search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-torture/denytest.c: replace cli_read_old() with cli_read()
[Samba/gebeck_regimport.git] / source3 / utils / net_ads.c
blobbb78ecbf12eef5ad65fbd3d144d3b19e77a959f7
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "librpc/gen_ndr/ndr_krb5pac.h"
27 #include "../librpc/gen_ndr/ndr_spoolss.h"
28 #include "nsswitch/libwbclient/wbclient.h"
29 #include "ads.h"
30 #include "libads/cldap.h"
31 #include "libads/dns.h"
32 #include "../libds/common/flags.h"
33 #include "librpc/gen_ndr/libnet_join.h"
34 #include "libnet/libnet_join.h"
35 #include "smb_krb5.h"
36 #include "secrets.h"
37 #include "krb5_env.h"
38 #include "../libcli/security/security.h"
39 #include "libsmb/libsmb.h"
40
41 #ifdef HAVE_ADS
42
43 /* when we do not have sufficient input parameters to contact a remote domain
44 * we always fall back to our own realm - Guenther*/
45
46 static const char *assume_own_realm(struct net_context *c)
47 {
48 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
49 return lp_realm();
50 }
51
52 return NULL;
53 }
54
55 /*
56 do a cldap netlogon query
57 */
58 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
59 {
60 char addr[INET6_ADDRSTRLEN];
61 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
62
63 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
64
65 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
66 d_fprintf(stderr, _("CLDAP query failed!\n"));
67 return -1;
68 }
69
70 d_printf(_("Information for Domain Controller: %s\n\n"),
71 addr);
72
73 d_printf(_("Response Type: "));
74 switch (reply.command) {
75 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
76 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
77 break;
78 case LOGON_SAM_LOGON_RESPONSE_EX:
79 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
80 break;
81 default:
82 d_printf("0x%x\n", reply.command);
83 break;
84 }
85
86 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
87
88 d_printf(_("Flags:\n"
89 "\tIs a PDC: %s\n"
90 "\tIs a GC of the forest: %s\n"
91 "\tIs an LDAP server: %s\n"
92 "\tSupports DS: %s\n"
93 "\tIs running a KDC: %s\n"
94 "\tIs running time services: %s\n"
95 "\tIs the closest DC: %s\n"
96 "\tIs writable: %s\n"
97 "\tHas a hardware clock: %s\n"
98 "\tIs a non-domain NC serviced by LDAP server: %s\n"
99 "\tIs NT6 DC that has some secrets: %s\n"
100 "\tIs NT6 DC that has all secrets: %s\n"),
101 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
102 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
103 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
104 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
105 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
106 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
107 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
108 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
109 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
110 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
111 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
112 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
113
114
115 printf(_("Forest:\t\t\t%s\n"), reply.forest);
116 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
117 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
118
119 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain_name);
120 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
121
122 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
123
124 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
125 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
126
127 d_printf(_("NT Version: %d\n"), reply.nt_version);
128 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
129 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
130
131 return 0;
132 }
133
134 /*
135 this implements the CLDAP based netlogon lookup requests
136 for finding the domain controller of a ADS domain
137 */
138 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
139 {
140 ADS_STRUCT *ads;
141 int ret;
142
143 if (c->display_usage) {
144 d_printf("%s\n"
145 "net ads lookup\n"
146 " %s",
147 _("Usage:"),
148 _("Find the ADS DC using CLDAP lookup.\n"));
149 return 0;
150 }
151
152 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
153 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
154 ads_destroy(&ads);
155 return -1;
156 }
157
158 if (!ads->config.realm) {
159 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
160 ads->ldap.port = 389;
161 }
162
163 ret = net_ads_cldap_netlogon(c, ads);
164 ads_destroy(&ads);
165 return ret;
166 }
167
168
169
170 static int net_ads_info(struct net_context *c, int argc, const char **argv)
171 {
172 ADS_STRUCT *ads;
173 char addr[INET6_ADDRSTRLEN];
174
175 if (c->display_usage) {
176 d_printf("%s\n"
177 "net ads info\n"
178 " %s",
179 _("Usage:"),
180 _("Display information about an Active Directory "
181 "server.\n"));
182 return 0;
183 }
184
185 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
186 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
187 return -1;
188 }
189
190 if (!ads || !ads->config.realm) {
191 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
192 ads_destroy(&ads);
193 return -1;
194 }
195
196 /* Try to set the server's current time since we didn't do a full
197 TCP LDAP session initially */
198
199 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
200 d_fprintf( stderr, _("Failed to get server's current time!\n"));
201 }
202
203 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
204
205 d_printf(_("LDAP server: %s\n"), addr);
206 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
207 d_printf(_("Realm: %s\n"), ads->config.realm);
208 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
209 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
210 d_printf(_("Server time: %s\n"),
211 http_timestring(talloc_tos(), ads->config.current_time));
212
213 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
214 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
215
216 ads_destroy(&ads);
217 return 0;
218 }
219
220 static void use_in_memory_ccache(void) {
221 /* Use in-memory credentials cache so we do not interfere with
222 * existing credentials */
223 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
224 }
225
226 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
227 uint32 auth_flags, ADS_STRUCT **ads_ret)
228 {
229 ADS_STRUCT *ads = NULL;
230 ADS_STATUS status;
231 bool need_password = false;
232 bool second_time = false;
233 char *cp;
234 const char *realm = NULL;
235 bool tried_closest_dc = false;
236
237 /* lp_realm() should be handled by a command line param,
238 However, the join requires that realm be set in smb.conf
239 and compares our realm with the remote server's so this is
240 ok until someone needs more flexibility */
241
242 *ads_ret = NULL;
243
244 retry_connect:
245 if (only_own_domain) {
246 realm = lp_realm();
247 } else {
248 realm = assume_own_realm(c);
249 }
250
251 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
252
253 if (!c->opt_user_name) {
254 c->opt_user_name = "administrator";
255 }
256
257 if (c->opt_user_specified) {
258 need_password = true;
259 }
260
261 retry:
262 if (!c->opt_password && need_password && !c->opt_machine_pass) {
263 c->opt_password = net_prompt_pass(c, c->opt_user_name);
264 if (!c->opt_password) {
265 ads_destroy(&ads);
266 return ADS_ERROR(LDAP_NO_MEMORY);
267 }
268 }
269
270 if (c->opt_password) {
271 use_in_memory_ccache();
272 SAFE_FREE(ads->auth.password);
273 ads->auth.password = smb_xstrdup(c->opt_password);
274 }
275
276 ads->auth.flags |= auth_flags;
277 SAFE_FREE(ads->auth.user_name);
278 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
279
280 /*
281 * If the username is of the form "name@realm",
282 * extract the realm and convert to upper case.
283 * This is only used to establish the connection.
284 */
285 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
286 *cp++ = '\0';
287 SAFE_FREE(ads->auth.realm);
288 ads->auth.realm = smb_xstrdup(cp);
289 strupper_m(ads->auth.realm);
290 }
291
292 status = ads_connect(ads);
293
294 if (!ADS_ERR_OK(status)) {
295
296 if (NT_STATUS_EQUAL(ads_ntstatus(status),
297 NT_STATUS_NO_LOGON_SERVERS)) {
298 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
299 ads_destroy(&ads);
300 return status;
301 }
302
303 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
304 need_password = true;
305 second_time = true;
306 goto retry;
307 } else {
308 ads_destroy(&ads);
309 return status;
310 }
311 }
312
313 /* when contacting our own domain, make sure we use the closest DC.
314 * This is done by reconnecting to ADS because only the first call to
315 * ads_connect will give us our own sitename */
316
317 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
318
319 tried_closest_dc = true; /* avoid loop */
320
321 if (!ads_closest_dc(ads)) {
322
323 namecache_delete(ads->server.realm, 0x1C);
324 namecache_delete(ads->server.workgroup, 0x1C);
325
326 ads_destroy(&ads);
327 ads = NULL;
328
329 goto retry_connect;
330 }
331 }
332
333 *ads_ret = ads;
334 return status;
335 }
336
337 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
338 {
339 return ads_startup_int(c, only_own_domain, 0, ads);
340 }
341
342 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
343 {
344 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
345 }
346
347 /*
348 Check to see if connection can be made via ads.
349 ads_startup() stores the password in opt_password if it needs to so
350 that rpc or rap can use it without re-prompting.
