2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "system/passwd.h"
23 #include "utils/net.h"
24 #include "../librpc/gen_ndr/samr.h"
26 #include "../libcli/security/security.h"
27 #include "lib/winbind_util.h"
29 #include "passdb/pdb_ldap_util.h"
30 #include "passdb/pdb_ldap_schema.h"
31 #include "lib/privileges.h"
38 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
40 bool (*fn)(struct samu *, const char *,
41 enum pdb_value_state))
43 struct samu *sam_acct = NULL;
45 enum lsa_SidType type;
46 const char *dom, *name;
49 if (argc != 2 || c->display_usage) {
50 d_fprintf(stderr, "%s\n", _("Usage:"));
51 d_fprintf(stderr, _("net sam set %s <user> <value>\n"),
56 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
57 &dom, &name, &sid, &type)) {
58 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
62 if (type != SID_NAME_USER) {
63 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
64 sid_type_lookup(type));
68 if ( !(sam_acct = samu_new( NULL )) ) {
69 d_fprintf(stderr, _("Internal error\n"));
73 if (!pdb_getsampwsid(sam_acct, &sid)) {
74 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
78 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
79 d_fprintf(stderr, _("Internal error\n"));
83 status = pdb_update_sam_account(sam_acct);
84 if (!NT_STATUS_IS_OK(status)) {
85 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
86 argv[0], nt_errstr(status));
90 TALLOC_FREE(sam_acct);
92 d_printf(_("Updated %s for %s\\%s to %s\n"), field, dom, name, argv[1]);
96 static int net_sam_set_fullname(struct net_context *c, int argc,
99 return net_sam_userset(c, argc, argv, "fullname",
103 static int net_sam_set_logonscript(struct net_context *c, int argc,
106 return net_sam_userset(c, argc, argv, "logonscript",
107 pdb_set_logon_script);
110 static int net_sam_set_profilepath(struct net_context *c, int argc,
113 return net_sam_userset(c, argc, argv, "profilepath",
114 pdb_set_profile_path);
117 static int net_sam_set_homedrive(struct net_context *c, int argc,
120 return net_sam_userset(c, argc, argv, "homedrive",
124 static int net_sam_set_homedir(struct net_context *c, int argc,
127 return net_sam_userset(c, argc, argv, "homedir",
131 static int net_sam_set_workstations(struct net_context *c, int argc,
134 return net_sam_userset(c, argc, argv, "workstations",
135 pdb_set_workstations);
142 static int net_sam_set_userflag(struct net_context *c, int argc,
143 const char **argv, const char *field,
146 struct samu *sam_acct = NULL;
148 enum lsa_SidType type;
149 const char *dom, *name;
153 if ((argc != 2) || c->display_usage ||
154 (!strequal(argv[1], "yes") &&
155 !strequal(argv[1], "no"))) {
156 d_fprintf(stderr, "%s\n", _("Usage:"));
157 d_fprintf(stderr, _("net sam set %s <user> [yes|no]\n"),
162 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
163 &dom, &name, &sid, &type)) {
164 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
168 if (type != SID_NAME_USER) {
169 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
170 sid_type_lookup(type));
174 if ( !(sam_acct = samu_new( NULL )) ) {
175 d_fprintf(stderr, _("Internal error\n"));
179 if (!pdb_getsampwsid(sam_acct, &sid)) {
180 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
184 acct_flags = pdb_get_acct_ctrl(sam_acct);
186 if (strequal(argv[1], "yes")) {
192 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
194 status = pdb_update_sam_account(sam_acct);
195 if (!NT_STATUS_IS_OK(status)) {
196 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
197 argv[0], nt_errstr(status));
201 TALLOC_FREE(sam_acct);
203 d_fprintf(stderr, _("Updated flag %s for %s\\%s to %s\n"), field, dom,
208 static int net_sam_set_disabled(struct net_context *c, int argc,
211 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
214 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
217 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
220 static int net_sam_set_autolock(struct net_context *c, int argc,
223 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
226 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
229 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
233 * Set pass last change time, based on force pass change now
236 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
239 struct samu *sam_acct = NULL;
241 enum lsa_SidType type;
242 const char *dom, *name;
245 if ((argc != 2) || c->display_usage ||
246 (!strequal(argv[1], "yes") &&
247 !strequal(argv[1], "no"))) {
248 d_fprintf(stderr, "%s\n%s",
250 _("net sam set pwdmustchangenow <user> [yes|no]\n"));
254 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
255 &dom, &name, &sid, &type)) {
256 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
260 if (type != SID_NAME_USER) {
261 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
262 sid_type_lookup(type));
266 if ( !(sam_acct = samu_new( NULL )) ) {
267 d_fprintf(stderr, _("Internal error\n"));
271 if (!pdb_getsampwsid(sam_acct, &sid)) {
272 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
276 if (strequal(argv[1], "yes")) {
277 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
279 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
282 status = pdb_update_sam_account(sam_acct);
283 if (!NT_STATUS_IS_OK(status)) {
284 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
285 argv[0], nt_errstr(status));
289 TALLOC_FREE(sam_acct);
291 d_fprintf(stderr, _("Updated 'user must change password at next logon' "
292 "for %s\\%s to %s\n"), dom,
299 * Set a user's or a group's comment
302 static int net_sam_set_comment(struct net_context *c, int argc,
307 enum lsa_SidType type;
308 const char *dom, *name;
311 if (argc != 2 || c->display_usage) {
312 d_fprintf(stderr, "%s\n%s",
