2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "system/passwd.h"
23 #include "utils/net.h"
24 #include "../librpc/gen_ndr/samr.h"
26 #include "../libcli/security/security.h"
27 #include "lib/winbind_util.h"
29 #include "passdb/pdb_ldap_util.h"
30 #include "passdb/pdb_ldap_schema.h"
31 #include "lib/privileges.h"
34 #include "lib/util/smb_strtox.h"
35 #include "lib/util/string_wrappers.h"
41 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
43 bool (*fn)(struct samu *, const char *,
44 enum pdb_value_state))
46 struct samu *sam_acct = NULL;
48 enum lsa_SidType type;
49 const char *dom, *name;
52 if (argc != 2 || c->display_usage) {
53 d_fprintf(stderr, "%s\n", _("Usage:"));
54 d_fprintf(stderr, _("net sam set %s <user> <value>\n"),
59 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
60 &dom, &name, &sid, &type)) {
61 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
65 if (type != SID_NAME_USER) {
66 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
67 sid_type_lookup(type));
71 if ( !(sam_acct = samu_new( NULL )) ) {
72 d_fprintf(stderr, _("Internal error\n"));
76 if (!pdb_getsampwsid(sam_acct, &sid)) {
77 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
81 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
82 d_fprintf(stderr, _("Internal error\n"));
86 status = pdb_update_sam_account(sam_acct);
87 if (!NT_STATUS_IS_OK(status)) {
88 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
89 argv[0], nt_errstr(status));
93 TALLOC_FREE(sam_acct);
95 d_printf(_("Updated %s for %s\\%s to %s\n"), field, dom, name, argv[1]);
99 static int net_sam_set_fullname(struct net_context *c, int argc,
102 return net_sam_userset(c, argc, argv, "fullname",
106 static int net_sam_set_logonscript(struct net_context *c, int argc,
109 return net_sam_userset(c, argc, argv, "logonscript",
110 pdb_set_logon_script);
113 static int net_sam_set_profilepath(struct net_context *c, int argc,
116 return net_sam_userset(c, argc, argv, "profilepath",
117 pdb_set_profile_path);
120 static int net_sam_set_homedrive(struct net_context *c, int argc,
123 return net_sam_userset(c, argc, argv, "homedrive",
127 static int net_sam_set_homedir(struct net_context *c, int argc,
130 return net_sam_userset(c, argc, argv, "homedir",
134 static int net_sam_set_workstations(struct net_context *c, int argc,
137 return net_sam_userset(c, argc, argv, "workstations",
138 pdb_set_workstations);
145 static int net_sam_set_userflag(struct net_context *c, int argc,
146 const char **argv, const char *field,
149 struct samu *sam_acct = NULL;
151 enum lsa_SidType type;
152 const char *dom, *name;
156 if ((argc != 2) || c->display_usage ||
157 (!strequal(argv[1], "yes") &&
158 !strequal(argv[1], "no"))) {
159 d_fprintf(stderr, "%s\n", _("Usage:"));
160 d_fprintf(stderr, _("net sam set %s <user> [yes|no]\n"),
165 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
166 &dom, &name, &sid, &type)) {
167 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
171 if (type != SID_NAME_USER) {
172 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
173 sid_type_lookup(type));
177 if ( !(sam_acct = samu_new( NULL )) ) {
178 d_fprintf(stderr, _("Internal error\n"));
182 if (!pdb_getsampwsid(sam_acct, &sid)) {
183 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
187 acct_flags = pdb_get_acct_ctrl(sam_acct);
189 if (strequal(argv[1], "yes")) {
195 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
197 status = pdb_update_sam_account(sam_acct);
198 if (!NT_STATUS_IS_OK(status)) {
199 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
200 argv[0], nt_errstr(status));
204 TALLOC_FREE(sam_acct);
206 d_fprintf(stderr, _("Updated flag %s for %s\\%s to %s\n"), field, dom,
211 static int net_sam_set_disabled(struct net_context *c, int argc,
214 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
217 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
220 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
223 static int net_sam_set_autolock(struct net_context *c, int argc,
226 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
229 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
232 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
236 * Set pass last change time, based on force pass change now
239 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
242 struct samu *sam_acct = NULL;
244 enum lsa_SidType type;
245 const char *dom, *name;
248 if ((argc != 2) || c->display_usage ||
249 (!strequal(argv[1], "yes") &&
250 !strequal(argv[1], "no"))) {
251 d_fprintf(stderr, "%s\n%s",
253 _("net sam set pwdmustchangenow <user> [yes|no]\n"));
257 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
258 &dom, &name, &sid, &type)) {
259 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
263 if (type != SID_NAME_USER) {
264 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
265 sid_type_lookup(type));
269 if ( !(sam_acct = samu_new( NULL )) ) {
270 d_fprintf(stderr, _("Internal error\n"));
274 if (!pdb_getsampwsid(sam_acct, &sid)) {
275 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
279 if (strequal(argv[1], "yes")) {
280 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
282 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
285 status = pdb_update_sam_account(sam_acct);
286 if (!NT_STATUS_IS_OK(status)) {
287 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
288 argv[0], nt_errstr(status));
292 TALLOC_FREE(sam_acct);
294 d_fprintf(stderr, _("Updated 'user must change password at next logon' "
295 "for %s\\%s to %s\n"), dom,
302 * Set a user's or a group's comment
305 static int net_sam_set_comment(struct net_context *c, int argc,
310 enum lsa_SidType type;
311 const char *dom, *name;
314 if (argc != 2 || c->display_usage) {
315 d_fprintf(stderr, "%s\n%s",
