2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
5 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
6 Copyright (C) 2004,2008 Guenther Deschner (gd@samba.org)
7 Copyright (C) 2005 Jeremy Allison (jra@samba.org)
8 Copyright (C) 2006 Jelmer Vernooij (jelmer@samba.org)
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>. */
24 #include "utils/net.h"
26 static int net_mode_share;
27 static bool sync_files(struct copy_clistate *cp_clistate, const char *mask);
32 * @brief RPC based subcommands for the 'net' utility.
34 * This file should contain much of the functionality that used to
35 * be found in rpcclient, execpt that the commands should change
36 * less often, and the fucntionality should be sane (the user is not
37 * expected to know a rid/sid before they conduct an operation etc.)
39 * @todo Perhaps eventually these should be split out into a number
40 * of files, as this could get quite big.
45 * Many of the RPC functions need the domain sid. This function gets
46 * it at the start of every run
48 * @param cli A cli_state already connected to the remote machine
50 * @return The Domain SID of the remote machine.
53 NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
55 const char **domain_name)
57 struct rpc_pipe_client *lsa_pipe;
59 NTSTATUS result = NT_STATUS_OK;
60 union lsa_PolicyInformation *info = NULL;
62 lsa_pipe = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result);
64 d_fprintf(stderr, "Could not initialise lsa pipe\n");
68 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, False,
69 SEC_RIGHTS_MAXIMUM_ALLOWED,
71 if (!NT_STATUS_IS_OK(result)) {
72 d_fprintf(stderr, "open_policy failed: %s\n",
77 result = rpccli_lsa_QueryInfoPolicy(lsa_pipe, mem_ctx,
79 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
81 if (!NT_STATUS_IS_OK(result)) {
82 d_fprintf(stderr, "lsaquery failed: %s\n",
87 *domain_name = info->account_domain.name.string;
88 *domain_sid = info->account_domain.sid;
90 rpccli_lsa_Close(lsa_pipe, mem_ctx, &pol);
91 cli_rpc_pipe_close(lsa_pipe);
97 * Run a single RPC command, from start to finish.
99 * @param pipe_name the pipe to connect to (usually a PIPE_ constant)
100 * @param conn_flag a NET_FLAG_ combination. Passed to
101 * net_make_ipc_connection.
102 * @param argc Standard main() style argc.
103 * @param argv Standard main() style argv. Initial components are already
105 * @return A shell status integer (0 for success).
108 int run_rpc_command(struct cli_state *cli_arg,
115 struct cli_state *cli = NULL;
116 struct rpc_pipe_client *pipe_hnd = NULL;
120 const char *domain_name;
122 /* make use of cli_state handed over as an argument, if possible */
124 nt_status = net_make_ipc_connection(conn_flags, &cli);
125 if (!NT_STATUS_IS_OK(nt_status)) {
126 DEBUG(1, ("failed to make ipc connection: %s\n",
127 nt_errstr(nt_status)));
140 if (!(mem_ctx = talloc_init("run_rpc_command"))) {
141 DEBUG(0, ("talloc_init() failed\n"));
146 nt_status = net_get_remote_domain_sid(cli, mem_ctx, &domain_sid,
148 if (!NT_STATUS_IS_OK(nt_status)) {
153 if (!(conn_flags & NET_FLAGS_NO_PIPE)) {
154 if (lp_client_schannel() && (pipe_idx == PI_NETLOGON)) {
155 /* Always try and create an schannel netlogon pipe. */
156 pipe_hnd = cli_rpc_pipe_open_schannel(cli, pipe_idx,
157 PIPE_AUTH_LEVEL_PRIVACY,
161 DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
162 nt_errstr(nt_status) ));
167 pipe_hnd = cli_rpc_pipe_open_noauth(cli, pipe_idx, &nt_status);
169 DEBUG(0, ("Could not initialise pipe %s. Error was %s\n",
170 cli_get_pipe_name(pipe_idx),
171 nt_errstr(nt_status) ));
178 nt_status = fn(domain_sid, domain_name, cli, pipe_hnd, mem_ctx, argc, argv);
180 if (!NT_STATUS_IS_OK(nt_status)) {
181 DEBUG(1, ("rpc command function failed! (%s)\n", nt_errstr(nt_status)));
183 DEBUG(5, ("rpc command function succedded\n"));
186 if (!(conn_flags & NET_FLAGS_NO_PIPE)) {
188 cli_rpc_pipe_close(pipe_hnd);
192 /* close the connection only if it was opened here */
197 talloc_destroy(mem_ctx);
198 return (!NT_STATUS_IS_OK(nt_status));
202 * Force a change of the trust acccount password.
204 * All parameters are provided by the run_rpc_command function, except for
205 * argc, argv which are passed through.
207 * @param domain_sid The domain sid acquired from the remote server
208 * @param cli A cli_state connected to the server.
209 * @param mem_ctx Talloc context, destroyed on completion of the function.
210 * @param argc Standard main() style argc.
211 * @param argv Standard main() style argv. Initial components are already
214 * @return Normal NTSTATUS return.
217 static NTSTATUS rpc_changetrustpw_internals(const DOM_SID *domain_sid,
218 const char *domain_name,
219 struct cli_state *cli,
220 struct rpc_pipe_client *pipe_hnd,
226 return trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, opt_target_workgroup);
230 * Force a change of the trust acccount password.
232 * @param argc Standard main() style argc.
233 * @param argv Standard main() style argv. Initial components are already
236 * @return A shell status integer (0 for success).
239 int net_rpc_changetrustpw(int argc, const char **argv)
241 return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
242 rpc_changetrustpw_internals,
247 * Join a domain, the old way.
249 * This uses 'machinename' as the inital password, and changes it.
251 * The password should be created with 'server manager' or equiv first.
253 * All parameters are provided by the run_rpc_command function, except for
254 * argc, argv which are passed through.
256 * @param domain_sid The domain sid acquired from the remote server.
257 * @param cli A cli_state connected to the server.
258 * @param mem_ctx Talloc context, destroyed on completion of the function.
259 * @param argc Standard main() style argc.
260 * @param argv Standard main() style argv. Initial components are already
263 * @return Normal NTSTATUS return.
266 static NTSTATUS rpc_oldjoin_internals(const DOM_SID *domain_sid,
267 const char *domain_name,
268 struct cli_state *cli,
269 struct rpc_pipe_client *pipe_hnd,
275 fstring trust_passwd;
276 unsigned char orig_trust_passwd_hash[16];
278 uint32 sec_channel_type;
280 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result);
282 DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
285 nt_errstr(result) ));
290 check what type of join - if the user want's to join as
291 a BDC, the server must agree that we are a BDC.
294 sec_channel_type = get_sec_channel_type(argv[0]);
296 sec_channel_type = get_sec_channel_type(NULL);
299 fstrcpy(trust_passwd, global_myname());
300 strlower_m(trust_passwd);
303 * Machine names can be 15 characters, but the max length on
304 * a password is 14. --jerry
307 trust_passwd[14] = '\0';
309 E_md4hash(trust_passwd, orig_trust_passwd_hash);
311 result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, opt_target_workgroup,
312 orig_trust_passwd_hash,
315 if (NT_STATUS_IS_OK(result))
316 printf("Joined domain %s.\n",opt_target_workgroup);
319 if (!secrets_store_domain_sid(opt_target_workgroup, domain_sid)) {
320 DEBUG(0, ("error storing domain sid for %s\n", opt_target_workgroup));
321 result = NT_STATUS_UNSUCCESSFUL;
328 * Join a domain, the old way.
330 * @param argc Standard main() style argc.
331 * @param argv Standard main() style argv. Initial components are already
334 * @return A shell status integer (0 for success)
337 static int net_rpc_perform_oldjoin(int argc, const char **argv)
339 return run_rpc_command(NULL, PI_NETLOGON,
340 NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
341 rpc_oldjoin_internals,
346 * Join a domain, the old way. This function exists to allow
347 * the message to be displayed when oldjoin was explicitly
348 * requested, but not when it was implied by "net rpc join".
350 * @param argc Standard main() style argc.
351 * @param argv Standard main() style argv. Initial components are already
354 * @return A shell status integer (0 for success)
357 static int net_rpc_oldjoin(int argc, const char **argv)
359 int rc = net_rpc_perform_oldjoin(argc, argv);
362 d_fprintf(stderr, "Failed to join domain\n");
369 * Basic usage function for 'net rpc join'.
370 * @param argc Standard main() style argc.
371 * @param argv Standard main() style argv. Initial components are already
375 static int rpc_join_usage(int argc, const char **argv)
377 d_printf("net rpc join -U <username>[%%password] <type>[options]\n"\
378 "\t to join a domain with admin username & password\n"\
379 "\t\t password will be prompted if needed and none is specified\n"\
380 "\t <type> can be (default MEMBER)\n"\
381 "\t\t BDC - Join as a BDC\n"\
382 "\t\t PDC - Join as a PDC\n"\
383 "\t\t MEMBER - Join as a MEMBER server\n");
385 net_common_flags_usage(argc, argv);
390 * 'net rpc join' entrypoint.
391 * @param argc Standard main() style argc.
392 * @param argv Standard main() style argv. Initial components are already
395 * Main 'net_rpc_join()' (where the admin username/password is used) is
397 * Try to just change the password, but if that doesn't work, use/prompt
398 * for a username/password.
401 int net_rpc_join(int argc, const char **argv)
403 if (lp_server_role() == ROLE_STANDALONE) {
404 d_printf("cannot join as standalone machine\n");
408 if (strlen(global_myname()) > 15) {
409 d_printf("Our netbios name can be at most 15 chars long, "
410 "\"%s\" is %u chars long\n",
411 global_myname(), (unsigned int)strlen(global_myname()));
415 if ((net_rpc_perform_oldjoin(argc, argv) == 0))
418 return net_rpc_join_newstyle(argc, argv);
422 * display info about a rpc domain
424 * All parameters are provided by the run_rpc_command function, except for
425 * argc, argv which are passed through.
427 * @param domain_sid The domain sid acquired from the remote server.
428 * @param cli A cli_state connected to the server.
429 * @param mem_ctx Talloc context, destroyed on completion of the function.
430 * @param argc Standard main() style argc.
431 * @param argv Standard main() style argv. Initial components are already
434 * @return Normal NTSTATUS return.
437 NTSTATUS rpc_info_internals(const DOM_SID *domain_sid,
438 const char *domain_name,
439 struct cli_state *cli,
440 struct rpc_pipe_client *pipe_hnd,
445 POLICY_HND connect_pol, domain_pol;
446 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
447 union samr_DomainInfo *info = NULL;
450 sid_to_fstring(sid_str, domain_sid);
452 /* Get sam policy handle */
453 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
454 pipe_hnd->cli->desthost,
455 MAXIMUM_ALLOWED_ACCESS,
457 if (!NT_STATUS_IS_OK(result)) {
458 d_fprintf(stderr, "Could not connect to SAM: %s\n", nt_errstr(result));
462 /* Get domain policy handle */
463 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
465 MAXIMUM_ALLOWED_ACCESS,
466 CONST_DISCARD(struct dom_sid2 *, domain_sid),
468 if (!NT_STATUS_IS_OK(result)) {
469 d_fprintf(stderr, "Could not open domain: %s\n", nt_errstr(result));
473 result = rpccli_samr_QueryDomainInfo(pipe_hnd, mem_ctx,
477 if (NT_STATUS_IS_OK(result)) {
478 d_printf("Domain Name: %s\n", info->info2.domain_name.string);
479 d_printf("Domain SID: %s\n", sid_str);
480 d_printf("Sequence number: %llu\n",
481 (unsigned long long)info->info2.sequence_num);
482 d_printf("Num users: %u\n", info->info2.num_users);
483 d_printf("Num domain groups: %u\n", info->info2.num_groups);
484 d_printf("Num local groups: %u\n", info->info2.num_aliases);
492 * 'net rpc info' entrypoint.
493 * @param argc Standard main() style argc
494 * @param argv Standard main() style argv. Initial components are already
498 int net_rpc_info(int argc, const char **argv)
500 return run_rpc_command(NULL, PI_SAMR, NET_FLAGS_PDC,
506 * Fetch domain SID into the local secrets.tdb
508 * All parameters are provided by the run_rpc_command function, except for
509 * argc, argv which are passed through.
511 * @param domain_sid The domain sid acquired from the remote server.
512 * @param cli A cli_state connected to the server.
513 * @param mem_ctx Talloc context, destroyed on completion of the function.
514 * @param argc Standard main() style argc.
515 * @param argv Standard main() style argv. Initial components are already
518 * @return Normal NTSTATUS return.
521 static NTSTATUS rpc_getsid_internals(const DOM_SID *domain_sid,
522 const char *domain_name,
523 struct cli_state *cli,
524 struct rpc_pipe_client *pipe_hnd,
531 sid_to_fstring(sid_str, domain_sid);
532 d_printf("Storing SID %s for Domain %s in secrets.tdb\n",
533 sid_str, domain_name);
535 if (!secrets_store_domain_sid(domain_name, domain_sid)) {
536 DEBUG(0,("Can't store domain SID\n"));
537 return NT_STATUS_UNSUCCESSFUL;
544 * 'net rpc getsid' entrypoint.
545 * @param argc Standard main() style argc.
546 * @param argv Standard main() style argv. Initial components are already
550 int net_rpc_getsid(int argc, const char **argv)
552 return run_rpc_command(NULL, PI_SAMR, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
553 rpc_getsid_internals,
557 /****************************************************************************/
560 * Basic usage function for 'net rpc user'.
561 * @param argc Standard main() style argc.
562 * @param argv Standard main() style argv. Initial components are already
566 static int rpc_user_usage(int argc, const char **argv)
568 return net_help_user(argc, argv);
572 * Add a new user to a remote RPC server.
574 * @param argc Standard main() style argc.
575 * @param argv Standard main() style argv. Initial components are already
578 * @return A shell status integer (0 for success)
581 static int rpc_user_add(int argc, const char **argv)
583 NET_API_STATUS status;
584 struct USER_INFO_1 info1;
585 uint32_t parm_error = 0;
588 d_printf("User must be specified\n");
589 rpc_user_usage(argc, argv);
595 info1.usri1_name = argv[0];
597 info1.usri1_password = argv[1];
600 status = NetUserAdd(opt_host, 1, (uint8_t *)&info1, &parm_error);
603 d_fprintf(stderr, "Failed to add user '%s' with: %s.\n",
604 argv[0], libnetapi_get_error_string(netapi_ctx, status));
607 d_printf("Added user '%s'.\n", argv[0]);
614 * Rename a user on a remote RPC server.
616 * All parameters are provided by the run_rpc_command function, except for
617 * argc, argv which are passed through.
619 * @param domain_sid The domain sid acquired from the remote server.
620 * @param cli A cli_state connected to the server.
621 * @param mem_ctx Talloc context, destroyed on completion of the function.
622 * @param argc Standard main() style argc.
623 * @param argv Standard main() style argv. Initial components are already
626 * @return Normal NTSTATUS return.
629 static NTSTATUS rpc_user_rename_internals(const DOM_SID *domain_sid,
630 const char *domain_name,
631 struct cli_state *cli,
632 struct rpc_pipe_client *pipe_hnd,
637 POLICY_HND connect_pol, domain_pol, user_pol;
638 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
639 uint32 info_level = 7;
640 const char *old_name, *new_name;
641 struct samr_Ids user_rids, name_types;
642 struct lsa_String lsa_acct_name;
643 union samr_UserInfo *info = NULL;
646 d_printf("Old and new username must be specified\n");
647 rpc_user_usage(argc, argv);
654 /* Get sam policy handle */
656 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
657 pipe_hnd->cli->desthost,
658 MAXIMUM_ALLOWED_ACCESS,
661 if (!NT_STATUS_IS_OK(result)) {
665 /* Get domain policy handle */
667 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
669 MAXIMUM_ALLOWED_ACCESS,
670 CONST_DISCARD(struct dom_sid2 *, domain_sid),
672 if (!NT_STATUS_IS_OK(result)) {
676 init_lsa_String(&lsa_acct_name, old_name);
678 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
684 if (!NT_STATUS_IS_OK(result)) {
688 /* Open domain user */
689 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
691 MAXIMUM_ALLOWED_ACCESS,
695 if (!NT_STATUS_IS_OK(result)) {
699 /* Query user info */
700 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
705 if (!NT_STATUS_IS_OK(result)) {
709 init_samr_user_info7(&info->info7, new_name);
712 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
717 if (!NT_STATUS_IS_OK(result)) {
722 if (!NT_STATUS_IS_OK(result)) {
723 d_fprintf(stderr, "Failed to rename user from %s to %s - %s\n", old_name, new_name,
726 d_printf("Renamed user from %s to %s\n", old_name, new_name);
732 * Rename a user on a remote RPC server.
734 * @param argc Standard main() style argc.
735 * @param argv Standard main() style argv. Initial components are already
738 * @return A shell status integer (0 for success).
741 static int rpc_user_rename(int argc, const char **argv)
743 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_rename_internals,
748 * Delete a user from a remote RPC server.
750 * @param argc Standard main() style argc.
751 * @param argv Standard main() style argv. Initial components are already
754 * @return A shell status integer (0 for success).
757 static int rpc_user_delete(int argc, const char **argv)
759 NET_API_STATUS status;
762 d_printf("User must be specified\n");
763 rpc_user_usage(argc, argv);
767 status = NetUserDel(opt_host, argv[0]);
770 d_fprintf(stderr, "Failed to delete user '%s' with: %s.\n",
772 libnetapi_get_error_string(netapi_ctx, status));
775 d_printf("Deleted user '%s'.\n", argv[0]);
782 * Set a password for a user on a remote RPC server.
784 * All parameters are provided by the run_rpc_command function, except for
785 * argc, argv which are passed through.
787 * @param domain_sid The domain sid acquired from the remote server.
788 * @param cli A cli_state connected to the server.
789 * @param mem_ctx Talloc context, destroyed on completion of the function.
790 * @param argc Standard main() style argc.
791 * @param argv Standard main() style argv. Initial components are already
794 * @return Normal NTSTATUS return.
797 static NTSTATUS rpc_user_password_internals(const DOM_SID *domain_sid,
798 const char *domain_name,
799 struct cli_state *cli,
800 struct rpc_pipe_client *pipe_hnd,
805 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
806 POLICY_HND connect_pol, domain_pol, user_pol;
808 const char *new_password;
810 union samr_UserInfo info;
811 struct samr_CryptPassword crypt_pwd;
814 d_printf("User must be specified\n");
815 rpc_user_usage(argc, argv);
822 new_password = argv[1];
824 asprintf(&prompt, "Enter new password for %s:", user);
825 new_password = getpass(prompt);
829 /* Get sam policy and domain handles */
831 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
832 pipe_hnd->cli->desthost,
833 MAXIMUM_ALLOWED_ACCESS,
836 if (!NT_STATUS_IS_OK(result)) {
840 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
842 MAXIMUM_ALLOWED_ACCESS,
843 CONST_DISCARD(struct dom_sid2 *, domain_sid),
846 if (!NT_STATUS_IS_OK(result)) {
850 /* Get handle on user */
853 struct samr_Ids user_rids, name_types;
854 struct lsa_String lsa_acct_name;
856 init_lsa_String(&lsa_acct_name, user);
858 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
864 if (!NT_STATUS_IS_OK(result)) {
868 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
870 MAXIMUM_ALLOWED_ACCESS,
874 if (!NT_STATUS_IS_OK(result)) {
879 /* Set password on account */
881 init_samr_CryptPassword(new_password,
882 &cli->user_session_key,
885 init_samr_user_info24(&info.info24, &crypt_pwd,
886 PASS_DONT_CHANGE_AT_NEXT_LOGON);
888 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
893 if (!NT_STATUS_IS_OK(result)) {
897 /* Display results */
905 * Set a user's password on a remote RPC server.
907 * @param argc Standard main() style argc.
908 * @param argv Standard main() style argv. Initial components are already
911 * @return A shell status integer (0 for success).
914 static int rpc_user_password(int argc, const char **argv)
916 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_password_internals,
921 * List user's groups on a remote RPC server.
923 * All parameters are provided by the run_rpc_command function, except for
924 * argc, argv which are passed through.
926 * @param domain_sid The domain sid acquired from the remote server.
927 * @param cli A cli_state connected to the server.
928 * @param mem_ctx Talloc context, destroyed on completion of the function.
929 * @param argc Standard main() style argc.
930 * @param argv Standard main() style argv. Initial components are already
933 * @return Normal NTSTATUS return.