314 _("net sam set comment <name> <comment>\n"));
318 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
319 &dom, &name, &sid, &type)) {
320 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
324 if (type == SID_NAME_USER) {
325 return net_sam_userset(c, argc, argv, "comment",
329 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
330 (type != SID_NAME_WKN_GRP)) {
331 d_fprintf(stderr, _("%s is a %s, not a group\n"), argv[0],
332 sid_type_lookup(type));
336 map = talloc_zero(talloc_tos(), GROUP_MAP);
338 d_fprintf(stderr, _("Out of memory!\n"));
342 if (!pdb_getgrsid(map, sid)) {
343 d_fprintf(stderr, _("Could not load group %s\n"), argv[0]);
347 map->comment = talloc_strdup(map, argv[1]);
349 d_fprintf(stderr, _("Out of memory!\n"));
353 status = pdb_update_group_mapping_entry(map);
355 if (!NT_STATUS_IS_OK(status)) {
356 d_fprintf(stderr, _("Updating group mapping entry failed with "
357 "%s\n"), nt_errstr(status));
361 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
368 static int net_sam_set(struct net_context *c, int argc, const char **argv)
370 struct functable func[] = {
375 N_("Change a user's home directory"),
376 N_("net sam set homedir\n"
377 " Change a user's home directory")
381 net_sam_set_profilepath,
383 N_("Change a user's profile path"),
384 N_("net sam set profilepath\n"
385 " Change a user's profile path")
391 N_("Change a users or groups description"),
392 N_("net sam set comment\n"
393 " Change a users or groups description")
397 net_sam_set_fullname,
399 N_("Change a user's full name"),
400 N_("net sam set fullname\n"
401 " Change a user's full name")
405 net_sam_set_logonscript,
407 N_("Change a user's logon script"),
408 N_("net sam set logonscript\n"
409 " Change a user's logon script")
413 net_sam_set_homedrive,
415 N_("Change a user's home drive"),
416 N_("net sam set homedrive\n"
417 " Change a user's home drive")
421 net_sam_set_workstations,
423 N_("Change a user's allowed workstations"),
424 N_("net sam set workstations\n"
425 " Change a user's allowed workstations")
429 net_sam_set_disabled,
431 N_("Disable/Enable a user"),
432 N_("net sam set disable\n"
433 " Disable/Enable a user")
437 net_sam_set_pwnotreq,
439 N_("Disable/Enable the password not required flag"),
440 N_("net sam set pwnotreq\n"
441 " Disable/Enable the password not required flag")
445 net_sam_set_autolock,
447 N_("Disable/Enable a user's lockout flag"),
448 N_("net sam set autolock\n"
449 " Disable/Enable a user's lockout flag")
455 N_("Disable/Enable whether a user's pw does not "
457 N_("net sam set pwnoexp\n"
458 " Disable/Enable whether a user's pw does not "
463 net_sam_set_pwdmustchangenow,
465 N_("Force users password must change at next logon"),
466 N_("net sam set pwdmustchangenow\n"
467 " Force users password must change at next logon")
469 {NULL, NULL, 0, NULL, NULL}
472 return net_run_function(c, argc, argv, "net sam set", func);
476 * Manage account policies
479 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
481 const char *account_policy = NULL;
483 uint32 old_value = 0;
484 enum pdb_policy_type field;
487 if (argc != 2 || c->display_usage) {
488 d_fprintf(stderr, "%s\n%s",
490 _("net sam policy set \"<account policy>\" <value>\n"));
494 account_policy = argv[0];
495 field = account_policy_name_to_typenum(account_policy);
497 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
498 || strequal(argv[1], "off")) {
502 value = strtoul(argv[1], &endptr, 10);
504 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
505 d_printf(_("Unable to set policy \"%s\"! Invalid value "
507 account_policy, argv[1]);
516 account_policy_names_list(talloc_tos(), &names, &count);
517 d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
518 d_fprintf(stderr, _("Valid account policies are:\n"));
520 for (i=0; i<count; i++) {
521 d_fprintf(stderr, "%s\n", names[i]);
529 if (!pdb_get_account_policy(field, &old_value)) {
530 d_fprintf(stderr, _("Valid account policy, but unable to fetch "
533 d_printf(_("Account policy \"%s\" value was: %d\n"),
534 account_policy, old_value);
537 if (!pdb_set_account_policy(field, value)) {
538 d_fprintf(stderr, _("Valid account policy, but unable to "
542 d_printf(_("Account policy \"%s\" value is now: %d\n"),
543 account_policy, value);
549 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
551 const char *account_policy = NULL;
553 enum pdb_policy_type field;
555 if (argc != 1 || c->display_usage) {
556 d_fprintf(stderr, "%s\n%s",
558 _("net sam policy show \"<account policy>\"\n"));
562 account_policy = argv[0];
563 field = account_policy_name_to_typenum(account_policy);
569 account_policy_names_list(talloc_tos(), &names, &count);
570 d_fprintf(stderr, _("No account policy by that name!\n"));
572 d_fprintf(stderr, _("Valid account policies "
574 for (i=0; i<count; i++) {
575 d_fprintf(stderr, "%s\n", names[i]);
582 if (!pdb_get_account_policy(field, &old_value)) {
583 fprintf(stderr, _("Valid account policy, but unable to "
588 printf(_("Account policy \"%s\" description: %s\n"),
589 account_policy, account_policy_get_desc(field));
590 printf(_("Account policy \"%s\" value is: %d\n"), account_policy,
595 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
601 if (c->display_usage) {
603 "net sam policy list\n"
606 _("List account policies"));
610 account_policy_names_list(talloc_tos(), &names, &count);
612 d_fprintf(stderr, _("Valid account policies "
614 for (i = 0; i < count ; i++) {
615 d_fprintf(stderr, "%s\n", names[i]);
622 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
624 struct functable func[] = {
629 N_("List account policies"),
630 N_("net sam policy list\n"
631 " List account policies")
637 N_("Show account policies"),
638 N_("net sam policy show\n"