317 _("net sam set comment <name> <comment>\n"));
321 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
322 &dom, &name, &sid, &type)) {
323 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
327 if (type == SID_NAME_USER) {
328 return net_sam_userset(c, argc, argv, "comment",
332 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
333 (type != SID_NAME_WKN_GRP)) {
334 d_fprintf(stderr, _("%s is a %s, not a group\n"), argv[0],
335 sid_type_lookup(type));
339 map = talloc_zero(talloc_tos(), GROUP_MAP);
341 d_fprintf(stderr, _("Out of memory!\n"));
345 if (!pdb_getgrsid(map, sid)) {
346 d_fprintf(stderr, _("Could not load group %s\n"), argv[0]);
350 map->comment = talloc_strdup(map, argv[1]);
352 d_fprintf(stderr, _("Out of memory!\n"));
356 status = pdb_update_group_mapping_entry(map);
358 if (!NT_STATUS_IS_OK(status)) {
359 d_fprintf(stderr, _("Updating group mapping entry failed with "
360 "%s\n"), nt_errstr(status));
364 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
371 static int net_sam_set(struct net_context *c, int argc, const char **argv)
373 struct functable func[] = {
378 N_("Change a user's home directory"),
379 N_("net sam set homedir\n"
380 " Change a user's home directory")
384 net_sam_set_profilepath,
386 N_("Change a user's profile path"),
387 N_("net sam set profilepath\n"
388 " Change a user's profile path")
394 N_("Change a users or groups description"),
395 N_("net sam set comment\n"
396 " Change a users or groups description")
400 net_sam_set_fullname,
402 N_("Change a user's full name"),
403 N_("net sam set fullname\n"
404 " Change a user's full name")
408 net_sam_set_logonscript,
410 N_("Change a user's logon script"),
411 N_("net sam set logonscript\n"
412 " Change a user's logon script")
416 net_sam_set_homedrive,
418 N_("Change a user's home drive"),
419 N_("net sam set homedrive\n"
420 " Change a user's home drive")
424 net_sam_set_workstations,
426 N_("Change a user's allowed workstations"),
427 N_("net sam set workstations\n"
428 " Change a user's allowed workstations")
432 net_sam_set_disabled,
434 N_("Disable/Enable a user"),
435 N_("net sam set disable\n"
436 " Disable/Enable a user")
440 net_sam_set_pwnotreq,
442 N_("Disable/Enable the password not required flag"),
443 N_("net sam set pwnotreq\n"
444 " Disable/Enable the password not required flag")
448 net_sam_set_autolock,
450 N_("Disable/Enable a user's lockout flag"),
451 N_("net sam set autolock\n"
452 " Disable/Enable a user's lockout flag")
458 N_("Disable/Enable whether a user's pw does not "
460 N_("net sam set pwnoexp\n"
461 " Disable/Enable whether a user's pw does not "
466 net_sam_set_pwdmustchangenow,
468 N_("Force users password must change at next logon"),
469 N_("net sam set pwdmustchangenow\n"
470 " Force users password must change at next logon")
472 {NULL, NULL, 0, NULL, NULL}
475 return net_run_function(c, argc, argv, "net sam set", func);
479 * Manage account policies
482 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
484 const char *account_policy = NULL;
486 uint32_t old_value = 0;
487 enum pdb_policy_type field;
490 if (argc != 2 || c->display_usage) {
491 d_fprintf(stderr, "%s\n%s",
493 _("net sam policy set \"<account policy>\" <value>\n"));
497 account_policy = argv[0];
498 field = account_policy_name_to_typenum(account_policy);
500 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
501 || strequal(argv[1], "off")) {
505 value = smb_strtoul(argv[1],
509 SMB_STR_FULL_STR_CONV);
512 d_printf(_("Unable to set policy \"%s\"! Invalid value "
514 account_policy, argv[1]);
523 account_policy_names_list(talloc_tos(), &names, &count);
524 d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
525 d_fprintf(stderr, _("Valid account policies are:\n"));
527 for (i=0; i<count; i++) {
528 d_fprintf(stderr, "%s\n", names[i]);
536 if (!pdb_get_account_policy(field, &old_value)) {
537 d_fprintf(stderr, _("Valid account policy, but unable to fetch "
540 d_printf(_("Account policy \"%s\" value was: %d\n"),
541 account_policy, old_value);
544 if (!pdb_set_account_policy(field, value)) {
545 d_fprintf(stderr, _("Valid account policy, but unable to "
549 d_printf(_("Account policy \"%s\" value is now: %d\n"),
550 account_policy, value);
556 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
558 const char *account_policy = NULL;
560 enum pdb_policy_type field;
562 if (argc != 1 || c->display_usage) {
563 d_fprintf(stderr, "%s\n%s",
565 _("net sam policy show \"<account policy>\"\n"));
569 account_policy = argv[0];
570 field = account_policy_name_to_typenum(account_policy);
576 account_policy_names_list(talloc_tos(), &names, &count);
577 d_fprintf(stderr, _("No account policy by that name!\n"));
579 d_fprintf(stderr, _("Valid account policies "
581 for (i=0; i<count; i++) {
582 d_fprintf(stderr, "%s\n", names[i]);
589 if (!pdb_get_account_policy(field, &old_value)) {
590 fprintf(stderr, _("Valid account policy, but unable to "
595 printf(_("Account policy \"%s\" description: %s\n"),
596 account_policy, account_policy_get_desc(field));
597 printf(_("Account policy \"%s\" value is: %d\n"), account_policy,
602 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
608 if (c->display_usage) {
610 "net sam policy list\n"
613 _("List account policies"));
617 account_policy_names_list(talloc_tos(), &names, &count);
619 d_fprintf(stderr, _("Valid account policies "
621 for (i = 0; i < count ; i++) {
622 d_fprintf(stderr, "%s\n", names[i]);
629 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
631 struct functable func[] = {
636 N_("List account policies"),
637 N_("net sam policy list\n"
638 " List account policies")
644 N_("Show account policies"),
645 N_("net sam policy show\n"
646 " Show account policies")
652 N_("Change account policies"),
