2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
5 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
6 Copyright (C) 2004,2008 Guenther Deschner (gd@samba.org)
7 Copyright (C) 2005 Jeremy Allison (jra@samba.org)
8 Copyright (C) 2006 Jelmer Vernooij (jelmer@samba.org)
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>. */
24 #include "utils/net.h"
25 #include "../libcli/auth/libcli_auth.h"
26 #include "../librpc/gen_ndr/ndr_samr_c.h"
27 #include "rpc_client/cli_samr.h"
28 #include "rpc_client/init_samr.h"
29 #include "../librpc/gen_ndr/cli_lsa.h"
30 #include "rpc_client/cli_lsarpc.h"
31 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "../librpc/gen_ndr/ndr_srvsvc_c.h"
33 #include "../librpc/gen_ndr/ndr_spoolss.h"
34 #include "../librpc/gen_ndr/ndr_initshutdown_c.h"
35 #include "../librpc/gen_ndr/ndr_winreg_c.h"
37 #include "lib/netapi/netapi.h"
38 #include "lib/netapi/netapi_net.h"
39 #include "rpc_client/init_lsa.h"
40 #include "../libcli/security/security.h"
42 static int net_mode_share;
43 static NTSTATUS sync_files(struct copy_clistate *cp_clistate, const char *mask);
48 * @brief RPC based subcommands for the 'net' utility.
50 * This file should contain much of the functionality that used to
51 * be found in rpcclient, execpt that the commands should change
52 * less often, and the fucntionality should be sane (the user is not
53 * expected to know a rid/sid before they conduct an operation etc.)
55 * @todo Perhaps eventually these should be split out into a number
56 * of files, as this could get quite big.
61 * Many of the RPC functions need the domain sid. This function gets
62 * it at the start of every run
64 * @param cli A cli_state already connected to the remote machine
66 * @return The Domain SID of the remote machine.
69 NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
70 struct dom_sid **domain_sid,
71 const char **domain_name)
73 struct rpc_pipe_client *lsa_pipe = NULL;
74 struct policy_handle pol;
75 NTSTATUS result = NT_STATUS_OK;
76 union lsa_PolicyInformation *info = NULL;
78 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
80 if (!NT_STATUS_IS_OK(result)) {
81 d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
85 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false,
86 SEC_FLAG_MAXIMUM_ALLOWED,
88 if (!NT_STATUS_IS_OK(result)) {
89 d_fprintf(stderr, "open_policy %s: %s\n",
95 result = rpccli_lsa_QueryInfoPolicy(lsa_pipe, mem_ctx,
97 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
99 if (!NT_STATUS_IS_OK(result)) {
100 d_fprintf(stderr, "lsaquery %s: %s\n",
106 *domain_name = info->account_domain.name.string;
107 *domain_sid = info->account_domain.sid;
109 rpccli_lsa_Close(lsa_pipe, mem_ctx, &pol);
110 TALLOC_FREE(lsa_pipe);
116 * Run a single RPC command, from start to finish.
118 * @param pipe_name the pipe to connect to (usually a PIPE_ constant)
119 * @param conn_flag a NET_FLAG_ combination. Passed to
120 * net_make_ipc_connection.
121 * @param argc Standard main() style argc.
122 * @param argv Standard main() style argv. Initial components are already
124 * @return A shell status integer (0 for success).
127 int run_rpc_command(struct net_context *c,
128 struct cli_state *cli_arg,
129 const struct ndr_syntax_id *interface,
135 struct cli_state *cli = NULL;
136 struct rpc_pipe_client *pipe_hnd = NULL;
139 struct dom_sid *domain_sid;
140 const char *domain_name;
143 /* make use of cli_state handed over as an argument, if possible */
145 nt_status = net_make_ipc_connection(c, conn_flags, &cli);
146 if (!NT_STATUS_IS_OK(nt_status)) {
147 DEBUG(1, ("failed to make ipc connection: %s\n",
148 nt_errstr(nt_status)));
161 if (!(mem_ctx = talloc_init("run_rpc_command"))) {
162 DEBUG(0, ("talloc_init() failed\n"));
166 nt_status = net_get_remote_domain_sid(cli, mem_ctx, &domain_sid,
168 if (!NT_STATUS_IS_OK(nt_status)) {
172 if (!(conn_flags & NET_FLAGS_NO_PIPE)) {
173 if (lp_client_schannel()
174 && (ndr_syntax_id_equal(interface,
175 &ndr_table_netlogon.syntax_id))) {
176 /* Always try and create an schannel netlogon pipe. */
177 nt_status = cli_rpc_pipe_open_schannel(
178 cli, interface, NCACN_NP,
179 DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
181 if (!NT_STATUS_IS_OK(nt_status)) {
182 DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
183 nt_errstr(nt_status) ));
187 if (conn_flags & NET_FLAGS_SEAL) {
188 nt_status = cli_rpc_pipe_open_ntlmssp(
190 (conn_flags & NET_FLAGS_TCP) ?
191 NCACN_IP_TCP : NCACN_NP,
192 DCERPC_AUTH_LEVEL_PRIVACY,
193 lp_workgroup(), c->opt_user_name,
194 c->opt_password, &pipe_hnd);
196 nt_status = cli_rpc_pipe_open_noauth(
200 if (!NT_STATUS_IS_OK(nt_status)) {
201 DEBUG(0, ("Could not initialise pipe %s. Error was %s\n",
202 get_pipe_name_from_syntax(
203 talloc_tos(), interface),
204 nt_errstr(nt_status) ));
210 nt_status = fn(c, domain_sid, domain_name, cli, pipe_hnd, mem_ctx, argc, argv);
212 if (!NT_STATUS_IS_OK(nt_status)) {
213 DEBUG(1, ("rpc command function failed! (%s)\n", nt_errstr(nt_status)));
216 DEBUG(5, ("rpc command function succedded\n"));
219 if (!(conn_flags & NET_FLAGS_NO_PIPE)) {
221 TALLOC_FREE(pipe_hnd);
226 /* close the connection only if it was opened here */
231 talloc_destroy(mem_ctx);
236 * Force a change of the trust acccount password.
238 * All parameters are provided by the run_rpc_command function, except for
239 * argc, argv which are passed through.
241 * @param domain_sid The domain sid acquired from the remote server.
242 * @param cli A cli_state connected to the server.
243 * @param mem_ctx Talloc context, destroyed on completion of the function.
244 * @param argc Standard main() style argc.
245 * @param argv Standard main() style argv. Initial components are already
248 * @return Normal NTSTATUS return.
251 static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
252 const struct dom_sid *domain_sid,
253 const char *domain_name,
254 struct cli_state *cli,
255 struct rpc_pipe_client *pipe_hnd,
262 status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
263 if (!NT_STATUS_IS_OK(status)) {
264 d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
273 * Force a change of the trust acccount password.
275 * @param argc Standard main() style argc.
276 * @param argv Standard main() style argv. Initial components are already
279 * @return A shell status integer (0 for success).
282 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
284 if (c->display_usage) {
286 "net rpc changetrustpw\n"
289 _("Change the machine trust password"));
293 return run_rpc_command(c, NULL, &ndr_table_netlogon.syntax_id,
294 NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
295 rpc_changetrustpw_internals,
300 * Join a domain, the old way.
302 * This uses 'machinename' as the inital password, and changes it.
304 * The password should be created with 'server manager' or equiv first.
306 * All parameters are provided by the run_rpc_command function, except for
307 * argc, argv which are passed through.
309 * @param domain_sid The domain sid acquired from the remote server.
310 * @param cli A cli_state connected to the server.
311 * @param mem_ctx Talloc context, destroyed on completion of the function.
312 * @param argc Standard main() style argc.
313 * @param argv Standard main() style argv. Initial components are already
316 * @return Normal NTSTATUS return.
319 static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
320 const struct dom_sid *domain_sid,
321 const char *domain_name,
322 struct cli_state *cli,
323 struct rpc_pipe_client *pipe_hnd,
329 fstring trust_passwd;
330 unsigned char orig_trust_passwd_hash[16];
332 enum netr_SchannelType sec_channel_type;
334 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
336 if (!NT_STATUS_IS_OK(result)) {
337 DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
340 nt_errstr(result) ));
345 check what type of join - if the user want's to join as
346 a BDC, the server must agree that we are a BDC.
349 sec_channel_type = get_sec_channel_type(argv[0]);
351 sec_channel_type = get_sec_channel_type(NULL);
354 fstrcpy(trust_passwd, global_myname());
355 strlower_m(trust_passwd);
358 * Machine names can be 15 characters, but the max length on
359 * a password is 14. --jerry
362 trust_passwd[14] = '\0';
364 E_md4hash(trust_passwd, orig_trust_passwd_hash);
366 result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
368 orig_trust_passwd_hash,
371 if (NT_STATUS_IS_OK(result))
372 printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
375 if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
376 DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
377 result = NT_STATUS_UNSUCCESSFUL;
384 * Join a domain, the old way.
386 * @param argc Standard main() style argc.
387 * @param argv Standard main() style argv. Initial components are already
390 * @return A shell status integer (0 for success).
393 static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
395 return run_rpc_command(c, NULL, &ndr_table_netlogon.syntax_id,
396 NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
397 rpc_oldjoin_internals,
402 * Join a domain, the old way. This function exists to allow
403 * the message to be displayed when oldjoin was explicitly
404 * requested, but not when it was implied by "net rpc join".
406 * @param argc Standard main() style argc.
407 * @param argv Standard main() style argv. Initial components are already
410 * @return A shell status integer (0 for success).
413 static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
417 if (c->display_usage) {
422 _("Join a domain the old way"));
426 rc = net_rpc_perform_oldjoin(c, argc, argv);
429 d_fprintf(stderr, _("Failed to join domain\n"));
436 * 'net rpc join' entrypoint.
437 * @param argc Standard main() style argc.
438 * @param argv Standard main() style argv. Initial components are already
441 * Main 'net_rpc_join()' (where the admin username/password is used) is
443 * Try to just change the password, but if that doesn't work, use/prompt
444 * for a username/password.
447 int net_rpc_join(struct net_context *c, int argc, const char **argv)
449 if (c->display_usage) {
452 _("net rpc join -U <username>[%%password] <type>\n"
454 " username\tName of the admin user"
455 " password\tPassword of the admin user, will "
456 "prompt if not specified\n"
457 " type\tCan be one of the following:\n"
458 "\t\tMEMBER\tJoin as member server (default)\n"
459 "\t\tBDC\tJoin as BDC\n"
460 "\t\tPDC\tJoin as PDC\n"));
464 if (lp_server_role() == ROLE_STANDALONE) {
465 d_printf(_("cannot join as standalone machine\n"));
469 if (strlen(global_myname()) > 15) {
470 d_printf(_("Our netbios name can be at most 15 chars long, "
471 "\"%s\" is %u chars long\n"),
472 global_myname(), (unsigned int)strlen(global_myname()));
476 if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
479 return net_rpc_join_newstyle(c, argc, argv);
483 * display info about a rpc domain
485 * All parameters are provided by the run_rpc_command function, except for
486 * argc, argv which are passed through.
488 * @param domain_sid The domain sid acquired from the remote server
489 * @param cli A cli_state connected to the server.
490 * @param mem_ctx Talloc context, destroyed on completion of the function.
491 * @param argc Standard main() style argc.
492 * @param argv Standard main() style argv. Initial components are already
495 * @return Normal NTSTATUS return.
498 NTSTATUS rpc_info_internals(struct net_context *c,
499 const struct dom_sid *domain_sid,
500 const char *domain_name,
501 struct cli_state *cli,
502 struct rpc_pipe_client *pipe_hnd,
507 struct policy_handle connect_pol, domain_pol;
508 NTSTATUS status, result;
509 union samr_DomainInfo *info = NULL;
511 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
513 sid_to_fstring(sid_str, domain_sid);
515 /* Get sam policy handle */
516 status = dcerpc_samr_Connect2(b, mem_ctx,
518 MAXIMUM_ALLOWED_ACCESS,
521 if (!NT_STATUS_IS_OK(status)) {
522 d_fprintf(stderr, _("Could not connect to SAM: %s\n"),
527 if (!NT_STATUS_IS_OK(result)) {
529 d_fprintf(stderr, _("Could not connect to SAM: %s\n"),
534 /* Get domain policy handle */
535 status = dcerpc_samr_OpenDomain(b, mem_ctx,
537 MAXIMUM_ALLOWED_ACCESS,
538 CONST_DISCARD(struct dom_sid2 *, domain_sid),
541 if (!NT_STATUS_IS_OK(status)) {
542 d_fprintf(stderr, _("Could not open domain: %s\n"),
546 if (!NT_STATUS_IS_OK(result)) {
548 d_fprintf(stderr, _("Could not open domain: %s\n"),
553 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
558 if (!NT_STATUS_IS_OK(status)) {
562 if (NT_STATUS_IS_OK(result)) {
563 d_printf(_("Domain Name: %s\n"),
564 info->general.domain_name.string);
565 d_printf(_("Domain SID: %s\n"), sid_str);
566 d_printf(_("Sequence number: %llu\n"),
567 (unsigned long long)info->general.sequence_num);
568 d_printf(_("Num users: %u\n"), info->general.num_users);
569 d_printf(_("Num domain groups: %u\n"),info->general.num_groups);
570 d_printf(_("Num local groups: %u\n"),info->general.num_aliases);
578 * 'net rpc info' entrypoint.
579 * @param argc Standard main() style argc.
580 * @param argv Standard main() style argv. Initial components are already
584 int net_rpc_info(struct net_context *c, int argc, const char **argv)
586 if (c->display_usage) {
591 _("Display information about the domain"));
595 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id,
596 NET_FLAGS_PDC, rpc_info_internals,
601 * Fetch domain SID into the local secrets.tdb.
603 * All parameters are provided by the run_rpc_command function, except for
604 * argc, argv which are passed through.
606 * @param domain_sid The domain sid acquired from the remote server.
607 * @param cli A cli_state connected to the server.
608 * @param mem_ctx Talloc context, destroyed on completion of the function.
609 * @param argc Standard main() style argc.
610 * @param argv Standard main() style argv. Initial components are already
613 * @return Normal NTSTATUS return.
616 static NTSTATUS rpc_getsid_internals(struct net_context *c,
617 const struct dom_sid *domain_sid,
618 const char *domain_name,
619 struct cli_state *cli,
620 struct rpc_pipe_client *pipe_hnd,
627 sid_to_fstring(sid_str, domain_sid);
628 d_printf(_("Storing SID %s for Domain %s in secrets.tdb\n"),
629 sid_str, domain_name);
631 if (!secrets_store_domain_sid(domain_name, domain_sid)) {
632 DEBUG(0,("Can't store domain SID\n"));
633 return NT_STATUS_UNSUCCESSFUL;
640 * 'net rpc getsid' entrypoint.
641 * @param argc Standard main() style argc.
642 * @param argv Standard main() style argv. Initial components are already
646 int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
648 int conn_flags = NET_FLAGS_PDC;
650 if (!c->opt_user_specified) {
651 conn_flags |= NET_FLAGS_ANONYMOUS;
654 if (c->display_usage) {
659 _("Fetch domain SID into local secrets.tdb"));
663 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id,
665 rpc_getsid_internals,
669 /****************************************************************************/
672 * Basic usage function for 'net rpc user'.
673 * @param argc Standard main() style argc.
674 * @param argv Standard main() style argv. Initial components are already
678 static int rpc_user_usage(struct net_context *c, int argc, const char **argv)
680 return net_user_usage(c, argc, argv);
684 * Add a new user to a remote RPC server.
686 * @param argc Standard main() style argc.
687 * @param argv Standard main() style argv. Initial components are already
690 * @return A shell status integer (0 for success).
693 static int rpc_user_add(struct net_context *c, int argc, const char **argv)
695 NET_API_STATUS status;
696 struct USER_INFO_1 info1;
697 uint32_t parm_error = 0;
699 if (argc < 1 || c->display_usage) {
700 rpc_user_usage(c, argc, argv);
706 info1.usri1_name = argv[0];
708 info1.usri1_password = argv[1];
711 status = NetUserAdd(c->opt_host, 1, (uint8_t *)&info1, &parm_error);
714 d_fprintf(stderr,_("Failed to add user '%s' with error: %s.\n"),
715 argv[0], libnetapi_get_error_string(c->netapi_ctx,
719 d_printf(_("Added user '%s'.\n"), argv[0]);
726 * Rename a user on a remote RPC server.
728 * @param argc Standard main() style argc.
729 * @param argv Standard main() style argv. Initial components are already
732 * @return A shell status integer (0 for success).
735 static int rpc_user_rename(struct net_context *c, int argc, const char **argv)
737 NET_API_STATUS status;
738 struct USER_INFO_0 u0;
739 uint32_t parm_err = 0;
741 if (argc != 2 || c->display_usage) {
742 rpc_user_usage(c, argc, argv);
746 u0.usri0_name = argv[1];
748 status = NetUserSetInfo(c->opt_host, argv[0],
749 0, (uint8_t *)&u0, &parm_err);
752 _("Failed to rename user from %s to %s - %s\n"),
754 libnetapi_get_error_string(c->netapi_ctx, status));
756 d_printf(_("Renamed user from %s to %s\n"), argv[0], argv[1]);
763 * Set a user's primary group
765 * @param argc Standard main() style argc.
766 * @param argv Standard main() style argv. Initial components are already
769 * @return A shell status integer (0 for success).
772 static int rpc_user_setprimarygroup(struct net_context *c, int argc,
775 NET_API_STATUS status;
777 struct GROUP_INFO_2 *g2;
778 struct USER_INFO_1051 u1051;
779 uint32_t parm_err = 0;
781 if (argc != 2 || c->display_usage) {
782 rpc_user_usage(c, argc, argv);
786 status = NetGroupGetInfo(c->opt_host, argv[1], 2, &buffer);
788 d_fprintf(stderr, _("Failed to find group name %s -- %s\n"),
790 libnetapi_get_error_string(c->netapi_ctx, status));
793 g2 = (struct GROUP_INFO_2 *)buffer;
795 u1051.usri1051_primary_group_id = g2->grpi2_group_id;
797 NetApiBufferFree(buffer);
799 status = NetUserSetInfo(c->opt_host, argv[0], 1051,
800 (uint8_t *)&u1051, &parm_err);
803 _("Failed to set user's primary group %s to %s - "
804 "%s\n"), argv[0], argv[1],
805 libnetapi_get_error_string(c->netapi_ctx, status));
807 d_printf(_("Set primary group of user %s to %s\n"), argv[0],
814 * Delete a user from a remote RPC server.
816 * @param argc Standard main() style argc.
817 * @param argv Standard main() style argv. Initial components are already
820 * @return A shell status integer (0 for success).
823 static int rpc_user_delete(struct net_context *c, int argc, const char **argv)
825 NET_API_STATUS status;
827 if (argc < 1 || c->display_usage) {
828 rpc_user_usage(c, argc, argv);
832 status = NetUserDel(c->opt_host, argv[0]);
835 d_fprintf(stderr, _("Failed to delete user '%s' with: %s.\n"),
837 libnetapi_get_error_string(c->netapi_ctx, status));
840 d_printf(_("Deleted user '%s'.\n"), argv[0]);
847 * Set a user's password on a remote RPC server.
849 * @param argc Standard main() style argc.
850 * @param argv Standard main() style argv. Initial components are already
853 * @return A shell status integer (0 for success).
856 static int rpc_user_password(struct net_context *c, int argc, const char **argv)
858 NET_API_STATUS status;
860 struct USER_INFO_1003 u1003;
861 uint32_t parm_err = 0;
864 if (argc < 1 || c->display_usage) {
865 rpc_user_usage(c, argc, argv);
870 u1003.usri1003_password = argv[1];
872 ret = asprintf(&prompt, _("Enter new password for %s:"),
877 u1003.usri1003_password = talloc_strdup(c, getpass(prompt));
879 if (u1003.usri1003_password == NULL) {
884 status = NetUserSetInfo(c->opt_host, argv[0], 1003, (uint8_t *)&u1003, &parm_err);
886 /* Display results */
889 _("Failed to set password for '%s' with error: %s.\n"),
890 argv[0], libnetapi_get_error_string(c->netapi_ctx,
899 * List a user's groups from a remote RPC server.
901 * @param argc Standard main() style argc.
902 * @param argv Standard main() style argv. Initial components are already
905 * @return A shell status integer (0 for success)
908 static int rpc_user_info(struct net_context *c, int argc, const char **argv)
911 NET_API_STATUS status;
912 struct GROUP_USERS_INFO_0 *u0 = NULL;
913 uint32_t entries_read = 0;
914 uint32_t total_entries = 0;
918 if (argc < 1 || c->display_usage) {
919 rpc_user_usage(c, argc, argv);
923 status = NetUserGetGroups(c->opt_host,
926 (uint8_t **)(void *)&u0,
932 _("Failed to get groups for '%s' with error: %s.\n"),
933 argv[0], libnetapi_get_error_string(c->netapi_ctx,
938 for (i=0; i < entries_read; i++) {
939 printf("%s\n", u0->grui0_name);
947 * List users on a remote RPC server.
949 * All parameters are provided by the run_rpc_command function, except for
950 * argc, argv which are passed through.
952 * @param domain_sid The domain sid acquired from the remote server.
953 * @param cli A cli_state connected to the server.
954 * @param mem_ctx Talloc context, destroyed on completion of the function.
955 * @param argc Standard main() style argc.
956 * @param argv Standard main() style argv. Initial components are already
959 * @return Normal NTSTATUS return.
