s3-param Remove lp_set_passdb_backend()
[samba.git] / source3 / utils / pdbedit.c
1 /*
2    Unix SMB/CIFS implementation.
3    passdb editing frontend
4
5    Copyright (C) Simo Sorce      2000-2009
6    Copyright (C) Andrew Bartlett 2001
7    Copyright (C) Jelmer Vernooij 2002
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "popt_common.h"
25 #include "../librpc/gen_ndr/samr.h"
26 #include "../libcli/security/security.h"
27 #include "passdb.h"
28
29 #define BIT_BACKEND     0x00000004
30 #define BIT_VERBOSE     0x00000008
31 #define BIT_SPSTYLE     0x00000010
32 #define BIT_CAN_CHANGE  0x00000020
33 #define BIT_MUST_CHANGE 0x00000040
34 #define BIT_USERSIDS    0x00000080
35 #define BIT_FULLNAME    0x00000100
36 #define BIT_HOMEDIR     0x00000200
37 #define BIT_HDIRDRIVE   0x00000400
38 #define BIT_LOGSCRIPT   0x00000800
39 #define BIT_PROFILE     0x00001000
40 #define BIT_MACHINE     0x00002000
41 #define BIT_USERDOMAIN  0x00004000
42 #define BIT_USER        0x00008000
43 #define BIT_LIST        0x00010000
44 #define BIT_MODIFY      0x00020000
45 #define BIT_CREATE      0x00040000
46 #define BIT_DELETE      0x00080000
47 #define BIT_ACCPOLICY   0x00100000
48 #define BIT_ACCPOLVAL   0x00200000
49 #define BIT_ACCTCTRL    0x00400000
50 #define BIT_RESERV_7    0x00800000
51 #define BIT_IMPORT      0x01000000
52 #define BIT_EXPORT      0x02000000
53 #define BIT_FIX_INIT    0x04000000
54 #define BIT_BADPWRESET  0x08000000
55 #define BIT_LOGONHOURS  0x10000000
56 #define BIT_KICKOFFTIME 0x20000000
57 #define BIT_DESCRIPTION 0x40000000
58
59 #define MASK_ALWAYS_GOOD        0x0000001F
60 #define MASK_USER_GOOD          0x60405FE0
61
62 static int get_sid_from_cli_string(struct dom_sid *sid, const char *str_sid)
63 {
64         uint32_t rid;
65
66         if (!string_to_sid(sid, str_sid)) {
67                 /* not a complete sid, may be a RID,
68                  * try building a SID */
69
70                 if (sscanf(str_sid, "%u", &rid) != 1) {
71                         fprintf(stderr, "Error passed string is not "
72                                         "a complete SID or RID!\n");
73                         return -1;
74                 }
75                 sid_compose(sid, get_global_sam_sid(), rid);
76         }
77
78         return 0;
79 }
80
81 /*********************************************************
82  Add all currently available users to another db
83  ********************************************************/
84
85 static int export_database (struct pdb_methods *in,
86                             struct pdb_methods *out,
87                             const char *username)
88 {
89         NTSTATUS status;
90         struct pdb_search *u_search;
91         struct samr_displayentry userentry;
92
93         DEBUG(3, ("export_database: username=\"%s\"\n", username ? username : "(NULL)"));
94
95         u_search = pdb_search_init(talloc_tos(), PDB_USER_SEARCH);
96         if (u_search == NULL) {
97                 DEBUG(0, ("pdb_search_init failed\n"));
98                 return 1;
99         }
100
101         if (!in->search_users(in, u_search, 0)) {
102                 DEBUG(0, ("Could not start searching users\n"));
103                 TALLOC_FREE(u_search);
104                 return 1;
105         }
106
107         while (u_search->next_entry(u_search, &userentry)) {
108                 struct samu *user;
109                 struct samu *account;
110                 struct dom_sid user_sid;
111
112                 DEBUG(4, ("Processing account %s\n", userentry.account_name));
113
114                 if ((username != NULL)
115                     && (strcmp(username, userentry.account_name) != 0)) {
116                         /*
117                          * ignore unwanted users
118                          */
119                         continue;
120                 }
121
122                 user = samu_new(talloc_tos());
123                 if (user == NULL) {
124                         DEBUG(0, ("talloc failed\n"));
125                         break;
126                 }
127
128                 sid_compose(&user_sid, get_global_sam_sid(), userentry.rid);
129
130                 status = in->getsampwsid(in, user, &user_sid);
131
132                 if (!NT_STATUS_IS_OK(status)) {
133                         DEBUG(2, ("getsampwsid failed: %s\n",
134                                   nt_errstr(status)));
135                         TALLOC_FREE(user);
136                         continue;
137                 }
138
139                 account = samu_new(NULL);
140                 if (account == NULL) {
141                         fprintf(stderr, "export_database: Memory allocation "
142                                 "failure!\n");
143                         TALLOC_FREE( user );
144                         TALLOC_FREE(u_search);
145                         return 1;
146                 }
147
148                 printf("Importing account for %s...", user->username);
149                 status = out->getsampwnam(out, account, user->username);
150
151                 if (NT_STATUS_IS_OK(status)) {
152                         status = out->update_sam_account( out, user );
153                 } else {
154                         status = out->add_sam_account(out, user);
155                 }
156
157                 if ( NT_STATUS_IS_OK(status) ) {
158                         printf( "ok\n");
159                 } else {
160                         printf( "failed\n");
161                 }
162
163                 TALLOC_FREE( account );
164                 TALLOC_FREE( user );
165         }
166
167         TALLOC_FREE(u_search);
168
169         return 0;
170 }
171
172 /*********************************************************
173  Add all currently available group mappings to another db
174  ********************************************************/
175
176 static int export_groups (struct pdb_methods *in, struct pdb_methods *out)
177 {
178         GROUP_MAP *maps = NULL;
179         size_t i, entries = 0;
180         NTSTATUS status;
181
182         status = in->enum_group_mapping(in, get_global_sam_sid(),
183                         SID_NAME_DOM_GRP, &maps, &entries, False);
184
185         if ( NT_STATUS_IS_ERR(status) ) {
186                 fprintf(stderr, "Unable to enumerate group map entries.\n");
187                 return 1;
188         }
189
190         for (i=0; i<entries; i++) {
191                 out->add_group_mapping_entry(out, &(maps[i]));
192         }
193
194         SAFE_FREE( maps );
195
196         return 0;
197 }
198
199 /*********************************************************
200  Reset account policies to their default values and remove marker
201  ********************************************************/
202
203 static int reinit_account_policies (void)
204 {
205         int i;
206
207         for (i=1; decode_account_policy_name(i) != NULL; i++) {
208                 uint32_t policy_value;
209                 if (!account_policy_get_default(i, &policy_value)) {