653 N_("net sam policy set\n"
654 " Change account policies")
656 {NULL, NULL, 0, NULL, NULL}
659 return net_run_function(c, argc, argv, "net sam policy", func);
662 static int net_sam_rights_list(struct net_context *c, int argc,
665 enum sec_privilege privilege;
667 if (argc > 1 || c->display_usage) {
668 d_fprintf(stderr, "%s\n%s",
670 _("net sam rights list [privilege name]\n"));
676 int num = num_privileges_in_short_list();
678 for (i=0; i<num; i++) {
679 d_printf("%s\n", sec_privilege_name_from_index(i));
684 privilege = sec_privilege_id(argv[0]);
686 if (privilege != SEC_PRIV_INVALID) {
687 struct dom_sid *sids;
691 status = privilege_enum_sids(privilege, talloc_tos(),
693 if (!NT_STATUS_IS_OK(status)) {
694 d_fprintf(stderr, _("Could not list rights: %s\n"),
699 for (i=0; i<num_sids; i++) {
700 const char *dom, *name;
701 enum lsa_SidType type;
702 struct dom_sid_buf buf;
704 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
706 d_printf("%s\\%s\n", dom, name);
710 dom_sid_str_buf(&sids[i], &buf));
719 static int net_sam_rights_grant(struct net_context *c, int argc,
723 enum lsa_SidType type;
724 const char *dom, *name;
727 if (argc < 2 || c->display_usage) {
728 d_fprintf(stderr, "%s\n%s",
730 _("net sam rights grant <name> <rights> ...\n"));
734 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
735 &dom, &name, &sid, &type)) {
736 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
740 for (i=1; i < argc; i++) {
741 enum sec_privilege privilege = sec_privilege_id(argv[i]);
742 if (privilege == SEC_PRIV_INVALID) {
743 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
747 if (!grant_privilege_by_name(&sid, argv[i])) {
748 d_fprintf(stderr, _("Could not grant privilege\n"));
752 d_printf(_("Granted %s to %s\\%s\n"), argv[i], dom, name);
758 static int net_sam_rights_revoke(struct net_context *c, int argc,
762 enum lsa_SidType type;
763 const char *dom, *name;
766 if (argc < 2 || c->display_usage) {
767 d_fprintf(stderr, "%s\n%s",
769 _("net sam rights revoke <name> <rights>\n"));
773 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
774 &dom, &name, &sid, &type)) {
775 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
779 for (i=1; i < argc; i++) {
780 enum sec_privilege privilege = sec_privilege_id(argv[i]);
781 if (privilege == SEC_PRIV_INVALID) {
782 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
786 if (!revoke_privilege_by_name(&sid, argv[i])) {
787 d_fprintf(stderr, _("Could not revoke privilege\n"));
791 d_printf(_("Revoked %s from %s\\%s\n"), argv[i], dom, name);
797 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
799 struct functable func[] = {
804 N_("List possible user rights"),
805 N_("net sam rights list\n"
806 " List possible user rights")
810 net_sam_rights_grant,
812 N_("Grant right(s)"),
813 N_("net sam rights grant\n"
818 net_sam_rights_revoke,
820 N_("Revoke right(s)"),
821 N_("net sam rights revoke\n"
824 {NULL, NULL, 0, NULL, NULL}
826 return net_run_function(c, argc, argv, "net sam rights", func);
830 * Map a unix group to a domain group
833 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *map)
835 const char *dom, *name;
838 if (pdb_getgrgid(map, grp->gr_gid)) {
839 return NT_STATUS_GROUP_EXISTS;
842 map->gid = grp->gr_gid;
844 if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
845 &dom, &name, NULL, NULL)) {
847 map->nt_name = talloc_asprintf(map, "Unix Group %s",
850 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
851 grp->gr_name, dom, name, map->nt_name));
854 if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
855 NULL, NULL, NULL, NULL)) {
856 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
857 return NT_STATUS_GROUP_EXISTS;
860 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
861 if (!pdb_new_rid(&rid)) {
862 DEBUG(3, ("Could not get a new RID for %s\n",
864 return NT_STATUS_ACCESS_DENIED;
867 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
870 sid_compose(&map->sid, get_global_sam_sid(), rid);
871 map->sid_name_use = SID_NAME_DOM_GRP;
872 map->comment = talloc_asprintf(map, "Unix Group %s", grp->gr_name);
874 return pdb_add_group_mapping_entry(map);
877 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
882 struct dom_sid_buf buf;
884 if (argc != 1 || c->display_usage) {
885 d_fprintf(stderr, "%s\n%s",
887 _("net sam mapunixgroup <name>\n"));
891 grp = getgrnam(argv[0]);
893 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
897 map = talloc_zero(talloc_tos(), GROUP_MAP);
899 d_fprintf(stderr, _("Out of memory!\n"));
903 status = map_unix_group(grp, map);
905 if (!NT_STATUS_IS_OK(status)) {
906 d_fprintf(stderr, _("Mapping group %s failed with %s\n"),
907 argv[0], nt_errstr(status));
911 d_printf(_("Mapped unix group %s to SID %s\n"), argv[0],
912 dom_sid_str_buf(&map->sid, &buf));
919 * Remove a group mapping
922 static NTSTATUS unmap_unix_group(const struct group *grp)
924 struct dom_sid dom_sid;
927 if (!lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
928 NULL, NULL, NULL, NULL)) {
929 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
930 return NT_STATUS_NO_SUCH_GROUP;
934 id.type = ID_TYPE_GID;
935 if (!pdb_id_to_sid(&id, &dom_sid)) {
936 return NT_STATUS_UNSUCCESSFUL;
939 return pdb_delete_group_mapping_entry(dom_sid);
942 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
947 if (argc != 1 || c->display_usage) {
948 d_fprintf(stderr, "%s\n%s",
950 _("net sam unmapunixgroup <name>\n"));
954 grp = getgrnam(argv[0]);
956 d_fprintf(stderr, _("Could not find mapping for group %s.\n"),
961 status = unmap_unix_group(grp);
963 if (!NT_STATUS_IS_OK(status)) {
964 d_fprintf(stderr, _("Unmapping group %s failed with %s.\n"),
965 argv[0], nt_errstr(status));
969 d_printf(_("Unmapped unix group %s.\n"), argv[0]);
