2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
31 /* when we do not have sufficient input parameters to contact a remote domain
32 * we always fall back to our own realm - Guenther*/
34 static const char *assume_own_realm(struct net_context *c)
36 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
44 do a cldap netlogon query
46 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
48 char addr[INET6_ADDRSTRLEN];
49 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
51 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
52 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
53 d_fprintf(stderr, _("CLDAP query failed!\n"));
57 d_printf(_("Information for Domain Controller: %s\n\n"),
60 d_printf(_("Response Type: "));
61 switch (reply.command) {
62 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
63 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
65 case LOGON_SAM_LOGON_RESPONSE_EX:
66 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
69 d_printf("0x%x\n", reply.command);
73 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
77 "\tIs a GC of the forest: %s\n"
78 "\tIs an LDAP server: %s\n"
80 "\tIs running a KDC: %s\n"
81 "\tIs running time services: %s\n"
82 "\tIs the closest DC: %s\n"
84 "\tHas a hardware clock: %s\n"
85 "\tIs a non-domain NC serviced by LDAP server: %s\n"
86 "\tIs NT6 DC that has some secrets: %s\n"
87 "\tIs NT6 DC that has all secrets: %s\n"),
88 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
89 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
90 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
91 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
92 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
93 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
94 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
95 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
96 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
97 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
98 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
102 printf(_("Forest:\t\t\t%s\n"), reply.forest);
103 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
104 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
106 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain);
107 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
109 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
111 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
112 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
114 d_printf(_("NT Version: %d\n"), reply.nt_version);
115 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
116 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
122 this implements the CLDAP based netlogon lookup requests
123 for finding the domain controller of a ADS domain
125 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
130 if (c->display_usage) {
135 _("Find the ADS DC using CLDAP lookup.\n"));
139 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
140 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
145 if (!ads->config.realm) {
146 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
147 ads->ldap.port = 389;
150 ret = net_ads_cldap_netlogon(c, ads);
157 static int net_ads_info(struct net_context *c, int argc, const char **argv)
160 char addr[INET6_ADDRSTRLEN];
162 if (c->display_usage) {
167 _("Display information about an Active Directory "
172 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
173 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
177 if (!ads || !ads->config.realm) {
178 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
183 /* Try to set the server's current time since we didn't do a full
184 TCP LDAP session initially */
186 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
187 d_fprintf( stderr, _("Failed to get server's current time!\n"));
190 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
192 d_printf(_("LDAP server: %s\n"), addr);
193 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
194 d_printf(_("Realm: %s\n"), ads->config.realm);
195 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
196 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
197 d_printf(_("Server time: %s\n"),
198 http_timestring(talloc_tos(), ads->config.current_time));
200 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
201 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
207 static void use_in_memory_ccache(void) {
208 /* Use in-memory credentials cache so we do not interfere with
209 * existing credentials */
210 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
213 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
214 uint32 auth_flags, ADS_STRUCT **ads_ret)
216 ADS_STRUCT *ads = NULL;
218 bool need_password = false;
219 bool second_time = false;
221 const char *realm = NULL;
222 bool tried_closest_dc = false;
224 /* lp_realm() should be handled by a command line param,
225 However, the join requires that realm be set in smb.conf
226 and compares our realm with the remote server's so this is
227 ok until someone needs more flexibility */
232 if (only_own_domain) {
235 realm = assume_own_realm(c);
238 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
240 if (!c->opt_user_name) {
241 c->opt_user_name = "administrator";
244 if (c->opt_user_specified) {
245 need_password = true;
249 if (!c->opt_password && need_password && !c->opt_machine_pass) {
250 c->opt_password = net_prompt_pass(c, c->opt_user_name);
251 if (!c->opt_password) {
253 return ADS_ERROR(LDAP_NO_MEMORY);
257 if (c->opt_password) {
258 use_in_memory_ccache();
259 SAFE_FREE(ads->auth.password);
260 ads->auth.password = smb_xstrdup(c->opt_password);
263 ads->auth.flags |= auth_flags;
264 SAFE_FREE(ads->auth.user_name);
265 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
268 * If the username is of the form "name@realm",
269 * extract the realm and convert to upper case.
270 * This is only used to establish the connection.
272 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
274 SAFE_FREE(ads->auth.realm);
275 ads->auth.realm = smb_xstrdup(cp);
276 strupper_m(ads->auth.realm);
279 status = ads_connect(ads);
281 if (!ADS_ERR_OK(status)) {
283 if (NT_STATUS_EQUAL(ads_ntstatus(status),
284 NT_STATUS_NO_LOGON_SERVERS)) {
285 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
290 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
291 need_password = true;
300 /* when contacting our own domain, make sure we use the closest DC.
301 * This is done by reconnecting to ADS because only the first call to
302 * ads_connect will give us our own sitename */
304 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
306 tried_closest_dc = true; /* avoid loop */
308 if (!ads_closest_dc(ads)) {
310 namecache_delete(ads->server.realm, 0x1C);
311 namecache_delete(ads->server.workgroup, 0x1C);
324 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
326 return ads_startup_int(c, only_own_domain, 0, ads);
329 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
331 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
335 Check to see if connection can be made via ads.
336 ads_startup() stores the password in opt_password if it needs to so
337 that rpc or rap can use it without re-prompting.
