2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "utils/net.h"
28 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
30 bool (*fn)(struct samu *, const char *,
31 enum pdb_value_state))
33 struct samu *sam_acct = NULL;
35 enum lsa_SidType type;
36 const char *dom, *name;
39 if (argc != 2 || c->display_usage) {
40 d_fprintf(stderr, "usage: net sam set %s <user> <value>\n",
45 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
46 &dom, &name, &sid, &type)) {
47 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
51 if (type != SID_NAME_USER) {
52 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
53 sid_type_lookup(type));
57 if ( !(sam_acct = samu_new( NULL )) ) {
58 d_fprintf(stderr, "Internal error\n");
62 if (!pdb_getsampwsid(sam_acct, &sid)) {
63 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
67 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
68 d_fprintf(stderr, "Internal error\n");
72 status = pdb_update_sam_account(sam_acct);
73 if (!NT_STATUS_IS_OK(status)) {
74 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
75 argv[0], nt_errstr(status));
79 TALLOC_FREE(sam_acct);
81 d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]);
85 static int net_sam_set_fullname(struct net_context *c, int argc,
88 return net_sam_userset(c, argc, argv, "fullname",
92 static int net_sam_set_logonscript(struct net_context *c, int argc,
95 return net_sam_userset(c, argc, argv, "logonscript",
96 pdb_set_logon_script);
99 static int net_sam_set_profilepath(struct net_context *c, int argc,
102 return net_sam_userset(c, argc, argv, "profilepath",
103 pdb_set_profile_path);
106 static int net_sam_set_homedrive(struct net_context *c, int argc,
109 return net_sam_userset(c, argc, argv, "homedrive",
113 static int net_sam_set_homedir(struct net_context *c, int argc,
116 return net_sam_userset(c, argc, argv, "homedir",
120 static int net_sam_set_workstations(struct net_context *c, int argc,
123 return net_sam_userset(c, argc, argv, "workstations",
124 pdb_set_workstations);
131 static int net_sam_set_userflag(struct net_context *c, int argc,
132 const char **argv, const char *field,
135 struct samu *sam_acct = NULL;
137 enum lsa_SidType type;
138 const char *dom, *name;
142 if ((argc != 2) || c->display_usage ||
143 (!strequal(argv[1], "yes") &&
144 !strequal(argv[1], "no"))) {
145 d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n",
150 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
151 &dom, &name, &sid, &type)) {
152 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
156 if (type != SID_NAME_USER) {
157 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
158 sid_type_lookup(type));
162 if ( !(sam_acct = samu_new( NULL )) ) {
163 d_fprintf(stderr, "Internal error\n");
167 if (!pdb_getsampwsid(sam_acct, &sid)) {
168 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
172 acct_flags = pdb_get_acct_ctrl(sam_acct);
174 if (strequal(argv[1], "yes")) {
180 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
182 status = pdb_update_sam_account(sam_acct);
183 if (!NT_STATUS_IS_OK(status)) {
184 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
185 argv[0], nt_errstr(status));
189 TALLOC_FREE(sam_acct);
191 d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom,
196 static int net_sam_set_disabled(struct net_context *c, int argc,
199 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
202 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
205 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
208 static int net_sam_set_autolock(struct net_context *c, int argc,
211 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
214 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
217 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
221 * Set pass last change time, based on force pass change now
224 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
227 struct samu *sam_acct = NULL;
229 enum lsa_SidType type;
230 const char *dom, *name;
233 if ((argc != 2) || c->display_usage ||
234 (!strequal(argv[1], "yes") &&
235 !strequal(argv[1], "no"))) {
236 d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n");
240 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
241 &dom, &name, &sid, &type)) {
242 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
246 if (type != SID_NAME_USER) {
247 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
248 sid_type_lookup(type));
252 if ( !(sam_acct = samu_new( NULL )) ) {
253 d_fprintf(stderr, "Internal error\n");
257 if (!pdb_getsampwsid(sam_acct, &sid)) {
258 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
262 if (strequal(argv[1], "yes")) {
263 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
265 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
268 status = pdb_update_sam_account(sam_acct);
269 if (!NT_STATUS_IS_OK(status)) {
270 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
271 argv[0], nt_errstr(status));
275 TALLOC_FREE(sam_acct);
277 d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom,
284 * Set a user's or a group's comment
