2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
29 #include "libads/cldap.h"
30 #include "libads/dns.h"
31 #include "../libds/common/flags.h"
32 #include "librpc/gen_ndr/libnet_join.h"
33 #include "libnet/libnet_join.h"
37 #include "../libcli/security/security.h"
41 /* when we do not have sufficient input parameters to contact a remote domain
42 * we always fall back to our own realm - Guenther*/
44 static const char *assume_own_realm(struct net_context *c)
46 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
54 do a cldap netlogon query
56 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
58 char addr[INET6_ADDRSTRLEN];
59 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
61 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
62 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
63 d_fprintf(stderr, _("CLDAP query failed!\n"));
67 d_printf(_("Information for Domain Controller: %s\n\n"),
70 d_printf(_("Response Type: "));
71 switch (reply.command) {
72 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
73 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
75 case LOGON_SAM_LOGON_RESPONSE_EX:
76 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
79 d_printf("0x%x\n", reply.command);
83 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
87 "\tIs a GC of the forest: %s\n"
88 "\tIs an LDAP server: %s\n"
90 "\tIs running a KDC: %s\n"
91 "\tIs running time services: %s\n"
92 "\tIs the closest DC: %s\n"
94 "\tHas a hardware clock: %s\n"
95 "\tIs a non-domain NC serviced by LDAP server: %s\n"
96 "\tIs NT6 DC that has some secrets: %s\n"
97 "\tIs NT6 DC that has all secrets: %s\n"),
98 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
100 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
101 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
102 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
103 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
104 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
105 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
106 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
107 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
108 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
109 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
112 printf(_("Forest:\t\t\t%s\n"), reply.forest);
113 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
114 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
116 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain_name);
117 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
119 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
121 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
122 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
124 d_printf(_("NT Version: %d\n"), reply.nt_version);
125 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
126 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
132 this implements the CLDAP based netlogon lookup requests
133 for finding the domain controller of a ADS domain
135 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
140 if (c->display_usage) {
145 _("Find the ADS DC using CLDAP lookup.\n"));
149 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
150 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
155 if (!ads->config.realm) {
156 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
157 ads->ldap.port = 389;
160 ret = net_ads_cldap_netlogon(c, ads);
167 static int net_ads_info(struct net_context *c, int argc, const char **argv)
170 char addr[INET6_ADDRSTRLEN];
172 if (c->display_usage) {
177 _("Display information about an Active Directory "
182 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
183 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
187 if (!ads || !ads->config.realm) {
188 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
193 /* Try to set the server's current time since we didn't do a full
194 TCP LDAP session initially */
196 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
197 d_fprintf( stderr, _("Failed to get server's current time!\n"));
200 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
202 d_printf(_("LDAP server: %s\n"), addr);
203 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
204 d_printf(_("Realm: %s\n"), ads->config.realm);
205 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
206 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
207 d_printf(_("Server time: %s\n"),
208 http_timestring(talloc_tos(), ads->config.current_time));
210 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
211 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
217 static void use_in_memory_ccache(void) {
218 /* Use in-memory credentials cache so we do not interfere with
219 * existing credentials */
220 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
223 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
224 uint32 auth_flags, ADS_STRUCT **ads_ret)
226 ADS_STRUCT *ads = NULL;
228 bool need_password = false;
229 bool second_time = false;
231 const char *realm = NULL;
232 bool tried_closest_dc = false;
234 /* lp_realm() should be handled by a command line param,
235 However, the join requires that realm be set in smb.conf
236 and compares our realm with the remote server's so this is
237 ok until someone needs more flexibility */
242 if (only_own_domain) {
245 realm = assume_own_realm(c);
248 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
250 if (!c->opt_user_name) {
251 c->opt_user_name = "administrator";
254 if (c->opt_user_specified) {
255 need_password = true;
259 if (!c->opt_password && need_password && !c->opt_machine_pass) {
260 c->opt_password = net_prompt_pass(c, c->opt_user_name);
261 if (!c->opt_password) {
263 return ADS_ERROR(LDAP_NO_MEMORY);
267 if (c->opt_password) {
268 use_in_memory_ccache();
269 SAFE_FREE(ads->auth.password);
270 ads->auth.password = smb_xstrdup(c->opt_password);
273 ads->auth.flags |= auth_flags;
274 SAFE_FREE(ads->auth.user_name);
275 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
278 * If the username is of the form "name@realm",
279 * extract the realm and convert to upper case.
280 * This is only used to establish the connection.
282 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
284 SAFE_FREE(ads->auth.realm);
285 ads->auth.realm = smb_xstrdup(cp);
286 strupper_m(ads->auth.realm);
289 status = ads_connect(ads);
291 if (!ADS_ERR_OK(status)) {
293 if (NT_STATUS_EQUAL(ads_ntstatus(status),
294 NT_STATUS_NO_LOGON_SERVERS)) {
295 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
300 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
301 need_password = true;
310 /* when contacting our own domain, make sure we use the closest DC.
311 * This is done by reconnecting to ADS because only the first call to
312 * ads_connect will give us our own sitename */
314 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
316 tried_closest_dc = true; /* avoid loop */
318 if (!ads_closest_dc(ads)) {
320 namecache_delete(ads->server.realm, 0x1C);
321 namecache_delete(ads->server.workgroup, 0x1C);
334 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
336 return ads_startup_int(c, only_own_domain, 0, ads);
339 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
341 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
345 Check to see if connection can be made via ads.
346 ads_startup() stores the password in opt_password if it needs to so
347 that rpc or rap can use it without re-prompting.
