2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
31 /* when we do not have sufficient input parameters to contact a remote domain
32 * we always fall back to our own realm - Guenther*/
34 static const char *assume_own_realm(struct net_context *c)
36 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
44 do a cldap netlogon query
46 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
48 char addr[INET6_ADDRSTRLEN];
49 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
51 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
52 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
53 d_fprintf(stderr, _("CLDAP query failed!\n"));
57 d_printf(_("Information for Domain Controller: %s\n\n"),
60 d_printf(_("Response Type: "));
61 switch (reply.command) {
62 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
63 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
65 case LOGON_SAM_LOGON_RESPONSE_EX:
66 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
69 d_printf("0x%x\n", reply.command);
73 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
77 "\tIs a GC of the forest: %s\n"
78 "\tIs an LDAP server: %s\n"
80 "\tIs running a KDC: %s\n"
81 "\tIs running time services: %s\n"
82 "\tIs the closest DC: %s\n"
84 "\tHas a hardware clock: %s\n"
85 "\tIs a non-domain NC serviced by LDAP server: %s\n"
86 "\tIs NT6 DC that has some secrets: %s\n"
87 "\tIs NT6 DC that has all secrets: %s\n"),
88 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
89 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
90 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
91 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
92 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
93 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
94 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
95 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
96 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
97 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
98 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
102 printf(_("Forest:\t\t\t%s\n"), reply.forest);
103 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
104 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
106 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain);
107 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
109 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
111 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
112 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
114 d_printf(_("NT Version: %d\n"), reply.nt_version);
115 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
116 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
122 this implements the CLDAP based netlogon lookup requests
123 for finding the domain controller of a ADS domain
125 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
130 if (c->display_usage) {
135 _("Find the ADS DC using CLDAP lookup.\n"));
139 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
140 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
145 if (!ads->config.realm) {
146 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
147 ads->ldap.port = 389;
150 ret = net_ads_cldap_netlogon(c, ads);
157 static int net_ads_info(struct net_context *c, int argc, const char **argv)
160 char addr[INET6_ADDRSTRLEN];
162 if (c->display_usage) {
167 _("Display information about an Active Directory "
172 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
173 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
177 if (!ads || !ads->config.realm) {
178 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
183 /* Try to set the server's current time since we didn't do a full
184 TCP LDAP session initially */
186 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
187 d_fprintf( stderr, _("Failed to get server's current time!\n"));
190 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
192 d_printf(_("LDAP server: %s\n"), addr);
193 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
194 d_printf(_("Realm: %s\n"), ads->config.realm);
195 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
196 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
197 d_printf(_("Server time: %s\n"),
198 http_timestring(talloc_tos(), ads->config.current_time));
200 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
201 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
207 static void use_in_memory_ccache(void) {
208 /* Use in-memory credentials cache so we do not interfere with
209 * existing credentials */
210 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
213 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
214 uint32 auth_flags, ADS_STRUCT **ads_ret)
216 ADS_STRUCT *ads = NULL;
218 bool need_password = false;
219 bool second_time = false;
221 const char *realm = NULL;
222 bool tried_closest_dc = false;
224 /* lp_realm() should be handled by a command line param,
225 However, the join requires that realm be set in smb.conf
226 and compares our realm with the remote server's so this is
227 ok until someone needs more flexibility */
232 if (only_own_domain) {
235 realm = assume_own_realm(c);
238 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
240 if (!c->opt_user_name) {
241 c->opt_user_name = "administrator";
244 if (c->opt_user_specified) {
245 need_password = true;
249 if (!c->opt_password && need_password && !c->opt_machine_pass) {
250 c->opt_password = net_prompt_pass(c, c->opt_user_name);
251 if (!c->opt_password) {
253 return ADS_ERROR(LDAP_NO_MEMORY);
257 if (c->opt_password) {
258 use_in_memory_ccache();
259 SAFE_FREE(ads->auth.password);
260 ads->auth.password = smb_xstrdup(c->opt_password);
263 ads->auth.flags |= auth_flags;
264 SAFE_FREE(ads->auth.user_name);
265 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
268 * If the username is of the form "name@realm",
269 * extract the realm and convert to upper case.
270 * This is only used to establish the connection.
272 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
274 SAFE_FREE(ads->auth.realm);
275 ads->auth.realm = smb_xstrdup(cp);
276 strupper_m(ads->auth.realm);
279 status = ads_connect(ads);
281 if (!ADS_ERR_OK(status)) {
283 if (NT_STATUS_EQUAL(ads_ntstatus(status),
284 NT_STATUS_NO_LOGON_SERVERS)) {
285 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
290 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
291 need_password = true;
300 /* when contacting our own domain, make sure we use the closest DC.
301 * This is done by reconnecting to ADS because only the first call to
302 * ads_connect will give us our own sitename */
304 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
306 tried_closest_dc = true; /* avoid loop */
308 if (!ads_closest_dc(ads)) {
310 namecache_delete(ads->server.realm, 0x1C);
311 namecache_delete(ads->server.workgroup, 0x1C);
324 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
326 return ads_startup_int(c, only_own_domain, 0, ads);
329 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
331 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
335 Check to see if connection can be made via ads.
336 ads_startup() stores the password in opt_password if it needs to so
337 that rpc or rap can use it without re-prompting.
