2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "utils/net.h"
26 #include "libnet/libnet.h"
30 int net_ads_help(struct net_context *c, int argc, const char **argv)
32 d_printf("join [createupn[=principal]] [createcomputer=<org_unit>]\n");
33 d_printf(" Join the local machine to a ADS realm\n");
35 d_printf(" Remove the local machine from a ADS realm\n");
36 d_printf("testjoin\n");
37 d_printf(" Validates the machine account in the domain\n");
39 d_printf(" List, add, or delete users in the realm\n");
41 d_printf(" List, add, or delete groups in the realm\n");
43 d_printf(" Displays details regarding a specific AD server\n");
45 d_printf(" Display details regarding the machine's account in AD\n");
47 d_printf(" Performs CLDAP query of AD domain controllers\n");
48 d_printf("password <username@realm> <password> -Uadmin_username@realm%%admin_pass\n");
49 d_printf(" Change a user's password using an admin account\n");
50 d_printf(" (note: use realm in UPPERCASE, prompts if password is obmitted)\n");
51 d_printf("changetrustpw\n");
52 d_printf(" Change the trust account password of this machine in the AD tree\n");
53 d_printf("printer [info | publish | remove] <printername> <servername>\n");
54 d_printf(" Lookup, add, or remove directory entry for a printer\n");
55 d_printf("{search,dn,sid}\n");
56 d_printf(" Issue LDAP search queries using a general filter, by DN, or by SID\n");
58 d_printf(" Manage a local keytab file based on the machine account in AD\n");
60 d_printf(" Issue a dynamic DNS update request the server's hostname\n");
61 d_printf(" (using the machine credentials)\n");
66 /* when we do not have sufficient input parameters to contact a remote domain
67 * we always fall back to our own realm - Guenther*/
69 static const char *assume_own_realm(struct net_context *c)
71 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
79 do a cldap netlogon query
81 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
83 char addr[INET6_ADDRSTRLEN];
84 struct nbt_cldap_netlogon_5 reply;
86 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
87 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
88 d_fprintf(stderr, "CLDAP query failed!\n");
92 d_printf("Information for Domain Controller: %s\n\n",
95 d_printf("Response Type: ");
97 case SAMLOGON_AD_UNK_R:
98 d_printf("SAMLOGON\n");
101 d_printf("SAMLOGON_USER\n");
104 d_printf("0x%x\n", reply.type);
108 d_printf("GUID: %s\n", smb_uuid_string(talloc_tos(), reply.domain_uuid));
112 "\tIs a GC of the forest: %s\n"
113 "\tIs an LDAP server: %s\n"
114 "\tSupports DS: %s\n"
115 "\tIs running a KDC: %s\n"
116 "\tIs running time services: %s\n"
117 "\tIs the closest DC: %s\n"
118 "\tIs writable: %s\n"
119 "\tHas a hardware clock: %s\n"
120 "\tIs a non-domain NC serviced by LDAP server: %s\n"
121 "\tIs NT6 DC that has some secrets: %s\n"
122 "\tIs NT6 DC that has all secrets: %s\n",
123 (reply.server_type & NBT_SERVER_PDC) ? "yes" : "no",
124 (reply.server_type & NBT_SERVER_GC) ? "yes" : "no",
125 (reply.server_type & NBT_SERVER_LDAP) ? "yes" : "no",
126 (reply.server_type & NBT_SERVER_DS) ? "yes" : "no",
127 (reply.server_type & NBT_SERVER_KDC) ? "yes" : "no",
128 (reply.server_type & NBT_SERVER_TIMESERV) ? "yes" : "no",
129 (reply.server_type & NBT_SERVER_CLOSEST) ? "yes" : "no",
130 (reply.server_type & NBT_SERVER_WRITABLE) ? "yes" : "no",
131 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? "yes" : "no",
132 (reply.server_type & NBT_SERVER_NDNC) ? "yes" : "no",
133 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? "yes" : "no",
134 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? "yes" : "no");
137 printf("Forest:\t\t\t%s\n", reply.forest);
138 printf("Domain:\t\t\t%s\n", reply.dns_domain);
139 printf("Domain Controller:\t%s\n", reply.pdc_dns_name);
141 printf("Pre-Win2k Domain:\t%s\n", reply.domain);
142 printf("Pre-Win2k Hostname:\t%s\n", reply.pdc_name);
144 if (*reply.user_name) printf("User name:\t%s\n", reply.user_name);
146 printf("Server Site Name :\t\t%s\n", reply.server_site);
147 printf("Client Site Name :\t\t%s\n", reply.client_site);
149 d_printf("NT Version: %d\n", reply.nt_version);
150 d_printf("LMNT Token: %.2x\n", reply.lmnt_token);
151 d_printf("LM20 Token: %.2x\n", reply.lm20_token);
157 this implements the CLDAP based netlogon lookup requests
158 for finding the domain controller of a ADS domain
160 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
164 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
165 d_fprintf(stderr, "Didn't find the cldap server!\n");
169 if (!ads->config.realm) {
170 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
171 ads->ldap.port = 389;
174 return net_ads_cldap_netlogon(c, ads);
179 static int net_ads_info(struct net_context *c, int argc, const char **argv)
182 char addr[INET6_ADDRSTRLEN];
184 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
185 d_fprintf(stderr, "Didn't find the ldap server!\n");
189 if (!ads || !ads->config.realm) {
190 d_fprintf(stderr, "Didn't find the ldap server!\n");
194 /* Try to set the server's current time since we didn't do a full
195 TCP LDAP session initially */
197 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
198 d_fprintf( stderr, "Failed to get server's current time!\n");
201 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
203 d_printf("LDAP server: %s\n", addr);
204 d_printf("LDAP server name: %s\n", ads->config.ldap_server_name);
205 d_printf("Realm: %s\n", ads->config.realm);
206 d_printf("Bind Path: %s\n", ads->config.bind_path);
207 d_printf("LDAP port: %d\n", ads->ldap.port);
208 d_printf("Server time: %s\n", http_timestring(ads->config.current_time));
210 d_printf("KDC server: %s\n", ads->auth.kdc_server );
211 d_printf("Server time offset: %d\n", ads->auth.time_offset );
216 static void use_in_memory_ccache(void) {
217 /* Use in-memory credentials cache so we do not interfere with
218 * existing credentials */
219 setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
222 static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
223 uint32 auth_flags, ADS_STRUCT **ads_ret)
225 ADS_STRUCT *ads = NULL;
227 bool need_password = false;
228 bool second_time = false;
230 const char *realm = NULL;
231 bool tried_closest_dc = false;
233 /* lp_realm() should be handled by a command line param,
234 However, the join requires that realm be set in smb.conf
235 and compares our realm with the remote server's so this is
236 ok until someone needs more flexibility */
241 if (only_own_domain) {
244 realm = assume_own_realm(c);
247 ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
249 if (!c->opt_user_name) {
250 c->opt_user_name = "administrator";
253 if (c->opt_user_specified) {
254 need_password = true;
258 if (!c->opt_password && need_password && !c->opt_machine_pass) {
259 c->opt_password = net_prompt_pass(c, c->opt_user_name);
260 if (!c->opt_password) {
262 return ADS_ERROR(LDAP_NO_MEMORY);
266 if (c->opt_password) {
267 use_in_memory_ccache();
268 SAFE_FREE(ads->auth.password);
269 ads->auth.password = smb_xstrdup(c->opt_password);
272 ads->auth.flags |= auth_flags;
273 SAFE_FREE(ads->auth.user_name);
274 ads->auth.user_name = smb_xstrdup(c->opt_user_name);
277 * If the username is of the form "name@realm",
278 * extract the realm and convert to upper case.