351 */
352 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
353 {
354 ADS_STRUCT *ads;
355 ADS_STATUS status;
356
357 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
358 return -1;
359 }
360
361 ads->auth.flags |= ADS_AUTH_NO_BIND;
362
363 status = ads_connect(ads);
364 if ( !ADS_ERR_OK(status) ) {
365 return -1;
366 }
367
368 ads_destroy(&ads);
369 return 0;
370 }
371
372 int net_ads_check_our_domain(struct net_context *c)
373 {
374 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
375 }
376
377 int net_ads_check(struct net_context *c)
378 {
379 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
380 }
381
382 /*
383 determine the netbios workgroup name for a domain
384 */
385 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
386 {
387 ADS_STRUCT *ads;
388 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
389
390 if (c->display_usage) {
391 d_printf ("%s\n"
392 "net ads workgroup\n"
393 " %s\n",
394 _("Usage:"),
395 _("Print the workgroup name"));
396 return 0;
397 }
398
399 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
400 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
401 return -1;
402 }
403
404 if (!ads->config.realm) {
405 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
406 ads->ldap.port = 389;
407 }
408
409 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
410 d_fprintf(stderr, _("CLDAP query failed!\n"));
411 ads_destroy(&ads);
412 return -1;
413 }
414
415 d_printf(_("Workgroup: %s\n"), reply.domain_name);
416
417 ads_destroy(&ads);
418
419 return 0;
420 }
421
422
423
424 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
425 {
426 char **disp_fields = (char **) data_area;
427
428 if (!field) { /* must be end of record */
429 if (disp_fields[0]) {
430 if (!strchr_m(disp_fields[0], '$')) {
431 if (disp_fields[1])
432 d_printf("%-21.21s %s\n",
433 disp_fields[0], disp_fields[1]);
434 else
435 d_printf("%s\n", disp_fields[0]);
436 }
437 }
438 SAFE_FREE(disp_fields[0]);
439 SAFE_FREE(disp_fields[1]);
440 return true;
441 }
442 if (!values) /* must be new field, indicate string field */
443 return true;
444 if (strcasecmp_m(field, "sAMAccountName") == 0) {
445 disp_fields[0] = SMB_STRDUP((char *) values[0]);
446 }
447 if (strcasecmp_m(field, "description") == 0)
448 disp_fields[1] = SMB_STRDUP((char *) values[0]);
449 return true;
450 }
451
452 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
453 {
454 return net_user_usage(c, argc, argv);
455 }
456
457 static int ads_user_add(struct net_context *c, int argc, const char **argv)
458 {
459 ADS_STRUCT *ads;
460 ADS_STATUS status;
461 char *upn, *userdn;
462 LDAPMessage *res=NULL;
463 int rc = -1;
464 char *ou_str = NULL;
465
466 if (argc < 1 || c->display_usage)
467 return net_ads_user_usage(c, argc, argv);
468
469 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
470 return -1;
471 }
472
473 status = ads_find_user_acct(ads, &res, argv[0]);
474
475 if (!ADS_ERR_OK(status)) {
476 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
477 goto done;
478 }
479
480 if (ads_count_replies(ads, res)) {
481 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
482 argv[0]);
483 goto done;
484 }
485
486 if (c->opt_container) {
487 ou_str = SMB_STRDUP(c->opt_container);
488 } else {
489 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
490 }
491
492 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
493
494 if (!ADS_ERR_OK(status)) {
495 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
496 ads_errstr(status));
497 goto done;
498 }
499
500 /* if no password is to be set, we're done */
501 if (argc == 1) {
502 d_printf(_("User %s added\n"), argv[0]);
503 rc = 0;
504 goto done;
505 }
506
507 /* try setting the password */
508 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
509 goto done;
510 }
511 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
512 ads->auth.time_offset);
513 SAFE_FREE(upn);
514 if (ADS_ERR_OK(status)) {
515 d_printf(_("User %s added\n"), argv[0]);
516 rc = 0;
517 goto done;
518 }
519
520 /* password didn't set, delete account */
521 d_fprintf(stderr, _("Could not add user %s. "
522 "Error setting password %s\n"),
523 argv[0], ads_errstr(status));
524 ads_msgfree(ads, res);
525 status=ads_find_user_acct(ads, &res, argv[0]);
526 if (ADS_ERR_OK(status)) {
527 userdn = ads_get_dn(ads, talloc_tos(), res);
528 ads_del_dn(ads, userdn);
529 TALLOC_FREE(userdn);
530 }
531
532 done:
533 if (res)
534 ads_msgfree(ads, res);
535 ads_destroy(&ads);
536 SAFE_FREE(ou_str);
537 return rc;
538 }
539
540 static int ads_user_info(struct net_context *c, int argc, const char **argv)
541 {
542 ADS_STRUCT *ads = NULL;
543 ADS_STATUS rc;
544 LDAPMessage *res = NULL;
545 TALLOC_CTX *frame;
546 int ret = 0;
547 wbcErr wbc_status;
548 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
549 char *searchstring=NULL;
550 char **grouplist;
551 char *primary_group;
552 char *escaped_user;
553 struct dom_sid primary_group_sid;
554 uint32_t group_rid;
555 enum wbcSidType type;
556
557 if (argc < 1 || c->display_usage) {
558 return net_ads_user_usage(c, argc, argv);
559 }
560
561 frame = talloc_new(talloc_tos());
562 if (frame == NULL) {
563 return -1;
564 }
565
566 escaped_user = escape_ldap_string(frame, argv[0]);
567 if (!escaped_user) {
568 d_fprintf(stderr,
569 _("ads_user_info: failed to escape user %s\n"),
570 argv[0]);
571 return -1;
572 }
573
574 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
575 ret = -1;
576 goto error;
577 }
578
579 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
580 ret =-1;
581 goto error;
582 }
583 rc = ads_search(ads, &res, searchstring, attrs);
584 SAFE_FREE(searchstring);
585
586 if (!ADS_ERR_OK(rc)) {
587 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
588 ret = -1;
589 goto error;
590 }
591
592 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
593 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
594 ret = -1;
595 goto error;
596 }
597
598 rc = ads_domain_sid(ads, &primary_group_sid);
599 if (!ADS_ERR_OK(rc)) {
600 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
601 ret = -1;
602 goto error;
603 }
604
605 sid_append_rid(&primary_group_sid, group_rid);
606
607 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
608 NULL, /* don't look up domain */
609 &primary_group,
610 &type);
611 if (!WBC_ERROR_IS_OK(wbc_status)) {
612 d_fprintf(stderr, "wbcLookupSid: %s\n",
613 wbcErrorString(wbc_status));
614 ret = -1;
615 goto error;
616 }
617
618 d_printf("%s\n", primary_group);
619
620 wbcFreeMemory(primary_group);
621
622 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
623 (LDAPMessage *)res, "memberOf");
624
625 if (grouplist) {
626 int i;
627 char **groupname;
628 for (i=0;grouplist[i];i++) {
629 groupname = ldap_explode_dn(grouplist[i], 1);
630 d_printf("%s\n", groupname[0]);
631 ldap_value_free(groupname);
632 }
633 ldap_value_free(grouplist);
634 }
635
636 error:
637 if (res) ads_msgfree(ads, res);
638 if (ads) ads_destroy(&ads);
639 TALLOC_FREE(frame);
640 return ret;
641 }
642
643 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
644 {
645 ADS_STRUCT *ads;
646 ADS_STATUS rc;
647 LDAPMessage *res = NULL;
648 char *userdn;
649
650 if (argc < 1) {
651 return net_ads_user_usage(c, argc, argv);
652 }
653
654 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
655 return -1;
656 }
657
658 rc = ads_find_user_acct(ads, &res, argv[0]);
659 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
660 d_printf(_("User %s does not exist.\n"), argv[0]);
661 ads_msgfree(ads, res);
662 ads_destroy(&ads);
663 return -1;
664 }
665 userdn = ads_get_dn(ads, talloc_tos(), res);
666 ads_msgfree(ads, res);
667 rc = ads_del_dn(ads, userdn);
668 TALLOC_FREE(userdn);
669 if (ADS_ERR_OK(rc)) {
670 d_printf(_("User %s deleted\n"), argv[0]);
671 ads_destroy(&ads);
672 return 0;
673 }
674 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
675 ads_errstr(rc));
676 ads_destroy(&ads);
677 return -1;
678 }
679
680 int net_ads_user(struct net_context *c, int argc, const char **argv)
681 {
682 struct functable func[] = {
683 {
684 "add",
685 ads_user_add,
686 NET_TRANSPORT_ADS,
687 N_("Add an AD user"),
688 N_("net ads user add\n"
689 " Add an AD user")
690 },
691 {
692 "info",
693 ads_user_info,
694 NET_TRANSPORT_ADS,
695 N_("Display information about an AD user"),
696 N_("net ads user info\n"
697 " Display information about an AD user")
698 },
699 {
700 "delete",
701 ads_user_delete,
702 NET_TRANSPORT_ADS,
703 N_("Delete an AD user"),
704 N_("net ads user delete\n"
705 " Delete an AD user")
706 },
707 {NULL, NULL, 0, NULL, NULL}
708 };
709 ADS_STRUCT *ads;
710 ADS_STATUS rc;
711 const char *shortattrs[] = {"sAMAccountName", NULL};
712 const char *longattrs[] = {"sAMAccountName", "description", NULL};
713 char *disp_fields[2] = {NULL, NULL};
714
715 if (argc == 0) {
716 if (c->display_usage) {
717 d_printf( "%s\n"
718 "net ads user\n"
719 " %s\n",
720 _("Usage:"),
721 _("List AD users"));
722 net_display_usage_from_functable(func);
723 return 0;
724 }
725
726 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
727 return -1;
728 }
729
730 if (c->opt_long_list_entries)
731 d_printf(_("\nUser name Comment"
732 "\n-----------------------------\n"));
733
734 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
735 LDAP_SCOPE_SUBTREE,
736 "(objectCategory=user)",
737 c->opt_long_list_entries ? longattrs :
738 shortattrs, usergrp_display,
739 disp_fields);
740 ads_destroy(&ads);
741 return ADS_ERR_OK(rc) ? 0 : -1;
742 }
743
744 return net_run_function(c, argc, argv, "net ads user", func);
745 }
746
747 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
748 {
749 return net_group_usage(c, argc, argv);
750 }
751
752 static int ads_group_add(struct net_context *c, int argc, const char **argv)
753 {
754 ADS_STRUCT *ads;
755 ADS_STATUS status;
756 LDAPMessage *res=NULL;
757 int rc = -1;
758 char *ou_str = NULL;
759
760 if (argc < 1 || c->display_usage) {
761 return net_ads_group_usage(c, argc, argv);
