2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include "utils/net.h"
29 static int net_sam_userset(int argc, const char **argv, const char *field,
30 BOOL (*fn)(struct samu *, const char *,
31 enum pdb_value_state))
33 struct samu *sam_acct = NULL;
35 enum lsa_SidType type;
36 const char *dom, *name;
40 d_fprintf(stderr, "usage: net sam set %s <user> <value>\n",
45 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
46 &dom, &name, &sid, &type)) {
47 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
51 if (type != SID_NAME_USER) {
52 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
53 sid_type_lookup(type));
57 if ( !(sam_acct = samu_new( NULL )) ) {
58 d_fprintf(stderr, "Internal error\n");
62 if (!pdb_getsampwsid(sam_acct, &sid)) {
63 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
67 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
68 d_fprintf(stderr, "Internal error\n");
72 status = pdb_update_sam_account(sam_acct);
73 if (!NT_STATUS_IS_OK(status)) {
74 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
75 argv[0], nt_errstr(status));
79 TALLOC_FREE(sam_acct);
81 d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]);
85 static int net_sam_set_fullname(int argc, const char **argv)
87 return net_sam_userset(argc, argv, "fullname",
91 static int net_sam_set_logonscript(int argc, const char **argv)
93 return net_sam_userset(argc, argv, "logonscript",
94 pdb_set_logon_script);
97 static int net_sam_set_profilepath(int argc, const char **argv)
99 return net_sam_userset(argc, argv, "profilepath",
100 pdb_set_profile_path);
103 static int net_sam_set_homedrive(int argc, const char **argv)
105 return net_sam_userset(argc, argv, "homedrive",
109 static int net_sam_set_homedir(int argc, const char **argv)
111 return net_sam_userset(argc, argv, "homedir",
115 static int net_sam_set_workstations(int argc, const char **argv)
117 return net_sam_userset(argc, argv, "workstations",
118 pdb_set_workstations);
125 static int net_sam_set_userflag(int argc, const char **argv, const char *field,
128 struct samu *sam_acct = NULL;
130 enum lsa_SidType type;
131 const char *dom, *name;
135 if ((argc != 2) || (!strequal(argv[1], "yes") &&
136 !strequal(argv[1], "no"))) {
137 d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n",
142 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
143 &dom, &name, &sid, &type)) {
144 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
148 if (type != SID_NAME_USER) {
149 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
150 sid_type_lookup(type));
154 if ( !(sam_acct = samu_new( NULL )) ) {
155 d_fprintf(stderr, "Internal error\n");
159 if (!pdb_getsampwsid(sam_acct, &sid)) {
160 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
164 acct_flags = pdb_get_acct_ctrl(sam_acct);
166 if (strequal(argv[1], "yes")) {
172 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
174 status = pdb_update_sam_account(sam_acct);
175 if (!NT_STATUS_IS_OK(status)) {
176 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
177 argv[0], nt_errstr(status));
181 TALLOC_FREE(sam_acct);
183 d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom,
188 static int net_sam_set_disabled(int argc, const char **argv)
190 return net_sam_set_userflag(argc, argv, "disabled", ACB_DISABLED);
193 static int net_sam_set_pwnotreq(int argc, const char **argv)
195 return net_sam_set_userflag(argc, argv, "pwnotreq", ACB_PWNOTREQ);
198 static int net_sam_set_autolock(int argc, const char **argv)
200 return net_sam_set_userflag(argc, argv, "autolock", ACB_AUTOLOCK);
203 static int net_sam_set_pwnoexp(int argc, const char **argv)
205 return net_sam_set_userflag(argc, argv, "pwnoexp", ACB_PWNOEXP);
209 * Set pass last change time, based on force pass change now
212 static int net_sam_set_pwdmustchangenow(int argc, const char **argv)
214 struct samu *sam_acct = NULL;
216 enum lsa_SidType type;
217 const char *dom, *name;
220 if ((argc != 2) || (!strequal(argv[1], "yes") &&
221 !strequal(argv[1], "no"))) {
222 d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n");
226 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
227 &dom, &name, &sid, &type)) {
228 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
232 if (type != SID_NAME_USER) {
233 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
