search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
net: Only use the in memory ccache when not already using a kerberos ticket in net ads
[Samba/gebeck_regimport.git] / source3 / utils / net_ads.c
blob38b59d9cdfd59238e1fe7b167e4adc0e8d3bb1de
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26
27 #ifdef HAVE_ADS
28
29 /* when we do not have sufficient input parameters to contact a remote domain
30 * we always fall back to our own realm - Guenther*/
31
32 static const char *assume_own_realm(struct net_context *c)
33 {
34 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
35 return lp_realm();
36 }
37
38 return NULL;
39 }
40
41 /*
42 do a cldap netlogon query
43 */
44 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
45 {
46 char addr[INET6_ADDRSTRLEN];
47 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
48
49 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
50 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
51 d_fprintf(stderr, "CLDAP query failed!\n");
52 return -1;
53 }
54
55 d_printf("Information for Domain Controller: %s\n\n",
56 addr);
57
58 d_printf("Response Type: ");
59 switch (reply.command) {
60 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
61 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
62 break;
63 case LOGON_SAM_LOGON_RESPONSE_EX:
64 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
65 break;
66 default:
67 d_printf("0x%x\n", reply.command);
68 break;
69 }
70
71 d_printf("GUID: %s\n", GUID_string(talloc_tos(), &reply.domain_uuid));
72
73 d_printf("Flags:\n"
74 "\tIs a PDC: %s\n"
75 "\tIs a GC of the forest: %s\n"
76 "\tIs an LDAP server: %s\n"
77 "\tSupports DS: %s\n"
78 "\tIs running a KDC: %s\n"
79 "\tIs running time services: %s\n"
80 "\tIs the closest DC: %s\n"
81 "\tIs writable: %s\n"
82 "\tHas a hardware clock: %s\n"
83 "\tIs a non-domain NC serviced by LDAP server: %s\n"
84 "\tIs NT6 DC that has some secrets: %s\n"
85 "\tIs NT6 DC that has all secrets: %s\n",
86 (reply.server_type & NBT_SERVER_PDC) ? "yes" : "no",
87 (reply.server_type & NBT_SERVER_GC) ? "yes" : "no",
88 (reply.server_type & NBT_SERVER_LDAP) ? "yes" : "no",
89 (reply.server_type & NBT_SERVER_DS) ? "yes" : "no",
90 (reply.server_type & NBT_SERVER_KDC) ? "yes" : "no",
91 (reply.server_type & NBT_SERVER_TIMESERV) ? "yes" : "no",
92 (reply.server_type & NBT_SERVER_CLOSEST) ? "yes" : "no",
93 (reply.server_type & NBT_SERVER_WRITABLE) ? "yes" : "no",
94 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? "yes" : "no",
95 (reply.server_type & NBT_SERVER_NDNC) ? "yes" : "no",
96 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? "yes" : "no",
97 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? "yes" : "no");
98
99
100 printf("Forest:\t\t\t%s\n", reply.forest);
101 printf("Domain:\t\t\t%s\n", reply.dns_domain);
102 printf("Domain Controller:\t%s\n", reply.pdc_dns_name);
103
104 printf("Pre-Win2k Domain:\t%s\n", reply.domain);
105 printf("Pre-Win2k Hostname:\t%s\n", reply.pdc_name);
106
107 if (*reply.user_name) printf("User name:\t%s\n", reply.user_name);
108
109 printf("Server Site Name :\t\t%s\n", reply.server_site);
110 printf("Client Site Name :\t\t%s\n", reply.client_site);
111
112 d_printf("NT Version: %d\n", reply.nt_version);
113 d_printf("LMNT Token: %.2x\n", reply.lmnt_token);
114 d_printf("LM20 Token: %.2x\n", reply.lm20_token);
115
116 return 0;
117 }
118
119 /*
120 this implements the CLDAP based netlogon lookup requests
121 for finding the domain controller of a ADS domain
122 */
123 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
124 {
125 ADS_STRUCT *ads;
126 int ret;
127
128 if (c->display_usage) {
129 d_printf("Usage:\n"
130 "net ads lookup\n"
131 " Find the ADS DC using CLDAP lookup.\n");
132 return 0;
133 }
134
135 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
136 d_fprintf(stderr, "Didn't find the cldap server!\n");
137 ads_destroy(&ads);
138 return -1;
139 }
140
141 if (!ads->config.realm) {
142 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
143 ads->ldap.port = 389;
144 }
145
146 ret = net_ads_cldap_netlogon(c, ads);
147 ads_destroy(&ads);
148 return ret;
149 }
150
151
152
153 static int net_ads_info(struct net_context *c, int argc, const char **argv)
154 {
155 ADS_STRUCT *ads;
156 char addr[INET6_ADDRSTRLEN];
157
158 if (c->display_usage) {
159 d_printf("Usage:\n"
160 "net ads info\n"
161 " Display information about an Active Directory "
162 "server.\n");
163 return 0;
164 }
165
166 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
167 d_fprintf(stderr, "Didn't find the ldap server!\n");
168 return -1;
169 }
170
171 if (!ads || !ads->config.realm) {
172 d_fprintf(stderr, "Didn't find the ldap server!\n");
173 ads_destroy(&ads);
174 return -1;
175 }
176
177 /* Try to set the server's current time since we didn't do a full
178 TCP LDAP session initially */
179
180 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
181 d_fprintf( stderr, "Failed to get server's current time!\n");
182 }
183
184 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
185
186 d_printf("LDAP server: %s\n", addr);
187 d_printf("LDAP server name: %s\n", ads->config.ldap_server_name);
188 d_printf("Realm: %s\n", ads->config.realm);
189 d_printf("Bind Path: %s\n", ads->config.bind_path);
190 d_printf("LDAP port: %d\n", ads->ldap.port);
191 d_printf("Server time: %s\n",
192 http_timestring(talloc_tos(), ads->config.current_time));
193
194 d_printf("KDC server: %s\n", ads->auth.kdc_server );
195 d_printf("Server time offset: %d\n", ads->auth.time_offset );
196
197 ads_destroy(&ads);
198 return 0;
199 }
200
201 static void use_in_memory_ccache(void) {
202 /* Use in-memory credentials cache so we do not interfere with
203 * existing credentials */
204 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
205 }
206
207 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
208 uint32 auth_flags, ADS_STRUCT **ads_ret)
209 {
210 ADS_STRUCT *ads = NULL;
211 ADS_STATUS status;
212 bool need_password = false;
213 bool second_time = false;
214 char *cp;
215 const char *realm = NULL;
216 bool tried_closest_dc = false;
217
218 /* lp_realm() should be handled by a command line param,
219 However, the join requires that realm be set in smb.conf
220 and compares our realm with the remote server's so this is
221 ok until someone needs more flexibility */
222
223 *ads_ret = NULL;
224
225 retry_connect:
226 if (only_own_domain) {
227 realm = lp_realm();
228 } else {
229 realm = assume_own_realm(c);
230 }
231
232 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
233
234 retry:
235 if (need_password) {
236 set_cmdline_auth_info_getpass(c->auth_info);
237 }
238
239 if (get_cmdline_auth_info_got_pass(c->auth_info) ||
240 !get_cmdline_auth_info_use_kerberos(c->auth_info)) {
241 use_in_memory_ccache();
242 SAFE_FREE(ads->auth.password);
243 ads->auth.password = smb_xstrdup(
244 get_cmdline_auth_info_password(c->auth_info));
245 }
246
247 ads->auth.flags |= auth_flags;
248 SAFE_FREE(ads->auth.user_name);
249 ads->auth.user_name = smb_xstrdup(
250 get_cmdline_auth_info_username(c->auth_info));
251
252 /*
253 * If the username is of the form "name@realm",
254 * extract the realm and convert to upper case.
255 * This is only used to establish the connection.
256 */
257 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
258 *cp++ = '\0';
259 SAFE_FREE(ads->auth.realm);
260 ads->auth.realm = smb_xstrdup(cp);
261 strupper_m(ads->auth.realm);
262 }
263
264 status = ads_connect(ads);
265
266 if (!ADS_ERR_OK(status)) {
267
268 if (NT_STATUS_EQUAL(ads_ntstatus(status),
269 NT_STATUS_NO_LOGON_SERVERS)) {
270 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
271 ads_destroy(&ads);
272 return status;
273 }
274
275 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
276 need_password = true;
277 second_time = true;
278 goto retry;
279 } else {
280 ads_destroy(&ads);
281 return status;
282 }
283 }
284
285 /* when contacting our own domain, make sure we use the closest DC.
286 * This is done by reconnecting to ADS because only the first call to
287 * ads_connect will give us our own sitename */
288
289 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
290
291 tried_closest_dc = true; /* avoid loop */
292
293 if (!ads_closest_dc(ads)) {
294
295 namecache_delete(ads->server.realm, 0x1C);
296 namecache_delete(ads->server.workgroup, 0x1C);
297
298 ads_destroy(&ads);
299 ads = NULL;
300
301 goto retry_connect;
302 }
303 }
304
305 *ads_ret = ads;
306 return status;
307 }
308
309 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
310 {
311 return ads_startup_int(c, only_own_domain, 0, ads);
312 }
313
314 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
315 {
316 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
317 }
318
319 /*
320 Check to see if connection can be made via ads.
321 ads_startup() stores the password in opt_password if it needs to so
322 that rpc or rap can use it without re-prompting.