210                         fprintf(stderr, "Can't get default account policy\n");
211                         return -1;
212                 }
213                 if (!account_policy_set(i, policy_value)) {
214                         fprintf(stderr, "Can't set account policy in tdb\n");
215                         return -1;
216                 }
217         }
218
219         return 0;
220 }
221
222
223 /*********************************************************
224  Add all currently available account policy from tdb to one backend
225  ********************************************************/
226
227 static int export_account_policies (struct pdb_methods *in, struct pdb_methods *out) 
228 {
229         int i;
230
231         for ( i=1; decode_account_policy_name(i) != NULL; i++ ) {
232                 uint32_t policy_value;
233                 NTSTATUS status;
234
235                 status = in->get_account_policy(in, i, &policy_value);
236
237                 if ( NT_STATUS_IS_ERR(status) ) {
238                         fprintf(stderr, "Unable to get account policy from %s\n", in->name);
239                         return -1;
240                 }
241
242                 status = out->set_account_policy(out, i, policy_value);
243
244                 if ( NT_STATUS_IS_ERR(status) ) {
245                         fprintf(stderr, "Unable to migrate account policy to %s\n", out->name);
246                         return -1;
247                 }
248         }
249
250         return 0;
251 }
252
253
254 /*********************************************************
255  Print info from sam structure
256 **********************************************************/
257
258 static int print_sam_info (struct samu *sam_pwent, bool verbosity, bool smbpwdstyle)
259 {
260         uid_t uid;
261         time_t tmp;
262
263         /* TODO: check if entry is a user or a workstation */
264         if (!sam_pwent) return -1;
265
266         if (verbosity) {
267                 char temp[44];
268                 const uint8_t *hours;
269
270                 printf ("Unix username:        %s\n", pdb_get_username(sam_pwent));
271                 printf ("NT username:          %s\n", pdb_get_nt_username(sam_pwent));
272                 printf ("Account Flags:        %s\n", pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent), NEW_PW_FORMAT_SPACE_PADDED_LEN));
273                 printf ("User SID:             %s\n",
274                         sid_string_tos(pdb_get_user_sid(sam_pwent)));
275                 printf ("Primary Group SID:    %s\n",
276                         sid_string_tos(pdb_get_group_sid(sam_pwent)));
277                 printf ("Full Name:            %s\n", pdb_get_fullname(sam_pwent));
278                 printf ("Home Directory:       %s\n", pdb_get_homedir(sam_pwent));
279                 printf ("HomeDir Drive:        %s\n", pdb_get_dir_drive(sam_pwent));
280                 printf ("Logon Script:         %s\n", pdb_get_logon_script(sam_pwent));
281                 printf ("Profile Path:         %s\n", pdb_get_profile_path(sam_pwent));
282                 printf ("Domain:               %s\n", pdb_get_domain(sam_pwent));
283                 printf ("Account desc:         %s\n", pdb_get_acct_desc(sam_pwent));
284                 printf ("Workstations:         %s\n", pdb_get_workstations(sam_pwent));
285                 printf ("Munged dial:          %s\n", pdb_get_munged_dial(sam_pwent));
286
287                 tmp = pdb_get_logon_time(sam_pwent);
288                 printf ("Logon time:           %s\n",
289                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
290
291                 tmp = pdb_get_logoff_time(sam_pwent);
292                 printf ("Logoff time:          %s\n",
293                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
294
295                 tmp = pdb_get_kickoff_time(sam_pwent);
296                 printf ("Kickoff time:         %s\n",
297                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
298
299                 tmp = pdb_get_pass_last_set_time(sam_pwent);
300                 printf ("Password last set:    %s\n",
301                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
302
303                 tmp = pdb_get_pass_can_change_time(sam_pwent);
304                 printf ("Password can change:  %s\n",
305                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
306
307                 tmp = pdb_get_pass_must_change_time(sam_pwent);
308                 printf ("Password must change: %s\n",
309                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
310
311                 tmp = pdb_get_bad_password_time(sam_pwent);
312                 printf ("Last bad password   : %s\n",
313                                 tmp ? http_timestring(talloc_tos(), tmp) : "0");
314                 printf ("Bad password count  : %d\n",
315                         pdb_get_bad_password_count(sam_pwent));
316
317                 hours = pdb_get_hours(sam_pwent);
318                 pdb_sethexhours(temp, hours);
319                 printf ("Logon hours         : %s\n", temp);
320
321         } else if (smbpwdstyle) {
322                 char lm_passwd[33];
323                 char nt_passwd[33];
324
325                 uid = nametouid(pdb_get_username(sam_pwent));
326                 pdb_sethexpwd(lm_passwd, pdb_get_lanman_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
327                 pdb_sethexpwd(nt_passwd, pdb_get_nt_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
328
329                 printf("%s:%lu:%s:%s:%s:LCT-%08X:\n",
330                        pdb_get_username(sam_pwent),
331                        (unsigned long)uid,
332                        lm_passwd,
333                        nt_passwd,
334                        pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
335                        (uint32)convert_time_t_to_uint32_t(pdb_get_pass_last_set_time(sam_pwent)));
336         } else {
337                 uid = nametouid(pdb_get_username(sam_pwent));
338                 printf ("%s:%lu:%s\n", pdb_get_username(sam_pwent), (unsigned long)uid,
339                         pdb_get_fullname(sam_pwent));
340         }
341
342         return 0;
343 }
344
345 /*********************************************************
346  Get an Print User Info
347 **********************************************************/
348
349 static int print_user_info(const char *username,
350                            bool verbosity, bool smbpwdstyle)
351 {
352         struct samu *sam_pwent = NULL;
353         bool bret;
354         int ret;
355
356         sam_pwent = samu_new(NULL);
357         if (!sam_pwent) {
358                 return -1;
359         }
360
361         bret = pdb_getsampwnam(sam_pwent, username);
362         if (!bret) {
363                 fprintf (stderr, "Username not found!\n");
364                 TALLOC_FREE(sam_pwent);
365                 return -1;
