2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "system/passwd.h"
23 #include "utils/net.h"
24 #include "../librpc/gen_ndr/samr.h"
26 #include "../libcli/security/security.h"
27 #include "lib/winbind_util.h"
29 #include "passdb/pdb_ldap_util.h"
30 #include "passdb/pdb_ldap_schema.h"
31 #include "lib/privileges.h"
39 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
41 bool (*fn)(struct samu *, const char *,
42 enum pdb_value_state))
44 struct samu *sam_acct = NULL;
46 enum lsa_SidType type;
47 const char *dom, *name;
50 if (argc != 2 || c->display_usage) {
51 d_fprintf(stderr, "%s\n", _("Usage:"));
52 d_fprintf(stderr, _("net sam set %s <user> <value>\n"),
57 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
58 &dom, &name, &sid, &type)) {
59 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
63 if (type != SID_NAME_USER) {
64 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
65 sid_type_lookup(type));
69 if ( !(sam_acct = samu_new( NULL )) ) {
70 d_fprintf(stderr, _("Internal error\n"));
74 if (!pdb_getsampwsid(sam_acct, &sid)) {
75 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
79 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
80 d_fprintf(stderr, _("Internal error\n"));
84 status = pdb_update_sam_account(sam_acct);
85 if (!NT_STATUS_IS_OK(status)) {
86 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
87 argv[0], nt_errstr(status));
91 TALLOC_FREE(sam_acct);
93 d_printf(_("Updated %s for %s\\%s to %s\n"), field, dom, name, argv[1]);
97 static int net_sam_set_fullname(struct net_context *c, int argc,
100 return net_sam_userset(c, argc, argv, "fullname",
104 static int net_sam_set_logonscript(struct net_context *c, int argc,
107 return net_sam_userset(c, argc, argv, "logonscript",
108 pdb_set_logon_script);
111 static int net_sam_set_profilepath(struct net_context *c, int argc,
114 return net_sam_userset(c, argc, argv, "profilepath",
115 pdb_set_profile_path);
118 static int net_sam_set_homedrive(struct net_context *c, int argc,
121 return net_sam_userset(c, argc, argv, "homedrive",
125 static int net_sam_set_homedir(struct net_context *c, int argc,
128 return net_sam_userset(c, argc, argv, "homedir",
132 static int net_sam_set_workstations(struct net_context *c, int argc,
135 return net_sam_userset(c, argc, argv, "workstations",
136 pdb_set_workstations);
143 static int net_sam_set_userflag(struct net_context *c, int argc,
144 const char **argv, const char *field,
147 struct samu *sam_acct = NULL;
149 enum lsa_SidType type;
150 const char *dom, *name;
154 if ((argc != 2) || c->display_usage ||
155 (!strequal(argv[1], "yes") &&
156 !strequal(argv[1], "no"))) {
157 d_fprintf(stderr, "%s\n", _("Usage:"));
158 d_fprintf(stderr, _("net sam set %s <user> [yes|no]\n"),
163 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
164 &dom, &name, &sid, &type)) {
165 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
169 if (type != SID_NAME_USER) {
170 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
171 sid_type_lookup(type));
175 if ( !(sam_acct = samu_new( NULL )) ) {
176 d_fprintf(stderr, _("Internal error\n"));
180 if (!pdb_getsampwsid(sam_acct, &sid)) {
181 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
185 acct_flags = pdb_get_acct_ctrl(sam_acct);
187 if (strequal(argv[1], "yes")) {
193 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
195 status = pdb_update_sam_account(sam_acct);
196 if (!NT_STATUS_IS_OK(status)) {
197 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
198 argv[0], nt_errstr(status));
202 TALLOC_FREE(sam_acct);
204 d_fprintf(stderr, _("Updated flag %s for %s\\%s to %s\n"), field, dom,
209 static int net_sam_set_disabled(struct net_context *c, int argc,
212 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
215 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
218 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
221 static int net_sam_set_autolock(struct net_context *c, int argc,
224 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
227 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
230 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
234 * Set pass last change time, based on force pass change now
237 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
240 struct samu *sam_acct = NULL;
242 enum lsa_SidType type;
243 const char *dom, *name;
246 if ((argc != 2) || c->display_usage ||
247 (!strequal(argv[1], "yes") &&
248 !strequal(argv[1], "no"))) {
249 d_fprintf(stderr, "%s\n%s",
251 _("net sam set pwdmustchangenow <user> [yes|no]\n"));
255 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
256 &dom, &name, &sid, &type)) {
257 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
261 if (type != SID_NAME_USER) {
262 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
263 sid_type_lookup(type));
267 if ( !(sam_acct = samu_new( NULL )) ) {
268 d_fprintf(stderr, _("Internal error\n"));
272 if (!pdb_getsampwsid(sam_acct, &sid)) {
273 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
277 if (strequal(argv[1], "yes")) {
278 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
280 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
283 status = pdb_update_sam_account(sam_acct);
284 if (!NT_STATUS_IS_OK(status)) {
285 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
286 argv[0], nt_errstr(status));
290 TALLOC_FREE(sam_acct);
292 d_fprintf(stderr, _("Updated 'user must change password at next logon' "
293 "for %s\\%s to %s\n"), dom,
300 * Set a user's or a group's comment
303 static int net_sam_set_comment(struct net_context *c, int argc,
308 enum lsa_SidType type;
309 const char *dom, *name;
312 if (argc != 2 || c->display_usage) {
313 d_fprintf(stderr, "%s\n%s",
315 _("net sam set comment <name> <comment>\n"));
