2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
25 #include "librpc/gen_ndr/ndr_krb5pac.h"
26 #include "../librpc/gen_ndr/cli_spoolss.h"
27 #include "nsswitch/libwbclient/wbclient.h"
31 /* when we do not have sufficient input parameters to contact a remote domain
32 * we always fall back to our own realm - Guenther*/
34 static const char *assume_own_realm(struct net_context *c)
36 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
44 do a cldap netlogon query
46 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
48 char addr[INET6_ADDRSTRLEN];
49 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
51 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
52 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
53 d_fprintf(stderr, _("CLDAP query failed!\n"));
57 d_printf(_("Information for Domain Controller: %s\n\n"),
60 d_printf(_("Response Type: "));
61 switch (reply.command) {
62 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
63 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
65 case LOGON_SAM_LOGON_RESPONSE_EX:
66 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
69 d_printf("0x%x\n", reply.command);
73 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
77 "\tIs a GC of the forest: %s\n"
78 "\tIs an LDAP server: %s\n"
80 "\tIs running a KDC: %s\n"
81 "\tIs running time services: %s\n"
82 "\tIs the closest DC: %s\n"
84 "\tHas a hardware clock: %s\n"
85 "\tIs a non-domain NC serviced by LDAP server: %s\n"
86 "\tIs NT6 DC that has some secrets: %s\n"
87 "\tIs NT6 DC that has all secrets: %s\n"),
88 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
89 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
90 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
91 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
92 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
93 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
94 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
95 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
96 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
97 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
98 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
99 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"));
102 printf(_("Forest:\t\t\t%s\n"), reply.forest);
103 printf(_("Domain:\t\t\t%s\n"), reply.dns_domain);
104 printf(_("Domain Controller:\t%s\n"), reply.pdc_dns_name);
106 printf(_("Pre-Win2k Domain:\t%s\n"), reply.domain);
107 printf(_("Pre-Win2k Hostname:\t%s\n"), reply.pdc_name);
109 if (*reply.user_name) printf(_("User name:\t%s\n"), reply.user_name);
111 printf(_("Server Site Name :\t\t%s\n"), reply.server_site);
112 printf(_("Client Site Name :\t\t%s\n"), reply.client_site);
114 d_printf(_("NT Version: %d\n"), reply.nt_version);
115 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
116 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
122 this implements the CLDAP based netlogon lookup requests
123 for finding the domain controller of a ADS domain
125 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
130 if (c->display_usage) {
135 _("Find the ADS DC using CLDAP lookup.\n"));
139 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
140 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
145 if (!ads->config.realm) {
146 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
147 ads->ldap.port = 389;
150 ret = net_ads_cldap_netlogon(c, ads);
157 static int net_ads_info(struct net_context *c, int argc, const char **argv)
160 char addr[INET6_ADDRSTRLEN];
162 if (c->display_usage) {
167 _("Display information about an Active Directory "
172 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
173 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
177 if (!ads || !ads->config.realm) {
178 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
183 /* Try to set the server's current time since we didn't do a full
184 TCP LDAP session initially */
186 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
187 d_fprintf( stderr, _("Failed to get server's current time!\n"));
190 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
192 d_printf(_("LDAP server: %s\n"), addr);
193 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
194 d_printf(_("Realm: %s\n"), ads->config.realm);
195 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
196 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
197 d_printf(_("Server time: %s\n"),
198 http_timestring(talloc_tos(), ads->config.current_time));
200 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
201 d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
207 static void use_in_memory_ccache(void) {
208 /* Use in-memory credentials cache so we do not interfere with
209 * existing credentials */
210 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
213 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
214 uint32 auth_flags, ADS_STRUCT **ads_ret)
216 ADS_STRUCT *ads = NULL;
218 bool need_password = false;
219 bool second_time = false;
221 const char *realm = NULL;
222 bool tried_closest_dc = false;
224 /* lp_realm() should be handled by a command line param,
225 However, the join requires that realm be set in smb.conf
226 and compares our realm with the remote server's so this is
227 ok until someone needs more flexibility */
232 if (only_own_domain) {
235 realm = assume_own_realm(c);
238 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
240 if (!c->opt_user_name) {
241 c->opt_user_name = "administrator";
244 if (c->opt_user_specified) {
245 need_password = true;
249 if (!c->opt_password && need_password && !c->opt_machine_pass) {
250 c->opt_password = net_prompt_pass(c, c->opt_user_name);
251 if (!c->opt_password) {
253 return ADS_ERROR(LDAP_NO_MEMORY);
257 if (c->opt_password) {
258 use_in_memory_ccache();
259 SAFE_FREE(ads->auth.password);
260 ads->auth.password = smb_xstrdup(c->opt_password);
263 ads->auth.flags |= auth_flags;
264 SAFE_FREE(ads->auth.user_name);
265 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
268 * If the username is of the form "name@realm",
269 * extract the realm and convert to upper case.
270 * This is only used to establish the connection.
272 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
274 SAFE_FREE(ads->auth.realm);
275 ads->auth.realm = smb_xstrdup(cp);
276 strupper_m(ads->auth.realm);
279 status = ads_connect(ads);
281 if (!ADS_ERR_OK(status)) {
283 if (NT_STATUS_EQUAL(ads_ntstatus(status),
284 NT_STATUS_NO_LOGON_SERVERS)) {
285 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
290 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
291 need_password = true;
300 /* when contacting our own domain, make sure we use the closest DC.
301 * This is done by reconnecting to ADS because only the first call to
302 * ads_connect will give us our own sitename */
304 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
306 tried_closest_dc = true; /* avoid loop */
308 if (!ads_closest_dc(ads)) {
310 namecache_delete(ads->server.realm, 0x1C);
311 namecache_delete(ads->server.workgroup, 0x1C);
324 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
326 return ads_startup_int(c, only_own_domain, 0, ads);
329 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
331 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
335 Check to see if connection can be made via ads.
336 ads_startup() stores the password in opt_password if it needs to so
337 that rpc or rap can use it without re-prompting.