762 }
763
764 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
765 return -1;
766 }
767
768 status = ads_find_user_acct(ads, &res, argv[0]);
769
770 if (!ADS_ERR_OK(status)) {
771 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
772 goto done;
773 }
774
775 if (ads_count_replies(ads, res)) {
776 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
777 goto done;
778 }
779
780 if (c->opt_container) {
781 ou_str = SMB_STRDUP(c->opt_container);
782 } else {
783 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
784 }
785
786 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
787
788 if (ADS_ERR_OK(status)) {
789 d_printf(_("Group %s added\n"), argv[0]);
790 rc = 0;
791 } else {
792 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
793 ads_errstr(status));
794 }
795
796 done:
797 if (res)
798 ads_msgfree(ads, res);
799 ads_destroy(&ads);
800 SAFE_FREE(ou_str);
801 return rc;
802 }
803
804 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
805 {
806 ADS_STRUCT *ads;
807 ADS_STATUS rc;
808 LDAPMessage *res = NULL;
809 char *groupdn;
810
811 if (argc < 1 || c->display_usage) {
812 return net_ads_group_usage(c, argc, argv);
813 }
814
815 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
816 return -1;
817 }
818
819 rc = ads_find_user_acct(ads, &res, argv[0]);
820 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
821 d_printf(_("Group %s does not exist.\n"), argv[0]);
822 ads_msgfree(ads, res);
823 ads_destroy(&ads);
824 return -1;
825 }
826 groupdn = ads_get_dn(ads, talloc_tos(), res);
827 ads_msgfree(ads, res);
828 rc = ads_del_dn(ads, groupdn);
829 TALLOC_FREE(groupdn);
830 if (ADS_ERR_OK(rc)) {
831 d_printf(_("Group %s deleted\n"), argv[0]);
832 ads_destroy(&ads);
833 return 0;
834 }
835 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
836 ads_errstr(rc));
837 ads_destroy(&ads);
838 return -1;
839 }
840
841 int net_ads_group(struct net_context *c, int argc, const char **argv)
842 {
843 struct functable func[] = {
844 {
845 "add",
846 ads_group_add,
847 NET_TRANSPORT_ADS,
848 N_("Add an AD group"),
849 N_("net ads group add\n"
850 " Add an AD group")
851 },
852 {
853 "delete",
854 ads_group_delete,
855 NET_TRANSPORT_ADS,
856 N_("Delete an AD group"),
857 N_("net ads group delete\n"
858 " Delete an AD group")
859 },
860 {NULL, NULL, 0, NULL, NULL}
861 };
862 ADS_STRUCT *ads;
863 ADS_STATUS rc;
864 const char *shortattrs[] = {"sAMAccountName", NULL};
865 const char *longattrs[] = {"sAMAccountName", "description", NULL};
866 char *disp_fields[2] = {NULL, NULL};
867
868 if (argc == 0) {
869 if (c->display_usage) {
870 d_printf( "%s\n"
871 "net ads group\n"
872 " %s\n",
873 _("Usage:"),
874 _("List AD groups"));
875 net_display_usage_from_functable(func);
876 return 0;
877 }
878
879 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
880 return -1;
881 }
882
883 if (c->opt_long_list_entries)
884 d_printf(_("\nGroup name Comment"
885 "\n-----------------------------\n"));
886 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
887 LDAP_SCOPE_SUBTREE,
888 "(objectCategory=group)",
889 c->opt_long_list_entries ? longattrs :
890 shortattrs, usergrp_display,
891 disp_fields);
892
893 ads_destroy(&ads);
894 return ADS_ERR_OK(rc) ? 0 : -1;
895 }
896 return net_run_function(c, argc, argv, "net ads group", func);
897 }
898
899 static int net_ads_status(struct net_context *c, int argc, const char **argv)
900 {
901 ADS_STRUCT *ads;
902 ADS_STATUS rc;
903 LDAPMessage *res;
904
905 if (c->display_usage) {
906 d_printf( "%s\n"
907 "net ads status\n"
908 " %s\n",
909 _("Usage:"),
910 _("Display machine account details"));
911 return 0;
912 }
913
914 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
915 return -1;
916 }
917
918 rc = ads_find_machine_acct(ads, &res, lp_netbios_name());
919 if (!ADS_ERR_OK(rc)) {
920 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
921 ads_destroy(&ads);
922 return -1;
923 }
924
925 if (ads_count_replies(ads, res) == 0) {
926 d_fprintf(stderr, _("No machine account for '%s' found\n"), lp_netbios_name());
927 ads_destroy(&ads);
928 return -1;
929 }
930
931 ads_dump(ads, res);
932 ads_destroy(&ads);
933 return 0;
934 }
935
936 /*******************************************************************
937 Leave an AD domain. Windows XP disables the machine account.
938 We'll try the same. The old code would do an LDAP delete.
939 That only worked using the machine creds because added the machine
940 with full control to the computer object's ACL.
941 *******************************************************************/
942
943 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
944 {
945 TALLOC_CTX *ctx;
946 struct libnet_UnjoinCtx *r = NULL;
947 WERROR werr;
948
949 if (c->display_usage) {
950 d_printf( "%s\n"
951 "net ads leave\n"
952 " %s\n",
953 _("Usage:"),
954 _("Leave an AD domain"));
955 return 0;
956 }
957
958 if (!*lp_realm()) {
959 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
960 return -1;
961 }
962
963 if (!(ctx = talloc_init("net_ads_leave"))) {
964 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
965 return -1;
966 }
967
968 if (!c->opt_kerberos) {
969 use_in_memory_ccache();
970 }
971
972 if (!c->msg_ctx) {
973 d_fprintf(stderr, _("Could not initialise message context. "
974 "Try running as root\n"));
975 return -1;
976 }
977
978 werr = libnet_init_UnjoinCtx(ctx, &r);
979 if (!W_ERROR_IS_OK(werr)) {
980 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
981 return -1;
982 }
983
984 r->in.debug = true;
985 r->in.use_kerberos = c->opt_kerberos;
986 r->in.dc_name = c->opt_host;
987 r->in.domain_name = lp_realm();
988 r->in.admin_account = c->opt_user_name;
989 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
990 r->in.modify_config = lp_config_backend_is_registry();
991
992 /* Try to delete it, but if that fails, disable it. The
993 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
994 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
995 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
996 r->in.delete_machine_account = true;
997 r->in.msg_ctx = c->msg_ctx;
998
999 werr = libnet_Unjoin(ctx, r);
1000 if (!W_ERROR_IS_OK(werr)) {
1001 d_printf(_("Failed to leave domain: %s\n"),
1002 r->out.error_string ? r->out.error_string :
1003 get_friendly_werror_msg(werr));
1004 goto done;
1005 }
1006
1007 if (r->out.deleted_machine_account) {
1008 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1009 r->in.machine_name, r->out.dns_domain_name);
1010 goto done;
1011 }
1012
1013 /* We couldn't delete it - see if the disable succeeded. */
1014 if (r->out.disabled_machine_account) {
1015 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1016 r->in.machine_name, r->out.dns_domain_name);
1017 werr = WERR_OK;
1018 goto done;
1019 }
1020
1021 /* Based on what we requseted, we shouldn't get here, but if
1022 we did, it means the secrets were removed, and therefore
1023 we have left the domain */
1024 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1025 r->in.machine_name, r->out.dns_domain_name);
1026
1027 done:
1028 TALLOC_FREE(r);
1029 TALLOC_FREE(ctx);
1030
1031 if (W_ERROR_IS_OK(werr)) {
1032 return 0;
1033 }
1034
1035 return -1;
1036 }
1037
1038 static NTSTATUS net_ads_join_ok(struct net_context *c)
1039 {
1040 ADS_STRUCT *ads = NULL;
1041 ADS_STATUS status;
1042 fstring dc_name;
1043 struct sockaddr_storage dcip;
1044
1045 if (!secrets_init()) {
1046 DEBUG(1,("Failed to initialise secrets database\n"));
1047 return NT_STATUS_ACCESS_DENIED;
1048 }
1049
1050 net_use_krb_machine_account(c);
1051
1052 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1053
1054 status = ads_startup(c, true, &ads);
1055 if (!ADS_ERR_OK(status)) {
1056 return ads_ntstatus(status);
1057 }
1058
1059 ads_destroy(&ads);
1060 return NT_STATUS_OK;
1061 }
1062
1063 /*
1064 check that an existing join is OK
1065 */
1066 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1067 {
1068 NTSTATUS status;
1069 use_in_memory_ccache();
1070
1071 if (c->display_usage) {
1072 d_printf( "%s\n"
1073 "net ads testjoin\n"
1074 " %s\n",
1075 _("Usage:"),
1076 _("Test if the existing join is ok"));
1077 return 0;
1078 }
1079
1080 /* Display success or failure */
1081 status = net_ads_join_ok(c);
1082 if (!NT_STATUS_IS_OK(status)) {
1083 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1084 get_friendly_nt_error_msg(status));
1085 return -1;
1086 }
1087
1088 printf(_("Join is OK\n"));
1089 return 0;
1090 }
1091
1092 /*******************************************************************
1093 Simple configu checks before beginning the join
1094 ********************************************************************/
1095
1096 static WERROR check_ads_config( void )
1097 {
1098 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1099 d_printf(_("Host is not configured as a member server.\n"));
1100 return WERR_INVALID_DOMAIN_ROLE;
1101 }
1102
1103 if (strlen(lp_netbios_name()) > 15) {
1104 d_printf(_("Our netbios name can be at most 15 chars long, "
1105 "\"%s\" is %u chars long\n"), lp_netbios_name(),
1106 (unsigned int)strlen(lp_netbios_name()));
1107 return WERR_INVALID_COMPUTERNAME;
1108 }
1109
1110 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1111 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1112 "join to succeed.\n"), get_dyn_CONFIGFILE());
1113 return WERR_INVALID_PARAM;
1114 }
1115
1116 return WERR_OK;
1117 }
1118
1119 /*******************************************************************
1120 Send a DNS update request
1121 *******************************************************************/
1122
1123 #if defined(WITH_DNS_UPDATES)
1124 #include "../lib/addns/dns.h"
1125 DNS_ERROR DoDNSUpdate(char *pszServerName,
1126 const char *pszDomainName, const char *pszHostName,
1127 const struct sockaddr_storage *sslist,
1128 size_t num_addrs );
1129
1130 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1131 const char *machine_name,
1132 const struct sockaddr_storage *addrs,