319 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
320 &dom, &name, &sid, &type)) {
321 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
325 if (type == SID_NAME_USER) {
326 return net_sam_userset(c, argc, argv, "comment",
330 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
331 (type != SID_NAME_WKN_GRP)) {
332 d_fprintf(stderr, _("%s is a %s, not a group\n"), argv[0],
333 sid_type_lookup(type));
337 map = talloc_zero(talloc_tos(), GROUP_MAP);
339 d_fprintf(stderr, _("Out of memory!\n"));
343 if (!pdb_getgrsid(map, sid)) {
344 d_fprintf(stderr, _("Could not load group %s\n"), argv[0]);
348 map->comment = talloc_strdup(map, argv[1]);
350 d_fprintf(stderr, _("Out of memory!\n"));
354 status = pdb_update_group_mapping_entry(map);
356 if (!NT_STATUS_IS_OK(status)) {
357 d_fprintf(stderr, _("Updating group mapping entry failed with "
358 "%s\n"), nt_errstr(status));
362 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
369 static int net_sam_set(struct net_context *c, int argc, const char **argv)
371 struct functable func[] = {
376 N_("Change a user's home directory"),
377 N_("net sam set homedir\n"
378 " Change a user's home directory")
382 net_sam_set_profilepath,
384 N_("Change a user's profile path"),
385 N_("net sam set profilepath\n"
386 " Change a user's profile path")
392 N_("Change a users or groups description"),
393 N_("net sam set comment\n"
394 " Change a users or groups description")
398 net_sam_set_fullname,
400 N_("Change a user's full name"),
401 N_("net sam set fullname\n"
402 " Change a user's full name")
406 net_sam_set_logonscript,
408 N_("Change a user's logon script"),
409 N_("net sam set logonscript\n"
410 " Change a user's logon script")
414 net_sam_set_homedrive,
416 N_("Change a user's home drive"),
417 N_("net sam set homedrive\n"
418 " Change a user's home drive")
422 net_sam_set_workstations,
424 N_("Change a user's allowed workstations"),
425 N_("net sam set workstations\n"
426 " Change a user's allowed workstations")
430 net_sam_set_disabled,
432 N_("Disable/Enable a user"),
433 N_("net sam set disable\n"
434 " Disable/Enable a user")
438 net_sam_set_pwnotreq,
440 N_("Disable/Enable the password not required flag"),
441 N_("net sam set pwnotreq\n"
442 " Disable/Enable the password not required flag")
446 net_sam_set_autolock,
448 N_("Disable/Enable a user's lockout flag"),
449 N_("net sam set autolock\n"
450 " Disable/Enable a user's lockout flag")
456 N_("Disable/Enable whether a user's pw does not "
458 N_("net sam set pwnoexp\n"
459 " Disable/Enable whether a user's pw does not "
464 net_sam_set_pwdmustchangenow,
466 N_("Force users password must change at next logon"),
467 N_("net sam set pwdmustchangenow\n"
468 " Force users password must change at next logon")
470 {NULL, NULL, 0, NULL, NULL}
473 return net_run_function(c, argc, argv, "net sam set", func);
477 * Manage account policies
480 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
482 const char *account_policy = NULL;
484 uint32_t old_value = 0;
485 enum pdb_policy_type field;
488 if (argc != 2 || c->display_usage) {
489 d_fprintf(stderr, "%s\n%s",
491 _("net sam policy set \"<account policy>\" <value>\n"));
495 account_policy = argv[0];
496 field = account_policy_name_to_typenum(account_policy);
498 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
499 || strequal(argv[1], "off")) {
503 value = smb_strtoul(argv[1],
507 SMB_STR_FULL_STR_CONV);
510 d_printf(_("Unable to set policy \"%s\"! Invalid value "
512 account_policy, argv[1]);
521 account_policy_names_list(talloc_tos(), &names, &count);
522 d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
523 d_fprintf(stderr, _("Valid account policies are:\n"));
525 for (i=0; i<count; i++) {
526 d_fprintf(stderr, "%s\n", names[i]);
534 if (!pdb_get_account_policy(field, &old_value)) {
535 d_fprintf(stderr, _("Valid account policy, but unable to fetch "
538 d_printf(_("Account policy \"%s\" value was: %d\n"),
539 account_policy, old_value);
542 if (!pdb_set_account_policy(field, value)) {
543 d_fprintf(stderr, _("Valid account policy, but unable to "
547 d_printf(_("Account policy \"%s\" value is now: %d\n"),
548 account_policy, value);
554 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
556 const char *account_policy = NULL;
558 enum pdb_policy_type field;
560 if (argc != 1 || c->display_usage) {
561 d_fprintf(stderr, "%s\n%s",
563 _("net sam policy show \"<account policy>\"\n"));
567 account_policy = argv[0];
568 field = account_policy_name_to_typenum(account_policy);
574 account_policy_names_list(talloc_tos(), &names, &count);
575 d_fprintf(stderr, _("No account policy by that name!\n"));
577 d_fprintf(stderr, _("Valid account policies "
579 for (i=0; i<count; i++) {
580 d_fprintf(stderr, "%s\n", names[i]);
587 if (!pdb_get_account_policy(field, &old_value)) {
588 fprintf(stderr, _("Valid account policy, but unable to "
593 printf(_("Account policy \"%s\" description: %s\n"),
594 account_policy, account_policy_get_desc(field));
595 printf(_("Account policy \"%s\" value is: %d\n"), account_policy,
600 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
606 if (c->display_usage) {
608 "net sam policy list\n"
611 _("List account policies"));
615 account_policy_names_list(talloc_tos(), &names, &count);
617 d_fprintf(stderr, _("Valid account policies "
619 for (i = 0; i < count ; i++) {
620 d_fprintf(stderr, "%s\n", names[i]);
627 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
629 struct functable func[] = {
634 N_("List account policies"),
635 N_("net sam policy list\n"
636 " List account policies")
642 N_("Show account policies"),
643 N_("net sam policy show\n"
644 " Show account policies")
650 N_("Change account policies"),
651 N_("net sam policy set\n"
652 " Change account policies")