936 static NTSTATUS rpc_user_info_internals(const DOM_SID *domain_sid,
937 const char *domain_name,
938 struct cli_state *cli,
939 struct rpc_pipe_client *pipe_hnd,
944 POLICY_HND connect_pol, domain_pol, user_pol;
945 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
947 struct samr_RidWithAttributeArray *rid_array = NULL;
948 struct lsa_Strings names;
949 struct samr_Ids types;
950 uint32_t *lrids = NULL;
951 struct samr_Ids rids, name_types;
952 struct lsa_String lsa_acct_name;
956 d_printf("User must be specified\n");
957 rpc_user_usage(argc, argv);
960 /* Get sam policy handle */
962 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
963 pipe_hnd->cli->desthost,
964 MAXIMUM_ALLOWED_ACCESS,
966 if (!NT_STATUS_IS_OK(result)) goto done;
968 /* Get domain policy handle */
970 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
972 MAXIMUM_ALLOWED_ACCESS,
973 CONST_DISCARD(struct dom_sid2 *, domain_sid),
975 if (!NT_STATUS_IS_OK(result)) goto done;
977 /* Get handle on user */
979 init_lsa_String(&lsa_acct_name, argv[0]);
981 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
988 if (!NT_STATUS_IS_OK(result)) goto done;
990 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
992 MAXIMUM_ALLOWED_ACCESS,
995 if (!NT_STATUS_IS_OK(result)) goto done;
997 result = rpccli_samr_GetGroupsForUser(pipe_hnd, mem_ctx,
1001 if (!NT_STATUS_IS_OK(result)) goto done;
1005 if (rid_array->count) {
1006 if ((lrids = TALLOC_ARRAY(mem_ctx, uint32, rid_array->count)) == NULL) {
1007 result = NT_STATUS_NO_MEMORY;
1011 for (i = 0; i < rid_array->count; i++)
1012 lrids[i] = rid_array->rids[i].rid;
1014 result = rpccli_samr_LookupRids(pipe_hnd, mem_ctx,
1021 if (!NT_STATUS_IS_OK(result)) {
1025 /* Display results */
1027 for (i = 0; i < names.count; i++)
1028 printf("%s\n", names.names[i].string);
1035 * List a user's groups from a remote RPC server.
1037 * @param argc Standard main() style argc.
1038 * @param argv Standard main() style argv. Initial components are already
1041 * @return A shell status integer (0 for success).
1044 static int rpc_user_info(int argc, const char **argv)
1046 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_info_internals,
1051 * List users on a remote RPC server.
1053 * All parameters are provided by the run_rpc_command function, except for
1054 * argc, argv which are passed through.
1056 * @param domain_sid The domain sid acquired from the remote server.
1057 * @param cli A cli_state connected to the server.
1058 * @param mem_ctx Talloc context, destroyed on completion of the function.
1059 * @param argc Standard main() style argc.
1060 * @param argv Standard main() style argv. Initial components are already
1063 * @return Normal NTSTATUS return.
1066 static NTSTATUS rpc_user_list_internals(const DOM_SID *domain_sid,
1067 const char *domain_name,
1068 struct cli_state *cli,
1069 struct rpc_pipe_client *pipe_hnd,
1070 TALLOC_CTX *mem_ctx,
1074 POLICY_HND connect_pol, domain_pol;
1075 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1076 uint32 start_idx=0, num_entries, i, loop_count = 0;
1078 /* Get sam policy handle */
1080 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1081 pipe_hnd->cli->desthost,
1082 MAXIMUM_ALLOWED_ACCESS,
1084 if (!NT_STATUS_IS_OK(result)) {
1088 /* Get domain policy handle */
1090 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1092 MAXIMUM_ALLOWED_ACCESS,
1093 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1095 if (!NT_STATUS_IS_OK(result)) {
1099 /* Query domain users */
1100 if (opt_long_list_entries)
1101 d_printf("\nUser name Comment"\
1102 "\n-----------------------------\n");
1104 const char *user = NULL;
1105 const char *desc = NULL;
1106 uint32 max_entries, max_size;
1107 uint32_t total_size, returned_size;
1108 union samr_DispInfo info;
1110 get_query_dispinfo_params(
1111 loop_count, &max_entries, &max_size);
1113 result = rpccli_samr_QueryDisplayInfo(pipe_hnd, mem_ctx,
1123 start_idx += info.info1.count;
1124 num_entries = info.info1.count;
1126 for (i = 0; i < num_entries; i++) {
1127 user = info.info1.entries[i].account_name.string;
1128 if (opt_long_list_entries)
1129 desc = info.info1.entries[i].description.string;
1130 if (opt_long_list_entries)
1131 printf("%-21.21s %s\n", user, desc);
1133 printf("%s\n", user);
1135 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
1142 * 'net rpc user' entrypoint.
1143 * @param argc Standard main() style argc.
1144 * @param argv Standard main() style argv. Initial components are already
1148 int net_rpc_user(int argc, const char **argv)
1150 NET_API_STATUS status;
1152 struct functable func[] = {
1153 {"add", rpc_user_add},
1154 {"info", rpc_user_info},
1155 {"delete", rpc_user_delete},
1156 {"password", rpc_user_password},
1157 {"rename", rpc_user_rename},
1161 status = libnetapi_init(&netapi_ctx);
1165 libnetapi_set_username(netapi_ctx, opt_user_name);
1166 libnetapi_set_password(netapi_ctx, opt_password);
1169 return run_rpc_command(NULL,PI_SAMR, 0,
1170 rpc_user_list_internals,
1174 return net_run_function(argc, argv, func, rpc_user_usage);
1177 static NTSTATUS rpc_sh_user_list(TALLOC_CTX *mem_ctx,
1178 struct rpc_sh_ctx *ctx,
1179 struct rpc_pipe_client *pipe_hnd,
1180 int argc, const char **argv)
1182 return rpc_user_list_internals(ctx->domain_sid, ctx->domain_name,
1183 ctx->cli, pipe_hnd, mem_ctx,
1187 static NTSTATUS rpc_sh_user_info(TALLOC_CTX *mem_ctx,
1188 struct rpc_sh_ctx *ctx,
1189 struct rpc_pipe_client *pipe_hnd,
1190 int argc, const char **argv)
1192 return rpc_user_info_internals(ctx->domain_sid, ctx->domain_name,
1193 ctx->cli, pipe_hnd, mem_ctx,
1197 static NTSTATUS rpc_sh_handle_user(TALLOC_CTX *mem_ctx,
1198 struct rpc_sh_ctx *ctx,
1199 struct rpc_pipe_client *pipe_hnd,
1200 int argc, const char **argv,
1202 TALLOC_CTX *mem_ctx,
1203 struct rpc_sh_ctx *ctx,
1204 struct rpc_pipe_client *pipe_hnd,
1205 POLICY_HND *user_hnd,
1206 int argc, const char **argv))
1208 POLICY_HND connect_pol, domain_pol, user_pol;
1209 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1212 enum lsa_SidType type;
1215 d_fprintf(stderr, "usage: %s <username>\n", ctx->whoami);
1216 return NT_STATUS_INVALID_PARAMETER;
1219 ZERO_STRUCT(connect_pol);
1220 ZERO_STRUCT(domain_pol);
1221 ZERO_STRUCT(user_pol);
1223 result = net_rpc_lookup_name(mem_ctx, pipe_hnd->cli, argv[0],
1224 NULL, NULL, &sid, &type);
1225 if (!NT_STATUS_IS_OK(result)) {
1226 d_fprintf(stderr, "Could not lookup %s: %s\n", argv[0],
1231 if (type != SID_NAME_USER) {
1232 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
1233 sid_type_lookup(type));
1234 result = NT_STATUS_NO_SUCH_USER;
1238 if (!sid_peek_check_rid(ctx->domain_sid, &sid, &rid)) {
1239 d_fprintf(stderr, "%s is not in our domain\n", argv[0]);
1240 result = NT_STATUS_NO_SUCH_USER;
1244 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1245 pipe_hnd->cli->desthost,
1246 MAXIMUM_ALLOWED_ACCESS,
1248 if (!NT_STATUS_IS_OK(result)) {
1252 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1254 MAXIMUM_ALLOWED_ACCESS,
1257 if (!NT_STATUS_IS_OK(result)) {
1261 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1263 MAXIMUM_ALLOWED_ACCESS,
1266 if (!NT_STATUS_IS_OK(result)) {
1270 result = fn(mem_ctx, ctx, pipe_hnd, &user_pol, argc-1, argv+1);
1273 if (is_valid_policy_hnd(&user_pol)) {
1274 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1276 if (is_valid_policy_hnd(&domain_pol)) {
1277 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1279 if (is_valid_policy_hnd(&connect_pol)) {
1280 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
1285 static NTSTATUS rpc_sh_user_show_internals(TALLOC_CTX *mem_ctx,
1286 struct rpc_sh_ctx *ctx,
1287 struct rpc_pipe_client *pipe_hnd,
1288 POLICY_HND *user_hnd,
1289 int argc, const char **argv)
1292 union samr_UserInfo *info = NULL;
1295 d_fprintf(stderr, "usage: %s show <username>\n", ctx->whoami);
1296 return NT_STATUS_INVALID_PARAMETER;
1299 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1303 if (!NT_STATUS_IS_OK(result)) {
1307 d_printf("user rid: %d, group rid: %d\n",
1309 info->info21.primary_gid);
1314 static NTSTATUS rpc_sh_user_show(TALLOC_CTX *mem_ctx,
1315 struct rpc_sh_ctx *ctx,
1316 struct rpc_pipe_client *pipe_hnd,
1317 int argc, const char **argv)
1319 return rpc_sh_handle_user(mem_ctx, ctx, pipe_hnd, argc, argv,
1320 rpc_sh_user_show_internals);
1323 #define FETCHSTR(name, rec) \
1324 do { if (strequal(ctx->thiscmd, name)) { \
1325 oldval = talloc_strdup(mem_ctx, info->info21.rec.string); } \
1328 #define SETSTR(name, rec, flag) \
1329 do { if (strequal(ctx->thiscmd, name)) { \
1330 init_lsa_String(&(info->info21.rec), argv[0]); \
1331 info->info21.fields_present |= SAMR_FIELD_##flag; } \
1334 static NTSTATUS rpc_sh_user_str_edit_internals(TALLOC_CTX *mem_ctx,
1335 struct rpc_sh_ctx *ctx,
1336 struct rpc_pipe_client *pipe_hnd,
1337 POLICY_HND *user_hnd,
1338 int argc, const char **argv)
1341 const char *username;
1342 const char *oldval = "";
1343 union samr_UserInfo *info = NULL;
1346 d_fprintf(stderr, "usage: %s <username> [new value|NULL]\n",
1348 return NT_STATUS_INVALID_PARAMETER;
1351 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1355 if (!NT_STATUS_IS_OK(result)) {
1359 username = talloc_strdup(mem_ctx, info->info21.account_name.string);
1361 FETCHSTR("fullname", full_name);
1362 FETCHSTR("homedir", home_directory);
1363 FETCHSTR("homedrive", home_drive);
1364 FETCHSTR("logonscript", logon_script);
1365 FETCHSTR("profilepath", profile_path);
1366 FETCHSTR("description", description);
1369 d_printf("%s's %s: [%s]\n", username, ctx->thiscmd, oldval);
1373 if (strcmp(argv[0], "NULL") == 0) {
1377 ZERO_STRUCT(info->info21);
1379 SETSTR("fullname", full_name, FULL_NAME);
1380 SETSTR("homedir", home_directory, HOME_DIRECTORY);
1381 SETSTR("homedrive", home_drive, HOME_DRIVE);
1382 SETSTR("logonscript", logon_script, LOGON_SCRIPT);
1383 SETSTR("profilepath", profile_path, PROFILE_PATH);
1384 SETSTR("description", description, DESCRIPTION);
1386 result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1391 d_printf("Set %s's %s from [%s] to [%s]\n", username,
1392 ctx->thiscmd, oldval, argv[0]);
1399 #define HANDLEFLG(name, rec) \
1400 do { if (strequal(ctx->thiscmd, name)) { \
1401 oldval = (oldflags & ACB_##rec) ? "yes" : "no"; \
1403 newflags = oldflags | ACB_##rec; \
1405 newflags = oldflags & ~ACB_##rec; \
1408 static NTSTATUS rpc_sh_user_str_edit(TALLOC_CTX *mem_ctx,
1409 struct rpc_sh_ctx *ctx,
1410 struct rpc_pipe_client *pipe_hnd,
1411 int argc, const char **argv)
1413 return rpc_sh_handle_user(mem_ctx, ctx, pipe_hnd, argc, argv,
1414 rpc_sh_user_str_edit_internals);
1417 static NTSTATUS rpc_sh_user_flag_edit_internals(TALLOC_CTX *mem_ctx,
1418 struct rpc_sh_ctx *ctx,
1419 struct rpc_pipe_client *pipe_hnd,
1420 POLICY_HND *user_hnd,
1421 int argc, const char **argv)
1424 const char *username;
1425 const char *oldval = "unknown";
1426 uint32 oldflags, newflags;
1428 union samr_UserInfo *info = NULL;
1431 ((argc == 1) && !strequal(argv[0], "yes") &&
1432 !strequal(argv[0], "no"))) {
1433 d_fprintf(stderr, "usage: %s <username> [yes|no]\n",
1435 return NT_STATUS_INVALID_PARAMETER;
1438 newval = strequal(argv[0], "yes");
1440 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1444 if (!NT_STATUS_IS_OK(result)) {
1448 username = talloc_strdup(mem_ctx, info->info21.account_name.string);
1449 oldflags = info->info21.acct_flags;
1450 newflags = info->info21.acct_flags;
1452 HANDLEFLG("disabled", DISABLED);
1453 HANDLEFLG("pwnotreq", PWNOTREQ);
1454 HANDLEFLG("autolock", AUTOLOCK);
1455 HANDLEFLG("pwnoexp", PWNOEXP);
1458 d_printf("%s's %s flag: %s\n", username, ctx->thiscmd, oldval);
1462 ZERO_STRUCT(info->info21);
1464 info->info21.acct_flags = newflags;
1465 info->info21.fields_present = SAMR_FIELD_ACCT_FLAGS;
1467 result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1472 if (NT_STATUS_IS_OK(result)) {
1473 d_printf("Set %s's %s flag from [%s] to [%s]\n", username,
1474 ctx->thiscmd, oldval, argv[0]);
1482 static NTSTATUS rpc_sh_user_flag_edit(TALLOC_CTX *mem_ctx,
1483 struct rpc_sh_ctx *ctx,
1484 struct rpc_pipe_client *pipe_hnd,
1485 int argc, const char **argv)
1487 return rpc_sh_handle_user(mem_ctx, ctx, pipe_hnd, argc, argv,
1488 rpc_sh_user_flag_edit_internals);
1491 struct rpc_sh_cmd *net_rpc_user_edit_cmds(TALLOC_CTX *mem_ctx,
1492 struct rpc_sh_ctx *ctx)
1494 static struct rpc_sh_cmd cmds[] = {
1496 { "fullname", NULL, PI_SAMR, rpc_sh_user_str_edit,
1497 "Show/Set a user's full name" },
1499 { "homedir", NULL, PI_SAMR, rpc_sh_user_str_edit,
1500 "Show/Set a user's home directory" },
1502 { "homedrive", NULL, PI_SAMR, rpc_sh_user_str_edit,
1503 "Show/Set a user's home drive" },
1505 { "logonscript", NULL, PI_SAMR, rpc_sh_user_str_edit,
1506 "Show/Set a user's logon script" },
1508 { "profilepath", NULL, PI_SAMR, rpc_sh_user_str_edit,
1509 "Show/Set a user's profile path" },
1511 { "description", NULL, PI_SAMR, rpc_sh_user_str_edit,
1512 "Show/Set a user's description" },
1514 { "disabled", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1515 "Show/Set whether a user is disabled" },
1517 { "autolock", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1518 "Show/Set whether a user locked out" },
1520 { "pwnotreq", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1521 "Show/Set whether a user does not need a password" },
1523 { "pwnoexp", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1524 "Show/Set whether a user's password does not expire" },
1526 { NULL, NULL, 0, NULL, NULL }
1532 struct rpc_sh_cmd *net_rpc_user_cmds(TALLOC_CTX *mem_ctx,
1533 struct rpc_sh_ctx *ctx)
1535 static struct rpc_sh_cmd cmds[] = {
1537 { "list", NULL, PI_SAMR, rpc_sh_user_list,
1538 "List available users" },
1540 { "info", NULL, PI_SAMR, rpc_sh_user_info,
1541 "List the domain groups a user is member of" },
1543 { "show", NULL, PI_SAMR, rpc_sh_user_show,
1544 "Show info about a user" },
1546 { "edit", net_rpc_user_edit_cmds, 0, NULL,
1547 "Show/Modify a user's fields" },
1549 { NULL, NULL, 0, NULL, NULL }
1555 /****************************************************************************/
1558 * Basic usage function for 'net rpc group'.
1559 * @param argc Standard main() style argc.
1560 * @param argv Standard main() style argv. Initial components are already
1564 static int rpc_group_usage(int argc, const char **argv)
1566 return net_help_group(argc, argv);
1570 * Delete group on a remote RPC server.
1572 * All parameters are provided by the run_rpc_command function, except for
1573 * argc, argv which are passed through.
1575 * @param domain_sid The domain sid acquired from the remote server.
1576 * @param cli A cli_state connected to the server.
1577 * @param mem_ctx Talloc context, destroyed on completion of the function.
1578 * @param argc Standard main() style argc.
1579 * @param argv Standard main() style argv. Initial components are already
1582 * @return Normal NTSTATUS return.
