2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
29 /* when we do not have sufficient input parameters to contact a remote domain
30 * we always fall back to our own realm - Guenther*/
32 static const char *assume_own_realm(struct net_context *c)
34 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
42 do a cldap netlogon query
44 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
46 char addr[INET6_ADDRSTRLEN];
47 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
49 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
50 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
51 d_fprintf(stderr, "CLDAP query failed!\n");
55 d_printf("Information for Domain Controller: %s\n\n",
58 d_printf("Response Type: ");
59 switch (reply.command) {
60 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
61 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
63 case LOGON_SAM_LOGON_RESPONSE_EX:
64 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
67 d_printf("0x%x\n", reply.command);
71 d_printf("GUID: %s\n", GUID_string(talloc_tos(), &reply.domain_uuid));
75 "\tIs a GC of the forest: %s\n"
76 "\tIs an LDAP server: %s\n"
78 "\tIs running a KDC: %s\n"
79 "\tIs running time services: %s\n"
80 "\tIs the closest DC: %s\n"
82 "\tHas a hardware clock: %s\n"
83 "\tIs a non-domain NC serviced by LDAP server: %s\n"
84 "\tIs NT6 DC that has some secrets: %s\n"
85 "\tIs NT6 DC that has all secrets: %s\n",
86 (reply.server_type & NBT_SERVER_PDC) ? "yes" : "no",
87 (reply.server_type & NBT_SERVER_GC) ? "yes" : "no",
88 (reply.server_type & NBT_SERVER_LDAP) ? "yes" : "no",
89 (reply.server_type & NBT_SERVER_DS) ? "yes" : "no",
90 (reply.server_type & NBT_SERVER_KDC) ? "yes" : "no",
91 (reply.server_type & NBT_SERVER_TIMESERV) ? "yes" : "no",
92 (reply.server_type & NBT_SERVER_CLOSEST) ? "yes" : "no",
93 (reply.server_type & NBT_SERVER_WRITABLE) ? "yes" : "no",
94 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? "yes" : "no",
95 (reply.server_type & NBT_SERVER_NDNC) ? "yes" : "no",
96 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? "yes" : "no",
97 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? "yes" : "no");
100 printf("Forest:\t\t\t%s\n", reply.forest);
101 printf("Domain:\t\t\t%s\n", reply.dns_domain);
102 printf("Domain Controller:\t%s\n", reply.pdc_dns_name);
104 printf("Pre-Win2k Domain:\t%s\n", reply.domain);
105 printf("Pre-Win2k Hostname:\t%s\n", reply.pdc_name);
107 if (*reply.user_name) printf("User name:\t%s\n", reply.user_name);
109 printf("Server Site Name :\t\t%s\n", reply.server_site);
110 printf("Client Site Name :\t\t%s\n", reply.client_site);
112 d_printf("NT Version: %d\n", reply.nt_version);
113 d_printf("LMNT Token: %.2x\n", reply.lmnt_token);
114 d_printf("LM20 Token: %.2x\n", reply.lm20_token);
120 this implements the CLDAP based netlogon lookup requests
121 for finding the domain controller of a ADS domain
123 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
127 if (c->display_usage) {
130 " Find the ADS DC using CLDAP lookup.\n");
134 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
135 d_fprintf(stderr, "Didn't find the cldap server!\n");
139 if (!ads->config.realm) {
140 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
141 ads->ldap.port = 389;
144 return net_ads_cldap_netlogon(c, ads);
149 static int net_ads_info(struct net_context *c, int argc, const char **argv)
152 char addr[INET6_ADDRSTRLEN];
154 if (c->display_usage) {
157 " Display information about an Active Directory "
162 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
163 d_fprintf(stderr, "Didn't find the ldap server!\n");
167 if (!ads || !ads->config.realm) {
168 d_fprintf(stderr, "Didn't find the ldap server!\n");
172 /* Try to set the server's current time since we didn't do a full
173 TCP LDAP session initially */
175 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
176 d_fprintf( stderr, "Failed to get server's current time!\n");
179 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
181 d_printf("LDAP server: %s\n", addr);
182 d_printf("LDAP server name: %s\n", ads->config.ldap_server_name);
183 d_printf("Realm: %s\n", ads->config.realm);
184 d_printf("Bind Path: %s\n", ads->config.bind_path);
185 d_printf("LDAP port: %d\n", ads->ldap.port);
186 d_printf("Server time: %s\n",
187 http_timestring(talloc_tos(), ads->config.current_time));
189 d_printf("KDC server: %s\n", ads->auth.kdc_server );
190 d_printf("Server time offset: %d\n", ads->auth.time_offset );
195 static void use_in_memory_ccache(void) {
196 /* Use in-memory credentials cache so we do not interfere with
197 * existing credentials */
198 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
201 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
202 uint32 auth_flags, ADS_STRUCT **ads_ret)
204 ADS_STRUCT *ads = NULL;
206 bool need_password = false;
207 bool second_time = false;
209 const char *realm = NULL;
210 bool tried_closest_dc = false;
212 /* lp_realm() should be handled by a command line param,
213 However, the join requires that realm be set in smb.conf
214 and compares our realm with the remote server's so this is
215 ok until someone needs more flexibility */
220 if (only_own_domain) {
223 realm = assume_own_realm(c);
226 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
228 if (!c->opt_user_name) {
229 c->opt_user_name = "administrator";
232 if (c->opt_user_specified) {
233 need_password = true;
237 if (!c->opt_password && need_password && !c->opt_machine_pass) {
238 c->opt_password = net_prompt_pass(c, c->opt_user_name);
239 if (!c->opt_password) {
241 return ADS_ERROR(LDAP_NO_MEMORY);
245 if (c->opt_password) {
246 use_in_memory_ccache();
247 SAFE_FREE(ads->auth.password);
248 ads->auth.password = smb_xstrdup(c->opt_password);
251 ads->auth.flags |= auth_flags;
252 SAFE_FREE(ads->auth.user_name);
253 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
256 * If the username is of the form "name@realm",
257 * extract the realm and convert to upper case.
