2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "utils/net.h"
28 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
30 bool (*fn)(struct samu *, const char *,
31 enum pdb_value_state))
33 struct samu *sam_acct = NULL;
35 enum lsa_SidType type;
36 const char *dom, *name;
39 if (argc != 2 || c->display_usage) {
40 d_fprintf(stderr, _("Usage:"),_(" net sam set %s <user> <value>\n"),
45 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
46 &dom, &name, &sid, &type)) {
47 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
51 if (type != SID_NAME_USER) {
52 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
53 sid_type_lookup(type));
57 if ( !(sam_acct = samu_new( NULL )) ) {
58 d_fprintf(stderr, _("Internal error\n"));
62 if (!pdb_getsampwsid(sam_acct, &sid)) {
63 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
67 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
68 d_fprintf(stderr, _("Internal error\n"));
72 status = pdb_update_sam_account(sam_acct);
73 if (!NT_STATUS_IS_OK(status)) {
74 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
75 argv[0], nt_errstr(status));
79 TALLOC_FREE(sam_acct);
81 d_printf(_("Updated %s for %s\\%s to %s\n"), field, dom, name, argv[1]);
85 static int net_sam_set_fullname(struct net_context *c, int argc,
88 return net_sam_userset(c, argc, argv, "fullname",
92 static int net_sam_set_logonscript(struct net_context *c, int argc,
95 return net_sam_userset(c, argc, argv, "logonscript",
96 pdb_set_logon_script);
99 static int net_sam_set_profilepath(struct net_context *c, int argc,
102 return net_sam_userset(c, argc, argv, "profilepath",
103 pdb_set_profile_path);
106 static int net_sam_set_homedrive(struct net_context *c, int argc,
109 return net_sam_userset(c, argc, argv, "homedrive",
113 static int net_sam_set_homedir(struct net_context *c, int argc,
116 return net_sam_userset(c, argc, argv, "homedir",
120 static int net_sam_set_workstations(struct net_context *c, int argc,
123 return net_sam_userset(c, argc, argv, "workstations",
124 pdb_set_workstations);
131 static int net_sam_set_userflag(struct net_context *c, int argc,
132 const char **argv, const char *field,
135 struct samu *sam_acct = NULL;
137 enum lsa_SidType type;
138 const char *dom, *name;
142 if ((argc != 2) || c->display_usage ||
143 (!strequal(argv[1], "yes") &&
144 !strequal(argv[1], "no"))) {
145 d_fprintf(stderr, _("Usage:"),_(" net sam set %s <user> [yes|no]\n"),
150 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
151 &dom, &name, &sid, &type)) {
152 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
156 if (type != SID_NAME_USER) {
157 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
158 sid_type_lookup(type));
162 if ( !(sam_acct = samu_new( NULL )) ) {
163 d_fprintf(stderr, _("Internal error\n"));
167 if (!pdb_getsampwsid(sam_acct, &sid)) {
168 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
172 acct_flags = pdb_get_acct_ctrl(sam_acct);
174 if (strequal(argv[1], "yes")) {
180 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
182 status = pdb_update_sam_account(sam_acct);
183 if (!NT_STATUS_IS_OK(status)) {
184 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
185 argv[0], nt_errstr(status));
189 TALLOC_FREE(sam_acct);
191 d_fprintf(stderr, _("Updated flag %s for %s\\%s to %s\n"), field, dom,
196 static int net_sam_set_disabled(struct net_context *c, int argc,
199 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
202 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
205 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
208 static int net_sam_set_autolock(struct net_context *c, int argc,
211 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
214 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
217 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
221 * Set pass last change time, based on force pass change now
224 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
227 struct samu *sam_acct = NULL;
229 enum lsa_SidType type;
230 const char *dom, *name;
233 if ((argc != 2) || c->display_usage ||
234 (!strequal(argv[1], "yes") &&
235 !strequal(argv[1], "no"))) {
237 _("Usage:"),_(" net sam set pwdmustchangenow <user> "
242 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
243 &dom, &name, &sid, &type)) {
244 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
248 if (type != SID_NAME_USER) {
249 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
250 sid_type_lookup(type));
254 if ( !(sam_acct = samu_new( NULL )) ) {
255 d_fprintf(stderr, _("Internal error\n"));
259 if (!pdb_getsampwsid(sam_acct, &sid)) {
260 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
264 if (strequal(argv[1], "yes")) {
265 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
267 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
270 status = pdb_update_sam_account(sam_acct);
271 if (!NT_STATUS_IS_OK(status)) {
272 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
273 argv[0], nt_errstr(status));
277 TALLOC_FREE(sam_acct);
279 d_fprintf(stderr, _("Updated 'user must change password at next logon' "
280 "for %s\\%s to %s\n"), dom,
287 * Set a user's or a group's comment
290 static int net_sam_set_comment(struct net_context *c, int argc,
295 enum lsa_SidType type;
