2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
5 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
6 Copyright (C) 2004,2008 Guenther Deschner (gd@samba.org)
7 Copyright (C) 2005 Jeremy Allison (jra@samba.org)
8 Copyright (C) 2006 Jelmer Vernooij (jelmer@samba.org)
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>. */
24 #include "utils/net.h"
26 static int net_mode_share;
27 static bool sync_files(struct copy_clistate *cp_clistate, const char *mask);
32 * @brief RPC based subcommands for the 'net' utility.
34 * This file should contain much of the functionality that used to
35 * be found in rpcclient, execpt that the commands should change
36 * less often, and the fucntionality should be sane (the user is not
37 * expected to know a rid/sid before they conduct an operation etc.)
39 * @todo Perhaps eventually these should be split out into a number
40 * of files, as this could get quite big.
45 * Many of the RPC functions need the domain sid. This function gets
46 * it at the start of every run
48 * @param cli A cli_state already connected to the remote machine
50 * @return The Domain SID of the remote machine.
53 NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
55 const char **domain_name)
57 struct rpc_pipe_client *lsa_pipe;
59 NTSTATUS result = NT_STATUS_OK;
60 union lsa_PolicyInformation *info = NULL;
62 lsa_pipe = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result);
64 d_fprintf(stderr, "Could not initialise lsa pipe\n");
68 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, False,
69 SEC_RIGHTS_MAXIMUM_ALLOWED,
71 if (!NT_STATUS_IS_OK(result)) {
72 d_fprintf(stderr, "open_policy failed: %s\n",
77 result = rpccli_lsa_QueryInfoPolicy(lsa_pipe, mem_ctx,
79 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
81 if (!NT_STATUS_IS_OK(result)) {
82 d_fprintf(stderr, "lsaquery failed: %s\n",
87 *domain_name = info->account_domain.name.string;
88 *domain_sid = info->account_domain.sid;
90 rpccli_lsa_Close(lsa_pipe, mem_ctx, &pol);
91 cli_rpc_pipe_close(lsa_pipe);
97 * Run a single RPC command, from start to finish.
99 * @param pipe_name the pipe to connect to (usually a PIPE_ constant)
100 * @param conn_flag a NET_FLAG_ combination. Passed to
101 * net_make_ipc_connection.
102 * @param argc Standard main() style argc
103 * @param argc Standard main() style argv. Initial components are already
105 * @return A shell status integer (0 for success)
108 int run_rpc_command(struct cli_state *cli_arg,
115 struct cli_state *cli = NULL;
116 struct rpc_pipe_client *pipe_hnd = NULL;
120 const char *domain_name;
122 /* make use of cli_state handed over as an argument, if possible */
124 nt_status = net_make_ipc_connection(conn_flags, &cli);
125 if (!NT_STATUS_IS_OK(nt_status)) {
126 DEBUG(1, ("failed to make ipc connection: %s\n",
127 nt_errstr(nt_status)));
140 if (!(mem_ctx = talloc_init("run_rpc_command"))) {
141 DEBUG(0, ("talloc_init() failed\n"));
146 nt_status = net_get_remote_domain_sid(cli, mem_ctx, &domain_sid,
148 if (!NT_STATUS_IS_OK(nt_status)) {
153 if (!(conn_flags & NET_FLAGS_NO_PIPE)) {
154 if (lp_client_schannel() && (pipe_idx == PI_NETLOGON)) {
155 /* Always try and create an schannel netlogon pipe. */
156 pipe_hnd = cli_rpc_pipe_open_schannel(cli, pipe_idx,
157 PIPE_AUTH_LEVEL_PRIVACY,
161 DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
162 nt_errstr(nt_status) ));
167 pipe_hnd = cli_rpc_pipe_open_noauth(cli, pipe_idx, &nt_status);
169 DEBUG(0, ("Could not initialise pipe %s. Error was %s\n",
170 cli_get_pipe_name(pipe_idx),
171 nt_errstr(nt_status) ));
178 nt_status = fn(domain_sid, domain_name, cli, pipe_hnd, mem_ctx, argc, argv);
180 if (!NT_STATUS_IS_OK(nt_status)) {
181 DEBUG(1, ("rpc command function failed! (%s)\n", nt_errstr(nt_status)));
183 DEBUG(5, ("rpc command function succedded\n"));
186 if (!(conn_flags & NET_FLAGS_NO_PIPE)) {
188 cli_rpc_pipe_close(pipe_hnd);
192 /* close the connection only if it was opened here */
197 talloc_destroy(mem_ctx);
198 return (!NT_STATUS_IS_OK(nt_status));
202 * Force a change of the trust acccount password.
204 * All parameters are provided by the run_rpc_command function, except for
205 * argc, argv which are passes through.
207 * @param domain_sid The domain sid aquired from the remote server
208 * @param cli A cli_state connected to the server.
209 * @param mem_ctx Talloc context, destoyed on compleation of the function.
210 * @param argc Standard main() style argc
211 * @param argc Standard main() style argv. Initial components are already
214 * @return Normal NTSTATUS return.
217 static NTSTATUS rpc_changetrustpw_internals(const DOM_SID *domain_sid,
218 const char *domain_name,
219 struct cli_state *cli,
220 struct rpc_pipe_client *pipe_hnd,
226 return trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, opt_target_workgroup);
230 * Force a change of the trust acccount password.
232 * @param argc Standard main() style argc
233 * @param argc Standard main() style argv. Initial components are already
236 * @return A shell status integer (0 for success)
239 int net_rpc_changetrustpw(int argc, const char **argv)
241 return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
242 rpc_changetrustpw_internals,
247 * Join a domain, the old way.
249 * This uses 'machinename' as the inital password, and changes it.
251 * The password should be created with 'server manager' or equiv first.
253 * All parameters are provided by the run_rpc_command function, except for
254 * argc, argv which are passes through.
256 * @param domain_sid The domain sid aquired from the remote server
257 * @param cli A cli_state connected to the server.
258 * @param mem_ctx Talloc context, destoyed on compleation of the function.
259 * @param argc Standard main() style argc
260 * @param argc Standard main() style argv. Initial components are already
263 * @return Normal NTSTATUS return.
266 static NTSTATUS rpc_oldjoin_internals(const DOM_SID *domain_sid,
267 const char *domain_name,
268 struct cli_state *cli,
269 struct rpc_pipe_client *pipe_hnd,
275 fstring trust_passwd;
276 unsigned char orig_trust_passwd_hash[16];
278 uint32 sec_channel_type;
280 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result);
282 DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
285 nt_errstr(result) ));
290 check what type of join - if the user want's to join as
291 a BDC, the server must agree that we are a BDC.
294 sec_channel_type = get_sec_channel_type(argv[0]);
296 sec_channel_type = get_sec_channel_type(NULL);
299 fstrcpy(trust_passwd, global_myname());
300 strlower_m(trust_passwd);
303 * Machine names can be 15 characters, but the max length on
304 * a password is 14. --jerry
307 trust_passwd[14] = '\0';
309 E_md4hash(trust_passwd, orig_trust_passwd_hash);
311 result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, opt_target_workgroup,
312 orig_trust_passwd_hash,
315 if (NT_STATUS_IS_OK(result))
316 printf("Joined domain %s.\n",opt_target_workgroup);
319 if (!secrets_store_domain_sid(opt_target_workgroup, domain_sid)) {
320 DEBUG(0, ("error storing domain sid for %s\n", opt_target_workgroup));
321 result = NT_STATUS_UNSUCCESSFUL;
328 * Join a domain, the old way.
330 * @param argc Standard main() style argc
331 * @param argc Standard main() style argv. Initial components are already
334 * @return A shell status integer (0 for success)
337 static int net_rpc_perform_oldjoin(int argc, const char **argv)
339 return run_rpc_command(NULL, PI_NETLOGON,
340 NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
341 rpc_oldjoin_internals,
346 * Join a domain, the old way. This function exists to allow
347 * the message to be displayed when oldjoin was explicitly
348 * requested, but not when it was implied by "net rpc join"
350 * @param argc Standard main() style argc
351 * @param argc Standard main() style argv. Initial components are already
354 * @return A shell status integer (0 for success)
357 static int net_rpc_oldjoin(int argc, const char **argv)
359 int rc = net_rpc_perform_oldjoin(argc, argv);
362 d_fprintf(stderr, "Failed to join domain\n");
369 * Basic usage function for 'net rpc join'
370 * @param argc Standard main() style argc
371 * @param argc Standard main() style argv. Initial components are already
375 static int rpc_join_usage(int argc, const char **argv)
377 d_printf("net rpc join -U <username>[%%password] <type>[options]\n"\
378 "\t to join a domain with admin username & password\n"\
379 "\t\t password will be prompted if needed and none is specified\n"\
380 "\t <type> can be (default MEMBER)\n"\
381 "\t\t BDC - Join as a BDC\n"\
382 "\t\t PDC - Join as a PDC\n"\
383 "\t\t MEMBER - Join as a MEMBER server\n");
385 net_common_flags_usage(argc, argv);
390 * 'net rpc join' entrypoint.
391 * @param argc Standard main() style argc
392 * @param argc Standard main() style argv. Initial components are already
395 * Main 'net_rpc_join()' (where the admin username/password is used) is
397 * Try to just change the password, but if that doesn't work, use/prompt
398 * for a username/password.
401 int net_rpc_join(int argc, const char **argv)
403 if (lp_server_role() == ROLE_STANDALONE) {
404 d_printf("cannot join as standalone machine\n");
408 if (strlen(global_myname()) > 15) {
409 d_printf("Our netbios name can be at most 15 chars long, "
410 "\"%s\" is %u chars long\n",
411 global_myname(), (unsigned int)strlen(global_myname()));
415 if ((net_rpc_perform_oldjoin(argc, argv) == 0))
418 return net_rpc_join_newstyle(argc, argv);
422 * display info about a rpc domain
424 * All parameters are provided by the run_rpc_command function, except for
425 * argc, argv which are passed through.
427 * @param domain_sid The domain sid acquired from the remote server
428 * @param cli A cli_state connected to the server.
429 * @param mem_ctx Talloc context, destoyed on completion of the function.
430 * @param argc Standard main() style argc
431 * @param argv Standard main() style argv. Initial components are already
434 * @return Normal NTSTATUS return.
437 NTSTATUS rpc_info_internals(const DOM_SID *domain_sid,
438 const char *domain_name,
439 struct cli_state *cli,
440 struct rpc_pipe_client *pipe_hnd,
445 POLICY_HND connect_pol, domain_pol;
446 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
447 union samr_DomainInfo *info = NULL;
450 sid_to_fstring(sid_str, domain_sid);
452 /* Get sam policy handle */
453 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
454 pipe_hnd->cli->desthost,
455 MAXIMUM_ALLOWED_ACCESS,
457 if (!NT_STATUS_IS_OK(result)) {
458 d_fprintf(stderr, "Could not connect to SAM: %s\n", nt_errstr(result));
462 /* Get domain policy handle */
463 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
465 MAXIMUM_ALLOWED_ACCESS,
466 CONST_DISCARD(struct dom_sid2 *, domain_sid),
468 if (!NT_STATUS_IS_OK(result)) {
469 d_fprintf(stderr, "Could not open domain: %s\n", nt_errstr(result));
473 result = rpccli_samr_QueryDomainInfo(pipe_hnd, mem_ctx,
477 if (NT_STATUS_IS_OK(result)) {
478 d_printf("Domain Name: %s\n", info->info2.domain_name.string);
479 d_printf("Domain SID: %s\n", sid_str);
480 d_printf("Sequence number: %llu\n",
481 (unsigned long long)info->info2.sequence_num);
482 d_printf("Num users: %u\n", info->info2.num_users);
483 d_printf("Num domain groups: %u\n", info->info2.num_groups);
484 d_printf("Num local groups: %u\n", info->info2.num_aliases);
492 * 'net rpc info' entrypoint.
493 * @param argc Standard main() style argc
494 * @param argc Standard main() style argv. Initial components are already
498 int net_rpc_info(int argc, const char **argv)
500 return run_rpc_command(NULL, PI_SAMR, NET_FLAGS_PDC,
506 * Fetch domain SID into the local secrets.tdb
508 * All parameters are provided by the run_rpc_command function, except for
509 * argc, argv which are passes through.
511 * @param domain_sid The domain sid acquired from the remote server
512 * @param cli A cli_state connected to the server.
513 * @param mem_ctx Talloc context, destoyed on completion of the function.
514 * @param argc Standard main() style argc
515 * @param argv Standard main() style argv. Initial components are already
518 * @return Normal NTSTATUS return.
521 static NTSTATUS rpc_getsid_internals(const DOM_SID *domain_sid,
522 const char *domain_name,
523 struct cli_state *cli,
524 struct rpc_pipe_client *pipe_hnd,
531 sid_to_fstring(sid_str, domain_sid);
532 d_printf("Storing SID %s for Domain %s in secrets.tdb\n",
533 sid_str, domain_name);
535 if (!secrets_store_domain_sid(domain_name, domain_sid)) {
536 DEBUG(0,("Can't store domain SID\n"));
537 return NT_STATUS_UNSUCCESSFUL;
544 * 'net rpc getsid' entrypoint.
545 * @param argc Standard main() style argc
546 * @param argc Standard main() style argv. Initial components are already
550 int net_rpc_getsid(int argc, const char **argv)
552 return run_rpc_command(NULL, PI_SAMR, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
553 rpc_getsid_internals,
557 /****************************************************************************/
560 * Basic usage function for 'net rpc user'
561 * @param argc Standard main() style argc.
562 * @param argv Standard main() style argv. Initial components are already
566 static int rpc_user_usage(int argc, const char **argv)
568 return net_help_user(argc, argv);
572 * Add a new user to a remote RPC server
574 * All parameters are provided by the run_rpc_command function, except for
575 * argc, argv which are passes through.
577 * @param domain_sid The domain sid acquired from the remote server
578 * @param cli A cli_state connected to the server.
579 * @param mem_ctx Talloc context, destoyed on completion of the function.
580 * @param argc Standard main() style argc
581 * @param argv Standard main() style argv. Initial components are already
584 * @return Normal NTSTATUS return.
587 static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid,
588 const char *domain_name,
589 struct cli_state *cli,
590 struct rpc_pipe_client *pipe_hnd,
592 int argc, const char **argv)
595 POLICY_HND connect_pol, domain_pol, user_pol;
596 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
597 const char *acct_name;
598 struct lsa_String lsa_acct_name;
600 uint32 acct_flags, user_rid;
601 uint32_t access_granted = 0;
602 struct samr_Ids user_rids, name_types;
605 d_printf("User must be specified\n");
606 rpc_user_usage(argc, argv);
611 init_lsa_String(&lsa_acct_name, acct_name);
613 /* Get sam policy handle */
615 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
616 pipe_hnd->cli->desthost,
617 MAXIMUM_ALLOWED_ACCESS,
619 if (!NT_STATUS_IS_OK(result)) {
623 /* Get domain policy handle */
625 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
627 MAXIMUM_ALLOWED_ACCESS,
628 CONST_DISCARD(struct dom_sid2 *, domain_sid),
630 if (!NT_STATUS_IS_OK(result)) {
634 /* Create domain user */
636 acb_info = ACB_NORMAL;
637 acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
638 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
639 SAMR_USER_ACCESS_SET_PASSWORD |
640 SAMR_USER_ACCESS_GET_ATTRIBUTES |
641 SAMR_USER_ACCESS_SET_ATTRIBUTES;
643 result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
652 if (!NT_STATUS_IS_OK(result)) {
658 union samr_UserInfo info;
661 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
668 if (!NT_STATUS_IS_OK(result)) {
672 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
674 MAXIMUM_ALLOWED_ACCESS,
678 if (!NT_STATUS_IS_OK(result)) {
682 /* Set password on account */
684 encode_pw_buffer(pwbuf, argv[1], STR_UNICODE);
686 init_samr_user_info24(&info.info24, pwbuf, 24);
688 SamOEMhashBlob(info.info24.password.data, 516,
689 &cli->user_session_key);
691 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
696 if (!NT_STATUS_IS_OK(result)) {
697 d_fprintf(stderr, "Failed to set password for user %s - %s\n",
698 acct_name, nt_errstr(result));
700 result = rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
703 if (!NT_STATUS_IS_OK(result)) {
704 d_fprintf(stderr, "Failed to delete user %s - %s\n",
705 acct_name, nt_errstr(result));
712 if (!NT_STATUS_IS_OK(result)) {
713 d_fprintf(stderr, "Failed to add user '%s' with %s.\n",
714 acct_name, nt_errstr(result));
716 d_printf("Added user '%s'.\n", acct_name);
722 * Add a new user to a remote RPC server
724 * @param argc Standard main() style argc
725 * @param argv Standard main() style argv. Initial components are already
728 * @return A shell status integer (0 for success)
731 static int rpc_user_add(int argc, const char **argv)
733 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_add_internals,
738 * Delete a user from a remote RPC server
740 * All parameters are provided by the run_rpc_command function, except for
741 * argc, argv which are passes through.
743 * @param domain_sid The domain sid acquired from the remote server
744 * @param cli A cli_state connected to the server.
745 * @param mem_ctx Talloc context, destoyed on completion of the function.
746 * @param argc Standard main() style argc
747 * @param argv Standard main() style argv. Initial components are already
750 * @return Normal NTSTATUS return.
753 static NTSTATUS rpc_user_del_internals(const DOM_SID *domain_sid,
754 const char *domain_name,
755 struct cli_state *cli,
756 struct rpc_pipe_client *pipe_hnd,
761 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
762 POLICY_HND connect_pol, domain_pol, user_pol;
763 const char *acct_name;
766 d_printf("User must be specified\n");
767 rpc_user_usage(argc, argv);
773 /* Get sam policy and domain handles */
775 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
776 pipe_hnd->cli->desthost,
777 MAXIMUM_ALLOWED_ACCESS,
780 if (!NT_STATUS_IS_OK(result)) {
784 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
786 MAXIMUM_ALLOWED_ACCESS,
787 CONST_DISCARD(struct dom_sid2 *, domain_sid),
790 if (!NT_STATUS_IS_OK(result)) {
794 /* Get handle on user */
797 struct samr_Ids user_rids, name_types;
798 struct lsa_String lsa_acct_name;
800 init_lsa_String(&lsa_acct_name, acct_name);
802 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
809 if (!NT_STATUS_IS_OK(result)) {
813 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
815 MAXIMUM_ALLOWED_ACCESS,
819 if (!NT_STATUS_IS_OK(result)) {
826 result = rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
829 if (!NT_STATUS_IS_OK(result)) {
834 if (!NT_STATUS_IS_OK(result)) {
835 d_fprintf(stderr, "Failed to delete user '%s' with %s.\n",
836 acct_name, nt_errstr(result));
838 d_printf("Deleted user '%s'.\n", acct_name);
845 * Rename a user on a remote RPC server
847 * All parameters are provided by the run_rpc_command function, except for
848 * argc, argv which are passes through.
850 * @param domain_sid The domain sid acquired from the remote server
851 * @param cli A cli_state connected to the server.
852 * @param mem_ctx Talloc context, destoyed on completion of the function.
853 * @param argc Standard main() style argc
854 * @param argv Standard main() style argv. Initial components are already
857 * @return Normal NTSTATUS return.
860 static NTSTATUS rpc_user_rename_internals(const DOM_SID *domain_sid,
861 const char *domain_name,
862 struct cli_state *cli,
863 struct rpc_pipe_client *pipe_hnd,
868 POLICY_HND connect_pol, domain_pol, user_pol;
869 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
870 uint32 info_level = 7;
871 const char *old_name, *new_name;
872 struct samr_Ids user_rids, name_types;
873 struct lsa_String lsa_acct_name;
874 union samr_UserInfo *info = NULL;
877 d_printf("Old and new username must be specified\n");
878 rpc_user_usage(argc, argv);
885 /* Get sam policy handle */
887 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
888 pipe_hnd->cli->desthost,
889 MAXIMUM_ALLOWED_ACCESS,
892 if (!NT_STATUS_IS_OK(result)) {
896 /* Get domain policy handle */
898 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
900 MAXIMUM_ALLOWED_ACCESS,
901 CONST_DISCARD(struct dom_sid2 *, domain_sid),
903 if (!NT_STATUS_IS_OK(result)) {
907 init_lsa_String(&lsa_acct_name, old_name);
909 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
915 if (!NT_STATUS_IS_OK(result)) {
919 /* Open domain user */
920 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
922 MAXIMUM_ALLOWED_ACCESS,
926 if (!NT_STATUS_IS_OK(result)) {
930 /* Query user info */
931 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
936 if (!NT_STATUS_IS_OK(result)) {
940 init_samr_user_info7(&info->info7, new_name);
943 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
948 if (!NT_STATUS_IS_OK(result)) {
953 if (!NT_STATUS_IS_OK(result)) {
954 d_fprintf(stderr, "Failed to rename user from %s to %s - %s\n", old_name, new_name,
957 d_printf("Renamed user from %s to %s\n", old_name, new_name);
963 * Rename a user on a remote RPC server
965 * @param argc Standard main() style argc
966 * @param argv Standard main() style argv. Initial components are already
969 * @return A shell status integer (0 for success)
972 static int rpc_user_rename(int argc, const char **argv)
974 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_rename_internals,
979 * Delete a user from a remote RPC server
981 * @param argc Standard main() style argc
982 * @param argv Standard main() style argv. Initial components are already
985 * @return A shell status integer (0 for success)
988 static int rpc_user_delete(int argc, const char **argv)
990 NET_API_STATUS status;
993 d_printf("User must be specified\n");
994 rpc_user_usage(argc, argv);
998 status = NetUserDel(opt_host, argv[0]);
1001 d_fprintf(stderr, "Failed to delete user '%s' with: %s.\n",
1003 libnetapi_get_error_string(NULL, status));
1006 d_printf("Deleted user '%s'.\n", argv[0]);
1013 * Set a password for a user on a remote RPC server
1015 * All parameters are provided by the run_rpc_command function, except for
1016 * argc, argv which are passes through.