323 */
324 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
325 {
326 ADS_STRUCT *ads;
327 ADS_STATUS status;
328
329 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
330 return -1;
331 }
332
333 ads->auth.flags |= ADS_AUTH_NO_BIND;
334
335 status = ads_connect(ads);
336 if ( !ADS_ERR_OK(status) ) {
337 return -1;
338 }
339
340 ads_destroy(&ads);
341 return 0;
342 }
343
344 int net_ads_check_our_domain(struct net_context *c)
345 {
346 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
347 }
348
349 int net_ads_check(struct net_context *c)
350 {
351 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
352 }
353
354 /*
355 determine the netbios workgroup name for a domain
356 */
357 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
358 {
359 ADS_STRUCT *ads;
360 char addr[INET6_ADDRSTRLEN];
361 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
362
363 if (c->display_usage) {
364 d_printf("Usage:\n"
365 "net ads workgroup\n"
366 " Print the workgroup name\n");
367 return 0;
368 }
369
370 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
371 d_fprintf(stderr, "Didn't find the cldap server!\n");
372 return -1;
373 }
374
375 if (!ads->config.realm) {
376 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
377 ads->ldap.port = 389;
378 }
379
380 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
381 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
382 d_fprintf(stderr, "CLDAP query failed!\n");
383 ads_destroy(&ads);
384 return -1;
385 }
386
387 d_printf("Workgroup: %s\n", reply.domain);
388
389 ads_destroy(&ads);
390
391 return 0;
392 }
393
394
395
396 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
397 {
398 char **disp_fields = (char **) data_area;
399
400 if (!field) { /* must be end of record */
401 if (disp_fields[0]) {
402 if (!strchr_m(disp_fields[0], '$')) {
403 if (disp_fields[1])
404 d_printf("%-21.21s %s\n",
405 disp_fields[0], disp_fields[1]);
406 else
407 d_printf("%s\n", disp_fields[0]);
408 }
409 }
410 SAFE_FREE(disp_fields[0]);
411 SAFE_FREE(disp_fields[1]);
412 return true;
413 }
414 if (!values) /* must be new field, indicate string field */
415 return true;
416 if (StrCaseCmp(field, "sAMAccountName") == 0) {
417 disp_fields[0] = SMB_STRDUP((char *) values[0]);
418 }
419 if (StrCaseCmp(field, "description") == 0)
420 disp_fields[1] = SMB_STRDUP((char *) values[0]);
421 return true;
422 }
423
424 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
425 {
426 return net_user_usage(c, argc, argv);
427 }
428
429 static int ads_user_add(struct net_context *c, int argc, const char **argv)
430 {
431 ADS_STRUCT *ads;
432 ADS_STATUS status;
433 char *upn, *userdn;
434 LDAPMessage *res=NULL;
435 int rc = -1;
436 char *ou_str = NULL;
437
438 if (argc < 1 || c->display_usage)
439 return net_ads_user_usage(c, argc, argv);
440
441 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
442 return -1;
443 }
444
445 status = ads_find_user_acct(ads, &res, argv[0]);
446
447 if (!ADS_ERR_OK(status)) {
448 d_fprintf(stderr, "ads_user_add: %s\n", ads_errstr(status));
449 goto done;
450 }
451
452 if (ads_count_replies(ads, res)) {
453 d_fprintf(stderr, "ads_user_add: User %s already exists\n", argv[0]);
454 goto done;
455 }
456
457 if (c->opt_container) {
458 ou_str = SMB_STRDUP(c->opt_container);
459 } else {
460 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
461 }
462
463 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
464
465 if (!ADS_ERR_OK(status)) {
466 d_fprintf(stderr, "Could not add user %s: %s\n", argv[0],
467 ads_errstr(status));
468 goto done;
469 }
470
471 /* if no password is to be set, we're done */
472 if (argc == 1) {
473 d_printf("User %s added\n", argv[0]);
474 rc = 0;
475 goto done;
476 }
477
478 /* try setting the password */
479 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
480 goto done;
481 }
482 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
483 ads->auth.time_offset);
484 SAFE_FREE(upn);
485 if (ADS_ERR_OK(status)) {
486 d_printf("User %s added\n", argv[0]);
487 rc = 0;
488 goto done;
489 }
490
491 /* password didn't set, delete account */
492 d_fprintf(stderr, "Could not add user %s. Error setting password %s\n",
493 argv[0], ads_errstr(status));
494 ads_msgfree(ads, res);
495 status=ads_find_user_acct(ads, &res, argv[0]);
496 if (ADS_ERR_OK(status)) {
497 userdn = ads_get_dn(ads, talloc_tos(), res);
498 ads_del_dn(ads, userdn);
499 TALLOC_FREE(userdn);
500 }
501
502 done:
503 if (res)
504 ads_msgfree(ads, res);
505 ads_destroy(&ads);
506 SAFE_FREE(ou_str);
507 return rc;
508 }
509
510 static int ads_user_info(struct net_context *c, int argc, const char **argv)
511 {
512 ADS_STRUCT *ads;
513 ADS_STATUS rc;
514 LDAPMessage *res;
515 const char *attrs[] = {"memberOf", NULL};
516 char *searchstring=NULL;
517 char **grouplist;
518 char *escaped_user;
519
520 if (argc < 1 || c->display_usage) {
521 return net_ads_user_usage(c, argc, argv);
522 }
523
524 escaped_user = escape_ldap_string_alloc(argv[0]);
525
526 if (!escaped_user) {
527 d_fprintf(stderr, "ads_user_info: failed to escape user %s\n", argv[0]);
528 return -1;
529 }
530
531 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
532 SAFE_FREE(escaped_user);
533 return -1;
534 }
535
536 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
537 SAFE_FREE(escaped_user);
538 return -1;
539 }
540 rc = ads_search(ads, &res, searchstring, attrs);
541 SAFE_FREE(searchstring);
542
543 if (!ADS_ERR_OK(rc)) {
544 d_fprintf(stderr, "ads_search: %s\n", ads_errstr(rc));
545 ads_destroy(&ads);
546 SAFE_FREE(escaped_user);
547 return -1;
548 }
549
550 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
551 (LDAPMessage *)res, "memberOf");
552
553 if (grouplist) {
554 int i;
555 char **groupname;
556 for (i=0;grouplist[i];i++) {
557 groupname = ldap_explode_dn(grouplist[i], 1);
558 d_printf("%s\n", groupname[0]);
559 ldap_value_free(groupname);
560 }
561 ldap_value_free(grouplist);
562 }
563
564 ads_msgfree(ads, res);
565 ads_destroy(&ads);
566 SAFE_FREE(escaped_user);
567 return 0;
568 }
569
570 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
571 {
572 ADS_STRUCT *ads;
573 ADS_STATUS rc;
574 LDAPMessage *res = NULL;
575 char *userdn;
576
577 if (argc < 1) {
578 return net_ads_user_usage(c, argc, argv);
579 }
580
581 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
582 return -1;
583 }
584
585 rc = ads_find_user_acct(ads, &res, argv[0]);
586 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
587 d_printf("User %s does not exist.\n", argv[0]);
588 ads_msgfree(ads, res);
589 ads_destroy(&ads);
590 return -1;
591 }
592 userdn = ads_get_dn(ads, talloc_tos(), res);
593 ads_msgfree(ads, res);
594 rc = ads_del_dn(ads, userdn);
595 TALLOC_FREE(userdn);
596 if (ADS_ERR_OK(rc)) {
597 d_printf("User %s deleted\n", argv[0]);
598 ads_destroy(&ads);
599 return 0;
600 }
601 d_fprintf(stderr, "Error deleting user %s: %s\n", argv[0],
602 ads_errstr(rc));
603 ads_destroy(&ads);
604 return -1;
605 }
606
607 int net_ads_user(struct net_context *c, int argc, const char **argv)
608 {
609 struct functable func[] = {
610 {
611 "add",
612 ads_user_add,
613 NET_TRANSPORT_ADS,
614 "Add an AD user",
615 "net ads user add\n"
616 " Add an AD user"
617 },
618 {
619 "info",
620 ads_user_info,
621 NET_TRANSPORT_ADS,
622 "Display information about an AD user",
623 "net ads user info\n"
624 " Display information about an AD user"
625 },
626 {
627 "delete",
628 ads_user_delete,
629 NET_TRANSPORT_ADS,
630 "Delete an AD user",
631 "net ads user delete\n"
632 " Delete an AD user"
633 },
634 {NULL, NULL, 0, NULL, NULL}
635 };
636 ADS_STRUCT *ads;
637 ADS_STATUS rc;
638 const char *shortattrs[] = {"sAMAccountName", NULL};
639 const char *longattrs[] = {"sAMAccountName", "description", NULL};
640 char *disp_fields[2] = {NULL, NULL};
641
642 if (argc == 0) {
643 if (c->display_usage) {
644 d_printf("Usage:\n");
645 d_printf("net ads user\n"
646 " List AD users\n");
647 net_display_usage_from_functable(func);
648 return 0;
649 }
650
651 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
652 return -1;
653 }
654
655 if (c->opt_long_list_entries)
656 d_printf("\nUser name Comment"
657 "\n-----------------------------\n");
658
659 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
660 LDAP_SCOPE_SUBTREE,
661 "(objectCategory=user)",
662 c->opt_long_list_entries ? longattrs :
663 shortattrs, usergrp_display,
664 disp_fields);
665 ads_destroy(&ads);
666 return ADS_ERR_OK(rc) ? 0 : -1;
