search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:net: disable dynamic dns updates at the end of "net ads join" in a cluster (bug...
[Samba.git] / source3 / utils / net_ads.c
blob8c04eda788882617a4418ef25e4aadbd28851080
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
28
29 #ifdef HAVE_ADS
30
31 /* when we do not have sufficient input parameters to contact a remote domain
32 * we always fall back to our own realm - Guenther*/
33
34 static const char *assume_own_realm(struct net_context *c)
35 {
36 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
37 return lp_realm();
38 }
39
40 return NULL;
41 }
42
43 /*
44 do a cldap netlogon query
45 */
46 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
47 {
48 char addr[INET6_ADDRSTRLEN];
49 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
50
51 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
52 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
53 d_fprintf(stderr, _("CLDAP query failed!\n"));
54 return -1;
55 }
56
57 d_printf(_("Information for Domain Controller: %s\n\n"),
58 addr);
59
60 d_printf(_("Response Type: "));
61 switch (reply.command) {
62 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
63 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
64 break;
65 case LOGON_SAM_LOGON_RESPONSE_EX:
66 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
67 break;
68 default:
69 d_printf("0x%x\n", reply.command);
70 break;
71 }
72
73 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
74
75 d_printf(_("Flags:\n"
76 "\tIs a PDC: %s\n"
77 "\tIs a GC of the forest: %s\n"
78 "\tIs an LDAP server: %s\n"
79 "\tSupports DS: %s\n"
80 "\tIs running a KDC: %s\n"
81 "\tIs running time services: %s\n"
82 "\tIs the closest DC: %s\n"
83 "\tIs writable: %s\n"
84 "\tHas a hardware clock: %s\n"
85 "\tIs a non-domain NC serviced by LDAP server: %s\n"
86 "\tIs NT6 DC that has some secrets: %s\n"
87 "\tIs NT6 DC that has all secrets: %s\n"),
88 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
89 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
90 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
91 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
92 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
93 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
94 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
95 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
96 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
97 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
98 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
100
101
102 printf(_("Forest:\t\t\t%s\n"), reply.forest);
103 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
104 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
105
106 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain);
107 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
108
109 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
110
111 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
112 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
113
114 d_printf(_("NT Version: %d\n"), reply.nt_version);
115 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
116 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
117
118 return 0;
119 }
120
121 /*
122 this implements the CLDAP based netlogon lookup requests
123 for finding the domain controller of a ADS domain
124 */
125 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
126 {
127 ADS_STRUCT *ads;
128 int ret;
129
130 if (c->display_usage) {
131 d_printf("%s\n"
132 "net ads lookup\n"
133 " %s",
134 _("Usage:"),
135 _("Find the ADS DC using CLDAP lookup.\n"));
136 return 0;
137 }
138
139 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
140 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
141 ads_destroy(&ads);
142 return -1;
143 }
144
145 if (!ads->config.realm) {
146 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
147 ads->ldap.port = 389;
148 }
149
150 ret = net_ads_cldap_netlogon(c, ads);
151 ads_destroy(&ads);
152 return ret;
153 }
154
155
156
157 static int net_ads_info(struct net_context *c, int argc, const char **argv)
158 {
159 ADS_STRUCT *ads;
160 char addr[INET6_ADDRSTRLEN];
161
162 if (c->display_usage) {
163 d_printf("%s\n"
164 "net ads info\n"
165 " %s",
166 _("Usage:"),
167 _("Display information about an Active Directory "
168 "server.\n"));
169 return 0;
170 }
171
172 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
173 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
174 return -1;
175 }
176
177 if (!ads || !ads->config.realm) {
178 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
179 ads_destroy(&ads);
180 return -1;
181 }
182
183 /* Try to set the server's current time since we didn't do a full
184 TCP LDAP session initially */
185
186 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
187 d_fprintf( stderr, _("Failed to get server's current time!\n"));
188 }
189
190 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
191
192 d_printf(_("LDAP server: %s\n"), addr);
193 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
194 d_printf(_("Realm: %s\n"), ads->config.realm);
195 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
196 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
197 d_printf(_("Server time: %s\n"),
198 http_timestring(talloc_tos(), ads->config.current_time));
199
200 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
201 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
202
203 ads_destroy(&ads);
204 return 0;
205 }
206
207 static void use_in_memory_ccache(void) {
208 /* Use in-memory credentials cache so we do not interfere with
209 * existing credentials */
210 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
211 }
212
213 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
214 uint32 auth_flags, ADS_STRUCT **ads_ret)
215 {
216 ADS_STRUCT *ads = NULL;
217 ADS_STATUS status;
218 bool need_password = false;
219 bool second_time = false;
220 char *cp;
221 const char *realm = NULL;
222 bool tried_closest_dc = false;
223
224 /* lp_realm() should be handled by a command line param,
225 However, the join requires that realm be set in smb.conf
226 and compares our realm with the remote server's so this is
227 ok until someone needs more flexibility */
228
229 *ads_ret = NULL;
230
231 retry_connect:
232 if (only_own_domain) {
233 realm = lp_realm();
234 } else {
235 realm = assume_own_realm(c);
236 }
237
238 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
239
240 if (!c->opt_user_name) {
241 c->opt_user_name = "administrator";
242 }
243
244 if (c->opt_user_specified) {
245 need_password = true;
246 }
247
248 retry:
249 if (!c->opt_password && need_password && !c->opt_machine_pass) {
250 c->opt_password = net_prompt_pass(c, c->opt_user_name);
251 if (!c->opt_password) {
252 ads_destroy(&ads);
253 return ADS_ERROR(LDAP_NO_MEMORY);
254 }
255 }
256
257 if (c->opt_password) {
258 use_in_memory_ccache();
259 SAFE_FREE(ads->auth.password);
260 ads->auth.password = smb_xstrdup(c->opt_password);
261 }
262
263 ads->auth.flags |= auth_flags;
264 SAFE_FREE(ads->auth.user_name);
265 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
266
267 /*
268 * If the username is of the form "name@realm",
269 * extract the realm and convert to upper case.
270 * This is only used to establish the connection.
271 */
272 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
273 *cp++ = '\0';
274 SAFE_FREE(ads->auth.realm);
275 ads->auth.realm = smb_xstrdup(cp);
276 strupper_m(ads->auth.realm);
277 }
278
279 status = ads_connect(ads);
280
281 if (!ADS_ERR_OK(status)) {
282
283 if (NT_STATUS_EQUAL(ads_ntstatus(status),
284 NT_STATUS_NO_LOGON_SERVERS)) {
285 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
286 ads_destroy(&ads);
287 return status;
288 }
289
290 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
291 need_password = true;
292 second_time = true;
293 goto retry;
294 } else {
295 ads_destroy(&ads);
296 return status;
297 }
298 }
299
300 /* when contacting our own domain, make sure we use the closest DC.
301 * This is done by reconnecting to ADS because only the first call to
302 * ads_connect will give us our own sitename */
303
304 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
305
306 tried_closest_dc = true; /* avoid loop */
307
308 if (!ads_closest_dc(ads)) {
309
310 namecache_delete(ads->server.realm, 0x1C);
311 namecache_delete(ads->server.workgroup, 0x1C);
312
313 ads_destroy(&ads);
314 ads = NULL;
315
316 goto retry_connect;
317 }
318 }
319
320 *ads_ret = ads;
321 return status;
322 }
323
324 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
325 {
326 return ads_startup_int(c, only_own_domain, 0, ads);
327 }
328
329 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
330 {
331 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
332 }
333
334 /*
335 Check to see if connection can be made via ads.
336 ads_startup() stores the password in opt_password if it needs to so
337 that rpc or rap can use it without re-prompting.