1018 * @param domain_sid The domain sid acquired from the remote server
1019 * @param cli A cli_state connected to the server.
1020 * @param mem_ctx Talloc context, destoyed on completion of the function.
1021 * @param argc Standard main() style argc
1022 * @param argv Standard main() style argv. Initial components are already
1025 * @return Normal NTSTATUS return.
1028 static NTSTATUS rpc_user_password_internals(const DOM_SID *domain_sid,
1029 const char *domain_name,
1030 struct cli_state *cli,
1031 struct rpc_pipe_client *pipe_hnd,
1032 TALLOC_CTX *mem_ctx,
1036 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1037 POLICY_HND connect_pol, domain_pol, user_pol;
1040 const char *new_password;
1041 char *prompt = NULL;
1042 union samr_UserInfo info;
1045 d_printf("User must be specified\n");
1046 rpc_user_usage(argc, argv);
1047 return NT_STATUS_OK;
1053 new_password = argv[1];
1055 asprintf(&prompt, "Enter new password for %s:", user);
1056 new_password = getpass(prompt);
1060 /* Get sam policy and domain handles */
1062 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1063 pipe_hnd->cli->desthost,
1064 MAXIMUM_ALLOWED_ACCESS,
1067 if (!NT_STATUS_IS_OK(result)) {
1071 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1073 MAXIMUM_ALLOWED_ACCESS,
1074 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1077 if (!NT_STATUS_IS_OK(result)) {
1081 /* Get handle on user */
1084 struct samr_Ids user_rids, name_types;
1085 struct lsa_String lsa_acct_name;
1087 init_lsa_String(&lsa_acct_name, user);
1089 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1095 if (!NT_STATUS_IS_OK(result)) {
1099 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1101 MAXIMUM_ALLOWED_ACCESS,
1105 if (!NT_STATUS_IS_OK(result)) {
1110 /* Set password on account */
1112 encode_pw_buffer(pwbuf, new_password, STR_UNICODE);
1114 init_samr_user_info24(&info.info24, pwbuf, 24);
1116 SamOEMhashBlob(info.info24.password.data, 516,
1117 &cli->user_session_key);
1119 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
1124 if (!NT_STATUS_IS_OK(result)) {
1128 /* Display results */
1136 * Set a user's password on a remote RPC server
1138 * @param argc Standard main() style argc
1139 * @param argv Standard main() style argv. Initial components are already
1142 * @return A shell status integer (0 for success)
1145 static int rpc_user_password(int argc, const char **argv)
1147 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_password_internals,
1152 * List user's groups on a remote RPC server
1154 * All parameters are provided by the run_rpc_command function, except for
1155 * argc, argv which are passes through.
1157 * @param domain_sid The domain sid acquired from the remote server
1158 * @param cli A cli_state connected to the server.
1159 * @param mem_ctx Talloc context, destoyed on completion of the function.
1160 * @param argc Standard main() style argc
1161 * @param argv Standard main() style argv. Initial components are already
1164 * @return Normal NTSTATUS return.
1167 static NTSTATUS rpc_user_info_internals(const DOM_SID *domain_sid,
1168 const char *domain_name,
1169 struct cli_state *cli,
1170 struct rpc_pipe_client *pipe_hnd,
1171 TALLOC_CTX *mem_ctx,
1175 POLICY_HND connect_pol, domain_pol, user_pol;
1176 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1178 struct samr_RidWithAttributeArray *rid_array = NULL;
1179 struct lsa_Strings names;
1180 struct samr_Ids types;
1181 uint32_t *lrids = NULL;
1182 struct samr_Ids rids, name_types;
1183 struct lsa_String lsa_acct_name;
1187 d_printf("User must be specified\n");
1188 rpc_user_usage(argc, argv);
1189 return NT_STATUS_OK;
1191 /* Get sam policy handle */
1193 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1194 pipe_hnd->cli->desthost,
1195 MAXIMUM_ALLOWED_ACCESS,
1197 if (!NT_STATUS_IS_OK(result)) goto done;
1199 /* Get domain policy handle */
1201 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1203 MAXIMUM_ALLOWED_ACCESS,
1204 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1206 if (!NT_STATUS_IS_OK(result)) goto done;
1208 /* Get handle on user */
1210 init_lsa_String(&lsa_acct_name, argv[0]);
1212 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1219 if (!NT_STATUS_IS_OK(result)) goto done;
1221 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1223 MAXIMUM_ALLOWED_ACCESS,
1226 if (!NT_STATUS_IS_OK(result)) goto done;
1228 result = rpccli_samr_GetGroupsForUser(pipe_hnd, mem_ctx,
1232 if (!NT_STATUS_IS_OK(result)) goto done;
1236 if (rid_array->count) {
1237 if ((lrids = TALLOC_ARRAY(mem_ctx, uint32, rid_array->count)) == NULL) {
1238 result = NT_STATUS_NO_MEMORY;
1242 for (i = 0; i < rid_array->count; i++)
1243 lrids[i] = rid_array->rids[i].rid;
1245 result = rpccli_samr_LookupRids(pipe_hnd, mem_ctx,
1252 if (!NT_STATUS_IS_OK(result)) {
1256 /* Display results */
1258 for (i = 0; i < names.count; i++)
1259 printf("%s\n", names.names[i].string);
1266 * List a user's groups from a remote RPC server
1268 * @param argc Standard main() style argc
1269 * @param argv Standard main() style argv. Initial components are already
1272 * @return A shell status integer (0 for success)
1275 static int rpc_user_info(int argc, const char **argv)
1277 return run_rpc_command(NULL, PI_SAMR, 0, rpc_user_info_internals,
1282 * List users on a remote RPC server
1284 * All parameters are provided by the run_rpc_command function, except for
1285 * argc, argv which are passes through.
1287 * @param domain_sid The domain sid acquired from the remote server
1288 * @param cli A cli_state connected to the server.
1289 * @param mem_ctx Talloc context, destoyed on completion of the function.
1290 * @param argc Standard main() style argc
1291 * @param argv Standard main() style argv. Initial components are already
1294 * @return Normal NTSTATUS return.
1297 static NTSTATUS rpc_user_list_internals(const DOM_SID *domain_sid,
1298 const char *domain_name,
1299 struct cli_state *cli,
1300 struct rpc_pipe_client *pipe_hnd,
1301 TALLOC_CTX *mem_ctx,
1305 POLICY_HND connect_pol, domain_pol;
1306 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1307 uint32 start_idx=0, num_entries, i, loop_count = 0;
1309 /* Get sam policy handle */
1311 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1312 pipe_hnd->cli->desthost,
1313 MAXIMUM_ALLOWED_ACCESS,
1315 if (!NT_STATUS_IS_OK(result)) {
1319 /* Get domain policy handle */
1321 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1323 MAXIMUM_ALLOWED_ACCESS,
1324 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1326 if (!NT_STATUS_IS_OK(result)) {
1330 /* Query domain users */
1331 if (opt_long_list_entries)
1332 d_printf("\nUser name Comment"\
1333 "\n-----------------------------\n");
1335 const char *user = NULL;
1336 const char *desc = NULL;
1337 uint32 max_entries, max_size;
1338 uint32_t total_size, returned_size;
1339 union samr_DispInfo info;
1341 get_query_dispinfo_params(
1342 loop_count, &max_entries, &max_size);
1344 result = rpccli_samr_QueryDisplayInfo(pipe_hnd, mem_ctx,
1354 start_idx += info.info1.count;
1355 num_entries = info.info1.count;
1357 for (i = 0; i < num_entries; i++) {
1358 user = info.info1.entries[i].account_name.string;
1359 if (opt_long_list_entries)
1360 desc = info.info1.entries[i].description.string;
1361 if (opt_long_list_entries)
1362 printf("%-21.21s %s\n", user, desc);
1364 printf("%s\n", user);
1366 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
1373 * 'net rpc user' entrypoint.
1374 * @param argc Standard main() style argc
1375 * @param argc Standard main() style argv. Initial components are already
1379 int net_rpc_user(int argc, const char **argv)
1381 struct libnetapi_ctx *ctx = NULL;
1382 NET_API_STATUS status;
1384 struct functable func[] = {
1385 {"add", rpc_user_add},
1386 {"info", rpc_user_info},
1387 {"delete", rpc_user_delete},
1388 {"password", rpc_user_password},
1389 {"rename", rpc_user_rename},
1393 status = libnetapi_init(&ctx);
1397 libnetapi_set_username(ctx, opt_user_name);
1398 libnetapi_set_password(ctx, opt_password);
1401 return run_rpc_command(NULL,PI_SAMR, 0,
1402 rpc_user_list_internals,
1406 return net_run_function(argc, argv, func, rpc_user_usage);
1409 static NTSTATUS rpc_sh_user_list(TALLOC_CTX *mem_ctx,
1410 struct rpc_sh_ctx *ctx,
1411 struct rpc_pipe_client *pipe_hnd,
1412 int argc, const char **argv)
1414 return rpc_user_list_internals(ctx->domain_sid, ctx->domain_name,
1415 ctx->cli, pipe_hnd, mem_ctx,
1419 static NTSTATUS rpc_sh_user_info(TALLOC_CTX *mem_ctx,
1420 struct rpc_sh_ctx *ctx,
1421 struct rpc_pipe_client *pipe_hnd,
1422 int argc, const char **argv)
1424 return rpc_user_info_internals(ctx->domain_sid, ctx->domain_name,
1425 ctx->cli, pipe_hnd, mem_ctx,
1429 static NTSTATUS rpc_sh_handle_user(TALLOC_CTX *mem_ctx,
1430 struct rpc_sh_ctx *ctx,
1431 struct rpc_pipe_client *pipe_hnd,
1432 int argc, const char **argv,
1434 TALLOC_CTX *mem_ctx,
1435 struct rpc_sh_ctx *ctx,
1436 struct rpc_pipe_client *pipe_hnd,
1437 POLICY_HND *user_hnd,
1438 int argc, const char **argv))
1440 POLICY_HND connect_pol, domain_pol, user_pol;
1441 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1444 enum lsa_SidType type;
1447 d_fprintf(stderr, "usage: %s <username>\n", ctx->whoami);
1448 return NT_STATUS_INVALID_PARAMETER;
1451 ZERO_STRUCT(connect_pol);
1452 ZERO_STRUCT(domain_pol);
1453 ZERO_STRUCT(user_pol);
1455 result = net_rpc_lookup_name(mem_ctx, pipe_hnd->cli, argv[0],
1456 NULL, NULL, &sid, &type);
1457 if (!NT_STATUS_IS_OK(result)) {
1458 d_fprintf(stderr, "Could not lookup %s: %s\n", argv[0],
1463 if (type != SID_NAME_USER) {
1464 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
1465 sid_type_lookup(type));
1466 result = NT_STATUS_NO_SUCH_USER;
1470 if (!sid_peek_check_rid(ctx->domain_sid, &sid, &rid)) {
1471 d_fprintf(stderr, "%s is not in our domain\n", argv[0]);
1472 result = NT_STATUS_NO_SUCH_USER;
1476 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1477 pipe_hnd->cli->desthost,
1478 MAXIMUM_ALLOWED_ACCESS,
1480 if (!NT_STATUS_IS_OK(result)) {
1484 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1486 MAXIMUM_ALLOWED_ACCESS,
1489 if (!NT_STATUS_IS_OK(result)) {
1493 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1495 MAXIMUM_ALLOWED_ACCESS,
1498 if (!NT_STATUS_IS_OK(result)) {
1502 result = fn(mem_ctx, ctx, pipe_hnd, &user_pol, argc-1, argv+1);
1505 if (is_valid_policy_hnd(&user_pol)) {
1506 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1508 if (is_valid_policy_hnd(&domain_pol)) {
1509 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1511 if (is_valid_policy_hnd(&connect_pol)) {
1512 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
1517 static NTSTATUS rpc_sh_user_show_internals(TALLOC_CTX *mem_ctx,
1518 struct rpc_sh_ctx *ctx,
1519 struct rpc_pipe_client *pipe_hnd,
1520 POLICY_HND *user_hnd,
1521 int argc, const char **argv)
1524 union samr_UserInfo *info = NULL;
1527 d_fprintf(stderr, "usage: %s show <username>\n", ctx->whoami);
1528 return NT_STATUS_INVALID_PARAMETER;
1531 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1535 if (!NT_STATUS_IS_OK(result)) {
1539 d_printf("user rid: %d, group rid: %d\n",
1541 info->info21.primary_gid);
1546 static NTSTATUS rpc_sh_user_show(TALLOC_CTX *mem_ctx,
1547 struct rpc_sh_ctx *ctx,
1548 struct rpc_pipe_client *pipe_hnd,
1549 int argc, const char **argv)
1551 return rpc_sh_handle_user(mem_ctx, ctx, pipe_hnd, argc, argv,
1552 rpc_sh_user_show_internals);
1555 #define FETCHSTR(name, rec) \
1556 do { if (strequal(ctx->thiscmd, name)) { \
1557 oldval = talloc_strdup(mem_ctx, info->info21.rec.string); } \
1560 #define SETSTR(name, rec, flag) \
1561 do { if (strequal(ctx->thiscmd, name)) { \
1562 init_lsa_String(&(info->info21.rec), argv[0]); \
1563 info->info21.fields_present |= SAMR_FIELD_##flag; } \
1566 static NTSTATUS rpc_sh_user_str_edit_internals(TALLOC_CTX *mem_ctx,
1567 struct rpc_sh_ctx *ctx,
1568 struct rpc_pipe_client *pipe_hnd,
1569 POLICY_HND *user_hnd,
1570 int argc, const char **argv)
1573 const char *username;
1574 const char *oldval = "";
1575 union samr_UserInfo *info = NULL;
1578 d_fprintf(stderr, "usage: %s <username> [new value|NULL]\n",
1580 return NT_STATUS_INVALID_PARAMETER;
1583 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1587 if (!NT_STATUS_IS_OK(result)) {
1591 username = talloc_strdup(mem_ctx, info->info21.account_name.string);
1593 FETCHSTR("fullname", full_name);
1594 FETCHSTR("homedir", home_directory);
1595 FETCHSTR("homedrive", home_drive);
1596 FETCHSTR("logonscript", logon_script);
1597 FETCHSTR("profilepath", profile_path);
1598 FETCHSTR("description", description);
1601 d_printf("%s's %s: [%s]\n", username, ctx->thiscmd, oldval);
1605 if (strcmp(argv[0], "NULL") == 0) {
1609 ZERO_STRUCT(info->info21);
1611 SETSTR("fullname", full_name, FULL_NAME);
1612 SETSTR("homedir", home_directory, HOME_DIRECTORY);
1613 SETSTR("homedrive", home_drive, HOME_DRIVE);
1614 SETSTR("logonscript", logon_script, LOGON_SCRIPT);
1615 SETSTR("profilepath", profile_path, PROFILE_PATH);
1616 SETSTR("description", description, DESCRIPTION);
1618 result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1623 d_printf("Set %s's %s from [%s] to [%s]\n", username,
1624 ctx->thiscmd, oldval, argv[0]);
1631 #define HANDLEFLG(name, rec) \
1632 do { if (strequal(ctx->thiscmd, name)) { \
1633 oldval = (oldflags & ACB_##rec) ? "yes" : "no"; \
1635 newflags = oldflags | ACB_##rec; \
1637 newflags = oldflags & ~ACB_##rec; \
1640 static NTSTATUS rpc_sh_user_str_edit(TALLOC_CTX *mem_ctx,
1641 struct rpc_sh_ctx *ctx,
1642 struct rpc_pipe_client *pipe_hnd,
1643 int argc, const char **argv)
1645 return rpc_sh_handle_user(mem_ctx, ctx, pipe_hnd, argc, argv,
1646 rpc_sh_user_str_edit_internals);
1649 static NTSTATUS rpc_sh_user_flag_edit_internals(TALLOC_CTX *mem_ctx,
1650 struct rpc_sh_ctx *ctx,
1651 struct rpc_pipe_client *pipe_hnd,
1652 POLICY_HND *user_hnd,
1653 int argc, const char **argv)
1656 const char *username;
1657 const char *oldval = "unknown";
1658 uint32 oldflags, newflags;
1660 union samr_UserInfo *info = NULL;
1663 ((argc == 1) && !strequal(argv[0], "yes") &&
1664 !strequal(argv[0], "no"))) {
1665 d_fprintf(stderr, "usage: %s <username> [yes|no]\n",
1667 return NT_STATUS_INVALID_PARAMETER;
1670 newval = strequal(argv[0], "yes");
1672 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1676 if (!NT_STATUS_IS_OK(result)) {
1680 username = talloc_strdup(mem_ctx, info->info21.account_name.string);
1681 oldflags = info->info21.acct_flags;
1682 newflags = info->info21.acct_flags;
1684 HANDLEFLG("disabled", DISABLED);
1685 HANDLEFLG("pwnotreq", PWNOTREQ);
1686 HANDLEFLG("autolock", AUTOLOCK);
1687 HANDLEFLG("pwnoexp", PWNOEXP);
1690 d_printf("%s's %s flag: %s\n", username, ctx->thiscmd, oldval);
1694 ZERO_STRUCT(info->info21);
1696 info->info21.acct_flags = newflags;
1697 info->info21.fields_present = SAMR_FIELD_ACCT_FLAGS;
1699 result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1704 if (NT_STATUS_IS_OK(result)) {
1705 d_printf("Set %s's %s flag from [%s] to [%s]\n", username,
1706 ctx->thiscmd, oldval, argv[0]);
1714 static NTSTATUS rpc_sh_user_flag_edit(TALLOC_CTX *mem_ctx,
1715 struct rpc_sh_ctx *ctx,
1716 struct rpc_pipe_client *pipe_hnd,
1717 int argc, const char **argv)
1719 return rpc_sh_handle_user(mem_ctx, ctx, pipe_hnd, argc, argv,
1720 rpc_sh_user_flag_edit_internals);
1723 struct rpc_sh_cmd *net_rpc_user_edit_cmds(TALLOC_CTX *mem_ctx,
1724 struct rpc_sh_ctx *ctx)
1726 static struct rpc_sh_cmd cmds[] = {
1728 { "fullname", NULL, PI_SAMR, rpc_sh_user_str_edit,
1729 "Show/Set a user's full name" },
1731 { "homedir", NULL, PI_SAMR, rpc_sh_user_str_edit,
1732 "Show/Set a user's home directory" },
1734 { "homedrive", NULL, PI_SAMR, rpc_sh_user_str_edit,
1735 "Show/Set a user's home drive" },
1737 { "logonscript", NULL, PI_SAMR, rpc_sh_user_str_edit,
1738 "Show/Set a user's logon script" },
1740 { "profilepath", NULL, PI_SAMR, rpc_sh_user_str_edit,
1741 "Show/Set a user's profile path" },
1743 { "description", NULL, PI_SAMR, rpc_sh_user_str_edit,
1744 "Show/Set a user's description" },
1746 { "disabled", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1747 "Show/Set whether a user is disabled" },
1749 { "autolock", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1750 "Show/Set whether a user locked out" },
1752 { "pwnotreq", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1753 "Show/Set whether a user does not need a password" },
1755 { "pwnoexp", NULL, PI_SAMR, rpc_sh_user_flag_edit,
1756 "Show/Set whether a user's password does not expire" },
1758 { NULL, NULL, 0, NULL, NULL }
1764 struct rpc_sh_cmd *net_rpc_user_cmds(TALLOC_CTX *mem_ctx,
1765 struct rpc_sh_ctx *ctx)
1767 static struct rpc_sh_cmd cmds[] = {
1769 { "list", NULL, PI_SAMR, rpc_sh_user_list,
1770 "List available users" },
1772 { "info", NULL, PI_SAMR, rpc_sh_user_info,
1773 "List the domain groups a user is member of" },
1775 { "show", NULL, PI_SAMR, rpc_sh_user_show,
1776 "Show info about a user" },
1778 { "edit", net_rpc_user_edit_cmds, 0, NULL,
1779 "Show/Modify a user's fields" },
1781 { NULL, NULL, 0, NULL, NULL }
1787 /****************************************************************************/
1790 * Basic usage function for 'net rpc group'
1791 * @param argc Standard main() style argc.
1792 * @param argv Standard main() style argv. Initial components are already
1796 static int rpc_group_usage(int argc, const char **argv)
1798 return net_help_group(argc, argv);
1802 * Delete group on a remote RPC server
1804 * All parameters are provided by the run_rpc_command function, except for
1805 * argc, argv which are passes through.
1807 * @param domain_sid The domain sid acquired from the remote server
1808 * @param cli A cli_state connected to the server.
1809 * @param mem_ctx Talloc context, destoyed on completion of the function.
1810 * @param argc Standard main() style argc
1811 * @param argv Standard main() style argv. Initial components are already
1814 * @return Normal NTSTATUS return.