366         }
367
368         ret = print_sam_info(sam_pwent, verbosity, smbpwdstyle);
369
370         TALLOC_FREE(sam_pwent);
371         return ret;
372 }
373
374 /*********************************************************
375  List Users
376 **********************************************************/
377 static int print_users_list(bool verbosity, bool smbpwdstyle)
378 {
379         struct pdb_search *u_search;
380         struct samr_displayentry userentry;
381         struct samu *sam_pwent;
382         TALLOC_CTX *tosctx;
383         struct dom_sid user_sid;
384         bool bret;
385         int ret;
386
387         tosctx = talloc_tos();
388         if (!tosctx) {
389                 DEBUG(0, ("talloc failed\n"));
390                 return 1;
391         }
392
393         u_search = pdb_search_users(tosctx, 0);
394         if (!u_search) {
395                 DEBUG(0, ("User Search failed!\n"));
396                 ret = 1;
397                 goto done;
398         }
399
400         while (u_search->next_entry(u_search, &userentry)) {
401
402                 sam_pwent = samu_new(tosctx);
403                 if (sam_pwent == NULL) {
404                         DEBUG(0, ("talloc failed\n"));
405                         ret = 1;
406                         goto done;
407                 }
408
409                 sid_compose(&user_sid, get_global_sam_sid(), userentry.rid);
410
411                 bret = pdb_getsampwsid(sam_pwent, &user_sid);
412                 if (!bret) {
413                         DEBUG(2, ("getsampwsid failed\n"));
414                         TALLOC_FREE(sam_pwent);
415                         continue;
416                 }
417
418                 if (verbosity) {
419                         printf ("---------------\n");
420                 }
421                 print_sam_info(sam_pwent, verbosity, smbpwdstyle);
422                 TALLOC_FREE(sam_pwent);
423         }
424
425         ret = 0;
426
427 done:
428         TALLOC_FREE(tosctx);
429         return ret;
430 }
431
432 /*********************************************************
433  Fix a list of Users for uninitialised passwords
434 **********************************************************/
435 static int fix_users_list(void)
436 {
437         struct pdb_search *u_search;
438         struct samr_displayentry userentry;
439         struct samu *sam_pwent;
440         TALLOC_CTX *tosctx;
441         struct dom_sid user_sid;
442         NTSTATUS status;
443         bool bret;
444         int ret;
445
446         tosctx = talloc_tos();
447         if (!tosctx) {
448                 fprintf(stderr, "Out of memory!\n");
449                 return 1;
450         }
451
452         u_search = pdb_search_users(tosctx, 0);
453         if (!u_search) {
454                 fprintf(stderr, "User Search failed!\n");
455                 ret = 1;
456                 goto done;
457         }
458
459         while (u_search->next_entry(u_search, &userentry)) {
460
461                 sam_pwent = samu_new(tosctx);
462                 if (sam_pwent == NULL) {
463                         fprintf(stderr, "Out of memory!\n");
464                         ret = 1;
465                         goto done;
466                 }
467
468                 sid_compose(&user_sid, get_global_sam_sid(), userentry.rid);
469
470                 bret = pdb_getsampwsid(sam_pwent, &user_sid);
471                 if (!bret) {
472                         DEBUG(2, ("getsampwsid failed\n"));
473                         TALLOC_FREE(sam_pwent);
474                         continue;
475                 }
476
477                 status = pdb_update_sam_account(sam_pwent);
478                 if (!NT_STATUS_IS_OK(status)) {
479                         printf("Update of user %s failed!\n",
480                                pdb_get_username(sam_pwent));
481                 }
482                 TALLOC_FREE(sam_pwent);
483         }
484
485         ret = 0;
486
487 done:
488         TALLOC_FREE(tosctx);
489         return ret;
490 }
491
492 /*********************************************************
493  Set User Info
494 **********************************************************/
495
496 static int set_user_info(const char *username, const char *fullname,
497                          const char *homedir, const char *acct_desc,
498                          const char *drive, const char *script,
499                          const char *profile, const char *account_control,
500                          const char *user_sid, const char *user_domain,
501                          const bool badpw, const bool hours,
502                          const char *kickoff_time)
503 {
504         bool updated_autolock = False, updated_badpw = False;
505         struct samu *sam_pwent;
506         uint8_t hours_array[MAX_HOURS_LEN];
507         uint32_t hours_len;
508         uint32_t acb_flags;
509         uint32_t not_settable;
510         uint32_t new_flags;
511         struct dom_sid u_sid;
512         bool ret;
513
514         sam_pwent = samu_new(NULL);
515         if (!sam_pwent) {
516                 return 1;
517         }
518
519         ret = pdb_getsampwnam(sam_pwent, username);
520         if (!ret) {
521                 fprintf (stderr, "Username not found!\n");
522                 TALLOC_FREE(sam_pwent);
523                 return -1;
524         }
525
526         if (hours) {
527                 hours_len = pdb_get_hours_len(sam_pwent);
528                 memset(hours_array, 0xff, hours_len);
529
530                 pdb_set_hours(sam_pwent, hours_array, hours_len, PDB_CHANGED);
531         }
532
533         if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) {
534                 DEBUG(2,("pdb_update_autolock_flag failed.\n"));
535         }
536
537         if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw)) {
538                 DEBUG(2,("pdb_update_bad_password_count failed.\n"));
539         }
540
541         if (fullname)
542                 pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
543         if (acct_desc)
544                 pdb_set_acct_desc(sam_pwent, acct_desc, PDB_CHANGED);
545         if (homedir)
546                 pdb_set_homedir(sam_pwent, homedir, PDB_CHANGED);
547         if (drive)
548                 pdb_set_dir_drive(sam_pwent,drive, PDB_CHANGED);
549         if (script)
550                 pdb_set_logon_script(sam_pwent, script, PDB_CHANGED);
551         if (profile)
552                 pdb_set_profile_path (sam_pwent, profile, PDB_CHANGED);
553         if (user_domain)
554                 pdb_set_domain(sam_pwent, user_domain, PDB_CHANGED);
555
556         if (account_control) {
557                 not_settable = ~(ACB_DISABLED | ACB_HOMDIRREQ |
558                                  ACB_PWNOTREQ | ACB_PWNOEXP | ACB_AUTOLOCK);
559
560                 new_flags = pdb_decode_acct_ctrl(account_control);
561
562                 if (new_flags & not_settable) {
563                         fprintf(stderr, "Can only set [NDHLX] flags\n");
