27d534665c4c0f1d91cb29c2fb10c010dc6acb58
[samba.git] / source3 / utils / net_ads.c
1 /*
2    Samba Unix/Linux SMB client library
3    net ads commands
4    Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5    Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6    Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7    Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26
27 #ifdef HAVE_ADS
28
29 /* when we do not have sufficient input parameters to contact a remote domain
30  * we always fall back to our own realm - Guenther*/
31
32 static const char *assume_own_realm(struct net_context *c)
33 {
34         if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
35                 return lp_realm();
36         }
37
38         return NULL;
39 }
40
41 /*
42   do a cldap netlogon query
43 */
44 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
45 {
46         char addr[INET6_ADDRSTRLEN];
47         struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
48
49         print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
50         if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
51                 d_fprintf(stderr, "CLDAP query failed!\n");
52                 return -1;
53         }
54
55         d_printf("Information for Domain Controller: %s\n\n",
56                 addr);
57
58         d_printf("Response Type: ");
59         switch (reply.command) {
60         case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
61                 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
62                 break;
63         case LOGON_SAM_LOGON_RESPONSE_EX:
64                 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
65                 break;
66         default:
67                 d_printf("0x%x\n", reply.command);
68                 break;
69         }
70
71         d_printf("GUID: %s\n", GUID_string(talloc_tos(), &reply.domain_uuid));
72
73         d_printf("Flags:\n"
74                  "\tIs a PDC:                                   %s\n"
75                  "\tIs a GC of the forest:                      %s\n"
76                  "\tIs an LDAP server:                          %s\n"
77                  "\tSupports DS:                                %s\n"
78                  "\tIs running a KDC:                           %s\n"
79                  "\tIs running time services:                   %s\n"
80                  "\tIs the closest DC:                          %s\n"
81                  "\tIs writable:                                %s\n"
82                  "\tHas a hardware clock:                       %s\n"
83                  "\tIs a non-domain NC serviced by LDAP server: %s\n"
84                  "\tIs NT6 DC that has some secrets:            %s\n"
85                  "\tIs NT6 DC that has all secrets:             %s\n",
86                  (reply.server_type & NBT_SERVER_PDC) ? "yes" : "no",
87                  (reply.server_type & NBT_SERVER_GC) ? "yes" : "no",
88                  (reply.server_type & NBT_SERVER_LDAP) ? "yes" : "no",
89                  (reply.server_type & NBT_SERVER_DS) ? "yes" : "no",
90                  (reply.server_type & NBT_SERVER_KDC) ? "yes" : "no",
91                  (reply.server_type & NBT_SERVER_TIMESERV) ? "yes" : "no",
92                  (reply.server_type & NBT_SERVER_CLOSEST) ? "yes" : "no",
93                  (reply.server_type & NBT_SERVER_WRITABLE) ? "yes" : "no",
94                  (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? "yes" : "no",
95                  (reply.server_type & NBT_SERVER_NDNC) ? "yes" : "no",
96                  (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? "yes" : "no",
97                  (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? "yes" : "no");
98
99
100         printf("Forest:\t\t\t%s\n", reply.forest);
101         printf("Domain:\t\t\t%s\n", reply.dns_domain);
102         printf("Domain Controller:\t%s\n", reply.pdc_dns_name);
103
104         printf("Pre-Win2k Domain:\t%s\n", reply.domain);
105         printf("Pre-Win2k Hostname:\t%s\n", reply.pdc_name);
106
107         if (*reply.user_name) printf("User name:\t%s\n", reply.user_name);
108
109         printf("Server Site Name :\t\t%s\n", reply.server_site);
110         printf("Client Site Name :\t\t%s\n", reply.client_site);
111
112         d_printf("NT Version: %d\n", reply.nt_version);
113         d_printf("LMNT Token: %.2x\n", reply.lmnt_token);
114         d_printf("LM20 Token: %.2x\n", reply.lm20_token);
115
116         return 0;
117 }
118
119 /*
120   this implements the CLDAP based netlogon lookup requests
121   for finding the domain controller of a ADS domain
122 */
123 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
124 {
125         ADS_STRUCT *ads;
126
127         if (c->display_usage) {
128                 d_printf("Usage:\n"
129                          "net ads lookup\n"
130                          "    Find the ADS DC using CLDAP lookup.\n");
131                 return 0;
132         }
133
134         if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
135                 d_fprintf(stderr, "Didn't find the cldap server!\n");
136                 return -1;
137         }
138
139         if (!ads->config.realm) {
140                 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
141                 ads->ldap.port = 389;
142         }
143
144         return net_ads_cldap_netlogon(c, ads);
145 }
146
147
148
149 static int net_ads_info(struct net_context *c, int argc, const char **argv)
150 {
151         ADS_STRUCT *ads;
152         char addr[INET6_ADDRSTRLEN];
153
154         if (c->display_usage) {
155                 d_printf("Usage:\n"
156                          "net ads info\n"
157                          "    Display information about an Active Directory "
158                          "server.\n");
159                 return 0;
160         }
161
162         if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
163                 d_fprintf(stderr, "Didn't find the ldap server!\n");
164                 return -1;
165         }
166
167         if (!ads || !ads->config.realm) {
168                 d_fprintf(stderr, "Didn't find the ldap server!\n");
169                 return -1;
170         }
171
172         /* Try to set the server's current time since we didn't do a full
173            TCP LDAP session initially */
174
175         if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
176                 d_fprintf( stderr, "Failed to get server's current time!\n");
177         }
178
179         print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
180
181         d_printf("LDAP server: %s\n", addr);
182         d_printf("LDAP server name: %s\n", ads->config.ldap_server_name);
183         d_printf("Realm: %s\n", ads->config.realm);
184         d_printf("Bind Path: %s\n", ads->config.bind_path);
185         d_printf("LDAP port: %d\n", ads->ldap.port);
186         d_printf("Server time: %s\n", 
187                          http_timestring(talloc_tos(), ads->config.current_time));
188
189         d_printf("KDC server: %s\n", ads->auth.kdc_server );
190         d_printf("Server time offset: %d\n", ads->auth.time_offset );
191
192         return 0;
193 }
194
195 static void use_in_memory_ccache(void) {
196         /* Use in-memory credentials cache so we do not interfere with
197          * existing credentials */
198         setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
199 }
200
201 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
202                                   uint32 auth_flags, ADS_STRUCT **ads_ret)
203 {
204         ADS_STRUCT *ads = NULL;
205         ADS_STATUS status;
206         bool need_password = false;
207         bool second_time = false;
208         char *cp;
209         const char *realm = NULL;
210         bool tried_closest_dc = false;
211
212         /* lp_realm() should be handled by a command line param,
213            However, the join requires that realm be set in smb.conf
214            and compares our realm with the remote server's so this is
215            ok until someone needs more flexibility */
216
217         *ads_ret = NULL;
218
219 retry_connect:
220         if (only_own_domain) {
221                 realm = lp_realm();
222         } else {
223                 realm = assume_own_realm(c);
224         }
225
226         ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
227
228         if (!c->opt_user_name) {
229                 c->opt_user_name = "administrator";
230         }
231
232         if (c->opt_user_specified) {
233                 need_password = true;
234         }
235
236 retry:
237         if (!c->opt_password && need_password && !c->opt_machine_pass) {
238                 c->opt_password = net_prompt_pass(c, c->opt_user_name);
239                 if (!c->opt_password) {
240                         ads_destroy(&ads);
241                         return ADS_ERROR(LDAP_NO_MEMORY);
242                 }
243         }
244
245         if (c->opt_password) {
246                 use_in_memory_ccache();
247                 SAFE_FREE(ads->auth.password);
248                 ads->auth.password = smb_xstrdup(c->opt_password);
249         }
250
251         ads->auth.flags |= auth_flags;
252         SAFE_FREE(ads->auth.user_name);
253         ads->auth.user_name = smb_xstrdup(c->opt_user_name);
254
255        /*
256         * If the username is of the form "name@realm",
257         * extract the realm and convert to upper case.
258         * This is only used to establish the connection.
259         */
260        if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
261                 *cp++ = '\0';
262                 SAFE_FREE(ads->auth.realm);
263                 ads->auth.realm = smb_xstrdup(cp);
264                 strupper_m(ads->auth.realm);
265        }
266
267         status = ads_connect(ads);
268
269         if (!ADS_ERR_OK(status)) {
270
271                 if (NT_STATUS_EQUAL(ads_ntstatus(status),
272                                     NT_STATUS_NO_LOGON_SERVERS)) {
273                         DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
274                         ads_destroy(&ads);
275                         return status;
276                 }
277
278                 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
279                         need_password = true;
280                         second_time = true;
281                         goto retry;
282                 } else {
283                         ads_destroy(&ads);
284                         return status;
285                 }
286         }
287
288         /* when contacting our own domain, make sure we use the closest DC.
289          * This is done by reconnecting to ADS because only the first call to
290          * ads_connect will give us our own sitename */
291
292         if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
293
294                 tried_closest_dc = true; /* avoid loop */
295
296                 if (!ads_closest_dc(ads)) {
297
298                         namecache_delete(ads->server.realm, 0x1C);
299                         namecache_delete(ads->server.workgroup, 0x1C);
300
301                         ads_destroy(&ads);
302                         ads = NULL;
303
304                         goto retry_connect;
305                 }
306         }
307
308         *ads_ret = ads;
309         return status;
310 }
311
312 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
313 {
314         return ads_startup_int(c, only_own_domain, 0, ads);
315 }
316
317 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
318 {
319         return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
320 }
321
322 /*
323   Check to see if connection can be made via ads.
324   ads_startup() stores the password in opt_password if it needs to so
325   that rpc or rap can use it without re-prompting.