975 * Create a domain group
978 static int net_sam_createdomaingroup(struct net_context *c, int argc,
984 if (argc != 1 || c->display_usage) {
985 d_fprintf(stderr, "%s\n%s",
987 _("net sam createdomaingroup <name>\n"));
991 status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
993 if (!NT_STATUS_IS_OK(status)) {
994 d_fprintf(stderr, _("Creating %s failed with %s\n"),
995 argv[0], nt_errstr(status));
999 d_printf(_("Created domain group %s with RID %d\n"), argv[0], rid);
1005 * Delete a domain group
1008 static int net_sam_deletedomaingroup(struct net_context *c, int argc,
1013 enum lsa_SidType type;
1014 const char *dom, *name;
1017 if (argc != 1 || c->display_usage) {
1018 d_fprintf(stderr, "%s\n%s",
1020 _("net sam deletelocalgroup <name>\n"));
1024 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1025 &dom, &name, &sid, &type)) {
1026 d_fprintf(stderr, _("Could not find %s.\n"), argv[0]);
1030 if (type != SID_NAME_DOM_GRP) {
1031 d_fprintf(stderr, _("%s is a %s, not a domain group.\n"),
1032 argv[0], sid_type_lookup(type));
1036 sid_peek_rid(&sid, &rid);
1038 status = pdb_delete_dom_group(talloc_tos(), rid);
1040 if (!NT_STATUS_IS_OK(status)) {
1041 d_fprintf(stderr,_("Deleting domain group %s failed with %s\n"),
1042 argv[0], nt_errstr(status));
1046 d_printf(_("Deleted domain group %s.\n"), argv[0]);
1052 * Create a local group
1055 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1060 if (argc != 1 || c->display_usage) {
1061 d_fprintf(stderr, "%s\n%s",
1063 _("net sam createlocalgroup <name>\n"));
1067 if (!winbind_ping()) {
1068 d_fprintf(stderr, _("winbind seems not to run. "
1069 "createlocalgroup only works when winbind runs.\n"));
1073 status = pdb_create_alias(argv[0], &rid);
1075 if (!NT_STATUS_IS_OK(status)) {
1076 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1077 argv[0], nt_errstr(status));
1081 d_printf(_("Created local group %s with RID %d\n"), argv[0], rid);
1087 * Delete a local group
1090 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1093 enum lsa_SidType type;
1094 const char *dom, *name;
1097 if (argc != 1 || c->display_usage) {
1098 d_fprintf(stderr, "%s\n%s",
1100 _("net sam deletelocalgroup <name>\n"));
1104 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1105 &dom, &name, &sid, &type)) {
1106 d_fprintf(stderr,_("Could not find %s.\n"), argv[0]);
1110 if (type != SID_NAME_ALIAS) {
1111 d_fprintf(stderr, _("%s is a %s, not a local group.\n"),argv[0],
1112 sid_type_lookup(type));
1116 status = pdb_delete_alias(&sid);
1118 if (!NT_STATUS_IS_OK(status)) {
1119 d_fprintf(stderr, _("Deleting local group %s failed with %s\n"),
1120 argv[0], nt_errstr(status));
1124 d_printf(_("Deleted local group %s.\n"), argv[0]);
1130 * Create a builtin group
1133 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1137 enum lsa_SidType type;
1141 if (argc != 1 || c->display_usage) {
1142 d_fprintf(stderr, "%s\n%s",
1144 _("net sam createbuiltingroup <name>\n"));
1148 if (!winbind_ping()) {
1149 d_fprintf(stderr, _("winbind seems not to run. "
1150 "createbuiltingroup only works when winbind "
1155 /* validate the name and get the group */
1157 fstrcpy( groupname, "BUILTIN\\" );
1158 fstrcat( groupname, argv[0] );
1160 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1161 NULL, &sid, &type)) {
1162 d_fprintf(stderr, _("%s is not a BUILTIN group\n"), argv[0]);
1166 if ( !sid_peek_rid( &sid, &rid ) ) {
1167 d_fprintf(stderr, _("Failed to get RID for %s\n"), argv[0]);
1171 status = pdb_create_builtin(rid);
1173 if (!NT_STATUS_IS_OK(status)) {
1174 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1175 argv[0], nt_errstr(status));
1179 d_printf(_("Created BUILTIN group %s with RID %d\n"), argv[0], rid);
1185 * Add a group member
1188 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1190 const char *groupdomain, *groupname, *memberdomain, *membername;
1191 struct dom_sid group, member;
1192 enum lsa_SidType grouptype, membertype;
1195 if (argc != 2 || c->display_usage) {
1196 d_fprintf(stderr, "%s\n%s",
1198 _("net sam addmem <group> <member>\n"));
1202 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1203 &groupdomain, &groupname, &group, &grouptype)) {
1204 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1208 /* check to see if the member to be added is a name or a SID */
1210 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1211 &memberdomain, &membername, &member, &membertype))
1213 /* try it as a SID */
1215 if ( !string_to_sid( &member, argv[1] ) ) {
1216 d_fprintf(stderr, _("Could not find member %s\n"),
1221 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1222 &membername, &membertype) )
1224 d_fprintf(stderr, _("Could not resolve SID %s\n"),
1230 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1231 if ((membertype != SID_NAME_USER) &&
1232 (membertype != SID_NAME_ALIAS) &&
1233 (membertype != SID_NAME_DOM_GRP)) {
1234 d_fprintf(stderr, _("Can't add %s: only users, domain "
1235 "groups and domain local groups "
1236 "can be added. %s is a %s\n"),
1238 sid_type_lookup(membertype));
1241 status = pdb_add_aliasmem(&group, &member);
1243 if (!NT_STATUS_IS_OK(status)) {
1244 d_fprintf(stderr, _("Adding local group member failed "
1245 "with %s\n"), nt_errstr(status));
1248 } else if (grouptype == SID_NAME_DOM_GRP) {
1249 uint32_t grouprid, memberrid;
1251 sid_peek_rid(&group, &grouprid);
1252 sid_peek_rid(&member, &memberrid);
1254 status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1255 if (!NT_STATUS_IS_OK(status)) {
1256 d_fprintf(stderr, _("Adding domain group member failed "
1257 "with %s\n"), nt_errstr(status));
1261 d_fprintf(stderr, _("Can only add members to local groups so "
1262 "far, %s is a %s\n"), argv[0],
1263 sid_type_lookup(grouptype));