962 static int rpc_user_list(struct net_context *c, int argc, const char **argv)
964 NET_API_STATUS status;
965 uint32_t start_idx=0, num_entries, i, loop_count = 0;
966 struct NET_DISPLAY_USER *info = NULL;
969 /* Query domain users */
970 if (c->opt_long_list_entries)
971 d_printf(_("\nUser name Comment"
972 "\n-----------------------------\n"));
974 uint32_t max_entries, max_size;
976 dcerpc_get_query_dispinfo_params(
977 loop_count, &max_entries, &max_size);
979 status = NetQueryDisplayInformation(c->opt_host,
986 if (status != 0 && status != ERROR_MORE_DATA) {
990 info = (struct NET_DISPLAY_USER *)buffer;
992 for (i = 0; i < num_entries; i++) {
994 if (c->opt_long_list_entries)
995 printf("%-21.21s %s\n", info->usri1_name,
996 info->usri1_comment);
998 printf("%s\n", info->usri1_name);
1002 NetApiBufferFree(buffer);
1005 start_idx += num_entries;
1007 } while (status == ERROR_MORE_DATA);
1013 * 'net rpc user' entrypoint.
1014 * @param argc Standard main() style argc.
1015 * @param argv Standard main() style argv. Initial components are already
1019 int net_rpc_user(struct net_context *c, int argc, const char **argv)
1021 NET_API_STATUS status;
1023 struct functable func[] = {
1028 N_("Add specified user"),
1029 N_("net rpc user add\n"
1030 " Add specified user")
1036 N_("List domain groups of user"),
1037 N_("net rpc user info\n"
1038 " List domain groups of user")
1044 N_("Remove specified user"),
1045 N_("net rpc user delete\n"
1046 " Remove specified user")
1052 N_("Change user password"),
1053 N_("net rpc user password\n"
1054 " Change user password")
1060 N_("Rename specified user"),
1061 N_("net rpc user rename\n"
1062 " Rename specified user")
1066 rpc_user_setprimarygroup,
1068 "Set a user's primary group",
1069 "net rpc user setprimarygroup\n"
1070 " Set a user's primary group"
1072 {NULL, NULL, 0, NULL, NULL}
1075 status = libnetapi_net_init(&c->netapi_ctx);
1079 libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
1080 libnetapi_set_password(c->netapi_ctx, c->opt_password);
1081 if (c->opt_kerberos) {
1082 libnetapi_set_use_kerberos(c->netapi_ctx);
1086 if (c->display_usage) {
1091 _("List all users"));
1092 net_display_usage_from_functable(func);
1096 return rpc_user_list(c, argc, argv);
1099 return net_run_function(c, argc, argv, "net rpc user", func);
1102 static NTSTATUS rpc_sh_user_list(struct net_context *c,
1103 TALLOC_CTX *mem_ctx,
1104 struct rpc_sh_ctx *ctx,
1105 struct rpc_pipe_client *pipe_hnd,
1106 int argc, const char **argv)
1108 return werror_to_ntstatus(W_ERROR(rpc_user_list(c, argc, argv)));
1111 static NTSTATUS rpc_sh_user_info(struct net_context *c,
1112 TALLOC_CTX *mem_ctx,
1113 struct rpc_sh_ctx *ctx,
1114 struct rpc_pipe_client *pipe_hnd,
1115 int argc, const char **argv)
1117 return werror_to_ntstatus(W_ERROR(rpc_user_info(c, argc, argv)));
1120 static NTSTATUS rpc_sh_handle_user(struct net_context *c,
1121 TALLOC_CTX *mem_ctx,
1122 struct rpc_sh_ctx *ctx,
1123 struct rpc_pipe_client *pipe_hnd,
1124 int argc, const char **argv,
1126 struct net_context *c,
1127 TALLOC_CTX *mem_ctx,
1128 struct rpc_sh_ctx *ctx,
1129 struct rpc_pipe_client *pipe_hnd,
1130 struct policy_handle *user_hnd,
1131 int argc, const char **argv))
1133 struct policy_handle connect_pol, domain_pol, user_pol;
1134 NTSTATUS status, result;
1137 enum lsa_SidType type;
1138 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
1141 d_fprintf(stderr, "%s %s <username>\n", _("Usage:"),
1143 return NT_STATUS_INVALID_PARAMETER;
1146 ZERO_STRUCT(connect_pol);
1147 ZERO_STRUCT(domain_pol);
1148 ZERO_STRUCT(user_pol);
1150 status = net_rpc_lookup_name(c, mem_ctx, rpc_pipe_np_smb_conn(pipe_hnd),
1151 argv[0], NULL, NULL, &sid, &type);
1152 if (!NT_STATUS_IS_OK(status)) {
1153 d_fprintf(stderr, _("Could not lookup %s: %s\n"), argv[0],
1158 if (type != SID_NAME_USER) {
1159 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
1160 sid_type_lookup(type));
1161 status = NT_STATUS_NO_SUCH_USER;
1165 if (!sid_peek_check_rid(ctx->domain_sid, &sid, &rid)) {
1166 d_fprintf(stderr, _("%s is not in our domain\n"), argv[0]);
1167 status = NT_STATUS_NO_SUCH_USER;
1171 status = dcerpc_samr_Connect2(b, mem_ctx,
1173 MAXIMUM_ALLOWED_ACCESS,
1176 if (!NT_STATUS_IS_OK(status)) {
1179 if (!NT_STATUS_IS_OK(result)) {
1184 status = dcerpc_samr_OpenDomain(b, mem_ctx,
1186 MAXIMUM_ALLOWED_ACCESS,
1190 if (!NT_STATUS_IS_OK(status)) {
1193 if (!NT_STATUS_IS_OK(result)) {
1198 status = dcerpc_samr_OpenUser(b, mem_ctx,
1200 MAXIMUM_ALLOWED_ACCESS,
1204 if (!NT_STATUS_IS_OK(status)) {
1207 if (!NT_STATUS_IS_OK(result)) {
1212 status = fn(c, mem_ctx, ctx, pipe_hnd, &user_pol, argc-1, argv+1);
1215 if (is_valid_policy_hnd(&user_pol)) {
1216 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1218 if (is_valid_policy_hnd(&domain_pol)) {
1219 dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1221 if (is_valid_policy_hnd(&connect_pol)) {
1222 dcerpc_samr_Close(b, mem_ctx, &connect_pol, &result);
1227 static NTSTATUS rpc_sh_user_show_internals(struct net_context *c,
1228 TALLOC_CTX *mem_ctx,
1229 struct rpc_sh_ctx *ctx,
1230 struct rpc_pipe_client *pipe_hnd,
1231 struct policy_handle *user_hnd,
1232 int argc, const char **argv)
1234 NTSTATUS status, result;
1235 union samr_UserInfo *info = NULL;
1236 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
1239 d_fprintf(stderr, "%s %s show <username>\n", _("Usage:"),
1241 return NT_STATUS_INVALID_PARAMETER;
1244 status = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1249 if (!NT_STATUS_IS_OK(status)) {
1252 if (!NT_STATUS_IS_OK(result)) {
1256 d_printf(_("user rid: %d, group rid: %d\n"),
1258 info->info21.primary_gid);
1263 static NTSTATUS rpc_sh_user_show(struct net_context *c,
1264 TALLOC_CTX *mem_ctx,
1265 struct rpc_sh_ctx *ctx,
1266 struct rpc_pipe_client *pipe_hnd,
1267 int argc, const char **argv)
1269 return rpc_sh_handle_user(c, mem_ctx, ctx, pipe_hnd, argc, argv,
1270 rpc_sh_user_show_internals);
1273 #define FETCHSTR(name, rec) \
1274 do { if (strequal(ctx->thiscmd, name)) { \
1275 oldval = talloc_strdup(mem_ctx, info->info21.rec.string); } \
1278 #define SETSTR(name, rec, flag) \
1279 do { if (strequal(ctx->thiscmd, name)) { \
1280 init_lsa_String(&(info->info21.rec), argv[0]); \
1281 info->info21.fields_present |= SAMR_FIELD_##flag; } \
1284 static NTSTATUS rpc_sh_user_str_edit_internals(struct net_context *c,
1285 TALLOC_CTX *mem_ctx,
1286 struct rpc_sh_ctx *ctx,
1287 struct rpc_pipe_client *pipe_hnd,
1288 struct policy_handle *user_hnd,
1289 int argc, const char **argv)
1291 NTSTATUS status, result;
1292 const char *username;
1293 const char *oldval = "";
1294 union samr_UserInfo *info = NULL;
1295 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
1298 d_fprintf(stderr, "%s %s <username> [new value|NULL]\n",
1299 _("Usage:"), ctx->whoami);
1300 return NT_STATUS_INVALID_PARAMETER;
1303 status = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1308 if (!NT_STATUS_IS_OK(status)) {
1311 if (!NT_STATUS_IS_OK(result)) {
1315 username = talloc_strdup(mem_ctx, info->info21.account_name.string);
1317 FETCHSTR("fullname", full_name);
1318 FETCHSTR("homedir", home_directory);
1319 FETCHSTR("homedrive", home_drive);
1320 FETCHSTR("logonscript", logon_script);
1321 FETCHSTR("profilepath", profile_path);
1322 FETCHSTR("description", description);
1325 d_printf(_("%s's %s: [%s]\n"), username, ctx->thiscmd, oldval);
1329 if (strcmp(argv[0], "NULL") == 0) {
1333 ZERO_STRUCT(info->info21);
1335 SETSTR("fullname", full_name, FULL_NAME);
1336 SETSTR("homedir", home_directory, HOME_DIRECTORY);
1337 SETSTR("homedrive", home_drive, HOME_DRIVE);
1338 SETSTR("logonscript", logon_script, LOGON_SCRIPT);
1339 SETSTR("profilepath", profile_path, PROFILE_PATH);
1340 SETSTR("description", description, DESCRIPTION);
1342 status = dcerpc_samr_SetUserInfo(b, mem_ctx,
1347 if (!NT_STATUS_IS_OK(status)) {
1353 d_printf(_("Set %s's %s from [%s] to [%s]\n"), username,
1354 ctx->thiscmd, oldval, argv[0]);
1361 #define HANDLEFLG(name, rec) \
1362 do { if (strequal(ctx->thiscmd, name)) { \
1363 oldval = (oldflags & ACB_##rec) ? "yes" : "no"; \
1365 newflags = oldflags | ACB_##rec; \
1367 newflags = oldflags & ~ACB_##rec; \
1370 static NTSTATUS rpc_sh_user_str_edit(struct net_context *c,
1371 TALLOC_CTX *mem_ctx,
1372 struct rpc_sh_ctx *ctx,
1373 struct rpc_pipe_client *pipe_hnd,
1374 int argc, const char **argv)
1376 return rpc_sh_handle_user(c, mem_ctx, ctx, pipe_hnd, argc, argv,
1377 rpc_sh_user_str_edit_internals);
1380 static NTSTATUS rpc_sh_user_flag_edit_internals(struct net_context *c,
1381 TALLOC_CTX *mem_ctx,
1382 struct rpc_sh_ctx *ctx,
1383 struct rpc_pipe_client *pipe_hnd,
1384 struct policy_handle *user_hnd,
1385 int argc, const char **argv)
1388 const char *username;
1389 const char *oldval = "unknown";
1390 uint32 oldflags, newflags;
1392 union samr_UserInfo *info = NULL;
1395 ((argc == 1) && !strequal(argv[0], "yes") &&
1396 !strequal(argv[0], "no"))) {
1397 /* TRANSATORS: The yes|no here are program keywords. Please do
1399 d_fprintf(stderr, _("Usage: %s <username> [yes|no]\n"),
1401 return NT_STATUS_INVALID_PARAMETER;
1404 newval = strequal(argv[0], "yes");
1406 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1410 if (!NT_STATUS_IS_OK(result)) {
1414 username = talloc_strdup(mem_ctx, info->info21.account_name.string);
1415 oldflags = info->info21.acct_flags;
1416 newflags = info->info21.acct_flags;
1418 HANDLEFLG("disabled", DISABLED);
1419 HANDLEFLG("pwnotreq", PWNOTREQ);
1420 HANDLEFLG("autolock", AUTOLOCK);
1421 HANDLEFLG("pwnoexp", PWNOEXP);
1424 d_printf(_("%s's %s flag: %s\n"), username, ctx->thiscmd,
1429 ZERO_STRUCT(info->info21);
1431 info->info21.acct_flags = newflags;
1432 info->info21.fields_present = SAMR_FIELD_ACCT_FLAGS;
1434 result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1439 if (NT_STATUS_IS_OK(result)) {
1440 d_printf(_("Set %s's %s flag from [%s] to [%s]\n"), username,
1441 ctx->thiscmd, oldval, argv[0]);
1449 static NTSTATUS rpc_sh_user_flag_edit(struct net_context *c,
1450 TALLOC_CTX *mem_ctx,
1451 struct rpc_sh_ctx *ctx,
1452 struct rpc_pipe_client *pipe_hnd,
1453 int argc, const char **argv)
1455 return rpc_sh_handle_user(c, mem_ctx, ctx, pipe_hnd, argc, argv,
1456 rpc_sh_user_flag_edit_internals);
1459 struct rpc_sh_cmd *net_rpc_user_edit_cmds(struct net_context *c,
1460 TALLOC_CTX *mem_ctx,
1461 struct rpc_sh_ctx *ctx)
1463 static struct rpc_sh_cmd cmds[] = {
1465 { "fullname", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_str_edit,
1466 N_("Show/Set a user's full name") },
1468 { "homedir", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_str_edit,
1469 N_("Show/Set a user's home directory") },
1471 { "homedrive", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_str_edit,
1472 N_("Show/Set a user's home drive") },
1474 { "logonscript", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_str_edit,
1475 N_("Show/Set a user's logon script") },
1477 { "profilepath", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_str_edit,
1478 N_("Show/Set a user's profile path") },
1480 { "description", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_str_edit,
1481 N_("Show/Set a user's description") },
1483 { "disabled", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_flag_edit,
1484 N_("Show/Set whether a user is disabled") },
1486 { "autolock", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_flag_edit,
1487 N_("Show/Set whether a user locked out") },
1489 { "pwnotreq", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_flag_edit,
1490 N_("Show/Set whether a user does not need a password") },
1492 { "pwnoexp", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_flag_edit,
1493 N_("Show/Set whether a user's password does not expire") },
1495 { NULL, NULL, 0, NULL, NULL }
1501 struct rpc_sh_cmd *net_rpc_user_cmds(struct net_context *c,
1502 TALLOC_CTX *mem_ctx,
1503 struct rpc_sh_ctx *ctx)
1505 static struct rpc_sh_cmd cmds[] = {
1507 { "list", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_list,
1508 N_("List available users") },
1510 { "info", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_info,
1511 N_("List the domain groups a user is member of") },
1513 { "show", NULL, &ndr_table_samr.syntax_id, rpc_sh_user_show,
1514 N_("Show info about a user") },
1516 { "edit", net_rpc_user_edit_cmds, 0, NULL,
1517 N_("Show/Modify a user's fields") },
1519 { NULL, NULL, 0, NULL, NULL }
1525 /****************************************************************************/
1528 * Basic usage function for 'net rpc group'.
1529 * @param argc Standard main() style argc.
1530 * @param argv Standard main() style argv. Initial components are already
1534 static int rpc_group_usage(struct net_context *c, int argc, const char **argv)
1536 return net_group_usage(c, argc, argv);
1540 * Delete group on a remote RPC server.
1542 * All parameters are provided by the run_rpc_command function, except for
1543 * argc, argv which are passed through.
1545 * @param domain_sid The domain sid acquired from the remote server.
1546 * @param cli A cli_state connected to the server.
1547 * @param mem_ctx Talloc context, destroyed on completion of the function.
1548 * @param argc Standard main() style argc.
1549 * @param argv Standard main() style argv. Initial components are already
1552 * @return Normal NTSTATUS return.
1555 static NTSTATUS rpc_group_delete_internals(struct net_context *c,
1556 const struct dom_sid *domain_sid,
1557 const char *domain_name,
1558 struct cli_state *cli,
1559 struct rpc_pipe_client *pipe_hnd,
1560 TALLOC_CTX *mem_ctx,
1564 struct policy_handle connect_pol, domain_pol, group_pol, user_pol;
1565 bool group_is_primary = false;
1566 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1568 struct samr_RidAttrArray *rids = NULL;
1571 /* struct samr_RidWithAttribute *user_gids; */
1573 struct samr_Ids group_rids, name_types;
1574 struct lsa_String lsa_acct_name;
1575 union samr_UserInfo *info = NULL;
1577 if (argc < 1 || c->display_usage) {
1578 rpc_group_usage(c, argc,argv);
1579 return NT_STATUS_OK; /* ok? */
1582 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1584 MAXIMUM_ALLOWED_ACCESS,
1587 if (!NT_STATUS_IS_OK(result)) {
1588 d_fprintf(stderr, _("Request samr_Connect2 failed\n"));
1592 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1594 MAXIMUM_ALLOWED_ACCESS,
1595 CONST_DISCARD(struct dom_sid2 *, domain_sid),
1598 if (!NT_STATUS_IS_OK(result)) {
1599 d_fprintf(stderr, _("Request open_domain failed\n"));
1603 init_lsa_String(&lsa_acct_name, argv[0]);
1605 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1611 if (!NT_STATUS_IS_OK(result)) {
1612 d_fprintf(stderr, _("Lookup of '%s' failed\n"),argv[0]);
1616 switch (name_types.ids[0])
1618 case SID_NAME_DOM_GRP:
1619 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
1621 MAXIMUM_ALLOWED_ACCESS,
1624 if (!NT_STATUS_IS_OK(result)) {
1625 d_fprintf(stderr, _("Request open_group failed"));
1629 group_rid = group_rids.ids[0];
1631 result = rpccli_samr_QueryGroupMember(pipe_hnd, mem_ctx,
1635 if (!NT_STATUS_IS_OK(result)) {
1637 _("Unable to query group members of %s"),
1642 if (c->opt_verbose) {
1644 _("Domain Group %s (rid: %d) has %d members\n"),
1645 argv[0],group_rid, rids->count);
1648 /* Check if group is anyone's primary group */
1649 for (i = 0; i < rids->count; i++)
1651 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1653 MAXIMUM_ALLOWED_ACCESS,
1657 if (!NT_STATUS_IS_OK(result)) {
1659 _("Unable to open group member %d\n"),
1664 result = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1669 if (!NT_STATUS_IS_OK(result)) {
1671 _("Unable to lookup userinfo for group "
1677 if (info->info21.primary_gid == group_rid) {
1678 if (c->opt_verbose) {
1679 d_printf(_("Group is primary group "
1681 info->info21.account_name.string);
1683 group_is_primary = true;
1686 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1689 if (group_is_primary) {
1690 d_fprintf(stderr, _("Unable to delete group because "
1691 "some of it's members have it as primary "
1693 result = NT_STATUS_MEMBERS_PRIMARY_GROUP;
1697 /* remove all group members */
1698 for (i = 0; i < rids->count; i++)
1701 d_printf(_("Remove group member %d..."),
1703 result = rpccli_samr_DeleteGroupMember(pipe_hnd, mem_ctx,
1707 if (NT_STATUS_IS_OK(result)) {
1709 d_printf(_("ok\n"));
1712 d_printf("%s\n", _("failed"));
1717 result = rpccli_samr_DeleteDomainGroup(pipe_hnd, mem_ctx,
1721 /* removing a local group is easier... */
1722 case SID_NAME_ALIAS:
1723 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
1725 MAXIMUM_ALLOWED_ACCESS,
1729 if (!NT_STATUS_IS_OK(result)) {
1730 d_fprintf(stderr, _("Request open_alias failed\n"));
1734 result = rpccli_samr_DeleteDomAlias(pipe_hnd, mem_ctx,
1738 d_fprintf(stderr, _("%s is of type %s. This command is only "
1739 "for deleting local or global groups\n"),
1740 argv[0],sid_type_lookup(name_types.ids[0]));
1741 result = NT_STATUS_UNSUCCESSFUL;
1745 if (NT_STATUS_IS_OK(result)) {
1747 d_printf(_("Deleted %s '%s'\n"),
1748 sid_type_lookup(name_types.ids[0]), argv[0]);
1750 d_fprintf(stderr, _("Deleting of %s failed: %s\n"), argv[0],
1751 get_friendly_nt_error_msg(result));
1759 static int rpc_group_delete(struct net_context *c, int argc, const char **argv)
1761 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
1762 rpc_group_delete_internals, argc,argv);
1765 static int rpc_group_add_internals(struct net_context *c, int argc, const char **argv)
1767 NET_API_STATUS status;
1768 struct GROUP_INFO_1 info1;
1769 uint32_t parm_error = 0;
1771 if (argc != 1 || c->display_usage) {
1772 rpc_group_usage(c, argc, argv);
1778 info1.grpi1_name = argv[0];
1779 if (c->opt_comment && strlen(c->opt_comment) > 0) {
1780 info1.grpi1_comment = c->opt_comment;
1783 status = NetGroupAdd(c->opt_host, 1, (uint8_t *)&info1, &parm_error);
1787 _("Failed to add group '%s' with error: %s.\n"),
1788 argv[0], libnetapi_get_error_string(c->netapi_ctx,
1792 d_printf(_("Added group '%s'.\n"), argv[0]);
1798 static int rpc_alias_add_internals(struct net_context *c, int argc, const char **argv)
1800 NET_API_STATUS status;
1801 struct LOCALGROUP_INFO_1 info1;
1802 uint32_t parm_error = 0;
1804 if (argc != 1 || c->display_usage) {
1805 rpc_group_usage(c, argc, argv);
1811 info1.lgrpi1_name = argv[0];
1812 if (c->opt_comment && strlen(c->opt_comment) > 0) {
1813 info1.lgrpi1_comment = c->opt_comment;
1816 status = NetLocalGroupAdd(c->opt_host, 1, (uint8_t *)&info1, &parm_error);
1820 _("Failed to add alias '%s' with error: %s.\n"),
1821 argv[0], libnetapi_get_error_string(c->netapi_ctx,
1825 d_printf(_("Added alias '%s'.\n"), argv[0]);
1831 static int rpc_group_add(struct net_context *c, int argc, const char **argv)
1833 if (c->opt_localgroup)
1834 return rpc_alias_add_internals(c, argc, argv);
1836 return rpc_group_add_internals(c, argc, argv);
1839 static NTSTATUS get_sid_from_name(struct cli_state *cli,
1840 TALLOC_CTX *mem_ctx,
1842 struct dom_sid *sid,
1843 enum lsa_SidType *type)
1845 struct dom_sid *sids = NULL;
1846 enum lsa_SidType *types = NULL;
1847 struct rpc_pipe_client *pipe_hnd = NULL;
1848 struct policy_handle lsa_pol;
1849 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1851 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
1853 if (!NT_STATUS_IS_OK(result)) {
1857 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, false,
1858 SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
1860 if (!NT_STATUS_IS_OK(result)) {
1864 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &lsa_pol, 1,
1865 &name, NULL, 1, &sids, &types);
1867 if (NT_STATUS_IS_OK(result)) {
1868 sid_copy(sid, &sids[0]);
1872 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
1876 TALLOC_FREE(pipe_hnd);