667 }
668
669 return net_run_function(c, argc, argv, "net ads user", func);
670 }
671
672 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
673 {
674 return net_group_usage(c, argc, argv);
675 }
676
677 static int ads_group_add(struct net_context *c, int argc, const char **argv)
678 {
679 ADS_STRUCT *ads;
680 ADS_STATUS status;
681 LDAPMessage *res=NULL;
682 int rc = -1;
683 char *ou_str = NULL;
684
685 if (argc < 1 || c->display_usage) {
686 return net_ads_group_usage(c, argc, argv);
687 }
688
689 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
690 return -1;
691 }
692
693 status = ads_find_user_acct(ads, &res, argv[0]);
694
695 if (!ADS_ERR_OK(status)) {
696 d_fprintf(stderr, "ads_group_add: %s\n", ads_errstr(status));
697 goto done;
698 }
699
700 if (ads_count_replies(ads, res)) {
701 d_fprintf(stderr, "ads_group_add: Group %s already exists\n", argv[0]);
702 goto done;
703 }
704
705 if (c->opt_container) {
706 ou_str = SMB_STRDUP(c->opt_container);
707 } else {
708 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
709 }
710
711 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
712
713 if (ADS_ERR_OK(status)) {
714 d_printf("Group %s added\n", argv[0]);
715 rc = 0;
716 } else {
717 d_fprintf(stderr, "Could not add group %s: %s\n", argv[0],
718 ads_errstr(status));
719 }
720
721 done:
722 if (res)
723 ads_msgfree(ads, res);
724 ads_destroy(&ads);
725 SAFE_FREE(ou_str);
726 return rc;
727 }
728
729 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
730 {
731 ADS_STRUCT *ads;
732 ADS_STATUS rc;
733 LDAPMessage *res = NULL;
734 char *groupdn;
735
736 if (argc < 1 || c->display_usage) {
737 return net_ads_group_usage(c, argc, argv);
738 }
739
740 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
741 return -1;
742 }
743
744 rc = ads_find_user_acct(ads, &res, argv[0]);
745 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
746 d_printf("Group %s does not exist.\n", argv[0]);
747 ads_msgfree(ads, res);
748 ads_destroy(&ads);
749 return -1;
750 }
751 groupdn = ads_get_dn(ads, talloc_tos(), res);
752 ads_msgfree(ads, res);
753 rc = ads_del_dn(ads, groupdn);
754 TALLOC_FREE(groupdn);
755 if (ADS_ERR_OK(rc)) {
756 d_printf("Group %s deleted\n", argv[0]);
757 ads_destroy(&ads);
758 return 0;
759 }
760 d_fprintf(stderr, "Error deleting group %s: %s\n", argv[0],
761 ads_errstr(rc));
762 ads_destroy(&ads);
763 return -1;
764 }
765
766 int net_ads_group(struct net_context *c, int argc, const char **argv)
767 {
768 struct functable func[] = {
769 {
770 "add",
771 ads_group_add,
772 NET_TRANSPORT_ADS,
773 "Add an AD group",
774 "net ads group add\n"
775 " Add an AD group"
776 },
777 {
778 "delete",
779 ads_group_delete,
780 NET_TRANSPORT_ADS,
781 "Delete an AD group",
782 "net ads group delete\n"
783 " Delete an AD group"
784 },
785 {NULL, NULL, 0, NULL, NULL}
786 };
787 ADS_STRUCT *ads;
788 ADS_STATUS rc;
789 const char *shortattrs[] = {"sAMAccountName", NULL};
790 const char *longattrs[] = {"sAMAccountName", "description", NULL};
791 char *disp_fields[2] = {NULL, NULL};
792
793 if (argc == 0) {
794 if (c->display_usage) {
795 d_printf("Usage:\n");
796 d_printf("net ads group\n"
797 " List AD groups\n");
798 net_display_usage_from_functable(func);
799 return 0;
800 }
801
802 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
803 return -1;
804 }
805
806 if (c->opt_long_list_entries)
807 d_printf("\nGroup name Comment"
808 "\n-----------------------------\n");
809 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
810 LDAP_SCOPE_SUBTREE,
811 "(objectCategory=group)",
812 c->opt_long_list_entries ? longattrs :
813 shortattrs, usergrp_display,
814 disp_fields);
815
816 ads_destroy(&ads);
817 return ADS_ERR_OK(rc) ? 0 : -1;
818 }
819 return net_run_function(c, argc, argv, "net ads group", func);
820 }
821
822 static int net_ads_status(struct net_context *c, int argc, const char **argv)
823 {
824 ADS_STRUCT *ads;
825 ADS_STATUS rc;
826 LDAPMessage *res;
827
828 if (c->display_usage) {
829 d_printf("Usage:\n"
830 "net ads status\n"
831 " Display machine account details\n");
832 return 0;
833 }
834
835 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
836 return -1;
837 }
838
839 rc = ads_find_machine_acct(ads, &res, global_myname());
840 if (!ADS_ERR_OK(rc)) {
841 d_fprintf(stderr, "ads_find_machine_acct: %s\n", ads_errstr(rc));
842 ads_destroy(&ads);
843 return -1;
844 }
845
846 if (ads_count_replies(ads, res) == 0) {
847 d_fprintf(stderr, "No machine account for '%s' found\n", global_myname());
848 ads_destroy(&ads);
849 return -1;
850 }
851
852 ads_dump(ads, res);
853 ads_destroy(&ads);
854 return 0;
855 }
856
857 /*******************************************************************
858 Leave an AD domain. Windows XP disables the machine account.
859 We'll try the same. The old code would do an LDAP delete.
860 That only worked using the machine creds because added the machine
861 with full control to the computer object's ACL.
862 *******************************************************************/
863
864 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
865 {
866 TALLOC_CTX *ctx;
867 struct libnet_UnjoinCtx *r = NULL;
868 WERROR werr;
869 struct user_auth_info *ai = c->auth_info;
870
871 if (c->display_usage) {
872 d_printf("Usage:\n"
873 "net ads leave\n"
874 " Leave an AD domain\n");
875 return 0;
876 }
877
878 if (!*lp_realm()) {
879 d_fprintf(stderr, "No realm set, are we joined ?\n");
880 return -1;
881 }
882
883 if (!(ctx = talloc_init("net_ads_leave"))) {
884 d_fprintf(stderr, "Could not initialise talloc context.\n");
885 return -1;
886 }
887
888 if (!get_cmdline_auth_info_use_kerberos(ai)) {
889 use_in_memory_ccache();
890 }
891
892 werr = libnet_init_UnjoinCtx(ctx, &r);
893 if (!W_ERROR_IS_OK(werr)) {
894 d_fprintf(stderr, "Could not initialise unjoin context.\n");
895 return -1;
896 }
897
898 set_cmdline_auth_info_getpass(ai);
899
900 r->in.debug = true;
901 r->in.use_kerberos = get_cmdline_auth_info_use_kerberos(ai);
902 r->in.dc_name = c->opt_host;
903 r->in.domain_name = lp_realm();
904 r->in.admin_account = get_cmdline_auth_info_username(ai);
905 r->in.admin_password = get_cmdline_auth_info_password(ai);
906 r->in.modify_config = lp_config_backend_is_registry();
907 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
908 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
909
910 werr = libnet_Unjoin(ctx, r);
911 if (!W_ERROR_IS_OK(werr)) {
912 d_printf("Failed to leave domain: %s\n",
913 r->out.error_string ? r->out.error_string :
914 get_friendly_werror_msg(werr));
915 goto done;
916 }
917
918 if (W_ERROR_IS_OK(werr)) {
919 d_printf("Deleted account for '%s' in realm '%s'\n",
920 r->in.machine_name, r->out.dns_domain_name);
921 goto done;
922 }
923
924 /* We couldn't delete it - see if the disable succeeded. */
925 if (r->out.disabled_machine_account) {
926 d_printf("Disabled account for '%s' in realm '%s'\n",
927 r->in.machine_name, r->out.dns_domain_name);
928 werr = WERR_OK;
929 goto done;
930 }
931
932 d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
933 r->in.machine_name, r->out.dns_domain_name);
934
935 done:
936 TALLOC_FREE(r);
937 TALLOC_FREE(ctx);
938
939 if (W_ERROR_IS_OK(werr)) {
940 return 0;
941 }
942
943 return -1;
944 }
945
946 static NTSTATUS net_ads_join_ok(struct net_context *c)
947 {
948 ADS_STRUCT *ads = NULL;
949 ADS_STATUS status;
950
951 if (!secrets_init()) {
952 DEBUG(1,("Failed to initialise secrets database\n"));
953 return NT_STATUS_ACCESS_DENIED;
954 }
955
956 set_cmdline_auth_info_use_machine_account(c->auth_info);
957 set_cmdline_auth_info_machine_account_creds(c->auth_info);
958
959 status = ads_startup(c, true, &ads);
960 if (!ADS_ERR_OK(status)) {
961 return ads_ntstatus(status);
962 }
963
964 ads_destroy(&ads);
965 return NT_STATUS_OK;
966 }
967
968 /*
969 check that an existing join is OK
970 */
971 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
972 {
973 NTSTATUS status;
974 use_in_memory_ccache();
975
976 if (c->display_usage) {
977 d_printf("Usage:\n"
978 "net ads testjoin\n"
979 " Test if the existing join is ok\n");
980 return 0;
981 }
982
983 /* Display success or failure */
984 status = net_ads_join_ok(c);
985 if (!NT_STATUS_IS_OK(status)) {
986 fprintf(stderr,"Join to domain is not valid: %s\n",
987 get_friendly_nt_error_msg(status));
988 return -1;
989 }
990
991 printf("Join is OK\n");
992 return 0;
993 }
994
995 /*******************************************************************