349 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
354 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
358 ads->auth.flags |= ADS_AUTH_NO_BIND;
360 status = ads_connect(ads);
361 if ( !ADS_ERR_OK(status) ) {
369 int net_ads_check_our_domain(struct net_context *c)
371 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
374 int net_ads_check(struct net_context *c)
376 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
380 determine the netbios workgroup name for a domain
382 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
385 char addr[INET6_ADDRSTRLEN];
386 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
388 if (c->display_usage) {
390 "net ads workgroup\n"
393 _("Print the workgroup name"));
397 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
398 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
402 if (!ads->config.realm) {
403 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
404 ads->ldap.port = 389;
407 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
408 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
409 d_fprintf(stderr, _("CLDAP query failed!\n"));
414 d_printf(_("Workgroup: %s\n"), reply.domain_name);
423 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
425 char **disp_fields = (char **) data_area;
427 if (!field) { /* must be end of record */
428 if (disp_fields[0]) {
429 if (!strchr_m(disp_fields[0], '$')) {
431 d_printf("%-21.21s %s\n",
432 disp_fields[0], disp_fields[1]);
434 d_printf("%s\n", disp_fields[0]);
437 SAFE_FREE(disp_fields[0]);
438 SAFE_FREE(disp_fields[1]);
441 if (!values) /* must be new field, indicate string field */
443 if (StrCaseCmp(field, "sAMAccountName") == 0) {
444 disp_fields[0] = SMB_STRDUP((char *) values[0]);
446 if (StrCaseCmp(field, "description") == 0)
447 disp_fields[1] = SMB_STRDUP((char *) values[0]);
451 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
453 return net_user_usage(c, argc, argv);
456 static int ads_user_add(struct net_context *c, int argc, const char **argv)
461 LDAPMessage *res=NULL;
465 if (argc < 1 || c->display_usage)
466 return net_ads_user_usage(c, argc, argv);
468 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
472 status = ads_find_user_acct(ads, &res, argv[0]);
474 if (!ADS_ERR_OK(status)) {
475 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
479 if (ads_count_replies(ads, res)) {
480 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
485 if (c->opt_container) {
486 ou_str = SMB_STRDUP(c->opt_container);
488 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
491 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
493 if (!ADS_ERR_OK(status)) {
494 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
499 /* if no password is to be set, we're done */
501 d_printf(_("User %s added\n"), argv[0]);
506 /* try setting the password */
507 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
510 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
511 ads->auth.time_offset);
513 if (ADS_ERR_OK(status)) {
514 d_printf(_("User %s added\n"), argv[0]);
519 /* password didn't set, delete account */
520 d_fprintf(stderr, _("Could not add user %s. "
521 "Error setting password %s\n"),
522 argv[0], ads_errstr(status));
523 ads_msgfree(ads, res);
524 status=ads_find_user_acct(ads, &res, argv[0]);
525 if (ADS_ERR_OK(status)) {
526 userdn = ads_get_dn(ads, talloc_tos(), res);
527 ads_del_dn(ads, userdn);
533 ads_msgfree(ads, res);
539 static int ads_user_info(struct net_context *c, int argc, const char **argv)
541 ADS_STRUCT *ads = NULL;
543 LDAPMessage *res = NULL;
547 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
548 char *searchstring=NULL;
552 struct dom_sid primary_group_sid;
554 enum wbcSidType type;
556 if (argc < 1 || c->display_usage) {
557 return net_ads_user_usage(c, argc, argv);
560 frame = talloc_new(talloc_tos());
565 escaped_user = escape_ldap_string(frame, argv[0]);
568 _("ads_user_info: failed to escape user %s\n"),
573 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
578 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
582 rc = ads_search(ads, &res, searchstring, attrs);
583 SAFE_FREE(searchstring);
585 if (!ADS_ERR_OK(rc)) {
586 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
591 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
592 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
597 rc = ads_domain_sid(ads, &primary_group_sid);
598 if (!ADS_ERR_OK(rc)) {
599 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
604 sid_append_rid(&primary_group_sid, group_rid);
606 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
607 NULL, /* don't look up domain */
610 if (!WBC_ERROR_IS_OK(wbc_status)) {
611 d_fprintf(stderr, "wbcLookupSid: %s\n",
612 wbcErrorString(wbc_status));
617 d_printf("%s\n", primary_group);
619 wbcFreeMemory(primary_group);
621 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
622 (LDAPMessage *)res, "memberOf");
627 for (i=0;grouplist[i];i++) {
628 groupname = ldap_explode_dn(grouplist[i], 1);
629 d_printf("%s\n", groupname[0]);
630 ldap_value_free(groupname);
632 ldap_value_free(grouplist);
636 if (res) ads_msgfree(ads, res);
637 if (ads) ads_destroy(&ads);
642 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
646 LDAPMessage *res = NULL;
650 return net_ads_user_usage(c, argc, argv);
653 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
657 rc = ads_find_user_acct(ads, &res, argv[0]);
658 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
659 d_printf(_("User %s does not exist.\n"), argv[0]);
660 ads_msgfree(ads, res);
664 userdn = ads_get_dn(ads, talloc_tos(), res);
665 ads_msgfree(ads, res);
666 rc = ads_del_dn(ads, userdn);
668 if (ADS_ERR_OK(rc)) {
669 d_printf(_("User %s deleted\n"), argv[0]);
673 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
679 int net_ads_user(struct net_context *c, int argc, const char **argv)
681 struct functable func[] = {
686 N_("Add an AD user"),
687 N_("net ads user add\n"
694 N_("Display information about an AD user"),
695 N_("net ads user info\n"
696 " Display information about an AD user")
702 N_("Delete an AD user"),
703 N_("net ads user delete\n"
704 " Delete an AD user")
706 {NULL, NULL, 0, NULL, NULL}
710 const char *shortattrs[] = {"sAMAccountName", NULL};
711 const char *longattrs[] = {"sAMAccountName", "description", NULL};