279 * This is only used to establish the connection.
281 if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {
283 SAFE_FREE(ads->auth.realm);
284 ads->auth.realm = smb_xstrdup(cp);
285 strupper_m(ads->auth.realm);
288 status = ads_connect(ads);
290 if (!ADS_ERR_OK(status)) {
292 if (NT_STATUS_EQUAL(ads_ntstatus(status),
293 NT_STATUS_NO_LOGON_SERVERS)) {
294 DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));
299 if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
300 need_password = true;
309 /* when contacting our own domain, make sure we use the closest DC.
310 * This is done by reconnecting to ADS because only the first call to
311 * ads_connect will give us our own sitename */
313 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
315 tried_closest_dc = true; /* avoid loop */
317 if (!ads->config.tried_closest_dc) {
319 namecache_delete(ads->server.realm, 0x1C);
320 namecache_delete(ads->server.workgroup, 0x1C);
333 ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
335 return ads_startup_int(c, only_own_domain, 0, ads);
338 ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads)
340 return ads_startup_int(c, only_own_domain, ADS_AUTH_NO_BIND, ads);
344 Check to see if connection can be made via ads.
345 ads_startup() stores the password in opt_password if it needs to so
346 that rpc or rap can use it without re-prompting.
348 static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
353 if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
357 ads->auth.flags |= ADS_AUTH_NO_BIND;
359 status = ads_connect(ads);
360 if ( !ADS_ERR_OK(status) ) {
368 int net_ads_check_our_domain(struct net_context *c)
370 return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
373 int net_ads_check(struct net_context *c)
375 return net_ads_check_int(NULL, c->opt_workgroup, c->opt_host);
379 determine the netbios workgroup name for a domain
381 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
384 char addr[INET6_ADDRSTRLEN];
385 struct nbt_cldap_netlogon_5 reply;
387 if (!ADS_ERR_OK(ads_startup_nobind(c, false, &ads))) {
388 d_fprintf(stderr, "Didn't find the cldap server!\n");
392 if (!ads->config.realm) {
393 ads->config.realm = CONST_DISCARD(char *, c->opt_target_workgroup);
394 ads->ldap.port = 389;
397 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
398 if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
399 d_fprintf(stderr, "CLDAP query failed!\n");
403 d_printf("Workgroup: %s\n", reply.domain);
412 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
414 char **disp_fields = (char **) data_area;
416 if (!field) { /* must be end of record */
417 if (disp_fields[0]) {
418 if (!strchr_m(disp_fields[0], '$')) {
420 d_printf("%-21.21s %s\n",
421 disp_fields[0], disp_fields[1]);
423 d_printf("%s\n", disp_fields[0]);
426 SAFE_FREE(disp_fields[0]);
427 SAFE_FREE(disp_fields[1]);
430 if (!values) /* must be new field, indicate string field */
432 if (StrCaseCmp(field, "sAMAccountName") == 0) {
433 disp_fields[0] = SMB_STRDUP((char *) values[0]);
435 if (StrCaseCmp(field, "description") == 0)
436 disp_fields[1] = SMB_STRDUP((char *) values[0]);
440 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
442 return net_user_usage(c, argc, argv);
445 static int ads_user_add(struct net_context *c, int argc, const char **argv)
450 LDAPMessage *res=NULL;
454 if (argc < 1) return net_ads_user_usage(c, argc, argv);
456 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
460 status = ads_find_user_acct(ads, &res, argv[0]);
462 if (!ADS_ERR_OK(status)) {
463 d_fprintf(stderr, "ads_user_add: %s\n", ads_errstr(status));
467 if (ads_count_replies(ads, res)) {
468 d_fprintf(stderr, "ads_user_add: User %s already exists\n", argv[0]);
472 if (c->opt_container) {
473 ou_str = SMB_STRDUP(c->opt_container);
475 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
478 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
480 if (!ADS_ERR_OK(status)) {
481 d_fprintf(stderr, "Could not add user %s: %s\n", argv[0],
486 /* if no password is to be set, we're done */
488 d_printf("User %s added\n", argv[0]);
493 /* try setting the password */
494 asprintf(&upn, "%s@%s", argv[0], ads->config.realm);
495 status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
496 ads->auth.time_offset);
498 if (ADS_ERR_OK(status)) {
499 d_printf("User %s added\n", argv[0]);
504 /* password didn't set, delete account */
505 d_fprintf(stderr, "Could not add user %s. Error setting password %s\n",
506 argv[0], ads_errstr(status));
507 ads_msgfree(ads, res);
508 status=ads_find_user_acct(ads, &res, argv[0]);
509 if (ADS_ERR_OK(status)) {
510 userdn = ads_get_dn(ads, res);
511 ads_del_dn(ads, userdn);
512 ads_memfree(ads, userdn);
517 ads_msgfree(ads, res);
523 static int ads_user_info(struct net_context *c, int argc, const char **argv)
528 const char *attrs[] = {"memberOf", NULL};
529 char *searchstring=NULL;
534 return net_ads_user_usage(c, argc, argv);
537 escaped_user = escape_ldap_string_alloc(argv[0]);
540 d_fprintf(stderr, "ads_user_info: failed to escape user %s\n", argv[0]);
544 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
545 SAFE_FREE(escaped_user);