654 {NULL, NULL, 0, NULL, NULL}
657 return net_run_function(c, argc, argv, "net sam policy", func);
660 static int net_sam_rights_list(struct net_context *c, int argc,
663 enum sec_privilege privilege;
665 if (argc > 1 || c->display_usage) {
666 d_fprintf(stderr, "%s\n%s",
668 _("net sam rights list [privilege name]\n"));
674 int num = num_privileges_in_short_list();
676 for (i=0; i<num; i++) {
677 d_printf("%s\n", sec_privilege_name_from_index(i));
682 privilege = sec_privilege_id(argv[0]);
684 if (privilege != SEC_PRIV_INVALID) {
685 struct dom_sid *sids;
689 status = privilege_enum_sids(privilege, talloc_tos(),
691 if (!NT_STATUS_IS_OK(status)) {
692 d_fprintf(stderr, _("Could not list rights: %s\n"),
697 for (i=0; i<num_sids; i++) {
698 const char *dom, *name;
699 enum lsa_SidType type;
700 struct dom_sid_buf buf;
702 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
704 d_printf("%s\\%s\n", dom, name);
708 dom_sid_str_buf(&sids[i], &buf));
717 static int net_sam_rights_grant(struct net_context *c, int argc,
721 enum lsa_SidType type;
722 const char *dom, *name;
725 if (argc < 2 || c->display_usage) {
726 d_fprintf(stderr, "%s\n%s",
728 _("net sam rights grant <name> <rights> ...\n"));
732 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
733 &dom, &name, &sid, &type)) {
734 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
738 for (i=1; i < argc; i++) {
739 enum sec_privilege privilege = sec_privilege_id(argv[i]);
740 if (privilege == SEC_PRIV_INVALID) {
741 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
745 if (!grant_privilege_by_name(&sid, argv[i])) {
746 d_fprintf(stderr, _("Could not grant privilege\n"));
750 d_printf(_("Granted %s to %s\\%s\n"), argv[i], dom, name);
756 static int net_sam_rights_revoke(struct net_context *c, int argc,
760 enum lsa_SidType type;
761 const char *dom, *name;
764 if (argc < 2 || c->display_usage) {
765 d_fprintf(stderr, "%s\n%s",
767 _("net sam rights revoke <name> <rights>\n"));
771 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
772 &dom, &name, &sid, &type)) {
773 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
777 for (i=1; i < argc; i++) {
778 enum sec_privilege privilege = sec_privilege_id(argv[i]);
779 if (privilege == SEC_PRIV_INVALID) {
780 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
784 if (!revoke_privilege_by_name(&sid, argv[i])) {
785 d_fprintf(stderr, _("Could not revoke privilege\n"));
789 d_printf(_("Revoked %s from %s\\%s\n"), argv[i], dom, name);
795 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
797 struct functable func[] = {
802 N_("List possible user rights"),
803 N_("net sam rights list\n"
804 " List possible user rights")
808 net_sam_rights_grant,
810 N_("Grant right(s)"),
811 N_("net sam rights grant\n"
816 net_sam_rights_revoke,
818 N_("Revoke right(s)"),
819 N_("net sam rights revoke\n"
822 {NULL, NULL, 0, NULL, NULL}
824 return net_run_function(c, argc, argv, "net sam rights", func);
828 * Map a unix group to a domain group
831 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *map)
833 const char *dom, *name;
836 if (pdb_getgrgid(map, grp->gr_gid)) {
837 return NT_STATUS_GROUP_EXISTS;
840 map->gid = grp->gr_gid;
842 if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
843 &dom, &name, NULL, NULL)) {
845 map->nt_name = talloc_asprintf(map, "Unix Group %s",
848 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
849 grp->gr_name, dom, name, map->nt_name));
852 if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
853 NULL, NULL, NULL, NULL)) {
854 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
855 return NT_STATUS_GROUP_EXISTS;
858 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
859 if (!pdb_new_rid(&rid)) {
860 DEBUG(3, ("Could not get a new RID for %s\n",
862 return NT_STATUS_ACCESS_DENIED;
865 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
868 sid_compose(&map->sid, get_global_sam_sid(), rid);
869 map->sid_name_use = SID_NAME_DOM_GRP;
870 map->comment = talloc_asprintf(map, "Unix Group %s", grp->gr_name);
872 return pdb_add_group_mapping_entry(map);
875 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
880 struct dom_sid_buf buf;
882 if (argc != 1 || c->display_usage) {
883 d_fprintf(stderr, "%s\n%s",
885 _("net sam mapunixgroup <name>\n"));
889 grp = getgrnam(argv[0]);
891 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
895 map = talloc_zero(talloc_tos(), GROUP_MAP);
897 d_fprintf(stderr, _("Out of memory!\n"));
901 status = map_unix_group(grp, map);
903 if (!NT_STATUS_IS_OK(status)) {
904 d_fprintf(stderr, _("Mapping group %s failed with %s\n"),
905 argv[0], nt_errstr(status));
909 d_printf(_("Mapped unix group %s to SID %s\n"), argv[0],
910 dom_sid_str_buf(&map->sid, &buf));
917 * Remove a group mapping
920 static NTSTATUS unmap_unix_group(const struct group *grp)
922 struct dom_sid dom_sid;
925 if (!lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
926 NULL, NULL, NULL, NULL)) {
927 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
928 return NT_STATUS_NO_SUCH_GROUP;
932 id.type = ID_TYPE_GID;
933 if (!pdb_id_to_sid(&id, &dom_sid)) {
934 return NT_STATUS_UNSUCCESSFUL;
937 return pdb_delete_group_mapping_entry(dom_sid);
940 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
945 if (argc != 1 || c->display_usage) {
946 d_fprintf(stderr, "%s\n%s",
948 _("net sam unmapunixgroup <name>\n"));
952 grp = getgrnam(argv[0]);
954 d_fprintf(stderr, _("Could not find mapping for group %s.\n"),
959 status = unmap_unix_group(grp);
961 if (!NT_STATUS_IS_OK(status)) {
962 d_fprintf(stderr, _("Unmapping group %s failed with %s.\n"),
963 argv[0], nt_errstr(status));
967 d_printf(_("Unmapped unix group %s.\n"), argv[0]);
973 * Create a domain group
976 static int net_sam_createdomaingroup(struct net_context *c, int argc,