287 static int net_sam_set_comment(struct net_context *c, int argc,
292 enum lsa_SidType type;
293 const char *dom, *name;
296 if (argc != 2 || c->display_usage) {
297 d_fprintf(stderr, "usage: net sam set comment <name> "
302 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
303 &dom, &name, &sid, &type)) {
304 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
308 if (type == SID_NAME_USER) {
309 return net_sam_userset(c, argc, argv, "comment",
313 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
314 (type != SID_NAME_WKN_GRP)) {
315 d_fprintf(stderr, "%s is a %s, not a group\n", argv[0],
316 sid_type_lookup(type));
320 if (!pdb_getgrsid(&map, sid)) {
321 d_fprintf(stderr, "Could not load group %s\n", argv[0]);
325 fstrcpy(map.comment, argv[1]);
327 status = pdb_update_group_mapping_entry(&map);
329 if (!NT_STATUS_IS_OK(status)) {
330 d_fprintf(stderr, "Updating group mapping entry failed with "
331 "%s\n", nt_errstr(status));
335 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
341 static int net_sam_set(struct net_context *c, int argc, const char **argv)
343 struct functable func[] = {
348 "Change a user's home directory",
349 "net sam set homedir\n"
350 " Change a user's home directory"
354 net_sam_set_profilepath,
356 "Change a user's profile path",
357 "net sam set profilepath\n"
358 " Change a user's profile path"
364 "Change a users or groups description",
365 "net sam set comment\n"
366 " Change a users or groups description"
370 net_sam_set_fullname,
372 "Change a user's full name",
373 "net sam set fullname\n"
374 " Change a user's full name"
378 net_sam_set_logonscript,
380 "Change a user's logon script",
381 "net sam set logonscript\n"
382 " Change a user's logon script"
386 net_sam_set_homedrive,
388 "Change a user's home drive",
389 "net sam set homedrive\n"
390 " Change a user's home drive"
394 net_sam_set_workstations,
396 "Change a user's allowed workstations",
397 "net sam set workstations\n"
398 " Change a user's allowed workstations"
402 net_sam_set_disabled,
404 "Disable/Enable a user",
405 "net sam set disable\n"
406 " Disable/Enable a user"
410 net_sam_set_pwnotreq,
412 "Disable/Enable the password not required flag",
413 "net sam set pwnotreq\n"
414 " Disable/Enable the password not required flag"
418 net_sam_set_autolock,
420 "Disable/Enable a user's lockout flag",
421 "net sam set autolock\n"
422 " Disable/Enable a user's lockout flag"
428 "Disable/Enable whether a user's pw does not expire",
429 "net sam set pwnoexp\n"
430 " Disable/Enable whether a user's pw does not expire"
434 net_sam_set_pwdmustchangenow,
436 "Force users password must change at next logon",
437 "net sam set pwdmustchangenow\n"
438 " Force users password must change at next logon"
440 {NULL, NULL, 0, NULL, NULL}
443 return net_run_function(c, argc, argv, "net sam set", func);
447 * Manage account policies
450 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
452 const char *account_policy = NULL;
454 uint32 old_value = 0;
458 if (argc != 2 || c->display_usage) {
459 d_fprintf(stderr, "usage: net sam policy set "
460 "\"<account policy>\" <value> \n");
464 account_policy = argv[0];
465 field = account_policy_name_to_fieldnum(account_policy);
467 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
468 || strequal(argv[1], "off")) {
472 value = strtoul(argv[1], &endptr, 10);
474 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
475 d_printf("Unable to set policy \"%s\"! Invalid value "
477 account_policy, argv[1]);
486 account_policy_names_list(&names, &count);
487 d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]);
488 d_fprintf(stderr, "Valid account policies are:\n");
490 for (i=0; i<count; i++) {
491 d_fprintf(stderr, "%s\n", names[i]);
498 if (!pdb_get_account_policy(field, &old_value)) {
499 d_fprintf(stderr, "Valid account policy, but unable to fetch "
502 d_printf("Account policy \"%s\" value was: %d\n", account_policy,
506 if (!pdb_set_account_policy(field, value)) {
507 d_fprintf(stderr, "Valid account policy, but unable to "
511 d_printf("Account policy \"%s\" value is now: %d\n", account_policy,
518 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
520 const char *account_policy = NULL;
524 if (argc != 1 || c->display_usage) {
525 d_fprintf(stderr, "usage: net sam policy show"
526 " \"<account policy>\" \n");
530 account_policy = argv[0];
531 field = account_policy_name_to_fieldnum(account_policy);
537 account_policy_names_list(&names, &count);
538 d_fprintf(stderr, "No account policy by that name!\n");
540 d_fprintf(stderr, "Valid account policies "
542 for (i=0; i<count; i++) {
543 d_fprintf(stderr, "%s\n", names[i]);
550 if (!pdb_get_account_policy(field, &old_value)) {
551 fprintf(stderr, "Valid account policy, but unable to "
556 printf("Account policy \"%s\" description: %s\n",
557 account_policy, account_policy_get_desc(field));
558 printf("Account policy \"%s\" value is: %d\n", account_policy,
563 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
569 if (c->display_usage) {
571 "net sam policy list\n"
572 " List account policies\n");