996 Simple configu checks before beginning the join
997 ********************************************************************/
998
999 static WERROR check_ads_config( void )
1000 {
1001 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1002 d_printf("Host is not configured as a member server.\n");
1003 return WERR_INVALID_DOMAIN_ROLE;
1004 }
1005
1006 if (strlen(global_myname()) > 15) {
1007 d_printf("Our netbios name can be at most 15 chars long, "
1008 "\"%s\" is %u chars long\n", global_myname(),
1009 (unsigned int)strlen(global_myname()));
1010 return WERR_INVALID_COMPUTERNAME;
1011 }
1012
1013 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1014 d_fprintf(stderr, "realm must be set in in %s for ADS "
1015 "join to succeed.\n", get_dyn_CONFIGFILE());
1016 return WERR_INVALID_PARAM;
1017 }
1018
1019 return WERR_OK;
1020 }
1021
1022 /*******************************************************************
1023 Send a DNS update request
1024 *******************************************************************/
1025
1026 #if defined(WITH_DNS_UPDATES)
1027 #include "dns.h"
1028 DNS_ERROR DoDNSUpdate(char *pszServerName,
1029 const char *pszDomainName, const char *pszHostName,
1030 const struct sockaddr_storage *sslist,
1031 size_t num_addrs );
1032
1033 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1034 const char *machine_name,
1035 const struct sockaddr_storage *addrs,
1036 int num_addrs)
1037 {
1038 struct dns_rr_ns *nameservers = NULL;
1039 int ns_count = 0;
1040 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1041 DNS_ERROR dns_err;
1042 fstring dns_server;
1043 const char *dnsdomain = NULL;
1044 char *root_domain = NULL;
1045
1046 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1047 d_printf("No DNS domain configured for %s. "
1048 "Unable to perform DNS Update.\n", machine_name);
1049 status = NT_STATUS_INVALID_PARAMETER;
1050 goto done;
1051 }
1052 dnsdomain++;
1053
1054 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1055 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1056 /* Child domains often do not have NS records. Look
1057 for the NS record for the forest root domain
1058 (rootDomainNamingContext in therootDSE) */
1059
1060 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1061 LDAPMessage *msg = NULL;
1062 char *root_dn;
1063 ADS_STATUS ads_status;
1064
1065 if ( !ads->ldap.ld ) {
1066 ads_status = ads_connect( ads );
1067 if ( !ADS_ERR_OK(ads_status) ) {
1068 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1069 goto done;
1070 }
1071 }
1072
1073 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1074 "(objectclass=*)", rootname_attrs, &msg);
1075 if (!ADS_ERR_OK(ads_status)) {
1076 goto done;
1077 }
1078
1079 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1080 if ( !root_dn ) {
1081 ads_msgfree( ads, msg );
1082 goto done;
1083 }
1084
1085 root_domain = ads_build_domain( root_dn );
1086
1087 /* cleanup */
1088 ads_msgfree( ads, msg );
1089
1090 /* try again for NS servers */
1091
1092 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1093
1094 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1095 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1096 "realm\n", ads->config.realm));
1097 goto done;
1098 }
1099
1100 dnsdomain = root_domain;
1101
1102 }
1103
1104 /* Now perform the dns update - we'll try non-secure and if we fail,
1105 we'll follow it up with a secure update */
1106
1107 fstrcpy( dns_server, nameservers[0].hostname );
1108
1109 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1110 if (!ERR_DNS_IS_OK(dns_err)) {
1111 status = NT_STATUS_UNSUCCESSFUL;
1112 }
1113
1114 done:
1115
1116 SAFE_FREE( root_domain );
1117
1118 return status;
1119 }
1120
1121 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
1122 {
1123 int num_addrs;
1124 struct sockaddr_storage *iplist = NULL;
1125 fstring machine_name;
1126 NTSTATUS status;
1127
1128 name_to_fqdn( machine_name, global_myname() );
1129 strlower_m( machine_name );
1130
1131 /* Get our ip address (not the 127.0.0.x address but a real ip
1132 * address) */
1133
1134 num_addrs = get_my_ip_address( &iplist );
1135 if ( num_addrs <= 0 ) {
1136 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1137 "addresses!\n"));
1138 return NT_STATUS_INVALID_PARAMETER;
1139 }
1140
1141 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1142 iplist, num_addrs);
1143 SAFE_FREE( iplist );
1144 return status;
1145 }
1146 #endif
1147
1148
1149 /*******************************************************************
1150 ********************************************************************/
1151
1152 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1153 {
1154 d_printf("net ads join [options]\n");
1155 d_printf("Valid options:\n");
1156 d_printf(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n");
1157 d_printf(" The deault UPN is in the form host/netbiosname@REALM.\n");
1158 d_printf(" createcomputer=OU Precreate the computer account in a specific OU.\n");
1159 d_printf(" The OU string read from top to bottom without RDNs and delimited by a '/'.\n");
1160 d_printf(" E.g. \"createcomputer=Computers/Servers/Unix\"\n");
1161 d_printf(" NB: A backslash '\\' is used as escape at multiple levels and may\n");
1162 d_printf(" need to be doubled or even quadrupled. It is not used as a separator.\n");
1163 d_printf(" osName=string Set the operatingSystem attribute during the join.\n");
1164 d_printf(" osVer=string Set the operatingSystemVersion attribute during the join.\n");
1165 d_printf(" NB: osName and osVer must be specified together for either to take effect.\n");
1166 d_printf(" Also, the operatingSystemService attribute is also set when along with\n");
1167 d_printf(" the two other attributes.\n");
1168
1169 return -1;
1170 }
1171
1172 /*******************************************************************
1173 ********************************************************************/
1174
1175 int net_ads_join(struct net_context *c, int argc, const char **argv)
1176 {
1177 TALLOC_CTX *ctx = NULL;
1178 struct libnet_JoinCtx *r = NULL;
1179 const char *domain = lp_realm();
1180 WERROR werr = WERR_SETUP_NOT_JOINED;
1181 bool createupn = false;
1182 const char *machineupn = NULL;
1183 const char *create_in_ou = NULL;
1184 int i;
1185 const char *os_name = NULL;
1186 const char *os_version = NULL;
1187 bool modify_config = lp_config_backend_is_registry();
1188 struct user_auth_info *ai = c->auth_info;;
1189
1190 if (c->display_usage)
1191 return net_ads_join_usage(c, argc, argv);
1192
1193 if (!modify_config) {
1194
1195 werr = check_ads_config();
1196 if (!W_ERROR_IS_OK(werr)) {
1197 d_fprintf(stderr, "Invalid configuration. Exiting....\n");
1198 goto fail;
1199 }
1200 }
1201
1202 if (!(ctx = talloc_init("net_ads_join"))) {
1203 d_fprintf(stderr, "Could not initialise talloc context.\n");
1204 werr = WERR_NOMEM;
1205 goto fail;
1206 }
1207
1208 if (!get_cmdline_auth_info_use_kerberos(ai)) {
1209 use_in_memory_ccache();
1210 }
1211
1212 werr = libnet_init_JoinCtx(ctx, &r);
1213 if (!W_ERROR_IS_OK(werr)) {
1214 goto fail;
1215 }
1216
1217 /* process additional command line args */
1218
1219 for ( i=0; i<argc; i++ ) {
1220 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1221 createupn = true;
1222 machineupn = get_string_param(argv[i]);
1223 }
1224 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1225 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1226 d_fprintf(stderr, "Please supply a valid OU path.\n");
1227 werr = WERR_INVALID_PARAM;
1228 goto fail;
1229 }
1230 }
1231 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1232 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1233 d_fprintf(stderr, "Please supply a operating system name.\n");
1234 werr = WERR_INVALID_PARAM;
1235 goto fail;
1236 }
1237 }
1238 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1239 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1240 d_fprintf(stderr, "Please supply a valid operating system version.\n");
1241 werr = WERR_INVALID_PARAM;
1242 goto fail;
1243 }
1244 }
1245 else {
1246 domain = argv[i];
1247 }
1248 }
1249
1250 if (!*domain) {
1251 d_fprintf(stderr, "Please supply a valid domain name\n");
1252 werr = WERR_INVALID_PARAM;
1253 goto fail;
1254 }
1255
1256 /* Do the domain join here */
1257
1258 set_cmdline_auth_info_getpass(ai);
1259
1260 r->in.domain_name = domain;
1261 r->in.create_upn = createupn;
1262 r->in.upn = machineupn;