326 */
327 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
328 {
329         ADS_STRUCT *ads;
330         ADS_STATUS status;
331
332         if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
333                 return -1;
334         }
335
336         ads->auth.flags |= ADS_AUTH_NO_BIND;
337
338         status = ads_connect(ads);
339         if ( !ADS_ERR_OK(status) ) {
340                 return -1;
341         }
342
343         ads_destroy(&ads);
344         return 0;
345 }
346
347 int net_ads_check_our_domain(struct net_context *c)
348 {
349         return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
350 }
351
352 int net_ads_check(struct net_context *c)
353 {
354         return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
355 }
356
357 /*
358    determine the netbios workgroup name for a domain
359  */
360 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
361 {
362         ADS_STRUCT *ads;
363         char addr[INET6_ADDRSTRLEN];
364         struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
365
366         if (c->display_usage) {
367                 d_printf("Usage:\n"
368                          "net ads workgroup\n"
369                          "    Print the workgroup name\n");
370                 return 0;
371         }
372
373         if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
374                 d_fprintf(stderr, "Didn't find the cldap server!\n");
375                 return -1;
376         }
377
378         if (!ads->config.realm) {
379                 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
380                 ads->ldap.port = 389;
381         }
382
383         print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
384         if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
385                 d_fprintf(stderr, "CLDAP query failed!\n");
386                 return -1;
387         }
388
389         d_printf("Workgroup: %s\n", reply.domain);
390
391         ads_destroy(&ads);
392
393         return 0;
394 }
395
396
397
398 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
399 {
400         char **disp_fields = (char **) data_area;
401
402         if (!field) { /* must be end of record */
403                 if (disp_fields[0]) {
404                         if (!strchr_m(disp_fields[0], '$')) {
405                                 if (disp_fields[1])
406                                         d_printf("%-21.21s %s\n",
407                                                disp_fields[0], disp_fields[1]);
408                                 else
409                                         d_printf("%s\n", disp_fields[0]);
410                         }
411                 }
412                 SAFE_FREE(disp_fields[0]);
413                 SAFE_FREE(disp_fields[1]);
414                 return true;
415         }
416         if (!values) /* must be new field, indicate string field */
417                 return true;
418         if (StrCaseCmp(field, "sAMAccountName") == 0) {
419                 disp_fields[0] = SMB_STRDUP((char *) values[0]);
420         }
421         if (StrCaseCmp(field, "description") == 0)
422                 disp_fields[1] = SMB_STRDUP((char *) values[0]);
423         return true;
424 }
425
426 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
427 {
428         return net_user_usage(c, argc, argv);
429 }
430
431 static int ads_user_add(struct net_context *c, int argc, const char **argv)
432 {
433         ADS_STRUCT *ads;
434         ADS_STATUS status;
435         char *upn, *userdn;
436         LDAPMessage *res=NULL;
437         int rc = -1;
438         char *ou_str = NULL;
439
440         if (argc < 1 || c->display_usage)
441                 return net_ads_user_usage(c, argc, argv);
442
443         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
444                 return -1;
445         }
446
447         status = ads_find_user_acct(ads, &res, argv[0]);
448
449         if (!ADS_ERR_OK(status)) {
450                 d_fprintf(stderr, "ads_user_add: %s\n", ads_errstr(status));
451                 goto done;
452         }
453
454         if (ads_count_replies(ads, res)) {
455                 d_fprintf(stderr, "ads_user_add: User %s already exists\n", argv[0]);
456                 goto done;
457         }
458
459         if (c->opt_container) {
460                 ou_str = SMB_STRDUP(c->opt_container);
461         } else {
462                 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
463         }
464
465         status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
466
467         if (!ADS_ERR_OK(status)) {
468                 d_fprintf(stderr, "Could not add user %s: %s\n", argv[0],
469                          ads_errstr(status));
470                 goto done;
471         }
472
473         /* if no password is to be set, we're done */
474         if (argc == 1) {
475                 d_printf("User %s added\n", argv[0]);
476                 rc = 0;
477                 goto done;
478         }
479
480         /* try setting the password */
481         asprintf(&upn, "%s@%s", argv[0], ads->config.realm);
482         status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
483                                        ads->auth.time_offset);
484         SAFE_FREE(upn);
485         if (ADS_ERR_OK(status)) {
486                 d_printf("User %s added\n", argv[0]);
487                 rc = 0;
488                 goto done;
489         }
490
491         /* password didn't set, delete account */
492         d_fprintf(stderr, "Could not add user %s.  Error setting password %s\n",
493                  argv[0], ads_errstr(status));
494         ads_msgfree(ads, res);
495         status=ads_find_user_acct(ads, &res, argv[0]);
496         if (ADS_ERR_OK(status)) {
497                 userdn = ads_get_dn(ads, res);
498                 ads_del_dn(ads, userdn);
499                 ads_memfree(ads, userdn);
500         }
501
502  done:
503         if (res)
504                 ads_msgfree(ads, res);
505         ads_destroy(&ads);
506         SAFE_FREE(ou_str);
507         return rc;
508 }
509
510 static int ads_user_info(struct net_context *c, int argc, const char **argv)
511 {
512         ADS_STRUCT *ads;
513         ADS_STATUS rc;
514         LDAPMessage *res;
515         const char *attrs[] = {"memberOf", NULL};
516         char *searchstring=NULL;
517         char **grouplist;
518         char *escaped_user;
519
520         if (argc < 1 || c->display_usage) {
521                 return net_ads_user_usage(c, argc, argv);
522         }
523
524         escaped_user = escape_ldap_string_alloc(argv[0]);
525
526         if (!escaped_user) {
527                 d_fprintf(stderr, "ads_user_info: failed to escape user %s\n", argv[0]);
528                 return -1;
529         }
530
531         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
532                 SAFE_FREE(escaped_user);
533                 return -1;
534         }
535
536         asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user);
537         rc = ads_search(ads, &res, searchstring, attrs);
538         SAFE_FREE(searchstring);
539
540         if (!ADS_ERR_OK(rc)) {
541                 d_fprintf(stderr, "ads_search: %s\n", ads_errstr(rc));
542                 ads_destroy(&ads);
543                 SAFE_FREE(escaped_user);
544                 return -1;
545         }
546
547         grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
548                                     (LDAPMessage *)res, "memberOf");
549
550         if (grouplist) {
551                 int i;
552                 char **groupname;
553                 for (i=0;grouplist[i];i++) {
554                         groupname = ldap_explode_dn(grouplist[i], 1);
555                         d_printf("%s\n", groupname[0]);
556                         ldap_value_free(groupname);
557                 }
558                 ldap_value_free(grouplist);
559         }
560
561         ads_msgfree(ads, res);
562         ads_destroy(&ads);
563         SAFE_FREE(escaped_user);
564         return 0;
565 }
566
567 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
568 {
569         ADS_STRUCT *ads;
570         ADS_STATUS rc;
571         LDAPMessage *res = NULL;
572         char *userdn;
573
574         if (argc < 1) {
575                 return net_ads_user_usage(c, argc, argv);
576         }
577
578         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
579                 return -1;
580         }
581
582         rc = ads_find_user_acct(ads, &res, argv[0]);
583         if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
584                 d_printf("User %s does not exist.\n", argv[0]);
585                 ads_msgfree(ads, res);
586                 ads_destroy(&ads);
587                 return -1;
588         }
589         userdn = ads_get_dn(ads, res);
590         ads_msgfree(ads, res);
591         rc = ads_del_dn(ads, userdn);
592         ads_memfree(ads, userdn);
593         if (ADS_ERR_OK(rc)) {
594                 d_printf("User %s deleted\n", argv[0]);
595                 ads_destroy(&ads);
596                 return 0;
597         }
598         d_fprintf(stderr, "Error deleting user %s: %s\n", argv[0],
599                  ads_errstr(rc));
600         ads_destroy(&ads);
601         return -1;
602 }
603
604 int net_ads_user(struct net_context *c, int argc, const char **argv)
605 {
606         struct functable func[] = {
607                 {
608                         "add",
609                         ads_user_add,
610                         NET_TRANSPORT_ADS,
611                         "Add an AD user",
612                         "net ads user add\n"
613                         "    Add an AD user"
614                 },
615                 {
616                         "info",
617                         ads_user_info,
618                         NET_TRANSPORT_ADS,
619                         "Display information about an AD user",
620                         "net ads user info\n"
621                         "    Display information about an AD user"
622                 },
623                 {
624                         "delete",
625                         ads_user_delete,
626                         NET_TRANSPORT_ADS,
627                         "Delete an AD user",
628                         "net ads user delete\n"
629                         "    Delete an AD user"
630                 },
631                 {NULL, NULL, 0, NULL, NULL}
632         };
633         ADS_STRUCT *ads;
634         ADS_STATUS rc;
635         const char *shortattrs[] = {"sAMAccountName", NULL};
636         const char *longattrs[] = {"sAMAccountName", "description", NULL};
637         char *disp_fields[2] = {NULL, NULL};
638
639         if (argc == 0) {
640                 if (c->display_usage) {
641                         d_printf("Usage:\n");
642                         d_printf("net ads user\n"
643                                  "    List AD users\n");
644                         net_display_usage_from_functable(func);
645                         return 0;
646                 }
647
648                 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
649                         return -1;
650                 }
651
652                 if (c->opt_long_list_entries)
653                         d_printf("\nUser name             Comment"
654                                  "\n-----------------------------\n");
655
656                 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
657                                           LDAP_SCOPE_SUBTREE,
658                                           "(objectCategory=user)",
659                                           c->opt_long_list_entries ? longattrs :
660                                           shortattrs, usergrp_display,
661                                           disp_fields);