296 const char *dom, *name;
299 if (argc != 2 || c->display_usage) {
300 d_fprintf(stderr, _("Usage:"),_(" net sam set comment <name> "
305 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
306 &dom, &name, &sid, &type)) {
307 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
311 if (type == SID_NAME_USER) {
312 return net_sam_userset(c, argc, argv, "comment",
316 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
317 (type != SID_NAME_WKN_GRP)) {
318 d_fprintf(stderr, _("%s is a %s, not a group\n"), argv[0],
319 sid_type_lookup(type));
323 if (!pdb_getgrsid(&map, sid)) {
324 d_fprintf(stderr, _("Could not load group %s\n"), argv[0]);
328 fstrcpy(map.comment, argv[1]);
330 status = pdb_update_group_mapping_entry(&map);
332 if (!NT_STATUS_IS_OK(status)) {
333 d_fprintf(stderr, _("Updating group mapping entry failed with "
334 "%s\n"), nt_errstr(status));
338 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
344 static int net_sam_set(struct net_context *c, int argc, const char **argv)
346 struct functable func[] = {
351 N_("Change a user's home directory"),
352 N_("net sam set homedir\n"
353 " Change a user's home directory")
357 net_sam_set_profilepath,
359 N_("Change a user's profile path"),
360 N_("net sam set profilepath\n"
361 " Change a user's profile path")
367 N_("Change a users or groups description"),
368 N_("net sam set comment\n"
369 " Change a users or groups description")
373 net_sam_set_fullname,
375 N_("Change a user's full name"),
376 N_("net sam set fullname\n"
377 " Change a user's full name")
381 net_sam_set_logonscript,
383 N_("Change a user's logon script"),
384 N_("net sam set logonscript\n"
385 " Change a user's logon script")
389 net_sam_set_homedrive,
391 N_("Change a user's home drive"),
392 N_("net sam set homedrive\n"
393 " Change a user's home drive")
397 net_sam_set_workstations,
399 N_("Change a user's allowed workstations"),
400 N_("net sam set workstations\n"
401 " Change a user's allowed workstations")
405 net_sam_set_disabled,
407 N_("Disable/Enable a user"),
408 N_("net sam set disable\n"
409 " Disable/Enable a user")
413 net_sam_set_pwnotreq,
415 N_("Disable/Enable the password not required flag"),
416 N_("net sam set pwnotreq\n"
417 " Disable/Enable the password not required flag")
421 net_sam_set_autolock,
423 N_("Disable/Enable a user's lockout flag"),
424 N_("net sam set autolock\n"
425 " Disable/Enable a user's lockout flag")
431 N_("Disable/Enable whether a user's pw does not "
433 N_("net sam set pwnoexp\n"
434 " Disable/Enable whether a user's pw does not "
439 net_sam_set_pwdmustchangenow,
441 N_("Force users password must change at next logon"),
442 N_("net sam set pwdmustchangenow\n"
443 " Force users password must change at next logon")
445 {NULL, NULL, 0, NULL, NULL}
448 return net_run_function(c, argc, argv, "net sam set", func);
452 * Manage account policies
455 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
457 const char *account_policy = NULL;
459 uint32 old_value = 0;
460 enum pdb_policy_type field;
463 if (argc != 2 || c->display_usage) {
464 d_fprintf(stderr, _("Usage:"),_(" net sam policy set "
465 "\"<account policy>\" <value> \n"));
469 account_policy = argv[0];
470 field = account_policy_name_to_typenum(account_policy);
472 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
473 || strequal(argv[1], "off")) {
477 value = strtoul(argv[1], &endptr, 10);
479 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
480 d_printf(_("Unable to set policy \"%s\"! Invalid value "
482 account_policy, argv[1]);
491 account_policy_names_list(&names, &count);
492 d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
493 d_fprintf(stderr, _("Valid account policies are:\n"));
495 for (i=0; i<count; i++) {
496 d_fprintf(stderr, "%s\n", names[i]);
503 if (!pdb_get_account_policy(field, &old_value)) {
504 d_fprintf(stderr, _("Valid account policy, but unable to fetch "
507 d_printf(_("Account policy \"%s\" value was: %d\n"),
508 account_policy, old_value);
511 if (!pdb_set_account_policy(field, value)) {
512 d_fprintf(stderr, _("Valid account policy, but unable to "
516 d_printf(_("Account policy \"%s\" value is now: %d\n"),
517 account_policy, value);
523 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
525 const char *account_policy = NULL;
527 enum pdb_policy_type field;
529 if (argc != 1 || c->display_usage) {
530 d_fprintf(stderr, _("Usage:"),_(" net sam policy show"
531 " \"<account policy>\" \n"));
535 account_policy = argv[0];
536 field = account_policy_name_to_typenum(account_policy);
542 account_policy_names_list(&names, &count);
543 d_fprintf(stderr, _("No account policy by that name!\n"));
545 d_fprintf(stderr, _("Valid account policies "
547 for (i=0; i<count; i++) {
548 d_fprintf(stderr, "%s\n", names[i]);
555 if (!pdb_get_account_policy(field, &old_value)) {
556 fprintf(stderr, _("Valid account policy, but unable to "
561 printf(_("Account policy \"%s\" description: %s\n"),
562 account_policy, account_policy_get_desc(field));
563 printf(_("Account policy \"%s\" value is: %d\n"), account_policy,
568 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
574 if (c->display_usage) {
575 d_printf(_("Usage:\n"),
576 "net sam policy list\n"