1133 int num_addrs)
1134 {
1135 struct dns_rr_ns *nameservers = NULL;
1136 int ns_count = 0, i;
1137 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1138 DNS_ERROR dns_err;
1139 fstring dns_server;
1140 const char *dnsdomain = NULL;
1141 char *root_domain = NULL;
1142
1143 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1144 d_printf(_("No DNS domain configured for %s. "
1145 "Unable to perform DNS Update.\n"), machine_name);
1146 status = NT_STATUS_INVALID_PARAMETER;
1147 goto done;
1148 }
1149 dnsdomain++;
1150
1151 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1152 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1153 /* Child domains often do not have NS records. Look
1154 for the NS record for the forest root domain
1155 (rootDomainNamingContext in therootDSE) */
1156
1157 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1158 LDAPMessage *msg = NULL;
1159 char *root_dn;
1160 ADS_STATUS ads_status;
1161
1162 if ( !ads->ldap.ld ) {
1163 ads_status = ads_connect( ads );
1164 if ( !ADS_ERR_OK(ads_status) ) {
1165 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1166 goto done;
1167 }
1168 }
1169
1170 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1171 "(objectclass=*)", rootname_attrs, &msg);
1172 if (!ADS_ERR_OK(ads_status)) {
1173 goto done;
1174 }
1175
1176 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1177 if ( !root_dn ) {
1178 ads_msgfree( ads, msg );
1179 goto done;
1180 }
1181
1182 root_domain = ads_build_domain( root_dn );
1183
1184 /* cleanup */
1185 ads_msgfree( ads, msg );
1186
1187 /* try again for NS servers */
1188
1189 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1190
1191 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1192 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1193 "realm\n", ads->config.realm));
1194 goto done;
1195 }
1196
1197 dnsdomain = root_domain;
1198
1199 }
1200
1201 for (i=0; i < ns_count; i++) {
1202
1203 /* Now perform the dns update - we'll try non-secure and if we fail,
1204 we'll follow it up with a secure update */
1205
1206 fstrcpy( dns_server, nameservers[i].hostname );
1207
1208 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1209 if (ERR_DNS_IS_OK(dns_err)) {
1210 status = NT_STATUS_OK;
1211 goto done;
1212 }
1213
1214 if (ERR_DNS_EQUAL(dns_err, ERROR_DNS_INVALID_NAME_SERVER) ||
1215 ERR_DNS_EQUAL(dns_err, ERROR_DNS_CONNECTION_FAILED) ||
1216 ERR_DNS_EQUAL(dns_err, ERROR_DNS_SOCKET_ERROR)) {
1217 DEBUG(1,("retrying DNS update with next nameserver after receiving %s\n",
1218 dns_errstr(dns_err)));
1219 continue;
1220 }
1221
1222 d_printf(_("DNS Update for %s failed: %s\n"),
1223 machine_name, dns_errstr(dns_err));
1224 status = NT_STATUS_UNSUCCESSFUL;
1225 goto done;
1226 }
1227
1228 done:
1229
1230 SAFE_FREE( root_domain );
1231
1232 return status;
1233 }
1234
1235 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1236 const char *hostname,
1237 struct sockaddr_storage *iplist,
1238 int num_addrs)
1239 {
1240 struct sockaddr_storage *iplist_alloc = NULL;
1241 fstring machine_name;
1242 NTSTATUS status;
1243
1244 if (hostname) {
1245 fstrcpy(machine_name, hostname);
1246 } else {
1247 name_to_fqdn( machine_name, lp_netbios_name() );
1248 }
1249 strlower_m( machine_name );
1250
1251 if (num_addrs == 0 || iplist == NULL) {
1252 /*
1253 * Get our ip address
1254 * (not the 127.0.0.x address but a real ip address)
1255 */
1256 num_addrs = get_my_ip_address(&iplist_alloc);
1257 if ( num_addrs <= 0 ) {
1258 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1259 "non-loopback IP addresses!\n"));
1260 return NT_STATUS_INVALID_PARAMETER;
1261 }
1262 iplist = iplist_alloc;
1263 }
1264
1265 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1266 iplist, num_addrs);
1267
1268 SAFE_FREE(iplist_alloc);
1269 return status;
1270 }
1271
1272 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1273 {
1274 NTSTATUS status;
1275
1276 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1277 return status;
1278 }
1279 #endif
1280
1281
1282 /*******************************************************************
1283 ********************************************************************/
1284
1285 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1286 {
1287 d_printf(_("net ads join [options]\n"
1288 "Valid options:\n"));
1289 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1290 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1291 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1292 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1293 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1294 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1295 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1296 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1297 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1298 " NB: osName and osVer must be specified together for either to take effect.\n"
1299 " Also, the operatingSystemService attribute is also set when along with\n"
1300 " the two other attributes.\n"));
1301
1302 return -1;
1303 }
1304
1305 /*******************************************************************
1306 ********************************************************************/
1307
1308 int net_ads_join(struct net_context *c, int argc, const char **argv)
1309 {
1310 TALLOC_CTX *ctx = NULL;
1311 struct libnet_JoinCtx *r = NULL;
1312 const char *domain = lp_realm();
1313 WERROR werr = WERR_SETUP_NOT_JOINED;
1314 bool createupn = false;
1315 const char *machineupn = NULL;
1316 const char *create_in_ou = NULL;
1317 int i;
1318 const char *os_name = NULL;
1319 const char *os_version = NULL;
1320 bool modify_config = lp_config_backend_is_registry();
1321
1322 if (c->display_usage)
1323 return net_ads_join_usage(c, argc, argv);
1324
1325 if (!modify_config) {
1326
1327 werr = check_ads_config();
1328 if (!W_ERROR_IS_OK(werr)) {
1329 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1330 goto fail;
1331 }
1332 }
1333
1334 if (!(ctx = talloc_init("net_ads_join"))) {
1335 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1336 werr = WERR_NOMEM;
1337 goto fail;
1338 }
1339
1340 if (!c->opt_kerberos) {
1341 use_in_memory_ccache();
1342 }
1343
1344 werr = libnet_init_JoinCtx(ctx, &r);
1345 if (!W_ERROR_IS_OK(werr)) {
1346 goto fail;
1347 }
1348
1349 /* process additional command line args */
1350
1351 for ( i=0; i<argc; i++ ) {
1352 if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
1353 createupn = true;
1354 machineupn = get_string_param(argv[i]);
1355 }
1356 else if ( !strncasecmp_m(argv[i], "createcomputer", strlen("createcomputer")) ) {
1357 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1358 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1359 werr = WERR_INVALID_PARAM;
1360 goto fail;
1361 }
1362 }
1363 else if ( !strncasecmp_m(argv[i], "osName", strlen("osName")) ) {
1364 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1365 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1366 werr = WERR_INVALID_PARAM;
1367 goto fail;
1368 }
1369 }
1370 else if ( !strncasecmp_m(argv[i], "osVer", strlen("osVer")) ) {
1371 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1372 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1373 werr = WERR_INVALID_PARAM;
1374 goto fail;
1375 }
1376 }
1377 else {
1378 domain = argv[i];
1379 }
1380 }
1381
1382 if (!*domain) {
1383 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1384 werr = WERR_INVALID_PARAM;
1385 goto fail;
1386 }
1387
1388 if (!c->msg_ctx) {
1389 d_fprintf(stderr, _("Could not initialise message context. "
1390 "Try running as root\n"));
1391 werr = WERR_ACCESS_DENIED;
1392 goto fail;
1393 }
1394
1395 /* Do the domain join here */
1396
1397 r->in.domain_name = domain;
1398 r->in.create_upn = createupn;
1399 r->in.upn = machineupn;
1400 r->in.account_ou = create_in_ou;
1401 r->in.os_name = os_name;
1402 r->in.os_version = os_version;
1403 r->in.dc_name = c->opt_host;
1404 r->in.admin_account = c->opt_user_name;
1405 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1406 r->in.debug = true;
1407 r->in.use_kerberos = c->opt_kerberos;
1408 r->in.modify_config = modify_config;
1409 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1410 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1411 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1412 r->in.msg_ctx = c->msg_ctx;
1413
1414 werr = libnet_Join(ctx, r);
1415 if (W_ERROR_EQUAL(werr, WERR_DCNOTFOUND) &&
1416 strequal(domain, lp_realm())) {
1417 r->in.domain_name = lp_workgroup();
1418 werr = libnet_Join(ctx, r);
1419 }
1420 if (!W_ERROR_IS_OK(werr)) {
1421 goto fail;
1422 }
1423
1424 /* Check the short name of the domain */
1425
1426 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1427 d_printf(_("The workgroup in %s does not match the short\n"
1428 "domain name obtained from the server.\n"
1429 "Using the name [%s] from the server.\n"
1430 "You should set \"workgroup = %s\" in %s.\n"),
1431 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1432 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1433 }
1434
1435 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1436
1437 if (r->out.dns_domain_name) {
1438 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1439 r->out.dns_domain_name);
1440 } else {
1441 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1442 r->out.netbios_domain_name);
1443 }
1444
1445 #if defined(WITH_DNS_UPDATES)
1446 /*
1447 * In a clustered environment, don't do dynamic dns updates:
1448 * Registering the set of ip addresses that are assigned to
1449 * the interfaces of the node that performs the join does usually
1450 * not have the desired effect, since the local interfaces do not
1451 * carry the complete set of the cluster's public IP addresses.
1452 * And it can also contain internal addresses that should not
1453 * be visible to the outside at all.
1454 * In order to do dns updates in a clustererd setup, use
1455 * net ads dns register.