338 */
339 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
340 {
341 ADS_STRUCT *ads;
342 ADS_STATUS status;
343
344 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
345 return -1;
346 }
347
348 ads->auth.flags |= ADS_AUTH_NO_BIND;
349
350 status = ads_connect(ads);
351 if ( !ADS_ERR_OK(status) ) {
352 return -1;
353 }
354
355 ads_destroy(&ads);
356 return 0;
357 }
358
359 int net_ads_check_our_domain(struct net_context *c)
360 {
361 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
362 }
363
364 int net_ads_check(struct net_context *c)
365 {
366 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
367 }
368
369 /*
370 determine the netbios workgroup name for a domain
371 */
372 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
373 {
374 ADS_STRUCT *ads;
375 char addr[INET6_ADDRSTRLEN];
376 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
377
378 if (c->display_usage) {
379 d_printf ("%s\n"
380 "net ads workgroup\n"
381 " %s\n",
382 _("Usage:"),
383 _("Print the workgroup name"));
384 return 0;
385 }
386
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
389 return -1;
390 }
391
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
395 }
396
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, _("CLDAP query failed!\n"));
400 ads_destroy(&ads);
401 return -1;
402 }
403
404 d_printf(_("Workgroup: %s\n"), reply.domain);
405
406 ads_destroy(&ads);
407
408 return 0;
409 }
410
411
412
413 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
414 {
415 char **disp_fields = (char **) data_area;
416
417 if (!field) { /* must be end of record */
418 if (disp_fields[0]) {
419 if (!strchr_m(disp_fields[0], '$')) {
420 if (disp_fields[1])
421 d_printf("%-21.21s %s\n",
422 disp_fields[0], disp_fields[1]);
423 else
424 d_printf("%s\n", disp_fields[0]);
425 }
426 }
427 SAFE_FREE(disp_fields[0]);
428 SAFE_FREE(disp_fields[1]);
429 return true;
430 }
431 if (!values) /* must be new field, indicate string field */
432 return true;
433 if (StrCaseCmp(field, "sAMAccountName") == 0) {
434 disp_fields[0] = SMB_STRDUP((char *) values[0]);
435 }
436 if (StrCaseCmp(field, "description") == 0)
437 disp_fields[1] = SMB_STRDUP((char *) values[0]);
438 return true;
439 }
440
441 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
442 {
443 return net_user_usage(c, argc, argv);
444 }
445
446 static int ads_user_add(struct net_context *c, int argc, const char **argv)
447 {
448 ADS_STRUCT *ads;
449 ADS_STATUS status;
450 char *upn, *userdn;
451 LDAPMessage *res=NULL;
452 int rc = -1;
453 char *ou_str = NULL;
454
455 if (argc < 1 || c->display_usage)
456 return net_ads_user_usage(c, argc, argv);
457
458 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
459 return -1;
460 }
461
462 status = ads_find_user_acct(ads, &res, argv[0]);
463
464 if (!ADS_ERR_OK(status)) {
465 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
466 goto done;
467 }
468
469 if (ads_count_replies(ads, res)) {
470 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
471 argv[0]);
472 goto done;
473 }
474
475 if (c->opt_container) {
476 ou_str = SMB_STRDUP(c->opt_container);
477 } else {
478 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
479 }
480
481 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
482
483 if (!ADS_ERR_OK(status)) {
484 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
485 ads_errstr(status));
486 goto done;
487 }
488
489 /* if no password is to be set, we're done */
490 if (argc == 1) {
491 d_printf(_("User %s added\n"), argv[0]);
492 rc = 0;
493 goto done;
494 }
495
496 /* try setting the password */
497 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
498 goto done;
499 }
500 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
501 ads->auth.time_offset);
502 SAFE_FREE(upn);
503 if (ADS_ERR_OK(status)) {
504 d_printf(_("User %s added\n"), argv[0]);
505 rc = 0;
506 goto done;
507 }
508
509 /* password didn't set, delete account */
510 d_fprintf(stderr, _("Could not add user %s. "
511 "Error setting password %s\n"),
512 argv[0], ads_errstr(status));
513 ads_msgfree(ads, res);
514 status=ads_find_user_acct(ads, &res, argv[0]);
515 if (ADS_ERR_OK(status)) {
516 userdn = ads_get_dn(ads, talloc_tos(), res);
517 ads_del_dn(ads, userdn);
518 TALLOC_FREE(userdn);
519 }
520
521 done:
522 if (res)
523 ads_msgfree(ads, res);
524 ads_destroy(&ads);
525 SAFE_FREE(ou_str);
526 return rc;
527 }
528
529 static int ads_user_info(struct net_context *c, int argc, const char **argv)
530 {
531 ADS_STRUCT *ads = NULL;
532 ADS_STATUS rc;
533 LDAPMessage *res = NULL;
534 TALLOC_CTX *frame;
535 int ret = 0;
536 wbcErr wbc_status;
537 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
538 char *searchstring=NULL;
539 char **grouplist;
540 char *primary_group;
541 char *escaped_user;
542 DOM_SID primary_group_sid;
543 uint32_t group_rid;
544 enum wbcSidType type;
545
546 if (argc < 1 || c->display_usage) {
547 return net_ads_user_usage(c, argc, argv);
548 }
549
550 frame = talloc_new(talloc_tos());
551 if (frame == NULL) {
552 return -1;
553 }
554
555 escaped_user = escape_ldap_string(frame, argv[0]);
556 if (!escaped_user) {
557 d_fprintf(stderr,
558 _("ads_user_info: failed to escape user %s\n"),
559 argv[0]);
560 return -1;
561 }
562
563 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
564 ret = -1;
565 goto error;
566 }
567
568 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
569 ret =-1;
570 goto error;
571 }
572 rc = ads_search(ads, &res, searchstring, attrs);
573 SAFE_FREE(searchstring);
574
575 if (!ADS_ERR_OK(rc)) {
576 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
577 ret = -1;
578 goto error;
579 }
580
581 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
582 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
583 ret = -1;
584 goto error;
585 }
586
587 rc = ads_domain_sid(ads, &primary_group_sid);
588 if (!ADS_ERR_OK(rc)) {
589 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
590 ret = -1;
591 goto error;
592 }
593
594 sid_append_rid(&primary_group_sid, group_rid);
595
596 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
597 NULL, /* don't look up domain */
598 &primary_group,
599 &type);
600 if (!WBC_ERROR_IS_OK(wbc_status)) {
601 d_fprintf(stderr, "wbcLookupSid: %s\n",
602 wbcErrorString(wbc_status));
603 ret = -1;
604 goto error;
605 }
606
607 d_printf("%s\n", primary_group);
608
609 wbcFreeMemory(primary_group);
610
611 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
612 (LDAPMessage *)res, "memberOf");
613
614 if (grouplist) {
615 int i;
616 char **groupname;
617 for (i=0;grouplist[i];i++) {
618 groupname = ldap_explode_dn(grouplist[i], 1);
619 d_printf("%s\n", groupname[0]);
620 ldap_value_free(groupname);
621 }
622 ldap_value_free(grouplist);
623 }
624
625 error:
626 if (res) ads_msgfree(ads, res);
627 if (ads) ads_destroy(&ads);
628 TALLOC_FREE(frame);
629 return ret;
630 }
631
632 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
633 {
634 ADS_STRUCT *ads;
635 ADS_STATUS rc;
636 LDAPMessage *res = NULL;
637 char *userdn;
638
639 if (argc < 1) {
640 return net_ads_user_usage(c, argc, argv);
641 }
642
643 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
644 return -1;
645 }
646
647 rc = ads_find_user_acct(ads, &res, argv[0]);
648 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
649 d_printf(_("User %s does not exist.\n"), argv[0]);
650 ads_msgfree(ads, res);
651 ads_destroy(&ads);
652 return -1;
653 }
654 userdn = ads_get_dn(ads, talloc_tos(), res);
655 ads_msgfree(ads, res);
656 rc = ads_del_dn(ads, userdn);
657 TALLOC_FREE(userdn);
658 if (ADS_ERR_OK(rc)) {
659 d_printf(_("User %s deleted\n"), argv[0]);
660 ads_destroy(&ads);
661 return 0;
662 }
663 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
664 ads_errstr(rc));
665 ads_destroy(&ads);
666 return -1;
667 }
668
669 int net_ads_user(struct net_context *c, int argc, const char **argv)
670 {
671 struct functable func[] = {
672 {
673 "add",
674 ads_user_add,
675 NET_TRANSPORT_ADS,
676 N_("Add an AD user"),
677 N_("net ads user add\n"
678 " Add an AD user")
679 },
680 {
681 "info",
682 ads_user_info,
683 NET_TRANSPORT_ADS,
684 N_("Display information about an AD user"),
685 N_("net ads user info\n"
686 " Display information about an AD user")
687 },
688 {
689 "delete",
690 ads_user_delete,
691 NET_TRANSPORT_ADS,
692 N_("Delete an AD user"),
693 N_("net ads user delete\n"
694 " Delete an AD user")
695 },
696 {NULL, NULL, 0, NULL, NULL}
697 };
698 ADS_STRUCT *ads;
699 ADS_STATUS rc;
700 const char *shortattrs[] = {"sAMAccountName", NULL};
701 const char *longattrs[] = {"sAMAccountName", "description", NULL};
702 char *disp_fields[2] = {NULL, NULL};
703
704 if (argc == 0) {
705 if (c->display_usage) {
706 d_printf( "%s\n"
707 "net ads user\n"
708 " %s\n",
709 _("Usage:"),
710 _("List AD users"));
711 net_display_usage_from_functable(func);
712 return 0;
713 }
714
715 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
716 return -1;
717 }
718
719 if (c->opt_long_list_entries)
720 d_printf(_("\nUser name Comment"
721 "\n-----------------------------\n"));
722
723 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
724 LDAP_SCOPE_SUBTREE,
725 "(objectCategory=user)",
726 c->opt_long_list_entries ? longattrs :
727 shortattrs, usergrp_display,
728 disp_fields);
729 ads_destroy(&ads);
730 return ADS_ERR_OK(rc) ? 0 : -1;
731 }
732
