2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "librpc/gen_ndr/ndr_krb5pac.h"
27 #include "../librpc/gen_ndr/ndr_spoolss.h"
28 #include "nsswitch/libwbclient/wbclient.h"
30 #include "libads/cldap.h"
31 #include "libads/dns.h"
32 #include "../libds/common/flags.h"
33 #include "librpc/gen_ndr/libnet_join.h"
34 #include "libnet/libnet_join.h"
38 #include "../libcli/security/security.h"
42 /* when we do not have sufficient input parameters to contact a remote domain
43 * we always fall back to our own realm - Guenther*/
45 static const char *assume_own_realm(struct net_context *c)
47 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
55 do a cldap netlogon query
57 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
59 char addr[INET6_ADDRSTRLEN];
60 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
62 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
64 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
65 d_fprintf(stderr, _("CLDAP query failed!\n"));
69 d_printf(_("Information for Domain Controller: %s\n\n"),
72 d_printf(_("Response Type: "));
73 switch (reply.command) {
74 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
75 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
77 case LOGON_SAM_LOGON_RESPONSE_EX:
78 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
81 d_printf("0x%x\n", reply.command);
85 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
89 "\tIs a GC of the forest: %s\n"
90 "\tIs an LDAP server: %s\n"
92 "\tIs running a KDC: %s\n"
93 "\tIs running time services: %s\n"
94 "\tIs the closest DC: %s\n"
96 "\tHas a hardware clock: %s\n"
97 "\tIs a non-domain NC serviced by LDAP server: %s\n"
98 "\tIs NT6 DC that has some secrets: %s\n"
99 "\tIs NT6 DC that has all secrets: %s\n"),
100 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
101 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
102 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
103 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
104 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
105 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
106 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
107 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
108 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
109 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
110 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
111 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
114 printf(_("Forest:\t\t\t%s\n"), reply.forest);
115 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
116 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
118 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain_name);
119 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
121 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
123 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
124 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
126 d_printf(_("NT Version: %d\n"), reply.nt_version);
127 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
128 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
134 this implements the CLDAP based netlogon lookup requests
135 for finding the domain controller of a ADS domain
137 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
142 if (c->display_usage) {
147 _("Find the ADS DC using CLDAP lookup.\n"));
151 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
152 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
157 if (!ads->config.realm) {
158 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
159 ads->ldap.port = 389;
162 ret = net_ads_cldap_netlogon(c, ads);
169 static int net_ads_info(struct net_context *c, int argc, const char **argv)
172 char addr[INET6_ADDRSTRLEN];
174 if (c->display_usage) {
179 _("Display information about an Active Directory "
184 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
185 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
189 if (!ads || !ads->config.realm) {
190 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
195 /* Try to set the server's current time since we didn't do a full
196 TCP LDAP session initially */
198 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
199 d_fprintf( stderr, _("Failed to get server's current time!\n"));
202 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
204 d_printf(_("LDAP server: %s\n"), addr);
205 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
206 d_printf(_("Realm: %s\n"), ads->config.realm);
207 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
208 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
209 d_printf(_("Server time: %s\n"),
210 http_timestring(talloc_tos(), ads->config.current_time));
212 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
213 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
219 static void use_in_memory_ccache(void) {
220 /* Use in-memory credentials cache so we do not interfere with
221 * existing credentials */
222 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
225 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
226 uint32 auth_flags, ADS_STRUCT **ads_ret)
228 ADS_STRUCT *ads = NULL;
230 bool need_password = false;
231 bool second_time = false;
233 const char *realm = NULL;
234 bool tried_closest_dc = false;
236 /* lp_realm() should be handled by a command line param,
237 However, the join requires that realm be set in smb.conf
238 and compares our realm with the remote server's so this is
239 ok until someone needs more flexibility */
244 if (only_own_domain) {
247 realm = assume_own_realm(c);
250 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
252 if (!c->opt_user_name) {
253 c->opt_user_name = "administrator";
256 if (c->opt_user_specified) {
257 need_password = true;
261 if (!c->opt_password && need_password && !c->opt_machine_pass) {
262 c->opt_password = net_prompt_pass(c, c->opt_user_name);
263 if (!c->opt_password) {
265 return ADS_ERROR(LDAP_NO_MEMORY);
269 if (c->opt_password) {
270 use_in_memory_ccache();
271 SAFE_FREE(ads->auth.password);
272 ads->auth.password = smb_xstrdup(c->opt_password);
275 ads->auth.flags |= auth_flags;
276 SAFE_FREE(ads->auth.user_name);
277 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
280 * If the username is of the form "name@realm",
281 * extract the realm and convert to upper case.
282 * This is only used to establish the connection.
284 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
286 SAFE_FREE(ads->auth.realm);
287 ads->auth.realm = smb_xstrdup(cp);
288 strupper_m(ads->auth.realm);
291 status = ads_connect(ads);
293 if (!ADS_ERR_OK(status)) {
295 if (NT_STATUS_EQUAL(ads_ntstatus(status),
296 NT_STATUS_NO_LOGON_SERVERS)) {
297 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
302 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
303 need_password = true;
312 /* when contacting our own domain, make sure we use the closest DC.
313 * This is done by reconnecting to ADS because only the first call to
314 * ads_connect will give us our own sitename */
316 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
318 tried_closest_dc = true; /* avoid loop */
320 if (!ads_closest_dc(ads)) {
322 namecache_delete(ads->server.realm, 0x1C);
323 namecache_delete(ads->server.workgroup, 0x1C);
336 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
338 return ads_startup_int(c, only_own_domain, 0, ads);
341 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
343 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
347 Check to see if connection can be made via ads.
348 ads_startup() stores the password in opt_password if it needs to so
349 that rpc or rap can use it without re-prompting.