712 char *disp_fields[2] = {NULL, NULL};
715 if (c->display_usage) {
721 net_display_usage_from_functable(func);
725 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
729 if (c->opt_long_list_entries)
730 d_printf(_("\nUser name Comment"
731 "\n-----------------------------\n"));
733 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
735 "(objectCategory=user)",
736 c->opt_long_list_entries ? longattrs :
737 shortattrs, usergrp_display,
740 return ADS_ERR_OK(rc) ? 0 : -1;
743 return net_run_function(c, argc, argv, "net ads user", func);
746 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
748 return net_group_usage(c, argc, argv);
751 static int ads_group_add(struct net_context *c, int argc, const char **argv)
755 LDAPMessage *res=NULL;
759 if (argc < 1 || c->display_usage) {
760 return net_ads_group_usage(c, argc, argv);
763 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
767 status = ads_find_user_acct(ads, &res, argv[0]);
769 if (!ADS_ERR_OK(status)) {
770 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
774 if (ads_count_replies(ads, res)) {
775 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
779 if (c->opt_container) {
780 ou_str = SMB_STRDUP(c->opt_container);
782 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
785 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
787 if (ADS_ERR_OK(status)) {
788 d_printf(_("Group %s added\n"), argv[0]);
791 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
797 ads_msgfree(ads, res);
803 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
807 LDAPMessage *res = NULL;
810 if (argc < 1 || c->display_usage) {
811 return net_ads_group_usage(c, argc, argv);
814 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
818 rc = ads_find_user_acct(ads, &res, argv[0]);
819 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
820 d_printf(_("Group %s does not exist.\n"), argv[0]);
821 ads_msgfree(ads, res);
825 groupdn = ads_get_dn(ads, talloc_tos(), res);
826 ads_msgfree(ads, res);
827 rc = ads_del_dn(ads, groupdn);
828 TALLOC_FREE(groupdn);
829 if (ADS_ERR_OK(rc)) {
830 d_printf(_("Group %s deleted\n"), argv[0]);
834 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
840 int net_ads_group(struct net_context *c, int argc, const char **argv)
842 struct functable func[] = {
847 N_("Add an AD group"),
848 N_("net ads group add\n"
855 N_("Delete an AD group"),
856 N_("net ads group delete\n"
857 " Delete an AD group")
859 {NULL, NULL, 0, NULL, NULL}
863 const char *shortattrs[] = {"sAMAccountName", NULL};
864 const char *longattrs[] = {"sAMAccountName", "description", NULL};
865 char *disp_fields[2] = {NULL, NULL};
868 if (c->display_usage) {
873 _("List AD groups"));
874 net_display_usage_from_functable(func);
878 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
882 if (c->opt_long_list_entries)
883 d_printf(_("\nGroup name Comment"
884 "\n-----------------------------\n"));
885 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
887 "(objectCategory=group)",
888 c->opt_long_list_entries ? longattrs :
889 shortattrs, usergrp_display,
893 return ADS_ERR_OK(rc) ? 0 : -1;
895 return net_run_function(c, argc, argv, "net ads group", func);
898 static int net_ads_status(struct net_context *c, int argc, const char **argv)
904 if (c->display_usage) {
909 _("Display machine account details"));
913 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
917 rc = ads_find_machine_acct(ads, &res, global_myname());
918 if (!ADS_ERR_OK(rc)) {
919 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
924 if (ads_count_replies(ads, res) == 0) {
925 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
935 /*******************************************************************
936 Leave an AD domain. Windows XP disables the machine account.
937 We'll try the same. The old code would do an LDAP delete.
938 That only worked using the machine creds because added the machine
939 with full control to the computer object's ACL.
940 *******************************************************************/
942 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
945 struct libnet_UnjoinCtx *r = NULL;
948 if (c->display_usage) {
953 _("Leave an AD domain"));
958 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
962 if (!(ctx = talloc_init("net_ads_leave"))) {
963 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
967 if (!c->opt_kerberos) {
968 use_in_memory_ccache();
971 werr = libnet_init_UnjoinCtx(ctx, &r);
972 if (!W_ERROR_IS_OK(werr)) {
973 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
978 r->in.use_kerberos = c->opt_kerberos;
979 r->in.dc_name = c->opt_host;
980 r->in.domain_name = lp_realm();
981 r->in.admin_account = c->opt_user_name;
982 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
983 r->in.modify_config = lp_config_backend_is_registry();
985 /* Try to delete it, but if that fails, disable it. The
986 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
987 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
988 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
989 r->in.delete_machine_account = true;
990 r->in.msg_ctx = c->msg_ctx;
992 werr = libnet_Unjoin(ctx, r);
993 if (!W_ERROR_IS_OK(werr)) {
994 d_printf(_("Failed to leave domain: %s\n"),
995 r->out.error_string ? r->out.error_string :
996 get_friendly_werror_msg(werr));
1000 if (r->out.deleted_machine_account) {
1001 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1002 r->in.machine_name, r->out.dns_domain_name);
1006 /* We couldn't delete it - see if the disable succeeded. */
1007 if (r->out.disabled_machine_account) {
1008 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1009 r->in.machine_name, r->out.dns_domain_name);
1014 /* Based on what we requseted, we shouldn't get here, but if
1015 we did, it means the secrets were removed, and therefore
1016 we have left the domain */
1017 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1018 r->in.machine_name, r->out.dns_domain_name);
1024 if (W_ERROR_IS_OK(werr)) {
1031 static NTSTATUS net_ads_join_ok(struct net_context *c)
1033 ADS_STRUCT *ads = NULL;
1036 struct sockaddr_storage dcip;
1038 if (!secrets_init()) {
1039 DEBUG(1,("Failed to initialise secrets database\n"));
1040 return NT_STATUS_ACCESS_DENIED;
1043 net_use_krb_machine_account(c);