1879 if (!NT_STATUS_IS_OK(result) && (StrnCaseCmp(name, "S-", 2) == 0)) {
1881 /* Try as S-1-5-whatever */
1883 struct dom_sid tmp_sid;
1885 if (string_to_sid(&tmp_sid, name)) {
1886 sid_copy(sid, &tmp_sid);
1887 *type = SID_NAME_UNKNOWN;
1888 result = NT_STATUS_OK;
1895 static NTSTATUS rpc_add_groupmem(struct rpc_pipe_client *pipe_hnd,
1896 TALLOC_CTX *mem_ctx,
1897 const struct dom_sid *group_sid,
1900 struct policy_handle connect_pol, domain_pol;
1903 struct policy_handle group_pol;
1905 struct samr_Ids rids, rid_types;
1906 struct lsa_String lsa_acct_name;
1910 sid_copy(&sid, group_sid);
1912 if (!sid_split_rid(&sid, &group_rid)) {
1913 return NT_STATUS_UNSUCCESSFUL;
1916 /* Get sam policy handle */
1917 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1919 MAXIMUM_ALLOWED_ACCESS,
1921 if (!NT_STATUS_IS_OK(result)) {
1925 /* Get domain policy handle */
1926 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1928 MAXIMUM_ALLOWED_ACCESS,
1931 if (!NT_STATUS_IS_OK(result)) {
1935 init_lsa_String(&lsa_acct_name, member);
1937 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1944 if (!NT_STATUS_IS_OK(result)) {
1945 d_fprintf(stderr, _("Could not lookup up group member %s\n"),
1950 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
1952 MAXIMUM_ALLOWED_ACCESS,
1956 if (!NT_STATUS_IS_OK(result)) {
1960 result = rpccli_samr_AddGroupMember(pipe_hnd, mem_ctx,
1963 0x0005); /* unknown flags */
1966 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
1970 static NTSTATUS rpc_add_aliasmem(struct rpc_pipe_client *pipe_hnd,
1971 TALLOC_CTX *mem_ctx,
1972 const struct dom_sid *alias_sid,
1975 struct policy_handle connect_pol, domain_pol;
1978 struct policy_handle alias_pol;
1980 struct dom_sid member_sid;
1981 enum lsa_SidType member_type;
1985 sid_copy(&sid, alias_sid);
1987 if (!sid_split_rid(&sid, &alias_rid)) {
1988 return NT_STATUS_UNSUCCESSFUL;
1991 result = get_sid_from_name(rpc_pipe_np_smb_conn(pipe_hnd), mem_ctx,
1992 member, &member_sid, &member_type);
1994 if (!NT_STATUS_IS_OK(result)) {
1995 d_fprintf(stderr, _("Could not lookup up group member %s\n"),
2000 /* Get sam policy handle */
2001 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2003 MAXIMUM_ALLOWED_ACCESS,
2005 if (!NT_STATUS_IS_OK(result)) {
2009 /* Get domain policy handle */
2010 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2012 MAXIMUM_ALLOWED_ACCESS,
2015 if (!NT_STATUS_IS_OK(result)) {
2019 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2021 MAXIMUM_ALLOWED_ACCESS,
2025 if (!NT_STATUS_IS_OK(result)) {
2029 result = rpccli_samr_AddAliasMember(pipe_hnd, mem_ctx,
2033 if (!NT_STATUS_IS_OK(result)) {
2038 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2042 static NTSTATUS rpc_group_addmem_internals(struct net_context *c,
2043 const struct dom_sid *domain_sid,
2044 const char *domain_name,
2045 struct cli_state *cli,
2046 struct rpc_pipe_client *pipe_hnd,
2047 TALLOC_CTX *mem_ctx,
2051 struct dom_sid group_sid;
2052 enum lsa_SidType group_type;
2054 if (argc != 2 || c->display_usage) {
2057 _("net rpc group addmem <group> <member>\n"
2058 " Add a member to a group\n"
2059 " group\tGroup to add member to\n"
2060 " member\tMember to add to group\n"));
2061 return NT_STATUS_UNSUCCESSFUL;
2064 if (!NT_STATUS_IS_OK(get_sid_from_name(cli, mem_ctx, argv[0],
2065 &group_sid, &group_type))) {
2066 d_fprintf(stderr, _("Could not lookup group name %s\n"),
2068 return NT_STATUS_UNSUCCESSFUL;
2071 if (group_type == SID_NAME_DOM_GRP) {
2072 NTSTATUS result = rpc_add_groupmem(pipe_hnd, mem_ctx,
2073 &group_sid, argv[1]);
2075 if (!NT_STATUS_IS_OK(result)) {
2076 d_fprintf(stderr, _("Could not add %s to %s: %s\n"),
2077 argv[1], argv[0], nt_errstr(result));
2082 if (group_type == SID_NAME_ALIAS) {
2083 NTSTATUS result = rpc_add_aliasmem(pipe_hnd, mem_ctx,
2084 &group_sid, argv[1]);
2086 if (!NT_STATUS_IS_OK(result)) {
2087 d_fprintf(stderr, _("Could not add %s to %s: %s\n"),
2088 argv[1], argv[0], nt_errstr(result));
2093 d_fprintf(stderr, _("Can only add members to global or local groups "
2094 "which %s is not\n"), argv[0]);
2096 return NT_STATUS_UNSUCCESSFUL;
2099 static int rpc_group_addmem(struct net_context *c, int argc, const char **argv)
2101 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
2102 rpc_group_addmem_internals,
2106 static NTSTATUS rpc_del_groupmem(struct net_context *c,
2107 struct rpc_pipe_client *pipe_hnd,
2108 TALLOC_CTX *mem_ctx,
2109 const struct dom_sid *group_sid,
2112 struct policy_handle connect_pol, domain_pol;
2115 struct policy_handle group_pol;
2117 struct samr_Ids rids, rid_types;
2118 struct lsa_String lsa_acct_name;
2122 sid_copy(&sid, group_sid);
2124 if (!sid_split_rid(&sid, &group_rid))
2125 return NT_STATUS_UNSUCCESSFUL;
2127 /* Get sam policy handle */
2128 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2130 MAXIMUM_ALLOWED_ACCESS,
2132 if (!NT_STATUS_IS_OK(result))
2135 /* Get domain policy handle */
2136 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2138 MAXIMUM_ALLOWED_ACCESS,
2141 if (!NT_STATUS_IS_OK(result))
2144 init_lsa_String(&lsa_acct_name, member);
2146 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2152 if (!NT_STATUS_IS_OK(result)) {
2153 d_fprintf(stderr, _("Could not lookup up group member %s\n"),
2158 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2160 MAXIMUM_ALLOWED_ACCESS,
2164 if (!NT_STATUS_IS_OK(result))
2167 result = rpccli_samr_DeleteGroupMember(pipe_hnd, mem_ctx,
2172 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2176 static NTSTATUS rpc_del_aliasmem(struct rpc_pipe_client *pipe_hnd,
2177 TALLOC_CTX *mem_ctx,
2178 const struct dom_sid *alias_sid,
2181 struct policy_handle connect_pol, domain_pol;
2184 struct policy_handle alias_pol;
2186 struct dom_sid member_sid;
2187 enum lsa_SidType member_type;
2191 sid_copy(&sid, alias_sid);
2193 if (!sid_split_rid(&sid, &alias_rid))
2194 return NT_STATUS_UNSUCCESSFUL;
2196 result = get_sid_from_name(rpc_pipe_np_smb_conn(pipe_hnd), mem_ctx,
2197 member, &member_sid, &member_type);
2199 if (!NT_STATUS_IS_OK(result)) {
2200 d_fprintf(stderr, _("Could not lookup up group member %s\n"),
2205 /* Get sam policy handle */
2206 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2208 MAXIMUM_ALLOWED_ACCESS,
2210 if (!NT_STATUS_IS_OK(result)) {
2214 /* Get domain policy handle */
2215 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2217 MAXIMUM_ALLOWED_ACCESS,
2220 if (!NT_STATUS_IS_OK(result)) {
2224 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2226 MAXIMUM_ALLOWED_ACCESS,
2230 if (!NT_STATUS_IS_OK(result))
2233 result = rpccli_samr_DeleteAliasMember(pipe_hnd, mem_ctx,
2237 if (!NT_STATUS_IS_OK(result))
2241 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
2245 static NTSTATUS rpc_group_delmem_internals(struct net_context *c,
2246 const struct dom_sid *domain_sid,
2247 const char *domain_name,
2248 struct cli_state *cli,
2249 struct rpc_pipe_client *pipe_hnd,
2250 TALLOC_CTX *mem_ctx,
2254 struct dom_sid group_sid;
2255 enum lsa_SidType group_type;
2257 if (argc != 2 || c->display_usage) {
2260 _("net rpc group delmem <group> <member>\n"
2261 " Delete a member from a group\n"
2262 " group\tGroup to delete member from\n"
2263 " member\tMember to delete from group\n"));
2264 return NT_STATUS_UNSUCCESSFUL;
2267 if (!NT_STATUS_IS_OK(get_sid_from_name(cli, mem_ctx, argv[0],
2268 &group_sid, &group_type))) {
2269 d_fprintf(stderr, _("Could not lookup group name %s\n"),
2271 return NT_STATUS_UNSUCCESSFUL;
2274 if (group_type == SID_NAME_DOM_GRP) {
2275 NTSTATUS result = rpc_del_groupmem(c, pipe_hnd, mem_ctx,
2276 &group_sid, argv[1]);
2278 if (!NT_STATUS_IS_OK(result)) {
2279 d_fprintf(stderr, _("Could not del %s from %s: %s\n"),
2280 argv[1], argv[0], nt_errstr(result));
2285 if (group_type == SID_NAME_ALIAS) {
2286 NTSTATUS result = rpc_del_aliasmem(pipe_hnd, mem_ctx,
2287 &group_sid, argv[1]);
2289 if (!NT_STATUS_IS_OK(result)) {
2290 d_fprintf(stderr, _("Could not del %s from %s: %s\n"),
2291 argv[1], argv[0], nt_errstr(result));
2296 d_fprintf(stderr, _("Can only delete members from global or local "
2297 "groups which %s is not\n"), argv[0]);
2299 return NT_STATUS_UNSUCCESSFUL;
2302 static int rpc_group_delmem(struct net_context *c, int argc, const char **argv)
2304 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
2305 rpc_group_delmem_internals,
2310 * List groups on a remote RPC server.
2312 * All parameters are provided by the run_rpc_command function, except for
2313 * argc, argv which are passes through.
2315 * @param domain_sid The domain sid acquired from the remote server.
2316 * @param cli A cli_state connected to the server.
2317 * @param mem_ctx Talloc context, destroyed on completion of the function.
2318 * @param argc Standard main() style argc.
2319 * @param argv Standard main() style argv. Initial components are already
2322 * @return Normal NTSTATUS return.
2325 static NTSTATUS rpc_group_list_internals(struct net_context *c,
2326 const struct dom_sid *domain_sid,
2327 const char *domain_name,
2328 struct cli_state *cli,
2329 struct rpc_pipe_client *pipe_hnd,
2330 TALLOC_CTX *mem_ctx,
2334 struct policy_handle connect_pol, domain_pol;
2335 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2336 uint32 start_idx=0, max_entries=250, num_entries, i, loop_count = 0;
2337 struct samr_SamArray *groups = NULL;
2338 bool global = false;
2340 bool builtin = false;
2342 if (c->display_usage) {
2345 _("net rpc group list [global] [local] [builtin]\n"
2346 " List groups on RPC server\n"
2347 " global\tList global groups\n"
2348 " local\tList local groups\n"
2349 " builtin\tList builtin groups\n"
2350 " If none of global, local or builtin is "
2351 "specified, all three options are considered "
2353 return NT_STATUS_OK;
2362 for (i=0; i<argc; i++) {
2363 if (strequal(argv[i], "global"))
2366 if (strequal(argv[i], "local"))
2369 if (strequal(argv[i], "builtin"))
2373 /* Get sam policy handle */
2375 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2377 MAXIMUM_ALLOWED_ACCESS,
2379 if (!NT_STATUS_IS_OK(result)) {
2383 /* Get domain policy handle */
2385 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2387 MAXIMUM_ALLOWED_ACCESS,
2388 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2390 if (!NT_STATUS_IS_OK(result)) {
2394 /* Query domain groups */
2395 if (c->opt_long_list_entries)
2396 d_printf(_("\nGroup name Comment"
2397 "\n-----------------------------\n"));
2399 uint32_t max_size, total_size, returned_size;
2400 union samr_DispInfo info;
2404 dcerpc_get_query_dispinfo_params(
2405 loop_count, &max_entries, &max_size);
2407 result = rpccli_samr_QueryDisplayInfo(pipe_hnd, mem_ctx,
2416 num_entries = info.info3.count;
2417 start_idx += info.info3.count;
2419 if (!NT_STATUS_IS_OK(result) &&
2420 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2423 for (i = 0; i < num_entries; i++) {
2425 const char *group = NULL;
2426 const char *desc = NULL;
2428 group = info.info3.entries[i].account_name.string;
2429 desc = info.info3.entries[i].description.string;
2431 if (c->opt_long_list_entries)
2432 printf("%-21.21s %-50.50s\n",
2435 printf("%s\n", group);
2437 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2438 /* query domain aliases */
2443 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
2449 if (!NT_STATUS_IS_OK(result) &&
2450 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2453 for (i = 0; i < num_entries; i++) {
2455 const char *description = NULL;
2457 if (c->opt_long_list_entries) {
2459 struct policy_handle alias_pol;
2460 union samr_AliasInfo *info = NULL;
2462 if ((NT_STATUS_IS_OK(rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2465 groups->entries[i].idx,
2467 (NT_STATUS_IS_OK(rpccli_samr_QueryAliasInfo(pipe_hnd, mem_ctx,
2471 (NT_STATUS_IS_OK(rpccli_samr_Close(pipe_hnd, mem_ctx,
2473 description = info->description.string;
2477 if (description != NULL) {
2478 printf("%-21.21s %-50.50s\n",
2479 groups->entries[i].name.string,
2482 printf("%s\n", groups->entries[i].name.string);
2485 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2486 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
2487 /* Get builtin policy handle */
2489 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2491 MAXIMUM_ALLOWED_ACCESS,
2492 CONST_DISCARD(struct dom_sid2 *, &global_sid_Builtin),
2494 if (!NT_STATUS_IS_OK(result)) {
2497 /* query builtin aliases */
2500 if (!builtin) break;
2502 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
2508 if (!NT_STATUS_IS_OK(result) &&
2509 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
2512 for (i = 0; i < num_entries; i++) {
2514 const char *description = NULL;
2516 if (c->opt_long_list_entries) {
2518 struct policy_handle alias_pol;
2519 union samr_AliasInfo *info = NULL;
2521 if ((NT_STATUS_IS_OK(rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2524 groups->entries[i].idx,
2526 (NT_STATUS_IS_OK(rpccli_samr_QueryAliasInfo(pipe_hnd, mem_ctx,
2530 (NT_STATUS_IS_OK(rpccli_samr_Close(pipe_hnd, mem_ctx,
2532 description = info->description.string;
2536 if (description != NULL) {
2537 printf("%-21.21s %-50.50s\n",
2538 groups->entries[i].name.string,
2541 printf("%s\n", groups->entries[i].name.string);
2544 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2550 static int rpc_group_list(struct net_context *c, int argc, const char **argv)
2552 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
2553 rpc_group_list_internals,
2557 static NTSTATUS rpc_list_group_members(struct net_context *c,
2558 struct rpc_pipe_client *pipe_hnd,
2559 TALLOC_CTX *mem_ctx,
2560 const char *domain_name,
2561 const struct dom_sid *domain_sid,
2562 struct policy_handle *domain_pol,
2566 struct policy_handle group_pol;
2567 uint32 num_members, *group_rids;
2569 struct samr_RidAttrArray *rids = NULL;
2570 struct lsa_Strings names;
2571 struct samr_Ids types;
2574 sid_to_fstring(sid_str, domain_sid);
2576 result = rpccli_samr_OpenGroup(pipe_hnd, mem_ctx,
2578 MAXIMUM_ALLOWED_ACCESS,
2582 if (!NT_STATUS_IS_OK(result))
2585 result = rpccli_samr_QueryGroupMember(pipe_hnd, mem_ctx,
2589 if (!NT_STATUS_IS_OK(result))
2592 num_members = rids->count;
2593 group_rids = rids->rids;
2595 while (num_members > 0) {
2596 int this_time = 512;
2598 if (num_members < this_time)
2599 this_time = num_members;
2601 result = rpccli_samr_LookupRids(pipe_hnd, mem_ctx,
2608 if (!NT_STATUS_IS_OK(result))
2611 /* We only have users as members, but make the output
2612 the same as the output of alias members */
2614 for (i = 0; i < this_time; i++) {
2616 if (c->opt_long_list_entries) {
2617 printf("%s-%d %s\\%s %d\n", sid_str,
2618 group_rids[i], domain_name,
2619 names.names[i].string,
2622 printf("%s\\%s\n", domain_name,
2623 names.names[i].string);
2627 num_members -= this_time;
2631 return NT_STATUS_OK;
2634 static NTSTATUS rpc_list_alias_members(struct net_context *c,
2635 struct rpc_pipe_client *pipe_hnd,
2636 TALLOC_CTX *mem_ctx,
2637 struct policy_handle *domain_pol,
2641 struct rpc_pipe_client *lsa_pipe;
2642 struct policy_handle alias_pol, lsa_pol;
2644 struct dom_sid *alias_sids;
2647 enum lsa_SidType *types;
2649 struct lsa_SidArray sid_array;
2651 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
2653 MAXIMUM_ALLOWED_ACCESS,
2657 if (!NT_STATUS_IS_OK(result))
2660 result = rpccli_samr_GetMembersInAlias(pipe_hnd, mem_ctx,
2664 if (!NT_STATUS_IS_OK(result)) {
2665 d_fprintf(stderr, _("Couldn't list alias members\n"));
2669 num_members = sid_array.num_sids;
2671 if (num_members == 0) {
2672 return NT_STATUS_OK;
2675 result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
2676 &ndr_table_lsarpc.syntax_id,
2678 if (!NT_STATUS_IS_OK(result)) {
2679 d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
2680 nt_errstr(result) );
2684 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, true,
2685 SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
2687 if (!NT_STATUS_IS_OK(result)) {
2688 d_fprintf(stderr, _("Couldn't open LSA policy handle\n"));
2689 TALLOC_FREE(lsa_pipe);
2693 alias_sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_members);
2695 d_fprintf(stderr, _("Out of memory\n"));
2696 TALLOC_FREE(lsa_pipe);
2697 return NT_STATUS_NO_MEMORY;
2700 for (i=0; i<num_members; i++) {
2701 sid_copy(&alias_sids[i], sid_array.sids[i].sid);
2704 result = rpccli_lsa_lookup_sids(lsa_pipe, mem_ctx, &lsa_pol,
2705 num_members, alias_sids,
2706 &domains, &names, &types);
2708 if (!NT_STATUS_IS_OK(result) &&
2709 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
2710 d_fprintf(stderr, _("Couldn't lookup SIDs\n"));
2711 TALLOC_FREE(lsa_pipe);
2715 for (i = 0; i < num_members; i++) {
2717 sid_to_fstring(sid_str, &alias_sids[i]);
2719 if (c->opt_long_list_entries) {
2720 printf("%s %s\\%s %d\n", sid_str,
2721 domains[i] ? domains[i] : _("*unknown*"),
2722 names[i] ? names[i] : _("*unknown*"), types[i]);
2725 printf("%s\\%s\n", domains[i], names[i]);
2727 printf("%s\n", sid_str);
2731 TALLOC_FREE(lsa_pipe);
2732 return NT_STATUS_OK;
2735 static NTSTATUS rpc_group_members_internals(struct net_context *c,
2736 const struct dom_sid *domain_sid,
2737 const char *domain_name,
2738 struct cli_state *cli,
2739 struct rpc_pipe_client *pipe_hnd,
2740 TALLOC_CTX *mem_ctx,
2745 struct policy_handle connect_pol, domain_pol;
2746 struct samr_Ids rids, rid_types;
2747 struct lsa_String lsa_acct_name;
2749 /* Get sam policy handle */
2751 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
2753 MAXIMUM_ALLOWED_ACCESS,
2756 if (!NT_STATUS_IS_OK(result))
2759 /* Get domain policy handle */
2761 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2763 MAXIMUM_ALLOWED_ACCESS,
2764 CONST_DISCARD(struct dom_sid2 *, domain_sid),
2767 if (!NT_STATUS_IS_OK(result))
2770 init_lsa_String(&lsa_acct_name, argv[0]); /* sure? */
2772 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2779 if (!NT_STATUS_IS_OK(result)) {
2781 /* Ok, did not find it in the global sam, try with builtin */
2783 struct dom_sid sid_Builtin;
2785 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
2787 sid_copy(&sid_Builtin, &global_sid_Builtin);
2789 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
2791 MAXIMUM_ALLOWED_ACCESS,
2795 if (!NT_STATUS_IS_OK(result)) {
2796 d_fprintf(stderr, _("Couldn't find group %s\n"),
2801 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
2808 if (!NT_STATUS_IS_OK(result)) {
2809 d_fprintf(stderr, _("Couldn't find group %s\n"),
2815 if (rids.count != 1) {
2816 d_fprintf(stderr, _("Couldn't find group %s\n"),
2821 if (rid_types.ids[0] == SID_NAME_DOM_GRP) {
2822 return rpc_list_group_members(c, pipe_hnd, mem_ctx, domain_name,
2823 domain_sid, &domain_pol,
2827 if (rid_types.ids[0] == SID_NAME_ALIAS) {
2828 return rpc_list_alias_members(c, pipe_hnd, mem_ctx, &domain_pol,
2832 return NT_STATUS_NO_SUCH_GROUP;
2835 static int rpc_group_members(struct net_context *c, int argc, const char **argv)
2837 if (argc != 1 || c->display_usage) {
2838 return rpc_group_usage(c, argc, argv);
2841 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
2842 rpc_group_members_internals,
2846 static int rpc_group_rename_internals(struct net_context *c, int argc, const char **argv)
2848 NET_API_STATUS status;
2849 struct GROUP_INFO_0 g0;
2853 d_printf(_("Usage:\n"));
2854 d_printf("net rpc group rename group newname\n");
2858 g0.grpi0_name = argv[1];
2860 status = NetGroupSetInfo(c->opt_host,
2867 d_fprintf(stderr, _("Renaming group %s failed with: %s\n"),
2868 argv[0], libnetapi_get_error_string(c->netapi_ctx,
2876 static int rpc_group_rename(struct net_context *c, int argc, const char **argv)
2878 if (argc != 2 || c->display_usage) {
2879 return rpc_group_usage(c, argc, argv);
2882 return rpc_group_rename_internals(c, argc, argv);
2886 * 'net rpc group' entrypoint.