351 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
356 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
360 ads->auth.flags |= ADS_AUTH_NO_BIND;
362 status = ads_connect(ads);
363 if ( !ADS_ERR_OK(status) ) {
371 int net_ads_check_our_domain(struct net_context *c)
373 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
376 int net_ads_check(struct net_context *c)
378 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
382 determine the netbios workgroup name for a domain
384 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
387 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
389 if (c->display_usage) {
391 "net ads workgroup\n"
394 _("Print the workgroup name"));
398 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
399 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
403 if (!ads->config.realm) {
404 ads->config.realm = discard_const_p(char, c->opt_target_workgroup);
405 ads->ldap.port = 389;
408 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
409 d_fprintf(stderr, _("CLDAP query failed!\n"));
414 d_printf(_("Workgroup: %s\n"), reply.domain_name);
423 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
425 char **disp_fields = (char **) data_area;
427 if (!field) { /* must be end of record */
428 if (disp_fields[0]) {
429 if (!strchr_m(disp_fields[0], '$')) {
431 d_printf("%-21.21s %s\n",
432 disp_fields[0], disp_fields[1]);
434 d_printf("%s\n", disp_fields[0]);
437 SAFE_FREE(disp_fields[0]);
438 SAFE_FREE(disp_fields[1]);
441 if (!values) /* must be new field, indicate string field */
443 if (StrCaseCmp(field, "sAMAccountName") == 0) {
444 disp_fields[0] = SMB_STRDUP((char *) values[0]);
446 if (StrCaseCmp(field, "description") == 0)
447 disp_fields[1] = SMB_STRDUP((char *) values[0]);
451 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
453 return net_user_usage(c, argc, argv);
456 static int ads_user_add(struct net_context *c, int argc, const char **argv)
461 LDAPMessage *res=NULL;
465 if (argc < 1 || c->display_usage)
466 return net_ads_user_usage(c, argc, argv);
468 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
472 status = ads_find_user_acct(ads, &res, argv[0]);
474 if (!ADS_ERR_OK(status)) {
475 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
479 if (ads_count_replies(ads, res)) {
480 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
485 if (c->opt_container) {
486 ou_str = SMB_STRDUP(c->opt_container);
488 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
491 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
493 if (!ADS_ERR_OK(status)) {
494 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
499 /* if no password is to be set, we're done */
501 d_printf(_("User %s added\n"), argv[0]);
506 /* try setting the password */
507 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
510 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
511 ads->auth.time_offset);
513 if (ADS_ERR_OK(status)) {
514 d_printf(_("User %s added\n"), argv[0]);
519 /* password didn't set, delete account */
520 d_fprintf(stderr, _("Could not add user %s. "
521 "Error setting password %s\n"),
522 argv[0], ads_errstr(status));
523 ads_msgfree(ads, res);
524 status=ads_find_user_acct(ads, &res, argv[0]);
525 if (ADS_ERR_OK(status)) {
526 userdn = ads_get_dn(ads, talloc_tos(), res);
527 ads_del_dn(ads, userdn);
533 ads_msgfree(ads, res);
539 static int ads_user_info(struct net_context *c, int argc, const char **argv)
541 ADS_STRUCT *ads = NULL;
543 LDAPMessage *res = NULL;
547 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
548 char *searchstring=NULL;
552 struct dom_sid primary_group_sid;
554 enum wbcSidType type;
556 if (argc < 1 || c->display_usage) {
557 return net_ads_user_usage(c, argc, argv);
560 frame = talloc_new(talloc_tos());
565 escaped_user = escape_ldap_string(frame, argv[0]);
568 _("ads_user_info: failed to escape user %s\n"),
573 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
578 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
582 rc = ads_search(ads, &res, searchstring, attrs);
583 SAFE_FREE(searchstring);
585 if (!ADS_ERR_OK(rc)) {
586 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
591 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
592 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
597 rc = ads_domain_sid(ads, &primary_group_sid);
598 if (!ADS_ERR_OK(rc)) {
599 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
604 sid_append_rid(&primary_group_sid, group_rid);
606 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
607 NULL, /* don't look up domain */
610 if (!WBC_ERROR_IS_OK(wbc_status)) {
611 d_fprintf(stderr, "wbcLookupSid: %s\n",
612 wbcErrorString(wbc_status));
617 d_printf("%s\n", primary_group);
619 wbcFreeMemory(primary_group);
621 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
622 (LDAPMessage *)res, "memberOf");
627 for (i=0;grouplist[i];i++) {
628 groupname = ldap_explode_dn(grouplist[i], 1);
629 d_printf("%s\n", groupname[0]);
630 ldap_value_free(groupname);
632 ldap_value_free(grouplist);
636 if (res) ads_msgfree(ads, res);
637 if (ads) ads_destroy(&ads);
642 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
646 LDAPMessage *res = NULL;
650 return net_ads_user_usage(c, argc, argv);
653 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
657 rc = ads_find_user_acct(ads, &res, argv[0]);
658 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
659 d_printf(_("User %s does not exist.\n"), argv[0]);
660 ads_msgfree(ads, res);
664 userdn = ads_get_dn(ads, talloc_tos(), res);
665 ads_msgfree(ads, res);
666 rc = ads_del_dn(ads, userdn);
668 if (ADS_ERR_OK(rc)) {
669 d_printf(_("User %s deleted\n"), argv[0]);
673 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
679 int net_ads_user(struct net_context *c, int argc, const char **argv)
681 struct functable func[] = {
686 N_("Add an AD user"),
687 N_("net ads user add\n"
694 N_("Display information about an AD user"),
695 N_("net ads user info\n"
696 " Display information about an AD user")
702 N_("Delete an AD user"),
703 N_("net ads user delete\n"
704 " Delete an AD user")
706 {NULL, NULL, 0, NULL, NULL}
710 const char *shortattrs[] = {"sAMAccountName", NULL};
711 const char *longattrs[] = {"sAMAccountName", "description", NULL};
712 char *disp_fields[2] = {NULL, NULL};
715 if (c->display_usage) {
721 net_display_usage_from_functable(func);
725 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
729 if (c->opt_long_list_entries)
730 d_printf(_("\nUser name Comment"
731 "\n-----------------------------\n"));
733 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
735 "(objectCategory=user)",
736 c->opt_long_list_entries ? longattrs :
737 shortattrs, usergrp_display,