1267 d_printf(_("Added %s\\%s to %s\\%s\n"), memberdomain, membername,
1268 groupdomain, groupname);
1274 * Delete a group member
1277 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1279 const char *groupdomain, *groupname;
1280 const char *memberdomain = NULL;
1281 const char *membername = NULL;
1282 struct dom_sid group, member;
1283 enum lsa_SidType grouptype;
1286 if (argc != 2 || c->display_usage) {
1287 d_fprintf(stderr,"%s\n%s",
1289 _("net sam delmem <group> <member>\n"));
1293 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1294 &groupdomain, &groupname, &group, &grouptype)) {
1295 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1299 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1300 &memberdomain, &membername, &member, NULL)) {
1301 if (!string_to_sid(&member, argv[1])) {
1302 d_fprintf(stderr, _("Could not find member %s\n"),
1308 if ((grouptype == SID_NAME_ALIAS) ||
1309 (grouptype == SID_NAME_WKN_GRP)) {
1310 status = pdb_del_aliasmem(&group, &member);
1312 if (!NT_STATUS_IS_OK(status)) {
1313 d_fprintf(stderr,_("Deleting local group member failed "
1314 "with %s\n"), nt_errstr(status));
1317 } else if (grouptype == SID_NAME_DOM_GRP) {
1318 uint32_t grouprid, memberrid;
1320 sid_peek_rid(&group, &grouprid);
1321 sid_peek_rid(&member, &memberrid);
1323 status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1324 if (!NT_STATUS_IS_OK(status)) {
1325 d_fprintf(stderr, _("Deleting domain group member "
1326 "failed with %s\n"), nt_errstr(status));
1330 d_fprintf(stderr, _("Can only delete members from local groups "
1331 "so far, %s is a %s\n"), argv[0],
1332 sid_type_lookup(grouptype));
1336 if (membername != NULL) {
1337 d_printf(_("Deleted %s\\%s from %s\\%s\n"),
1338 memberdomain, membername, groupdomain, groupname);
1340 struct dom_sid_buf buf;
1341 d_printf(_("Deleted %s from %s\\%s\n"),
1342 dom_sid_str_buf(&member, &buf),
1351 * List group members
1354 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1356 const char *groupdomain, *groupname;
1357 struct dom_sid group;
1358 struct dom_sid *members = NULL;
1359 size_t i, num_members = 0;
1360 enum lsa_SidType grouptype;
1363 if (argc != 1 || c->display_usage) {
1364 d_fprintf(stderr, "%s\n%s",
1366 _("net sam listmem <group>\n"));
1370 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1371 &groupdomain, &groupname, &group, &grouptype)) {
1372 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1376 if ((grouptype == SID_NAME_ALIAS) ||
1377 (grouptype == SID_NAME_WKN_GRP)) {
1378 status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1380 if (!NT_STATUS_IS_OK(status)) {
1381 d_fprintf(stderr, _("Listing group members failed with "
1382 "%s\n"), nt_errstr(status));
1385 } else if (grouptype == SID_NAME_DOM_GRP) {
1388 status = pdb_enum_group_members(talloc_tos(), &group,
1389 &rids, &num_members);
1390 if (!NT_STATUS_IS_OK(status)) {
1391 d_fprintf(stderr, _("Listing group members failed with "
1392 "%s\n"), nt_errstr(status));
1396 members = talloc_array(talloc_tos(), struct dom_sid,
1398 if (members == NULL) {
1403 for (i=0; i<num_members; i++) {
1404 sid_compose(&members[i], get_global_sam_sid(),
1409 d_fprintf(stderr,_("Can only list local group members so far.\n"
1410 "%s is a %s\n"), argv[0], sid_type_lookup(grouptype));
1414 d_printf(_("%s\\%s has %u members\n"), groupdomain, groupname,
1415 (unsigned int)num_members);
1416 for (i=0; i<num_members; i++) {
1417 const char *dom, *name;
1418 if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1419 d_printf(" %s\\%s\n", dom, name);
1421 struct dom_sid_buf buf;
1423 dom_sid_str_buf(&members[i], &buf));
1427 TALLOC_FREE(members);
1435 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1436 struct pdb_search *search, const char *what)
1438 bool verbose = (argc == 1);
1440 if ((argc > 1) || c->display_usage ||
1441 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1442 d_fprintf(stderr, "%s\n", _("Usage:"));
1443 d_fprintf(stderr, _("net sam list %s [verbose]\n"), what);
1447 if (search == NULL) {
1448 d_fprintf(stderr, _("Could not start search\n"));
1453 struct samr_displayentry entry;
1454 if (!search->next_entry(search, &entry)) {
1458 d_printf("%s:%d:%s\n",
1463 d_printf("%s\n", entry.account_name);
1467 TALLOC_FREE(search);
1471 static int net_sam_list_users(struct net_context *c, int argc,
1474 return net_sam_do_list(c, argc, argv,
1475 pdb_search_users(talloc_tos(), ACB_NORMAL),
1479 static int net_sam_list_groups(struct net_context *c, int argc,
1482 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1486 static int net_sam_list_localgroups(struct net_context *c, int argc,
1489 return net_sam_do_list(c, argc, argv,
1490 pdb_search_aliases(talloc_tos(),
1491 get_global_sam_sid()),
1495 static int net_sam_list_builtin(struct net_context *c, int argc,
1498 return net_sam_do_list(c, argc, argv,
1499 pdb_search_aliases(talloc_tos(),
1500 &global_sid_Builtin),
1504 static int net_sam_list_workstations(struct net_context *c, int argc,
1507 return net_sam_do_list(c, argc, argv,
1508 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1516 static int net_sam_list(struct net_context *c, int argc, const char **argv)
1518 struct functable func[] = {
1522 NET_TRANSPORT_LOCAL,
1523 N_("List SAM users"),
1524 N_("net sam list users\n"
1529 net_sam_list_groups,
1530 NET_TRANSPORT_LOCAL,
1531 N_("List SAM groups"),
1532 N_("net sam list groups\n"
1537 net_sam_list_localgroups,
1538 NET_TRANSPORT_LOCAL,
1539 N_("List SAM local groups"),
1540 N_("net sam list localgroups\n"
1541 " List SAM local groups")
1545 net_sam_list_builtin,
1546 NET_TRANSPORT_LOCAL,
1547 N_("List builtin groups"),
1548 N_("net sam list builtin\n"
1549 " List builtin groups")
1553 net_sam_list_workstations,
1554 NET_TRANSPORT_LOCAL,