1817 static NTSTATUS rpc_group_delete_internals(const DOM_SID *domain_sid,
1818 const char *domain_name,
1819 struct cli_state *cli,
1820 struct rpc_pipe_client *pipe_hnd,
1821 TALLOC_CTX *mem_ctx,
1825 POLICY_HND connect_pol, domain_pol, group_pol, user_pol;
1826 bool group_is_primary = False;
1827 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1829 struct samr_RidTypeArray *rids = NULL;
1832 /* DOM_GID *user_gids; */
1834 struct samr_Ids group_rids, name_types;
1835 struct lsa_String lsa_acct_name;
1836 union samr_UserInfo *info = NULL;
1839 d_printf("specify group\n");
1840 rpc_group_usage(argc,argv);
1841 return NT_STATUS_OK; /* ok? */
1844 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1845 pipe_hnd->cli->desthost,
1846 MAXIMUM_ALLOWED_ACCESS,
1849 if (!NT_STATUS_IS_OK(result)) {
1850 d_fprintf(stderr, "Request samr_Connect2 failed\n");
1854 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1856 MAXIMUM_ALLOWED_ACCESS,
1857 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1860 if (!NT_STATUS_IS_OK(result)) {
1861 d_fprintf(stderr, "Request open_domain failed\n");
1865 init_lsa_String(&lsa_acct_name, argv[0]);
1867 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1873 if (!NT_STATUS_IS_OK(result)) {
1874 d_fprintf(stderr, "Lookup of '%s' failed\n",argv[0]);
1878 switch (name_types.ids[0])
1880 case SID_NAME_DOM_GRP:
1881 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
1883 MAXIMUM_ALLOWED_ACCESS,
1886 if (!NT_STATUS_IS_OK(result)) {
1887 d_fprintf(stderr, "Request open_group failed");
1891 group_rid = group_rids.ids[0];
1893 result = rpccli_samr_QueryGroupMember(pipe_hnd, mem_ctx,
1897 if (!NT_STATUS_IS_OK(result)) {
1898 d_fprintf(stderr, "Unable to query group members of %s",argv[0]);
1903 d_printf("Domain Group %s (rid: %d) has %d members\n",
1904 argv[0],group_rid, rids->count);
1907 /* Check if group is anyone's primary group */
1908 for (i = 0; i < rids->count; i++)
1910 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1912 MAXIMUM_ALLOWED_ACCESS,
1916 if (!NT_STATUS_IS_OK(result)) {
1917 d_fprintf(stderr, "Unable to open group member %d\n",
1922 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1927 if (!NT_STATUS_IS_OK(result)) {
1928 d_fprintf(stderr, "Unable to lookup userinfo for group member %d\n",
1933 if (info->info21.primary_gid == group_rid) {
1935 d_printf("Group is primary group of %s\n",
1936 info->info21.account_name.string);
1938 group_is_primary = True;
1941 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1944 if (group_is_primary) {
1945 d_fprintf(stderr, "Unable to delete group because some "
1946 "of it's members have it as primary group\n");
1947 result = NT_STATUS_MEMBERS_PRIMARY_GROUP;
1951 /* remove all group members */
1952 for (i = 0; i < rids->count; i++)
1955 d_printf("Remove group member %d...",
1957 result = rpccli_samr_DeleteGroupMember(pipe_hnd, mem_ctx,
1961 if (NT_STATUS_IS_OK(result)) {
1966 d_printf("failed\n");
1971 result = rpccli_samr_DeleteDomainGroup(pipe_hnd, mem_ctx,
1975 /* removing a local group is easier... */
1976 case SID_NAME_ALIAS:
1977 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
1979 MAXIMUM_ALLOWED_ACCESS,
1983 if (!NT_STATUS_IS_OK(result)) {
1984 d_fprintf(stderr, "Request open_alias failed\n");
1988 result = rpccli_samr_DeleteDomAlias(pipe_hnd, mem_ctx,
1992 d_fprintf(stderr, "%s is of type %s. This command is only for deleting local or global groups\n",
1993 argv[0],sid_type_lookup(name_types.ids[0]));
1994 result = NT_STATUS_UNSUCCESSFUL;
1999 if (NT_STATUS_IS_OK(result)) {
2001 d_printf("Deleted %s '%s'\n",sid_type_lookup(name_types.ids[0]),argv[0]);
2003 d_fprintf(stderr, "Deleting of %s failed: %s\n",argv[0],
2004 get_friendly_nt_error_msg(result));
2012 static int rpc_group_delete(int argc, const char **argv)
2014 return run_rpc_command(NULL, PI_SAMR, 0, rpc_group_delete_internals,
2018 static NTSTATUS rpc_group_add_internals(const DOM_SID *domain_sid,
2019 const char *domain_name,
2020 struct cli_state *cli,
2021 struct rpc_pipe_client *pipe_hnd,
2022 TALLOC_CTX *mem_ctx,
2026 POLICY_HND connect_pol, domain_pol, group_pol;
2027 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2028 union samr_GroupInfo group_info;
2029 struct lsa_String grp_name;
2033 d_printf("Group name must be specified\n");
2034 rpc_group_usage(argc, argv);
2035 return NT_STATUS_OK;
2038 init_lsa_String(&grp_name, argv[0]);
2040 /* Get sam policy handle */
2042 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2043 pipe_hnd->cli->desthost,
2044 MAXIMUM_ALLOWED_ACCESS,
2046 if (!NT_STATUS_IS_OK(result)) goto done;
2048 /* Get domain policy handle */
2050 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2052 MAXIMUM_ALLOWED_ACCESS,
2053 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2055 if (!NT_STATUS_IS_OK(result)) goto done;
2057 /* Create the group */
2059 result = rpccli_samr_CreateDomainGroup(pipe_hnd, mem_ctx,
2062 MAXIMUM_ALLOWED_ACCESS,
2065 if (!NT_STATUS_IS_OK(result)) goto done;
2067 if (strlen(opt_comment) == 0) goto done;
2069 /* We've got a comment to set */
2071 init_lsa_String(&group_info.description, opt_comment);
2073 result = rpccli_samr_SetGroupInfo(pipe_hnd, mem_ctx,
2077 if (!NT_STATUS_IS_OK(result)) goto done;
2080 if (NT_STATUS_IS_OK(result))
2081 DEBUG(5, ("add group succeeded\n"));
2083 d_fprintf(stderr, "add group failed: %s\n", nt_errstr(result));
2088 static NTSTATUS rpc_alias_add_internals(const DOM_SID *domain_sid,
2089 const char *domain_name,
2090 struct cli_state *cli,
2091 struct rpc_pipe_client *pipe_hnd,
2092 TALLOC_CTX *mem_ctx,
2096 POLICY_HND connect_pol, domain_pol, alias_pol;
2097 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2098 union samr_AliasInfo alias_info;
2099 struct lsa_String alias_name;
2103 d_printf("Alias name must be specified\n");
2104 rpc_group_usage(argc, argv);
2105 return NT_STATUS_OK;
2108 init_lsa_String(&alias_name, argv[0]);
2110 /* Get sam policy handle */
2112 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2113 pipe_hnd->cli->desthost,
2114 MAXIMUM_ALLOWED_ACCESS,
2116 if (!NT_STATUS_IS_OK(result)) goto done;
2118 /* Get domain policy handle */
2120 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2122 MAXIMUM_ALLOWED_ACCESS,
2123 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2125 if (!NT_STATUS_IS_OK(result)) goto done;
2127 /* Create the group */
2129 result = rpccli_samr_CreateDomAlias(pipe_hnd, mem_ctx,
2132 MAXIMUM_ALLOWED_ACCESS,
2135 if (!NT_STATUS_IS_OK(result)) goto done;
2137 if (strlen(opt_comment) == 0) goto done;
2139 /* We've got a comment to set */
2141 init_lsa_String(&alias_info.description, opt_comment);
2143 result = rpccli_samr_SetAliasInfo(pipe_hnd, mem_ctx,
2148 if (!NT_STATUS_IS_OK(result)) goto done;
2151 if (NT_STATUS_IS_OK(result))
2152 DEBUG(5, ("add alias succeeded\n"));
2154 d_fprintf(stderr, "add alias failed: %s\n", nt_errstr(result));
2159 static int rpc_group_add(int argc, const char **argv)
2162 return run_rpc_command(NULL, PI_SAMR, 0,
2163 rpc_alias_add_internals,
2166 return run_rpc_command(NULL, PI_SAMR, 0,
2167 rpc_group_add_internals,
2171 static NTSTATUS get_sid_from_name(struct cli_state *cli,
2172 TALLOC_CTX *mem_ctx,
2175 enum lsa_SidType *type)
2177 DOM_SID *sids = NULL;
2178 enum lsa_SidType *types = NULL;
2179 struct rpc_pipe_client *pipe_hnd;
2181 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2183 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result);
2188 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, False,
2189 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
2191 if (!NT_STATUS_IS_OK(result)) {
2195 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &lsa_pol, 1,
2196 &name, NULL, 1, &sids, &types);
2198 if (NT_STATUS_IS_OK(result)) {
2199 sid_copy(sid, &sids[0]);
2203 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
2207 cli_rpc_pipe_close(pipe_hnd);
2210 if (!NT_STATUS_IS_OK(result) && (StrnCaseCmp(name, "S-", 2) == 0)) {
2212 /* Try as S-1-5-whatever */
2216 if (string_to_sid(&tmp_sid, name)) {
2217 sid_copy(sid, &tmp_sid);
2218 *type = SID_NAME_UNKNOWN;
2219 result = NT_STATUS_OK;
2226 static NTSTATUS rpc_add_groupmem(struct rpc_pipe_client *pipe_hnd,
2227 TALLOC_CTX *mem_ctx,
2228 const DOM_SID *group_sid,
2231 POLICY_HND connect_pol, domain_pol;
2234 POLICY_HND group_pol;
2236 struct samr_Ids rids, rid_types;
2237 struct lsa_String lsa_acct_name;
2241 sid_copy(&sid, group_sid);
2243 if (!sid_split_rid(&sid, &group_rid)) {
2244 return NT_STATUS_UNSUCCESSFUL;
2247 /* Get sam policy handle */
2248 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2249 pipe_hnd->cli->desthost,
2250 MAXIMUM_ALLOWED_ACCESS,
2252 if (!NT_STATUS_IS_OK(result)) {
2256 /* Get domain policy handle */
2257 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2259 MAXIMUM_ALLOWED_ACCESS,
2262 if (!NT_STATUS_IS_OK(result)) {
2266 init_lsa_String(&lsa_acct_name, member);
2268 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2275 if (!NT_STATUS_IS_OK(result)) {
2276 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2280 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2282 MAXIMUM_ALLOWED_ACCESS,
2286 if (!NT_STATUS_IS_OK(result)) {
2290 result = rpccli_samr_AddGroupMember(pipe_hnd, mem_ctx,
2293 0x0005); /* unknown flags */
2296 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2300 static NTSTATUS rpc_add_aliasmem(struct rpc_pipe_client *pipe_hnd,
2301 TALLOC_CTX *mem_ctx,
2302 const DOM_SID *alias_sid,
2305 POLICY_HND connect_pol, domain_pol;
2308 POLICY_HND alias_pol;
2311 enum lsa_SidType member_type;
2315 sid_copy(&sid, alias_sid);
2317 if (!sid_split_rid(&sid, &alias_rid)) {
2318 return NT_STATUS_UNSUCCESSFUL;
2321 result = get_sid_from_name(pipe_hnd->cli, mem_ctx, member,
2322 &member_sid, &member_type);
2324 if (!NT_STATUS_IS_OK(result)) {
2325 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2329 /* Get sam policy handle */
2330 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2331 pipe_hnd->cli->desthost,
2332 MAXIMUM_ALLOWED_ACCESS,
2334 if (!NT_STATUS_IS_OK(result)) {
2338 /* Get domain policy handle */
2339 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2341 MAXIMUM_ALLOWED_ACCESS,
2344 if (!NT_STATUS_IS_OK(result)) {
2348 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2350 MAXIMUM_ALLOWED_ACCESS,
2354 if (!NT_STATUS_IS_OK(result)) {
2358 result = rpccli_samr_AddAliasMember(pipe_hnd, mem_ctx,
2362 if (!NT_STATUS_IS_OK(result)) {
2367 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2371 static NTSTATUS rpc_group_addmem_internals(const DOM_SID *domain_sid,
2372 const char *domain_name,
2373 struct cli_state *cli,
2374 struct rpc_pipe_client *pipe_hnd,
2375 TALLOC_CTX *mem_ctx,
2380 enum lsa_SidType group_type;
2383 d_printf("Usage: 'net rpc group addmem <group> <member>\n");
2384 return NT_STATUS_UNSUCCESSFUL;
2387 if (!NT_STATUS_IS_OK(get_sid_from_name(cli, mem_ctx, argv[0],
2388 &group_sid, &group_type))) {
2389 d_fprintf(stderr, "Could not lookup group name %s\n", argv[0]);
2390 return NT_STATUS_UNSUCCESSFUL;
2393 if (group_type == SID_NAME_DOM_GRP) {
2394 NTSTATUS result = rpc_add_groupmem(pipe_hnd, mem_ctx,
2395 &group_sid, argv[1]);
2397 if (!NT_STATUS_IS_OK(result)) {
2398 d_fprintf(stderr, "Could not add %s to %s: %s\n",
2399 argv[1], argv[0], nt_errstr(result));
2404 if (group_type == SID_NAME_ALIAS) {
2405 NTSTATUS result = rpc_add_aliasmem(pipe_hnd, mem_ctx,
2406 &group_sid, argv[1]);
2408 if (!NT_STATUS_IS_OK(result)) {
2409 d_fprintf(stderr, "Could not add %s to %s: %s\n",
2410 argv[1], argv[0], nt_errstr(result));
2415 d_fprintf(stderr, "Can only add members to global or local groups "
2416 "which %s is not\n", argv[0]);
2418 return NT_STATUS_UNSUCCESSFUL;
2421 static int rpc_group_addmem(int argc, const char **argv)
2423 return run_rpc_command(NULL, PI_SAMR, 0,
2424 rpc_group_addmem_internals,
2428 static NTSTATUS rpc_del_groupmem(struct rpc_pipe_client *pipe_hnd,
2429 TALLOC_CTX *mem_ctx,
2430 const DOM_SID *group_sid,
2433 POLICY_HND connect_pol, domain_pol;
2436 POLICY_HND group_pol;
2438 struct samr_Ids rids, rid_types;
2439 struct lsa_String lsa_acct_name;
2443 sid_copy(&sid, group_sid);
2445 if (!sid_split_rid(&sid, &group_rid))
2446 return NT_STATUS_UNSUCCESSFUL;
2448 /* Get sam policy handle */
2449 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2450 pipe_hnd->cli->desthost,
2451 MAXIMUM_ALLOWED_ACCESS,
2453 if (!NT_STATUS_IS_OK(result))
2456 /* Get domain policy handle */
2457 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2459 MAXIMUM_ALLOWED_ACCESS,
2462 if (!NT_STATUS_IS_OK(result))
2465 init_lsa_String(&lsa_acct_name, member);
2467 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2473 if (!NT_STATUS_IS_OK(result)) {
2474 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2478 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2480 MAXIMUM_ALLOWED_ACCESS,
2484 if (!NT_STATUS_IS_OK(result))
2487 result = rpccli_samr_DeleteGroupMember(pipe_hnd, mem_ctx,
2492 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2496 static NTSTATUS rpc_del_aliasmem(struct rpc_pipe_client *pipe_hnd,
2497 TALLOC_CTX *mem_ctx,
2498 const DOM_SID *alias_sid,
2501 POLICY_HND connect_pol, domain_pol;
2504 POLICY_HND alias_pol;
2507 enum lsa_SidType member_type;
2511 sid_copy(&sid, alias_sid);
2513 if (!sid_split_rid(&sid, &alias_rid))
2514 return NT_STATUS_UNSUCCESSFUL;
2516 result = get_sid_from_name(pipe_hnd->cli, mem_ctx, member,
2517 &member_sid, &member_type);
2519 if (!NT_STATUS_IS_OK(result)) {
2520 d_fprintf(stderr, "Could not lookup up group member %s\n", member);
2524 /* Get sam policy handle */
2525 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2526 pipe_hnd->cli->desthost,
2527 MAXIMUM_ALLOWED_ACCESS,
2529 if (!NT_STATUS_IS_OK(result)) {
2533 /* Get domain policy handle */
2534 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2536 MAXIMUM_ALLOWED_ACCESS,
2539 if (!NT_STATUS_IS_OK(result)) {
2543 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2545 MAXIMUM_ALLOWED_ACCESS,
2549 if (!NT_STATUS_IS_OK(result))
2552 result = rpccli_samr_DeleteAliasMember(pipe_hnd, mem_ctx,
2556 if (!NT_STATUS_IS_OK(result))
2560 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2564 static NTSTATUS rpc_group_delmem_internals(const DOM_SID *domain_sid,
2565 const char *domain_name,
2566 struct cli_state *cli,
2567 struct rpc_pipe_client *pipe_hnd,
2568 TALLOC_CTX *mem_ctx,
2573 enum lsa_SidType group_type;
2576 d_printf("Usage: 'net rpc group delmem <group> <member>\n");
2577 return NT_STATUS_UNSUCCESSFUL;
2580 if (!NT_STATUS_IS_OK(get_sid_from_name(cli, mem_ctx, argv[0],
2581 &group_sid, &group_type))) {
2582 d_fprintf(stderr, "Could not lookup group name %s\n", argv[0]);
2583 return NT_STATUS_UNSUCCESSFUL;
2586 if (group_type == SID_NAME_DOM_GRP) {
2587 NTSTATUS result = rpc_del_groupmem(pipe_hnd, mem_ctx,
2588 &group_sid, argv[1]);
2590 if (!NT_STATUS_IS_OK(result)) {
2591 d_fprintf(stderr, "Could not del %s from %s: %s\n",
2592 argv[1], argv[0], nt_errstr(result));
2597 if (group_type == SID_NAME_ALIAS) {
2598 NTSTATUS result = rpc_del_aliasmem(pipe_hnd, mem_ctx,
2599 &group_sid, argv[1]);
2601 if (!NT_STATUS_IS_OK(result)) {
2602 d_fprintf(stderr, "Could not del %s from %s: %s\n",
2603 argv[1], argv[0], nt_errstr(result));
2608 d_fprintf(stderr, "Can only delete members from global or local groups "
2609 "which %s is not\n", argv[0]);
2611 return NT_STATUS_UNSUCCESSFUL;
2614 static int rpc_group_delmem(int argc, const char **argv)
2616 return run_rpc_command(NULL, PI_SAMR, 0,
2617 rpc_group_delmem_internals,
2622 * List groups on a remote RPC server
2624 * All parameters are provided by the run_rpc_command function, except for
2625 * argc, argv which are passes through.
2627 * @param domain_sid The domain sid acquired from the remote server
2628 * @param cli A cli_state connected to the server.
2629 * @param mem_ctx Talloc context, destoyed on completion of the function.
2630 * @param argc Standard main() style argc
2631 * @param argv Standard main() style argv. Initial components are already
2634 * @return Normal NTSTATUS return.