733 return net_run_function(c, argc, argv, "net ads user", func);
734 }
735
736 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
737 {
738 return net_group_usage(c, argc, argv);
739 }
740
741 static int ads_group_add(struct net_context *c, int argc, const char **argv)
742 {
743 ADS_STRUCT *ads;
744 ADS_STATUS status;
745 LDAPMessage *res=NULL;
746 int rc = -1;
747 char *ou_str = NULL;
748
749 if (argc < 1 || c->display_usage) {
750 return net_ads_group_usage(c, argc, argv);
751 }
752
753 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
754 return -1;
755 }
756
757 status = ads_find_user_acct(ads, &res, argv[0]);
758
759 if (!ADS_ERR_OK(status)) {
760 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
761 goto done;
762 }
763
764 if (ads_count_replies(ads, res)) {
765 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
766 goto done;
767 }
768
769 if (c->opt_container) {
770 ou_str = SMB_STRDUP(c->opt_container);
771 } else {
772 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
773 }
774
775 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
776
777 if (ADS_ERR_OK(status)) {
778 d_printf(_("Group %s added\n"), argv[0]);
779 rc = 0;
780 } else {
781 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
782 ads_errstr(status));
783 }
784
785 done:
786 if (res)
787 ads_msgfree(ads, res);
788 ads_destroy(&ads);
789 SAFE_FREE(ou_str);
790 return rc;
791 }
792
793 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
794 {
795 ADS_STRUCT *ads;
796 ADS_STATUS rc;
797 LDAPMessage *res = NULL;
798 char *groupdn;
799
800 if (argc < 1 || c->display_usage) {
801 return net_ads_group_usage(c, argc, argv);
802 }
803
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
805 return -1;
806 }
807
808 rc = ads_find_user_acct(ads, &res, argv[0]);
809 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
810 d_printf(_("Group %s does not exist.\n"), argv[0]);
811 ads_msgfree(ads, res);
812 ads_destroy(&ads);
813 return -1;
814 }
815 groupdn = ads_get_dn(ads, talloc_tos(), res);
816 ads_msgfree(ads, res);
817 rc = ads_del_dn(ads, groupdn);
818 TALLOC_FREE(groupdn);
819 if (ADS_ERR_OK(rc)) {
820 d_printf(_("Group %s deleted\n"), argv[0]);
821 ads_destroy(&ads);
822 return 0;
823 }
824 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
825 ads_errstr(rc));
826 ads_destroy(&ads);
827 return -1;
828 }
829
830 int net_ads_group(struct net_context *c, int argc, const char **argv)
831 {
832 struct functable func[] = {
833 {
834 "add",
835 ads_group_add,
836 NET_TRANSPORT_ADS,
837 N_("Add an AD group"),
838 N_("net ads group add\n"
839 " Add an AD group")
840 },
841 {
842 "delete",
843 ads_group_delete,
844 NET_TRANSPORT_ADS,
845 N_("Delete an AD group"),
846 N_("net ads group delete\n"
847 " Delete an AD group")
848 },
849 {NULL, NULL, 0, NULL, NULL}
850 };
851 ADS_STRUCT *ads;
852 ADS_STATUS rc;
853 const char *shortattrs[] = {"sAMAccountName", NULL};
854 const char *longattrs[] = {"sAMAccountName", "description", NULL};
855 char *disp_fields[2] = {NULL, NULL};
856
857 if (argc == 0) {
858 if (c->display_usage) {
859 d_printf( "%s\n"
860 "net ads group\n"
861 " %s\n",
862 _("Usage:"),
863 _("List AD groups"));
864 net_display_usage_from_functable(func);
865 return 0;
866 }
867
868 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
869 return -1;
870 }
871
872 if (c->opt_long_list_entries)
873 d_printf(_("\nGroup name Comment"
874 "\n-----------------------------\n"));
875 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
876 LDAP_SCOPE_SUBTREE,
877 "(objectCategory=group)",
878 c->opt_long_list_entries ? longattrs :
879 shortattrs, usergrp_display,
880 disp_fields);
881
882 ads_destroy(&ads);
883 return ADS_ERR_OK(rc) ? 0 : -1;
884 }
885 return net_run_function(c, argc, argv, "net ads group", func);
886 }
887
888 static int net_ads_status(struct net_context *c, int argc, const char **argv)
889 {
890 ADS_STRUCT *ads;
891 ADS_STATUS rc;
892 LDAPMessage *res;
893
894 if (c->display_usage) {
895 d_printf( "%s\n"
896 "net ads status\n"
897 " %s\n",
898 _("Usage:"),
899 _("Display machine account details"));
900 return 0;
901 }
902
903 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
904 return -1;
905 }
906
907 rc = ads_find_machine_acct(ads, &res, global_myname());
908 if (!ADS_ERR_OK(rc)) {
909 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
910 ads_destroy(&ads);
911 return -1;
912 }
913
914 if (ads_count_replies(ads, res) == 0) {
915 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
916 ads_destroy(&ads);
917 return -1;
918 }
919
920 ads_dump(ads, res);
921 ads_destroy(&ads);
922 return 0;
923 }
924
925 /*******************************************************************
926 Leave an AD domain. Windows XP disables the machine account.
927 We'll try the same. The old code would do an LDAP delete.
928 That only worked using the machine creds because added the machine
929 with full control to the computer object's ACL.
930 *******************************************************************/
931
932 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
933 {
934 TALLOC_CTX *ctx;
935 struct libnet_UnjoinCtx *r = NULL;
936 WERROR werr;
937
938 if (c->display_usage) {
939 d_printf( "%s\n"
940 "net ads leave\n"
941 " %s\n",
942 _("Usage:"),
943 _("Leave an AD domain"));
944 return 0;
945 }
946
947 if (!*lp_realm()) {
948 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
949 return -1;
950 }
951
952 if (!(ctx = talloc_init("net_ads_leave"))) {
953 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
954 return -1;
955 }
956
957 if (!c->opt_kerberos) {
958 use_in_memory_ccache();
959 }
960
961 werr = libnet_init_UnjoinCtx(ctx, &r);
962 if (!W_ERROR_IS_OK(werr)) {
963 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
964 return -1;
965 }
966
967 r->in.debug = true;
968 r->in.use_kerberos = c->opt_kerberos;
969 r->in.dc_name = c->opt_host;
970 r->in.domain_name = lp_realm();
971 r->in.admin_account = c->opt_user_name;
972 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
973 r->in.modify_config = lp_config_backend_is_registry();
974
975 /* Try to delete it, but if that fails, disable it. The
976 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
977 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
978 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
979 r->in.delete_machine_account = true;
980
981 werr = libnet_Unjoin(ctx, r);
982 if (!W_ERROR_IS_OK(werr)) {
983 d_printf(_("Failed to leave domain: %s\n"),
984 r->out.error_string ? r->out.error_string :
985 get_friendly_werror_msg(werr));
986 goto done;
987 }
988
989 if (r->out.deleted_machine_account) {
990 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
991 r->in.machine_name, r->out.dns_domain_name);
992 goto done;
993 }
994
995 /* We couldn't delete it - see if the disable succeeded. */
996 if (r->out.disabled_machine_account) {
997 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
998 r->in.machine_name, r->out.dns_domain_name);
999 werr = WERR_OK;
1000 goto done;
1001 }
1002
1003 /* Based on what we requseted, we shouldn't get here, but if
1004 we did, it means the secrets were removed, and therefore
1005 we have left the domain */
1006 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1007 r->in.machine_name, r->out.dns_domain_name);
1008
1009 done:
1010 TALLOC_FREE(r);
1011 TALLOC_FREE(ctx);
1012
1013 if (W_ERROR_IS_OK(werr)) {
1014 return 0;
1015 }
1016
1017 return -1;
1018 }
1019
1020 static NTSTATUS net_ads_join_ok(struct net_context *c)
1021 {
1022 ADS_STRUCT *ads = NULL;
1023 ADS_STATUS status;
1024 fstring dc_name;
1025 struct sockaddr_storage dcip;
1026
1027 if (!secrets_init()) {
1028 DEBUG(1,("Failed to initialise secrets database\n"));
1029 return NT_STATUS_ACCESS_DENIED;
1030 }
1031
1032 net_use_krb_machine_account(c);
1033
1034 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1035
1036 status = ads_startup(c, true, &ads);
1037 if (!ADS_ERR_OK(status)) {
1038 return ads_ntstatus(status);
1039 }
1040
1041 ads_destroy(&ads);
1042 return NT_STATUS_OK;
1043 }
1044
1045 /*
1046 check that an existing join is OK
1047 */
1048 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1049 {
1050 NTSTATUS status;
1051 use_in_memory_ccache();
1052
1053 if (c->display_usage) {
1054 d_printf( "%s\n"
1055 "net ads testjoin\n"
1056 " %s\n",
1057 _("Usage:"),
1058 _("Test if the existing join is ok"));
1059 return 0;
1060 }
1061
1062 /* Display success or failure */
1063 status = net_ads_join_ok(c);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1066 get_friendly_nt_error_msg(status));
1067 return -1;
1068 }
1069
1070 printf(_("Join is OK\n"));
1071 return 0;
1072 }
1073
1074 /*******************************************************************
1075 Simple configu checks before beginning the join
1076 ********************************************************************/
1077
1078 static WERROR check_ads_config( void )
1079 {
1080 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1081 d_printf(_("Host is not configured as a member server.\n"));
1082 return WERR_INVALID_DOMAIN_ROLE;
1083 }
1084
1085 if (strlen(global_myname()) > 15) {
1086 d_printf(_("Our netbios name can be at most 15 chars long, "
1087 "\"%s\" is %u chars long\n"), global_myname(),
1088 (unsigned int)strlen(global_myname()));
1089 return WERR_INVALID_COMPUTERNAME;
1090 }
1091