1555 N_("List domain member workstations"),
1556 N_("net sam list workstations\n"
1557 " List domain member workstations")
1559 {NULL, NULL, 0, NULL, NULL}
1562 return net_run_function(c, argc, argv, "net sam list", func);
1566 * Show details of SAM entries
1569 static int net_sam_show(struct net_context *c, int argc, const char **argv)
1572 struct dom_sid_buf buf;
1573 enum lsa_SidType type;
1574 const char *dom, *name;
1576 if (argc != 1 || c->display_usage) {
1577 d_fprintf(stderr, "%s\n%s",
1579 _("net sam show <name>\n"));
1583 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1584 &dom, &name, &sid, &type)) {
1585 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
1589 d_printf(_("%s\\%s is a %s with SID %s\n"), dom, name,
1590 sid_type_lookup(type), dom_sid_str_buf(&sid, &buf));
1598 * Init an LDAP tree with default users and Groups
1599 * if ldapsam:editposix is enabled
1602 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1606 char *ldap_uri = NULL;
1608 struct smbldap_state *state = NULL;
1609 GROUP_MAP *gmap = NULL;
1610 struct dom_sid gsid;
1611 gid_t domusers_gid = -1;
1612 gid_t domadmins_gid = -1;
1613 struct samu *samuser;
1615 bool is_ipa = false;
1616 char *bind_dn = NULL;
1617 char *bind_secret = NULL;
1620 if (c->display_usage) {
1622 "net sam provision\n"
1625 _("Init an LDAP tree with default users/groups"));
1629 tc = talloc_new(NULL);
1631 d_fprintf(stderr, _("Out of Memory!\n"));
1635 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1636 d_fprintf(stderr, _("talloc failed\n"));
1640 p = strchr(ldap_bk, ':');
1643 ldap_uri = talloc_strdup(tc, p+1);
1644 trim_char(ldap_uri, ' ', ' ');
1647 trim_char(ldap_bk, ' ', ' ');
1649 if (strcmp(ldap_bk, "IPA_ldapsam") == 0 ) {
1653 if (strcmp(ldap_bk, "ldapsam") != 0 && !is_ipa ) {
1655 _("Provisioning works only with ldapsam backend\n"));
1659 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1660 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1662 d_fprintf(stderr, _("Provisioning works only if ldapsam:trusted"
1663 " and ldapsam:editposix are enabled.\n"));
1667 if (!is_ipa && !winbind_ping()) {
1668 d_fprintf(stderr, _("winbind seems not to run. Provisioning "
1669 "LDAP only works when winbind runs.\n"));
1673 if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1674 d_fprintf(stderr, _("Failed to retrieve LDAP password from secrets.tdb\n"));
1678 status = smbldap_init(tc, NULL, ldap_uri, false, bind_dn, bind_secret, &state);
1680 memset(bind_secret, '\0', strlen(bind_secret));
1681 SAFE_FREE(bind_secret);
1684 if (!NT_STATUS_IS_OK(status)) {
1685 d_fprintf(stderr, _("Unable to connect to the LDAP server.\n"));
1689 d_printf(_("Checking for Domain Users group.\n"));
1691 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
1693 gmap = talloc_zero(tc, GROUP_MAP);
1695 d_printf(_("Out of memory!\n"));
1699 if (!pdb_getgrsid(gmap, gsid)) {
1700 struct dom_sid_buf gsid_str;
1701 LDAPMod **mods = NULL;
1709 d_printf(_("Adding the Domain Users group.\n"));
1711 /* lets allocate a new groupid for this group */
1715 if (!winbind_allocate_gid(&domusers_gid)) {
1716 d_fprintf(stderr, _("Unable to allocate a new gid to "
1717 "create Domain Users group!\n"));
1722 uname = talloc_strdup(tc, "domusers");
1723 wname = talloc_strdup(tc, "Domain Users");
1724 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers",
1725 lp_ldap_group_suffix(talloc_tos()));
1726 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1727 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1729 if (!uname || !wname || !dn || !gidstr || !gtype) {
1730 d_fprintf(stderr, "Out of Memory!\n");
1734 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1735 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1737 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1738 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1739 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1741 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1742 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1743 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1744 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1745 dom_sid_str_buf(&gsid, &gsid_str));
1746 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1748 smbldap_talloc_autofree_ldapmod(tc, mods);
1750 rc = smbldap_add(state, dn, mods);
1752 if (rc != LDAP_SUCCESS) {
1753 d_fprintf(stderr, _("Failed to add Domain Users group "
1754 "to ldap directory\n"));
1758 if (!pdb_getgrsid(gmap, gsid)) {
1759 d_fprintf(stderr, _("Failed to read just "
1760 "created domain group.\n"));
1763 domusers_gid = gmap->gid;
1767 domusers_gid = gmap->gid;
1768 d_printf(_("found!\n"));
1773 d_printf(_("Checking for Domain Admins group.\n"));
1775 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
1777 if (!pdb_getgrsid(gmap, gsid)) {
1778 struct dom_sid_buf gsid_str;
1779 LDAPMod **mods = NULL;
1787 d_printf(_("Adding the Domain Admins group.\n"));
1789 /* lets allocate a new groupid for this group */
1791 domadmins_gid = 999;
1793 if (!winbind_allocate_gid(&domadmins_gid)) {
1794 d_fprintf(stderr, _("Unable to allocate a new gid to "
1795 "create Domain Admins group!\n"));
1800 uname = talloc_strdup(tc, "domadmins");
1801 wname = talloc_strdup(tc, "Domain Admins");
1802 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins",
1803 lp_ldap_group_suffix(talloc_tos()));
1804 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1805 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1807 if (!uname || !wname || !dn || !gidstr || !gtype) {
1808 d_fprintf(stderr, _("Out of Memory!\n"));