1585 static NTSTATUS rpc_group_delete_internals(const DOM_SID *domain_sid,
1586 const char *domain_name,
1587 struct cli_state *cli,
1588 struct rpc_pipe_client *pipe_hnd,
1589 TALLOC_CTX *mem_ctx,
1593 POLICY_HND connect_pol, domain_pol, group_pol, user_pol;
1594 bool group_is_primary = False;
1595 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1597 struct samr_RidTypeArray *rids = NULL;
1600 /* DOM_GID *user_gids; */
1602 struct samr_Ids group_rids, name_types;
1603 struct lsa_String lsa_acct_name;
1604 union samr_UserInfo *info = NULL;
1607 d_printf("specify group\n");
1608 rpc_group_usage(argc,argv);
1609 return NT_STATUS_OK; /* ok? */
1612 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1613 pipe_hnd->cli->desthost,
1614 MAXIMUM_ALLOWED_ACCESS,
1617 if (!NT_STATUS_IS_OK(result)) {
1618 d_fprintf(stderr, "Request samr_Connect2 failed\n");
1622 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1624 MAXIMUM_ALLOWED_ACCESS,
1625 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1628 if (!NT_STATUS_IS_OK(result)) {
1629 d_fprintf(stderr, "Request open_domain failed\n");
1633 init_lsa_String(&lsa_acct_name, argv[0]);
1635 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1641 if (!NT_STATUS_IS_OK(result)) {
1642 d_fprintf(stderr, "Lookup of '%s' failed\n",argv[0]);
1646 switch (name_types.ids[0])
1648 case SID_NAME_DOM_GRP:
1649 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
1651 MAXIMUM_ALLOWED_ACCESS,
1654 if (!NT_STATUS_IS_OK(result)) {
1655 d_fprintf(stderr, "Request open_group failed");
1659 group_rid = group_rids.ids[0];
1661 result = rpccli_samr_QueryGroupMember(pipe_hnd, mem_ctx,
1665 if (!NT_STATUS_IS_OK(result)) {
1666 d_fprintf(stderr, "Unable to query group members of %s",argv[0]);
1671 d_printf("Domain Group %s (rid: %d) has %d members\n",
1672 argv[0],group_rid, rids->count);
1675 /* Check if group is anyone's primary group */
1676 for (i = 0; i < rids->count; i++)
1678 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1680 MAXIMUM_ALLOWED_ACCESS,
1684 if (!NT_STATUS_IS_OK(result)) {
1685 d_fprintf(stderr, "Unable to open group member %d\n",
1690 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1695 if (!NT_STATUS_IS_OK(result)) {
1696 d_fprintf(stderr, "Unable to lookup userinfo for group member %d\n",
1701 if (info->info21.primary_gid == group_rid) {
1703 d_printf("Group is primary group of %s\n",
1704 info->info21.account_name.string);
1706 group_is_primary = True;
1709 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1712 if (group_is_primary) {
1713 d_fprintf(stderr, "Unable to delete group because some "
1714 "of it's members have it as primary group\n");
1715 result = NT_STATUS_MEMBERS_PRIMARY_GROUP;
1719 /* remove all group members */
1720 for (i = 0; i < rids->count; i++)
1723 d_printf("Remove group member %d...",
1725 result = rpccli_samr_DeleteGroupMember(pipe_hnd, mem_ctx,
1729 if (NT_STATUS_IS_OK(result)) {
1734 d_printf("failed\n");
1739 result = rpccli_samr_DeleteDomainGroup(pipe_hnd, mem_ctx,
1743 /* removing a local group is easier... */
1744 case SID_NAME_ALIAS:
1745 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
1747 MAXIMUM_ALLOWED_ACCESS,
1751 if (!NT_STATUS_IS_OK(result)) {
1752 d_fprintf(stderr, "Request open_alias failed\n");
1756 result = rpccli_samr_DeleteDomAlias(pipe_hnd, mem_ctx,
1760 d_fprintf(stderr, "%s is of type %s. This command is only for deleting local or global groups\n",
1761 argv[0],sid_type_lookup(name_types.ids[0]));
1762 result = NT_STATUS_UNSUCCESSFUL;
1767 if (NT_STATUS_IS_OK(result)) {
1769 d_printf("Deleted %s '%s'\n",sid_type_lookup(name_types.ids[0]),argv[0]);
1771 d_fprintf(stderr, "Deleting of %s failed: %s\n",argv[0],
1772 get_friendly_nt_error_msg(result));
1780 static int rpc_group_delete(int argc, const char **argv)
1782 return run_rpc_command(NULL, PI_SAMR, 0, rpc_group_delete_internals,
1786 static NTSTATUS rpc_group_add_internals(const DOM_SID *domain_sid,
1787 const char *domain_name,
1788 struct cli_state *cli,
1789 struct rpc_pipe_client *pipe_hnd,
1790 TALLOC_CTX *mem_ctx,
1794 POLICY_HND connect_pol, domain_pol, group_pol;
1795 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1796 union samr_GroupInfo group_info;
1797 struct lsa_String grp_name;
1801 d_printf("Group name must be specified\n");
1802 rpc_group_usage(argc, argv);
1803 return NT_STATUS_OK;
1806 init_lsa_String(&grp_name, argv[0]);
1808 /* Get sam policy handle */
1810 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1811 pipe_hnd->cli->desthost,
1812 MAXIMUM_ALLOWED_ACCESS,
1814 if (!NT_STATUS_IS_OK(result)) goto done;
1816 /* Get domain policy handle */
1818 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1820 MAXIMUM_ALLOWED_ACCESS,
1821 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1823 if (!NT_STATUS_IS_OK(result)) goto done;
1825 /* Create the group */
1827 result = rpccli_samr_CreateDomainGroup(pipe_hnd, mem_ctx,
1830 MAXIMUM_ALLOWED_ACCESS,
1833 if (!NT_STATUS_IS_OK(result)) goto done;
1835 if (strlen(opt_comment) == 0) goto done;
1837 /* We've got a comment to set */
1839 init_lsa_String(&group_info.description, opt_comment);
1841 result = rpccli_samr_SetGroupInfo(pipe_hnd, mem_ctx,
1845 if (!NT_STATUS_IS_OK(result)) goto done;
1848 if (NT_STATUS_IS_OK(result))
1849 DEBUG(5, ("add group succeeded\n"));
1851 d_fprintf(stderr, "add group failed: %s\n", nt_errstr(result));
1856 static NTSTATUS rpc_alias_add_internals(const DOM_SID *domain_sid,
1857 const char *domain_name,
1858 struct cli_state *cli,
1859 struct rpc_pipe_client *pipe_hnd,
1860 TALLOC_CTX *mem_ctx,
1864 POLICY_HND connect_pol, domain_pol, alias_pol;
1865 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1866 union samr_AliasInfo alias_info;
1867 struct lsa_String alias_name;
1871 d_printf("Alias name must be specified\n");
1872 rpc_group_usage(argc, argv);
1873 return NT_STATUS_OK;
1876 init_lsa_String(&alias_name, argv[0]);
1878 /* Get sam policy handle */
1880 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1881 pipe_hnd->cli->desthost,
1882 MAXIMUM_ALLOWED_ACCESS,
1884 if (!NT_STATUS_IS_OK(result)) goto done;
1886 /* Get domain policy handle */
1888 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1890 MAXIMUM_ALLOWED_ACCESS,
1891 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1893 if (!NT_STATUS_IS_OK(result)) goto done;
1895 /* Create the group */
1897 result = rpccli_samr_CreateDomAlias(pipe_hnd, mem_ctx,
1900 MAXIMUM_ALLOWED_ACCESS,
1903 if (!NT_STATUS_IS_OK(result)) goto done;
1905 if (strlen(opt_comment) == 0) goto done;
1907 /* We've got a comment to set */
1909 init_lsa_String(&alias_info.description, opt_comment);
1911 result = rpccli_samr_SetAliasInfo(pipe_hnd, mem_ctx,
1916 if (!NT_STATUS_IS_OK(result)) goto done;
1919 if (NT_STATUS_IS_OK(result))
1920 DEBUG(5, ("add alias succeeded\n"));
1922 d_fprintf(stderr, "add alias failed: %s\n", nt_errstr(result));
1927 static int rpc_group_add(int argc, const char **argv)
1930 return run_rpc_command(NULL, PI_SAMR, 0,
1931 rpc_alias_add_internals,
1934 return run_rpc_command(NULL, PI_SAMR, 0,
1935 rpc_group_add_internals,
1939 static NTSTATUS get_sid_from_name(struct cli_state *cli,
1940 TALLOC_CTX *mem_ctx,
1943 enum lsa_SidType *type)
1945 DOM_SID *sids = NULL;
1946 enum lsa_SidType *types = NULL;
1947 struct rpc_pipe_client *pipe_hnd;
1949 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1951 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result);
1956 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, False,
1957 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
1959 if (!NT_STATUS_IS_OK(result)) {
1963 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &lsa_pol, 1,
1964 &name, NULL, 1, &sids, &types);
1966 if (NT_STATUS_IS_OK(result)) {
1967 sid_copy(sid, &sids[0]);
1971 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
1975 cli_rpc_pipe_close(pipe_hnd);
1978 if (!NT_STATUS_IS_OK(result) && (StrnCaseCmp(name, "S-", 2) == 0)) {
1980 /* Try as S-1-5-whatever */
1984 if (string_to_sid(&tmp_sid, name)) {
1985 sid_copy(sid, &tmp_sid);
1986 *type = SID_NAME_UNKNOWN;
1987 result = NT_STATUS_OK;
1994 static NTSTATUS rpc_add_groupmem(struct rpc_pipe_client *pipe_hnd,
1995 TALLOC_CTX *mem_ctx,
1996 const DOM_SID *group_sid,
1999 POLICY_HND connect_pol, domain_pol;
2002 POLICY_HND group_pol;
2004 struct samr_Ids rids, rid_types;
2005 struct lsa_String lsa_acct_name;
2009 sid_copy(&sid, group_sid);
2011 if (!sid_split_rid(&sid, &group_rid)) {
2012 return NT_STATUS_UNSUCCESSFUL;
2015 /* Get sam policy handle */
2016 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2017 pipe_hnd->cli->desthost,
2018 MAXIMUM_ALLOWED_ACCESS,
2020 if (!NT_STATUS_IS_OK(result)) {
2024 /* Get domain policy handle */
2025 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2027 MAXIMUM_ALLOWED_ACCESS,
2030 if (!NT_STATUS_IS_OK(result)) {
2034 init_lsa_String(&lsa_acct_name, member);
2036 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2043 if (!NT_STATUS_IS_OK(result)) {
2044 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2048 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2050 MAXIMUM_ALLOWED_ACCESS,
2054 if (!NT_STATUS_IS_OK(result)) {
2058 result = rpccli_samr_AddGroupMember(pipe_hnd, mem_ctx,
2061 0x0005); /* unknown flags */
2064 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2068 static NTSTATUS rpc_add_aliasmem(struct rpc_pipe_client *pipe_hnd,
2069 TALLOC_CTX *mem_ctx,
2070 const DOM_SID *alias_sid,
2073 POLICY_HND connect_pol, domain_pol;
2076 POLICY_HND alias_pol;
2079 enum lsa_SidType member_type;
2083 sid_copy(&sid, alias_sid);
2085 if (!sid_split_rid(&sid, &alias_rid)) {
2086 return NT_STATUS_UNSUCCESSFUL;
2089 result = get_sid_from_name(pipe_hnd->cli, mem_ctx, member,
2090 &member_sid, &member_type);
2092 if (!NT_STATUS_IS_OK(result)) {
2093 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2097 /* Get sam policy handle */
2098 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2099 pipe_hnd->cli->desthost,
2100 MAXIMUM_ALLOWED_ACCESS,
2102 if (!NT_STATUS_IS_OK(result)) {
2106 /* Get domain policy handle */
2107 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2109 MAXIMUM_ALLOWED_ACCESS,
2112 if (!NT_STATUS_IS_OK(result)) {
2116 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2118 MAXIMUM_ALLOWED_ACCESS,
2122 if (!NT_STATUS_IS_OK(result)) {
2126 result = rpccli_samr_AddAliasMember(pipe_hnd, mem_ctx,
2130 if (!NT_STATUS_IS_OK(result)) {
2135 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2139 static NTSTATUS rpc_group_addmem_internals(const DOM_SID *domain_sid,
2140 const char *domain_name,
2141 struct cli_state *cli,
2142 struct rpc_pipe_client *pipe_hnd,
2143 TALLOC_CTX *mem_ctx,
2148 enum lsa_SidType group_type;
2151 d_printf("Usage: 'net rpc group addmem <group> <member>\n");
2152 return NT_STATUS_UNSUCCESSFUL;
2155 if (!NT_STATUS_IS_OK(get_sid_from_name(cli, mem_ctx, argv[0],
2156 &group_sid, &group_type))) {
2157 d_fprintf(stderr, "Could not lookup group name %s\n", argv[0]);
2158 return NT_STATUS_UNSUCCESSFUL;
2161 if (group_type == SID_NAME_DOM_GRP) {
2162 NTSTATUS result = rpc_add_groupmem(pipe_hnd, mem_ctx,
2163 &group_sid, argv[1]);
2165 if (!NT_STATUS_IS_OK(result)) {
2166 d_fprintf(stderr, "Could not add %s to %s: %s\n",
2167 argv[1], argv[0], nt_errstr(result));
2172 if (group_type == SID_NAME_ALIAS) {
2173 NTSTATUS result = rpc_add_aliasmem(pipe_hnd, mem_ctx,
2174 &group_sid, argv[1]);
2176 if (!NT_STATUS_IS_OK(result)) {
2177 d_fprintf(stderr, "Could not add %s to %s: %s\n",
2178 argv[1], argv[0], nt_errstr(result));
2183 d_fprintf(stderr, "Can only add members to global or local groups "
2184 "which %s is not\n", argv[0]);
2186 return NT_STATUS_UNSUCCESSFUL;
2189 static int rpc_group_addmem(int argc, const char **argv)
2191 return run_rpc_command(NULL, PI_SAMR, 0,
2192 rpc_group_addmem_internals,
2196 static NTSTATUS rpc_del_groupmem(struct rpc_pipe_client *pipe_hnd,
2197 TALLOC_CTX *mem_ctx,
2198 const DOM_SID *group_sid,
2201 POLICY_HND connect_pol, domain_pol;
2204 POLICY_HND group_pol;
2206 struct samr_Ids rids, rid_types;
2207 struct lsa_String lsa_acct_name;
2211 sid_copy(&sid, group_sid);
2213 if (!sid_split_rid(&sid, &group_rid))
2214 return NT_STATUS_UNSUCCESSFUL;
2216 /* Get sam policy handle */
2217 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2218 pipe_hnd->cli->desthost,
2219 MAXIMUM_ALLOWED_ACCESS,
2221 if (!NT_STATUS_IS_OK(result))
2224 /* Get domain policy handle */
2225 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2227 MAXIMUM_ALLOWED_ACCESS,
2230 if (!NT_STATUS_IS_OK(result))
2233 init_lsa_String(&lsa_acct_name, member);
2235 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2241 if (!NT_STATUS_IS_OK(result)) {
2242 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2246 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2248 MAXIMUM_ALLOWED_ACCESS,
2252 if (!NT_STATUS_IS_OK(result))
2255 result = rpccli_samr_DeleteGroupMember(pipe_hnd, mem_ctx,
2260 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2264 static NTSTATUS rpc_del_aliasmem(struct rpc_pipe_client *pipe_hnd,
2265 TALLOC_CTX *mem_ctx,
2266 const DOM_SID *alias_sid,
2269 POLICY_HND connect_pol, domain_pol;
2272 POLICY_HND alias_pol;
2275 enum lsa_SidType member_type;
2279 sid_copy(&sid, alias_sid);
2281 if (!sid_split_rid(&sid, &alias_rid))
2282 return NT_STATUS_UNSUCCESSFUL;
2284 result = get_sid_from_name(pipe_hnd->cli, mem_ctx, member,
2285 &member_sid, &member_type);
2287 if (!NT_STATUS_IS_OK(result)) {
2288 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2292 /* Get sam policy handle */
2293 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2294 pipe_hnd->cli->desthost,
2295 MAXIMUM_ALLOWED_ACCESS,
2297 if (!NT_STATUS_IS_OK(result)) {
2301 /* Get domain policy handle */
2302 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2304 MAXIMUM_ALLOWED_ACCESS,
2307 if (!NT_STATUS_IS_OK(result)) {
2311 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2313 MAXIMUM_ALLOWED_ACCESS,
2317 if (!NT_STATUS_IS_OK(result))
2320 result = rpccli_samr_DeleteAliasMember(pipe_hnd, mem_ctx,
2324 if (!NT_STATUS_IS_OK(result))
2328 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2332 static NTSTATUS rpc_group_delmem_internals(const DOM_SID *domain_sid,
2333 const char *domain_name,
2334 struct cli_state *cli,
2335 struct rpc_pipe_client *pipe_hnd,
2336 TALLOC_CTX *mem_ctx,
2341 enum lsa_SidType group_type;
2344 d_printf("Usage: 'net rpc group delmem <group> <member>\n");
2345 return NT_STATUS_UNSUCCESSFUL;
2348 if (!NT_STATUS_IS_OK(get_sid_from_name(cli, mem_ctx, argv[0],
2349 &group_sid, &group_type))) {
2350 d_fprintf(stderr, "Could not lookup group name %s\n", argv[0]);
2351 return NT_STATUS_UNSUCCESSFUL;
2354 if (group_type == SID_NAME_DOM_GRP) {
2355 NTSTATUS result = rpc_del_groupmem(pipe_hnd, mem_ctx,
2356 &group_sid, argv[1]);
2358 if (!NT_STATUS_IS_OK(result)) {
2359 d_fprintf(stderr, "Could not del %s from %s: %s\n",
2360 argv[1], argv[0], nt_errstr(result));
2365 if (group_type == SID_NAME_ALIAS) {
2366 NTSTATUS result = rpc_del_aliasmem(pipe_hnd, mem_ctx,
2367 &group_sid, argv[1]);
2369 if (!NT_STATUS_IS_OK(result)) {
2370 d_fprintf(stderr, "Could not del %s from %s: %s\n",
2371 argv[1], argv[0], nt_errstr(result));
2376 d_fprintf(stderr, "Can only delete members from global or local groups "
2377 "which %s is not\n", argv[0]);
2379 return NT_STATUS_UNSUCCESSFUL;
2382 static int rpc_group_delmem(int argc, const char **argv)
2384 return run_rpc_command(NULL, PI_SAMR, 0,
2385 rpc_group_delmem_internals,
2390 * List groups on a remote RPC server.
2392 * All parameters are provided by the run_rpc_command function, except for
2393 * argc, argv which are passed through.
2395 * @param domain_sid The domain sid acquired from the remote server.
2396 * @param cli A cli_state connected to the server.
2397 * @param mem_ctx Talloc context, destroyed on completion of the function.
2398 * @param argc Standard main() style argc.
2399 * @param argv Standard main() style argv. Initial components are already
2402 * @return Normal NTSTATUS return.