576 account_policy_names_list(&names, &count);
578 d_fprintf(stderr, "Valid account policies "
580 for (i = 0; i < count ; i++) {
581 d_fprintf(stderr, "%s\n", names[i]);
588 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
590 struct functable func[] = {
595 "List account policies",
596 "net sam policy list\n"
597 " List account policies"
603 "Show account policies",
604 "net sam policy show\n"
605 " Show account policies"
611 "Change account policies",
612 "net sam policy set\n"
613 " Change account policies"
615 {NULL, NULL, 0, NULL, NULL}
618 return net_run_function(c, argc, argv, "net sam policy", func);
621 extern PRIVS privs[];
623 static int net_sam_rights_list(struct net_context *c, int argc,
628 if (argc > 1 || c->display_usage) {
629 d_fprintf(stderr, "usage: net sam rights list [privilege name]\n");
635 int num = count_all_privileges();
637 for (i=0; i<num; i++) {
638 d_printf("%s\n", privs[i].name);
643 if (se_priv_from_name(argv[0], &mask)) {
648 status = privilege_enum_sids(&mask, talloc_tos(),
650 if (!NT_STATUS_IS_OK(status)) {
651 d_fprintf(stderr, "Could not list rights: %s\n",
656 for (i=0; i<num_sids; i++) {
657 const char *dom, *name;
658 enum lsa_SidType type;
660 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
662 d_printf("%s\\%s\n", dom, name);
665 d_printf("%s\n", sid_string_tos(&sids[i]));
674 static int net_sam_rights_grant(struct net_context *c, int argc,
678 enum lsa_SidType type;
679 const char *dom, *name;
683 if (argc < 2 || c->display_usage) {
684 d_fprintf(stderr, "usage: net sam rights grant <name> "
689 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
690 &dom, &name, &sid, &type)) {
691 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
695 for (i=1; i < argc; i++) {
696 if (!se_priv_from_name(argv[i], &mask)) {
697 d_fprintf(stderr, "%s unknown\n", argv[i]);
701 if (!grant_privilege(&sid, &mask)) {
702 d_fprintf(stderr, "Could not grant privilege\n");
706 d_printf("Granted %s to %s\\%s\n", argv[i], dom, name);
712 static int net_sam_rights_revoke(struct net_context *c, int argc, const char **argv)
715 enum lsa_SidType type;
716 const char *dom, *name;
719 if (argc != 2 || c->display_usage) {
720 d_fprintf(stderr, "usage: net sam rights revoke <name> "
725 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
726 &dom, &name, &sid, &type)) {
727 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
731 if (!se_priv_from_name(argv[1], &mask)) {
732 d_fprintf(stderr, "%s unknown\n", argv[1]);
736 if (!revoke_privilege(&sid, &mask)) {
737 d_fprintf(stderr, "Could not revoke privilege\n");
741 d_printf("Revoked %s from %s\\%s\n", argv[1], dom, name);
745 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
747 struct functable func[] = {
752 "List possible user rights",
753 "net sam rights list\n"
754 " List possible user rights"
758 net_sam_rights_grant,
761 "net sam rights grant\n"
766 net_sam_rights_revoke,
769 "net sam rights revoke\n"
772 {NULL, NULL, 0, NULL, NULL}
774 return net_run_function(c, argc, argv, "net sam rights", func);
778 * Map a unix group to a domain group
781 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
785 const char *grpname, *dom, *name;
788 if (pdb_getgrgid(&map, grp->gr_gid)) {
789 return NT_STATUS_GROUP_EXISTS;
792 map.gid = grp->gr_gid;
793 grpname = grp->gr_name;
795 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
796 &dom, &name, NULL, NULL)) {
798 const char *tmp = talloc_asprintf(
799 talloc_tos(), "Unix Group %s", grp->gr_name);
801 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
802 grpname, dom, name, tmp));
806 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
807 NULL, NULL, NULL, NULL)) {
808 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
809 return NT_STATUS_GROUP_EXISTS;
812 fstrcpy(map.nt_name, grpname);
814 if (pdb_rid_algorithm()) {
815 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
817 if (!pdb_new_rid(&rid)) {
818 DEBUG(3, ("Could not get a new RID for %s\n",
820 return NT_STATUS_ACCESS_DENIED;
824 sid_compose(&map.sid, get_global_sam_sid(), rid);
825 map.sid_name_use = SID_NAME_DOM_GRP;
826 fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s",
829 status = pdb_add_group_mapping_entry(&map);
830 if (NT_STATUS_IS_OK(status)) {
836 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
842 if (argc != 1 || c->display_usage) {
843 d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n");
847 grp = getgrnam(argv[0]);
849 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
853 status = map_unix_group(grp, &map);
855 if (!NT_STATUS_IS_OK(status)) {
856 d_fprintf(stderr, "Mapping group %s failed with %s\n",
857 argv[0], nt_errstr(status));
861 d_printf("Mapped unix group %s to SID %s\n", argv[0],
862 sid_string_tos(&map.sid));
868 * Remove a group mapping
871 static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
878 map.gid = grp->gr_gid;
879 grpname = grp->gr_name;
881 if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
882 NULL, NULL, NULL, NULL)) {
883 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