258 * This is only used to establish the connection.
260 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
262 SAFE_FREE(ads->auth.realm);
263 ads->auth.realm = smb_xstrdup(cp);
264 strupper_m(ads->auth.realm);
267 status = ads_connect(ads);
269 if (!ADS_ERR_OK(status)) {
271 if (NT_STATUS_EQUAL(ads_ntstatus(status),
272 NT_STATUS_NO_LOGON_SERVERS)) {
273 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
278 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
279 need_password = true;
288 /* when contacting our own domain, make sure we use the closest DC.
289 * This is done by reconnecting to ADS because only the first call to
290 * ads_connect will give us our own sitename */
292 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
294 tried_closest_dc = true; /* avoid loop */
296 if (!ads_closest_dc(ads)) {
298 namecache_delete(ads->server.realm, 0x1C);
299 namecache_delete(ads->server.workgroup, 0x1C);
312 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
314 return ads_startup_int(c, only_own_domain, 0, ads);
317 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
319 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
323 Check to see if connection can be made via ads.
324 ads_startup() stores the password in opt_password if it needs to so
325 that rpc or rap can use it without re-prompting.
327 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
332 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
336 ads->auth.flags |= ADS_AUTH_NO_BIND;
338 status = ads_connect(ads);
339 if ( !ADS_ERR_OK(status) ) {
347 int net_ads_check_our_domain(struct net_context *c)
349 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
352 int net_ads_check(struct net_context *c)
354 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
358 determine the netbios workgroup name for a domain
360 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
363 char addr[INET6_ADDRSTRLEN];
364 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
366 if (c->display_usage) {
368 "net ads workgroup\n"
369 " Print the workgroup name\n");
373 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
374 d_fprintf(stderr, "Didn't find the cldap server!\n");
378 if (!ads->config.realm) {
379 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
380 ads->ldap.port = 389;
383 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
384 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
385 d_fprintf(stderr, "CLDAP query failed!\n");
389 d_printf("Workgroup: %s\n", reply.domain);
398 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
400 char **disp_fields = (char **) data_area;
402 if (!field) { /* must be end of record */
403 if (disp_fields[0]) {
404 if (!strchr_m(disp_fields[0], '$')) {
406 d_printf("%-21.21s %s\n",
407 disp_fields[0], disp_fields[1]);
409 d_printf("%s\n", disp_fields[0]);
412 SAFE_FREE(disp_fields[0]);
413 SAFE_FREE(disp_fields[1]);
416 if (!values) /* must be new field, indicate string field */
418 if (StrCaseCmp(field, "sAMAccountName") == 0) {
419 disp_fields[0] = SMB_STRDUP((char *) values[0]);
421 if (StrCaseCmp(field, "description") == 0)
422 disp_fields[1] = SMB_STRDUP((char *) values[0]);
426 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
428 return net_user_usage(c, argc, argv);
431 static int ads_user_add(struct net_context *c, int argc, const char **argv)
436 LDAPMessage *res=NULL;
440 if (argc < 1 || c->display_usage)
441 return net_ads_user_usage(c, argc, argv);
443 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
447 status = ads_find_user_acct(ads, &res, argv[0]);
449 if (!ADS_ERR_OK(status)) {
450 d_fprintf(stderr, "ads_user_add: %s\n", ads_errstr(status));
454 if (ads_count_replies(ads, res)) {
455 d_fprintf(stderr, "ads_user_add: User %s already exists\n", argv[0]);
459 if (c->opt_container) {
460 ou_str = SMB_STRDUP(c->opt_container);
462 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
465 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
467 if (!ADS_ERR_OK(status)) {
468 d_fprintf(stderr, "Could not add user %s: %s\n", argv[0],
473 /* if no password is to be set, we're done */
475 d_printf("User %s added\n", argv[0]);
480 /* try setting the password */
481 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
484 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
485 ads->auth.time_offset);
487 if (ADS_ERR_OK(status)) {
488 d_printf("User %s added\n", argv[0]);
493 /* password didn't set, delete account */
494 d_fprintf(stderr, "Could not add user %s. Error setting password %s\n",
495 argv[0], ads_errstr(status));
496 ads_msgfree(ads, res);
497 status=ads_find_user_acct(ads, &res, argv[0]);
498 if (ADS_ERR_OK(status)) {
499 userdn = ads_get_dn(ads, res);
500 ads_del_dn(ads, userdn);
501 ads_memfree(ads, userdn);
506 ads_msgfree(ads, res);
512 static int ads_user_info(struct net_context *c, int argc, const char **argv)
517 const char *attrs[] = {"memberOf", NULL};
518 char *searchstring=NULL;
522 if (argc < 1 || c->display_usage) {
523 return net_ads_user_usage(c, argc, argv);
526 escaped_user = escape_ldap_string_alloc(argv[0]);
529 d_fprintf(stderr, "ads_user_info: failed to escape user %s\n", argv[0]);
533 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
534 SAFE_FREE(escaped_user);
538 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
539 SAFE_FREE(escaped_user);
542 rc = ads_search(ads, &res, searchstring, attrs);
543 SAFE_FREE(searchstring);
545 if (!ADS_ERR_OK(rc)) {
546 d_fprintf(stderr, "ads_search: %s\n", ads_errstr(rc));