1456 */
1457 if (lp_clustering()) {
1458 d_fprintf(stderr, _("Not doing automatic DNS update in a"
1459 "clustered setup.\n"));
1460 goto done;
1461 }
1462
1463 if (r->out.domain_is_ad) {
1464 /* We enter this block with user creds */
1465 ADS_STRUCT *ads_dns = NULL;
1466
1467 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1468 /* kinit with the machine password */
1469
1470 use_in_memory_ccache();
1471 if (asprintf( &ads_dns->auth.user_name, "%s$", lp_netbios_name()) == -1) {
1472 goto fail;
1473 }
1474 ads_dns->auth.password = secrets_fetch_machine_password(
1475 r->out.netbios_domain_name, NULL, NULL );
1476 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1477 strupper_m(ads_dns->auth.realm );
1478 ads_kinit_password( ads_dns );
1479 }
1480
1481 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1482 d_fprintf( stderr, _("DNS update failed!\n") );
1483 }
1484
1485 /* exit from this block using machine creds */
1486 ads_destroy(&ads_dns);
1487 }
1488
1489 done:
1490 #endif
1491
1492 TALLOC_FREE(r);
1493 TALLOC_FREE( ctx );
1494
1495 return 0;
1496
1497 fail:
1498 /* issue an overall failure message at the end. */
1499 d_printf(_("Failed to join domain: %s\n"),
1500 r && r->out.error_string ? r->out.error_string :
1501 get_friendly_werror_msg(werr));
1502 TALLOC_FREE( ctx );
1503
1504 return -1;
1505 }
1506
1507 /*******************************************************************
1508 ********************************************************************/
1509
1510 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1511 {
1512 #if defined(WITH_DNS_UPDATES)
1513 ADS_STRUCT *ads;
1514 ADS_STATUS status;
1515 NTSTATUS ntstatus;
1516 TALLOC_CTX *ctx;
1517 const char *hostname = NULL;
1518 const char **addrs_list = NULL;
1519 struct sockaddr_storage *addrs = NULL;
1520 int num_addrs = 0;
1521 int count;
1522
1523 #ifdef DEVELOPER
1524 talloc_enable_leak_report();
1525 #endif
1526
1527 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1528 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1529 "detection of addresses in a clustered "
1530 "setup.\n"));
1531 c->display_usage = true;
1532 }
1533
1534 if (c->display_usage) {
1535 d_printf( "%s\n"
1536 "net ads dns register [hostname [IP [IP...]]]\n"
1537 " %s\n",
1538 _("Usage:"),
1539 _("Register hostname with DNS\n"));
1540 return -1;
1541 }
1542
1543 if (!(ctx = talloc_init("net_ads_dns"))) {
1544 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1545 return -1;
1546 }
1547
1548 if (argc >= 1) {
1549 hostname = argv[0];
1550 }
1551
1552 if (argc > 1) {
1553 num_addrs = argc - 1;
1554 addrs_list = &argv[1];
1555 } else if (lp_clustering()) {
1556 addrs_list = lp_cluster_addresses();
1557 num_addrs = str_list_length(addrs_list);
1558 }
1559
1560 if (num_addrs > 0) {
1561 addrs = talloc_zero_array(ctx, struct sockaddr_storage, num_addrs);
1562 if (addrs == NULL) {
1563 d_fprintf(stderr, _("Error allocating memory!\n"));
1564 talloc_free(ctx);
1565 return -1;
1566 }
1567 }
1568
1569 for (count = 0; count < num_addrs; count++) {
1570 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1571 d_fprintf(stderr, "%s '%s'.\n",
1572 _("Cannot interpret address"),
1573 addrs_list[count]);
1574 talloc_free(ctx);
1575 return -1;
1576 }
1577 }
1578
1579 status = ads_startup(c, true, &ads);
1580 if ( !ADS_ERR_OK(status) ) {
1581 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1582 TALLOC_FREE(ctx);
1583 return -1;
1584 }
1585
1586 ntstatus = net_update_dns_ext(ctx, ads, hostname, addrs, num_addrs);
1587 if (!NT_STATUS_IS_OK(ntstatus)) {
1588 d_fprintf( stderr, _("DNS update failed!\n") );
1589 ads_destroy( &ads );
1590 TALLOC_FREE( ctx );
1591 return -1;
1592 }
1593
1594 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1595
1596 ads_destroy(&ads);
1597 TALLOC_FREE( ctx );
1598
1599 return 0;
1600 #else
1601 d_fprintf(stderr,
1602 _("DNS update support not enabled at compile time!\n"));
1603 return -1;
1604 #endif
1605 }
1606
1607 #if defined(WITH_DNS_UPDATES)
1608 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1609 #endif
1610
1611 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1612 {
1613 #if defined(WITH_DNS_UPDATES)
1614 DNS_ERROR err;
1615
1616 #ifdef DEVELOPER
1617 talloc_enable_leak_report();
1618 #endif
1619
1620 if (argc != 2 || c->display_usage) {
1621 d_printf( "%s\n"
1622 " %s\n"
1623 " %s\n",
1624 _("Usage:"),
1625 _("net ads dns gethostbyname <server> <name>\n"),
1626 _(" Look up hostname from the AD\n"
1627 " server\tName server to use\n"
1628 " name\tName to look up\n"));
1629 return -1;
1630 }
1631
1632 err = do_gethostbyname(argv[0], argv[1]);
1633
1634 d_printf(_("do_gethostbyname returned %s (%d)\n"),
1635 dns_errstr(err), ERROR_DNS_V(err));
1636 #endif
1637 return 0;
1638 }
1639
1640 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1641 {
1642 struct functable func[] = {
1643 {
1644 "register",
1645 net_ads_dns_register,
1646 NET_TRANSPORT_ADS,
1647 N_("Add host dns entry to AD"),
1648 N_("net ads dns register\n"
1649 " Add host dns entry to AD")
1650 },
1651 {
1652 "gethostbyname",
1653 net_ads_dns_gethostbyname,
1654 NET_TRANSPORT_ADS,
1655 N_("Look up host"),
1656 N_("net ads dns gethostbyname\n"
1657 " Look up host")
1658 },
1659 {NULL, NULL, 0, NULL, NULL}
1660 };
1661
1662 return net_run_function(c, argc, argv, "net ads dns", func);
1663 }
1664
1665 /*******************************************************************
1666 ********************************************************************/
1667
1668 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1669 {
1670 d_printf(_(
1671 "\nnet ads printer search <printer>"
1672 "\n\tsearch for a printer in the directory\n"
1673 "\nnet ads printer info <printer> <server>"
1674 "\n\tlookup info in directory for printer on server"
1675 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1676 "\nnet ads printer publish <printername>"
1677 "\n\tpublish printer in directory"
1678 "\n\t(note: printer name is required)\n"
1679 "\nnet ads printer remove <printername>"
1680 "\n\tremove printer from directory"
1681 "\n\t(note: printer name is required)\n"));
1682 return -1;
1683 }
1684
1685 /*******************************************************************
1686 ********************************************************************/
1687
1688 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1689 {
1690 ADS_STRUCT *ads;
1691 ADS_STATUS rc;
1692 LDAPMessage *res = NULL;
1693
1694 if (c->display_usage) {
1695 d_printf( "%s\n"
1696 "net ads printer search\n"
1697 " %s\n",
1698 _("Usage:"),
1699 _("List printers in the AD"));
1700 return 0;
1701 }
1702
1703 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1704 return -1;
1705 }
1706
1707 rc = ads_find_printers(ads, &res);
1708
1709 if (!ADS_ERR_OK(rc)) {
1710 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1711 ads_msgfree(ads, res);
1712 ads_destroy(&ads);
1713 return -1;
1714 }
1715
1716 if (ads_count_replies(ads, res) == 0) {
1717 d_fprintf(stderr, _("No results found\n"));
1718 ads_msgfree(ads, res);
1719 ads_destroy(&ads);
1720 return -1;
1721 }
1722
1723 ads_dump(ads, res);
1724 ads_msgfree(ads, res);
1725 ads_destroy(&ads);
1726 return 0;
1727 }
1728
1729 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1730 {
1731 ADS_STRUCT *ads;
1732 ADS_STATUS rc;
1733 const char *servername, *printername;
1734 LDAPMessage *res = NULL;
1735
1736 if (c->display_usage) {
1737 d_printf("%s\n%s",
1738 _("Usage:"),
1739 _("net ads printer info [printername [servername]]\n"
1740 " Display printer info from AD\n"
1741 " printername\tPrinter name or wildcard\n"
1742 " servername\tName of the print server\n"));
1743 return 0;
1744 }
1745
1746 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1747 return -1;
1748 }
1749
1750 if (argc > 0) {
1751 printername = argv[0];
1752 } else {
1753 printername = "*";
1754 }
1755
1756 if (argc > 1) {
1757 servername = argv[1];
1758 } else {
1759 servername = lp_netbios_name();
1760 }
1761
1762 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1763
1764 if (!ADS_ERR_OK(rc)) {
1765 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1766 servername, ads_errstr(rc));
1767 ads_msgfree(ads, res);
1768 ads_destroy(&ads);
1769 return -1;
1770 }
1771
1772 if (ads_count_replies(ads, res) == 0) {
1773 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1774 ads_msgfree(ads, res);
1775 ads_destroy(&ads);
1776 return -1;
1777 }
1778
1779 ads_dump(ads, res);
1780 ads_msgfree(ads, res);
1781 ads_destroy(&ads);
1782
1783 return 0;
1784 }
1785
1786 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1787 {
1788 ADS_STRUCT *ads;