982 if (argc != 1 || c->display_usage) {
983 d_fprintf(stderr, "%s\n%s",
985 _("net sam createdomaingroup <name>\n"));
989 status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
991 if (!NT_STATUS_IS_OK(status)) {
992 d_fprintf(stderr, _("Creating %s failed with %s\n"),
993 argv[0], nt_errstr(status));
997 d_printf(_("Created domain group %s with RID %d\n"), argv[0], rid);
1003 * Delete a domain group
1006 static int net_sam_deletedomaingroup(struct net_context *c, int argc,
1011 enum lsa_SidType type;
1012 const char *dom, *name;
1015 if (argc != 1 || c->display_usage) {
1016 d_fprintf(stderr, "%s\n%s",
1018 _("net sam deletelocalgroup <name>\n"));
1022 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1023 &dom, &name, &sid, &type)) {
1024 d_fprintf(stderr, _("Could not find %s.\n"), argv[0]);
1028 if (type != SID_NAME_DOM_GRP) {
1029 d_fprintf(stderr, _("%s is a %s, not a domain group.\n"),
1030 argv[0], sid_type_lookup(type));
1034 sid_peek_rid(&sid, &rid);
1036 status = pdb_delete_dom_group(talloc_tos(), rid);
1038 if (!NT_STATUS_IS_OK(status)) {
1039 d_fprintf(stderr,_("Deleting domain group %s failed with %s\n"),
1040 argv[0], nt_errstr(status));
1044 d_printf(_("Deleted domain group %s.\n"), argv[0]);
1050 * Create a local group
1053 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1058 if (argc != 1 || c->display_usage) {
1059 d_fprintf(stderr, "%s\n%s",
1061 _("net sam createlocalgroup <name>\n"));
1065 if (!winbind_ping()) {
1066 d_fprintf(stderr, _("winbind seems not to run. "
1067 "createlocalgroup only works when winbind runs.\n"));
1071 status = pdb_create_alias(argv[0], &rid);
1073 if (!NT_STATUS_IS_OK(status)) {
1074 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1075 argv[0], nt_errstr(status));
1079 d_printf(_("Created local group %s with RID %d\n"), argv[0], rid);
1085 * Delete a local group
1088 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1091 enum lsa_SidType type;
1092 const char *dom, *name;
1095 if (argc != 1 || c->display_usage) {
1096 d_fprintf(stderr, "%s\n%s",
1098 _("net sam deletelocalgroup <name>\n"));
1102 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1103 &dom, &name, &sid, &type)) {
1104 d_fprintf(stderr,_("Could not find %s.\n"), argv[0]);
1108 if (type != SID_NAME_ALIAS) {
1109 d_fprintf(stderr, _("%s is a %s, not a local group.\n"),argv[0],
1110 sid_type_lookup(type));
1114 status = pdb_delete_alias(&sid);
1116 if (!NT_STATUS_IS_OK(status)) {
1117 d_fprintf(stderr, _("Deleting local group %s failed with %s\n"),
1118 argv[0], nt_errstr(status));
1122 d_printf(_("Deleted local group %s.\n"), argv[0]);
1128 * Create a builtin group
1131 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1135 enum lsa_SidType type;
1139 if (argc != 1 || c->display_usage) {
1140 d_fprintf(stderr, "%s\n%s",
1142 _("net sam createbuiltingroup <name>\n"));
1146 if (!winbind_ping()) {
1147 d_fprintf(stderr, _("winbind seems not to run. "
1148 "createbuiltingroup only works when winbind "
1153 /* validate the name and get the group */
1155 fstrcpy( groupname, "BUILTIN\\" );
1156 fstrcat( groupname, argv[0] );
1158 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1159 NULL, &sid, &type)) {
1160 d_fprintf(stderr, _("%s is not a BUILTIN group\n"), argv[0]);
1164 if ( !sid_peek_rid( &sid, &rid ) ) {
1165 d_fprintf(stderr, _("Failed to get RID for %s\n"), argv[0]);
1169 status = pdb_create_builtin(rid);
1171 if (!NT_STATUS_IS_OK(status)) {
1172 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1173 argv[0], nt_errstr(status));
1177 d_printf(_("Created BUILTIN group %s with RID %d\n"), argv[0], rid);
1183 * Add a group member
1186 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1188 const char *groupdomain, *groupname, *memberdomain, *membername;
1189 struct dom_sid group, member;
1190 enum lsa_SidType grouptype, membertype;
1193 if (argc != 2 || c->display_usage) {
1194 d_fprintf(stderr, "%s\n%s",
1196 _("net sam addmem <group> <member>\n"));
1200 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1201 &groupdomain, &groupname, &group, &grouptype)) {
1202 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1206 /* check to see if the member to be added is a name or a SID */
1208 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1209 &memberdomain, &membername, &member, &membertype))
1211 /* try it as a SID */
1213 if ( !string_to_sid( &member, argv[1] ) ) {
1214 d_fprintf(stderr, _("Could not find member %s\n"),
1219 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1220 &membername, &membertype) )
1222 d_fprintf(stderr, _("Could not resolve SID %s\n"),
1228 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1229 if ((membertype != SID_NAME_USER) &&
1230 (membertype != SID_NAME_ALIAS) &&
1231 (membertype != SID_NAME_DOM_GRP)) {
1232 d_fprintf(stderr, _("Can't add %s: only users, domain "
1233 "groups and domain local groups "
1234 "can be added. %s is a %s\n"),
1236 sid_type_lookup(membertype));
1239 status = pdb_add_aliasmem(&group, &member);
1241 if (!NT_STATUS_IS_OK(status)) {
1242 d_fprintf(stderr, _("Adding local group member failed "
1243 "with %s\n"), nt_errstr(status));
1246 } else if (grouptype == SID_NAME_DOM_GRP) {
1247 uint32_t grouprid, memberrid;
1249 sid_peek_rid(&group, &grouprid);
1250 sid_peek_rid(&member, &memberrid);
1252 status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1253 if (!NT_STATUS_IS_OK(status)) {
1254 d_fprintf(stderr, _("Adding domain group member failed "
1255 "with %s\n"), nt_errstr(status));
1259 d_fprintf(stderr, _("Can only add members to local groups so "
1260 "far, %s is a %s\n"), argv[0],
1261 sid_type_lookup(grouptype));
1265 d_printf(_("Added %s\\%s to %s\\%s\n"), memberdomain, membername,