577 " ",_("List account policies\n"));
581 account_policy_names_list(&names, &count);
583 d_fprintf(stderr, _("Valid account policies "
585 for (i = 0; i < count ; i++) {
586 d_fprintf(stderr, "%s\n", names[i]);
593 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
595 struct functable func[] = {
600 N_("List account policies"),
601 N_("net sam policy list\n"
602 " List account policies")
608 N_("Show account policies"),
609 N_("net sam policy show\n"
610 " Show account policies")
616 N_("Change account policies"),
617 N_("net sam policy set\n"
618 " Change account policies")
620 {NULL, NULL, 0, NULL, NULL}
623 return net_run_function(c, argc, argv, "net sam policy", func);
626 extern PRIVS privs[];
628 static int net_sam_rights_list(struct net_context *c, int argc,
633 if (argc > 1 || c->display_usage) {
634 d_fprintf(stderr, _("Usage:"),
635 _(" net sam rights list [privilege name]\n"));
641 int num = count_all_privileges();
643 for (i=0; i<num; i++) {
644 d_printf("%s\n", privs[i].name);
649 if (se_priv_from_name(argv[0], &mask)) {
654 status = privilege_enum_sids(&mask, talloc_tos(),
656 if (!NT_STATUS_IS_OK(status)) {
657 d_fprintf(stderr, _("Could not list rights: %s\n"),
662 for (i=0; i<num_sids; i++) {
663 const char *dom, *name;
664 enum lsa_SidType type;
666 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
668 d_printf("%s\\%s\n", dom, name);
671 d_printf("%s\n", sid_string_tos(&sids[i]));
680 static int net_sam_rights_grant(struct net_context *c, int argc,
684 enum lsa_SidType type;
685 const char *dom, *name;
689 if (argc < 2 || c->display_usage) {
690 d_fprintf(stderr, _("Usage:"),_(" net sam rights grant <name> "
695 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
696 &dom, &name, &sid, &type)) {
697 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
701 for (i=1; i < argc; i++) {
702 if (!se_priv_from_name(argv[i], &mask)) {
703 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
707 if (!grant_privilege(&sid, &mask)) {
708 d_fprintf(stderr, _("Could not grant privilege\n"));
712 d_printf(_("Granted %s to %s\\%s\n"), argv[i], dom, name);
718 static int net_sam_rights_revoke(struct net_context *c, int argc,
722 enum lsa_SidType type;
723 const char *dom, *name;
727 if (argc < 2 || c->display_usage) {
728 d_fprintf(stderr, _("Usage:"),_(" net sam rights revoke <name> "
733 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
734 &dom, &name, &sid, &type)) {
735 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
739 for (i=1; i < argc; i++) {
741 if (!se_priv_from_name(argv[i], &mask)) {
742 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
746 if (!revoke_privilege(&sid, &mask)) {
747 d_fprintf(stderr, _("Could not revoke privilege\n"));
751 d_printf(_("Revoked %s from %s\\%s\n"), argv[i], dom, name);
757 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
759 struct functable func[] = {
764 N_("List possible user rights"),
765 N_("net sam rights list\n"
766 " List possible user rights")
770 net_sam_rights_grant,
772 N_("Grant right(s)"),
773 N_("net sam rights grant\n"
778 net_sam_rights_revoke,
780 N_("Revoke right(s)"),
781 N_("net sam rights revoke\n"
784 {NULL, NULL, 0, NULL, NULL}
786 return net_run_function(c, argc, argv, "net sam rights", func);
790 * Map a unix group to a domain group
793 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
797 const char *grpname, *dom, *name;
800 if (pdb_getgrgid(&map, grp->gr_gid)) {
801 return NT_STATUS_GROUP_EXISTS;
804 map.gid = grp->gr_gid;
805 grpname = grp->gr_name;
807 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
808 &dom, &name, NULL, NULL)) {
810 const char *tmp = talloc_asprintf(
811 talloc_tos(), "Unix Group %s", grp->gr_name);
813 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
814 grpname, dom, name, tmp));
818 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
819 NULL, NULL, NULL, NULL)) {
820 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
821 return NT_STATUS_GROUP_EXISTS;
824 fstrcpy(map.nt_name, grpname);
826 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
827 if (!pdb_new_rid(&rid)) {
828 DEBUG(3, ("Could not get a new RID for %s\n",
830 return NT_STATUS_ACCESS_DENIED;
833 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
836 sid_compose(&map.sid, get_global_sam_sid(), rid);
837 map.sid_name_use = SID_NAME_DOM_GRP;
838 fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s",
841 status = pdb_add_group_mapping_entry(&map);
842 if (NT_STATUS_IS_OK(status)) {
848 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
854 if (argc != 1 || c->display_usage) {
855 d_fprintf(stderr, _("Usage:"),_(" net sam mapunixgroup <name>\n"));
859 grp = getgrnam(argv[0]);
861 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
865 status = map_unix_group(grp, &map);
867 if (!NT_STATUS_IS_OK(status)) {
868 d_fprintf(stderr, _("Mapping group %s failed with %s\n"),
869 argv[0], nt_errstr(status));
873 d_printf(_("Mapped unix group %s to SID %s\n"), argv[0],
874 sid_string_tos(&map.sid));
880 * Remove a group mapping
883 static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
890 map.gid = grp->gr_gid;
891 grpname = grp->gr_name;
893 if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
894 NULL, NULL, NULL, NULL)) {