2637 static NTSTATUS rpc_group_list_internals(const DOM_SID *domain_sid,
2638 const char *domain_name,
2639 struct cli_state *cli,
2640 struct rpc_pipe_client *pipe_hnd,
2641 TALLOC_CTX *mem_ctx,
2645 POLICY_HND connect_pol, domain_pol;
2646 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2647 uint32 start_idx=0, max_entries=250, num_entries, i, loop_count = 0;
2648 struct samr_SamArray *groups = NULL;
2649 bool global = False;
2651 bool builtin = False;
2659 for (i=0; i<argc; i++) {
2660 if (strequal(argv[i], "global"))
2663 if (strequal(argv[i], "local"))
2666 if (strequal(argv[i], "builtin"))
2670 /* Get sam policy handle */
2672 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2673 pipe_hnd->cli->desthost,
2674 MAXIMUM_ALLOWED_ACCESS,
2676 if (!NT_STATUS_IS_OK(result)) {
2680 /* Get domain policy handle */
2682 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2684 MAXIMUM_ALLOWED_ACCESS,
2685 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2687 if (!NT_STATUS_IS_OK(result)) {
2691 /* Query domain groups */
2692 if (opt_long_list_entries)
2693 d_printf("\nGroup name Comment"\
2694 "\n-----------------------------\n");
2696 uint32_t max_size, total_size, returned_size;
2697 union samr_DispInfo info;
2701 get_query_dispinfo_params(
2702 loop_count, &max_entries, &max_size);
2704 result = rpccli_samr_QueryDisplayInfo(pipe_hnd, mem_ctx,
2713 num_entries = info.info3.count;
2714 start_idx += info.info3.count;
2716 if (!NT_STATUS_IS_OK(result) &&
2717 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2720 for (i = 0; i < num_entries; i++) {
2722 const char *group = NULL;
2723 const char *desc = NULL;
2725 group = info.info3.entries[i].account_name.string;
2726 desc = info.info3.entries[i].description.string;
2728 if (opt_long_list_entries)
2729 printf("%-21.21s %-50.50s\n",
2732 printf("%s\n", group);
2734 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2735 /* query domain aliases */
2740 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
2746 if (!NT_STATUS_IS_OK(result) &&
2747 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2750 for (i = 0; i < num_entries; i++) {
2752 const char *description = NULL;
2754 if (opt_long_list_entries) {
2756 POLICY_HND alias_pol;
2757 union samr_AliasInfo *info = NULL;
2759 if ((NT_STATUS_IS_OK(rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2762 groups->entries[i].idx,
2764 (NT_STATUS_IS_OK(rpccli_samr_QueryAliasInfo(pipe_hnd, mem_ctx,
2768 (NT_STATUS_IS_OK(rpccli_samr_Close(pipe_hnd, mem_ctx,
2770 description = info->description.string;
2774 if (description != NULL) {
2775 printf("%-21.21s %-50.50s\n",
2776 groups->entries[i].name.string,
2779 printf("%s\n", groups->entries[i].name.string);
2782 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2783 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
2784 /* Get builtin policy handle */
2786 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2788 MAXIMUM_ALLOWED_ACCESS,
2789 CONST_DISCARD(struct dom_sid2 *, &global_sid_Builtin),
2791 if (!NT_STATUS_IS_OK(result)) {
2794 /* query builtin aliases */
2797 if (!builtin) break;
2799 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
2805 if (!NT_STATUS_IS_OK(result) &&
2806 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2809 for (i = 0; i < num_entries; i++) {
2811 const char *description = NULL;
2813 if (opt_long_list_entries) {
2815 POLICY_HND alias_pol;
2816 union samr_AliasInfo *info = NULL;
2818 if ((NT_STATUS_IS_OK(rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2821 groups->entries[i].idx,
2823 (NT_STATUS_IS_OK(rpccli_samr_QueryAliasInfo(pipe_hnd, mem_ctx,
2827 (NT_STATUS_IS_OK(rpccli_samr_Close(pipe_hnd, mem_ctx,
2829 description = info->description.string;
2833 if (description != NULL) {
2834 printf("%-21.21s %-50.50s\n",
2835 groups->entries[i].name.string,
2838 printf("%s\n", groups->entries[i].name.string);
2841 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2847 static int rpc_group_list(int argc, const char **argv)
2849 return run_rpc_command(NULL, PI_SAMR, 0,
2850 rpc_group_list_internals,
2854 static NTSTATUS rpc_list_group_members(struct rpc_pipe_client *pipe_hnd,
2855 TALLOC_CTX *mem_ctx,
2856 const char *domain_name,
2857 const DOM_SID *domain_sid,
2858 POLICY_HND *domain_pol,
2862 POLICY_HND group_pol;
2863 uint32 num_members, *group_rids;
2865 struct samr_RidTypeArray *rids = NULL;
2866 struct lsa_Strings names;
2867 struct samr_Ids types;
2870 sid_to_fstring(sid_str, domain_sid);
2872 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2874 MAXIMUM_ALLOWED_ACCESS,
2878 if (!NT_STATUS_IS_OK(result))
2881 result = rpccli_samr_QueryGroupMember(pipe_hnd, mem_ctx,
2885 if (!NT_STATUS_IS_OK(result))
2888 num_members = rids->count;
2889 group_rids = rids->rids;
2891 while (num_members > 0) {
2892 int this_time = 512;
2894 if (num_members < this_time)
2895 this_time = num_members;
2897 result = rpccli_samr_LookupRids(pipe_hnd, mem_ctx,
2904 if (!NT_STATUS_IS_OK(result))
2907 /* We only have users as members, but make the output
2908 the same as the output of alias members */
2910 for (i = 0; i < this_time; i++) {
2912 if (opt_long_list_entries) {
2913 printf("%s-%d %s\\%s %d\n", sid_str,
2914 group_rids[i], domain_name,
2915 names.names[i].string,
2918 printf("%s\\%s\n", domain_name,
2919 names.names[i].string);
2923 num_members -= this_time;
2927 return NT_STATUS_OK;
2930 static NTSTATUS rpc_list_alias_members(struct rpc_pipe_client *pipe_hnd,
2931 TALLOC_CTX *mem_ctx,
2932 POLICY_HND *domain_pol,
2936 struct rpc_pipe_client *lsa_pipe;
2937 POLICY_HND alias_pol, lsa_pol;
2939 DOM_SID *alias_sids;
2942 enum lsa_SidType *types;
2944 struct lsa_SidArray sid_array;
2946 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2948 MAXIMUM_ALLOWED_ACCESS,
2952 if (!NT_STATUS_IS_OK(result))
2955 result = rpccli_samr_GetMembersInAlias(pipe_hnd, mem_ctx,
2959 if (!NT_STATUS_IS_OK(result)) {
2960 d_fprintf(stderr, "Couldn't list alias members\n");
2964 num_members = sid_array.num_sids;
2966 if (num_members == 0) {
2967 return NT_STATUS_OK;
2970 lsa_pipe = cli_rpc_pipe_open_noauth(pipe_hnd->cli, PI_LSARPC, &result);
2972 d_fprintf(stderr, "Couldn't open LSA pipe. Error was %s\n",
2973 nt_errstr(result) );
2977 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
2978 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
2980 if (!NT_STATUS_IS_OK(result)) {
2981 d_fprintf(stderr, "Couldn't open LSA policy handle\n");
2982 cli_rpc_pipe_close(lsa_pipe);
2986 alias_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
2988 d_fprintf(stderr, "Out of memory\n");
2989 cli_rpc_pipe_close(lsa_pipe);
2990 return NT_STATUS_NO_MEMORY;
2993 for (i=0; i<num_members; i++) {
2994 sid_copy(&alias_sids[i], sid_array.sids[i].sid);
2997 result = rpccli_lsa_lookup_sids(lsa_pipe, mem_ctx, &lsa_pol, num_members,
2999 &domains, &names, &types);
3001 if (!NT_STATUS_IS_OK(result) &&
3002 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
3003 d_fprintf(stderr, "Couldn't lookup SIDs\n");
3004 cli_rpc_pipe_close(lsa_pipe);
3008 for (i = 0; i < num_members; i++) {
3010 sid_to_fstring(sid_str, &alias_sids[i]);
3012 if (opt_long_list_entries) {
3013 printf("%s %s\\%s %d\n", sid_str,
3014 domains[i] ? domains[i] : "*unknown*",
3015 names[i] ? names[i] : "*unknown*", types[i]);
3018 printf("%s\\%s\n", domains[i], names[i]);
3020 printf("%s\n", sid_str);
3024 cli_rpc_pipe_close(lsa_pipe);
3025 return NT_STATUS_OK;
3028 static NTSTATUS rpc_group_members_internals(const DOM_SID *domain_sid,
3029 const char *domain_name,
3030 struct cli_state *cli,
3031 struct rpc_pipe_client *pipe_hnd,
3032 TALLOC_CTX *mem_ctx,
3037 POLICY_HND connect_pol, domain_pol;
3038 struct samr_Ids rids, rid_types;
3039 struct lsa_String lsa_acct_name;
3041 /* Get sam policy handle */
3043 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
3044 pipe_hnd->cli->desthost,
3045 MAXIMUM_ALLOWED_ACCESS,
3048 if (!NT_STATUS_IS_OK(result))
3051 /* Get domain policy handle */
3053 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
3055 MAXIMUM_ALLOWED_ACCESS,
3056 CONST_DISCARD(struct dom_sid2 *, domain_sid),
3059 if (!NT_STATUS_IS_OK(result))
3062 init_lsa_String(&lsa_acct_name, argv[0]); /* sure? */
3064 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
3071 if (!NT_STATUS_IS_OK(result)) {
3073 /* Ok, did not find it in the global sam, try with builtin */
3075 DOM_SID sid_Builtin;
3077 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
3079 sid_copy(&sid_Builtin, &global_sid_Builtin);
3081 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
3083 MAXIMUM_ALLOWED_ACCESS,
3087 if (!NT_STATUS_IS_OK(result)) {
3088 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
3092 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
3099 if (!NT_STATUS_IS_OK(result)) {
3100 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
3105 if (rids.count != 1) {
3106 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
3110 if (rid_types.ids[0] == SID_NAME_DOM_GRP) {
3111 return rpc_list_group_members(pipe_hnd, mem_ctx, domain_name,
3112 domain_sid, &domain_pol,
3116 if (rid_types.ids[0] == SID_NAME_ALIAS) {
3117 return rpc_list_alias_members(pipe_hnd, mem_ctx, &domain_pol,
3121 return NT_STATUS_NO_SUCH_GROUP;
3124 static int rpc_group_members(int argc, const char **argv)
3127 return rpc_group_usage(argc, argv);
3130 return run_rpc_command(NULL, PI_SAMR, 0,
3131 rpc_group_members_internals,
3135 static NTSTATUS rpc_group_rename_internals(const DOM_SID *domain_sid,
3136 const char *domain_name,
3137 struct cli_state *cli,
3138 struct rpc_pipe_client *pipe_hnd,
3139 TALLOC_CTX *mem_ctx,
3144 POLICY_HND connect_pol, domain_pol, group_pol;
3145 union samr_GroupInfo group_info;
3146 struct samr_Ids rids, rid_types;
3147 struct lsa_String lsa_acct_name;
3150 d_printf("Usage: 'net rpc group rename group newname'\n");
3151 return NT_STATUS_UNSUCCESSFUL;
3154 /* Get sam policy handle */
3156 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
3157 pipe_hnd->cli->desthost,
3158 MAXIMUM_ALLOWED_ACCESS,
3161 if (!NT_STATUS_IS_OK(result))
3164 /* Get domain policy handle */
3166 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
3168 MAXIMUM_ALLOWED_ACCESS,
3169 CONST_DISCARD(struct dom_sid2 *, domain_sid),
3172 if (!NT_STATUS_IS_OK(result))
3175 init_lsa_String(&lsa_acct_name, argv[0]);
3177 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
3184 if (rids.count != 1) {
3185 d_fprintf(stderr, "Couldn't find group %s\n", argv[0]);
3189 if (rid_types.ids[0] != SID_NAME_DOM_GRP) {
3190 d_fprintf(stderr, "Can only rename domain groups\n");
3191 return NT_STATUS_UNSUCCESSFUL;
3194 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
3196 MAXIMUM_ALLOWED_ACCESS,
3200 if (!NT_STATUS_IS_OK(result))
3203 init_lsa_String(&group_info.name, argv[1]);
3205 result = rpccli_samr_SetGroupInfo(pipe_hnd, mem_ctx,
3210 if (!NT_STATUS_IS_OK(result))
3213 return NT_STATUS_NO_SUCH_GROUP;
3216 static int rpc_group_rename(int argc, const char **argv)
3219 return rpc_group_usage(argc, argv);
3222 return run_rpc_command(NULL, PI_SAMR, 0,
3223 rpc_group_rename_internals,
3228 * 'net rpc group' entrypoint.
3229 * @param argc Standard main() style argc
3230 * @param argc Standard main() style argv. Initial components are already
3234 int net_rpc_group(int argc, const char **argv)
3236 struct functable func[] = {
3237 {"add", rpc_group_add},
3238 {"delete", rpc_group_delete},
3239 {"addmem", rpc_group_addmem},
3240 {"delmem", rpc_group_delmem},
3241 {"list", rpc_group_list},
3242 {"members", rpc_group_members},
3243 {"rename", rpc_group_rename},
3248 return run_rpc_command(NULL, PI_SAMR, 0,
3249 rpc_group_list_internals,
3253 return net_run_function(argc, argv, func, rpc_group_usage);
3256 /****************************************************************************/
3258 static int rpc_share_usage(int argc, const char **argv)
3260 return net_help_share(argc, argv);
3264 * Add a share on a remote RPC server
3266 * All parameters are provided by the run_rpc_command function, except for
3267 * argc, argv which are passes through.
3269 * @param domain_sid The domain sid acquired from the remote server
3270 * @param cli A cli_state connected to the server.
3271 * @param mem_ctx Talloc context, destoyed on completion of the function.
3272 * @param argc Standard main() style argc
3273 * @param argv Standard main() style argv. Initial components are already
3276 * @return Normal NTSTATUS return.
3278 static NTSTATUS rpc_share_add_internals(const DOM_SID *domain_sid,
3279 const char *domain_name,
3280 struct cli_state *cli,
3281 struct rpc_pipe_client *pipe_hnd,
3282 TALLOC_CTX *mem_ctx,int argc,
3289 uint32 type = STYPE_DISKTREE; /* only allow disk shares to be added */
3290 uint32 num_users=0, perms=0;
3291 char *password=NULL; /* don't allow a share password */
3293 union srvsvc_NetShareInfo info;
3294 struct srvsvc_NetShareInfo2 info2;
3295 uint32_t parm_error = 0;
3297 if ((sharename = talloc_strdup(mem_ctx, argv[0])) == NULL) {
3298 return NT_STATUS_NO_MEMORY;
3301 path = strchr(sharename, '=');
3303 return NT_STATUS_UNSUCCESSFUL;
3306 info2.name = sharename;
3308 info2.comment = opt_comment;
3309 info2.permissions = perms;
3310 info2.max_users = opt_maxusers;
3311 info2.current_users = num_users;
3313 info2.password = password;
3315 info.info2 = &info2;
3317 status = rpccli_srvsvc_NetShareAdd(pipe_hnd, mem_ctx,
3318 pipe_hnd->cli->desthost,
3326 static int rpc_share_add(int argc, const char **argv)
3328 if ((argc < 1) || !strchr(argv[0], '=')) {
3329 DEBUG(1,("Sharename or path not specified on add\n"));
3330 return rpc_share_usage(argc, argv);
3332 return run_rpc_command(NULL, PI_SRVSVC, 0,
3333 rpc_share_add_internals,
3338 * Delete a share on a remote RPC server
3340 * All parameters are provided by the run_rpc_command function, except for
3341 * argc, argv which are passes through.
3343 * @param domain_sid The domain sid acquired from the remote server
3344 * @param cli A cli_state connected to the server.
3345 * @param mem_ctx Talloc context, destoyed on completion of the function.
3346 * @param argc Standard main() style argc
3347 * @param argv Standard main() style argv. Initial components are already
3350 * @return Normal NTSTATUS return.
3352 static NTSTATUS rpc_share_del_internals(const DOM_SID *domain_sid,
3353 const char *domain_name,
3354 struct cli_state *cli,
3355 struct rpc_pipe_client *pipe_hnd,
3356 TALLOC_CTX *mem_ctx,
3362 return rpccli_srvsvc_NetShareDel(pipe_hnd, mem_ctx,
3363 pipe_hnd->cli->desthost,
3370 * Delete a share on a remote RPC server
3372 * @param domain_sid The domain sid acquired from the remote server
3373 * @param argc Standard main() style argc
3374 * @param argv Standard main() style argv. Initial components are already
3377 * @return A shell status integer (0 for success)
3379 static int rpc_share_delete(int argc, const char **argv)
3382 DEBUG(1,("Sharename not specified on delete\n"));
3383 return rpc_share_usage(argc, argv);
3385 return run_rpc_command(NULL, PI_SRVSVC, 0,
3386 rpc_share_del_internals,
3391 * Formatted print of share info
3393 * @param info1 pointer to SRV_SHARE_INFO_1 to format
3396 static void display_share_info_1(struct srvsvc_NetShareInfo1 *r)
3398 if (opt_long_list_entries) {
3399 d_printf("%-12s %-8.8s %-50s\n",
3401 share_type[r->type & ~(STYPE_TEMPORARY|STYPE_HIDDEN)],
3404 d_printf("%s\n", r->name);
3408 static WERROR get_share_info(struct rpc_pipe_client *pipe_hnd,
3409 TALLOC_CTX *mem_ctx,
3413 struct srvsvc_NetShareInfoCtr *info_ctr)
3417 union srvsvc_NetShareInfo info;
3419 /* no specific share requested, enumerate all */
3422 uint32_t preferred_len = 0xffffffff;
3423 uint32_t total_entries = 0;
3424 uint32_t resume_handle = 0;
3426 info_ctr->level = level;
3428 status = rpccli_srvsvc_NetShareEnumAll(pipe_hnd, mem_ctx,
3429 pipe_hnd->cli->desthost,
3438 /* request just one share */
3439 status = rpccli_srvsvc_NetShareGetInfo(pipe_hnd, mem_ctx,
3440 pipe_hnd->cli->desthost,
3446 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
3451 ZERO_STRUCTP(info_ctr);
3453 info_ctr->level = level;
3458 struct srvsvc_NetShareCtr1 *ctr1;
3460 ctr1 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr1);
3461 W_ERROR_HAVE_NO_MEMORY(ctr1);
3464 ctr1->array = info.info1;
3466 info_ctr->ctr.ctr1 = ctr1;
3470 struct srvsvc_NetShareCtr2 *ctr2;
3472 ctr2 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr2);
3473 W_ERROR_HAVE_NO_MEMORY(ctr2);
3476 ctr2->array = info.info2;
3478 info_ctr->ctr.ctr2 = ctr2;
3482 struct srvsvc_NetShareCtr502 *ctr502;
3484 ctr502 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr502);
3485 W_ERROR_HAVE_NO_MEMORY(ctr502);
3488 ctr502->array = info.info502;
3490 info_ctr->ctr.ctr502 = ctr502;
3498 * List shares on a remote RPC server
3500 * All parameters are provided by the run_rpc_command function, except for
3501 * argc, argv which are passes through.
3503 * @param domain_sid The domain sid acquired from the remote server
3504 * @param cli A cli_state connected to the server.
3505 * @param mem_ctx Talloc context, destoyed on completion of the function.
3506 * @param argc Standard main() style argc
3507 * @param argv Standard main() style argv. Initial components are already
3510 * @return Normal NTSTATUS return.
3513 static NTSTATUS rpc_share_list_internals(const DOM_SID *domain_sid,
3514 const char *domain_name,
3515 struct cli_state *cli,
3516 struct rpc_pipe_client *pipe_hnd,
3517 TALLOC_CTX *mem_ctx,
3521 struct srvsvc_NetShareInfoCtr info_ctr;
3522 struct srvsvc_NetShareCtr1 ctr1;
3524 uint32 i, level = 1;
3526 ZERO_STRUCT(info_ctr);
3530 info_ctr.ctr.ctr1 = &ctr1;
3532 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &info_ctr);
3533 if (!W_ERROR_IS_OK(result))
3536 /* Display results */
3538 if (opt_long_list_entries) {
3540 "\nEnumerating shared resources (exports) on remote server:\n\n"\
3541 "\nShare name Type Description\n"\
3542 "---------- ---- -----------\n");
3544 for (i = 0; i < info_ctr.ctr.ctr1->count; i++)
3545 display_share_info_1(&info_ctr.ctr.ctr1->array[i]);
3547 return W_ERROR_IS_OK(result) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3551 * 'net rpc share list' entrypoint.
3552 * @param argc Standard main() style argc
3553 * @param argv Standard main() style argv. Initial components are already
3556 static int rpc_share_list(int argc, const char **argv)
3558 return run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_list_internals, argc, argv);
3561 static bool check_share_availability(struct cli_state *cli, const char *netname)
3563 if (!cli_send_tconX(cli, netname, "A:", "", 0)) {
3564 d_printf("skipping [%s]: not a file share.\n", netname);
3574 static bool check_share_sanity(struct cli_state *cli, const char *netname, uint32 type)
3576 /* only support disk shares */
3577 if (! ( type == STYPE_DISKTREE || type == (STYPE_DISKTREE | STYPE_HIDDEN)) ) {
3578 printf("share [%s] is not a diskshare (type: %x)\n", netname, type);
3582 /* skip builtin shares */
3583 /* FIXME: should print$ be added too ? */
3584 if (strequal(netname,"IPC$") || strequal(netname,"ADMIN$") ||
3585 strequal(netname,"global"))
3588 if (opt_exclude && in_list(netname, opt_exclude, False)) {
3589 printf("excluding [%s]\n", netname);
3593 return check_share_availability(cli, netname);
3597 * Migrate shares from a remote RPC server to the local RPC server
3599 * All parameters are provided by the run_rpc_command function, except for
3600 * argc, argv which are passed through.
3602 * @param domain_sid The domain sid acquired from the remote server
3603 * @param cli A cli_state connected to the server.
3604 * @param mem_ctx Talloc context, destroyed on completion of the function.
3605 * @param argc Standard main() style argc
3606 * @param argv Standard main() style argv. Initial components are already
3609 * @return Normal NTSTATUS return.
3612 static NTSTATUS rpc_share_migrate_shares_internals(const DOM_SID *domain_sid,
3613 const char *domain_name,
3614 struct cli_state *cli,
3615 struct rpc_pipe_client *pipe_hnd,
3616 TALLOC_CTX *mem_ctx,
3621 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3622 struct srvsvc_NetShareInfoCtr ctr_src;
3624 struct rpc_pipe_client *srvsvc_pipe = NULL;
3625 struct cli_state *cli_dst = NULL;
3626 uint32 level = 502; /* includes secdesc */
3627 uint32_t parm_error = 0;
3629 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &ctr_src);
3630 if (!W_ERROR_IS_OK(result))
3633 /* connect destination PI_SRVSVC */
3634 nt_status = connect_dst_pipe(&cli_dst, &srvsvc_pipe, PI_SRVSVC);
3635 if (!NT_STATUS_IS_OK(nt_status))
3639 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3641 union srvsvc_NetShareInfo info;
3642 struct srvsvc_NetShareInfo502 info502 =
3643 ctr_src.ctr.ctr502->array[i];
3645 /* reset error-code */
3646 nt_status = NT_STATUS_UNSUCCESSFUL;
3648 if (!check_share_sanity(cli, info502.name, info502.type))
3651 /* finally add the share on the dst server */
3653 printf("migrating: [%s], path: %s, comment: %s, without share-ACLs\n",
3654 info502.name, info502.path, info502.comment);
3656 info.info502 = &info502;
3658 nt_status = rpccli_srvsvc_NetShareAdd(srvsvc_pipe, mem_ctx,
3659 srvsvc_pipe->cli->desthost,
3665 if (W_ERROR_V(result) == W_ERROR_V(WERR_ALREADY_EXISTS)) {
3666 printf(" [%s] does already exist\n",
3671 if (!NT_STATUS_IS_OK(nt_status) || !W_ERROR_IS_OK(result)) {
3672 printf("cannot add share: %s\n", dos_errstr(result));
3678 nt_status = NT_STATUS_OK;
3682 cli_shutdown(cli_dst);
3690 * Migrate shares from a rpc-server to another
3692 * @param argc Standard main() style argc
3693 * @param argv Standard main() style argv. Initial components are already
3696 * @return A shell status integer (0 for success)
3698 static int rpc_share_migrate_shares(int argc, const char **argv)
3702 printf("no server to migrate\n");
3706 return run_rpc_command(NULL, PI_SRVSVC, 0,
3707 rpc_share_migrate_shares_internals,
3714 * @param f file_info
3715 * @param mask current search mask
3716 * @param state arg-pointer
3719 static void copy_fn(const char *mnt, file_info *f, const char *mask, void *state)
3721 static NTSTATUS nt_status;
3722 static struct copy_clistate *local_state;
3723 static fstring filename, new_mask;
3727 local_state = (struct copy_clistate *)state;
3728 nt_status = NT_STATUS_UNSUCCESSFUL;
3730 if (strequal(f->name, ".") || strequal(f->name, ".."))