2887 * @param argc Standard main() style argc.
2888 * @param argv Standard main() style argv. Initial components are already
2892 int net_rpc_group(struct net_context *c, int argc, const char **argv)
2894 NET_API_STATUS status;
2896 struct functable func[] = {
2901 N_("Create specified group"),
2902 N_("net rpc group add\n"
2903 " Create specified group")
2909 N_("Delete specified group"),
2910 N_("net rpc group delete\n"
2911 " Delete specified group")
2917 N_("Add member to group"),
2918 N_("net rpc group addmem\n"
2919 " Add member to group")
2925 N_("Remove member from group"),
2926 N_("net rpc group delmem\n"
2927 " Remove member from group")
2934 N_("net rpc group list\n"
2941 N_("List group members"),
2942 N_("net rpc group members\n"
2943 " List group members")
2950 N_("net rpc group rename\n"
2953 {NULL, NULL, 0, NULL, NULL}
2956 status = libnetapi_net_init(&c->netapi_ctx);
2960 libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
2961 libnetapi_set_password(c->netapi_ctx, c->opt_password);
2962 if (c->opt_kerberos) {
2963 libnetapi_set_use_kerberos(c->netapi_ctx);
2967 if (c->display_usage) {
2968 d_printf(_("Usage:\n"));
2969 d_printf(_("net rpc group\n"
2970 " Alias for net rpc group list global "
2971 "local builtin\n"));
2972 net_display_usage_from_functable(func);
2976 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
2977 rpc_group_list_internals,
2981 return net_run_function(c, argc, argv, "net rpc group", func);
2984 /****************************************************************************/
2986 static int rpc_share_usage(struct net_context *c, int argc, const char **argv)
2988 return net_share_usage(c, argc, argv);
2992 * Add a share on a remote RPC server.
2994 * @param argc Standard main() style argc.
2995 * @param argv Standard main() style argv. Initial components are already
2998 * @return A shell status integer (0 for success).
3001 static int rpc_share_add(struct net_context *c, int argc, const char **argv)
3003 NET_API_STATUS status;
3006 uint32 type = STYPE_DISKTREE; /* only allow disk shares to be added */
3007 uint32 num_users=0, perms=0;
3008 char *password=NULL; /* don't allow a share password */
3009 struct SHARE_INFO_2 i2;
3010 uint32_t parm_error = 0;
3012 if ((argc < 1) || !strchr(argv[0], '=') || c->display_usage) {
3013 return rpc_share_usage(c, argc, argv);
3016 if ((sharename = talloc_strdup(c, argv[0])) == NULL) {
3020 path = strchr(sharename, '=');
3027 i2.shi2_netname = sharename;
3028 i2.shi2_type = type;
3029 i2.shi2_remark = c->opt_comment;
3030 i2.shi2_permissions = perms;
3031 i2.shi2_max_uses = c->opt_maxusers;
3032 i2.shi2_current_uses = num_users;
3033 i2.shi2_path = path;
3034 i2.shi2_passwd = password;
3036 status = NetShareAdd(c->opt_host,
3041 printf(_("NetShareAdd failed with: %s\n"),
3042 libnetapi_get_error_string(c->netapi_ctx, status));
3049 * Delete a share on a remote RPC server.
3051 * @param domain_sid The domain sid acquired from the remote server.
3052 * @param argc Standard main() style argc.
3053 * @param argv Standard main() style argv. Initial components are already
3056 * @return A shell status integer (0 for success).
3058 static int rpc_share_delete(struct net_context *c, int argc, const char **argv)
3060 if (argc < 1 || c->display_usage) {
3061 return rpc_share_usage(c, argc, argv);
3064 return NetShareDel(c->opt_host, argv[0], 0);
3068 * Formatted print of share info
3070 * @param r pointer to SHARE_INFO_1 to format
3073 static void display_share_info_1(struct net_context *c,
3074 struct SHARE_INFO_1 *r)
3076 if (c->opt_long_list_entries) {
3077 d_printf("%-12s %-8.8s %-50s\n",
3079 net_share_type_str(r->shi1_type & ~(STYPE_TEMPORARY|STYPE_HIDDEN)),
3082 d_printf("%s\n", r->shi1_netname);
3086 static WERROR get_share_info(struct net_context *c,
3087 struct rpc_pipe_client *pipe_hnd,
3088 TALLOC_CTX *mem_ctx,
3092 struct srvsvc_NetShareInfoCtr *info_ctr)
3096 union srvsvc_NetShareInfo info;
3097 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
3099 /* no specific share requested, enumerate all */
3102 uint32_t preferred_len = 0xffffffff;
3103 uint32_t total_entries = 0;
3104 uint32_t resume_handle = 0;
3106 info_ctr->level = level;
3108 status = dcerpc_srvsvc_NetShareEnumAll(b, mem_ctx,
3115 if (!NT_STATUS_IS_OK(status)) {
3116 return ntstatus_to_werror(status);
3121 /* request just one share */
3122 status = dcerpc_srvsvc_NetShareGetInfo(b, mem_ctx,
3129 if (!NT_STATUS_IS_OK(status)) {
3130 result = ntstatus_to_werror(status);
3134 if (!W_ERROR_IS_OK(result)) {
3139 ZERO_STRUCTP(info_ctr);
3141 info_ctr->level = level;
3146 struct srvsvc_NetShareCtr1 *ctr1;
3148 ctr1 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr1);
3149 W_ERROR_HAVE_NO_MEMORY(ctr1);
3152 ctr1->array = info.info1;
3154 info_ctr->ctr.ctr1 = ctr1;
3160 struct srvsvc_NetShareCtr2 *ctr2;
3162 ctr2 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr2);
3163 W_ERROR_HAVE_NO_MEMORY(ctr2);
3166 ctr2->array = info.info2;
3168 info_ctr->ctr.ctr2 = ctr2;
3174 struct srvsvc_NetShareCtr502 *ctr502;
3176 ctr502 = TALLOC_ZERO_P(mem_ctx, struct srvsvc_NetShareCtr502);
3177 W_ERROR_HAVE_NO_MEMORY(ctr502);
3180 ctr502->array = info.info502;
3182 info_ctr->ctr.ctr502 = ctr502;
3192 * 'net rpc share list' entrypoint.
3193 * @param argc Standard main() style argc.
3194 * @param argv Standard main() style argv. Initial components are already
3197 static int rpc_share_list(struct net_context *c, int argc, const char **argv)
3199 NET_API_STATUS status;
3200 struct SHARE_INFO_1 *i1 = NULL;
3201 uint32_t entries_read = 0;
3202 uint32_t total_entries = 0;
3203 uint32_t resume_handle = 0;
3204 uint32_t i, level = 1;
3206 if (c->display_usage) {
3208 "net rpc share list\n"
3211 _("List shares on remote server"));
3215 status = NetShareEnum(c->opt_host,
3217 (uint8_t **)(void *)&i1,
3226 /* Display results */
3228 if (c->opt_long_list_entries) {
3230 "\nEnumerating shared resources (exports) on remote server:\n\n"
3231 "\nShare name Type Description\n"
3232 "---------- ---- -----------\n"));
3234 for (i = 0; i < entries_read; i++)
3235 display_share_info_1(c, &i1[i]);
3240 static bool check_share_availability(struct cli_state *cli, const char *netname)
3244 status = cli_tcon_andx(cli, netname, "A:", "", 0);
3245 if (!NT_STATUS_IS_OK(status)) {
3246 d_printf(_("skipping [%s]: not a file share.\n"), netname);
3250 status = cli_tdis(cli);
3251 if (!NT_STATUS_IS_OK(status)) {
3252 d_printf(_("cli_tdis returned %s\n"), nt_errstr(status));
3259 static bool check_share_sanity(struct net_context *c, struct cli_state *cli,
3260 const char *netname, uint32 type)
3262 /* only support disk shares */
3263 if (! ( type == STYPE_DISKTREE || type == (STYPE_DISKTREE | STYPE_HIDDEN)) ) {
3264 printf(_("share [%s] is not a diskshare (type: %x)\n"), netname,
3269 /* skip builtin shares */
3270 /* FIXME: should print$ be added too ? */
3271 if (strequal(netname,"IPC$") || strequal(netname,"ADMIN$") ||
3272 strequal(netname,"global"))
3275 if (c->opt_exclude && in_list(netname, c->opt_exclude, false)) {
3276 printf(_("excluding [%s]\n"), netname);
3280 return check_share_availability(cli, netname);
3284 * Migrate shares from a remote RPC server to the local RPC server.
3286 * All parameters are provided by the run_rpc_command function, except for
3287 * argc, argv which are passed through.
3289 * @param domain_sid The domain sid acquired from the remote server.
3290 * @param cli A cli_state connected to the server.
3291 * @param mem_ctx Talloc context, destroyed on completion of the function.
3292 * @param argc Standard main() style argc.
3293 * @param argv Standard main() style argv. Initial components are already
3296 * @return Normal NTSTATUS return.
3299 static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
3300 const struct dom_sid *domain_sid,
3301 const char *domain_name,
3302 struct cli_state *cli,
3303 struct rpc_pipe_client *pipe_hnd,
3304 TALLOC_CTX *mem_ctx,
3309 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3310 struct srvsvc_NetShareInfoCtr ctr_src;
3312 struct rpc_pipe_client *srvsvc_pipe = NULL;
3313 struct cli_state *cli_dst = NULL;
3314 uint32 level = 502; /* includes secdesc */
3315 uint32_t parm_error = 0;
3316 struct dcerpc_binding_handle *b;
3318 result = get_share_info(c, pipe_hnd, mem_ctx, level, argc, argv,
3320 if (!W_ERROR_IS_OK(result))
3323 /* connect destination PI_SRVSVC */
3324 nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
3325 &ndr_table_srvsvc.syntax_id);
3326 if (!NT_STATUS_IS_OK(nt_status))
3329 b = srvsvc_pipe->binding_handle;
3331 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3333 union srvsvc_NetShareInfo info;
3334 struct srvsvc_NetShareInfo502 info502 =
3335 ctr_src.ctr.ctr502->array[i];
3337 /* reset error-code */
3338 nt_status = NT_STATUS_UNSUCCESSFUL;
3340 if (!check_share_sanity(c, cli, info502.name, info502.type))
3343 /* finally add the share on the dst server */
3345 printf(_("migrating: [%s], path: %s, comment: %s, without "
3347 info502.name, info502.path, info502.comment);
3349 info.info502 = &info502;
3351 nt_status = dcerpc_srvsvc_NetShareAdd(b, mem_ctx,
3352 srvsvc_pipe->desthost,
3357 if (!NT_STATUS_IS_OK(nt_status)) {
3358 printf(_("cannot add share: %s\n"),
3359 nt_errstr(nt_status));
3362 if (W_ERROR_V(result) == W_ERROR_V(WERR_FILE_EXISTS)) {
3363 printf(_(" [%s] does already exist\n"),
3368 if (!W_ERROR_IS_OK(result)) {
3369 nt_status = werror_to_ntstatus(result);
3370 printf(_("cannot add share: %s\n"),
3371 win_errstr(result));
3377 nt_status = NT_STATUS_OK;
3381 cli_shutdown(cli_dst);
3389 * Migrate shares from a RPC server to another.
3391 * @param argc Standard main() style argc.
3392 * @param argv Standard main() style argv. Initial components are already
3395 * @return A shell status integer (0 for success).
3397 static int rpc_share_migrate_shares(struct net_context *c, int argc,
3400 if (c->display_usage) {
3402 "net rpc share migrate shares\n"
3405 _("Migrate shares to local server"));
3410 printf(_("no server to migrate\n"));
3414 return run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
3415 rpc_share_migrate_shares_internals,
3422 * @param f file_info
3423 * @param mask current search mask
3424 * @param state arg-pointer
3427 static NTSTATUS copy_fn(const char *mnt, struct file_info *f,
3428 const char *mask, void *state)
3430 static NTSTATUS nt_status;
3431 static struct copy_clistate *local_state;
3432 static fstring filename, new_mask;
3435 struct net_context *c;
3437 local_state = (struct copy_clistate *)state;
3438 nt_status = NT_STATUS_UNSUCCESSFUL;
3442 if (strequal(f->name, ".") || strequal(f->name, ".."))
3443 return NT_STATUS_OK;
3445 DEBUG(3,("got mask: %s, name: %s\n", mask, f->name));
3448 if (f->mode & aDIR) {
3450 DEBUG(3,("got dir: %s\n", f->name));
3452 fstrcpy(dir, local_state->cwd);
3454 fstrcat(dir, f->name);
3456 switch (net_mode_share)
3458 case NET_MODE_SHARE_MIGRATE:
3459 /* create that directory */
3460 nt_status = net_copy_file(c, local_state->mem_ctx,
3461 local_state->cli_share_src,
3462 local_state->cli_share_dst,
3464 c->opt_acls? true : false,
3465 c->opt_attrs? true : false,
3466 c->opt_timestamps? true:false,
3470 d_fprintf(stderr, _("Unsupported mode %d\n"), net_mode_share);
3471 return NT_STATUS_INTERNAL_ERROR;
3474 if (!NT_STATUS_IS_OK(nt_status)) {
3475 printf(_("could not handle dir %s: %s\n"),
3476 dir, nt_errstr(nt_status));
3480 /* search below that directory */
3481 fstrcpy(new_mask, dir);
3482 fstrcat(new_mask, "\\*");
3484 old_dir = local_state->cwd;
3485 local_state->cwd = dir;
3486 nt_status = sync_files(local_state, new_mask);
3487 if (!NT_STATUS_IS_OK(nt_status)) {
3488 printf(_("could not handle files\n"));
3490 local_state->cwd = old_dir;
3497 fstrcpy(filename, local_state->cwd);
3498 fstrcat(filename, "\\");
3499 fstrcat(filename, f->name);
3501 DEBUG(3,("got file: %s\n", filename));
3503 switch (net_mode_share)
3505 case NET_MODE_SHARE_MIGRATE:
3506 nt_status = net_copy_file(c, local_state->mem_ctx,
3507 local_state->cli_share_src,
3508 local_state->cli_share_dst,
3510 c->opt_acls? true : false,
3511 c->opt_attrs? true : false,
3512 c->opt_timestamps? true: false,
3516 d_fprintf(stderr, _("Unsupported file mode %d\n"),
3518 return NT_STATUS_INTERNAL_ERROR;
3521 if (!NT_STATUS_IS_OK(nt_status))
3522 printf(_("could not handle file %s: %s\n"),
3523 filename, nt_errstr(nt_status));
3528 * sync files, can be called recursivly to list files
3529 * and then call copy_fn for each file
3531 * @param cp_clistate pointer to the copy_clistate we work with
3532 * @param mask the current search mask
3534 * @return Boolean result
3536 static NTSTATUS sync_files(struct copy_clistate *cp_clistate, const char *mask)
3538 struct cli_state *targetcli;
3539 char *targetpath = NULL;
3542 DEBUG(3,("calling cli_list with mask: %s\n", mask));
3544 if ( !cli_resolve_path(talloc_tos(), "", NULL, cp_clistate->cli_share_src,
3545 mask, &targetcli, &targetpath ) ) {
3546 d_fprintf(stderr, _("cli_resolve_path %s failed with error: "
3548 mask, cli_errstr(cp_clistate->cli_share_src));
3549 return cli_nt_error(cp_clistate->cli_share_src);
3552 status = cli_list(targetcli, targetpath, cp_clistate->attribute,
3553 copy_fn, cp_clistate);
3554 if (!NT_STATUS_IS_OK(status)) {
3555 d_fprintf(stderr, _("listing %s failed with error: %s\n"),
3556 mask, nt_errstr(status));
3564 * Set the top level directory permissions before we do any further copies.
3565 * Should set up ACL inheritance.
3568 bool copy_top_level_perms(struct net_context *c,
3569 struct copy_clistate *cp_clistate,
3570 const char *sharename)
3572 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3574 switch (net_mode_share) {
3575 case NET_MODE_SHARE_MIGRATE:
3576 DEBUG(3,("calling net_copy_fileattr for '.' directory in share %s\n", sharename));
3577 nt_status = net_copy_fileattr(c,
3578 cp_clistate->mem_ctx,
3579 cp_clistate->cli_share_src,
3580 cp_clistate->cli_share_dst,
3582 c->opt_acls? true : false,
3583 c->opt_attrs? true : false,
3584 c->opt_timestamps? true: false,
3588 d_fprintf(stderr, _("Unsupported mode %d\n"), net_mode_share);
3592 if (!NT_STATUS_IS_OK(nt_status)) {
3593 printf(_("Could handle directory attributes for top level "
3594 "directory of share %s. Error %s\n"),
3595 sharename, nt_errstr(nt_status));
3603 * Sync all files inside a remote share to another share (over smb).
3605 * All parameters are provided by the run_rpc_command function, except for
3606 * argc, argv which are passed through.
3608 * @param domain_sid The domain sid acquired from the remote server.
3609 * @param cli A cli_state connected to the server.
3610 * @param mem_ctx Talloc context, destroyed on completion of the function.
3611 * @param argc Standard main() style argc.
3612 * @param argv Standard main() style argv. Initial components are already
3615 * @return Normal NTSTATUS return.
3618 static NTSTATUS rpc_share_migrate_files_internals(struct net_context *c,
3619 const struct dom_sid *domain_sid,
3620 const char *domain_name,
3621 struct cli_state *cli,
3622 struct rpc_pipe_client *pipe_hnd,
3623 TALLOC_CTX *mem_ctx,
3628 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3629 struct srvsvc_NetShareInfoCtr ctr_src;
3632 struct copy_clistate cp_clistate;
3633 bool got_src_share = false;
3634 bool got_dst_share = false;
3635 const char *mask = "\\*";
3638 dst = SMB_STRDUP(c->opt_destination?c->opt_destination:"127.0.0.1");
3640 nt_status = NT_STATUS_NO_MEMORY;
3644 result = get_share_info(c, pipe_hnd, mem_ctx, level, argc, argv,
3647 if (!W_ERROR_IS_OK(result))
3650 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3652 struct srvsvc_NetShareInfo502 info502 =
3653 ctr_src.ctr.ctr502->array[i];
3655 if (!check_share_sanity(c, cli, info502.name, info502.type))
3658 /* one might not want to mirror whole discs :) */
3659 if (strequal(info502.name, "print$") || info502.name[1] == '$') {
3660 d_printf(_("skipping [%s]: builtin/hidden share\n"),
3665 switch (net_mode_share)
3667 case NET_MODE_SHARE_MIGRATE:
3671 d_fprintf(stderr, _("Unsupported mode %d\n"),
3675 printf(_(" [%s] files and directories %s ACLs, %s DOS "
3678 c->opt_acls ? _("including") : _("without"),
3679 c->opt_attrs ? _("including") : _("without"),
3680 c->opt_timestamps ? _("(preserving timestamps)") : "");
3682 cp_clistate.mem_ctx = mem_ctx;
3683 cp_clistate.cli_share_src = NULL;
3684 cp_clistate.cli_share_dst = NULL;
3685 cp_clistate.cwd = NULL;
3686 cp_clistate.attribute = aSYSTEM | aHIDDEN | aDIR;
3689 /* open share source */
3690 nt_status = connect_to_service(c, &cp_clistate.cli_share_src,
3691 &cli->dest_ss, cli->desthost,
3692 info502.name, "A:");
3693 if (!NT_STATUS_IS_OK(nt_status))
3696 got_src_share = true;
3698 if (net_mode_share == NET_MODE_SHARE_MIGRATE) {
3699 /* open share destination */
3700 nt_status = connect_to_service(c, &cp_clistate.cli_share_dst,
3701 NULL, dst, info502.name, "A:");
3702 if (!NT_STATUS_IS_OK(nt_status))
3705 got_dst_share = true;
3708 if (!copy_top_level_perms(c, &cp_clistate, info502.name)) {
3709 d_fprintf(stderr, _("Could not handle the top level "
3710 "directory permissions for the "
3711 "share: %s\n"), info502.name);
3712 nt_status = NT_STATUS_UNSUCCESSFUL;
3716 nt_status = sync_files(&cp_clistate, mask);
3717 if (!NT_STATUS_IS_OK(nt_status)) {
3718 d_fprintf(stderr, _("could not handle files for share: "
3719 "%s\n"), info502.name);
3724 nt_status = NT_STATUS_OK;
3729 cli_shutdown(cp_clistate.cli_share_src);
3732 cli_shutdown(cp_clistate.cli_share_dst);
3739 static int rpc_share_migrate_files(struct net_context *c, int argc, const char **argv)
3741 if (c->display_usage) {
3743 "net share migrate files\n"
3746 _("Migrate files to local server"));
3751 d_printf(_("no server to migrate\n"));
3755 return run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
3756 rpc_share_migrate_files_internals,
3761 * Migrate share-ACLs from a remote RPC server to the local RPC server.