564                         TALLOC_FREE(sam_pwent);
565                         return -1;
566                 }
567
568                 acb_flags = pdb_get_acct_ctrl(sam_pwent);
569
570                 pdb_set_acct_ctrl(sam_pwent,
571                                   (acb_flags & not_settable) | new_flags,
572                                   PDB_CHANGED);
573         }
574         if (user_sid) {
575                 if (get_sid_from_cli_string(&u_sid, user_sid)) {
576                         fprintf(stderr, "Failed to parse SID\n");
577                         return -1;
578                 }
579                 pdb_set_user_sid(sam_pwent, &u_sid, PDB_CHANGED);
580         }
581
582         if (badpw) {
583                 pdb_set_bad_password_count(sam_pwent, 0, PDB_CHANGED);
584                 pdb_set_bad_password_time(sam_pwent, 0, PDB_CHANGED);
585         }
586
587         if (kickoff_time) {
588                 char *endptr;
589                 time_t value = get_time_t_max();
590
591                 if (strcmp(kickoff_time, "never") != 0) {
592                         uint32_t num = strtoul(kickoff_time, &endptr, 10);
593
594                         if ((endptr == kickoff_time) || (endptr[0] != '\0')) {
595                                 fprintf(stderr, "Failed to parse kickoff time\n");
596                                 return -1;
597                         }
598
599                         value = convert_uint32_t_to_time_t(num);
600                 }
601
602                 pdb_set_kickoff_time(sam_pwent, value, PDB_CHANGED);
603         }
604
605         if (NT_STATUS_IS_OK(pdb_update_sam_account(sam_pwent))) {
606                 print_user_info(username, True, False);
607         } else {
608                 fprintf (stderr, "Unable to modify entry!\n");
609                 TALLOC_FREE(sam_pwent);
610                 return -1;
611         }
612         TALLOC_FREE(sam_pwent);
613         return 0;
614 }
615
616 static int set_machine_info(const char *machinename,
617                             const char *account_control,
618                             const char *machine_sid)
619 {
620         struct samu *sam_pwent = NULL;
621         TALLOC_CTX *tosctx;
622         uint32_t acb_flags;
623         uint32_t not_settable;
624         uint32_t new_flags;
625         struct dom_sid m_sid;
626         char *name;
627         int len;
628         bool ret;
629
630         len = strlen(machinename);
631         if (len == 0) {
632                 fprintf(stderr, "No machine name given\n");
633                 return -1;
634         }
635
636         tosctx = talloc_tos();
637         if (!tosctx) {
638                 fprintf(stderr, "Out of memory!\n");
639                 return -1;
640         }
641
642         sam_pwent = samu_new(tosctx);
643         if (!sam_pwent) {
644                 return 1;
645         }
646
647         if (machinename[len-1] == '$') {
648                 name = talloc_strdup(sam_pwent, machinename);
649         } else {
650                 name = talloc_asprintf(sam_pwent, "%s$", machinename);
651         }
652         if (!name) {
653                 fprintf(stderr, "Out of memory!\n");
654                 TALLOC_FREE(sam_pwent);
655                 return -1;
656         }
657
658         strlower_m(name);
659
660         ret = pdb_getsampwnam(sam_pwent, name);
661         if (!ret) {
662                 fprintf (stderr, "Username not found!\n");
663                 TALLOC_FREE(sam_pwent);
664                 return -1;
665         }
666
667         if (account_control) {
668                 not_settable = ~(ACB_DISABLED);
669
670                 new_flags = pdb_decode_acct_ctrl(account_control);
671
672                 if (new_flags & not_settable) {
673                         fprintf(stderr, "Can only set [D] flags\n");
674                         TALLOC_FREE(sam_pwent);
675                         return -1;
676                 }
677
678                 acb_flags = pdb_get_acct_ctrl(sam_pwent);
679
680                 pdb_set_acct_ctrl(sam_pwent,
681                                   (acb_flags & not_settable) | new_flags,
682                                   PDB_CHANGED);
683         }
684         if (machine_sid) {
685                 if (get_sid_from_cli_string(&m_sid, machine_sid)) {
686                         fprintf(stderr, "Failed to parse SID\n");
687                         return -1;
688                 }
689                 pdb_set_user_sid(sam_pwent, &m_sid, PDB_CHANGED);
690         }
691
692         if (NT_STATUS_IS_OK(pdb_update_sam_account(sam_pwent))) {
693                 print_user_info(name, True, False);
694         } else {
695                 fprintf (stderr, "Unable to modify entry!\n");
696                 TALLOC_FREE(sam_pwent);
697                 return -1;
698         }
699         TALLOC_FREE(sam_pwent);
700         return 0;
701 }
702
703 /*********************************************************
704  Add New User
705 **********************************************************/
706 static int new_user(const char *username, const char *fullname,
707                     const char *homedir, const char *drive,
708                     const char *script, const char *profile,
709                     char *user_sid, bool stdin_get)
710 {
711         char *pwd1 = NULL, *pwd2 = NULL;
712         char *err = NULL, *msg = NULL;
713         struct samu *sam_pwent = NULL;
714         TALLOC_CTX *tosctx;
715         NTSTATUS status;
716         struct dom_sid u_sid;
717         int flags;
718         int ret;
719
720         tosctx = talloc_tos();
721         if (!tosctx) {
722                 fprintf(stderr, "Out of memory!\n");
723                 return -1;
724         }
725
726         if (user_sid) {
727                 if (get_sid_from_cli_string(&u_sid, user_sid)) {
728                         fprintf(stderr, "Failed to parse SID\n");
729                         return -1;
730                 }
731         }
732
733         pwd1 = get_pass( "new password:", stdin_get);
734         pwd2 = get_pass( "retype new password:", stdin_get);
735         if (!pwd1 || !pwd2) {
736                 fprintf(stderr, "Failed to read passwords.\n");
737                 return -1;
738         }
739         ret = strcmp(pwd1, pwd2);
740         if (ret != 0) {
741                 fprintf (stderr, "Passwords do not match!\n");
742                 goto done;
743         }
744
745         flags = LOCAL_ADD_USER | LOCAL_SET_PASSWORD;
746
747         status = local_password_change(username, flags, pwd1, &err, &msg);
748         if (!NT_STATUS_IS_OK(status)) {
749                 if (err) fprintf(stderr, "%s", err);
750                 ret = -1;
751                 goto done;
752         }
753
754         sam_pwent = samu_new(tosctx);
755         if (!sam_pwent) {
756                 fprintf(stderr, "Out of memory!\n");
757                 ret = -1;
758                 goto done;
759         }
760