895 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
896 return NT_STATUS_NO_SUCH_GROUP;
899 fstrcpy(map.nt_name, grpname);
901 if (!pdb_gid_to_sid(map.gid, &dom_sid)) {
902 return NT_STATUS_UNSUCCESSFUL;
905 status = pdb_delete_group_mapping_entry(dom_sid);
910 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
916 if (argc != 1 || c->display_usage) {
917 d_fprintf(stderr, _("Usage:"),_(" net sam unmapunixgroup <name>\n"));
921 grp = getgrnam(argv[0]);
923 d_fprintf(stderr, _("Could not find mapping for group %s.\n"),
928 status = unmap_unix_group(grp, &map);
930 if (!NT_STATUS_IS_OK(status)) {
931 d_fprintf(stderr, _("Unmapping group %s failed with %s.\n"),
932 argv[0], nt_errstr(status));
936 d_printf(_("Unmapped unix group %s.\n"), argv[0]);
942 * Create a domain group
945 static int net_sam_createdomaingroup(struct net_context *c, int argc,
951 if (argc != 1 || c->display_usage) {
953 _("Usage:"),_(" net sam createdomaingroup <name>\n"));
957 status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
959 if (!NT_STATUS_IS_OK(status)) {
960 d_fprintf(stderr, _("Creating %s failed with %s\n"),
961 argv[0], nt_errstr(status));
965 d_printf(_("Created domain group %s with RID %d\n"), argv[0], rid);
971 * Delete a domain group
974 static int net_sam_deletedomaingroup(struct net_context *c, int argc,
979 enum lsa_SidType type;
980 const char *dom, *name;
983 if (argc != 1 || c->display_usage) {
984 d_fprintf(stderr,_("Usage:"),_(" net sam deletelocalgroup <name>\n"));
988 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
989 &dom, &name, &sid, &type)) {
990 d_fprintf(stderr, _("Could not find %s.\n"), argv[0]);
994 if (type != SID_NAME_DOM_GRP) {
995 d_fprintf(stderr, _("%s is a %s, not a domain group.\n"),
996 argv[0], sid_type_lookup(type));
1000 sid_peek_rid(&sid, &rid);
1002 status = pdb_delete_dom_group(talloc_tos(), rid);
1004 if (!NT_STATUS_IS_OK(status)) {
1005 d_fprintf(stderr,_("Deleting domain group %s failed with %s\n"),
1006 argv[0], nt_errstr(status));
1010 d_printf(_("Deleted domain group %s.\n"), argv[0]);
1016 * Create a local group
1019 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1024 if (argc != 1 || c->display_usage) {
1025 d_fprintf(stderr,_("Usage:"),_(" net sam createlocalgroup <name>\n"));
1029 if (!winbind_ping()) {
1030 d_fprintf(stderr, _("winbind seems not to run. "
1031 "createlocalgroup only works when winbind runs.\n"));
1035 status = pdb_create_alias(argv[0], &rid);
1037 if (!NT_STATUS_IS_OK(status)) {
1038 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1039 argv[0], nt_errstr(status));
1043 d_printf(_("Created local group %s with RID %d\n"), argv[0], rid);
1049 * Delete a local group
1052 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1055 enum lsa_SidType type;
1056 const char *dom, *name;
1059 if (argc != 1 || c->display_usage) {
1060 d_fprintf(stderr,_("Usage:"),_(" net sam deletelocalgroup <name>\n"));
1064 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1065 &dom, &name, &sid, &type)) {
1066 d_fprintf(stderr,_("Could not find %s.\n"), argv[0]);
1070 if (type != SID_NAME_ALIAS) {
1071 d_fprintf(stderr, _("%s is a %s, not a local group.\n"),argv[0],
1072 sid_type_lookup(type));
1076 status = pdb_delete_alias(&sid);
1078 if (!NT_STATUS_IS_OK(status)) {
1079 d_fprintf(stderr, _("Deleting local group %s failed with %s\n"),
1080 argv[0], nt_errstr(status));
1084 d_printf(_("Deleted local group %s.\n"), argv[0]);
1090 * Create a builtin group
1093 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1097 enum lsa_SidType type;
1101 if (argc != 1 || c->display_usage) {
1103 _("Usage:"),_(" net sam createbuiltingroup <name>\n"));
1107 if (!winbind_ping()) {
1108 d_fprintf(stderr, _("winbind seems not to run. "
1109 "createbuiltingroup only works when winbind "
1114 /* validate the name and get the group */
1116 fstrcpy( groupname, "BUILTIN\\" );
1117 fstrcat( groupname, argv[0] );
1119 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1120 NULL, &sid, &type)) {
1121 d_fprintf(stderr, _("%s is not a BUILTIN group\n"), argv[0]);
1125 if ( !sid_peek_rid( &sid, &rid ) ) {
1126 d_fprintf(stderr, _("Failed to get RID for %s\n"), argv[0]);
1130 status = pdb_create_builtin_alias( rid );
1132 if (!NT_STATUS_IS_OK(status)) {
1133 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1134 argv[0], nt_errstr(status));
1138 d_printf(_("Created BUILTIN group %s with RID %d\n"), argv[0], rid);
1144 * Add a group member
1147 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1149 const char *groupdomain, *groupname, *memberdomain, *membername;
1150 DOM_SID group, member;
1151 enum lsa_SidType grouptype, membertype;
1154 if (argc != 2 || c->display_usage) {
1155 d_fprintf(stderr,_("Usage:"),_(" net sam addmem <group> <member>\n"));
1159 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1160 &groupdomain, &groupname, &group, &grouptype)) {
1161 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1165 /* check to see if the member to be added is a name or a SID */
1167 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1168 &memberdomain, &membername, &member, &membertype))
1170 /* try it as a SID */
1172 if ( !string_to_sid( &member, argv[1] ) ) {
1173 d_fprintf(stderr, _("Could not find member %s\n"),