339 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
344 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
348 ads->auth.flags |= ADS_AUTH_NO_BIND;
350 status = ads_connect(ads);
351 if ( !ADS_ERR_OK(status) ) {
359 int net_ads_check_our_domain(struct net_context *c)
361 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
364 int net_ads_check(struct net_context *c)
366 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
370 determine the netbios workgroup name for a domain
372 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
375 char addr[INET6_ADDRSTRLEN];
376 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
378 if (c->display_usage) {
380 "net ads workgroup\n"
383 _("Print the workgroup name"));
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, _("CLDAP query failed!\n"));
404 d_printf(_("Workgroup: %s\n"), reply.domain);
413 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
415 char **disp_fields = (char **) data_area;
417 if (!field) { /* must be end of record */
418 if (disp_fields[0]) {
419 if (!strchr_m(disp_fields[0], '$')) {
421 d_printf("%-21.21s %s\n",
422 disp_fields[0], disp_fields[1]);
424 d_printf("%s\n", disp_fields[0]);
427 SAFE_FREE(disp_fields[0]);
428 SAFE_FREE(disp_fields[1]);
431 if (!values) /* must be new field, indicate string field */
433 if (StrCaseCmp(field, "sAMAccountName") == 0) {
434 disp_fields[0] = SMB_STRDUP((char *) values[0]);
436 if (StrCaseCmp(field, "description") == 0)
437 disp_fields[1] = SMB_STRDUP((char *) values[0]);
441 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
443 return net_user_usage(c, argc, argv);
446 static int ads_user_add(struct net_context *c, int argc, const char **argv)
451 LDAPMessage *res=NULL;
455 if (argc < 1 || c->display_usage)
456 return net_ads_user_usage(c, argc, argv);
458 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
462 status = ads_find_user_acct(ads, &res, argv[0]);
464 if (!ADS_ERR_OK(status)) {
465 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
469 if (ads_count_replies(ads, res)) {
470 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
475 if (c->opt_container) {
476 ou_str = SMB_STRDUP(c->opt_container);
478 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
481 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
483 if (!ADS_ERR_OK(status)) {
484 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
489 /* if no password is to be set, we're done */
491 d_printf(_("User %s added\n"), argv[0]);
496 /* try setting the password */
497 if (asprintf(&upn, "%s@%s", argv[0], ads->config.realm) == -1) {
500 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
501 ads->auth.time_offset);
503 if (ADS_ERR_OK(status)) {
504 d_printf(_("User %s added\n"), argv[0]);
509 /* password didn't set, delete account */
510 d_fprintf(stderr, _("Could not add user %s. "
511 "Error setting password %s\n"),
512 argv[0], ads_errstr(status));
513 ads_msgfree(ads, res);
514 status=ads_find_user_acct(ads, &res, argv[0]);
515 if (ADS_ERR_OK(status)) {
516 userdn = ads_get_dn(ads, talloc_tos(), res);
517 ads_del_dn(ads, userdn);
523 ads_msgfree(ads, res);
529 static int ads_user_info(struct net_context *c, int argc, const char **argv)
531 ADS_STRUCT *ads = NULL;
533 LDAPMessage *res = NULL;
537 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
538 char *searchstring=NULL;
542 DOM_SID primary_group_sid;
544 enum SID_NAME_USE type;
546 if (argc < 1 || c->display_usage) {
547 return net_ads_user_usage(c, argc, argv);
550 frame = talloc_new(talloc_tos());
555 escaped_user = escape_ldap_string(frame, argv[0]);
558 _("ads_user_info: failed to escape user %s\n"),
563 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
568 if (asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user) == -1) {
572 rc = ads_search(ads, &res, searchstring, attrs);
573 SAFE_FREE(searchstring);
575 if (!ADS_ERR_OK(rc)) {
576 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(rc));
581 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
582 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
587 rc = ads_domain_sid(ads, &primary_group_sid);
588 if (!ADS_ERR_OK(rc)) {
589 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(rc));
594 sid_append_rid(&primary_group_sid, group_rid);
596 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
597 NULL, /* don't look up domain */
599 (enum wbcSidType *) &type);
600 if (!WBC_ERROR_IS_OK(wbc_status)) {
601 d_fprintf(stderr, "wbcLookupSid: %s\n",
602 wbcErrorString(wbc_status));
607 d_printf("%s\n", primary_group);
609 wbcFreeMemory(primary_group);
611 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
612 (LDAPMessage *)res, "memberOf");
617 for (i=0;grouplist[i];i++) {
618 groupname = ldap_explode_dn(grouplist[i], 1);
619 d_printf("%s\n", groupname[0]);
620 ldap_value_free(groupname);
622 ldap_value_free(grouplist);
626 if (res) ads_msgfree(ads, res);
627 if (ads) ads_destroy(&ads);
632 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
636 LDAPMessage *res = NULL;
640 return net_ads_user_usage(c, argc, argv);
643 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
647 rc = ads_find_user_acct(ads, &res, argv[0]);
648 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
649 d_printf(_("User %s does not exist.\n"), argv[0]);
650 ads_msgfree(ads, res);
654 userdn = ads_get_dn(ads, talloc_tos(), res);
655 ads_msgfree(ads, res);
656 rc = ads_del_dn(ads, userdn);
658 if (ADS_ERR_OK(rc)) {
659 d_printf(_("User %s deleted\n"), argv[0]);
663 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
669 int net_ads_user(struct net_context *c, int argc, const char **argv)
671 struct functable func[] = {
676 N_("Add an AD user"),
677 N_("net ads user add\n"
684 N_("Display information about an AD user"),
685 N_("net ads user info\n"
686 " Display information about an AD user")
692 N_("Delete an AD user"),
693 N_("net ads user delete\n"
694 " Delete an AD user")
696 {NULL, NULL, 0, NULL, NULL}
700 const char *shortattrs[] = {"sAMAccountName", NULL};
701 const char *longattrs[] = {"sAMAccountName", "description", NULL};
702 char *disp_fields[2] = {NULL, NULL};
705 if (c->display_usage) {
711 net_display_usage_from_functable(func);
715 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
719 if (c->opt_long_list_entries)
720 d_printf(_("\nUser name Comment"