234 sid_type_lookup(type));
238 if ( !(sam_acct = samu_new( NULL )) ) {
239 d_fprintf(stderr, "Internal error\n");
243 if (!pdb_getsampwsid(sam_acct, &sid)) {
244 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
248 if (strequal(argv[1], "yes")) {
249 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
251 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
254 status = pdb_update_sam_account(sam_acct);
255 if (!NT_STATUS_IS_OK(status)) {
256 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
257 argv[0], nt_errstr(status));
261 TALLOC_FREE(sam_acct);
263 d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom,
270 * Set a user's or a group's comment
273 static int net_sam_set_comment(int argc, const char **argv)
277 enum lsa_SidType type;
278 const char *dom, *name;
282 d_fprintf(stderr, "usage: net sam set comment <name> "
287 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
288 &dom, &name, &sid, &type)) {
289 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
293 if (type == SID_NAME_USER) {
294 return net_sam_userset(argc, argv, "comment",
298 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
299 (type != SID_NAME_WKN_GRP)) {
300 d_fprintf(stderr, "%s is a %s, not a group\n", argv[0],
301 sid_type_lookup(type));
305 if (!pdb_getgrsid(&map, sid)) {
306 d_fprintf(stderr, "Could not load group %s\n", argv[0]);
310 fstrcpy(map.comment, argv[1]);
312 status = pdb_update_group_mapping_entry(&map);
314 if (!NT_STATUS_IS_OK(status)) {
315 d_fprintf(stderr, "Updating group mapping entry failed with "
316 "%s\n", nt_errstr(status));
320 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
326 static int net_sam_set(int argc, const char **argv)
328 struct functable2 func[] = {
329 { "homedir", net_sam_set_homedir,
330 "Change a user's home directory" },
331 { "profilepath", net_sam_set_profilepath,
332 "Change a user's profile path" },
333 { "comment", net_sam_set_comment,
334 "Change a users or groups description" },
335 { "fullname", net_sam_set_fullname,
336 "Change a user's full name" },
337 { "logonscript", net_sam_set_logonscript,
338 "Change a user's logon script" },
339 { "homedrive", net_sam_set_homedrive,
340 "Change a user's home drive" },
341 { "workstations", net_sam_set_workstations,
342 "Change a user's allowed workstations" },
343 { "disabled", net_sam_set_disabled,
344 "Disable/Enable a user" },
345 { "pwnotreq", net_sam_set_pwnotreq,
346 "Disable/Enable the password not required flag" },
347 { "autolock", net_sam_set_autolock,
348 "Disable/Enable a user's lockout flag" },
349 { "pwnoexp", net_sam_set_pwnoexp,
350 "Disable/Enable whether a user's pw does not expire" },
351 { "pwdmustchangenow", net_sam_set_pwdmustchangenow,
352 "Force users password must change at next logon" },
356 return net_run_function2(argc, argv, "net sam set", func);
360 * Manage account policies
363 static int net_sam_policy_set(int argc, const char **argv)
365 const char *account_policy = NULL;
366 uint32 value, old_value;
371 d_fprintf(stderr, "usage: net sam policy set "
372 "\"<account policy>\" <value> \n");
376 account_policy = argv[0];
377 field = account_policy_name_to_fieldnum(account_policy);
379 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
380 || strequal(argv[1], "off")) {
384 value = strtoul(argv[1], &endptr, 10);
386 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
387 d_printf("Unable to set policy \"%s\"! Invalid value "
389 account_policy, argv[1]);
398 account_policy_names_list(&names, &count);
399 d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]);
400 d_fprintf(stderr, "Valid account policies are:\n");
402 for (i=0; i<count; i++) {
403 d_fprintf(stderr, "%s\n", names[i]);
410 if (!pdb_get_account_policy(field, &old_value)) {
411 d_fprintf(stderr, "Valid account policy, but unable to fetch "
415 if (!pdb_set_account_policy(field, value)) {
416 d_fprintf(stderr, "Valid account policy, but unable to "
421 d_printf("Account policy \"%s\" value was: %d\n", account_policy,
424 d_printf("Account policy \"%s\" value is now: %d\n", account_policy,
429 static int net_sam_policy_show(int argc, const char **argv)
431 const char *account_policy = NULL;
436 d_fprintf(stderr, "usage: net sam policy show"
437 " \"<account policy>\" \n");
441 account_policy = argv[0];