1178 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1179 &membername, &membertype) )
1181 d_fprintf(stderr, _("Could not resolve SID %s\n"),
1187 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1188 if ((membertype != SID_NAME_USER) &&
1189 (membertype != SID_NAME_DOM_GRP)) {
1190 d_fprintf(stderr, _("%s is a local group, only users "
1191 "and domain groups can be added.\n"
1192 "%s is a %s\n"), argv[0], argv[1],
1193 sid_type_lookup(membertype));
1196 status = pdb_add_aliasmem(&group, &member);
1198 if (!NT_STATUS_IS_OK(status)) {
1199 d_fprintf(stderr, _("Adding local group member failed "
1200 "with %s\n"), nt_errstr(status));
1203 } else if (grouptype == SID_NAME_DOM_GRP) {
1204 uint32_t grouprid, memberrid;
1206 sid_peek_rid(&group, &grouprid);
1207 sid_peek_rid(&member, &memberrid);
1209 status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1210 if (!NT_STATUS_IS_OK(status)) {
1211 d_fprintf(stderr, _("Adding domain group member failed "
1212 "with %s\n"), nt_errstr(status));
1216 d_fprintf(stderr, _("Can only add members to local groups so "
1217 "far, %s is a %s\n"), argv[0],
1218 sid_type_lookup(grouptype));
1222 d_printf(_("Added %s\\%s to %s\\%s\n"), memberdomain, membername,
1223 groupdomain, groupname);
1229 * Delete a group member
1232 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1234 const char *groupdomain, *groupname;
1235 const char *memberdomain = NULL;
1236 const char *membername = NULL;
1237 DOM_SID group, member;
1238 enum lsa_SidType grouptype;
1241 if (argc != 2 || c->display_usage) {
1242 d_fprintf(stderr,_("Usage:"),_(" net sam delmem <group> <member>\n"));
1246 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1247 &groupdomain, &groupname, &group, &grouptype)) {
1248 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1252 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1253 &memberdomain, &membername, &member, NULL)) {
1254 if (!string_to_sid(&member, argv[1])) {
1255 d_fprintf(stderr, _("Could not find member %s\n"),
1261 if ((grouptype == SID_NAME_ALIAS) ||
1262 (grouptype == SID_NAME_WKN_GRP)) {
1263 status = pdb_del_aliasmem(&group, &member);
1265 if (!NT_STATUS_IS_OK(status)) {
1266 d_fprintf(stderr,_("Deleting local group member failed "
1267 "with %s\n"), nt_errstr(status));
1270 } else if (grouptype == SID_NAME_DOM_GRP) {
1271 uint32_t grouprid, memberrid;
1273 sid_peek_rid(&group, &grouprid);
1274 sid_peek_rid(&member, &memberrid);
1276 status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1277 if (!NT_STATUS_IS_OK(status)) {
1278 d_fprintf(stderr, _("Deleting domain group member "
1279 "failed with %s\n"), nt_errstr(status));
1283 d_fprintf(stderr, _("Can only delete members from local groups "
1284 "so far, %s is a %s\n"), argv[0],
1285 sid_type_lookup(grouptype));
1289 if (membername != NULL) {
1290 d_printf(_("Deleted %s\\%s from %s\\%s\n"),
1291 memberdomain, membername, groupdomain, groupname);
1293 d_printf(_("Deleted %s from %s\\%s\n"),
1294 sid_string_tos(&member), groupdomain, groupname);
1301 * List group members
1304 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1306 const char *groupdomain, *groupname;
1308 DOM_SID *members = NULL;
1309 size_t i, num_members = 0;
1310 enum lsa_SidType grouptype;
1313 if (argc != 1 || c->display_usage) {
1314 d_fprintf(stderr, _("Usage:"),_(" net sam listmem <group>\n"));
1318 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1319 &groupdomain, &groupname, &group, &grouptype)) {
1320 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1324 if ((grouptype == SID_NAME_ALIAS) ||
1325 (grouptype == SID_NAME_WKN_GRP)) {
1326 status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1328 if (!NT_STATUS_IS_OK(status)) {
1329 d_fprintf(stderr, _("Listing group members failed with "
1330 "%s\n"), nt_errstr(status));
1333 } else if (grouptype == SID_NAME_DOM_GRP) {
1336 status = pdb_enum_group_members(talloc_tos(), &group,
1337 &rids, &num_members);
1338 if (!NT_STATUS_IS_OK(status)) {
1339 d_fprintf(stderr, _("Listing group members failed with "
1340 "%s\n"), nt_errstr(status));
1344 members = talloc_array(talloc_tos(), struct dom_sid,
1346 if (members == NULL) {
1351 for (i=0; i<num_members; i++) {
1352 sid_compose(&members[i], get_global_sam_sid(),
1357 d_fprintf(stderr,_("Can only list local group members so far.\n"
1358 "%s is a %s\n"), argv[0], sid_type_lookup(grouptype));
1362 d_printf(_("%s\\%s has %u members\n"), groupdomain, groupname,
1363 (unsigned int)num_members);
1364 for (i=0; i<num_members; i++) {
1365 const char *dom, *name;
1366 if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1367 d_printf(" %s\\%s\n", dom, name);
1369 d_printf(" %s\n", sid_string_tos(&members[i]));
1373 TALLOC_FREE(members);
1381 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1382 struct pdb_search *search, const char *what)
1384 bool verbose = (argc == 1);
1386 if ((argc > 1) || c->display_usage ||
1387 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1388 d_fprintf(stderr,_("Usage:"),_(" net sam list %s [verbose]\n"), what);
1392 if (search == NULL) {
1393 d_fprintf(stderr, _("Could not start search\n"));
1398 struct samr_displayentry entry;
1399 if (!search->next_entry(search, &entry)) {