3763 * All parameters are provided by the run_rpc_command function, except for
3764 * argc, argv which are passed through.
3766 * @param domain_sid The domain sid acquired from the remote server.
3767 * @param cli A cli_state connected to the server.
3768 * @param mem_ctx Talloc context, destroyed on completion of the function.
3769 * @param argc Standard main() style argc.
3770 * @param argv Standard main() style argv. Initial components are already
3773 * @return Normal NTSTATUS return.
3776 static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
3777 const struct dom_sid *domain_sid,
3778 const char *domain_name,
3779 struct cli_state *cli,
3780 struct rpc_pipe_client *pipe_hnd,
3781 TALLOC_CTX *mem_ctx,
3786 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
3787 struct srvsvc_NetShareInfoCtr ctr_src;
3788 union srvsvc_NetShareInfo info;
3790 struct rpc_pipe_client *srvsvc_pipe = NULL;
3791 struct cli_state *cli_dst = NULL;
3792 uint32 level = 502; /* includes secdesc */
3793 uint32_t parm_error = 0;
3794 struct dcerpc_binding_handle *b;
3796 result = get_share_info(c, pipe_hnd, mem_ctx, level, argc, argv,
3799 if (!W_ERROR_IS_OK(result))
3802 /* connect destination PI_SRVSVC */
3803 nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
3804 &ndr_table_srvsvc.syntax_id);
3805 if (!NT_STATUS_IS_OK(nt_status))
3808 b = srvsvc_pipe->binding_handle;
3810 for (i = 0; i < ctr_src.ctr.ctr502->count; i++) {
3812 struct srvsvc_NetShareInfo502 info502 =
3813 ctr_src.ctr.ctr502->array[i];
3815 /* reset error-code */
3816 nt_status = NT_STATUS_UNSUCCESSFUL;
3818 if (!check_share_sanity(c, cli, info502.name, info502.type))
3821 printf(_("migrating: [%s], path: %s, comment: %s, including "
3823 info502.name, info502.path, info502.comment);
3826 display_sec_desc(info502.sd_buf.sd);
3828 /* FIXME: shouldn't we be able to just set the security descriptor ? */
3829 info.info502 = &info502;
3831 /* finally modify the share on the dst server */
3832 nt_status = dcerpc_srvsvc_NetShareSetInfo(b, mem_ctx,
3833 srvsvc_pipe->desthost,
3839 if (!NT_STATUS_IS_OK(nt_status)) {
3840 printf(_("cannot set share-acl: %s\n"),
3841 nt_errstr(nt_status));
3844 if (!W_ERROR_IS_OK(result)) {
3845 nt_status = werror_to_ntstatus(result);
3846 printf(_("cannot set share-acl: %s\n"),
3847 win_errstr(result));
3853 nt_status = NT_STATUS_OK;
3857 cli_shutdown(cli_dst);
3865 * Migrate share-acls from a RPC server to another.
3867 * @param argc Standard main() style argc.
3868 * @param argv Standard main() style argv. Initial components are already
3871 * @return A shell status integer (0 for success).
3873 static int rpc_share_migrate_security(struct net_context *c, int argc,
3876 if (c->display_usage) {
3878 "net rpc share migrate security\n"
3881 _("Migrate share-acls to local server"));
3886 d_printf(_("no server to migrate\n"));
3890 return run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
3891 rpc_share_migrate_security_internals,
3896 * Migrate shares (including share-definitions, share-acls and files with acls/attrs)
3897 * from one server to another.
3899 * @param argc Standard main() style argc.
3900 * @param argv Standard main() style argv. Initial components are already
3903 * @return A shell status integer (0 for success).
3906 static int rpc_share_migrate_all(struct net_context *c, int argc,
3911 if (c->display_usage) {
3913 "net rpc share migrate all\n"
3916 _("Migrates shares including all share settings"));
3921 d_printf(_("no server to migrate\n"));
3925 /* order is important. we don't want to be locked out by the share-acl
3926 * before copying files - gd */
3928 ret = run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
3929 rpc_share_migrate_shares_internals, argc, argv);
3933 ret = run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
3934 rpc_share_migrate_files_internals, argc, argv);
3938 return run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
3939 rpc_share_migrate_security_internals, argc,
3945 * 'net rpc share migrate' entrypoint.
3946 * @param argc Standard main() style argc.
3947 * @param argv Standard main() style argv. Initial components are already
3950 static int rpc_share_migrate(struct net_context *c, int argc, const char **argv)
3953 struct functable func[] = {
3956 rpc_share_migrate_all,
3958 N_("Migrate shares from remote to local server"),
3959 N_("net rpc share migrate all\n"
3960 " Migrate shares from remote to local server")
3964 rpc_share_migrate_files,
3966 N_("Migrate files from remote to local server"),
3967 N_("net rpc share migrate files\n"
3968 " Migrate files from remote to local server")
3972 rpc_share_migrate_security,
3974 N_("Migrate share-ACLs from remote to local server"),
3975 N_("net rpc share migrate security\n"
3976 " Migrate share-ACLs from remote to local server")
3980 rpc_share_migrate_shares,
3982 N_("Migrate shares from remote to local server"),
3983 N_("net rpc share migrate shares\n"
3984 " Migrate shares from remote to local server")
3986 {NULL, NULL, 0, NULL, NULL}
3989 net_mode_share = NET_MODE_SHARE_MIGRATE;
3991 return net_run_function(c, argc, argv, "net rpc share migrate", func);
3997 struct dom_sid *members;
4000 static int num_server_aliases;
4001 static struct full_alias *server_aliases;
4004 * Add an alias to the static list.
4006 static void push_alias(TALLOC_CTX *mem_ctx, struct full_alias *alias)
4008 if (server_aliases == NULL)
4009 server_aliases = SMB_MALLOC_ARRAY(struct full_alias, 100);
4011 server_aliases[num_server_aliases] = *alias;
4012 num_server_aliases += 1;
4016 * For a specific domain on the server, fetch all the aliases
4017 * and their members. Add all of them to the server_aliases.
4020 static NTSTATUS rpc_fetch_domain_aliases(struct rpc_pipe_client *pipe_hnd,
4021 TALLOC_CTX *mem_ctx,
4022 struct policy_handle *connect_pol,
4023 const struct dom_sid *domain_sid)
4025 uint32 start_idx, max_entries, num_entries, i;
4026 struct samr_SamArray *groups = NULL;
4028 struct policy_handle domain_pol;
4030 /* Get domain policy handle */
4032 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
4034 MAXIMUM_ALLOWED_ACCESS,
4035 CONST_DISCARD(struct dom_sid2 *, domain_sid),
4037 if (!NT_STATUS_IS_OK(result))
4044 result = rpccli_samr_EnumDomainAliases(pipe_hnd, mem_ctx,
4050 for (i = 0; i < num_entries; i++) {
4052 struct policy_handle alias_pol;
4053 struct full_alias alias;
4054 struct lsa_SidArray sid_array;
4057 result = rpccli_samr_OpenAlias(pipe_hnd, mem_ctx,
4059 MAXIMUM_ALLOWED_ACCESS,
4060 groups->entries[i].idx,
4062 if (!NT_STATUS_IS_OK(result))
4065 result = rpccli_samr_GetMembersInAlias(pipe_hnd, mem_ctx,
4068 if (!NT_STATUS_IS_OK(result))
4071 alias.num_members = sid_array.num_sids;
4073 result = rpccli_samr_Close(pipe_hnd, mem_ctx, &alias_pol);
4074 if (!NT_STATUS_IS_OK(result))
4077 alias.members = NULL;
4079 if (alias.num_members > 0) {
4080 alias.members = SMB_MALLOC_ARRAY(struct dom_sid, alias.num_members);
4082 for (j = 0; j < alias.num_members; j++)
4083 sid_copy(&alias.members[j],
4084 sid_array.sids[j].sid);
4087 sid_compose(&alias.sid, domain_sid,
4088 groups->entries[i].idx);
4090 push_alias(mem_ctx, &alias);
4092 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
4094 result = NT_STATUS_OK;
4097 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
4103 * Dump server_aliases as names for debugging purposes.
4106 static NTSTATUS rpc_aliaslist_dump(struct net_context *c,
4107 const struct dom_sid *domain_sid,
4108 const char *domain_name,
4109 struct cli_state *cli,
4110 struct rpc_pipe_client *pipe_hnd,
4111 TALLOC_CTX *mem_ctx,
4117 struct policy_handle lsa_pol;
4119 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
4120 SEC_FLAG_MAXIMUM_ALLOWED,
4122 if (!NT_STATUS_IS_OK(result))
4125 for (i=0; i<num_server_aliases; i++) {
4128 enum lsa_SidType *types;
4131 struct full_alias *alias = &server_aliases[i];
4133 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &lsa_pol, 1,
4135 &domains, &names, &types);
4136 if (!NT_STATUS_IS_OK(result))
4139 DEBUG(1, ("%s\\%s %d: ", domains[0], names[0], types[0]));
4141 if (alias->num_members == 0) {
4146 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &lsa_pol,
4149 &domains, &names, &types);
4151 if (!NT_STATUS_IS_OK(result) &&
4152 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
4155 for (j=0; j<alias->num_members; j++)
4156 DEBUG(1, ("%s\\%s (%d); ",
4157 domains[j] ? domains[j] : "*unknown*",
4158 names[j] ? names[j] : "*unknown*",types[j]));
4162 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
4164 return NT_STATUS_OK;
4168 * Fetch a list of all server aliases and their members into
4172 static NTSTATUS rpc_aliaslist_internals(struct net_context *c,
4173 const struct dom_sid *domain_sid,
4174 const char *domain_name,
4175 struct cli_state *cli,
4176 struct rpc_pipe_client *pipe_hnd,
4177 TALLOC_CTX *mem_ctx,
4182 struct policy_handle connect_pol;
4184 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
4186 MAXIMUM_ALLOWED_ACCESS,
4189 if (!NT_STATUS_IS_OK(result))
4192 result = rpc_fetch_domain_aliases(pipe_hnd, mem_ctx, &connect_pol,
4193 &global_sid_Builtin);
4195 if (!NT_STATUS_IS_OK(result))
4198 result = rpc_fetch_domain_aliases(pipe_hnd, mem_ctx, &connect_pol,
4201 rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_pol);
4206 static void init_user_token(struct security_token *token, struct dom_sid *user_sid)
4208 token->num_sids = 4;
4210 if (!(token->sids = SMB_MALLOC_ARRAY(struct dom_sid, 4))) {
4211 d_fprintf(stderr, "malloc %s\n",_("failed"));
4212 token->num_sids = 0;
4216 token->sids[0] = *user_sid;
4217 sid_copy(&token->sids[1], &global_sid_World);
4218 sid_copy(&token->sids[2], &global_sid_Network);
4219 sid_copy(&token->sids[3], &global_sid_Authenticated_Users);
4222 static void free_user_token(struct security_token *token)
4224 SAFE_FREE(token->sids);
4227 static void add_sid_to_token(struct security_token *token, struct dom_sid *sid)
4229 if (security_token_has_sid(token, sid))
4232 token->sids = SMB_REALLOC_ARRAY(token->sids, struct dom_sid, token->num_sids+1);
4237 sid_copy(&token->sids[token->num_sids], sid);
4239 token->num_sids += 1;
4244 struct security_token token;
4247 static void dump_user_token(struct user_token *token)
4251 d_printf("%s\n", token->name);
4253 for (i=0; i<token->token.num_sids; i++) {
4254 d_printf(" %s\n", sid_string_tos(&token->token.sids[i]));
4258 static bool is_alias_member(struct dom_sid *sid, struct full_alias *alias)
4262 for (i=0; i<alias->num_members; i++) {
4263 if (dom_sid_compare(sid, &alias->members[i]) == 0)
4270 static void collect_sid_memberships(struct security_token *token, struct dom_sid sid)
4274 for (i=0; i<num_server_aliases; i++) {
4275 if (is_alias_member(&sid, &server_aliases[i]))
4276 add_sid_to_token(token, &server_aliases[i].sid);
4281 * We got a user token with all the SIDs we can know about without asking the
4282 * server directly. These are the user and domain group sids. All of these can
4283 * be members of aliases. So scan the list of aliases for each of the SIDs and
4284 * add them to the token.
4287 static void collect_alias_memberships(struct security_token *token)
4289 int num_global_sids = token->num_sids;
4292 for (i=0; i<num_global_sids; i++) {
4293 collect_sid_memberships(token, token->sids[i]);
4297 static bool get_user_sids(const char *domain, const char *user, struct security_token *token)
4299 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
4300 enum wbcSidType type;
4302 struct wbcDomainSid wsid;
4303 char *sid_str = NULL;
4304 struct dom_sid user_sid;
4305 uint32_t num_groups;
4306 gid_t *groups = NULL;
4309 fstr_sprintf(full_name, "%s%c%s",
4310 domain, *lp_winbind_separator(), user);
4312 /* First let's find out the user sid */
4314 wbc_status = wbcLookupName(domain, user, &wsid, &type);
4316 if (!WBC_ERROR_IS_OK(wbc_status)) {
4317 DEBUG(1, ("winbind could not find %s: %s\n",
4318 full_name, wbcErrorString(wbc_status)));
4322 wbc_status = wbcSidToString(&wsid, &sid_str);
4323 if (!WBC_ERROR_IS_OK(wbc_status)) {
4327 if (type != WBC_SID_NAME_USER) {
4328 wbcFreeMemory(sid_str);
4329 DEBUG(1, ("%s is not a user\n", full_name));
4333 if (!string_to_sid(&user_sid, sid_str)) {
4334 DEBUG(1,("Could not convert sid %s from string\n", sid_str));
4338 wbcFreeMemory(sid_str);
4341 init_user_token(token, &user_sid);
4343 /* And now the groups winbind knows about */
4345 wbc_status = wbcGetGroups(full_name, &num_groups, &groups);
4346 if (!WBC_ERROR_IS_OK(wbc_status)) {
4347 DEBUG(1, ("winbind could not get groups of %s: %s\n",
4348 full_name, wbcErrorString(wbc_status)));
4352 for (i = 0; i < num_groups; i++) {
4353 gid_t gid = groups[i];
4356 wbc_status = wbcGidToSid(gid, &wsid);
4357 if (!WBC_ERROR_IS_OK(wbc_status)) {
4358 DEBUG(1, ("winbind could not find SID of gid %u: %s\n",
4359 (unsigned int)gid, wbcErrorString(wbc_status)));
4360 wbcFreeMemory(groups);
4364 wbc_status = wbcSidToString(&wsid, &sid_str);
4365 if (!WBC_ERROR_IS_OK(wbc_status)) {
4366 wbcFreeMemory(groups);
4370 DEBUG(3, (" %s\n", sid_str));
4372 string_to_sid(&sid, sid_str);
4373 wbcFreeMemory(sid_str);
4376 add_sid_to_token(token, &sid);
4378 wbcFreeMemory(groups);
4384 * Get a list of all user tokens we want to look at
4387 static bool get_user_tokens(struct net_context *c, int *num_tokens,
4388 struct user_token **user_tokens)
4390 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
4391 uint32_t i, num_users;
4393 struct user_token *result;
4394 TALLOC_CTX *frame = NULL;
4396 if (lp_winbind_use_default_domain() &&
4397 (c->opt_target_workgroup == NULL)) {
4398 d_fprintf(stderr, _("winbind use default domain = yes set, "
4399 "please specify a workgroup\n"));
4403 /* Send request to winbind daemon */
4405 wbc_status = wbcListUsers(NULL, &num_users, &users);
4406 if (!WBC_ERROR_IS_OK(wbc_status)) {
4407 DEBUG(1, (_("winbind could not list users: %s\n"),
4408 wbcErrorString(wbc_status)));
4412 result = SMB_MALLOC_ARRAY(struct user_token, num_users);
4414 if (result == NULL) {
4415 DEBUG(1, ("Could not malloc sid array\n"));
4416 wbcFreeMemory(users);
4420 frame = talloc_stackframe();
4421 for (i=0; i < num_users; i++) {
4422 fstring domain, user;
4425 fstrcpy(result[i].name, users[i]);
4427 p = strchr(users[i], *lp_winbind_separator());
4429 DEBUG(3, ("%s\n", users[i]));
4432 fstrcpy(domain, c->opt_target_workgroup);
4433 fstrcpy(user, users[i]);
4436 fstrcpy(domain, users[i]);
4441 get_user_sids(domain, user, &(result[i].token));
4444 wbcFreeMemory(users);
4446 *num_tokens = num_users;
4447 *user_tokens = result;
4452 static bool get_user_tokens_from_file(FILE *f,
4454 struct user_token **tokens)
4456 struct user_token *token = NULL;
4461 if (fgets(line, sizeof(line)-1, f) == NULL) {
4465 if ((strlen(line) > 0) && (line[strlen(line)-1] == '\n')) {
4466 line[strlen(line)-1] = '\0';
4469 if (line[0] == ' ') {
4473 if(!string_to_sid(&sid, &line[1])) {
4474 DEBUG(1,("get_user_tokens_from_file: Could "
4475 "not convert sid %s \n",&line[1]));
4479 if (token == NULL) {
4480 DEBUG(0, ("File does not begin with username"));
4484 add_sid_to_token(&token->token, &sid);
4488 /* And a new user... */
4491 *tokens = SMB_REALLOC_ARRAY(*tokens, struct user_token, *num_tokens);
4492 if (*tokens == NULL) {
4493 DEBUG(0, ("Could not realloc tokens\n"));
4497 token = &((*tokens)[*num_tokens-1]);
4499 fstrcpy(token->name, line);
4500 token->token.num_sids = 0;
4501 token->token.sids = NULL;
4510 * Show the list of all users that have access to a share
4513 static void show_userlist(struct rpc_pipe_client *pipe_hnd,
4514 TALLOC_CTX *mem_ctx,
4515 const char *netname,
4517 struct user_token *tokens)
4520 struct security_descriptor *share_sd = NULL;
4521 struct security_descriptor *root_sd = NULL;
4522 struct cli_state *cli = rpc_pipe_np_smb_conn(pipe_hnd);
4524 union srvsvc_NetShareInfo info;
4528 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
4530 status = dcerpc_srvsvc_NetShareGetInfo(b, mem_ctx,
4537 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
4538 DEBUG(1, ("Coult not query secdesc for share %s\n",
4543 share_sd = info.info502->sd_buf.sd;
4544 if (share_sd == NULL) {
4545 DEBUG(1, ("Got no secdesc for share %s\n",
4551 if (!NT_STATUS_IS_OK(cli_tcon_andx(cli, netname, "A:", "", 0))) {
4555 if (!NT_STATUS_IS_OK(cli_ntcreate(cli, "\\", 0, READ_CONTROL_ACCESS, 0,
4556 FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum))) {
4557 root_sd = cli_query_secdesc(cli, fnum, mem_ctx);
4560 for (i=0; i<num_tokens; i++) {
4563 if (share_sd != NULL) {
4564 status = se_access_check(share_sd, &tokens[i].token,
4567 if (!NT_STATUS_IS_OK(status)) {
4568 DEBUG(1, ("Could not check share_sd for "
4575 if (root_sd == NULL) {
4576 d_printf(" %s\n", tokens[i].name);
4580 status = se_access_check(root_sd, &tokens[i].token,
4582 if (!NT_STATUS_IS_OK(status)) {
4583 DEBUG(1, ("Could not check root_sd for user %s\n",
4587 d_printf(" %s\n", tokens[i].name);
4590 if (fnum != (uint16_t)-1)
4591 cli_close(cli, fnum);
4603 static void collect_share(const char *name, uint32 m,
4604 const char *comment, void *state)
4606 struct share_list *share_list = (struct share_list *)state;
4608 if (m != STYPE_DISKTREE)
4611 share_list->num_shares += 1;
4612 share_list->shares = SMB_REALLOC_ARRAY(share_list->shares, char *, share_list->num_shares);
4613 if (!share_list->shares) {
4614 share_list->num_shares = 0;
4617 share_list->shares[share_list->num_shares-1] = SMB_STRDUP(name);
4621 * List shares on a remote RPC server, including the security descriptors.
4623 * All parameters are provided by the run_rpc_command function, except for
4624 * argc, argv which are passed through.
4626 * @param domain_sid The domain sid acquired from the remote server.
4627 * @param cli A cli_state connected to the server.
4628 * @param mem_ctx Talloc context, destroyed on completion of the function.
4629 * @param argc Standard main() style argc.
4630 * @param argv Standard main() style argv. Initial components are already
4633 * @return Normal NTSTATUS return.