3733 DEBUG(3,("got mask: %s, name: %s\n", mask, f->name));
3736 if (f->mode & aDIR) {
3738 DEBUG(3,("got dir: %s\n", f->name));
3740 fstrcpy(dir, local_state->cwd);
3742 fstrcat(dir, f->name);
3744 switch (net_mode_share)
3746 case NET_MODE_SHARE_MIGRATE:
3747 /* create that directory */
3748 nt_status = net_copy_file(local_state->mem_ctx,
3749 local_state->cli_share_src,
3750 local_state->cli_share_dst,
3752 opt_acls? True : False,
3753 opt_attrs? True : False,
3754 opt_timestamps? True : False,
3758 d_fprintf(stderr, "Unsupported mode %d\n", net_mode_share);
3762 if (!NT_STATUS_IS_OK(nt_status))
3763 printf("could not handle dir %s: %s\n",
3764 dir, nt_errstr(nt_status));
3766 /* search below that directory */
3767 fstrcpy(new_mask, dir);
3768 fstrcat(new_mask, "\\*");
3770 old_dir = local_state->cwd;
3771 local_state->cwd = dir;
3772 if (!sync_files(local_state, new_mask))
3773 printf("could not handle files\n");
3774 local_state->cwd = old_dir;
3781 fstrcpy(filename, local_state->cwd);
3782 fstrcat(filename, "\\");
3783 fstrcat(filename, f->name);
3785 DEBUG(3,("got file: %s\n", filename));
3787 switch (net_mode_share)
3789 case NET_MODE_SHARE_MIGRATE:
3790 nt_status = net_copy_file(local_state->mem_ctx,
3791 local_state->cli_share_src,
3792 local_state->cli_share_dst,
3794 opt_acls? True : False,
3795 opt_attrs? True : False,
3796 opt_timestamps? True: False,
3800 d_fprintf(stderr, "Unsupported file mode %d\n", net_mode_share);
3804 if (!NT_STATUS_IS_OK(nt_status))
3805 printf("could not handle file %s: %s\n",
3806 filename, nt_errstr(nt_status));
3811 * sync files, can be called recursivly to list files
3812 * and then call copy_fn for each file
3814 * @param cp_clistate pointer to the copy_clistate we work with
3815 * @param mask the current search mask
3817 * @return Boolean result
3819 static bool sync_files(struct copy_clistate *cp_clistate, const char *mask)
3821 struct cli_state *targetcli;
3822 char *targetpath = NULL;
3824 DEBUG(3,("calling cli_list with mask: %s\n", mask));
3826 if ( !cli_resolve_path(talloc_tos(), "", cp_clistate->cli_share_src,
3827 mask, &targetcli, &targetpath ) ) {
3828 d_fprintf(stderr, "cli_resolve_path %s failed with error: %s\n",
3829 mask, cli_errstr(cp_clistate->cli_share_src));
3833 if (cli_list(targetcli, targetpath, cp_clistate->attribute, copy_fn, cp_clistate) == -1) {
3834 d_fprintf(stderr, "listing %s failed with error: %s\n",
3835 mask, cli_errstr(targetcli));
3844 * Set the top level directory permissions before we do any further copies.
3845 * Should set up ACL inheritance.
3848 bool copy_top_level_perms(struct copy_clistate *cp_clistate,
3849 const char *sharename)
3851 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3853 switch (net_mode_share) {
3854 case NET_MODE_SHARE_MIGRATE:
3855 DEBUG(3,("calling net_copy_fileattr for '.' directory in share %s\n", sharename));
3856 nt_status = net_copy_fileattr(cp_clistate->mem_ctx,
3857 cp_clistate->cli_share_src,
3858 cp_clistate->cli_share_dst,
3860 opt_acls? True : False,
3861 opt_attrs? True : False,
3862 opt_timestamps? True: False,
3866 d_fprintf(stderr, "Unsupported mode %d\n", net_mode_share);
3870 if (!NT_STATUS_IS_OK(nt_status)) {
3871 printf("Could handle directory attributes for top level directory of share %s. Error %s\n",
3872 sharename, nt_errstr(nt_status));
3880 * Sync all files inside a remote share to another share (over smb)
3882 * All parameters are provided by the run_rpc_command function, except for
3883 * argc, argv which are passes through.
3885 * @param domain_sid The domain sid acquired from the remote server
3886 * @param cli A cli_state connected to the server.
3887 * @param mem_ctx Talloc context, destoyed on completion of the function.
3888 * @param argc Standard main() style argc
3889 * @param argv Standard main() style argv. Initial components are already
3892 * @return Normal NTSTATUS return.
3895 static NTSTATUS rpc_share_migrate_files_internals(const DOM_SID *domain_sid,
3896 const char *domain_name,
3897 struct cli_state *cli,
3898 struct rpc_pipe_client *pipe_hnd,
3899 TALLOC_CTX *mem_ctx,
3904 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3905 struct srvsvc_NetShareInfoCtr ctr_src;
3908 struct copy_clistate cp_clistate;
3909 bool got_src_share = False;
3910 bool got_dst_share = False;
3911 const char *mask = "\\*";
3914 dst = SMB_STRDUP(opt_destination?opt_destination:"127.0.0.1");
3916 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &ctr_src);
3918 if (!W_ERROR_IS_OK(result))
3921 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3923 struct srvsvc_NetShareInfo502 info502 =
3924 ctr_src.ctr.ctr502->array[i];
3926 if (!check_share_sanity(cli, info502.name, info502.type))
3929 /* one might not want to mirror whole discs :) */
3930 if (strequal(info502.name, "print$") || info502.name[1] == '$') {
3931 d_printf("skipping [%s]: builtin/hidden share\n", info502.name);
3935 switch (net_mode_share)
3937 case NET_MODE_SHARE_MIGRATE:
3941 d_fprintf(stderr, "Unsupported mode %d\n", net_mode_share);
3944 printf(" [%s] files and directories %s ACLs, %s DOS Attributes %s\n",
3946 opt_acls ? "including" : "without",
3947 opt_attrs ? "including" : "without",
3948 opt_timestamps ? "(preserving timestamps)" : "");
3950 cp_clistate.mem_ctx = mem_ctx;
3951 cp_clistate.cli_share_src = NULL;
3952 cp_clistate.cli_share_dst = NULL;
3953 cp_clistate.cwd = NULL;
3954 cp_clistate.attribute = aSYSTEM | aHIDDEN | aDIR;
3956 /* open share source */
3957 nt_status = connect_to_service(&cp_clistate.cli_share_src,
3958 &cli->dest_ss, cli->desthost,
3959 info502.name, "A:");
3960 if (!NT_STATUS_IS_OK(nt_status))
3963 got_src_share = True;
3965 if (net_mode_share == NET_MODE_SHARE_MIGRATE) {
3966 /* open share destination */
3967 nt_status = connect_to_service(&cp_clistate.cli_share_dst,
3968 NULL, dst, info502.name, "A:");
3969 if (!NT_STATUS_IS_OK(nt_status))
3972 got_dst_share = True;
3975 if (!copy_top_level_perms(&cp_clistate, info502.name)) {
3976 d_fprintf(stderr, "Could not handle the top level directory permissions for the share: %s\n", info502.name);
3977 nt_status = NT_STATUS_UNSUCCESSFUL;
3981 if (!sync_files(&cp_clistate, mask)) {
3982 d_fprintf(stderr, "could not handle files for share: %s\n", info502.name);
3983 nt_status = NT_STATUS_UNSUCCESSFUL;
3988 nt_status = NT_STATUS_OK;
3993 cli_shutdown(cp_clistate.cli_share_src);
3996 cli_shutdown(cp_clistate.cli_share_dst);
4002 static int rpc_share_migrate_files(int argc, const char **argv)
4006 printf("no server to migrate\n");
4010 return run_rpc_command(NULL, PI_SRVSVC, 0,
4011 rpc_share_migrate_files_internals,
4016 * Migrate share-ACLs from a remote RPC server to the local RPC srever
4018 * All parameters are provided by the run_rpc_command function, except for
4019 * argc, argv which are passes through.
4021 * @param domain_sid The domain sid acquired from the remote server
4022 * @param cli A cli_state connected to the server.
4023 * @param mem_ctx Talloc context, destoyed on completion of the function.
4024 * @param argc Standard main() style argc
4025 * @param argv Standard main() style argv. Initial components are already
4028 * @return Normal NTSTATUS return.
4031 static NTSTATUS rpc_share_migrate_security_internals(const DOM_SID *domain_sid,
4032 const char *domain_name,
4033 struct cli_state *cli,
4034 struct rpc_pipe_client *pipe_hnd,
4035 TALLOC_CTX *mem_ctx,
4040 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
4041 struct srvsvc_NetShareInfoCtr ctr_src;
4042 union srvsvc_NetShareInfo info;
4044 struct rpc_pipe_client *srvsvc_pipe = NULL;
4045 struct cli_state *cli_dst = NULL;
4046 uint32 level = 502; /* includes secdesc */
4047 uint32_t parm_error = 0;
4049 result = get_share_info(pipe_hnd, mem_ctx, level, argc, argv, &ctr_src);
4051 if (!W_ERROR_IS_OK(result))
4054 /* connect destination PI_SRVSVC */
4055 nt_status = connect_dst_pipe(&cli_dst, &srvsvc_pipe, PI_SRVSVC);
4056 if (!NT_STATUS_IS_OK(nt_status))
4060 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
4062 struct srvsvc_NetShareInfo502 info502 =
4063 ctr_src.ctr.ctr502->array[i];
4065 /* reset error-code */
4066 nt_status = NT_STATUS_UNSUCCESSFUL;
4068 if (!check_share_sanity(cli, info502.name, info502.type))
4071 printf("migrating: [%s], path: %s, comment: %s, including share-ACLs\n",
4072 info502.name, info502.path, info502.comment);
4075 display_sec_desc(info502.sd_buf.sd);
4077 /* FIXME: shouldn't we be able to just set the security descriptor ? */
4078 info.info502 = &info502;
4080 /* finally modify the share on the dst server */
4081 nt_status = rpccli_srvsvc_NetShareSetInfo(srvsvc_pipe, mem_ctx,
4082 srvsvc_pipe->cli->desthost,
4088 if (!NT_STATUS_IS_OK(nt_status) || !W_ERROR_IS_OK(result)) {
4089 printf("cannot set share-acl: %s\n", dos_errstr(result));
4095 nt_status = NT_STATUS_OK;
4099 cli_shutdown(cli_dst);
4107 * Migrate share-acls from a rpc-server to another
4109 * @param argc Standard main() style argc
4110 * @param argv Standard main() style argv. Initial components are already
4113 * @return A shell status integer (0 for success)
4115 static int rpc_share_migrate_security(int argc, const char **argv)
4119 printf("no server to migrate\n");
4123 return run_rpc_command(NULL, PI_SRVSVC, 0,
4124 rpc_share_migrate_security_internals,
4129 * Migrate shares (including share-definitions, share-acls and files with acls/attrs)
4130 * from one server to another
4132 * @param argc Standard main() style argc
4133 * @param argv Standard main() style argv. Initial components are already
4136 * @return A shell status integer (0 for success)
4139 static int rpc_share_migrate_all(int argc, const char **argv)
4144 printf("no server to migrate\n");
4148 /* order is important. we don't want to be locked out by the share-acl
4149 * before copying files - gd */
4151 ret = run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_shares_internals, argc, argv);
4155 ret = run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_files_internals, argc, argv);
4159 return run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_security_internals, argc, argv);
4164 * 'net rpc share migrate' entrypoint.
4165 * @param argc Standard main() style argc
4166 * @param argv Standard main() style argv. Initial components are already
4169 static int rpc_share_migrate(int argc, const char **argv)
4172 struct functable func[] = {
4173 {"all", rpc_share_migrate_all},
4174 {"files", rpc_share_migrate_files},
4175 {"help", rpc_share_usage},
4176 {"security", rpc_share_migrate_security},
4177 {"shares", rpc_share_migrate_shares},
4181 net_mode_share = NET_MODE_SHARE_MIGRATE;
4183 return net_run_function(argc, argv, func, rpc_share_usage);
4192 static int num_server_aliases;
4193 static struct full_alias *server_aliases;
4196 * Add an alias to the static list.
4198 static void push_alias(TALLOC_CTX *mem_ctx, struct full_alias *alias)
4200 if (server_aliases == NULL)
4201 server_aliases = SMB_MALLOC_ARRAY(struct full_alias, 100);
4203 server_aliases[num_server_aliases] = *alias;
4204 num_server_aliases += 1;
4208 * For a specific domain on the server, fetch all the aliases
4209 * and their members. Add all of them to the server_aliases.
4212 static NTSTATUS rpc_fetch_domain_aliases(struct rpc_pipe_client *pipe_hnd,
4213 TALLOC_CTX *mem_ctx,
4214 POLICY_HND *connect_pol,
4215 const DOM_SID *domain_sid)
4217 uint32 start_idx, max_entries, num_entries, i;
4218 struct samr_SamArray *groups = NULL;
4220 POLICY_HND domain_pol;
4222 /* Get domain policy handle */
4224 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
4226 MAXIMUM_ALLOWED_ACCESS,
4227 CONST_DISCARD(struct dom_sid2 *, domain_sid),
4229 if (!NT_STATUS_IS_OK(result))
4236 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
4242 for (i = 0; i < num_entries; i++) {
4244 POLICY_HND alias_pol;
4245 struct full_alias alias;
4246 struct lsa_SidArray sid_array;
4249 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
4251 MAXIMUM_ALLOWED_ACCESS,
4252 groups->entries[i].idx,
4254 if (!NT_STATUS_IS_OK(result))
4257 result = rpccli_samr_GetMembersInAlias(pipe_hnd, mem_ctx,
4260 if (!NT_STATUS_IS_OK(result))
4263 alias.num_members = sid_array.num_sids;
4265 result = rpccli_samr_Close(pipe_hnd, mem_ctx, &alias_pol);
4266 if (!NT_STATUS_IS_OK(result))
4269 alias.members = NULL;
4271 if (alias.num_members > 0) {
4272 alias.members = SMB_MALLOC_ARRAY(DOM_SID, alias.num_members);
4274 for (j = 0; j < alias.num_members; j++)
4275 sid_copy(&alias.members[j],
4276 sid_array.sids[j].sid);
4279 sid_copy(&alias.sid, domain_sid);
4280 sid_append_rid(&alias.sid, groups->entries[i].idx);
4282 push_alias(mem_ctx, &alias);
4284 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
4286 result = NT_STATUS_OK;
4289 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
4295 * Dump server_aliases as names for debugging purposes.
4298 static NTSTATUS rpc_aliaslist_dump(const DOM_SID *domain_sid,
4299 const char *domain_name,
4300 struct cli_state *cli,
4301 struct rpc_pipe_client *pipe_hnd,
4302 TALLOC_CTX *mem_ctx,
4310 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
4311 SEC_RIGHTS_MAXIMUM_ALLOWED,
4313 if (!NT_STATUS_IS_OK(result))
4316 for (i=0; i<num_server_aliases; i++) {
4319 enum lsa_SidType *types;
4322 struct full_alias *alias = &server_aliases[i];
4324 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &lsa_pol, 1,
4326 &domains, &names, &types);
4327 if (!NT_STATUS_IS_OK(result))
4330 DEBUG(1, ("%s\\%s %d: ", domains[0], names[0], types[0]));
4332 if (alias->num_members == 0) {
4337 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &lsa_pol,
4340 &domains, &names, &types);
4342 if (!NT_STATUS_IS_OK(result) &&
4343 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
4346 for (j=0; j<alias->num_members; j++)
4347 DEBUG(1, ("%s\\%s (%d); ",
4348 domains[j] ? domains[j] : "*unknown*",
4349 names[j] ? names[j] : "*unknown*",types[j]));
4353 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
4355 return NT_STATUS_OK;
4359 * Fetch a list of all server aliases and their members into
4363 static NTSTATUS rpc_aliaslist_internals(const DOM_SID *domain_sid,
4364 const char *domain_name,
4365 struct cli_state *cli,
4366 struct rpc_pipe_client *pipe_hnd,
4367 TALLOC_CTX *mem_ctx,
4372 POLICY_HND connect_pol;
4374 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
4375 pipe_hnd->cli->desthost,
4376 MAXIMUM_ALLOWED_ACCESS,
4379 if (!NT_STATUS_IS_OK(result))
4382 result = rpc_fetch_domain_aliases(pipe_hnd, mem_ctx, &connect_pol,
4383 &global_sid_Builtin);
4385 if (!NT_STATUS_IS_OK(result))
4388 result = rpc_fetch_domain_aliases(pipe_hnd, mem_ctx, &connect_pol,
4391 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
4396 static void init_user_token(NT_USER_TOKEN *token, DOM_SID *user_sid)
4398 token->num_sids = 4;
4400 if (!(token->user_sids = SMB_MALLOC_ARRAY(DOM_SID, 4))) {
4401 d_fprintf(stderr, "malloc failed\n");
4402 token->num_sids = 0;
4406 token->user_sids[0] = *user_sid;
4407 sid_copy(&token->user_sids[1], &global_sid_World);
4408 sid_copy(&token->user_sids[2], &global_sid_Network);
4409 sid_copy(&token->user_sids[3], &global_sid_Authenticated_Users);
4412 static void free_user_token(NT_USER_TOKEN *token)
4414 SAFE_FREE(token->user_sids);
4417 static bool is_sid_in_token(NT_USER_TOKEN *token, DOM_SID *sid)
4421 for (i=0; i<token->num_sids; i++) {
4422 if (sid_compare(sid, &token->user_sids[i]) == 0)
4428 static void add_sid_to_token(NT_USER_TOKEN *token, DOM_SID *sid)
4430 if (is_sid_in_token(token, sid))
4433 token->user_sids = SMB_REALLOC_ARRAY(token->user_sids, DOM_SID, token->num_sids+1);
4434 if (!token->user_sids) {
4438 sid_copy(&token->user_sids[token->num_sids], sid);
4440 token->num_sids += 1;
4445 NT_USER_TOKEN token;
4448 static void dump_user_token(struct user_token *token)
4452 d_printf("%s\n", token->name);
4454 for (i=0; i<token->token.num_sids; i++) {
4455 d_printf(" %s\n", sid_string_tos(&token->token.user_sids[i]));
4459 static bool is_alias_member(DOM_SID *sid, struct full_alias *alias)
4463 for (i=0; i<alias->num_members; i++) {
4464 if (sid_compare(sid, &alias->members[i]) == 0)
4471 static void collect_sid_memberships(NT_USER_TOKEN *token, DOM_SID sid)
4475 for (i=0; i<num_server_aliases; i++) {
4476 if (is_alias_member(&sid, &server_aliases[i]))
4477 add_sid_to_token(token, &server_aliases[i].sid);
4482 * We got a user token with all the SIDs we can know about without asking the
4483 * server directly. These are the user and domain group sids. All of these can
4484 * be members of aliases. So scan the list of aliases for each of the SIDs and
4485 * add them to the token.