1403 d_printf("%s:%d:%s\n",
1408 d_printf("%s\n", entry.account_name);
1412 TALLOC_FREE(search);
1416 static int net_sam_list_users(struct net_context *c, int argc,
1419 return net_sam_do_list(c, argc, argv,
1420 pdb_search_users(talloc_tos(), ACB_NORMAL),
1424 static int net_sam_list_groups(struct net_context *c, int argc,
1427 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1431 static int net_sam_list_localgroups(struct net_context *c, int argc,
1434 return net_sam_do_list(c, argc, argv,
1435 pdb_search_aliases(talloc_tos(),
1436 get_global_sam_sid()),
1440 static int net_sam_list_builtin(struct net_context *c, int argc,
1443 return net_sam_do_list(c, argc, argv,
1444 pdb_search_aliases(talloc_tos(),
1445 &global_sid_Builtin),
1449 static int net_sam_list_workstations(struct net_context *c, int argc,
1452 return net_sam_do_list(c, argc, argv,
1453 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1461 static int net_sam_list(struct net_context *c, int argc, const char **argv)
1463 struct functable func[] = {
1467 NET_TRANSPORT_LOCAL,
1468 N_("List SAM users"),
1469 N_("net sam list users\n"
1474 net_sam_list_groups,
1475 NET_TRANSPORT_LOCAL,
1476 N_("List SAM groups"),
1477 N_("net sam list groups\n"
1482 net_sam_list_localgroups,
1483 NET_TRANSPORT_LOCAL,
1484 N_("List SAM local groups"),
1485 N_("net sam list localgroups\n"
1486 " List SAM local groups")
1490 net_sam_list_builtin,
1491 NET_TRANSPORT_LOCAL,
1492 N_("List builtin groups"),
1493 N_("net sam list builtin\n"
1494 " List builtin groups")
1498 net_sam_list_workstations,
1499 NET_TRANSPORT_LOCAL,
1500 N_("List domain member workstations"),
1501 N_("net sam list workstations\n"
1502 " List domain member workstations")
1504 {NULL, NULL, 0, NULL, NULL}
1507 return net_run_function(c, argc, argv, "net sam list", func);
1511 * Show details of SAM entries
1514 static int net_sam_show(struct net_context *c, int argc, const char **argv)
1517 enum lsa_SidType type;
1518 const char *dom, *name;
1520 if (argc != 1 || c->display_usage) {
1521 d_fprintf(stderr, _("Usage:"),_(" net sam show <name>\n"));
1525 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1526 &dom, &name, &sid, &type)) {
1527 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
1531 d_printf(_("%s\\%s is a %s with SID %s\n"), dom, name,
1532 sid_type_lookup(type), sid_string_tos(&sid));
1540 * Init an LDAP tree with default users and Groups
1541 * if ldapsam:editposix is enabled
1544 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1548 char *ldap_uri = NULL;
1550 struct smbldap_state *ls;
1553 gid_t domusers_gid = -1;
1554 gid_t domadmins_gid = -1;
1555 struct samu *samuser;
1558 if (c->display_usage) {
1559 d_printf(_("Usage:\n"),
1560 "net sam provision\n"
1561 " ",_("Init an LDAP tree with default "
1566 tc = talloc_new(NULL);
1568 d_fprintf(stderr, _("Out of Memory!\n"));
1572 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1573 d_fprintf(stderr, _("talloc failed\n"));
1577 p = strchr(ldap_bk, ':');
1580 ldap_uri = talloc_strdup(tc, p+1);
1581 trim_char(ldap_uri, ' ', ' ');
1584 trim_char(ldap_bk, ' ', ' ');
1586 if (strcmp(ldap_bk, "ldapsam") != 0) {
1588 _("Provisioning works only with ldapsam backend\n"));
1592 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1593 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1595 d_fprintf(stderr, _("Provisioning works only if ldapsam:trusted"
1596 " and ldapsam:editposix are enabled.\n"));
1600 if (!winbind_ping()) {
1601 d_fprintf(stderr, _("winbind seems not to run. Provisioning "
1602 "LDAP only works when winbind runs.\n"));
1606 if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
1607 d_fprintf(stderr, _("Unable to connect to the LDAP server.\n"));
1611 d_printf(_("Checking for Domain Users group.\n"));
1613 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
1615 if (!pdb_getgrsid(&gmap, gsid)) {
1616 LDAPMod **mods = NULL;
1624 d_printf(_("Adding the Domain Users group.\n"));
1626 /* lets allocate a new groupid for this group */
1627 if (!winbind_allocate_gid(&domusers_gid)) {
1628 d_fprintf(stderr, _("Unable to allocate a new gid to "
1629 "create Domain Users group!\n"));
1633 uname = talloc_strdup(tc, "domusers");
1634 wname = talloc_strdup(tc, "Domain Users");
1635 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
1636 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1637 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1639 if (!uname || !wname || !dn || !gidstr || !gtype) {
1640 d_fprintf(stderr, "Out of Memory!\n");
1644 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1645 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1646 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1647 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1648 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1649 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1650 sid_string_talloc(tc, &gsid));
1651 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1653 talloc_autofree_ldapmod(tc, mods);
1655 rc = smbldap_add(ls, dn, mods);
1657 if (rc != LDAP_SUCCESS) {
1658 d_fprintf(stderr, _("Failed to add Domain Users group "
1659 "to ldap directory\n"));
1662 domusers_gid = gmap.gid;
1663 d_printf(_("found!\n"));