884 return NT_STATUS_NO_SUCH_GROUP;
887 fstrcpy(map.nt_name, grpname);
889 if (!pdb_gid_to_sid(map.gid, &dom_sid)) {
890 return NT_STATUS_UNSUCCESSFUL;
893 status = pdb_delete_group_mapping_entry(dom_sid);
898 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
904 if (argc != 1 || c->display_usage) {
905 d_fprintf(stderr, "usage: net sam unmapunixgroup <name>\n");
909 grp = getgrnam(argv[0]);
911 d_fprintf(stderr, "Could not find mapping for group %s.\n", argv[0]);
915 status = unmap_unix_group(grp, &map);
917 if (!NT_STATUS_IS_OK(status)) {
918 d_fprintf(stderr, "Unmapping group %s failed with %s.\n",
919 argv[0], nt_errstr(status));
923 d_printf("Unmapped unix group %s.\n", argv[0]);
929 * Create a domain group
932 static int net_sam_createdomaingroup(struct net_context *c, int argc,
938 if (argc != 1 || c->display_usage) {
939 d_fprintf(stderr, "usage: net sam createdomaingroup <name>\n");
943 status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
945 if (!NT_STATUS_IS_OK(status)) {
946 d_fprintf(stderr, "Creating %s failed with %s\n",
947 argv[0], nt_errstr(status));
951 d_printf("Created domain group %s with RID %d\n", argv[0], rid);
957 * Delete a domain group
960 static int net_sam_deletedomaingroup(struct net_context *c, int argc,
965 enum lsa_SidType type;
966 const char *dom, *name;
969 if (argc != 1 || c->display_usage) {
970 d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n");
974 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
975 &dom, &name, &sid, &type)) {
976 d_fprintf(stderr, "Could not find %s.\n", argv[0]);
980 if (type != SID_NAME_DOM_GRP) {
981 d_fprintf(stderr, "%s is a %s, not a domain group.\n", argv[0],
982 sid_type_lookup(type));
986 sid_peek_rid(&sid, &rid);
988 status = pdb_delete_dom_group(talloc_tos(), rid);
990 if (!NT_STATUS_IS_OK(status)) {
991 d_fprintf(stderr, "Deleting domain group %s failed with %s\n",
992 argv[0], nt_errstr(status));
996 d_printf("Deleted domain group %s.\n", argv[0]);
1002 * Create a local group
1005 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1010 if (argc != 1 || c->display_usage) {
1011 d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n");
1015 if (!winbind_ping()) {
1016 d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
1017 "only works when winbind runs.\n");
1021 status = pdb_create_alias(argv[0], &rid);
1023 if (!NT_STATUS_IS_OK(status)) {
1024 d_fprintf(stderr, "Creating %s failed with %s\n",
1025 argv[0], nt_errstr(status));
1029 d_printf("Created local group %s with RID %d\n", argv[0], rid);
1035 * Delete a local group
1038 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1041 enum lsa_SidType type;
1042 const char *dom, *name;
1045 if (argc != 1 || c->display_usage) {
1046 d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n");
1050 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1051 &dom, &name, &sid, &type)) {
1052 d_fprintf(stderr, "Could not find %s.\n", argv[0]);
1056 if (type != SID_NAME_ALIAS) {
1057 d_fprintf(stderr, "%s is a %s, not a local group.\n", argv[0],
1058 sid_type_lookup(type));
1062 status = pdb_delete_alias(&sid);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 d_fprintf(stderr, "Deleting local group %s failed with %s\n",
1066 argv[0], nt_errstr(status));
1070 d_printf("Deleted local group %s.\n", argv[0]);
1076 * Create a builtin group
1079 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1083 enum lsa_SidType type;
1087 if (argc != 1 || c->display_usage) {
1088 d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n");
1092 if (!winbind_ping()) {
1093 d_fprintf(stderr, "winbind seems not to run. createbuiltingroup "
1094 "only works when winbind runs.\n");
1098 /* validate the name and get the group */
1100 fstrcpy( groupname, "BUILTIN\\" );
1101 fstrcat( groupname, argv[0] );
1103 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1104 NULL, &sid, &type)) {
1105 d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]);
1109 if ( !sid_peek_rid( &sid, &rid ) ) {
1110 d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]);
1114 status = pdb_create_builtin_alias( rid );
1116 if (!NT_STATUS_IS_OK(status)) {
1117 d_fprintf(stderr, "Creating %s failed with %s\n",
1118 argv[0], nt_errstr(status));
1122 d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid);
1128 * Add a group member
1131 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1133 const char *groupdomain, *groupname, *memberdomain, *membername;
1134 DOM_SID group, member;
1135 enum lsa_SidType grouptype, membertype;
1138 if (argc != 2 || c->display_usage) {
1139 d_fprintf(stderr, "usage: net sam addmem <group> <member>\n");
1143 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1144 &groupdomain, &groupname, &group, &grouptype)) {
1145 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
1149 /* check to see if the member to be added is a name or a SID */
1151 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1152 &memberdomain, &membername, &member, &membertype))
1154 /* try it as a SID */
1156 if ( !string_to_sid( &member, argv[1] ) ) {