721 "\n-----------------------------\n"));
723 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
725 "(objectCategory=user)",
726 c->opt_long_list_entries ? longattrs :
727 shortattrs, usergrp_display,
730 return ADS_ERR_OK(rc) ? 0 : -1;
733 return net_run_function(c, argc, argv, "net ads user", func);
736 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
738 return net_group_usage(c, argc, argv);
741 static int ads_group_add(struct net_context *c, int argc, const char **argv)
745 LDAPMessage *res=NULL;
749 if (argc < 1 || c->display_usage) {
750 return net_ads_group_usage(c, argc, argv);
753 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
757 status = ads_find_user_acct(ads, &res, argv[0]);
759 if (!ADS_ERR_OK(status)) {
760 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
764 if (ads_count_replies(ads, res)) {
765 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
769 if (c->opt_container) {
770 ou_str = SMB_STRDUP(c->opt_container);
772 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
775 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
777 if (ADS_ERR_OK(status)) {
778 d_printf(_("Group %s added\n"), argv[0]);
781 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
787 ads_msgfree(ads, res);
793 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
797 LDAPMessage *res = NULL;
800 if (argc < 1 || c->display_usage) {
801 return net_ads_group_usage(c, argc, argv);
804 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
808 rc = ads_find_user_acct(ads, &res, argv[0]);
809 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
810 d_printf(_("Group %s does not exist.\n"), argv[0]);
811 ads_msgfree(ads, res);
815 groupdn = ads_get_dn(ads, talloc_tos(), res);
816 ads_msgfree(ads, res);
817 rc = ads_del_dn(ads, groupdn);
818 TALLOC_FREE(groupdn);
819 if (ADS_ERR_OK(rc)) {
820 d_printf(_("Group %s deleted\n"), argv[0]);
824 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
830 int net_ads_group(struct net_context *c, int argc, const char **argv)
832 struct functable func[] = {
837 N_("Add an AD group"),
838 N_("net ads group add\n"
845 N_("Delete an AD group"),
846 N_("net ads group delete\n"
847 " Delete an AD group")
849 {NULL, NULL, 0, NULL, NULL}
853 const char *shortattrs[] = {"sAMAccountName", NULL};
854 const char *longattrs[] = {"sAMAccountName", "description", NULL};
855 char *disp_fields[2] = {NULL, NULL};
858 if (c->display_usage) {
863 _("List AD groups"));
864 net_display_usage_from_functable(func);
868 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
872 if (c->opt_long_list_entries)
873 d_printf(_("\nGroup name Comment"
874 "\n-----------------------------\n"));
875 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
877 "(objectCategory=group)",
878 c->opt_long_list_entries ? longattrs :
879 shortattrs, usergrp_display,
883 return ADS_ERR_OK(rc) ? 0 : -1;
885 return net_run_function(c, argc, argv, "net ads group", func);
888 static int net_ads_status(struct net_context *c, int argc, const char **argv)
894 if (c->display_usage) {
899 _("Display machine account details"));
903 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
907 rc = ads_find_machine_acct(ads, &res, global_myname());
908 if (!ADS_ERR_OK(rc)) {
909 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"), ads_errstr(rc));
914 if (ads_count_replies(ads, res) == 0) {
915 d_fprintf(stderr, _("No machine account for '%s' found\n"), global_myname());
925 /*******************************************************************
926 Leave an AD domain. Windows XP disables the machine account.
927 We'll try the same. The old code would do an LDAP delete.
928 That only worked using the machine creds because added the machine
929 with full control to the computer object's ACL.
930 *******************************************************************/
932 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
935 struct libnet_UnjoinCtx *r = NULL;
938 if (c->display_usage) {
943 _("Leave an AD domain"));
948 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
952 if (!(ctx = talloc_init("net_ads_leave"))) {
953 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
957 if (!c->opt_kerberos) {
958 use_in_memory_ccache();
961 werr = libnet_init_UnjoinCtx(ctx, &r);
962 if (!W_ERROR_IS_OK(werr)) {
963 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
968 r->in.use_kerberos = c->opt_kerberos;
969 r->in.dc_name = c->opt_host;
970 r->in.domain_name = lp_realm();
971 r->in.admin_account = c->opt_user_name;
972 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
973 r->in.modify_config = lp_config_backend_is_registry();
975 /* Try to delete it, but if that fails, disable it. The
976 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
977 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
978 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
979 r->in.delete_machine_account = true;
981 werr = libnet_Unjoin(ctx, r);
982 if (!W_ERROR_IS_OK(werr)) {
983 d_printf(_("Failed to leave domain: %s\n"),
984 r->out.error_string ? r->out.error_string :
985 get_friendly_werror_msg(werr));
989 if (r->out.deleted_machine_account) {
990 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
991 r->in.machine_name, r->out.dns_domain_name);
995 /* We couldn't delete it - see if the disable succeeded. */
996 if (r->out.disabled_machine_account) {
997 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
998 r->in.machine_name, r->out.dns_domain_name);
1003 /* Based on what we requseted, we shouldn't get here, but if
1004 we did, it means the secrets were removed, and therefore
1005 we have left the domain */
1006 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1007 r->in.machine_name, r->out.dns_domain_name);
1013 if (W_ERROR_IS_OK(werr)) {
1020 static NTSTATUS net_ads_join_ok(struct net_context *c)
1022 ADS_STRUCT *ads = NULL;
1025 struct sockaddr_storage dcip;
1027 if (!secrets_init()) {
1028 DEBUG(1,("Failed to initialise secrets database\n"));
1029 return NT_STATUS_ACCESS_DENIED;
1032 net_use_krb_machine_account(c);
1034 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1036 status = ads_startup(c, true, &ads);
1037 if (!ADS_ERR_OK(status)) {
1038 return ads_ntstatus(status);
1042 return NT_STATUS_OK;
1046 check that an existing join is OK