1263 r->in.account_ou = create_in_ou;
1264 r->in.os_name = os_name;
1265 r->in.os_version = os_version;
1266 r->in.dc_name = c->opt_host;
1267 r->in.admin_account = get_cmdline_auth_info_username(ai);
1268 r->in.admin_password = get_cmdline_auth_info_password(ai);
1269 r->in.debug = true;
1270 r->in.use_kerberos = get_cmdline_auth_info_use_kerberos(ai);
1271 r->in.modify_config = modify_config;
1272 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1273 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1274 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1275
1276 werr = libnet_Join(ctx, r);
1277 if (!W_ERROR_IS_OK(werr)) {
1278 goto fail;
1279 }
1280
1281 /* Check the short name of the domain */
1282
1283 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1284 d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
1285 d_printf("domain name obtained from the server.\n");
1286 d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
1287 d_printf("You should set \"workgroup = %s\" in %s.\n",
1288 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1289 }
1290
1291 d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
1292
1293 if (r->out.dns_domain_name) {
1294 d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
1295 r->out.dns_domain_name);
1296 } else {
1297 d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
1298 r->out.netbios_domain_name);
1299 }
1300
1301 #if defined(WITH_DNS_UPDATES)
1302 if (r->out.domain_is_ad) {
1303 /* We enter this block with user creds */
1304 ADS_STRUCT *ads_dns = NULL;
1305
1306 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1307 /* kinit with the machine password */
1308
1309 use_in_memory_ccache();
1310 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1311 goto fail;
1312 }
1313 ads_dns->auth.password = secrets_fetch_machine_password(
1314 r->out.netbios_domain_name, NULL, NULL );
1315 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1316 strupper_m(ads_dns->auth.realm );
1317 ads_kinit_password( ads_dns );
1318 }
1319
1320 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
1321 d_fprintf( stderr, "DNS update failed!\n" );
1322 }
1323
1324 /* exit from this block using machine creds */
1325 ads_destroy(&ads_dns);
1326 }
1327 #endif
1328 TALLOC_FREE(r);
1329 TALLOC_FREE( ctx );
1330
1331 return 0;
1332
1333 fail:
1334 /* issue an overall failure message at the end. */
1335 d_printf("Failed to join domain: %s\n",
1336 r && r->out.error_string ? r->out.error_string :
1337 get_friendly_werror_msg(werr));
1338 TALLOC_FREE( ctx );
1339
1340 return -1;
1341 }
1342
1343 /*******************************************************************
1344 ********************************************************************/
1345
1346 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1347 {
1348 #if defined(WITH_DNS_UPDATES)
1349 ADS_STRUCT *ads;
1350 ADS_STATUS status;
1351 TALLOC_CTX *ctx;
1352
1353 #ifdef DEVELOPER
1354 talloc_enable_leak_report();
1355 #endif
1356
1357 if (argc > 0 || c->display_usage) {
1358 d_printf("Usage:\n"
1359 "net ads dns register\n"
1360 " Register hostname with DNS\n");
1361 return -1;
1362 }
1363
1364 if (!(ctx = talloc_init("net_ads_dns"))) {
1365 d_fprintf(stderr, "Could not initialise talloc context\n");
1366 return -1;
1367 }
1368
1369 status = ads_startup(c, true, &ads);
1370 if ( !ADS_ERR_OK(status) ) {
1371 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1372 TALLOC_FREE(ctx);
1373 return -1;
1374 }
1375
1376 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
1377 d_fprintf( stderr, "DNS update failed!\n" );
1378 ads_destroy( &ads );
1379 TALLOC_FREE( ctx );
1380 return -1;
1381 }
1382
1383 d_fprintf( stderr, "Successfully registered hostname with DNS\n" );
1384
1385 ads_destroy(&ads);
1386 TALLOC_FREE( ctx );
1387
1388 return 0;
1389 #else
1390 d_fprintf(stderr, "DNS update support not enabled at compile time!\n");
1391 return -1;
1392 #endif
1393 }
1394
1395 #if defined(WITH_DNS_UPDATES)
1396 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1397 #endif
1398
1399 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1400 {
1401 #if defined(WITH_DNS_UPDATES)
1402 DNS_ERROR err;
1403
1404 #ifdef DEVELOPER
1405 talloc_enable_leak_report();
1406 #endif
1407
1408 if (argc != 2 || c->display_usage) {
1409 d_printf("Usage:\n"
1410 "net ads dns gethostbyname <server> <name>\n"
1411 " Look up hostname from the AD\n"
1412 " server\tName server to use\n"
1413 " name\tName to look up\n");
1414 return -1;
1415 }
1416
1417 err = do_gethostbyname(argv[0], argv[1]);
1418
1419 d_printf("do_gethostbyname returned %d\n", ERROR_DNS_V(err));
1420 #endif
1421 return 0;
1422 }
1423
1424 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1425 {
1426 struct functable func[] = {
1427 {
1428 "register",
1429 net_ads_dns_register,
1430 NET_TRANSPORT_ADS,
1431 "Add host dns entry to AD",
1432 "net ads dns register\n"
1433 " Add host dns entry to AD"
1434 },
1435 {
1436 "gethostbyname",
1437 net_ads_dns_gethostbyname,
1438 NET_TRANSPORT_ADS,
1439 "Look up host",
1440 "net ads dns gethostbyname\n"
1441 " Look up host"
1442 },
1443 {NULL, NULL, 0, NULL, NULL}
1444 };
1445
1446 return net_run_function(c, argc, argv, "net ads dns", func);
1447 }
1448
1449 /*******************************************************************
1450 ********************************************************************/
1451
1452 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1453 {
1454 d_printf(
1455 "\nnet ads printer search <printer>"
1456 "\n\tsearch for a printer in the directory\n"
1457 "\nnet ads printer info <printer> <server>"
1458 "\n\tlookup info in directory for printer on server"
1459 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1460 "\nnet ads printer publish <printername>"
1461 "\n\tpublish printer in directory"
1462 "\n\t(note: printer name is required)\n"
1463 "\nnet ads printer remove <printername>"
1464 "\n\tremove printer from directory"
1465 "\n\t(note: printer name is required)\n");
1466 return -1;
1467 }
1468
1469 /*******************************************************************
1470 ********************************************************************/
1471
1472 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1473 {
1474 ADS_STRUCT *ads;
1475 ADS_STATUS rc;
1476 LDAPMessage *res = NULL;
1477
1478 if (c->display_usage) {
1479 d_printf("Usage:\n"
1480 "net ads printer search\n"
1481 " List printers in the AD\n");
1482 return 0;
1483 }
1484
1485 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1486 return -1;
1487 }
1488
1489 rc = ads_find_printers(ads, &res);
1490
1491 if (!ADS_ERR_OK(rc)) {
1492 d_fprintf(stderr, "ads_find_printer: %s\n", ads_errstr(rc));
1493 ads_msgfree(ads, res);
1494 ads_destroy(&ads);
1495 return -1;
1496 }
1497
1498 if (ads_count_replies(ads, res) == 0) {
1499 d_fprintf(stderr, "No results found\n");
1500 ads_msgfree(ads, res);
1501 ads_destroy(&ads);
1502 return -1;
1503 }
1504
1505 ads_dump(ads, res);
1506 ads_msgfree(ads, res);
1507 ads_destroy(&ads);
1508 return 0;
1509 }
1510
1511 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1512 {
1513 ADS_STRUCT *ads;
1514 ADS_STATUS rc;
1515 const char *servername, *printername;
1516 LDAPMessage *res = NULL;
1517
1518 if (c->display_usage) {
1519 d_printf("Usage:\n"
1520 "net ads printer info [printername [servername]]\n"
1521 " Display printer info from AD\n"
1522 " printername\tPrinter name or wildcard\n"
1523 " servername\tName of the print server\n");
1524 return 0;
1525 }
1526
1527 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1528 return -1;
1529 }
1530
1531 if (argc > 0) {
1532 printername = argv[0];
1533 } else {
1534 printername = "*";
1535 }
1536
1537 if (argc > 1) {
1538 servername = argv[1];
1539 } else {
1540 servername = global_myname();
1541 }
1542
1543 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1544
1545 if (!ADS_ERR_OK(rc)) {
1546 d_fprintf(stderr, "Server '%s' not found: %s\n",
1547 servername, ads_errstr(rc));
1548 ads_msgfree(ads, res);
1549 ads_destroy(&ads);
1550 return -1;
1551 }
1552
1553 if (ads_count_replies(ads, res) == 0) {
1554 d_fprintf(stderr, "Printer '%s' not found\n", printername);
1555 ads_msgfree(ads, res);
1556 ads_destroy(&ads);
1557 return -1;
1558 }
1559
1560 ads_dump(ads, res);
1561 ads_msgfree(ads, res);
1562 ads_destroy(&ads);
1563
1564 return 0;
1565 }
1566
1567 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1568 {
1569 ADS_STRUCT *ads;