1157 d_fprintf(stderr, "Could not find member %s\n", argv[1]);
1161 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1162 &membername, &membertype) )
1164 d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]);
1169 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1170 if ((membertype != SID_NAME_USER) &&
1171 (membertype != SID_NAME_DOM_GRP)) {
1172 d_fprintf(stderr, "%s is a local group, only users "
1173 "and domain groups can be added.\n"
1174 "%s is a %s\n", argv[0], argv[1],
1175 sid_type_lookup(membertype));
1178 status = pdb_add_aliasmem(&group, &member);
1180 if (!NT_STATUS_IS_OK(status)) {
1181 d_fprintf(stderr, "Adding local group member failed "
1182 "with %s\n", nt_errstr(status));
1185 } else if (grouptype == SID_NAME_DOM_GRP) {
1186 uint32_t grouprid, memberrid;
1188 sid_peek_rid(&group, &grouprid);
1189 sid_peek_rid(&member, &memberrid);
1191 status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1192 if (!NT_STATUS_IS_OK(status)) {
1193 d_fprintf(stderr, "Adding domain group member failed "
1194 "with %s\n", nt_errstr(status));
1198 d_fprintf(stderr, "Can only add members to local groups so "
1199 "far, %s is a %s\n", argv[0],
1200 sid_type_lookup(grouptype));
1204 d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername,
1205 groupdomain, groupname);
1211 * Delete a group member
1214 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1216 const char *groupdomain, *groupname;
1217 const char *memberdomain = NULL;
1218 const char *membername = NULL;
1219 DOM_SID group, member;
1220 enum lsa_SidType grouptype;
1223 if (argc != 2 || c->display_usage) {
1224 d_fprintf(stderr, "usage: net sam delmem <group> <member>\n");
1228 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1229 &groupdomain, &groupname, &group, &grouptype)) {
1230 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
1234 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1235 &memberdomain, &membername, &member, NULL)) {
1236 if (!string_to_sid(&member, argv[1])) {
1237 d_fprintf(stderr, "Could not find member %s\n",
1243 if ((grouptype == SID_NAME_ALIAS) ||
1244 (grouptype == SID_NAME_WKN_GRP)) {
1245 status = pdb_del_aliasmem(&group, &member);
1247 if (!NT_STATUS_IS_OK(status)) {
1248 d_fprintf(stderr, "Deleting local group member failed "
1249 "with %s\n", nt_errstr(status));
1252 } else if (grouptype == SID_NAME_DOM_GRP) {
1253 uint32_t grouprid, memberrid;
1255 sid_peek_rid(&group, &grouprid);
1256 sid_peek_rid(&member, &memberrid);
1258 status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1259 if (!NT_STATUS_IS_OK(status)) {
1260 d_fprintf(stderr, "Deleting domain group member "
1261 "failed with %s\n", nt_errstr(status));
1265 d_fprintf(stderr, "Can only delete members from local groups "
1266 "so far, %s is a %s\n", argv[0],
1267 sid_type_lookup(grouptype));
1271 if (membername != NULL) {
1272 d_printf("Deleted %s\\%s from %s\\%s\n",
1273 memberdomain, membername, groupdomain, groupname);
1275 d_printf("Deleted %s from %s\\%s\n",
1276 sid_string_tos(&member), groupdomain, groupname);
1283 * List group members
1286 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1288 const char *groupdomain, *groupname;
1290 DOM_SID *members = NULL;
1291 size_t i, num_members = 0;
1292 enum lsa_SidType grouptype;
1295 if (argc != 1 || c->display_usage) {
1296 d_fprintf(stderr, "usage: net sam listmem <group>\n");
1300 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1301 &groupdomain, &groupname, &group, &grouptype)) {
1302 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
1306 if ((grouptype == SID_NAME_ALIAS) ||
1307 (grouptype == SID_NAME_WKN_GRP)) {
1308 status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1310 if (!NT_STATUS_IS_OK(status)) {
1311 d_fprintf(stderr, "Listing group members failed with "
1312 "%s\n", nt_errstr(status));
1315 } else if (grouptype == SID_NAME_DOM_GRP) {
1318 status = pdb_enum_group_members(talloc_tos(), &group,
1319 &rids, &num_members);
1320 if (!NT_STATUS_IS_OK(status)) {
1321 d_fprintf(stderr, "Listing group members failed with "
1322 "%s\n", nt_errstr(status));
1326 members = talloc_array(talloc_tos(), struct dom_sid,
1328 if (members == NULL) {
1333 for (i=0; i<num_members; i++) {
1334 sid_compose(&members[i], get_global_sam_sid(),
1339 d_fprintf(stderr, "Can only list local group members so far.\n"
1340 "%s is a %s\n", argv[0], sid_type_lookup(grouptype));
1344 d_printf("%s\\%s has %u members\n", groupdomain, groupname,
1345 (unsigned int)num_members);
1346 for (i=0; i<num_members; i++) {
1347 const char *dom, *name;
1348 if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1349 d_printf(" %s\\%s\n", dom, name);
1351 d_printf(" %s\n", sid_string_tos(&members[i]));
1355 TALLOC_FREE(members);
1363 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1364 struct pdb_search *search, const char *what)
1366 bool verbose = (argc == 1);
1368 if ((argc > 1) || c->display_usage ||
1369 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1370 d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what);
1374 if (search == NULL) {