2405 static NTSTATUS rpc_group_list_internals(const DOM_SID *domain_sid,
2406 const char *domain_name,
2407 struct cli_state *cli,
2408 struct rpc_pipe_client *pipe_hnd,
2409 TALLOC_CTX *mem_ctx,
2413 POLICY_HND connect_pol, domain_pol;
2414 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2415 uint32 start_idx=0, max_entries=250, num_entries, i, loop_count = 0;
2416 struct samr_SamArray *groups = NULL;
2417 bool global = False;
2419 bool builtin = False;
2427 for (i=0; i<argc; i++) {
2428 if (strequal(argv[i], "global"))
2431 if (strequal(argv[i], "local"))
2434 if (strequal(argv[i], "builtin"))
2438 /* Get sam policy handle */
2440 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2441 pipe_hnd->cli->desthost,
2442 MAXIMUM_ALLOWED_ACCESS,
2444 if (!NT_STATUS_IS_OK(result)) {
2448 /* Get domain policy handle */
2450 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2452 MAXIMUM_ALLOWED_ACCESS,
2453 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2455 if (!NT_STATUS_IS_OK(result)) {
2459 /* Query domain groups */
2460 if (opt_long_list_entries)
2461 d_printf("\nGroup name Comment"\
2462 "\n-----------------------------\n");
2464 uint32_t max_size, total_size, returned_size;
2465 union samr_DispInfo info;
2469 get_query_dispinfo_params(
2470 loop_count, &max_entries, &max_size);
2472 result = rpccli_samr_QueryDisplayInfo(pipe_hnd, mem_ctx,
2481 num_entries = info.info3.count;
2482 start_idx += info.info3.count;
2484 if (!NT_STATUS_IS_OK(result) &&
2485 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2488 for (i = 0; i < num_entries; i++) {
2490 const char *group = NULL;
2491 const char *desc = NULL;
2493 group = info.info3.entries[i].account_name.string;
2494 desc = info.info3.entries[i].description.string;
2496 if (opt_long_list_entries)
2497 printf("%-21.21s %-50.50s\n",
2500 printf("%s\n", group);
2502 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2503 /* query domain aliases */
2508 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
2514 if (!NT_STATUS_IS_OK(result) &&
2515 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2518 for (i = 0; i < num_entries; i++) {
2520 const char *description = NULL;
2522 if (opt_long_list_entries) {
2524 POLICY_HND alias_pol;
2525 union samr_AliasInfo *info = NULL;
2527 if ((NT_STATUS_IS_OK(rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2530 groups->entries[i].idx,
2532 (NT_STATUS_IS_OK(rpccli_samr_QueryAliasInfo(pipe_hnd, mem_ctx,
2536 (NT_STATUS_IS_OK(rpccli_samr_Close(pipe_hnd, mem_ctx,
2538 description = info->description.string;
2542 if (description != NULL) {
2543 printf("%-21.21s %-50.50s\n",
2544 groups->entries[i].name.string,
2547 printf("%s\n", groups->entries[i].name.string);
2550 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2551 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
2552 /* Get builtin policy handle */
2554 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2556 MAXIMUM_ALLOWED_ACCESS,
2557 CONST_DISCARD(struct dom_sid2 *, &global_sid_Builtin),
2559 if (!NT_STATUS_IS_OK(result)) {
2562 /* query builtin aliases */
2565 if (!builtin) break;
2567 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
2573 if (!NT_STATUS_IS_OK(result) &&
2574 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2577 for (i = 0; i < num_entries; i++) {
2579 const char *description = NULL;
2581 if (opt_long_list_entries) {
2583 POLICY_HND alias_pol;
2584 union samr_AliasInfo *info = NULL;
2586 if ((NT_STATUS_IS_OK(rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2589 groups->entries[i].idx,
2591 (NT_STATUS_IS_OK(rpccli_samr_QueryAliasInfo(pipe_hnd, mem_ctx,
2595 (NT_STATUS_IS_OK(rpccli_samr_Close(pipe_hnd, mem_ctx,
2597 description = info->description.string;
2601 if (description != NULL) {
2602 printf("%-21.21s %-50.50s\n",
2603 groups->entries[i].name.string,
2606 printf("%s\n", groups->entries[i].name.string);
2609 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2615 static int rpc_group_list(int argc, const char **argv)
2617 return run_rpc_command(NULL, PI_SAMR, 0,
2618 rpc_group_list_internals,
2622 static NTSTATUS rpc_list_group_members(struct rpc_pipe_client *pipe_hnd,
2623 TALLOC_CTX *mem_ctx,
2624 const char *domain_name,
2625 const DOM_SID *domain_sid,
2626 POLICY_HND *domain_pol,
2630 POLICY_HND group_pol;
2631 uint32 num_members, *group_rids;
2633 struct samr_RidTypeArray *rids = NULL;
2634 struct lsa_Strings names;
2635 struct samr_Ids types;
2638 sid_to_fstring(sid_str, domain_sid);
2640 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2642 MAXIMUM_ALLOWED_ACCESS,
2646 if (!NT_STATUS_IS_OK(result))
2649 result = rpccli_samr_QueryGroupMember(pipe_hnd, mem_ctx,
2653 if (!NT_STATUS_IS_OK(result))
2656 num_members = rids->count;
2657 group_rids = rids->rids;
2659 while (num_members > 0) {
2660 int this_time = 512;
2662 if (num_members < this_time)
2663 this_time = num_members;
2665 result = rpccli_samr_LookupRids(pipe_hnd, mem_ctx,
2672 if (!NT_STATUS_IS_OK(result))
2675 /* We only have users as members, but make the output
2676 the same as the output of alias members */
2678 for (i = 0; i < this_time; i++) {
2680 if (opt_long_list_entries) {
2681 printf("%s-%d %s\\%s %d\n", sid_str,
2682 group_rids[i], domain_name,
2683 names.names[i].string,
2686 printf("%s\\%s\n", domain_name,
2687 names.names[i].string);
2691 num_members -= this_time;
2695 return NT_STATUS_OK;
2698 static NTSTATUS rpc_list_alias_members(struct rpc_pipe_client *pipe_hnd,
2699 TALLOC_CTX *mem_ctx,
2700 POLICY_HND *domain_pol,
2704 struct rpc_pipe_client *lsa_pipe;
2705 POLICY_HND alias_pol, lsa_pol;
2707 DOM_SID *alias_sids;
2710 enum lsa_SidType *types;
2712 struct lsa_SidArray sid_array;
2714 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2716 MAXIMUM_ALLOWED_ACCESS,
2720 if (!NT_STATUS_IS_OK(result))
2723 result = rpccli_samr_GetMembersInAlias(pipe_hnd, mem_ctx,
2727 if (!NT_STATUS_IS_OK(result)) {
2728 d_fprintf(stderr, "Couldn't list alias members\n");
2732 num_members = sid_array.num_sids;
2734 if (num_members == 0) {
2735 return NT_STATUS_OK;
2738 lsa_pipe = cli_rpc_pipe_open_noauth(pipe_hnd->cli, PI_LSARPC, &result);
2740 d_fprintf(stderr, "Couldn't open LSA pipe. Error was %s\n",
2741 nt_errstr(result) );
2745 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
2746 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
2748 if (!NT_STATUS_IS_OK(result)) {
2749 d_fprintf(stderr, "Couldn't open LSA policy handle\n");
2750 cli_rpc_pipe_close(lsa_pipe);
2754 alias_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
2756 d_fprintf(stderr, "Out of memory\n");
2757 cli_rpc_pipe_close(lsa_pipe);
2758 return NT_STATUS_NO_MEMORY;
2761 for (i=0; i<num_members; i++) {
2762 sid_copy(&alias_sids[i], sid_array.sids[i].sid);
2765 result = rpccli_lsa_lookup_sids(lsa_pipe, mem_ctx, &lsa_pol, num_members,
2767 &domains, &names, &types);
2769 if (!NT_STATUS_IS_OK(result) &&
2770 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
2771 d_fprintf(stderr, "Couldn't lookup SIDs\n");
2772 cli_rpc_pipe_close(lsa_pipe);
2776 for (i = 0; i < num_members; i++) {
2778 sid_to_fstring(sid_str, &alias_sids[i]);
2780 if (opt_long_list_entries) {
2781 printf("%s %s\\%s %d\n", sid_str,
2782 domains[i] ? domains[i] : "*unknown*",
2783 names[i] ? names[i] : "*unknown*", types[i]);
2786 printf("%s\\%s\n", domains[i], names[i]);
2788 printf("%s\n", sid_str);
2792 cli_rpc_pipe_close(lsa_pipe);
2793 return NT_STATUS_OK;
2796 static NTSTATUS rpc_group_members_internals(const DOM_SID *domain_sid,
2797 const char *domain_name,
2798 struct cli_state *cli,
2799 struct rpc_pipe_client *pipe_hnd,
2800 TALLOC_CTX *mem_ctx,
2805 POLICY_HND connect_pol, domain_pol;
2806 struct samr_Ids rids, rid_types;
2807 struct lsa_String lsa_acct_name;
2809 /* Get sam policy handle */
2811 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2812 pipe_hnd->cli->desthost,
2813 MAXIMUM_ALLOWED_ACCESS,
2816 if (!NT_STATUS_IS_OK(result))
2819 /* Get domain policy handle */
2821 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2823 MAXIMUM_ALLOWED_ACCESS,
2824 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2827 if (!NT_STATUS_IS_OK(result))
2830 init_lsa_String(&lsa_acct_name, argv[0]); /* sure? */
2832 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2839 if (!NT_STATUS_IS_OK(result)) {
2841 /* Ok, did not find it in the global sam, try with builtin */
2843 DOM_SID sid_Builtin;
2845 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
2847 sid_copy(&sid_Builtin, &global_sid_Builtin);
2849 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2851 MAXIMUM_ALLOWED_ACCESS,
2855 if (!NT_STATUS_IS_OK(result)) {
2856 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
2860 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2867 if (!NT_STATUS_IS_OK(result)) {
2868 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
2873 if (rids.count != 1) {
2874 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
2878 if (rid_types.ids[0] == SID_NAME_DOM_GRP) {
2879 return rpc_list_group_members(pipe_hnd, mem_ctx, domain_name,
2880 domain_sid, &domain_pol,
2884 if (rid_types.ids[0] == SID_NAME_ALIAS) {
2885 return rpc_list_alias_members(pipe_hnd, mem_ctx, &domain_pol,
2889 return NT_STATUS_NO_SUCH_GROUP;
2892 static int rpc_group_members(int argc, const char **argv)
2895 return rpc_group_usage(argc, argv);
2898 return run_rpc_command(NULL, PI_SAMR, 0,
2899 rpc_group_members_internals,
2903 static NTSTATUS rpc_group_rename_internals(const DOM_SID *domain_sid,
2904 const char *domain_name,
2905 struct cli_state *cli,
2906 struct rpc_pipe_client *pipe_hnd,
2907 TALLOC_CTX *mem_ctx,
2912 POLICY_HND connect_pol, domain_pol, group_pol;
2913 union samr_GroupInfo group_info;
2914 struct samr_Ids rids, rid_types;
2915 struct lsa_String lsa_acct_name;
2918 d_printf("Usage: 'net rpc group rename group newname'\n");
2919 return NT_STATUS_UNSUCCESSFUL;
2922 /* Get sam policy handle */
2924 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2925 pipe_hnd->cli->desthost,
2926 MAXIMUM_ALLOWED_ACCESS,
2929 if (!NT_STATUS_IS_OK(result))
2932 /* Get domain policy handle */
2934 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2936 MAXIMUM_ALLOWED_ACCESS,
2937 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2940 if (!NT_STATUS_IS_OK(result))
2943 init_lsa_String(&lsa_acct_name, argv[0]);
2945 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2952 if (rids.count != 1) {
2953 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
2957 if (rid_types.ids[0] != SID_NAME_DOM_GRP) {
2958 d_fprintf(stderr, "Can only rename domain groups\n");
2959 return NT_STATUS_UNSUCCESSFUL;
2962 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2964 MAXIMUM_ALLOWED_ACCESS,
2968 if (!NT_STATUS_IS_OK(result))
2971 init_lsa_String(&group_info.name, argv[1]);
2973 result = rpccli_samr_SetGroupInfo(pipe_hnd, mem_ctx,
2978 if (!NT_STATUS_IS_OK(result))
2981 return NT_STATUS_NO_SUCH_GROUP;
2984 static int rpc_group_rename(int argc, const char **argv)
2987 return rpc_group_usage(argc, argv);
2990 return run_rpc_command(NULL, PI_SAMR, 0,
2991 rpc_group_rename_internals,
2996 * 'net rpc group' entrypoint.
2997 * @param argc Standard main() style argc.
2998 * @param argv Standard main() style argv. Initial components are already
3002 int net_rpc_group(int argc, const char **argv)
3004 struct functable func[] = {
3005 {"add", rpc_group_add},
3006 {"delete", rpc_group_delete},
3007 {"addmem", rpc_group_addmem},
3008 {"delmem", rpc_group_delmem},
3009 {"list", rpc_group_list},
3010 {"members", rpc_group_members},
3011 {"rename", rpc_group_rename},
3016 return run_rpc_command(NULL, PI_SAMR, 0,
3017 rpc_group_list_internals,
3021 return net_run_function(argc, argv, func, rpc_group_usage);
3024 /****************************************************************************/
3026 static int rpc_share_usage(int argc, const char **argv)
3028 return net_help_share(argc, argv);
3032 * Add a share on a remote RPC server.
3034 * All parameters are provided by the run_rpc_command function, except for
3035 * argc, argv which are passed through.
3037 * @param domain_sid The domain sid acquired from the remote server.
3038 * @param cli A cli_state connected to the server.
3039 * @param mem_ctx Talloc context, destroyed on completion of the function.
3040 * @param argc Standard main() style argc.
3041 * @param argv Standard main() style argv. Initial components are already
3044 * @return Normal NTSTATUS return.
3046 static NTSTATUS rpc_share_add_internals(const DOM_SID *domain_sid,
3047 const char *domain_name,
3048 struct cli_state *cli,
3049 struct rpc_pipe_client *pipe_hnd,
3050 TALLOC_CTX *mem_ctx,int argc,
3057 uint32 type = STYPE_DISKTREE; /* only allow disk shares to be added */
3058 uint32 num_users=0, perms=0;
3059 char *password=NULL; /* don't allow a share password */
3061 union srvsvc_NetShareInfo info;
3062 struct srvsvc_NetShareInfo2 info2;
3063 uint32_t parm_error = 0;
3065 if ((sharename = talloc_strdup(mem_ctx, argv[0])) == NULL) {
3066 return NT_STATUS_NO_MEMORY;
3069 path = strchr(sharename, '=');
3071 return NT_STATUS_UNSUCCESSFUL;
3074 info2.name = sharename;
3076 info2.comment = opt_comment;
3077 info2.permissions = perms;
3078 info2.max_users = opt_maxusers;
3079 info2.current_users = num_users;
3081 info2.password = password;
3083 info.info2 = &info2;
3085 status = rpccli_srvsvc_NetShareAdd(pipe_hnd, mem_ctx,
3086 pipe_hnd->cli->desthost,
3094 static int rpc_share_add(int argc, const char **argv)
3096 if ((argc < 1) || !strchr(argv[0], '=')) {
3097 DEBUG(1,("Sharename or path not specified on add\n"));
3098 return rpc_share_usage(argc, argv);
3100 return run_rpc_command(NULL, PI_SRVSVC, 0,
3101 rpc_share_add_internals,
3106 * Delete a share on a remote RPC server.
3108 * All parameters are provided by the run_rpc_command function, except for
3109 * argc, argv which are passed through.
3111 * @param domain_sid The domain sid acquired from the remote server.
3112 * @param cli A cli_state connected to the server.
3113 * @param mem_ctx Talloc context, destroyed on completion of the function.
3114 * @param argc Standard main() style argc.
3115 * @param argv Standard main() style argv. Initial components are already
3118 * @return Normal NTSTATUS return.
3120 static NTSTATUS rpc_share_del_internals(const DOM_SID *domain_sid,
3121 const char *domain_name,
3122 struct cli_state *cli,
3123 struct rpc_pipe_client *pipe_hnd,
3124 TALLOC_CTX *mem_ctx,
3130 return rpccli_srvsvc_NetShareDel(pipe_hnd, mem_ctx,
3131 pipe_hnd->cli->desthost,
3138 * Delete a share on a remote RPC server.
3140 * @param domain_sid The domain sid acquired from the remote server.
3141 * @param argc Standard main() style argc.
3142 * @param argv Standard main() style argv. Initial components are already
3145 * @return A shell status integer (0 for success).
3147 static int rpc_share_delete(int argc, const char **argv)
3150 DEBUG(1,("Sharename not specified on delete\n"));
3151 return rpc_share_usage(argc, argv);
3153 return run_rpc_command(NULL, PI_SRVSVC, 0,
3154 rpc_share_del_internals,
3159 * Formatted print of share info
3161 * @param info1 pointer to SRV_SHARE_INFO_1 to format
3164 static void display_share_info_1(struct srvsvc_NetShareInfo1 *r)
3166 if (opt_long_list_entries) {
3167 d_printf("%-12s %-8.8s %-50s\n",
3169 share_type[r->type & ~(STYPE_TEMPORARY|STYPE_HIDDEN)],
3172 d_printf("%s\n", r->name);
3176 static WERROR get_share_info(struct rpc_pipe_client *pipe_hnd,
3177 TALLOC_CTX *mem_ctx,
3181 struct srvsvc_NetShareInfoCtr *info_ctr)
3185 union srvsvc_NetShareInfo info;
3187 /* no specific share requested, enumerate all */
3190 uint32_t preferred_len = 0xffffffff;
3191 uint32_t total_entries = 0;
3192 uint32_t resume_handle = 0;
3194 info_ctr->level = level;
3196 status = rpccli_srvsvc_NetShareEnumAll(pipe_hnd, mem_ctx,
3197 pipe_hnd->cli->desthost,
3206 /* request just one share */
3207 status = rpccli_srvsvc_NetShareGetInfo(pipe_hnd, mem_ctx,
3208 pipe_hnd->cli->desthost,
3214 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
3219 ZERO_STRUCTP(info_ctr);
3221 info_ctr->level = level;
3226 struct srvsvc_NetShareCtr1 *ctr1;
3228 ctr1 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr1);
3229 W_ERROR_HAVE_NO_MEMORY(ctr1);
3232 ctr1->array = info.info1;
3234 info_ctr->ctr.ctr1 = ctr1;
3238 struct srvsvc_NetShareCtr2 *ctr2;
3240 ctr2 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr2);
3241 W_ERROR_HAVE_NO_MEMORY(ctr2);
3244 ctr2->array = info.info2;
3246 info_ctr->ctr.ctr2 = ctr2;
3250 struct srvsvc_NetShareCtr502 *ctr502;
3252 ctr502 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr502);
3253 W_ERROR_HAVE_NO_MEMORY(ctr502);
3256 ctr502->array = info.info502;
3258 info_ctr->ctr.ctr502 = ctr502;
3266 * List shares on a remote RPC server.
3268 * All parameters are provided by the run_rpc_command function, except for
3269 * argc, argv which are passed through.
3271 * @param domain_sid The domain sid acquired from the remote server.
3272 * @param cli A cli_state connected to the server.
3273 * @param mem_ctx Talloc context, destroyed on completion of the function.
3274 * @param argc Standard main() style argc.
3275 * @param argv Standard main() style argv. Initial components are already
3278 * @return Normal NTSTATUS return.
3281 static NTSTATUS rpc_share_list_internals(const DOM_SID *domain_sid,
3282 const char *domain_name,
3283 struct cli_state *cli,
3284 struct rpc_pipe_client *pipe_hnd,
3285 TALLOC_CTX *mem_ctx,
3289 struct srvsvc_NetShareInfoCtr info_ctr;
3290 struct srvsvc_NetShareCtr1 ctr1;
3292 uint32 i, level = 1;
3294 ZERO_STRUCT(info_ctr);
3298 info_ctr.ctr.ctr1 = &ctr1;
3300 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &info_ctr);
3301 if (!W_ERROR_IS_OK(result))
3304 /* Display results */
3306 if (opt_long_list_entries) {
3308 "\nEnumerating shared resources (exports) on remote server:\n\n"\
3309 "\nShare name Type Description\n"\
3310 "---------- ---- -----------\n");
3312 for (i = 0; i < info_ctr.ctr.ctr1->count; i++)
3313 display_share_info_1(&info_ctr.ctr.ctr1->array[i]);
3315 return W_ERROR_IS_OK(result) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3319 * 'net rpc share list' entrypoint.
3320 * @param argc Standard main() style argc
3321 * @param argv Standard main() style argv. Initial components are already
3324 static int rpc_share_list(int argc, const char **argv)
3326 return run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_list_internals, argc, argv);
3329 static bool check_share_availability(struct cli_state *cli, const char *netname)
3331 if (!cli_send_tconX(cli, netname, "A:", "", 0)) {
3332 d_printf("skipping [%s]: not a file share.\n", netname);
3342 static bool check_share_sanity(struct cli_state *cli, const char *netname, uint32 type)
3344 /* only support disk shares */
3345 if (! ( type == STYPE_DISKTREE || type == (STYPE_DISKTREE | STYPE_HIDDEN)) ) {
3346 printf("share [%s] is not a diskshare (type: %x)\n", netname, type);
3350 /* skip builtin shares */
3351 /* FIXME: should print$ be added too ? */
3352 if (strequal(netname,"IPC$") || strequal(netname,"ADMIN$") ||
3353 strequal(netname,"global"))
3356 if (opt_exclude && in_list(netname, opt_exclude, False)) {
3357 printf("excluding [%s]\n", netname);
3361 return check_share_availability(cli, netname);
3365 * Migrate shares from a remote RPC server to the local RPC server.
3367 * All parameters are provided by the run_rpc_command function, except for
3368 * argc, argv which are passed through.
3370 * @param domain_sid The domain sid acquired from the remote server.
3371 * @param cli A cli_state connected to the server.
3372 * @param mem_ctx Talloc context, destroyed on completion of the function.
3373 * @param argc Standard main() style argc.
3374 * @param argv Standard main() style argv. Initial components are already
3377 * @return Normal NTSTATUS return.
3380 static NTSTATUS rpc_share_migrate_shares_internals(const DOM_SID *domain_sid,
3381 const char *domain_name,
3382 struct cli_state *cli,
3383 struct rpc_pipe_client *pipe_hnd,
3384 TALLOC_CTX *mem_ctx,
3389 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3390 struct srvsvc_NetShareInfoCtr ctr_src;
3392 struct rpc_pipe_client *srvsvc_pipe = NULL;
3393 struct cli_state *cli_dst = NULL;
3394 uint32 level = 502; /* includes secdesc */
3395 uint32_t parm_error = 0;
3397 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &ctr_src);
3398 if (!W_ERROR_IS_OK(result))
3401 /* connect destination PI_SRVSVC */
3402 nt_status = connect_dst_pipe(&cli_dst, &srvsvc_pipe, PI_SRVSVC);
3403 if (!NT_STATUS_IS_OK(nt_status))
3407 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3409 union srvsvc_NetShareInfo info;
3410 struct srvsvc_NetShareInfo502 info502 =
3411 ctr_src.ctr.ctr502->array[i];
3413 /* reset error-code */
3414 nt_status = NT_STATUS_UNSUCCESSFUL;
3416 if (!check_share_sanity(cli, info502.name, info502.type))
3419 /* finally add the share on the dst server */
3421 printf("migrating: [%s], path: %s, comment: %s, without share-ACLs\n",
3422 info502.name, info502.path, info502.comment);
3424 info.info502 = &info502;
3426 nt_status = rpccli_srvsvc_NetShareAdd(srvsvc_pipe, mem_ctx,
3427 srvsvc_pipe->cli->desthost,
3433 if (W_ERROR_V(result) == W_ERROR_V(WERR_ALREADY_EXISTS)) {
3434 printf(" [%s] does already exist\n",
3439 if (!NT_STATUS_IS_OK(nt_status) || !W_ERROR_IS_OK(result)) {
3440 printf("cannot add share: %s\n", dos_errstr(result));
3446 nt_status = NT_STATUS_OK;
3450 cli_shutdown(cli_dst);
3458 * Migrate shares from a rpc-server to another.
3460 * @param argc Standard main() style argc.
3461 * @param argv Standard main() style argv. Initial components are already
3464 * @return A shell status integer (0 for success).
3466 static int rpc_share_migrate_shares(int argc, const char **argv)
3470 printf("no server to migrate\n");
3474 return run_rpc_command(NULL, PI_SRVSVC, 0,
3475 rpc_share_migrate_shares_internals,
3482 * @param f file_info
3483 * @param mask current search mask
3484 * @param state arg-pointer
3487 static void copy_fn(const char *mnt, file_info *f, const char *mask, void *state)
3489 static NTSTATUS nt_status;
3490 static struct copy_clistate *local_state;
3491 static fstring filename, new_mask;
3495 local_state = (struct copy_clistate *)state;
3496 nt_status = NT_STATUS_UNSUCCESSFUL;
3498 if (strequal(f->name, ".") || strequal(f->name, ".."))
3501 DEBUG(3,("got mask: %s, name: %s\n", mask, f->name));
3504 if (f->mode & aDIR) {
3506 DEBUG(3,("got dir: %s\n", f->name));
3508 fstrcpy(dir, local_state->cwd);
3510 fstrcat(dir, f->name);
3512 switch (net_mode_share)
3514 case NET_MODE_SHARE_MIGRATE:
3515 /* create that directory */
3516 nt_status = net_copy_file(local_state->mem_ctx,
3517 local_state->cli_share_src,
3518 local_state->cli_share_dst,
3520 opt_acls? True : False,
3521 opt_attrs? True : False,
3522 opt_timestamps? True : False,
3526 d_fprintf(stderr, "Unsupported mode %d\n", net_mode_share);
3530 if (!NT_STATUS_IS_OK(nt_status))
3531 printf("could not handle dir %s: %s\n",
3532 dir, nt_errstr(nt_status));
3534 /* search below that directory */
3535 fstrcpy(new_mask, dir);
3536 fstrcat(new_mask, "\\*");
3538 old_dir = local_state->cwd;
3539 local_state->cwd = dir;
3540 if (!sync_files(local_state, new_mask))
3541 printf("could not handle files\n");
3542 local_state->cwd = old_dir;
3549 fstrcpy(filename, local_state->cwd);
3550 fstrcat(filename, "\\");
3551 fstrcat(filename, f->name);
3553 DEBUG(3,("got file: %s\n", filename));
3555 switch (net_mode_share)
3557 case NET_MODE_SHARE_MIGRATE:
3558 nt_status = net_copy_file(local_state->mem_ctx,
3559 local_state->cli_share_src,
3560 local_state->cli_share_dst,
3562 opt_acls? True : False,
3563 opt_attrs? True : False,
3564 opt_timestamps? True: False,
3568 d_fprintf(stderr, "Unsupported file mode %d\n", net_mode_share);
3572 if (!NT_STATUS_IS_OK(nt_status))
3573 printf("could not handle file %s: %s\n",
3574 filename, nt_errstr(nt_status));
3579 * sync files, can be called recursivly to list files
3580 * and then call copy_fn for each file
3582 * @param cp_clistate pointer to the copy_clistate we work with
3583 * @param mask the current search mask
3585 * @return Boolean result
3587 static bool sync_files(struct copy_clistate *cp_clistate, const char *mask)
3589 struct cli_state *targetcli;
3590 char *targetpath = NULL;
3592 DEBUG(3,("calling cli_list with mask: %s\n", mask));
3594 if ( !cli_resolve_path(talloc_tos(), "", cp_clistate->cli_share_src,
3595 mask, &targetcli, &targetpath ) ) {
3596 d_fprintf(stderr, "cli_resolve_path %s failed with error: %s\n",
3597 mask, cli_errstr(cp_clistate->cli_share_src));
3601 if (cli_list(targetcli, targetpath, cp_clistate->attribute, copy_fn, cp_clistate) == -1) {
3602 d_fprintf(stderr, "listing %s failed with error: %s\n",
3603 mask, cli_errstr(targetcli));
3612 * Set the top level directory permissions before we do any further copies.