1570 ADS_STATUS rc;
1571 const char *servername, *printername;
1572 struct cli_state *cli;
1573 struct rpc_pipe_client *pipe_hnd;
1574 struct sockaddr_storage server_ss;
1575 NTSTATUS nt_status;
1576 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1577 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1578 char *prt_dn, *srv_dn, **srv_cn;
1579 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1580 LDAPMessage *res = NULL;
1581 struct user_auth_info *ai = c->auth_info;
1582
1583 if (argc < 1 || c->display_usage) {
1584 d_printf("Usage:\n"
1585 "net ads printer publish <printername> [servername]\n"
1586 " Publish printer in AD\n"
1587 " printername\tName of the printer\n"
1588 " servername\tName of the print server\n");
1589 talloc_destroy(mem_ctx);
1590 return -1;
1591 }
1592
1593 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1594 talloc_destroy(mem_ctx);
1595 return -1;
1596 }
1597
1598 printername = argv[0];
1599
1600 if (argc == 2) {
1601 servername = argv[1];
1602 } else {
1603 servername = global_myname();
1604 }
1605
1606 /* Get printer data from SPOOLSS */
1607
1608 resolve_name(servername, &server_ss, 0x20);
1609
1610 nt_status = cli_full_connection(&cli, global_myname(), servername,
1611 &server_ss, 0,
1612 "IPC$", "IPC",
1613 get_cmdline_auth_info_username(ai),
1614 c->opt_workgroup,
1615 get_cmdline_auth_info_password(ai),
1616 CLI_FULL_CONNECTION_USE_KERBEROS,
1617 Undefined, NULL);
1618
1619 if (NT_STATUS_IS_ERR(nt_status)) {
1620 d_fprintf(stderr, "Unable to open a connnection to %s to obtain data "
1621 "for %s\n", servername, printername);
1622 ads_destroy(&ads);
1623 talloc_destroy(mem_ctx);
1624 return -1;
1625 }
1626
1627 /* Publish on AD server */
1628
1629 ads_find_machine_acct(ads, &res, servername);
1630
1631 if (ads_count_replies(ads, res) == 0) {
1632 d_fprintf(stderr, "Could not find machine account for server %s\n",
1633 servername);
1634 ads_destroy(&ads);
1635 talloc_destroy(mem_ctx);
1636 return -1;
1637 }
1638
1639 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1640 srv_cn = ldap_explode_dn(srv_dn, 1);
1641
1642 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1643 printername_escaped = escape_rdn_val_string_alloc(printername);
1644 if (!srv_cn_escaped || !printername_escaped) {
1645 SAFE_FREE(srv_cn_escaped);
1646 SAFE_FREE(printername_escaped);
1647 d_fprintf(stderr, "Internal error, out of memory!");
1648 ads_destroy(&ads);
1649 talloc_destroy(mem_ctx);
1650 return -1;
1651 }
1652
1653 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1654 SAFE_FREE(srv_cn_escaped);
1655 SAFE_FREE(printername_escaped);
1656 d_fprintf(stderr, "Internal error, out of memory!");
1657 ads_destroy(&ads);
1658 talloc_destroy(mem_ctx);
1659 return -1;
1660 }
1661
1662 SAFE_FREE(srv_cn_escaped);
1663 SAFE_FREE(printername_escaped);
1664
1665 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1666 if (!NT_STATUS_IS_OK(nt_status)) {
1667 d_fprintf(stderr, "Unable to open a connnection to the spoolss pipe on %s\n",
1668 servername);
1669 SAFE_FREE(prt_dn);
1670 ads_destroy(&ads);
1671 talloc_destroy(mem_ctx);
1672 return -1;
1673 }
1674
1675 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1676 printername))) {
1677 SAFE_FREE(prt_dn);
1678 ads_destroy(&ads);
1679 talloc_destroy(mem_ctx);
1680 return -1;
1681 }
1682
1683 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1684 if (!ADS_ERR_OK(rc)) {
1685 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1686 SAFE_FREE(prt_dn);
1687 ads_destroy(&ads);
1688 talloc_destroy(mem_ctx);
1689 return -1;
1690 }
1691
1692 d_printf("published printer\n");
1693 SAFE_FREE(prt_dn);
1694 ads_destroy(&ads);
1695 talloc_destroy(mem_ctx);
1696
1697 return 0;
1698 }
1699
1700 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1701 {
1702 ADS_STRUCT *ads;
1703 ADS_STATUS rc;
1704 const char *servername;
1705 char *prt_dn;
1706 LDAPMessage *res = NULL;
1707
1708 if (argc < 1 || c->display_usage) {
1709 d_printf("Usage:\n"
1710 "net ads printer remove <printername> [servername]\n"
1711 " Remove a printer from the AD\n"
1712 " printername\tName of the printer\n"
1713 " servername\tName of the print server\n");
1714 return -1;
1715 }
1716
1717 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1718 return -1;
1719 }
1720
1721 if (argc > 1) {
1722 servername = argv[1];
1723 } else {
1724 servername = global_myname();
1725 }
1726
1727 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1728
1729 if (!ADS_ERR_OK(rc)) {
1730 d_fprintf(stderr, "ads_find_printer_on_server: %s\n", ads_errstr(rc));
1731 ads_msgfree(ads, res);
1732 ads_destroy(&ads);
1733 return -1;
1734 }
1735
1736 if (ads_count_replies(ads, res) == 0) {
1737 d_fprintf(stderr, "Printer '%s' not found\n", argv[1]);
1738 ads_msgfree(ads, res);
1739 ads_destroy(&ads);
1740 return -1;
1741 }
1742
1743 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1744 ads_msgfree(ads, res);
1745 rc = ads_del_dn(ads, prt_dn);
1746 TALLOC_FREE(prt_dn);
1747
1748 if (!ADS_ERR_OK(rc)) {
1749 d_fprintf(stderr, "ads_del_dn: %s\n", ads_errstr(rc));
1750 ads_destroy(&ads);
1751 return -1;
1752 }
1753
1754 ads_destroy(&ads);
1755 return 0;
1756 }
1757
1758 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1759 {
1760 struct functable func[] = {
1761 {
1762 "search",
1763 net_ads_printer_search,
1764 NET_TRANSPORT_ADS,
1765 "Search for a printer",
1766 "net ads printer search\n"
1767 " Search for a printer"
1768 },
1769 {
1770 "info",
1771 net_ads_printer_info,
1772 NET_TRANSPORT_ADS,
1773 "Display printer information",
1774 "net ads printer info\n"
1775 " Display printer information"
1776 },
1777 {
1778 "publish",
1779 net_ads_printer_publish,
1780 NET_TRANSPORT_ADS,
1781 "Publish a printer",
1782 "net ads printer publish\n"
1783 " Publish a printer"
1784 },
1785 {
1786 "remove",
1787 net_ads_printer_remove,
1788 NET_TRANSPORT_ADS,
1789 "Delete a printer",
1790 "net ads printer remove\n"
1791 " Delete a printer"
1792 },
1793 {NULL, NULL, 0, NULL, NULL}
1794 };
1795
1796 return net_run_function(c, argc, argv, "net ads printer", func);
1797 }
1798
1799
1800 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1801 {
1802 ADS_STRUCT *ads;
1803 const char *auth_principal;
1804 const char *auth_password;
1805 char *realm = NULL;
1806 char *new_password = NULL;
1807 char *chr, *prompt;
1808 const char *user;
1809 ADS_STATUS ret;
1810
1811 if (c->display_usage) {
1812 d_printf("Usage:\n"
1813 "net ads password <username>\n"
1814 " Change password for user\n"
1815 " username\tName of user to change password for\n");
1816 return 0;
1817 }
1818
1819 auth_principal = get_cmdline_auth_info_username(c->auth_info);
1820 set_cmdline_auth_info_getpass(c->auth_info);
1821 auth_password = get_cmdline_auth_info_password(c->auth_info);
1822
1823 if (argc < 1) {
1824 d_fprintf(stderr, "ERROR: You must say which username to change password for\n");
1825 return -1;
1826 }
1827
1828 user = argv[0];
1829 if (!strchr_m(user, '@')) {
1830 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1831 return -1;
1832 }
1833 user = chr;
1834 }
1835
1836 use_in_memory_ccache();
1837 chr = strchr_m(auth_principal, '@');
1838 if (chr) {
1839 realm = ++chr;
1840 } else {
1841 realm = lp_realm();
1842 }
1843
1844 /* use the realm so we can eventually change passwords for users
1845 in realms other than default */
1846 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1847 return -1;
1848 }
1849
1850 /* we don't actually need a full connect, but it's the easy way to
1851 fill in the KDC's addresss */
1852 ads_connect(ads);
1853
1854 if (!ads->config.realm) {
1855 d_fprintf(stderr, "Didn't find the kerberos server!\n");
1856 ads_destroy(&ads);
1857 return -1;
1858 }
1859
1860 if (argv[1]) {
1861 new_password = (char *)argv[1];
1862 } else {
1863 if (asprintf(&prompt, "Enter new password for %s:", user) == -1) {
1864 return -1;
1865 }
1866 new_password = getpass(prompt);
1867 free(prompt);
1868 }
1869
1870 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1871 auth_password, user, new_password, ads->auth.time_offset);
1872 if (!ADS_ERR_OK(ret)) {
1873 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1874 ads_destroy(&ads);
1875 return -1;
1876 }
1877
1878 d_printf("Password change for %s completed.\n", user);
1879 ads_destroy(&ads);
1880
1881 return 0;
1882 }
1883
1884 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1885 {
1886 ADS_STRUCT *ads;
1887 char *host_principal;
1888 fstring my_name;