339 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
344 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
348 ads->auth.flags |= ADS_AUTH_NO_BIND;
350 status = ads_connect(ads);
351 if ( !ADS_ERR_OK(status) ) {
359 int net_ads_check_our_domain(struct net_context *c)
361 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
364 int net_ads_check(struct net_context *c)
366 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
370 determine the netbios workgroup name for a domain
372 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
375 char addr[INET6_ADDRSTRLEN];
376 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
378 if (c->display_usage) {
380 "net ads workgroup\n"
383 _("Print the workgroup name"));
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, _("CLDAP query failed!\n"));
404 d_printf(_("Workgroup: %s\n"), reply.domain);
413 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
415 char **disp_fields = (char **) data_area;
417 if (!field) { /* must be end of record */
418 if (disp_fields[0]) {
419 if (!strchr_m(disp_fields[0], '$')) {
421 d_printf("%-21.21s %s\n",
422 disp_fields[0], disp_fields[1]);
424 d_printf("%s\n", disp_fields[0]);
427 SAFE_FREE(disp_fields[0]);
428 SAFE_FREE(disp_fields[1]);
431 if (!values) /* must be new field, indicate string field */
433 if (StrCaseCmp(field, "sAMAccountName") == 0) {
434 disp_fields[0] = SMB_STRDUP((char *) values[0]);
436 if (StrCaseCmp(field, "description") == 0)
437 disp_fields[1] = SMB_STRDUP((char *) values[0]);
441 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
443 return net_user_usage(c, argc, argv);
446 static int ads_user_add(struct net_context *c, int argc, const char **argv)
451 LDAPMessage *res=NULL;
455 if (argc < 1 || c->display_usage)
456 return net_ads_user_usage(c, argc, argv);
458 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
462 status = ads_find_user_acct(ads, &res, argv[0]);
464 if (!ADS_ERR_OK(status)) {
465 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
469 if (ads_count_replies(ads, res)) {
470 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
475 if (c->opt_container) {
476 ou_str = SMB_STRDUP(c->opt_container);
478 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
481 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
483 if (!ADS_ERR_OK(status)) {
484 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
489 /* if no password is to be set, we're done */
491 d_printf(_("User %s added\n"), argv[0]);
496 /* try setting the password */
497 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
500 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
501 ads->auth.time_offset);
503 if (ADS_ERR_OK(status)) {
504 d_printf(_("User %s added\n"), argv[0]);
509 /* password didn't set, delete account */
510 d_fprintf(stderr, _("Could not add user %s. "
511 "Error setting password %s\n"),
512 argv[0], ads_errstr(status));
513 ads_msgfree(ads, res);
514 status=ads_find_user_acct(ads, &res, argv[0]);
515 if (ADS_ERR_OK(status)) {
516 userdn = ads_get_dn(ads, talloc_tos(), res);
517 ads_del_dn(ads, userdn);
523 ads_msgfree(ads, res);
529 static int ads_user_info(struct net_context *c, int argc, const char **argv)
531 ADS_STRUCT *ads = NULL;
533 LDAPMessage *res = NULL;
537 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
538 char *searchstring=NULL;
542 DOM_SID primary_group_sid;
544 enum wbcSidType type;
546 if (argc < 1 || c->display_usage) {
547 return net_ads_user_usage(c, argc, argv);
550 frame = talloc_new(talloc_tos());
555 escaped_user = escape_ldap_string(frame, argv[0]);
558 _("ads_user_info: failed to escape user %s\n"),
563 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
568 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
572 rc = ads_search(ads, &res, searchstring, attrs);
573 SAFE_FREE(searchstring);
575 if (!ADS_ERR_OK(rc)) {
576 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
581 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
582 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
587 rc = ads_domain_sid(ads, &primary_group_sid);
588 if (!ADS_ERR_OK(rc)) {
589 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
594 sid_append_rid(&primary_group_sid, group_rid);
596 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
597 NULL, /* don't look up domain */
600 if (!WBC_ERROR_IS_OK(wbc_status)) {
601 d_fprintf(stderr, "wbcLookupSid: %s\n",
602 wbcErrorString(wbc_status));
607 d_printf("%s\n", primary_group);
609 wbcFreeMemory(primary_group);
611 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
612 (LDAPMessage *)res, "memberOf");
617 for (i=0;grouplist[i];i++) {
618 groupname = ldap_explode_dn(grouplist[i], 1);
619 d_printf("%s\n", groupname[0]);
620 ldap_value_free(groupname);
622 ldap_value_free(grouplist);
626 if (res) ads_msgfree(ads, res);
627 if (ads) ads_destroy(&ads);
632 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
636 LDAPMessage *res = NULL;
640 return net_ads_user_usage(c, argc, argv);
643 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
647 rc = ads_find_user_acct(ads, &res, argv[0]);
648 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
649 d_printf(_("User %s does not exist.\n"), argv[0]);
650 ads_msgfree(ads, res);
654 userdn = ads_get_dn(ads, talloc_tos(), res);
655 ads_msgfree(ads, res);
656 rc = ads_del_dn(ads, userdn);
658 if (ADS_ERR_OK(rc)) {
659 d_printf(_("User %s deleted\n"), argv[0]);
663 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
669 int net_ads_user(struct net_context *c, int argc, const char **argv)
671 struct functable func[] = {
676 N_("Add an AD user"),
677 N_("net ads user add\n"
684 N_("Display information about an AD user"),
685 N_("net ads user info\n"
686 " Display information about an AD user")
692 N_("Delete an AD user"),
693 N_("net ads user delete\n"
694 " Delete an AD user")
696 {NULL, NULL, 0, NULL, NULL}
700 const char *shortattrs[] = {"sAMAccountName", NULL};
701 const char *longattrs[] = {"sAMAccountName", "description", NULL};
702 char *disp_fields[2] = {NULL, NULL};
705 if (c->display_usage) {
711 net_display_usage_from_functable(func);
715 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
719 if (c->opt_long_list_entries)
720 d_printf(_("\nUser name Comment"