1375 d_fprintf(stderr, "Could not start search\n");
1380 struct samr_displayentry entry;
1381 if (!search->next_entry(search, &entry)) {
1385 d_printf("%s:%d:%s\n",
1390 d_printf("%s\n", entry.account_name);
1394 TALLOC_FREE(search);
1398 static int net_sam_list_users(struct net_context *c, int argc,
1401 return net_sam_do_list(c, argc, argv,
1402 pdb_search_users(talloc_tos(), ACB_NORMAL),
1406 static int net_sam_list_groups(struct net_context *c, int argc,
1409 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1413 static int net_sam_list_localgroups(struct net_context *c, int argc,
1416 return net_sam_do_list(c, argc, argv,
1417 pdb_search_aliases(talloc_tos(),
1418 get_global_sam_sid()),
1422 static int net_sam_list_builtin(struct net_context *c, int argc,
1425 return net_sam_do_list(c, argc, argv,
1426 pdb_search_aliases(talloc_tos(),
1427 &global_sid_Builtin),
1431 static int net_sam_list_workstations(struct net_context *c, int argc,
1434 return net_sam_do_list(c, argc, argv,
1435 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1443 static int net_sam_list(struct net_context *c, int argc, const char **argv)
1445 struct functable func[] = {
1449 NET_TRANSPORT_LOCAL,
1451 "net sam list users\n"
1456 net_sam_list_groups,
1457 NET_TRANSPORT_LOCAL,
1459 "net sam list groups\n"
1464 net_sam_list_localgroups,
1465 NET_TRANSPORT_LOCAL,
1466 "List SAM local groups",
1467 "net sam list localgroups\n"
1468 " List SAM local groups"
1472 net_sam_list_builtin,
1473 NET_TRANSPORT_LOCAL,
1474 "List builtin groups",
1475 "net sam list builtin\n"
1476 " List builtin groups"
1480 net_sam_list_workstations,
1481 NET_TRANSPORT_LOCAL,
1482 "List domain member workstations",
1483 "net sam list workstations\n"
1484 " List domain member workstations"
1486 {NULL, NULL, 0, NULL, NULL}
1489 return net_run_function(c, argc, argv, "net sam list", func);
1493 * Show details of SAM entries
1496 static int net_sam_show(struct net_context *c, int argc, const char **argv)
1499 enum lsa_SidType type;
1500 const char *dom, *name;
1502 if (argc != 1 || c->display_usage) {
1503 d_fprintf(stderr, "usage: net sam show <name>\n");
1507 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1508 &dom, &name, &sid, &type)) {
1509 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
1513 d_printf("%s\\%s is a %s with SID %s\n", dom, name,
1514 sid_type_lookup(type), sid_string_tos(&sid));
1522 * Init an LDAP tree with default users and Groups
1523 * if ldapsam:editposix is enabled
1526 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1530 char *ldap_uri = NULL;
1532 struct smbldap_state *ls;
1535 gid_t domusers_gid = -1;
1536 gid_t domadmins_gid = -1;
1537 struct samu *samuser;
1540 if (c->display_usage) {
1542 "net sam provision\n"
1543 " Init an LDAP tree with default users/groups\n");
1547 tc = talloc_new(NULL);
1549 d_fprintf(stderr, "Out of Memory!\n");
1553 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1554 d_fprintf(stderr, "talloc failed\n");
1558 p = strchr(ldap_bk, ':');
1561 ldap_uri = talloc_strdup(tc, p+1);
1562 trim_char(ldap_uri, ' ', ' ');
1565 trim_char(ldap_bk, ' ', ' ');
1567 if (strcmp(ldap_bk, "ldapsam") != 0) {
1568 d_fprintf(stderr, "Provisioning works only with ldapsam backend\n");
1572 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1573 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1575 d_fprintf(stderr, "Provisioning works only if ldapsam:trusted"
1576 " and ldapsam:editposix are enabled.\n");
1580 if (!winbind_ping()) {
1581 d_fprintf(stderr, "winbind seems not to run. Provisioning "
1582 "LDAP only works when winbind runs.\n");
1586 if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
1587 d_fprintf(stderr, "Unable to connect to the LDAP server.\n");
1591 d_printf("Checking for Domain Users group.\n");
1593 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
1595 if (!pdb_getgrsid(&gmap, gsid)) {
1596 LDAPMod **mods = NULL;
1604 d_printf("Adding the Domain Users group.\n");
1606 /* lets allocate a new groupid for this group */
1607 if (!winbind_allocate_gid(&domusers_gid)) {
1608 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n");
1612 uname = talloc_strdup(tc, "domusers");
1613 wname = talloc_strdup(tc, "Domain Users");
1614 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
1615 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1616 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1618 if (!uname || !wname || !dn || !gidstr || !gtype) {
1619 d_fprintf(stderr, "Out of Memory!\n");
1623 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1624 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1625 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1626 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1627 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1628 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1629 sid_string_talloc(tc, &gsid));
1630 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1632 talloc_autofree_ldapmod(tc, mods);
1634 rc = smbldap_add(ls, dn, mods);
1636 if (rc != LDAP_SUCCESS) {