339 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
344 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
348 ads->auth.flags |= ADS_AUTH_NO_BIND;
350 status = ads_connect(ads);
351 if ( !ADS_ERR_OK(status) ) {
359 int net_ads_check_our_domain(struct net_context *c)
361 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
364 int net_ads_check(struct net_context *c)
366 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
370 determine the netbios workgroup name for a domain
372 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
375 char addr[INET6_ADDRSTRLEN];
376 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
378 if (c->display_usage) {
380 "net ads workgroup\n"
383 _("Print the workgroup name"));
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, _("CLDAP query failed!\n"));
404 d_printf(_("Workgroup: %s\n"), reply.domain);
413 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
415 char **disp_fields = (char **) data_area;
417 if (!field) { /* must be end of record */
418 if (disp_fields[0]) {
419 if (!strchr_m(disp_fields[0], '$')) {
421 d_printf("%-21.21s %s\n",
422 disp_fields[0], disp_fields[1]);
424 d_printf("%s\n", disp_fields[0]);
427 SAFE_FREE(disp_fields[0]);
428 SAFE_FREE(disp_fields[1]);
431 if (!values) /* must be new field, indicate string field */
433 if (StrCaseCmp(field, "sAMAccountName") == 0) {
434 disp_fields[0] = SMB_STRDUP((char *) values[0]);
436 if (StrCaseCmp(field, "description") == 0)
437 disp_fields[1] = SMB_STRDUP((char *) values[0]);
441 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
443 return net_user_usage(c, argc, argv);
446 static int ads_user_add(struct net_context *c, int argc, const char **argv)
451 LDAPMessage *res=NULL;
455 if (argc < 1 || c->display_usage)
456 return net_ads_user_usage(c, argc, argv);
458 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
462 status = ads_find_user_acct(ads, &res, argv[0]);
464 if (!ADS_ERR_OK(status)) {
465 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
469 if (ads_count_replies(ads, res)) {
470 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
475 if (c->opt_container) {
476 ou_str = SMB_STRDUP(c->opt_container);
478 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
481 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
483 if (!ADS_ERR_OK(status)) {
484 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
489 /* if no password is to be set, we're done */
491 d_printf(_("User %s added\n"), argv[0]);
496 /* try setting the password */
497 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
500 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
501 ads->auth.time_offset);
503 if (ADS_ERR_OK(status)) {
504 d_printf(_("User %s added\n"), argv[0]);
509 /* password didn't set, delete account */
510 d_fprintf(stderr, _("Could not add user %s. "
511 "Error setting password %s\n"),
512 argv[0], ads_errstr(status));
513 ads_msgfree(ads, res);
514 status=ads_find_user_acct(ads, &res, argv[0]);
515 if (ADS_ERR_OK(status)) {
516 userdn = ads_get_dn(ads, talloc_tos(), res);
517 ads_del_dn(ads, userdn);
523 ads_msgfree(ads, res);
529 static int ads_user_info(struct net_context *c, int argc, const char **argv)
531 ADS_STRUCT *ads = NULL;
533 LDAPMessage *res = NULL;
537 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
538 char *searchstring=NULL;
542 DOM_SID primary_group_sid;
544 enum wbcSidType type;
546 if (argc < 1 || c->display_usage) {
547 return net_ads_user_usage(c, argc, argv);
550 frame = talloc_new(talloc_tos());
555 escaped_user = escape_ldap_string(frame, argv[0]);
558 _("ads_user_info: failed to escape user %s\n"),
563 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
568 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
572 rc = ads_search(ads, &res, searchstring, attrs);
573 SAFE_FREE(searchstring);
575 if (!ADS_ERR_OK(rc)) {
576 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
581 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
582 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
587 rc = ads_domain_sid(ads, &primary_group_sid);
588 if (!ADS_ERR_OK(rc)) {
589 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
594 sid_append_rid(&primary_group_sid, group_rid);
596 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
597 NULL, /* don't look up domain */
600 if (!WBC_ERROR_IS_OK(wbc_status)) {
601 d_fprintf(stderr, "wbcLookupSid: %s\n",
602 wbcErrorString(wbc_status));
607 d_printf("%s\n", primary_group);
609 wbcFreeMemory(primary_group);
611 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
612 (LDAPMessage *)res, "memberOf");
617 for (i=0;grouplist[i];i++) {
618 groupname = ldap_explode_dn(grouplist[i], 1);
619 d_printf("%s\n", groupname[0]);
620 ldap_value_free(groupname);
622 ldap_value_free(grouplist);
626 if (res) ads_msgfree(ads, res);
627 if (ads) ads_destroy(&ads);
632 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
636 LDAPMessage *res = NULL;
640 return net_ads_user_usage(c, argc, argv);
643 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
647 rc = ads_find_user_acct(ads, &res, argv[0]);
648 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
649 d_printf(_("User %s does not exist.\n"), argv[0]);
650 ads_msgfree(ads, res);
654 userdn = ads_get_dn(ads, talloc_tos(), res);
655 ads_msgfree(ads, res);
656 rc = ads_del_dn(ads, userdn);
658 if (ADS_ERR_OK(rc)) {
659 d_printf(_("User %s deleted\n"), argv[0]);
663 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
669 int net_ads_user(struct net_context *c, int argc, const char **argv)
671 struct functable func[] = {
676 N_("Add an AD user"),
677 N_("net ads user add\n"
684 N_("Display information about an AD user"),
685 N_("net ads user info\n"
686 " Display information about an AD user")
692 N_("Delete an AD user"),
693 N_("net ads user delete\n"
694 " Delete an AD user")
696 {NULL, NULL, 0, NULL, NULL}
700 const char *shortattrs[] = {"sAMAccountName", NULL};
701 const char *longattrs[] = {"sAMAccountName", "description", NULL};
702 char *disp_fields[2] = {NULL, NULL};
705 if (c->display_usage) {
711 net_display_usage_from_functable(func);
715 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
719 if (c->opt_long_list_entries)
720 d_printf(_("\nUser name Comment"
721 "\n-----------------------------\n"));
723 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
725 "(objectCategory=user)",
726 c->opt_long_list_entries ? longattrs :
727 shortattrs, usergrp_display,
730 return ADS_ERR_OK(rc) ? 0 : -1;
733 return net_run_function(c, argc, argv, "net ads user", func);
736 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
738 return net_group_usage(c, argc, argv);
741 static int ads_group_add(struct net_context *c, int argc, const char **argv)
745 LDAPMessage *res=NULL;
749 if (argc < 1 || c->display_usage) {
750 return net_ads_group_usage(c, argc, argv);
753 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
757 status = ads_find_user_acct(ads, &res, argv[0]);
759 if (!ADS_ERR_OK(status)) {
760 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
764 if (ads_count_replies(ads, res)) {
765 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
769 if (c->opt_container) {
770 ou_str = SMB_STRDUP(c->opt_container);