3613 * Should set up ACL inheritance.
3616 bool copy_top_level_perms(struct copy_clistate *cp_clistate,
3617 const char *sharename)
3619 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3621 switch (net_mode_share) {
3622 case NET_MODE_SHARE_MIGRATE:
3623 DEBUG(3,("calling net_copy_fileattr for '.' directory in share %s\n", sharename));
3624 nt_status = net_copy_fileattr(cp_clistate->mem_ctx,
3625 cp_clistate->cli_share_src,
3626 cp_clistate->cli_share_dst,
3628 opt_acls? True : False,
3629 opt_attrs? True : False,
3630 opt_timestamps? True: False,
3634 d_fprintf(stderr, "Unsupported mode %d\n", net_mode_share);
3638 if (!NT_STATUS_IS_OK(nt_status)) {
3639 printf("Could handle directory attributes for top level directory of share %s. Error %s\n",
3640 sharename, nt_errstr(nt_status));
3648 * Sync all files inside a remote share to another share (over smb).
3650 * All parameters are provided by the run_rpc_command function, except for
3651 * argc, argv which are passed through.
3653 * @param domain_sid The domain sid acquired from the remote server.
3654 * @param cli A cli_state connected to the server.
3655 * @param mem_ctx Talloc context, destroyed on completion of the function.
3656 * @param argc Standard main() style argc.
3657 * @param argv Standard main() style argv. Initial components are already
3660 * @return Normal NTSTATUS return.
3663 static NTSTATUS rpc_share_migrate_files_internals(const DOM_SID *domain_sid,
3664 const char *domain_name,
3665 struct cli_state *cli,
3666 struct rpc_pipe_client *pipe_hnd,
3667 TALLOC_CTX *mem_ctx,
3672 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3673 struct srvsvc_NetShareInfoCtr ctr_src;
3676 struct copy_clistate cp_clistate;
3677 bool got_src_share = False;
3678 bool got_dst_share = False;
3679 const char *mask = "\\*";
3682 dst = SMB_STRDUP(opt_destination?opt_destination:"127.0.0.1");
3684 nt_status = NT_STATUS_NO_MEMORY;
3688 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &ctr_src);
3690 if (!W_ERROR_IS_OK(result))
3693 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3695 struct srvsvc_NetShareInfo502 info502 =
3696 ctr_src.ctr.ctr502->array[i];
3698 if (!check_share_sanity(cli, info502.name, info502.type))
3701 /* one might not want to mirror whole discs :) */
3702 if (strequal(info502.name, "print$") || info502.name[1] == '$') {
3703 d_printf("skipping [%s]: builtin/hidden share\n", info502.name);
3707 switch (net_mode_share)
3709 case NET_MODE_SHARE_MIGRATE:
3713 d_fprintf(stderr, "Unsupported mode %d\n", net_mode_share);
3716 printf(" [%s] files and directories %s ACLs, %s DOS Attributes %s\n",
3718 opt_acls ? "including" : "without",
3719 opt_attrs ? "including" : "without",
3720 opt_timestamps ? "(preserving timestamps)" : "");
3722 cp_clistate.mem_ctx = mem_ctx;
3723 cp_clistate.cli_share_src = NULL;
3724 cp_clistate.cli_share_dst = NULL;
3725 cp_clistate.cwd = NULL;
3726 cp_clistate.attribute = aSYSTEM | aHIDDEN | aDIR;
3728 /* open share source */
3729 nt_status = connect_to_service(&cp_clistate.cli_share_src,
3730 &cli->dest_ss, cli->desthost,
3731 info502.name, "A:");
3732 if (!NT_STATUS_IS_OK(nt_status))
3735 got_src_share = True;
3737 if (net_mode_share == NET_MODE_SHARE_MIGRATE) {
3738 /* open share destination */
3739 nt_status = connect_to_service(&cp_clistate.cli_share_dst,
3740 NULL, dst, info502.name, "A:");
3741 if (!NT_STATUS_IS_OK(nt_status))
3744 got_dst_share = True;
3747 if (!copy_top_level_perms(&cp_clistate, info502.name)) {
3748 d_fprintf(stderr, "Could not handle the top level directory permissions for the share: %s\n", info502.name);
3749 nt_status = NT_STATUS_UNSUCCESSFUL;
3753 if (!sync_files(&cp_clistate, mask)) {
3754 d_fprintf(stderr, "could not handle files for share: %s\n", info502.name);
3755 nt_status = NT_STATUS_UNSUCCESSFUL;
3760 nt_status = NT_STATUS_OK;
3765 cli_shutdown(cp_clistate.cli_share_src);
3768 cli_shutdown(cp_clistate.cli_share_dst);
3775 static int rpc_share_migrate_files(int argc, const char **argv)
3779 printf("no server to migrate\n");
3783 return run_rpc_command(NULL, PI_SRVSVC, 0,
3784 rpc_share_migrate_files_internals,
3789 * Migrate share-ACLs from a remote RPC server to the local RPC server.
3791 * All parameters are provided by the run_rpc_command function, except for
3792 * argc, argv which are passed through.
3794 * @param domain_sid The domain sid acquired from the remote server.
3795 * @param cli A cli_state connected to the server.
3796 * @param mem_ctx Talloc context, destroyed on completion of the function.
3797 * @param argc Standard main() style argc.
3798 * @param argv Standard main() style argv. Initial components are already
3801 * @return Normal NTSTATUS return.
3804 static NTSTATUS rpc_share_migrate_security_internals(const DOM_SID *domain_sid,
3805 const char *domain_name,
3806 struct cli_state *cli,
3807 struct rpc_pipe_client *pipe_hnd,
3808 TALLOC_CTX *mem_ctx,
3813 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3814 struct srvsvc_NetShareInfoCtr ctr_src;
3815 union srvsvc_NetShareInfo info;
3817 struct rpc_pipe_client *srvsvc_pipe = NULL;
3818 struct cli_state *cli_dst = NULL;
3819 uint32 level = 502; /* includes secdesc */
3820 uint32_t parm_error = 0;
3822 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &ctr_src);
3824 if (!W_ERROR_IS_OK(result))
3827 /* connect destination PI_SRVSVC */
3828 nt_status = connect_dst_pipe(&cli_dst, &srvsvc_pipe, PI_SRVSVC);
3829 if (!NT_STATUS_IS_OK(nt_status))
3833 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3835 struct srvsvc_NetShareInfo502 info502 =
3836 ctr_src.ctr.ctr502->array[i];
3838 /* reset error-code */
3839 nt_status = NT_STATUS_UNSUCCESSFUL;
3841 if (!check_share_sanity(cli, info502.name, info502.type))
3844 printf("migrating: [%s], path: %s, comment: %s, including share-ACLs\n",
3845 info502.name, info502.path, info502.comment);
3848 display_sec_desc(info502.sd_buf.sd);
3850 /* FIXME: shouldn't we be able to just set the security descriptor ? */
3851 info.info502 = &info502;
3853 /* finally modify the share on the dst server */
3854 nt_status = rpccli_srvsvc_NetShareSetInfo(srvsvc_pipe, mem_ctx,
3855 srvsvc_pipe->cli->desthost,
3861 if (!NT_STATUS_IS_OK(nt_status) || !W_ERROR_IS_OK(result)) {
3862 printf("cannot set share-acl: %s\n", dos_errstr(result));
3868 nt_status = NT_STATUS_OK;
3872 cli_shutdown(cli_dst);
3880 * Migrate share-acls from a rpc-server to another.
3882 * @param argc Standard main() style argc.
3883 * @param argv Standard main() style argv. Initial components are already
3886 * @return A shell status integer (0 for success)
3888 static int rpc_share_migrate_security(int argc, const char **argv)
3892 printf("no server to migrate\n");
3896 return run_rpc_command(NULL, PI_SRVSVC, 0,
3897 rpc_share_migrate_security_internals,
3902 * Migrate shares (including share-definitions, share-acls and files with acls/attrs)
3903 * from one server to another
3905 * @param argc Standard main() style argc.
3906 * @param argv Standard main() style argv. Initial components are already
3909 * @return A shell status integer (0 for success)
3912 static int rpc_share_migrate_all(int argc, const char **argv)
3917 printf("no server to migrate\n");
3921 /* order is important. we don't want to be locked out by the share-acl
3922 * before copying files - gd */
3924 ret = run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_shares_internals, argc, argv);
3928 ret = run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_files_internals, argc, argv);
3932 return run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_security_internals, argc, argv);
3937 * 'net rpc share migrate' entrypoint.
3938 * @param argc Standard main() style argc.
3939 * @param argv Standard main() style argv. Initial components are already
3942 static int rpc_share_migrate(int argc, const char **argv)
3945 struct functable func[] = {
3946 {"all", rpc_share_migrate_all},
3947 {"files", rpc_share_migrate_files},
3948 {"help", rpc_share_usage},
3949 {"security", rpc_share_migrate_security},
3950 {"shares", rpc_share_migrate_shares},
3954 net_mode_share = NET_MODE_SHARE_MIGRATE;
3956 return net_run_function(argc, argv, func, rpc_share_usage);
3965 static int num_server_aliases;
3966 static struct full_alias *server_aliases;
3969 * Add an alias to the static list.
3971 static void push_alias(TALLOC_CTX *mem_ctx, struct full_alias *alias)
3973 if (server_aliases == NULL)
3974 server_aliases = SMB_MALLOC_ARRAY(struct full_alias, 100);
3976 server_aliases[num_server_aliases] = *alias;
3977 num_server_aliases += 1;
3981 * For a specific domain on the server, fetch all the aliases
3982 * and their members. Add all of them to the server_aliases.
3985 static NTSTATUS rpc_fetch_domain_aliases(struct rpc_pipe_client *pipe_hnd,
3986 TALLOC_CTX *mem_ctx,
3987 POLICY_HND *connect_pol,
3988 const DOM_SID *domain_sid)
3990 uint32 start_idx, max_entries, num_entries, i;
3991 struct samr_SamArray *groups = NULL;
3993 POLICY_HND domain_pol;
3995 /* Get domain policy handle */
3997 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
3999 MAXIMUM_ALLOWED_ACCESS,
4000 CONST_DISCARD(struct dom_sid2 *, domain_sid),
4002 if (!NT_STATUS_IS_OK(result))
4009 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
4015 for (i = 0; i < num_entries; i++) {
4017 POLICY_HND alias_pol;
4018 struct full_alias alias;
4019 struct lsa_SidArray sid_array;
4022 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
4024 MAXIMUM_ALLOWED_ACCESS,
4025 groups->entries[i].idx,
4027 if (!NT_STATUS_IS_OK(result))
4030 result = rpccli_samr_GetMembersInAlias(pipe_hnd, mem_ctx,
4033 if (!NT_STATUS_IS_OK(result))
4036 alias.num_members = sid_array.num_sids;
4038 result = rpccli_samr_Close(pipe_hnd, mem_ctx, &alias_pol);
4039 if (!NT_STATUS_IS_OK(result))
4042 alias.members = NULL;
4044 if (alias.num_members > 0) {
4045 alias.members = SMB_MALLOC_ARRAY(DOM_SID, alias.num_members);
4047 for (j = 0; j < alias.num_members; j++)
4048 sid_copy(&alias.members[j],
4049 sid_array.sids[j].sid);
4052 sid_copy(&alias.sid, domain_sid);
4053 sid_append_rid(&alias.sid, groups->entries[i].idx);
4055 push_alias(mem_ctx, &alias);
4057 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
4059 result = NT_STATUS_OK;
4062 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
4068 * Dump server_aliases as names for debugging purposes.
4071 static NTSTATUS rpc_aliaslist_dump(const DOM_SID *domain_sid,
4072 const char *domain_name,
4073 struct cli_state *cli,
4074 struct rpc_pipe_client *pipe_hnd,
4075 TALLOC_CTX *mem_ctx,
4083 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
4084 SEC_RIGHTS_MAXIMUM_ALLOWED,
4086 if (!NT_STATUS_IS_OK(result))
4089 for (i=0; i<num_server_aliases; i++) {
4092 enum lsa_SidType *types;
4095 struct full_alias *alias = &server_aliases[i];
4097 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &lsa_pol, 1,
4099 &domains, &names, &types);
4100 if (!NT_STATUS_IS_OK(result))
4103 DEBUG(1, ("%s\\%s %d: ", domains[0], names[0], types[0]));
4105 if (alias->num_members == 0) {
4110 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &lsa_pol,
4113 &domains, &names, &types);
4115 if (!NT_STATUS_IS_OK(result) &&
4116 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
4119 for (j=0; j<alias->num_members; j++)
4120 DEBUG(1, ("%s\\%s (%d); ",
4121 domains[j] ? domains[j] : "*unknown*",
4122 names[j] ? names[j] : "*unknown*",types[j]));
4126 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
4128 return NT_STATUS_OK;
4132 * Fetch a list of all server aliases and their members into
4136 static NTSTATUS rpc_aliaslist_internals(const DOM_SID *domain_sid,
4137 const char *domain_name,
4138 struct cli_state *cli,
4139 struct rpc_pipe_client *pipe_hnd,
4140 TALLOC_CTX *mem_ctx,
4145 POLICY_HND connect_pol;
4147 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
4148 pipe_hnd->cli->desthost,
4149 MAXIMUM_ALLOWED_ACCESS,
4152 if (!NT_STATUS_IS_OK(result))
4155 result = rpc_fetch_domain_aliases(pipe_hnd, mem_ctx, &connect_pol,
4156 &global_sid_Builtin);
4158 if (!NT_STATUS_IS_OK(result))
4161 result = rpc_fetch_domain_aliases(pipe_hnd, mem_ctx, &connect_pol,
4164 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
4169 static void init_user_token(NT_USER_TOKEN *token, DOM_SID *user_sid)
4171 token->num_sids = 4;
4173 if (!(token->user_sids = SMB_MALLOC_ARRAY(DOM_SID, 4))) {
4174 d_fprintf(stderr, "malloc failed\n");
4175 token->num_sids = 0;
4179 token->user_sids[0] = *user_sid;
4180 sid_copy(&token->user_sids[1], &global_sid_World);
4181 sid_copy(&token->user_sids[2], &global_sid_Network);
4182 sid_copy(&token->user_sids[3], &global_sid_Authenticated_Users);
4185 static void free_user_token(NT_USER_TOKEN *token)
4187 SAFE_FREE(token->user_sids);
4190 static void add_sid_to_token(NT_USER_TOKEN *token, DOM_SID *sid)
4192 if (is_sid_in_token(token, sid))
4195 token->user_sids = SMB_REALLOC_ARRAY(token->user_sids, DOM_SID, token->num_sids+1);
4196 if (!token->user_sids) {
4200 sid_copy(&token->user_sids[token->num_sids], sid);
4202 token->num_sids += 1;
4207 NT_USER_TOKEN token;
4210 static void dump_user_token(struct user_token *token)
4214 d_printf("%s\n", token->name);
4216 for (i=0; i<token->token.num_sids; i++) {
4217 d_printf(" %s\n", sid_string_tos(&token->token.user_sids[i]));
4221 static bool is_alias_member(DOM_SID *sid, struct full_alias *alias)
4225 for (i=0; i<alias->num_members; i++) {
4226 if (sid_compare(sid, &alias->members[i]) == 0)
4233 static void collect_sid_memberships(NT_USER_TOKEN *token, DOM_SID sid)
4237 for (i=0; i<num_server_aliases; i++) {
4238 if (is_alias_member(&sid, &server_aliases[i]))
4239 add_sid_to_token(token, &server_aliases[i].sid);
4244 * We got a user token with all the SIDs we can know about without asking the
4245 * server directly. These are the user and domain group sids. All of these can
4246 * be members of aliases. So scan the list of aliases for each of the SIDs and
4247 * add them to the token.
4250 static void collect_alias_memberships(NT_USER_TOKEN *token)
4252 int num_global_sids = token->num_sids;
4255 for (i=0; i<num_global_sids; i++) {
4256 collect_sid_memberships(token, token->user_sids[i]);
4260 static bool get_user_sids(const char *domain, const char *user, NT_USER_TOKEN *token)
4262 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
4263 enum wbcSidType type;
4265 struct wbcDomainSid wsid;
4266 char *sid_str = NULL;
4268 uint32_t num_groups;
4269 gid_t *groups = NULL;
4272 fstr_sprintf(full_name, "%s%c%s",
4273 domain, *lp_winbind_separator(), user);
4275 /* First let's find out the user sid */
4277 wbc_status = wbcLookupName(domain, user, &wsid, &type);
4279 if (!WBC_ERROR_IS_OK(wbc_status)) {
4280 DEBUG(1, ("winbind could not find %s: %s\n",
4281 full_name, wbcErrorString(wbc_status)));
4285 wbc_status = wbcSidToString(&wsid, &sid_str);
4286 if (!WBC_ERROR_IS_OK(wbc_status)) {
4290 if (type != SID_NAME_USER) {
4291 wbcFreeMemory(sid_str);
4292 DEBUG(1, ("%s is not a user\n", full_name));
4296 string_to_sid(&user_sid, sid_str);
4297 wbcFreeMemory(sid_str);
4300 init_user_token(token, &user_sid);
4302 /* And now the groups winbind knows about */
4304 wbc_status = wbcGetGroups(full_name, &num_groups, &groups);
4305 if (!WBC_ERROR_IS_OK(wbc_status)) {
4306 DEBUG(1, ("winbind could not get groups of %s: %s\n",
4307 full_name, wbcErrorString(wbc_status)));
4311 for (i = 0; i < num_groups; i++) {
4312 gid_t gid = groups[i];
4315 wbc_status = wbcGidToSid(gid, &wsid);
4316 if (!WBC_ERROR_IS_OK(wbc_status)) {
4317 DEBUG(1, ("winbind could not find SID of gid %d: %s\n",
4318 gid, wbcErrorString(wbc_status)));
4319 wbcFreeMemory(groups);
4323 wbc_status = wbcSidToString(&wsid, &sid_str);
4324 if (!WBC_ERROR_IS_OK(wbc_status)) {
4325 wbcFreeMemory(groups);
4329 DEBUG(3, (" %s\n", sid_str));
4331 string_to_sid(&sid, sid_str);
4332 wbcFreeMemory(sid_str);
4335 add_sid_to_token(token, &sid);
4337 wbcFreeMemory(groups);
4343 * Get a list of all user tokens we want to look at
4346 static bool get_user_tokens(int *num_tokens, struct user_token **user_tokens)
4348 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
4349 uint32_t i, num_users;
4351 struct user_token *result;
4352 TALLOC_CTX *frame = NULL;
4354 if (lp_winbind_use_default_domain() &&
4355 (opt_target_workgroup == NULL)) {
4356 d_fprintf(stderr, "winbind use default domain = yes set, "
4357 "please specify a workgroup\n");
4361 /* Send request to winbind daemon */
4363 wbc_status = wbcListUsers(NULL, &num_users, &users);
4364 if (!WBC_ERROR_IS_OK(wbc_status)) {
4365 DEBUG(1, ("winbind could not list users: %s\n",
4366 wbcErrorString(wbc_status)));
4370 result = SMB_MALLOC_ARRAY(struct user_token, num_users);
4372 if (result == NULL) {
4373 DEBUG(1, ("Could not malloc sid array\n"));
4374 wbcFreeMemory(users);
4378 frame = talloc_stackframe();
4379 for (i=0; i < num_users; i++) {
4380 fstring domain, user;
4383 fstrcpy(result[i].name, users[i]);
4385 p = strchr(users[i], *lp_winbind_separator());
4387 DEBUG(3, ("%s\n", users[i]));
4390 fstrcpy(domain, opt_target_workgroup);
4391 fstrcpy(user, users[i]);
4394 fstrcpy(domain, users[i]);
4399 get_user_sids(domain, user, &(result[i].token));
4403 wbcFreeMemory(users);
4405 *num_tokens = num_users;
4406 *user_tokens = result;
4411 static bool get_user_tokens_from_file(FILE *f,
4413 struct user_token **tokens)
4415 struct user_token *token = NULL;
4420 if (fgets(line, sizeof(line)-1, f) == NULL) {
4424 if (line[strlen(line)-1] == '\n')
4425 line[strlen(line)-1] = '\0';
4427 if (line[0] == ' ') {
4431 string_to_sid(&sid, &line[1]);
4433 if (token == NULL) {
4434 DEBUG(0, ("File does not begin with username"));
4438 add_sid_to_token(&token->token, &sid);
4442 /* And a new user... */
4445 *tokens = SMB_REALLOC_ARRAY(*tokens, struct user_token, *num_tokens);
4446 if (*tokens == NULL) {
4447 DEBUG(0, ("Could not realloc tokens\n"));
4451 token = &((*tokens)[*num_tokens-1]);
4453 fstrcpy(token->name, line);
4454 token->token.num_sids = 0;
4455 token->token.user_sids = NULL;
4464 * Show the list of all users that have access to a share
4467 static void show_userlist(struct rpc_pipe_client *pipe_hnd,
4468 TALLOC_CTX *mem_ctx,
4469 const char *netname,
4471 struct user_token *tokens)
4474 SEC_DESC *share_sd = NULL;
4475 SEC_DESC *root_sd = NULL;
4476 struct cli_state *cli = pipe_hnd->cli;
4478 union srvsvc_NetShareInfo info;
4483 status = rpccli_srvsvc_NetShareGetInfo(pipe_hnd, mem_ctx,
4484 pipe_hnd->cli->desthost,
4490 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
4491 DEBUG(1, ("Coult not query secdesc for share %s\n",
4496 share_sd = info.info502->sd_buf.sd;
4497 if (share_sd == NULL) {
4498 DEBUG(1, ("Got no secdesc for share %s\n",
4504 if (!cli_send_tconX(cli, netname, "A:", "", 0)) {
4508 fnum = cli_nt_create(cli, "\\", READ_CONTROL_ACCESS);
4511 root_sd = cli_query_secdesc(cli, fnum, mem_ctx);
4514 for (i=0; i<num_tokens; i++) {
4517 if (share_sd != NULL) {
4518 if (!se_access_check(share_sd, &tokens[i].token,
4519 1, &acc_granted, &status)) {
4520 DEBUG(1, ("Could not check share_sd for "
4526 if (!NT_STATUS_IS_OK(status))
4530 if (root_sd == NULL) {
4531 d_printf(" %s\n", tokens[i].name);
4535 if (!se_access_check(root_sd, &tokens[i].token,
4536 1, &acc_granted, &status)) {
4537 DEBUG(1, ("Could not check root_sd for user %s\n",
4542 if (!NT_STATUS_IS_OK(status))
4545 d_printf(" %s\n", tokens[i].name);
4549 cli_close(cli, fnum);
4561 static void collect_share(const char *name, uint32 m,
4562 const char *comment, void *state)
4564 struct share_list *share_list = (struct share_list *)state;
4566 if (m != STYPE_DISKTREE)
4569 share_list->num_shares += 1;
4570 share_list->shares = SMB_REALLOC_ARRAY(share_list->shares, char *, share_list->num_shares);
4571 if (!share_list->shares) {
4572 share_list->num_shares = 0;
4575 share_list->shares[share_list->num_shares-1] = SMB_STRDUP(name);
4578 static void rpc_share_userlist_usage(void)
4584 * List shares on a remote RPC server, including the security descriptors.