740 return ADS_ERR_OK(rc) ? 0 : -1;
743 return net_run_function(c, argc, argv, "net ads user", func);
746 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
748 return net_group_usage(c, argc, argv);
751 static int ads_group_add(struct net_context *c, int argc, const char **argv)
755 LDAPMessage *res=NULL;
759 if (argc < 1 || c->display_usage) {
760 return net_ads_group_usage(c, argc, argv);
763 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
767 status = ads_find_user_acct(ads, &res, argv[0]);
769 if (!ADS_ERR_OK(status)) {
770 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
774 if (ads_count_replies(ads, res)) {
775 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
779 if (c->opt_container) {
780 ou_str = SMB_STRDUP(c->opt_container);
782 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
785 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
787 if (ADS_ERR_OK(status)) {
788 d_printf(_("Group %s added\n"), argv[0]);
791 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
797 ads_msgfree(ads, res);
803 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
807 LDAPMessage *res = NULL;
810 if (argc < 1 || c->display_usage) {
811 return net_ads_group_usage(c, argc, argv);
814 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
818 rc = ads_find_user_acct(ads, &res, argv[0]);
819 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
820 d_printf(_("Group %s does not exist.\n"), argv[0]);
821 ads_msgfree(ads, res);
825 groupdn = ads_get_dn(ads, talloc_tos(), res);
826 ads_msgfree(ads, res);
827 rc = ads_del_dn(ads, groupdn);
828 TALLOC_FREE(groupdn);
829 if (ADS_ERR_OK(rc)) {
830 d_printf(_("Group %s deleted\n"), argv[0]);
834 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
840 int net_ads_group(struct net_context *c, int argc, const char **argv)
842 struct functable func[] = {
847 N_("Add an AD group"),
848 N_("net ads group add\n"
855 N_("Delete an AD group"),
856 N_("net ads group delete\n"
857 " Delete an AD group")
859 {NULL, NULL, 0, NULL, NULL}
863 const char *shortattrs[] = {"sAMAccountName", NULL};
864 const char *longattrs[] = {"sAMAccountName", "description", NULL};
865 char *disp_fields[2] = {NULL, NULL};
868 if (c->display_usage) {
873 _("List AD groups"));
874 net_display_usage_from_functable(func);
878 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
882 if (c->opt_long_list_entries)
883 d_printf(_("\nGroup name Comment"
884 "\n-----------------------------\n"));
885 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
887 "(objectCategory=group)",
888 c->opt_long_list_entries ? longattrs :
889 shortattrs, usergrp_display,
893 return ADS_ERR_OK(rc) ? 0 : -1;
895 return net_run_function(c, argc, argv, "net ads group", func);
898 static int net_ads_status(struct net_context *c, int argc, const char **argv)
904 if (c->display_usage) {
909 _("Display machine account details"));
913 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
917 rc = ads_find_machine_acct(ads, &res, global_myname());
918 if (!ADS_ERR_OK(rc)) {
919 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
924 if (ads_count_replies(ads, res) == 0) {
925 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
935 /*******************************************************************
936 Leave an AD domain. Windows XP disables the machine account.
937 We'll try the same. The old code would do an LDAP delete.
938 That only worked using the machine creds because added the machine
939 with full control to the computer object's ACL.
940 *******************************************************************/
942 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
945 struct libnet_UnjoinCtx *r = NULL;
948 if (c->display_usage) {
953 _("Leave an AD domain"));
958 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
962 if (!(ctx = talloc_init("net_ads_leave"))) {
963 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
967 if (!c->opt_kerberos) {
968 use_in_memory_ccache();
972 d_fprintf(stderr, _("Could not initialise message context. "
973 "Try running as root\n"));
977 werr = libnet_init_UnjoinCtx(ctx, &r);
978 if (!W_ERROR_IS_OK(werr)) {
979 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
984 r->in.use_kerberos = c->opt_kerberos;
985 r->in.dc_name = c->opt_host;
986 r->in.domain_name = lp_realm();
987 r->in.admin_account = c->opt_user_name;
988 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
989 r->in.modify_config = lp_config_backend_is_registry();
991 /* Try to delete it, but if that fails, disable it. The
992 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
993 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
994 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
995 r->in.delete_machine_account = true;
996 r->in.msg_ctx = c->msg_ctx;
998 werr = libnet_Unjoin(ctx, r);
999 if (!W_ERROR_IS_OK(werr)) {
1000 d_printf(_("Failed to leave domain: %s\n"),
1001 r->out.error_string ? r->out.error_string :
1002 get_friendly_werror_msg(werr));
1006 if (r->out.deleted_machine_account) {
1007 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1008 r->in.machine_name, r->out.dns_domain_name);
1012 /* We couldn't delete it - see if the disable succeeded. */
1013 if (r->out.disabled_machine_account) {
1014 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1015 r->in.machine_name, r->out.dns_domain_name);
1020 /* Based on what we requseted, we shouldn't get here, but if
1021 we did, it means the secrets were removed, and therefore
1022 we have left the domain */
1023 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1024 r->in.machine_name, r->out.dns_domain_name);
1030 if (W_ERROR_IS_OK(werr)) {
1037 static NTSTATUS net_ads_join_ok(struct net_context *c)
1039 ADS_STRUCT *ads = NULL;
1042 struct sockaddr_storage dcip;
1044 if (!secrets_init()) {
1045 DEBUG(1,("Failed to initialise secrets database\n"));
1046 return NT_STATUS_ACCESS_DENIED;
1049 net_use_krb_machine_account(c);
1051 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1053 status = ads_startup(c, true, &ads);
1054 if (!ADS_ERR_OK(status)) {
1055 return ads_ntstatus(status);
1059 return NT_STATUS_OK;
1063 check that an existing join is OK
1065 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1068 use_in_memory_ccache();
1070 if (c->display_usage) {
1072 "net ads testjoin\n"
1075 _("Test if the existing join is ok"));
1079 /* Display success or failure */
1080 status = net_ads_join_ok(c);
1081 if (!NT_STATUS_IS_OK(status)) {
1082 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1083 get_friendly_nt_error_msg(status));
1087 printf(_("Join is OK\n"));
1091 /*******************************************************************
1092 Simple configu checks before beginning the join