772 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
775 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
777 if (ADS_ERR_OK(status)) {
778 d_printf(_("Group %s added\n"), argv[0]);
781 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
787 ads_msgfree(ads, res);
793 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
797 LDAPMessage *res = NULL;
800 if (argc < 1 || c->display_usage) {
801 return net_ads_group_usage(c, argc, argv);
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
808 rc = ads_find_user_acct(ads, &res, argv[0]);
809 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
810 d_printf(_("Group %s does not exist.\n"), argv[0]);
811 ads_msgfree(ads, res);
815 groupdn = ads_get_dn(ads, talloc_tos(), res);
816 ads_msgfree(ads, res);
817 rc = ads_del_dn(ads, groupdn);
818 TALLOC_FREE(groupdn);
819 if (ADS_ERR_OK(rc)) {
820 d_printf(_("Group %s deleted\n"), argv[0]);
824 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
830 int net_ads_group(struct net_context *c, int argc, const char **argv)
832 struct functable func[] = {
837 N_("Add an AD group"),
838 N_("net ads group add\n"
845 N_("Delete an AD group"),
846 N_("net ads group delete\n"
847 " Delete an AD group")
849 {NULL, NULL, 0, NULL, NULL}
853 const char *shortattrs[] = {"sAMAccountName", NULL};
854 const char *longattrs[] = {"sAMAccountName", "description", NULL};
855 char *disp_fields[2] = {NULL, NULL};
858 if (c->display_usage) {
863 _("List AD groups"));
864 net_display_usage_from_functable(func);
868 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
872 if (c->opt_long_list_entries)
873 d_printf(_("\nGroup name Comment"
874 "\n-----------------------------\n"));
875 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
877 "(objectCategory=group)",
878 c->opt_long_list_entries ? longattrs :
879 shortattrs, usergrp_display,
883 return ADS_ERR_OK(rc) ? 0 : -1;
885 return net_run_function(c, argc, argv, "net ads group", func);
888 static int net_ads_status(struct net_context *c, int argc, const char **argv)
894 if (c->display_usage) {
899 _("Display machine account details"));
903 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
907 rc = ads_find_machine_acct(ads, &res, global_myname());
908 if (!ADS_ERR_OK(rc)) {
909 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
914 if (ads_count_replies(ads, res) == 0) {
915 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
925 /*******************************************************************
926 Leave an AD domain. Windows XP disables the machine account.
927 We'll try the same. The old code would do an LDAP delete.
928 That only worked using the machine creds because added the machine
929 with full control to the computer object's ACL.
930 *******************************************************************/
932 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
935 struct libnet_UnjoinCtx *r = NULL;
938 if (c->display_usage) {
943 _("Leave an AD domain"));
948 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
952 if (!(ctx = talloc_init("net_ads_leave"))) {
953 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
957 if (!c->opt_kerberos) {
958 use_in_memory_ccache();
961 werr = libnet_init_UnjoinCtx(ctx, &r);
962 if (!W_ERROR_IS_OK(werr)) {
963 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
968 r->in.use_kerberos = c->opt_kerberos;
969 r->in.dc_name = c->opt_host;
970 r->in.domain_name = lp_realm();
971 r->in.admin_account = c->opt_user_name;
972 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
973 r->in.modify_config = lp_config_backend_is_registry();
975 /* Try to delete it, but if that fails, disable it. The
976 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
977 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
978 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
979 r->in.delete_machine_account = true;
981 werr = libnet_Unjoin(ctx, r);
982 if (!W_ERROR_IS_OK(werr)) {
983 d_printf(_("Failed to leave domain: %s\n"),
984 r->out.error_string ? r->out.error_string :
985 get_friendly_werror_msg(werr));
989 if (r->out.deleted_machine_account) {
990 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
991 r->in.machine_name, r->out.dns_domain_name);
995 /* We couldn't delete it - see if the disable succeeded. */
996 if (r->out.disabled_machine_account) {
997 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
998 r->in.machine_name, r->out.dns_domain_name);
1003 /* Based on what we requseted, we shouldn't get here, but if
1004 we did, it means the secrets were removed, and therefore
1005 we have left the domain */
1006 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1007 r->in.machine_name, r->out.dns_domain_name);
1013 if (W_ERROR_IS_OK(werr)) {
1020 static NTSTATUS net_ads_join_ok(struct net_context *c)
1022 ADS_STRUCT *ads = NULL;
1025 struct sockaddr_storage dcip;
1027 if (!secrets_init()) {
1028 DEBUG(1,("Failed to initialise secrets database\n"));
1029 return NT_STATUS_ACCESS_DENIED;
1032 net_use_krb_machine_account(c);
1034 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1036 status = ads_startup(c, true, &ads);
1037 if (!ADS_ERR_OK(status)) {
1038 return ads_ntstatus(status);
1042 return NT_STATUS_OK;
1046 check that an existing join is OK
1048 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1051 use_in_memory_ccache();
1053 if (c->display_usage) {
1055 "net ads testjoin\n"
1058 _("Test if the existing join is ok"));
1062 /* Display success or failure */
1063 status = net_ads_join_ok(c);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1066 get_friendly_nt_error_msg(status));
1070 printf(_("Join is OK\n"));
1074 /*******************************************************************
1075 Simple configu checks before beginning the join
1076 ********************************************************************/
1078 static WERROR check_ads_config( void )
1080 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1081 d_printf(_("Host is not configured as a member server.\n"));
1082 return WERR_INVALID_DOMAIN_ROLE;
1085 if (strlen(global_myname()) > 15) {
1086 d_printf(_("Our netbios name can be at most 15 chars long, "
1087 "\"%s\" is %u chars long\n"), global_myname(),
1088 (unsigned int)strlen(global_myname()));
1089 return WERR_INVALID_COMPUTERNAME;
1092 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1093 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1094 "join to succeed.\n"), get_dyn_CONFIGFILE());
1095 return WERR_INVALID_PARAM;
1101 /*******************************************************************
1102 Send a DNS update request
1103 *******************************************************************/
1105 #if defined(WITH_DNS_UPDATES)
1107 DNS_ERROR DoDNSUpdate(char *pszServerName,
1108 const char *pszDomainName, const char *pszHostName,
1109 const struct sockaddr_storage *sslist,
1112 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1113 const char *machine_name,
1114 const struct sockaddr_storage *addrs,
1117 struct dns_rr_ns *nameservers = NULL;
1119 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1122 const char *dnsdomain = NULL;
1123 char *root_domain = NULL;
1125 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1126 d_printf(_("No DNS domain configured for %s. "
