2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
31 /* when we do not have sufficient input parameters to contact a remote domain
32 * we always fall back to our own realm - Guenther*/
34 static const char *assume_own_realm(struct net_context *c)
36 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
44 do a cldap netlogon query
46 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
48 char addr[INET6_ADDRSTRLEN];
49 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
51 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
52 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
53 d_fprintf(stderr, _("CLDAP query failed!\n"));
57 d_printf(_("Information for Domain Controller: %s\n\n"),
60 d_printf(_("Response Type: "));
61 switch (reply.command) {
62 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
63 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
65 case LOGON_SAM_LOGON_RESPONSE_EX:
66 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
69 d_printf("0x%x\n", reply.command);
73 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
77 "\tIs a GC of the forest: %s\n"
78 "\tIs an LDAP server: %s\n"
80 "\tIs running a KDC: %s\n"
81 "\tIs running time services: %s\n"
82 "\tIs the closest DC: %s\n"
84 "\tHas a hardware clock: %s\n"
85 "\tIs a non-domain NC serviced by LDAP server: %s\n"
86 "\tIs NT6 DC that has some secrets: %s\n"
87 "\tIs NT6 DC that has all secrets: %s\n"),
88 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
89 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
90 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
91 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
92 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
93 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
94 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
95 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
96 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
97 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
98 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
102 printf(_("Forest:\t\t\t%s\n"), reply.forest);
103 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
104 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
106 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain);
107 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
109 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
111 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
112 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
114 d_printf(_("NT Version: %d\n"), reply.nt_version);
115 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
116 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
122 this implements the CLDAP based netlogon lookup requests
123 for finding the domain controller of a ADS domain
125 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
130 if (c->display_usage) {
135 _("Find the ADS DC using CLDAP lookup.\n"));
139 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
140 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
145 if (!ads->config.realm) {
146 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
147 ads->ldap.port = 389;
150 ret = net_ads_cldap_netlogon(c, ads);
157 static int net_ads_info(struct net_context *c, int argc, const char **argv)
160 char addr[INET6_ADDRSTRLEN];
162 if (c->display_usage) {
167 _("Display information about an Active Directory "
172 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
173 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
177 if (!ads || !ads->config.realm) {
178 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
183 /* Try to set the server's current time since we didn't do a full
184 TCP LDAP session initially */
186 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
187 d_fprintf( stderr, _("Failed to get server's current time!\n"));
190 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
192 d_printf(_("LDAP server: %s\n"), addr);
193 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
194 d_printf(_("Realm: %s\n"), ads->config.realm);
195 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
196 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
197 d_printf(_("Server time: %s\n"),
198 http_timestring(talloc_tos(), ads->config.current_time));
200 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
201 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
207 static void use_in_memory_ccache(void) {
208 /* Use in-memory credentials cache so we do not interfere with
209 * existing credentials */
210 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
213 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
214 uint32 auth_flags, ADS_STRUCT **ads_ret)
216 ADS_STRUCT *ads = NULL;
218 bool need_password = false;
219 bool second_time = false;
221 const char *realm = NULL;
222 bool tried_closest_dc = false;
224 /* lp_realm() should be handled by a command line param,
225 However, the join requires that realm be set in smb.conf
226 and compares our realm with the remote server's so this is
227 ok until someone needs more flexibility */
232 if (only_own_domain) {
235 realm = assume_own_realm(c);
238 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
240 if (!c->opt_user_name) {
241 c->opt_user_name = "administrator";
244 if (c->opt_user_specified) {
245 need_password = true;
249 if (!c->opt_password && need_password && !c->opt_machine_pass) {
250 c->opt_password = net_prompt_pass(c, c->opt_user_name);
251 if (!c->opt_password) {
253 return ADS_ERROR(LDAP_NO_MEMORY);
257 if (c->opt_password) {
258 use_in_memory_ccache();
259 SAFE_FREE(ads->auth.password);
260 ads->auth.password = smb_xstrdup(c->opt_password);
263 ads->auth.flags |= auth_flags;
264 SAFE_FREE(ads->auth.user_name);
265 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
268 * If the username is of the form "name@realm",
269 * extract the realm and convert to upper case.
270 * This is only used to establish the connection.
272 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
274 SAFE_FREE(ads->auth.realm);
275 ads->auth.realm = smb_xstrdup(cp);
276 strupper_m(ads->auth.realm);
279 status = ads_connect(ads);
281 if (!ADS_ERR_OK(status)) {
283 if (NT_STATUS_EQUAL(ads_ntstatus(status),
284 NT_STATUS_NO_LOGON_SERVERS)) {
285 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
290 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
291 need_password = true;
300 /* when contacting our own domain, make sure we use the closest DC.
301 * This is done by reconnecting to ADS because only the first call to
302 * ads_connect will give us our own sitename */
304 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
306 tried_closest_dc = true; /* avoid loop */
308 if (!ads_closest_dc(ads)) {
310 namecache_delete(ads->server.realm, 0x1C);
311 namecache_delete(ads->server.workgroup, 0x1C);
324 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
326 return ads_startup_int(c, only_own_domain, 0, ads);
329 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
331 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
335 Check to see if connection can be made via ads.
336 ads_startup() stores the password in opt_password if it needs to so
337 that rpc or rap can use it without re-prompting.