1093 ********************************************************************/
1095 static WERROR check_ads_config( void )
1097 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1098 d_printf(_("Host is not configured as a member server.\n"));
1099 return WERR_INVALID_DOMAIN_ROLE;
1102 if (strlen(global_myname()) > 15) {
1103 d_printf(_("Our netbios name can be at most 15 chars long, "
1104 "\"%s\" is %u chars long\n"), global_myname(),
1105 (unsigned int)strlen(global_myname()));
1106 return WERR_INVALID_COMPUTERNAME;
1109 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1110 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1111 "join to succeed.\n"), get_dyn_CONFIGFILE());
1112 return WERR_INVALID_PARAM;
1118 /*******************************************************************
1119 Send a DNS update request
1120 *******************************************************************/
1122 #if defined(WITH_DNS_UPDATES)
1123 #include "../lib/addns/dns.h"
1124 DNS_ERROR DoDNSUpdate(char *pszServerName,
1125 const char *pszDomainName, const char *pszHostName,
1126 const struct sockaddr_storage *sslist,
1129 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1130 const char *machine_name,
1131 const struct sockaddr_storage *addrs,
1134 struct dns_rr_ns *nameservers = NULL;
1135 int ns_count = 0, i;
1136 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1139 const char *dnsdomain = NULL;
1140 char *root_domain = NULL;
1142 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1143 d_printf(_("No DNS domain configured for %s. "
1144 "Unable to perform DNS Update.\n"), machine_name);
1145 status = NT_STATUS_INVALID_PARAMETER;
1150 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1151 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1152 /* Child domains often do not have NS records. Look
1153 for the NS record for the forest root domain
1154 (rootDomainNamingContext in therootDSE) */
1156 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1157 LDAPMessage *msg = NULL;
1159 ADS_STATUS ads_status;
1161 if ( !ads->ldap.ld ) {
1162 ads_status = ads_connect( ads );
1163 if ( !ADS_ERR_OK(ads_status) ) {
1164 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1169 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1170 "(objectclass=*)", rootname_attrs, &msg);
1171 if (!ADS_ERR_OK(ads_status)) {
1175 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1177 ads_msgfree( ads, msg );
1181 root_domain = ads_build_domain( root_dn );
1184 ads_msgfree( ads, msg );
1186 /* try again for NS servers */
1188 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1190 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1191 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1192 "realm\n", ads->config.realm));
1196 dnsdomain = root_domain;
1200 for (i=0; i < ns_count; i++) {
1202 /* Now perform the dns update - we'll try non-secure and if we fail,
1203 we'll follow it up with a secure update */
1205 fstrcpy( dns_server, nameservers[i].hostname );
1207 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1208 if (ERR_DNS_IS_OK(dns_err)) {
1209 status = NT_STATUS_OK;
1213 if (ERR_DNS_EQUAL(dns_err, ERROR_DNS_INVALID_NAME_SERVER) ||
1214 ERR_DNS_EQUAL(dns_err, ERROR_DNS_CONNECTION_FAILED) ||
1215 ERR_DNS_EQUAL(dns_err, ERROR_DNS_SOCKET_ERROR)) {
1216 DEBUG(1,("retrying DNS update with next nameserver after receiving %s\n",
1217 dns_errstr(dns_err)));
1221 d_printf(_("DNS Update for %s failed: %s\n"),
1222 machine_name, dns_errstr(dns_err));
1223 status = NT_STATUS_UNSUCCESSFUL;
1229 SAFE_FREE( root_domain );
1234 static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
1235 const char *hostname,
1236 struct sockaddr_storage *iplist,
1239 struct sockaddr_storage *iplist_alloc = NULL;
1240 fstring machine_name;
1244 fstrcpy(machine_name, hostname);
1246 name_to_fqdn( machine_name, global_myname() );
1248 strlower_m( machine_name );
1250 if (num_addrs == 0 || iplist == NULL) {
1252 * Get our ip address
1253 * (not the 127.0.0.x address but a real ip address)
1255 num_addrs = get_my_ip_address(&iplist_alloc);
1256 if ( num_addrs <= 0 ) {
1257 DEBUG(4, ("net_update_dns_ext: Failed to find my "
1258 "non-loopback IP addresses!\n"));
1259 return NT_STATUS_INVALID_PARAMETER;
1261 iplist = iplist_alloc;
1264 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1267 SAFE_FREE(iplist_alloc);
1271 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
1275 status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
1281 /*******************************************************************
1282 ********************************************************************/
1284 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1286 d_printf(_("net ads join [options]\n"
1287 "Valid options:\n"));
1288 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1289 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1290 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1291 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1292 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1293 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1294 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1295 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1296 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1297 " NB: osName and osVer must be specified together for either to take effect.\n"
1298 " Also, the operatingSystemService attribute is also set when along with\n"
1299 " the two other attributes.\n"));
1304 /*******************************************************************
1305 ********************************************************************/
1307 int net_ads_join(struct net_context *c, int argc, const char **argv)
1309 TALLOC_CTX *ctx = NULL;
1310 struct libnet_JoinCtx *r = NULL;
1311 const char *domain = lp_realm();
1312 WERROR werr = WERR_SETUP_NOT_JOINED;
1313 bool createupn = false;
1314 const char *machineupn = NULL;
1315 const char *create_in_ou = NULL;
1317 const char *os_name = NULL;
1318 const char *os_version = NULL;
1319 bool modify_config = lp_config_backend_is_registry();
1321 if (c->display_usage)
1322 return net_ads_join_usage(c, argc, argv);
1324 if (!modify_config) {
1326 werr = check_ads_config();
1327 if (!W_ERROR_IS_OK(werr)) {
1328 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1333 if (!(ctx = talloc_init("net_ads_join"))) {
1334 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1339 if (!c->opt_kerberos) {
1340 use_in_memory_ccache();
1343 werr = libnet_init_JoinCtx(ctx, &r);
1344 if (!W_ERROR_IS_OK(werr)) {
1348 /* process additional command line args */
1350 for ( i=0; i<argc; i++ ) {