1048 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1051 use_in_memory_ccache();
1053 if (c->display_usage) {
1055 "net ads testjoin\n"
1058 _("Test if the existing join is ok"));
1062 /* Display success or failure */
1063 status = net_ads_join_ok(c);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1066 get_friendly_nt_error_msg(status));
1070 printf(_("Join is OK\n"));
1074 /*******************************************************************
1075 Simple configu checks before beginning the join
1076 ********************************************************************/
1078 static WERROR check_ads_config( void )
1080 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1081 d_printf(_("Host is not configured as a member server.\n"));
1082 return WERR_INVALID_DOMAIN_ROLE;
1085 if (strlen(global_myname()) > 15) {
1086 d_printf(_("Our netbios name can be at most 15 chars long, "
1087 "\"%s\" is %u chars long\n"), global_myname(),
1088 (unsigned int)strlen(global_myname()));
1089 return WERR_INVALID_COMPUTERNAME;
1092 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1093 d_fprintf(stderr, _("realm must be set in in %s for ADS "
1094 "join to succeed.\n"), get_dyn_CONFIGFILE());
1095 return WERR_INVALID_PARAM;
1101 /*******************************************************************
1102 Send a DNS update request
1103 *******************************************************************/
1105 #if defined(WITH_DNS_UPDATES)
1107 DNS_ERROR DoDNSUpdate(char *pszServerName,
1108 const char *pszDomainName, const char *pszHostName,
1109 const struct sockaddr_storage *sslist,
1112 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
1113 const char *machine_name,
1114 const struct sockaddr_storage *addrs,
1117 struct dns_rr_ns *nameservers = NULL;
1119 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1122 const char *dnsdomain = NULL;
1123 char *root_domain = NULL;
1125 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
1126 d_printf(_("No DNS domain configured for %s. "
1127 "Unable to perform DNS Update.\n"), machine_name);
1128 status = NT_STATUS_INVALID_PARAMETER;
1133 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
1134 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1135 /* Child domains often do not have NS records. Look
1136 for the NS record for the forest root domain
1137 (rootDomainNamingContext in therootDSE) */
1139 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
1140 LDAPMessage *msg = NULL;
1142 ADS_STATUS ads_status;
1144 if ( !ads->ldap.ld ) {
1145 ads_status = ads_connect( ads );
1146 if ( !ADS_ERR_OK(ads_status) ) {
1147 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1152 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1153 "(objectclass=*)", rootname_attrs, &msg);
1154 if (!ADS_ERR_OK(ads_status)) {
1158 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1160 ads_msgfree( ads, msg );
1164 root_domain = ads_build_domain( root_dn );
1167 ads_msgfree( ads, msg );
1169 /* try again for NS servers */
1171 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1173 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1174 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1175 "realm\n", ads->config.realm));
1179 dnsdomain = root_domain;
1183 /* Now perform the dns update - we'll try non-secure and if we fail,
1184 we'll follow it up with a secure update */
1186 fstrcpy( dns_server, nameservers[0].hostname );
1188 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1189 if (!ERR_DNS_IS_OK(dns_err)) {
1190 status = NT_STATUS_UNSUCCESSFUL;
1195 SAFE_FREE( root_domain );
1200 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
1203 struct sockaddr_storage *iplist = NULL;
1204 fstring machine_name;
1207 name_to_fqdn( machine_name, global_myname() );
1208 strlower_m( machine_name );
1210 /* Get our ip address (not the 127.0.0.x address but a real ip
1213 num_addrs = get_my_ip_address( &iplist );
1214 if ( num_addrs <= 0 ) {
1215 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1217 return NT_STATUS_INVALID_PARAMETER;
1220 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1222 SAFE_FREE( iplist );
1228 /*******************************************************************
1229 ********************************************************************/
1231 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1233 d_printf(_("net ads join [options]\n"
1234 "Valid options:\n"));
1235 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1236 " The deault UPN is in the form host/netbiosname@REALM.\n"));
1237 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1238 " The OU string read from top to bottom without RDNs and delimited by a '/'.\n"
1239 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1240 " NB: A backslash '\\' is used as escape at multiple levels and may\n"
1241 " need to be doubled or even quadrupled. It is not used as a separator.\n"));
1242 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1243 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during the join.\n"
1244 " NB: osName and osVer must be specified together for either to take effect.\n"
1245 " Also, the operatingSystemService attribute is also set when along with\n"
1246 " the two other attributes.\n"));
1251 /*******************************************************************
1252 ********************************************************************/
1254 int net_ads_join(struct net_context *c, int argc, const char **argv)
1256 TALLOC_CTX *ctx = NULL;
1257 struct libnet_JoinCtx *r = NULL;
1258 const char *domain = lp_realm();
1259 WERROR werr = WERR_SETUP_NOT_JOINED;
1260 bool createupn = false;
1261 const char *machineupn = NULL;
1262 const char *create_in_ou = NULL;
1264 const char *os_name = NULL;
1265 const char *os_version = NULL;
1266 bool modify_config = lp_config_backend_is_registry();
1268 if (c->display_usage)
1269 return net_ads_join_usage(c, argc, argv);
1271 if (!modify_config) {
1273 werr = check_ads_config();
1274 if (!W_ERROR_IS_OK(werr)) {
1275 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1280 if (!(ctx = talloc_init("net_ads_join"))) {
1281 d_fprintf(stderr, _("Could not initialise talloc context.\n"));
1286 if (!c->opt_kerberos) {
1287 use_in_memory_ccache();
1290 werr = libnet_init_JoinCtx(ctx, &r);
1291 if (!W_ERROR_IS_OK(werr)) {