1889 ADS_STATUS ret;
1890
1891 if (c->display_usage) {
1892 d_printf("Usage:\n"
1893 "net ads changetrustpw\n"
1894 " Change the machine account's trust password\n");
1895 return 0;
1896 }
1897
1898 if (!secrets_init()) {
1899 DEBUG(1,("Failed to initialise secrets database\n"));
1900 return -1;
1901 }
1902
1903 set_cmdline_auth_info_use_machine_account(c->auth_info);
1904
1905 use_in_memory_ccache();
1906
1907 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1908 return -1;
1909 }
1910
1911 fstrcpy(my_name, global_myname());
1912 strlower_m(my_name);
1913 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
1914 ads_destroy(&ads);
1915 return -1;
1916 }
1917 d_printf("Changing password for principal: %s\n", host_principal);
1918
1919 ret = ads_change_trust_account_password(ads, host_principal);
1920
1921 if (!ADS_ERR_OK(ret)) {
1922 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1923 ads_destroy(&ads);
1924 SAFE_FREE(host_principal);
1925 return -1;
1926 }
1927
1928 d_printf("Password change for principal %s succeeded.\n", host_principal);
1929
1930 if (USE_SYSTEM_KEYTAB) {
1931 d_printf("Attempting to update system keytab with new password.\n");
1932 if (ads_keytab_create_default(ads)) {
1933 d_printf("Failed to update system keytab.\n");
1934 }
1935 }
1936
1937 ads_destroy(&ads);
1938 SAFE_FREE(host_principal);
1939
1940 return 0;
1941 }
1942
1943 /*
1944 help for net ads search
1945 */
1946 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
1947 {
1948 d_printf(
1949 "\nnet ads search <expression> <attributes...>\n"
1950 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
1951 "The expression is a standard LDAP search expression, and the\n"
1952 "attributes are a list of LDAP fields to show in the results.\n\n"
1953 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
1954 );
1955 net_common_flags_usage(c, argc, argv);
1956 return -1;
1957 }
1958
1959
1960 /*
1961 general ADS search function. Useful in diagnosing problems in ADS
1962 */
1963 static int net_ads_search(struct net_context *c, int argc, const char **argv)
1964 {
1965 ADS_STRUCT *ads;
1966 ADS_STATUS rc;
1967 const char *ldap_exp;
1968 const char **attrs;
1969 LDAPMessage *res = NULL;
1970
1971 if (argc < 1 || c->display_usage) {
1972 return net_ads_search_usage(c, argc, argv);
1973 }
1974
1975 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1976 return -1;
1977 }
1978
1979 ldap_exp = argv[0];
1980 attrs = (argv + 1);
1981
1982 rc = ads_do_search_all(ads, ads->config.bind_path,
1983 LDAP_SCOPE_SUBTREE,
1984 ldap_exp, attrs, &res);
1985 if (!ADS_ERR_OK(rc)) {
1986 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
1987 ads_destroy(&ads);
1988 return -1;
1989 }
1990
1991 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
1992
1993 /* dump the results */
1994 ads_dump(ads, res);
1995
1996 ads_msgfree(ads, res);
1997 ads_destroy(&ads);
1998
1999 return 0;
2000 }
2001
2002
2003 /*
2004 help for net ads search
2005 */
2006 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2007 {
2008 d_printf(
2009 "\nnet ads dn <dn> <attributes...>\n"
2010 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2011 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2012 "to show in the results\n\n"
2013 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2014 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2015 );
2016 net_common_flags_usage(c, argc, argv);
2017 return -1;
2018 }
2019
2020
2021 /*
2022 general ADS search function. Useful in diagnosing problems in ADS
2023 */
2024 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2025 {
2026 ADS_STRUCT *ads;
2027 ADS_STATUS rc;
2028 const char *dn;
2029 const char **attrs;
2030 LDAPMessage *res = NULL;
2031
2032 if (argc < 1 || c->display_usage) {
2033 return net_ads_dn_usage(c, argc, argv);
2034 }
2035
2036 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2037 return -1;
2038 }
2039
2040 dn = argv[0];
2041 attrs = (argv + 1);
2042
2043 rc = ads_do_search_all(ads, dn,
2044 LDAP_SCOPE_BASE,
2045 "(objectclass=*)", attrs, &res);
2046 if (!ADS_ERR_OK(rc)) {
2047 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
2048 ads_destroy(&ads);
2049 return -1;
2050 }
2051
2052 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2053
2054 /* dump the results */
2055 ads_dump(ads, res);
2056
2057 ads_msgfree(ads, res);
2058 ads_destroy(&ads);
2059
2060 return 0;
2061 }
2062
2063 /*
2064 help for net ads sid search
2065 */
2066 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2067 {
2068 d_printf(
2069 "\nnet ads sid <sid> <attributes...>\n"
2070 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2071 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2072 "to show in the results\n\n"
2073 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2074 );
2075 net_common_flags_usage(c, argc, argv);
2076 return -1;
2077 }
2078
2079
2080 /*
2081 general ADS search function. Useful in diagnosing problems in ADS
2082 */
2083 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2084 {
2085 ADS_STRUCT *ads;
2086 ADS_STATUS rc;
2087 const char *sid_string;
2088 const char **attrs;
2089 LDAPMessage *res = NULL;
2090 DOM_SID sid;
2091
2092 if (argc < 1 || c->display_usage) {
2093 return net_ads_sid_usage(c, argc, argv);
2094 }
2095
2096 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2097 return -1;
2098 }
2099
2100 sid_string = argv[0];
2101 attrs = (argv + 1);
2102
2103 if (!string_to_sid(&sid, sid_string)) {
2104 d_fprintf(stderr, "could not convert sid\n");
2105 ads_destroy(&ads);
2106 return -1;
2107 }
2108
2109 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2110 if (!ADS_ERR_OK(rc)) {
2111 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
2112 ads_destroy(&ads);
2113 return -1;
2114 }
2115
2116 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2117
2118 /* dump the results */
2119 ads_dump(ads, res);
2120
2121 ads_msgfree(ads, res);
2122 ads_destroy(&ads);
2123
2124 return 0;
2125 }
2126
2127 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2128 {
2129 int ret;
2130 ADS_STRUCT *ads;
2131
2132 if (c->display_usage) {
2133 d_printf("Usage:\n"
2134 "net ads keytab flush\n"
2135 " Delete the whole keytab\n");
2136 return 0;
2137 }
2138
2139 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2140 return -1;
2141 }
2142 ret = ads_keytab_flush(ads);
2143 ads_destroy(&ads);
2144 return ret;
2145 }
2146
2147 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2148 {
2149 int i;
2150 int ret = 0;
2151 ADS_STRUCT *ads;
2152
2153 if (c->display_usage) {
2154 d_printf("Usage:\n"
2155 "net ads keytab add <principal> [principal ...]\n"
2156 " Add principals to local keytab\n"
2157 " principal\tKerberos principal to add to "
2158 "keytab\n");
2159 return 0;
2160 }
2161
2162 d_printf("Processing principals to add...\n");
2163 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2164 return -1;
2165 }
2166 for (i = 0; i < argc; i++) {
2167 ret |= ads_keytab_add_entry(ads, argv[i]);
2168 }
2169 ads_destroy(&ads);
2170 return ret;
2171 }
2172
2173 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2174 {
2175 ADS_STRUCT *ads;
2176 int ret;
2177
2178 if (c->display_usage) {
2179 d_printf("Usage:\n"
2180 "net ads keytab create\n"
2181 " Create new default keytab\n");
2182 return 0;
2183 }
2184
2185 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2186 return -1;
2187 }
2188 ret = ads_keytab_create_default(ads);
2189 ads_destroy(&ads);
2190 return ret;
2191 }
2192
2193 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2194 {
2195 const char *keytab = NULL;
2196
2197 if (c->display_usage) {
2198 d_printf("Usage:\n"
2199 "net ads keytab list [keytab]\n"
2200 " List a local keytab\n"
2201 " keytab\tKeytab to list\n");
2202 return 0;
2203 }
2204
2205 if (argc >= 1) {
2206 keytab = argv[0];
2207 }
2208
2209 return ads_keytab_list(keytab);
2210 }
2211
2212
2213 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2214 {
2215 struct functable func[] = {
2216 {
2217 "add",
2218 net_ads_keytab_add,
2219 NET_TRANSPORT_ADS,
2220 "Add a service principal",
2221 "net ads keytab add\n"
2222 " Add a service principal"
2223 },
2224 {
2225 "create",
2226 net_ads_keytab_create,
2227 NET_TRANSPORT_ADS,
2228 "Create a fresh keytab",
2229 "net ads keytab create\n"
2230 " Create a fresh keytab"
2231 },
2232 {
2233 "flush",
2234 net_ads_keytab_flush,
2235 NET_TRANSPORT_ADS,
2236 "Remove all keytab entries",
2237 "net ads keytab flush\n"
2238 " Remove all keytab entries"