339 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
344 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
348 ads->auth.flags |= ADS_AUTH_NO_BIND;
350 status = ads_connect(ads);
351 if ( !ADS_ERR_OK(status) ) {
359 int net_ads_check_our_domain(struct net_context *c)
361 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
364 int net_ads_check(struct net_context *c)
366 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
370 determine the netbios workgroup name for a domain
372 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
375 char addr[INET6_ADDRSTRLEN];
376 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
378 if (c->display_usage) {
380 "net ads workgroup\n"
383 _("Print the workgroup name"));
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, _("CLDAP query failed!\n"));
404 d_printf(_("Workgroup: %s\n"), reply.domain);
413 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
415 char **disp_fields = (char **) data_area;
417 if (!field) { /* must be end of record */
418 if (disp_fields[0]) {
419 if (!strchr_m(disp_fields[0], '$')) {
421 d_printf("%-21.21s %s\n",
422 disp_fields[0], disp_fields[1]);
424 d_printf("%s\n", disp_fields[0]);
427 SAFE_FREE(disp_fields[0]);
428 SAFE_FREE(disp_fields[1]);
431 if (!values) /* must be new field, indicate string field */
433 if (StrCaseCmp(field, "sAMAccountName") == 0) {
434 disp_fields[0] = SMB_STRDUP((char *) values[0]);
436 if (StrCaseCmp(field, "description") == 0)
437 disp_fields[1] = SMB_STRDUP((char *) values[0]);
441 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
443 return net_user_usage(c, argc, argv);
446 static int ads_user_add(struct net_context *c, int argc, const char **argv)
451 LDAPMessage *res=NULL;
455 if (argc < 1 || c->display_usage)
456 return net_ads_user_usage(c, argc, argv);
458 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
462 status = ads_find_user_acct(ads, &res, argv[0]);
464 if (!ADS_ERR_OK(status)) {
465 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
469 if (ads_count_replies(ads, res)) {
470 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
475 if (c->opt_container) {
476 ou_str = SMB_STRDUP(c->opt_container);
478 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
481 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
483 if (!ADS_ERR_OK(status)) {
484 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
489 /* if no password is to be set, we're done */
491 d_printf(_("User %s added\n"), argv[0]);
496 /* try setting the password */
497 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
500 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
501 ads->auth.time_offset);
503 if (ADS_ERR_OK(status)) {
504 d_printf(_("User %s added\n"), argv[0]);
509 /* password didn't set, delete account */
510 d_fprintf(stderr, _("Could not add user %s. "
511 "Error setting password %s\n"),
512 argv[0], ads_errstr(status));
513 ads_msgfree(ads, res);
514 status=ads_find_user_acct(ads, &res, argv[0]);
515 if (ADS_ERR_OK(status)) {
516 userdn = ads_get_dn(ads, talloc_tos(), res);
517 ads_del_dn(ads, userdn);
523 ads_msgfree(ads, res);
529 static int ads_user_info(struct net_context *c, int argc, const char **argv)
531 ADS_STRUCT *ads = NULL;
533 LDAPMessage *res = NULL;
537 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
538 char *searchstring=NULL;
542 DOM_SID primary_group_sid;
544 enum wbcSidType type;
546 if (argc < 1 || c->display_usage) {
547 return net_ads_user_usage(c, argc, argv);
550 frame = talloc_new(talloc_tos());
555 escaped_user = escape_ldap_string(frame, argv[0]);
558 _("ads_user_info: failed to escape user %s\n"),
563 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
568 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
572 rc = ads_search(ads, &res, searchstring, attrs);
573 SAFE_FREE(searchstring);
575 if (!ADS_ERR_OK(rc)) {
576 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
581 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
582 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
587 rc = ads_domain_sid(ads, &primary_group_sid);
588 if (!ADS_ERR_OK(rc)) {
589 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
594 sid_append_rid(&primary_group_sid, group_rid);
596 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
597 NULL, /* don't look up domain */
600 if (!WBC_ERROR_IS_OK(wbc_status)) {
601 d_fprintf(stderr, "wbcLookupSid: %s\n",
602 wbcErrorString(wbc_status));
607 d_printf("%s\n", primary_group);
609 wbcFreeMemory(primary_group);
611 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
612 (LDAPMessage *)res, "memberOf");
617 for (i=0;grouplist[i];i++) {
618 groupname = ldap_explode_dn(grouplist[i], 1);
619 d_printf("%s\n", groupname[0]);
620 ldap_value_free(groupname);
622 ldap_value_free(grouplist);
626 if (res) ads_msgfree(ads, res);
627 if (ads) ads_destroy(&ads);
632 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
636 LDAPMessage *res = NULL;
640 return net_ads_user_usage(c, argc, argv);
643 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
647 rc = ads_find_user_acct(ads, &res, argv[0]);
648 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
649 d_printf(_("User %s does not exist.\n"), argv[0]);
650 ads_msgfree(ads, res);
654 userdn = ads_get_dn(ads, talloc_tos(), res);
655 ads_msgfree(ads, res);
656 rc = ads_del_dn(ads, userdn);
658 if (ADS_ERR_OK(rc)) {
659 d_printf(_("User %s deleted\n"), argv[0]);
663 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
669 int net_ads_user(struct net_context *c, int argc, const char **argv)
671 struct functable func[] = {
676 N_("Add an AD user"),
677 N_("net ads user add\n"
684 N_("Display information about an AD user"),
685 N_("net ads user info\n"
686 " Display information about an AD user")
692 N_("Delete an AD user"),
693 N_("net ads user delete\n"
694 " Delete an AD user")
696 {NULL, NULL, 0, NULL, NULL}
700 const char *shortattrs[] = {"sAMAccountName", NULL};
701 const char *longattrs[] = {"sAMAccountName", "description", NULL};
702 char *disp_fields[2] = {NULL, NULL};
705 if (c->display_usage) {
711 net_display_usage_from_functable(func);
715 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
719 if (c->opt_long_list_entries)
720 d_printf(_("\nUser name Comment"
721 "\n-----------------------------\n"));
723 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
725 "(objectCategory=user)",
726 c->opt_long_list_entries ? longattrs :
727 shortattrs, usergrp_display,
730 return ADS_ERR_OK(rc) ? 0 : -1;
733 return net_run_function(c, argc, argv, "net ads user", func);
736 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
738 return net_group_usage(c, argc, argv);
741 static int ads_group_add(struct net_context *c, int argc, const char **argv)
745 LDAPMessage *res=NULL;
749 if (argc < 1 || c->display_usage) {
750 return net_ads_group_usage(c, argc, argv);
753 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
757 status = ads_find_user_acct(ads, &res, argv[0]);
759 if (!ADS_ERR_OK(status)) {
760 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
764 if (ads_count_replies(ads, res)) {
765 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
769 if (c->opt_container) {
770 ou_str = SMB_STRDUP(c->opt_container);