4586 * All parameters are provided by the run_rpc_command function, except for
4587 * argc, argv which are passed through.
4589 * @param domain_sid The domain sid acquired from the remote server.
4590 * @param cli A cli_state connected to the server.
4591 * @param mem_ctx Talloc context, destroyed on completion of the function.
4592 * @param argc Standard main() style argc.
4593 * @param argv Standard main() style argv. Initial components are already
4596 * @return Normal NTSTATUS return.
4599 static NTSTATUS rpc_share_allowedusers_internals(const DOM_SID *domain_sid,
4600 const char *domain_name,
4601 struct cli_state *cli,
4602 struct rpc_pipe_client *pipe_hnd,
4603 TALLOC_CTX *mem_ctx,
4612 struct user_token *tokens = NULL;
4615 struct share_list share_list;
4618 rpc_share_userlist_usage();
4619 return NT_STATUS_UNSUCCESSFUL;
4625 f = fopen(argv[0], "r");
4629 DEBUG(0, ("Could not open userlist: %s\n", strerror(errno)));
4630 return NT_STATUS_UNSUCCESSFUL;
4633 r = get_user_tokens_from_file(f, &num_tokens, &tokens);
4639 DEBUG(0, ("Could not read users from file\n"));
4640 return NT_STATUS_UNSUCCESSFUL;
4643 for (i=0; i<num_tokens; i++)
4644 collect_alias_memberships(&tokens[i].token);
4646 share_list.num_shares = 0;
4647 share_list.shares = NULL;
4649 ret = cli_RNetShareEnum(cli, collect_share, &share_list);
4652 DEBUG(0, ("Error returning browse list: %s\n",
4657 for (i = 0; i < share_list.num_shares; i++) {
4658 char *netname = share_list.shares[i];
4660 if (netname[strlen(netname)-1] == '$')
4663 d_printf("%s\n", netname);
4665 show_userlist(pipe_hnd, mem_ctx, netname,
4666 num_tokens, tokens);
4669 for (i=0; i<num_tokens; i++) {
4670 free_user_token(&tokens[i].token);
4673 SAFE_FREE(share_list.shares);
4675 return NT_STATUS_OK;
4678 static int rpc_share_allowedusers(int argc, const char **argv)
4682 result = run_rpc_command(NULL, PI_SAMR, 0,
4683 rpc_aliaslist_internals,
4688 result = run_rpc_command(NULL, PI_LSARPC, 0,
4694 return run_rpc_command(NULL, PI_SRVSVC, 0,
4695 rpc_share_allowedusers_internals,
4699 int net_usersidlist(int argc, const char **argv)
4702 struct user_token *tokens = NULL;
4706 net_usersidlist_usage(argc, argv);
4710 if (!get_user_tokens(&num_tokens, &tokens)) {
4711 DEBUG(0, ("Could not get the user/sid list\n"));
4715 for (i=0; i<num_tokens; i++) {
4716 dump_user_token(&tokens[i]);
4717 free_user_token(&tokens[i].token);
4724 int net_usersidlist_usage(int argc, const char **argv)
4726 d_printf("net usersidlist\n"
4727 "\tprints out a list of all users the running winbind knows\n"
4728 "\tabout, together with all their SIDs. This is used as\n"
4729 "\tinput to the 'net rpc share allowedusers' command.\n\n");
4731 net_common_flags_usage(argc, argv);
4736 * 'net rpc share' entrypoint.
4737 * @param argc Standard main() style argc.
4738 * @param argv Standard main() style argv. Initial components are already
4742 int net_rpc_share(int argc, const char **argv)
4744 struct functable func[] = {
4745 {"add", rpc_share_add},
4746 {"delete", rpc_share_delete},
4747 {"allowedusers", rpc_share_allowedusers},
4748 {"migrate", rpc_share_migrate},
4749 {"list", rpc_share_list},
4754 return run_rpc_command(NULL, PI_SRVSVC, 0,
4755 rpc_share_list_internals,
4758 return net_run_function(argc, argv, func, rpc_share_usage);
4761 static NTSTATUS rpc_sh_share_list(TALLOC_CTX *mem_ctx,
4762 struct rpc_sh_ctx *ctx,
4763 struct rpc_pipe_client *pipe_hnd,
4764 int argc, const char **argv)
4766 return rpc_share_list_internals(ctx->domain_sid, ctx->domain_name,
4767 ctx->cli, pipe_hnd, mem_ctx,
4771 static NTSTATUS rpc_sh_share_add(TALLOC_CTX *mem_ctx,
4772 struct rpc_sh_ctx *ctx,
4773 struct rpc_pipe_client *pipe_hnd,
4774 int argc, const char **argv)
4778 uint32_t parm_err = 0;
4779 union srvsvc_NetShareInfo info;
4780 struct srvsvc_NetShareInfo2 info2;
4782 if ((argc < 2) || (argc > 3)) {
4783 d_fprintf(stderr, "usage: %s <share> <path> [comment]\n",
4785 return NT_STATUS_INVALID_PARAMETER;
4788 info2.name = argv[0];
4789 info2.type = STYPE_DISKTREE;
4790 info2.comment = (argc == 3) ? argv[2] : "";
4791 info2.permissions = 0;
4792 info2.max_users = 0;
4793 info2.current_users = 0;
4794 info2.path = argv[1];
4795 info2.password = NULL;
4797 info.info2 = &info2;
4799 status = rpccli_srvsvc_NetShareAdd(pipe_hnd, mem_ctx,
4800 pipe_hnd->cli->desthost,
4809 static NTSTATUS rpc_sh_share_delete(TALLOC_CTX *mem_ctx,
4810 struct rpc_sh_ctx *ctx,
4811 struct rpc_pipe_client *pipe_hnd,
4812 int argc, const char **argv)
4818 d_fprintf(stderr, "usage: %s <share>\n", ctx->whoami);
4819 return NT_STATUS_INVALID_PARAMETER;
4822 status = rpccli_srvsvc_NetShareDel(pipe_hnd, mem_ctx,
4823 pipe_hnd->cli->desthost,
4831 static NTSTATUS rpc_sh_share_info(TALLOC_CTX *mem_ctx,
4832 struct rpc_sh_ctx *ctx,
4833 struct rpc_pipe_client *pipe_hnd,
4834 int argc, const char **argv)
4836 union srvsvc_NetShareInfo info;
4841 d_fprintf(stderr, "usage: %s <share>\n", ctx->whoami);
4842 return NT_STATUS_INVALID_PARAMETER;
4845 status = rpccli_srvsvc_NetShareGetInfo(pipe_hnd, mem_ctx,
4846 pipe_hnd->cli->desthost,
4851 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
4855 d_printf("Name: %s\n", info.info2->name);
4856 d_printf("Comment: %s\n", info.info2->comment);
4857 d_printf("Path: %s\n", info.info2->path);
4858 d_printf("Password: %s\n", info.info2->password);
4861 return werror_to_ntstatus(result);
4864 struct rpc_sh_cmd *net_rpc_share_cmds(TALLOC_CTX *mem_ctx,
4865 struct rpc_sh_ctx *ctx)
4867 static struct rpc_sh_cmd cmds[] = {
4869 { "list", NULL, PI_SRVSVC, rpc_sh_share_list,
4870 "List available shares" },
4872 { "add", NULL, PI_SRVSVC, rpc_sh_share_add,
4875 { "delete", NULL, PI_SRVSVC, rpc_sh_share_delete,
4878 { "info", NULL, PI_SRVSVC, rpc_sh_share_info,
4879 "Get information about a share" },
4881 { NULL, NULL, 0, NULL, NULL }
4887 /****************************************************************************/
4889 static int rpc_file_usage(int argc, const char **argv)
4891 return net_help_file(argc, argv);
4895 * Close a file on a remote RPC server.
4897 * All parameters are provided by the run_rpc_command function, except for
4898 * argc, argv which are passed through.
4900 * @param domain_sid The domain sid acquired from the remote server.
4901 * @param cli A cli_state connected to the server.
4902 * @param mem_ctx Talloc context, destroyed on completion of the function.
4903 * @param argc Standard main() style argc.
4904 * @param argv Standard main() style argv. Initial components are already
4907 * @return Normal NTSTATUS return.
4909 static NTSTATUS rpc_file_close_internals(const DOM_SID *domain_sid,
4910 const char *domain_name,
4911 struct cli_state *cli,
4912 struct rpc_pipe_client *pipe_hnd,
4913 TALLOC_CTX *mem_ctx,
4917 return rpccli_srvsvc_NetFileClose(pipe_hnd, mem_ctx,
4918 pipe_hnd->cli->desthost,
4919 atoi(argv[0]), NULL);
4923 * Close a file on a remote RPC server.
4925 * @param argc Standard main() style argc.
4926 * @param argv Standard main() style argv. Initial components are already
4929 * @return A shell status integer (0 for success).
4931 static int rpc_file_close(int argc, const char **argv)
4934 DEBUG(1, ("No fileid given on close\n"));
4935 return(rpc_file_usage(argc, argv));
4938 return run_rpc_command(NULL, PI_SRVSVC, 0,
4939 rpc_file_close_internals,
4944 * Formatted print of open file info
4946 * @param r struct srvsvc_NetFileInfo3 contents
4949 static void display_file_info_3(struct srvsvc_NetFileInfo3 *r)
4951 d_printf("%-7.1d %-20.20s 0x%-4.2x %-6.1d %s\n",
4952 r->fid, r->user, r->permissions, r->num_locks, r->path);
4956 * List open files on a remote RPC server.
4958 * All parameters are provided by the run_rpc_command function, except for
4959 * argc, argv which are passed through.
4961 * @param domain_sid The domain sid acquired from the remote server.
4962 * @param cli A cli_state connected to the server.
4963 * @param mem_ctx Talloc context, destroyed on completion of the function.
4964 * @param argc Standard main() style argc.
4965 * @param argv Standard main() style argv. Initial components are already
4968 * @return Normal NTSTATUS return.
4971 static NTSTATUS rpc_file_list_internals(const DOM_SID *domain_sid,
4972 const char *domain_name,
4973 struct cli_state *cli,
4974 struct rpc_pipe_client *pipe_hnd,
4975 TALLOC_CTX *mem_ctx,
4979 struct srvsvc_NetFileInfoCtr info_ctr;
4980 struct srvsvc_NetFileCtr3 ctr3;
4983 uint32 preferred_len = 0xffffffff, i;
4984 const char *username=NULL;
4985 uint32_t total_entries = 0;
4986 uint32_t resume_handle = 0;
4988 /* if argc > 0, must be user command */
4990 username = smb_xstrdup(argv[0]);
4992 ZERO_STRUCT(info_ctr);
4996 info_ctr.ctr.ctr3 = &ctr3;
4998 status = rpccli_srvsvc_NetFileEnum(pipe_hnd, mem_ctx,
4999 pipe_hnd->cli->desthost,
5008 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result))
5011 /* Display results */
5014 "\nEnumerating open files on remote server:\n\n"\
5015 "\nFileId Opened by Perms Locks Path"\
5016 "\n------ --------- ----- ----- ---- \n");
5017 for (i = 0; i < total_entries; i++)
5018 display_file_info_3(&info_ctr.ctr.ctr3->array[i]);
5020 return W_ERROR_IS_OK(result) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
5024 * List files for a user on a remote RPC server.
5026 * @param argc Standard main() style argc.
5027 * @param argv Standard main() style argv. Initial components are already
5030 * @return A shell status integer (0 for success).
5033 static int rpc_file_user(int argc, const char **argv)
5036 DEBUG(1, ("No username given\n"));
5037 return(rpc_file_usage(argc, argv));
5040 return run_rpc_command(NULL, PI_SRVSVC, 0,
5041 rpc_file_list_internals,
5046 * 'net rpc file' entrypoint.
5047 * @param argc Standard main() style argc.
5048 * @param argv Standard main() style argv. Initial components are already
5052 int net_rpc_file(int argc, const char **argv)
5054 struct functable func[] = {
5055 {"close", rpc_file_close},
5056 {"user", rpc_file_user},
5058 {"info", rpc_file_info},
5064 return run_rpc_command(NULL, PI_SRVSVC, 0,
5065 rpc_file_list_internals,
5068 return net_run_function(argc, argv, func, rpc_file_usage);
5072 * ABORT the shutdown of a remote RPC Server, over initshutdown pipe.
5074 * All parameters are provided by the run_rpc_command function, except for
5075 * argc, argv which are passed through.
5077 * @param domain_sid The domain sid acquired from the remote server.
5078 * @param cli A cli_state connected to the server.
5079 * @param mem_ctx Talloc context, destroyed on completion of the function.
5080 * @param argc Standard main() style argc.
5081 * @param argv Standard main() style argv. Initial components are already
5084 * @return Normal NTSTATUS return.
5087 static NTSTATUS rpc_shutdown_abort_internals(const DOM_SID *domain_sid,
5088 const char *domain_name,
5089 struct cli_state *cli,
5090 struct rpc_pipe_client *pipe_hnd,
5091 TALLOC_CTX *mem_ctx,
5095 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5097 result = rpccli_initshutdown_Abort(pipe_hnd, mem_ctx, NULL, NULL);
5099 if (NT_STATUS_IS_OK(result)) {
5100 d_printf("\nShutdown successfully aborted\n");
5101 DEBUG(5,("cmd_shutdown_abort: query succeeded\n"));
5103 DEBUG(5,("cmd_shutdown_abort: query failed\n"));
5109 * ABORT the shutdown of a remote RPC Server, over winreg pipe.
5111 * All parameters are provided by the run_rpc_command function, except for
5112 * argc, argv which are passed through.
5114 * @param domain_sid The domain sid acquired from the remote server.
5115 * @param cli A cli_state connected to the server.
5116 * @param mem_ctx Talloc context, destroyed on completion of the function.
5117 * @param argc Standard main() style argc.
5118 * @param argv Standard main() style argv. Initial components are already
5121 * @return Normal NTSTATUS return.
5124 static NTSTATUS rpc_reg_shutdown_abort_internals(const DOM_SID *domain_sid,
5125 const char *domain_name,
5126 struct cli_state *cli,
5127 struct rpc_pipe_client *pipe_hnd,
5128 TALLOC_CTX *mem_ctx,
5132 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5134 result = rpccli_winreg_AbortSystemShutdown(pipe_hnd, mem_ctx, NULL, NULL);
5136 if (NT_STATUS_IS_OK(result)) {
5137 d_printf("\nShutdown successfully aborted\n");
5138 DEBUG(5,("cmd_reg_abort_shutdown: query succeeded\n"));
5140 DEBUG(5,("cmd_reg_abort_shutdown: query failed\n"));
5146 * ABORT the Shut down of a remote RPC server.
5148 * @param argc Standard main() style argc.
5149 * @param argv Standard main() style argv. Initial components are already
5152 * @return A shell status integer (0 for success).
5155 static int rpc_shutdown_abort(int argc, const char **argv)
5157 int rc = run_rpc_command(NULL, PI_INITSHUTDOWN, 0,
5158 rpc_shutdown_abort_internals,
5164 DEBUG(1, ("initshutdown pipe didn't work, trying winreg pipe\n"));
5166 return run_rpc_command(NULL, PI_WINREG, 0,
5167 rpc_reg_shutdown_abort_internals,
5172 * Shut down a remote RPC Server via initshutdown pipe.
5174 * All parameters are provided by the run_rpc_command function, except for
5175 * argc, argv which are passed through.
5177 * @param domain_sid The domain sid acquired from the remote server.
5178 * @param cli A cli_state connected to the server.
5179 * @param mem_ctx Talloc context, destroyed on completion of the function.
5180 * @param argc Standard main() style argc.
5181 * @param argv Standard main() style argv. Initial components are already
5184 * @return Normal NTSTATUS return.
5187 NTSTATUS rpc_init_shutdown_internals(const DOM_SID *domain_sid,
5188 const char *domain_name,
5189 struct cli_state *cli,
5190 struct rpc_pipe_client *pipe_hnd,
5191 TALLOC_CTX *mem_ctx,
5195 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5196 const char *msg = "This machine will be shutdown shortly";
5197 uint32 timeout = 20;
5198 struct initshutdown_String msg_string;
5199 struct initshutdown_String_sub s;
5201 if (opt_comment && strlen(opt_comment)) {
5205 timeout = opt_timeout;
5209 msg_string.name = &s;
5211 /* create an entry */
5212 result = rpccli_initshutdown_Init(pipe_hnd, mem_ctx, NULL,
5213 &msg_string, timeout, opt_force, opt_reboot, NULL);
5215 if (NT_STATUS_IS_OK(result)) {
5216 d_printf("\nShutdown of remote machine succeeded\n");
5217 DEBUG(5,("Shutdown of remote machine succeeded\n"));
5219 DEBUG(1,("Shutdown of remote machine failed!\n"));
5225 * Shut down a remote RPC Server via winreg pipe.
5227 * All parameters are provided by the run_rpc_command function, except for
5228 * argc, argv which are passed through.
5230 * @param domain_sid The domain sid acquired from the remote server.
5231 * @param cli A cli_state connected to the server.
5232 * @param mem_ctx Talloc context, destroyed on completion of the function.
5233 * @param argc Standard main() style argc.
5234 * @param argv Standard main() style argv. Initial components are already
5237 * @return Normal NTSTATUS return.