1668 d_printf(_("Checking for Domain Admins group.\n"));
1670 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
1672 if (!pdb_getgrsid(&gmap, gsid)) {
1673 LDAPMod **mods = NULL;
1681 d_printf(_("Adding the Domain Admins group.\n"));
1683 /* lets allocate a new groupid for this group */
1684 if (!winbind_allocate_gid(&domadmins_gid)) {
1685 d_fprintf(stderr, _("Unable to allocate a new gid to "
1686 "create Domain Admins group!\n"));
1690 uname = talloc_strdup(tc, "domadmins");
1691 wname = talloc_strdup(tc, "Domain Admins");
1692 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
1693 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1694 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1696 if (!uname || !wname || !dn || !gidstr || !gtype) {
1697 d_fprintf(stderr, _("Out of Memory!\n"));
1701 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1702 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1703 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1704 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1705 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1706 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1707 sid_string_talloc(tc, &gsid));
1708 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1710 talloc_autofree_ldapmod(tc, mods);
1712 rc = smbldap_add(ls, dn, mods);
1714 if (rc != LDAP_SUCCESS) {
1715 d_fprintf(stderr, _("Failed to add Domain Admins group "
1716 "to ldap directory\n"));
1719 domadmins_gid = gmap.gid;
1720 d_printf(_("found!\n"));
1725 d_printf(_("Check for Administrator account.\n"));
1727 samuser = samu_new(tc);
1729 d_fprintf(stderr, _("Out of Memory!\n"));
1733 if (!pdb_getsampwnam(samuser, "Administrator")) {
1734 LDAPMod **mods = NULL;
1745 d_printf(_("Adding the Administrator user.\n"));
1747 if (domadmins_gid == -1) {
1749 _("Can't create Administrator user, Domain "
1750 "Admins group not available!\n"));
1753 if (!winbind_allocate_uid(&uid)) {
1755 _("Unable to allocate a new uid to create "
1756 "the Administrator user!\n"));
1759 name = talloc_strdup(tc, "Administrator");
1760 dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
1761 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1762 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1763 dir = talloc_sub_specified(tc, lp_template_homedir(),
1765 get_global_sam_name(),
1766 uid, domadmins_gid);
1767 shell = talloc_sub_specified(tc, lp_template_shell(),
1769 get_global_sam_name(),
1770 uid, domadmins_gid);
1772 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1773 d_fprintf(stderr, _("Out of Memory!\n"));
1777 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
1779 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1780 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1781 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1782 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1783 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1784 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1785 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1786 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1787 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1788 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1789 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1790 sid_string_talloc(tc, &sid));
1791 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1792 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1793 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1795 talloc_autofree_ldapmod(tc, mods);
1797 rc = smbldap_add(ls, dn, mods);
1799 if (rc != LDAP_SUCCESS) {
1800 d_fprintf(stderr, _("Failed to add Administrator user "
1801 "to ldap directory\n"));
1804 d_printf(_("found!\n"));
1807 d_printf(_("Checking for Guest user.\n"));
1809 samuser = samu_new(tc);
1811 d_fprintf(stderr, _("Out of Memory!\n"));
1815 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1816 LDAPMod **mods = NULL;
1823 d_printf(_("Adding the Guest user.\n"));
1825 pwd = getpwnam_alloc(tc, lp_guestaccount());
1828 if (domusers_gid == -1) {
1830 _("Can't create Guest user, Domain "
1831 "Users group not available!\n"));
1834 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1835 d_fprintf(stderr, _("talloc failed\n"));
1838 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1839 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1841 _("Unable to allocate a new uid to "
1842 "create the Guest user!\n"));
1845 pwd->pw_gid = domusers_gid;
1846 pwd->pw_dir = talloc_strdup(tc, "/");
1847 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1848 if (!pwd->pw_dir || !pwd->pw_shell) {
1849 d_fprintf(stderr, _("Out of Memory!\n"));
1854 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
1856 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
1857 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
1858 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1859 if (!dn || !uidstr || !gidstr) {
1860 d_fprintf(stderr, _("Out of Memory!\n"));
1864 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1865 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1866 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1867 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