442 field = account_policy_name_to_fieldnum(account_policy);
448 account_policy_names_list(&names, &count);
449 d_fprintf(stderr, "No account policy by that name!\n");
451 d_fprintf(stderr, "Valid account policies "
453 for (i=0; i<count; i++) {
454 d_fprintf(stderr, "%s\n", names[i]);
461 if (!pdb_get_account_policy(field, &old_value)) {
462 fprintf(stderr, "Valid account policy, but unable to "
467 printf("Account policy \"%s\" description: %s\n",
468 account_policy, account_policy_get_desc(field));
469 printf("Account policy \"%s\" value is: %d\n", account_policy,
474 static int net_sam_policy_list(int argc, const char **argv)
479 account_policy_names_list(&names, &count);
481 d_fprintf(stderr, "Valid account policies "
483 for (i = 0; i < count ; i++) {
484 d_fprintf(stderr, "%s\n", names[i]);
491 static int net_sam_policy(int argc, const char **argv)
493 struct functable2 func[] = {
494 { "list", net_sam_policy_list,
495 "List account policies" },
496 { "show", net_sam_policy_show,
497 "Show account policies" },
498 { "set", net_sam_policy_set,
499 "Change account policies" },
503 return net_run_function2(argc, argv, "net sam policy", func);
507 * Map a unix group to a domain group
510 static int net_sam_mapunixgroup(int argc, const char **argv)
517 d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n");
521 grp = getgrnam(argv[0]);
523 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
527 status = map_unix_group(grp, &map);
529 if (!NT_STATUS_IS_OK(status)) {
530 d_fprintf(stderr, "Mapping group %s failed with %s\n",
531 argv[0], nt_errstr(status));
535 d_printf("Mapped unix group %s to SID %s\n", argv[0],
536 sid_string_static(&map.sid));
542 * Create a local group
545 static int net_sam_createlocalgroup(int argc, const char **argv)
551 d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n");
555 if (!winbind_ping()) {
556 d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
557 "only works when winbind runs.\n");
561 status = pdb_create_alias(argv[0], &rid);
563 if (!NT_STATUS_IS_OK(status)) {
564 d_fprintf(stderr, "Creating %s failed with %s\n",
565 argv[0], nt_errstr(status));
569 d_printf("Created local group %s with RID %d\n", argv[0], rid);
575 * Delete a local group
578 static int net_sam_deletelocalgroup(int argc, const char **argv)
581 enum lsa_SidType type;
582 const char *dom, *name;
586 d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n");
590 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
591 &dom, &name, &sid, &type)) {
592 d_fprintf(stderr, "Could not find %s.\n", argv[0]);
596 if (type != SID_NAME_ALIAS) {
597 d_fprintf(stderr, "%s is a %s, not a local group.\n", argv[0],
598 sid_type_lookup(type));
602 status = pdb_delete_alias(&sid);
604 if (!NT_STATUS_IS_OK(status)) {
605 d_fprintf(stderr, "Deleting local group %s failed with %s\n",
606 argv[0], nt_errstr(status));
610 d_printf("Deleted local group %s.\n", argv[0]);
616 * Create a local group
619 static int net_sam_createbuiltingroup(int argc, const char **argv)
623 enum lsa_SidType type;
628 d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n");
632 if (!winbind_ping()) {
633 d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
634 "only works when winbind runs.\n");
638 /* validate the name and get the group */
640 fstrcpy( groupname, "BUILTIN\\" );
641 fstrcat( groupname, argv[0] );
643 if ( !lookup_name(tmp_talloc_ctx(), groupname, LOOKUP_NAME_ALL, NULL,
644 NULL, &sid, &type)) {
645 d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]);
649 if ( !sid_peek_rid( &sid, &rid ) ) {
650 d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]);
654 status = pdb_create_builtin_alias( rid );
656 if (!NT_STATUS_IS_OK(status)) {
657 d_fprintf(stderr, "Creating %s failed with %s\n",
658 argv[0], nt_errstr(status));
662 d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid);
671 static int net_sam_addmem(int argc, const char **argv)
673 const char *groupdomain, *groupname, *memberdomain, *membername;
674 DOM_SID group, member;
675 enum lsa_SidType grouptype, membertype;
679 d_fprintf(stderr, "usage: net sam addmem <group> <member>\n");
683 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
684 &groupdomain, &groupname, &group, &grouptype)) {
685 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