761         if (!pdb_getsampwnam(sam_pwent, username)) {
762                 fprintf(stderr, "User %s not found!\n", username);
763                 ret = -1;
764                 goto done;
765         }
766
767         if (fullname)
768                 pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED);
769         if (homedir)
770                 pdb_set_homedir(sam_pwent, homedir, PDB_CHANGED);
771         if (drive)
772                 pdb_set_dir_drive(sam_pwent, drive, PDB_CHANGED);
773         if (script)
774                 pdb_set_logon_script(sam_pwent, script, PDB_CHANGED);
775         if (profile)
776                 pdb_set_profile_path(sam_pwent, profile, PDB_CHANGED);
777         if (user_sid)
778                 pdb_set_user_sid(sam_pwent, &u_sid, PDB_CHANGED);
779
780         status = pdb_update_sam_account(sam_pwent);
781         if (!NT_STATUS_IS_OK(status)) {
782                 fprintf(stderr,
783                         "Failed to modify entry for user %s.!\n",
784                         username);
785                 ret = -1;
786                 goto done;
787         }
788
789         print_user_info(username, True, False);
790         ret = 0;
791
792 done:
793         if (pwd1) memset(pwd1, 0, strlen(pwd1));
794         if (pwd2) memset(pwd2, 0, strlen(pwd2));
795         SAFE_FREE(pwd1);
796         SAFE_FREE(pwd2);
797         SAFE_FREE(err);
798         SAFE_FREE(msg);
799         TALLOC_FREE(sam_pwent);
800         return ret;
801 }
802
803 /*********************************************************
804  Add New Machine
805 **********************************************************/
806
807 static int new_machine(const char *machinename, char *machine_sid)
808 {
809         char *err = NULL, *msg = NULL;
810         struct samu *sam_pwent = NULL;
811         TALLOC_CTX *tosctx;
812         NTSTATUS status;
813         struct dom_sid m_sid;
814         char *compatpwd;
815         char *name;
816         int flags;
817         int len;
818         int ret;
819
820         len = strlen(machinename);
821         if (len == 0) {
822                 fprintf(stderr, "No machine name given\n");
823                 return -1;
824         }
825
826         tosctx = talloc_tos();
827         if (!tosctx) {
828                 fprintf(stderr, "Out of memory!\n");
829                 return -1;
830         }
831
832         if (machine_sid) {
833                 if (get_sid_from_cli_string(&m_sid, machine_sid)) {
834                         fprintf(stderr, "Failed to parse SID\n");
835                         return -1;
836                 }
837         }
838
839         compatpwd = talloc_strdup(tosctx, machinename);
840         if (!compatpwd) {
841                 fprintf(stderr, "Out of memory!\n");
842                 return -1;
843         }
844
845         if (machinename[len-1] == '$') {
846                 name = talloc_strdup(tosctx, machinename);
847                 compatpwd[len-1] = '\0';
848         } else {
849                 name = talloc_asprintf(tosctx, "%s$", machinename);
850         }
851         if (!name) {
852                 fprintf(stderr, "Out of memory!\n");
853                 return -1;
854         }
855
856         strlower_m(name);
857
858         flags = LOCAL_ADD_USER | LOCAL_TRUST_ACCOUNT | LOCAL_SET_PASSWORD;
859
860         status = local_password_change(name, flags, compatpwd, &err, &msg);
861
862         if (!NT_STATUS_IS_OK(status)) {
863                 if (err) fprintf(stderr, "%s", err);
864                 ret = -1;
865         }
866
867         sam_pwent = samu_new(tosctx);
868         if (!sam_pwent) {
869                 fprintf(stderr, "Out of memory!\n");
870                 ret = -1;
871                 goto done;
872         }
873
874         if (!pdb_getsampwnam(sam_pwent, name)) {
875                 fprintf(stderr, "Machine %s not found!\n", name);
876                 ret = -1;
877                 goto done;
878         }
879
880         if (machine_sid)
881                 pdb_set_user_sid(sam_pwent, &m_sid, PDB_CHANGED);
882
883         status = pdb_update_sam_account(sam_pwent);
884         if (!NT_STATUS_IS_OK(status)) {
885                 fprintf(stderr,
886                         "Failed to modify entry for %s.!\n", name);
887                 ret = -1;
888                 goto done;
889         }
890
891         print_user_info(name, True, False);
892         ret = 0;
893
894 done:
895         SAFE_FREE(err);
896         SAFE_FREE(msg);
897         TALLOC_FREE(sam_pwent);
898         return ret;
899 }
900
901 /*********************************************************
902  Delete user entry
903 **********************************************************/
904
905 static int delete_user_entry(const char *username)
906 {
907         struct samu *samaccount;
908
909         samaccount = samu_new(NULL);
910         if (!samaccount) {
911                 fprintf(stderr, "Out of memory!\n");
912                 return -1;
913         }
914
915         if (!pdb_getsampwnam(samaccount, username)) {
916                 fprintf (stderr,
917                          "user %s does not exist in the passdb\n", username);
918                 TALLOC_FREE(samaccount);
919                 return -1;
920         }
921
922         if (!NT_STATUS_IS_OK(pdb_delete_sam_account(samaccount))) {
923                 fprintf (stderr, "Unable to delete user %s\n", username);
924                 TALLOC_FREE(samaccount);
925                 return -1;
926         }
927
928         TALLOC_FREE(samaccount);
929         return 0;
930 }
931
932 /*********************************************************
933  Delete machine entry
934 **********************************************************/
935
936 static int delete_machine_entry(const char *machinename)
937 {
938         struct samu *samaccount = NULL;
939         const char *name;
940
941         if (strlen(machinename) == 0) {
942                 fprintf(stderr, "No machine name given\n");
943                 return -1;
944         }
945
946         samaccount = samu_new(NULL);
947         if (!samaccount) {
948                 fprintf(stderr, "Out of memory!\n");
949                 return -1;
950         }
951
952         if (machinename[strlen(machinename)-1] != '$') {
953                 name = talloc_asprintf(samaccount, "%s$", machinename);
954         } else {
955                 name = machinename;
956         }
957
958         if (!pdb_getsampwnam(samaccount, name)) {
959                 fprintf (stderr,
960                          "machine %s does not exist in the passdb\n", name);
961                 return -1;
962                 TALLOC_FREE(samaccount);
963         }
964
965         if (!NT_STATUS_IS_OK(pdb_delete_sam_account(samaccount))) {
966                 fprintf (stderr, "Unable to delete machine %s\n", name);
967                 TALLOC_FREE(samaccount);
968                 return -1;
969         }
970
971         TALLOC_FREE(samaccount);
972         return 0;