4636 static NTSTATUS rpc_share_allowedusers_internals(struct net_context *c,
4637 const struct dom_sid *domain_sid,
4638 const char *domain_name,
4639 struct cli_state *cli,
4640 struct rpc_pipe_client *pipe_hnd,
4641 TALLOC_CTX *mem_ctx,
4650 struct user_token *tokens = NULL;
4653 struct share_list share_list;
4658 f = fopen(argv[0], "r");
4662 DEBUG(0, ("Could not open userlist: %s\n", strerror(errno)));
4663 return NT_STATUS_UNSUCCESSFUL;
4666 r = get_user_tokens_from_file(f, &num_tokens, &tokens);
4672 DEBUG(0, ("Could not read users from file\n"));
4673 return NT_STATUS_UNSUCCESSFUL;
4676 for (i=0; i<num_tokens; i++)
4677 collect_alias_memberships(&tokens[i].token);
4679 share_list.num_shares = 0;
4680 share_list.shares = NULL;
4682 ret = cli_RNetShareEnum(cli, collect_share, &share_list);
4685 DEBUG(0, ("Error returning browse list: %s\n",
4690 for (i = 0; i < share_list.num_shares; i++) {
4691 char *netname = share_list.shares[i];
4693 if (netname[strlen(netname)-1] == '$')
4696 d_printf("%s\n", netname);
4698 show_userlist(pipe_hnd, mem_ctx, netname,
4699 num_tokens, tokens);
4702 for (i=0; i<num_tokens; i++) {
4703 free_user_token(&tokens[i].token);
4706 SAFE_FREE(share_list.shares);
4708 return NT_STATUS_OK;
4711 static int rpc_share_allowedusers(struct net_context *c, int argc,
4716 if (c->display_usage) {
4718 "net rpc share allowedusers\n"
4721 _("List allowed users"));
4725 result = run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
4726 rpc_aliaslist_internals,
4731 result = run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
4737 return run_rpc_command(c, NULL, &ndr_table_srvsvc.syntax_id, 0,
4738 rpc_share_allowedusers_internals,
4742 int net_usersidlist(struct net_context *c, int argc, const char **argv)
4745 struct user_token *tokens = NULL;
4749 net_usersidlist_usage(c, argc, argv);
4753 if (!get_user_tokens(c, &num_tokens, &tokens)) {
4754 DEBUG(0, ("Could not get the user/sid list\n"));
4758 for (i=0; i<num_tokens; i++) {
4759 dump_user_token(&tokens[i]);
4760 free_user_token(&tokens[i].token);
4767 int net_usersidlist_usage(struct net_context *c, int argc, const char **argv)
4769 d_printf(_("net usersidlist\n"
4770 "\tprints out a list of all users the running winbind knows\n"
4771 "\tabout, together with all their SIDs. This is used as\n"
4772 "\tinput to the 'net rpc share allowedusers' command.\n\n"));
4774 net_common_flags_usage(c, argc, argv);
4779 * 'net rpc share' entrypoint.
4780 * @param argc Standard main() style argc.
4781 * @param argv Standard main() style argv. Initial components are already
4785 int net_rpc_share(struct net_context *c, int argc, const char **argv)
4787 NET_API_STATUS status;
4789 struct functable func[] = {
4795 N_("net rpc share add\n"
4803 N_("net rpc share delete\n"
4808 rpc_share_allowedusers,
4810 N_("Modify allowed users"),
4811 N_("net rpc share allowedusers\n"
4812 " Modify allowed users")
4818 N_("Migrate share to local server"),
4819 N_("net rpc share migrate\n"
4820 " Migrate share to local server")
4827 N_("net rpc share list\n"
4830 {NULL, NULL, 0, NULL, NULL}
4833 status = libnetapi_net_init(&c->netapi_ctx);
4837 libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
4838 libnetapi_set_password(c->netapi_ctx, c->opt_password);
4839 if (c->opt_kerberos) {
4840 libnetapi_set_use_kerberos(c->netapi_ctx);
4844 if (c->display_usage) {
4849 " Alias for net rpc share list\n"));
4850 net_display_usage_from_functable(func);
4854 return rpc_share_list(c, argc, argv);
4857 return net_run_function(c, argc, argv, "net rpc share", func);
4860 static NTSTATUS rpc_sh_share_list(struct net_context *c,
4861 TALLOC_CTX *mem_ctx,
4862 struct rpc_sh_ctx *ctx,
4863 struct rpc_pipe_client *pipe_hnd,
4864 int argc, const char **argv)
4867 return werror_to_ntstatus(W_ERROR(rpc_share_list(c, argc, argv)));
4870 static NTSTATUS rpc_sh_share_add(struct net_context *c,
4871 TALLOC_CTX *mem_ctx,
4872 struct rpc_sh_ctx *ctx,
4873 struct rpc_pipe_client *pipe_hnd,
4874 int argc, const char **argv)
4876 NET_API_STATUS status;
4877 uint32_t parm_err = 0;
4878 struct SHARE_INFO_2 i2;
4880 if ((argc < 2) || (argc > 3)) {
4881 d_fprintf(stderr, _("Usage: %s <share> <path> [comment]\n"),
4883 return NT_STATUS_INVALID_PARAMETER;
4886 i2.shi2_netname = argv[0];
4887 i2.shi2_type = STYPE_DISKTREE;
4888 i2.shi2_remark = (argc == 3) ? argv[2] : "";
4889 i2.shi2_permissions = 0;
4890 i2.shi2_max_uses = 0;
4891 i2.shi2_current_uses = 0;
4892 i2.shi2_path = argv[1];
4893 i2.shi2_passwd = NULL;
4895 status = NetShareAdd(pipe_hnd->desthost,
4900 return werror_to_ntstatus(W_ERROR(status));
4903 static NTSTATUS rpc_sh_share_delete(struct net_context *c,
4904 TALLOC_CTX *mem_ctx,
4905 struct rpc_sh_ctx *ctx,
4906 struct rpc_pipe_client *pipe_hnd,
4907 int argc, const char **argv)
4910 d_fprintf(stderr, "%s %s <share>\n", _("Usage:"), ctx->whoami);
4911 return NT_STATUS_INVALID_PARAMETER;
4914 return werror_to_ntstatus(W_ERROR(NetShareDel(pipe_hnd->desthost, argv[0], 0)));
4917 static NTSTATUS rpc_sh_share_info(struct net_context *c,
4918 TALLOC_CTX *mem_ctx,
4919 struct rpc_sh_ctx *ctx,
4920 struct rpc_pipe_client *pipe_hnd,
4921 int argc, const char **argv)
4923 union srvsvc_NetShareInfo info;
4926 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
4929 d_fprintf(stderr, "%s %s <share>\n", _("Usage:"), ctx->whoami);
4930 return NT_STATUS_INVALID_PARAMETER;
4933 status = dcerpc_srvsvc_NetShareGetInfo(b, mem_ctx,
4939 if (!NT_STATUS_IS_OK(status)) {
4940 result = ntstatus_to_werror(status);
4943 if (!W_ERROR_IS_OK(result)) {
4947 d_printf(_("Name: %s\n"), info.info2->name);
4948 d_printf(_("Comment: %s\n"), info.info2->comment);
4949 d_printf(_("Path: %s\n"), info.info2->path);
4950 d_printf(_("Password: %s\n"), info.info2->password);
4953 return werror_to_ntstatus(result);
4956 struct rpc_sh_cmd *net_rpc_share_cmds(struct net_context *c, TALLOC_CTX *mem_ctx,
4957 struct rpc_sh_ctx *ctx)
4959 static struct rpc_sh_cmd cmds[] = {
4961 { "list", NULL, &ndr_table_srvsvc.syntax_id, rpc_sh_share_list,
4962 N_("List available shares") },
4964 { "add", NULL, &ndr_table_srvsvc.syntax_id, rpc_sh_share_add,
4965 N_("Add a share") },
4967 { "delete", NULL, &ndr_table_srvsvc.syntax_id, rpc_sh_share_delete,
4968 N_("Delete a share") },
4970 { "info", NULL, &ndr_table_srvsvc.syntax_id, rpc_sh_share_info,
4971 N_("Get information about a share") },
4973 { NULL, NULL, 0, NULL, NULL }
4979 /****************************************************************************/
4981 static int rpc_file_usage(struct net_context *c, int argc, const char **argv)
4983 return net_file_usage(c, argc, argv);
4987 * Close a file on a remote RPC server.
4989 * @param argc Standard main() style argc.
4990 * @param argv Standard main() style argv. Initial components are already
4993 * @return A shell status integer (0 for success).
4995 static int rpc_file_close(struct net_context *c, int argc, const char **argv)
4997 if (argc < 1 || c->display_usage) {
4998 return rpc_file_usage(c, argc, argv);
5001 return NetFileClose(c->opt_host, atoi(argv[0]));
5005 * Formatted print of open file info
5007 * @param r struct FILE_INFO_3 contents
5010 static void display_file_info_3(struct FILE_INFO_3 *r)
5012 d_printf("%-7.1d %-20.20s 0x%-4.2x %-6.1d %s\n",
5013 r->fi3_id, r->fi3_username, r->fi3_permissions,
5014 r->fi3_num_locks, r->fi3_pathname);
5018 * List files for a user on a remote RPC server.
5020 * @param argc Standard main() style argc.
5021 * @param argv Standard main() style argv. Initial components are already
5024 * @return A shell status integer (0 for success)..
5027 static int rpc_file_user(struct net_context *c, int argc, const char **argv)
5029 NET_API_STATUS status;
5030 uint32 preferred_len = 0xffffffff, i;
5031 const char *username=NULL;
5032 uint32_t total_entries = 0;
5033 uint32_t entries_read = 0;
5034 uint32_t resume_handle = 0;
5035 struct FILE_INFO_3 *i3 = NULL;
5037 if (c->display_usage) {
5038 return rpc_file_usage(c, argc, argv);
5041 /* if argc > 0, must be user command */
5043 username = smb_xstrdup(argv[0]);
5046 status = NetFileEnum(c->opt_host,
5050 (uint8_t **)(void *)&i3,
5060 /* Display results */
5063 "\nEnumerating open files on remote server:\n\n"
5064 "\nFileId Opened by Perms Locks Path"
5065 "\n------ --------- ----- ----- ---- \n"));
5066 for (i = 0; i < entries_read; i++) {
5067 display_file_info_3(&i3[i]);
5074 * 'net rpc file' entrypoint.
5075 * @param argc Standard main() style argc.
5076 * @param argv Standard main() style argv. Initial components are already
5080 int net_rpc_file(struct net_context *c, int argc, const char **argv)
5082 NET_API_STATUS status;
5084 struct functable func[] = {
5089 N_("Close opened file"),
5090 N_("net rpc file close\n"
5091 " Close opened file")
5097 N_("List files opened by user"),
5098 N_("net rpc file user\n"
5099 " List files opened by user")
5106 N_("Display information about opened file"),
5107 N_("net rpc file info\n"
5108 " Display information about opened file")
5111 {NULL, NULL, 0, NULL, NULL}
5114 status = libnetapi_net_init(&c->netapi_ctx);
5118 libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
5119 libnetapi_set_password(c->netapi_ctx, c->opt_password);
5120 if (c->opt_kerberos) {
5121 libnetapi_set_use_kerberos(c->netapi_ctx);
5125 if (c->display_usage) {
5126 d_printf(_("Usage:\n"));
5127 d_printf(_("net rpc file\n"
5128 " List opened files\n"));
5129 net_display_usage_from_functable(func);
5133 return rpc_file_user(c, argc, argv);
5136 return net_run_function(c, argc, argv, "net rpc file", func);
5140 * ABORT the shutdown of a remote RPC Server, over initshutdown pipe.
5142 * All parameters are provided by the run_rpc_command function, except for
5143 * argc, argv which are passed through.
5145 * @param c A net_context structure.
5146 * @param domain_sid The domain sid acquired from the remote server.
5147 * @param cli A cli_state connected to the server.
5148 * @param mem_ctx Talloc context, destroyed on completion of the function.
5149 * @param argc Standard main() style argc.
5150 * @param argv Standard main() style argv. Initial components are already
5153 * @return Normal NTSTATUS return.
5156 static NTSTATUS rpc_shutdown_abort_internals(struct net_context *c,
5157 const struct dom_sid *domain_sid,
5158 const char *domain_name,
5159 struct cli_state *cli,
5160 struct rpc_pipe_client *pipe_hnd,
5161 TALLOC_CTX *mem_ctx,
5165 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
5167 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
5169 status = dcerpc_initshutdown_Abort(b, mem_ctx, NULL, &result);
5170 if (!NT_STATUS_IS_OK(status)) {
5173 if (W_ERROR_IS_OK(result)) {
5174 d_printf(_("\nShutdown successfully aborted\n"));
5175 DEBUG(5,("cmd_shutdown_abort: query succeeded\n"));
5177 DEBUG(5,("cmd_shutdown_abort: query failed\n"));
5179 return werror_to_ntstatus(result);
5183 * ABORT the shutdown of a remote RPC Server, over winreg pipe.
5185 * All parameters are provided by the run_rpc_command function, except for
5186 * argc, argv which are passed through.
5188 * @param c A net_context structure.
5189 * @param domain_sid The domain sid acquired from the remote server.
5190 * @param cli A cli_state connected to the server.
5191 * @param mem_ctx Talloc context, destroyed on completion of the function.
5192 * @param argc Standard main() style argc.
5193 * @param argv Standard main() style argv. Initial components are already
5196 * @return Normal NTSTATUS return.
5199 static NTSTATUS rpc_reg_shutdown_abort_internals(struct net_context *c,
5200 const struct dom_sid *domain_sid,
5201 const char *domain_name,
5202 struct cli_state *cli,
5203 struct rpc_pipe_client *pipe_hnd,
5204 TALLOC_CTX *mem_ctx,
5208 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5210 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
5212 result = dcerpc_winreg_AbortSystemShutdown(b, mem_ctx, NULL, &werr);
5214 if (!NT_STATUS_IS_OK(result)) {
5215 DEBUG(5,("cmd_reg_abort_shutdown: query failed\n"));
5218 if (W_ERROR_IS_OK(werr)) {
5219 d_printf(_("\nShutdown successfully aborted\n"));
5220 DEBUG(5,("cmd_reg_abort_shutdown: query succeeded\n"));
5222 DEBUG(5,("cmd_reg_abort_shutdown: query failed\n"));
5224 return werror_to_ntstatus(werr);
5228 * ABORT the shutdown of a remote RPC server.
5230 * @param argc Standard main() style argc.
5231 * @param argv Standard main() style argv. Initial components are already
5234 * @return A shell status integer (0 for success).
5237 static int rpc_shutdown_abort(struct net_context *c, int argc,
5242 if (c->display_usage) {
5244 "net rpc abortshutdown\n"
5247 _("Abort a scheduled shutdown"));
5251 rc = run_rpc_command(c, NULL, &ndr_table_initshutdown.syntax_id, 0,
5252 rpc_shutdown_abort_internals, argc, argv);
5257 DEBUG(1, ("initshutdown pipe didn't work, trying winreg pipe\n"));
5259 return run_rpc_command(c, NULL, &ndr_table_winreg.syntax_id, 0,
5260 rpc_reg_shutdown_abort_internals,
5265 * Shut down a remote RPC Server via initshutdown pipe.
5267 * All parameters are provided by the run_rpc_command function, except for
5268 * argc, argv which are passed through.
5270 * @param c A net_context structure.
5271 * @param domain_sid The domain sid acquired from the remote server.
5272 * @param cli A cli_state connected to the server.
5273 * @param mem_ctx Talloc context, destroyed on completion of the function.
5274 * @param argc Standard main() style argc.
5275 * @param argv Standard main() style argv. Initial components are already
5278 * @return Normal NTSTATUS return.
5281 NTSTATUS rpc_init_shutdown_internals(struct net_context *c,
5282 const struct dom_sid *domain_sid,
5283 const char *domain_name,
5284 struct cli_state *cli,
5285 struct rpc_pipe_client *pipe_hnd,
5286 TALLOC_CTX *mem_ctx,
5290 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
5292 const char *msg = N_("This machine will be shutdown shortly");
5293 uint32 timeout = 20;
5294 struct lsa_StringLarge msg_string;
5295 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
5297 if (c->opt_comment) {
5298 msg = c->opt_comment;
5300 if (c->opt_timeout) {
5301 timeout = c->opt_timeout;
5304 msg_string.string = msg;
5306 /* create an entry */
5307 status = dcerpc_initshutdown_Init(b, mem_ctx, NULL,
5308 &msg_string, timeout, c->opt_force, c->opt_reboot,
5310 if (!NT_STATUS_IS_OK(status)) {
5313 if (W_ERROR_IS_OK(result)) {
5314 d_printf(_("\nShutdown of remote machine succeeded\n"));
5315 DEBUG(5,("Shutdown of remote machine succeeded\n"));
5317 DEBUG(1,("Shutdown of remote machine failed!\n"));
5319 return werror_to_ntstatus(result);
5323 * Shut down a remote RPC Server via winreg pipe.
5325 * All parameters are provided by the run_rpc_command function, except for
5326 * argc, argv which are passed through.
5328 * @param c A net_context structure.
5329 * @param domain_sid The domain sid acquired from the remote server.
5330 * @param cli A cli_state connected to the server.
5331 * @param mem_ctx Talloc context, destroyed on completion of the function.
5332 * @param argc Standard main() style argc.
5333 * @param argv Standard main() style argv. Initial components are already
5336 * @return Normal NTSTATUS return.
5339 NTSTATUS rpc_reg_shutdown_internals(struct net_context *c,
5340 const struct dom_sid *domain_sid,
5341 const char *domain_name,
5342 struct cli_state *cli,
5343 struct rpc_pipe_client *pipe_hnd,
5344 TALLOC_CTX *mem_ctx,
5348 const char *msg = N_("This machine will be shutdown shortly");
5349 uint32 timeout = 20;
5350 struct lsa_StringLarge msg_string;
5353 struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
5355 if (c->opt_comment) {
5356 msg = c->opt_comment;
5358 msg_string.string = msg;
5360 if (c->opt_timeout) {
5361 timeout = c->opt_timeout;
5364 /* create an entry */
5365 result = dcerpc_winreg_InitiateSystemShutdown(b, mem_ctx, NULL,
5366 &msg_string, timeout, c->opt_force, c->opt_reboot,
5368 if (!NT_STATUS_IS_OK(result)) {
5369 d_fprintf(stderr, "\nShutdown of remote machine failed\n");
5373 if (W_ERROR_IS_OK(werr)) {
5374 d_printf(_("\nShutdown of remote machine succeeded\n"));
5376 d_fprintf(stderr, "\nShutdown of remote machine failed\n");
5377 if ( W_ERROR_EQUAL(werr, WERR_MACHINE_LOCKED) )
5378 d_fprintf(stderr, "\nMachine locked, use -f switch to force\n");
5380 d_fprintf(stderr, "\nresult was: %s\n", win_errstr(werr));
5383 return werror_to_ntstatus(werr);
5387 * Shut down a remote RPC server.
5389 * @param argc Standard main() style argc.
5390 * @param argv Standard main() style argv. Initial components are already
5393 * @return A shell status integer (0 for success).
5396 static int rpc_shutdown(struct net_context *c, int argc, const char **argv)
5400 if (c->display_usage) {
5402 "net rpc shutdown\n"
5405 _("Shut down a remote RPC server"));
5409 rc = run_rpc_command(c, NULL, &ndr_table_initshutdown.syntax_id, 0,
5410 rpc_init_shutdown_internals, argc, argv);
5413 DEBUG(1, ("initshutdown pipe failed, trying winreg pipe\n"));
5414 rc = run_rpc_command(c, NULL, &ndr_table_winreg.syntax_id, 0,
5415 rpc_reg_shutdown_internals, argc, argv);
5421 /***************************************************************************
5422 NT Domain trusts code (i.e. 'net rpc trustdom' functionality)
5423 ***************************************************************************/
5426 * Add interdomain trust account to the RPC server.
5427 * All parameters (except for argc and argv) are passed by run_rpc_command
5430 * @param c A net_context structure.
5431 * @param domain_sid The domain sid acquired from the server.
5432 * @param cli A cli_state connected to the server.
5433 * @param mem_ctx Talloc context, destroyed on completion of the function.
5434 * @param argc Standard main() style argc.
5435 * @param argv Standard main() style argv. Initial components are already
5438 * @return normal NTSTATUS return code.
5441 static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
5442 const struct dom_sid *domain_sid,
5443 const char *domain_name,
5444 struct cli_state *cli,
5445 struct rpc_pipe_client *pipe_hnd,
5446 TALLOC_CTX *mem_ctx,
5450 struct policy_handle connect_pol, domain_pol, user_pol;
5451 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5453 struct lsa_String lsa_acct_name;
5455 uint32 acct_flags=0;
5457 uint32_t access_granted = 0;
5458 union samr_UserInfo info;
5459 unsigned int orig_timeout;
5464 _(" net rpc trustdom add <domain_name> "
5465 "<trust password>\n"));
5466 return NT_STATUS_INVALID_PARAMETER;
5470 * Make valid trusting domain account (ie. uppercased and with '$' appended)
5473 if (asprintf(&acct_name, "%s$", argv[0]) < 0) {
5474 return NT_STATUS_NO_MEMORY;
5477 strupper_m(acct_name);
5479 init_lsa_String(&lsa_acct_name, acct_name);
5481 /* Get samr policy handle */
5482 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
5484 MAXIMUM_ALLOWED_ACCESS,
5486 if (!NT_STATUS_IS_OK(result)) {
5490 /* Get domain policy handle */
5491 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
5493 MAXIMUM_ALLOWED_ACCESS,
5494 CONST_DISCARD(struct dom_sid2 *, domain_sid),
5496 if (!NT_STATUS_IS_OK(result)) {
5500 /* This call can take a long time - allow the server to time out.
5501 * 35 seconds should do it. */
5503 orig_timeout = rpccli_set_timeout(pipe_hnd, 35000);
5505 /* Create trusting domain's account */
5506 acb_info = ACB_NORMAL;
5507 acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
5508 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
5509 SAMR_USER_ACCESS_SET_PASSWORD |
5510 SAMR_USER_ACCESS_GET_ATTRIBUTES |
5511 SAMR_USER_ACCESS_SET_ATTRIBUTES;
5513 result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
5522 /* And restore our original timeout. */
5523 rpccli_set_timeout(pipe_hnd, orig_timeout);
5525 if (!NT_STATUS_IS_OK(result)) {
5526 d_printf(_("net rpc trustdom add: create user %s failed %s\n"),
5527 acct_name, nt_errstr(result));
5532 struct samr_CryptPassword crypt_pwd;
5534 ZERO_STRUCT(info.info23);
5536 init_samr_CryptPassword(argv[1],
5537 &cli->user_session_key,
5540 info.info23.info.fields_present = SAMR_FIELD_ACCT_FLAGS |
5541 SAMR_FIELD_NT_PASSWORD_PRESENT;
5542 info.info23.info.acct_flags = ACB_DOMTRUST;
5543 info.info23.password = crypt_pwd;
5545 result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
5550 if (!NT_STATUS_IS_OK(result)) {
5551 DEBUG(0,("Could not set trust account password: %s\n",
5552 nt_errstr(result)));
5558 SAFE_FREE(acct_name);
5563 * Create interdomain trust account for a remote domain.