1045 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1047 status = ads_startup(c, true, &ads);
1048 if (!ADS_ERR_OK(status)) {
1049 return ads_ntstatus(status);
1053 return NT_STATUS_OK;
1057 check that an existing join is OK
1059 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1062 use_in_memory_ccache();
1064 if (c->display_usage) {
1066 "net ads testjoin\n"
1069 _("Test if the existing join is ok"));
1073 /* Display success or failure */
1074 status = net_ads_join_ok(c);
1075 if (!NT_STATUS_IS_OK(status)) {
1076 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1077 get_friendly_nt_error_msg(status));
1081 printf(_("Join is OK\n"));
1085 /*******************************************************************
1086 Simple configu checks before beginning the join
1087 ********************************************************************/
1089 static WERROR check_ads_config( void )
1091 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1092 d_printf(_("Host is not configured as a member server.\n"));
1093 return WERR_INVALID_DOMAIN_ROLE;
1096 if (strlen(global_myname()) > 15) {
1097 d_printf(_("Our netbios name can be at most 15 chars long, "
1098 "\"%s\" is %u chars long\n"), global_myname(),
1099 (unsigned int)strlen(global_myname()));
1100 return WERR_INVALID_COMPUTERNAME;
1103 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1104 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1105 "join to succeed.\n"), get_dyn_CONFIGFILE());
1106 return WERR_INVALID_PARAM;
1112 /*******************************************************************
1113 Send a DNS update request
1114 *******************************************************************/
1116 #if defined(WITH_DNS_UPDATES)
1118 DNS_ERROR DoDNSUpdate(char *pszServerName,
1119 const char *pszDomainName, const char *pszHostName,
1120 const struct sockaddr_storage *sslist,
1123 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1124 const char *machine_name,
1125 const struct sockaddr_storage *addrs,
1128 struct dns_rr_ns *nameservers = NULL;
1130 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1133 const char *dnsdomain = NULL;
1134 char *root_domain = NULL;
1136 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1137 d_printf(_("No DNS domain configured for %s. "
1138 "Unable to perform DNS Update.\n"), machine_name);
1139 status = NT_STATUS_INVALID_PARAMETER;
1144 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1145 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1146 /* Child domains often do not have NS records. Look
1147 for the NS record for the forest root domain
1148 (rootDomainNamingContext in therootDSE) */
1150 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1151 LDAPMessage *msg = NULL;
1153 ADS_STATUS ads_status;
1155 if ( !ads->ldap.ld ) {
1156 ads_status = ads_connect( ads );
1157 if ( !ADS_ERR_OK(ads_status) ) {
1158 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1163 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1164 "(objectclass=*)", rootname_attrs, &msg);
1165 if (!ADS_ERR_OK(ads_status)) {
1169 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1171 ads_msgfree( ads, msg );
1175 root_domain = ads_build_domain( root_dn );
1178 ads_msgfree( ads, msg );
1180 /* try again for NS servers */
1182 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1184 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1185 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1186 "realm\n", ads->config.realm));
1190 dnsdomain = root_domain;
1194 /* Now perform the dns update - we'll try non-secure and if we fail,
1195 we'll follow it up with a secure update */
1197 fstrcpy( dns_server, nameservers[0].hostname );
1199 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1200 if (!ERR_DNS_IS_OK(dns_err)) {
1201 status = NT_STATUS_UNSUCCESSFUL;
1206 SAFE_FREE( root_domain );
1211 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
1214 struct sockaddr_storage *iplist = NULL;
1215 fstring machine_name;
1218 name_to_fqdn( machine_name, global_myname() );
1219 strlower_m( machine_name );
1221 /* Get our ip address (not the 127.0.0.x address but a real ip
1224 num_addrs = get_my_ip_address( &iplist );
1225 if ( num_addrs <= 0 ) {
1226 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1228 return NT_STATUS_INVALID_PARAMETER;
1231 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1233 SAFE_FREE( iplist );
1239 /*******************************************************************
1240 ********************************************************************/
1242 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1244 d_printf(_("net ads join [options]\n"
1245 "Valid options:\n"));
1246 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1247 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1248 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1249 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1250 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1251 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1252 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1253 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1254 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1255 " NB: osName and osVer must be specified together for either to take effect.\n"
1256 " Also, the operatingSystemService attribute is also set when along with\n"
1257 " the two other attributes.\n"));
1262 /*******************************************************************
1263 ********************************************************************/
1265 int net_ads_join(struct net_context *c, int argc, const char **argv)
1267 TALLOC_CTX *ctx = NULL;
1268 struct libnet_JoinCtx *r = NULL;
1269 const char *domain = lp_realm();
1270 WERROR werr = WERR_SETUP_NOT_JOINED;
1271 bool createupn = false;
1272 const char *machineupn = NULL;
1273 const char *create_in_ou = NULL;
1275 const char *os_name = NULL;
1276 const char *os_version = NULL;
1277 bool modify_config = lp_config_backend_is_registry();
1279 if (c->display_usage)
1280 return net_ads_join_usage(c, argc, argv);
1282 if (!modify_config) {
1284 werr = check_ads_config();
1285 if (!W_ERROR_IS_OK(werr)) {
1286 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1291 if (!(ctx = talloc_init("net_ads_join"))) {