549 asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user);
550 rc = ads_search(ads, &res, searchstring, attrs);
551 safe_free(searchstring);
553 if (!ADS_ERR_OK(rc)) {
554 d_fprintf(stderr, "ads_search: %s\n", ads_errstr(rc));
556 SAFE_FREE(escaped_user);
560 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
561 (LDAPMessage *)res, "memberOf");
566 for (i=0;grouplist[i];i++) {
567 groupname = ldap_explode_dn(grouplist[i], 1);
568 d_printf("%s\n", groupname[0]);
569 ldap_value_free(groupname);
571 ldap_value_free(grouplist);
574 ads_msgfree(ads, res);
576 SAFE_FREE(escaped_user);
580 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
584 LDAPMessage *res = NULL;
588 return net_ads_user_usage(c, argc, argv);
591 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
595 rc = ads_find_user_acct(ads, &res, argv[0]);
596 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
597 d_printf("User %s does not exist.\n", argv[0]);
598 ads_msgfree(ads, res);
602 userdn = ads_get_dn(ads, res);
603 ads_msgfree(ads, res);
604 rc = ads_del_dn(ads, userdn);
605 ads_memfree(ads, userdn);
606 if (ADS_ERR_OK(rc)) {
607 d_printf("User %s deleted\n", argv[0]);
611 d_fprintf(stderr, "Error deleting user %s: %s\n", argv[0],
617 int net_ads_user(struct net_context *c, int argc, const char **argv)
619 struct functable func[] = {
620 {"ADD", ads_user_add},
621 {"INFO", ads_user_info},
622 {"DELETE", ads_user_delete},
627 const char *shortattrs[] = {"sAMAccountName", NULL};
628 const char *longattrs[] = {"sAMAccountName", "description", NULL};
629 char *disp_fields[2] = {NULL, NULL};
632 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
636 if (c->opt_long_list_entries)
637 d_printf("\nUser name Comment"\
638 "\n-----------------------------\n");
640 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
642 "(objectCategory=user)",
643 c->opt_long_list_entries ? longattrs :
644 shortattrs, usergrp_display,
647 return ADS_ERR_OK(rc) ? 0 : -1;
650 return net_run_function(c, argc, argv, func, net_ads_user_usage);
653 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
655 return net_group_usage(c, argc, argv);
658 static int ads_group_add(struct net_context *c, int argc, const char **argv)
662 LDAPMessage *res=NULL;
667 return net_ads_group_usage(c, argc, argv);
670 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
674 status = ads_find_user_acct(ads, &res, argv[0]);
676 if (!ADS_ERR_OK(status)) {
677 d_fprintf(stderr, "ads_group_add: %s\n", ads_errstr(status));
681 if (ads_count_replies(ads, res)) {
682 d_fprintf(stderr, "ads_group_add: Group %s already exists\n", argv[0]);
686 if (c->opt_container) {
687 ou_str = SMB_STRDUP(c->opt_container);
689 ou_str = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
692 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
694 if (ADS_ERR_OK(status)) {
695 d_printf("Group %s added\n", argv[0]);
698 d_fprintf(stderr, "Could not add group %s: %s\n", argv[0],
704 ads_msgfree(ads, res);
710 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
714 LDAPMessage *res = NULL;
718 return net_ads_group_usage(c, argc, argv);
721 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
725 rc = ads_find_user_acct(ads, &res, argv[0]);
726 if (!ADS_ERR_OK(rc) || ads_count_replies(ads, res) != 1) {
727 d_printf("Group %s does not exist.\n", argv[0]);
728 ads_msgfree(ads, res);
732 groupdn = ads_get_dn(ads, res);
733 ads_msgfree(ads, res);
734 rc = ads_del_dn(ads, groupdn);
735 ads_memfree(ads, groupdn);
736 if (ADS_ERR_OK(rc)) {
737 d_printf("Group %s deleted\n", argv[0]);
741 d_fprintf(stderr, "Error deleting group %s: %s\n", argv[0],
747 int net_ads_group(struct net_context *c, int argc, const char **argv)
749 struct functable func[] = {
750 {"ADD", ads_group_add},
751 {"DELETE", ads_group_delete},
756 const char *shortattrs[] = {"sAMAccountName", NULL};
757 const char *longattrs[] = {"sAMAccountName", "description", NULL};
758 char *disp_fields[2] = {NULL, NULL};
761 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
765 if (c->opt_long_list_entries)
766 d_printf("\nGroup name Comment"\
767 "\n-----------------------------\n");
768 rc = ads_do_search_all_fn(ads, ads->config.bind_path,
770 "(objectCategory=group)",
771 c->opt_long_list_entries ? longattrs :
772 shortattrs, usergrp_display,
776 return ADS_ERR_OK(rc) ? 0 : -1;
778 return net_run_function(c, argc, argv, func, net_ads_group_usage);
781 static int net_ads_status(struct net_context *c, int argc, const char **argv)
787 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
791 rc = ads_find_machine_acct(ads, &res, global_myname());
792 if (!ADS_ERR_OK(rc)) {
793 d_fprintf(stderr, "ads_find_machine_acct: %s\n", ads_errstr(rc));
798 if (ads_count_replies(ads, res) == 0) {
799 d_fprintf(stderr, "No machine account for '%s' found\n", global_myname());
809 /*******************************************************************
810 Leave an AD domain. Windows XP disables the machine account.
811 We'll try the same. The old code would do an LDAP delete.
812 That only worked using the machine creds because added the machine
813 with full control to the computer object's ACL.