1351 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1353 machineupn = get_string_param(argv[i]);
1355 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1356 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1357 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1358 werr = WERR_INVALID_PARAM;
1362 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1363 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1364 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1365 werr = WERR_INVALID_PARAM;
1369 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1370 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1371 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1372 werr = WERR_INVALID_PARAM;
1382 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1383 werr = WERR_INVALID_PARAM;
1388 d_fprintf(stderr, _("Could not initialise message context. "
1389 "Try running as root\n"));
1390 werr = WERR_ACCESS_DENIED;
1394 /* Do the domain join here */
1396 r->in.domain_name = domain;
1397 r->in.create_upn = createupn;
1398 r->in.upn = machineupn;
1399 r->in.account_ou = create_in_ou;
1400 r->in.os_name = os_name;
1401 r->in.os_version = os_version;
1402 r->in.dc_name = c->opt_host;
1403 r->in.admin_account = c->opt_user_name;
1404 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1406 r->in.use_kerberos = c->opt_kerberos;
1407 r->in.modify_config = modify_config;
1408 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1409 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1410 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1411 r->in.msg_ctx = c->msg_ctx;
1413 werr = libnet_Join(ctx, r);
1414 if (W_ERROR_EQUAL(werr, WERR_DCNOTFOUND) &&
1415 strequal(domain, lp_realm())) {
1416 r->in.domain_name = lp_workgroup();
1417 werr = libnet_Join(ctx, r);
1419 if (!W_ERROR_IS_OK(werr)) {
1423 /* Check the short name of the domain */
1425 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1426 d_printf(_("The workgroup in %s does not match the short\n"
1427 "domain name obtained from the server.\n"
1428 "Using the name [%s] from the server.\n"
1429 "You should set \"workgroup = %s\" in %s.\n"),
1430 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1431 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1434 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1436 if (r->out.dns_domain_name) {
1437 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1438 r->out.dns_domain_name);
1440 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1441 r->out.netbios_domain_name);
1444 #if defined(WITH_DNS_UPDATES)
1446 * In a clustered environment, don't do dynamic dns updates:
1447 * Registering the set of ip addresses that are assigned to
1448 * the interfaces of the node that performs the join does usually
1449 * not have the desired effect, since the local interfaces do not
1450 * carry the complete set of the cluster's public IP addresses.
1451 * And it can also contain internal addresses that should not
1452 * be visible to the outside at all.
1453 * In order to do dns updates in a clustererd setup, use
1454 * net ads dns register.
1456 if (lp_clustering()) {
1457 d_fprintf(stderr, _("Not doing automatic DNS update in a"
1458 "clustered setup.\n"));
1462 if (r->out.domain_is_ad) {
1463 /* We enter this block with user creds */
1464 ADS_STRUCT *ads_dns = NULL;
1466 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1467 /* kinit with the machine password */
1469 use_in_memory_ccache();
1470 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1473 ads_dns->auth.password = secrets_fetch_machine_password(
1474 r->out.netbios_domain_name, NULL, NULL );
1475 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1476 strupper_m(ads_dns->auth.realm );
1477 ads_kinit_password( ads_dns );
1480 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
1481 d_fprintf( stderr, _("DNS update failed!\n") );
1484 /* exit from this block using machine creds */
1485 ads_destroy(&ads_dns);
1497 /* issue an overall failure message at the end. */
1498 d_printf(_("Failed to join domain: %s\n"),
1499 r && r->out.error_string ? r->out.error_string :
1500 get_friendly_werror_msg(werr));
1506 /*******************************************************************
1507 ********************************************************************/
1509 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1511 #if defined(WITH_DNS_UPDATES)
1516 const char *hostname = NULL;
1517 const char **addrs_list = NULL;
1518 struct sockaddr_storage *addrs = NULL;
1523 talloc_enable_leak_report();
1526 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1527 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1528 "detection of addresses in a clustered "
1530 c->display_usage = true;
1533 if (c->display_usage) {
1535 "net ads dns register [hostname [IP [IP...]]]\n"
1538 _("Register hostname with DNS\n"));
1542 if (!(ctx = talloc_init("net_ads_dns"))) {
1543 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1552 num_addrs = argc - 1;
1553 addrs_list = &argv[1];
1554 } else if (lp_clustering()) {
1555 addrs_list = lp_cluster_addresses();
1556 num_addrs = str_list_length(addrs_list);
1559 if (num_addrs > 0) {
1560 addrs = talloc_zero_array(ctx, struct sockaddr_storage, num_addrs);
1561 if (addrs == NULL) {
1562 d_fprintf(stderr, _("Error allocating memory!\n"));
1568 for (count = 0; count < num_addrs; count++) {
1569 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1570 d_fprintf(stderr, "%s '%s'.\n",
1571 _("Cannot interpret address"),
1578 status = ads_startup(c, true, &ads);
1579 if ( !ADS_ERR_OK(status) ) {
1580 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1585 ntstatus = net_update_dns_ext(ctx, ads, hostname, addrs, num_addrs);
1586 if (!NT_STATUS_IS_OK(ntstatus)) {
1587 d_fprintf( stderr, _("DNS update failed!\n") );
1588 ads_destroy( &ads );
1593 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1601 _("DNS update support not enabled at compile time!\n"));
1606 #if defined(WITH_DNS_UPDATES)
1607 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1610 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1612 #if defined(WITH_DNS_UPDATES)
1616 talloc_enable_leak_report();
1619 if (argc != 2 || c->display_usage) {
1624 _("net ads dns gethostbyname <server> <name>\n"),
1625 _(" Look up hostname from the AD\n"
1626 " server\tName server to use\n"
1627 " name\tName to look up\n"));
1631 err = do_gethostbyname(argv[0], argv[1]);
1633 d_printf(_("do_gethostbyname returned %s (%d)\n"),
1634 dns_errstr(err), ERROR_DNS_V(err));
1639 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1641 struct functable func[] = {
1644 net_ads_dns_register,
1646 N_("Add host dns entry to AD"),
1647 N_("net ads dns register\n"