1266 groupdomain, groupname);
1272 * Delete a group member
1275 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1277 const char *groupdomain, *groupname;
1278 const char *memberdomain = NULL;
1279 const char *membername = NULL;
1280 struct dom_sid group, member;
1281 enum lsa_SidType grouptype;
1284 if (argc != 2 || c->display_usage) {
1285 d_fprintf(stderr,"%s\n%s",
1287 _("net sam delmem <group> <member>\n"));
1291 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1292 &groupdomain, &groupname, &group, &grouptype)) {
1293 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1297 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1298 &memberdomain, &membername, &member, NULL)) {
1299 if (!string_to_sid(&member, argv[1])) {
1300 d_fprintf(stderr, _("Could not find member %s\n"),
1306 if ((grouptype == SID_NAME_ALIAS) ||
1307 (grouptype == SID_NAME_WKN_GRP)) {
1308 status = pdb_del_aliasmem(&group, &member);
1310 if (!NT_STATUS_IS_OK(status)) {
1311 d_fprintf(stderr,_("Deleting local group member failed "
1312 "with %s\n"), nt_errstr(status));
1315 } else if (grouptype == SID_NAME_DOM_GRP) {
1316 uint32_t grouprid, memberrid;
1318 sid_peek_rid(&group, &grouprid);
1319 sid_peek_rid(&member, &memberrid);
1321 status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1322 if (!NT_STATUS_IS_OK(status)) {
1323 d_fprintf(stderr, _("Deleting domain group member "
1324 "failed with %s\n"), nt_errstr(status));
1328 d_fprintf(stderr, _("Can only delete members from local groups "
1329 "so far, %s is a %s\n"), argv[0],
1330 sid_type_lookup(grouptype));
1334 if (membername != NULL) {
1335 d_printf(_("Deleted %s\\%s from %s\\%s\n"),
1336 memberdomain, membername, groupdomain, groupname);
1338 struct dom_sid_buf buf;
1339 d_printf(_("Deleted %s from %s\\%s\n"),
1340 dom_sid_str_buf(&member, &buf),
1349 * List group members
1352 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1354 const char *groupdomain, *groupname;
1355 struct dom_sid group;
1356 struct dom_sid *members = NULL;
1357 size_t i, num_members = 0;
1358 enum lsa_SidType grouptype;
1361 if (argc != 1 || c->display_usage) {
1362 d_fprintf(stderr, "%s\n%s",
1364 _("net sam listmem <group>\n"));
1368 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1369 &groupdomain, &groupname, &group, &grouptype)) {
1370 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1374 if ((grouptype == SID_NAME_ALIAS) ||
1375 (grouptype == SID_NAME_WKN_GRP)) {
1376 status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1378 if (!NT_STATUS_IS_OK(status)) {
1379 d_fprintf(stderr, _("Listing group members failed with "
1380 "%s\n"), nt_errstr(status));
1383 } else if (grouptype == SID_NAME_DOM_GRP) {
1386 status = pdb_enum_group_members(talloc_tos(), &group,
1387 &rids, &num_members);
1388 if (!NT_STATUS_IS_OK(status)) {
1389 d_fprintf(stderr, _("Listing group members failed with "
1390 "%s\n"), nt_errstr(status));
1394 members = talloc_array(talloc_tos(), struct dom_sid,
1396 if (members == NULL) {
1401 for (i=0; i<num_members; i++) {
1402 sid_compose(&members[i], get_global_sam_sid(),
1407 d_fprintf(stderr,_("Can only list local group members so far.\n"
1408 "%s is a %s\n"), argv[0], sid_type_lookup(grouptype));
1412 d_printf(_("%s\\%s has %u members\n"), groupdomain, groupname,
1413 (unsigned int)num_members);
1414 for (i=0; i<num_members; i++) {
1415 const char *dom, *name;
1416 if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1417 d_printf(" %s\\%s\n", dom, name);
1419 struct dom_sid_buf buf;
1421 dom_sid_str_buf(&members[i], &buf));
1425 TALLOC_FREE(members);
1433 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1434 struct pdb_search *search, const char *what)
1436 bool verbose = (argc == 1);
1438 if ((argc > 1) || c->display_usage ||
1439 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1440 d_fprintf(stderr, "%s\n", _("Usage:"));
1441 d_fprintf(stderr, _("net sam list %s [verbose]\n"), what);
1445 if (search == NULL) {
1446 d_fprintf(stderr, _("Could not start search\n"));
1451 struct samr_displayentry entry;
1452 if (!search->next_entry(search, &entry)) {
1456 d_printf("%s:%d:%s\n",
1461 d_printf("%s\n", entry.account_name);
1465 TALLOC_FREE(search);
1469 static int net_sam_list_users(struct net_context *c, int argc,
1472 return net_sam_do_list(c, argc, argv,
1473 pdb_search_users(talloc_tos(), ACB_NORMAL),
1477 static int net_sam_list_groups(struct net_context *c, int argc,
1480 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1484 static int net_sam_list_localgroups(struct net_context *c, int argc,
1487 return net_sam_do_list(c, argc, argv,
1488 pdb_search_aliases(talloc_tos(),
1489 get_global_sam_sid()),
1493 static int net_sam_list_builtin(struct net_context *c, int argc,
1496 return net_sam_do_list(c, argc, argv,
1497 pdb_search_aliases(talloc_tos(),
1498 &global_sid_Builtin),
1502 static int net_sam_list_workstations(struct net_context *c, int argc,
1505 return net_sam_do_list(c, argc, argv,
1506 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1514 static int net_sam_list(struct net_context *c, int argc, const char **argv)
1516 struct functable func[] = {
1520 NET_TRANSPORT_LOCAL,
1521 N_("List SAM users"),
1522 N_("net sam list users\n"
1527 net_sam_list_groups,
1528 NET_TRANSPORT_LOCAL,
1529 N_("List SAM groups"),
1530 N_("net sam list groups\n"
1535 net_sam_list_localgroups,
1536 NET_TRANSPORT_LOCAL,
1537 N_("List SAM local groups"),
1538 N_("net sam list localgroups\n"
1539 " List SAM local groups")
1543 net_sam_list_builtin,
1544 NET_TRANSPORT_LOCAL,
1545 N_("List builtin groups"),
1546 N_("net sam list builtin\n"
1547 " List builtin groups")
1551 net_sam_list_workstations,
1552 NET_TRANSPORT_LOCAL,
1553 N_("List domain member workstations"),