662                 ads_destroy(&ads);
663                 return ADS_ERR_OK(rc) ? 0 : -1;
664         }
665
666         return net_run_function(c, argc, argv, "net ads user", func);
667 }
668
669 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
670 {
671         return net_group_usage(c, argc, argv);
672 }
673
674 static int ads_group_add(struct net_context *c, int argc, const char **argv)
675 {
676         ADS_STRUCT *ads;
677         ADS_STATUS status;
678         LDAPMessage *res=NULL;
679         int rc = -1;
680         char *ou_str = NULL;
681
682         if (argc < 1 || c->display_usage) {
683                 return net_ads_group_usage(c, argc, argv);
684         }
685
686         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
687                 return -1;
688         }
689
690         status = ads_find_user_acct(ads, &res, argv[0]);
691
692         if (!ADS_ERR_OK(status)) {
693                 d_fprintf(stderr, "ads_group_add: %s\n", ads_errstr(status));
694                 goto done;
695         }
696
697         if (ads_count_replies(ads, res)) {
698                 d_fprintf(stderr, "ads_group_add: Group %s already exists\n", argv[0]);
699                 goto done;
700         }
701
702         if (c->opt_container) {
703                 ou_str = SMB_STRDUP(c->opt_container);
704         } else {
705                 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
706         }
707
708         status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
709
710         if (ADS_ERR_OK(status)) {
711                 d_printf("Group %s added\n", argv[0]);
712                 rc = 0;
713         } else {
714                 d_fprintf(stderr, "Could not add group %s: %s\n", argv[0],
715                          ads_errstr(status));
716         }
717
718  done:
719         if (res)
720                 ads_msgfree(ads, res);
721         ads_destroy(&ads);
722         SAFE_FREE(ou_str);
723         return rc;
724 }
725
726 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
727 {
728         ADS_STRUCT *ads;
729         ADS_STATUS rc;
730         LDAPMessage *res = NULL;
731         char *groupdn;
732
733         if (argc < 1 || c->display_usage) {
734                 return net_ads_group_usage(c, argc, argv);
735         }
736
737         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
738                 return -1;
739         }
740
741         rc = ads_find_user_acct(ads, &res, argv[0]);
742         if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
743                 d_printf("Group %s does not exist.\n", argv[0]);
744                 ads_msgfree(ads, res);
745                 ads_destroy(&ads);
746                 return -1;
747         }
748         groupdn = ads_get_dn(ads, res);
749         ads_msgfree(ads, res);
750         rc = ads_del_dn(ads, groupdn);
751         ads_memfree(ads, groupdn);
752         if (ADS_ERR_OK(rc)) {
753                 d_printf("Group %s deleted\n", argv[0]);
754                 ads_destroy(&ads);
755                 return 0;
756         }
757         d_fprintf(stderr, "Error deleting group %s: %s\n", argv[0],
758                  ads_errstr(rc));
759         ads_destroy(&ads);
760         return -1;
761 }
762
763 int net_ads_group(struct net_context *c, int argc, const char **argv)
764 {
765         struct functable func[] = {
766                 {
767                         "add",
768                         ads_group_add,
769                         NET_TRANSPORT_ADS,
770                         "Add an AD group",
771                         "net ads group add\n"
772                         "    Add an AD group"
773                 },
774                 {
775                         "delete",
776                         ads_group_delete,
777                         NET_TRANSPORT_ADS,
778                         "Delete an AD group",
779                         "net ads group delete\n"
780                         "    Delete an AD group"
781                 },
782                 {NULL, NULL, 0, NULL, NULL}
783         };
784         ADS_STRUCT *ads;
785         ADS_STATUS rc;
786         const char *shortattrs[] = {"sAMAccountName", NULL};
787         const char *longattrs[] = {"sAMAccountName", "description", NULL};
788         char *disp_fields[2] = {NULL, NULL};
789
790         if (argc == 0) {
791                 if (c->display_usage) {
792                         d_printf("Usage:\n");
793                         d_printf("net ads group\n"
794                                  "    List AD groups\n");
795                         net_display_usage_from_functable(func);
796                         return 0;
797                 }
798
799                 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
800                         return -1;
801                 }
802
803                 if (c->opt_long_list_entries)
804                         d_printf("\nGroup name            Comment"
805                                  "\n-----------------------------\n");
806                 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
807                                           LDAP_SCOPE_SUBTREE,
808                                           "(objectCategory=group)",
809                                           c->opt_long_list_entries ? longattrs :
810                                           shortattrs, usergrp_display,
811                                           disp_fields);
812
813                 ads_destroy(&ads);
814                 return ADS_ERR_OK(rc) ? 0 : -1;
815         }
816         return net_run_function(c, argc, argv, "net ads group", func);
817 }
818
819 static int net_ads_status(struct net_context *c, int argc, const char **argv)
820 {
821         ADS_STRUCT *ads;
822         ADS_STATUS rc;
823         LDAPMessage *res;
824
825         if (c->display_usage) {
826                 d_printf("Usage:\n"
827                          "net ads status\n"
828                          "    Display machine account details\n");
829                 return 0;
830         }
831
832         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
833                 return -1;
834         }
835
836         rc = ads_find_machine_acct(ads, &res, global_myname());
837         if (!ADS_ERR_OK(rc)) {
838                 d_fprintf(stderr, "ads_find_machine_acct: %s\n", ads_errstr(rc));
839                 ads_destroy(&ads);
840                 return -1;
841         }
842
843         if (ads_count_replies(ads, res) == 0) {
844                 d_fprintf(stderr, "No machine account for '%s' found\n", global_myname());
845                 ads_destroy(&ads);
846                 return -1;
847         }
848
849         ads_dump(ads, res);
850         ads_destroy(&ads);
851         return 0;
852 }
853
854 /*******************************************************************
855  Leave an AD domain.  Windows XP disables the machine account.
856  We'll try the same.  The old code would do an LDAP delete.
857  That only worked using the machine creds because added the machine
858  with full control to the computer object's ACL.
859 *******************************************************************/
860
861 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
862 {
863         TALLOC_CTX *ctx;
864         struct libnet_UnjoinCtx *r = NULL;
865         WERROR werr;
866
867         if (c->display_usage) {
868                 d_printf("Usage:\n"
869                          "net ads leave\n"
870                          "    Leave an AD domain\n");
871                 return 0;
872         }
873
874         if (!*lp_realm()) {
875                 d_fprintf(stderr, "No realm set, are we joined ?\n");
876                 return -1;
877         }
878
879         if (!(ctx = talloc_init("net_ads_leave"))) {
880                 d_fprintf(stderr, "Could not initialise talloc context.\n");
881                 return -1;
882         }
883
884         if (!c->opt_kerberos) {
885                 use_in_memory_ccache();
886         }
887
888         werr = libnet_init_UnjoinCtx(ctx, &r);
889         if (!W_ERROR_IS_OK(werr)) {
890                 d_fprintf(stderr, "Could not initialise unjoin context.\n");
891                 return -1;
892         }
893
894         r->in.debug             = true;
895         r->in.use_kerberos      = c->opt_kerberos;
896         r->in.dc_name           = c->opt_host;
897         r->in.domain_name       = lp_realm();
898         r->in.admin_account     = c->opt_user_name;
899         r->in.admin_password    = net_prompt_pass(c, c->opt_user_name);
900         r->in.modify_config     = lp_config_backend_is_registry();
901         r->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
902                                   WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
903
904         werr = libnet_Unjoin(ctx, r);
905         if (!W_ERROR_IS_OK(werr)) {
906                 d_printf("Failed to leave domain: %s\n",
907                          r->out.error_string ? r->out.error_string :
908                          get_friendly_werror_msg(werr));
909                 goto done;
910         }
911
912         if (W_ERROR_IS_OK(werr)) {
913                 d_printf("Deleted account for '%s' in realm '%s'\n",
914                         r->in.machine_name, r->out.dns_domain_name);
915                 goto done;
916         }
917
918         /* We couldn't delete it - see if the disable succeeded. */
919         if (r->out.disabled_machine_account) {
920                 d_printf("Disabled account for '%s' in realm '%s'\n",
921                         r->in.machine_name, r->out.dns_domain_name);
922                 werr = WERR_OK;
923                 goto done;
924         }
925
926         d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
927                   r->in.machine_name, r->out.dns_domain_name);
928
929  done:
930         TALLOC_FREE(r);
931         TALLOC_FREE(ctx);
932
933         if (W_ERROR_IS_OK(werr)) {
934                 return 0;
935         }
936
937         return -1;
938 }
939
940 static NTSTATUS net_ads_join_ok(struct net_context *c)
941 {
942         ADS_STRUCT *ads = NULL;
943         ADS_STATUS status;
944
945         if (!secrets_init()) {
946                 DEBUG(1,("Failed to initialise secrets database\n"));
947                 return NT_STATUS_ACCESS_DENIED;
948         }
949
950         net_use_krb_machine_account(c);
951
952         status = ads_startup(c, true, &ads);
953         if (!ADS_ERR_OK(status)) {
954                 return ads_ntstatus(status);
955         }
956
957         ads_destroy(&ads);
958         return NT_STATUS_OK;
959 }
960
961 /*
962   check that an existing join is OK
963  */
964 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
965 {
966         NTSTATUS status;
967         use_in_memory_ccache();
968
969         if (c->display_usage) {
970                 d_printf("Usage:\n"
971                          "net ads testjoin\n"
972                          "    Test if the existing join is ok\n");
973                 return 0;
974         }
975
976         /* Display success or failure */
977         status = net_ads_join_ok(c);
978         if (!NT_STATUS_IS_OK(status)) {
979                 fprintf(stderr,"Join to domain is not valid: %s\n",
980                         get_friendly_nt_error_msg(status));
981                 return -1;
982         }
983
984         printf("Join is OK\n");
985         return 0;
986 }
987
988 /*******************************************************************
989   Simple configu checks before beginning the join
990  ********************************************************************/
991
992 static WERROR check_ads_config( void )
993 {
994         if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
995                 d_printf("Host is not configured as a member server.\n");
996                 return WERR_INVALID_DOMAIN_ROLE;