1648 " Add host dns entry to AD")
1652 net_ads_dns_gethostbyname,
1655 N_("net ads dns gethostbyname\n"
1658 {NULL, NULL, 0, NULL, NULL}
1661 return net_run_function(c, argc, argv, "net ads dns", func);
1664 /*******************************************************************
1665 ********************************************************************/
1667 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1670 "\nnet ads printer search <printer>"
1671 "\n\tsearch for a printer in the directory\n"
1672 "\nnet ads printer info <printer> <server>"
1673 "\n\tlookup info in directory for printer on server"
1674 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1675 "\nnet ads printer publish <printername>"
1676 "\n\tpublish printer in directory"
1677 "\n\t(note: printer name is required)\n"
1678 "\nnet ads printer remove <printername>"
1679 "\n\tremove printer from directory"
1680 "\n\t(note: printer name is required)\n"));
1684 /*******************************************************************
1685 ********************************************************************/
1687 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1691 LDAPMessage *res = NULL;
1693 if (c->display_usage) {
1695 "net ads printer search\n"
1698 _("List printers in the AD"));
1702 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1706 rc = ads_find_printers(ads, &res);
1708 if (!ADS_ERR_OK(rc)) {
1709 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1710 ads_msgfree(ads, res);
1715 if (ads_count_replies(ads, res) == 0) {
1716 d_fprintf(stderr, _("No results found\n"));
1717 ads_msgfree(ads, res);
1723 ads_msgfree(ads, res);
1728 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1732 const char *servername, *printername;
1733 LDAPMessage *res = NULL;
1735 if (c->display_usage) {
1738 _("net ads printer info [printername [servername]]\n"
1739 " Display printer info from AD\n"
1740 " printername\tPrinter name or wildcard\n"
1741 " servername\tName of the print server\n"));
1745 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1750 printername = argv[0];
1756 servername = argv[1];
1758 servername = global_myname();
1761 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1763 if (!ADS_ERR_OK(rc)) {
1764 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1765 servername, ads_errstr(rc));
1766 ads_msgfree(ads, res);
1771 if (ads_count_replies(ads, res) == 0) {
1772 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1773 ads_msgfree(ads, res);
1779 ads_msgfree(ads, res);
1785 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1789 const char *servername, *printername;
1790 struct cli_state *cli = NULL;
1791 struct rpc_pipe_client *pipe_hnd = NULL;
1792 struct sockaddr_storage server_ss;
1794 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1795 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1796 char *prt_dn, *srv_dn, **srv_cn;
1797 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1798 LDAPMessage *res = NULL;
1800 if (argc < 1 || c->display_usage) {
1803 _("net ads printer publish <printername> [servername]\n"
1804 " Publish printer in AD\n"
1805 " printername\tName of the printer\n"
1806 " servername\tName of the print server\n"));
1807 talloc_destroy(mem_ctx);
1811 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1812 talloc_destroy(mem_ctx);
1816 printername = argv[0];
1819 servername = argv[1];
1821 servername = global_myname();
1824 /* Get printer data from SPOOLSS */
1826 resolve_name(servername, &server_ss, 0x20, false);
1828 nt_status = cli_full_connection(&cli, global_myname(), servername,
1831 c->opt_user_name, c->opt_workgroup,
1832 c->opt_password ? c->opt_password : "",
1833 CLI_FULL_CONNECTION_USE_KERBEROS,
1836 if (NT_STATUS_IS_ERR(nt_status)) {
1837 d_fprintf(stderr, _("Unable to open a connection to %s to "
1838 "obtain data for %s\n"),
1839 servername, printername);
1841 talloc_destroy(mem_ctx);
1845 /* Publish on AD server */
1847 ads_find_machine_acct(ads, &res, servername);
1849 if (ads_count_replies(ads, res) == 0) {
1850 d_fprintf(stderr, _("Could not find machine account for server "
1854 talloc_destroy(mem_ctx);
1858 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1859 srv_cn = ldap_explode_dn(srv_dn, 1);
1861 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1862 printername_escaped = escape_rdn_val_string_alloc(printername);
1863 if (!srv_cn_escaped || !printername_escaped) {
1864 SAFE_FREE(srv_cn_escaped);
1865 SAFE_FREE(printername_escaped);
1866 d_fprintf(stderr, _("Internal error, out of memory!"));
1868 talloc_destroy(mem_ctx);
1872 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1873 SAFE_FREE(srv_cn_escaped);
1874 SAFE_FREE(printername_escaped);
1875 d_fprintf(stderr, _("Internal error, out of memory!"));
1877 talloc_destroy(mem_ctx);
1881 SAFE_FREE(srv_cn_escaped);
1882 SAFE_FREE(printername_escaped);
1884 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1885 if (!NT_STATUS_IS_OK(nt_status)) {
1886 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
1890 talloc_destroy(mem_ctx);
1894 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1898 talloc_destroy(mem_ctx);
1902 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1903 if (!ADS_ERR_OK(rc)) {
1904 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1907 talloc_destroy(mem_ctx);
1911 d_printf("published printer\n");
1914 talloc_destroy(mem_ctx);
1919 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1923 const char *servername;
1925 LDAPMessage *res = NULL;
1927 if (argc < 1 || c->display_usage) {
1930 _("net ads printer remove <printername> [servername]\n"
1931 " Remove a printer from the AD\n"
1932 " printername\tName of the printer\n"
1933 " servername\tName of the print server\n"));
1937 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1942 servername = argv[1];
1944 servername = global_myname();
1947 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1949 if (!ADS_ERR_OK(rc)) {
1950 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1951 ads_msgfree(ads, res);
1956 if (ads_count_replies(ads, res) == 0) {
1957 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1958 ads_msgfree(ads, res);
1963 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1964 ads_msgfree(ads, res);
1965 rc = ads_del_dn(ads, prt_dn);
1966 TALLOC_FREE(prt_dn);
1968 if (!ADS_ERR_OK(rc)) {
1969 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1978 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1980 struct functable func[] = {
1983 net_ads_printer_search,
1985 N_("Search for a printer"),
1986 N_("net ads printer search\n"
1987 " Search for a printer")
1991 net_ads_printer_info,
1993 N_("Display printer information"),
1994 N_("net ads printer info\n"