5565 * @param argc Standard argc.
5566 * @param argv Standard argv without initial components.
5568 * @return Integer status (0 means success).
5571 static int rpc_trustdom_add(struct net_context *c, int argc, const char **argv)
5573 if (argc > 0 && !c->display_usage) {
5574 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
5575 rpc_trustdom_add_internals, argc, argv);
5579 _("net rpc trustdom add <domain_name> <trust "
5587 * Remove interdomain trust account from the RPC server.
5588 * All parameters (except for argc and argv) are passed by run_rpc_command
5591 * @param c A net_context structure.
5592 * @param domain_sid The domain sid acquired from the server.
5593 * @param cli A cli_state connected to the server.
5594 * @param mem_ctx Talloc context, destroyed on completion of the function.
5595 * @param argc Standard main() style argc.
5596 * @param argv Standard main() style argv. Initial components are already
5599 * @return normal NTSTATUS return code.
5602 static NTSTATUS rpc_trustdom_del_internals(struct net_context *c,
5603 const struct dom_sid *domain_sid,
5604 const char *domain_name,
5605 struct cli_state *cli,
5606 struct rpc_pipe_client *pipe_hnd,
5607 TALLOC_CTX *mem_ctx,
5611 struct policy_handle connect_pol, domain_pol, user_pol;
5612 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
5614 struct dom_sid trust_acct_sid;
5615 struct samr_Ids user_rids, name_types;
5616 struct lsa_String lsa_acct_name;
5621 _(" net rpc trustdom del <domain_name>\n"));
5622 return NT_STATUS_INVALID_PARAMETER;
5626 * Make valid trusting domain account (ie. uppercased and with '$' appended)
5628 acct_name = talloc_asprintf(mem_ctx, "%s$", argv[0]);
5630 if (acct_name == NULL)
5631 return NT_STATUS_NO_MEMORY;
5633 strupper_m(acct_name);
5635 /* Get samr policy handle */
5636 result = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
5638 MAXIMUM_ALLOWED_ACCESS,
5640 if (!NT_STATUS_IS_OK(result)) {
5644 /* Get domain policy handle */
5645 result = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
5647 MAXIMUM_ALLOWED_ACCESS,
5648 CONST_DISCARD(struct dom_sid2 *, domain_sid),
5650 if (!NT_STATUS_IS_OK(result)) {
5654 init_lsa_String(&lsa_acct_name, acct_name);
5656 result = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
5663 if (!NT_STATUS_IS_OK(result)) {
5664 d_printf(_("net rpc trustdom del: LookupNames on user %s "
5666 acct_name, nt_errstr(result) );
5670 result = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
5672 MAXIMUM_ALLOWED_ACCESS,
5676 if (!NT_STATUS_IS_OK(result)) {
5677 d_printf(_("net rpc trustdom del: OpenUser on user %s failed "
5679 acct_name, nt_errstr(result) );
5683 /* append the rid to the domain sid */
5684 if (!sid_compose(&trust_acct_sid, domain_sid, user_rids.ids[0])) {
5688 /* remove the sid */
5690 result = rpccli_samr_RemoveMemberFromForeignDomain(pipe_hnd, mem_ctx,
5693 if (!NT_STATUS_IS_OK(result)) {
5694 d_printf(_("net rpc trustdom del: RemoveMemberFromForeignDomain"
5695 " on user %s failed %s\n"),
5696 acct_name, nt_errstr(result) );
5702 result = rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
5705 if (!NT_STATUS_IS_OK(result)) {
5706 d_printf(_("net rpc trustdom del: DeleteUser on user %s failed "
5708 acct_name, nt_errstr(result) );
5712 if (!NT_STATUS_IS_OK(result)) {
5713 d_printf(_("Could not set trust account password: %s\n"),
5723 * Delete interdomain trust account for a remote domain.
5725 * @param argc Standard argc.
5726 * @param argv Standard argv without initial components.
5728 * @return Integer status (0 means success).
5731 static int rpc_trustdom_del(struct net_context *c, int argc, const char **argv)
5733 if (argc > 0 && !c->display_usage) {
5734 return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id, 0,
5735 rpc_trustdom_del_internals, argc, argv);
5739 _("net rpc trustdom del <domain>\n"));
5744 static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
5745 struct cli_state *cli,
5746 TALLOC_CTX *mem_ctx,
5747 const char *domain_name)
5749 char *dc_name = NULL;
5750 const char *buffer = NULL;
5751 struct rpc_pipe_client *netr;
5754 struct dcerpc_binding_handle *b;
5756 /* Use NetServerEnum2 */
5758 if (cli_get_pdc_name(cli, domain_name, &dc_name)) {
5760 return NT_STATUS_OK;
5763 DEBUG(1,("NetServerEnum2 error: Couldn't find primary domain controller\
5764 for domain %s\n", domain_name));
5766 /* Try netr_GetDcName */
5768 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
5770 if (!NT_STATUS_IS_OK(status)) {
5774 b = netr->binding_handle;
5776 status = dcerpc_netr_GetDcName(b, mem_ctx,
5783 if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(result)) {
5787 DEBUG(1,("netr_GetDcName error: Couldn't find primary domain controller\
5788 for domain %s\n", domain_name));
5790 if (!NT_STATUS_IS_OK(status)) {
5794 return werror_to_ntstatus(result);
5798 * Establish trust relationship to a trusting domain.
5799 * Interdomain account must already be created on remote PDC.
5801 * @param c A net_context structure.
5802 * @param argc Standard argc.
5803 * @param argv Standard argv without initial components.
5805 * @return Integer status (0 means success).
5808 static int rpc_trustdom_establish(struct net_context *c, int argc,
5811 struct cli_state *cli = NULL;
5812 struct sockaddr_storage server_ss;
5813 struct rpc_pipe_client *pipe_hnd = NULL;
5814 struct policy_handle connect_hnd;
5815 TALLOC_CTX *mem_ctx;
5817 struct dom_sid *domain_sid;
5822 union lsa_PolicyInformation *info = NULL;
5825 * Connect to \\server\ipc$ as 'our domain' account with password
5828 if (argc != 1 || c->display_usage) {
5831 _("net rpc trustdom establish <domain_name>\n"));
5835 domain_name = smb_xstrdup(argv[0]);
5836 strupper_m(domain_name);
5838 /* account name used at first is our domain's name with '$' */
5839 if (asprintf(&acct_name, "%s$", lp_workgroup()) == -1) {
5842 strupper_m(acct_name);
5845 * opt_workgroup will be used by connection functions further,
5846 * hence it should be set to remote domain name instead of ours
5848 if (c->opt_workgroup) {
5849 c->opt_workgroup = smb_xstrdup(domain_name);
5852 c->opt_user_name = acct_name;
5854 /* find the domain controller */
5855 if (!net_find_pdc(&server_ss, pdc_name, domain_name)) {
5856 DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name));
5860 /* connect to ipc$ as username/password */
5861 nt_status = connect_to_ipc(c, &cli, &server_ss, pdc_name);
5862 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
5864 /* Is it trusting domain account for sure ? */
5865 DEBUG(0, ("Couldn't verify trusting domain account. Error was %s\n",
5866 nt_errstr(nt_status)));
5870 /* store who we connected to */
5872 saf_store( domain_name, pdc_name );
5875 * Connect to \\server\ipc$ again (this time anonymously)
5878 nt_status = connect_to_ipc_anonymous(c, &cli, &server_ss,
5881 if (NT_STATUS_IS_ERR(nt_status)) {
5882 DEBUG(0, ("Couldn't connect to domain %s controller. Error was %s.\n",
5883 domain_name, nt_errstr(nt_status)));
5887 if (!(mem_ctx = talloc_init("establishing trust relationship to "
5888 "domain %s", domain_name))) {
5889 DEBUG(0, ("talloc_init() failed\n"));
5894 /* Make sure we're talking to a proper server */
5896 nt_status = rpc_trustdom_get_pdc(c, cli, mem_ctx, domain_name);
5897 if (!NT_STATUS_IS_OK(nt_status)) {
5899 talloc_destroy(mem_ctx);
5904 * Call LsaOpenPolicy and LsaQueryInfo
5907 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
5909 if (!NT_STATUS_IS_OK(nt_status)) {
5910 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
5912 talloc_destroy(mem_ctx);
5916 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, KEY_QUERY_VALUE,
5918 if (NT_STATUS_IS_ERR(nt_status)) {
5919 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
5920 nt_errstr(nt_status)));
5922 talloc_destroy(mem_ctx);
5926 /* Querying info level 5 */
5928 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
5930 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
5932 if (NT_STATUS_IS_ERR(nt_status)) {
5933 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
5934 nt_errstr(nt_status)));
5936 talloc_destroy(mem_ctx);
5940 domain_sid = info->account_domain.sid;
5942 /* There should be actually query info level 3 (following nt serv behaviour),
5943 but I still don't know if it's _really_ necessary */
5946 * Store the password in secrets db
5949 if (!pdb_set_trusteddom_pw(domain_name, c->opt_password, domain_sid)) {
5950 DEBUG(0, ("Storing password for trusted domain failed.\n"));
5952 talloc_destroy(mem_ctx);
5957 * Close the pipes and clean up
5960 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
5961 if (NT_STATUS_IS_ERR(nt_status)) {
5962 DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n",
5963 nt_errstr(nt_status)));
5965 talloc_destroy(mem_ctx);
5971 talloc_destroy(mem_ctx);
5973 d_printf(_("Trust to domain %s established\n"), domain_name);
5978 * Revoke trust relationship to the remote domain.
5980 * @param c A net_context structure.
5981 * @param argc Standard argc.
5982 * @param argv Standard argv without initial components.
5984 * @return Integer status (0 means success).
5987 static int rpc_trustdom_revoke(struct net_context *c, int argc,
5993 if (argc < 1 || c->display_usage) {
5996 _("net rpc trustdom revoke <domain_name>\n"
5997 " Revoke trust relationship\n"
5998 " domain_name\tName of domain to revoke trust\n"));
6002 /* generate upper cased domain name */
6003 domain_name = smb_xstrdup(argv[0]);
6004 strupper_m(domain_name);
6006 /* delete password of the trust */
6007 if (!pdb_del_trusteddom_pw(domain_name)) {
6008 DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
6015 SAFE_FREE(domain_name);
6019 static NTSTATUS rpc_query_domain_sid(struct net_context *c,
6020 const struct dom_sid *domain_sid,
6021 const char *domain_name,
6022 struct cli_state *cli,
6023 struct rpc_pipe_client *pipe_hnd,
6024 TALLOC_CTX *mem_ctx,
6029 if (!sid_to_fstring(str_sid, domain_sid)) {
6030 return NT_STATUS_UNSUCCESSFUL;
6032 d_printf("%s\n", str_sid);
6033 return NT_STATUS_OK;
6036 static void print_trusted_domain(struct dom_sid *dom_sid, const char *trusted_dom_name)
6040 /* convert sid into ascii string */
6041 sid_to_fstring(ascii_sid, dom_sid);
6043 d_printf("%-20s%s\n", trusted_dom_name, ascii_sid);
6046 static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
6047 TALLOC_CTX *mem_ctx,
6048 struct policy_handle *pol,
6049 struct dom_sid dom_sid,
6050 const char *trusted_dom_name)
6053 union lsa_TrustedDomainInfo *info = NULL;
6054 char *cleartextpwd = NULL;
6055 uint8_t session_key[16];
6056 DATA_BLOB session_key_blob;
6057 DATA_BLOB data = data_blob_null;
6059 nt_status = rpccli_lsa_QueryTrustedDomainInfoBySid(pipe_hnd, mem_ctx,
6062 LSA_TRUSTED_DOMAIN_INFO_PASSWORD,
6064 if (NT_STATUS_IS_ERR(nt_status)) {
6065 DEBUG(0,("Could not query trusted domain info. Error was %s\n",
6066 nt_errstr(nt_status)));
6070 data = data_blob(info->password.password->data,
6071 info->password.password->length);
6073 if (!rpccli_get_pwd_hash(pipe_hnd, session_key)) {
6074 DEBUG(0, ("Could not retrieve password hash\n"));
6078 session_key_blob = data_blob_const(session_key, sizeof(session_key));
6079 cleartextpwd = sess_decrypt_string(mem_ctx, &data, &session_key_blob);
6081 if (cleartextpwd == NULL) {
6082 DEBUG(0,("retrieved NULL password\n"));
6083 nt_status = NT_STATUS_UNSUCCESSFUL;
6087 if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
6088 DEBUG(0, ("Storing password for trusted domain failed.\n"));
6089 nt_status = NT_STATUS_UNSUCCESSFUL;
6093 #ifdef DEBUG_PASSWORD
6094 DEBUG(100,("successfully vampired trusted domain [%s], sid: [%s], "
6095 "password: [%s]\n", trusted_dom_name,
6096 sid_string_dbg(&dom_sid), cleartextpwd));
6100 SAFE_FREE(cleartextpwd);
6101 data_blob_free(&data);
6106 static int rpc_trustdom_vampire(struct net_context *c, int argc,
6109 /* common variables */
6110 TALLOC_CTX* mem_ctx;
6111 struct cli_state *cli = NULL;
6112 struct rpc_pipe_client *pipe_hnd = NULL;
6114 const char *domain_name = NULL;
6115 struct dom_sid *queried_dom_sid;
6116 struct policy_handle connect_hnd;
6117 union lsa_PolicyInformation *info = NULL;
6119 /* trusted domains listing variables */
6120 unsigned int enum_ctx = 0;
6122 struct lsa_DomainList dom_list;
6125 if (c->display_usage) {
6127 "net rpc trustdom vampire\n"
6130 _("Vampire trust relationship from remote server"));
6135 * Listing trusted domains (stored in secrets.tdb, if local)
6138 mem_ctx = talloc_init("trust relationships vampire");
6141 * set domain and pdc name to local samba server (default)
6142 * or to remote one given in command line
6145 if (StrCaseCmp(c->opt_workgroup, lp_workgroup())) {
6146 domain_name = c->opt_workgroup;
6147 c->opt_target_workgroup = c->opt_workgroup;
6149 fstrcpy(pdc_name, global_myname());
6150 domain_name = talloc_strdup(mem_ctx, lp_workgroup());
6151 c->opt_target_workgroup = domain_name;
6154 /* open \PIPE\lsarpc and open policy handle */
6155 nt_status = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli);
6156 if (!NT_STATUS_IS_OK(nt_status)) {
6157 DEBUG(0, ("Couldn't connect to domain controller: %s\n",
6158 nt_errstr(nt_status)));
6159 talloc_destroy(mem_ctx);
6163 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
6165 if (!NT_STATUS_IS_OK(nt_status)) {
6166 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
6167 nt_errstr(nt_status) ));
6169 talloc_destroy(mem_ctx);
6173 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE,
6175 if (NT_STATUS_IS_ERR(nt_status)) {
6176 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6177 nt_errstr(nt_status)));
6179 talloc_destroy(mem_ctx);
6183 /* query info level 5 to obtain sid of a domain being queried */
6184 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6186 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6189 if (NT_STATUS_IS_ERR(nt_status)) {
6190 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6191 nt_errstr(nt_status)));
6193 talloc_destroy(mem_ctx);
6197 queried_dom_sid = info->account_domain.sid;
6200 * Keep calling LsaEnumTrustdom over opened pipe until
6201 * the end of enumeration is reached
6204 d_printf(_("Vampire trusted domains:\n\n"));
6207 nt_status = rpccli_lsa_EnumTrustDom(pipe_hnd, mem_ctx,
6212 if (NT_STATUS_IS_ERR(nt_status)) {
6213 DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
6214 nt_errstr(nt_status)));
6216 talloc_destroy(mem_ctx);
6220 for (i = 0; i < dom_list.count; i++) {
6222 print_trusted_domain(dom_list.domains[i].sid,
6223 dom_list.domains[i].name.string);
6225 nt_status = vampire_trusted_domain(pipe_hnd, mem_ctx, &connect_hnd,
6226 *dom_list.domains[i].sid,
6227 dom_list.domains[i].name.string);
6228 if (!NT_STATUS_IS_OK(nt_status)) {
6230 talloc_destroy(mem_ctx);
6236 * in case of no trusted domains say something rather
6237 * than just display blank line
6239 if (!dom_list.count) d_printf(_("none\n"));
6241 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6243 /* close this connection before doing next one */
6244 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6245 if (NT_STATUS_IS_ERR(nt_status)) {
6246 DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
6247 nt_errstr(nt_status)));
6249 talloc_destroy(mem_ctx);
6253 /* close lsarpc pipe and connection to IPC$ */
6256 talloc_destroy(mem_ctx);
6260 static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
6262 /* common variables */
6263 TALLOC_CTX* mem_ctx;
6264 struct cli_state *cli = NULL, *remote_cli = NULL;
6265 struct rpc_pipe_client *pipe_hnd = NULL;
6267 const char *domain_name = NULL;
6268 struct dom_sid *queried_dom_sid;
6269 int ascii_dom_name_len;
6270 struct policy_handle connect_hnd;
6271 union lsa_PolicyInformation *info = NULL;
6273 /* trusted domains listing variables */
6274 unsigned int num_domains, enum_ctx = 0;
6276 struct lsa_DomainList dom_list;
6280 /* trusting domains listing variables */
6281 struct policy_handle domain_hnd;
6282 struct samr_SamArray *trusts = NULL;
6284 if (c->display_usage) {
6286 "net rpc trustdom list\n"
6289 _("List incoming and outgoing trust relationships"));
6294 * Listing trusted domains (stored in secrets.tdb, if local)
6297 mem_ctx = talloc_init("trust relationships listing");
6300 * set domain and pdc name to local samba server (default)
6301 * or to remote one given in command line
6304 if (StrCaseCmp(c->opt_workgroup, lp_workgroup())) {
6305 domain_name = c->opt_workgroup;
6306 c->opt_target_workgroup = c->opt_workgroup;
6308 fstrcpy(pdc_name, global_myname());
6309 domain_name = talloc_strdup(mem_ctx, lp_workgroup());
6310 c->opt_target_workgroup = domain_name;
6313 /* open \PIPE\lsarpc and open policy handle */
6314 nt_status = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli);
6315 if (!NT_STATUS_IS_OK(nt_status)) {
6316 DEBUG(0, ("Couldn't connect to domain controller: %s\n",
6317 nt_errstr(nt_status)));
6318 talloc_destroy(mem_ctx);
6322 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
6324 if (!NT_STATUS_IS_OK(nt_status)) {
6325 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
6326 nt_errstr(nt_status) ));
6328 talloc_destroy(mem_ctx);
6332 nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE,
6334 if (NT_STATUS_IS_ERR(nt_status)) {
6335 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
6336 nt_errstr(nt_status)));
6338 talloc_destroy(mem_ctx);
6342 /* query info level 5 to obtain sid of a domain being queried */
6343 nt_status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
6345 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
6348 if (NT_STATUS_IS_ERR(nt_status)) {
6349 DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
6350 nt_errstr(nt_status)));
6352 talloc_destroy(mem_ctx);
6356 queried_dom_sid = info->account_domain.sid;
6359 * Keep calling LsaEnumTrustdom over opened pipe until
6360 * the end of enumeration is reached
6363 d_printf(_("Trusted domains list:\n\n"));
6365 found_domain = false;
6368 nt_status = rpccli_lsa_EnumTrustDom(pipe_hnd, mem_ctx,
6373 if (NT_STATUS_IS_ERR(nt_status)) {
6374 DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
6375 nt_errstr(nt_status)));
6377 talloc_destroy(mem_ctx);
6381 for (i = 0; i < dom_list.count; i++) {
6382 print_trusted_domain(dom_list.domains[i].sid,
6383 dom_list.domains[i].name.string);
6384 found_domain = true;
6388 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6391 * in case of no trusted domains say something rather
6392 * than just display blank line
6394 if (!found_domain) {
6395 d_printf(_("none\n"));
6398 /* close this connection before doing next one */
6399 nt_status = rpccli_lsa_Close(pipe_hnd, mem_ctx, &connect_hnd);
6400 if (NT_STATUS_IS_ERR(nt_status)) {
6401 DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
6402 nt_errstr(nt_status)));
6404 talloc_destroy(mem_ctx);
6408 TALLOC_FREE(pipe_hnd);
6411 * Listing trusting domains (stored in passdb backend, if local)
6414 d_printf(_("\nTrusting domains list:\n\n"));
6417 * Open \PIPE\samr and get needed policy handles
6419 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
6421 if (!NT_STATUS_IS_OK(nt_status)) {
6422 DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
6424 talloc_destroy(mem_ctx);
6429 nt_status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
6431 SAMR_ACCESS_LOOKUP_DOMAIN,
6433 if (!NT_STATUS_IS_OK(nt_status)) {
6434 DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n",
6435 nt_errstr(nt_status)));
6437 talloc_destroy(mem_ctx);
6441 /* SamrOpenDomain - we have to open domain policy handle in order to be
6442 able to enumerate accounts*/
6443 nt_status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
6445 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
6448 if (!NT_STATUS_IS_OK(nt_status)) {
6449 DEBUG(0, ("Couldn't open domain object. Error was %s\n",
6450 nt_errstr(nt_status)));
6452 talloc_destroy(mem_ctx);
6457 * perform actual enumeration
6460 found_domain = false;
6462 enum_ctx = 0; /* reset enumeration context from last enumeration */
6465 nt_status = rpccli_samr_EnumDomainUsers(pipe_hnd, mem_ctx,
6472 if (NT_STATUS_IS_ERR(nt_status)) {
6473 DEBUG(0, ("Couldn't enumerate accounts. Error was: %s\n",
6474 nt_errstr(nt_status)));
6476 talloc_destroy(mem_ctx);
6480 for (i = 0; i < num_domains; i++) {
6482 char *str = CONST_DISCARD(char *, trusts->entries[i].name.string);
6484 found_domain = true;
6487 * get each single domain's sid (do we _really_ need this ?):
6488 * 1) connect to domain's pdc
6489 * 2) query the pdc for domain's sid
6492 /* get rid of '$' tail */
6493 ascii_dom_name_len = strlen(str);
6494 if (ascii_dom_name_len && ascii_dom_name_len < FSTRING_LEN)
6495 str[ascii_dom_name_len - 1] = '\0';
6497 /* set opt_* variables to remote domain */
6499 c->opt_workgroup = talloc_strdup(mem_ctx, str);
6500 c->opt_target_workgroup = c->opt_workgroup;
6502 d_printf("%-20s", str);
6504 /* connect to remote domain controller */
6505 nt_status = net_make_ipc_connection(c,
6506 NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS,
6508 if (NT_STATUS_IS_OK(nt_status)) {
6509 /* query for domain's sid */
6510 if (run_rpc_command(
6512 &ndr_table_lsarpc.syntax_id, 0,
6513 rpc_query_domain_sid, argc,
6515 d_printf(_("strange - couldn't get domain's sid\n"));
6517 cli_shutdown(remote_cli);
6520 d_fprintf(stderr, _("domain controller is not "
6521 "responding: %s\n"),
6522 nt_errstr(nt_status));
6523 d_printf(_("couldn't get domain's sid\n"));
6527 } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
6529 if (!found_domain) {
6533 /* close opened samr and domain policy handles */
6534 nt_status = rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_hnd);
6535 if (!NT_STATUS_IS_OK(nt_status)) {
6536 DEBUG(0, ("Couldn't properly close domain policy handle for domain %s\n", domain_name));
6539 nt_status = rpccli_samr_Close(pipe_hnd, mem_ctx, &connect_hnd);
6540 if (!NT_STATUS_IS_OK(nt_status)) {
6541 DEBUG(0, ("Couldn't properly close samr policy handle for domain %s\n", domain_name));
6544 /* close samr pipe and connection to IPC$ */
6547 talloc_destroy(mem_ctx);
6552 * Entrypoint for 'net rpc trustdom' code.