997         }
998
999         if (strlen(global_myname()) > 15) {
1000                 d_printf("Our netbios name can be at most 15 chars long, "
1001                          "\"%s\" is %u chars long\n", global_myname(),
1002                          (unsigned int)strlen(global_myname()));
1003                 return WERR_INVALID_COMPUTERNAME;
1004         }
1005
1006         if ( lp_security() == SEC_ADS && !*lp_realm()) {
1007                 d_fprintf(stderr, "realm must be set in in %s for ADS "
1008                         "join to succeed.\n", get_dyn_CONFIGFILE());
1009                 return WERR_INVALID_PARAM;
1010         }
1011
1012         return WERR_OK;
1013 }
1014
1015 /*******************************************************************
1016  Send a DNS update request
1017 *******************************************************************/
1018
1019 #if defined(WITH_DNS_UPDATES)
1020 #include "dns.h"
1021 DNS_ERROR DoDNSUpdate(char *pszServerName,
1022                       const char *pszDomainName, const char *pszHostName,
1023                       const struct sockaddr_storage *sslist,
1024                       size_t num_addrs );
1025
1026 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1027                                         const char *machine_name,
1028                                         const struct sockaddr_storage *addrs,
1029                                         int num_addrs)
1030 {
1031         struct dns_rr_ns *nameservers = NULL;
1032         int ns_count = 0;
1033         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1034         DNS_ERROR dns_err;
1035         fstring dns_server;
1036         const char *dnsdomain = NULL;
1037         char *root_domain = NULL;
1038
1039         if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1040                 d_printf("No DNS domain configured for %s. "
1041                          "Unable to perform DNS Update.\n", machine_name);
1042                 status = NT_STATUS_INVALID_PARAMETER;
1043                 goto done;
1044         }
1045         dnsdomain++;
1046
1047         status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1048         if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1049                 /* Child domains often do not have NS records.  Look
1050                    for the NS record for the forest root domain
1051                    (rootDomainNamingContext in therootDSE) */
1052
1053                 const char *rootname_attrs[] =  { "rootDomainNamingContext", NULL };
1054                 LDAPMessage *msg = NULL;
1055                 char *root_dn;
1056                 ADS_STATUS ads_status;
1057
1058                 if ( !ads->ldap.ld ) {
1059                         ads_status = ads_connect( ads );
1060                         if ( !ADS_ERR_OK(ads_status) ) {
1061                                 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1062                                 goto done;
1063                         }
1064                 }
1065
1066                 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1067                                        "(objectclass=*)", rootname_attrs, &msg);
1068                 if (!ADS_ERR_OK(ads_status)) {
1069                         goto done;
1070                 }
1071
1072                 root_dn = ads_pull_string(ads, ctx, msg,  "rootDomainNamingContext");
1073                 if ( !root_dn ) {
1074                         ads_msgfree( ads, msg );
1075                         goto done;
1076                 }
1077
1078                 root_domain = ads_build_domain( root_dn );
1079
1080                 /* cleanup */
1081                 ads_msgfree( ads, msg );
1082
1083                 /* try again for NS servers */
1084
1085                 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1086
1087                 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1088                         DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1089                          "realm\n", ads->config.realm));
1090                         goto done;
1091                 }
1092
1093                 dnsdomain = root_domain;
1094
1095         }
1096
1097         /* Now perform the dns update - we'll try non-secure and if we fail,
1098            we'll follow it up with a secure update */
1099
1100         fstrcpy( dns_server, nameservers[0].hostname );
1101
1102         dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1103         if (!ERR_DNS_IS_OK(dns_err)) {
1104                 status = NT_STATUS_UNSUCCESSFUL;
1105         }
1106
1107 done:
1108
1109         SAFE_FREE( root_domain );
1110
1111         return status;
1112 }
1113
1114 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
1115 {
1116         int num_addrs;
1117         struct sockaddr_storage *iplist = NULL;
1118         fstring machine_name;
1119         NTSTATUS status;
1120
1121         name_to_fqdn( machine_name, global_myname() );
1122         strlower_m( machine_name );
1123
1124         /* Get our ip address (not the 127.0.0.x address but a real ip
1125          * address) */
1126
1127         num_addrs = get_my_ip_address( &iplist );
1128         if ( num_addrs <= 0 ) {
1129                 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1130                          "addresses!\n"));
1131                 return NT_STATUS_INVALID_PARAMETER;
1132         }
1133
1134         status = net_update_dns_internal(mem_ctx, ads, machine_name,
1135                                          iplist, num_addrs);
1136         SAFE_FREE( iplist );
1137         return status;
1138 }
1139 #endif
1140
1141
1142 /*******************************************************************
1143  ********************************************************************/
1144
1145 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1146 {
1147         d_printf("net ads join [options]\n");
1148         d_printf("Valid options:\n");
1149         d_printf("   createupn[=UPN]    Set the userPrincipalName attribute during the join.\n");
1150         d_printf("                      The deault UPN is in the form host/netbiosname@REALM.\n");
1151         d_printf("   createcomputer=OU  Precreate the computer account in a specific OU.\n");
1152         d_printf("                      The OU string read from top to bottom without RDNs and delimited by a '/'.\n");
1153         d_printf("                      E.g. \"createcomputer=Computers/Servers/Unix\"\n");
1154         d_printf("                      NB: A backslash '\\' is used as escape at multiple levels and may\n");
1155         d_printf("                          need to be doubled or even quadrupled.  It is not used as a separator.\n");
1156         d_printf("   osName=string      Set the operatingSystem attribute during the join.\n");
1157         d_printf("   osVer=string       Set the operatingSystemVersion attribute during the join.\n");
1158         d_printf("                      NB: osName and osVer must be specified together for either to take effect.\n");
1159         d_printf("                          Also, the operatingSystemService attribute is also set when along with\n");
1160         d_printf("                          the two other attributes.\n");
1161
1162         return -1;
1163 }
1164
1165 /*******************************************************************
1166  ********************************************************************/
1167
1168 int net_ads_join(struct net_context *c, int argc, const char **argv)
1169 {
1170         TALLOC_CTX *ctx = NULL;
1171         struct libnet_JoinCtx *r = NULL;
1172         const char *domain = lp_realm();
1173         WERROR werr = WERR_SETUP_NOT_JOINED;
1174         bool createupn = false;
1175         const char *machineupn = NULL;
1176         const char *create_in_ou = NULL;
1177         int i;
1178         const char *os_name = NULL;
1179         const char *os_version = NULL;
1180         bool modify_config = lp_config_backend_is_registry();
1181
1182         if (c->display_usage)
1183                 return net_ads_join_usage(c, argc, argv);
1184
1185         if (!modify_config) {
1186
1187                 werr = check_ads_config();
1188                 if (!W_ERROR_IS_OK(werr)) {
1189                         d_fprintf(stderr, "Invalid configuration.  Exiting....\n");
1190                         goto fail;
1191                 }
1192         }
1193
1194         if (!(ctx = talloc_init("net_ads_join"))) {
1195                 d_fprintf(stderr, "Could not initialise talloc context.\n");
1196                 werr = WERR_NOMEM;
1197                 goto fail;
1198         }
1199
1200         if (!c->opt_kerberos) {
1201                 use_in_memory_ccache();
1202         }
1203
1204         werr = libnet_init_JoinCtx(ctx, &r);
1205         if (!W_ERROR_IS_OK(werr)) {
1206                 goto fail;
1207         }
1208
1209         /* process additional command line args */
1210
1211         for ( i=0; i<argc; i++ ) {
1212                 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1213                         createupn = true;
1214                         machineupn = get_string_param(argv[i]);
1215                 }
1216                 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1217                         if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1218                                 d_fprintf(stderr, "Please supply a valid OU path.\n");
1219                                 werr = WERR_INVALID_PARAM;
1220                                 goto fail;
1221                         }
1222                 }
1223                 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1224                         if ( (os_name = get_string_param(argv[i])) == NULL ) {
1225                                 d_fprintf(stderr, "Please supply a operating system name.\n");
1226                                 werr = WERR_INVALID_PARAM;
1227                                 goto fail;
1228                         }
1229                 }
1230                 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1231                         if ( (os_version = get_string_param(argv[i])) == NULL ) {
1232                                 d_fprintf(stderr, "Please supply a valid operating system version.\n");
1233                                 werr = WERR_INVALID_PARAM;
1234                                 goto fail;
1235                         }
1236                 }
1237                 else {
1238                         domain = argv[i];
1239                 }
1240         }
1241
1242         if (!*domain) {
1243                 d_fprintf(stderr, "Please supply a valid domain name\n");
1244                 werr = WERR_INVALID_PARAM;
1245                 goto fail;
1246         }
1247
1248         /* Do the domain join here */
1249
1250         r->in.domain_name       = domain;
1251         r->in.create_upn        = createupn;
1252         r->in.upn               = machineupn;
1253         r->in.account_ou        = create_in_ou;
1254         r->in.os_name           = os_name;
1255         r->in.os_version        = os_version;
1256         r->in.dc_name           = c->opt_host;
1257         r->in.admin_account     = c->opt_user_name;
1258         r->in.admin_password    = net_prompt_pass(c, c->opt_user_name);
1259         r->in.debug             = true;
1260         r->in.use_kerberos      = c->opt_kerberos;
1261         r->in.modify_config     = modify_config;
1262         r->in.join_flags        = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1263                                   WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1264                                   WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1265
1266         werr = libnet_Join(ctx, r);
1267         if (!W_ERROR_IS_OK(werr)) {
1268                 goto fail;