4488 static void collect_alias_memberships(NT_USER_TOKEN *token)
4490 int num_global_sids = token->num_sids;
4493 for (i=0; i<num_global_sids; i++) {
4494 collect_sid_memberships(token, token->user_sids[i]);
4498 static bool get_user_sids(const char *domain, const char *user, NT_USER_TOKEN *token)
4500 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
4501 enum wbcSidType type;
4503 struct wbcDomainSid wsid;
4504 char *sid_str = NULL;
4506 uint32_t num_groups;
4507 gid_t *groups = NULL;
4510 fstr_sprintf(full_name, "%s%c%s",
4511 domain, *lp_winbind_separator(), user);
4513 /* First let's find out the user sid */
4515 wbc_status = wbcLookupName(domain, user, &wsid, &type);
4517 if (!WBC_ERROR_IS_OK(wbc_status)) {
4518 DEBUG(1, ("winbind could not find %s: %s\n",
4519 full_name, wbcErrorString(wbc_status)));
4523 wbc_status = wbcSidToString(&wsid, &sid_str);
4524 if (!WBC_ERROR_IS_OK(wbc_status)) {
4528 if (type != SID_NAME_USER) {
4529 wbcFreeMemory(sid_str);
4530 DEBUG(1, ("%s is not a user\n", full_name));
4534 string_to_sid(&user_sid, sid_str);
4535 wbcFreeMemory(sid_str);
4538 init_user_token(token, &user_sid);
4540 /* And now the groups winbind knows about */
4542 wbc_status = wbcGetGroups(full_name, &num_groups, &groups);
4543 if (!WBC_ERROR_IS_OK(wbc_status)) {
4544 DEBUG(1, ("winbind could not get groups of %s: %s\n",
4545 full_name, wbcErrorString(wbc_status)));
4549 for (i = 0; i < num_groups; i++) {
4550 gid_t gid = groups[i];
4553 wbc_status = wbcGidToSid(gid, &wsid);
4554 if (!WBC_ERROR_IS_OK(wbc_status)) {
4555 DEBUG(1, ("winbind could not find SID of gid %d: %s\n",
4556 gid, wbcErrorString(wbc_status)));
4557 wbcFreeMemory(groups);
4561 wbc_status = wbcSidToString(&wsid, &sid_str);
4562 if (!WBC_ERROR_IS_OK(wbc_status)) {
4563 wbcFreeMemory(groups);
4567 DEBUG(3, (" %s\n", sid_str));
4569 string_to_sid(&sid, sid_str);
4570 wbcFreeMemory(sid_str);
4573 add_sid_to_token(token, &sid);
4575 wbcFreeMemory(groups);
4581 * Get a list of all user tokens we want to look at
4584 static bool get_user_tokens(int *num_tokens, struct user_token **user_tokens)
4586 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
4587 uint32_t i, num_users;
4589 struct user_token *result;
4590 TALLOC_CTX *frame = NULL;
4592 if (lp_winbind_use_default_domain() &&
4593 (opt_target_workgroup == NULL)) {
4594 d_fprintf(stderr, "winbind use default domain = yes set, "
4595 "please specify a workgroup\n");
4599 /* Send request to winbind daemon */
4601 wbc_status = wbcListUsers(NULL, &num_users, &users);
4602 if (!WBC_ERROR_IS_OK(wbc_status)) {
4603 DEBUG(1, ("winbind could not list users: %s\n",
4604 wbcErrorString(wbc_status)));
4608 result = SMB_MALLOC_ARRAY(struct user_token, num_users);
4610 if (result == NULL) {
4611 DEBUG(1, ("Could not malloc sid array\n"));
4612 wbcFreeMemory(users);
4616 frame = talloc_stackframe();
4617 for (i=0; i < num_users; i++) {
4618 fstring domain, user;
4621 fstrcpy(result[i].name, users[i]);
4623 p = strchr(users[i], *lp_winbind_separator());
4625 DEBUG(3, ("%s\n", users[i]));
4628 fstrcpy(domain, opt_target_workgroup);
4629 fstrcpy(user, users[i]);
4632 fstrcpy(domain, users[i]);
4637 get_user_sids(domain, user, &(result[i].token));
4641 wbcFreeMemory(users);
4643 *num_tokens = num_users;
4644 *user_tokens = result;
4649 static bool get_user_tokens_from_file(FILE *f,
4651 struct user_token **tokens)
4653 struct user_token *token = NULL;
4658 if (fgets(line, sizeof(line)-1, f) == NULL) {
4662 if (line[strlen(line)-1] == '\n')
4663 line[strlen(line)-1] = '\0';
4665 if (line[0] == ' ') {
4669 string_to_sid(&sid, &line[1]);
4671 if (token == NULL) {
4672 DEBUG(0, ("File does not begin with username"));
4676 add_sid_to_token(&token->token, &sid);
4680 /* And a new user... */
4683 *tokens = SMB_REALLOC_ARRAY(*tokens, struct user_token, *num_tokens);
4684 if (*tokens == NULL) {
4685 DEBUG(0, ("Could not realloc tokens\n"));
4689 token = &((*tokens)[*num_tokens-1]);
4691 fstrcpy(token->name, line);
4692 token->token.num_sids = 0;
4693 token->token.user_sids = NULL;
4702 * Show the list of all users that have access to a share
4705 static void show_userlist(struct rpc_pipe_client *pipe_hnd,
4706 TALLOC_CTX *mem_ctx,
4707 const char *netname,
4709 struct user_token *tokens)
4712 SEC_DESC *share_sd = NULL;
4713 SEC_DESC *root_sd = NULL;
4714 struct cli_state *cli = pipe_hnd->cli;
4716 union srvsvc_NetShareInfo info;
4721 status = rpccli_srvsvc_NetShareGetInfo(pipe_hnd, mem_ctx,
4722 pipe_hnd->cli->desthost,
4728 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
4729 DEBUG(1, ("Coult not query secdesc for share %s\n",
4734 share_sd = info.info502->sd_buf.sd;
4735 if (share_sd == NULL) {
4736 DEBUG(1, ("Got no secdesc for share %s\n",
4742 if (!cli_send_tconX(cli, netname, "A:", "", 0)) {
4746 fnum = cli_nt_create(cli, "\\", READ_CONTROL_ACCESS);
4749 root_sd = cli_query_secdesc(cli, fnum, mem_ctx);
4752 for (i=0; i<num_tokens; i++) {
4755 if (share_sd != NULL) {
4756 if (!se_access_check(share_sd, &tokens[i].token,
4757 1, &acc_granted, &status)) {
4758 DEBUG(1, ("Could not check share_sd for "
4764 if (!NT_STATUS_IS_OK(status))
4768 if (root_sd == NULL) {
4769 d_printf(" %s\n", tokens[i].name);
4773 if (!se_access_check(root_sd, &tokens[i].token,
4774 1, &acc_granted, &status)) {
4775 DEBUG(1, ("Could not check root_sd for user %s\n",
4780 if (!NT_STATUS_IS_OK(status))
4783 d_printf(" %s\n", tokens[i].name);
4787 cli_close(cli, fnum);
4799 static void collect_share(const char *name, uint32 m,
4800 const char *comment, void *state)
4802 struct share_list *share_list = (struct share_list *)state;
4804 if (m != STYPE_DISKTREE)
4807 share_list->num_shares += 1;
4808 share_list->shares = SMB_REALLOC_ARRAY(share_list->shares, char *, share_list->num_shares);
4809 if (!share_list->shares) {
4810 share_list->num_shares = 0;
4813 share_list->shares[share_list->num_shares-1] = SMB_STRDUP(name);
4816 static void rpc_share_userlist_usage(void)
4822 * List shares on a remote RPC server, including the security descriptors
4824 * All parameters are provided by the run_rpc_command function, except for
4825 * argc, argv which are passes through.
4827 * @param domain_sid The domain sid acquired from the remote server
4828 * @param cli A cli_state connected to the server.
4829 * @param mem_ctx Talloc context, destoyed on completion of the function.
4830 * @param argc Standard main() style argc
4831 * @param argv Standard main() style argv. Initial components are already
4834 * @return Normal NTSTATUS return.
4837 static NTSTATUS rpc_share_allowedusers_internals(const DOM_SID *domain_sid,
4838 const char *domain_name,
4839 struct cli_state *cli,
4840 struct rpc_pipe_client *pipe_hnd,
4841 TALLOC_CTX *mem_ctx,
4851 struct user_token *tokens = NULL;
4854 struct share_list share_list;
4857 rpc_share_userlist_usage();
4858 return NT_STATUS_UNSUCCESSFUL;
4864 f = fopen(argv[0], "r");
4868 DEBUG(0, ("Could not open userlist: %s\n", strerror(errno)));
4869 return NT_STATUS_UNSUCCESSFUL;
4872 r = get_user_tokens_from_file(f, &num_tokens, &tokens);
4878 DEBUG(0, ("Could not read users from file\n"));
4879 return NT_STATUS_UNSUCCESSFUL;
4882 for (i=0; i<num_tokens; i++)
4883 collect_alias_memberships(&tokens[i].token);
4885 init_enum_hnd(&hnd, 0);
4887 share_list.num_shares = 0;
4888 share_list.shares = NULL;
4890 ret = cli_RNetShareEnum(cli, collect_share, &share_list);
4893 DEBUG(0, ("Error returning browse list: %s\n",
4898 for (i = 0; i < share_list.num_shares; i++) {
4899 char *netname = share_list.shares[i];
4901 if (netname[strlen(netname)-1] == '$')
4904 d_printf("%s\n", netname);
4906 show_userlist(pipe_hnd, mem_ctx, netname,
4907 num_tokens, tokens);
4910 for (i=0; i<num_tokens; i++) {
4911 free_user_token(&tokens[i].token);
4914 SAFE_FREE(share_list.shares);
4916 return NT_STATUS_OK;
4919 static int rpc_share_allowedusers(int argc, const char **argv)
4923 result = run_rpc_command(NULL, PI_SAMR, 0,
4924 rpc_aliaslist_internals,
4929 result = run_rpc_command(NULL, PI_LSARPC, 0,
4935 return run_rpc_command(NULL, PI_SRVSVC, 0,
4936 rpc_share_allowedusers_internals,
4940 int net_usersidlist(int argc, const char **argv)
4943 struct user_token *tokens = NULL;
4947 net_usersidlist_usage(argc, argv);
4951 if (!get_user_tokens(&num_tokens, &tokens)) {
4952 DEBUG(0, ("Could not get the user/sid list\n"));
4956 for (i=0; i<num_tokens; i++) {
4957 dump_user_token(&tokens[i]);
4958 free_user_token(&tokens[i].token);
4965 int net_usersidlist_usage(int argc, const char **argv)
4967 d_printf("net usersidlist\n"
4968 "\tprints out a list of all users the running winbind knows\n"
4969 "\tabout, together with all their SIDs. This is used as\n"
4970 "\tinput to the 'net rpc share allowedusers' command.\n\n");
4972 net_common_flags_usage(argc, argv);
4977 * 'net rpc share' entrypoint.
4978 * @param argc Standard main() style argc
4979 * @param argv Standard main() style argv. Initial components are already
4983 int net_rpc_share(int argc, const char **argv)
4985 struct functable func[] = {
4986 {"add", rpc_share_add},
4987 {"delete", rpc_share_delete},
4988 {"allowedusers", rpc_share_allowedusers},
4989 {"migrate", rpc_share_migrate},
4990 {"list", rpc_share_list},
4995 return run_rpc_command(NULL, PI_SRVSVC, 0,
4996 rpc_share_list_internals,
4999 return net_run_function(argc, argv, func, rpc_share_usage);
5002 static NTSTATUS rpc_sh_share_list(TALLOC_CTX *mem_ctx,
5003 struct rpc_sh_ctx *ctx,
5004 struct rpc_pipe_client *pipe_hnd,
5005 int argc, const char **argv)
5007 return rpc_share_list_internals(ctx->domain_sid, ctx->domain_name,
5008 ctx->cli, pipe_hnd, mem_ctx,
5012 static NTSTATUS rpc_sh_share_add(TALLOC_CTX *mem_ctx,
5013 struct rpc_sh_ctx *ctx,
5014 struct rpc_pipe_client *pipe_hnd,
5015 int argc, const char **argv)
5019 uint32_t parm_err = 0;
5020 union srvsvc_NetShareInfo info;
5021 struct srvsvc_NetShareInfo2 info2;
5023 if ((argc < 2) || (argc > 3)) {
5024 d_fprintf(stderr, "usage: %s <share> <path> [comment]\n",
5026 return NT_STATUS_INVALID_PARAMETER;
5029 info2.name = argv[0];
5030 info2.type = STYPE_DISKTREE;
5031 info2.comment = (argc == 3) ? argv[2] : "";
5032 info2.permissions = 0;
5033 info2.max_users = 0;
5034 info2.current_users = 0;
5035 info2.path = argv[1];
5036 info2.password = NULL;
5038 info.info2 = &info2;
5040 status = rpccli_srvsvc_NetShareAdd(pipe_hnd, mem_ctx,
5041 pipe_hnd->cli->desthost,
5050 static NTSTATUS rpc_sh_share_delete(TALLOC_CTX *mem_ctx,
5051 struct rpc_sh_ctx *ctx,
5052 struct rpc_pipe_client *pipe_hnd,
5053 int argc, const char **argv)
5059 d_fprintf(stderr, "usage: %s <share>\n", ctx->whoami);
5060 return NT_STATUS_INVALID_PARAMETER;
5063 status = rpccli_srvsvc_NetShareDel(pipe_hnd, mem_ctx,
5064 pipe_hnd->cli->desthost,
5072 static NTSTATUS rpc_sh_share_info(TALLOC_CTX *mem_ctx,
5073 struct rpc_sh_ctx *ctx,
5074 struct rpc_pipe_client *pipe_hnd,
5075 int argc, const char **argv)
5077 union srvsvc_NetShareInfo info;
5082 d_fprintf(stderr, "usage: %s <share>\n", ctx->whoami);
5083 return NT_STATUS_INVALID_PARAMETER;
5086 status = rpccli_srvsvc_NetShareGetInfo(pipe_hnd, mem_ctx,
5087 pipe_hnd->cli->desthost,
5092 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
5096 d_printf("Name: %s\n", info.info2->name);
5097 d_printf("Comment: %s\n", info.info2->comment);
5098 d_printf("Path: %s\n", info.info2->path);
5099 d_printf("Password: %s\n", info.info2->password);
5102 return werror_to_ntstatus(result);
5105 struct rpc_sh_cmd *net_rpc_share_cmds(TALLOC_CTX *mem_ctx,
5106 struct rpc_sh_ctx *ctx)
5108 static struct rpc_sh_cmd cmds[] = {
5110 { "list", NULL, PI_SRVSVC, rpc_sh_share_list,
5111 "List available shares" },
5113 { "add", NULL, PI_SRVSVC, rpc_sh_share_add,
5116 { "delete", NULL, PI_SRVSVC, rpc_sh_share_delete,
5119 { "info", NULL, PI_SRVSVC, rpc_sh_share_info,
5120 "Get information about a share" },
5122 { NULL, NULL, 0, NULL, NULL }
5128 /****************************************************************************/
5130 static int rpc_file_usage(int argc, const char **argv)
5132 return net_help_file(argc, argv);
5136 * Close a file on a remote RPC server
5138 * All parameters are provided by the run_rpc_command function, except for
5139 * argc, argv which are passes through.
5141 * @param domain_sid The domain sid acquired from the remote server
5142 * @param cli A cli_state connected to the server.
5143 * @param mem_ctx Talloc context, destoyed on completion of the function.
5144 * @param argc Standard main() style argc
5145 * @param argv Standard main() style argv. Initial components are already
5148 * @return Normal NTSTATUS return.
5150 static NTSTATUS rpc_file_close_internals(const DOM_SID *domain_sid,
5151 const char *domain_name,
5152 struct cli_state *cli,
5153 struct rpc_pipe_client *pipe_hnd,
5154 TALLOC_CTX *mem_ctx,
5158 return rpccli_srvsvc_NetFileClose(pipe_hnd, mem_ctx,
5159 pipe_hnd->cli->desthost,
5160 atoi(argv[0]), NULL);
5164 * Close a file on a remote RPC server
5166 * @param argc Standard main() style argc
5167 * @param argv Standard main() style argv. Initial components are already
5170 * @return A shell status integer (0 for success)
5172 static int rpc_file_close(int argc, const char **argv)
5175 DEBUG(1, ("No fileid given on close\n"));
5176 return(rpc_file_usage(argc, argv));
5179 return run_rpc_command(NULL, PI_SRVSVC, 0,
5180 rpc_file_close_internals,
5185 * Formatted print of open file info
5187 * @param r struct srvsvc_NetFileInfo3 contents
5190 static void display_file_info_3(struct srvsvc_NetFileInfo3 *r)
5192 d_printf("%-7.1d %-20.20s 0x%-4.2x %-6.1d %s\n",
5193 r->fid, r->user, r->permissions, r->num_locks, r->path);
5197 * List open files on a remote RPC server
5199 * All parameters are provided by the run_rpc_command function, except for
5200 * argc, argv which are passes through.
5202 * @param domain_sid The domain sid acquired from the remote server
5203 * @param cli A cli_state connected to the server.
5204 * @param mem_ctx Talloc context, destoyed on completion of the function.
5205 * @param argc Standard main() style argc
5206 * @param argv Standard main() style argv. Initial components are already
5209 * @return Normal NTSTATUS return.
5212 static NTSTATUS rpc_file_list_internals(const DOM_SID *domain_sid,
5213 const char *domain_name,
5214 struct cli_state *cli,
5215 struct rpc_pipe_client *pipe_hnd,
5216 TALLOC_CTX *mem_ctx,
5220 struct srvsvc_NetFileInfoCtr info_ctr;
5221 struct srvsvc_NetFileCtr3 ctr3;
5224 uint32 preferred_len = 0xffffffff, i;
5225 const char *username=NULL;
5226 uint32_t total_entries = 0;
5227 uint32_t resume_handle = 0;
5229 /* if argc > 0, must be user command */
5231 username = smb_xstrdup(argv[0]);
5233 ZERO_STRUCT(info_ctr);
5237 info_ctr.ctr.ctr3 = &ctr3;
5239 status = rpccli_srvsvc_NetFileEnum(pipe_hnd, mem_ctx,
5240 pipe_hnd->cli->desthost,
5249 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result))
5252 /* Display results */
5255 "\nEnumerating open files on remote server:\n\n"\
5256 "\nFileId Opened by Perms Locks Path"\
5257 "\n------ --------- ----- ----- ---- \n");
5258 for (i = 0; i < total_entries; i++)
5259 display_file_info_3(&info_ctr.ctr.ctr3->array[i]);
5261 return W_ERROR_IS_OK(result) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
5265 * List files for a user on a remote RPC server
5267 * @param argc Standard main() style argc
5268 * @param argv Standard main() style argv. Initial components are already
5271 * @return A shell status integer (0 for success)
5274 static int rpc_file_user(int argc, const char **argv)
5277 DEBUG(1, ("No username given\n"));
5278 return(rpc_file_usage(argc, argv));
5281 return run_rpc_command(NULL, PI_SRVSVC, 0,
5282 rpc_file_list_internals,
5287 * 'net rpc file' entrypoint.
5288 * @param argc Standard main() style argc
5289 * @param argv Standard main() style argv. Initial components are already
5293 int net_rpc_file(int argc, const char **argv)
5295 struct functable func[] = {
5296 {"close", rpc_file_close},
5297 {"user", rpc_file_user},
5299 {"info", rpc_file_info},
5305 return run_rpc_command(NULL, PI_SRVSVC, 0,
5306 rpc_file_list_internals,
5309 return net_run_function(argc, argv, func, rpc_file_usage);
5313 * ABORT the shutdown of a remote RPC Server over, initshutdown pipe
5315 * All parameters are provided by the run_rpc_command function, except for
5316 * argc, argv which are passed through.
5318 * @param domain_sid The domain sid aquired from the remote server
5319 * @param cli A cli_state connected to the server.
5320 * @param mem_ctx Talloc context, destoyed on compleation of the function.
5321 * @param argc Standard main() style argc
5322 * @param argv Standard main() style argv. Initial components are already
5325 * @return Normal NTSTATUS return.
5328 static NTSTATUS rpc_shutdown_abort_internals(const DOM_SID *domain_sid,
5329 const char *domain_name,
5330 struct cli_state *cli,
5331 struct rpc_pipe_client *pipe_hnd,
5332 TALLOC_CTX *mem_ctx,
5336 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5338 result = rpccli_initshutdown_Abort(pipe_hnd, mem_ctx, NULL, NULL);
5340 if (NT_STATUS_IS_OK(result)) {
5341 d_printf("\nShutdown successfully aborted\n");
5342 DEBUG(5,("cmd_shutdown_abort: query succeeded\n"));
5344 DEBUG(5,("cmd_shutdown_abort: query failed\n"));
5350 * ABORT the shutdown of a remote RPC Server, over winreg pipe
5352 * All parameters are provided by the run_rpc_command function, except for
5353 * argc, argv which are passed through.
5355 * @param domain_sid The domain sid aquired from the remote server
5356 * @param cli A cli_state connected to the server.
5357 * @param mem_ctx Talloc context, destoyed on compleation of the function.
5358 * @param argc Standard main() style argc
5359 * @param argv Standard main() style argv. Initial components are already
5362 * @return Normal NTSTATUS return.
5365 static NTSTATUS rpc_reg_shutdown_abort_internals(const DOM_SID *domain_sid,
5366 const char *domain_name,
5367 struct cli_state *cli,
5368 struct rpc_pipe_client *pipe_hnd,
5369 TALLOC_CTX *mem_ctx,
5373 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5375 result = rpccli_winreg_AbortSystemShutdown(pipe_hnd, mem_ctx, NULL, NULL);
5377 if (NT_STATUS_IS_OK(result)) {
5378 d_printf("\nShutdown successfully aborted\n");
5379 DEBUG(5,("cmd_reg_abort_shutdown: query succeeded\n"));
5381 DEBUG(5,("cmd_reg_abort_shutdown: query failed\n"));
5387 * ABORT the Shut down of a remote RPC server
5389 * @param argc Standard main() style argc
5390 * @param argv Standard main() style argv. Initial components are already
5393 * @return A shell status integer (0 for success)
5396 static int rpc_shutdown_abort(int argc, const char **argv)
5398 int rc = run_rpc_command(NULL, PI_INITSHUTDOWN, 0,
5399 rpc_shutdown_abort_internals,
5405 DEBUG(1, ("initshutdown pipe didn't work, trying winreg pipe\n"));
5407 return run_rpc_command(NULL, PI_WINREG, 0,
5408 rpc_reg_shutdown_abort_internals,
5413 * Shut down a remote RPC Server via initshutdown pipe
5415 * All parameters are provided by the run_rpc_command function, except for
5416 * argc, argv which are passes through.
5418 * @param domain_sid The domain sid aquired from the remote server
5419 * @param cli A cli_state connected to the server.
5420 * @param mem_ctx Talloc context, destoyed on compleation of the function.
5421 * @param argc Standard main() style argc
5422 * @param argc Standard main() style argv. Initial components are already
5425 * @return Normal NTSTATUS return.