1789 ADS_STATUS rc;
1790 const char *servername, *printername;
1791 struct cli_state *cli = NULL;
1792 struct rpc_pipe_client *pipe_hnd = NULL;
1793 struct sockaddr_storage server_ss;
1794 NTSTATUS nt_status;
1795 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1796 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1797 char *prt_dn, *srv_dn, **srv_cn;
1798 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1799 LDAPMessage *res = NULL;
1800
1801 if (argc < 1 || c->display_usage) {
1802 d_printf("%s\n%s",
1803 _("Usage:"),
1804 _("net ads printer publish <printername> [servername]\n"
1805 " Publish printer in AD\n"
1806 " printername\tName of the printer\n"
1807 " servername\tName of the print server\n"));
1808 talloc_destroy(mem_ctx);
1809 return -1;
1810 }
1811
1812 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1813 talloc_destroy(mem_ctx);
1814 return -1;
1815 }
1816
1817 printername = argv[0];
1818
1819 if (argc == 2) {
1820 servername = argv[1];
1821 } else {
1822 servername = lp_netbios_name();
1823 }
1824
1825 /* Get printer data from SPOOLSS */
1826
1827 resolve_name(servername, &server_ss, 0x20, false);
1828
1829 nt_status = cli_full_connection(&cli, lp_netbios_name(), servername,
1830 &server_ss, 0,
1831 "IPC$", "IPC",
1832 c->opt_user_name, c->opt_workgroup,
1833 c->opt_password ? c->opt_password : "",
1834 CLI_FULL_CONNECTION_USE_KERBEROS,
1835 Undefined);
1836
1837 if (NT_STATUS_IS_ERR(nt_status)) {
1838 d_fprintf(stderr, _("Unable to open a connection to %s to "
1839 "obtain data for %s\n"),
1840 servername, printername);
1841 ads_destroy(&ads);
1842 talloc_destroy(mem_ctx);
1843 return -1;
1844 }
1845
1846 /* Publish on AD server */
1847
1848 ads_find_machine_acct(ads, &res, servername);
1849
1850 if (ads_count_replies(ads, res) == 0) {
1851 d_fprintf(stderr, _("Could not find machine account for server "
1852 "%s\n"),
1853 servername);
1854 ads_destroy(&ads);
1855 talloc_destroy(mem_ctx);
1856 return -1;
1857 }
1858
1859 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1860 srv_cn = ldap_explode_dn(srv_dn, 1);
1861
1862 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1863 printername_escaped = escape_rdn_val_string_alloc(printername);
1864 if (!srv_cn_escaped || !printername_escaped) {
1865 SAFE_FREE(srv_cn_escaped);
1866 SAFE_FREE(printername_escaped);
1867 d_fprintf(stderr, _("Internal error, out of memory!"));
1868 ads_destroy(&ads);
1869 talloc_destroy(mem_ctx);
1870 return -1;
1871 }
1872
1873 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1874 SAFE_FREE(srv_cn_escaped);
1875 SAFE_FREE(printername_escaped);
1876 d_fprintf(stderr, _("Internal error, out of memory!"));
1877 ads_destroy(&ads);
1878 talloc_destroy(mem_ctx);
1879 return -1;
1880 }
1881
1882 SAFE_FREE(srv_cn_escaped);
1883 SAFE_FREE(printername_escaped);
1884
1885 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1886 if (!NT_STATUS_IS_OK(nt_status)) {
1887 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
1888 servername);
1889 SAFE_FREE(prt_dn);
1890 ads_destroy(&ads);
1891 talloc_destroy(mem_ctx);
1892 return -1;
1893 }
1894
1895 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1896 printername))) {
1897 SAFE_FREE(prt_dn);
1898 ads_destroy(&ads);
1899 talloc_destroy(mem_ctx);
1900 return -1;
1901 }
1902
1903 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1904 if (!ADS_ERR_OK(rc)) {
1905 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1906 SAFE_FREE(prt_dn);
1907 ads_destroy(&ads);
1908 talloc_destroy(mem_ctx);
1909 return -1;
1910 }
1911
1912 d_printf("published printer\n");
1913 SAFE_FREE(prt_dn);
1914 ads_destroy(&ads);
1915 talloc_destroy(mem_ctx);
1916
1917 return 0;
1918 }
1919
1920 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1921 {
1922 ADS_STRUCT *ads;
1923 ADS_STATUS rc;
1924 const char *servername;
1925 char *prt_dn;
1926 LDAPMessage *res = NULL;
1927
1928 if (argc < 1 || c->display_usage) {
1929 d_printf("%s\n%s",
1930 _("Usage:"),
1931 _("net ads printer remove <printername> [servername]\n"
1932 " Remove a printer from the AD\n"
1933 " printername\tName of the printer\n"
1934 " servername\tName of the print server\n"));
1935 return -1;
1936 }
1937
1938 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1939 return -1;
1940 }
1941
1942 if (argc > 1) {
1943 servername = argv[1];
1944 } else {
1945 servername = lp_netbios_name();
1946 }
1947
1948 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1949
1950 if (!ADS_ERR_OK(rc)) {
1951 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1952 ads_msgfree(ads, res);
1953 ads_destroy(&ads);
1954 return -1;
1955 }
1956
1957 if (ads_count_replies(ads, res) == 0) {
1958 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1959 ads_msgfree(ads, res);
1960 ads_destroy(&ads);
1961 return -1;
1962 }
1963
1964 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1965 ads_msgfree(ads, res);
1966 rc = ads_del_dn(ads, prt_dn);
1967 TALLOC_FREE(prt_dn);
1968
1969 if (!ADS_ERR_OK(rc)) {
1970 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1971 ads_destroy(&ads);
1972 return -1;
1973 }
1974
1975 ads_destroy(&ads);
1976 return 0;
1977 }
1978
1979 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1980 {
1981 struct functable func[] = {
1982 {
1983 "search",
1984 net_ads_printer_search,
1985 NET_TRANSPORT_ADS,
1986 N_("Search for a printer"),
1987 N_("net ads printer search\n"
1988 " Search for a printer")
1989 },
1990 {
1991 "info",
1992 net_ads_printer_info,
1993 NET_TRANSPORT_ADS,
1994 N_("Display printer information"),
1995 N_("net ads printer info\n"
1996 " Display printer information")
1997 },
1998 {
1999 "publish",
2000 net_ads_printer_publish,
2001 NET_TRANSPORT_ADS,
2002 N_("Publish a printer"),
2003 N_("net ads printer publish\n"
2004 " Publish a printer")
2005 },
2006 {
2007 "remove",
2008 net_ads_printer_remove,
2009 NET_TRANSPORT_ADS,
2010 N_("Delete a printer"),
2011 N_("net ads printer remove\n"
2012 " Delete a printer")
2013 },
2014 {NULL, NULL, 0, NULL, NULL}
2015 };
2016
2017 return net_run_function(c, argc, argv, "net ads printer", func);
2018 }
2019
2020
2021 static int net_ads_password(struct net_context *c, int argc, const char **argv)
2022 {
2023 ADS_STRUCT *ads;
2024 const char *auth_principal = c->opt_user_name;
2025 const char *auth_password = c->opt_password;
2026 const char *realm = NULL;
2027 const char *new_password = NULL;
2028 char *chr, *prompt;
2029 const char *user;
2030 ADS_STATUS ret;
2031
2032 if (c->display_usage) {
2033 d_printf("%s\n%s",
2034 _("Usage:"),
2035 _("net ads password <username>\n"
2036 " Change password for user\n"
2037 " username\tName of user to change password for\n"));
2038 return 0;
2039 }
2040
2041 if (c->opt_user_name == NULL || c->opt_password == NULL) {
2042 d_fprintf(stderr, _("You must supply an administrator "
2043 "username/password\n"));
2044 return -1;
2045 }
2046
2047 if (argc < 1) {
2048 d_fprintf(stderr, _("ERROR: You must say which username to "
2049 "change password for\n"));
2050 return -1;
2051 }
2052
2053 user = argv[0];
2054 if (!strchr_m(user, '@')) {
2055 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
2056 return -1;
2057 }
2058 user = chr;
2059 }
2060
2061 use_in_memory_ccache();
2062 chr = strchr_m(auth_principal, '@');
2063 if (chr) {
2064 realm = ++chr;
2065 } else {
2066 realm = lp_realm();
2067 }
2068
2069 /* use the realm so we can eventually change passwords for users
2070 in realms other than default */
2071 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
2072 return -1;
2073 }
2074
2075 /* we don't actually need a full connect, but it's the easy way to
2076 fill in the KDC's addresss */
2077 ads_connect(ads);
2078
2079 if (!ads->config.realm) {
2080 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2081 ads_destroy(&ads);
2082 return -1;
2083 }
2084
2085 if (argv[1]) {
2086 new_password = (const char *)argv[1];
2087 } else {
2088 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
2089 return -1;
2090 }
2091 new_password = getpass(prompt);
2092 free(prompt);
2093 }
2094
2095 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2096 auth_password, user, new_password, ads->auth.time_offset);
2097 if (!ADS_ERR_OK(ret)) {
2098 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2099 ads_destroy(&ads);
2100 return -1;
2101 }
2102
2103 d_printf(_("Password change for %s completed.\n"), user);
2104 ads_destroy(&ads);
2105
2106 return 0;
2107 }
2108
2109 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2110 {
2111 ADS_STRUCT *ads;
2112 char *host_principal;
2113 fstring my_name;
2114 ADS_STATUS ret;
2115
2116 if (c->display_usage) {
2117 d_printf( "%s\n"