1127 "Unable to perform DNS Update.\n"), machine_name);
1128 status = NT_STATUS_INVALID_PARAMETER;
1133 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1134 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1135 /* Child domains often do not have NS records. Look
1136 for the NS record for the forest root domain
1137 (rootDomainNamingContext in therootDSE) */
1139 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1140 LDAPMessage *msg = NULL;
1142 ADS_STATUS ads_status;
1144 if ( !ads->ldap.ld ) {
1145 ads_status = ads_connect( ads );
1146 if ( !ADS_ERR_OK(ads_status) ) {
1147 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1152 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1153 "(objectclass=*)", rootname_attrs, &msg);
1154 if (!ADS_ERR_OK(ads_status)) {
1158 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1160 ads_msgfree( ads, msg );
1164 root_domain = ads_build_domain( root_dn );
1167 ads_msgfree( ads, msg );
1169 /* try again for NS servers */
1171 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1173 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1174 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1175 "realm\n", ads->config.realm));
1179 dnsdomain = root_domain;
1183 /* Now perform the dns update - we'll try non-secure and if we fail,
1184 we'll follow it up with a secure update */
1186 fstrcpy( dns_server, nameservers[0].hostname );
1188 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1189 if (!ERR_DNS_IS_OK(dns_err)) {
1190 status = NT_STATUS_UNSUCCESSFUL;
1195 SAFE_FREE( root_domain );
1200 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1201 const char *hostname,
1202 struct sockaddr_storage *iplist,
1205 struct sockaddr_storage *iplist_alloc = NULL;
1206 fstring machine_name;
1210 fstrcpy(machine_name, hostname);
1212 name_to_fqdn( machine_name, global_myname() );
1214 strlower_m( machine_name );
1216 if (num_addrs == 0 || iplist == NULL) {
1218 * Get our ip address
1219 * (not the 127.0.0.x address but a real ip address)
1221 num_addrs = get_my_ip_address(&iplist_alloc);
1222 if ( num_addrs <= 0 ) {
1223 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1224 "non-loopback IP addresses!\n"));
1225 return NT_STATUS_INVALID_PARAMETER;
1227 iplist = iplist_alloc;
1230 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1233 SAFE_FREE(iplist_alloc);
1237 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1241 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1247 /*******************************************************************
1248 ********************************************************************/
1250 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1252 d_printf(_("net ads join [options]\n"
1253 "Valid options:\n"));
1254 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1255 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1256 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1257 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1258 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1259 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1260 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1261 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1262 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1263 " NB: osName and osVer must be specified together for either to take effect.\n"
1264 " Also, the operatingSystemService attribute is also set when along with\n"
1265 " the two other attributes.\n"));
1270 /*******************************************************************
1271 ********************************************************************/
1273 int net_ads_join(struct net_context *c, int argc, const char **argv)
1275 TALLOC_CTX *ctx = NULL;
1276 struct libnet_JoinCtx *r = NULL;
1277 const char *domain = lp_realm();
1278 WERROR werr = WERR_SETUP_NOT_JOINED;
1279 bool createupn = false;
1280 const char *machineupn = NULL;
1281 const char *create_in_ou = NULL;
1283 const char *os_name = NULL;
1284 const char *os_version = NULL;
1285 bool modify_config = lp_config_backend_is_registry();
1287 if (c->display_usage)
1288 return net_ads_join_usage(c, argc, argv);
1290 if (!modify_config) {
1292 werr = check_ads_config();
1293 if (!W_ERROR_IS_OK(werr)) {
1294 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1299 if (!(ctx = talloc_init("net_ads_join"))) {
1300 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1305 if (!c->opt_kerberos) {
1306 use_in_memory_ccache();
1309 werr = libnet_init_JoinCtx(ctx, &r);
1310 if (!W_ERROR_IS_OK(werr)) {
1314 /* process additional command line args */
1316 for ( i=0; i<argc; i++ ) {
1317 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1319 machineupn = get_string_param(argv[i]);
1321 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1322 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1323 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1324 werr = WERR_INVALID_PARAM;
1328 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1329 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1330 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1331 werr = WERR_INVALID_PARAM;
1335 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1336 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1337 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1338 werr = WERR_INVALID_PARAM;
1348 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1349 werr = WERR_INVALID_PARAM;
1353 /* Do the domain join here */
1355 r->in.domain_name = domain;
1356 r->in.create_upn = createupn;
1357 r->in.upn = machineupn;
1358 r->in.account_ou = create_in_ou;
1359 r->in.os_name = os_name;
1360 r->in.os_version = os_version;
1361 r->in.dc_name = c->opt_host;
1362 r->in.admin_account = c->opt_user_name;
1363 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1365 r->in.use_kerberos = c->opt_kerberos;
1366 r->in.modify_config = modify_config;
1367 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1368 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1369 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1371 werr = libnet_Join(ctx, r);
1372 if (!W_ERROR_IS_OK(werr)) {
1376 /* Check the short name of the domain */
1378 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1379 d_printf(_("The workgroup in %s does not match the short\n"
1380 "domain name obtained from the server.\n"
1381 "Using the name [%s] from the server.\n"
1382 "You should set \"workgroup = %s\" in %s.\n"),
1383 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1384 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1387 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1389 if (r->out.dns_domain_name) {
1390 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1391 r->out.dns_domain_name);
1393 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1394 r->out.netbios_domain_name);
1397 #if defined(WITH_DNS_UPDATES)
1399 * In a clustered environment, don't do dynamic dns updates:
1400 * Registering the set of ip addresses that are assigned to
1401 * the interfaces of the node that performs the join does usually
1402 * not have the desired effect, since the local interfaces do not
1403 * carry the complete set of the cluster's public IP addresses.