973 }
974
975 /*********************************************************
976  Start here.
977 **********************************************************/
978
979 int main (int argc, char **argv)
980 {
981         static int list_users = False;
982         static int verbose = False;
983         static int spstyle = False;
984         static int machine = False;
985         static int add_user = False;
986         static int delete_user = False;
987         static int modify_user = False;
988         uint32  setparms, checkparms;
989         int opt;
990         static char *full_name = NULL;
991         static char *acct_desc = NULL;
992         static const char *user_name = NULL;
993         static char *home_dir = NULL;
994         static char *home_drive = NULL;
995         static const char *backend = NULL;
996         static char *backend_in = NULL;
997         static char *backend_out = NULL;
998         static int transfer_groups = False;
999         static int transfer_account_policies = False;
1000         static int reset_account_policies = False;
1001         static int  force_initialised_password = False;
1002         static char *logon_script = NULL;
1003         static char *profile_path = NULL;
1004         static char *user_domain = NULL;
1005         static char *account_control = NULL;
1006         static char *account_policy = NULL;
1007         static char *user_sid = NULL;
1008         static char *machine_sid = NULL;
1009         static long int account_policy_value = 0;
1010         bool account_policy_value_set = False;
1011         static int badpw_reset = False;
1012         static int hours_reset = False;
1013         static char *pwd_time_format = NULL;
1014         static int pw_from_stdin = False;
1015         struct pdb_methods *bin, *bout;
1016         static char *kickoff_time = NULL;
1017         TALLOC_CTX *frame = talloc_stackframe();
1018         NTSTATUS status;
1019         poptContext pc;
1020         struct poptOption long_options[] = {
1021                 POPT_AUTOHELP
1022                 {"list",        'L', POPT_ARG_NONE, &list_users, 0, "list all users", NULL},
1023                 {"verbose",     'v', POPT_ARG_NONE, &verbose, 0, "be verbose", NULL },
1024                 {"smbpasswd-style",     'w',POPT_ARG_NONE, &spstyle, 0, "give output in smbpasswd style", NULL},
1025                 {"user",        'u', POPT_ARG_STRING, &user_name, 0, "use username", "USER" },
1026                 {"account-desc",        'N', POPT_ARG_STRING, &acct_desc, 0, "set account description", NULL},
1027                 {"fullname",    'f', POPT_ARG_STRING, &full_name, 0, "set full name", NULL},
1028                 {"homedir",     'h', POPT_ARG_STRING, &home_dir, 0, "set home directory", NULL},
1029                 {"drive",       'D', POPT_ARG_STRING, &home_drive, 0, "set home drive", NULL},
1030                 {"script",      'S', POPT_ARG_STRING, &logon_script, 0, "set logon script", NULL},
1031                 {"profile",     'p', POPT_ARG_STRING, &profile_path, 0, "set profile path", NULL},
1032                 {"domain",      'I', POPT_ARG_STRING, &user_domain, 0, "set a users' domain", NULL},
1033                 {"user SID",    'U', POPT_ARG_STRING, &user_sid, 0, "set user SID or RID", NULL},
1034                 {"machine SID", 'M', POPT_ARG_STRING, &machine_sid, 0, "set machine SID or RID", NULL},
1035                 {"create",      'a', POPT_ARG_NONE, &add_user, 0, "create user", NULL},
1036                 {"modify",      'r', POPT_ARG_NONE, &modify_user, 0, "modify user", NULL},
1037                 {"machine",     'm', POPT_ARG_NONE, &machine, 0, "account is a machine account", NULL},
1038                 {"delete",      'x', POPT_ARG_NONE, &delete_user, 0, "delete user", NULL},
1039                 {"backend",     'b', POPT_ARG_STRING, &backend, 0, "use different passdb backend as default backend", NULL},
1040                 {"import",      'i', POPT_ARG_STRING, &backend_in, 0, "import user accounts from this backend", NULL},
1041                 {"export",      'e', POPT_ARG_STRING, &backend_out, 0, "export user accounts to this backend", NULL},
1042                 {"group",       'g', POPT_ARG_NONE, &transfer_groups, 0, "use -i and -e for groups", NULL},
1043                 {"policies",    'y', POPT_ARG_NONE, &transfer_account_policies, 0, "use -i and -e to move account policies between backends", NULL},
1044                 {"policies-reset",      0, POPT_ARG_NONE, &reset_account_policies, 0, "restore default policies", NULL},
1045                 {"account-policy",      'P', POPT_ARG_STRING, &account_policy, 0,"value of an account policy (like maximum password age)",NULL},
1046                 {"value",       'C', POPT_ARG_LONG, &account_policy_value, 'C',"set the account policy to this value", NULL},
1047                 {"account-control",     'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL},
1048                 {"force-initialized-passwords", 0, POPT_ARG_NONE, &force_initialised_password, 0, "Force initialization of corrupt password strings in a passdb backend", NULL},
1049                 {"bad-password-count-reset", 'z', POPT_ARG_NONE, &badpw_reset, 0, "reset bad password count", NULL},
1050                 {"logon-hours-reset", 'Z', POPT_ARG_NONE, &hours_reset, 0, "reset logon hours", NULL},
1051                 {"time-format", 0, POPT_ARG_STRING, &pwd_time_format, 0, "The time format for time parameters", NULL },
1052                 {"password-from-stdin", 't', POPT_ARG_NONE, &pw_from_stdin, 0, "get password from standard in", NULL},
1053                 {"kickoff-time", 'K', POPT_ARG_STRING, &kickoff_time, 0, "set the kickoff time", NULL},
1054                 POPT_COMMON_SAMBA
1055                 POPT_TABLEEND
1056         };
1057
1058         bin = bout = NULL;
1059
1060         load_case_tables();
1061
1062         setup_logging("pdbedit", DEBUG_STDOUT);
1063
1064         pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
1065                             POPT_CONTEXT_KEEP_FIRST);
1066
1067         while((opt = poptGetNextOpt(pc)) != -1) {