689 /* check to see if the member to be added is a name or a SID */
691 if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_ISOLATED,
692 &memberdomain, &membername, &member, &membertype))
694 /* try it as a SID */
696 if ( !string_to_sid( &member, argv[1] ) ) {
697 d_fprintf(stderr, "Could not find member %s\n", argv[1]);
701 if ( !lookup_sid(tmp_talloc_ctx(), &member, &memberdomain,
702 &membername, &membertype) )
704 d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]);
709 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
710 if ((membertype != SID_NAME_USER) &&
711 (membertype != SID_NAME_DOM_GRP)) {
712 d_fprintf(stderr, "%s is a local group, only users "
713 "and domain groups can be added.\n"
714 "%s is a %s\n", argv[0], argv[1],
715 sid_type_lookup(membertype));
718 status = pdb_add_aliasmem(&group, &member);
720 if (!NT_STATUS_IS_OK(status)) {
721 d_fprintf(stderr, "Adding local group member failed "
722 "with %s\n", nt_errstr(status));
726 d_fprintf(stderr, "Can only add members to local groups so "
727 "far, %s is a %s\n", argv[0],
728 sid_type_lookup(grouptype));
732 d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername,
733 groupdomain, groupname);
739 * Delete a group member
742 static int net_sam_delmem(int argc, const char **argv)
744 const char *groupdomain, *groupname;
745 const char *memberdomain = NULL;
746 const char *membername = NULL;
747 DOM_SID group, member;
748 enum lsa_SidType grouptype;
752 d_fprintf(stderr, "usage: net sam delmem <group> <member>\n");
756 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
757 &groupdomain, &groupname, &group, &grouptype)) {
758 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
762 if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_ISOLATED,
763 &memberdomain, &membername, &member, NULL)) {
764 if (!string_to_sid(&member, argv[1])) {
765 d_fprintf(stderr, "Could not find member %s\n",
771 if ((grouptype == SID_NAME_ALIAS) ||
772 (grouptype == SID_NAME_WKN_GRP)) {
773 status = pdb_del_aliasmem(&group, &member);
775 if (!NT_STATUS_IS_OK(status)) {
776 d_fprintf(stderr, "Deleting local group member failed "
777 "with %s\n", nt_errstr(status));
781 d_fprintf(stderr, "Can only delete members from local groups "
782 "so far, %s is a %s\n", argv[0],
783 sid_type_lookup(grouptype));
787 if (membername != NULL) {
788 d_printf("Deleted %s\\%s from %s\\%s\n",
789 memberdomain, membername, groupdomain, groupname);
791 d_printf("Deleted %s from %s\\%s\n",
792 sid_string_static(&member), groupdomain, groupname);
802 static int net_sam_listmem(int argc, const char **argv)
804 const char *groupdomain, *groupname;
806 enum lsa_SidType grouptype;
810 d_fprintf(stderr, "usage: net sam listmem <group>\n");
814 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
815 &groupdomain, &groupname, &group, &grouptype)) {
816 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
820 if ((grouptype == SID_NAME_ALIAS) ||
821 (grouptype == SID_NAME_WKN_GRP)) {
822 DOM_SID *members = NULL;
823 size_t i, num_members = 0;
825 status = pdb_enum_aliasmem(&group, &members, &num_members);
827 if (!NT_STATUS_IS_OK(status)) {
828 d_fprintf(stderr, "Listing group members failed with "
829 "%s\n", nt_errstr(status));
833 d_printf("%s\\%s has %u members\n", groupdomain, groupname,
834 (unsigned int)num_members);
835 for (i=0; i<num_members; i++) {
836 const char *dom, *name;
837 if (lookup_sid(tmp_talloc_ctx(), &members[i],
838 &dom, &name, NULL)) {
839 d_printf(" %s\\%s\n", dom, name);
842 sid_string_static(&members[i]));
846 d_fprintf(stderr, "Can only list local group members so far.\n"
847 "%s is a %s\n", argv[0], sid_type_lookup(grouptype));
857 static int net_sam_do_list(int argc, const char **argv,
858 struct pdb_search *search, const char *what)
860 BOOL verbose = (argc == 1);
863 ((argc == 1) && !strequal(argv[0], "verbose"))) {
864 d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what);
868 if (search == NULL) {
869 d_fprintf(stderr, "Could not start search\n");
874 struct samr_displayentry entry;
875 if (!search->next_entry(search, &entry)) {
879 d_printf("%s:%d:%s\n",
884 d_printf("%s\n", entry.account_name);
888 search->search_end(search);
892 static int net_sam_list_users(int argc, const char **argv)
894 return net_sam_do_list(argc, argv, pdb_search_users(ACB_NORMAL),