1995 " Display printer information")
1999 net_ads_printer_publish,
2001 N_("Publish a printer"),
2002 N_("net ads printer publish\n"
2003 " Publish a printer")
2007 net_ads_printer_remove,
2009 N_("Delete a printer"),
2010 N_("net ads printer remove\n"
2011 " Delete a printer")
2013 {NULL, NULL, 0, NULL, NULL}
2016 return net_run_function(c, argc, argv, "net ads printer", func);
2020 static int net_ads_password(struct net_context *c, int argc, const char **argv)
2023 const char *auth_principal = c->opt_user_name;
2024 const char *auth_password = c->opt_password;
2026 const char *new_password = NULL;
2031 if (c->display_usage) {
2034 _("net ads password <username>\n"
2035 " Change password for user\n"
2036 " username\tName of user to change password for\n"));
2040 if (c->opt_user_name == NULL || c->opt_password == NULL) {
2041 d_fprintf(stderr, _("You must supply an administrator "
2042 "username/password\n"));
2047 d_fprintf(stderr, _("ERROR: You must say which username to "
2048 "change password for\n"));
2053 if (!strchr_m(user, '@')) {
2054 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
2060 use_in_memory_ccache();
2061 chr = strchr_m(auth_principal, '@');
2068 /* use the realm so we can eventually change passwords for users
2069 in realms other than default */
2070 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
2074 /* we don't actually need a full connect, but it's the easy way to
2075 fill in the KDC's addresss */
2078 if (!ads->config.realm) {
2079 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2085 new_password = (char *)argv[1];
2087 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
2090 new_password = getpass(prompt);
2094 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
2095 auth_password, user, new_password, ads->auth.time_offset);
2096 if (!ADS_ERR_OK(ret)) {
2097 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2102 d_printf(_("Password change for %s completed.\n"), user);
2108 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2111 char *host_principal;
2115 if (c->display_usage) {
2117 "net ads changetrustpw\n"
2120 _("Change the machine account's trust password"));
2124 if (!secrets_init()) {
2125 DEBUG(1,("Failed to initialise secrets database\n"));
2129 net_use_krb_machine_account(c);
2131 use_in_memory_ccache();
2133 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2137 fstrcpy(my_name, global_myname());
2138 strlower_m(my_name);
2139 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2143 d_printf(_("Changing password for principal: %s\n"), host_principal);
2145 ret = ads_change_trust_account_password(ads, host_principal);
2147 if (!ADS_ERR_OK(ret)) {
2148 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2150 SAFE_FREE(host_principal);
2154 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2156 if (USE_SYSTEM_KEYTAB) {
2157 d_printf(_("Attempting to update system keytab with new password.\n"));
2158 if (ads_keytab_create_default(ads)) {
2159 d_printf(_("Failed to update system keytab.\n"));
2164 SAFE_FREE(host_principal);
2170 help for net ads search
2172 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2175 "\nnet ads search <expression> <attributes...>\n"
2176 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2177 "The expression is a standard LDAP search expression, and the\n"
2178 "attributes are a list of LDAP fields to show in the results.\n\n"
2179 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2181 net_common_flags_usage(c, argc, argv);
2187 general ADS search function. Useful in diagnosing problems in ADS
2189 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2193 const char *ldap_exp;
2195 LDAPMessage *res = NULL;
2197 if (argc < 1 || c->display_usage) {
2198 return net_ads_search_usage(c, argc, argv);
2201 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2208 rc = ads_do_search_all(ads, ads->config.bind_path,
2210 ldap_exp, attrs, &res);
2211 if (!ADS_ERR_OK(rc)) {
2212 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2217 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2219 /* dump the results */
2222 ads_msgfree(ads, res);
2230 help for net ads search
2232 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2235 "\nnet ads dn <dn> <attributes...>\n"
2236 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2237 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2238 "to show in the results\n\n"
2239 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2240 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2242 net_common_flags_usage(c, argc, argv);
2248 general ADS search function. Useful in diagnosing problems in ADS
2250 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2256 LDAPMessage *res = NULL;
2258 if (argc < 1 || c->display_usage) {
2259 return net_ads_dn_usage(c, argc, argv);
2262 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2269 rc = ads_do_search_all(ads, dn,
2271 "(objectclass=*)", attrs, &res);
2272 if (!ADS_ERR_OK(rc)) {
2273 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2278 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2280 /* dump the results */
2283 ads_msgfree(ads, res);
2290 help for net ads sid search
2292 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2295 "\nnet ads sid <sid> <attributes...>\n"
2296 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2297 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2298 "to show in the results\n\n"
2299 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2301 net_common_flags_usage(c, argc, argv);
2307 general ADS search function. Useful in diagnosing problems in ADS
2309 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2313 const char *sid_string;
2315 LDAPMessage *res = NULL;
2318 if (argc < 1 || c->display_usage) {
2319 return net_ads_sid_usage(c, argc, argv);
2322 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2326 sid_string = argv[0];
2329 if (!string_to_sid(&sid, sid_string)) {
2330 d_fprintf(stderr, _("could not convert sid\n"));
2335 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2336 if (!ADS_ERR_OK(rc)) {
2337 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2342 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2344 /* dump the results */
2347 ads_msgfree(ads, res);
2353 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2358 if (c->display_usage) {
2360 "net ads keytab flush\n"
2363 _("Delete the whole keytab"));
2367 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2370 ret = ads_keytab_flush(ads);
2375 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2381 if (c->display_usage) {
2384 _("net ads keytab add <principal> [principal ...]\n"
2385 " Add principals to local keytab\n"
2386 " principal\tKerberos principal to add to "