772 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
775 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
777 if (ADS_ERR_OK(status)) {
778 d_printf(_("Group %s added\n"), argv[0]);
781 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
787 ads_msgfree(ads, res);
793 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
797 LDAPMessage *res = NULL;
800 if (argc < 1 || c->display_usage) {
801 return net_ads_group_usage(c, argc, argv);
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
808 rc = ads_find_user_acct(ads, &res, argv[0]);
809 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
810 d_printf(_("Group %s does not exist.\n"), argv[0]);
811 ads_msgfree(ads, res);
815 groupdn = ads_get_dn(ads, talloc_tos(), res);
816 ads_msgfree(ads, res);
817 rc = ads_del_dn(ads, groupdn);
818 TALLOC_FREE(groupdn);
819 if (ADS_ERR_OK(rc)) {
820 d_printf(_("Group %s deleted\n"), argv[0]);
824 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
830 int net_ads_group(struct net_context *c, int argc, const char **argv)
832 struct functable func[] = {
837 N_("Add an AD group"),
838 N_("net ads group add\n"
845 N_("Delete an AD group"),
846 N_("net ads group delete\n"
847 " Delete an AD group")
849 {NULL, NULL, 0, NULL, NULL}
853 const char *shortattrs[] = {"sAMAccountName", NULL};
854 const char *longattrs[] = {"sAMAccountName", "description", NULL};
855 char *disp_fields[2] = {NULL, NULL};
858 if (c->display_usage) {
863 _("List AD groups"));
864 net_display_usage_from_functable(func);
868 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
872 if (c->opt_long_list_entries)
873 d_printf(_("\nGroup name Comment"
874 "\n-----------------------------\n"));
875 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
877 "(objectCategory=group)",
878 c->opt_long_list_entries ? longattrs :
879 shortattrs, usergrp_display,
883 return ADS_ERR_OK(rc) ? 0 : -1;
885 return net_run_function(c, argc, argv, "net ads group", func);
888 static int net_ads_status(struct net_context *c, int argc, const char **argv)
894 if (c->display_usage) {
899 _("Display machine account details"));
903 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
907 rc = ads_find_machine_acct(ads, &res, global_myname());
908 if (!ADS_ERR_OK(rc)) {
909 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
914 if (ads_count_replies(ads, res) == 0) {
915 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
925 /*******************************************************************
926 Leave an AD domain. Windows XP disables the machine account.
927 We'll try the same. The old code would do an LDAP delete.
928 That only worked using the machine creds because added the machine
929 with full control to the computer object's ACL.
930 *******************************************************************/
932 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
935 struct libnet_UnjoinCtx *r = NULL;
938 if (c->display_usage) {
943 _("Leave an AD domain"));
948 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
952 if (!(ctx = talloc_init("net_ads_leave"))) {
953 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
957 if (!c->opt_kerberos) {
958 use_in_memory_ccache();
961 werr = libnet_init_UnjoinCtx(ctx, &r);
962 if (!W_ERROR_IS_OK(werr)) {
963 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
968 r->in.use_kerberos = c->opt_kerberos;
969 r->in.dc_name = c->opt_host;
970 r->in.domain_name = lp_realm();
971 r->in.admin_account = c->opt_user_name;
972 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
973 r->in.modify_config = lp_config_backend_is_registry();
975 /* Try to delete it, but if that fails, disable it. The
976 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
977 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
978 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
979 r->in.delete_machine_account = true;
981 werr = libnet_Unjoin(ctx, r);
982 if (!W_ERROR_IS_OK(werr)) {
983 d_printf(_("Failed to leave domain: %s\n"),
984 r->out.error_string ? r->out.error_string :
985 get_friendly_werror_msg(werr));
989 if (r->out.deleted_machine_account) {
990 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
991 r->in.machine_name, r->out.dns_domain_name);
995 /* We couldn't delete it - see if the disable succeeded. */
996 if (r->out.disabled_machine_account) {
997 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
998 r->in.machine_name, r->out.dns_domain_name);
1003 /* Based on what we requseted, we shouldn't get here, but if
1004 we did, it means the secrets were removed, and therefore
1005 we have left the domain */
1006 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1007 r->in.machine_name, r->out.dns_domain_name);
1013 if (W_ERROR_IS_OK(werr)) {
1020 static NTSTATUS net_ads_join_ok(struct net_context *c)
1022 ADS_STRUCT *ads = NULL;
1025 struct sockaddr_storage dcip;
1027 if (!secrets_init()) {
1028 DEBUG(1,("Failed to initialise secrets database\n"));
1029 return NT_STATUS_ACCESS_DENIED;
1032 net_use_krb_machine_account(c);
1034 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1036 status = ads_startup(c, true, &ads);
1037 if (!ADS_ERR_OK(status)) {
1038 return ads_ntstatus(status);
1042 return NT_STATUS_OK;
1046 check that an existing join is OK
1048 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1051 use_in_memory_ccache();
1053 if (c->display_usage) {
1055 "net ads testjoin\n"
1058 _("Test if the existing join is ok"));
1062 /* Display success or failure */
1063 status = net_ads_join_ok(c);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1066 get_friendly_nt_error_msg(status));
1070 printf(_("Join is OK\n"));
1074 /*******************************************************************
1075 Simple configu checks before beginning the join
1076 ********************************************************************/
1078 static WERROR check_ads_config( void )
1080 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1081 d_printf(_("Host is not configured as a member server.\n"));
1082 return WERR_INVALID_DOMAIN_ROLE;
1085 if (strlen(global_myname()) > 15) {
1086 d_printf(_("Our netbios name can be at most 15 chars long, "
1087 "\"%s\" is %u chars long\n"), global_myname(),
1088 (unsigned int)strlen(global_myname()));
1089 return WERR_INVALID_COMPUTERNAME;
1092 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1093 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1094 "join to succeed.\n"), get_dyn_CONFIGFILE());
1095 return WERR_INVALID_PARAM;
1101 /*******************************************************************
1102 Send a DNS update request
1103 *******************************************************************/
1105 #if defined(WITH_DNS_UPDATES)
1107 DNS_ERROR DoDNSUpdate(char *pszServerName,
1108 const char *pszDomainName, const char *pszHostName,
1109 const struct sockaddr_storage *sslist,
1112 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1113 const char *machine_name,
1114 const struct sockaddr_storage *addrs,
1117 struct dns_rr_ns *nameservers = NULL;
1119 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1122 const char *dnsdomain = NULL;
1123 char *root_domain = NULL;
1125 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1126 d_printf(_("No DNS domain configured for %s. "