898 static int net_sam_list_groups(int argc, const char **argv)
900 return net_sam_do_list(argc, argv, pdb_search_groups(), "groups");
903 static int net_sam_list_localgroups(int argc, const char **argv)
905 return net_sam_do_list(argc, argv,
906 pdb_search_aliases(get_global_sam_sid()),
910 static int net_sam_list_builtin(int argc, const char **argv)
912 return net_sam_do_list(argc, argv,
913 pdb_search_aliases(&global_sid_Builtin),
917 static int net_sam_list_workstations(int argc, const char **argv)
919 return net_sam_do_list(argc, argv,
920 pdb_search_users(ACB_WSTRUST),
928 static int net_sam_list(int argc, const char **argv)
930 struct functable2 func[] = {
931 { "users", net_sam_list_users,
933 { "groups", net_sam_list_groups,
935 { "localgroups", net_sam_list_localgroups,
936 "List SAM local groups" },
937 { "builtin", net_sam_list_builtin,
938 "List builtin groups" },
939 { "workstations", net_sam_list_workstations,
940 "List domain member workstations" },
944 return net_run_function2(argc, argv, "net sam list", func);
948 * Show details of SAM entries
951 static int net_sam_show(int argc, const char **argv)
954 enum lsa_SidType type;
955 const char *dom, *name;
958 d_fprintf(stderr, "usage: net sam show <name>\n");
962 if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
963 &dom, &name, &sid, &type)) {
964 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
968 d_printf("%s\\%s is a %s with SID %s\n", dom, name,
969 sid_type_lookup(type), sid_string_static(&sid));
977 * Init an LDAP tree with default users and Groups
978 * if ldapsam:editposix is enabled
981 static int net_sam_provision(int argc, const char **argv)
985 char *ldap_uri = NULL;
987 struct smbldap_state *ls;
990 gid_t domusers_gid = -1;
991 gid_t domadmins_gid = -1;
992 struct samu *samuser;
995 tc = talloc_new(NULL);
997 d_fprintf(stderr, "Out of Memory!\n");
1001 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1002 d_fprintf(stderr, "talloc failed\n");
1006 p = strchr(ldap_bk, ':');
1009 ldap_uri = talloc_strdup(tc, p+1);
1010 trim_char(ldap_uri, ' ', ' ');
1013 trim_char(ldap_bk, ' ', ' ');
1015 if (strcmp(ldap_bk, "ldapsam") != 0) {
1016 d_fprintf(stderr, "Provisioning works only with ldapsam backend\n");
1020 if (!lp_parm_bool(-1, "ldapsam", "trusted", False) ||
1021 !lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1023 d_fprintf(stderr, "Provisioning works only if ldapsam:trusted"
1024 " and ldapsam:editposix are enabled.\n");
1028 if (!winbind_ping()) {
1029 d_fprintf(stderr, "winbind seems not to run. Provisioning "
1030 "LDAP only works when winbind runs.\n");
1034 if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
1035 d_fprintf(stderr, "Unable to connect to the LDAP server.\n");
1039 d_printf("Checking for Domain Users group.\n");
1041 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
1043 if (!pdb_getgrsid(&gmap, gsid)) {
1044 LDAPMod **mods = NULL;
1052 d_printf("Adding the Domain Users group.\n");
1054 /* lets allocate a new groupid for this group */
1055 if (!winbind_allocate_gid(&domusers_gid)) {
1056 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n");
1060 uname = talloc_strdup(tc, "domusers");
1061 wname = talloc_strdup(tc, "Domain Users");
1062 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
1063 gidstr = talloc_asprintf(tc, "%d", domusers_gid);
1064 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1066 if (!uname || !wname || !dn || !gidstr || !gtype) {
1067 d_fprintf(stderr, "Out of Memory!\n");
1071 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
1072 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1073 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1074 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1075 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1076 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
1077 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1079 talloc_autofree_ldapmod(tc, mods);
1081 rc = smbldap_add(ls, dn, mods);
1083 if (rc != LDAP_SUCCESS) {
1084 d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n");
1087 domusers_gid = gmap.gid;
1088 d_printf("found!\n");
1093 d_printf("Checking for Domain Admins group.\n");
1095 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
1097 if (!pdb_getgrsid(&gmap, gsid)) {