2391 d_printf(_("Processing principals to add...\n"));
2392 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2395 for (i = 0; i < argc; i++) {
2396 ret |= ads_keytab_add_entry(ads, argv[i]);
2402 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2407 if (c->display_usage) {
2409 "net ads keytab create\n"
2412 _("Create new default keytab"));
2416 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2419 ret = ads_keytab_create_default(ads);
2424 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2426 const char *keytab = NULL;
2428 if (c->display_usage) {
2431 _("net ads keytab list [keytab]\n"
2432 " List a local keytab\n"
2433 " keytab\tKeytab to list\n"));
2441 return ads_keytab_list(keytab);
2445 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2447 struct functable func[] = {
2452 N_("Add a service principal"),
2453 N_("net ads keytab add\n"
2454 " Add a service principal")
2458 net_ads_keytab_create,
2460 N_("Create a fresh keytab"),
2461 N_("net ads keytab create\n"
2462 " Create a fresh keytab")
2466 net_ads_keytab_flush,
2468 N_("Remove all keytab entries"),
2469 N_("net ads keytab flush\n"
2470 " Remove all keytab entries")
2474 net_ads_keytab_list,
2476 N_("List a keytab"),
2477 N_("net ads keytab list\n"
2480 {NULL, NULL, 0, NULL, NULL}
2483 if (!USE_KERBEROS_KEYTAB) {
2484 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2485 "keytab method to use keytab functions.\n"));
2488 return net_run_function(c, argc, argv, "net ads keytab", func);
2491 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2495 if (c->display_usage) {
2497 "net ads kerberos renew\n"
2500 _("Renew TGT from existing credential cache"));
2504 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2506 d_printf(_("failed to renew kerberos ticket: %s\n"),
2507 error_message(ret));
2512 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2514 struct PAC_LOGON_INFO *info = NULL;
2515 TALLOC_CTX *mem_ctx = NULL;
2518 const char *impersonate_princ_s = NULL;
2520 if (c->display_usage) {
2522 "net ads kerberos pac\n"
2525 _("Dump the Kerberos PAC"));
2529 mem_ctx = talloc_init("net_ads_kerberos_pac");
2535 impersonate_princ_s = argv[0];
2538 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2540 status = kerberos_return_pac(mem_ctx,
2549 2592000, /* one month */
2550 impersonate_princ_s,
2552 if (!NT_STATUS_IS_OK(status)) {
2553 d_printf(_("failed to query kerberos PAC: %s\n"),
2560 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2561 d_printf(_("The Pac: %s\n"), s);
2566 TALLOC_FREE(mem_ctx);
2570 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2572 TALLOC_CTX *mem_ctx = NULL;
2576 if (c->display_usage) {
2578 "net ads kerberos kinit\n"
2581 _("Get Ticket Granting Ticket (TGT) for the user"));
2585 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2590 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2592 ret = kerberos_kinit_password_ext(c->opt_user_name,
2600 2592000, /* one month */
2603 d_printf(_("failed to kinit password: %s\n"),
2610 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2612 struct functable func[] = {
2615 net_ads_kerberos_kinit,
2617 N_("Retrieve Ticket Granting Ticket (TGT)"),
2618 N_("net ads kerberos kinit\n"
2619 " Receive Ticket Granting Ticket (TGT)")
2623 net_ads_kerberos_renew,
2625 N_("Renew Ticket Granting Ticket from credential cache"),
2626 N_("net ads kerberos renew\n"
2627 " Renew Ticket Granting Ticket (TGT) from "
2632 net_ads_kerberos_pac,
2634 N_("Dump Kerberos PAC"),
2635 N_("net ads kerberos pac\n"
2636 " Dump Kerberos PAC")
2638 {NULL, NULL, 0, NULL, NULL}
2641 return net_run_function(c, argc, argv, "net ads kerberos", func);
2644 int net_ads(struct net_context *c, int argc, const char **argv)
2646 struct functable func[] = {
2651 N_("Display details on remote ADS server"),
2653 " Display details on remote ADS server")
2659 N_("Join the local machine to ADS realm"),
2661 " Join the local machine to ADS realm")
2667 N_("Validate machine account"),
2668 N_("net ads testjoin\n"
2669 " Validate machine account")
2675 N_("Remove the local machine from ADS"),
2676 N_("net ads leave\n"
2677 " Remove the local machine from ADS")
2683 N_("Display machine account details"),
2684 N_("net ads status\n"
2685 " Display machine account details")
2691 N_("List/modify users"),
2693 " List/modify users")
2699 N_("List/modify groups"),
2700 N_("net ads group\n"
2701 " List/modify groups")
2707 N_("Issue dynamic DNS update"),
2709 " Issue dynamic DNS update")
2715 N_("Change user passwords"),
2716 N_("net ads password\n"
2717 " Change user passwords")
2721 net_ads_changetrustpw,
2723 N_("Change trust account password"),
2724 N_("net ads changetrustpw\n"
2725 " Change trust account password")
2731 N_("List/modify printer entries"),
2732 N_("net ads printer\n"
2733 " List/modify printer entries")
2739 N_("Issue LDAP search using filter"),
2740 N_("net ads search\n"
2741 " Issue LDAP search using filter")
2747 N_("Issue LDAP search by DN"),
2749 " Issue LDAP search by DN")
2755 N_("Issue LDAP search by SID"),
2757 " Issue LDAP search by SID")
2763 N_("Display workgroup name"),
2764 N_("net ads workgroup\n"
2765 " Display the workgroup name")
2771 N_("Perfom CLDAP query on DC"),
2772 N_("net ads lookup\n"
2773 " Find the ADS DC using CLDAP lookups")
2779 N_("Manage local keytab file"),
2780 N_("net ads keytab\n"
2781 " Manage local keytab file")
2787 N_("Manage group policy objects"),
2789 " Manage group policy objects")
2795 N_("Manage kerberos keytab"),
2796 N_("net ads kerberos\n"
2797 " Manage kerberos keytab")
2799 {NULL, NULL, 0, NULL, NULL}
2802 return net_run_function(c, argc, argv, "net ads", func);
2807 static int net_ads_noads(void)
2809 d_fprintf(stderr, _("ADS support not compiled in\n"));
2813 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2815 return net_ads_noads();
2818 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2820 return net_ads_noads();
2823 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2825 return net_ads_noads();
2828 int net_ads_join(struct net_context *c, int argc, const char **argv)
2830 return net_ads_noads();
2833 int net_ads_user(struct net_context *c, int argc, const char **argv)
2835 return net_ads_noads();
2838 int net_ads_group(struct net_context *c, int argc, const char **argv)
2840 return net_ads_noads();
2843 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
2845 return net_ads_noads();
2848 /* this one shouldn't display a message */
2849 int net_ads_check(struct net_context *c)
2854 int net_ads_check_our_domain(struct net_context *c)
2859 int net_ads(struct net_context *c, int argc, const char **argv)
2861 return net_ads_noads();
2864 #endif /* HAVE_ADS */