639 " Show account policies")
645 N_("Change account policies"),
646 N_("net sam policy set\n"
647 " Change account policies")
649 {NULL, NULL, 0, NULL, NULL}
652 return net_run_function(c, argc, argv, "net sam policy", func);
655 static int net_sam_rights_list(struct net_context *c, int argc,
658 enum sec_privilege privilege;
660 if (argc > 1 || c->display_usage) {
661 d_fprintf(stderr, "%s\n%s",
663 _("net sam rights list [privilege name]\n"));
669 int num = num_privileges_in_short_list();
671 for (i=0; i<num; i++) {
672 d_printf("%s\n", sec_privilege_name_from_index(i));
677 privilege = sec_privilege_id(argv[0]);
679 if (privilege != SEC_PRIV_INVALID) {
680 struct dom_sid *sids;
684 status = privilege_enum_sids(privilege, talloc_tos(),
686 if (!NT_STATUS_IS_OK(status)) {
687 d_fprintf(stderr, _("Could not list rights: %s\n"),
692 for (i=0; i<num_sids; i++) {
693 const char *dom, *name;
694 enum lsa_SidType type;
696 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
698 d_printf("%s\\%s\n", dom, name);
701 d_printf("%s\n", sid_string_tos(&sids[i]));
710 static int net_sam_rights_grant(struct net_context *c, int argc,
714 enum lsa_SidType type;
715 const char *dom, *name;
718 if (argc < 2 || c->display_usage) {
719 d_fprintf(stderr, "%s\n%s",
721 _("net sam rights grant <name> <rights> ...\n"));
725 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
726 &dom, &name, &sid, &type)) {
727 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
731 for (i=1; i < argc; i++) {
732 enum sec_privilege privilege = sec_privilege_id(argv[i]);
733 if (privilege == SEC_PRIV_INVALID) {
734 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
738 if (!grant_privilege_by_name(&sid, argv[i])) {
739 d_fprintf(stderr, _("Could not grant privilege\n"));
743 d_printf(_("Granted %s to %s\\%s\n"), argv[i], dom, name);
749 static int net_sam_rights_revoke(struct net_context *c, int argc,
753 enum lsa_SidType type;
754 const char *dom, *name;
757 if (argc < 2 || c->display_usage) {
758 d_fprintf(stderr, "%s\n%s",
760 _("net sam rights revoke <name> <rights>\n"));
764 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
765 &dom, &name, &sid, &type)) {
766 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
770 for (i=1; i < argc; i++) {
771 enum sec_privilege privilege = sec_privilege_id(argv[i]);
772 if (privilege == SEC_PRIV_INVALID) {
773 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
777 if (!revoke_privilege_by_name(&sid, argv[i])) {
778 d_fprintf(stderr, _("Could not revoke privilege\n"));
782 d_printf(_("Revoked %s from %s\\%s\n"), argv[i], dom, name);
788 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
790 struct functable func[] = {
795 N_("List possible user rights"),
796 N_("net sam rights list\n"
797 " List possible user rights")
801 net_sam_rights_grant,
803 N_("Grant right(s)"),
804 N_("net sam rights grant\n"
809 net_sam_rights_revoke,
811 N_("Revoke right(s)"),
812 N_("net sam rights revoke\n"
815 {NULL, NULL, 0, NULL, NULL}
817 return net_run_function(c, argc, argv, "net sam rights", func);
821 * Map a unix group to a domain group
824 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *map)
826 const char *dom, *name;
829 if (pdb_getgrgid(map, grp->gr_gid)) {
830 return NT_STATUS_GROUP_EXISTS;
833 map->gid = grp->gr_gid;
835 if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
836 &dom, &name, NULL, NULL)) {
838 map->nt_name = talloc_asprintf(map, "Unix Group %s",
841 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
842 grp->gr_name, dom, name, map->nt_name));
845 if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
846 NULL, NULL, NULL, NULL)) {
847 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
848 return NT_STATUS_GROUP_EXISTS;
851 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
852 if (!pdb_new_rid(&rid)) {
853 DEBUG(3, ("Could not get a new RID for %s\n",
855 return NT_STATUS_ACCESS_DENIED;
858 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
861 sid_compose(&map->sid, get_global_sam_sid(), rid);
862 map->sid_name_use = SID_NAME_DOM_GRP;
863 map->comment = talloc_asprintf(map, "Unix Group %s", grp->gr_name);
865 return pdb_add_group_mapping_entry(map);
868 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
874 if (argc != 1 || c->display_usage) {
875 d_fprintf(stderr, "%s\n%s",
877 _("net sam mapunixgroup <name>\n"));
881 grp = getgrnam(argv[0]);
883 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
887 map = talloc_zero(talloc_tos(), GROUP_MAP);
889 d_fprintf(stderr, _("Out of memory!\n"));
893 status = map_unix_group(grp, map);
895 if (!NT_STATUS_IS_OK(status)) {
896 d_fprintf(stderr, _("Mapping group %s failed with %s\n"),
897 argv[0], nt_errstr(status));
901 d_printf(_("Mapped unix group %s to SID %s\n"), argv[0],
902 sid_string_tos(&map->sid));
909 * Remove a group mapping
912 static NTSTATUS unmap_unix_group(const struct group *grp)
914 struct dom_sid dom_sid;
916 if (!lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
917 NULL, NULL, NULL, NULL)) {
918 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
919 return NT_STATUS_NO_SUCH_GROUP;
922 if (!pdb_gid_to_sid(grp->gr_gid, &dom_sid)) {
923 return NT_STATUS_UNSUCCESSFUL;
926 return pdb_delete_group_mapping_entry(dom_sid);
929 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
934 if (argc != 1 || c->display_usage) {
935 d_fprintf(stderr, "%s\n%s",
937 _("net sam unmapunixgroup <name>\n"));
941 grp = getgrnam(argv[0]);
943 d_fprintf(stderr, _("Could not find mapping for group %s.\n"),
948 status = unmap_unix_group(grp);
950 if (!NT_STATUS_IS_OK(status)) {
951 d_fprintf(stderr, _("Unmapping group %s failed with %s.\n"),
952 argv[0], nt_errstr(status));