1812 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1813 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1815 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1816 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1817 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1819 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1820 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1821 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1822 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1823 dom_sid_str_buf(&gsid, &gsid_str));
1824 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1826 smbldap_talloc_autofree_ldapmod(tc, mods);
1828 rc = smbldap_add(state, dn, mods);
1830 if (rc != LDAP_SUCCESS) {
1831 d_fprintf(stderr, _("Failed to add Domain Admins group "
1832 "to ldap directory\n"));
1836 if (!pdb_getgrsid(gmap, gsid)) {
1837 d_fprintf(stderr, _("Failed to read just "
1838 "created domain group.\n"));
1841 domadmins_gid = gmap->gid;
1845 domadmins_gid = gmap->gid;
1846 d_printf(_("found!\n"));
1851 d_printf(_("Check for Administrator account.\n"));
1853 samuser = samu_new(tc);
1855 d_fprintf(stderr, _("Out of Memory!\n"));
1859 if (!pdb_getsampwnam(samuser, "Administrator")) {
1860 LDAPMod **mods = NULL;
1862 struct dom_sid_buf sid_str;
1873 d_printf(_("Adding the Administrator user.\n"));
1875 if (domadmins_gid == -1) {
1877 _("Can't create Administrator user, Domain "
1878 "Admins group not available!\n"));
1885 if (!winbind_allocate_uid(&uid)) {
1887 _("Unable to allocate a new uid to create "
1888 "the Administrator user!\n"));
1893 name = talloc_strdup(tc, "Administrator");
1894 dn = talloc_asprintf(tc, "uid=Administrator,%s",
1895 lp_ldap_user_suffix(talloc_tos()));
1896 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1897 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1898 dir = talloc_sub_specified(tc, lp_template_homedir(),
1901 get_global_sam_name(),
1902 uid, domadmins_gid);
1903 shell = talloc_sub_specified(tc, lp_template_shell(),
1906 get_global_sam_name(),
1907 uid, domadmins_gid);
1909 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1910 d_fprintf(stderr, _("Out of Memory!\n"));
1914 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
1916 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1917 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1918 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1920 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
1921 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
1922 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
1923 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
1924 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
1925 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
1926 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", name);
1927 princ = talloc_asprintf(tc, "%s@%s", name, lp_realm());
1929 d_fprintf(stderr, _("Out of Memory!\n"));
1932 smbldap_set_mod(&mods, LDAP_MOD_ADD, "krbPrincipalName", princ);
1934 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1935 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1936 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1937 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1938 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1939 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1940 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1941 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1942 dom_sid_str_buf(&sid, &sid_str));
1943 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1944 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1945 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1947 smbldap_talloc_autofree_ldapmod(tc, mods);
1949 rc = smbldap_add(state, dn, mods);
1951 if (rc != LDAP_SUCCESS) {
1952 d_fprintf(stderr, _("Failed to add Administrator user "
1953 "to ldap directory\n"));
1957 if (!pdb_getsampwnam(samuser, "Administrator")) {
1958 d_fprintf(stderr, _("Failed to read just "
1959 "created user.\n"));
1964 d_printf(_("found!\n"));
1967 d_printf(_("Checking for Guest user.\n"));
1969 samuser = samu_new(tc);
1971 d_fprintf(stderr, _("Out of Memory!\n"));
1975 if (!pdb_getsampwnam(samuser, lp_guest_account())) {
1976 LDAPMod **mods = NULL;
1978 struct dom_sid_buf sid_str;
1984 d_printf(_("Adding the Guest user.\n"));
1986 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
1988 pwd = Get_Pwnam_alloc(tc, lp_guest_account());
1991 if (domusers_gid == -1) {
1993 _("Can't create Guest user, Domain "
1994 "Users group not available!\n"));
1997 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1998 d_fprintf(stderr, _("talloc failed\n"));
2001 pwd->pw_name = talloc_strdup(pwd, lp_guest_account());
2006 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
2008 _("Unable to allocate a new uid to "
2009 "create the Guest user!\n"));
2013 pwd->pw_gid = domusers_gid;
2014 pwd->pw_dir = talloc_strdup(tc, "/");
2015 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
2016 if (!pwd->pw_dir || !pwd->pw_shell) {
2017 d_fprintf(stderr, _("Out of Memory!\n"));
2022 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name,
2023 lp_ldap_user_suffix (talloc_tos()));
2024 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
2025 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2026 if (!dn || !uidstr || !gidstr) {
2027 d_fprintf(stderr, _("Out of Memory!\n"));
2031 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
2032 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
2033 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
2035 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
2036 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
2037 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
2038 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
2039 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
2040 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