5240 NTSTATUS rpc_reg_shutdown_internals(const DOM_SID *domain_sid,
5241 const char *domain_name,
5242 struct cli_state *cli,
5243 struct rpc_pipe_client *pipe_hnd,
5244 TALLOC_CTX *mem_ctx,
5248 const char *msg = "This machine will be shutdown shortly";
5249 uint32 timeout = 20;
5250 struct initshutdown_String msg_string;
5251 struct initshutdown_String_sub s;
5255 if (opt_comment && strlen(opt_comment)) {
5259 msg_string.name = &s;
5262 timeout = opt_timeout;
5265 /* create an entry */
5266 result = rpccli_winreg_InitiateSystemShutdown(pipe_hnd, mem_ctx, NULL,
5267 &msg_string, timeout, opt_force, opt_reboot, &werr);
5269 if (NT_STATUS_IS_OK(result)) {
5270 d_printf("\nShutdown of remote machine succeeded\n");
5272 d_fprintf(stderr, "\nShutdown of remote machine failed\n");
5273 if ( W_ERROR_EQUAL(werr, WERR_MACHINE_LOCKED) )
5274 d_fprintf(stderr, "\nMachine locked, use -f switch to force\n");
5276 d_fprintf(stderr, "\nresult was: %s\n", dos_errstr(werr));
5283 * Shut down a remote RPC server.
5285 * @param argc Standard main() style argc.
5286 * @param argv Standard main() style argv. Initial components are already
5289 * @return A shell status integer (0 for success).
5292 static int rpc_shutdown(int argc, const char **argv)
5294 int rc = run_rpc_command(NULL, PI_INITSHUTDOWN, 0,
5295 rpc_init_shutdown_internals,
5299 DEBUG(1, ("initshutdown pipe failed, trying winreg pipe\n"));
5300 rc = run_rpc_command(NULL, PI_WINREG, 0,
5301 rpc_reg_shutdown_internals, argc, argv);
5307 /***************************************************************************
5308 NT Domain trusts code (i.e. 'net rpc trustdom' functionality)
5310 ***************************************************************************/
5313 * Add interdomain trust account to the RPC server.
5314 * All parameters (except for argc and argv) are passed by run_rpc_command
5317 * @param domain_sid The domain sid acquired from the server.
5318 * @param cli A cli_state connected to the server.
5319 * @param mem_ctx Talloc context, destroyed on completion of the function.
5320 * @param argc Standard main() style argc.
5321 * @param argv Standard main() style argv. Initial components are already
5324 * @return normal NTSTATUS return code.
5327 static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
5328 const char *domain_name,
5329 struct cli_state *cli,
5330 struct rpc_pipe_client *pipe_hnd,
5331 TALLOC_CTX *mem_ctx,
5335 POLICY_HND connect_pol, domain_pol, user_pol;
5336 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5338 struct lsa_String lsa_acct_name;
5340 uint32 acct_flags=0;
5342 uint32_t access_granted = 0;
5343 union samr_UserInfo info;
5344 unsigned int orig_timeout;
5347 d_printf("Usage: net rpc trustdom add <domain_name> <trust password>\n");
5348 return NT_STATUS_INVALID_PARAMETER;
5352 * Make valid trusting domain account (ie. uppercased and with '$' appended)
5355 if (asprintf(&acct_name, "%s$", argv[0]) < 0) {
5356 return NT_STATUS_NO_MEMORY;
5359 strupper_m(acct_name);
5361 init_lsa_String(&lsa_acct_name, acct_name);
5363 /* Get samr policy handle */
5364 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
5365 pipe_hnd->cli->desthost,
5366 MAXIMUM_ALLOWED_ACCESS,
5368 if (!NT_STATUS_IS_OK(result)) {
5372 /* Get domain policy handle */
5373 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
5375 MAXIMUM_ALLOWED_ACCESS,
5376 CONST_DISCARD(struct dom_sid2 *, domain_sid),
5378 if (!NT_STATUS_IS_OK(result)) {
5382 /* This call can take a long time - allow the server to time out.
5383 * 35 seconds should do it. */
5385 orig_timeout = cli_set_timeout(pipe_hnd->cli, 35000);
5387 /* Create trusting domain's account */
5388 acb_info = ACB_NORMAL;
5389 acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
5390 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
5391 SAMR_USER_ACCESS_SET_PASSWORD |
5392 SAMR_USER_ACCESS_GET_ATTRIBUTES |
5393 SAMR_USER_ACCESS_SET_ATTRIBUTES;
5395 result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
5404 /* And restore our original timeout. */
5405 cli_set_timeout(pipe_hnd->cli, orig_timeout);
5407 if (!NT_STATUS_IS_OK(result)) {
5408 d_printf("net rpc trustdom add: create user %s failed %s\n",
5409 acct_name, nt_errstr(result));
5415 struct samr_LogonHours hours;
5416 struct lsa_BinaryString parameters;
5417 const int units_per_week = 168;
5418 struct samr_CryptPassword crypt_pwd;
5420 ZERO_STRUCT(notime);
5422 ZERO_STRUCT(parameters);
5424 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
5426 result = NT_STATUS_NO_MEMORY;
5429 hours.units_per_week = units_per_week;
5430 memset(hours.bits, 0xFF, units_per_week);
5432 init_samr_CryptPassword(argv[1],
5433 &cli->user_session_key,
5436 init_samr_user_info23(&info.info23,
5437 notime, notime, notime,
5438 notime, notime, notime,
5439 NULL, NULL, NULL, NULL, NULL,
5440 NULL, NULL, NULL, NULL, ¶meters,
5442 SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_PASSWORD,
5444 0, 0, 0, 0, 0, 0, 0,
5447 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
5452 if (!NT_STATUS_IS_OK(result)) {
5453 DEBUG(0,("Could not set trust account password: %s\n",
5454 nt_errstr(result)));
5460 SAFE_FREE(acct_name);
5465 * Create interdomain trust account for a remote domain.
5467 * @param argc Standard argc.
5468 * @param argv Standard argv without initial components.
5470 * @return Integer status (0 means success)
5473 static int rpc_trustdom_add(int argc, const char **argv)
5476 return run_rpc_command(NULL, PI_SAMR, 0, rpc_trustdom_add_internals,
5479 d_printf("Usage: net rpc trustdom add <domain_name> <trust password>\n");
5486 * Remove interdomain trust account from the RPC server.
5487 * All parameters (except for argc and argv) are passed by run_rpc_command
5490 * @param domain_sid The domain sid acquired from the server.
5491 * @param cli A cli_state connected to the server.
5492 * @param mem_ctx Talloc context, destroyed on completion of the function.
5493 * @param argc Standard main() style argc.
5494 * @param argv Standard main() style argv. Initial components are already
5497 * @return normal NTSTATUS return code.
5500 static NTSTATUS rpc_trustdom_del_internals(const DOM_SID *domain_sid,
5501 const char *domain_name,
5502 struct cli_state *cli,
5503 struct rpc_pipe_client *pipe_hnd,
5504 TALLOC_CTX *mem_ctx,
5508 POLICY_HND connect_pol, domain_pol, user_pol;
5509 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5511 DOM_SID trust_acct_sid;
5512 struct samr_Ids user_rids, name_types;
5513 struct lsa_String lsa_acct_name;
5516 d_printf("Usage: net rpc trustdom del <domain_name>\n");
5517 return NT_STATUS_INVALID_PARAMETER;
5521 * Make valid trusting domain account (ie. uppercased and with '$' appended)
5523 acct_name = talloc_asprintf(mem_ctx, "%s$", argv[0]);
5525 if (acct_name == NULL)
5526 return NT_STATUS_NO_MEMORY;
5528 strupper_m(acct_name);
5530 /* Get samr policy handle */
5531 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
5532 pipe_hnd->cli->desthost,
5533 MAXIMUM_ALLOWED_ACCESS,
5535 if (!NT_STATUS_IS_OK(result)) {
5539 /* Get domain policy handle */
5540 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
5542 MAXIMUM_ALLOWED_ACCESS,
5543 CONST_DISCARD(struct dom_sid2 *, domain_sid),
5545 if (!NT_STATUS_IS_OK(result)) {
5549 init_lsa_String(&lsa_acct_name, acct_name);
5551 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
5558 if (!NT_STATUS_IS_OK(result)) {
5559 d_printf("net rpc trustdom del: LookupNames on user %s failed %s\n",
5560 acct_name, nt_errstr(result) );
5564 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
5566 MAXIMUM_ALLOWED_ACCESS,
5570 if (!NT_STATUS_IS_OK(result)) {
5571 d_printf("net rpc trustdom del: OpenUser on user %s failed %s\n",
5572 acct_name, nt_errstr(result) );
5576 /* append the rid to the domain sid */
5577 sid_copy(&trust_acct_sid, domain_sid);
5578 if (!sid_append_rid(&trust_acct_sid, user_rids.ids[0])) {
5582 /* remove the sid */
5584 result = rpccli_samr_RemoveMemberFromForeignDomain(pipe_hnd, mem_ctx,
5587 if (!NT_STATUS_IS_OK(result)) {
5588 d_printf("net rpc trustdom del: RemoveMemberFromForeignDomain on user %s failed %s\n",
5589 acct_name, nt_errstr(result) );
5595 result = rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
5598 if (!NT_STATUS_IS_OK(result)) {
5599 d_printf("net rpc trustdom del: DeleteUser on user %s failed %s\n",
5600 acct_name, nt_errstr(result) );
5604 if (!NT_STATUS_IS_OK(result)) {
5605 d_printf("Could not set trust account password: %s\n",
5615 * Delete interdomain trust account for a remote domain.
5617 * @param argc Standard argc.
5618 * @param argv Standard argv without initial components.
5620 * @return Integer status (0 means success).
5623 static int rpc_trustdom_del(int argc, const char **argv)
5626 return run_rpc_command(NULL, PI_SAMR, 0, rpc_trustdom_del_internals,
5629 d_printf("Usage: net rpc trustdom del <domain>\n");
5634 static NTSTATUS rpc_trustdom_get_pdc(struct cli_state *cli,
5635 TALLOC_CTX *mem_ctx,
5636 const char *domain_name)
5638 char *dc_name = NULL;
5639 const char *buffer = NULL;
5640 struct rpc_pipe_client *netr;
5643 /* Use NetServerEnum2 */
5645 if (cli_get_pdc_name(cli, domain_name, &dc_name)) {
5647 return NT_STATUS_OK;
5650 DEBUG(1,("NetServerEnum2 error: Couldn't find primary domain controller\
5651 for domain %s\n", domain_name));
5653 /* Try netr_GetDcName */
5655 netr = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &status);
5660 status = rpccli_netr_GetDcName(netr, mem_ctx,
5665 cli_rpc_pipe_close(netr);
5667 if (NT_STATUS_IS_OK(status)) {
5671 DEBUG(1,("netr_GetDcName error: Couldn't find primary domain controller\
5672 for domain %s\n", domain_name));
5678 * Establish trust relationship to a trusting domain.
5679 * Interdomain account must already be created on remote PDC.
5681 * @param argc Standard argc.
5682 * @param argv Standard argv without initial components.
5684 * @return Integer status (0 means success).
5687 static int rpc_trustdom_establish(int argc, const char **argv)
5689 struct cli_state *cli = NULL;
5690 struct sockaddr_storage server_ss;
5691 struct rpc_pipe_client *pipe_hnd = NULL;
5692 POLICY_HND connect_hnd;
5693 TALLOC_CTX *mem_ctx;
5695 DOM_SID *domain_sid;
5700 union lsa_PolicyInformation *info = NULL;
5703 * Connect to \\server\ipc$ as 'our domain' account with password
5707 d_printf("Usage: net rpc trustdom establish <domain_name>\n");
5711 domain_name = smb_xstrdup(argv[0]);
5712 strupper_m(domain_name);
5714 /* account name used at first is our domain's name with '$' */
5715 asprintf(&acct_name, "%s$", lp_workgroup());
5716 strupper_m(acct_name);
5719 * opt_workgroup will be used by connection functions further,
5720 * hence it should be set to remote domain name instead of ours
5722 if (opt_workgroup) {
5723 opt_workgroup = smb_xstrdup(domain_name);
5726 opt_user_name = acct_name;
5728 /* find the domain controller */
5729 if (!net_find_pdc(&server_ss, pdc_name, domain_name)) {
5730 DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name));
5734 /* connect to ipc$ as username/password */
5735 nt_status = connect_to_ipc(&cli, &server_ss, pdc_name);
5736 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
5738 /* Is it trusting domain account for sure ? */
5739 DEBUG(0, ("Couldn't verify trusting domain account. Error was %s\n",
5740 nt_errstr(nt_status)));
5744 /* store who we connected to */
5746 saf_store( domain_name, pdc_name );
5749 * Connect to \\server\ipc$ again (this time anonymously)
5752 nt_status = connect_to_ipc_anonymous(&cli, &server_ss, (char*)pdc_name);
5754 if (NT_STATUS_IS_ERR(nt_status)) {
5755 DEBUG(0, ("Couldn't connect to domain %s controller. Error was %s.\n",
5756 domain_name, nt_errstr(nt_status)));
5760 if (!(mem_ctx = talloc_init("establishing trust relationship to "
5761 "domain %s", domain_name))) {
5762 DEBUG(0, ("talloc_init() failed\n"));
5767 /* Make sure we're talking to a proper server */
5769 nt_status = rpc_trustdom_get_pdc(cli, mem_ctx, domain_name);
5770 if (!NT_STATUS_IS_OK(nt_status)) {
5772 talloc_destroy(mem_ctx);
5777 * Call LsaOpenPolicy and LsaQueryInfo
5780 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &nt_status);
5782 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
5784 talloc_destroy(mem_ctx);
5788 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True, SEC_RIGHTS_QUERY_VALUE,
5790 if (NT_STATUS_IS_ERR(nt_status)) {
5791 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
5792 nt_errstr(nt_status)));
5794 talloc_destroy(mem_ctx);
5798 /* Querying info level 5 */
5800 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
5802 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
5804 if (NT_STATUS_IS_ERR(nt_status)) {
5805 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
5806 nt_errstr(nt_status)));
5808 talloc_destroy(mem_ctx);
5812 domain_sid = info->account_domain.sid;
5814 /* There should be actually query info level 3 (following nt serv behaviour),
5815 but I still don't know if it's _really_ necessary */
5818 * Store the password in secrets db
5821 if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
5822 DEBUG(0, ("Storing password for trusted domain failed.\n"));
5824 talloc_destroy(mem_ctx);
5829 * Close the pipes and clean up
5832 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
5833 if (NT_STATUS_IS_ERR(nt_status)) {
5834 DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n",
5835 nt_errstr(nt_status)));
5837 talloc_destroy(mem_ctx);
5843 talloc_destroy(mem_ctx);
5845 d_printf("Trust to domain %s established\n", domain_name);
5850 * Revoke trust relationship to the remote domain.
5852 * @param argc Standard argc.
5853 * @param argv Standard argv without initial components.
5855 * @return Integer status (0 means success).
5858 static int rpc_trustdom_revoke(int argc, const char **argv)
5863 if (argc < 1) return -1;
5865 /* generate upper cased domain name */
5866 domain_name = smb_xstrdup(argv[0]);
5867 strupper_m(domain_name);
5869 /* delete password of the trust */
5870 if (!pdb_del_trusteddom_pw(domain_name)) {
5871 DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
5878 SAFE_FREE(domain_name);
5883 * Usage for 'net rpc trustdom' command
5885 * @param argc standard argc
5886 * @param argv standard argv without inital components
5888 * @return Integer status returned to shell
5891 static int rpc_trustdom_usage(int argc, const char **argv)
5893 d_printf(" net rpc trustdom add \t\t add trusting domain's account\n");
5894 d_printf(" net rpc trustdom del \t\t delete trusting domain's account\n");
5895 d_printf(" net rpc trustdom establish \t establish relationship to trusted domain\n");
5896 d_printf(" net rpc trustdom revoke \t abandon relationship to trusted domain\n");
5897 d_printf(" net rpc trustdom list \t show current interdomain trust relationships\n");
5898 d_printf(" net rpc trustdom vampire \t vampire interdomain trust relationships from remote server\n");
5903 static NTSTATUS rpc_query_domain_sid(const DOM_SID *domain_sid,
5904 const char *domain_name,
5905 struct cli_state *cli,
5906 struct rpc_pipe_client *pipe_hnd,
5907 TALLOC_CTX *mem_ctx,
5912 sid_to_fstring(str_sid, domain_sid);
5913 d_printf("%s\n", str_sid);
5914 return NT_STATUS_OK;
5917 static void print_trusted_domain(DOM_SID *dom_sid, const char *trusted_dom_name)
5919 fstring ascii_sid, padding;
5920 int pad_len, col_len = 20;
5922 /* convert sid into ascii string */
5923 sid_to_fstring(ascii_sid, dom_sid);
5925 /* calculate padding space for d_printf to look nicer */
5926 pad_len = col_len - strlen(trusted_dom_name);
5927 padding[pad_len] = 0;
5928 do padding[--pad_len] = ' '; while (pad_len);
5930 d_printf("%s%s%s\n", trusted_dom_name, padding, ascii_sid);
5933 static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
5934 TALLOC_CTX *mem_ctx,
5937 const char *trusted_dom_name)
5940 union lsa_TrustedDomainInfo *info = NULL;
5941 char *cleartextpwd = NULL;
5944 nt_status = rpccli_lsa_QueryTrustedDomainInfoBySid(pipe_hnd, mem_ctx,
5947 LSA_TRUSTED_DOMAIN_INFO_PASSWORD,
5949 if (NT_STATUS_IS_ERR(nt_status)) {
5950 DEBUG(0,("Could not query trusted domain info. Error was %s\n",
5951 nt_errstr(nt_status)));
5955 data = data_blob(info->password.password->data,
5956 info->password.password->length);
5958 cleartextpwd = decrypt_trustdom_secret(pipe_hnd->cli->pwd.password,
5961 if (cleartextpwd == NULL) {
5962 DEBUG(0,("retrieved NULL password\n"));
5963 nt_status = NT_STATUS_UNSUCCESSFUL;
5967 if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
5968 DEBUG(0, ("Storing password for trusted domain failed.\n"));
5969 nt_status = NT_STATUS_UNSUCCESSFUL;
5973 #ifdef DEBUG_PASSWORD
5974 DEBUG(100,("successfully vampired trusted domain [%s], sid: [%s], "
5975 "password: [%s]\n", trusted_dom_name,
5976 sid_string_dbg(&dom_sid), cleartextpwd));
5980 SAFE_FREE(cleartextpwd);
5981 data_blob_free(&data);
5986 static int rpc_trustdom_vampire(int argc, const char **argv)
5988 /* common variables */
5989 TALLOC_CTX* mem_ctx;
5990 struct cli_state *cli = NULL;
5991 struct rpc_pipe_client *pipe_hnd = NULL;
5993 const char *domain_name = NULL;
5994 DOM_SID *queried_dom_sid;
5995 POLICY_HND connect_hnd;
5996 union lsa_PolicyInformation *info = NULL;
5998 /* trusted domains listing variables */
5999 unsigned int enum_ctx = 0;
6001 struct lsa_DomainList dom_list;
6005 * Listing trusted domains (stored in secrets.tdb, if local)
6008 mem_ctx = talloc_init("trust relationships vampire");
6011 * set domain and pdc name to local samba server (default)
6012 * or to remote one given in command line
6015 if (StrCaseCmp(opt_workgroup, lp_workgroup())) {
6016 domain_name = opt_workgroup;
6017 opt_target_workgroup = opt_workgroup;
6019 fstrcpy(pdc_name, global_myname());
6020 domain_name = talloc_strdup(mem_ctx, lp_workgroup());
6021 opt_target_workgroup = domain_name;
6024 /* open \PIPE\lsarpc and open policy handle */
6025 nt_status = net_make_ipc_connection(NET_FLAGS_PDC, &cli);
6026 if (!NT_STATUS_IS_OK(nt_status)) {
6027 DEBUG(0, ("Couldn't connect to domain controller: %s\n",
6028 nt_errstr(nt_status)));
6029 talloc_destroy(mem_ctx);
6033 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &nt_status);
6035 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
6036 nt_errstr(nt_status) ));
6038 talloc_destroy(mem_ctx);
6042 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, False, SEC_RIGHTS_QUERY_VALUE,
6044 if (NT_STATUS_IS_ERR(nt_status)) {
6045 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6046 nt_errstr(nt_status)));
6048 talloc_destroy(mem_ctx);
6052 /* query info level 5 to obtain sid of a domain being queried */
6053 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6055 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6058 if (NT_STATUS_IS_ERR(nt_status)) {
6059 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6060 nt_errstr(nt_status)));
6062 talloc_destroy(mem_ctx);
6066 queried_dom_sid = info->account_domain.sid;
6069 * Keep calling LsaEnumTrustdom over opened pipe until
6070 * the end of enumeration is reached
6073 d_printf("Vampire trusted domains:\n\n");
6076 nt_status = rpccli_lsa_EnumTrustDom(pipe_hnd, mem_ctx,
6081 if (NT_STATUS_IS_ERR(nt_status)) {
6082 DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
6083 nt_errstr(nt_status)));
6085 talloc_destroy(mem_ctx);
6089 for (i = 0; i < dom_list.count; i++) {
6091 print_trusted_domain(dom_list.domains[i].sid,
6092 dom_list.domains[i].name.string);
6094 nt_status = vampire_trusted_domain(pipe_hnd, mem_ctx, &connect_hnd,
6095 *dom_list.domains[i].sid,
6096 dom_list.domains[i].name.string);
6097 if (!NT_STATUS_IS_OK(nt_status)) {
6099 talloc_destroy(mem_ctx);
6105 * in case of no trusted domains say something rather
6106 * than just display blank line
6108 if (!dom_list.count) d_printf("none\n");
6110 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6112 /* close this connection before doing next one */
6113 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6114 if (NT_STATUS_IS_ERR(nt_status)) {
6115 DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
6116 nt_errstr(nt_status)));
6118 talloc_destroy(mem_ctx);
6122 /* close lsarpc pipe and connection to IPC$ */
6125 talloc_destroy(mem_ctx);
6129 static int rpc_trustdom_list(int argc, const char **argv)
6131 /* common variables */
6132 TALLOC_CTX* mem_ctx;
6133 struct cli_state *cli = NULL, *remote_cli = NULL;