5428 NTSTATUS rpc_init_shutdown_internals(const DOM_SID *domain_sid,
5429 const char *domain_name,
5430 struct cli_state *cli,
5431 struct rpc_pipe_client *pipe_hnd,
5432 TALLOC_CTX *mem_ctx,
5436 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5437 const char *msg = "This machine will be shutdown shortly";
5438 uint32 timeout = 20;
5439 struct initshutdown_String msg_string;
5440 struct initshutdown_String_sub s;
5446 timeout = opt_timeout;
5450 msg_string.name = &s;
5452 /* create an entry */
5453 result = rpccli_initshutdown_Init(pipe_hnd, mem_ctx, NULL,
5454 &msg_string, timeout, opt_force, opt_reboot, NULL);
5456 if (NT_STATUS_IS_OK(result)) {
5457 d_printf("\nShutdown of remote machine succeeded\n");
5458 DEBUG(5,("Shutdown of remote machine succeeded\n"));
5460 DEBUG(1,("Shutdown of remote machine failed!\n"));
5466 * Shut down a remote RPC Server via winreg pipe
5468 * All parameters are provided by the run_rpc_command function, except for
5469 * argc, argv which are passes through.
5471 * @param domain_sid The domain sid aquired from the remote server
5472 * @param cli A cli_state connected to the server.
5473 * @param mem_ctx Talloc context, destoyed on compleation of the function.
5474 * @param argc Standard main() style argc
5475 * @param argc Standard main() style argv. Initial components are already
5478 * @return Normal NTSTATUS return.
5481 NTSTATUS rpc_reg_shutdown_internals(const DOM_SID *domain_sid,
5482 const char *domain_name,
5483 struct cli_state *cli,
5484 struct rpc_pipe_client *pipe_hnd,
5485 TALLOC_CTX *mem_ctx,
5489 const char *msg = "This machine will be shutdown shortly";
5490 uint32 timeout = 20;
5491 struct initshutdown_String msg_string;
5492 struct initshutdown_String_sub s;
5500 msg_string.name = &s;
5503 timeout = opt_timeout;
5506 /* create an entry */
5507 result = rpccli_winreg_InitiateSystemShutdown(pipe_hnd, mem_ctx, NULL,
5508 &msg_string, timeout, opt_force, opt_reboot, &werr);
5510 if (NT_STATUS_IS_OK(result)) {
5511 d_printf("\nShutdown of remote machine succeeded\n");
5513 d_fprintf(stderr, "\nShutdown of remote machine failed\n");
5514 if ( W_ERROR_EQUAL(werr, WERR_MACHINE_LOCKED) )
5515 d_fprintf(stderr, "\nMachine locked, use -f switch to force\n");
5517 d_fprintf(stderr, "\nresult was: %s\n", dos_errstr(werr));
5524 * Shut down a remote RPC server
5526 * @param argc Standard main() style argc
5527 * @param argc Standard main() style argv. Initial components are already
5530 * @return A shell status integer (0 for success)
5533 static int rpc_shutdown(int argc, const char **argv)
5535 int rc = run_rpc_command(NULL, PI_INITSHUTDOWN, 0,
5536 rpc_init_shutdown_internals,
5540 DEBUG(1, ("initshutdown pipe failed, trying winreg pipe\n"));
5541 rc = run_rpc_command(NULL, PI_WINREG, 0,
5542 rpc_reg_shutdown_internals, argc, argv);
5548 /***************************************************************************
5549 NT Domain trusts code (i.e. 'net rpc trustdom' functionality)
5551 ***************************************************************************/
5554 * Add interdomain trust account to the RPC server.
5555 * All parameters (except for argc and argv) are passed by run_rpc_command
5558 * @param domain_sid The domain sid acquired from the server
5559 * @param cli A cli_state connected to the server.
5560 * @param mem_ctx Talloc context, destoyed on completion of the function.
5561 * @param argc Standard main() style argc
5562 * @param argc Standard main() style argv. Initial components are already
5565 * @return normal NTSTATUS return code
5568 static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
5569 const char *domain_name,
5570 struct cli_state *cli,
5571 struct rpc_pipe_client *pipe_hnd,
5572 TALLOC_CTX *mem_ctx,
5576 POLICY_HND connect_pol, domain_pol, user_pol;
5577 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5579 struct lsa_String lsa_acct_name;
5581 uint32 acct_flags=0;
5583 uint32_t access_granted = 0;
5584 union samr_UserInfo info;
5587 d_printf("Usage: net rpc trustdom add <domain_name> <pw>\n");
5588 return NT_STATUS_INVALID_PARAMETER;
5592 * Make valid trusting domain account (ie. uppercased and with '$' appended)
5595 if (asprintf(&acct_name, "%s$", argv[0]) < 0) {
5596 return NT_STATUS_NO_MEMORY;
5599 strupper_m(acct_name);
5601 init_lsa_String(&lsa_acct_name, acct_name);
5603 /* Get samr policy handle */
5604 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
5605 pipe_hnd->cli->desthost,
5606 MAXIMUM_ALLOWED_ACCESS,
5608 if (!NT_STATUS_IS_OK(result)) {
5612 /* Get domain policy handle */
5613 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
5615 MAXIMUM_ALLOWED_ACCESS,
5616 CONST_DISCARD(struct dom_sid2 *, domain_sid),
5618 if (!NT_STATUS_IS_OK(result)) {
5622 /* Create trusting domain's account */
5623 acb_info = ACB_NORMAL;
5624 acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
5625 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
5626 SAMR_USER_ACCESS_SET_PASSWORD |
5627 SAMR_USER_ACCESS_GET_ATTRIBUTES |
5628 SAMR_USER_ACCESS_SET_ATTRIBUTES;
5630 result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
5638 if (!NT_STATUS_IS_OK(result)) {
5644 struct samr_LogonHours hours;
5645 struct lsa_BinaryString parameters;
5646 const int units_per_week = 168;
5649 encode_pw_buffer(pwbuf, argv[1], STR_UNICODE);
5651 ZERO_STRUCT(notime);
5653 ZERO_STRUCT(parameters);
5655 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
5657 result = NT_STATUS_NO_MEMORY;
5660 hours.units_per_week = units_per_week;
5661 memset(hours.bits, 0xFF, units_per_week);
5663 init_samr_user_info23(&info.info23,
5664 notime, notime, notime,
5665 notime, notime, notime,
5666 NULL, NULL, NULL, NULL, NULL,
5667 NULL, NULL, NULL, NULL, ¶meters,
5668 0, 0, ACB_DOMTRUST, SAMR_FIELD_ACCT_FLAGS,
5670 0, 0, 0, 0, 0, 0, 0,
5673 SamOEMhashBlob(info.info23.password.data, 516,
5674 &cli->user_session_key);
5676 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
5681 if (!NT_STATUS_IS_OK(result)) {
5682 DEBUG(0,("Could not set trust account password: %s\n",
5683 nt_errstr(result)));
5689 SAFE_FREE(acct_name);
5694 * Create interdomain trust account for a remote domain.
5696 * @param argc standard argc
5697 * @param argv standard argv without initial components
5699 * @return Integer status (0 means success)
5702 static int rpc_trustdom_add(int argc, const char **argv)
5705 return run_rpc_command(NULL, PI_SAMR, 0, rpc_trustdom_add_internals,
5708 d_printf("Usage: net rpc trustdom add <domain>\n");
5715 * Remove interdomain trust account from the RPC server.
5716 * All parameters (except for argc and argv) are passed by run_rpc_command
5719 * @param domain_sid The domain sid acquired from the server
5720 * @param cli A cli_state connected to the server.
5721 * @param mem_ctx Talloc context, destoyed on completion of the function.
5722 * @param argc Standard main() style argc
5723 * @param argc Standard main() style argv. Initial components are already
5726 * @return normal NTSTATUS return code
5729 static NTSTATUS rpc_trustdom_del_internals(const DOM_SID *domain_sid,
5730 const char *domain_name,
5731 struct cli_state *cli,
5732 struct rpc_pipe_client *pipe_hnd,
5733 TALLOC_CTX *mem_ctx,
5737 POLICY_HND connect_pol, domain_pol, user_pol;
5738 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5740 DOM_SID trust_acct_sid;
5741 struct samr_Ids user_rids, name_types;
5742 struct lsa_String lsa_acct_name;
5745 d_printf("Usage: net rpc trustdom del <domain_name>\n");
5746 return NT_STATUS_INVALID_PARAMETER;
5750 * Make valid trusting domain account (ie. uppercased and with '$' appended)
5752 acct_name = talloc_asprintf(mem_ctx, "%s$", argv[0]);
5754 if (acct_name == NULL)
5755 return NT_STATUS_NO_MEMORY;
5757 strupper_m(acct_name);
5759 /* Get samr policy handle */
5760 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
5761 pipe_hnd->cli->desthost,
5762 MAXIMUM_ALLOWED_ACCESS,
5764 if (!NT_STATUS_IS_OK(result)) {
5768 /* Get domain policy handle */
5769 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
5771 MAXIMUM_ALLOWED_ACCESS,
5772 CONST_DISCARD(struct dom_sid2 *, domain_sid),
5774 if (!NT_STATUS_IS_OK(result)) {
5778 init_lsa_String(&lsa_acct_name, acct_name);
5780 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
5787 if (!NT_STATUS_IS_OK(result)) {
5791 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
5793 MAXIMUM_ALLOWED_ACCESS,
5797 if (!NT_STATUS_IS_OK(result)) {
5801 /* append the rid to the domain sid */
5802 sid_copy(&trust_acct_sid, domain_sid);
5803 if (!sid_append_rid(&trust_acct_sid, user_rids.ids[0])) {
5807 /* remove the sid */
5809 result = rpccli_samr_RemoveMemberFromForeignDomain(pipe_hnd, mem_ctx,
5812 if (!NT_STATUS_IS_OK(result)) {
5818 result = rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
5821 if (!NT_STATUS_IS_OK(result)) {
5825 if (!NT_STATUS_IS_OK(result)) {
5826 DEBUG(0,("Could not set trust account password: %s\n",
5827 nt_errstr(result)));
5836 * Delete interdomain trust account for a remote domain.
5838 * @param argc standard argc
5839 * @param argv standard argv without initial components
5841 * @return Integer status (0 means success)
5844 static int rpc_trustdom_del(int argc, const char **argv)
5847 return run_rpc_command(NULL, PI_SAMR, 0, rpc_trustdom_del_internals,
5850 d_printf("Usage: net rpc trustdom del <domain>\n");
5855 static NTSTATUS rpc_trustdom_get_pdc(struct cli_state *cli,
5856 TALLOC_CTX *mem_ctx,
5857 const char *domain_name)
5859 char *dc_name = NULL;
5860 const char *buffer = NULL;
5861 struct rpc_pipe_client *netr;
5864 /* Use NetServerEnum2 */
5866 if (cli_get_pdc_name(cli, domain_name, &dc_name)) {
5868 return NT_STATUS_OK;
5871 DEBUG(1,("NetServerEnum2 error: Couldn't find primary domain controller\
5872 for domain %s\n", domain_name));
5874 /* Try netr_GetDcName */
5876 netr = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &status);
5881 status = rpccli_netr_GetDcName(netr, mem_ctx,
5886 cli_rpc_pipe_close(netr);
5888 if (NT_STATUS_IS_OK(status)) {
5892 DEBUG(1,("netr_GetDcName error: Couldn't find primary domain controller\
5893 for domain %s\n", domain_name));
5899 * Establish trust relationship to a trusting domain.
5900 * Interdomain account must already be created on remote PDC.
5902 * @param argc standard argc
5903 * @param argv standard argv without initial components
5905 * @return Integer status (0 means success)
5908 static int rpc_trustdom_establish(int argc, const char **argv)
5910 struct cli_state *cli = NULL;
5911 struct sockaddr_storage server_ss;
5912 struct rpc_pipe_client *pipe_hnd = NULL;
5913 POLICY_HND connect_hnd;
5914 TALLOC_CTX *mem_ctx;
5916 DOM_SID *domain_sid;
5921 union lsa_PolicyInformation *info = NULL;
5924 * Connect to \\server\ipc$ as 'our domain' account with password
5928 d_printf("Usage: net rpc trustdom establish <domain_name>\n");
5932 domain_name = smb_xstrdup(argv[0]);
5933 strupper_m(domain_name);
5935 /* account name used at first is our domain's name with '$' */
5936 asprintf(&acct_name, "%s$", lp_workgroup());
5937 strupper_m(acct_name);
5940 * opt_workgroup will be used by connection functions further,
5941 * hence it should be set to remote domain name instead of ours
5943 if (opt_workgroup) {
5944 opt_workgroup = smb_xstrdup(domain_name);
5947 opt_user_name = acct_name;
5949 /* find the domain controller */
5950 if (!net_find_pdc(&server_ss, pdc_name, domain_name)) {
5951 DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name));
5955 /* connect to ipc$ as username/password */
5956 nt_status = connect_to_ipc(&cli, &server_ss, pdc_name);
5957 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
5959 /* Is it trusting domain account for sure ? */
5960 DEBUG(0, ("Couldn't verify trusting domain account. Error was %s\n",
5961 nt_errstr(nt_status)));
5965 /* store who we connected to */
5967 saf_store( domain_name, pdc_name );
5970 * Connect to \\server\ipc$ again (this time anonymously)
5973 nt_status = connect_to_ipc_anonymous(&cli, &server_ss, (char*)pdc_name);
5975 if (NT_STATUS_IS_ERR(nt_status)) {
5976 DEBUG(0, ("Couldn't connect to domain %s controller. Error was %s.\n",
5977 domain_name, nt_errstr(nt_status)));
5981 if (!(mem_ctx = talloc_init("establishing trust relationship to "
5982 "domain %s", domain_name))) {
5983 DEBUG(0, ("talloc_init() failed\n"));
5988 /* Make sure we're talking to a proper server */
5990 nt_status = rpc_trustdom_get_pdc(cli, mem_ctx, domain_name);
5991 if (!NT_STATUS_IS_OK(nt_status)) {
5993 talloc_destroy(mem_ctx);
5998 * Call LsaOpenPolicy and LsaQueryInfo
6001 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &nt_status);
6003 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
6005 talloc_destroy(mem_ctx);
6009 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True, SEC_RIGHTS_QUERY_VALUE,
6011 if (NT_STATUS_IS_ERR(nt_status)) {
6012 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6013 nt_errstr(nt_status)));
6015 talloc_destroy(mem_ctx);
6019 /* Querying info level 5 */
6021 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6023 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6025 if (NT_STATUS_IS_ERR(nt_status)) {
6026 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6027 nt_errstr(nt_status)));
6029 talloc_destroy(mem_ctx);
6033 domain_sid = info->account_domain.sid;
6035 /* There should be actually query info level 3 (following nt serv behaviour),
6036 but I still don't know if it's _really_ necessary */
6039 * Store the password in secrets db
6042 if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
6043 DEBUG(0, ("Storing password for trusted domain failed.\n"));
6045 talloc_destroy(mem_ctx);
6050 * Close the pipes and clean up
6053 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6054 if (NT_STATUS_IS_ERR(nt_status)) {
6055 DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n",
6056 nt_errstr(nt_status)));
6058 talloc_destroy(mem_ctx);
6064 talloc_destroy(mem_ctx);
6066 d_printf("Trust to domain %s established\n", domain_name);
6071 * Revoke trust relationship to the remote domain
6073 * @param argc standard argc
6074 * @param argv standard argv without initial components
6076 * @return Integer status (0 means success)
6079 static int rpc_trustdom_revoke(int argc, const char **argv)
6084 if (argc < 1) return -1;
6086 /* generate upper cased domain name */
6087 domain_name = smb_xstrdup(argv[0]);
6088 strupper_m(domain_name);
6090 /* delete password of the trust */
6091 if (!pdb_del_trusteddom_pw(domain_name)) {
6092 DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
6099 SAFE_FREE(domain_name);
6104 * Usage for 'net rpc trustdom' command
6106 * @param argc standard argc
6107 * @param argv standard argv without inital components
6109 * @return Integer status returned to shell
6112 static int rpc_trustdom_usage(int argc, const char **argv)
6114 d_printf(" net rpc trustdom add \t\t add trusting domain's account\n");
6115 d_printf(" net rpc trustdom del \t\t delete trusting domain's account\n");
6116 d_printf(" net rpc trustdom establish \t establish relationship to trusted domain\n");
6117 d_printf(" net rpc trustdom revoke \t abandon relationship to trusted domain\n");
6118 d_printf(" net rpc trustdom list \t show current interdomain trust relationships\n");
6119 d_printf(" net rpc trustdom vampire \t vampire interdomain trust relationships from remote server\n");
6124 static NTSTATUS rpc_query_domain_sid(const DOM_SID *domain_sid,
6125 const char *domain_name,
6126 struct cli_state *cli,
6127 struct rpc_pipe_client *pipe_hnd,
6128 TALLOC_CTX *mem_ctx,
6133 sid_to_fstring(str_sid, domain_sid);
6134 d_printf("%s\n", str_sid);
6135 return NT_STATUS_OK;
6138 static void print_trusted_domain(DOM_SID *dom_sid, const char *trusted_dom_name)
6140 fstring ascii_sid, padding;
6141 int pad_len, col_len = 20;
6143 /* convert sid into ascii string */
6144 sid_to_fstring(ascii_sid, dom_sid);
6146 /* calculate padding space for d_printf to look nicer */
6147 pad_len = col_len - strlen(trusted_dom_name);
6148 padding[pad_len] = 0;
6149 do padding[--pad_len] = ' '; while (pad_len);
6151 d_printf("%s%s%s\n", trusted_dom_name, padding, ascii_sid);
6154 static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
6155 TALLOC_CTX *mem_ctx,
6158 const char *trusted_dom_name)
6161 union lsa_TrustedDomainInfo *info = NULL;
6162 char *cleartextpwd = NULL;
6165 nt_status = rpccli_lsa_QueryTrustedDomainInfoBySid(pipe_hnd, mem_ctx,
6168 LSA_TRUSTED_DOMAIN_INFO_PASSWORD,
6170 if (NT_STATUS_IS_ERR(nt_status)) {
6171 DEBUG(0,("Could not query trusted domain info. Error was %s\n",
6172 nt_errstr(nt_status)));
6176 data = data_blob(info->password.password->data,
6177 info->password.password->length);
6179 cleartextpwd = decrypt_trustdom_secret(pipe_hnd->cli->pwd.password,
6182 if (cleartextpwd == NULL) {
6183 DEBUG(0,("retrieved NULL password\n"));
6184 nt_status = NT_STATUS_UNSUCCESSFUL;
6188 if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
6189 DEBUG(0, ("Storing password for trusted domain failed.\n"));
6190 nt_status = NT_STATUS_UNSUCCESSFUL;
6194 #ifdef DEBUG_PASSWORD
6195 DEBUG(100,("successfully vampired trusted domain [%s], sid: [%s], "
6196 "password: [%s]\n", trusted_dom_name,
6197 sid_string_dbg(&dom_sid), cleartextpwd));
6201 SAFE_FREE(cleartextpwd);
6202 data_blob_free(&data);
6207 static int rpc_trustdom_vampire(int argc, const char **argv)
6209 /* common variables */
6210 TALLOC_CTX* mem_ctx;
6211 struct cli_state *cli = NULL;
6212 struct rpc_pipe_client *pipe_hnd = NULL;
6214 const char *domain_name = NULL;
6215 DOM_SID *queried_dom_sid;
6216 POLICY_HND connect_hnd;
6217 union lsa_PolicyInformation *info = NULL;
6219 /* trusted domains listing variables */
6220 unsigned int enum_ctx = 0;
6222 struct lsa_DomainList dom_list;
6226 * Listing trusted domains (stored in secrets.tdb, if local)
6229 mem_ctx = talloc_init("trust relationships vampire");
6232 * set domain and pdc name to local samba server (default)
6233 * or to remote one given in command line
6236 if (StrCaseCmp(opt_workgroup, lp_workgroup())) {
6237 domain_name = opt_workgroup;
6238 opt_target_workgroup = opt_workgroup;
6240 fstrcpy(pdc_name, global_myname());
6241 domain_name = talloc_strdup(mem_ctx, lp_workgroup());
6242 opt_target_workgroup = domain_name;
6245 /* open \PIPE\lsarpc and open policy handle */
6246 nt_status = net_make_ipc_connection(NET_FLAGS_PDC, &cli);
6247 if (!NT_STATUS_IS_OK(nt_status)) {
6248 DEBUG(0, ("Couldn't connect to domain controller: %s\n",
6249 nt_errstr(nt_status)));
6250 talloc_destroy(mem_ctx);
6254 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &nt_status);
6256 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
6257 nt_errstr(nt_status) ));
6259 talloc_destroy(mem_ctx);
6263 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, False, SEC_RIGHTS_QUERY_VALUE,
6265 if (NT_STATUS_IS_ERR(nt_status)) {
6266 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6267 nt_errstr(nt_status)));
6269 talloc_destroy(mem_ctx);
6273 /* query info level 5 to obtain sid of a domain being queried */
6274 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6276 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6279 if (NT_STATUS_IS_ERR(nt_status)) {
6280 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6281 nt_errstr(nt_status)));
6283 talloc_destroy(mem_ctx);
6287 queried_dom_sid = info->account_domain.sid;
6290 * Keep calling LsaEnumTrustdom over opened pipe until
6291 * the end of enumeration is reached
6294 d_printf("Vampire trusted domains:\n\n");
6297 nt_status = rpccli_lsa_EnumTrustDom(pipe_hnd, mem_ctx,
6302 if (NT_STATUS_IS_ERR(nt_status)) {
6303 DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
6304 nt_errstr(nt_status)));
6306 talloc_destroy(mem_ctx);
6310 for (i = 0; i < dom_list.count; i++) {
6312 print_trusted_domain(dom_list.domains[i].sid,
6313 dom_list.domains[i].name.string);
6315 nt_status = vampire_trusted_domain(pipe_hnd, mem_ctx, &connect_hnd,
6316 *dom_list.domains[i].sid,
6317 dom_list.domains[i].name.string);
6318 if (!NT_STATUS_IS_OK(nt_status)) {
6320 talloc_destroy(mem_ctx);
6326 * in case of no trusted domains say something rather
6327 * than just display blank line
6329 if (!dom_list.count) d_printf("none\n");
6331 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6333 /* close this connection before doing next one */
6334 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6335 if (NT_STATUS_IS_ERR(nt_status)) {
6336 DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
6337 nt_errstr(nt_status)));
6339 talloc_destroy(mem_ctx);