1292 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1297 if (!c->opt_kerberos) {
1298 use_in_memory_ccache();
1301 werr = libnet_init_JoinCtx(ctx, &r);
1302 if (!W_ERROR_IS_OK(werr)) {
1306 /* process additional command line args */
1308 for ( i=0; i<argc; i++ ) {
1309 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1311 machineupn = get_string_param(argv[i]);
1313 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1314 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1315 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1316 werr = WERR_INVALID_PARAM;
1320 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1321 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1322 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1323 werr = WERR_INVALID_PARAM;
1327 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1328 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1329 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1330 werr = WERR_INVALID_PARAM;
1340 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1341 werr = WERR_INVALID_PARAM;
1345 /* Do the domain join here */
1347 r->in.domain_name = domain;
1348 r->in.create_upn = createupn;
1349 r->in.upn = machineupn;
1350 r->in.account_ou = create_in_ou;
1351 r->in.os_name = os_name;
1352 r->in.os_version = os_version;
1353 r->in.dc_name = c->opt_host;
1354 r->in.admin_account = c->opt_user_name;
1355 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1357 r->in.use_kerberos = c->opt_kerberos;
1358 r->in.modify_config = modify_config;
1359 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1360 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1361 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1362 r->in.msg_ctx = c->msg_ctx;
1364 werr = libnet_Join(ctx, r);
1365 if (!W_ERROR_IS_OK(werr)) {
1369 /* Check the short name of the domain */
1371 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1372 d_printf(_("The workgroup in %s does not match the short\n"
1373 "domain name obtained from the server.\n"
1374 "Using the name [%s] from the server.\n"
1375 "You should set \"workgroup = %s\" in %s.\n"),
1376 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1377 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1380 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1382 if (r->out.dns_domain_name) {
1383 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1384 r->out.dns_domain_name);
1386 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1387 r->out.netbios_domain_name);
1390 #if defined(WITH_DNS_UPDATES)
1391 if (r->out.domain_is_ad) {
1392 /* We enter this block with user creds */
1393 ADS_STRUCT *ads_dns = NULL;
1395 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1396 /* kinit with the machine password */
1398 use_in_memory_ccache();
1399 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1402 ads_dns->auth.password = secrets_fetch_machine_password(
1403 r->out.netbios_domain_name, NULL, NULL );
1404 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1405 strupper_m(ads_dns->auth.realm );
1406 ads_kinit_password( ads_dns );
1409 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
1410 d_fprintf( stderr, _("DNS update failed!\n") );
1413 /* exit from this block using machine creds */
1414 ads_destroy(&ads_dns);
1423 /* issue an overall failure message at the end. */
1424 d_printf(_("Failed to join domain: %s\n"),
1425 r && r->out.error_string ? r->out.error_string :
1426 get_friendly_werror_msg(werr));
1432 /*******************************************************************
1433 ********************************************************************/
1435 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1437 #if defined(WITH_DNS_UPDATES)
1443 talloc_enable_leak_report();
1446 if (argc > 0 || c->display_usage) {
1448 "net ads dns register\n"
1451 _("Register hostname with DNS\n"));
1455 if (!(ctx = talloc_init("net_ads_dns"))) {
1456 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1460 status = ads_startup(c, true, &ads);
1461 if ( !ADS_ERR_OK(status) ) {
1462 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1467 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
1468 d_fprintf( stderr, _("DNS update failed!\n") );
1469 ads_destroy( &ads );
1474 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1482 _("DNS update support not enabled at compile time!\n"));
1487 #if defined(WITH_DNS_UPDATES)
1488 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1491 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1493 #if defined(WITH_DNS_UPDATES)
1497 talloc_enable_leak_report();
1500 if (argc != 2 || c->display_usage) {
1505 _("net ads dns gethostbyname <server> <name>\n"),
1506 _(" Look up hostname from the AD\n"
1507 " server\tName server to use\n"
1508 " name\tName to look up\n"));
1512 err = do_gethostbyname(argv[0], argv[1]);
1514 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1519 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1521 struct functable func[] = {
1524 net_ads_dns_register,
1526 N_("Add host dns entry to AD"),
1527 N_("net ads dns register\n"
1528 " Add host dns entry to AD")
1532 net_ads_dns_gethostbyname,
1535 N_("net ads dns gethostbyname\n"
1538 {NULL, NULL, 0, NULL, NULL}
1541 return net_run_function(c, argc, argv, "net ads dns", func);
1544 /*******************************************************************
1545 ********************************************************************/
1547 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1550 "\nnet ads printer search <printer>"
1551 "\n\tsearch for a printer in the directory\n"
1552 "\nnet ads printer info <printer> <server>"
1553 "\n\tlookup info in directory for printer on server"
1554 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1555 "\nnet ads printer publish <printername>"
1556 "\n\tpublish printer in directory"
1557 "\n\t(note: printer name is required)\n"
1558 "\nnet ads printer remove <printername>"
1559 "\n\tremove printer from directory"
1560 "\n\t(note: printer name is required)\n"));
1564 /*******************************************************************
1565 ********************************************************************/
1567 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1571 LDAPMessage *res = NULL;
1573 if (c->display_usage) {