1868 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
1869 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
1870 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1871 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1872 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
1873 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
1875 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
1876 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
1878 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1879 sid_string_talloc(tc, &sid));
1880 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1881 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1882 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1884 talloc_autofree_ldapmod(tc, mods);
1886 rc = smbldap_add(ls, dn, mods);
1888 if (rc != LDAP_SUCCESS) {
1889 d_fprintf(stderr, _("Failed to add Guest user to "
1890 "ldap directory\n"));
1893 d_printf(_("found!\n"));
1896 d_printf(_("Checking Guest's group.\n"));
1898 pwd = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
1901 _("Failed to find just created Guest account!\n"
1902 " Is nss properly configured?!\n"));
1906 if (pwd->pw_gid == domusers_gid) {
1907 d_printf(_("found!\n"));
1911 if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
1912 LDAPMod **mods = NULL;
1920 d_printf(_("Adding the Domain Guests group.\n"));
1922 uname = talloc_strdup(tc, "domguests");
1923 wname = talloc_strdup(tc, "Domain Guests");
1924 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
1925 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1926 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1928 if (!uname || !wname || !dn || !gidstr || !gtype) {
1929 d_fprintf(stderr, _("Out of Memory!\n"));
1933 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
1935 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1936 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1937 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1938 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1939 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1940 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1941 sid_string_talloc(tc, &gsid));
1942 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1944 talloc_autofree_ldapmod(tc, mods);
1946 rc = smbldap_add(ls, dn, mods);
1948 if (rc != LDAP_SUCCESS) {
1950 _("Failed to add Domain Guests group to ldap "
1954 d_printf(_("found!\n"));
1969 /***********************************************************
1970 migrated functionality from smbgroupedit
1971 **********************************************************/
1972 int net_sam(struct net_context *c, int argc, const char **argv)
1974 struct functable func[] = {
1976 "createbuiltingroup",
1977 net_sam_createbuiltingroup,
1978 NET_TRANSPORT_LOCAL,
1979 N_("Create a new BUILTIN group"),
1980 N_("net sam createbuiltingroup\n"
1981 " Create a new BUILTIN group")
1985 net_sam_createlocalgroup,
1986 NET_TRANSPORT_LOCAL,
1987 N_("Create a new local group"),
1988 N_("net sam createlocalgroup\n"
1989 " Create a new local group")
1992 "createdomaingroup",
1993 net_sam_createdomaingroup,
1994 NET_TRANSPORT_LOCAL,
1995 N_("Create a new group"),
1996 N_("net sam createdomaingroup\n"
1997 " Create a new group")
2001 net_sam_deletelocalgroup,
2002 NET_TRANSPORT_LOCAL,
2003 N_("Delete an existing local group"),
2004 N_("net sam deletelocalgroup\n"
2005 " Delete an existing local group")
2008 "deletedomaingroup",
2009 net_sam_deletedomaingroup,
2010 NET_TRANSPORT_LOCAL,
2011 N_("Delete a domain group"),
2012 N_("net sam deletedomaingroup\n"
2017 net_sam_mapunixgroup,
2018 NET_TRANSPORT_LOCAL,
2019 N_("Map a unix group to a domain group"),
2020 N_("net sam mapunixgroup\n"
2021 " Map a unix group to a domain group")
2025 net_sam_unmapunixgroup,
2026 NET_TRANSPORT_LOCAL,
2027 N_("Remove a group mapping of an unix group to a "
2029 N_("net sam unmapunixgroup\n"
2030 " Remove a group mapping of an unix group to a "
2036 NET_TRANSPORT_LOCAL,
2037 N_("Add a member to a group"),
2038 N_("net sam addmem\n"
2039 " Add a member to a group")
2044 NET_TRANSPORT_LOCAL,
2045 N_("Delete a member from a group"),
2046 N_("net sam delmem\n"
2047 " Delete a member from a group")
2052 NET_TRANSPORT_LOCAL,
2053 N_("List group members"),
2054 N_("net sam listmem\n"
2055 " List group members")
2060 NET_TRANSPORT_LOCAL,
2061 N_("List users, groups and local groups"),
2063 " List users, groups and local groups")
2068 NET_TRANSPORT_LOCAL,
2069 N_("Show details of a SAM entry"),
2071 " Show details of a SAM entry")
2076 NET_TRANSPORT_LOCAL,
2077 N_("Set details of a SAM account"),
2079 " Set details of a SAM account")
2084 NET_TRANSPORT_LOCAL,
2085 N_("Set account policies"),
2086 N_("net sam policy\n"
2087 " Set account policies")
2092 NET_TRANSPORT_LOCAL,
2093 N_("Manipulate user privileges"),
2094 N_("net sam rights\n"
2095 " Manipulate user privileges")
2101 NET_TRANSPORT_LOCAL,
2102 N_("Provision a clean user database"),
2103 N_("net sam privison\n"
2104 " Provision a clear user database")
2107 {NULL, NULL, 0, NULL, NULL}
2110 if (getuid() != 0) {
2111 d_fprintf(stderr, _("You are not root, most things won't "
2115 return net_run_function(c, argc, argv, "net sam", func);