814 *******************************************************************/
816 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
819 struct libnet_UnjoinCtx *r = NULL;
823 d_fprintf(stderr, "No realm set, are we joined ?\n");
827 if (!(ctx = talloc_init("net_ads_leave"))) {
828 d_fprintf(stderr, "Could not initialise talloc context.\n");
832 use_in_memory_ccache();
834 werr = libnet_init_UnjoinCtx(ctx, &r);
835 if (!W_ERROR_IS_OK(werr)) {
836 d_fprintf(stderr, "Could not initialise unjoin context.\n");
841 r->in.dc_name = c->opt_host;
842 r->in.domain_name = lp_realm();
843 r->in.admin_account = c->opt_user_name;
844 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
845 r->in.modify_config = lp_config_backend_is_registry();
846 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
847 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
849 werr = libnet_Unjoin(ctx, r);
850 if (!W_ERROR_IS_OK(werr)) {
851 d_printf("Failed to leave domain: %s\n",
852 r->out.error_string ? r->out.error_string :
853 get_friendly_werror_msg(werr));
857 if (W_ERROR_IS_OK(werr)) {
858 d_printf("Deleted account for '%s' in realm '%s'\n",
859 r->in.machine_name, r->out.dns_domain_name);
863 /* We couldn't delete it - see if the disable succeeded. */
864 if (r->out.disabled_machine_account) {
865 d_printf("Disabled account for '%s' in realm '%s'\n",
866 r->in.machine_name, r->out.dns_domain_name);
871 d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
872 r->in.machine_name, r->out.dns_domain_name);
878 if (W_ERROR_IS_OK(werr)) {
885 static NTSTATUS net_ads_join_ok(struct net_context *c)
887 ADS_STRUCT *ads = NULL;
890 if (!secrets_init()) {
891 DEBUG(1,("Failed to initialise secrets database\n"));
892 return NT_STATUS_ACCESS_DENIED;
895 net_use_krb_machine_account(c);
897 status = ads_startup(c, true, &ads);
898 if (!ADS_ERR_OK(status)) {
899 return ads_ntstatus(status);
907 check that an existing join is OK
909 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
912 use_in_memory_ccache();
914 /* Display success or failure */
915 status = net_ads_join_ok(c);
916 if (!NT_STATUS_IS_OK(status)) {
917 fprintf(stderr,"Join to domain is not valid: %s\n",
918 get_friendly_nt_error_msg(status));
922 printf("Join is OK\n");
926 /*******************************************************************
927 Simple configu checks before beginning the join
928 ********************************************************************/
930 static WERROR check_ads_config( void )
932 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
933 d_printf("Host is not configured as a member server.\n");
934 return WERR_INVALID_DOMAIN_ROLE;
937 if (strlen(global_myname()) > 15) {
938 d_printf("Our netbios name can be at most 15 chars long, "
939 "\"%s\" is %u chars long\n", global_myname(),
940 (unsigned int)strlen(global_myname()));
941 return WERR_INVALID_COMPUTER_NAME;
944 if ( lp_security() == SEC_ADS && !*lp_realm()) {
945 d_fprintf(stderr, "realm must be set in in %s for ADS "
946 "join to succeed.\n", get_dyn_CONFIGFILE());
947 return WERR_INVALID_PARAM;
953 /*******************************************************************
954 Send a DNS update request
955 *******************************************************************/
957 #if defined(WITH_DNS_UPDATES)
959 DNS_ERROR DoDNSUpdate(char *pszServerName,
960 const char *pszDomainName, const char *pszHostName,
961 const struct sockaddr_storage *sslist,
964 static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
965 const char *machine_name,
966 const struct sockaddr_storage *addrs,
969 struct dns_rr_ns *nameservers = NULL;
971 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
974 const char *dnsdomain = NULL;
975 char *root_domain = NULL;
977 if ( (dnsdomain = strchr_m( machine_name, '.')) == NULL ) {
978 d_printf("No DNS domain configured for %s. "
979 "Unable to perform DNS Update.\n", machine_name);
980 status = NT_STATUS_INVALID_PARAMETER;
985 status = ads_dns_lookup_ns( ctx, dnsdomain, &nameservers, &ns_count );
986 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
987 /* Child domains often do not have NS records. Look
988 for the NS record for the forest root domain
989 (rootDomainNamingContext in therootDSE) */
991 const char *rootname_attrs[] = { "rootDomainNamingContext", NULL };
992 LDAPMessage *msg = NULL;
994 ADS_STATUS ads_status;
996 if ( !ads->ldap.ld ) {
997 ads_status = ads_connect( ads );
998 if ( !ADS_ERR_OK(ads_status) ) {
999 DEBUG(0,("net_update_dns_internal: Failed to connect to our DC!\n"));
1004 ads_status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
1005 "(objectclass=*)", rootname_attrs, &msg);
1006 if (!ADS_ERR_OK(ads_status)) {
1010 root_dn = ads_pull_string(ads, ctx, msg, "rootDomainNamingContext");
1012 ads_msgfree( ads, msg );
1016 root_domain = ads_build_domain( root_dn );
1019 ads_msgfree( ads, msg );
1021 /* try again for NS servers */
1023 status = ads_dns_lookup_ns( ctx, root_domain, &nameservers, &ns_count );
1025 if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
1026 DEBUG(3,("net_ads_join: Failed to find name server for the %s "
1027 "realm\n", ads->config.realm));
1031 dnsdomain = root_domain;
1035 /* Now perform the dns update - we'll try non-secure and if we fail,
1036 we'll follow it up with a secure update */
1038 fstrcpy( dns_server, nameservers[0].hostname );
1040 dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
1041 if (!ERR_DNS_IS_OK(dns_err)) {
1042 status = NT_STATUS_UNSUCCESSFUL;
1047 SAFE_FREE( root_domain );
1052 static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
1055 struct sockaddr_storage *iplist = NULL;
1056 fstring machine_name;
1059 name_to_fqdn( machine_name, global_myname() );
1060 strlower_m( machine_name );
1062 /* Get our ip address (not the 127.0.0.x address but a real ip
1065 num_addrs = get_my_ip_address( &iplist );
1066 if ( num_addrs <= 0 ) {
1067 DEBUG(4,("net_update_dns: Failed to find my non-loopback IP "
1069 return NT_STATUS_INVALID_PARAMETER;
1072 status = net_update_dns_internal(mem_ctx, ads, machine_name,
1074 SAFE_FREE( iplist );
1080 /*******************************************************************
1081 ********************************************************************/
1083 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1085 d_printf("net ads join [options]\n");