1092 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1093 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1094 "join to succeed.\n"), get_dyn_CONFIGFILE());
1095 return WERR_INVALID_PARAM;
1096 }
1097
1098 return WERR_OK;
1099 }
1100
1101 /*******************************************************************
1102 Send a DNS update request
1103 *******************************************************************/
1104
1105 #if defined(WITH_DNS_UPDATES)
1106 #include "dns.h"
1107 DNS_ERROR DoDNSUpdate(char *pszServerName,
1108 const char *pszDomainName, const char *pszHostName,
1109 const struct sockaddr_storage *sslist,
1110 size_t num_addrs );
1111
1112 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1113 const char *machine_name,
1114 const struct sockaddr_storage *addrs,
1115 int num_addrs)
1116 {
1117 struct dns_rr_ns *nameservers = NULL;
1118 int ns_count = 0;
1119 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1120 DNS_ERROR dns_err;
1121 fstring dns_server;
1122 const char *dnsdomain = NULL;
1123 char *root_domain = NULL;
1124
1125 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1126 d_printf(_("No DNS domain configured for %s. "
1127 "Unable to perform DNS Update.\n"), machine_name);
1128 status = NT_STATUS_INVALID_PARAMETER;
1129 goto done;
1130 }
1131 dnsdomain++;
1132
1133 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1134 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1135 /* Child domains often do not have NS records. Look
1136 for the NS record for the forest root domain
1137 (rootDomainNamingContext in therootDSE) */
1138
1139 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1140 LDAPMessage *msg = NULL;
1141 char *root_dn;
1142 ADS_STATUS ads_status;
1143
1144 if ( !ads->ldap.ld ) {
1145 ads_status = ads_connect( ads );
1146 if ( !ADS_ERR_OK(ads_status) ) {
1147 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1148 goto done;
1149 }
1150 }
1151
1152 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1153 "(objectclass=*)", rootname_attrs, &msg);
1154 if (!ADS_ERR_OK(ads_status)) {
1155 goto done;
1156 }
1157
1158 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1159 if ( !root_dn ) {
1160 ads_msgfree( ads, msg );
1161 goto done;
1162 }
1163
1164 root_domain = ads_build_domain( root_dn );
1165
1166 /* cleanup */
1167 ads_msgfree( ads, msg );
1168
1169 /* try again for NS servers */
1170
1171 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1172
1173 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1174 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1175 "realm\n", ads->config.realm));
1176 goto done;
1177 }
1178
1179 dnsdomain = root_domain;
1180
1181 }
1182
1183 /* Now perform the dns update - we'll try non-secure and if we fail,
1184 we'll follow it up with a secure update */
1185
1186 fstrcpy( dns_server, nameservers[0].hostname );
1187
1188 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1189 if (!ERR_DNS_IS_OK(dns_err)) {
1190 status = NT_STATUS_UNSUCCESSFUL;
1191 }
1192
1193 done:
1194
1195 SAFE_FREE( root_domain );
1196
1197 return status;
1198 }
1199
1200 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1201 {
1202 int num_addrs;
1203 struct sockaddr_storage *iplist = NULL;
1204 fstring machine_name;
1205 NTSTATUS status;
1206
1207 if (hostname) {
1208 fstrcpy(machine_name, hostname);
1209 } else {
1210 name_to_fqdn( machine_name, global_myname() );
1211 }
1212 strlower_m( machine_name );
1213
1214 /* Get our ip address (not the 127.0.0.x address but a real ip
1215 * address) */
1216
1217 num_addrs = get_my_ip_address( &iplist );
1218 if ( num_addrs <= 0 ) {
1219 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1220 "addresses!\n"));
1221 return NT_STATUS_INVALID_PARAMETER;
1222 }
1223
1224 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1225 iplist, num_addrs);
1226 SAFE_FREE( iplist );
1227 return status;
1228 }
1229 #endif
1230
1231
1232 /*******************************************************************
1233 ********************************************************************/
1234
1235 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1236 {
1237 d_printf(_("net ads join [options]\n"
1238 "Valid options:\n"));
1239 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1240 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1241 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1242 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1243 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1244 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1245 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1246 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1247 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1248 " NB: osName and osVer must be specified together for either to take effect.\n"
1249 " Also, the operatingSystemService attribute is also set when along with\n"
1250 " the two other attributes.\n"));
1251
1252 return -1;
1253 }
1254
1255 /*******************************************************************
1256 ********************************************************************/
1257
1258 int net_ads_join(struct net_context *c, int argc, const char **argv)
1259 {
1260 TALLOC_CTX *ctx = NULL;
1261 struct libnet_JoinCtx *r = NULL;
1262 const char *domain = lp_realm();
1263 WERROR werr = WERR_SETUP_NOT_JOINED;
1264 bool createupn = false;
1265 const char *machineupn = NULL;
1266 const char *create_in_ou = NULL;
1267 int i;
1268 const char *os_name = NULL;
1269 const char *os_version = NULL;
1270 bool modify_config = lp_config_backend_is_registry();
1271
1272 if (c->display_usage)
1273 return net_ads_join_usage(c, argc, argv);
1274
1275 if (!modify_config) {
1276
1277 werr = check_ads_config();
1278 if (!W_ERROR_IS_OK(werr)) {
1279 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1280 goto fail;
1281 }
1282 }
1283
1284 if (!(ctx = talloc_init("net_ads_join"))) {
1285 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1286 werr = WERR_NOMEM;
1287 goto fail;
1288 }
1289
1290 if (!c->opt_kerberos) {
1291 use_in_memory_ccache();
1292 }
1293
1294 werr = libnet_init_JoinCtx(ctx, &r);
1295 if (!W_ERROR_IS_OK(werr)) {
1296 goto fail;
1297 }
1298
1299 /* process additional command line args */
1300
1301 for ( i=0; i<argc; i++ ) {
1302 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1303 createupn = true;
1304 machineupn = get_string_param(argv[i]);
1305 }
1306 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1307 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1308 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1309 werr = WERR_INVALID_PARAM;
1310 goto fail;
1311 }
1312 }
1313 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1314 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1315 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1316 werr = WERR_INVALID_PARAM;
1317 goto fail;
1318 }
1319 }
1320 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1321 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1322 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1323 werr = WERR_INVALID_PARAM;
1324 goto fail;
1325 }
1326 }
1327 else {
1328 domain = argv[i];
1329 }
1330 }
1331
1332 if (!*domain) {
1333 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1334 werr = WERR_INVALID_PARAM;
1335 goto fail;
1336 }
1337
1338 /* Do the domain join here */
1339
1340 r->in.domain_name = domain;
1341 r->in.create_upn = createupn;
1342 r->in.upn = machineupn;
1343 r->in.account_ou = create_in_ou;
1344 r->in.os_name = os_name;
1345 r->in.os_version = os_version;
1346 r->in.dc_name = c->opt_host;
1347 r->in.admin_account = c->opt_user_name;
1348 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1349 r->in.debug = true;
1350 r->in.use_kerberos = c->opt_kerberos;
1351 r->in.modify_config = modify_config;
1352 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1353 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1354 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1355
1356 werr = libnet_Join(ctx, r);
1357 if (!W_ERROR_IS_OK(werr)) {
1358 goto fail;
1359 }
1360
1361 /* Check the short name of the domain */
1362
1363 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1364 d_printf(_("The workgroup in %s does not match the short\n"
1365 "domain name obtained from the server.\n"
1366 "Using the name [%s] from the server.\n"
1367 "You should set \"workgroup = %s\" in %s.\n"),
1368 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1369 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1370 }
1371
1372 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1373
1374 if (r->out.dns_domain_name) {
1375 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1376 r->out.dns_domain_name);
1377 } else {
1378 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1379 r->out.netbios_domain_name);
1380 }
1381
1382 #if defined(WITH_DNS_UPDATES)
1383 /*
1384 * In a clustered environment, don't do dynamic dns updates:
1385 * Registering the set of ip addresses that are assigned to
1386 * the interfaces of the node that performs the join does usually
1387 * not have the desired effect, since the local interfaces do not
1388 * carry the complete set of the cluster's public IP addresses.
1389 * And it can also contain internal addresses that should not
1390 * be visible to the outside at all.
1391 * In order to do dns updates in a clustererd setup, use
1392 * net ads dns register.