1269         }
1270
1271         /* Check the short name of the domain */
1272
1273         if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1274                 d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
1275                 d_printf("domain name obtained from the server.\n");
1276                 d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
1277                 d_printf("You should set \"workgroup = %s\" in %s.\n",
1278                          r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1279         }
1280
1281         d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
1282
1283         if (r->out.dns_domain_name) {
1284                 d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
1285                         r->out.dns_domain_name);
1286         } else {
1287                 d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
1288                         r->out.netbios_domain_name);
1289         }
1290
1291 #if defined(WITH_DNS_UPDATES)
1292         if (r->out.domain_is_ad) {
1293                 /* We enter this block with user creds */
1294                 ADS_STRUCT *ads_dns = NULL;
1295
1296                 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1297                         /* kinit with the machine password */
1298
1299                         use_in_memory_ccache();
1300                         asprintf( &ads_dns->auth.user_name, "%s$", global_myname() );
1301                         ads_dns->auth.password = secrets_fetch_machine_password(
1302                                 r->out.netbios_domain_name, NULL, NULL );
1303                         ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1304                         strupper_m(ads_dns->auth.realm );
1305                         ads_kinit_password( ads_dns );
1306                 }
1307
1308                 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
1309                         d_fprintf( stderr, "DNS update failed!\n" );
1310                 }
1311
1312                 /* exit from this block using machine creds */
1313                 ads_destroy(&ads_dns);
1314         }
1315 #endif
1316         TALLOC_FREE(r);
1317         TALLOC_FREE( ctx );
1318
1319         return 0;
1320
1321 fail:
1322         /* issue an overall failure message at the end. */
1323         d_printf("Failed to join domain: %s\n",
1324                 r && r->out.error_string ? r->out.error_string :
1325                 get_friendly_werror_msg(werr));
1326         TALLOC_FREE( ctx );
1327
1328         return -1;
1329 }
1330
1331 /*******************************************************************
1332  ********************************************************************/
1333
1334 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1335 {
1336 #if defined(WITH_DNS_UPDATES)
1337         ADS_STRUCT *ads;
1338         ADS_STATUS status;
1339         TALLOC_CTX *ctx;
1340
1341 #ifdef DEVELOPER
1342         talloc_enable_leak_report();
1343 #endif
1344
1345         if (argc > 0 || c->display_usage) {
1346                 d_printf("Usage:\n"
1347                          "net ads dns register\n"
1348                          "    Register hostname with DNS\n");
1349                 return -1;
1350         }
1351
1352         if (!(ctx = talloc_init("net_ads_dns"))) {
1353                 d_fprintf(stderr, "Could not initialise talloc context\n");
1354                 return -1;
1355         }
1356
1357         status = ads_startup(c, true, &ads);
1358         if ( !ADS_ERR_OK(status) ) {
1359                 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1360                 TALLOC_FREE(ctx);
1361                 return -1;
1362         }
1363
1364         if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
1365                 d_fprintf( stderr, "DNS update failed!\n" );
1366                 ads_destroy( &ads );
1367                 TALLOC_FREE( ctx );
1368                 return -1;
1369         }
1370
1371         d_fprintf( stderr, "Successfully registered hostname with DNS\n" );
1372
1373         ads_destroy(&ads);
1374         TALLOC_FREE( ctx );
1375
1376         return 0;
1377 #else
1378         d_fprintf(stderr, "DNS update support not enabled at compile time!\n");
1379         return -1;
1380 #endif
1381 }
1382
1383 #if defined(WITH_DNS_UPDATES)
1384 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1385 #endif
1386
1387 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1388 {
1389 #if defined(WITH_DNS_UPDATES)
1390         DNS_ERROR err;
1391
1392 #ifdef DEVELOPER
1393         talloc_enable_leak_report();
1394 #endif
1395
1396         if (argc != 2 || c->display_usage) {
1397                 d_printf("Usage:\n"
1398                          "net ads dns gethostbyname <server> <name>\n"
1399                          "  Look up hostname from the AD\n"
1400                          "    server\tName server to use\n"
1401                          "    name\tName to look up\n");
1402                 return -1;
1403         }
1404
1405         err = do_gethostbyname(argv[0], argv[1]);
1406
1407         d_printf("do_gethostbyname returned %d\n", ERROR_DNS_V(err));
1408 #endif
1409         return 0;
1410 }
1411
1412 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1413 {
1414         struct functable func[] = {
1415                 {
1416                         "register",
1417                         net_ads_dns_register,
1418                         NET_TRANSPORT_ADS,
1419                         "Add host dns entry to AD",
1420                         "net ads dns register\n"
1421                         "    Add host dns entry to AD"
1422                 },
1423                 {
1424                         "gethostbyname",
1425                         net_ads_dns_gethostbyname,
1426                         NET_TRANSPORT_ADS,
1427                         "Look up host",
1428                         "net ads dns gethostbyname\n"
1429                         "    Look up host"
1430                 },
1431                 {NULL, NULL, 0, NULL, NULL}
1432         };
1433
1434         return net_run_function(c, argc, argv, "net ads dns", func);
1435 }
1436
1437 /*******************************************************************
1438  ********************************************************************/
1439
1440 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1441 {
1442         d_printf(
1443 "\nnet ads printer search <printer>"
1444 "\n\tsearch for a printer in the directory\n"
1445 "\nnet ads printer info <printer> <server>"
1446 "\n\tlookup info in directory for printer on server"
1447 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1448 "\nnet ads printer publish <printername>"
1449 "\n\tpublish printer in directory"
1450 "\n\t(note: printer name is required)\n"
1451 "\nnet ads printer remove <printername>"
1452 "\n\tremove printer from directory"
1453 "\n\t(note: printer name is required)\n");
1454         return -1;
1455 }
1456
1457 /*******************************************************************
1458  ********************************************************************/
1459
1460 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1461 {
1462         ADS_STRUCT *ads;
1463         ADS_STATUS rc;
1464         LDAPMessage *res = NULL;
1465
1466         if (c->display_usage) {
1467                 d_printf("Usage:\n"
1468                          "net ads printer search\n"
1469                          "    List printers in the AD\n");
1470                 return 0;
1471         }
1472
1473         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1474                 return -1;
1475         }
1476
1477         rc = ads_find_printers(ads, &res);
1478
1479         if (!ADS_ERR_OK(rc)) {
1480                 d_fprintf(stderr, "ads_find_printer: %s\n", ads_errstr(rc));
1481                 ads_msgfree(ads, res);
1482                 ads_destroy(&ads);
1483                 return -1;
1484         }
1485
1486         if (ads_count_replies(ads, res) == 0) {
1487                 d_fprintf(stderr, "No results found\n");
1488                 ads_msgfree(ads, res);
1489                 ads_destroy(&ads);
1490                 return -1;
1491         }
1492
1493         ads_dump(ads, res);
1494         ads_msgfree(ads, res);
1495         ads_destroy(&ads);
1496         return 0;
1497 }
1498
1499 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1500 {
1501         ADS_STRUCT *ads;
1502         ADS_STATUS rc;
1503         const char *servername, *printername;
1504         LDAPMessage *res = NULL;
1505
1506         if (c->display_usage) {
1507                 d_printf("Usage:\n"
1508                          "net ads printer info [printername [servername]]\n"
1509                          "  Display printer info from AD\n"
1510                          "    printername\tPrinter name or wildcard\n"
1511                          "    servername\tName of the print server\n");
1512                 return 0;
1513         }
1514
1515         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1516                 return -1;
1517         }
1518
1519         if (argc > 0) {
1520                 printername = argv[0];
1521         } else {
1522                 printername = "*";
1523         }
1524
1525         if (argc > 1) {
1526                 servername =  argv[1];
1527         } else {
1528                 servername = global_myname();
1529         }
1530
1531         rc = ads_find_printer_on_server(ads, &res, printername, servername);
1532
1533         if (!ADS_ERR_OK(rc)) {
1534                 d_fprintf(stderr, "Server '%s' not found: %s\n",
1535                         servername, ads_errstr(rc));
1536                 ads_msgfree(ads, res);
1537                 ads_destroy(&ads);
1538                 return -1;
1539         }
1540
1541         if (ads_count_replies(ads, res) == 0) {
1542                 d_fprintf(stderr, "Printer '%s' not found\n", printername);
1543                 ads_msgfree(ads, res);
1544                 ads_destroy(&ads);
1545                 return -1;
1546         }
1547
1548         ads_dump(ads, res);
1549         ads_msgfree(ads, res);
1550         ads_destroy(&ads);
1551
1552         return 0;
1553 }
1554
1555 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1556 {
1557         ADS_STRUCT *ads;
1558         ADS_STATUS rc;
1559         const char *servername, *printername;
1560         struct cli_state *cli;
1561         struct rpc_pipe_client *pipe_hnd;
1562         struct sockaddr_storage server_ss;
1563         NTSTATUS nt_status;
1564         TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1565         ADS_MODLIST mods = ads_init_mods(mem_ctx);
1566         char *prt_dn, *srv_dn, **srv_cn;
1567         char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1568         LDAPMessage *res = NULL;
1569
1570         if (argc < 1 || c->display_usage) {
1571                 d_printf("Usage:\n"
1572                          "net ads printer publish <printername> [servername]\n"
1573                          "  Publish printer in AD\n"
1574                          "    printername\tName of the printer\n"
1575                          "    servername\tName of the print server\n");
1576                 talloc_destroy(mem_ctx);
1577                 return -1;
1578         }
1579
1580         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1581                 talloc_destroy(mem_ctx);
1582                 return -1;
1583         }
1584
1585         printername = argv[0];
1586
1587         if (argc == 2) {
1588                 servername = argv[1];
1589         } else {
1590                 servername = global_myname();
1591         }
1592
1593         /* Get printer data from SPOOLSS */
1594
1595         resolve_name(servername, &server_ss, 0x20);
1596
1597         nt_status = cli_full_connection(&cli, global_myname(), servername,