956 d_printf(_("Unmapped unix group %s.\n"), argv[0]);
962 * Create a domain group
965 static int net_sam_createdomaingroup(struct net_context *c, int argc,
971 if (argc != 1 || c->display_usage) {
972 d_fprintf(stderr, "%s\n%s",
974 _("net sam createdomaingroup <name>\n"));
978 status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
980 if (!NT_STATUS_IS_OK(status)) {
981 d_fprintf(stderr, _("Creating %s failed with %s\n"),
982 argv[0], nt_errstr(status));
986 d_printf(_("Created domain group %s with RID %d\n"), argv[0], rid);
992 * Delete a domain group
995 static int net_sam_deletedomaingroup(struct net_context *c, int argc,
1000 enum lsa_SidType type;
1001 const char *dom, *name;
1004 if (argc != 1 || c->display_usage) {
1005 d_fprintf(stderr, "%s\n%s",
1007 _("net sam deletelocalgroup <name>\n"));
1011 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1012 &dom, &name, &sid, &type)) {
1013 d_fprintf(stderr, _("Could not find %s.\n"), argv[0]);
1017 if (type != SID_NAME_DOM_GRP) {
1018 d_fprintf(stderr, _("%s is a %s, not a domain group.\n"),
1019 argv[0], sid_type_lookup(type));
1023 sid_peek_rid(&sid, &rid);
1025 status = pdb_delete_dom_group(talloc_tos(), rid);
1027 if (!NT_STATUS_IS_OK(status)) {
1028 d_fprintf(stderr,_("Deleting domain group %s failed with %s\n"),
1029 argv[0], nt_errstr(status));
1033 d_printf(_("Deleted domain group %s.\n"), argv[0]);
1039 * Create a local group
1042 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1047 if (argc != 1 || c->display_usage) {
1048 d_fprintf(stderr, "%s\n%s",
1050 _("net sam createlocalgroup <name>\n"));
1054 if (!winbind_ping()) {
1055 d_fprintf(stderr, _("winbind seems not to run. "
1056 "createlocalgroup only works when winbind runs.\n"));
1060 status = pdb_create_alias(argv[0], &rid);
1062 if (!NT_STATUS_IS_OK(status)) {
1063 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1064 argv[0], nt_errstr(status));
1068 d_printf(_("Created local group %s with RID %d\n"), argv[0], rid);
1074 * Delete a local group
1077 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1080 enum lsa_SidType type;
1081 const char *dom, *name;
1084 if (argc != 1 || c->display_usage) {
1085 d_fprintf(stderr, "%s\n%s",
1087 _("net sam deletelocalgroup <name>\n"));
1091 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1092 &dom, &name, &sid, &type)) {
1093 d_fprintf(stderr,_("Could not find %s.\n"), argv[0]);
1097 if (type != SID_NAME_ALIAS) {
1098 d_fprintf(stderr, _("%s is a %s, not a local group.\n"),argv[0],
1099 sid_type_lookup(type));
1103 status = pdb_delete_alias(&sid);
1105 if (!NT_STATUS_IS_OK(status)) {
1106 d_fprintf(stderr, _("Deleting local group %s failed with %s\n"),
1107 argv[0], nt_errstr(status));
1111 d_printf(_("Deleted local group %s.\n"), argv[0]);
1117 * Create a builtin group
1120 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1124 enum lsa_SidType type;
1128 if (argc != 1 || c->display_usage) {
1129 d_fprintf(stderr, "%s\n%s",
1131 _("net sam createbuiltingroup <name>\n"));
1135 if (!winbind_ping()) {
1136 d_fprintf(stderr, _("winbind seems not to run. "
1137 "createbuiltingroup only works when winbind "
1142 /* validate the name and get the group */
1144 fstrcpy( groupname, "BUILTIN\\" );
1145 fstrcat( groupname, argv[0] );
1147 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1148 NULL, &sid, &type)) {
1149 d_fprintf(stderr, _("%s is not a BUILTIN group\n"), argv[0]);
1153 if ( !sid_peek_rid( &sid, &rid ) ) {
1154 d_fprintf(stderr, _("Failed to get RID for %s\n"), argv[0]);
1158 status = pdb_create_builtin(rid);
1160 if (!NT_STATUS_IS_OK(status)) {
1161 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1162 argv[0], nt_errstr(status));
1166 d_printf(_("Created BUILTIN group %s with RID %d\n"), argv[0], rid);
1172 * Add a group member
1175 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1177 const char *groupdomain, *groupname, *memberdomain, *membername;
1178 struct dom_sid group, member;
1179 enum lsa_SidType grouptype, membertype;
1182 if (argc != 2 || c->display_usage) {
1183 d_fprintf(stderr, "%s\n%s",
1185 _("net sam addmem <group> <member>\n"));
1189 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1190 &groupdomain, &groupname, &group, &grouptype)) {
1191 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1195 /* check to see if the member to be added is a name or a SID */
1197 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1198 &memberdomain, &membername, &member, &membertype))
1200 /* try it as a SID */
1202 if ( !string_to_sid( &member, argv[1] ) ) {
1203 d_fprintf(stderr, _("Could not find member %s\n"),
1208 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1209 &membername, &membertype) )
1211 d_fprintf(stderr, _("Could not resolve SID %s\n"),
1217 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1218 if ((membertype != SID_NAME_USER) &&
1219 (membertype != SID_NAME_DOM_GRP)) {
1220 d_fprintf(stderr, _("%s is a local group, only users "
1221 "and domain groups can be added.\n"
1222 "%s is a %s\n"), argv[0], argv[1],
1223 sid_type_lookup(membertype));
1226 status = pdb_add_aliasmem(&group, &member);
1228 if (!NT_STATUS_IS_OK(status)) {
1229 d_fprintf(stderr, _("Adding local group member failed "
1230 "with %s\n"), nt_errstr(status));
1233 } else if (grouptype == SID_NAME_DOM_GRP) {
1234 uint32_t grouprid, memberrid;
1236 sid_peek_rid(&group, &grouprid);
1237 sid_peek_rid(&member, &memberrid);
1239 status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1240 if (!NT_STATUS_IS_OK(status)) {
1241 d_fprintf(stderr, _("Adding domain group member failed "
1242 "with %s\n"), nt_errstr(status));
1246 d_fprintf(stderr, _("Can only add members to local groups so "
1247 "far, %s is a %s\n"), argv[0],