1086 d_printf("Valid options:\n");
1087 d_printf(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n");
1088 d_printf(" The deault UPN is in the form host/netbiosname@REALM.\n");
1089 d_printf(" createcomputer=OU Precreate the computer account in a specific OU.\n");
1090 d_printf(" The OU string read from top to bottom without RDNs and delimited by a '/'.\n");
1091 d_printf(" E.g. \"createcomputer=Computers/Servers/Unix\"\n");
1092 d_printf(" NB: A backslash '\\' is used as escape at multiple levels and may\n");
1093 d_printf(" need to be doubled or even quadrupled. It is not used as a separator.\n");
1094 d_printf(" osName=string Set the operatingSystem attribute during the join.\n");
1095 d_printf(" osVer=string Set the operatingSystemVersion attribute during the join.\n");
1096 d_printf(" NB: osName and osVer must be specified together for either to take effect.\n");
1097 d_printf(" Also, the operatingSystemService attribute is also set when along with\n");
1098 d_printf(" the two other attributes.\n");
1103 /*******************************************************************
1104 ********************************************************************/
1106 int net_ads_join(struct net_context *c, int argc, const char **argv)
1108 TALLOC_CTX *ctx = NULL;
1109 struct libnet_JoinCtx *r = NULL;
1110 const char *domain = lp_realm();
1111 WERROR werr = WERR_SETUP_NOT_JOINED;
1112 bool createupn = false;
1113 const char *machineupn = NULL;
1114 const char *create_in_ou = NULL;
1116 const char *os_name = NULL;
1117 const char *os_version = NULL;
1118 bool modify_config = lp_config_backend_is_registry();
1120 if (!modify_config) {
1122 werr = check_ads_config();
1123 if (!W_ERROR_IS_OK(werr)) {
1124 d_fprintf(stderr, "Invalid configuration. Exiting....\n");
1129 if (!(ctx = talloc_init("net_ads_join"))) {
1130 d_fprintf(stderr, "Could not initialise talloc context.\n");
1135 use_in_memory_ccache();
1137 werr = libnet_init_JoinCtx(ctx, &r);
1138 if (!W_ERROR_IS_OK(werr)) {
1142 /* process additional command line args */
1144 for ( i=0; i<argc; i++ ) {
1145 if ( !StrnCaseCmp(argv[i], "createupn", strlen("createupn")) ) {
1147 machineupn = get_string_param(argv[i]);
1149 else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) {
1150 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1151 d_fprintf(stderr, "Please supply a valid OU path.\n");
1152 werr = WERR_INVALID_PARAM;
1156 else if ( !StrnCaseCmp(argv[i], "osName", strlen("osName")) ) {
1157 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1158 d_fprintf(stderr, "Please supply a operating system name.\n");
1159 werr = WERR_INVALID_PARAM;
1163 else if ( !StrnCaseCmp(argv[i], "osVer", strlen("osVer")) ) {
1164 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1165 d_fprintf(stderr, "Please supply a valid operating system version.\n");
1166 werr = WERR_INVALID_PARAM;
1176 d_fprintf(stderr, "Please supply a valid domain name\n");
1177 werr = WERR_INVALID_PARAM;
1181 /* Do the domain join here */
1183 r->in.domain_name = domain;
1184 r->in.create_upn = createupn;
1185 r->in.upn = machineupn;
1186 r->in.account_ou = create_in_ou;
1187 r->in.os_name = os_name;
1188 r->in.os_version = os_version;
1189 r->in.dc_name = c->opt_host;
1190 r->in.admin_account = c->opt_user_name;
1191 r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
1193 r->in.modify_config = modify_config;
1194 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1195 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1196 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1198 werr = libnet_Join(ctx, r);
1199 if (!W_ERROR_IS_OK(werr)) {
1203 /* Check the short name of the domain */
1205 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1206 d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
1207 d_printf("domain name obtained from the server.\n");
1208 d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
1209 d_printf("You should set \"workgroup = %s\" in %s.\n",
1210 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1213 d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
1215 if (r->out.dns_domain_name) {
1216 d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
1217 r->out.dns_domain_name);
1219 d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
1220 r->out.netbios_domain_name);
1223 #if defined(WITH_DNS_UPDATES)
1224 if (r->out.domain_is_ad) {
1225 /* We enter this block with user creds */
1226 ADS_STRUCT *ads_dns = NULL;
1228 if ( (ads_dns = ads_init( lp_realm(), NULL, NULL )) != NULL ) {
1229 /* kinit with the machine password */
1231 use_in_memory_ccache();
1232 asprintf( &ads_dns->auth.user_name, "%s$", global_myname() );
1233 ads_dns->auth.password = secrets_fetch_machine_password(
1234 r->out.netbios_domain_name, NULL, NULL );
1235 ads_dns->auth.realm = SMB_STRDUP( r->out.dns_domain_name );
1236 strupper_m(ads_dns->auth.realm );
1237 ads_kinit_password( ads_dns );
1240 if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
1241 d_fprintf( stderr, "DNS update failed!\n" );
1244 /* exit from this block using machine creds */
1245 ads_destroy(&ads_dns);
1254 /* issue an overall failure message at the end. */
1255 d_printf("Failed to join domain: %s\n",
1256 r && r->out.error_string ? r->out.error_string :
1257 get_friendly_werror_msg(werr));
1263 /*******************************************************************
1264 ********************************************************************/
1266 static int net_ads_dns_usage(struct net_context *c, int argc, const char **argv)
1268 #if defined(WITH_DNS_UPDATES)
1269 d_printf("net ads dns <command>\n");
1270 d_printf("Valid commands:\n");
1271 d_printf(" register Issue a dynamic DNS update request for our hostname\n");
1275 d_fprintf(stderr, "DNS update support not enabled at compile time!\n");
1280 /*******************************************************************
1281 ********************************************************************/
1283 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1285 #if defined(WITH_DNS_UPDATES)
1291 talloc_enable_leak_report();
1295 d_fprintf(stderr, "net ads dns register\n");
1299 if (!(ctx = talloc_init("net_ads_dns"))) {
1300 d_fprintf(stderr, "Could not initialise talloc context\n");