1295 /* process additional command line args */
1297 for ( i=0; i<argc; i++ ) {
1298 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1300 machineupn = get_string_param(argv[i]);
1302 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1303 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1304 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1305 werr = WERR_INVALID_PARAM;
1309 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1310 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1311 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1312 werr = WERR_INVALID_PARAM;
1316 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1317 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1318 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1319 werr = WERR_INVALID_PARAM;
1329 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1330 werr = WERR_INVALID_PARAM;
1334 /* Do the domain join here */
1336 r->in.domain_name = domain;
1337 r->in.create_upn = createupn;
1338 r->in.upn = machineupn;
1339 r->in.account_ou = create_in_ou;
1340 r->in.os_name = os_name;
1341 r->in.os_version = os_version;
1342 r->in.dc_name = c->opt_host;
1343 r->in.admin_account = c->opt_user_name;
1344 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1346 r->in.use_kerberos = c->opt_kerberos;
1347 r->in.modify_config = modify_config;
1348 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1349 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1350 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1352 werr = libnet_Join(ctx, r);
1353 if (!W_ERROR_IS_OK(werr)) {
1357 /* Check the short name of the domain */
1359 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1360 d_printf(_("The workgroup in %s does not match the short\n"
1361 "domain name obtained from the server.\n"
1362 "Using the name [%s] from the server.\n"
1363 "You should set \"workgroup = %s\" in %s.\n"),
1364 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1365 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1368 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1370 if (r->out.dns_domain_name) {
1371 d_printf(_("Joined '%s' to realm '%s'\n"), r->in.machine_name,
1372 r->out.dns_domain_name);
1374 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1375 r->out.netbios_domain_name);
1378 #if defined(WITH_DNS_UPDATES)
1379 if (r->out.domain_is_ad) {
1380 /* We enter this block with user creds */
1381 ADS_STRUCT *ads_dns = NULL;
1383 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1384 /* kinit with the machine password */
1386 use_in_memory_ccache();
1387 if (asprintf( &ads_dns->auth.user_name, "%s$", global_myname()) == -1) {
1390 ads_dns->auth.password = secrets_fetch_machine_password(
1391 r->out.netbios_domain_name, NULL, NULL );
1392 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1393 strupper_m(ads_dns->auth.realm );
1394 ads_kinit_password( ads_dns );
1397 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
1398 d_fprintf( stderr, _("DNS update failed!\n") );
1401 /* exit from this block using machine creds */
1402 ads_destroy(&ads_dns);
1411 /* issue an overall failure message at the end. */
1412 d_printf(_("Failed to join domain: %s\n"),
1413 r && r->out.error_string ? r->out.error_string :
1414 get_friendly_werror_msg(werr));
1420 /*******************************************************************
1421 ********************************************************************/
1423 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1425 #if defined(WITH_DNS_UPDATES)
1431 talloc_enable_leak_report();
1434 if (argc > 0 || c->display_usage) {
1435 d_printf(_("Usage:\n"),
1436 "net ads dns register\n"
1437 " ", _("Register hostname with DNS\n"));
1441 if (!(ctx = talloc_init("net_ads_dns"))) {
1442 d_fprintf(stderr, _("Could not initialise talloc context\n"));
1446 status = ads_startup(c, true, &ads);
1447 if ( !ADS_ERR_OK(status) ) {
1448 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1453 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
1454 d_fprintf( stderr, _("DNS update failed!\n") );
1455 ads_destroy( &ads );
1460 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1468 _("DNS update support not enabled at compile time!\n"));
1473 #if defined(WITH_DNS_UPDATES)
1474 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1477 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1479 #if defined(WITH_DNS_UPDATES)
1483 talloc_enable_leak_report();
1486 if (argc != 2 || c->display_usage) {
1487 d_printf(_("Usage:\n"),
1488 _("net ads dns gethostbyname <server> <name>\n"),
1489 _(" Look up hostname from the AD\n"
1490 " server\tName server to use\n"
1491 " name\tName to look up\n"));
1495 err = do_gethostbyname(argv[0], argv[1]);
1497 d_printf(_("do_gethostbyname returned %d\n"), ERROR_DNS_V(err));
1502 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1504 struct functable func[] = {
1507 net_ads_dns_register,
1509 N_("Add host dns entry to AD"),
1510 N_("net ads dns register\n"
1511 " Add host dns entry to AD")
1515 net_ads_dns_gethostbyname,
1518 N_("net ads dns gethostbyname\n"
1521 {NULL, NULL, 0, NULL, NULL}
1524 return net_run_function(c, argc, argv, "net ads dns", func);
1527 /*******************************************************************
1528 ********************************************************************/
1530 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1533 "\nnet ads printer search <printer>"
1534 "\n\tsearch for a printer in the directory\n"
1535 "\nnet ads printer info <printer> <server>"
1536 "\n\tlookup info in directory for printer on server"
1537 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1538 "\nnet ads printer publish <printername>"
1539 "\n\tpublish printer in directory"
1540 "\n\t(note: printer name is required)\n"
1541 "\nnet ads printer remove <printername>"
1542 "\n\tremove printer from directory"
1543 "\n\t(note: printer name is required)\n"));
1547 /*******************************************************************
1548 ********************************************************************/
1550 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1554 LDAPMessage *res = NULL;
1556 if (c->display_usage) {
1558 "net ads printer search\n"
1561 _("List printers in the AD"));