6343 /* close lsarpc pipe and connection to IPC$ */
6346 talloc_destroy(mem_ctx);
6350 static int rpc_trustdom_list(int argc, const char **argv)
6352 /* common variables */
6353 TALLOC_CTX* mem_ctx;
6354 struct cli_state *cli = NULL, *remote_cli = NULL;
6355 struct rpc_pipe_client *pipe_hnd = NULL;
6357 const char *domain_name = NULL;
6358 DOM_SID *queried_dom_sid;
6360 int ascii_dom_name_len;
6361 POLICY_HND connect_hnd;
6362 union lsa_PolicyInformation *info = NULL;
6364 /* trusted domains listing variables */
6365 unsigned int num_domains, enum_ctx = 0;
6366 int i, pad_len, col_len = 20;
6367 struct lsa_DomainList dom_list;
6370 /* trusting domains listing variables */
6371 POLICY_HND domain_hnd;
6372 struct samr_SamArray *trusts = NULL;
6375 * Listing trusted domains (stored in secrets.tdb, if local)
6378 mem_ctx = talloc_init("trust relationships listing");
6381 * set domain and pdc name to local samba server (default)
6382 * or to remote one given in command line
6385 if (StrCaseCmp(opt_workgroup, lp_workgroup())) {
6386 domain_name = opt_workgroup;
6387 opt_target_workgroup = opt_workgroup;
6389 fstrcpy(pdc_name, global_myname());
6390 domain_name = talloc_strdup(mem_ctx, lp_workgroup());
6391 opt_target_workgroup = domain_name;
6394 /* open \PIPE\lsarpc and open policy handle */
6395 nt_status = net_make_ipc_connection(NET_FLAGS_PDC, &cli);
6396 if (!NT_STATUS_IS_OK(nt_status)) {
6397 DEBUG(0, ("Couldn't connect to domain controller: %s\n",
6398 nt_errstr(nt_status)));
6399 talloc_destroy(mem_ctx);
6403 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &nt_status);
6405 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
6406 nt_errstr(nt_status) ));
6408 talloc_destroy(mem_ctx);
6412 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, False, SEC_RIGHTS_QUERY_VALUE,
6414 if (NT_STATUS_IS_ERR(nt_status)) {
6415 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6416 nt_errstr(nt_status)));
6418 talloc_destroy(mem_ctx);
6422 /* query info level 5 to obtain sid of a domain being queried */
6423 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6425 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6428 if (NT_STATUS_IS_ERR(nt_status)) {
6429 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6430 nt_errstr(nt_status)));
6432 talloc_destroy(mem_ctx);
6436 queried_dom_sid = info->account_domain.sid;
6439 * Keep calling LsaEnumTrustdom over opened pipe until
6440 * the end of enumeration is reached
6443 d_printf("Trusted domains list:\n\n");
6446 nt_status = rpccli_lsa_EnumTrustDom(pipe_hnd, mem_ctx,
6451 if (NT_STATUS_IS_ERR(nt_status)) {
6452 DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
6453 nt_errstr(nt_status)));
6455 talloc_destroy(mem_ctx);
6459 for (i = 0; i < dom_list.count; i++) {
6460 print_trusted_domain(dom_list.domains[i].sid,
6461 dom_list.domains[i].name.string);
6465 * in case of no trusted domains say something rather
6466 * than just display blank line
6468 if (!dom_list.count) d_printf("none\n");
6470 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6472 /* close this connection before doing next one */
6473 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6474 if (NT_STATUS_IS_ERR(nt_status)) {
6475 DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
6476 nt_errstr(nt_status)));
6478 talloc_destroy(mem_ctx);
6482 cli_rpc_pipe_close(pipe_hnd);
6485 * Listing trusting domains (stored in passdb backend, if local)
6488 d_printf("\nTrusting domains list:\n\n");
6491 * Open \PIPE\samr and get needed policy handles
6493 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &nt_status);
6495 DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
6497 talloc_destroy(mem_ctx);
6502 nt_status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
6503 pipe_hnd->cli->desthost,
6504 SA_RIGHT_SAM_OPEN_DOMAIN,
6506 if (!NT_STATUS_IS_OK(nt_status)) {
6507 DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n",
6508 nt_errstr(nt_status)));
6510 talloc_destroy(mem_ctx);
6514 /* SamrOpenDomain - we have to open domain policy handle in order to be
6515 able to enumerate accounts*/
6516 nt_status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
6518 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
6521 if (!NT_STATUS_IS_OK(nt_status)) {
6522 DEBUG(0, ("Couldn't open domain object. Error was %s\n",
6523 nt_errstr(nt_status)));
6525 talloc_destroy(mem_ctx);
6530 * perform actual enumeration
6533 enum_ctx = 0; /* reset enumeration context from last enumeration */
6536 nt_status = rpccli_samr_EnumDomainUsers(pipe_hnd, mem_ctx,
6543 if (NT_STATUS_IS_ERR(nt_status)) {
6544 DEBUG(0, ("Couldn't enumerate accounts. Error was: %s\n",
6545 nt_errstr(nt_status)));
6547 talloc_destroy(mem_ctx);
6551 for (i = 0; i < num_domains; i++) {
6553 char *str = CONST_DISCARD(char *, trusts->entries[i].name.string);
6556 * get each single domain's sid (do we _really_ need this ?):
6557 * 1) connect to domain's pdc
6558 * 2) query the pdc for domain's sid
6561 /* get rid of '$' tail */
6562 ascii_dom_name_len = strlen(str);
6563 if (ascii_dom_name_len && ascii_dom_name_len < FSTRING_LEN)
6564 str[ascii_dom_name_len - 1] = '\0';
6566 /* calculate padding space for d_printf to look nicer */
6567 pad_len = col_len - strlen(str);
6568 padding[pad_len] = 0;
6569 do padding[--pad_len] = ' '; while (pad_len);
6571 /* set opt_* variables to remote domain */
6573 opt_workgroup = talloc_strdup(mem_ctx, str);
6574 opt_target_workgroup = opt_workgroup;
6576 d_printf("%s%s", str, padding);
6578 /* connect to remote domain controller */
6579 nt_status = net_make_ipc_connection(
6580 NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS,
6582 if (NT_STATUS_IS_OK(nt_status)) {
6583 /* query for domain's sid */
6584 if (run_rpc_command(remote_cli, PI_LSARPC, 0, rpc_query_domain_sid, argc, argv))
6585 d_fprintf(stderr, "couldn't get domain's sid\n");
6587 cli_shutdown(remote_cli);
6590 d_fprintf(stderr, "domain controller is not "
6592 nt_errstr(nt_status));
6596 if (!num_domains) d_printf("none\n");
6598 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6600 /* close opened samr and domain policy handles */
6601 nt_status = rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_hnd);
6602 if (!NT_STATUS_IS_OK(nt_status)) {
6603 DEBUG(0, ("Couldn't properly close domain policy handle for domain %s\n", domain_name));
6606 nt_status = rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_hnd);
6607 if (!NT_STATUS_IS_OK(nt_status)) {
6608 DEBUG(0, ("Couldn't properly close samr policy handle for domain %s\n", domain_name));
6611 /* close samr pipe and connection to IPC$ */
6614 talloc_destroy(mem_ctx);
6619 * Entrypoint for 'net rpc trustdom' code
6621 * @param argc standard argc
6622 * @param argv standard argv without initial components
6624 * @return Integer status (0 means success)
6627 static int rpc_trustdom(int argc, const char **argv)
6629 struct functable func[] = {
6630 {"add", rpc_trustdom_add},
6631 {"del", rpc_trustdom_del},
6632 {"establish", rpc_trustdom_establish},
6633 {"revoke", rpc_trustdom_revoke},
6634 {"help", rpc_trustdom_usage},
6635 {"list", rpc_trustdom_list},
6636 {"vampire", rpc_trustdom_vampire},
6641 rpc_trustdom_usage(argc, argv);
6645 return (net_run_function(argc, argv, func, rpc_user_usage));
6649 * Check if a server will take rpc commands
6650 * @param flags Type of server to connect to (PDC, DMB, localhost)
6651 * if the host is not explicitly specified
6652 * @return bool (true means rpc supported)
6654 bool net_rpc_check(unsigned flags)
6656 struct cli_state *cli;
6658 struct sockaddr_storage server_ss;
6659 char *server_name = NULL;
6662 /* flags (i.e. server type) may depend on command */
6663 if (!net_find_server(NULL, flags, &server_ss, &server_name))
6666 if ((cli = cli_initialise()) == NULL) {
6670 status = cli_connect(cli, server_name, &server_ss);
6671 if (!NT_STATUS_IS_OK(status))
6673 if (!attempt_netbios_session_request(&cli, global_myname(),
6674 server_name, &server_ss))
6676 if (!cli_negprot(cli))
6678 if (cli->protocol < PROTOCOL_NT1)
6687 /* dump sam database via samsync rpc calls */
6688 static int rpc_samdump(int argc, const char **argv) {
6689 return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS, rpc_samdump_internals,
6693 /* syncronise sam database via samsync rpc calls */
6694 static int rpc_vampire(int argc, const char **argv) {
6695 return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS, rpc_vampire_internals,
6700 * Migrate everything from a print-server
6702 * @param argc Standard main() style argc
6703 * @param argv Standard main() style argv. Initial components are already
6706 * @return A shell status integer (0 for success)
6708 * The order is important !
6709 * To successfully add drivers the print-queues have to exist !
6710 * Applying ACLs should be the last step, because you're easily locked out
6713 static int rpc_printer_migrate_all(int argc, const char **argv)
6718 printf("no server to migrate\n");
6722 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_printers_internals, argc, argv);
6726 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_drivers_internals, argc, argv);
6730 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_forms_internals, argc, argv);
6734 ret = run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_settings_internals, argc, argv);
6738 return run_rpc_command(NULL, PI_SPOOLSS, 0, rpc_printer_migrate_security_internals, argc, argv);
6743 * Migrate print-drivers from a print-server
6745 * @param argc Standard main() style argc
6746 * @param argv Standard main() style argv. Initial components are already
6749 * @return A shell status integer (0 for success)
6751 static int rpc_printer_migrate_drivers(int argc, const char **argv)
6754 printf("no server to migrate\n");
6758 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6759 rpc_printer_migrate_drivers_internals,
6764 * Migrate print-forms from a print-server
6766 * @param argc Standard main() style argc
6767 * @param argv Standard main() style argv. Initial components are already
6770 * @return A shell status integer (0 for success)
6772 static int rpc_printer_migrate_forms(int argc, const char **argv)
6775 printf("no server to migrate\n");
6779 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6780 rpc_printer_migrate_forms_internals,
6785 * Migrate printers from a print-server
6787 * @param argc Standard main() style argc
6788 * @param argv Standard main() style argv. Initial components are already
6791 * @return A shell status integer (0 for success)
6793 static int rpc_printer_migrate_printers(int argc, const char **argv)
6796 printf("no server to migrate\n");
6800 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6801 rpc_printer_migrate_printers_internals,
6806 * Migrate printer-ACLs from a print-server
6808 * @param argc Standard main() style argc
6809 * @param argv Standard main() style argv. Initial components are already
6812 * @return A shell status integer (0 for success)
6814 static int rpc_printer_migrate_security(int argc, const char **argv)
6817 printf("no server to migrate\n");
6821 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6822 rpc_printer_migrate_security_internals,
6827 * Migrate printer-settings from a print-server
6829 * @param argc Standard main() style argc
6830 * @param argv Standard main() style argv. Initial components are already
6833 * @return A shell status integer (0 for success)
6835 static int rpc_printer_migrate_settings(int argc, const char **argv)
6838 printf("no server to migrate\n");
6842 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6843 rpc_printer_migrate_settings_internals,
6848 * 'net rpc printer' entrypoint.
6849 * @param argc Standard main() style argc
6850 * @param argv Standard main() style argv. Initial components are already
6854 int rpc_printer_migrate(int argc, const char **argv)
6857 /* ouch: when addriver and setdriver are called from within
6858 rpc_printer_migrate_drivers_internals, the printer-queue already
6861 struct functable func[] = {
6862 {"all", rpc_printer_migrate_all},
6863 {"drivers", rpc_printer_migrate_drivers},
6864 {"forms", rpc_printer_migrate_forms},
6865 {"help", rpc_printer_usage},
6866 {"printers", rpc_printer_migrate_printers},
6867 {"security", rpc_printer_migrate_security},
6868 {"settings", rpc_printer_migrate_settings},
6872 return net_run_function(argc, argv, func, rpc_printer_usage);
6877 * List printers on a remote RPC server
6879 * @param argc Standard main() style argc
6880 * @param argv Standard main() style argv. Initial components are already
6883 * @return A shell status integer (0 for success)
6885 static int rpc_printer_list(int argc, const char **argv)
6888 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6889 rpc_printer_list_internals,
6894 * List printer-drivers on a remote RPC server
6896 * @param argc Standard main() style argc
6897 * @param argv Standard main() style argv. Initial components are already
6900 * @return A shell status integer (0 for success)
6902 static int rpc_printer_driver_list(int argc, const char **argv)
6905 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6906 rpc_printer_driver_list_internals,
6911 * Publish printer in ADS via MSRPC
6913 * @param argc Standard main() style argc
6914 * @param argv Standard main() style argv. Initial components are already
6917 * @return A shell status integer (0 for success)
6919 static int rpc_printer_publish_publish(int argc, const char **argv)
6922 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6923 rpc_printer_publish_publish_internals,
6928 * Update printer in ADS via MSRPC
6930 * @param argc Standard main() style argc
6931 * @param argv Standard main() style argv. Initial components are already
6934 * @return A shell status integer (0 for success)
6936 static int rpc_printer_publish_update(int argc, const char **argv)
6939 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6940 rpc_printer_publish_update_internals,
6945 * UnPublish printer in ADS via MSRPC
6947 * @param argc Standard main() style argc
6948 * @param argv Standard main() style argv. Initial components are already
6951 * @return A shell status integer (0 for success)
6953 static int rpc_printer_publish_unpublish(int argc, const char **argv)
6956 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6957 rpc_printer_publish_unpublish_internals,
6962 * List published printers via MSRPC
6964 * @param argc Standard main() style argc
6965 * @param argv Standard main() style argv. Initial components are already
6968 * @return A shell status integer (0 for success)
6970 static int rpc_printer_publish_list(int argc, const char **argv)
6973 return run_rpc_command(NULL, PI_SPOOLSS, 0,
6974 rpc_printer_publish_list_internals,
6980 * Publish printer in ADS
6982 * @param argc Standard main() style argc
6983 * @param argv Standard main() style argv. Initial components are already
6986 * @return A shell status integer (0 for success)
6988 static int rpc_printer_publish(int argc, const char **argv)
6991 struct functable func[] = {
6992 {"publish", rpc_printer_publish_publish},
6993 {"update", rpc_printer_publish_update},
6994 {"unpublish", rpc_printer_publish_unpublish},
6995 {"list", rpc_printer_publish_list},
6996 {"help", rpc_printer_usage},
7001 return run_rpc_command(NULL, PI_SPOOLSS, 0,
7002 rpc_printer_publish_list_internals,
7005 return net_run_function(argc, argv, func, rpc_printer_usage);
7011 * Display rpc printer help page.
7012 * @param argc Standard main() style argc
7013 * @param argv Standard main() style argv. Initial components are already
7016 int rpc_printer_usage(int argc, const char **argv)
7018 return net_help_printer(argc, argv);
7022 * 'net rpc printer' entrypoint.
7023 * @param argc Standard main() style argc
7024 * @param argv Standard main() style argv. Initial components are already
7027 int net_rpc_printer(int argc, const char **argv)
7029 struct functable func[] = {
7030 {"list", rpc_printer_list},
7031 {"migrate", rpc_printer_migrate},
7032 {"driver", rpc_printer_driver_list},
7033 {"publish", rpc_printer_publish},
7038 return run_rpc_command(NULL, PI_SPOOLSS, 0,
7039 rpc_printer_list_internals,
7042 return net_run_function(argc, argv, func, rpc_printer_usage);
7045 /****************************************************************************/
7049 * Basic usage function for 'net rpc'
7050 * @param argc Standard main() style argc
7051 * @param argv Standard main() style argv. Initial components are already
7055 int net_rpc_usage(int argc, const char **argv)
7057 d_printf(" net rpc info \t\t\tshow basic info about a domain \n");
7058 d_printf(" net rpc join \t\t\tto join a domain \n");
7059 d_printf(" net rpc oldjoin \t\tto join a domain created in server manager\n");
7060 d_printf(" net rpc testjoin \t\ttests that a join is valid\n");
7061 d_printf(" net rpc user \t\t\tto add, delete and list users\n");
7062 d_printf(" net rpc password <username> [<password>] -Uadmin_username%%admin_pass\n");
7063 d_printf(" net rpc group \t\tto list groups\n");
7064 d_printf(" net rpc share \t\tto add, delete, list and migrate shares\n");
7065 d_printf(" net rpc printer \t\tto list and migrate printers\n");
7066 d_printf(" net rpc file \t\t\tto list open files\n");
7067 d_printf(" net rpc changetrustpw \tto change the trust account password\n");
7068 d_printf(" net rpc getsid \t\tfetch the domain sid into the local secrets.tdb\n");
7069 d_printf(" net rpc vampire \t\tsyncronise an NT PDC's users and groups into the local passdb\n");
7070 d_printf(" net rpc samdump \t\tdisplay an NT PDC's users, groups and other data\n");
7071 d_printf(" net rpc trustdom \t\tto create trusting domain's account or establish trust\n");
7072 d_printf(" net rpc abortshutdown \tto abort the shutdown of a remote server\n");
7073 d_printf(" net rpc shutdown \t\tto shutdown a remote server\n");
7074 d_printf(" net rpc rights\t\tto manage privileges assigned to SIDs\n");
7075 d_printf(" net rpc registry\t\tto manage registry hives\n");
7076 d_printf(" net rpc service\t\tto start, stop and query services\n");
7077 d_printf(" net rpc audit\t\t\tto modify global auditing settings\n");
7078 d_printf(" net rpc shell\t\t\tto open an interactive shell for remote server/account management\n");
7080 d_printf("'net rpc shutdown' also accepts the following miscellaneous options:\n"); /* misc options */
7081 d_printf("\t-r or --reboot\trequest remote server reboot on shutdown\n");
7082 d_printf("\t-f or --force\trequest the remote server force its shutdown\n");
7083 d_printf("\t-t or --timeout=<timeout>\tnumber of seconds before shutdown\n");
7084 d_printf("\t-C or --comment=<message>\ttext message to display on impending shutdown\n");
7090 * Help function for 'net rpc'. Calls command specific help if requested
7091 * or displays usage of net rpc
7092 * @param argc Standard main() style argc
7093 * @param argv Standard main() style argv. Initial components are already
7097 int net_rpc_help(int argc, const char **argv)
7099 struct functable func[] = {
7100 {"join", rpc_join_usage},
7101 {"user", rpc_user_usage},
7102 {"group", rpc_group_usage},
7103 {"share", rpc_share_usage},
7104 /*{"changetrustpw", rpc_changetrustpw_usage}, */
7105 {"trustdom", rpc_trustdom_usage},
7106 /*{"abortshutdown", rpc_shutdown_abort_usage},*/
7107 /*{"shutdown", rpc_shutdown_usage}, */
7108 {"vampire", rpc_vampire_usage},
7113 net_rpc_usage(argc, argv);
7117 return (net_run_function(argc, argv, func, rpc_user_usage));
7121 * 'net rpc' entrypoint.
7122 * @param argc Standard main() style argc
7123 * @param argv Standard main() style argv. Initial components are already
7127 int net_rpc(int argc, const char **argv)
7129 struct functable func[] = {
7130 {"audit", net_rpc_audit},
7131 {"info", net_rpc_info},
7132 {"join", net_rpc_join},
7133 {"oldjoin", net_rpc_oldjoin},
7134 {"testjoin", net_rpc_testjoin},
7135 {"user", net_rpc_user},
7136 {"password", rpc_user_password},
7137 {"group", net_rpc_group},
7138 {"share", net_rpc_share},
7139 {"file", net_rpc_file},
7140 {"printer", net_rpc_printer},
7141 {"changetrustpw", net_rpc_changetrustpw},
7142 {"trustdom", rpc_trustdom},
7143 {"abortshutdown", rpc_shutdown_abort},
7144 {"shutdown", rpc_shutdown},
7145 {"samdump", rpc_samdump},
7146 {"vampire", rpc_vampire},
7147 {"getsid", net_rpc_getsid},
7148 {"rights", net_rpc_rights},
7149 {"service", net_rpc_service},
7150 {"registry", net_rpc_registry},
7151 {"shell", net_rpc_shell},
7152 {"help", net_rpc_help},
7155 return net_run_function(argc, argv, func, net_rpc_usage);