1393 */
1394 if (lp_clustering()) {
1395 d_fprintf(stderr, _("Not doing automatic DNS update in a"
1396 "clustered setup.\n"));
1397 goto done;
1398 }
1399
1400 if (r->out.domain_is_ad) {
1401 /* We enter this block with user creds */
1402 ADS_STRUCT *ads_dns = NULL;
1403
1404 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1405 /* kinit with the machine password */
1406
1407 use_in_memory_ccache();
1408 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1409 goto fail;
1410 }
1411 ads_dns->auth.password = secrets_fetch_machine_password(
1412 r->out.netbios_domain_name, NULL, NULL );
1413 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1414 strupper_m(ads_dns->auth.realm );
1415 ads_kinit_password( ads_dns );
1416 }
1417
1418 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1419 d_fprintf( stderr, _("DNS update failed!\n") );
1420 }
1421
1422 /* exit from this block using machine creds */
1423 ads_destroy(&ads_dns);
1424 }
1425 #endif
1426
1427 done:
1428 TALLOC_FREE(r);
1429 TALLOC_FREE( ctx );
1430
1431 return 0;
1432
1433 fail:
1434 /* issue an overall failure message at the end. */
1435 d_printf(_("Failed to join domain: %s\n"),
1436 r && r->out.error_string ? r->out.error_string :
1437 get_friendly_werror_msg(werr));
1438 TALLOC_FREE( ctx );
1439
1440 return -1;
1441 }
1442
1443 /*******************************************************************
1444 ********************************************************************/
1445
1446 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1447 {
1448 #if defined(WITH_DNS_UPDATES)
1449 ADS_STRUCT *ads;
1450 ADS_STATUS status;
1451 TALLOC_CTX *ctx;
1452
1453 #ifdef DEVELOPER
1454 talloc_enable_leak_report();
1455 #endif
1456
1457 if (argc > 1 || c->display_usage) {
1458 d_printf( "%s\n"
1459 "net ads dns register [hostname]\n"
1460 " %s\n",
1461 _("Usage:"),
1462 _("Register hostname with DNS\n"));
1463 return -1;
1464 }
1465
1466 if (!(ctx = talloc_init("net_ads_dns"))) {
1467 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1468 return -1;
1469 }
1470
1471 status = ads_startup(c, true, &ads);
1472 if ( !ADS_ERR_OK(status) ) {
1473 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1474 TALLOC_FREE(ctx);
1475 return -1;
1476 }
1477
1478 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
1479 d_fprintf( stderr, _("DNS update failed!\n") );
1480 ads_destroy( &ads );
1481 TALLOC_FREE( ctx );
1482 return -1;
1483 }
1484
1485 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1486
1487 ads_destroy(&ads);
1488 TALLOC_FREE( ctx );
1489
1490 return 0;
1491 #else
1492 d_fprintf(stderr,
1493 _("DNS update support not enabled at compile time!\n"));
1494 return -1;
1495 #endif
1496 }
1497
1498 #if defined(WITH_DNS_UPDATES)
1499 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1500 #endif
1501
1502 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1503 {
1504 #if defined(WITH_DNS_UPDATES)
1505 DNS_ERROR err;
1506
1507 #ifdef DEVELOPER
1508 talloc_enable_leak_report();
1509 #endif
1510
1511 if (argc != 2 || c->display_usage) {
1512 d_printf( "%s\n"
1513 " %s\n"
1514 " %s\n",
1515 _("Usage:"),
1516 _("net ads dns gethostbyname <server> <name>\n"),
1517 _(" Look up hostname from the AD\n"
1518 " server\tName server to use\n"
1519 " name\tName to look up\n"));
1520 return -1;
1521 }
1522
1523 err = do_gethostbyname(argv[0], argv[1]);
1524
1525 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1526 #endif
1527 return 0;
1528 }
1529
1530 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1531 {
1532 struct functable func[] = {
1533 {
1534 "register",
1535 net_ads_dns_register,
1536 NET_TRANSPORT_ADS,
1537 N_("Add host dns entry to AD"),
1538 N_("net ads dns register\n"
1539 " Add host dns entry to AD")
1540 },
1541 {
1542 "gethostbyname",
1543 net_ads_dns_gethostbyname,
1544 NET_TRANSPORT_ADS,
1545 N_("Look up host"),
1546 N_("net ads dns gethostbyname\n"
1547 " Look up host")
1548 },
1549 {NULL, NULL, 0, NULL, NULL}
1550 };
1551
1552 return net_run_function(c, argc, argv, "net ads dns", func);
1553 }
1554
1555 /*******************************************************************
1556 ********************************************************************/
1557
1558 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1559 {
1560 d_printf(_(
1561 "\nnet ads printer search <printer>"
1562 "\n\tsearch for a printer in the directory\n"
1563 "\nnet ads printer info <printer> <server>"
1564 "\n\tlookup info in directory for printer on server"
1565 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1566 "\nnet ads printer publish <printername>"
1567 "\n\tpublish printer in directory"
1568 "\n\t(note: printer name is required)\n"
1569 "\nnet ads printer remove <printername>"
1570 "\n\tremove printer from directory"
1571 "\n\t(note: printer name is required)\n"));
1572 return -1;
1573 }
1574
1575 /*******************************************************************
1576 ********************************************************************/
1577
1578 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1579 {
1580 ADS_STRUCT *ads;
1581 ADS_STATUS rc;
1582 LDAPMessage *res = NULL;
1583
1584 if (c->display_usage) {
1585 d_printf( "%s\n"
1586 "net ads printer search\n"
1587 " %s\n",
1588 _("Usage:"),
1589 _("List printers in the AD"));
1590 return 0;
1591 }
1592
1593 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1594 return -1;
1595 }
1596
1597 rc = ads_find_printers(ads, &res);
1598
1599 if (!ADS_ERR_OK(rc)) {
1600 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1601 ads_msgfree(ads, res);
1602 ads_destroy(&ads);
1603 return -1;
1604 }
1605
1606 if (ads_count_replies(ads, res) == 0) {
1607 d_fprintf(stderr, _("No results found\n"));
1608 ads_msgfree(ads, res);
1609 ads_destroy(&ads);
1610 return -1;
1611 }
1612
1613 ads_dump(ads, res);
1614 ads_msgfree(ads, res);
1615 ads_destroy(&ads);
1616 return 0;
1617 }
1618
1619 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1620 {
1621 ADS_STRUCT *ads;
1622 ADS_STATUS rc;
1623 const char *servername, *printername;
1624 LDAPMessage *res = NULL;
1625
1626 if (c->display_usage) {
1627 d_printf("%s\n%s",
1628 _("Usage:"),
1629 _("net ads printer info [printername [servername]]\n"
1630 " Display printer info from AD\n"
1631 " printername\tPrinter name or wildcard\n"
1632 " servername\tName of the print server\n"));
1633 return 0;
1634 }
1635
1636 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1637 return -1;
1638 }
1639
1640 if (argc > 0) {
1641 printername = argv[0];
1642 } else {
1643 printername = "*";
1644 }
1645
1646 if (argc > 1) {
1647 servername = argv[1];
1648 } else {
1649 servername = global_myname();
1650 }
1651
1652 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1653
1654 if (!ADS_ERR_OK(rc)) {
1655 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1656 servername, ads_errstr(rc));
1657 ads_msgfree(ads, res);
1658 ads_destroy(&ads);
1659 return -1;
1660 }
1661
1662 if (ads_count_replies(ads, res) == 0) {
1663 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1664 ads_msgfree(ads, res);
1665 ads_destroy(&ads);
1666 return -1;
1667 }
1668
1669 ads_dump(ads, res);
1670 ads_msgfree(ads, res);
1671 ads_destroy(&ads);
1672
1673 return 0;
1674 }
1675
1676 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1677 {
1678 ADS_STRUCT *ads;
1679 ADS_STATUS rc;
1680 const char *servername, *printername;
1681 struct cli_state *cli = NULL;
1682 struct rpc_pipe_client *pipe_hnd = NULL;
1683 struct sockaddr_storage server_ss;
1684 NTSTATUS nt_status;
1685 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1686 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1687 char *prt_dn, *srv_dn, **srv_cn;
1688 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1689 LDAPMessage *res = NULL;
1690
1691 if (argc < 1 || c->display_usage) {
1692 d_printf("%s\n%s",
1693 _("Usage:"),
1694 _("net ads printer publish <printername> [servername]\n"
1695 " Publish printer in AD\n"
1696 " printername\tName of the printer\n"
1697 " servername\tName of the print server\n"));
1698 talloc_destroy(mem_ctx);
1699 return -1;
1700 }
1701
1702 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1703 talloc_destroy(mem_ctx);
1704 return -1;
1705 }
1706
1707 printername = argv[0];
1708
1709 if (argc == 2) {