1304 status = ads_startup(c, true, &ads);
1305 if ( !ADS_ERR_OK(status) ) {
1306 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1311 if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
1312 d_fprintf( stderr, "DNS update failed!\n" );
1313 ads_destroy( &ads );
1318 d_fprintf( stderr, "Successfully registered hostname with DNS\n" );
1325 d_fprintf(stderr, "DNS update support not enabled at compile time!\n");
1330 #if defined(WITH_DNS_UPDATES)
1331 DNS_ERROR do_gethostbyname(const char *server, const char *host);
1334 static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const char **argv)
1336 #if defined(WITH_DNS_UPDATES)
1340 talloc_enable_leak_report();
1344 d_fprintf(stderr, "net ads dns gethostbyname <server> "
1349 err = do_gethostbyname(argv[0], argv[1]);
1351 d_printf("do_gethostbyname returned %d\n", ERROR_DNS_V(err));
1356 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
1358 struct functable func[] = {
1359 {"REGISTER", net_ads_dns_register},
1360 {"GETHOSTBYNAME", net_ads_dns_gethostbyname},
1364 return net_run_function(c, argc, argv, func, net_ads_dns_usage);
1367 /*******************************************************************
1368 ********************************************************************/
1370 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
1373 "\nnet ads printer search <printer>"
1374 "\n\tsearch for a printer in the directory\n"
1375 "\nnet ads printer info <printer> <server>"
1376 "\n\tlookup info in directory for printer on server"
1377 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
1378 "\nnet ads printer publish <printername>"
1379 "\n\tpublish printer in directory"
1380 "\n\t(note: printer name is required)\n"
1381 "\nnet ads printer remove <printername>"
1382 "\n\tremove printer from directory"
1383 "\n\t(note: printer name is required)\n");
1387 /*******************************************************************
1388 ********************************************************************/
1390 static int net_ads_printer_search(struct net_context *c, int argc, const char **argv)
1394 LDAPMessage *res = NULL;
1396 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1400 rc = ads_find_printers(ads, &res);
1402 if (!ADS_ERR_OK(rc)) {
1403 d_fprintf(stderr, "ads_find_printer: %s\n", ads_errstr(rc));
1404 ads_msgfree(ads, res);
1409 if (ads_count_replies(ads, res) == 0) {
1410 d_fprintf(stderr, "No results found\n");
1411 ads_msgfree(ads, res);
1417 ads_msgfree(ads, res);
1422 static int net_ads_printer_info(struct net_context *c, int argc, const char **argv)
1426 const char *servername, *printername;
1427 LDAPMessage *res = NULL;
1429 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1434 printername = argv[0];
1440 servername = argv[1];
1442 servername = global_myname();
1445 rc = ads_find_printer_on_server(ads, &res, printername, servername);
1447 if (!ADS_ERR_OK(rc)) {
1448 d_fprintf(stderr, "Server '%s' not found: %s\n",
1449 servername, ads_errstr(rc));
1450 ads_msgfree(ads, res);
1455 if (ads_count_replies(ads, res) == 0) {
1456 d_fprintf(stderr, "Printer '%s' not found\n", printername);
1457 ads_msgfree(ads, res);
1463 ads_msgfree(ads, res);
1469 static int net_ads_printer_publish(struct net_context *c, int argc, const char **argv)
1473 const char *servername, *printername;
1474 struct cli_state *cli;
1475 struct rpc_pipe_client *pipe_hnd;
1476 struct sockaddr_storage server_ss;
1478 TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
1479 ADS_MODLIST mods = ads_init_mods(mem_ctx);
1480 char *prt_dn, *srv_dn, **srv_cn;
1481 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
1482 LDAPMessage *res = NULL;
1484 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1485 talloc_destroy(mem_ctx);
1490 talloc_destroy(mem_ctx);
1491 return net_ads_printer_usage(c, argc, argv);
1494 printername = argv[0];
1497 servername = argv[1];
1499 servername = global_myname();
1502 /* Get printer data from SPOOLSS */
1504 resolve_name(servername, &server_ss, 0x20);
1506 nt_status = cli_full_connection(&cli, global_myname(), servername,
1509 c->opt_user_name, c->opt_workgroup,
1510 c->opt_password ? c->opt_password : "",
1511 CLI_FULL_CONNECTION_USE_KERBEROS,
1514 if (NT_STATUS_IS_ERR(nt_status)) {
1515 d_fprintf(stderr, "Unable to open a connnection to %s to obtain data "
1516 "for %s\n", servername, printername);
1518 talloc_destroy(mem_ctx);
1522 /* Publish on AD server */
1524 ads_find_machine_acct(ads, &res, servername);
1526 if (ads_count_replies(ads, res) == 0) {
1527 d_fprintf(stderr, "Could not find machine account for server %s\n",
1530 talloc_destroy(mem_ctx);
1534 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
1535 srv_cn = ldap_explode_dn(srv_dn, 1);
1537 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
1538 printername_escaped = escape_rdn_val_string_alloc(printername);
1539 if (!srv_cn_escaped || !printername_escaped) {
1540 SAFE_FREE(srv_cn_escaped);
1541 SAFE_FREE(printername_escaped);
1542 d_fprintf(stderr, "Internal error, out of memory!");
1544 talloc_destroy(mem_ctx);
1548 asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn_escaped, printername_escaped, srv_dn);
1550 SAFE_FREE(srv_cn_escaped);
1551 SAFE_FREE(printername_escaped);
1553 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SPOOLSS, &nt_status);
1555 d_fprintf(stderr, "Unable to open a connnection to the spoolss pipe on %s\n",
1559 talloc_destroy(mem_ctx);
1563 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd, mem_ctx, &mods,
1567 talloc_destroy(mem_ctx);
1571 rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
1572 if (!ADS_ERR_OK(rc)) {
1573 d_fprintf(stderr, "ads_publish_printer: %s\n", ads_errstr(rc));
1576 talloc_destroy(mem_ctx);
1580 d_printf("published printer\n");
1583 talloc_destroy(mem_ctx);
1588 static int net_ads_printer_remove(struct net_context *c, int argc, const char **argv)
1592 const char *servername;
1594 LDAPMessage *res = NULL;
1596 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1601 return net_ads_printer_usage(c, argc, argv);
1605 servername = argv[1];
1607 servername = global_myname();
1610 rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
1612 if (!ADS_ERR_OK(rc)) {
1613 d_fprintf(stderr, "ads_find_printer_on_server: %s\n", ads_errstr(rc));