1068                 switch (opt) {
1069                 case 'C':
1070                         account_policy_value_set = True;
1071                         break;
1072                 }
1073         }
1074
1075         poptGetArg(pc); /* Drop argv[0], the program name */
1076
1077         if (user_name == NULL)
1078                 user_name = poptGetArg(pc);
1079
1080         if (!lp_load(get_dyn_CONFIGFILE(),True,False,False,True)) {
1081                 fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE());
1082                 exit(1);
1083         }
1084
1085         if (!init_names())
1086                 exit(1);
1087
1088         setparms =      (backend ? BIT_BACKEND : 0) +
1089                         (verbose ? BIT_VERBOSE : 0) +
1090                         (spstyle ? BIT_SPSTYLE : 0) +
1091                         (full_name ? BIT_FULLNAME : 0) +
1092                         (home_dir ? BIT_HOMEDIR : 0) +
1093                         (home_drive ? BIT_HDIRDRIVE : 0) +
1094                         (logon_script ? BIT_LOGSCRIPT : 0) +
1095                         (profile_path ? BIT_PROFILE : 0) +
1096                         (user_domain ? BIT_USERDOMAIN : 0) +
1097                         (machine ? BIT_MACHINE : 0) +
1098                         (user_name ? BIT_USER : 0) +
1099                         (list_users ? BIT_LIST : 0) +
1100                         (force_initialised_password ? BIT_FIX_INIT : 0) +
1101                         (user_sid ? BIT_USERSIDS : 0) +
1102                         (machine_sid ? BIT_USERSIDS : 0) +
1103                         (modify_user ? BIT_MODIFY : 0) +
1104                         (add_user ? BIT_CREATE : 0) +
1105                         (delete_user ? BIT_DELETE : 0) +
1106                         (account_control ? BIT_ACCTCTRL : 0) +
1107                         (account_policy ? BIT_ACCPOLICY : 0) +
1108                         (account_policy_value_set ? BIT_ACCPOLVAL : 0) +
1109                         (backend_in ? BIT_IMPORT : 0) +
1110                         (backend_out ? BIT_EXPORT : 0) +
1111                         (badpw_reset ? BIT_BADPWRESET : 0) +
1112                         (hours_reset ? BIT_LOGONHOURS : 0) +
1113                         (kickoff_time ? BIT_KICKOFFTIME : 0) +
1114                         (acct_desc ? BIT_DESCRIPTION : 0);
1115
1116         if (setparms & BIT_BACKEND) {
1117                 /* HACK: set the global passdb backend by overwriting globals.
1118                  * This way we can use regular pdb functions for default
1119                  * operations that do not involve passdb migrations */
1120                 lp_set_cmdline("passdb backend", backend);
1121         } else {
1122                 backend = lp_passdb_backend();
1123         }
1124
1125         if (!initialize_password_db(False, NULL)) {
1126                 fprintf(stderr, "Can't initialize passdb backend.\n");
1127                 exit(1);
1128         }
1129
1130         /* the lowest bit options are always accepted */
1131         checkparms = setparms & ~MASK_ALWAYS_GOOD;
1132
1133         if (checkparms & BIT_FIX_INIT) {
1134                 return fix_users_list();
1135         }
1136
1137         /* account policy operations */
1138         if ((checkparms & BIT_ACCPOLICY) && !(checkparms & ~(BIT_ACCPOLICY + BIT_ACCPOLVAL))) {
1139                 uint32_t value;
1140                 enum pdb_policy_type field = account_policy_name_to_typenum(account_policy);
1141                 if (field == 0) {
1142                         const char **names;
1143                         int count;
1144                         int i;
1145                         account_policy_names_list(&names, &count);
1146                         fprintf(stderr, "No account policy by that name!\n");
1147                         if (count !=0) {
1148                                 fprintf(stderr, "Account policy names are:\n");
1149                                 for (i = 0; i < count ; i++) {
1150                                         d_fprintf(stderr, "%s\n", names[i]);
1151                                 }
1152                         }
1153                         SAFE_FREE(names);
1154                         exit(1);
1155                 }
1156                 if (!pdb_get_account_policy(field, &value)) {
1157                         fprintf(stderr, "valid account policy, but unable to fetch value!\n");
1158                         if (!account_policy_value_set)
1159                                 exit(1);
1160                 }
1161                 printf("account policy \"%s\" description: %s\n", account_policy, account_policy_get_desc(field));
1162                 if (account_policy_value_set) {
1163                         printf("account policy \"%s\" value was: %u\n", account_policy, value);
1164                         if (!pdb_set_account_policy(field, account_policy_value)) {
1165                                 fprintf(stderr, "valid account policy, but unable to set value!\n");
1166                                 exit(1);
1167                         }
1168                         printf("account policy \"%s\" value is now: %lu\n", account_policy, account_policy_value);
1169                         exit(0);
1170                 } else {
1171                         printf("account policy \"%s\" value is: %u\n", account_policy, value);
1172                         exit(0);
1173                 }
1174         }
1175
1176         if (reset_account_policies) {
1177                 if (!reinit_account_policies()) {
1178                         exit(1);
1179                 }
1180
1181                 exit(0);
1182         }
1183
1184         /* import and export operations */
1185
1186         if (((checkparms & BIT_IMPORT) ||
1187              (checkparms & BIT_EXPORT)) &&
1188             !(checkparms & ~(BIT_IMPORT +BIT_EXPORT +BIT_USER))) {
1189
1190                 if (backend_in) {
1191                         status = make_pdb_method_name(&bin, backend_in);
1192                 } else {