1248 sid_type_lookup(grouptype));
1252 d_printf(_("Added %s\\%s to %s\\%s\n"), memberdomain, membername,
1253 groupdomain, groupname);
1259 * Delete a group member
1262 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1264 const char *groupdomain, *groupname;
1265 const char *memberdomain = NULL;
1266 const char *membername = NULL;
1267 struct dom_sid group, member;
1268 enum lsa_SidType grouptype;
1271 if (argc != 2 || c->display_usage) {
1272 d_fprintf(stderr,"%s\n%s",
1274 _("net sam delmem <group> <member>\n"));
1278 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1279 &groupdomain, &groupname, &group, &grouptype)) {
1280 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1284 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1285 &memberdomain, &membername, &member, NULL)) {
1286 if (!string_to_sid(&member, argv[1])) {
1287 d_fprintf(stderr, _("Could not find member %s\n"),
1293 if ((grouptype == SID_NAME_ALIAS) ||
1294 (grouptype == SID_NAME_WKN_GRP)) {
1295 status = pdb_del_aliasmem(&group, &member);
1297 if (!NT_STATUS_IS_OK(status)) {
1298 d_fprintf(stderr,_("Deleting local group member failed "
1299 "with %s\n"), nt_errstr(status));
1302 } else if (grouptype == SID_NAME_DOM_GRP) {
1303 uint32_t grouprid, memberrid;
1305 sid_peek_rid(&group, &grouprid);
1306 sid_peek_rid(&member, &memberrid);
1308 status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1309 if (!NT_STATUS_IS_OK(status)) {
1310 d_fprintf(stderr, _("Deleting domain group member "
1311 "failed with %s\n"), nt_errstr(status));
1315 d_fprintf(stderr, _("Can only delete members from local groups "
1316 "so far, %s is a %s\n"), argv[0],
1317 sid_type_lookup(grouptype));
1321 if (membername != NULL) {
1322 d_printf(_("Deleted %s\\%s from %s\\%s\n"),
1323 memberdomain, membername, groupdomain, groupname);
1325 d_printf(_("Deleted %s from %s\\%s\n"),
1326 sid_string_tos(&member), groupdomain, groupname);
1333 * List group members
1336 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1338 const char *groupdomain, *groupname;
1339 struct dom_sid group;
1340 struct dom_sid *members = NULL;
1341 size_t i, num_members = 0;
1342 enum lsa_SidType grouptype;
1345 if (argc != 1 || c->display_usage) {
1346 d_fprintf(stderr, "%s\n%s",
1348 _("net sam listmem <group>\n"));
1352 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1353 &groupdomain, &groupname, &group, &grouptype)) {
1354 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1358 if ((grouptype == SID_NAME_ALIAS) ||
1359 (grouptype == SID_NAME_WKN_GRP)) {
1360 status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1362 if (!NT_STATUS_IS_OK(status)) {
1363 d_fprintf(stderr, _("Listing group members failed with "
1364 "%s\n"), nt_errstr(status));
1367 } else if (grouptype == SID_NAME_DOM_GRP) {
1370 status = pdb_enum_group_members(talloc_tos(), &group,
1371 &rids, &num_members);
1372 if (!NT_STATUS_IS_OK(status)) {
1373 d_fprintf(stderr, _("Listing group members failed with "
1374 "%s\n"), nt_errstr(status));
1378 members = talloc_array(talloc_tos(), struct dom_sid,
1380 if (members == NULL) {
1385 for (i=0; i<num_members; i++) {
1386 sid_compose(&members[i], get_global_sam_sid(),
1391 d_fprintf(stderr,_("Can only list local group members so far.\n"
1392 "%s is a %s\n"), argv[0], sid_type_lookup(grouptype));
1396 d_printf(_("%s\\%s has %u members\n"), groupdomain, groupname,
1397 (unsigned int)num_members);
1398 for (i=0; i<num_members; i++) {
1399 const char *dom, *name;
1400 if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1401 d_printf(" %s\\%s\n", dom, name);
1403 d_printf(" %s\n", sid_string_tos(&members[i]));
1407 TALLOC_FREE(members);
1415 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1416 struct pdb_search *search, const char *what)
1418 bool verbose = (argc == 1);
1420 if ((argc > 1) || c->display_usage ||
1421 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1422 d_fprintf(stderr, "%s\n", _("Usage:"));
1423 d_fprintf(stderr, _("net sam list %s [verbose]\n"), what);
1427 if (search == NULL) {
1428 d_fprintf(stderr, _("Could not start search\n"));
1433 struct samr_displayentry entry;
1434 if (!search->next_entry(search, &entry)) {
1438 d_printf("%s:%d:%s\n",
1443 d_printf("%s\n", entry.account_name);
1447 TALLOC_FREE(search);
1451 static int net_sam_list_users(struct net_context *c, int argc,
1454 return net_sam_do_list(c, argc, argv,
1455 pdb_search_users(talloc_tos(), ACB_NORMAL),
1459 static int net_sam_list_groups(struct net_context *c, int argc,
1462 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1466 static int net_sam_list_localgroups(struct net_context *c, int argc,
1469 return net_sam_do_list(c, argc, argv,
1470 pdb_search_aliases(talloc_tos(),
1471 get_global_sam_sid()),
1475 static int net_sam_list_builtin(struct net_context *c, int argc,
1478 return net_sam_do_list(c, argc, argv,
1479 pdb_search_aliases(talloc_tos(),
1480 &global_sid_Builtin),
1484 static int net_sam_list_workstations(struct net_context *c, int argc,
1487 return net_sam_do_list(c, argc, argv,
1488 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1496 static int net_sam_list(struct net_context *c, int argc, const char **argv)
1498 struct functable func[] = {
1502 NET_TRANSPORT_LOCAL,
1503 N_("List SAM users"),
1504 N_("net sam list users\n"
1509 net_sam_list_groups,
1510 NET_TRANSPORT_LOCAL,
1511 N_("List SAM groups"),
1512 N_("net sam list groups\n"
1517 net_sam_list_localgroups,
1518 NET_TRANSPORT_LOCAL,
1519 N_("List SAM local groups"),
1520 N_("net sam list localgroups\n"
1521 " List SAM local groups")
1525 net_sam_list_builtin,
1526 NET_TRANSPORT_LOCAL,
1527 N_("List builtin groups"),
1528 N_("net sam list builtin\n"
1529 " List builtin groups")