721 "\n-----------------------------\n"));
723 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
725 "(objectCategory=user)",
726 c->opt_long_list_entries ? longattrs :
727 shortattrs, usergrp_display,
730 return ADS_ERR_OK(rc) ? 0 : -1;
733 return net_run_function(c, argc, argv, "net ads user", func);
736 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
738 return net_group_usage(c, argc, argv);
741 static int ads_group_add(struct net_context *c, int argc, const char **argv)
745 LDAPMessage *res=NULL;
749 if (argc < 1 || c->display_usage) {
750 return net_ads_group_usage(c, argc, argv);
753 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
757 status = ads_find_user_acct(ads, &res, argv[0]);
759 if (!ADS_ERR_OK(status)) {
760 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
764 if (ads_count_replies(ads, res)) {
765 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
769 if (c->opt_container) {
770 ou_str = SMB_STRDUP(c->opt_container);
772 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
775 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
777 if (ADS_ERR_OK(status)) {
778 d_printf(_("Group %s added\n"), argv[0]);
781 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
787 ads_msgfree(ads, res);
793 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
797 LDAPMessage *res = NULL;
800 if (argc < 1 || c->display_usage) {
801 return net_ads_group_usage(c, argc, argv);
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
808 rc = ads_find_user_acct(ads, &res, argv[0]);
809 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
810 d_printf(_("Group %s does not exist.\n"), argv[0]);
811 ads_msgfree(ads, res);
815 groupdn = ads_get_dn(ads, talloc_tos(), res);
816 ads_msgfree(ads, res);
817 rc = ads_del_dn(ads, groupdn);
818 TALLOC_FREE(groupdn);
819 if (ADS_ERR_OK(rc)) {
820 d_printf(_("Group %s deleted\n"), argv[0]);
824 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
830 int net_ads_group(struct net_context *c, int argc, const char **argv)
832 struct functable func[] = {
837 N_("Add an AD group"),
838 N_("net ads group add\n"
845 N_("Delete an AD group"),
846 N_("net ads group delete\n"
847 " Delete an AD group")
849 {NULL, NULL, 0, NULL, NULL}
853 const char *shortattrs[] = {"sAMAccountName", NULL};
854 const char *longattrs[] = {"sAMAccountName", "description", NULL};
855 char *disp_fields[2] = {NULL, NULL};
858 if (c->display_usage) {
863 _("List AD groups"));
864 net_display_usage_from_functable(func);
868 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
872 if (c->opt_long_list_entries)
873 d_printf(_("\nGroup name Comment"
874 "\n-----------------------------\n"));
875 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
877 "(objectCategory=group)",
878 c->opt_long_list_entries ? longattrs :
879 shortattrs, usergrp_display,
883 return ADS_ERR_OK(rc) ? 0 : -1;
885 return net_run_function(c, argc, argv, "net ads group", func);
888 static int net_ads_status(struct net_context *c, int argc, const char **argv)
894 if (c->display_usage) {
899 _("Display machine account details"));
903 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
907 rc = ads_find_machine_acct(ads, &res, global_myname());
908 if (!ADS_ERR_OK(rc)) {
909 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
914 if (ads_count_replies(ads, res) == 0) {
915 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
925 /*******************************************************************
926 Leave an AD domain. Windows XP disables the machine account.
927 We'll try the same. The old code would do an LDAP delete.
928 That only worked using the machine creds because added the machine
929 with full control to the computer object's ACL.
930 *******************************************************************/
932 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
935 struct libnet_UnjoinCtx *r = NULL;
938 if (c->display_usage) {
943 _("Leave an AD domain"));
948 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
952 if (!(ctx = talloc_init("net_ads_leave"))) {
953 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
957 if (!c->opt_kerberos) {
958 use_in_memory_ccache();
961 werr = libnet_init_UnjoinCtx(ctx, &r);
962 if (!W_ERROR_IS_OK(werr)) {
963 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
968 r->in.use_kerberos = c->opt_kerberos;
969 r->in.dc_name = c->opt_host;
970 r->in.domain_name = lp_realm();
971 r->in.admin_account = c->opt_user_name;
972 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
973 r->in.modify_config = lp_config_backend_is_registry();
975 /* Try to delete it, but if that fails, disable it. The
976 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
977 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
978 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
979 r->in.delete_machine_account = true;
981 werr = libnet_Unjoin(ctx, r);
982 if (!W_ERROR_IS_OK(werr)) {
983 d_printf(_("Failed to leave domain: %s\n"),
984 r->out.error_string ? r->out.error_string :
985 get_friendly_werror_msg(werr));
989 if (r->out.deleted_machine_account) {
990 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
991 r->in.machine_name, r->out.dns_domain_name);
995 /* We couldn't delete it - see if the disable succeeded. */
996 if (r->out.disabled_machine_account) {
997 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
998 r->in.machine_name, r->out.dns_domain_name);
1003 /* Based on what we requseted, we shouldn't get here, but if
1004 we did, it means the secrets were removed, and therefore
1005 we have left the domain */
1006 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1007 r->in.machine_name, r->out.dns_domain_name);
1013 if (W_ERROR_IS_OK(werr)) {
1020 static NTSTATUS net_ads_join_ok(struct net_context *c)
1022 ADS_STRUCT *ads = NULL;
1025 struct sockaddr_storage dcip;
1027 if (!secrets_init()) {
1028 DEBUG(1,("Failed to initialise secrets database\n"));
1029 return NT_STATUS_ACCESS_DENIED;
1032 net_use_krb_machine_account(c);
1034 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1036 status = ads_startup(c, true, &ads);
1037 if (!ADS_ERR_OK(status)) {
1038 return ads_ntstatus(status);
1042 return NT_STATUS_OK;
1046 check that an existing join is OK