1575 "net ads printer search\n"
1578 _("List printers in the AD"));
1582 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1586 rc = ads_find_printers(ads, &res);
1588 if (!ADS_ERR_OK(rc)) {
1589 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1590 ads_msgfree(ads, res);
1595 if (ads_count_replies(ads, res) == 0) {
1596 d_fprintf(stderr, _("No results found\n"));
1597 ads_msgfree(ads, res);
1603 ads_msgfree(ads, res);
1608 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1612 const char *servername, *printername;
1613 LDAPMessage *res = NULL;
1615 if (c->display_usage) {
1618 _("net ads printer info [printername [servername]]\n"
1619 " Display printer info from AD\n"
1620 " printername\tPrinter name or wildcard\n"
1621 " servername\tName of the print server\n"));
1625 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1630 printername = argv[0];
1636 servername = argv[1];
1638 servername = global_myname();
1641 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1643 if (!ADS_ERR_OK(rc)) {
1644 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1645 servername, ads_errstr(rc));
1646 ads_msgfree(ads, res);
1651 if (ads_count_replies(ads, res) == 0) {
1652 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1653 ads_msgfree(ads, res);
1659 ads_msgfree(ads, res);
1665 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1669 const char *servername, *printername;
1670 struct cli_state *cli = NULL;
1671 struct rpc_pipe_client *pipe_hnd = NULL;
1672 struct sockaddr_storage server_ss;
1674 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1675 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1676 char *prt_dn, *srv_dn, **srv_cn;
1677 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1678 LDAPMessage *res = NULL;
1680 if (argc < 1 || c->display_usage) {
1683 _("net ads printer publish <printername> [servername]\n"
1684 " Publish printer in AD\n"
1685 " printername\tName of the printer\n"
1686 " servername\tName of the print server\n"));
1687 talloc_destroy(mem_ctx);
1691 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1692 talloc_destroy(mem_ctx);
1696 printername = argv[0];
1699 servername = argv[1];
1701 servername = global_myname();
1704 /* Get printer data from SPOOLSS */
1706 resolve_name(servername, &server_ss, 0x20, false);
1708 nt_status = cli_full_connection(&cli, global_myname(), servername,
1711 c->opt_user_name, c->opt_workgroup,
1712 c->opt_password ? c->opt_password : "",
1713 CLI_FULL_CONNECTION_USE_KERBEROS,
1716 if (NT_STATUS_IS_ERR(nt_status)) {
1717 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1718 "obtain data for %s\n"),
1719 servername, printername);
1721 talloc_destroy(mem_ctx);
1725 /* Publish on AD server */
1727 ads_find_machine_acct(ads, &res, servername);
1729 if (ads_count_replies(ads, res) == 0) {
1730 d_fprintf(stderr, _("Could not find machine account for server "
1734 talloc_destroy(mem_ctx);
1738 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1739 srv_cn = ldap_explode_dn(srv_dn, 1);
1741 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1742 printername_escaped = escape_rdn_val_string_alloc(printername);
1743 if (!srv_cn_escaped || !printername_escaped) {
1744 SAFE_FREE(srv_cn_escaped);
1745 SAFE_FREE(printername_escaped);
1746 d_fprintf(stderr, _("Internal error, out of memory!"));
1748 talloc_destroy(mem_ctx);
1752 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1753 SAFE_FREE(srv_cn_escaped);
1754 SAFE_FREE(printername_escaped);
1755 d_fprintf(stderr, _("Internal error, out of memory!"));
1757 talloc_destroy(mem_ctx);
1761 SAFE_FREE(srv_cn_escaped);
1762 SAFE_FREE(printername_escaped);
1764 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1765 if (!NT_STATUS_IS_OK(nt_status)) {
1766 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1770 talloc_destroy(mem_ctx);
1774 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1778 talloc_destroy(mem_ctx);
1782 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1783 if (!ADS_ERR_OK(rc)) {
1784 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1787 talloc_destroy(mem_ctx);
1791 d_printf("published printer\n");
1794 talloc_destroy(mem_ctx);
1799 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1803 const char *servername;
1805 LDAPMessage *res = NULL;
1807 if (argc < 1 || c->display_usage) {
1810 _("net ads printer remove <printername> [servername]\n"
1811 " Remove a printer from the AD\n"
1812 " printername\tName of the printer\n"
1813 " servername\tName of the print server\n"));
1817 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1822 servername = argv[1];
1824 servername = global_myname();
1827 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1829 if (!ADS_ERR_OK(rc)) {
1830 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1831 ads_msgfree(ads, res);
1836 if (ads_count_replies(ads, res) == 0) {
1837 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1838 ads_msgfree(ads, res);
1843 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1844 ads_msgfree(ads, res);
1845 rc = ads_del_dn(ads, prt_dn);
1846 TALLOC_FREE(prt_dn);
1848 if (!ADS_ERR_OK(rc)) {
1849 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1858 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1860 struct functable func[] = {
1863 net_ads_printer_search,
1865 N_("Search for a printer"),
1866 N_("net ads printer search\n"
1867 " Search for a printer")
1871 net_ads_printer_info,
1873 N_("Display printer information"),
1874 N_("net ads printer info\n"
1875 " Display printer information")
1879 net_ads_printer_publish,
1881 N_("Publish a printer"),
1882 N_("net ads printer publish\n"
1883 " Publish a printer")
1887 net_ads_printer_remove,
1889 N_("Delete a printer"),
1890 N_("net ads printer remove\n"
1891 " Delete a printer")
1893 {NULL, NULL, 0, NULL, NULL}
1896 return net_run_function(c, argc, argv, "net ads printer", func);
1900 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1903 const char *auth_principal = c->opt_user_name;
1904 const char *auth_password = c->opt_password;
1906 char *new_password = NULL;
1911 if (c->display_usage) {
1914 _("net ads password <username>\n"
1915 " Change password for user\n"
1916 " username\tName of user to change password for\n"));
1920 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1921 d_fprintf(stderr, _("You must supply an administrator "