1127 "Unable to perform DNS Update.\n"), machine_name);
1128 status = NT_STATUS_INVALID_PARAMETER;
1133 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1134 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1135 /* Child domains often do not have NS records. Look
1136 for the NS record for the forest root domain
1137 (rootDomainNamingContext in therootDSE) */
1139 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1140 LDAPMessage *msg = NULL;
1142 ADS_STATUS ads_status;
1144 if ( !ads->ldap.ld ) {
1145 ads_status = ads_connect( ads );
1146 if ( !ADS_ERR_OK(ads_status) ) {
1147 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1152 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1153 "(objectclass=*)", rootname_attrs, &msg);
1154 if (!ADS_ERR_OK(ads_status)) {
1158 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1160 ads_msgfree( ads, msg );
1164 root_domain = ads_build_domain( root_dn );
1167 ads_msgfree( ads, msg );
1169 /* try again for NS servers */
1171 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1173 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1174 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1175 "realm\n", ads->config.realm));
1179 dnsdomain = root_domain;
1183 /* Now perform the dns update - we'll try non-secure and if we fail,
1184 we'll follow it up with a secure update */
1186 fstrcpy( dns_server, nameservers[0].hostname );
1188 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1189 if (!ERR_DNS_IS_OK(dns_err)) {
1190 status = NT_STATUS_UNSUCCESSFUL;
1195 SAFE_FREE( root_domain );
1200 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1201 const char *hostname,
1202 struct sockaddr_storage *iplist,
1205 struct sockaddr_storage *iplist_alloc = NULL;
1206 fstring machine_name;
1210 fstrcpy(machine_name, hostname);
1212 name_to_fqdn( machine_name, global_myname() );
1214 strlower_m( machine_name );
1216 if (num_addrs == 0 || iplist == NULL) {
1218 * Get our ip address
1219 * (not the 127.0.0.x address but a real ip address)
1221 num_addrs = get_my_ip_address(&iplist_alloc);
1222 if ( num_addrs <= 0 ) {
1223 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1224 "non-loopback IP addresses!\n"));
1225 return NT_STATUS_INVALID_PARAMETER;
1227 iplist = iplist_alloc;
1230 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1233 SAFE_FREE(iplist_alloc);
1237 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1241 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1247 /*******************************************************************
1248 ********************************************************************/
1250 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1252 d_printf(_("net ads join [options]\n"
1253 "Valid options:\n"));
1254 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1255 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1256 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1257 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1258 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1259 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1260 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1261 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1262 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1263 " NB: osName and osVer must be specified together for either to take effect.\n"
1264 " Also, the operatingSystemService attribute is also set when along with\n"
1265 " the two other attributes.\n"));
1270 /*******************************************************************
1271 ********************************************************************/
1273 int net_ads_join(struct net_context *c, int argc, const char **argv)
1275 TALLOC_CTX *ctx = NULL;
1276 struct libnet_JoinCtx *r = NULL;
1277 const char *domain = lp_realm();
1278 WERROR werr = WERR_SETUP_NOT_JOINED;
1279 bool createupn = false;
1280 const char *machineupn = NULL;
1281 const char *create_in_ou = NULL;
1283 const char *os_name = NULL;
1284 const char *os_version = NULL;
1285 bool modify_config = lp_config_backend_is_registry();
1287 if (c->display_usage)
1288 return net_ads_join_usage(c, argc, argv);
1290 if (!modify_config) {
1292 werr = check_ads_config();
1293 if (!W_ERROR_IS_OK(werr)) {
1294 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1299 if (!(ctx = talloc_init("net_ads_join"))) {
1300 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1305 if (!c->opt_kerberos) {
1306 use_in_memory_ccache();
1309 werr = libnet_init_JoinCtx(ctx, &r);
1310 if (!W_ERROR_IS_OK(werr)) {
1314 /* process additional command line args */
1316 for ( i=0; i<argc; i++ ) {
1317 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1319 machineupn = get_string_param(argv[i]);
1321 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1322 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1323 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1324 werr = WERR_INVALID_PARAM;
1328 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1329 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1330 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1331 werr = WERR_INVALID_PARAM;
1335 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1336 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1337 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1338 werr = WERR_INVALID_PARAM;
1348 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1349 werr = WERR_INVALID_PARAM;
1353 /* Do the domain join here */
1355 r->in.domain_name = domain;
1356 r->in.create_upn = createupn;
1357 r->in.upn = machineupn;
1358 r->in.account_ou = create_in_ou;
1359 r->in.os_name = os_name;
1360 r->in.os_version = os_version;
1361 r->in.dc_name = c->opt_host;
1362 r->in.admin_account = c->opt_user_name;
1363 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1365 r->in.use_kerberos = c->opt_kerberos;
1366 r->in.modify_config = modify_config;
1367 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1368 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1369 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1371 werr = libnet_Join(ctx, r);
1372 if (!W_ERROR_IS_OK(werr)) {
1376 /* Check the short name of the domain */
1378 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1379 d_printf(_("The workgroup in %s does not match the short\n"
1380 "domain name obtained from the server.\n"
1381 "Using the name [%s] from the server.\n"
1382 "You should set \"workgroup = %s\" in %s.\n"),
1383 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1384 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1387 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1389 if (r->out.dns_domain_name) {
1390 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1391 r->out.dns_domain_name);
1393 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1394 r->out.netbios_domain_name);
1397 #if defined(WITH_DNS_UPDATES)
1399 * In a clustered environment, don't do dynamic dns updates:
1400 * Registering the set of ip addresses that are assigned to
1401 * the interfaces of the node that performs the join does usually
1402 * not have the desired effect, since the local interfaces do not
1403 * carry the complete set of the cluster's public IP addresses.