548 SAFE_FREE(escaped_user);
552 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
553 (LDAPMessage *)res, "memberOf");
558 for (i=0;grouplist[i];i++) {
559 groupname = ldap_explode_dn(grouplist[i], 1);
560 d_printf("%s\n", groupname[0]);
561 ldap_value_free(groupname);
563 ldap_value_free(grouplist);
566 ads_msgfree(ads, res);
568 SAFE_FREE(escaped_user);
572 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
576 LDAPMessage *res = NULL;
580 return net_ads_user_usage(c, argc, argv);
583 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
587 rc = ads_find_user_acct(ads, &res, argv[0]);
588 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
589 d_printf("User %s does not exist.\n", argv[0]);
590 ads_msgfree(ads, res);
594 userdn = ads_get_dn(ads, res);
595 ads_msgfree(ads, res);
596 rc = ads_del_dn(ads, userdn);
597 ads_memfree(ads, userdn);
598 if (ADS_ERR_OK(rc)) {
599 d_printf("User %s deleted\n", argv[0]);
603 d_fprintf(stderr, "Error deleting user %s: %s\n", argv[0],
609 int net_ads_user(struct net_context *c, int argc, const char **argv)
611 struct functable func[] = {
624 "Display information about an AD user",
625 "net ads user info\n"
626 " Display information about an AD user"
633 "net ads user delete\n"
636 {NULL, NULL, 0, NULL, NULL}
640 const char *shortattrs[] = {"sAMAccountName", NULL};
641 const char *longattrs[] = {"sAMAccountName", "description", NULL};
642 char *disp_fields[2] = {NULL, NULL};
645 if (c->display_usage) {
646 d_printf("Usage:\n");
647 d_printf("net ads user\n"
649 net_display_usage_from_functable(func);
653 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
657 if (c->opt_long_list_entries)
658 d_printf("\nUser name Comment"
659 "\n-----------------------------\n");
661 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
663 "(objectCategory=user)",
664 c->opt_long_list_entries ? longattrs :
665 shortattrs, usergrp_display,
668 return ADS_ERR_OK(rc) ? 0 : -1;
671 return net_run_function(c, argc, argv, "net ads user", func);
674 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
676 return net_group_usage(c, argc, argv);
679 static int ads_group_add(struct net_context *c, int argc, const char **argv)
683 LDAPMessage *res=NULL;
687 if (argc < 1 || c->display_usage) {
688 return net_ads_group_usage(c, argc, argv);
691 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
695 status = ads_find_user_acct(ads, &res, argv[0]);
697 if (!ADS_ERR_OK(status)) {
698 d_fprintf(stderr, "ads_group_add: %s\n", ads_errstr(status));
702 if (ads_count_replies(ads, res)) {
703 d_fprintf(stderr, "ads_group_add: Group %s already exists\n", argv[0]);
707 if (c->opt_container) {
708 ou_str = SMB_STRDUP(c->opt_container);
710 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
713 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
715 if (ADS_ERR_OK(status)) {
716 d_printf("Group %s added\n", argv[0]);
719 d_fprintf(stderr, "Could not add group %s: %s\n", argv[0],
725 ads_msgfree(ads, res);
731 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
735 LDAPMessage *res = NULL;
738 if (argc < 1 || c->display_usage) {
739 return net_ads_group_usage(c, argc, argv);
742 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
746 rc = ads_find_user_acct(ads, &res, argv[0]);
747 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
748 d_printf("Group %s does not exist.\n", argv[0]);
749 ads_msgfree(ads, res);
753 groupdn = ads_get_dn(ads, res);
754 ads_msgfree(ads, res);
755 rc = ads_del_dn(ads, groupdn);
756 ads_memfree(ads, groupdn);
757 if (ADS_ERR_OK(rc)) {
758 d_printf("Group %s deleted\n", argv[0]);
762 d_fprintf(stderr, "Error deleting group %s: %s\n", argv[0],
768 int net_ads_group(struct net_context *c, int argc, const char **argv)
770 struct functable func[] = {
776 "net ads group add\n"
783 "Delete an AD group",
784 "net ads group delete\n"
785 " Delete an AD group"
787 {NULL, NULL, 0, NULL, NULL}
791 const char *shortattrs[] = {"sAMAccountName", NULL};
792 const char *longattrs[] = {"sAMAccountName", "description", NULL};
793 char *disp_fields[2] = {NULL, NULL};
796 if (c->display_usage) {
797 d_printf("Usage:\n");
798 d_printf("net ads group\n"
799 " List AD groups\n");
800 net_display_usage_from_functable(func);
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
808 if (c->opt_long_list_entries)
809 d_printf("\nGroup name Comment"
810 "\n-----------------------------\n");
811 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
813 "(objectCategory=group)",
814 c->opt_long_list_entries ? longattrs :
815 shortattrs, usergrp_display,
819 return ADS_ERR_OK(rc) ? 0 : -1;
821 return net_run_function(c, argc, argv, "net ads group", func);
824 static int net_ads_status(struct net_context *c, int argc, const char **argv)
830 if (c->display_usage) {
833 " Display machine account details\n");
837 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
841 rc = ads_find_machine_acct(ads, &res, global_myname());
842 if (!ADS_ERR_OK(rc)) {
843 d_fprintf(stderr, "ads_find_machine_acct: %s\n", ads_errstr(rc));
848 if (ads_count_replies(ads, res) == 0) {
849 d_fprintf(stderr, "No machine account for '%s' found\n", global_myname());
859 /*******************************************************************
860 Leave an AD domain. Windows XP disables the machine account.
861 We'll try the same. The old code would do an LDAP delete.
862 That only worked using the machine creds because added the machine
863 with full control to the computer object's ACL.