1565 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1569 rc = ads_find_printers(ads, &res);
1571 if (!ADS_ERR_OK(rc)) {
1572 d_fprintf(stderr, _("ads_find_printer: %s\n"), ads_errstr(rc));
1573 ads_msgfree(ads, res);
1578 if (ads_count_replies(ads, res) == 0) {
1579 d_fprintf(stderr, _("No results found\n"));
1580 ads_msgfree(ads, res);
1586 ads_msgfree(ads, res);
1591 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1595 const char *servername, *printername;
1596 LDAPMessage *res = NULL;
1598 if (c->display_usage) {
1601 _("net ads printer info [printername [servername]]\n"
1602 " Display printer info from AD\n"
1603 " printername\tPrinter name or wildcard\n"
1604 " servername\tName of the print server\n"));
1608 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1613 printername = argv[0];
1619 servername = argv[1];
1621 servername = global_myname();
1624 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1626 if (!ADS_ERR_OK(rc)) {
1627 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
1628 servername, ads_errstr(rc));
1629 ads_msgfree(ads, res);
1634 if (ads_count_replies(ads, res) == 0) {
1635 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
1636 ads_msgfree(ads, res);
1642 ads_msgfree(ads, res);
1648 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1652 const char *servername, *printername;
1653 struct cli_state *cli = NULL;
1654 struct rpc_pipe_client *pipe_hnd = NULL;
1655 struct sockaddr_storage server_ss;
1657 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1658 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1659 char *prt_dn, *srv_dn, **srv_cn;
1660 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1661 LDAPMessage *res = NULL;
1663 if (argc < 1 || c->display_usage) {
1666 _("net ads printer publish <printername> [servername]\n"
1667 " Publish printer in AD\n"
1668 " printername\tName of the printer\n"
1669 " servername\tName of the print server\n"));
1670 talloc_destroy(mem_ctx);
1674 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1675 talloc_destroy(mem_ctx);
1679 printername = argv[0];
1682 servername = argv[1];
1684 servername = global_myname();
1687 /* Get printer data from SPOOLSS */
1689 resolve_name(servername, &server_ss, 0x20, false);
1691 nt_status = cli_full_connection(&cli, global_myname(), servername,
1694 c->opt_user_name, c->opt_workgroup,
1695 c->opt_password ? c->opt_password : "",
1696 CLI_FULL_CONNECTION_USE_KERBEROS,
1699 if (NT_STATUS_IS_ERR(nt_status)) {
1700 d_fprintf(stderr, _("Unable to open a connnection to %s to "
1701 "obtain data for %s\n"),
1702 servername, printername);
1704 talloc_destroy(mem_ctx);
1708 /* Publish on AD server */
1710 ads_find_machine_acct(ads, &res, servername);
1712 if (ads_count_replies(ads, res) == 0) {
1713 d_fprintf(stderr, _("Could not find machine account for server "
1717 talloc_destroy(mem_ctx);
1721 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1722 srv_cn = ldap_explode_dn(srv_dn, 1);
1724 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1725 printername_escaped = escape_rdn_val_string_alloc(printername);
1726 if (!srv_cn_escaped || !printername_escaped) {
1727 SAFE_FREE(srv_cn_escaped);
1728 SAFE_FREE(printername_escaped);
1729 d_fprintf(stderr, _("Internal error, out of memory!"));
1731 talloc_destroy(mem_ctx);
1735 if (asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn) == -1) {
1736 SAFE_FREE(srv_cn_escaped);
1737 SAFE_FREE(printername_escaped);
1738 d_fprintf(stderr, _("Internal error, out of memory!"));
1740 talloc_destroy(mem_ctx);
1744 SAFE_FREE(srv_cn_escaped);
1745 SAFE_FREE(printername_escaped);
1747 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
1748 if (!NT_STATUS_IS_OK(nt_status)) {
1749 d_fprintf(stderr, _("Unable to open a connnection to the spoolss pipe on %s\n"),
1753 talloc_destroy(mem_ctx);
1757 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1761 talloc_destroy(mem_ctx);
1765 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1766 if (!ADS_ERR_OK(rc)) {
1767 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1770 talloc_destroy(mem_ctx);
1774 d_printf("published printer\n");
1777 talloc_destroy(mem_ctx);
1782 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1786 const char *servername;
1788 LDAPMessage *res = NULL;
1790 if (argc < 1 || c->display_usage) {
1793 _("net ads printer remove <printername> [servername]\n"
1794 " Remove a printer from the AD\n"
1795 " printername\tName of the printer\n"
1796 " servername\tName of the print server\n"));
1800 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1805 servername = argv[1];
1807 servername = global_myname();
1810 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1812 if (!ADS_ERR_OK(rc)) {
1813 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"), ads_errstr(rc));
1814 ads_msgfree(ads, res);
1819 if (ads_count_replies(ads, res) == 0) {
1820 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
1821 ads_msgfree(ads, res);
1826 prt_dn = ads_get_dn(ads, talloc_tos(), res);
1827 ads_msgfree(ads, res);
1828 rc = ads_del_dn(ads, prt_dn);
1829 TALLOC_FREE(prt_dn);
1831 if (!ADS_ERR_OK(rc)) {
1832 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(rc));
1841 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1843 struct functable func[] = {
1846 net_ads_printer_search,
1848 N_("Search for a printer"),
1849 N_("net ads printer search\n"
1850 " Search for a printer")
1854 net_ads_printer_info,
1856 N_("Display printer information"),
1857 N_("net ads printer info\n"
1858 " Display printer information")
1862 net_ads_printer_publish,
1864 N_("Publish a printer"),
1865 N_("net ads printer publish\n"
1866 " Publish a printer")
1870 net_ads_printer_remove,
1872 N_("Delete a printer"),
1873 N_("net ads printer remove\n"
1874 " Delete a printer")
1876 {NULL, NULL, 0, NULL, NULL}
1879 return net_run_function(c, argc, argv, "net ads printer", func);
1883 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1886 const char *auth_principal = c->opt_user_name;
1887 const char *auth_password = c->opt_password;
1889 char *new_password = NULL;
1894 if (c->display_usage) {
1897 _("net ads password <username>\n"
1898 " Change password for user\n"
1899 " username\tName of user to change password for\n"));
1903 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1904 d_fprintf(stderr, _("You must supply an administrator "