1404 * And it can also contain internal addresses that should not
1405 * be visible to the outside at all.
1406 * In order to do dns updates in a clustererd setup, use
1407 * net ads dns register.
1409 if (lp_clustering()) {
1410 d_fprintf(stderr, _("Not doing automatic DNS update in a"
1411 "clustered setup.\n"));
1415 if (r->out.domain_is_ad) {
1416 /* We enter this block with user creds */
1417 ADS_STRUCT *ads_dns = NULL;
1419 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1420 /* kinit with the machine password */
1422 use_in_memory_ccache();
1423 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1426 ads_dns->auth.password = secrets_fetch_machine_password(
1427 r->out.netbios_domain_name, NULL, NULL );
1428 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1429 strupper_m(ads_dns->auth.realm );
1430 ads_kinit_password( ads_dns );
1433 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1434 d_fprintf( stderr, _("DNS update failed!\n") );
1437 /* exit from this block using machine creds */
1438 ads_destroy(&ads_dns);
1449 /* issue an overall failure message at the end. */
1450 d_printf(_("Failed to join domain: %s\n"),
1451 r && r->out.error_string ? r->out.error_string :
1452 get_friendly_werror_msg(werr));
1458 /*******************************************************************
1459 ********************************************************************/
1461 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1463 #if defined(WITH_DNS_UPDATES)
1468 const char *hostname = NULL;
1469 const char **addrs_list = NULL;
1470 struct sockaddr_storage *addrs = NULL;
1475 talloc_enable_leak_report();
1478 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1479 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1480 "detection of addresses in a clustered "
1482 c->display_usage = true;
1485 if (c->display_usage) {
1487 "net ads dns register [hostname [IP [IP...]]]\n"
1490 _("Register hostname with DNS\n"));
1494 if (!(ctx = talloc_init("net_ads_dns"))) {
1495 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1504 num_addrs = argc - 1;
1505 addrs_list = &argv[1];
1506 } else if (lp_clustering()) {
1507 addrs_list = lp_cluster_addresses();
1508 num_addrs = str_list_length(addrs_list);
1511 if (num_addrs > 0) {
1512 addrs = talloc_zero_array(ctx, struct sockaddr_storage, num_addrs);
1513 if (addrs == NULL) {
1514 d_fprintf(stderr, _("Error allocating memory!\n"));
1520 for (count = 0; count < num_addrs; count++) {
1521 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1522 d_fprintf(stderr, "%s '%s'.\n",
1523 _("Cannot interpret address"),
1530 status = ads_startup(c, true, &ads);
1531 if ( !ADS_ERR_OK(status) ) {
1532 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1537 ntstatus = net_update_dns_ext(ctx, ads, hostname, addrs, num_addrs);
1538 if (!NT_STATUS_IS_OK(ntstatus)) {
1539 d_fprintf( stderr, _("DNS update failed!\n") );
1540 ads_destroy( &ads );
1545 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1553 _("DNS update support not enabled at compile time!\n"));
1558 #if defined(WITH_DNS_UPDATES)
1559 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1562 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1564 #if defined(WITH_DNS_UPDATES)
1568 talloc_enable_leak_report();
1571 if (argc != 2 || c->display_usage) {
1576 _("net ads dns gethostbyname <server> <name>\n"),
1577 _(" Look up hostname from the AD\n"
1578 " server\tName server to use\n"
1579 " name\tName to look up\n"));
1583 err = do_gethostbyname(argv[0], argv[1]);
1585 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1590 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1592 struct functable func[] = {
1595 net_ads_dns_register,
1597 N_("Add host dns entry to AD"),
1598 N_("net ads dns register\n"
1599 " Add host dns entry to AD")
1603 net_ads_dns_gethostbyname,
1606 N_("net ads dns gethostbyname\n"
1609 {NULL, NULL, 0, NULL, NULL}
1612 return net_run_function(c, argc, argv, "net ads dns", func);
1615 /*******************************************************************
1616 ********************************************************************/
1618 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1621 "\nnet ads printer search <printer>"
1622 "\n\tsearch for a printer in the directory\n"
1623 "\nnet ads printer info <printer> <server>"
1624 "\n\tlookup info in directory for printer on server"
1625 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1626 "\nnet ads printer publish <printername>"
1627 "\n\tpublish printer in directory"
1628 "\n\t(note: printer name is required)\n"
1629 "\nnet ads printer remove <printername>"
1630 "\n\tremove printer from directory"
1631 "\n\t(note: printer name is required)\n"));
1635 /*******************************************************************
1636 ********************************************************************/
1638 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1642 LDAPMessage *res = NULL;
1644 if (c->display_usage) {
1646 "net ads printer search\n"
1649 _("List printers in the AD"));
1653 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1657 rc = ads_find_printers(ads, &res);
1659 if (!ADS_ERR_OK(rc)) {
1660 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1661 ads_msgfree(ads, res);
1666 if (ads_count_replies(ads, res) == 0) {
1667 d_fprintf(stderr, _("No results found\n"));
1668 ads_msgfree(ads, res);
1674 ads_msgfree(ads, res);
1679 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1683 const char *servername, *printername;
1684 LDAPMessage *res = NULL;
1686 if (c->display_usage) {
1689 _("net ads printer info [printername [servername]]\n"
1690 " Display printer info from AD\n"
1691 " printername\tPrinter name or wildcard\n"
1692 " servername\tName of the print server\n"));
1696 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1701 printername = argv[0];
1707 servername = argv[1];
1709 servername = global_myname();
1712 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1714 if (!ADS_ERR_OK(rc)) {