1710 servername = argv[1];
1711 } else {
1712 servername = global_myname();
1713 }
1714
1715 /* Get printer data from SPOOLSS */
1716
1717 resolve_name(servername, &server_ss, 0x20, false);
1718
1719 nt_status = cli_full_connection(&cli, global_myname(), servername,
1720 &server_ss, 0,
1721 "IPC$", "IPC",
1722 c->opt_user_name, c->opt_workgroup,
1723 c->opt_password ? c->opt_password : "",
1724 CLI_FULL_CONNECTION_USE_KERBEROS,
1725 Undefined, NULL);
1726
1727 if (NT_STATUS_IS_ERR(nt_status)) {
1728 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1729 "obtain data for %s\n"),
1730 servername, printername);
1731 ads_destroy(&ads);
1732 talloc_destroy(mem_ctx);
1733 return -1;
1734 }
1735
1736 /* Publish on AD server */
1737
1738 ads_find_machine_acct(ads, &res, servername);
1739
1740 if (ads_count_replies(ads, res) == 0) {
1741 d_fprintf(stderr, _("Could not find machine account for server "
1742 "%s\n"),
1743 servername);
1744 ads_destroy(&ads);
1745 talloc_destroy(mem_ctx);
1746 return -1;
1747 }
1748
1749 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1750 srv_cn = ldap_explode_dn(srv_dn, 1);
1751
1752 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1753 printername_escaped = escape_rdn_val_string_alloc(printername);
1754 if (!srv_cn_escaped || !printername_escaped) {
1755 SAFE_FREE(srv_cn_escaped);
1756 SAFE_FREE(printername_escaped);
1757 d_fprintf(stderr, _("Internal error, out of memory!"));
1758 ads_destroy(&ads);
1759 talloc_destroy(mem_ctx);
1760 return -1;
1761 }
1762
1763 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1764 SAFE_FREE(srv_cn_escaped);
1765 SAFE_FREE(printername_escaped);
1766 d_fprintf(stderr, _("Internal error, out of memory!"));
1767 ads_destroy(&ads);
1768 talloc_destroy(mem_ctx);
1769 return -1;
1770 }
1771
1772 SAFE_FREE(srv_cn_escaped);
1773 SAFE_FREE(printername_escaped);
1774
1775 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1776 if (!NT_STATUS_IS_OK(nt_status)) {
1777 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1778 servername);
1779 SAFE_FREE(prt_dn);
1780 ads_destroy(&ads);
1781 talloc_destroy(mem_ctx);
1782 return -1;
1783 }
1784
1785 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1786 printername))) {
1787 SAFE_FREE(prt_dn);
1788 ads_destroy(&ads);
1789 talloc_destroy(mem_ctx);
1790 return -1;
1791 }
1792
1793 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1794 if (!ADS_ERR_OK(rc)) {
1795 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1796 SAFE_FREE(prt_dn);
1797 ads_destroy(&ads);
1798 talloc_destroy(mem_ctx);
1799 return -1;
1800 }
1801
1802 d_printf("published printer\n");
1803 SAFE_FREE(prt_dn);
1804 ads_destroy(&ads);
1805 talloc_destroy(mem_ctx);
1806
1807 return 0;
1808 }
1809
1810 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1811 {
1812 ADS_STRUCT *ads;
1813 ADS_STATUS rc;
1814 const char *servername;
1815 char *prt_dn;
1816 LDAPMessage *res = NULL;
1817
1818 if (argc < 1 || c->display_usage) {
1819 d_printf("%s\n%s",
1820 _("Usage:"),
1821 _("net ads printer remove <printername> [servername]\n"
1822 " Remove a printer from the AD\n"
1823 " printername\tName of the printer\n"
1824 " servername\tName of the print server\n"));
1825 return -1;
1826 }
1827
1828 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1829 return -1;
1830 }
1831
1832 if (argc > 1) {
1833 servername = argv[1];
1834 } else {
1835 servername = global_myname();
1836 }
1837
1838 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1839
1840 if (!ADS_ERR_OK(rc)) {
1841 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1842 ads_msgfree(ads, res);
1843 ads_destroy(&ads);
1844 return -1;
1845 }
1846
1847 if (ads_count_replies(ads, res) == 0) {
1848 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1849 ads_msgfree(ads, res);
1850 ads_destroy(&ads);
1851 return -1;
1852 }
1853
1854 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1855 ads_msgfree(ads, res);
1856 rc = ads_del_dn(ads, prt_dn);
1857 TALLOC_FREE(prt_dn);
1858
1859 if (!ADS_ERR_OK(rc)) {
1860 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1861 ads_destroy(&ads);
1862 return -1;
1863 }
1864
1865 ads_destroy(&ads);
1866 return 0;
1867 }
1868
1869 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1870 {
1871 struct functable func[] = {
1872 {
1873 "search",
1874 net_ads_printer_search,
1875 NET_TRANSPORT_ADS,
1876 N_("Search for a printer"),
1877 N_("net ads printer search\n"
1878 " Search for a printer")
1879 },
1880 {
1881 "info",
1882 net_ads_printer_info,
1883 NET_TRANSPORT_ADS,
1884 N_("Display printer information"),
1885 N_("net ads printer info\n"
1886 " Display printer information")
1887 },
1888 {
1889 "publish",
1890 net_ads_printer_publish,
1891 NET_TRANSPORT_ADS,
1892 N_("Publish a printer"),
1893 N_("net ads printer publish\n"
1894 " Publish a printer")
1895 },
1896 {
1897 "remove",
1898 net_ads_printer_remove,
1899 NET_TRANSPORT_ADS,
1900 N_("Delete a printer"),
1901 N_("net ads printer remove\n"
1902 " Delete a printer")
1903 },
1904 {NULL, NULL, 0, NULL, NULL}
1905 };
1906
1907 return net_run_function(c, argc, argv, "net ads printer", func);
1908 }
1909
1910
1911 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1912 {
1913 ADS_STRUCT *ads;
1914 const char *auth_principal = c->opt_user_name;
1915 const char *auth_password = c->opt_password;
1916 char *realm = NULL;
1917 char *new_password = NULL;
1918 char *chr, *prompt;
1919 const char *user;
1920 ADS_STATUS ret;
1921
1922 if (c->display_usage) {
1923 d_printf("%s\n%s",
1924 _("Usage:"),
1925 _("net ads password <username>\n"
1926 " Change password for user\n"
1927 " username\tName of user to change password for\n"));
1928 return 0;
1929 }
1930
1931 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1932 d_fprintf(stderr, _("You must supply an administrator "
1933 "username/password\n"));
1934 return -1;
1935 }
1936
1937 if (argc < 1) {
1938 d_fprintf(stderr, _("ERROR: You must say which username to "
1939 "change password for\n"));
1940 return -1;
1941 }
1942
1943 user = argv[0];
1944 if (!strchr_m(user, '@')) {
1945 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1946 return -1;
1947 }
1948 user = chr;
1949 }
1950
1951 use_in_memory_ccache();
1952 chr = strchr_m(auth_principal, '@');
1953 if (chr) {
1954 realm = ++chr;
1955 } else {
1956 realm = lp_realm();
1957 }
1958
1959 /* use the realm so we can eventually change passwords for users
1960 in realms other than default */
1961 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1962 return -1;
1963 }
1964
1965 /* we don't actually need a full connect, but it's the easy way to
1966 fill in the KDC's addresss */
1967 ads_connect(ads);
1968
1969 if (!ads->config.realm) {
1970 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1971 ads_destroy(&ads);
1972 return -1;
1973 }
1974
1975 if (argv[1]) {
1976 new_password = (char *)argv[1];
1977 } else {
1978 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1979 return -1;
1980 }
1981 new_password = getpass(prompt);
1982 free(prompt);
1983 }
1984
1985 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1986 auth_password, user, new_password, ads->auth.time_offset);
1987 if (!ADS_ERR_OK(ret)) {
1988 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
1989 ads_destroy(&ads);
1990 return -1;
1991 }
1992
1993 d_printf(_("Password change for %s completed.\n"), user);
1994 ads_destroy(&ads);
1995
1996 return 0;
1997 }
1998
1999 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2000 {
2001 ADS_STRUCT *ads;
2002 char *host_principal;
2003 fstring my_name;
2004 ADS_STATUS ret;
2005
2006 if (c->display_usage) {
2007 d_printf( "%s\n"
2008 "net ads changetrustpw\n"
2009 " %s\n",
2010 _("Usage:"),
2011 _("Change the machine account's trust password"));
2012 return 0;
2013 }
2014
2015 if (!secrets_init()) {
2016 DEBUG(1,("Failed to initialise secrets database\n"));
2017 return -1;
2018 }
2019
2020 net_use_krb_machine_account(c);
2021
2022 use_in_memory_ccache();
2023
2024 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2025 return -1;
2026 }
2027
2028 fstrcpy(my_name, global_myname());
2029 strlower_m(my_name);
2030 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2031 ads_destroy(&ads);
2032 return -1;
2033 }
2034 d_printf(_("Changing password for principal: %s\n"), host_principal);