1048 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1051 use_in_memory_ccache();
1053 if (c->display_usage) {
1055 "net ads testjoin\n"
1058 _("Test if the existing join is ok"));
1062 /* Display success or failure */
1063 status = net_ads_join_ok(c);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1066 get_friendly_nt_error_msg(status));
1070 printf(_("Join is OK\n"));
1074 /*******************************************************************
1075 Simple configu checks before beginning the join
1076 ********************************************************************/
1078 static WERROR check_ads_config( void )
1080 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1081 d_printf(_("Host is not configured as a member server.\n"));
1082 return WERR_INVALID_DOMAIN_ROLE;
1085 if (strlen(global_myname()) > 15) {
1086 d_printf(_("Our netbios name can be at most 15 chars long, "
1087 "\"%s\" is %u chars long\n"), global_myname(),
1088 (unsigned int)strlen(global_myname()));
1089 return WERR_INVALID_COMPUTERNAME;
1092 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1093 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1094 "join to succeed.\n"), get_dyn_CONFIGFILE());
1095 return WERR_INVALID_PARAM;
1101 /*******************************************************************
1102 Send a DNS update request
1103 *******************************************************************/
1105 #if defined(WITH_DNS_UPDATES)
1107 DNS_ERROR DoDNSUpdate(char *pszServerName,
1108 const char *pszDomainName, const char *pszHostName,
1109 const struct sockaddr_storage *sslist,
1112 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1113 const char *machine_name,
1114 const struct sockaddr_storage *addrs,
1117 struct dns_rr_ns *nameservers = NULL;
1119 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1122 const char *dnsdomain = NULL;
1123 char *root_domain = NULL;
1125 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1126 d_printf(_("No DNS domain configured for %s. "
1127 "Unable to perform DNS Update.\n"), machine_name);
1128 status = NT_STATUS_INVALID_PARAMETER;
1133 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1134 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1135 /* Child domains often do not have NS records. Look
1136 for the NS record for the forest root domain
1137 (rootDomainNamingContext in therootDSE) */
1139 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1140 LDAPMessage *msg = NULL;
1142 ADS_STATUS ads_status;
1144 if ( !ads->ldap.ld ) {
1145 ads_status = ads_connect( ads );
1146 if ( !ADS_ERR_OK(ads_status) ) {
1147 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1152 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1153 "(objectclass=*)", rootname_attrs, &msg);
1154 if (!ADS_ERR_OK(ads_status)) {
1158 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1160 ads_msgfree( ads, msg );
1164 root_domain = ads_build_domain( root_dn );
1167 ads_msgfree( ads, msg );
1169 /* try again for NS servers */
1171 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1173 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1174 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1175 "realm\n", ads->config.realm));
1179 dnsdomain = root_domain;
1183 /* Now perform the dns update - we'll try non-secure and if we fail,
1184 we'll follow it up with a secure update */
1186 fstrcpy( dns_server, nameservers[0].hostname );
1188 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1189 if (!ERR_DNS_IS_OK(dns_err)) {
1190 status = NT_STATUS_UNSUCCESSFUL;
1195 SAFE_FREE( root_domain );
1200 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1203 struct sockaddr_storage *iplist = NULL;
1204 fstring machine_name;
1208 fstrcpy(machine_name, hostname);
1210 name_to_fqdn( machine_name, global_myname() );
1212 strlower_m( machine_name );
1214 /* Get our ip address (not the 127.0.0.x address but a real ip
1217 num_addrs = get_my_ip_address( &iplist );
1218 if ( num_addrs <= 0 ) {
1219 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1221 return NT_STATUS_INVALID_PARAMETER;
1224 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1226 SAFE_FREE( iplist );
1232 /*******************************************************************
1233 ********************************************************************/
1235 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1237 d_printf(_("net ads join [options]\n"
1238 "Valid options:\n"));
1239 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1240 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1241 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1242 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1243 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1244 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1245 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1246 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1247 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1248 " NB: osName and osVer must be specified together for either to take effect.\n"
1249 " Also, the operatingSystemService attribute is also set when along with\n"
1250 " the two other attributes.\n"));
1255 /*******************************************************************
1256 ********************************************************************/
1258 int net_ads_join(struct net_context *c, int argc, const char **argv)
1260 TALLOC_CTX *ctx = NULL;
1261 struct libnet_JoinCtx *r = NULL;
1262 const char *domain = lp_realm();
1263 WERROR werr = WERR_SETUP_NOT_JOINED;
1264 bool createupn = false;
1265 const char *machineupn = NULL;
1266 const char *create_in_ou = NULL;
1268 const char *os_name = NULL;
1269 const char *os_version = NULL;
1270 bool modify_config = lp_config_backend_is_registry();
1272 if (c->display_usage)
1273 return net_ads_join_usage(c, argc, argv);
1275 if (!modify_config) {
1277 werr = check_ads_config();
1278 if (!W_ERROR_IS_OK(werr)) {
1279 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1284 if (!(ctx = talloc_init("net_ads_join"))) {
1285 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1290 if (!c->opt_kerberos) {
1291 use_in_memory_ccache();
1294 werr = libnet_init_JoinCtx(ctx, &r);
1295 if (!W_ERROR_IS_OK(werr)) {