1715 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1716 servername, ads_errstr(rc));
1717 ads_msgfree(ads, res);
1722 if (ads_count_replies(ads, res) == 0) {
1723 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1724 ads_msgfree(ads, res);
1730 ads_msgfree(ads, res);
1736 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1740 const char *servername, *printername;
1741 struct cli_state *cli = NULL;
1742 struct rpc_pipe_client *pipe_hnd = NULL;
1743 struct sockaddr_storage server_ss;
1745 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1746 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1747 char *prt_dn, *srv_dn, **srv_cn;
1748 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1749 LDAPMessage *res = NULL;
1751 if (argc < 1 || c->display_usage) {
1754 _("net ads printer publish <printername> [servername]\n"
1755 " Publish printer in AD\n"
1756 " printername\tName of the printer\n"
1757 " servername\tName of the print server\n"));
1758 talloc_destroy(mem_ctx);
1762 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1763 talloc_destroy(mem_ctx);
1767 printername = argv[0];
1770 servername = argv[1];
1772 servername = global_myname();
1775 /* Get printer data from SPOOLSS */
1777 resolve_name(servername, &server_ss, 0x20, false);
1779 nt_status = cli_full_connection(&cli, global_myname(), servername,
1782 c->opt_user_name, c->opt_workgroup,
1783 c->opt_password ? c->opt_password : "",
1784 CLI_FULL_CONNECTION_USE_KERBEROS,
1787 if (NT_STATUS_IS_ERR(nt_status)) {
1788 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1789 "obtain data for %s\n"),
1790 servername, printername);
1792 talloc_destroy(mem_ctx);
1796 /* Publish on AD server */
1798 ads_find_machine_acct(ads, &res, servername);
1800 if (ads_count_replies(ads, res) == 0) {
1801 d_fprintf(stderr, _("Could not find machine account for server "
1805 talloc_destroy(mem_ctx);
1809 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1810 srv_cn = ldap_explode_dn(srv_dn, 1);
1812 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1813 printername_escaped = escape_rdn_val_string_alloc(printername);
1814 if (!srv_cn_escaped || !printername_escaped) {
1815 SAFE_FREE(srv_cn_escaped);
1816 SAFE_FREE(printername_escaped);
1817 d_fprintf(stderr, _("Internal error, out of memory!"));
1819 talloc_destroy(mem_ctx);
1823 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1824 SAFE_FREE(srv_cn_escaped);
1825 SAFE_FREE(printername_escaped);
1826 d_fprintf(stderr, _("Internal error, out of memory!"));
1828 talloc_destroy(mem_ctx);
1832 SAFE_FREE(srv_cn_escaped);
1833 SAFE_FREE(printername_escaped);
1835 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1836 if (!NT_STATUS_IS_OK(nt_status)) {
1837 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1841 talloc_destroy(mem_ctx);
1845 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1849 talloc_destroy(mem_ctx);
1853 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1854 if (!ADS_ERR_OK(rc)) {
1855 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1858 talloc_destroy(mem_ctx);
1862 d_printf("published printer\n");
1865 talloc_destroy(mem_ctx);
1870 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1874 const char *servername;
1876 LDAPMessage *res = NULL;
1878 if (argc < 1 || c->display_usage) {
1881 _("net ads printer remove <printername> [servername]\n"
1882 " Remove a printer from the AD\n"
1883 " printername\tName of the printer\n"
1884 " servername\tName of the print server\n"));
1888 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1893 servername = argv[1];
1895 servername = global_myname();
1898 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1900 if (!ADS_ERR_OK(rc)) {
1901 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1902 ads_msgfree(ads, res);
1907 if (ads_count_replies(ads, res) == 0) {
1908 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1909 ads_msgfree(ads, res);
1914 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1915 ads_msgfree(ads, res);
1916 rc = ads_del_dn(ads, prt_dn);
1917 TALLOC_FREE(prt_dn);
1919 if (!ADS_ERR_OK(rc)) {
1920 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1929 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1931 struct functable func[] = {
1934 net_ads_printer_search,
1936 N_("Search for a printer"),
1937 N_("net ads printer search\n"
1938 " Search for a printer")
1942 net_ads_printer_info,
1944 N_("Display printer information"),
1945 N_("net ads printer info\n"
1946 " Display printer information")
1950 net_ads_printer_publish,
1952 N_("Publish a printer"),
1953 N_("net ads printer publish\n"
1954 " Publish a printer")
1958 net_ads_printer_remove,
1960 N_("Delete a printer"),
1961 N_("net ads printer remove\n"
1962 " Delete a printer")
1964 {NULL, NULL, 0, NULL, NULL}
1967 return net_run_function(c, argc, argv, "net ads printer", func);
1971 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1974 const char *auth_principal = c->opt_user_name;
1975 const char *auth_password = c->opt_password;
1977 char *new_password = NULL;
1982 if (c->display_usage) {
1985 _("net ads password <username>\n"
1986 " Change password for user\n"
1987 " username\tName of user to change password for\n"));
1991 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1992 d_fprintf(stderr, _("You must supply an administrator "
1993 "username/password\n"));
1998 d_fprintf(stderr, _("ERROR: You must say which username to "
1999 "change password for\n"));
2004 if (!strchr_m(user, '@')) {
2005 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
2011 use_in_memory_ccache();
2012 chr = strchr_m(auth_principal, '@');
2019 /* use the realm so we can eventually change passwords for users
2020 in realms other than default */
2021 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
2025 /* we don't actually need a full connect, but it's the easy way to
2026 fill in the KDC's addresss */
2029 if (!ads->config.realm) {