864 *******************************************************************/
866 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
869 struct libnet_UnjoinCtx *r = NULL;
872 if (c->display_usage) {
875 " Leave an AD domain\n");
880 d_fprintf(stderr, "No realm set, are we joined ?\n");
884 if (!(ctx = talloc_init("net_ads_leave"))) {
885 d_fprintf(stderr, "Could not initialise talloc context.\n");
889 if (!c->opt_kerberos) {
890 use_in_memory_ccache();
893 werr = libnet_init_UnjoinCtx(ctx, &r);
894 if (!W_ERROR_IS_OK(werr)) {
895 d_fprintf(stderr, "Could not initialise unjoin context.\n");
900 r->in.use_kerberos = c->opt_kerberos;
901 r->in.dc_name = c->opt_host;
902 r->in.domain_name = lp_realm();
903 r->in.admin_account = c->opt_user_name;
904 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
905 r->in.modify_config = lp_config_backend_is_registry();
906 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
907 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
909 werr = libnet_Unjoin(ctx, r);
910 if (!W_ERROR_IS_OK(werr)) {
911 d_printf("Failed to leave domain: %s\n",
912 r->out.error_string ? r->out.error_string :
913 get_friendly_werror_msg(werr));
917 if (W_ERROR_IS_OK(werr)) {
918 d_printf("Deleted account for '%s' in realm '%s'\n",
919 r->in.machine_name, r->out.dns_domain_name);
923 /* We couldn't delete it - see if the disable succeeded. */
924 if (r->out.disabled_machine_account) {
925 d_printf("Disabled account for '%s' in realm '%s'\n",
926 r->in.machine_name, r->out.dns_domain_name);
931 d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
932 r->in.machine_name, r->out.dns_domain_name);
938 if (W_ERROR_IS_OK(werr)) {
945 static NTSTATUS net_ads_join_ok(struct net_context *c)
947 ADS_STRUCT *ads = NULL;
950 if (!secrets_init()) {
951 DEBUG(1,("Failed to initialise secrets database\n"));
952 return NT_STATUS_ACCESS_DENIED;
955 net_use_krb_machine_account(c);
957 status = ads_startup(c, true, &ads);
958 if (!ADS_ERR_OK(status)) {
959 return ads_ntstatus(status);
967 check that an existing join is OK
969 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
972 use_in_memory_ccache();
974 if (c->display_usage) {
977 " Test if the existing join is ok\n");
981 /* Display success or failure */
982 status = net_ads_join_ok(c);
983 if (!NT_STATUS_IS_OK(status)) {
984 fprintf(stderr,"Join to domain is not valid: %s\n",
985 get_friendly_nt_error_msg(status));
989 printf("Join is OK\n");
993 /*******************************************************************
994 Simple configu checks before beginning the join
995 ********************************************************************/
997 static WERROR check_ads_config( void )
999 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1000 d_printf("Host is not configured as a member server.\n");
1001 return WERR_INVALID_DOMAIN_ROLE;
1004 if (strlen(global_myname()) > 15) {
1005 d_printf("Our netbios name can be at most 15 chars long, "
1006 "\"%s\" is %u chars long\n", global_myname(),
1007 (unsigned int)strlen(global_myname()));
1008 return WERR_INVALID_COMPUTERNAME;
1011 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1012 d_fprintf(stderr, "realm must be set in in %s for ADS "
1013 "join to succeed.\n", get_dyn_CONFIGFILE());
1014 return WERR_INVALID_PARAM;
1020 /*******************************************************************
1021 Send a DNS update request
1022 *******************************************************************/
1024 #if defined(WITH_DNS_UPDATES)
1026 DNS_ERROR DoDNSUpdate(char *pszServerName,
1027 const char *pszDomainName, const char *pszHostName,
1028 const struct sockaddr_storage *sslist,
1031 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1032 const char *machine_name,
1033 const struct sockaddr_storage *addrs,
1036 struct dns_rr_ns *nameservers = NULL;
1038 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1041 const char *dnsdomain = NULL;
1042 char *root_domain = NULL;
1044 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1045 d_printf("No DNS domain configured for %s. "
1046 "Unable to perform DNS Update.\n", machine_name);
1047 status = NT_STATUS_INVALID_PARAMETER;
1052 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1053 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1054 /* Child domains often do not have NS records. Look
1055 for the NS record for the forest root domain
1056 (rootDomainNamingContext in therootDSE) */
1058 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1059 LDAPMessage *msg = NULL;
1061 ADS_STATUS ads_status;
1063 if ( !ads->ldap.ld ) {
1064 ads_status = ads_connect( ads );
1065 if ( !ADS_ERR_OK(ads_status) ) {
1066 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1071 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1072 "(objectclass=*)", rootname_attrs, &msg);
1073 if (!ADS_ERR_OK(ads_status)) {
1077 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1079 ads_msgfree( ads, msg );
1083 root_domain = ads_build_domain( root_dn );
1086 ads_msgfree( ads, msg );
1088 /* try again for NS servers */
1090 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1092 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1093 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1094 "realm\n", ads->config.realm));
1098 dnsdomain = root_domain;
1102 /* Now perform the dns update - we'll try non-secure and if we fail,
1103 we'll follow it up with a secure update */
1105 fstrcpy( dns_server, nameservers[0].hostname );
1107 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1108 if (!ERR_DNS_IS_OK(dns_err)) {
1109 status = NT_STATUS_UNSUCCESSFUL;
1114 SAFE_FREE( root_domain );
1119 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
1122 struct sockaddr_storage *iplist = NULL;
1123 fstring machine_name;
1126 name_to_fqdn( machine_name, global_myname() );
1127 strlower_m( machine_name );
1129 /* Get our ip address (not the 127.0.0.x address but a real ip
1132 num_addrs = get_my_ip_address( &iplist );
1133 if ( num_addrs <= 0 ) {
1134 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1136 return NT_STATUS_INVALID_PARAMETER;
1139 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1141 SAFE_FREE( iplist );
1147 /*******************************************************************
1148 ********************************************************************/
1150 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1152 d_printf("net ads join [options]\n");
1153 d_printf("Valid options:\n");
1154 d_printf(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n");
1155 d_printf(" The deault UPN is in the form host/netbiosname@REALM.\n");