1299 /* process additional command line args */
1301 for ( i=0; i<argc; i++ ) {
1302 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1304 machineupn = get_string_param(argv[i]);
1306 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1307 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1308 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1309 werr = WERR_INVALID_PARAM;
1313 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1314 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1315 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1316 werr = WERR_INVALID_PARAM;
1320 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1321 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1322 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1323 werr = WERR_INVALID_PARAM;
1333 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1334 werr = WERR_INVALID_PARAM;
1338 /* Do the domain join here */
1340 r->in.domain_name = domain;
1341 r->in.create_upn = createupn;
1342 r->in.upn = machineupn;
1343 r->in.account_ou = create_in_ou;
1344 r->in.os_name = os_name;
1345 r->in.os_version = os_version;
1346 r->in.dc_name = c->opt_host;
1347 r->in.admin_account = c->opt_user_name;
1348 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1350 r->in.use_kerberos = c->opt_kerberos;
1351 r->in.modify_config = modify_config;
1352 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1353 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1354 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1356 werr = libnet_Join(ctx, r);
1357 if (!W_ERROR_IS_OK(werr)) {
1361 /* Check the short name of the domain */
1363 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1364 d_printf(_("The workgroup in %s does not match the short\n"
1365 "domain name obtained from the server.\n"
1366 "Using the name [%s] from the server.\n"
1367 "You should set \"workgroup = %s\" in %s.\n"),
1368 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1369 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1372 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1374 if (r->out.dns_domain_name) {
1375 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1376 r->out.dns_domain_name);
1378 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1379 r->out.netbios_domain_name);
1382 #if defined(WITH_DNS_UPDATES)
1383 if (r->out.domain_is_ad) {
1384 /* We enter this block with user creds */
1385 ADS_STRUCT *ads_dns = NULL;
1387 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1388 /* kinit with the machine password */
1390 use_in_memory_ccache();
1391 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1394 ads_dns->auth.password = secrets_fetch_machine_password(
1395 r->out.netbios_domain_name, NULL, NULL );
1396 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1397 strupper_m(ads_dns->auth.realm );
1398 ads_kinit_password( ads_dns );
1401 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1402 d_fprintf( stderr, _("DNS update failed!\n") );
1405 /* exit from this block using machine creds */
1406 ads_destroy(&ads_dns);
1415 /* issue an overall failure message at the end. */
1416 d_printf(_("Failed to join domain: %s\n"),
1417 r && r->out.error_string ? r->out.error_string :
1418 get_friendly_werror_msg(werr));
1424 /*******************************************************************
1425 ********************************************************************/
1427 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1429 #if defined(WITH_DNS_UPDATES)
1435 talloc_enable_leak_report();
1438 if (argc > 1 || c->display_usage) {
1440 "net ads dns register [hostname]\n"
1443 _("Register hostname with DNS\n"));
1447 if (!(ctx = talloc_init("net_ads_dns"))) {
1448 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1452 status = ads_startup(c, true, &ads);
1453 if ( !ADS_ERR_OK(status) ) {
1454 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1459 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
1460 d_fprintf( stderr, _("DNS update failed!\n") );
1461 ads_destroy( &ads );
1466 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1474 _("DNS update support not enabled at compile time!\n"));
1479 #if defined(WITH_DNS_UPDATES)
1480 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1483 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1485 #if defined(WITH_DNS_UPDATES)
1489 talloc_enable_leak_report();
1492 if (argc != 2 || c->display_usage) {
1497 _("net ads dns gethostbyname <server> <name>\n"),
1498 _(" Look up hostname from the AD\n"
1499 " server\tName server to use\n"
1500 " name\tName to look up\n"));
1504 err = do_gethostbyname(argv[0], argv[1]);
1506 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1511 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1513 struct functable func[] = {
1516 net_ads_dns_register,
1518 N_("Add host dns entry to AD"),
1519 N_("net ads dns register\n"
1520 " Add host dns entry to AD")
1524 net_ads_dns_gethostbyname,
1527 N_("net ads dns gethostbyname\n"
1530 {NULL, NULL, 0, NULL, NULL}
1533 return net_run_function(c, argc, argv, "net ads dns", func);
1536 /*******************************************************************
1537 ********************************************************************/
1539 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1542 "\nnet ads printer search <printer>"
1543 "\n\tsearch for a printer in the directory\n"
1544 "\nnet ads printer info <printer> <server>"
1545 "\n\tlookup info in directory for printer on server"
1546 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1547 "\nnet ads printer publish <printername>"
1548 "\n\tpublish printer in directory"
1549 "\n\t(note: printer name is required)\n"
1550 "\nnet ads printer remove <printername>"
1551 "\n\tremove printer from directory"
1552 "\n\t(note: printer name is required)\n"));
1556 /*******************************************************************
1557 ********************************************************************/
1559 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1563 LDAPMessage *res = NULL;
1565 if (c->display_usage) {
1567 "net ads printer search\n"
1570 _("List printers in the AD"));
1574 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1578 rc = ads_find_printers(ads, &res);