2030 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2036 new_password = (char *)argv[1];
2038 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
2041 new_password = getpass(prompt);
2045 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2046 auth_password, user, new_password, ads->auth.time_offset);
2047 if (!ADS_ERR_OK(ret)) {
2048 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2053 d_printf(_("Password change for %s completed.\n"), user);
2059 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2062 char *host_principal;
2066 if (c->display_usage) {
2068 "net ads changetrustpw\n"
2071 _("Change the machine account's trust password"));
2075 if (!secrets_init()) {
2076 DEBUG(1,("Failed to initialise secrets database\n"));
2080 net_use_krb_machine_account(c);
2082 use_in_memory_ccache();
2084 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2088 fstrcpy(my_name, global_myname());
2089 strlower_m(my_name);
2090 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2094 d_printf(_("Changing password for principal: %s\n"), host_principal);
2096 ret = ads_change_trust_account_password(ads, host_principal);
2098 if (!ADS_ERR_OK(ret)) {
2099 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2101 SAFE_FREE(host_principal);
2105 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2107 if (USE_SYSTEM_KEYTAB) {
2108 d_printf(_("Attempting to update system keytab with new password.\n"));
2109 if (ads_keytab_create_default(ads)) {
2110 d_printf(_("Failed to update system keytab.\n"));
2115 SAFE_FREE(host_principal);
2121 help for net ads search
2123 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2126 "\nnet ads search <expression> <attributes...>\n"
2127 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2128 "The expression is a standard LDAP search expression, and the\n"
2129 "attributes are a list of LDAP fields to show in the results.\n\n"
2130 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2132 net_common_flags_usage(c, argc, argv);
2138 general ADS search function. Useful in diagnosing problems in ADS
2140 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2144 const char *ldap_exp;
2146 LDAPMessage *res = NULL;
2148 if (argc < 1 || c->display_usage) {
2149 return net_ads_search_usage(c, argc, argv);
2152 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2159 rc = ads_do_search_all(ads, ads->config.bind_path,
2161 ldap_exp, attrs, &res);
2162 if (!ADS_ERR_OK(rc)) {
2163 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2168 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2170 /* dump the results */
2173 ads_msgfree(ads, res);
2181 help for net ads search
2183 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2186 "\nnet ads dn <dn> <attributes...>\n"
2187 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2188 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2189 "to show in the results\n\n"
2190 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2191 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2193 net_common_flags_usage(c, argc, argv);
2199 general ADS search function. Useful in diagnosing problems in ADS
2201 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2207 LDAPMessage *res = NULL;
2209 if (argc < 1 || c->display_usage) {
2210 return net_ads_dn_usage(c, argc, argv);
2213 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2220 rc = ads_do_search_all(ads, dn,
2222 "(objectclass=*)", attrs, &res);
2223 if (!ADS_ERR_OK(rc)) {
2224 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2229 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2231 /* dump the results */
2234 ads_msgfree(ads, res);
2241 help for net ads sid search
2243 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2246 "\nnet ads sid <sid> <attributes...>\n"
2247 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2248 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2249 "to show in the results\n\n"
2250 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2252 net_common_flags_usage(c, argc, argv);
2258 general ADS search function. Useful in diagnosing problems in ADS
2260 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2264 const char *sid_string;
2266 LDAPMessage *res = NULL;
2269 if (argc < 1 || c->display_usage) {
2270 return net_ads_sid_usage(c, argc, argv);
2273 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2277 sid_string = argv[0];
2280 if (!string_to_sid(&sid, sid_string)) {
2281 d_fprintf(stderr, _("could not convert sid\n"));
2286 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2287 if (!ADS_ERR_OK(rc)) {
2288 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2293 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2295 /* dump the results */
2298 ads_msgfree(ads, res);
2304 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2309 if (c->display_usage) {
2311 "net ads keytab flush\n"
2314 _("Delete the whole keytab"));
2318 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2321 ret = ads_keytab_flush(ads);
2326 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2332 if (c->display_usage) {
2335 _("net ads keytab add <principal> [principal ...]\n"
2336 " Add principals to local keytab\n"
2337 " principal\tKerberos principal to add to "
2342 d_printf(_("Processing principals to add...\n"));
2343 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2346 for (i = 0; i < argc; i++) {
2347 ret |= ads_keytab_add_entry(ads, argv[i]);
2353 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2358 if (c->display_usage) {
2360 "net ads keytab create\n"
2363 _("Create new default keytab"));
2367 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2370 ret = ads_keytab_create_default(ads);
2375 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2377 const char *keytab = NULL;
2379 if (c->display_usage) {
2382 _("net ads keytab list [keytab]\n"
2383 " List a local keytab\n"
2384 " keytab\tKeytab to list\n"));
2392 return ads_keytab_list(keytab);