1098 LDAPMod **mods = NULL;
1106 d_printf("Adding the Domain Admins group.\n");
1108 /* lets allocate a new groupid for this group */
1109 if (!winbind_allocate_gid(&domadmins_gid)) {
1110 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n");
1114 uname = talloc_strdup(tc, "domadmins");
1115 wname = talloc_strdup(tc, "Domain Admins");
1116 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
1117 gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
1118 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1120 if (!uname || !wname || !dn || !gidstr || !gtype) {
1121 d_fprintf(stderr, "Out of Memory!\n");
1125 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
1126 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1127 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1128 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1129 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1130 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
1131 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1133 talloc_autofree_ldapmod(tc, mods);
1135 rc = smbldap_add(ls, dn, mods);
1137 if (rc != LDAP_SUCCESS) {
1138 d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n");
1141 domadmins_gid = gmap.gid;
1142 d_printf("found!\n");
1147 d_printf("Check for Administrator account.\n");
1149 samuser = samu_new(tc);
1151 d_fprintf(stderr, "Out of Memory!\n");
1155 if (!pdb_getsampwnam(samuser, "Administrator")) {
1156 LDAPMod **mods = NULL;
1167 d_printf("Adding the Administrator user.\n");
1169 if (domadmins_gid == -1) {
1170 d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n");
1173 if (!winbind_allocate_uid(&uid)) {
1174 d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n");
1177 name = talloc_strdup(tc, "Administrator");
1178 dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
1179 uidstr = talloc_asprintf(tc, "%d", uid);
1180 gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
1181 dir = talloc_sub_specified(tc, lp_template_homedir(),
1183 get_global_sam_name(),
1184 uid, domadmins_gid);
1185 shell = talloc_sub_specified(tc, lp_template_shell(),
1187 get_global_sam_name(),
1188 uid, domadmins_gid);
1190 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1191 d_fprintf(stderr, "Out of Memory!\n");
1195 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
1197 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1198 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1199 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1200 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1201 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1202 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1203 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1204 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1205 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1206 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1207 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_static(&sid));
1208 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1209 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1210 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1212 talloc_autofree_ldapmod(tc, mods);
1214 rc = smbldap_add(ls, dn, mods);
1216 if (rc != LDAP_SUCCESS) {
1217 d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n");
1220 d_printf("found!\n");
1223 d_printf("Checking for Guest user.\n");
1225 samuser = samu_new(tc);
1227 d_fprintf(stderr, "Out of Memory!\n");
1231 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1232 LDAPMod **mods = NULL;
1239 d_printf("Adding the Guest user.\n");
1241 pwd = getpwnam_alloc(tc, lp_guestaccount());
1244 if (domusers_gid == -1) {
1245 d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n");
1248 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1249 d_fprintf(stderr, "talloc failed\n");
1252 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1253 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1254 d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n");
1257 pwd->pw_gid = domusers_gid;
1258 pwd->pw_dir = talloc_strdup(tc, "/");
1259 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1260 if (!pwd->pw_dir || !pwd->pw_shell) {
1261 d_fprintf(stderr, "Out of Memory!\n");
1266 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