1580 if (!ADS_ERR_OK(rc)) {
1581 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1582 ads_msgfree(ads, res);
1587 if (ads_count_replies(ads, res) == 0) {
1588 d_fprintf(stderr, _("No results found\n"));
1589 ads_msgfree(ads, res);
1595 ads_msgfree(ads, res);
1600 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1604 const char *servername, *printername;
1605 LDAPMessage *res = NULL;
1607 if (c->display_usage) {
1610 _("net ads printer info [printername [servername]]\n"
1611 " Display printer info from AD\n"
1612 " printername\tPrinter name or wildcard\n"
1613 " servername\tName of the print server\n"));
1617 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1622 printername = argv[0];
1628 servername = argv[1];
1630 servername = global_myname();
1633 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1635 if (!ADS_ERR_OK(rc)) {
1636 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1637 servername, ads_errstr(rc));
1638 ads_msgfree(ads, res);
1643 if (ads_count_replies(ads, res) == 0) {
1644 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1645 ads_msgfree(ads, res);
1651 ads_msgfree(ads, res);
1657 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1661 const char *servername, *printername;
1662 struct cli_state *cli = NULL;
1663 struct rpc_pipe_client *pipe_hnd = NULL;
1664 struct sockaddr_storage server_ss;
1666 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1667 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1668 char *prt_dn, *srv_dn, **srv_cn;
1669 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1670 LDAPMessage *res = NULL;
1672 if (argc < 1 || c->display_usage) {
1675 _("net ads printer publish <printername> [servername]\n"
1676 " Publish printer in AD\n"
1677 " printername\tName of the printer\n"
1678 " servername\tName of the print server\n"));
1679 talloc_destroy(mem_ctx);
1683 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1684 talloc_destroy(mem_ctx);
1688 printername = argv[0];
1691 servername = argv[1];
1693 servername = global_myname();
1696 /* Get printer data from SPOOLSS */
1698 resolve_name(servername, &server_ss, 0x20, false);
1700 nt_status = cli_full_connection(&cli, global_myname(), servername,
1703 c->opt_user_name, c->opt_workgroup,
1704 c->opt_password ? c->opt_password : "",
1705 CLI_FULL_CONNECTION_USE_KERBEROS,
1708 if (NT_STATUS_IS_ERR(nt_status)) {
1709 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1710 "obtain data for %s\n"),
1711 servername, printername);
1713 talloc_destroy(mem_ctx);
1717 /* Publish on AD server */
1719 ads_find_machine_acct(ads, &res, servername);
1721 if (ads_count_replies(ads, res) == 0) {
1722 d_fprintf(stderr, _("Could not find machine account for server "
1726 talloc_destroy(mem_ctx);
1730 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1731 srv_cn = ldap_explode_dn(srv_dn, 1);
1733 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1734 printername_escaped = escape_rdn_val_string_alloc(printername);
1735 if (!srv_cn_escaped || !printername_escaped) {
1736 SAFE_FREE(srv_cn_escaped);
1737 SAFE_FREE(printername_escaped);
1738 d_fprintf(stderr, _("Internal error, out of memory!"));
1740 talloc_destroy(mem_ctx);
1744 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1745 SAFE_FREE(srv_cn_escaped);
1746 SAFE_FREE(printername_escaped);
1747 d_fprintf(stderr, _("Internal error, out of memory!"));
1749 talloc_destroy(mem_ctx);
1753 SAFE_FREE(srv_cn_escaped);
1754 SAFE_FREE(printername_escaped);
1756 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1757 if (!NT_STATUS_IS_OK(nt_status)) {
1758 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1762 talloc_destroy(mem_ctx);
1766 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1770 talloc_destroy(mem_ctx);
1774 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1775 if (!ADS_ERR_OK(rc)) {
1776 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1779 talloc_destroy(mem_ctx);
1783 d_printf("published printer\n");
1786 talloc_destroy(mem_ctx);
1791 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1795 const char *servername;
1797 LDAPMessage *res = NULL;
1799 if (argc < 1 || c->display_usage) {
1802 _("net ads printer remove <printername> [servername]\n"
1803 " Remove a printer from the AD\n"
1804 " printername\tName of the printer\n"
1805 " servername\tName of the print server\n"));
1809 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1814 servername = argv[1];
1816 servername = global_myname();
1819 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1821 if (!ADS_ERR_OK(rc)) {
1822 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1823 ads_msgfree(ads, res);
1828 if (ads_count_replies(ads, res) == 0) {
1829 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1830 ads_msgfree(ads, res);
1835 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1836 ads_msgfree(ads, res);
1837 rc = ads_del_dn(ads, prt_dn);
1838 TALLOC_FREE(prt_dn);
1840 if (!ADS_ERR_OK(rc)) {
1841 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1850 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1852 struct functable func[] = {
1855 net_ads_printer_search,
1857 N_("Search for a printer"),
1858 N_("net ads printer search\n"
1859 " Search for a printer")
1863 net_ads_printer_info,
1865 N_("Display printer information"),
1866 N_("net ads printer info\n"
1867 " Display printer information")
1871 net_ads_printer_publish,
1873 N_("Publish a printer"),
1874 N_("net ads printer publish\n"
1875 " Publish a printer")
1879 net_ads_printer_remove,
1881 N_("Delete a printer"),
1882 N_("net ads printer remove\n"
1883 " Delete a printer")
1885 {NULL, NULL, 0, NULL, NULL}
1888 return net_run_function(c, argc, argv, "net ads printer", func);
1892 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1895 const char *auth_principal = c->opt_user_name;
1896 const char *auth_password = c->opt_password;
1898 char *new_password = NULL;
1903 if (c->display_usage) {
1906 _("net ads password <username>\n"
1907 " Change password for user\n"
1908 " username\tName of user to change password for\n"));
1912 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1913 d_fprintf(stderr, _("You must supply an administrator "
1914 "username/password\n"));