1533 net_sam_list_workstations,
1534 NET_TRANSPORT_LOCAL,
1535 N_("List domain member workstations"),
1536 N_("net sam list workstations\n"
1537 " List domain member workstations")
1539 {NULL, NULL, 0, NULL, NULL}
1542 return net_run_function(c, argc, argv, "net sam list", func);
1546 * Show details of SAM entries
1549 static int net_sam_show(struct net_context *c, int argc, const char **argv)
1552 enum lsa_SidType type;
1553 const char *dom, *name;
1555 if (argc != 1 || c->display_usage) {
1556 d_fprintf(stderr, "%s\n%s",
1558 _("net sam show <name>\n"));
1562 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1563 &dom, &name, &sid, &type)) {
1564 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
1568 d_printf(_("%s\\%s is a %s with SID %s\n"), dom, name,
1569 sid_type_lookup(type), sid_string_tos(&sid));
1577 * Init an LDAP tree with default users and Groups
1578 * if ldapsam:editposix is enabled
1581 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1585 char *ldap_uri = NULL;
1587 struct smbldap_state *state = NULL;
1588 GROUP_MAP *gmap = NULL;
1589 struct dom_sid gsid;
1590 gid_t domusers_gid = -1;
1591 gid_t domadmins_gid = -1;
1592 struct samu *samuser;
1594 bool is_ipa = false;
1595 char *bind_dn = NULL;
1596 char *bind_secret = NULL;
1599 if (c->display_usage) {
1601 "net sam provision\n"
1604 _("Init an LDAP tree with default users/groups"));
1608 tc = talloc_new(NULL);
1610 d_fprintf(stderr, _("Out of Memory!\n"));
1614 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1615 d_fprintf(stderr, _("talloc failed\n"));
1619 p = strchr(ldap_bk, ':');
1622 ldap_uri = talloc_strdup(tc, p+1);
1623 trim_char(ldap_uri, ' ', ' ');
1626 trim_char(ldap_bk, ' ', ' ');
1628 if (strcmp(ldap_bk, "IPA_ldapsam") == 0 ) {
1632 if (strcmp(ldap_bk, "ldapsam") != 0 && !is_ipa ) {
1634 _("Provisioning works only with ldapsam backend\n"));
1638 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1639 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1641 d_fprintf(stderr, _("Provisioning works only if ldapsam:trusted"
1642 " and ldapsam:editposix are enabled.\n"));
1646 if (!is_ipa && !winbind_ping()) {
1647 d_fprintf(stderr, _("winbind seems not to run. Provisioning "
1648 "LDAP only works when winbind runs.\n"));
1652 if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1653 d_fprintf(stderr, _("Failed to retrieve LDAP password from secrets.tdb\n"));
1657 status = smbldap_init(tc, NULL, ldap_uri, false, bind_dn, bind_secret, &state);
1659 memset(bind_secret, '\0', strlen(bind_secret));
1660 SAFE_FREE(bind_secret);
1663 if (!NT_STATUS_IS_OK(status)) {
1664 d_fprintf(stderr, _("Unable to connect to the LDAP server.\n"));
1668 d_printf(_("Checking for Domain Users group.\n"));
1670 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
1672 gmap = talloc_zero(tc, GROUP_MAP);
1674 d_printf(_("Out of memory!\n"));
1678 if (!pdb_getgrsid(gmap, gsid)) {
1679 LDAPMod **mods = NULL;
1687 d_printf(_("Adding the Domain Users group.\n"));
1689 /* lets allocate a new groupid for this group */
1693 if (!winbind_allocate_gid(&domusers_gid)) {
1694 d_fprintf(stderr, _("Unable to allocate a new gid to "
1695 "create Domain Users group!\n"));
1700 uname = talloc_strdup(tc, "domusers");
1701 wname = talloc_strdup(tc, "Domain Users");
1702 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers",
1703 lp_ldap_group_suffix(talloc_tos()));
1704 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1705 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1707 if (!uname || !wname || !dn || !gidstr || !gtype) {
1708 d_fprintf(stderr, "Out of Memory!\n");
1712 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1713 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1715 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1716 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1717 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1719 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1720 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1721 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1722 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1723 sid_string_talloc(tc, &gsid));
1724 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1726 smbldap_talloc_autofree_ldapmod(tc, mods);
1728 rc = smbldap_add(state, dn, mods);
1730 if (rc != LDAP_SUCCESS) {
1731 d_fprintf(stderr, _("Failed to add Domain Users group "
1732 "to ldap directory\n"));
1736 if (!pdb_getgrsid(gmap, gsid)) {
1737 d_fprintf(stderr, _("Failed to read just "
1738 "created domain group.\n"));
1741 domusers_gid = gmap->gid;
1745 domusers_gid = gmap->gid;
1746 d_printf(_("found!\n"));
1751 d_printf(_("Checking for Domain Admins group.\n"));
1753 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
1755 if (!pdb_getgrsid(gmap, gsid)) {
1756 LDAPMod **mods = NULL;
1764 d_printf(_("Adding the Domain Admins group.\n"));
1766 /* lets allocate a new groupid for this group */
1768 domadmins_gid = 999;
1770 if (!winbind_allocate_gid(&domadmins_gid)) {
1771 d_fprintf(stderr, _("Unable to allocate a new gid to "
1772 "create Domain Admins group!\n"));
1777 uname = talloc_strdup(tc, "domadmins");
1778 wname = talloc_strdup(tc, "Domain Admins");
1779 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins",
1780 lp_ldap_group_suffix(talloc_tos()));
1781 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1782 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1784 if (!uname || !wname || !dn || !gidstr || !gtype) {
1785 d_fprintf(stderr, _("Out of Memory!\n"));