1922 "username/password\n"));
1927 d_fprintf(stderr, _("ERROR: You must say which username to "
1928 "change password for\n"));
1933 if (!strchr_m(user, '@')) {
1934 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1940 use_in_memory_ccache();
1941 chr = strchr_m(auth_principal, '@');
1948 /* use the realm so we can eventually change passwords for users
1949 in realms other than default */
1950 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1954 /* we don't actually need a full connect, but it's the easy way to
1955 fill in the KDC's addresss */
1958 if (!ads->config.realm) {
1959 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1965 new_password = (char *)argv[1];
1967 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1970 new_password = getpass(prompt);
1974 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1975 auth_password, user, new_password, ads->auth.time_offset);
1976 if (!ADS_ERR_OK(ret)) {
1977 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
1982 d_printf(_("Password change for %s completed.\n"), user);
1988 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1991 char *host_principal;
1995 if (c->display_usage) {
1997 "net ads changetrustpw\n"
2000 _("Change the machine account's trust password"));
2004 if (!secrets_init()) {
2005 DEBUG(1,("Failed to initialise secrets database\n"));
2009 net_use_krb_machine_account(c);
2011 use_in_memory_ccache();
2013 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2017 fstrcpy(my_name, global_myname());
2018 strlower_m(my_name);
2019 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2023 d_printf(_("Changing password for principal: %s\n"), host_principal);
2025 ret = ads_change_trust_account_password(ads, host_principal);
2027 if (!ADS_ERR_OK(ret)) {
2028 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2030 SAFE_FREE(host_principal);
2034 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2036 if (USE_SYSTEM_KEYTAB) {
2037 d_printf(_("Attempting to update system keytab with new password.\n"));
2038 if (ads_keytab_create_default(ads)) {
2039 d_printf(_("Failed to update system keytab.\n"));
2044 SAFE_FREE(host_principal);
2050 help for net ads search
2052 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2055 "\nnet ads search <expression> <attributes...>\n"
2056 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2057 "The expression is a standard LDAP search expression, and the\n"
2058 "attributes are a list of LDAP fields to show in the results.\n\n"
2059 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2061 net_common_flags_usage(c, argc, argv);
2067 general ADS search function. Useful in diagnosing problems in ADS
2069 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2073 const char *ldap_exp;
2075 LDAPMessage *res = NULL;
2077 if (argc < 1 || c->display_usage) {
2078 return net_ads_search_usage(c, argc, argv);
2081 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2088 rc = ads_do_search_all(ads, ads->config.bind_path,
2090 ldap_exp, attrs, &res);
2091 if (!ADS_ERR_OK(rc)) {
2092 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2097 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2099 /* dump the results */
2102 ads_msgfree(ads, res);
2110 help for net ads search
2112 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2115 "\nnet ads dn <dn> <attributes...>\n"
2116 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2117 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2118 "to show in the results\n\n"
2119 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2120 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2122 net_common_flags_usage(c, argc, argv);
2128 general ADS search function. Useful in diagnosing problems in ADS
2130 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2136 LDAPMessage *res = NULL;
2138 if (argc < 1 || c->display_usage) {
2139 return net_ads_dn_usage(c, argc, argv);
2142 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2149 rc = ads_do_search_all(ads, dn,
2151 "(objectclass=*)", attrs, &res);
2152 if (!ADS_ERR_OK(rc)) {
2153 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2158 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2160 /* dump the results */
2163 ads_msgfree(ads, res);
2170 help for net ads sid search
2172 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2175 "\nnet ads sid <sid> <attributes...>\n"
2176 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2177 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2178 "to show in the results\n\n"
2179 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2181 net_common_flags_usage(c, argc, argv);
2187 general ADS search function. Useful in diagnosing problems in ADS
2189 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2193 const char *sid_string;
2195 LDAPMessage *res = NULL;
2198 if (argc < 1 || c->display_usage) {
2199 return net_ads_sid_usage(c, argc, argv);
2202 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2206 sid_string = argv[0];
2209 if (!string_to_sid(&sid, sid_string)) {
2210 d_fprintf(stderr, _("could not convert sid\n"));
2215 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2216 if (!ADS_ERR_OK(rc)) {
2217 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2222 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2224 /* dump the results */
2227 ads_msgfree(ads, res);
2233 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2238 if (c->display_usage) {
2240 "net ads keytab flush\n"
2243 _("Delete the whole keytab"));
2247 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2250 ret = ads_keytab_flush(ads);
2255 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2261 if (c->display_usage) {
2264 _("net ads keytab add <principal> [principal ...]\n"
2265 " Add principals to local keytab\n"
2266 " principal\tKerberos principal to add to "
2271 d_printf(_("Processing principals to add...\n"));
2272 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2275 for (i = 0; i < argc; i++) {
2276 ret |= ads_keytab_add_entry(ads, argv[i]);
2282 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2287 if (c->display_usage) {
2289 "net ads keytab create\n"
2292 _("Create new default keytab"));
2296 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2299 ret = ads_keytab_create_default(ads);