1919 d_fprintf(stderr, _("ERROR: You must say which username to "
1920 "change password for\n"));
1925 if (!strchr_m(user, '@')) {
1926 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1932 use_in_memory_ccache();
1933 chr = strchr_m(auth_principal, '@');
1940 /* use the realm so we can eventually change passwords for users
1941 in realms other than default */
1942 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1946 /* we don't actually need a full connect, but it's the easy way to
1947 fill in the KDC's addresss */
1950 if (!ads->config.realm) {
1951 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1957 new_password = (char *)argv[1];
1959 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1962 new_password = getpass(prompt);
1966 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1967 auth_password, user, new_password, ads->auth.time_offset);
1968 if (!ADS_ERR_OK(ret)) {
1969 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
1974 d_printf(_("Password change for %s completed.\n"), user);
1980 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1983 char *host_principal;
1987 if (c->display_usage) {
1989 "net ads changetrustpw\n"
1992 _("Change the machine account's trust password"));
1996 if (!secrets_init()) {
1997 DEBUG(1,("Failed to initialise secrets database\n"));
2001 net_use_krb_machine_account(c);
2003 use_in_memory_ccache();
2005 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2009 fstrcpy(my_name, global_myname());
2010 strlower_m(my_name);
2011 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2015 d_printf(_("Changing password for principal: %s\n"), host_principal);
2017 ret = ads_change_trust_account_password(ads, host_principal);
2019 if (!ADS_ERR_OK(ret)) {
2020 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2022 SAFE_FREE(host_principal);
2026 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2028 if (USE_SYSTEM_KEYTAB) {
2029 d_printf(_("Attempting to update system keytab with new password.\n"));
2030 if (ads_keytab_create_default(ads)) {
2031 d_printf(_("Failed to update system keytab.\n"));
2036 SAFE_FREE(host_principal);
2042 help for net ads search
2044 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2047 "\nnet ads search <expression> <attributes...>\n"
2048 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2049 "The expression is a standard LDAP search expression, and the\n"
2050 "attributes are a list of LDAP fields to show in the results.\n\n"
2051 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2053 net_common_flags_usage(c, argc, argv);
2059 general ADS search function. Useful in diagnosing problems in ADS
2061 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2065 const char *ldap_exp;
2067 LDAPMessage *res = NULL;
2069 if (argc < 1 || c->display_usage) {
2070 return net_ads_search_usage(c, argc, argv);
2073 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2080 rc = ads_do_search_all(ads, ads->config.bind_path,
2082 ldap_exp, attrs, &res);
2083 if (!ADS_ERR_OK(rc)) {
2084 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2089 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2091 /* dump the results */
2094 ads_msgfree(ads, res);
2102 help for net ads search
2104 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2107 "\nnet ads dn <dn> <attributes...>\n"
2108 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2109 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2110 "to show in the results\n\n"
2111 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2112 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2114 net_common_flags_usage(c, argc, argv);
2120 general ADS search function. Useful in diagnosing problems in ADS
2122 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2128 LDAPMessage *res = NULL;
2130 if (argc < 1 || c->display_usage) {
2131 return net_ads_dn_usage(c, argc, argv);
2134 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2141 rc = ads_do_search_all(ads, dn,
2143 "(objectclass=*)", attrs, &res);
2144 if (!ADS_ERR_OK(rc)) {
2145 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2150 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2152 /* dump the results */
2155 ads_msgfree(ads, res);
2162 help for net ads sid search
2164 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2167 "\nnet ads sid <sid> <attributes...>\n"
2168 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2169 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2170 "to show in the results\n\n"
2171 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2173 net_common_flags_usage(c, argc, argv);
2179 general ADS search function. Useful in diagnosing problems in ADS
2181 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2185 const char *sid_string;
2187 LDAPMessage *res = NULL;
2190 if (argc < 1 || c->display_usage) {
2191 return net_ads_sid_usage(c, argc, argv);
2194 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2198 sid_string = argv[0];
2201 if (!string_to_sid(&sid, sid_string)) {
2202 d_fprintf(stderr, _("could not convert sid\n"));
2207 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2208 if (!ADS_ERR_OK(rc)) {
2209 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2214 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2216 /* dump the results */
2219 ads_msgfree(ads, res);
2225 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2230 if (c->display_usage) {
2232 "net ads keytab flush\n"
2235 _("Delete the whole keytab"));
2239 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2242 ret = ads_keytab_flush(ads);
2247 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2253 if (c->display_usage) {
2256 _("net ads keytab add <principal> [principal ...]\n"
2257 " Add principals to local keytab\n"
2258 " principal\tKerberos principal to add to "
2263 d_printf(_("Processing principals to add...\n"));
2264 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2267 for (i = 0; i < argc; i++) {
2268 ret |= ads_keytab_add_entry(ads, argv[i]);
2274 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2279 if (c->display_usage) {
2281 "net ads keytab create\n"
2284 _("Create new default keytab"));
2288 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2291 ret = ads_keytab_create_default(ads);