1554 N_("net sam list workstations\n"
1555 " List domain member workstations")
1557 {NULL, NULL, 0, NULL, NULL}
1560 return net_run_function(c, argc, argv, "net sam list", func);
1564 * Show details of SAM entries
1567 static int net_sam_show(struct net_context *c, int argc, const char **argv)
1570 struct dom_sid_buf buf;
1571 enum lsa_SidType type;
1572 const char *dom, *name;
1574 if (argc != 1 || c->display_usage) {
1575 d_fprintf(stderr, "%s\n%s",
1577 _("net sam show <name>\n"));
1581 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1582 &dom, &name, &sid, &type)) {
1583 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
1587 d_printf(_("%s\\%s is a %s with SID %s\n"), dom, name,
1588 sid_type_lookup(type), dom_sid_str_buf(&sid, &buf));
1596 * Init an LDAP tree with default users and Groups
1597 * if ldapsam:editposix is enabled
1600 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1604 char *ldap_uri = NULL;
1606 struct smbldap_state *state = NULL;
1607 GROUP_MAP *gmap = NULL;
1608 struct dom_sid gsid;
1609 gid_t domusers_gid = -1;
1610 gid_t domadmins_gid = -1;
1611 struct samu *samuser;
1613 bool is_ipa = false;
1614 char *bind_dn = NULL;
1615 char *bind_secret = NULL;
1618 if (c->display_usage) {
1620 "net sam provision\n"
1623 _("Init an LDAP tree with default users/groups"));
1627 tc = talloc_new(NULL);
1629 d_fprintf(stderr, _("Out of Memory!\n"));
1633 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1634 d_fprintf(stderr, _("talloc failed\n"));
1638 p = strchr(ldap_bk, ':');
1641 ldap_uri = talloc_strdup(tc, p+1);
1642 trim_char(ldap_uri, ' ', ' ');
1645 trim_char(ldap_bk, ' ', ' ');
1647 if (strcmp(ldap_bk, "IPA_ldapsam") == 0 ) {
1651 if (strcmp(ldap_bk, "ldapsam") != 0 && !is_ipa ) {
1653 _("Provisioning works only with ldapsam backend\n"));
1657 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1658 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1660 d_fprintf(stderr, _("Provisioning works only if ldapsam:trusted"
1661 " and ldapsam:editposix are enabled.\n"));
1665 if (!is_ipa && !winbind_ping()) {
1666 d_fprintf(stderr, _("winbind seems not to run. Provisioning "
1667 "LDAP only works when winbind runs.\n"));
1671 if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1672 d_fprintf(stderr, _("Failed to retrieve LDAP password from secrets.tdb\n"));
1676 status = smbldap_init(tc, NULL, ldap_uri, false, bind_dn, bind_secret, &state);
1678 memset(bind_secret, '\0', strlen(bind_secret));
1679 SAFE_FREE(bind_secret);
1682 if (!NT_STATUS_IS_OK(status)) {
1683 d_fprintf(stderr, _("Unable to connect to the LDAP server.\n"));
1687 d_printf(_("Checking for Domain Users group.\n"));
1689 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
1691 gmap = talloc_zero(tc, GROUP_MAP);
1693 d_printf(_("Out of memory!\n"));
1697 if (!pdb_getgrsid(gmap, gsid)) {
1698 struct dom_sid_buf gsid_str;
1699 LDAPMod **mods = NULL;
1707 d_printf(_("Adding the Domain Users group.\n"));
1709 /* lets allocate a new groupid for this group */
1713 if (!winbind_allocate_gid(&domusers_gid)) {
1714 d_fprintf(stderr, _("Unable to allocate a new gid to "
1715 "create Domain Users group!\n"));
1720 uname = talloc_strdup(tc, "domusers");
1721 wname = talloc_strdup(tc, "Domain Users");
1722 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers",
1723 lp_ldap_group_suffix(talloc_tos()));
1724 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1725 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1727 if (!uname || !wname || !dn || !gidstr || !gtype) {
1728 d_fprintf(stderr, "Out of Memory!\n");
1732 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1733 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1735 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1736 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1737 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1739 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1740 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1741 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1742 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1743 dom_sid_str_buf(&gsid, &gsid_str));
1744 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1746 smbldap_talloc_autofree_ldapmod(tc, mods);
1748 rc = smbldap_add(state, dn, mods);
1750 if (rc != LDAP_SUCCESS) {
1751 d_fprintf(stderr, _("Failed to add Domain Users group "
1752 "to ldap directory\n"));
1756 if (!pdb_getgrsid(gmap, gsid)) {
1757 d_fprintf(stderr, _("Failed to read just "
1758 "created domain group.\n"));
1761 domusers_gid = gmap->gid;
1765 domusers_gid = gmap->gid;
1766 d_printf(_("found!\n"));
1771 d_printf(_("Checking for Domain Admins group.\n"));
1773 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
1775 if (!pdb_getgrsid(gmap, gsid)) {
1776 struct dom_sid_buf gsid_str;
1777 LDAPMod **mods = NULL;
1785 d_printf(_("Adding the Domain Admins group.\n"));
1787 /* lets allocate a new groupid for this group */
1789 domadmins_gid = 999;
1791 if (!winbind_allocate_gid(&domadmins_gid)) {
1792 d_fprintf(stderr, _("Unable to allocate a new gid to "
1793 "create Domain Admins group!\n"));
1798 uname = talloc_strdup(tc, "domadmins");
1799 wname = talloc_strdup(tc, "Domain Admins");
1800 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins",
1801 lp_ldap_group_suffix(talloc_tos()));
1802 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1803 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1805 if (!uname || !wname || !dn || !gidstr || !gtype) {
1806 d_fprintf(stderr, _("Out of Memory!\n"));