1598                                         &server_ss, 0,
1599                                         "IPC$", "IPC",
1600                                         c->opt_user_name, c->opt_workgroup,
1601                                         c->opt_password ? c->opt_password : "",
1602                                         CLI_FULL_CONNECTION_USE_KERBEROS,
1603                                         Undefined, NULL);
1604
1605         if (NT_STATUS_IS_ERR(nt_status)) {
1606                 d_fprintf(stderr, "Unable to open a connnection to %s to obtain data "
1607                          "for %s\n", servername, printername);
1608                 ads_destroy(&ads);
1609                 talloc_destroy(mem_ctx);
1610                 return -1;
1611         }
1612
1613         /* Publish on AD server */
1614
1615         ads_find_machine_acct(ads, &res, servername);
1616
1617         if (ads_count_replies(ads, res) == 0) {
1618                 d_fprintf(stderr, "Could not find machine account for server %s\n", 
1619                          servername);
1620                 ads_destroy(&ads);
1621                 talloc_destroy(mem_ctx);
1622                 return -1;
1623         }
1624
1625         srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1626         srv_cn = ldap_explode_dn(srv_dn, 1);
1627
1628         srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1629         printername_escaped = escape_rdn_val_string_alloc(printername);
1630         if (!srv_cn_escaped || !printername_escaped) {
1631                 SAFE_FREE(srv_cn_escaped);
1632                 SAFE_FREE(printername_escaped);
1633                 d_fprintf(stderr, "Internal error, out of memory!");
1634                 ads_destroy(&ads);
1635                 talloc_destroy(mem_ctx);
1636                 return -1;
1637         }
1638
1639         asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn);
1640
1641         SAFE_FREE(srv_cn_escaped);
1642         SAFE_FREE(printername_escaped);
1643
1644         nt_status = cli_rpc_pipe_open_noauth(cli, &syntax_spoolss, &pipe_hnd);
1645         if (!NT_STATUS_IS_OK(nt_status)) {
1646                 d_fprintf(stderr, "Unable to open a connnection to the spoolss pipe on %s\n",
1647                          servername);
1648                 SAFE_FREE(prt_dn);
1649                 ads_destroy(&ads);
1650                 talloc_destroy(mem_ctx);
1651                 return -1;
1652         }
1653
1654         if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1655                                                               printername))) {
1656                 SAFE_FREE(prt_dn);
1657                 ads_destroy(&ads);
1658                 talloc_destroy(mem_ctx);
1659                 return -1;
1660         }
1661
1662         rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1663         if (!ADS_ERR_OK(rc)) {
1664                 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1665                 SAFE_FREE(prt_dn);
1666                 ads_destroy(&ads);
1667                 talloc_destroy(mem_ctx);
1668                 return -1;
1669         }
1670
1671         d_printf("published printer\n");
1672         SAFE_FREE(prt_dn);
1673         ads_destroy(&ads);
1674         talloc_destroy(mem_ctx);
1675
1676         return 0;
1677 }
1678
1679 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1680 {
1681         ADS_STRUCT *ads;
1682         ADS_STATUS rc;
1683         const char *servername;
1684         char *prt_dn;
1685         LDAPMessage *res = NULL;
1686
1687         if (argc < 1 || c->display_usage) {
1688                 d_printf("Usage:\n"
1689                          "net ads printer remove <printername> [servername]\n"
1690                          "  Remove a printer from the AD\n"
1691                          "    printername\tName of the printer\n"
1692                          "    servername\tName of the print server\n");
1693                 return -1;
1694         }
1695
1696         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1697                 return -1;
1698         }
1699
1700         if (argc > 1) {
1701                 servername = argv[1];
1702         } else {
1703                 servername = global_myname();
1704         }
1705
1706         rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1707
1708         if (!ADS_ERR_OK(rc)) {
1709                 d_fprintf(stderr, "ads_find_printer_on_server: %s\n", ads_errstr(rc));
1710                 ads_msgfree(ads, res);
1711                 ads_destroy(&ads);
1712                 return -1;
1713         }
1714
1715         if (ads_count_replies(ads, res) == 0) {
1716                 d_fprintf(stderr, "Printer '%s' not found\n", argv[1]);
1717                 ads_msgfree(ads, res);
1718                 ads_destroy(&ads);
1719                 return -1;
1720         }
1721
1722         prt_dn = ads_get_dn(ads, res);
1723         ads_msgfree(ads, res);
1724         rc = ads_del_dn(ads, prt_dn);
1725         ads_memfree(ads, prt_dn);
1726
1727         if (!ADS_ERR_OK(rc)) {
1728                 d_fprintf(stderr, "ads_del_dn: %s\n", ads_errstr(rc));
1729                 ads_destroy(&ads);
1730                 return -1;
1731         }
1732
1733         ads_destroy(&ads);
1734         return 0;
1735 }
1736
1737 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1738 {
1739         struct functable func[] = {
1740                 {
1741                         "search",
1742                         net_ads_printer_search,
1743                         NET_TRANSPORT_ADS,
1744                         "Search for a printer",
1745                         "net ads printer search\n"
1746                         "    Search for a printer"
1747                 },
1748                 {
1749                         "info",
1750                         net_ads_printer_info,
1751                         NET_TRANSPORT_ADS,
1752                         "Display printer information",
1753                         "net ads printer info\n"
1754                         "    Display printer information"
1755                 },
1756                 {
1757                         "publish",
1758                         net_ads_printer_publish,
1759                         NET_TRANSPORT_ADS,
1760                         "Publish a printer",
1761                         "net ads printer publish\n"
1762                         "    Publish a printer"
1763                 },
1764                 {
1765                         "remove",
1766                         net_ads_printer_remove,
1767                         NET_TRANSPORT_ADS,
1768                         "Delete a printer",
1769                         "net ads printer remove\n"
1770                         "    Delete a printer"
1771                 },
1772                 {NULL, NULL, 0, NULL, NULL}
1773         };
1774
1775         return net_run_function(c, argc, argv, "net ads printer", func);
1776 }
1777
1778
1779 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1780 {
1781         ADS_STRUCT *ads;
1782         const char *auth_principal = c->opt_user_name;
1783         const char *auth_password = c->opt_password;
1784         char *realm = NULL;
1785         char *new_password = NULL;
1786         char *chr, *prompt;
1787         const char *user;
1788         ADS_STATUS ret;
1789
1790         if (c->display_usage) {
1791                 d_printf("Usage:\n"
1792                          "net ads password <username>\n"
1793                          "  Change password for user\n"
1794                          "    username\tName of user to change password for\n");
1795                 return 0;
1796         }
1797
1798         if (c->opt_user_name == NULL || c->opt_password == NULL) {
1799                 d_fprintf(stderr, "You must supply an administrator username/password\n");
1800                 return -1;
1801         }
1802
1803         if (argc < 1) {
1804                 d_fprintf(stderr, "ERROR: You must say which username to change password for\n");
1805                 return -1;
1806         }
1807
1808         user = argv[0];
1809         if (!strchr_m(user, '@')) {
1810                 asprintf(&chr, "%s@%s", argv[0], lp_realm());
1811                 user = chr;
1812         }
1813
1814         use_in_memory_ccache();
1815         chr = strchr_m(auth_principal, '@');
1816         if (chr) {
1817                 realm = ++chr;
1818         } else {
1819                 realm = lp_realm();
1820         }
1821
1822         /* use the realm so we can eventually change passwords for users
1823         in realms other than default */
1824         if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1825                 return -1;
1826         }
1827
1828         /* we don't actually need a full connect, but it's the easy way to
1829                 fill in the KDC's addresss */
1830         ads_connect(ads);
1831
1832         if (!ads->config.realm) {
1833                 d_fprintf(stderr, "Didn't find the kerberos server!\n");
1834                 return -1;
1835         }
1836
1837         if (argv[1]) {
1838                 new_password = (char *)argv[1];
1839         } else {
1840                 asprintf(&prompt, "Enter new password for %s:", user);
1841                 new_password = getpass(prompt);
1842                 free(prompt);
1843         }
1844
1845         ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1846                                 auth_password, user, new_password, ads->auth.time_offset);
1847         if (!ADS_ERR_OK(ret)) {
1848                 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1849                 ads_destroy(&ads);
1850                 return -1;
1851         }
1852
1853         d_printf("Password change for %s completed.\n", user);
1854         ads_destroy(&ads);
1855
1856         return 0;
1857 }
1858
1859 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1860 {
1861         ADS_STRUCT *ads;
1862         char *host_principal;
1863         fstring my_name;
1864         ADS_STATUS ret;
1865
1866         if (c->display_usage) {
1867                 d_printf("Usage:\n"
1868                          "net ads changetrustpw\n"
1869                          "    Change the machine account's trust password\n");
1870                 return 0;
1871         }
1872
1873         if (!secrets_init()) {
1874                 DEBUG(1,("Failed to initialise secrets database\n"));
1875                 return -1;
1876         }
1877
1878         net_use_krb_machine_account(c);
1879
1880         use_in_memory_ccache();
1881
1882         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1883                 return -1;
1884         }
1885
1886         fstrcpy(my_name, global_myname());
1887         strlower_m(my_name);
1888         asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm);
1889         d_printf("Changing password for principal: %s\n", host_principal);
1890
1891         ret = ads_change_trust_account_password(ads, host_principal);
1892
1893         if (!ADS_ERR_OK(ret)) {
1894                 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1895                 ads_destroy(&ads);
1896                 SAFE_FREE(host_principal);
1897                 return -1;
1898         }
1899
1900         d_printf("Password change for principal %s succeeded.\n", host_principal);
1901
1902         if (lp_use_kerberos_keytab()) {
1903                 d_printf("Attempting to update system keytab with new password.\n");
1904                 if (ads_keytab_create_default(ads)) {
1905                         d_printf("Failed to update system keytab.\n");
1906                 }
1907         }
1908
1909         ads_destroy(&ads);
1910         SAFE_FREE(host_principal);
1911
1912         return 0;
1913 }
1914
1915 /*
1916   help for net ads search
1917 */