1156 d_printf(" createcomputer=OU Precreate the computer account in a specific OU.\n");
1157 d_printf(" The OU string read from top to bottom without RDNs and delimited by a '/'.\n");
1158 d_printf(" E.g. \"createcomputer=Computers/Servers/Unix\"\n");
1159 d_printf(" NB: A backslash '\\' is used as escape at multiple levels and may\n");
1160 d_printf(" need to be doubled or even quadrupled. It is not used as a separator.\n");
1161 d_printf(" osName=string Set the operatingSystem attribute during the join.\n");
1162 d_printf(" osVer=string Set the operatingSystemVersion attribute during the join.\n");
1163 d_printf(" NB: osName and osVer must be specified together for either to take effect.\n");
1164 d_printf(" Also, the operatingSystemService attribute is also set when along with\n");
1165 d_printf(" the two other attributes.\n");
1170 /*******************************************************************
1171 ********************************************************************/
1173 int net_ads_join(struct net_context *c, int argc, const char **argv)
1175 TALLOC_CTX *ctx = NULL;
1176 struct libnet_JoinCtx *r = NULL;
1177 const char *domain = lp_realm();
1178 WERROR werr = WERR_SETUP_NOT_JOINED;
1179 bool createupn = false;
1180 const char *machineupn = NULL;
1181 const char *create_in_ou = NULL;
1183 const char *os_name = NULL;
1184 const char *os_version = NULL;
1185 bool modify_config = lp_config_backend_is_registry();
1187 if (c->display_usage)
1188 return net_ads_join_usage(c, argc, argv);
1190 if (!modify_config) {
1192 werr = check_ads_config();
1193 if (!W_ERROR_IS_OK(werr)) {
1194 d_fprintf(stderr, "Invalid configuration. Exiting....\n");
1199 if (!(ctx = talloc_init("net_ads_join"))) {
1200 d_fprintf(stderr, "Could not initialise talloc context.\n");
1205 if (!c->opt_kerberos) {
1206 use_in_memory_ccache();
1209 werr = libnet_init_JoinCtx(ctx, &r);
1210 if (!W_ERROR_IS_OK(werr)) {
1214 /* process additional command line args */
1216 for ( i=0; i<argc; i++ ) {
1217 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1219 machineupn = get_string_param(argv[i]);
1221 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1222 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1223 d_fprintf(stderr, "Please supply a valid OU path.\n");
1224 werr = WERR_INVALID_PARAM;
1228 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1229 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1230 d_fprintf(stderr, "Please supply a operating system name.\n");
1231 werr = WERR_INVALID_PARAM;
1235 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1236 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1237 d_fprintf(stderr, "Please supply a valid operating system version.\n");
1238 werr = WERR_INVALID_PARAM;
1248 d_fprintf(stderr, "Please supply a valid domain name\n");
1249 werr = WERR_INVALID_PARAM;
1253 /* Do the domain join here */
1255 r->in.domain_name = domain;
1256 r->in.create_upn = createupn;
1257 r->in.upn = machineupn;
1258 r->in.account_ou = create_in_ou;
1259 r->in.os_name = os_name;
1260 r->in.os_version = os_version;
1261 r->in.dc_name = c->opt_host;
1262 r->in.admin_account = c->opt_user_name;
1263 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1265 r->in.use_kerberos = c->opt_kerberos;
1266 r->in.modify_config = modify_config;
1267 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1268 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1269 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1271 werr = libnet_Join(ctx, r);
1272 if (!W_ERROR_IS_OK(werr)) {
1276 /* Check the short name of the domain */
1278 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1279 d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
1280 d_printf("domain name obtained from the server.\n");
1281 d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
1282 d_printf("You should set \"workgroup = %s\" in %s.\n",
1283 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1286 d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
1288 if (r->out.dns_domain_name) {
1289 d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
1290 r->out.dns_domain_name);
1292 d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
1293 r->out.netbios_domain_name);
1296 #if defined(WITH_DNS_UPDATES)
1297 if (r->out.domain_is_ad) {
1298 /* We enter this block with user creds */
1299 ADS_STRUCT *ads_dns = NULL;
1301 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1302 /* kinit with the machine password */
1304 use_in_memory_ccache();
1305 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1308 ads_dns->auth.password = secrets_fetch_machine_password(
1309 r->out.netbios_domain_name, NULL, NULL );
1310 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1311 strupper_m(ads_dns->auth.realm );
1312 ads_kinit_password( ads_dns );
1315 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
1316 d_fprintf( stderr, "DNS update failed!\n" );
1319 /* exit from this block using machine creds */
1320 ads_destroy(&ads_dns);
1329 /* issue an overall failure message at the end. */
1330 d_printf("Failed to join domain: %s\n",
1331 r && r->out.error_string ? r->out.error_string :
1332 get_friendly_werror_msg(werr));
1338 /*******************************************************************
1339 ********************************************************************/
1341 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1343 #if defined(WITH_DNS_UPDATES)
1349 talloc_enable_leak_report();
1352 if (argc > 0 || c->display_usage) {
1354 "net ads dns register\n"
1355 " Register hostname with DNS\n");
1359 if (!(ctx = talloc_init("net_ads_dns"))) {
1360 d_fprintf(stderr, "Could not initialise talloc context\n");
1364 status = ads_startup(c, true, &ads);
1365 if ( !ADS_ERR_OK(status) ) {
1366 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1371 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
1372 d_fprintf( stderr, "DNS update failed!\n" );
1373 ads_destroy( &ads );
1378 d_fprintf( stderr, "Successfully registered hostname with DNS\n" );
1385 d_fprintf(stderr, "DNS update support not enabled at compile time!\n");
1390 #if defined(WITH_DNS_UPDATES)
1391 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1394 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1396 #if defined(WITH_DNS_UPDATES)
1400 talloc_enable_leak_report();
1403 if (argc != 2 || c->display_usage) {
1405 "net ads dns gethostbyname <server> <name>\n"
1406 " Look up hostname from the AD\n"
1407 " server\tName server to use\n"
1408 " name\tName to look up\n");
1412 err = do_gethostbyname(argv[0], argv[1]);