1905 "username/password\n"));
1910 d_fprintf(stderr, _("ERROR: You must say which username to "
1911 "change password for\n"));
1916 if (!strchr_m(user, '@')) {
1917 if (asprintf(&chr, "%s@%s", argv[0], lp_realm()) == -1) {
1923 use_in_memory_ccache();
1924 chr = strchr_m(auth_principal, '@');
1931 /* use the realm so we can eventually change passwords for users
1932 in realms other than default */
1933 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1937 /* we don't actually need a full connect, but it's the easy way to
1938 fill in the KDC's addresss */
1941 if (!ads->config.realm) {
1942 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
1948 new_password = (char *)argv[1];
1950 if (asprintf(&prompt, _("Enter new password for %s:"), user) == -1) {
1953 new_password = getpass(prompt);
1957 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1958 auth_password, user, new_password, ads->auth.time_offset);
1959 if (!ADS_ERR_OK(ret)) {
1960 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
1965 d_printf(_("Password change for %s completed.\n"), user);
1971 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1974 char *host_principal;
1978 if (c->display_usage) {
1980 "net ads changetrustpw\n"
1983 _("Change the machine account's trust password"));
1987 if (!secrets_init()) {
1988 DEBUG(1,("Failed to initialise secrets database\n"));
1992 net_use_krb_machine_account(c);
1994 use_in_memory_ccache();
1996 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2000 fstrcpy(my_name, global_myname());
2001 strlower_m(my_name);
2002 if (asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm) == -1) {
2006 d_printf(_("Changing password for principal: %s\n"), host_principal);
2008 ret = ads_change_trust_account_password(ads, host_principal);
2010 if (!ADS_ERR_OK(ret)) {
2011 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(ret));
2013 SAFE_FREE(host_principal);
2017 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2019 if (USE_SYSTEM_KEYTAB) {
2020 d_printf(_("Attempting to update system keytab with new password.\n"));
2021 if (ads_keytab_create_default(ads)) {
2022 d_printf(_("Failed to update system keytab.\n"));
2027 SAFE_FREE(host_principal);
2033 help for net ads search
2035 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2038 "\nnet ads search <expression> <attributes...>\n"
2039 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2040 "The expression is a standard LDAP search expression, and the\n"
2041 "attributes are a list of LDAP fields to show in the results.\n\n"
2042 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2044 net_common_flags_usage(c, argc, argv);
2050 general ADS search function. Useful in diagnosing problems in ADS
2052 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2056 const char *ldap_exp;
2058 LDAPMessage *res = NULL;
2060 if (argc < 1 || c->display_usage) {
2061 return net_ads_search_usage(c, argc, argv);
2064 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2071 rc = ads_do_search_all(ads, ads->config.bind_path,
2073 ldap_exp, attrs, &res);
2074 if (!ADS_ERR_OK(rc)) {
2075 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2080 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2082 /* dump the results */
2085 ads_msgfree(ads, res);
2093 help for net ads search
2095 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2098 "\nnet ads dn <dn> <attributes...>\n"
2099 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2100 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2101 "to show in the results\n\n"
2102 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2103 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2105 net_common_flags_usage(c, argc, argv);
2111 general ADS search function. Useful in diagnosing problems in ADS
2113 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2119 LDAPMessage *res = NULL;
2121 if (argc < 1 || c->display_usage) {
2122 return net_ads_dn_usage(c, argc, argv);
2125 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2132 rc = ads_do_search_all(ads, dn,
2134 "(objectclass=*)", attrs, &res);
2135 if (!ADS_ERR_OK(rc)) {
2136 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2141 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2143 /* dump the results */
2146 ads_msgfree(ads, res);
2153 help for net ads sid search
2155 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2158 "\nnet ads sid <sid> <attributes...>\n"
2159 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2160 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2161 "to show in the results\n\n"
2162 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2164 net_common_flags_usage(c, argc, argv);
2170 general ADS search function. Useful in diagnosing problems in ADS
2172 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2176 const char *sid_string;
2178 LDAPMessage *res = NULL;
2181 if (argc < 1 || c->display_usage) {
2182 return net_ads_sid_usage(c, argc, argv);
2185 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
2189 sid_string = argv[0];
2192 if (!string_to_sid(&sid, sid_string)) {
2193 d_fprintf(stderr, _("could not convert sid\n"));
2198 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
2199 if (!ADS_ERR_OK(rc)) {
2200 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(rc));
2205 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2207 /* dump the results */
2210 ads_msgfree(ads, res);
2216 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
2221 if (c->display_usage) {
2223 "net ads keytab flush\n"
2226 _("Delete the whole keytab"));
2230 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2233 ret = ads_keytab_flush(ads);
2238 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2244 if (c->display_usage) {
2247 _("net ads keytab add <principal> [principal ...]\n"
2248 " Add principals to local keytab\n"
2249 " principal\tKerberos principal to add to "
2254 d_printf(_("Processing principals to add...\n"));
2255 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2258 for (i = 0; i < argc; i++) {
2259 ret |= ads_keytab_add_entry(ads, argv[i]);
2265 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2270 if (c->display_usage) {
2272 "net ads keytab create\n"
2275 _("Create new default keytab"));