2304 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2306 const char *keytab = NULL;
2308 if (c->display_usage) {
2311 _("net ads keytab list [keytab]\n"
2312 " List a local keytab\n"
2313 " keytab\tKeytab to list\n"));
2321 return ads_keytab_list(keytab);
2325 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2327 struct functable func[] = {
2332 N_("Add a service principal"),
2333 N_("net ads keytab add\n"
2334 " Add a service principal")
2338 net_ads_keytab_create,
2340 N_("Create a fresh keytab"),
2341 N_("net ads keytab create\n"
2342 " Create a fresh keytab")
2346 net_ads_keytab_flush,
2348 N_("Remove all keytab entries"),
2349 N_("net ads keytab flush\n"
2350 " Remove all keytab entries")
2354 net_ads_keytab_list,
2356 N_("List a keytab"),
2357 N_("net ads keytab list\n"
2360 {NULL, NULL, 0, NULL, NULL}
2363 if (!USE_KERBEROS_KEYTAB) {
2364 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2365 "keytab method to use keytab functions.\n"));
2368 return net_run_function(c, argc, argv, "net ads keytab", func);
2371 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2375 if (c->display_usage) {
2377 "net ads kerberos renew\n"
2380 _("Renew TGT from existing credential cache"));
2384 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2386 d_printf(_("failed to renew kerberos ticket: %s\n"),
2387 error_message(ret));
2392 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2394 struct PAC_LOGON_INFO *info = NULL;
2395 TALLOC_CTX *mem_ctx = NULL;
2398 const char *impersonate_princ_s = NULL;
2400 if (c->display_usage) {
2402 "net ads kerberos pac\n"
2405 _("Dump the Kerberos PAC"));
2409 mem_ctx = talloc_init("net_ads_kerberos_pac");
2415 impersonate_princ_s = argv[0];
2418 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2420 status = kerberos_return_pac(mem_ctx,
2429 2592000, /* one month */
2430 impersonate_princ_s,
2432 if (!NT_STATUS_IS_OK(status)) {
2433 d_printf(_("failed to query kerberos PAC: %s\n"),
2440 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2441 d_printf(_("The Pac: %s\n"), s);
2446 TALLOC_FREE(mem_ctx);
2450 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2452 TALLOC_CTX *mem_ctx = NULL;
2456 if (c->display_usage) {
2458 "net ads kerberos kinit\n"
2461 _("Get Ticket Granting Ticket (TGT) for the user"));
2465 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2470 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2472 ret = kerberos_kinit_password_ext(c->opt_user_name,
2480 2592000, /* one month */
2483 d_printf(_("failed to kinit password: %s\n"),
2490 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2492 struct functable func[] = {
2495 net_ads_kerberos_kinit,
2497 N_("Retrieve Ticket Granting Ticket (TGT)"),
2498 N_("net ads kerberos kinit\n"
2499 " Receive Ticket Granting Ticket (TGT)")
2503 net_ads_kerberos_renew,
2505 N_("Renew Ticket Granting Ticket from credential cache"),
2506 N_("net ads kerberos renew\n"
2507 " Renew Ticket Granting Ticket (TGT) from "
2512 net_ads_kerberos_pac,
2514 N_("Dump Kerberos PAC"),
2515 N_("net ads kerberos pac\n"
2516 " Dump Kerberos PAC")
2518 {NULL, NULL, 0, NULL, NULL}
2521 return net_run_function(c, argc, argv, "net ads kerberos", func);
2524 int net_ads(struct net_context *c, int argc, const char **argv)
2526 struct functable func[] = {
2531 N_("Display details on remote ADS server"),
2533 " Display details on remote ADS server")
2539 N_("Join the local machine to ADS realm"),
2541 " Join the local machine to ADS realm")
2547 N_("Validate machine account"),
2548 N_("net ads testjoin\n"
2549 " Validate machine account")
2555 N_("Remove the local machine from ADS"),
2556 N_("net ads leave\n"
2557 " Remove the local machine from ADS")
2563 N_("Display machine account details"),
2564 N_("net ads status\n"
2565 " Display machine account details")
2571 N_("List/modify users"),
2573 " List/modify users")
2579 N_("List/modify groups"),
2580 N_("net ads group\n"
2581 " List/modify groups")
2587 N_("Issue dynamic DNS update"),
2589 " Issue dynamic DNS update")
2595 N_("Change user passwords"),
2596 N_("net ads password\n"
2597 " Change user passwords")
2601 net_ads_changetrustpw,
2603 N_("Change trust account password"),
2604 N_("net ads changetrustpw\n"
2605 " Change trust account password")
2611 N_("List/modify printer entries"),
2612 N_("net ads printer\n"
2613 " List/modify printer entries")
2619 N_("Issue LDAP search using filter"),
2620 N_("net ads search\n"
2621 " Issue LDAP search using filter")
2627 N_("Issue LDAP search by DN"),
2629 " Issue LDAP search by DN")
2635 N_("Issue LDAP search by SID"),
2637 " Issue LDAP search by SID")
2643 N_("Display workgroup name"),
2644 N_("net ads workgroup\n"
2645 " Display the workgroup name")
2651 N_("Perfom CLDAP query on DC"),
2652 N_("net ads lookup\n"
2653 " Find the ADS DC using CLDAP lookups")
2659 N_("Manage local keytab file"),
2660 N_("net ads keytab\n"
2661 " Manage local keytab file")
2667 N_("Manage group policy objects"),
2669 " Manage group policy objects")
2675 N_("Manage kerberos keytab"),
2676 N_("net ads kerberos\n"
2677 " Manage kerberos keytab")
2679 {NULL, NULL, 0, NULL, NULL}
2682 return net_run_function(c, argc, argv, "net ads", func);
2687 static int net_ads_noads(void)
2689 d_fprintf(stderr, _("ADS support not compiled in\n"));
2693 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2695 return net_ads_noads();
2698 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2700 return net_ads_noads();
2703 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2705 return net_ads_noads();
2708 int net_ads_join(struct net_context *c, int argc, const char **argv)
2710 return net_ads_noads();
2713 int net_ads_user(struct net_context *c, int argc, const char **argv)
2715 return net_ads_noads();
2718 int net_ads_group(struct net_context *c, int argc, const char **argv)
2720 return net_ads_noads();
2723 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
2725 return net_ads_noads();
2728 /* this one shouldn't display a message */
2729 int net_ads_check(struct net_context *c)
2734 int net_ads_check_our_domain(struct net_context *c)
2739 int net_ads(struct net_context *c, int argc, const char **argv)
2741 return net_ads_noads();
2744 #endif /* WITH_ADS */
git.samba.org / samba.git / blob