1810 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1811 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1813 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1814 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1815 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1817 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1818 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1819 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1820 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1821 dom_sid_str_buf(&gsid, &gsid_str));
1822 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1824 smbldap_talloc_autofree_ldapmod(tc, mods);
1826 rc = smbldap_add(state, dn, mods);
1828 if (rc != LDAP_SUCCESS) {
1829 d_fprintf(stderr, _("Failed to add Domain Admins group "
1830 "to ldap directory\n"));
1834 if (!pdb_getgrsid(gmap, gsid)) {
1835 d_fprintf(stderr, _("Failed to read just "
1836 "created domain group.\n"));
1839 domadmins_gid = gmap->gid;
1843 domadmins_gid = gmap->gid;
1844 d_printf(_("found!\n"));
1849 d_printf(_("Check for Administrator account.\n"));
1851 samuser = samu_new(tc);
1853 d_fprintf(stderr, _("Out of Memory!\n"));
1857 if (!pdb_getsampwnam(samuser, "Administrator")) {
1858 LDAPMod **mods = NULL;
1860 struct dom_sid_buf sid_str;
1871 d_printf(_("Adding the Administrator user.\n"));
1873 if (domadmins_gid == -1) {
1875 _("Can't create Administrator user, Domain "
1876 "Admins group not available!\n"));
1883 if (!winbind_allocate_uid(&uid)) {
1885 _("Unable to allocate a new uid to create "
1886 "the Administrator user!\n"));
1891 name = talloc_strdup(tc, "Administrator");
1892 dn = talloc_asprintf(tc, "uid=Administrator,%s",
1893 lp_ldap_user_suffix(talloc_tos()));
1894 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1895 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1896 dir = talloc_sub_specified(tc, lp_template_homedir(),
1899 get_global_sam_name(),
1900 uid, domadmins_gid);
1901 shell = talloc_sub_specified(tc, lp_template_shell(),
1904 get_global_sam_name(),
1905 uid, domadmins_gid);
1907 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1908 d_fprintf(stderr, _("Out of Memory!\n"));
1912 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
1914 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1915 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1916 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1918 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
1919 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
1920 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
1921 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
1922 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
1923 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
1924 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", name);
1925 princ = talloc_asprintf(tc, "%s@%s", name, lp_realm());
1927 d_fprintf(stderr, _("Out of Memory!\n"));
1930 smbldap_set_mod(&mods, LDAP_MOD_ADD, "krbPrincipalName", princ);
1932 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1933 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1934 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1935 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1936 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1937 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1938 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1939 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1940 dom_sid_str_buf(&sid, &sid_str));
1941 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1942 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1943 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1945 smbldap_talloc_autofree_ldapmod(tc, mods);
1947 rc = smbldap_add(state, dn, mods);
1949 if (rc != LDAP_SUCCESS) {
1950 d_fprintf(stderr, _("Failed to add Administrator user "
1951 "to ldap directory\n"));
1955 if (!pdb_getsampwnam(samuser, "Administrator")) {
1956 d_fprintf(stderr, _("Failed to read just "
1957 "created user.\n"));
1962 d_printf(_("found!\n"));
1965 d_printf(_("Checking for Guest user.\n"));
1967 samuser = samu_new(tc);
1969 d_fprintf(stderr, _("Out of Memory!\n"));
1973 if (!pdb_getsampwnam(samuser, lp_guest_account())) {
1974 LDAPMod **mods = NULL;
1976 struct dom_sid_buf sid_str;
1982 d_printf(_("Adding the Guest user.\n"));
1984 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
1986 pwd = Get_Pwnam_alloc(tc, lp_guest_account());
1989 if (domusers_gid == -1) {
1991 _("Can't create Guest user, Domain "
1992 "Users group not available!\n"));
1995 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1996 d_fprintf(stderr, _("talloc failed\n"));
1999 pwd->pw_name = talloc_strdup(pwd, lp_guest_account());
2004 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
2006 _("Unable to allocate a new uid to "
2007 "create the Guest user!\n"));
2011 pwd->pw_gid = domusers_gid;
2012 pwd->pw_dir = talloc_strdup(tc, "/");
2013 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
2014 if (!pwd->pw_dir || !pwd->pw_shell) {
2015 d_fprintf(stderr, _("Out of Memory!\n"));
2020 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name,
2021 lp_ldap_user_suffix (talloc_tos()));
2022 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
2023 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2024 if (!dn || !uidstr || !gidstr) {
2025 d_fprintf(stderr, _("Out of Memory!\n"));
2029 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
2030 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
2031 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
2033 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
2034 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
2035 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
2036 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
2037 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
2038 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
2039 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", pwd->pw_name);
