
2588 c->opt_password,
2590 NULL,
2591 NULL,
2592 NULL,
2593 true,
2594 true,
2595 2592000, /* one month */
2596 impersonate_princ_s,
2597 &info);
2598 if (!NT_STATUS_IS_OK(status)) {
2599 d_printf(_("failed to query kerberos PAC: %s\n"),
2600 nt_errstr(status));
2601 goto out;
2604 if (info) {
2605 const char *s;
2606 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2607 d_printf(_("The Pac: %s\n"), s);
2610 ret = 0;
2611 out:
2612 TALLOC_FREE(mem_ctx);
2613 return ret;
2616 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2618 TALLOC_CTX *mem_ctx = NULL;
2619 int ret = -1;
2620 NTSTATUS status;
2622 if (c->display_usage) {
2623 d_printf( "%s\n"
2624 "net ads kerberos kinit\n"
2625 " %s\n",
2626 _("Usage:"),
2627 _("Get Ticket Granting Ticket (TGT) for the user"));
2628 return 0;
2631 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2632 if (!mem_ctx) {
2633 goto out;
2636 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2638 ret = kerberos_kinit_password_ext(c->opt_user_name,
2639 c->opt_password,
2641 NULL,
2642 NULL,
2643 NULL,
2644 true,
2645 true,
2646 2592000, /* one month */
2647 &status);
2648 if (ret) {
2649 d_printf(_("failed to kinit password: %s\n"),
2650 nt_errstr(status));
2652 out:
2653 return ret;
2656 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2658 struct functable func[] = {
2660 "kinit",
2661 net_ads_kerberos_kinit,
2662 NET_TRANSPORT_ADS,
2663 N_("Retrieve Ticket Granting Ticket (TGT)"),
2664 N_("net ads kerberos kinit\n"
2665 " Receive Ticket Granting Ticket (TGT)")
2668 "renew",
2669 net_ads_kerberos_renew,
2670 NET_TRANSPORT_ADS,
2671 N_("Renew Ticket Granting Ticket from credential cache"),
2672 N_("net ads kerberos renew\n"
2673 " Renew Ticket Granting Ticket (TGT) from "
2674 "credential cache")
2677 "pac",
2678 net_ads_kerberos_pac,
2679 NET_TRANSPORT_ADS,
2680 N_("Dump Kerberos PAC"),
2681 N_("net ads kerberos pac\n"
2682 " Dump Kerberos PAC")
2684 {NULL, NULL, 0, NULL, NULL}
2687 return net_run_function(c, argc, argv, "net ads kerberos", func);
2690 int net_ads(struct net_context *c, int argc, const char **argv)
2692 struct functable func[] = {
2694 "info",
2695 net_ads_info,
2696 NET_TRANSPORT_ADS,
2697 N_("Display details on remote ADS server"),
2698 N_("net ads info\n"
2699 " Display details on remote ADS server")
2702 "join",
2703 net_ads_join,
2704 NET_TRANSPORT_ADS,
2705 N_("Join the local machine to ADS realm"),
2706 N_("net ads join\n"
2707 " Join the local machine to ADS realm")
2710 "testjoin",
2711 net_ads_testjoin,
2712 NET_TRANSPORT_ADS,
2713 N_("Validate machine account"),
2714 N_("net ads testjoin\n"
2715 " Validate machine account")
2718 "leave",
2719 net_ads_leave,
2720 NET_TRANSPORT_ADS,
2721 N_("Remove the local machine from ADS"),
2722 N_("net ads leave\n"
2723 " Remove the local machine from ADS")
2726 "status",
2727 net_ads_status,
2728 NET_TRANSPORT_ADS,
2729 N_("Display machine account details"),
2730 N_("net ads status\n"
2731 " Display machine account details")
2734 "user",
2735 net_ads_user,
2736 NET_TRANSPORT_ADS,
2737 N_("List/modify users"),
2738 N_("net ads user\n"
2739 " List/modify users")
2742 "group",
2743 net_ads_group,
2744 NET_TRANSPORT_ADS,