1404 * And it can also contain internal addresses that should not
1405 * be visible to the outside at all.
1406 * In order to do dns updates in a clustererd setup, use
1407 * net ads dns register.
1409 if (lp_clustering()) {
1410 d_fprintf(stderr, _("Not doing automatic DNS update in a"
1411 "clustered setup.\n"));
1415 if (r->out.domain_is_ad) {
1416 /* We enter this block with user creds */
1417 ADS_STRUCT *ads_dns = NULL;
1419 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1420 /* kinit with the machine password */
1422 use_in_memory_ccache();
1423 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1426 ads_dns->auth.password = secrets_fetch_machine_password(
1427 r->out.netbios_domain_name, NULL, NULL );
1428 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1429 strupper_m(ads_dns->auth.realm );
1430 ads_kinit_password( ads_dns );
1433 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1434 d_fprintf( stderr, _("DNS update failed!\n") );
1437 /* exit from this block using machine creds */
1438 ads_destroy(&ads_dns);
1449 /* issue an overall failure message at the end. */
1450 d_printf(_("Failed to join domain: %s\n"),
1451 r && r->out.error_string ? r->out.error_string :
1452 get_friendly_werror_msg(werr));
1458 /*******************************************************************
1459 ********************************************************************/
1461 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1463 #if defined(WITH_DNS_UPDATES)
1469 talloc_enable_leak_report();
1472 if (argc > 1 || c->display_usage) {
1474 "net ads dns register [hostname]\n"
1477 _("Register hostname with DNS\n"));
1481 if (!(ctx = talloc_init("net_ads_dns"))) {
1482 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1486 status = ads_startup(c, true, &ads);
1487 if ( !ADS_ERR_OK(status) ) {
1488 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1493 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
1494 d_fprintf( stderr, _("DNS update failed!\n") );
1495 ads_destroy( &ads );
1500 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1508 _("DNS update support not enabled at compile time!\n"));
1513 #if defined(WITH_DNS_UPDATES)
1514 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1517 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1519 #if defined(WITH_DNS_UPDATES)
1523 talloc_enable_leak_report();
1526 if (argc != 2 || c->display_usage) {
1531 _("net ads dns gethostbyname <server> <name>\n"),
1532 _(" Look up hostname from the AD\n"
1533 " server\tName server to use\n"
1534 " name\tName to look up\n"));
1538 err = do_gethostbyname(argv[0], argv[1]);
1540 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1545 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1547 struct functable func[] = {
1550 net_ads_dns_register,
1552 N_("Add host dns entry to AD"),
1553 N_("net ads dns register\n"
1554 " Add host dns entry to AD")
1558 net_ads_dns_gethostbyname,
1561 N_("net ads dns gethostbyname\n"
1564 {NULL, NULL, 0, NULL, NULL}
1567 return net_run_function(c, argc, argv, "net ads dns", func);
1570 /*******************************************************************
1571 ********************************************************************/
1573 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1576 "\nnet ads printer search <printer>"
1577 "\n\tsearch for a printer in the directory\n"
1578 "\nnet ads printer info <printer> <server>"
1579 "\n\tlookup info in directory for printer on server"
1580 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1581 "\nnet ads printer publish <printername>"
1582 "\n\tpublish printer in directory"
1583 "\n\t(note: printer name is required)\n"
1584 "\nnet ads printer remove <printername>"
1585 "\n\tremove printer from directory"
1586 "\n\t(note: printer name is required)\n"));
1590 /*******************************************************************
1591 ********************************************************************/
1593 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1597 LDAPMessage *res = NULL;
1599 if (c->display_usage) {
1601 "net ads printer search\n"
1604 _("List printers in the AD"));
1608 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1612 rc = ads_find_printers(ads, &res);
1614 if (!ADS_ERR_OK(rc)) {
1615 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1616 ads_msgfree(ads, res);
1621 if (ads_count_replies(ads, res) == 0) {
1622 d_fprintf(stderr, _("No results found\n"));
1623 ads_msgfree(ads, res);
1629 ads_msgfree(ads, res);
1634 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1638 const char *servername, *printername;
1639 LDAPMessage *res = NULL;
1641 if (c->display_usage) {
1644 _("net ads printer info [printername [servername]]\n"
1645 " Display printer info from AD\n"
1646 " printername\tPrinter name or wildcard\n"
1647 " servername\tName of the print server\n"));
1651 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1656 printername = argv[0];
1662 servername = argv[1];
1664 servername = global_myname();
1667 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1669 if (!ADS_ERR_OK(rc)) {
1670 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1671 servername, ads_errstr(rc));
1672 ads_msgfree(ads, res);
1677 if (ads_count_replies(ads, res) == 0) {
1678 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1679 ads_msgfree(ads, res);
1685 ads_msgfree(ads, res);
1691 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1695 const char *servername, *printername;
1696 struct cli_state *cli = NULL;
1697 struct rpc_pipe_client *pipe_hnd = NULL;
1698 struct sockaddr_storage server_ss;
1700 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1701 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1702 char *prt_dn, *srv_dn, **srv_cn;