2041 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", pwd->pw_name);
2043 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
2044 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
2045 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
2046 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
2047 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2048 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
2049 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
2051 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
2052 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
2054 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
2055 dom_sid_str_buf(&sid, &sid_str));
2056 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
2057 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
2058 NEW_PW_FORMAT_SPACE_PADDED_LEN));
2060 smbldap_talloc_autofree_ldapmod(tc, mods);
2062 rc = smbldap_add(state, dn, mods);
2064 if (rc != LDAP_SUCCESS) {
2065 d_fprintf(stderr, _("Failed to add Guest user to "
2066 "ldap directory\n"));
2070 if (!pdb_getsampwnam(samuser, lp_guest_account())) {
2071 d_fprintf(stderr, _("Failed to read just "
2072 "created user.\n"));
2077 d_printf(_("found!\n"));
2080 d_printf(_("Checking Guest's group.\n"));
2082 pwd = Get_Pwnam_alloc(tc, lp_guest_account());
2085 _("Failed to find just created Guest account!\n"
2086 " Is nss properly configured?!\n"));
2090 if (pwd->pw_gid == domusers_gid) {
2091 d_printf(_("found!\n"));
2095 if (!pdb_getgrgid(gmap, pwd->pw_gid)) {
2096 struct dom_sid_buf gsid_str;
2097 LDAPMod **mods = NULL;
2105 d_printf(_("Adding the Domain Guests group.\n"));
2107 uname = talloc_strdup(tc, "domguests");
2108 wname = talloc_strdup(tc, "Domain Guests");
2109 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests",
2110 lp_ldap_group_suffix(talloc_tos()));
2111 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2112 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
2114 if (!uname || !wname || !dn || !gidstr || !gtype) {
2115 d_fprintf(stderr, _("Out of Memory!\n"));
2119 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
2121 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
2122 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
2124 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
2125 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
2126 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
2128 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
2129 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
2130 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2131 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
2132 dom_sid_str_buf(&gsid, &gsid_str));
2133 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
2135 smbldap_talloc_autofree_ldapmod(tc, mods);
2137 rc = smbldap_add(state, dn, mods);
2139 if (rc != LDAP_SUCCESS) {
2141 _("Failed to add Domain Guests group to ldap "
2145 d_printf(_("found!\n"));
2160 /***********************************************************
2161 migrated functionality from smbgroupedit
2162 **********************************************************/
2163 int net_sam(struct net_context *c, int argc, const char **argv)
2165 struct functable func[] = {
2167 "createbuiltingroup",
2168 net_sam_createbuiltingroup,
2169 NET_TRANSPORT_LOCAL,
2170 N_("Create a new BUILTIN group"),
2171 N_("net sam createbuiltingroup\n"
2172 " Create a new BUILTIN group")
2176 net_sam_createlocalgroup,
2177 NET_TRANSPORT_LOCAL,
2178 N_("Create a new local group"),
2179 N_("net sam createlocalgroup\n"
2180 " Create a new local group")
2183 "createdomaingroup",
2184 net_sam_createdomaingroup,
2185 NET_TRANSPORT_LOCAL,
2186 N_("Create a new group"),
2187 N_("net sam createdomaingroup\n"
2188 " Create a new group")
2192 net_sam_deletelocalgroup,
2193 NET_TRANSPORT_LOCAL,
2194 N_("Delete an existing local group"),
2195 N_("net sam deletelocalgroup\n"
2196 " Delete an existing local group")
2199 "deletedomaingroup",
2200 net_sam_deletedomaingroup,
2201 NET_TRANSPORT_LOCAL,
2202 N_("Delete a domain group"),
2203 N_("net sam deletedomaingroup\n"
2208 net_sam_mapunixgroup,
2209 NET_TRANSPORT_LOCAL,
2210 N_("Map a unix group to a domain group"),
2211 N_("net sam mapunixgroup\n"
2212 " Map a unix group to a domain group")
2216 net_sam_unmapunixgroup,
2217 NET_TRANSPORT_LOCAL,
2218 N_("Remove a group mapping of an unix group to a "
2220 N_("net sam unmapunixgroup\n"
2221 " Remove a group mapping of an unix group to a "
2227 NET_TRANSPORT_LOCAL,
2228 N_("Add a member to a group"),
2229 N_("net sam addmem\n"
2230 " Add a member to a group")
2235 NET_TRANSPORT_LOCAL,
2236 N_("Delete a member from a group"),
2237 N_("net sam delmem\n"
2238 " Delete a member from a group")
2243 NET_TRANSPORT_LOCAL,
2244 N_("List group members"),
2245 N_("net sam listmem\n"
2246 " List group members")
2251 NET_TRANSPORT_LOCAL,
2252 N_("List users, groups and local groups"),
2254 " List users, groups and local groups")
2259 NET_TRANSPORT_LOCAL,
2260 N_("Show details of a SAM entry"),
2262 " Show details of a SAM entry")
2267 NET_TRANSPORT_LOCAL,
2268 N_("Set details of a SAM account"),
2270 " Set details of a SAM account")
2275 NET_TRANSPORT_LOCAL,
2276 N_("Set account policies"),
2277 N_("net sam policy\n"
2278 " Set account policies")
2283 NET_TRANSPORT_LOCAL,
2284 N_("Manipulate user privileges"),
2285 N_("net sam rights\n"
2286 " Manipulate user privileges")
2292 NET_TRANSPORT_LOCAL,
2293 N_("Provision a clean user database"),
2294 N_("net sam privison\n"
2295 " Provision a clear user database")
2298 {NULL, NULL, 0, NULL, NULL}
2301 if (getuid() != 0) {
2302 d_fprintf(stderr, _("You are not root, most things won't "
2306 return net_run_function(c, argc, argv, "net sam", func);