2745 N_("List/modify groups"),
2746 N_("net ads group\n"
2747 " List/modify groups")
2750 "dns",
2751 net_ads_dns,
2752 NET_TRANSPORT_ADS,
2753 N_("Issue dynamic DNS update"),
2754 N_("net ads dns\n"
2755 " Issue dynamic DNS update")
2758 "password",
2759 net_ads_password,
2760 NET_TRANSPORT_ADS,
2761 N_("Change user passwords"),
2762 N_("net ads password\n"
2763 " Change user passwords")
2766 "changetrustpw",
2767 net_ads_changetrustpw,
2768 NET_TRANSPORT_ADS,
2769 N_("Change trust account password"),
2770 N_("net ads changetrustpw\n"
2771 " Change trust account password")
2774 "printer",
2775 net_ads_printer,
2776 NET_TRANSPORT_ADS,
2777 N_("List/modify printer entries"),
2778 N_("net ads printer\n"
2779 " List/modify printer entries")
2782 "search",
2783 net_ads_search,
2784 NET_TRANSPORT_ADS,
2785 N_("Issue LDAP search using filter"),
2786 N_("net ads search\n"
2787 " Issue LDAP search using filter")
2790 "dn",
2791 net_ads_dn,
2792 NET_TRANSPORT_ADS,
2793 N_("Issue LDAP search by DN"),
2794 N_("net ads dn\n"
2795 " Issue LDAP search by DN")
2798 "sid",
2799 net_ads_sid,
2800 NET_TRANSPORT_ADS,
2801 N_("Issue LDAP search by SID"),
2802 N_("net ads sid\n"
2803 " Issue LDAP search by SID")
2806 "workgroup",
2807 net_ads_workgroup,
2808 NET_TRANSPORT_ADS,
2809 N_("Display workgroup name"),
2810 N_("net ads workgroup\n"
2811 " Display the workgroup name")
2814 "lookup",
2815 net_ads_lookup,
2816 NET_TRANSPORT_ADS,
2817 N_("Perfom CLDAP query on DC"),
2818 N_("net ads lookup\n"
2819 " Find the ADS DC using CLDAP lookups")
2822 "keytab",
2823 net_ads_keytab,
2824 NET_TRANSPORT_ADS,
2825 N_("Manage local keytab file"),
2826 N_("net ads keytab\n"
2827 " Manage local keytab file")
2830 "gpo",
2831 net_ads_gpo,
2832 NET_TRANSPORT_ADS,
2833 N_("Manage group policy objects"),
2834 N_("net ads gpo\n"
2835 " Manage group policy objects")
2838 "kerberos",
2839 net_ads_kerberos,
2840 NET_TRANSPORT_ADS,
2841 N_("Manage kerberos keytab"),
2842 N_("net ads kerberos\n"
2843 " Manage kerberos keytab")
2845 {NULL, NULL, 0, NULL, NULL}
2848 return net_run_function(c, argc, argv, "net ads", func);
2851 #else
2853 static int net_ads_noads(void)
2855 d_fprintf(stderr, _("ADS support not compiled in\n"));
2856 return -1;
2859 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2861 return net_ads_noads();
2864 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2866 return net_ads_noads();
2869 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2871 return net_ads_noads();
2874 int net_ads_join(struct net_context *c, int argc, const char **argv)
2876 return net_ads_noads();
2879 int net_ads_user(struct net_context *c, int argc, const char **argv)
2881 return net_ads_noads();
2884 int net_ads_group(struct net_context *c, int argc, const char **argv)
2886 return net_ads_noads();
2889 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
2891 return net_ads_noads();
2894 /* this one shouldn't display a message */
2895 int net_ads_check(struct net_context *c)
2897 return -1;
2900 int net_ads_check_our_domain(struct net_context *c)
2902 return -1;
2905 int net_ads(struct net_context *c, int argc, const char **argv)
2907 return net_ads_noads();
2910 #endif /* HAVE_ADS */