1918 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
1919 {
1920         d_printf(
1921                 "\nnet ads search <expression> <attributes...>\n"
1922                 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
1923                 "The expression is a standard LDAP search expression, and the\n"
1924                 "attributes are a list of LDAP fields to show in the results.\n\n"
1925                 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
1926                 );
1927         net_common_flags_usage(c, argc, argv);
1928         return -1;
1929 }
1930
1931
1932 /*
1933   general ADS search function. Useful in diagnosing problems in ADS
1934 */
1935 static int net_ads_search(struct net_context *c, int argc, const char **argv)
1936 {
1937         ADS_STRUCT *ads;
1938         ADS_STATUS rc;
1939         const char *ldap_exp;
1940         const char **attrs;
1941         LDAPMessage *res = NULL;
1942
1943         if (argc < 1 || c->display_usage) {
1944                 return net_ads_search_usage(c, argc, argv);
1945         }
1946
1947         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1948                 return -1;
1949         }
1950
1951         ldap_exp = argv[0];
1952         attrs = (argv + 1);
1953
1954         rc = ads_do_search_all(ads, ads->config.bind_path,
1955                                LDAP_SCOPE_SUBTREE,
1956                                ldap_exp, attrs, &res);
1957         if (!ADS_ERR_OK(rc)) {
1958                 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
1959                 ads_destroy(&ads);
1960                 return -1;
1961         }
1962
1963         d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
1964
1965         /* dump the results */
1966         ads_dump(ads, res);
1967
1968         ads_msgfree(ads, res);
1969         ads_destroy(&ads);
1970
1971         return 0;
1972 }
1973
1974
1975 /*
1976   help for net ads search
1977 */
1978 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
1979 {
1980         d_printf(
1981                 "\nnet ads dn <dn> <attributes...>\n"
1982                 "\nperform a raw LDAP search on a ADS server and dump the results\n"
1983                 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
1984                 "to show in the results\n\n"
1985                 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
1986                 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
1987                 );
1988         net_common_flags_usage(c, argc, argv);
1989         return -1;
1990 }
1991
1992
1993 /*
1994   general ADS search function. Useful in diagnosing problems in ADS
1995 */
1996 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
1997 {
1998         ADS_STRUCT *ads;
1999         ADS_STATUS rc;
2000         const char *dn;
2001         const char **attrs;
2002         LDAPMessage *res = NULL;
2003
2004         if (argc < 1 || c->display_usage) {
2005                 return net_ads_dn_usage(c, argc, argv);
2006         }
2007
2008         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2009                 return -1;
2010         }
2011
2012         dn = argv[0];
2013         attrs = (argv + 1);
2014
2015         rc = ads_do_search_all(ads, dn,
2016                                LDAP_SCOPE_BASE,
2017                                "(objectclass=*)", attrs, &res);
2018         if (!ADS_ERR_OK(rc)) {
2019                 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
2020                 ads_destroy(&ads);
2021                 return -1;
2022         }
2023
2024         d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2025
2026         /* dump the results */
2027         ads_dump(ads, res);
2028
2029         ads_msgfree(ads, res);
2030         ads_destroy(&ads);
2031
2032         return 0;
2033 }
2034
2035 /*
2036   help for net ads sid search
2037 */
2038 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2039 {
2040         d_printf(
2041                 "\nnet ads sid <sid> <attributes...>\n"
2042                 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2043                 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2044                 "to show in the results\n\n"
2045                 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2046                 );
2047         net_common_flags_usage(c, argc, argv);
2048         return -1;
2049 }
2050
2051
2052 /*
2053   general ADS search function. Useful in diagnosing problems in ADS
2054 */
2055 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2056 {
2057         ADS_STRUCT *ads;
2058         ADS_STATUS rc;
2059         const char *sid_string;
2060         const char **attrs;
2061         LDAPMessage *res = NULL;
2062         DOM_SID sid;
2063
2064         if (argc < 1 || c->display_usage) {
2065                 return net_ads_sid_usage(c, argc, argv);
2066         }
2067
2068         if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2069                 return -1;
2070         }
2071
2072         sid_string = argv[0];
2073         attrs = (argv + 1);
2074
2075         if (!string_to_sid(&sid, sid_string)) {
2076                 d_fprintf(stderr, "could not convert sid\n");
2077                 ads_destroy(&ads);
2078                 return -1;
2079         }
2080
2081         rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2082         if (!ADS_ERR_OK(rc)) {
2083                 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
2084                 ads_destroy(&ads);
2085                 return -1;
2086         }
2087
2088         d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2089
2090         /* dump the results */
2091         ads_dump(ads, res);
2092
2093         ads_msgfree(ads, res);
2094         ads_destroy(&ads);
2095
2096         return 0;
2097 }
2098
2099 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2100 {
2101         int ret;
2102         ADS_STRUCT *ads;
2103
2104         if (c->display_usage) {
2105                 d_printf("Usage:\n"
2106                          "net ads keytab flush\n"
2107                          "    Delete the whole keytab\n");
2108                 return 0;
2109         }
2110
2111         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2112                 return -1;
2113         }
2114         ret = ads_keytab_flush(ads);
2115         ads_destroy(&ads);
2116         return ret;
2117 }
2118
2119 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2120 {
2121         int i;
2122         int ret = 0;
2123         ADS_STRUCT *ads;
2124
2125         if (c->display_usage) {
2126                 d_printf("Usage:\n"
2127                          "net ads keytab add <principal> [principal ...]\n"
2128                          "  Add principals to local keytab\n"
2129                          "    principal\tKerberos principal to add to "
2130                          "keytab\n");
2131                 return 0;
2132         }
2133
2134         d_printf("Processing principals to add...\n");
2135         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2136                 return -1;
2137         }
2138         for (i = 0; i < argc; i++) {
2139                 ret |= ads_keytab_add_entry(ads, argv[i]);
2140         }
2141         ads_destroy(&ads);
2142         return ret;
2143 }
2144
2145 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2146 {
2147         ADS_STRUCT *ads;
2148         int ret;
2149
2150         if (c->display_usage) {
2151                 d_printf("Usage:\n"
2152                          "net ads keytab create\n"
2153                          "    Create new default keytab\n");
2154                 return 0;
2155         }
2156
2157         if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2158                 return -1;
2159         }
2160         ret = ads_keytab_create_default(ads);
2161         ads_destroy(&ads);
2162         return ret;
2163 }
2164
2165 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2166 {
2167         const char *keytab = NULL;
2168
2169         if (c->display_usage) {
2170                 d_printf("Usage:\n"
2171                          "net ads keytab list [keytab]\n"
2172                          "  List a local keytab\n"
2173                          "    keytab\tKeytab to list\n");
2174                 return 0;
2175         }
2176
2177         if (argc >= 1) {
2178                 keytab = argv[0];
2179         }
2180
2181         return ads_keytab_list(keytab);
2182 }
2183
2184
2185 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2186 {
2187         struct functable func[] = {
2188                 {
2189                         "add",
2190                         net_ads_keytab_add,
2191                         NET_TRANSPORT_ADS,
2192                         "Add a service principal",
2193                         "net ads keytab add\n"
2194                         "    Add a service principal"
2195                 },
2196                 {
2197                         "create",
2198                         net_ads_keytab_create,
2199                         NET_TRANSPORT_ADS,
2200                         "Create a fresh keytab",
2201                         "net ads keytab create\n"
2202                         "    Create a fresh keytab"
2203                 },
2204                 {
2205                         "flush",
2206                         net_ads_keytab_flush,
2207                         NET_TRANSPORT_ADS,
2208                         "Remove all keytab entries",
2209                         "net ads keytab flush\n"
2210                         "    Remove all keytab entries"
2211                 },
2212                 {
2213                         "list",
2214                         net_ads_keytab_list,
2215                         NET_TRANSPORT_ADS,
2216                         "List a keytab",
2217                         "net ads keytab list\n"
2218                         "    List a keytab"
2219                 },
2220                 {NULL, NULL, 0, NULL, NULL}
2221         };
2222
2223         if (!lp_use_kerberos_keytab()) {
2224                 d_printf("\nWarning: \"use kerberos keytab\" must be set to \"true\" in order to \
2225 use keytab functions.\n");
2226         }
2227
2228         return net_run_function(c, argc, argv, "net ads keytab", func);
2229 }
2230
2231 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2232 {
2233         int ret = -1;
2234
2235         if (c->display_usage) {
2236                 d_printf("Usage:\n"
2237                          "net ads kerberos renew\n"
2238                          "    Renew TGT from existing credential cache\n");
2239                 return 0;
2240         }
2241
2242         ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2243         if (ret) {
2244                 d_printf("failed to renew kerberos ticket: %s\n",
2245                         error_message(ret));
2246         }
2247         return ret;
2248 }
2249
2250 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2251 {
2252         struct PAC_DATA *pac = NULL;
2253         struct PAC_LOGON_INFO *info = NULL;
2254         TALLOC_CTX *mem_ctx = NULL;
2255         NTSTATUS status;
2256         int ret = -1;
2257
2258         if (c->display_usage) {
2259                 d_printf("Usage:\n"
2260                          "net ads kerberos pac\n"
2261                          "    Dump the Kerberos PAC\n");
2262                 return 0;
2263         }
2264
2265         mem_ctx = talloc_init("net_ads_kerberos_pac");
2266         if (!mem_ctx) {
2267                 goto out;
2268         }
2269
2270         c->opt_password = net_prompt_pass(c, c->opt_user_name);
2271
2272         status = kerberos_return_pac(mem_ctx,
2273                                      c->opt_user_name,
2274                                      c->opt_password,
2275                                      0,