6134 struct rpc_pipe_client *pipe_hnd = NULL;
6136 const char *domain_name = NULL;
6137 DOM_SID *queried_dom_sid;
6139 int ascii_dom_name_len;
6140 POLICY_HND connect_hnd;
6141 union lsa_PolicyInformation *info = NULL;
6143 /* trusted domains listing variables */
6144 unsigned int num_domains, enum_ctx = 0;
6145 int i, pad_len, col_len = 20;
6146 struct lsa_DomainList dom_list;
6149 /* trusting domains listing variables */
6150 POLICY_HND domain_hnd;
6151 struct samr_SamArray *trusts = NULL;
6154 * Listing trusted domains (stored in secrets.tdb, if local)
6157 mem_ctx = talloc_init("trust relationships listing");
6160 * set domain and pdc name to local samba server (default)
6161 * or to remote one given in command line
6164 if (StrCaseCmp(opt_workgroup, lp_workgroup())) {
6165 domain_name = opt_workgroup;
6166 opt_target_workgroup = opt_workgroup;
6168 fstrcpy(pdc_name, global_myname());
6169 domain_name = talloc_strdup(mem_ctx, lp_workgroup());
6170 opt_target_workgroup = domain_name;
6173 /* open \PIPE\lsarpc and open policy handle */
6174 nt_status = net_make_ipc_connection(NET_FLAGS_PDC, &cli);
6175 if (!NT_STATUS_IS_OK(nt_status)) {
6176 DEBUG(0, ("Couldn't connect to domain controller: %s\n",
6177 nt_errstr(nt_status)));
6178 talloc_destroy(mem_ctx);
6182 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &nt_status);
6184 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
6185 nt_errstr(nt_status) ));
6187 talloc_destroy(mem_ctx);
6191 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, False, SEC_RIGHTS_QUERY_VALUE,
6193 if (NT_STATUS_IS_ERR(nt_status)) {
6194 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6195 nt_errstr(nt_status)));
6197 talloc_destroy(mem_ctx);
6201 /* query info level 5 to obtain sid of a domain being queried */
6202 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6204 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6207 if (NT_STATUS_IS_ERR(nt_status)) {
6208 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6209 nt_errstr(nt_status)));
6211 talloc_destroy(mem_ctx);
6215 queried_dom_sid = info->account_domain.sid;
6218 * Keep calling LsaEnumTrustdom over opened pipe until
6219 * the end of enumeration is reached
6222 d_printf("Trusted domains list:\n\n");
6225 nt_status = rpccli_lsa_EnumTrustDom(pipe_hnd, mem_ctx,
6230 if (NT_STATUS_IS_ERR(nt_status)) {
6231 DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
6232 nt_errstr(nt_status)));
6234 talloc_destroy(mem_ctx);
6238 for (i = 0; i < dom_list.count; i++) {
6239 print_trusted_domain(dom_list.domains[i].sid,
6240 dom_list.domains[i].name.string);
6244 * in case of no trusted domains say something rather
6245 * than just display blank line
6247 if (!dom_list.count) d_printf("none\n");
6249 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6251 /* close this connection before doing next one */
6252 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6253 if (NT_STATUS_IS_ERR(nt_status)) {
6254 DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
6255 nt_errstr(nt_status)));
6257 talloc_destroy(mem_ctx);
6261 cli_rpc_pipe_close(pipe_hnd);
6264 * Listing trusting domains (stored in passdb backend, if local)
6267 d_printf("\nTrusting domains list:\n\n");
6270 * Open \PIPE\samr and get needed policy handles
6272 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &nt_status);
6274 DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
6276 talloc_destroy(mem_ctx);
6281 nt_status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
6282 pipe_hnd->cli->desthost,
6283 SA_RIGHT_SAM_LOOKUP_DOMAIN,
6285 if (!NT_STATUS_IS_OK(nt_status)) {
6286 DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n",
6287 nt_errstr(nt_status)));
6289 talloc_destroy(mem_ctx);
6293 /* SamrOpenDomain - we have to open domain policy handle in order to be
6294 able to enumerate accounts*/
6295 nt_status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
6297 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
6300 if (!NT_STATUS_IS_OK(nt_status)) {
6301 DEBUG(0, ("Couldn't open domain object. Error was %s\n",
6302 nt_errstr(nt_status)));
6304 talloc_destroy(mem_ctx);
6309 * perform actual enumeration
6312 enum_ctx = 0; /* reset enumeration context from last enumeration */
6315 nt_status = rpccli_samr_EnumDomainUsers(pipe_hnd, mem_ctx,
6322 if (NT_STATUS_IS_ERR(nt_status)) {
6323 DEBUG(0, ("Couldn't enumerate accounts. Error was: %s\n",
6324 nt_errstr(nt_status)));
6326 talloc_destroy(mem_ctx);
6330 for (i = 0; i < num_domains; i++) {
6332 char *str = CONST_DISCARD(char *, trusts->entries[i].name.string);
6335 * get each single domain's sid (do we _really_ need this ?):
6336 * 1) connect to domain's pdc
6337 * 2) query the pdc for domain's sid
6340 /* get rid of '$' tail */
6341 ascii_dom_name_len = strlen(str);
6342 if (ascii_dom_name_len && ascii_dom_name_len < FSTRING_LEN)
6343 str[ascii_dom_name_len - 1] = '\0';
6345 /* calculate padding space for d_printf to look nicer */
6346 pad_len = col_len - strlen(str);
6347 padding[pad_len] = 0;
6348 do padding[--pad_len] = ' '; while (pad_len);
6350 /* set opt_* variables to remote domain */
6352 opt_workgroup = talloc_strdup(mem_ctx, str);
6353 opt_target_workgroup = opt_workgroup;
6355 d_printf("%s%s", str, padding);
6357 /* connect to remote domain controller */
6358 nt_status = net_make_ipc_connection(
6359 NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS,
6361 if (NT_STATUS_IS_OK(nt_status)) {
6362 /* query for domain's sid */
6363 if (run_rpc_command(remote_cli, PI_LSARPC, 0, rpc_query_domain_sid, argc, argv))
6364 d_fprintf(stderr, "couldn't get domain's sid\n");
6366 cli_shutdown(remote_cli);
6369 d_fprintf(stderr, "domain controller is not "
6371 nt_errstr(nt_status));
6375 if (!num_domains) d_printf("none\n");
6377 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6379 /* close opened samr and domain policy handles */
6380 nt_status = rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_hnd);
6381 if (!NT_STATUS_IS_OK(nt_status)) {
6382 DEBUG(0, ("Couldn't properly close domain policy handle for domain %s\n", domain_name));
6385 nt_status = rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_hnd);
6386 if (!NT_STATUS_IS_OK(nt_status)) {
6387 DEBUG(0, ("Couldn't properly close samr policy handle for domain %s\n", domain_name));
6390 /* close samr pipe and connection to IPC$ */
6393 talloc_destroy(mem_ctx);
6398 * Entrypoint for 'net rpc trustdom' code.
6400 * @param argc Standard argc.
6401 * @param argv Standard argv without initial components.
6403 * @return Integer status (0 means success).
6406 static int rpc_trustdom(int argc, const char **argv)
6408 struct functable func[] = {
6409 {"add", rpc_trustdom_add},
6410 {"del", rpc_trustdom_del},
6411 {"establish", rpc_trustdom_establish},
6412 {"revoke", rpc_trustdom_revoke},
6413 {"help", rpc_trustdom_usage},
6414 {"list", rpc_trustdom_list},
6415 {"vampire", rpc_trustdom_vampire},
6420 rpc_trustdom_usage(argc, argv);
6424 return (net_run_function(argc, argv, func, rpc_trustdom_usage));
6428 * Check if a server will take rpc commands
6429 * @param flags Type of server to connect to (PDC, DMB, localhost)
6430 * if the host is not explicitly specified
6431 * @return bool (true means rpc supported)
6433 bool net_rpc_check(unsigned flags)
6435 struct cli_state *cli;
6437 struct sockaddr_storage server_ss;
6438 char *server_name = NULL;
6441 /* flags (i.e. server type) may depend on command */
6442 if (!net_find_server(NULL, flags, &server_ss, &server_name))
6445 if ((cli = cli_initialise()) == NULL) {
6449 status = cli_connect(cli, server_name, &server_ss);
6450 if (!NT_STATUS_IS_OK(status))
6452 if (!attempt_netbios_session_request(&cli, global_myname(),
6453 server_name, &server_ss))
6455 if (!cli_negprot(cli))
6457 if (cli->protocol < PROTOCOL_NT1)
6466 /* dump sam database via samsync rpc calls */
6467 static int rpc_samdump(int argc, const char **argv) {
6468 return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS, rpc_samdump_internals,
6472 /* syncronise sam database via samsync rpc calls */
6473 static int rpc_vampire(int argc, const char **argv) {
6474 return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS, rpc_vampire_internals,
6479 * Migrate everything from a print-server.
6481 * @param argc Standard main() style argc.
6482 * @param argv Standard main() style argv. Initial components are already
6485 * @return A shell status integer (0 for success).
6487 * The order is important !
6488 * To successfully add drivers the print-queues have to exist !
6489 * Applying ACLs should be the last step, because you're easily locked out.
6492 static int rpc_printer_migrate_all(int argc, const char **argv)
6497 printf("no server to migrate\n");
6501 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_printers_internals, argc, argv);
6505 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_drivers_internals, argc, argv);
6509 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_forms_internals, argc, argv);
6513 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_settings_internals, argc, argv);
6517 return run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_security_internals, argc, argv);
6522 * Migrate print-drivers from a print-server.
6524 * @param argc Standard main() style argc.
6525 * @param argv Standard main() style argv. Initial components are already
6528 * @return A shell status integer (0 for success).
6530 static int rpc_printer_migrate_drivers(int argc, const char **argv)
6533 printf("no server to migrate\n");
6537 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6538 rpc_printer_migrate_drivers_internals,
6543 * Migrate print-forms from a print-server.
6545 * @param argc Standard main() style argc.
6546 * @param argv Standard main() style argv. Initial components are already
6549 * @return A shell status integer (0 for success).
6551 static int rpc_printer_migrate_forms(int argc, const char **argv)
6554 printf("no server to migrate\n");
6558 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6559 rpc_printer_migrate_forms_internals,
6564 * Migrate printers from a print-server.
6566 * @param argc Standard main() style argc.
6567 * @param argv Standard main() style argv. Initial components are already
6570 * @return A shell status integer (0 for success).
6572 static int rpc_printer_migrate_printers(int argc, const char **argv)
6575 printf("no server to migrate\n");
6579 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6580 rpc_printer_migrate_printers_internals,
6585 * Migrate printer-ACLs from a print-server.
6587 * @param argc Standard main() style argc.
6588 * @param argv Standard main() style argv. Initial components are already
6591 * @return A shell status integer (0 for success).
6593 static int rpc_printer_migrate_security(int argc, const char **argv)
6596 printf("no server to migrate\n");
6600 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6601 rpc_printer_migrate_security_internals,
6606 * Migrate printer-settings from a print-server.
6608 * @param argc Standard main() style argc.
6609 * @param argv Standard main() style argv. Initial components are already
6612 * @return A shell status integer (0 for success).
6614 static int rpc_printer_migrate_settings(int argc, const char **argv)
6617 printf("no server to migrate\n");
6621 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6622 rpc_printer_migrate_settings_internals,
6627 * 'net rpc printer' entrypoint.
6628 * @param argc Standard main() style argc.
6629 * @param argv Standard main() style argv. Initial components are already
6633 int rpc_printer_migrate(int argc, const char **argv)
6636 /* ouch: when addriver and setdriver are called from within
6637 rpc_printer_migrate_drivers_internals, the printer-queue already
6640 struct functable func[] = {
6641 {"all", rpc_printer_migrate_all},
6642 {"drivers", rpc_printer_migrate_drivers},
6643 {"forms", rpc_printer_migrate_forms},
6644 {"help", rpc_printer_usage},
6645 {"printers", rpc_printer_migrate_printers},
6646 {"security", rpc_printer_migrate_security},
6647 {"settings", rpc_printer_migrate_settings},
6651 return net_run_function(argc, argv, func, rpc_printer_usage);
6656 * List printers on a remote RPC server.
6658 * @param argc Standard main() style argc.
6659 * @param argv Standard main() style argv. Initial components are already
6662 * @return A shell status integer (0 for success).
6664 static int rpc_printer_list(int argc, const char **argv)
6667 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6668 rpc_printer_list_internals,
6673 * List printer-drivers on a remote RPC server.
6675 * @param argc Standard main() style argc.
6676 * @param argv Standard main() style argv. Initial components are already
6679 * @return A shell status integer (0 for success).
6681 static int rpc_printer_driver_list(int argc, const char **argv)
6684 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6685 rpc_printer_driver_list_internals,
6690 * Publish printer in ADS via MSRPC.
6692 * @param argc Standard main() style argc.
6693 * @param argv Standard main() style argv. Initial components are already
6696 * @return A shell status integer (0 for success).
6698 static int rpc_printer_publish_publish(int argc, const char **argv)
6701 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6702 rpc_printer_publish_publish_internals,
6707 * Update printer in ADS via MSRPC.
6709 * @param argc Standard main() style argc.
6710 * @param argv Standard main() style argv. Initial components are already
6713 * @return A shell status integer (0 for success).
6715 static int rpc_printer_publish_update(int argc, const char **argv)
6718 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6719 rpc_printer_publish_update_internals,
6724 * UnPublish printer in ADS via MSRPC
6726 * @param argc Standard main() style argc.
6727 * @param argv Standard main() style argv. Initial components are already
6730 * @return A shell status integer (0 for success).
6732 static int rpc_printer_publish_unpublish(int argc, const char **argv)
6735 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6736 rpc_printer_publish_unpublish_internals,
6741 * List published printers via MSRPC.
6743 * @param argc Standard main() style argc.
6744 * @param argv Standard main() style argv. Initial components are already
6747 * @return A shell status integer (0 for success).
6749 static int rpc_printer_publish_list(int argc, const char **argv)
6752 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6753 rpc_printer_publish_list_internals,
6759 * Publish printer in ADS.
6761 * @param argc Standard main() style argc.
6762 * @param argv Standard main() style argv. Initial components are already
6765 * @return A shell status integer (0 for success).
6767 static int rpc_printer_publish(int argc, const char **argv)
6770 struct functable func[] = {
6771 {"publish", rpc_printer_publish_publish},
6772 {"update", rpc_printer_publish_update},
6773 {"unpublish", rpc_printer_publish_unpublish},
6774 {"list", rpc_printer_publish_list},
6775 {"help", rpc_printer_usage},
6780 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6781 rpc_printer_publish_list_internals,
6784 return net_run_function(argc, argv, func, rpc_printer_usage);
6790 * Display rpc printer help page.
6791 * @param argc Standard main() style argc.
6792 * @param argv Standard main() style argv. Initial components are already
6795 int rpc_printer_usage(int argc, const char **argv)
6797 return net_help_printer(argc, argv);
6801 * 'net rpc printer' entrypoint.
6802 * @param argc Standard main() style argc.
6803 * @param argv Standard main() style argv. Initial components are already
6806 int net_rpc_printer(int argc, const char **argv)
6808 struct functable func[] = {
6809 {"list", rpc_printer_list},
6810 {"migrate", rpc_printer_migrate},
6811 {"driver", rpc_printer_driver_list},
6812 {"publish", rpc_printer_publish},
6817 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6818 rpc_printer_list_internals,
6821 return net_run_function(argc, argv, func, rpc_printer_usage);
6824 /****************************************************************************/
6828 * Basic usage function for 'net rpc'.
6829 * @param argc Standard main() style argc.
6830 * @param argv Standard main() style argv. Initial components are already
6834 int net_rpc_usage(int argc, const char **argv)
6836 d_printf(" net rpc info \t\t\tshow basic info about a domain \n");
6837 d_printf(" net rpc join \t\t\tto join a domain \n");
6838 d_printf(" net rpc oldjoin \t\tto join a domain created in server manager\n");
6839 d_printf(" net rpc testjoin \t\ttests that a join is valid\n");
6840 d_printf(" net rpc user \t\t\tto add, delete and list users\n");
6841 d_printf(" net rpc password <username> [<password>] -Uadmin_username%%admin_pass\n");
6842 d_printf(" net rpc group \t\tto list groups\n");
6843 d_printf(" net rpc share \t\tto add, delete, list and migrate shares\n");
6844 d_printf(" net rpc printer \t\tto list and migrate printers\n");
6845 d_printf(" net rpc file \t\t\tto list open files\n");
6846 d_printf(" net rpc changetrustpw \tto change the trust account password\n");
6847 d_printf(" net rpc getsid \t\tfetch the domain sid into the local secrets.tdb\n");
6848 d_printf(" net rpc vampire \t\tsyncronise an NT PDC's users and groups into the local passdb\n");
6849 d_printf(" net rpc samdump \t\tdisplay an NT PDC's users, groups and other data\n");
6850 d_printf(" net rpc trustdom \t\tto create trusting domain's account or establish trust\n");
6851 d_printf(" net rpc abortshutdown \tto abort the shutdown of a remote server\n");
6852 d_printf(" net rpc shutdown \t\tto shutdown a remote server\n");
6853 d_printf(" net rpc rights\t\tto manage privileges assigned to SIDs\n");
6854 d_printf(" net rpc registry\t\tto manage registry hives\n");
6855 d_printf(" net rpc service\t\tto start, stop and query services\n");
6856 d_printf(" net rpc audit\t\t\tto modify global auditing settings\n");
6857 d_printf(" net rpc shell\t\t\tto open an interactive shell for remote server/account management\n");
6859 d_printf("'net rpc shutdown' also accepts the following miscellaneous options:\n"); /* misc options */
6860 d_printf("\t-r or --reboot\trequest remote server reboot on shutdown\n");
6861 d_printf("\t-f or --force\trequest the remote server force its shutdown\n");
6862 d_printf("\t-t or --timeout=<timeout>\tnumber of seconds before shutdown\n");
6863 d_printf("\t-C or --comment=<message>\ttext message to display on impending shutdown\n");
6869 * Help function for 'net rpc'. Calls command specific help if requested
6870 * or displays usage of net rpc.
6871 * @param argc Standard main() style argc.
6872 * @param argv Standard main() style argv. Initial components are already
6876 int net_rpc_help(int argc, const char **argv)
6878 struct functable func[] = {
6879 {"join", rpc_join_usage},
6880 {"user", rpc_user_usage},
6881 {"group", rpc_group_usage},
6882 {"share", rpc_share_usage},
6883 /*{"changetrustpw", rpc_changetrustpw_usage}, */
6884 {"trustdom", rpc_trustdom_usage},
6885 /*{"abortshutdown", rpc_shutdown_abort_usage},*/
6886 /*{"shutdown", rpc_shutdown_usage}, */
6887 {"vampire", rpc_vampire_usage},
6892 net_rpc_usage(argc, argv);
6896 return (net_run_function(argc, argv, func, rpc_user_usage));
6900 * 'net rpc' entrypoint.
6901 * @param argc Standard main() style argc.
6902 * @param argv Standard main() style argv. Initial components are already
6906 int net_rpc(int argc, const char **argv)
6908 struct functable func[] = {
6909 {"audit", net_rpc_audit},
6910 {"info", net_rpc_info},
6911 {"join", net_rpc_join},
6912 {"oldjoin", net_rpc_oldjoin},
6913 {"testjoin", net_rpc_testjoin},
6914 {"user", net_rpc_user},
6915 {"password", rpc_user_password},
6916 {"group", net_rpc_group},
6917 {"share", net_rpc_share},
6918 {"file", net_rpc_file},
6919 {"printer", net_rpc_printer},
6920 {"changetrustpw", net_rpc_changetrustpw},
6921 {"trustdom", rpc_trustdom},
6922 {"abortshutdown", rpc_shutdown_abort},
6923 {"shutdown", rpc_shutdown},
6924 {"samdump", rpc_samdump},
6925 {"vampire", rpc_vampire},
6926 {"getsid", net_rpc_getsid},
6927 {"rights", net_rpc_rights},
6928 {"service", net_rpc_service},
6929 {"registry", net_rpc_registry},
6930 {"shell", net_rpc_shell},
6931 {"help", net_rpc_help},
6934 return net_run_function(argc, argv, func, net_rpc_usage);