1268 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
1269 uidstr = talloc_asprintf(tc, "%d", pwd->pw_uid);
1270 gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
1271 if (!dn || !uidstr || !gidstr) {
1272 d_fprintf(stderr, "Out of Memory!\n");
1276 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1277 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1278 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1279 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
1280 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
1281 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
1282 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1283 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1284 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
1285 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
1287 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
1288 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
1290 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_static(&sid));
1291 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1292 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1293 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1295 talloc_autofree_ldapmod(tc, mods);
1297 rc = smbldap_add(ls, dn, mods);
1299 if (rc != LDAP_SUCCESS) {
1300 d_fprintf(stderr, "Failed to add Guest user to ldap directory\n");
1303 d_printf("found!\n");
1306 d_printf("Checking Guest's group.\n");
1308 pwd = getpwnam_alloc(NULL, lp_guestaccount());
1310 d_fprintf(stderr, "Failed to find just created Guest account!\n"
1311 " Is nss properly configured?!\n");
1315 if (pwd->pw_gid == domusers_gid) {
1316 d_printf("found!\n");
1320 if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
1321 LDAPMod **mods = NULL;
1329 d_printf("Adding the Domain Guests group.\n");
1331 uname = talloc_strdup(tc, "domguests");
1332 wname = talloc_strdup(tc, "Domain Guests");
1333 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
1334 gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
1335 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1337 if (!uname || !wname || !dn || !gidstr || !gtype) {
1338 d_fprintf(stderr, "Out of Memory!\n");
1342 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
1344 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
1345 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1346 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1347 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1348 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1349 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
1350 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1352 talloc_autofree_ldapmod(tc, mods);
1354 rc = smbldap_add(ls, dn, mods);
1356 if (rc != LDAP_SUCCESS) {
1357 d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n");
1360 d_printf("found!\n");
1375 /***********************************************************
1376 migrated functionality from smbgroupedit
1377 **********************************************************/
1378 int net_sam(int argc, const char **argv)
1380 struct functable2 func[] = {
1381 { "createbuiltingroup", net_sam_createbuiltingroup,
1382 "Create a new BUILTIN group" },
1383 { "createlocalgroup", net_sam_createlocalgroup,
1384 "Create a new local group" },
1385 { "deletelocalgroup", net_sam_deletelocalgroup,
1386 "Delete an existing local group" },
1387 { "mapunixgroup", net_sam_mapunixgroup,
1388 "Map a unix group to a domain group" },
1389 { "addmem", net_sam_addmem,
1390 "Add a member to a group" },
1391 { "delmem", net_sam_delmem,
1392 "Delete a member from a group" },
1393 { "listmem", net_sam_listmem,
1394 "List group members" },
1395 { "list", net_sam_list,
1396 "List users, groups and local groups" },
1397 { "show", net_sam_show,
1398 "Show details of a SAM entry" },
1399 { "set", net_sam_set,
1400 "Set details of a SAM account" },
1401 { "policy", net_sam_policy,
1402 "Set account policies" },
1404 { "provision", net_sam_provision,
1405 "Provision a clean User Database" },
1407 { NULL, NULL, NULL }
1410 /* we shouldn't have silly checks like this */
1411 if (getuid() != 0) {
1412 d_fprintf(stderr, "You must be root to edit the SAM "
1417 return net_run_function2(argc, argv, "net sam", func);