2118 "net ads changetrustpw\n"
2119 " %s\n",
2120 _("Usage:"),
2121 _("Change the machine account's trust password"));
2122 return 0;
2123 }
2124
2125 if (!secrets_init()) {
2126 DEBUG(1,("Failed to initialise secrets database\n"));
2127 return -1;
2128 }
2129
2130 net_use_krb_machine_account(c);
2131
2132 use_in_memory_ccache();
2133
2134 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2135 return -1;
2136 }
2137
2138 fstrcpy(my_name, lp_netbios_name());
2139 strlower_m(my_name);
2140 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2141 ads_destroy(&ads);
2142 return -1;
2143 }
2144 d_printf(_("Changing password for principal: %s\n"), host_principal);
2145
2146 ret = ads_change_trust_account_password(ads, host_principal);
2147
2148 if (!ADS_ERR_OK(ret)) {
2149 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2150 ads_destroy(&ads);
2151 SAFE_FREE(host_principal);
2152 return -1;
2153 }
2154
2155 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2156
2157 if (USE_SYSTEM_KEYTAB) {
2158 d_printf(_("Attempting to update system keytab with new password.\n"));
2159 if (ads_keytab_create_default(ads)) {
2160 d_printf(_("Failed to update system keytab.\n"));
2161 }
2162 }
2163
2164 ads_destroy(&ads);
2165 SAFE_FREE(host_principal);
2166
2167 return 0;
2168 }
2169
2170 /*
2171 help for net ads search
2172 */
2173 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2174 {
2175 d_printf(_(
2176 "\nnet ads search <expression> <attributes...>\n"
2177 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2178 "The expression is a standard LDAP search expression, and the\n"
2179 "attributes are a list of LDAP fields to show in the results.\n\n"
2180 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2181 ));
2182 net_common_flags_usage(c, argc, argv);
2183 return -1;
2184 }
2185
2186
2187 /*
2188 general ADS search function. Useful in diagnosing problems in ADS
2189 */
2190 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2191 {
2192 ADS_STRUCT *ads;
2193 ADS_STATUS rc;
2194 const char *ldap_exp;
2195 const char **attrs;
2196 LDAPMessage *res = NULL;
2197
2198 if (argc < 1 || c->display_usage) {
2199 return net_ads_search_usage(c, argc, argv);
2200 }
2201
2202 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2203 return -1;
2204 }
2205
2206 ldap_exp = argv[0];
2207 attrs = (argv + 1);
2208
2209 rc = ads_do_search_all(ads, ads->config.bind_path,
2210 LDAP_SCOPE_SUBTREE,
2211 ldap_exp, attrs, &res);
2212 if (!ADS_ERR_OK(rc)) {
2213 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2214 ads_destroy(&ads);
2215 return -1;
2216 }
2217
2218 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2219
2220 /* dump the results */
2221 ads_dump(ads, res);
2222
2223 ads_msgfree(ads, res);
2224 ads_destroy(&ads);
2225
2226 return 0;
2227 }
2228
2229
2230 /*
2231 help for net ads search
2232 */
2233 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2234 {
2235 d_printf(_(
2236 "\nnet ads dn <dn> <attributes...>\n"
2237 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2238 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2239 "to show in the results\n\n"
2240 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2241 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2242 ));
2243 net_common_flags_usage(c, argc, argv);
2244 return -1;
2245 }
2246
2247
2248 /*
2249 general ADS search function. Useful in diagnosing problems in ADS
2250 */
2251 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2252 {
2253 ADS_STRUCT *ads;
2254 ADS_STATUS rc;
2255 const char *dn;
2256 const char **attrs;
2257 LDAPMessage *res = NULL;
2258
2259 if (argc < 1 || c->display_usage) {
2260 return net_ads_dn_usage(c, argc, argv);
2261 }
2262
2263 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2264 return -1;
2265 }
2266
2267 dn = argv[0];
2268 attrs = (argv + 1);
2269
2270 rc = ads_do_search_all(ads, dn,
2271 LDAP_SCOPE_BASE,
2272 "(objectclass=*)", attrs, &res);
2273 if (!ADS_ERR_OK(rc)) {
2274 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2275 ads_destroy(&ads);
2276 return -1;
2277 }
2278
2279 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2280
2281 /* dump the results */
2282 ads_dump(ads, res);
2283
2284 ads_msgfree(ads, res);
2285 ads_destroy(&ads);
2286
2287 return 0;
2288 }
2289
2290 /*
2291 help for net ads sid search
2292 */
2293 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2294 {
2295 d_printf(_(
2296 "\nnet ads sid <sid> <attributes...>\n"
2297 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2298 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2299 "to show in the results\n\n"
2300 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2301 ));
2302 net_common_flags_usage(c, argc, argv);
2303 return -1;
2304 }
2305
2306
2307 /*
2308 general ADS search function. Useful in diagnosing problems in ADS
2309 */
2310 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2311 {
2312 ADS_STRUCT *ads;
2313 ADS_STATUS rc;
2314 const char *sid_string;
2315 const char **attrs;
2316 LDAPMessage *res = NULL;
2317 struct dom_sid sid;
2318
2319 if (argc < 1 || c->display_usage) {
2320 return net_ads_sid_usage(c, argc, argv);
2321 }
2322
2323 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2324 return -1;
2325 }
2326
2327 sid_string = argv[0];
2328 attrs = (argv + 1);
2329
2330 if (!string_to_sid(&sid, sid_string)) {
2331 d_fprintf(stderr, _("could not convert sid\n"));
2332 ads_destroy(&ads);
2333 return -1;
2334 }
2335
2336 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2337 if (!ADS_ERR_OK(rc)) {
2338 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2339 ads_destroy(&ads);
2340 return -1;
2341 }
2342
2343 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2344
2345 /* dump the results */
2346 ads_dump(ads, res);
2347
2348 ads_msgfree(ads, res);
2349 ads_destroy(&ads);
2350
2351 return 0;
2352 }
2353
2354 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2355 {
2356 int ret;
2357 ADS_STRUCT *ads;
2358
2359 if (c->display_usage) {
2360 d_printf( "%s\n"
2361 "net ads keytab flush\n"
2362 " %s\n",
2363 _("Usage:"),
2364 _("Delete the whole keytab"));
2365 return 0;
2366 }
2367
2368 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2369 return -1;
2370 }
2371 ret = ads_keytab_flush(ads);
2372 ads_destroy(&ads);
2373 return ret;
2374 }
2375
2376 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2377 {
2378 int i;
2379 int ret = 0;
2380 ADS_STRUCT *ads;
2381
2382 if (c->display_usage) {
2383 d_printf("%s\n%s",
2384 _("Usage:"),
2385 _("net ads keytab add <principal> [principal ...]\n"
2386 " Add principals to local keytab\n"
2387 " principal\tKerberos principal to add to "
2388 "keytab\n"));
2389 return 0;
2390 }
2391
2392 d_printf(_("Processing principals to add...\n"));
2393 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2394 return -1;
2395 }
2396 for (i = 0; i < argc; i++) {
2397 ret |= ads_keytab_add_entry(ads, argv[i]);
2398 }
2399 ads_destroy(&ads);
2400 return ret;
2401 }
2402
2403 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2404 {
2405 ADS_STRUCT *ads;
2406 int ret;
2407
2408 if (c->display_usage) {
2409 d_printf( "%s\n"
2410 "net ads keytab create\n"
2411 " %s\n",
2412 _("Usage:"),
2413 _("Create new default keytab"));
2414 return 0;
2415 }
2416
2417 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2418 return -1;
2419 }
2420 ret = ads_keytab_create_default(ads);
2421 ads_destroy(&ads);
2422 return ret;
2423 }
2424
2425 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2426 {
2427 const char *keytab = NULL;
2428
2429 if (c->display_usage) {
2430 d_printf("%s\n%s",
2431 _("Usage:"),
2432 _("net ads keytab list [keytab]\n"
2433 " List a local keytab\n"
2434 " keytab\tKeytab to list\n"));
2435 return 0;
2436 }
2437
2438 if (argc >= 1) {
2439 keytab = argv[0];
2440 }
2441
2442 return ads_keytab_list(keytab);
2443 }
2444
2445
2446 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2447 {
2448 struct functable func[] = {
2449 {
2450 "add",
2451 net_ads_keytab_add,
2452 NET_TRANSPORT_ADS,
2453 N_("Add a service principal"),
2454 N_("net ads keytab add\n"
2455 " Add a service principal")
2456 },
2457 {
2458 "create",
2459 net_ads_keytab_create,
2460 NET_TRANSPORT_ADS,
2461 N_("Create a fresh keytab"),
2462 N_("net ads keytab create\n"
2463 " Create a fresh keytab")
2464 },
2465 {
2466 "flush",
2467 net_ads_keytab_flush,
2468 NET_TRANSPORT_ADS,
2469 N_("Remove all keytab entries"),
2470 N_("net ads keytab flush\n"
2471 " Remove all keytab entries")
2472 },
2473 {
2474 "list",
2475 net_ads_keytab_list,
2476 NET_TRANSPORT_ADS,
2477 N_("List a keytab"),
2478 N_("net ads keytab list\n"