2035
2036 ret = ads_change_trust_account_password(ads, host_principal);
2037
2038 if (!ADS_ERR_OK(ret)) {
2039 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2040 ads_destroy(&ads);
2041 SAFE_FREE(host_principal);
2042 return -1;
2043 }
2044
2045 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2046
2047 if (USE_SYSTEM_KEYTAB) {
2048 d_printf(_("Attempting to update system keytab with new password.\n"));
2049 if (ads_keytab_create_default(ads)) {
2050 d_printf(_("Failed to update system keytab.\n"));
2051 }
2052 }
2053
2054 ads_destroy(&ads);
2055 SAFE_FREE(host_principal);
2056
2057 return 0;
2058 }
2059
2060 /*
2061 help for net ads search
2062 */
2063 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2064 {
2065 d_printf(_(
2066 "\nnet ads search <expression> <attributes...>\n"
2067 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2068 "The expression is a standard LDAP search expression, and the\n"
2069 "attributes are a list of LDAP fields to show in the results.\n\n"
2070 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2071 ));
2072 net_common_flags_usage(c, argc, argv);
2073 return -1;
2074 }
2075
2076
2077 /*
2078 general ADS search function. Useful in diagnosing problems in ADS
2079 */
2080 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2081 {
2082 ADS_STRUCT *ads;
2083 ADS_STATUS rc;
2084 const char *ldap_exp;
2085 const char **attrs;
2086 LDAPMessage *res = NULL;
2087
2088 if (argc < 1 || c->display_usage) {
2089 return net_ads_search_usage(c, argc, argv);
2090 }
2091
2092 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2093 return -1;
2094 }
2095
2096 ldap_exp = argv[0];
2097 attrs = (argv + 1);
2098
2099 rc = ads_do_search_all(ads, ads->config.bind_path,
2100 LDAP_SCOPE_SUBTREE,
2101 ldap_exp, attrs, &res);
2102 if (!ADS_ERR_OK(rc)) {
2103 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2104 ads_destroy(&ads);
2105 return -1;
2106 }
2107
2108 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2109
2110 /* dump the results */
2111 ads_dump(ads, res);
2112
2113 ads_msgfree(ads, res);
2114 ads_destroy(&ads);
2115
2116 return 0;
2117 }
2118
2119
2120 /*
2121 help for net ads search
2122 */
2123 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2124 {
2125 d_printf(_(
2126 "\nnet ads dn <dn> <attributes...>\n"
2127 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2128 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2129 "to show in the results\n\n"
2130 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2131 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2132 ));
2133 net_common_flags_usage(c, argc, argv);
2134 return -1;
2135 }
2136
2137
2138 /*
2139 general ADS search function. Useful in diagnosing problems in ADS
2140 */
2141 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2142 {
2143 ADS_STRUCT *ads;
2144 ADS_STATUS rc;
2145 const char *dn;
2146 const char **attrs;
2147 LDAPMessage *res = NULL;
2148
2149 if (argc < 1 || c->display_usage) {
2150 return net_ads_dn_usage(c, argc, argv);
2151 }
2152
2153 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2154 return -1;
2155 }
2156
2157 dn = argv[0];
2158 attrs = (argv + 1);
2159
2160 rc = ads_do_search_all(ads, dn,
2161 LDAP_SCOPE_BASE,
2162 "(objectclass=*)", attrs, &res);
2163 if (!ADS_ERR_OK(rc)) {
2164 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2165 ads_destroy(&ads);
2166 return -1;
2167 }
2168
2169 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2170
2171 /* dump the results */
2172 ads_dump(ads, res);
2173
2174 ads_msgfree(ads, res);
2175 ads_destroy(&ads);
2176
2177 return 0;
2178 }
2179
2180 /*
2181 help for net ads sid search
2182 */
2183 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2184 {
2185 d_printf(_(
2186 "\nnet ads sid <sid> <attributes...>\n"
2187 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2188 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2189 "to show in the results\n\n"
2190 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2191 ));
2192 net_common_flags_usage(c, argc, argv);
2193 return -1;
2194 }
2195
2196
2197 /*
2198 general ADS search function. Useful in diagnosing problems in ADS
2199 */
2200 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2201 {
2202 ADS_STRUCT *ads;
2203 ADS_STATUS rc;
2204 const char *sid_string;
2205 const char **attrs;
2206 LDAPMessage *res = NULL;
2207 DOM_SID sid;
2208
2209 if (argc < 1 || c->display_usage) {
2210 return net_ads_sid_usage(c, argc, argv);
2211 }
2212
2213 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2214 return -1;
2215 }
2216
2217 sid_string = argv[0];
2218 attrs = (argv + 1);
2219
2220 if (!string_to_sid(&sid, sid_string)) {
2221 d_fprintf(stderr, _("could not convert sid\n"));
2222 ads_destroy(&ads);
2223 return -1;
2224 }
2225
2226 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2227 if (!ADS_ERR_OK(rc)) {
2228 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2229 ads_destroy(&ads);
2230 return -1;
2231 }
2232
2233 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2234
2235 /* dump the results */
2236 ads_dump(ads, res);
2237
2238 ads_msgfree(ads, res);
2239 ads_destroy(&ads);
2240
2241 return 0;
2242 }
2243
2244 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2245 {
2246 int ret;
2247 ADS_STRUCT *ads;
2248
2249 if (c->display_usage) {
2250 d_printf( "%s\n"
2251 "net ads keytab flush\n"
2252 " %s\n",
2253 _("Usage:"),
2254 _("Delete the whole keytab"));
2255 return 0;
2256 }
2257
2258 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2259 return -1;
2260 }
2261 ret = ads_keytab_flush(ads);
2262 ads_destroy(&ads);
2263 return ret;
2264 }
2265
2266 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2267 {
2268 int i;
2269 int ret = 0;
2270 ADS_STRUCT *ads;
2271
2272 if (c->display_usage) {
2273 d_printf("%s\n%s",
2274 _("Usage:"),
2275 _("net ads keytab add <principal> [principal ...]\n"
2276 " Add principals to local keytab\n"
2277 " principal\tKerberos principal to add to "
2278 "keytab\n"));
2279 return 0;
2280 }
2281
2282 d_printf(_("Processing principals to add...\n"));
2283 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2284 return -1;
2285 }
2286 for (i = 0; i < argc; i++) {
2287 ret |= ads_keytab_add_entry(ads, argv[i]);
2288 }
2289 ads_destroy(&ads);
2290 return ret;
2291 }
2292
2293 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2294 {
2295 ADS_STRUCT *ads;
2296 int ret;
2297
2298 if (c->display_usage) {
2299 d_printf( "%s\n"
2300 "net ads keytab create\n"
2301 " %s\n",
2302 _("Usage:"),
2303 _("Create new default keytab"));
2304 return 0;
2305 }
2306
2307 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2308 return -1;
2309 }
2310 ret = ads_keytab_create_default(ads);
2311 ads_destroy(&ads);
2312 return ret;
2313 }
2314
2315 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2316 {
2317 const char *keytab = NULL;
2318
2319 if (c->display_usage) {
2320 d_printf("%s\n%s",
2321 _("Usage:"),
2322 _("net ads keytab list [keytab]\n"
2323 " List a local keytab\n"
2324 " keytab\tKeytab to list\n"));
2325 return 0;
2326 }
2327
2328 if (argc >= 1) {
2329 keytab = argv[0];
2330 }
2331
2332 return ads_keytab_list(keytab);
2333 }
2334
2335
2336 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2337 {
2338 struct functable func[] = {
2339 {
2340 "add",
2341 net_ads_keytab_add,
2342 NET_TRANSPORT_ADS,
2343 N_("Add a service principal"),
2344 N_("net ads keytab add\n"
2345 " Add a service principal")
2346 },
2347 {
2348 "create",
2349 net_ads_keytab_create,
2350 NET_TRANSPORT_ADS,
2351 N_("Create a fresh keytab"),
2352 N_("net ads keytab create\n"
2353 " Create a fresh keytab")
2354 },
2355 {
2356 "flush",
2357 net_ads_keytab_flush,
2358 NET_TRANSPORT_ADS,
2359 N_("Remove all keytab entries"),
2360 N_("net ads keytab flush\n"
2361 " Remove all keytab entries")
2362 },
2363 {
2364 "list",
2365 net_ads_keytab_list,
2366 NET_TRANSPORT_ADS,
2367 N_("List a keytab"),
2368 N_("net ads keytab list\n"
2369 " List a keytab")
2370 },
2371 {NULL, NULL, 0, NULL, NULL}
2372 };
2373
2374 if (!USE_KERBEROS_KEYTAB) {
2375 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2376 "keytab method to use keytab functions.\n"));
2377 }
2378
2379 return net_run_function(c, argc, argv, "net ads keytab", func);
2380 }
2381