1703 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1704 LDAPMessage *res = NULL;
1706 if (argc < 1 || c->display_usage) {
1709 _("net ads printer publish <printername> [servername]\n"
1710 " Publish printer in AD\n"
1711 " printername\tName of the printer\n"
1712 " servername\tName of the print server\n"));
1713 talloc_destroy(mem_ctx);
1717 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1718 talloc_destroy(mem_ctx);
1722 printername = argv[0];
1725 servername = argv[1];
1727 servername = global_myname();
1730 /* Get printer data from SPOOLSS */
1732 resolve_name(servername, &server_ss, 0x20, false);
1734 nt_status = cli_full_connection(&cli, global_myname(), servername,
1737 c->opt_user_name, c->opt_workgroup,
1738 c->opt_password ? c->opt_password : "",
1739 CLI_FULL_CONNECTION_USE_KERBEROS,
1742 if (NT_STATUS_IS_ERR(nt_status)) {
1743 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1744 "obtain data for %s\n"),
1745 servername, printername);
1747 talloc_destroy(mem_ctx);
1751 /* Publish on AD server */
1753 ads_find_machine_acct(ads, &res, servername);
1755 if (ads_count_replies(ads, res) == 0) {
1756 d_fprintf(stderr, _("Could not find machine account for server "
1760 talloc_destroy(mem_ctx);
1764 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1765 srv_cn = ldap_explode_dn(srv_dn, 1);
1767 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1768 printername_escaped = escape_rdn_val_string_alloc(printername);
1769 if (!srv_cn_escaped || !printername_escaped) {
1770 SAFE_FREE(srv_cn_escaped);
1771 SAFE_FREE(printername_escaped);
1772 d_fprintf(stderr, _("Internal error, out of memory!"));
1774 talloc_destroy(mem_ctx);
1778 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1779 SAFE_FREE(srv_cn_escaped);
1780 SAFE_FREE(printername_escaped);
1781 d_fprintf(stderr, _("Internal error, out of memory!"));
1783 talloc_destroy(mem_ctx);
1787 SAFE_FREE(srv_cn_escaped);
1788 SAFE_FREE(printername_escaped);
1790 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1791 if (!NT_STATUS_IS_OK(nt_status)) {
1792 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1796 talloc_destroy(mem_ctx);
1800 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1804 talloc_destroy(mem_ctx);
1808 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1809 if (!ADS_ERR_OK(rc)) {
1810 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1813 talloc_destroy(mem_ctx);
1817 d_printf("published printer\n");
1820 talloc_destroy(mem_ctx);
1825 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1829 const char *servername;
1831 LDAPMessage *res = NULL;
1833 if (argc < 1 || c->display_usage) {
1836 _("net ads printer remove <printername> [servername]\n"
1837 " Remove a printer from the AD\n"
1838 " printername\tName of the printer\n"
1839 " servername\tName of the print server\n"));
1843 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1848 servername = argv[1];
1850 servername = global_myname();
1853 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1855 if (!ADS_ERR_OK(rc)) {
1856 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1857 ads_msgfree(ads, res);
1862 if (ads_count_replies(ads, res) == 0) {
1863 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1864 ads_msgfree(ads, res);
1869 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1870 ads_msgfree(ads, res);
1871 rc = ads_del_dn(ads, prt_dn);
1872 TALLOC_FREE(prt_dn);
1874 if (!ADS_ERR_OK(rc)) {
1875 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1884 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1886 struct functable func[] = {
1889 net_ads_printer_search,
1891 N_("Search for a printer"),
1892 N_("net ads printer search\n"
1893 " Search for a printer")
1897 net_ads_printer_info,
1899 N_("Display printer information"),
1900 N_("net ads printer info\n"
1901 " Display printer information")
1905 net_ads_printer_publish,
1907 N_("Publish a printer"),
1908 N_("net ads printer publish\n"
1909 " Publish a printer")
1913 net_ads_printer_remove,
1915 N_("Delete a printer"),
1916 N_("net ads printer remove\n"
1917 " Delete a printer")
1919 {NULL, NULL, 0, NULL, NULL}
1922 return net_run_function(c, argc, argv, "net ads printer", func);
1926 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1929 const char *auth_principal = c->opt_user_name;
1930 const char *auth_password = c->opt_password;
1932 char *new_password = NULL;
1937 if (c->display_usage) {
1940 _("net ads password <username>\n"
1941 " Change password for user\n"
1942 " username\tName of user to change password for\n"));
1946 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1947 d_fprintf(stderr, _("You must supply an administrator "
1948 "username/password\n"));
1953 d_fprintf(stderr, _("ERROR: You must say which username to "
1954 "change password for\n"));
1959 if (!strchr_m(user, '@')) {
1960 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1966 use_in_memory_ccache();
1967 chr = strchr_m(auth_principal, '@');
1974 /* use the realm so we can eventually change passwords for users
1975 in realms other than default */
1976 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1980 /* we don't actually need a full connect, but it's the easy way to
1981 fill in the KDC's addresss */
1984 if (!ads->config.realm) {
1985 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1991 new_password = (char *)argv[1];
1993 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1996 new_password = getpass(prompt);
2000 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2001 auth_password, user, new_password, ads->auth.time_offset);
2002 if (!ADS_ERR_OK(ret)) {
2003 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2008 d_printf(_("Password change for %s completed.\n"), user);