6554 * @param argc Standard argc.
6555 * @param argv Standard argv without initial components.
6557 * @return Integer status (0 means success).
6560 static int rpc_trustdom(struct net_context *c, int argc, const char **argv)
6562 struct functable func[] = {
6567 N_("Add trusting domain's account"),
6568 N_("net rpc trustdom add\n"
6569 " Add trusting domain's account")
6575 N_("Remove trusting domain's account"),
6576 N_("net rpc trustdom del\n"
6577 " Remove trusting domain's account")
6581 rpc_trustdom_establish,
6583 N_("Establish outgoing trust relationship"),
6584 N_("net rpc trustdom establish\n"
6585 " Establish outgoing trust relationship")
6589 rpc_trustdom_revoke,
6591 N_("Revoke outgoing trust relationship"),
6592 N_("net rpc trustdom revoke\n"
6593 " Revoke outgoing trust relationship")
6599 N_("List in- and outgoing domain trusts"),
6600 N_("net rpc trustdom list\n"
6601 " List in- and outgoing domain trusts")
6605 rpc_trustdom_vampire,
6607 N_("Vampire trusts from remote server"),
6608 N_("net rpc trustdom vampire\n"
6609 " Vampire trusts from remote server")
6611 {NULL, NULL, 0, NULL, NULL}
6614 return net_run_function(c, argc, argv, "net rpc trustdom", func);
6618 * Check if a server will take rpc commands
6619 * @param flags Type of server to connect to (PDC, DMB, localhost)
6620 * if the host is not explicitly specified
6621 * @return bool (true means rpc supported)
6623 bool net_rpc_check(struct net_context *c, unsigned flags)
6625 struct cli_state *cli;
6627 struct sockaddr_storage server_ss;
6628 char *server_name = NULL;
6631 /* flags (i.e. server type) may depend on command */
6632 if (!net_find_server(c, NULL, flags, &server_ss, &server_name))
6635 if ((cli = cli_initialise()) == NULL) {
6639 status = cli_connect(cli, server_name, &server_ss);
6640 if (!NT_STATUS_IS_OK(status))
6642 if (!attempt_netbios_session_request(&cli, global_myname(),
6643 server_name, &server_ss))
6645 status = cli_negprot(cli);
6646 if (!NT_STATUS_IS_OK(status))
6648 if (cli->protocol < PROTOCOL_NT1)
6657 /* dump sam database via samsync rpc calls */
6658 static int rpc_samdump(struct net_context *c, int argc, const char **argv) {
6659 if (c->display_usage) {
6664 _("Dump remote SAM database"));
6668 return run_rpc_command(c, NULL, &ndr_table_netlogon.syntax_id,
6669 NET_FLAGS_ANONYMOUS,
6670 rpc_samdump_internals, argc, argv);
6673 /* syncronise sam database via samsync rpc calls */
6674 static int rpc_vampire(struct net_context *c, int argc, const char **argv)
6676 struct functable func[] = {
6681 N_("Dump remote SAM database to ldif"),
6682 N_("net rpc vampire ldif\n"
6683 " Dump remote SAM database to LDIF file or "
6690 N_("Dump remote SAM database to Kerberos Keytab"),
6691 N_("net rpc vampire keytab\n"
6692 " Dump remote SAM database to Kerberos keytab "
6699 N_("Dump remote SAM database to passdb"),
6700 N_("net rpc vampire passdb\n"
6701 " Dump remote SAM database to passdb")
6704 {NULL, NULL, 0, NULL, NULL}
6708 if (c->display_usage) {
6713 _("Vampire remote SAM database"));
6717 return run_rpc_command(c, NULL, &ndr_table_netlogon.syntax_id,
6718 NET_FLAGS_ANONYMOUS,
6719 rpc_vampire_internals,
6723 return net_run_function(c, argc, argv, "net rpc vampire", func);
6727 * Migrate everything from a print server.
6729 * @param c A net_context structure.
6730 * @param argc Standard main() style argc.
6731 * @param argv Standard main() style argv. Initial components are already
6734 * @return A shell status integer (0 for success).
6736 * The order is important !
6737 * To successfully add drivers the print queues have to exist !
6738 * Applying ACLs should be the last step, because you're easily locked out.
6741 static int rpc_printer_migrate_all(struct net_context *c, int argc,
6746 if (c->display_usage) {
6748 "net rpc printer migrate all\n"
6751 _("Migrate everything from a print server"));
6756 d_printf(_("no server to migrate\n"));
6760 ret = run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6761 rpc_printer_migrate_printers_internals, argc,
6766 ret = run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6767 rpc_printer_migrate_drivers_internals, argc,
6772 ret = run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6773 rpc_printer_migrate_forms_internals, argc, argv);
6777 ret = run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6778 rpc_printer_migrate_settings_internals, argc,
6783 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6784 rpc_printer_migrate_security_internals, argc,
6790 * Migrate print drivers from a print server.
6792 * @param c A net_context structure.
6793 * @param argc Standard main() style argc.
6794 * @param argv Standard main() style argv. Initial components are already
6797 * @return A shell status integer (0 for success).
6799 static int rpc_printer_migrate_drivers(struct net_context *c, int argc,
6802 if (c->display_usage) {
6804 "net rpc printer migrate drivers\n"
6807 _("Migrate print-drivers from a print-server"));
6812 d_printf(_("no server to migrate\n"));
6816 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6817 rpc_printer_migrate_drivers_internals,
6822 * Migrate print-forms from a print-server.
6824 * @param c A net_context structure.
6825 * @param argc Standard main() style argc.
6826 * @param argv Standard main() style argv. Initial components are already
6829 * @return A shell status integer (0 for success).
6831 static int rpc_printer_migrate_forms(struct net_context *c, int argc,
6834 if (c->display_usage) {
6836 "net rpc printer migrate forms\n"
6839 _("Migrate print-forms from a print-server"));
6844 d_printf(_("no server to migrate\n"));
6848 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6849 rpc_printer_migrate_forms_internals,
6854 * Migrate printers from a print-server.
6856 * @param c A net_context structure.
6857 * @param argc Standard main() style argc.
6858 * @param argv Standard main() style argv. Initial components are already
6861 * @return A shell status integer (0 for success).
6863 static int rpc_printer_migrate_printers(struct net_context *c, int argc,
6866 if (c->display_usage) {
6868 "net rpc printer migrate printers\n"
6871 _("Migrate printers from a print-server"));
6876 d_printf(_("no server to migrate\n"));
6880 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6881 rpc_printer_migrate_printers_internals,
6886 * Migrate printer-ACLs from a print-server
6888 * @param c A net_context structure.
6889 * @param argc Standard main() style argc.
6890 * @param argv Standard main() style argv. Initial components are already
6893 * @return A shell status integer (0 for success).
6895 static int rpc_printer_migrate_security(struct net_context *c, int argc,
6898 if (c->display_usage) {
6900 "net rpc printer migrate security\n"
6903 _("Migrate printer-ACLs from a print-server"));
6908 d_printf(_("no server to migrate\n"));
6912 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6913 rpc_printer_migrate_security_internals,
6918 * Migrate printer-settings from a print-server.
6920 * @param c A net_context structure.
6921 * @param argc Standard main() style argc.
6922 * @param argv Standard main() style argv. Initial components are already
6925 * @return A shell status integer (0 for success).
6927 static int rpc_printer_migrate_settings(struct net_context *c, int argc,
6930 if (c->display_usage) {
6932 "net rpc printer migrate settings\n"
6935 _("Migrate printer-settings from a "
6941 d_printf(_("no server to migrate\n"));
6945 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
6946 rpc_printer_migrate_settings_internals,
6951 * 'net rpc printer' entrypoint.
6953 * @param c A net_context structure.
6954 * @param argc Standard main() style argc.
6955 * @param argv Standard main() style argv. Initial components are already
6959 int rpc_printer_migrate(struct net_context *c, int argc, const char **argv)
6962 /* ouch: when addriver and setdriver are called from within
6963 rpc_printer_migrate_drivers_internals, the printer-queue already
6966 struct functable func[] = {
6969 rpc_printer_migrate_all,
6971 N_("Migrate all from remote to local print server"),
6972 N_("net rpc printer migrate all\n"
6973 " Migrate all from remote to local print server")
6977 rpc_printer_migrate_drivers,
6979 N_("Migrate drivers to local server"),
6980 N_("net rpc printer migrate drivers\n"
6981 " Migrate drivers to local server")
6985 rpc_printer_migrate_forms,
6987 N_("Migrate froms to local server"),
6988 N_("net rpc printer migrate forms\n"
6989 " Migrate froms to local server")
6993 rpc_printer_migrate_printers,
6995 N_("Migrate printers to local server"),
6996 N_("net rpc printer migrate printers\n"
6997 " Migrate printers to local server")
7001 rpc_printer_migrate_security,
7003 N_("Mirgate printer ACLs to local server"),
7004 N_("net rpc printer migrate security\n"
7005 " Mirgate printer ACLs to local server")
7009 rpc_printer_migrate_settings,
7011 N_("Migrate printer settings to local server"),
7012 N_("net rpc printer migrate settings\n"
7013 " Migrate printer settings to local server")
7015 {NULL, NULL, 0, NULL, NULL}
7018 return net_run_function(c, argc, argv, "net rpc printer migrate",func);
7023 * List printers on a remote RPC server.
7025 * @param c A net_context structure.
7026 * @param argc Standard main() style argc.
7027 * @param argv Standard main() style argv. Initial components are already
7030 * @return A shell status integer (0 for success).
7032 static int rpc_printer_list(struct net_context *c, int argc, const char **argv)
7034 if (c->display_usage) {
7036 "net rpc printer list\n"
7039 _("List printers on a remote RPC server"));
7043 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7044 rpc_printer_list_internals,
7049 * List printer-drivers on a remote RPC server.
7051 * @param c A net_context structure.
7052 * @param argc Standard main() style argc.
7053 * @param argv Standard main() style argv. Initial components are already
7056 * @return A shell status integer (0 for success).
7058 static int rpc_printer_driver_list(struct net_context *c, int argc,
7061 if (c->display_usage) {
7063 "net rpc printer driver\n"
7066 _("List printer-drivers on a remote RPC server"));
7070 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7071 rpc_printer_driver_list_internals,
7076 * Publish printer in ADS via MSRPC.
7078 * @param c A net_context structure.
7079 * @param argc Standard main() style argc.
7080 * @param argv Standard main() style argv. Initial components are already
7083 * @return A shell status integer (0 for success).
7085 static int rpc_printer_publish_publish(struct net_context *c, int argc,
7088 if (c->display_usage) {
7090 "net rpc printer publish publish\n"
7093 _("Publish printer in ADS via MSRPC"));
7097 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7098 rpc_printer_publish_publish_internals,
7103 * Update printer in ADS via MSRPC.
7105 * @param c A net_context structure.
7106 * @param argc Standard main() style argc.
7107 * @param argv Standard main() style argv. Initial components are already
7110 * @return A shell status integer (0 for success).
7112 static int rpc_printer_publish_update(struct net_context *c, int argc, const char **argv)
7114 if (c->display_usage) {
7116 "net rpc printer publish update\n"
7119 _("Update printer in ADS via MSRPC"));
7123 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7124 rpc_printer_publish_update_internals,
7129 * UnPublish printer in ADS via MSRPC.
7131 * @param c A net_context structure.
7132 * @param argc Standard main() style argc.
7133 * @param argv Standard main() style argv. Initial components are already
7136 * @return A shell status integer (0 for success).
7138 static int rpc_printer_publish_unpublish(struct net_context *c, int argc,
7141 if (c->display_usage) {
7143 "net rpc printer publish unpublish\n"
7146 _("UnPublish printer in ADS via MSRPC"));
7150 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7151 rpc_printer_publish_unpublish_internals,
7156 * List published printers via MSRPC.
7158 * @param c A net_context structure.
7159 * @param argc Standard main() style argc.
7160 * @param argv Standard main() style argv. Initial components are already
7163 * @return A shell status integer (0 for success).
7165 static int rpc_printer_publish_list(struct net_context *c, int argc,
7168 if (c->display_usage) {
7170 "net rpc printer publish list\n"
7173 _("List published printers via MSRPC"));
7177 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7178 rpc_printer_publish_list_internals,
7184 * Publish printer in ADS.
7186 * @param c A net_context structure.
7187 * @param argc Standard main() style argc.
7188 * @param argv Standard main() style argv. Initial components are already
7191 * @return A shell status integer (0 for success).
7193 static int rpc_printer_publish(struct net_context *c, int argc,
7197 struct functable func[] = {
7200 rpc_printer_publish_publish,
7202 N_("Publish printer in AD"),
7203 N_("net rpc printer publish publish\n"
7204 " Publish printer in AD")
7208 rpc_printer_publish_update,
7210 N_("Update printer in AD"),
7211 N_("net rpc printer publish update\n"
7212 " Update printer in AD")
7216 rpc_printer_publish_unpublish,
7218 N_("Unpublish printer"),
7219 N_("net rpc printer publish unpublish\n"
7220 " Unpublish printer")
7224 rpc_printer_publish_list,
7226 N_("List published printers"),
7227 N_("net rpc printer publish list\n"
7228 " List published printers")
7230 {NULL, NULL, 0, NULL, NULL}
7234 if (c->display_usage) {
7235 d_printf(_("Usage:\n"));
7236 d_printf(_("net rpc printer publish\n"
7237 " List published printers\n"
7238 " Alias of net rpc printer publish "
7240 net_display_usage_from_functable(func);
7243 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7244 rpc_printer_publish_list_internals,
7248 return net_run_function(c, argc, argv, "net rpc printer publish",func);
7254 * Display rpc printer help page.
7256 * @param c A net_context structure.
7257 * @param argc Standard main() style argc.
7258 * @param argv Standard main() style argv. Initial components are already
7261 int rpc_printer_usage(struct net_context *c, int argc, const char **argv)
7263 d_printf(_("net rpc printer LIST [printer] [misc. options] [targets]\n"
7264 "\tlists all printers on print-server\n\n"));
7265 d_printf(_("net rpc printer DRIVER [printer] [misc. options] [targets]\n"
7266 "\tlists all printer-drivers on print-server\n\n"));
7267 d_printf(_("net rpc printer PUBLISH action [printer] [misc. options] [targets]\n"
7268 "\tpublishes printer settings in Active Directory\n"
7269 "\taction can be one of PUBLISH, UPDATE, UNPUBLISH or LIST\n\n"));
7270 d_printf(_("net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]"
7271 "\n\tmigrates printers from remote to local server\n\n"));
7272 d_printf(_("net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]"
7273 "\n\tmigrates printer-settings from remote to local server\n\n"));
7274 d_printf(_("net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]"
7275 "\n\tmigrates printer-drivers from remote to local server\n\n"));
7276 d_printf(_("net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]"
7277 "\n\tmigrates printer-forms from remote to local server\n\n"));
7278 d_printf(_("net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]"
7279 "\n\tmigrates printer-ACLs from remote to local server\n\n"));
7280 d_printf(_("net rpc printer MIGRATE ALL [printer] [misc. options] [targets]"
7281 "\n\tmigrates drivers, forms, queues, settings and acls from\n"
7282 "\tremote to local print-server\n\n"));
7283 net_common_methods_usage(c, argc, argv);
7284 net_common_flags_usage(c, argc, argv);
7286 "\t-v or --verbose\t\t\tgive verbose output\n"
7287 "\t --destination\t\tmigration target server (default: localhost)\n"));
7293 * 'net rpc printer' entrypoint.
7295 * @param c A net_context structure.
7296 * @param argc Standard main() style argc.
7297 * @param argv Standard main() style argv. Initial components are already
7300 int net_rpc_printer(struct net_context *c, int argc, const char **argv)
7302 struct functable func[] = {
7307 N_("List all printers on print server"),
7308 N_("net rpc printer list\n"
7309 " List all printers on print server")
7313 rpc_printer_migrate,
7315 N_("Migrate printer to local server"),
7316 N_("net rpc printer migrate\n"
7317 " Migrate printer to local server")
7321 rpc_printer_driver_list,
7323 N_("List printer drivers"),
7324 N_("net rpc printer driver\n"
7325 " List printer drivers")
7329 rpc_printer_publish,
7331 N_("Publish printer in AD"),
7332 N_("net rpc printer publish\n"
7333 " Publish printer in AD")
7335 {NULL, NULL, 0, NULL, NULL}
7339 if (c->display_usage) {
7340 d_printf(_("Usage:\n"));
7341 d_printf(_("net rpc printer\n"
7342 " List printers\n"));
7343 net_display_usage_from_functable(func);
7346 return run_rpc_command(c, NULL, &ndr_table_spoolss.syntax_id, 0,
7347 rpc_printer_list_internals,
7351 return net_run_function(c, argc, argv, "net rpc printer", func);
7355 * 'net rpc' entrypoint.
7357 * @param c A net_context structure.
7358 * @param argc Standard main() style argc.
7359 * @param argv Standard main() style argv. Initial components are already
7363 int net_rpc(struct net_context *c, int argc, const char **argv)
7365 NET_API_STATUS status;
7367 struct functable func[] = {
7372 N_("Modify global audit settings"),
7373 N_("net rpc audit\n"
7374 " Modify global audit settings")
7380 N_("Show basic info about a domain"),
7382 " Show basic info about a domain")
7388 N_("Join a domain"),
7396 N_("Join a domain created in server manager"),
7397 N_("net rpc oldjoin\n"
7398 " Join a domain created in server manager")
7404 N_("Test that a join is valid"),
7405 N_("net rpc testjoin\n"
7406 " Test that a join is valid")
7412 N_("List/modify users"),
7414 " List/modify users")
7420 N_("Change a user password"),
7421 N_("net rpc password\n"
7422 " Change a user password\n"
7423 " Alias for net rpc user password")
7429 N_("List/modify groups"),
7430 N_("net rpc group\n"
7431 " List/modify groups")
7437 N_("List/modify shares"),
7438 N_("net rpc share\n"
7439 " List/modify shares")
7445 N_("List open files"),
7453 N_("List/modify printers"),
7454 N_("net rpc printer\n"
7455 " List/modify printers")
7459 net_rpc_changetrustpw,
7461 N_("Change trust account password"),
7462 N_("net rpc changetrustpw\n"
7463 " Change trust account password")
7469 N_("Modify domain trusts"),
7470 N_("net rpc trustdom\n"
7471 " Modify domain trusts")
7477 N_("Abort a remote shutdown"),
7478 N_("net rpc abortshutdown\n"
7479 " Abort a remote shutdown")
7485 N_("Shutdown a remote server"),
7486 N_("net rpc shutdown\n"
7487 " Shutdown a remote server")
7493 N_("Dump SAM data of remote NT PDC"),
7494 N_("net rpc samdump\n"
7495 " Dump SAM data of remote NT PDC")
7501 N_("Sync a remote NT PDC's data into local passdb"),
7502 N_("net rpc vampire\n"
7503 " Sync a remote NT PDC's data into local passdb")
7509 N_("Fetch the domain sid into local secrets.tdb"),
7510 N_("net rpc getsid\n"
7511 " Fetch the domain sid into local secrets.tdb")
7517 N_("Manage privileges assigned to SID"),
7518 N_("net rpc rights\n"
7519 " Manage privileges assigned to SID")
7525 N_("Start/stop/query remote services"),
7526 N_("net rpc service\n"
7527 " Start/stop/query remote services")
7533 N_("Manage registry hives"),
7534 N_("net rpc registry\n"
7535 " Manage registry hives")
7541 N_("Open interactive shell on remote server"),
7542 N_("net rpc shell\n"
7543 " Open interactive shell on remote server")
7545 {NULL, NULL, 0, NULL, NULL}
7548 status = libnetapi_net_init(&c->netapi_ctx);
7552 libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
7553 libnetapi_set_password(c->netapi_ctx, c->opt_password);
7554 if (c->opt_kerberos) {
7555 libnetapi_set_use_kerberos(c->netapi_ctx);
7557 if (c->opt_ccache) {
7558 libnetapi_set_use_ccache(c->netapi_ctx);
7561 return net_run_function(c, argc, argv, "net rpc", func);