1637 d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n");
1640 domusers_gid = gmap.gid;
1641 d_printf("found!\n");
1646 d_printf("Checking for Domain Admins group.\n");
1648 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
1650 if (!pdb_getgrsid(&gmap, gsid)) {
1651 LDAPMod **mods = NULL;
1659 d_printf("Adding the Domain Admins group.\n");
1661 /* lets allocate a new groupid for this group */
1662 if (!winbind_allocate_gid(&domadmins_gid)) {
1663 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n");
1667 uname = talloc_strdup(tc, "domadmins");
1668 wname = talloc_strdup(tc, "Domain Admins");
1669 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
1670 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1671 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1673 if (!uname || !wname || !dn || !gidstr || !gtype) {
1674 d_fprintf(stderr, "Out of Memory!\n");
1678 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1679 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1680 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1681 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1682 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1683 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1684 sid_string_talloc(tc, &gsid));
1685 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1687 talloc_autofree_ldapmod(tc, mods);
1689 rc = smbldap_add(ls, dn, mods);
1691 if (rc != LDAP_SUCCESS) {
1692 d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n");
1695 domadmins_gid = gmap.gid;
1696 d_printf("found!\n");
1701 d_printf("Check for Administrator account.\n");
1703 samuser = samu_new(tc);
1705 d_fprintf(stderr, "Out of Memory!\n");
1709 if (!pdb_getsampwnam(samuser, "Administrator")) {
1710 LDAPMod **mods = NULL;
1721 d_printf("Adding the Administrator user.\n");
1723 if (domadmins_gid == -1) {
1724 d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n");
1727 if (!winbind_allocate_uid(&uid)) {
1728 d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n");
1731 name = talloc_strdup(tc, "Administrator");
1732 dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
1733 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1734 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1735 dir = talloc_sub_specified(tc, lp_template_homedir(),
1737 get_global_sam_name(),
1738 uid, domadmins_gid);
1739 shell = talloc_sub_specified(tc, lp_template_shell(),
1741 get_global_sam_name(),
1742 uid, domadmins_gid);
1744 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1745 d_fprintf(stderr, "Out of Memory!\n");
1749 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
1751 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1752 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1753 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1754 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1755 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1756 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1757 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1758 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1759 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1760 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1761 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1762 sid_string_talloc(tc, &sid));
1763 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1764 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1765 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1767 talloc_autofree_ldapmod(tc, mods);
1769 rc = smbldap_add(ls, dn, mods);
1771 if (rc != LDAP_SUCCESS) {
1772 d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n");
1775 d_printf("found!\n");
1778 d_printf("Checking for Guest user.\n");
1780 samuser = samu_new(tc);
1782 d_fprintf(stderr, "Out of Memory!\n");
1786 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1787 LDAPMod **mods = NULL;
1794 d_printf("Adding the Guest user.\n");
1796 pwd = getpwnam_alloc(tc, lp_guestaccount());
1799 if (domusers_gid == -1) {
1800 d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n");
1803 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1804 d_fprintf(stderr, "talloc failed\n");
1807 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1808 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1809 d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n");
1812 pwd->pw_gid = domusers_gid;
1813 pwd->pw_dir = talloc_strdup(tc, "/");
1814 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1815 if (!pwd->pw_dir || !pwd->pw_shell) {
1816 d_fprintf(stderr, "Out of Memory!\n");
1821 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
1823 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
1824 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
1825 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1826 if (!dn || !uidstr || !gidstr) {
1827 d_fprintf(stderr, "Out of Memory!\n");
1831 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1832 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1833 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1834 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