2014 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2017 char *host_principal;
2021 if (c->display_usage) {
2023 "net ads changetrustpw\n"
2026 _("Change the machine account's trust password"));
2030 if (!secrets_init()) {
2031 DEBUG(1,("Failed to initialise secrets database\n"));
2035 net_use_krb_machine_account(c);
2037 use_in_memory_ccache();
2039 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2043 fstrcpy(my_name, global_myname());
2044 strlower_m(my_name);
2045 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2049 d_printf(_("Changing password for principal: %s\n"), host_principal);
2051 ret = ads_change_trust_account_password(ads, host_principal);
2053 if (!ADS_ERR_OK(ret)) {
2054 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2056 SAFE_FREE(host_principal);
2060 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2062 if (USE_SYSTEM_KEYTAB) {
2063 d_printf(_("Attempting to update system keytab with new password.\n"));
2064 if (ads_keytab_create_default(ads)) {
2065 d_printf(_("Failed to update system keytab.\n"));
2070 SAFE_FREE(host_principal);
2076 help for net ads search
2078 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2081 "\nnet ads search <expression> <attributes...>\n"
2082 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2083 "The expression is a standard LDAP search expression, and the\n"
2084 "attributes are a list of LDAP fields to show in the results.\n\n"
2085 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2087 net_common_flags_usage(c, argc, argv);
2093 general ADS search function. Useful in diagnosing problems in ADS
2095 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2099 const char *ldap_exp;
2101 LDAPMessage *res = NULL;
2103 if (argc < 1 || c->display_usage) {
2104 return net_ads_search_usage(c, argc, argv);
2107 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2114 rc = ads_do_search_all(ads, ads->config.bind_path,
2116 ldap_exp, attrs, &res);
2117 if (!ADS_ERR_OK(rc)) {
2118 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2123 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2125 /* dump the results */
2128 ads_msgfree(ads, res);
2136 help for net ads search
2138 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2141 "\nnet ads dn <dn> <attributes...>\n"
2142 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2143 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2144 "to show in the results\n\n"
2145 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2146 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2148 net_common_flags_usage(c, argc, argv);
2154 general ADS search function. Useful in diagnosing problems in ADS
2156 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2162 LDAPMessage *res = NULL;
2164 if (argc < 1 || c->display_usage) {
2165 return net_ads_dn_usage(c, argc, argv);
2168 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2175 rc = ads_do_search_all(ads, dn,
2177 "(objectclass=*)", attrs, &res);
2178 if (!ADS_ERR_OK(rc)) {
2179 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2184 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2186 /* dump the results */
2189 ads_msgfree(ads, res);
2196 help for net ads sid search
2198 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2201 "\nnet ads sid <sid> <attributes...>\n"
2202 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2203 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2204 "to show in the results\n\n"
2205 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2207 net_common_flags_usage(c, argc, argv);
2213 general ADS search function. Useful in diagnosing problems in ADS
2215 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2219 const char *sid_string;
2221 LDAPMessage *res = NULL;
2224 if (argc < 1 || c->display_usage) {
2225 return net_ads_sid_usage(c, argc, argv);
2228 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2232 sid_string = argv[0];
2235 if (!string_to_sid(&sid, sid_string)) {
2236 d_fprintf(stderr, _("could not convert sid\n"));
2241 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2242 if (!ADS_ERR_OK(rc)) {
2243 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2248 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2250 /* dump the results */
2253 ads_msgfree(ads, res);
2259 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2264 if (c->display_usage) {
2266 "net ads keytab flush\n"
2269 _("Delete the whole keytab"));
2273 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2276 ret = ads_keytab_flush(ads);
2281 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2287 if (c->display_usage) {
2290 _("net ads keytab add <principal> [principal ...]\n"
2291 " Add principals to local keytab\n"
2292 " principal\tKerberos principal to add to "
2297 d_printf(_("Processing principals to add...\n"));
2298 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2301 for (i = 0; i < argc; i++) {
2302 ret |= ads_keytab_add_entry(ads, argv[i]);
2308 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2313 if (c->display_usage) {
2315 "net ads keytab create\n"
2318 _("Create new default keytab"));
2322 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2325 ret = ads_keytab_create_default(ads);
2330 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2332 const char *keytab = NULL;
2334 if (c->display_usage) {
2337 _("net ads keytab list [keytab]\n"
2338 " List a local keytab\n"
2339 " keytab\tKeytab to list\n"));
2347 return ads_keytab_list(keytab);
2351 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2353 struct functable func[] = {
2358 N_("Add a service principal"),
2359 N_("net ads keytab add\n"
2360 " Add a service principal")
2364 net_ads_keytab_create,