1414 d_printf("do_gethostbyname returned %d\n", ERROR_DNS_V(err));
1419 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1421 struct functable func[] = {
1424 net_ads_dns_register,
1426 "Add host dns entry to AD",
1427 "net ads dns register\n"
1428 " Add host dns entry to AD"
1432 net_ads_dns_gethostbyname,
1435 "net ads dns gethostbyname\n"
1438 {NULL, NULL, 0, NULL, NULL}
1441 return net_run_function(c, argc, argv, "net ads dns", func);
1444 /*******************************************************************
1445 ********************************************************************/
1447 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1450 "\nnet ads printer search <printer>"
1451 "\n\tsearch for a printer in the directory\n"
1452 "\nnet ads printer info <printer> <server>"
1453 "\n\tlookup info in directory for printer on server"
1454 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1455 "\nnet ads printer publish <printername>"
1456 "\n\tpublish printer in directory"
1457 "\n\t(note: printer name is required)\n"
1458 "\nnet ads printer remove <printername>"
1459 "\n\tremove printer from directory"
1460 "\n\t(note: printer name is required)\n");
1464 /*******************************************************************
1465 ********************************************************************/
1467 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1471 LDAPMessage *res = NULL;
1473 if (c->display_usage) {
1475 "net ads printer search\n"
1476 " List printers in the AD\n");
1480 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1484 rc = ads_find_printers(ads, &res);
1486 if (!ADS_ERR_OK(rc)) {
1487 d_fprintf(stderr, "ads_find_printer: %s\n", ads_errstr(rc));
1488 ads_msgfree(ads, res);
1493 if (ads_count_replies(ads, res) == 0) {
1494 d_fprintf(stderr, "No results found\n");
1495 ads_msgfree(ads, res);
1501 ads_msgfree(ads, res);
1506 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1510 const char *servername, *printername;
1511 LDAPMessage *res = NULL;
1513 if (c->display_usage) {
1515 "net ads printer info [printername [servername]]\n"
1516 " Display printer info from AD\n"
1517 " printername\tPrinter name or wildcard\n"
1518 " servername\tName of the print server\n");
1522 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1527 printername = argv[0];
1533 servername = argv[1];
1535 servername = global_myname();
1538 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1540 if (!ADS_ERR_OK(rc)) {
1541 d_fprintf(stderr, "Server '%s' not found: %s\n",
1542 servername, ads_errstr(rc));
1543 ads_msgfree(ads, res);
1548 if (ads_count_replies(ads, res) == 0) {
1549 d_fprintf(stderr, "Printer '%s' not found\n", printername);
1550 ads_msgfree(ads, res);
1556 ads_msgfree(ads, res);
1562 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1566 const char *servername, *printername;
1567 struct cli_state *cli;
1568 struct rpc_pipe_client *pipe_hnd;
1569 struct sockaddr_storage server_ss;
1571 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1572 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1573 char *prt_dn, *srv_dn, **srv_cn;
1574 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1575 LDAPMessage *res = NULL;
1577 if (argc < 1 || c->display_usage) {
1579 "net ads printer publish <printername> [servername]\n"
1580 " Publish printer in AD\n"
1581 " printername\tName of the printer\n"
1582 " servername\tName of the print server\n");
1583 talloc_destroy(mem_ctx);
1587 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1588 talloc_destroy(mem_ctx);
1592 printername = argv[0];
1595 servername = argv[1];
1597 servername = global_myname();
1600 /* Get printer data from SPOOLSS */
1602 resolve_name(servername, &server_ss, 0x20);
1604 nt_status = cli_full_connection(&cli, global_myname(), servername,
1607 c->opt_user_name, c->opt_workgroup,
1608 c->opt_password ? c->opt_password : "",
1609 CLI_FULL_CONNECTION_USE_KERBEROS,
1612 if (NT_STATUS_IS_ERR(nt_status)) {
1613 d_fprintf(stderr, "Unable to open a connnection to %s to obtain data "
1614 "for %s\n", servername, printername);
1616 talloc_destroy(mem_ctx);
1620 /* Publish on AD server */
1622 ads_find_machine_acct(ads, &res, servername);
1624 if (ads_count_replies(ads, res) == 0) {
1625 d_fprintf(stderr, "Could not find machine account for server %s\n",
1628 talloc_destroy(mem_ctx);
1632 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1633 srv_cn = ldap_explode_dn(srv_dn, 1);
1635 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1636 printername_escaped = escape_rdn_val_string_alloc(printername);
1637 if (!srv_cn_escaped || !printername_escaped) {
1638 SAFE_FREE(srv_cn_escaped);
1639 SAFE_FREE(printername_escaped);
1640 d_fprintf(stderr, "Internal error, out of memory!");
1642 talloc_destroy(mem_ctx);
1646 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1647 SAFE_FREE(srv_cn_escaped);
1648 SAFE_FREE(printername_escaped);
1649 d_fprintf(stderr, "Internal error, out of memory!");
1651 talloc_destroy(mem_ctx);
1655 SAFE_FREE(srv_cn_escaped);
1656 SAFE_FREE(printername_escaped);
1658 nt_status = cli_rpc_pipe_open_noauth(cli, &syntax_spoolss, &pipe_hnd);
1659 if (!NT_STATUS_IS_OK(nt_status)) {
1660 d_fprintf(stderr, "Unable to open a connnection to the spoolss pipe on %s\n",
1664 talloc_destroy(mem_ctx);
1668 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1672 talloc_destroy(mem_ctx);
1676 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1677 if (!ADS_ERR_OK(rc)) {
1678 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1681 talloc_destroy(mem_ctx);
1685 d_printf("published printer\n");
1688 talloc_destroy(mem_ctx);
1693 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1697 const char *servername;
1699 LDAPMessage *res = NULL;
1701 if (argc < 1 || c->display_usage) {
1703 "net ads printer remove <printername> [servername]\n"
1704 " Remove a printer from the AD\n"
1705 " printername\tName of the printer\n"
1706 " servername\tName of the print server\n");
1710 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1715 servername = argv[1];
1717 servername = global_myname();
1720 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1722 if (!ADS_ERR_OK(rc)) {
1723 d_fprintf(stderr, "ads_find_printer_on_server: %s\n", ads_errstr(rc));
1724 ads_msgfree(ads, res);
1729 if (ads_count_replies(ads, res) == 0) {
1730 d_fprintf(stderr, "Printer '%s' not found\n", argv[1]);
1731 ads_msgfree(ads, res);
1736 prt_dn = ads_get_dn(ads, res);
1737 ads_msgfree(ads, res);
1738 rc = ads_del_dn(ads, prt_dn);
1739 ads_memfree(ads, prt_dn);
1741 if (!ADS_ERR_OK(rc)) {