1614 ads_msgfree(ads, res);
1619 if (ads_count_replies(ads, res) == 0) {
1620 d_fprintf(stderr, "Printer '%s' not found\n", argv[1]);
1621 ads_msgfree(ads, res);
1626 prt_dn = ads_get_dn(ads, res);
1627 ads_msgfree(ads, res);
1628 rc = ads_del_dn(ads, prt_dn);
1629 ads_memfree(ads, prt_dn);
1631 if (!ADS_ERR_OK(rc)) {
1632 d_fprintf(stderr, "ads_del_dn: %s\n", ads_errstr(rc));
1641 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
1643 struct functable func[] = {
1644 {"SEARCH", net_ads_printer_search},
1645 {"INFO", net_ads_printer_info},
1646 {"PUBLISH", net_ads_printer_publish},
1647 {"REMOVE", net_ads_printer_remove},
1651 return net_run_function(c, argc, argv, func, net_ads_printer_usage);
1655 static int net_ads_password(struct net_context *c, int argc, const char **argv)
1658 const char *auth_principal = c->opt_user_name;
1659 const char *auth_password = c->opt_password;
1661 char *new_password = NULL;
1666 if (c->opt_user_name == NULL || c->opt_password == NULL) {
1667 d_fprintf(stderr, "You must supply an administrator username/password\n");
1672 d_fprintf(stderr, "ERROR: You must say which username to change password for\n");
1677 if (!strchr_m(user, '@')) {
1678 asprintf(&chr, "%s@%s", argv[0], lp_realm());
1682 use_in_memory_ccache();
1683 chr = strchr_m(auth_principal, '@');
1690 /* use the realm so we can eventually change passwords for users
1691 in realms other than default */
1692 if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
1696 /* we don't actually need a full connect, but it's the easy way to
1697 fill in the KDC's addresss */
1700 if (!ads->config.realm) {
1701 d_fprintf(stderr, "Didn't find the kerberos server!\n");
1706 new_password = (char *)argv[1];
1708 asprintf(&prompt, "Enter new password for %s:", user);
1709 new_password = getpass(prompt);
1713 ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
1714 auth_password, user, new_password, ads->auth.time_offset);
1715 if (!ADS_ERR_OK(ret)) {
1716 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1721 d_printf("Password change for %s completed.\n", user);
1727 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
1730 char *host_principal;
1734 if (!secrets_init()) {
1735 DEBUG(1,("Failed to initialise secrets database\n"));
1739 net_use_krb_machine_account(c);
1741 use_in_memory_ccache();
1743 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1747 fstrcpy(my_name, global_myname());
1748 strlower_m(my_name);
1749 asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm);
1750 d_printf("Changing password for principal: %s\n", host_principal);
1752 ret = ads_change_trust_account_password(ads, host_principal);
1754 if (!ADS_ERR_OK(ret)) {
1755 d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
1757 SAFE_FREE(host_principal);
1761 d_printf("Password change for principal %s succeeded.\n", host_principal);
1763 if (lp_use_kerberos_keytab()) {
1764 d_printf("Attempting to update system keytab with new password.\n");
1765 if (ads_keytab_create_default(ads)) {
1766 d_printf("Failed to update system keytab.\n");
1771 SAFE_FREE(host_principal);
1777 help for net ads search
1779 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
1782 "\nnet ads search <expression> <attributes...>\n"\
1783 "\nperform a raw LDAP search on a ADS server and dump the results\n"\
1784 "The expression is a standard LDAP search expression, and the\n"\
1785 "attributes are a list of LDAP fields to show in the results\n\n"\
1786 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
1788 net_common_flags_usage(c, argc, argv);
1794 general ADS search function. Useful in diagnosing problems in ADS
1796 static int net_ads_search(struct net_context *c, int argc, const char **argv)
1800 const char *ldap_exp;
1802 LDAPMessage *res = NULL;
1805 return net_ads_search_usage(c, argc, argv);
1808 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1815 rc = ads_do_search_all(ads, ads->config.bind_path,
1817 ldap_exp, attrs, &res);
1818 if (!ADS_ERR_OK(rc)) {
1819 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
1824 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
1826 /* dump the results */
1829 ads_msgfree(ads, res);
1837 help for net ads search
1839 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
1842 "\nnet ads dn <dn> <attributes...>\n"\
1843 "\nperform a raw LDAP search on a ADS server and dump the results\n"\
1844 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"\
1845 "to show in the results\n\n"\
1846 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
1847 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
1849 net_common_flags_usage(c, argc, argv);
1855 general ADS search function. Useful in diagnosing problems in ADS
1857 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
1863 LDAPMessage *res = NULL;
1866 return net_ads_dn_usage(c, argc, argv);
1869 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1876 rc = ads_do_search_all(ads, dn,
1878 "(objectclass=*)", attrs, &res);
1879 if (!ADS_ERR_OK(rc)) {
1880 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
1885 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
1887 /* dump the results */
1890 ads_msgfree(ads, res);
1897 help for net ads sid search
1899 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
1902 "\nnet ads sid <sid> <attributes...>\n"\
1903 "\nperform a raw LDAP search on a ADS server and dump the results\n"\
1904 "The SID is in string format, and the attributes are a list of LDAP fields \n"\
1905 "to show in the results\n\n"\
1906 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
1908 net_common_flags_usage(c, argc, argv);
1914 general ADS search function. Useful in diagnosing problems in ADS
1916 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
1920 const char *sid_string;
1922 LDAPMessage *res = NULL;
1926 return net_ads_sid_usage(c, argc, argv);
1929 if (!ADS_ERR_OK(ads_startup(c, false, &ads))) {
1933 sid_string = argv[0];
1936 if (!string_to_sid(&sid, sid_string)) {
1937 d_fprintf(stderr, "could not convert sid\n");
1942 rc = ads_search_retry_sid(ads, &res, &sid, attrs);
1943 if (!ADS_ERR_OK(rc)) {
1944 d_fprintf(stderr, "search failed: %s\n", ads_errstr(rc));
1949 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
1951 /* dump the results */
1954 ads_msgfree(ads, res);