2296 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2298 const char *keytab = NULL;
2300 if (c->display_usage) {
2303 _("net ads keytab list [keytab]\n"
2304 " List a local keytab\n"
2305 " keytab\tKeytab to list\n"));
2313 return ads_keytab_list(keytab);
2317 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2319 struct functable func[] = {
2324 N_("Add a service principal"),
2325 N_("net ads keytab add\n"
2326 " Add a service principal")
2330 net_ads_keytab_create,
2332 N_("Create a fresh keytab"),
2333 N_("net ads keytab create\n"
2334 " Create a fresh keytab")
2338 net_ads_keytab_flush,
2340 N_("Remove all keytab entries"),
2341 N_("net ads keytab flush\n"
2342 " Remove all keytab entries")
2346 net_ads_keytab_list,
2348 N_("List a keytab"),
2349 N_("net ads keytab list\n"
2352 {NULL, NULL, 0, NULL, NULL}
2355 if (!USE_KERBEROS_KEYTAB) {
2356 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2357 "keytab method to use keytab functions.\n"));
2360 return net_run_function(c, argc, argv, "net ads keytab", func);
2363 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2367 if (c->display_usage) {
2369 "net ads kerberos renew\n"
2372 _("Renew TGT from existing credential cache"));
2376 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2378 d_printf(_("failed to renew kerberos ticket: %s\n"),
2379 error_message(ret));
2384 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2386 struct PAC_DATA *pac = NULL;
2387 struct PAC_LOGON_INFO *info = NULL;
2388 TALLOC_CTX *mem_ctx = NULL;
2391 const char *impersonate_princ_s = NULL;
2393 if (c->display_usage) {
2395 "net ads kerberos pac\n"
2398 _("Dump the Kerberos PAC"));
2402 mem_ctx = talloc_init("net_ads_kerberos_pac");
2408 impersonate_princ_s = argv[0];
2411 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2413 status = kerberos_return_pac(mem_ctx,
2422 2592000, /* one month */
2423 impersonate_princ_s,
2425 if (!NT_STATUS_IS_OK(status)) {
2426 d_printf(_("failed to query kerberos PAC: %s\n"),
2431 info = get_logon_info_from_pac(pac);
2434 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2435 d_printf(_("The Pac: %s\n"), s);
2440 TALLOC_FREE(mem_ctx);
2444 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2446 TALLOC_CTX *mem_ctx = NULL;
2450 if (c->display_usage) {
2452 "net ads kerberos kinit\n"
2455 _("Get Ticket Granting Ticket (TGT) for the user"));
2459 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2464 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2466 ret = kerberos_kinit_password_ext(c->opt_user_name,
2474 2592000, /* one month */
2477 d_printf(_("failed to kinit password: %s\n"),
2484 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2486 struct functable func[] = {
2489 net_ads_kerberos_kinit,
2491 N_("Retrieve Ticket Granting Ticket (TGT)"),
2492 N_("net ads kerberos kinit\n"
2493 " Receive Ticket Granting Ticket (TGT)")
2497 net_ads_kerberos_renew,
2499 N_("Renew Ticket Granting Ticket from credential cache"),
2500 N_("net ads kerberos renew\n"
2501 " Renew Ticket Granting Ticket (TGT) from "
2506 net_ads_kerberos_pac,
2508 N_("Dump Kerberos PAC"),
2509 N_("net ads kerberos pac\n"
2510 " Dump Kerberos PAC")
2512 {NULL, NULL, 0, NULL, NULL}
2515 return net_run_function(c, argc, argv, "net ads kerberos", func);
2518 int net_ads(struct net_context *c, int argc, const char **argv)
2520 struct functable func[] = {
2525 N_("Display details on remote ADS server"),
2527 " Display details on remote ADS server")
2533 N_("Join the local machine to ADS realm"),
2535 " Join the local machine to ADS realm")
2541 N_("Validate machine account"),
2542 N_("net ads testjoin\n"
2543 " Validate machine account")
2549 N_("Remove the local machine from ADS"),
2550 N_("net ads leave\n"
2551 " Remove the local machine from ADS")
2557 N_("Display machine account details"),
2558 N_("net ads status\n"
2559 " Display machine account details")
2565 N_("List/modify users"),
2567 " List/modify users")
2573 N_("List/modify groups"),
2574 N_("net ads group\n"
2575 " List/modify groups")
2581 N_("Issue dynamic DNS update"),
2583 " Issue dynamic DNS update")
2589 N_("Change user passwords"),
2590 N_("net ads password\n"
2591 " Change user passwords")
2595 net_ads_changetrustpw,
2597 N_("Change trust account password"),
2598 N_("net ads changetrustpw\n"
2599 " Change trust account password")
2605 N_("List/modify printer entries"),
2606 N_("net ads printer\n"
2607 " List/modify printer entries")
2613 N_("Issue LDAP search using filter"),
2614 N_("net ads search\n"
2615 " Issue LDAP search using filter")
2621 N_("Issue LDAP search by DN"),
2623 " Issue LDAP search by DN")
2629 N_("Issue LDAP search by SID"),
2631 " Issue LDAP search by SID")
2637 N_("Display workgroup name"),
2638 N_("net ads workgroup\n"
2639 " Display the workgroup name")
2645 N_("Perfom CLDAP query on DC"),
2646 N_("net ads lookup\n"
2647 " Find the ADS DC using CLDAP lookups")
2653 N_("Manage local keytab file"),
2654 N_("net ads keytab\n"
2655 " Manage local keytab file")
2661 N_("Manage group policy objects"),
2663 " Manage group policy objects")
2669 N_("Manage kerberos keytab"),
2670 N_("net ads kerberos\n"
2671 " Manage kerberos keytab")
2673 {NULL, NULL, 0, NULL, NULL}
2676 return net_run_function(c, argc, argv, "net ads", func);
2681 static int net_ads_noads(void)
2683 d_fprintf(stderr, _("ADS support not compiled in\n"));
2687 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2689 return net_ads_noads();
2692 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2694 return net_ads_noads();
2697 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2699 return net_ads_noads();
2702 int net_ads_join(struct net_context *c, int argc, const char **argv)
2704 return net_ads_noads();
2707 int net_ads_user(struct net_context *c, int argc, const char **argv)
2709 return net_ads_noads();
2712 int net_ads_group(struct net_context *c, int argc, const char **argv)
2714 return net_ads_noads();
2717 /* this one shouldn't display a message */
2718 int net_ads_check(struct net_context *c)
2723 int net_ads_check_our_domain(struct net_context *c)
2728 int net_ads(struct net_context *c, int argc, const char **argv)
2730 return net_ads_noads();
2733 #endif /* WITH_ADS */