1193                         status = make_pdb_method_name(&bin, backend);
1194                 }
1195
1196                 if (!NT_STATUS_IS_OK(status)) {
1197                         fprintf(stderr, "Unable to initialize %s.\n",
1198                                 backend_in ? backend_in : backend);
1199                         return 1;
1200                 }
1201
1202                 if (backend_out) {
1203                         status = make_pdb_method_name(&bout, backend_out);
1204                 } else {
1205                         status = make_pdb_method_name(&bout, backend);
1206                 }
1207
1208                 if (!NT_STATUS_IS_OK(status)) {
1209                         fprintf(stderr, "Unable to initialize %s.\n",
1210                                 backend_out ? backend_out : backend);
1211                         return 1;
1212                 }
1213
1214                 if (transfer_account_policies) {
1215
1216                         if (!(checkparms & BIT_USER)) {
1217                                 return export_account_policies(bin, bout);
1218                         }
1219
1220                 } else  if (transfer_groups) {
1221
1222                         if (!(checkparms & BIT_USER)) {
1223                                 return export_groups(bin, bout);
1224                         }
1225
1226                 } else {
1227                         return export_database(bin, bout,
1228                                 (checkparms & BIT_USER) ? user_name : NULL);
1229                 }
1230         }
1231
1232         /* if BIT_USER is defined but nothing else then threat it as -l -u for compatibility */
1233         /* fake up BIT_LIST if only BIT_USER is defined */
1234         if ((checkparms & BIT_USER) && !(checkparms & ~BIT_USER)) {
1235                 checkparms += BIT_LIST;
1236         }
1237
1238         /* modify flag is optional to maintain backwards compatibility */
1239         /* fake up BIT_MODIFY if BIT_USER  and at least one of MASK_USER_GOOD is defined */
1240         if (!((checkparms & ~MASK_USER_GOOD) & ~BIT_USER) && (checkparms & MASK_USER_GOOD)) {
1241                 checkparms += BIT_MODIFY;
1242         }
1243
1244         /* list users operations */
1245         if (checkparms & BIT_LIST) {
1246                 if (!(checkparms & ~BIT_LIST)) {
1247                         return print_users_list(verbose, spstyle);
1248                 }
1249                 if (!(checkparms & ~(BIT_USER + BIT_LIST))) {
1250                         return print_user_info(user_name, verbose, spstyle);
1251                 }
1252         }
1253
1254         /* mask out users options */
1255         checkparms &= ~MASK_USER_GOOD;
1256
1257         /* if bad password count is reset, we must be modifying */
1258         if (checkparms & BIT_BADPWRESET) {
1259                 checkparms |= BIT_MODIFY;
1260                 checkparms &= ~BIT_BADPWRESET;
1261         }
1262
1263         /* if logon hours is reset, must modify */
1264         if (checkparms & BIT_LOGONHOURS) {
1265                 checkparms |= BIT_MODIFY;
1266                 checkparms &= ~BIT_LOGONHOURS;
1267         }
1268
1269         /* account operation */
1270         if ((checkparms & BIT_CREATE) || (checkparms & BIT_MODIFY) || (checkparms & BIT_DELETE)) {
1271                 /* check use of -u option */
1272                 if (!(checkparms & BIT_USER)) {
1273                         fprintf (stderr, "Username not specified! (use -u option)\n");
1274                         return -1;
1275                 }
1276
1277                 /* account creation operations */
1278                 if (!(checkparms & ~(BIT_CREATE + BIT_USER + BIT_MACHINE))) {
1279                         if (checkparms & BIT_MACHINE) {
1280                                 return new_machine(user_name, machine_sid);
1281                         } else {
1282                                 return new_user(user_name, full_name,
1283                                                 home_dir, home_drive,
1284                                                 logon_script, profile_path,
1285                                                 user_sid, pw_from_stdin);
1286                         }
1287                 }
1288
1289                 /* account deletion operations */
1290                 if (!(checkparms & ~(BIT_DELETE + BIT_USER + BIT_MACHINE))) {
1291                         if (checkparms & BIT_MACHINE) {
1292                                 return delete_machine_entry(user_name);
1293                         } else {
1294                                 return delete_user_entry(user_name);
1295                         }
1296                 }
1297
1298                 /* account modification operations */
1299                 if (!(checkparms & ~(BIT_MODIFY + BIT_USER + BIT_MACHINE))) {
1300                         if (checkparms & BIT_MACHINE) {
1301                                 return set_machine_info(user_name,
1302                                                         account_control,
1303                                                         machine_sid);
1304                         } else {
1305                                 return set_user_info(user_name, full_name,
1306                                                      home_dir, acct_desc,
1307                                                      home_drive, logon_script,
1308                                                      profile_path, account_control,
1309                                                      user_sid, user_domain,
1310                                                      badpw_reset, hours_reset,
1311                                                      kickoff_time);
1312                         }
1313                 }
1314         }
1315
1316         if (setparms >= 0x20) {
1317                 fprintf (stderr, "Incompatible or insufficient options on command line!\n");
1318         }
1319         poptPrintHelp(pc, stderr, 0);
1320
1321         TALLOC_FREE(frame);
1322         return 1;
1323 }