1789 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1790 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1792 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1793 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1794 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1796 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1797 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1798 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1799 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1800 sid_string_talloc(tc, &gsid));
1801 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1803 smbldap_talloc_autofree_ldapmod(tc, mods);
1805 rc = smbldap_add(state, dn, mods);
1807 if (rc != LDAP_SUCCESS) {
1808 d_fprintf(stderr, _("Failed to add Domain Admins group "
1809 "to ldap directory\n"));
1813 if (!pdb_getgrsid(gmap, gsid)) {
1814 d_fprintf(stderr, _("Failed to read just "
1815 "created domain group.\n"));
1818 domadmins_gid = gmap->gid;
1822 domadmins_gid = gmap->gid;
1823 d_printf(_("found!\n"));
1828 d_printf(_("Check for Administrator account.\n"));
1830 samuser = samu_new(tc);
1832 d_fprintf(stderr, _("Out of Memory!\n"));
1836 if (!pdb_getsampwnam(samuser, "Administrator")) {
1837 LDAPMod **mods = NULL;
1849 d_printf(_("Adding the Administrator user.\n"));
1851 if (domadmins_gid == -1) {
1853 _("Can't create Administrator user, Domain "
1854 "Admins group not available!\n"));
1861 if (!winbind_allocate_uid(&uid)) {
1863 _("Unable to allocate a new uid to create "
1864 "the Administrator user!\n"));
1869 name = talloc_strdup(tc, "Administrator");
1870 dn = talloc_asprintf(tc, "uid=Administrator,%s",
1871 lp_ldap_user_suffix(talloc_tos()));
1872 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1873 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1874 dir = talloc_sub_specified(tc, lp_template_homedir(),
1876 get_global_sam_name(),
1877 uid, domadmins_gid);
1878 shell = talloc_sub_specified(tc, lp_template_shell(),
1880 get_global_sam_name(),
1881 uid, domadmins_gid);
1883 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1884 d_fprintf(stderr, _("Out of Memory!\n"));
1888 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
1890 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1891 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1892 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1894 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
1895 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
1896 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
1897 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
1898 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
1899 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
1900 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", name);
1901 princ = talloc_asprintf(tc, "%s@%s", name, lp_realm());
1903 d_fprintf(stderr, _("Out of Memory!\n"));
1906 smbldap_set_mod(&mods, LDAP_MOD_ADD, "krbPrincipalName", princ);
1908 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1909 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1910 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1911 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1912 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1913 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1914 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1915 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1916 sid_string_talloc(tc, &sid));
1917 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1918 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1919 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1921 smbldap_talloc_autofree_ldapmod(tc, mods);
1923 rc = smbldap_add(state, dn, mods);
1925 if (rc != LDAP_SUCCESS) {
1926 d_fprintf(stderr, _("Failed to add Administrator user "
1927 "to ldap directory\n"));
1931 if (!pdb_getsampwnam(samuser, "Administrator")) {
1932 d_fprintf(stderr, _("Failed to read just "
1933 "created user.\n"));
1938 d_printf(_("found!\n"));
1941 d_printf(_("Checking for Guest user.\n"));
1943 samuser = samu_new(tc);
1945 d_fprintf(stderr, _("Out of Memory!\n"));
1949 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1950 LDAPMod **mods = NULL;
1957 d_printf(_("Adding the Guest user.\n"));
1959 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
1961 pwd = Get_Pwnam_alloc(tc, lp_guestaccount());
1964 if (domusers_gid == -1) {
1966 _("Can't create Guest user, Domain "
1967 "Users group not available!\n"));
1970 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1971 d_fprintf(stderr, _("talloc failed\n"));
1974 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1979 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1981 _("Unable to allocate a new uid to "
1982 "create the Guest user!\n"));
1986 pwd->pw_gid = domusers_gid;
1987 pwd->pw_dir = talloc_strdup(tc, "/");
1988 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1989 if (!pwd->pw_dir || !pwd->pw_shell) {
1990 d_fprintf(stderr, _("Out of Memory!\n"));
1995 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name,
1996 lp_ldap_user_suffix (talloc_tos()));
1997 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
1998 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1999 if (!dn || !uidstr || !gidstr) {
2000 d_fprintf(stderr, _("Out of Memory!\n"));
2004 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
2005 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
2006 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
2008 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
2009 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
2010 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
2011 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
2012 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
2013 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