2479 " List a keytab")
2480 },
2481 {NULL, NULL, 0, NULL, NULL}
2482 };
2483
2484 if (!USE_KERBEROS_KEYTAB) {
2485 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2486 "keytab method to use keytab functions.\n"));
2487 }
2488
2489 return net_run_function(c, argc, argv, "net ads keytab", func);
2490 }
2491
2492 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2493 {
2494 int ret = -1;
2495
2496 if (c->display_usage) {
2497 d_printf( "%s\n"
2498 "net ads kerberos renew\n"
2499 " %s\n",
2500 _("Usage:"),
2501 _("Renew TGT from existing credential cache"));
2502 return 0;
2503 }
2504
2505 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2506 if (ret) {
2507 d_printf(_("failed to renew kerberos ticket: %s\n"),
2508 error_message(ret));
2509 }
2510 return ret;
2511 }
2512
2513 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2514 {
2515 struct PAC_LOGON_INFO *info = NULL;
2516 TALLOC_CTX *mem_ctx = NULL;
2517 NTSTATUS status;
2518 int ret = -1;
2519 const char *impersonate_princ_s = NULL;
2520
2521 if (c->display_usage) {
2522 d_printf( "%s\n"
2523 "net ads kerberos pac\n"
2524 " %s\n",
2525 _("Usage:"),
2526 _("Dump the Kerberos PAC"));
2527 return 0;
2528 }
2529
2530 mem_ctx = talloc_init("net_ads_kerberos_pac");
2531 if (!mem_ctx) {
2532 goto out;
2533 }
2534
2535 if (argc > 0) {
2536 impersonate_princ_s = argv[0];
2537 }
2538
2539 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2540
2541 status = kerberos_return_pac(mem_ctx,
2542 c->opt_user_name,
2543 c->opt_password,
2544 0,
2545 NULL,
2546 NULL,
2547 NULL,
2548 true,
2549 true,
2550 2592000, /* one month */
2551 impersonate_princ_s,
2552 &info);
2553 if (!NT_STATUS_IS_OK(status)) {
2554 d_printf(_("failed to query kerberos PAC: %s\n"),
2555 nt_errstr(status));
2556 goto out;
2557 }
2558
2559 if (info) {
2560 const char *s;
2561 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2562 d_printf(_("The Pac: %s\n"), s);
2563 }
2564
2565 ret = 0;
2566 out:
2567 TALLOC_FREE(mem_ctx);
2568 return ret;
2569 }
2570
2571 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2572 {
2573 TALLOC_CTX *mem_ctx = NULL;
2574 int ret = -1;
2575 NTSTATUS status;
2576
2577 if (c->display_usage) {
2578 d_printf( "%s\n"
2579 "net ads kerberos kinit\n"
2580 " %s\n",
2581 _("Usage:"),
2582 _("Get Ticket Granting Ticket (TGT) for the user"));
2583 return 0;
2584 }
2585
2586 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2587 if (!mem_ctx) {
2588 goto out;
2589 }
2590
2591 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2592
2593 ret = kerberos_kinit_password_ext(c->opt_user_name,
2594 c->opt_password,
2595 0,
2596 NULL,
2597 NULL,
2598 NULL,
2599 true,
2600 true,
2601 2592000, /* one month */
2602 &status);
2603 if (ret) {
2604 d_printf(_("failed to kinit password: %s\n"),
2605 nt_errstr(status));
2606 }
2607 out:
2608 return ret;
2609 }
2610
2611 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2612 {
2613 struct functable func[] = {
2614 {
2615 "kinit",
2616 net_ads_kerberos_kinit,
2617 NET_TRANSPORT_ADS,
2618 N_("Retrieve Ticket Granting Ticket (TGT)"),
2619 N_("net ads kerberos kinit\n"
2620 " Receive Ticket Granting Ticket (TGT)")
2621 },
2622 {
2623 "renew",
2624 net_ads_kerberos_renew,
2625 NET_TRANSPORT_ADS,
2626 N_("Renew Ticket Granting Ticket from credential cache"),
2627 N_("net ads kerberos renew\n"
2628 " Renew Ticket Granting Ticket (TGT) from "
2629 "credential cache")
2630 },
2631 {
2632 "pac",
2633 net_ads_kerberos_pac,
2634 NET_TRANSPORT_ADS,
2635 N_("Dump Kerberos PAC"),
2636 N_("net ads kerberos pac\n"
2637 " Dump Kerberos PAC")
2638 },
2639 {NULL, NULL, 0, NULL, NULL}
2640 };
2641
2642 return net_run_function(c, argc, argv, "net ads kerberos", func);
2643 }
2644
2645 int net_ads(struct net_context *c, int argc, const char **argv)
2646 {
2647 struct functable func[] = {
2648 {
2649 "info",
2650 net_ads_info,
2651 NET_TRANSPORT_ADS,
2652 N_("Display details on remote ADS server"),
2653 N_("net ads info\n"
2654 " Display details on remote ADS server")
2655 },
2656 {
2657 "join",
2658 net_ads_join,
2659 NET_TRANSPORT_ADS,
2660 N_("Join the local machine to ADS realm"),
2661 N_("net ads join\n"
2662 " Join the local machine to ADS realm")
2663 },
2664 {
2665 "testjoin",
2666 net_ads_testjoin,
2667 NET_TRANSPORT_ADS,
2668 N_("Validate machine account"),
2669 N_("net ads testjoin\n"
2670 " Validate machine account")
2671 },
2672 {
2673 "leave",
2674 net_ads_leave,
2675 NET_TRANSPORT_ADS,
2676 N_("Remove the local machine from ADS"),
2677 N_("net ads leave\n"
2678 " Remove the local machine from ADS")
2679 },
2680 {
2681 "status",
2682 net_ads_status,
2683 NET_TRANSPORT_ADS,
2684 N_("Display machine account details"),
2685 N_("net ads status\n"
2686 " Display machine account details")
2687 },
2688 {
2689 "user",
2690 net_ads_user,
2691 NET_TRANSPORT_ADS,
2692 N_("List/modify users"),
2693 N_("net ads user\n"
2694 " List/modify users")
2695 },
2696 {
2697 "group",
2698 net_ads_group,
2699 NET_TRANSPORT_ADS,
2700 N_("List/modify groups"),
2701 N_("net ads group\n"
2702 " List/modify groups")
2703 },
2704 {
2705 "dns",
2706 net_ads_dns,
2707 NET_TRANSPORT_ADS,
2708 N_("Issue dynamic DNS update"),
2709 N_("net ads dns\n"
2710 " Issue dynamic DNS update")
2711 },
2712 {
2713 "password",
2714 net_ads_password,
2715 NET_TRANSPORT_ADS,
2716 N_("Change user passwords"),
2717 N_("net ads password\n"
2718 " Change user passwords")
2719 },
2720 {
2721 "changetrustpw",
2722 net_ads_changetrustpw,
2723 NET_TRANSPORT_ADS,
2724 N_("Change trust account password"),
2725 N_("net ads changetrustpw\n"
2726 " Change trust account password")
2727 },
2728 {
2729 "printer",
2730 net_ads_printer,
2731 NET_TRANSPORT_ADS,
2732 N_("List/modify printer entries"),
2733 N_("net ads printer\n"
2734 " List/modify printer entries")
2735 },
2736 {
2737 "search",
2738 net_ads_search,
2739 NET_TRANSPORT_ADS,
2740 N_("Issue LDAP search using filter"),
2741 N_("net ads search\n"
2742 " Issue LDAP search using filter")
2743 },
2744 {
2745 "dn",
2746 net_ads_dn,
2747 NET_TRANSPORT_ADS,
2748 N_("Issue LDAP search by DN"),
2749 N_("net ads dn\n"
2750 " Issue LDAP search by DN")
2751 },
2752 {
2753 "sid",
2754 net_ads_sid,
2755 NET_TRANSPORT_ADS,
2756 N_("Issue LDAP search by SID"),
2757 N_("net ads sid\n"
2758 " Issue LDAP search by SID")
2759 },
2760 {
2761 "workgroup",
2762 net_ads_workgroup,
2763 NET_TRANSPORT_ADS,
2764 N_("Display workgroup name"),
2765 N_("net ads workgroup\n"
2766 " Display the workgroup name")
2767 },
2768 {
2769 "lookup",
2770 net_ads_lookup,
2771 NET_TRANSPORT_ADS,
2772 N_("Perfom CLDAP query on DC"),
2773 N_("net ads lookup\n"
2774 " Find the ADS DC using CLDAP lookups")
2775 },
2776 {
2777 "keytab",
2778 net_ads_keytab,
2779 NET_TRANSPORT_ADS,
2780 N_("Manage local keytab file"),
2781 N_("net ads keytab\n"
2782 " Manage local keytab file")
2783 },
2784 {
2785 "gpo",
2786 net_ads_gpo,
2787 NET_TRANSPORT_ADS,
2788 N_("Manage group policy objects"),
2789 N_("net ads gpo\n"
2790 " Manage group policy objects")
2791 },
2792 {
2793 "kerberos",
2794 net_ads_kerberos,
2795 NET_TRANSPORT_ADS,
2796 N_("Manage kerberos keytab"),
2797 N_("net ads kerberos\n"
2798 " Manage kerberos keytab")
2799 },
2800 {NULL, NULL, 0, NULL, NULL}
2801 };
2802
2803 return net_run_function(c, argc, argv, "net ads", func);
2804 }
2805
2806 #else
2807
2808 static int net_ads_noads(void)
2809 {
2810 d_fprintf(stderr, _("ADS support not compiled in\n"));
2811 return -1;
2812 }
2813
2814 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2815 {
2816 return net_ads_noads();
2817 }
2818
2819 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2820 {
2821 return net_ads_noads();
2822 }
2823
2824 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2825 {
2826 return net_ads_noads();
2827 }
2828
2829 int net_ads_join(struct net_context *c, int argc, const char **argv)
2830 {
2831 return net_ads_noads();
2832 }
2833
2834 int net_ads_user(struct net_context *c, int argc, const char **argv)
2835 {
2836 return net_ads_noads();
2837 }
2838
2839 int net_ads_group(struct net_context *c, int argc, const char **argv)
2840 {
2841 return net_ads_noads();
2842 }
2843
2844 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
2845 {
2846 return net_ads_noads();
2847 }
2848
2849 /* this one shouldn't display a message */
2850 int net_ads_check(struct net_context *c)
2851 {
2852 return -1;
2853 }
2854
2855 int net_ads_check_our_domain(struct net_context *c)
2856 {
2857 return -1;
2858 }
2859
2860 int net_ads(struct net_context *c, int argc, const char **argv)
2861 {
2862 return net_ads_noads();
2863 }
2864
2865 #endif /* HAVE_ADS */
reg import