2396 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2398 struct functable func[] = {
2403 N_("Add a service principal"),
2404 N_("net ads keytab add\n"
2405 " Add a service principal")
2409 net_ads_keytab_create,
2411 N_("Create a fresh keytab"),
2412 N_("net ads keytab create\n"
2413 " Create a fresh keytab")
2417 net_ads_keytab_flush,
2419 N_("Remove all keytab entries"),
2420 N_("net ads keytab flush\n"
2421 " Remove all keytab entries")
2425 net_ads_keytab_list,
2427 N_("List a keytab"),
2428 N_("net ads keytab list\n"
2431 {NULL, NULL, 0, NULL, NULL}
2434 if (!USE_KERBEROS_KEYTAB) {
2435 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2436 "keytab method to use keytab functions.\n"));
2439 return net_run_function(c, argc, argv, "net ads keytab", func);
2442 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2446 if (c->display_usage) {
2448 "net ads kerberos renew\n"
2451 _("Renew TGT from existing credential cache"));
2455 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2457 d_printf(_("failed to renew kerberos ticket: %s\n"),
2458 error_message(ret));
2463 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2465 struct PAC_DATA *pac = NULL;
2466 struct PAC_LOGON_INFO *info = NULL;
2467 TALLOC_CTX *mem_ctx = NULL;
2470 const char *impersonate_princ_s = NULL;
2472 if (c->display_usage) {
2474 "net ads kerberos pac\n"
2477 _("Dump the Kerberos PAC"));
2481 mem_ctx = talloc_init("net_ads_kerberos_pac");
2487 impersonate_princ_s = argv[0];
2490 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2492 status = kerberos_return_pac(mem_ctx,
2501 2592000, /* one month */
2502 impersonate_princ_s,
2504 if (!NT_STATUS_IS_OK(status)) {
2505 d_printf(_("failed to query kerberos PAC: %s\n"),
2510 info = get_logon_info_from_pac(pac);
2513 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2514 d_printf(_("The Pac: %s\n"), s);
2519 TALLOC_FREE(mem_ctx);
2523 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2525 TALLOC_CTX *mem_ctx = NULL;
2529 if (c->display_usage) {
2531 "net ads kerberos kinit\n"
2534 _("Get Ticket Granting Ticket (TGT) for the user"));
2538 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2543 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2545 ret = kerberos_kinit_password_ext(c->opt_user_name,
2553 2592000, /* one month */
2556 d_printf(_("failed to kinit password: %s\n"),
2563 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2565 struct functable func[] = {
2568 net_ads_kerberos_kinit,
2570 N_("Retrieve Ticket Granting Ticket (TGT)"),
2571 N_("net ads kerberos kinit\n"
2572 " Receive Ticket Granting Ticket (TGT)")
2576 net_ads_kerberos_renew,
2578 N_("Renew Ticket Granting Ticket from credential cache"),
2579 N_("net ads kerberos renew\n"
2580 " Renew Ticket Granting Ticket (TGT) from "
2585 net_ads_kerberos_pac,
2587 N_("Dump Kerberos PAC"),
2588 N_("net ads kerberos pac\n"
2589 " Dump Kerberos PAC")
2591 {NULL, NULL, 0, NULL, NULL}
2594 return net_run_function(c, argc, argv, "net ads kerberos", func);
2597 int net_ads(struct net_context *c, int argc, const char **argv)
2599 struct functable func[] = {
2604 N_("Display details on remote ADS server"),
2606 " Display details on remote ADS server")
2612 N_("Join the local machine to ADS realm"),
2614 " Join the local machine to ADS realm")
2620 N_("Validate machine account"),
2621 N_("net ads testjoin\n"
2622 " Validate machine account")
2628 N_("Remove the local machine from ADS"),
2629 N_("net ads leave\n"
2630 " Remove the local machine from ADS")
2636 N_("Display machine account details"),
2637 N_("net ads status\n"
2638 " Display machine account details")
2644 N_("List/modify users"),
2646 " List/modify users")
2652 N_("List/modify groups"),
2653 N_("net ads group\n"
2654 " List/modify groups")
2660 N_("Issue dynamic DNS update"),
2662 " Issue dynamic DNS update")
2668 N_("Change user passwords"),
2669 N_("net ads password\n"
2670 " Change user passwords")
2674 net_ads_changetrustpw,
2676 N_("Change trust account password"),
2677 N_("net ads changetrustpw\n"
2678 " Change trust account password")
2684 N_("List/modify printer entries"),
2685 N_("net ads printer\n"
2686 " List/modify printer entries")
2692 N_("Issue LDAP search using filter"),
2693 N_("net ads search\n"
2694 " Issue LDAP search using filter")
2700 N_("Issue LDAP search by DN"),
2702 " Issue LDAP search by DN")
2708 N_("Issue LDAP search by SID"),
2710 " Issue LDAP search by SID")
2716 N_("Display workgroup name"),
2717 N_("net ads workgroup\n"
2718 " Display the workgroup name")
2724 N_("Perfom CLDAP query on DC"),
2725 N_("net ads lookup\n"
2726 " Find the ADS DC using CLDAP lookups")
2732 N_("Manage local keytab file"),
2733 N_("net ads keytab\n"
2734 " Manage local keytab file")
2740 N_("Manage group policy objects"),
2742 " Manage group policy objects")
2748 N_("Manage kerberos keytab"),
2749 N_("net ads kerberos\n"
2750 " Manage kerberos keytab")
2752 {NULL, NULL, 0, NULL, NULL}
2755 return net_run_function(c, argc, argv, "net ads", func);
2760 static int net_ads_noads(void)
2762 d_fprintf(stderr, _("ADS support not compiled in\n"));
2766 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2768 return net_ads_noads();
2771 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2773 return net_ads_noads();
2776 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2778 return net_ads_noads();
2781 int net_ads_join(struct net_context *c, int argc, const char **argv)
2783 return net_ads_noads();
2786 int net_ads_user(struct net_context *c, int argc, const char **argv)
2788 return net_ads_noads();
2791 int net_ads_group(struct net_context *c, int argc, const char **argv)
2793 return net_ads_noads();
2796 /* this one shouldn't display a message */
2797 int net_ads_check(struct net_context *c)
2802 int net_ads_check_our_domain(struct net_context *c)
2807 int net_ads(struct net_context *c, int argc, const char **argv)
2809 return net_ads_noads();
2812 #endif /* WITH_ADS */
git.samba.org / samba.git / blob