2014 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", pwd->pw_name);
2016 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
2017 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
2018 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
2019 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
2020 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2021 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
2022 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
2024 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
2025 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
2027 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
2028 sid_string_talloc(tc, &sid));
2029 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
2030 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
2031 NEW_PW_FORMAT_SPACE_PADDED_LEN));
2033 smbldap_talloc_autofree_ldapmod(tc, mods);
2035 rc = smbldap_add(state, dn, mods);
2037 if (rc != LDAP_SUCCESS) {
2038 d_fprintf(stderr, _("Failed to add Guest user to "
2039 "ldap directory\n"));
2043 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
2044 d_fprintf(stderr, _("Failed to read just "
2045 "created user.\n"));
2050 d_printf(_("found!\n"));
2053 d_printf(_("Checking Guest's group.\n"));
2055 pwd = Get_Pwnam_alloc(tc, lp_guestaccount());
2058 _("Failed to find just created Guest account!\n"
2059 " Is nss properly configured?!\n"));
2063 if (pwd->pw_gid == domusers_gid) {
2064 d_printf(_("found!\n"));
2068 if (!pdb_getgrgid(gmap, pwd->pw_gid)) {
2069 LDAPMod **mods = NULL;
2077 d_printf(_("Adding the Domain Guests group.\n"));
2079 uname = talloc_strdup(tc, "domguests");
2080 wname = talloc_strdup(tc, "Domain Guests");
2081 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests",
2082 lp_ldap_group_suffix(talloc_tos()));
2083 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2084 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
2086 if (!uname || !wname || !dn || !gidstr || !gtype) {
2087 d_fprintf(stderr, _("Out of Memory!\n"));
2091 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
2093 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
2094 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
2096 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
2097 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
2098 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
2100 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
2101 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
2102 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2103 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
2104 sid_string_talloc(tc, &gsid));
2105 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
2107 smbldap_talloc_autofree_ldapmod(tc, mods);
2109 rc = smbldap_add(state, dn, mods);
2111 if (rc != LDAP_SUCCESS) {
2113 _("Failed to add Domain Guests group to ldap "
2117 d_printf(_("found!\n"));
2132 /***********************************************************
2133 migrated functionality from smbgroupedit
2134 **********************************************************/
2135 int net_sam(struct net_context *c, int argc, const char **argv)
2137 struct functable func[] = {
2139 "createbuiltingroup",
2140 net_sam_createbuiltingroup,
2141 NET_TRANSPORT_LOCAL,
2142 N_("Create a new BUILTIN group"),
2143 N_("net sam createbuiltingroup\n"
2144 " Create a new BUILTIN group")
2148 net_sam_createlocalgroup,
2149 NET_TRANSPORT_LOCAL,
2150 N_("Create a new local group"),
2151 N_("net sam createlocalgroup\n"
2152 " Create a new local group")
2155 "createdomaingroup",
2156 net_sam_createdomaingroup,
2157 NET_TRANSPORT_LOCAL,
2158 N_("Create a new group"),
2159 N_("net sam createdomaingroup\n"
2160 " Create a new group")
2164 net_sam_deletelocalgroup,
2165 NET_TRANSPORT_LOCAL,
2166 N_("Delete an existing local group"),
2167 N_("net sam deletelocalgroup\n"
2168 " Delete an existing local group")
2171 "deletedomaingroup",
2172 net_sam_deletedomaingroup,
2173 NET_TRANSPORT_LOCAL,
2174 N_("Delete a domain group"),
2175 N_("net sam deletedomaingroup\n"
2180 net_sam_mapunixgroup,
2181 NET_TRANSPORT_LOCAL,
2182 N_("Map a unix group to a domain group"),
2183 N_("net sam mapunixgroup\n"
2184 " Map a unix group to a domain group")
2188 net_sam_unmapunixgroup,
2189 NET_TRANSPORT_LOCAL,
2190 N_("Remove a group mapping of an unix group to a "
2192 N_("net sam unmapunixgroup\n"
2193 " Remove a group mapping of an unix group to a "
2199 NET_TRANSPORT_LOCAL,
2200 N_("Add a member to a group"),
2201 N_("net sam addmem\n"
2202 " Add a member to a group")
2207 NET_TRANSPORT_LOCAL,
2208 N_("Delete a member from a group"),
2209 N_("net sam delmem\n"
2210 " Delete a member from a group")
2215 NET_TRANSPORT_LOCAL,
2216 N_("List group members"),
2217 N_("net sam listmem\n"
2218 " List group members")
2223 NET_TRANSPORT_LOCAL,
2224 N_("List users, groups and local groups"),
2226 " List users, groups and local groups")
2231 NET_TRANSPORT_LOCAL,
2232 N_("Show details of a SAM entry"),
2234 " Show details of a SAM entry")
2239 NET_TRANSPORT_LOCAL,
2240 N_("Set details of a SAM account"),
2242 " Set details of a SAM account")
2247 NET_TRANSPORT_LOCAL,
2248 N_("Set account policies"),
2249 N_("net sam policy\n"
2250 " Set account policies")
2255 NET_TRANSPORT_LOCAL,
2256 N_("Manipulate user privileges"),
2257 N_("net sam rights\n"
2258 " Manipulate user privileges")
2264 NET_TRANSPORT_LOCAL,
2265 N_("Provision a clean user database"),
2266 N_("net sam privison\n"
2267 " Provision a clear user database")
2270 {NULL, NULL, 0, NULL, NULL}
2273 if (getuid() != 0) {
2274 d_fprintf(stderr, _("You are not root, most things won't "
2278 return net_run_function(c, argc, argv, "net sam", func);