2382 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2383 {
2384 int ret = -1;
2385
2386 if (c->display_usage) {
2387 d_printf( "%s\n"
2388 "net ads kerberos renew\n"
2389 " %s\n",
2390 _("Usage:"),
2391 _("Renew TGT from existing credential cache"));
2392 return 0;
2393 }
2394
2395 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2396 if (ret) {
2397 d_printf(_("failed to renew kerberos ticket: %s\n"),
2398 error_message(ret));
2399 }
2400 return ret;
2401 }
2402
2403 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2404 {
2405 struct PAC_DATA *pac = NULL;
2406 struct PAC_LOGON_INFO *info = NULL;
2407 TALLOC_CTX *mem_ctx = NULL;
2408 NTSTATUS status;
2409 int ret = -1;
2410 const char *impersonate_princ_s = NULL;
2411
2412 if (c->display_usage) {
2413 d_printf( "%s\n"
2414 "net ads kerberos pac\n"
2415 " %s\n",
2416 _("Usage:"),
2417 _("Dump the Kerberos PAC"));
2418 return 0;
2419 }
2420
2421 mem_ctx = talloc_init("net_ads_kerberos_pac");
2422 if (!mem_ctx) {
2423 goto out;
2424 }
2425
2426 if (argc > 0) {
2427 impersonate_princ_s = argv[0];
2428 }
2429
2430 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2431
2432 status = kerberos_return_pac(mem_ctx,
2433 c->opt_user_name,
2434 c->opt_password,
2435 0,
2436 NULL,
2437 NULL,
2438 NULL,
2439 true,
2440 true,
2441 2592000, /* one month */
2442 impersonate_princ_s,
2443 &pac);
2444 if (!NT_STATUS_IS_OK(status)) {
2445 d_printf(_("failed to query kerberos PAC: %s\n"),
2446 nt_errstr(status));
2447 goto out;
2448 }
2449
2450 info = get_logon_info_from_pac(pac);
2451 if (info) {
2452 const char *s;
2453 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2454 d_printf(_("The Pac: %s\n"), s);
2455 }
2456
2457 ret = 0;
2458 out:
2459 TALLOC_FREE(mem_ctx);
2460 return ret;
2461 }
2462
2463 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2464 {
2465 TALLOC_CTX *mem_ctx = NULL;
2466 int ret = -1;
2467 NTSTATUS status;
2468
2469 if (c->display_usage) {
2470 d_printf( "%s\n"
2471 "net ads kerberos kinit\n"
2472 " %s\n",
2473 _("Usage:"),
2474 _("Get Ticket Granting Ticket (TGT) for the user"));
2475 return 0;
2476 }
2477
2478 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2479 if (!mem_ctx) {
2480 goto out;
2481 }
2482
2483 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2484
2485 ret = kerberos_kinit_password_ext(c->opt_user_name,
2486 c->opt_password,
2487 0,
2488 NULL,
2489 NULL,
2490 NULL,
2491 true,
2492 true,
2493 2592000, /* one month */
2494 &status);
2495 if (ret) {
2496 d_printf(_("failed to kinit password: %s\n"),
2497 nt_errstr(status));
2498 }
2499 out:
2500 return ret;
2501 }
2502
2503 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2504 {
2505 struct functable func[] = {
2506 {
2507 "kinit",
2508 net_ads_kerberos_kinit,
2509 NET_TRANSPORT_ADS,
2510 N_("Retrieve Ticket Granting Ticket (TGT)"),
2511 N_("net ads kerberos kinit\n"
2512 " Receive Ticket Granting Ticket (TGT)")
2513 },
2514 {
2515 "renew",
2516 net_ads_kerberos_renew,
2517 NET_TRANSPORT_ADS,
2518 N_("Renew Ticket Granting Ticket from credential cache"),
2519 N_("net ads kerberos renew\n"
2520 " Renew Ticket Granting Ticket (TGT) from "
2521 "credential cache")
2522 },
2523 {
2524 "pac",
2525 net_ads_kerberos_pac,
2526 NET_TRANSPORT_ADS,
2527 N_("Dump Kerberos PAC"),
2528 N_("net ads kerberos pac\n"
2529 " Dump Kerberos PAC")
2530 },
2531 {NULL, NULL, 0, NULL, NULL}
2532 };
2533
2534 return net_run_function(c, argc, argv, "net ads kerberos", func);
2535 }
2536
2537 int net_ads(struct net_context *c, int argc, const char **argv)
2538 {
2539 struct functable func[] = {
2540 {
2541 "info",
2542 net_ads_info,
2543 NET_TRANSPORT_ADS,
2544 N_("Display details on remote ADS server"),
2545 N_("net ads info\n"
2546 " Display details on remote ADS server")
2547 },
2548 {
2549 "join",
2550 net_ads_join,
2551 NET_TRANSPORT_ADS,
2552 N_("Join the local machine to ADS realm"),
2553 N_("net ads join\n"
2554 " Join the local machine to ADS realm")
2555 },
2556 {
2557 "testjoin",
2558 net_ads_testjoin,
2559 NET_TRANSPORT_ADS,
2560 N_("Validate machine account"),
2561 N_("net ads testjoin\n"
2562 " Validate machine account")
2563 },
2564 {
2565 "leave",
2566 net_ads_leave,
2567 NET_TRANSPORT_ADS,
2568 N_("Remove the local machine from ADS"),
2569 N_("net ads leave\n"
2570 " Remove the local machine from ADS")
2571 },
2572 {
2573 "status",
2574 net_ads_status,
2575 NET_TRANSPORT_ADS,
2576 N_("Display machine account details"),
2577 N_("net ads status\n"
2578 " Display machine account details")
2579 },
2580 {
2581 "user",
2582 net_ads_user,
2583 NET_TRANSPORT_ADS,
2584 N_("List/modify users"),
2585 N_("net ads user\n"
2586 " List/modify users")
2587 },
2588 {
2589 "group",
2590 net_ads_group,
2591 NET_TRANSPORT_ADS,
2592 N_("List/modify groups"),
2593 N_("net ads group\n"
2594 " List/modify groups")
2595 },
2596 {
2597 "dns",
2598 net_ads_dns,
2599 NET_TRANSPORT_ADS,
2600 N_("Issue dynamic DNS update"),
2601 N_("net ads dns\n"
2602 " Issue dynamic DNS update")
2603 },
2604 {
2605 "password",
2606 net_ads_password,
2607 NET_TRANSPORT_ADS,
2608 N_("Change user passwords"),
2609 N_("net ads password\n"
2610 " Change user passwords")
2611 },
2612 {
2613 "changetrustpw",
2614 net_ads_changetrustpw,
2615 NET_TRANSPORT_ADS,
2616 N_("Change trust account password"),
2617 N_("net ads changetrustpw\n"
2618 " Change trust account password")
2619 },
2620 {
2621 "printer",
2622 net_ads_printer,
2623 NET_TRANSPORT_ADS,
2624 N_("List/modify printer entries"),
2625 N_("net ads printer\n"
2626 " List/modify printer entries")
2627 },
2628 {
2629 "search",
2630 net_ads_search,
2631 NET_TRANSPORT_ADS,
2632 N_("Issue LDAP search using filter"),
2633 N_("net ads search\n"
2634 " Issue LDAP search using filter")
2635 },
2636 {
2637 "dn",
2638 net_ads_dn,
2639 NET_TRANSPORT_ADS,
2640 N_("Issue LDAP search by DN"),
2641 N_("net ads dn\n"
2642 " Issue LDAP search by DN")
2643 },
2644 {
2645 "sid",
2646 net_ads_sid,
2647 NET_TRANSPORT_ADS,
2648 N_("Issue LDAP search by SID"),
2649 N_("net ads sid\n"
2650 " Issue LDAP search by SID")
2651 },
2652 {
2653 "workgroup",
2654 net_ads_workgroup,
2655 NET_TRANSPORT_ADS,
2656 N_("Display workgroup name"),
2657 N_("net ads workgroup\n"
2658 " Display the workgroup name")
2659 },
2660 {
2661 "lookup",
2662 net_ads_lookup,
2663 NET_TRANSPORT_ADS,
2664 N_("Perfom CLDAP query on DC"),
2665 N_("net ads lookup\n"
2666 " Find the ADS DC using CLDAP lookups")
2667 },
2668 {
2669 "keytab",
2670 net_ads_keytab,
2671 NET_TRANSPORT_ADS,
2672 N_("Manage local keytab file"),
2673 N_("net ads keytab\n"
2674 " Manage local keytab file")
2675 },
2676 {
2677 "gpo",
2678 net_ads_gpo,
2679 NET_TRANSPORT_ADS,
2680 N_("Manage group policy objects"),
2681 N_("net ads gpo\n"
2682 " Manage group policy objects")
2683 },
2684 {
2685 "kerberos",
2686 net_ads_kerberos,
2687 NET_TRANSPORT_ADS,
2688 N_("Manage kerberos keytab"),
2689 N_("net ads kerberos\n"
2690 " Manage kerberos keytab")
2691 },
2692 {NULL, NULL, 0, NULL, NULL}
2693 };
2694
2695 return net_run_function(c, argc, argv, "net ads", func);
2696 }
2697
2698 #else
2699
2700 static int net_ads_noads(void)
2701 {
2702 d_fprintf(stderr, _("ADS support not compiled in\n"));
2703 return -1;
2704 }
2705
2706 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2707 {
2708 return net_ads_noads();
2709 }
2710
2711 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2712 {
2713 return net_ads_noads();
2714 }
2715
2716 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2717 {
2718 return net_ads_noads();
2719 }
2720
2721 int net_ads_join(struct net_context *c, int argc, const char **argv)
2722 {
2723 return net_ads_noads();
2724 }
2725
2726 int net_ads_user(struct net_context *c, int argc, const char **argv)
2727 {
2728 return net_ads_noads();
2729 }
2730
2731 int net_ads_group(struct net_context *c, int argc, const char **argv)
2732 {
2733 return net_ads_noads();
2734 }
2735
2736 /* this one shouldn't display a message */
2737 int net_ads_check(struct net_context *c)
2738 {
2739 return -1;
2740 }
2741
2742 int net_ads_check_our_domain(struct net_context *c)
2743 {
2744 return -1;
2745 }
2746
2747 int net_ads(struct net_context *c, int argc, const char **argv)
2748 {
2749 return net_ads_noads();
2750 }
2751
2752 #endif /* WITH_ADS */
Samba GIT mirror