1835 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
1836 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
1837 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1838 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1839 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
1840 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
1842 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
1843 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
1845 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1846 sid_string_talloc(tc, &sid));
1847 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1848 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1849 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1851 talloc_autofree_ldapmod(tc, mods);
1853 rc = smbldap_add(ls, dn, mods);
1855 if (rc != LDAP_SUCCESS) {
1856 d_fprintf(stderr, "Failed to add Guest user to ldap directory\n");
1859 d_printf("found!\n");
1862 d_printf("Checking Guest's group.\n");
1864 pwd = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
1866 d_fprintf(stderr, "Failed to find just created Guest account!\n"
1867 " Is nss properly configured?!\n");
1871 if (pwd->pw_gid == domusers_gid) {
1872 d_printf("found!\n");
1876 if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
1877 LDAPMod **mods = NULL;
1885 d_printf("Adding the Domain Guests group.\n");
1887 uname = talloc_strdup(tc, "domguests");
1888 wname = talloc_strdup(tc, "Domain Guests");
1889 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
1890 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1891 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1893 if (!uname || !wname || !dn || !gidstr || !gtype) {
1894 d_fprintf(stderr, "Out of Memory!\n");
1898 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
1900 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1901 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1902 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1903 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1904 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1905 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1906 sid_string_talloc(tc, &gsid));
1907 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1909 talloc_autofree_ldapmod(tc, mods);
1911 rc = smbldap_add(ls, dn, mods);
1913 if (rc != LDAP_SUCCESS) {
1914 d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n");
1917 d_printf("found!\n");
1932 /***********************************************************
1933 migrated functionality from smbgroupedit
1934 **********************************************************/
1935 int net_sam(struct net_context *c, int argc, const char **argv)
1937 struct functable func[] = {
1939 "createbuiltingroup",
1940 net_sam_createbuiltingroup,
1941 NET_TRANSPORT_LOCAL,
1942 "Create a new BUILTIN group",
1943 "net sam createbuiltingroup\n"
1944 " Create a new BUILTIN group"
1948 net_sam_createlocalgroup,
1949 NET_TRANSPORT_LOCAL,
1950 "Create a new local group",
1951 "net sam createlocalgroup\n"
1952 " Create a new local group"
1955 "createdomaingroup",
1956 net_sam_createdomaingroup,
1957 NET_TRANSPORT_LOCAL,
1958 "Create a new group",
1959 "net sam createdomaingroup\n"
1960 " Create a new group"
1964 net_sam_deletelocalgroup,
1965 NET_TRANSPORT_LOCAL,
1966 "Delete an existing local group",
1967 "net sam deletelocalgroup\n"
1968 " Delete an existing local group"
1971 "deletedomaingroup",
1972 net_sam_deletedomaingroup,
1973 NET_TRANSPORT_LOCAL,
1974 "Delete a domain group",
1975 "net sam deletedomaingroup\n"
1980 net_sam_mapunixgroup,
1981 NET_TRANSPORT_LOCAL,
1982 "Map a unix group to a domain group",
1983 "net sam mapunixgroup\n"
1984 " Map a unix group to a domain group"
1988 net_sam_unmapunixgroup,
1989 NET_TRANSPORT_LOCAL,
1990 "Remove a group mapping of an unix group to a domain "
1992 "net sam unmapunixgroup\n"
1993 " Remove a group mapping of an unix group to a "
1999 NET_TRANSPORT_LOCAL,
2000 "Add a member to a group",
2002 " Add a member to a group"
2007 NET_TRANSPORT_LOCAL,
2008 "Delete a member from a group",
2010 " Delete a member from a group"
2015 NET_TRANSPORT_LOCAL,
2016 "List group members",
2018 " List group members"
2023 NET_TRANSPORT_LOCAL,
2024 "List users, groups and local groups",
2026 " List users, groups and local groups"
2031 NET_TRANSPORT_LOCAL,
2032 "Show details of a SAM entry",
2034 " Show details of a SAM entry"
2039 NET_TRANSPORT_LOCAL,
2040 "Set details of a SAM account",
2042 " Set details of a SAM account"
2047 NET_TRANSPORT_LOCAL,
2048 "Set account policies",
2050 " Set account policies"
2055 NET_TRANSPORT_LOCAL,
2056 "Manipulate user privileges",
2058 " Manipulate user privileges"
2064 NET_TRANSPORT_LOCAL,
2065 "Provision a clean user database",
2066 "net sam privison\n"
2067 " Provision a clear user database"
2070 {NULL, NULL, 0, NULL, NULL}
2073 if (getuid() != 0) {
2074 d_fprintf(stderr, "You are not root, most things won't "
2078 return net_run_function(c, argc, argv, "net sam", func);