2239 },
2240 {
2241 "list",
2242 net_ads_keytab_list,
2243 NET_TRANSPORT_ADS,
2244 "List a keytab",
2245 "net ads keytab list\n"
2246 " List a keytab"
2247 },
2248 {NULL, NULL, 0, NULL, NULL}
2249 };
2250
2251 if (!USE_KERBEROS_KEYTAB) {
2252 d_printf("\nWarning: \"kerberos method\" must be set to a "
2253 "keytab method to use keytab functions.\n");
2254 }
2255
2256 return net_run_function(c, argc, argv, "net ads keytab", func);
2257 }
2258
2259 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2260 {
2261 int ret = -1;
2262
2263 if (c->display_usage) {
2264 d_printf("Usage:\n"
2265 "net ads kerberos renew\n"
2266 " Renew TGT from existing credential cache\n");
2267 return 0;
2268 }
2269
2270 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2271 if (ret) {
2272 d_printf("failed to renew kerberos ticket: %s\n",
2273 error_message(ret));
2274 }
2275 return ret;
2276 }
2277
2278 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2279 {
2280 struct PAC_DATA *pac = NULL;
2281 struct PAC_LOGON_INFO *info = NULL;
2282 TALLOC_CTX *mem_ctx = NULL;
2283 NTSTATUS status;
2284 int ret = -1;
2285 struct user_auth_info *ai = c->auth_info;
2286
2287 if (c->display_usage) {
2288 d_printf("Usage:\n"
2289 "net ads kerberos pac\n"
2290 " Dump the Kerberos PAC\n");
2291 return 0;
2292 }
2293
2294 mem_ctx = talloc_init("net_ads_kerberos_pac");
2295 if (!mem_ctx) {
2296 goto out;
2297 }
2298
2299 set_cmdline_auth_info_getpass(ai);
2300
2301 status = kerberos_return_pac(mem_ctx,
2302 get_cmdline_auth_info_username(ai),
2303 get_cmdline_auth_info_password(ai),
2304 0,
2305 NULL,
2306 NULL,
2307 NULL,
2308 true,
2309 true,
2310 2592000, /* one month */
2311 &pac);
2312 if (!NT_STATUS_IS_OK(status)) {
2313 d_printf("failed to query kerberos PAC: %s\n",
2314 nt_errstr(status));
2315 goto out;
2316 }
2317
2318 info = get_logon_info_from_pac(pac);
2319 if (info) {
2320 const char *s;
2321 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2322 d_printf("The Pac: %s\n", s);
2323 }
2324
2325 ret = 0;
2326 out:
2327 TALLOC_FREE(mem_ctx);
2328 return ret;
2329 }
2330
2331 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2332 {
2333 TALLOC_CTX *mem_ctx = NULL;
2334 int ret = -1;
2335 NTSTATUS status;
2336 struct user_auth_info *ai = c->auth_info;
2337
2338 if (c->display_usage) {
2339 d_printf("Usage:\n"
2340 "net ads kerberos kinit\n"
2341 " Get Ticket Granting Ticket (TGT) for the user\n");
2342 return 0;
2343 }
2344
2345 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2346 if (!mem_ctx) {
2347 goto out;
2348 }
2349
2350 set_cmdline_auth_info_getpass(ai);
2351
2352 ret = kerberos_kinit_password_ext(get_cmdline_auth_info_username(ai),
2353 get_cmdline_auth_info_password(ai),
2354 0,
2355 NULL,
2356 NULL,
2357 NULL,
2358 true,
2359 true,
2360 2592000, /* one month */
2361 &status);
2362 if (ret) {
2363 d_printf("failed to kinit password: %s\n",
2364 nt_errstr(status));
2365 }
2366 out:
2367 return ret;
2368 }
2369
2370 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2371 {
2372 struct functable func[] = {
2373 {
2374 "kinit",
2375 net_ads_kerberos_kinit,
2376 NET_TRANSPORT_ADS,
2377 "Retrieve Ticket Granting Ticket (TGT)",
2378 "net ads kerberos kinit\n"
2379 " Receive Ticket Granting Ticket (TGT)"
2380 },
2381 {
2382 "renew",
2383 net_ads_kerberos_renew,
2384 NET_TRANSPORT_ADS,
2385 "Renew Ticket Granting Ticket from credential cache"
2386 "net ads kerberos renew\n"
2387 " Renew Ticket Granting Ticket from credential cache"
2388 },
2389 {
2390 "pac",
2391 net_ads_kerberos_pac,
2392 NET_TRANSPORT_ADS,
2393 "Dump Kerberos PAC",
2394 "net ads kerberos pac\n"
2395 " Dump Kerberos PAC"
2396 },
2397 {NULL, NULL, 0, NULL, NULL}
2398 };
2399
2400 return net_run_function(c, argc, argv, "net ads kerberos", func);
2401 }
2402
2403 int net_ads(struct net_context *c, int argc, const char **argv)
2404 {
2405 struct functable func[] = {
2406 {
2407 "info",
2408 net_ads_info,
2409 NET_TRANSPORT_ADS,
2410 "Display details on remote ADS server",
2411 "net ads info\n"
2412 " Display details on remote ADS server"
2413 },
2414 {
2415 "join",
2416 net_ads_join,
2417 NET_TRANSPORT_ADS,
2418 "Join the local machine to ADS realm",
2419 "net ads join\n"
2420 " Join the local machine to ADS realm"
2421 },
2422 {
2423 "testjoin",
2424 net_ads_testjoin,
2425 NET_TRANSPORT_ADS,
2426 "Validate machine account",
2427 "net ads testjoin\n"
2428 " Validate machine account"
2429 },
2430 {
2431 "leave",
2432 net_ads_leave,
2433 NET_TRANSPORT_ADS,
2434 "Remove the local machine from ADS",
2435 "net ads leave\n"
2436 " Remove the local machine from ADS"
2437 },
2438 {
2439 "status",
2440 net_ads_status,
2441 NET_TRANSPORT_ADS,
2442 "Display machine account details",
2443 "net ads status\n"
2444 " Display machine account details"
2445 },
2446 {
2447 "user",
2448 net_ads_user,
2449 NET_TRANSPORT_ADS,
2450 "List/modify users",
2451 "net ads user\n"
2452 " List/modify users"
2453 },
2454 {
2455 "group",
2456 net_ads_group,
2457 NET_TRANSPORT_ADS,
2458 "List/modify groups",
2459 "net ads group\n"
2460 " List/modify groups"
2461 },
2462 {
2463 "dns",
2464 net_ads_dns,
2465 NET_TRANSPORT_ADS,
2466 "Issue dynamic DNS update",
2467 "net ads dns\n"
2468 " Issue dynamic DNS update"
2469 },
2470 {
2471 "password",
2472 net_ads_password,
2473 NET_TRANSPORT_ADS,
2474 "Change user passwords",
2475 "net ads password\n"
2476 " Change user passwords"
2477 },
2478 {
2479 "changetrustpw",
2480 net_ads_changetrustpw,
2481 NET_TRANSPORT_ADS,
2482 "Change trust account password",
2483 "net ads changetrustpw\n"
2484 " Change trust account password"
2485 },
2486 {
2487 "printer",
2488 net_ads_printer,
2489 NET_TRANSPORT_ADS,
2490 "List/modify printer entries",
2491 "net ads printer\n"
2492 " List/modify printer entries"
2493 },
2494 {
2495 "search",
2496 net_ads_search,
2497 NET_TRANSPORT_ADS,
2498 "Issue LDAP search using filter",
2499 "net ads search\n"
2500 " Issue LDAP search using filter"
2501 },
2502 {
2503 "dn",
2504 net_ads_dn,
2505 NET_TRANSPORT_ADS,
2506 "Issue LDAP search by DN",
2507 "net ads dn\n"
2508 " Issue LDAP search by DN"
2509 },
2510 {
2511 "sid",
2512 net_ads_sid,
2513 NET_TRANSPORT_ADS,
2514 "Issue LDAP search by SID",
2515 "net ads sid\n"
2516 " Issue LDAP search by SID"
2517 },
2518 {
2519 "workgroup",
2520 net_ads_workgroup,
2521 NET_TRANSPORT_ADS,
2522 "Display workgroup name",
2523 "net ads workgroup\n"
2524 " Display the workgroup name"
2525 },
2526 {
2527 "lookup",
2528 net_ads_lookup,
2529 NET_TRANSPORT_ADS,
2530 "Perfom CLDAP query on DC",
2531 "net ads lookup\n"
2532 " Find the ADS DC using CLDAP lookups"
2533 },
2534 {
2535 "keytab",
2536 net_ads_keytab,
2537 NET_TRANSPORT_ADS,
2538 "Manage local keytab file",
2539 "net ads keytab\n"
2540 " Manage local keytab file"
2541 },
2542 {
2543 "gpo",
2544 net_ads_gpo,
2545 NET_TRANSPORT_ADS,
2546 "Manage group policy objects",
2547 "net ads gpo\n"
2548 " Manage group policy objects"
2549 },
2550 {
2551 "kerberos",
2552 net_ads_kerberos,
2553 NET_TRANSPORT_ADS,
2554 "Manage kerberos keytab",
2555 "net ads kerberos\n"
2556 " Manage kerberos keytab"
2557 },
2558 {NULL, NULL, 0, NULL, NULL}
2559 };
2560
2561 return net_run_function(c, argc, argv, "net ads", func);
2562 }
2563
2564 #else
2565
2566 static int net_ads_noads(void)
2567 {
2568 d_fprintf(stderr, "ADS support not compiled in\n");
2569 return -1;
2570 }
2571
2572 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2573 {
2574 return net_ads_noads();
2575 }
2576
2577 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2578 {
2579 return net_ads_noads();
2580 }
2581
2582 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2583 {
2584 return net_ads_noads();
2585 }
2586
2587 int net_ads_join(struct net_context *c, int argc, const char **argv)
2588 {
2589 return net_ads_noads();
2590 }
2591
2592 int net_ads_user(struct net_context *c, int argc, const char **argv)
2593 {
2594 return net_ads_noads();
2595 }
2596
2597 int net_ads_group(struct net_context *c, int argc, const char **argv)
2598 {
2599 return net_ads_noads();
2600 }
2601
2602 /* this one shouldn't display a message */
2603 int net_ads_check(struct net_context *c)
2604 {
2605 return -1;
2606 }
2607
2608 int net_ads_check_our_domain(struct net_context *c)
2609 {
2610 return -1;
2611 }
2612
2613 int net_ads(struct net_context *c, int argc, const char **argv)
2614 {
2615 return net_ads_noads();
2616 }
2617
2618 #endif /* WITH_ADS */
reg import