2276                                      NULL,
2277                                      NULL,
2278                                      NULL,
2279                                      true,
2280                                      true,
2281                                      2592000, /* one month */
2282                                      &pac);
2283         if (!NT_STATUS_IS_OK(status)) {
2284                 d_printf("failed to query kerberos PAC: %s\n",
2285                         nt_errstr(status));
2286                 goto out;
2287         }
2288
2289         info = get_logon_info_from_pac(pac);
2290         if (info) {
2291                 const char *s;
2292                 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2293                 d_printf("The Pac: %s\n", s);
2294         }
2295
2296         ret = 0;
2297  out:
2298         TALLOC_FREE(mem_ctx);
2299         return ret;
2300 }
2301
2302 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2303 {
2304         TALLOC_CTX *mem_ctx = NULL;
2305         int ret = -1;
2306         NTSTATUS status;
2307
2308         if (c->display_usage) {
2309                 d_printf("Usage:\n"
2310                          "net ads kerberos kinit\n"
2311                          "    Get Ticket Granting Ticket (TGT) for the user\n");
2312                 return 0;
2313         }
2314
2315         mem_ctx = talloc_init("net_ads_kerberos_kinit");
2316         if (!mem_ctx) {
2317                 goto out;
2318         }
2319
2320         c->opt_password = net_prompt_pass(c, c->opt_user_name);
2321
2322         ret = kerberos_kinit_password_ext(c->opt_user_name,
2323                                           c->opt_password,
2324                                           0,
2325                                           NULL,
2326                                           NULL,
2327                                           NULL,
2328                                           true,
2329                                           true,
2330                                           2592000, /* one month */
2331                                           &status);
2332         if (ret) {
2333                 d_printf("failed to kinit password: %s\n",
2334                         nt_errstr(status));
2335         }
2336  out:
2337         return ret;
2338 }
2339
2340 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2341 {
2342         struct functable func[] = {
2343                 {
2344                         "kinit",
2345                         net_ads_kerberos_kinit,
2346                         NET_TRANSPORT_ADS,
2347                         "Retrieve Ticket Granting Ticket (TGT)",
2348                         "net ads kerberos kinit\n"
2349                         "    Receive Ticket Granting Ticket (TGT)"
2350                 },
2351                 {
2352                         "renew",
2353                         net_ads_kerberos_renew,
2354                         NET_TRANSPORT_ADS,
2355                         "Renew Ticket Granting Ticket from credential cache"
2356                         "net ads kerberos renew\n"
2357                         "    Renew Ticket Granting Ticket from credential cache"
2358                 },
2359                 {
2360                         "pac",
2361                         net_ads_kerberos_pac,
2362                         NET_TRANSPORT_ADS,
2363                         "Dump Kerberos PAC",
2364                         "net ads kerberos pac\n"
2365                         "    Dump Kerberos PAC"
2366                 },
2367                 {NULL, NULL, 0, NULL, NULL}
2368         };
2369
2370         return net_run_function(c, argc, argv, "net ads kerberos", func);
2371 }
2372
2373 int net_ads(struct net_context *c, int argc, const char **argv)
2374 {
2375         struct functable func[] = {
2376                 {
2377                         "info",
2378                         net_ads_info,
2379                         NET_TRANSPORT_ADS,
2380                         "Display details on remote ADS server",
2381                         "net ads info\n"
2382                         "    Display details on remote ADS server"
2383                 },
2384                 {
2385                         "join",
2386                         net_ads_join,
2387                         NET_TRANSPORT_ADS,
2388                         "Join the local machine to ADS realm",
2389                         "net ads join\n"
2390                         "    Join the local machine to ADS realm"
2391                 },
2392                 {
2393                         "testjoin",
2394                         net_ads_testjoin,
2395                         NET_TRANSPORT_ADS,
2396                         "Validate machine account",
2397                         "net ads testjoin\n"
2398                         "    Validate machine account"
2399                 },
2400                 {
2401                         "leave",
2402                         net_ads_leave,
2403                         NET_TRANSPORT_ADS,
2404                         "Remove the local machine from ADS",
2405                         "net ads leave\n"
2406                         "    Remove the local machine from ADS"
2407                 },
2408                 {
2409                         "status",
2410                         net_ads_status,
2411                         NET_TRANSPORT_ADS,
2412                         "Display machine account details",
2413                         "net ads status\n"
2414                         "    Display machine account details"
2415                 },
2416                 {
2417                         "user",
2418                         net_ads_user,
2419                         NET_TRANSPORT_ADS,
2420                         "List/modify users",
2421                         "net ads user\n"
2422                         "    List/modify users"
2423                 },
2424                 {
2425                         "group",
2426                         net_ads_group,
2427                         NET_TRANSPORT_ADS,
2428                         "List/modify groups",
2429                         "net ads group\n"
2430                         "    List/modify groups"
2431                 },
2432                 {
2433                         "dns",
2434                         net_ads_dns,
2435                         NET_TRANSPORT_ADS,
2436                         "Issue dynamic DNS update",
2437                         "net ads dns\n"
2438                         "    Issue dynamic DNS update"
2439                 },
2440                 {
2441                         "password",
2442                         net_ads_password,
2443                         NET_TRANSPORT_ADS,
2444                         "Change user passwords",
2445                         "net ads password\n"
2446                         "    Change user passwords"
2447                 },
2448                 {
2449                         "changetrustpw",
2450                         net_ads_changetrustpw,
2451                         NET_TRANSPORT_ADS,
2452                         "Change trust account password",
2453                         "net ads changetrustpw\n"
2454                         "    Change trust account password"
2455                 },
2456                 {
2457                         "printer",
2458                         net_ads_printer,
2459                         NET_TRANSPORT_ADS,
2460                         "List/modify printer entries",
2461                         "net ads printer\n"
2462                         "    List/modify printer entries"
2463                 },
2464                 {
2465                         "search",
2466                         net_ads_search,
2467                         NET_TRANSPORT_ADS,
2468                         "Issue LDAP search using filter",
2469                         "net ads search\n"
2470                         "    Issue LDAP search using filter"
2471                 },
2472                 {
2473                         "dn",
2474                         net_ads_dn,
2475                         NET_TRANSPORT_ADS,
2476                         "Issue LDAP search by DN",
2477                         "net ads dn\n"
2478                         "    Issue LDAP search by DN"
2479                 },
2480                 {
2481                         "sid",
2482                         net_ads_sid,
2483                         NET_TRANSPORT_ADS,
2484                         "Issue LDAP search by SID",
2485                         "net ads sid\n"
2486                         "    Issue LDAP search by SID"
2487                 },
2488                 {
2489                         "workgroup",
2490                         net_ads_workgroup,
2491                         NET_TRANSPORT_ADS,
2492                         "Display workgroup name",
2493                         "net ads workgroup\n"
2494                         "    Display the workgroup name"
2495                 },
2496                 {
2497                         "lookup",
2498                         net_ads_lookup,
2499                         NET_TRANSPORT_ADS,
2500                         "Perfom CLDAP query on DC",
2501                         "net ads lookup\n"
2502                         "    Find the ADS DC using CLDAP lookups"
2503                 },
2504                 {
2505                         "keytab",
2506                         net_ads_keytab,
2507                         NET_TRANSPORT_ADS,
2508                         "Manage local keytab file",
2509                         "net ads keytab\n"
2510                         "    Manage local keytab file"
2511                 },
2512                 {
2513                         "gpo",
2514                         net_ads_gpo,
2515                         NET_TRANSPORT_ADS,
2516                         "Manage group policy objects",
2517                         "net ads gpo\n"
2518                         "    Manage group policy objects"
2519                 },
2520                 {
2521                         "kerberos",
2522                         net_ads_kerberos,
2523                         NET_TRANSPORT_ADS,
2524                         "Manage kerberos keytab",
2525                         "net ads kerberos\n"
2526                         "    Manage kerberos keytab"
2527                 },
2528                 {NULL, NULL, 0, NULL, NULL}
2529         };
2530
2531         return net_run_function(c, argc, argv, "net ads", func);
2532 }
2533
2534 #else
2535
2536 static int net_ads_noads(void)
2537 {
2538         d_fprintf(stderr, "ADS support not compiled in\n");
2539         return -1;
2540 }
2541
2542 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2543 {
2544         return net_ads_noads();
2545 }
2546
2547 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2548 {
2549         return net_ads_noads();
2550 }
2551
2552 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2553 {
2554         return net_ads_noads();
2555 }
2556
2557 int net_ads_join(struct net_context *c, int argc, const char **argv)
2558 {
2559         return net_ads_noads();
2560 }
2561
2562 int net_ads_user(struct net_context *c, int argc, const char **argv)
2563 {
2564         return net_ads_noads();
2565 }
2566
2567 int net_ads_group(struct net_context *c, int argc, const char **argv)
2568 {
2569         return net_ads_noads();
2570 }
2571
2572 /* this one shouldn't display a message */
2573 int net_ads_check(struct net_context *c)
2574 {
2575         return -1;
2576 }
2577
2578 int net_ads_check_our_domain(struct net_context *c)
2579 {
2580         return -1;
2581 }
2582
2583 int net_ads(struct net_context *c, int argc, const char **argv)
2584 {
2585         return net_ads_noads();
2586 }
2587
2588 #endif  /* WITH_ADS */