2041 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
2042 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
2043 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
2044 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
2045 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2046 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
2047 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
2049 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
2050 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
2052 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
2053 dom_sid_str_buf(&sid, &sid_str));
2054 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
2055 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
2056 NEW_PW_FORMAT_SPACE_PADDED_LEN));
2058 smbldap_talloc_autofree_ldapmod(tc, mods);
2060 rc = smbldap_add(state, dn, mods);
2062 if (rc != LDAP_SUCCESS) {
2063 d_fprintf(stderr, _("Failed to add Guest user to "
2064 "ldap directory\n"));
2068 if (!pdb_getsampwnam(samuser, lp_guest_account())) {
2069 d_fprintf(stderr, _("Failed to read just "
2070 "created user.\n"));
2075 d_printf(_("found!\n"));
2078 d_printf(_("Checking Guest's group.\n"));
2080 pwd = Get_Pwnam_alloc(tc, lp_guest_account());
2083 _("Failed to find just created Guest account!\n"
2084 " Is nss properly configured?!\n"));
2088 if (pwd->pw_gid == domusers_gid) {
2089 d_printf(_("found!\n"));
2093 if (!pdb_getgrgid(gmap, pwd->pw_gid)) {
2094 struct dom_sid_buf gsid_str;
2095 LDAPMod **mods = NULL;
2103 d_printf(_("Adding the Domain Guests group.\n"));
2105 uname = talloc_strdup(tc, "domguests");
2106 wname = talloc_strdup(tc, "Domain Guests");
2107 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests",
2108 lp_ldap_group_suffix(talloc_tos()));
2109 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2110 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
2112 if (!uname || !wname || !dn || !gidstr || !gtype) {
2113 d_fprintf(stderr, _("Out of Memory!\n"));
2117 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
2119 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
2120 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
2122 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
2123 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
2124 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
2126 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
2127 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
2128 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2129 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
2130 dom_sid_str_buf(&gsid, &gsid_str));
2131 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
2133 smbldap_talloc_autofree_ldapmod(tc, mods);
2135 rc = smbldap_add(state, dn, mods);
2137 if (rc != LDAP_SUCCESS) {
2139 _("Failed to add Domain Guests group to ldap "
2143 d_printf(_("found!\n"));
2158 /***********************************************************
2159 migrated functionality from smbgroupedit
2160 **********************************************************/
2161 int net_sam(struct net_context *c, int argc, const char **argv)
2163 struct functable func[] = {
2165 "createbuiltingroup",
2166 net_sam_createbuiltingroup,
2167 NET_TRANSPORT_LOCAL,
2168 N_("Create a new BUILTIN group"),
2169 N_("net sam createbuiltingroup\n"
2170 " Create a new BUILTIN group")
2174 net_sam_createlocalgroup,
2175 NET_TRANSPORT_LOCAL,
2176 N_("Create a new local group"),
2177 N_("net sam createlocalgroup\n"
2178 " Create a new local group")
2181 "createdomaingroup",
2182 net_sam_createdomaingroup,
2183 NET_TRANSPORT_LOCAL,
2184 N_("Create a new group"),
2185 N_("net sam createdomaingroup\n"
2186 " Create a new group")
2190 net_sam_deletelocalgroup,
2191 NET_TRANSPORT_LOCAL,
2192 N_("Delete an existing local group"),
2193 N_("net sam deletelocalgroup\n"
2194 " Delete an existing local group")
2197 "deletedomaingroup",
2198 net_sam_deletedomaingroup,
2199 NET_TRANSPORT_LOCAL,
2200 N_("Delete a domain group"),
2201 N_("net sam deletedomaingroup\n"
2206 net_sam_mapunixgroup,
2207 NET_TRANSPORT_LOCAL,
2208 N_("Map a unix group to a domain group"),
2209 N_("net sam mapunixgroup\n"
2210 " Map a unix group to a domain group")
2214 net_sam_unmapunixgroup,
2215 NET_TRANSPORT_LOCAL,
2216 N_("Remove a group mapping of an unix group to a "
2218 N_("net sam unmapunixgroup\n"
2219 " Remove a group mapping of an unix group to a "
2225 NET_TRANSPORT_LOCAL,
2226 N_("Add a member to a group"),
2227 N_("net sam addmem\n"
2228 " Add a member to a group")
2233 NET_TRANSPORT_LOCAL,
2234 N_("Delete a member from a group"),
2235 N_("net sam delmem\n"
2236 " Delete a member from a group")
2241 NET_TRANSPORT_LOCAL,
2242 N_("List group members"),
2243 N_("net sam listmem\n"
2244 " List group members")
2249 NET_TRANSPORT_LOCAL,
2250 N_("List users, groups and local groups"),
2252 " List users, groups and local groups")
2257 NET_TRANSPORT_LOCAL,
2258 N_("Show details of a SAM entry"),
2260 " Show details of a SAM entry")
2265 NET_TRANSPORT_LOCAL,
2266 N_("Set details of a SAM account"),
2268 " Set details of a SAM account")
2273 NET_TRANSPORT_LOCAL,
2274 N_("Set account policies"),
2275 N_("net sam policy\n"
2276 " Set account policies")
2281 NET_TRANSPORT_LOCAL,
2282 N_("Manipulate user privileges"),
2283 N_("net sam rights\n"
2284 " Manipulate user privileges")
2290 NET_TRANSPORT_LOCAL,
2291 N_("Provision a clean user database"),
2292 N_("net sam privison\n"
2293 " Provision a clear user database")
2296 {NULL, NULL, 0, NULL, NULL}
2299 if (getuid() != 0) {
2300 d_fprintf(stderr, _("You are not root, most things won't "
2304 return net_run_function(c, argc, argv, "net sam", func);
git.samba.org / samba.git / blob