2366 N_("Create a fresh keytab"),
2367 N_("net ads keytab create\n"
2368 " Create a fresh keytab")
2372 net_ads_keytab_flush,
2374 N_("Remove all keytab entries"),
2375 N_("net ads keytab flush\n"
2376 " Remove all keytab entries")
2380 net_ads_keytab_list,
2382 N_("List a keytab"),
2383 N_("net ads keytab list\n"
2386 {NULL, NULL, 0, NULL, NULL}
2389 if (!USE_KERBEROS_KEYTAB) {
2390 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2391 "keytab method to use keytab functions.\n"));
2394 return net_run_function(c, argc, argv, "net ads keytab", func);
2397 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2401 if (c->display_usage) {
2403 "net ads kerberos renew\n"
2406 _("Renew TGT from existing credential cache"));
2410 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2412 d_printf(_("failed to renew kerberos ticket: %s\n"),
2413 error_message(ret));
2418 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2420 struct PAC_DATA *pac = NULL;
2421 struct PAC_LOGON_INFO *info = NULL;
2422 TALLOC_CTX *mem_ctx = NULL;
2425 const char *impersonate_princ_s = NULL;
2427 if (c->display_usage) {
2429 "net ads kerberos pac\n"
2432 _("Dump the Kerberos PAC"));
2436 mem_ctx = talloc_init("net_ads_kerberos_pac");
2442 impersonate_princ_s = argv[0];
2445 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2447 status = kerberos_return_pac(mem_ctx,
2456 2592000, /* one month */
2457 impersonate_princ_s,
2459 if (!NT_STATUS_IS_OK(status)) {
2460 d_printf(_("failed to query kerberos PAC: %s\n"),
2465 info = get_logon_info_from_pac(pac);
2468 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2469 d_printf(_("The Pac: %s\n"), s);
2474 TALLOC_FREE(mem_ctx);
2478 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2480 TALLOC_CTX *mem_ctx = NULL;
2484 if (c->display_usage) {
2486 "net ads kerberos kinit\n"
2489 _("Get Ticket Granting Ticket (TGT) for the user"));
2493 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2498 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2500 ret = kerberos_kinit_password_ext(c->opt_user_name,
2508 2592000, /* one month */
2511 d_printf(_("failed to kinit password: %s\n"),
2518 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2520 struct functable func[] = {
2523 net_ads_kerberos_kinit,
2525 N_("Retrieve Ticket Granting Ticket (TGT)"),
2526 N_("net ads kerberos kinit\n"
2527 " Receive Ticket Granting Ticket (TGT)")
2531 net_ads_kerberos_renew,
2533 N_("Renew Ticket Granting Ticket from credential cache"),
2534 N_("net ads kerberos renew\n"
2535 " Renew Ticket Granting Ticket (TGT) from "
2540 net_ads_kerberos_pac,
2542 N_("Dump Kerberos PAC"),
2543 N_("net ads kerberos pac\n"
2544 " Dump Kerberos PAC")
2546 {NULL, NULL, 0, NULL, NULL}
2549 return net_run_function(c, argc, argv, "net ads kerberos", func);
2552 int net_ads(struct net_context *c, int argc, const char **argv)
2554 struct functable func[] = {
2559 N_("Display details on remote ADS server"),
2561 " Display details on remote ADS server")
2567 N_("Join the local machine to ADS realm"),
2569 " Join the local machine to ADS realm")
2575 N_("Validate machine account"),
2576 N_("net ads testjoin\n"
2577 " Validate machine account")
2583 N_("Remove the local machine from ADS"),
2584 N_("net ads leave\n"
2585 " Remove the local machine from ADS")
2591 N_("Display machine account details"),
2592 N_("net ads status\n"
2593 " Display machine account details")
2599 N_("List/modify users"),
2601 " List/modify users")
2607 N_("List/modify groups"),
2608 N_("net ads group\n"
2609 " List/modify groups")
2615 N_("Issue dynamic DNS update"),
2617 " Issue dynamic DNS update")
2623 N_("Change user passwords"),
2624 N_("net ads password\n"
2625 " Change user passwords")
2629 net_ads_changetrustpw,
2631 N_("Change trust account password"),
2632 N_("net ads changetrustpw\n"
2633 " Change trust account password")
2639 N_("List/modify printer entries"),
2640 N_("net ads printer\n"
2641 " List/modify printer entries")
2647 N_("Issue LDAP search using filter"),
2648 N_("net ads search\n"
2649 " Issue LDAP search using filter")
2655 N_("Issue LDAP search by DN"),
2657 " Issue LDAP search by DN")
2663 N_("Issue LDAP search by SID"),
2665 " Issue LDAP search by SID")
2671 N_("Display workgroup name"),
2672 N_("net ads workgroup\n"
2673 " Display the workgroup name")
2679 N_("Perfom CLDAP query on DC"),
2680 N_("net ads lookup\n"
2681 " Find the ADS DC using CLDAP lookups")
2687 N_("Manage local keytab file"),
2688 N_("net ads keytab\n"
2689 " Manage local keytab file")
2695 N_("Manage group policy objects"),
2697 " Manage group policy objects")
2703 N_("Manage kerberos keytab"),
2704 N_("net ads kerberos\n"
2705 " Manage kerberos keytab")
2707 {NULL, NULL, 0, NULL, NULL}
2710 return net_run_function(c, argc, argv, "net ads", func);
2715 static int net_ads_noads(void)
2717 d_fprintf(stderr, _("ADS support not compiled in\n"));
2721 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2723 return net_ads_noads();
2726 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2728 return net_ads_noads();
2731 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2733 return net_ads_noads();
2736 int net_ads_join(struct net_context *c, int argc, const char **argv)
2738 return net_ads_noads();
2741 int net_ads_user(struct net_context *c, int argc, const char **argv)
2743 return net_ads_noads();
2746 int net_ads_group(struct net_context *c, int argc, const char **argv)
2748 return net_ads_noads();
2751 /* this one shouldn't display a message */
2752 int net_ads_check(struct net_context *c)
2757 int net_ads_check_our_domain(struct net_context *c)
2762 int net_ads(struct net_context *c, int argc, const char **argv)
2764 return net_ads_noads();
2767 #endif /* WITH_ADS */