1742 d_fprintf(stderr, "ads_del_dn: %s\n", ads_errstr(rc));
1751 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1753 struct functable func[] = {
1756 net_ads_printer_search,
1758 "Search for a printer",
1759 "net ads printer search\n"
1760 " Search for a printer"
1764 net_ads_printer_info,
1766 "Display printer information",
1767 "net ads printer info\n"
1768 " Display printer information"
1772 net_ads_printer_publish,
1774 "Publish a printer",
1775 "net ads printer publish\n"
1776 " Publish a printer"
1780 net_ads_printer_remove,
1783 "net ads printer remove\n"
1786 {NULL, NULL, 0, NULL, NULL}
1789 return net_run_function(c, argc, argv, "net ads printer", func);
1793 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1796 const char *auth_principal = c->opt_user_name;
1797 const char *auth_password = c->opt_password;
1799 char *new_password = NULL;
1804 if (c->display_usage) {
1806 "net ads password <username>\n"
1807 " Change password for user\n"
1808 " username\tName of user to change password for\n");
1812 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1813 d_fprintf(stderr, "You must supply an administrator username/password\n");
1818 d_fprintf(stderr, "ERROR: You must say which username to change password for\n");
1823 if (!strchr_m(user, '@')) {
1824 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1830 use_in_memory_ccache();
1831 chr = strchr_m(auth_principal, '@');
1838 /* use the realm so we can eventually change passwords for users
1839 in realms other than default */
1840 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1844 /* we don't actually need a full connect, but it's the easy way to
1845 fill in the KDC's addresss */
1848 if (!ads->config.realm) {
1849 d_fprintf(stderr, "Didn't find the kerberos server!\n");
1854 new_password = (char *)argv[1];
1856 if (asprintf(&prompt, "Enter new password for %s:", user) == -1) {
1859 new_password = getpass(prompt);
1863 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1864 auth_password, user, new_password, ads->auth.time_offset);
1865 if (!ADS_ERR_OK(ret)) {
1866 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1871 d_printf("Password change for %s completed.\n", user);
1877 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1880 char *host_principal;
1884 if (c->display_usage) {
1886 "net ads changetrustpw\n"
1887 " Change the machine account's trust password\n");
1891 if (!secrets_init()) {
1892 DEBUG(1,("Failed to initialise secrets database\n"));
1896 net_use_krb_machine_account(c);
1898 use_in_memory_ccache();
1900 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1904 fstrcpy(my_name, global_myname());
1905 strlower_m(my_name);
1906 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
1910 d_printf("Changing password for principal: %s\n", host_principal);
1912 ret = ads_change_trust_account_password(ads, host_principal);
1914 if (!ADS_ERR_OK(ret)) {
1915 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1917 SAFE_FREE(host_principal);
1921 d_printf("Password change for principal %s succeeded.\n", host_principal);
1923 if (USE_SYSTEM_KEYTAB) {
1924 d_printf("Attempting to update system keytab with new password.\n");
1925 if (ads_keytab_create_default(ads)) {
1926 d_printf("Failed to update system keytab.\n");
1931 SAFE_FREE(host_principal);
1937 help for net ads search
1939 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
1942 "\nnet ads search <expression> <attributes...>\n"
1943 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
1944 "The expression is a standard LDAP search expression, and the\n"
1945 "attributes are a list of LDAP fields to show in the results.\n\n"
1946 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
1948 net_common_flags_usage(c, argc, argv);
1954 general ADS search function. Useful in diagnosing problems in ADS
1956 static int net_ads_search(struct net_context *c, int argc, const char **argv)
1960 const char *ldap_exp;
1962 LDAPMessage *res = NULL;
1964 if (argc < 1 || c->display_usage) {
1965 return net_ads_search_usage(c, argc, argv);
1968 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1975 rc = ads_do_search_all(ads, ads->config.bind_path,
1977 ldap_exp, attrs, &res);
1978 if (!ADS_ERR_OK(rc)) {
1979 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
1984 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
1986 /* dump the results */
1989 ads_msgfree(ads, res);
1997 help for net ads search
1999 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2002 "\nnet ads dn <dn> <attributes...>\n"
2003 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2004 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2005 "to show in the results\n\n"
2006 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2007 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2009 net_common_flags_usage(c, argc, argv);
2015 general ADS search function. Useful in diagnosing problems in ADS
2017 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2023 LDAPMessage *res = NULL;
2025 if (argc < 1 || c->display_usage) {
2026 return net_ads_dn_usage(c, argc, argv);
2029 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2036 rc = ads_do_search_all(ads, dn,
2038 "(objectclass=*)", attrs, &res);
2039 if (!ADS_ERR_OK(rc)) {
2040 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
2045 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2047 /* dump the results */
2050 ads_msgfree(ads, res);
2057 help for net ads sid search
2059 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2062 "\nnet ads sid <sid> <attributes...>\n"
2063 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2064 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2065 "to show in the results\n\n"
2066 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2068 net_common_flags_usage(c, argc, argv);
2074 general ADS search function. Useful in diagnosing problems in ADS
2076 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2080 const char *sid_string;
2082 LDAPMessage *res = NULL;
2085 if (argc < 1 || c->display_usage) {
2086 return net_ads_sid_usage(c, argc, argv);
2089 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2093 sid_string = argv[0];
2096 if (!string_to_sid(&sid, sid_string)) {
2097 d_fprintf(stderr, "could not convert sid\n");
2102 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2103 if (!ADS_ERR_OK(rc)) {
2104 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
2109 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2111 /* dump the results */
2114 ads_msgfree(ads, res);
2120 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2125 if (c->display_usage) {