1961 static int net_ads_keytab_usage(struct net_context *c, int argc, const char **argv)
1964 "net ads keytab <COMMAND>\n"\
1965 "<COMMAND> can be either:\n"\
1966 " ADD Adds new service principal\n"\
1967 " CREATE Creates a fresh keytab\n"\
1968 " FLUSH Flushes out all keytab entries\n"\
1969 " HELP Prints this help message\n"\
1970 " LIST List the keytab\n"\
1971 "The ADD and LIST command will take arguments, the other commands\n"\
1972 "will not take any arguments. The arguments given to ADD\n"\
1973 "should be a list of principals to add. For example, \n"\
1974 " net ads keytab add srv1 srv2\n"\
1975 "will add principals for the services srv1 and srv2 to the\n"\
1976 "system's keytab.\n"\
1977 "The LIST command takes a keytabname.\n"\
1983 static int net_ads_keytab_flush(struct net_context *c, int argc, const char **argv)
1988 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
1991 ret = ads_keytab_flush(ads);
1996 static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv)
2002 d_printf("Processing principals to add...\n");
2003 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2006 for (i = 0; i < argc; i++) {
2007 ret |= ads_keytab_add_entry(ads, argv[i]);
2013 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2018 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
2021 ret = ads_keytab_create_default(ads);
2026 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2028 const char *keytab = NULL;
2034 return ads_keytab_list(keytab);
2038 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2040 struct functable func[] = {
2041 {"ADD", net_ads_keytab_add},
2042 {"CREATE", net_ads_keytab_create},
2043 {"FLUSH", net_ads_keytab_flush},
2044 {"HELP", net_ads_keytab_usage},
2045 {"LIST", net_ads_keytab_list},
2049 if (!lp_use_kerberos_keytab()) {
2050 d_printf("\nWarning: \"use kerberos keytab\" must be set to \"true\" in order to \
2051 use keytab functions.\n");
2054 return net_run_function(c, argc, argv, func, net_ads_keytab_usage);
2057 static int net_ads_kerberos_usage(struct net_context *c, int argc, const char **argv)
2060 "net ads kerberos <COMMAND>\n"\
2061 "<COMMAND> can be either:\n"\
2062 " RENEW Renew TGT from existing credential cache\n"\
2063 " PAC Dumps the Kerberos PAC\n"\
2064 " KINIT Retrieve Ticket Granting Ticket (TGT)\n"\
2071 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
2073 int ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
2075 d_printf("failed to renew kerberos ticket: %s\n",
2076 error_message(ret));
2081 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
2083 struct PAC_DATA *pac = NULL;
2084 struct PAC_LOGON_INFO *info = NULL;
2085 TALLOC_CTX *mem_ctx = NULL;
2089 mem_ctx = talloc_init("net_ads_kerberos_pac");
2094 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2096 status = kerberos_return_pac(mem_ctx,
2105 2592000, /* one month */
2107 if (!NT_STATUS_IS_OK(status)) {
2108 d_printf("failed to query kerberos PAC: %s\n",
2113 info = get_logon_info_from_pac(pac);
2116 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
2117 d_printf("The Pac: %s\n", s);
2122 TALLOC_FREE(mem_ctx);
2126 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
2128 TALLOC_CTX *mem_ctx = NULL;
2132 mem_ctx = talloc_init("net_ads_kerberos_kinit");
2137 c->opt_password = net_prompt_pass(c, c->opt_user_name);
2139 ret = kerberos_kinit_password_ext(c->opt_user_name,
2147 2592000, /* one month */
2150 d_printf("failed to kinit password: %s\n",
2157 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2159 struct functable func[] = {
2160 {"KINIT", net_ads_kerberos_kinit},
2161 {"RENEW", net_ads_kerberos_renew},
2162 {"PAC", net_ads_kerberos_pac},
2163 {"HELP", net_ads_kerberos_usage},
2167 return net_run_function(c, argc, argv, func, net_ads_kerberos_usage);
2171 int net_ads_usage(struct net_context *c, int argc, const char **argv)
2173 struct functable func[] = {
2174 {"USER", net_ads_user_usage},
2175 {"GROUP", net_ads_group_usage},
2176 {"PRINTER", net_ads_printer_usage},
2177 {"SEARCH", net_ads_search_usage},
2178 {"INFO", net_ads_info},
2179 {"JOIN", net_ads_join_usage},
2180 {"DNS", net_ads_dns_usage},
2181 {"LEAVE", net_ads_leave},
2182 {"STATUS", net_ads_status},
2183 {"PASSWORD", net_ads_password},
2184 {"CHANGETRUSTPW", net_ads_changetrustpw},
2188 return net_run_function(c, argc, argv, func, net_ads_help);
2191 int net_ads(struct net_context *c, int argc, const char **argv)
2193 struct functable func[] = {
2194 {"INFO", net_ads_info},
2195 {"JOIN", net_ads_join},
2196 {"TESTJOIN", net_ads_testjoin},
2197 {"LEAVE", net_ads_leave},
2198 {"STATUS", net_ads_status},
2199 {"USER", net_ads_user},
2200 {"GROUP", net_ads_group},
2201 {"DNS", net_ads_dns},
2202 {"PASSWORD", net_ads_password},
2203 {"CHANGETRUSTPW", net_ads_changetrustpw},
2204 {"PRINTER", net_ads_printer},
2205 {"SEARCH", net_ads_search},
2207 {"SID", net_ads_sid},
2208 {"WORKGROUP", net_ads_workgroup},
2209 {"LOOKUP", net_ads_lookup},
2210 {"KEYTAB", net_ads_keytab},
2211 {"GPO", net_ads_gpo},
2212 {"KERBEROS", net_ads_kerberos},
2213 {"HELP", net_ads_help},
2217 return net_run_function(c, argc, argv, func, net_ads_help);
2222 static int net_ads_noads(void)
2224 d_fprintf(stderr, "ADS support not compiled in\n");
2228 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
2230 return net_ads_noads();
2233 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
2235 return net_ads_noads();
2238 int net_ads_usage(struct net_context *c, int argc, const char **argv)
2240 return net_ads_noads();
2243 int net_ads_help(struct net_context *c, int argc, const char **argv)
2245 return net_ads_noads();
2248 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2250 return net_ads_noads();
2253 int net_ads_join(struct net_context *c, int argc, const char **argv)
2255 return net_ads_noads();
2258 int net_ads_user(struct net_context *c, int argc, const char **argv)
2260 return net_ads_noads();
2263 int net_ads_group(struct net_context *c, int argc, const char **argv)
2265 return net_ads_noads();
2268 /* this one shouldn't display a message */
2269 int net_ads_check(struct net_context *c)
2274 int net_ads_check_our_domain(struct net_context *c)
2279 int net_ads(struct net_context *c, int argc, const char **argv)
2281 return net_ads_usage(c, argc, argv);
2284 #endif /* WITH_ADS */