2279 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2282 ret = ads_keytab_create_default(ads);
2287 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2289 const char *keytab = NULL;
2291 if (c->display_usage) {
2294 _("net ads keytab list [keytab]\n"
2295 " List a local keytab\n"
2296 " keytab\tKeytab to list\n"));
2304 return ads_keytab_list(keytab);
2308 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2310 struct functable func[] = {
2315 N_("Add a service principal"),
2316 N_("net ads keytab add\n"
2317 " Add a service principal")
2321 net_ads_keytab_create,
2323 N_("Create a fresh keytab"),
2324 N_("net ads keytab create\n"
2325 " Create a fresh keytab")
2329 net_ads_keytab_flush,
2331 N_("Remove all keytab entries"),
2332 N_("net ads keytab flush\n"
2333 " Remove all keytab entries")
2337 net_ads_keytab_list,
2339 N_("List a keytab"),
2340 N_("net ads keytab list\n"
2343 {NULL, NULL, 0, NULL, NULL}
2346 if (!USE_KERBEROS_KEYTAB) {
2347 d_printf(_("\nWarning: \"kerberos method\" must be set to a "
2348 "keytab method to use keytab functions.\n"));
2351 return net_run_function(c, argc, argv, "net ads keytab", func);
2354 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2358 if (c->display_usage) {
2360 "net ads kerberos renew\n"
2363 _("Renew TGT from existing credential cache"));
2367 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2369 d_printf(_("failed to renew kerberos ticket: %s\n"),
2370 error_message(ret));
2375 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2377 struct PAC_DATA *pac = NULL;
2378 struct PAC_LOGON_INFO *info = NULL;
2379 TALLOC_CTX *mem_ctx = NULL;
2382 const char *impersonate_princ_s = NULL;
2384 if (c->display_usage) {
2386 "net ads kerberos pac\n"
2389 _("Dump the Kerberos PAC"));
2393 mem_ctx = talloc_init("net_ads_kerberos_pac");
2399 impersonate_princ_s = argv[0];
2402 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2404 status = kerberos_return_pac(mem_ctx,
2413 2592000, /* one month */
2414 impersonate_princ_s,
2416 if (!NT_STATUS_IS_OK(status)) {
2417 d_printf(_("failed to query kerberos PAC: %s\n"),
2422 info = get_logon_info_from_pac(pac);
2425 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2426 d_printf(_("The Pac: %s\n"), s);
2431 TALLOC_FREE(mem_ctx);
2435 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2437 TALLOC_CTX *mem_ctx = NULL;
2441 if (c->display_usage) {
2443 "net ads kerberos kinit\n"
2446 _("Get Ticket Granting Ticket (TGT) for the user"));
2450 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2455 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2457 ret = kerberos_kinit_password_ext(c->opt_user_name,
2465 2592000, /* one month */
2468 d_printf(_("failed to kinit password: %s\n"),
2475 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2477 struct functable func[] = {
2480 net_ads_kerberos_kinit,
2482 N_("Retrieve Ticket Granting Ticket (TGT)"),
2483 N_("net ads kerberos kinit\n"
2484 " Receive Ticket Granting Ticket (TGT)")
2488 net_ads_kerberos_renew,
2490 N_("Renew Ticket Granting Ticket from credential cache"),
2491 N_("net ads kerberos renew\n"
2492 " Renew Ticket Granting Ticket (TGT) from "
2497 net_ads_kerberos_pac,
2499 N_("Dump Kerberos PAC"),
2500 N_("net ads kerberos pac\n"
2501 " Dump Kerberos PAC")
2503 {NULL, NULL, 0, NULL, NULL}
2506 return net_run_function(c, argc, argv, "net ads kerberos", func);
2509 int net_ads(struct net_context *c, int argc, const char **argv)
2511 struct functable func[] = {
2516 N_("Display details on remote ADS server"),
2518 " Display details on remote ADS server")
2524 N_("Join the local machine to ADS realm"),
2526 " Join the local machine to ADS realm")
2532 N_("Validate machine account"),
2533 N_("net ads testjoin\n"
2534 " Validate machine account")
2540 N_("Remove the local machine from ADS"),
2541 N_("net ads leave\n"
2542 " Remove the local machine from ADS")
2548 N_("Display machine account details"),
2549 N_("net ads status\n"
2550 " Display machine account details")
2556 N_("List/modify users"),
2558 " List/modify users")
2564 N_("List/modify groups"),
2565 N_("net ads group\n"
2566 " List/modify groups")
2572 N_("Issue dynamic DNS update"),
2574 " Issue dynamic DNS update")
2580 N_("Change user passwords"),
2581 N_("net ads password\n"
2582 " Change user passwords")
2586 net_ads_changetrustpw,
2588 N_("Change trust account password"),
2589 N_("net ads changetrustpw\n"
2590 " Change trust account password")
2596 N_("List/modify printer entries"),
2597 N_("net ads printer\n"
2598 " List/modify printer entries")
2604 N_("Issue LDAP search using filter"),
2605 N_("net ads search\n"
2606 " Issue LDAP search using filter")
2612 N_("Issue LDAP search by DN"),
2614 " Issue LDAP search by DN")
2620 N_("Issue LDAP search by SID"),
2622 " Issue LDAP search by SID")
2628 N_("Display workgroup name"),
2629 N_("net ads workgroup\n"
2630 " Display the workgroup name")
2636 N_("Perfom CLDAP query on DC"),
2637 N_("net ads lookup\n"
2638 " Find the ADS DC using CLDAP lookups")
2644 N_("Manage local keytab file"),
2645 N_("net ads keytab\n"
2646 " Manage local keytab file")
2652 N_("Manage group policy objects"),
2654 " Manage group policy objects")
2660 N_("Manage kerberos keytab"),
2661 N_("net ads kerberos\n"
2662 " Manage kerberos keytab")
2664 {NULL, NULL, 0, NULL, NULL}
2667 return net_run_function(c, argc, argv, "net ads", func);
2672 static int net_ads_noads(void)
2674 d_fprintf(stderr, _("ADS support not compiled in\n"));
2678 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2680 return net_ads_noads();
2683 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2685 return net_ads_noads();
2688 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2690 return net_ads_noads();
2693 int net_ads_join(struct net_context *c, int argc, const char **argv)
2695 return net_ads_noads();
2698 int net_ads_user(struct net_context *c, int argc, const char **argv)
2700 return net_ads_noads();
2703 int net_ads_group(struct net_context *c, int argc, const char **argv)
2705 return net_ads_noads();
2708 /* this one shouldn't display a message */
2709 int net_ads_check(struct net_context *c)
2714 int net_ads_check_our_domain(struct net_context *c)
2719 int net_ads(struct net_context *c, int argc, const char **argv)
2721 return net_ads_noads();
2724 #endif /* WITH_ADS */