2127 "net ads keytab flush\n"
2128 " Delete the whole keytab\n");
2132 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2135 ret = ads_keytab_flush(ads);
2140 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2146 if (c->display_usage) {
2148 "net ads keytab add <principal> [principal ...]\n"
2149 " Add principals to local keytab\n"
2150 " principal\tKerberos principal to add to "
2155 d_printf("Processing principals to add...\n");
2156 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2159 for (i = 0; i < argc; i++) {
2160 ret |= ads_keytab_add_entry(ads, argv[i]);
2166 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2171 if (c->display_usage) {
2173 "net ads keytab create\n"
2174 " Create new default keytab\n");
2178 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2181 ret = ads_keytab_create_default(ads);
2186 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2188 const char *keytab = NULL;
2190 if (c->display_usage) {
2192 "net ads keytab list [keytab]\n"
2193 " List a local keytab\n"
2194 " keytab\tKeytab to list\n");
2202 return ads_keytab_list(keytab);
2206 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2208 struct functable func[] = {
2213 "Add a service principal",
2214 "net ads keytab add\n"
2215 " Add a service principal"
2219 net_ads_keytab_create,
2221 "Create a fresh keytab",
2222 "net ads keytab create\n"
2223 " Create a fresh keytab"
2227 net_ads_keytab_flush,
2229 "Remove all keytab entries",
2230 "net ads keytab flush\n"
2231 " Remove all keytab entries"
2235 net_ads_keytab_list,
2238 "net ads keytab list\n"
2241 {NULL, NULL, 0, NULL, NULL}
2244 if (!USE_KERBEROS_KEYTAB) {
2245 d_printf("\nWarning: \"kerberos method\" must be set to a \
2246 keytab method to use keytab functions.\n");
2249 return net_run_function(c, argc, argv, "net ads keytab", func);
2252 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2256 if (c->display_usage) {
2258 "net ads kerberos renew\n"
2259 " Renew TGT from existing credential cache\n");
2263 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2265 d_printf("failed to renew kerberos ticket: %s\n",
2266 error_message(ret));
2271 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2273 struct PAC_DATA *pac = NULL;
2274 struct PAC_LOGON_INFO *info = NULL;
2275 TALLOC_CTX *mem_ctx = NULL;
2279 if (c->display_usage) {
2281 "net ads kerberos pac\n"
2282 " Dump the Kerberos PAC\n");
2286 mem_ctx = talloc_init("net_ads_kerberos_pac");
2291 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2293 status = kerberos_return_pac(mem_ctx,
2302 2592000, /* one month */
2304 if (!NT_STATUS_IS_OK(status)) {
2305 d_printf("failed to query kerberos PAC: %s\n",
2310 info = get_logon_info_from_pac(pac);
2313 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2314 d_printf("The Pac: %s\n", s);
2319 TALLOC_FREE(mem_ctx);
2323 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2325 TALLOC_CTX *mem_ctx = NULL;
2329 if (c->display_usage) {
2331 "net ads kerberos kinit\n"
2332 " Get Ticket Granting Ticket (TGT) for the user\n");
2336 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2341 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2343 ret = kerberos_kinit_password_ext(c->opt_user_name,
2351 2592000, /* one month */
2354 d_printf("failed to kinit password: %s\n",
2361 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2363 struct functable func[] = {
2366 net_ads_kerberos_kinit,
2368 "Retrieve Ticket Granting Ticket (TGT)",
2369 "net ads kerberos kinit\n"
2370 " Receive Ticket Granting Ticket (TGT)"
2374 net_ads_kerberos_renew,
2376 "Renew Ticket Granting Ticket from credential cache"
2377 "net ads kerberos renew\n"
2378 " Renew Ticket Granting Ticket from credential cache"
2382 net_ads_kerberos_pac,
2384 "Dump Kerberos PAC",
2385 "net ads kerberos pac\n"
2386 " Dump Kerberos PAC"
2388 {NULL, NULL, 0, NULL, NULL}
2391 return net_run_function(c, argc, argv, "net ads kerberos", func);
2394 int net_ads(struct net_context *c, int argc, const char **argv)
2396 struct functable func[] = {
2401 "Display details on remote ADS server",
2403 " Display details on remote ADS server"
2409 "Join the local machine to ADS realm",
2411 " Join the local machine to ADS realm"
2417 "Validate machine account",
2418 "net ads testjoin\n"
2419 " Validate machine account"
2425 "Remove the local machine from ADS",
2427 " Remove the local machine from ADS"
2433 "Display machine account details",
2435 " Display machine account details"
2441 "List/modify users",
2443 " List/modify users"
2449 "List/modify groups",
2451 " List/modify groups"
2457 "Issue dynamic DNS update",
2459 " Issue dynamic DNS update"
2465 "Change user passwords",
2466 "net ads password\n"
2467 " Change user passwords"
2471 net_ads_changetrustpw,
2473 "Change trust account password",
2474 "net ads changetrustpw\n"
2475 " Change trust account password"
2481 "List/modify printer entries",
2483 " List/modify printer entries"
2489 "Issue LDAP search using filter",
2491 " Issue LDAP search using filter"
2497 "Issue LDAP search by DN",
2499 " Issue LDAP search by DN"
2505 "Issue LDAP search by SID",
2507 " Issue LDAP search by SID"
2513 "Display workgroup name",
2514 "net ads workgroup\n"
2515 " Display the workgroup name"
2521 "Perfom CLDAP query on DC",
2523 " Find the ADS DC using CLDAP lookups"
2529 "Manage local keytab file",
2531 " Manage local keytab file"
2537 "Manage group policy objects",
2539 " Manage group policy objects"
2545 "Manage kerberos keytab",
2546 "net ads kerberos\n"
2547 " Manage kerberos keytab"
2549 {NULL, NULL, 0, NULL, NULL}
2552 return net_run_function(c, argc, argv, "net ads", func);
2557 static int net_ads_noads(void)
2559 d_fprintf(stderr, "ADS support not compiled in\n");
2563 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2565 return net_ads_noads();
2568 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2570 return net_ads_noads();
2573 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2575 return net_ads_noads();
2578 int net_ads_join(struct net_context *c, int argc, const char **argv)
2580 return net_ads_noads();
2583 int net_ads_user(struct net_context *c, int argc, const char **argv)
2585 return net_ads_noads();
2588 int net_ads_group(struct net_context *c, int argc, const char **argv)
2590 return net_ads_noads();
2593 /* this one shouldn't display a message */
2594 int net_ads_check(struct net_context *c)
2599 int net_ads_check_our_domain(struct net_context *c)
2604 int net_ads(struct net_context *c, int argc, const char **argv)
2606 return net_ads_noads();
2609 #endif /* WITH_ADS */