2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "utils/net.h"
23 #include "../librpc/gen_ndr/samr.h"
29 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
31 bool (*fn)(struct samu *, const char *,
32 enum pdb_value_state))
34 struct samu *sam_acct = NULL;
36 enum lsa_SidType type;
37 const char *dom, *name;
40 if (argc != 2 || c->display_usage) {
41 d_fprintf(stderr, "%s\n", _("Usage:"));
42 d_fprintf(stderr, _("net sam set %s <user> <value>\n"),
47 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
48 &dom, &name, &sid, &type)) {
49 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
53 if (type != SID_NAME_USER) {
54 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
55 sid_type_lookup(type));
59 if ( !(sam_acct = samu_new( NULL )) ) {
60 d_fprintf(stderr, _("Internal error\n"));
64 if (!pdb_getsampwsid(sam_acct, &sid)) {
65 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
69 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
70 d_fprintf(stderr, _("Internal error\n"));
74 status = pdb_update_sam_account(sam_acct);
75 if (!NT_STATUS_IS_OK(status)) {
76 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
77 argv[0], nt_errstr(status));
81 TALLOC_FREE(sam_acct);
83 d_printf(_("Updated %s for %s\\%s to %s\n"), field, dom, name, argv[1]);
87 static int net_sam_set_fullname(struct net_context *c, int argc,
90 return net_sam_userset(c, argc, argv, "fullname",
94 static int net_sam_set_logonscript(struct net_context *c, int argc,
97 return net_sam_userset(c, argc, argv, "logonscript",
98 pdb_set_logon_script);
101 static int net_sam_set_profilepath(struct net_context *c, int argc,
104 return net_sam_userset(c, argc, argv, "profilepath",
105 pdb_set_profile_path);
108 static int net_sam_set_homedrive(struct net_context *c, int argc,
111 return net_sam_userset(c, argc, argv, "homedrive",
115 static int net_sam_set_homedir(struct net_context *c, int argc,
118 return net_sam_userset(c, argc, argv, "homedir",
122 static int net_sam_set_workstations(struct net_context *c, int argc,
125 return net_sam_userset(c, argc, argv, "workstations",
126 pdb_set_workstations);
133 static int net_sam_set_userflag(struct net_context *c, int argc,
134 const char **argv, const char *field,
137 struct samu *sam_acct = NULL;
139 enum lsa_SidType type;
140 const char *dom, *name;
144 if ((argc != 2) || c->display_usage ||
145 (!strequal(argv[1], "yes") &&
146 !strequal(argv[1], "no"))) {
147 d_fprintf(stderr, "%s\n", _("Usage:"));
148 d_fprintf(stderr, _("net sam set %s <user> [yes|no]\n"),
153 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
154 &dom, &name, &sid, &type)) {
155 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
159 if (type != SID_NAME_USER) {
160 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
161 sid_type_lookup(type));
165 if ( !(sam_acct = samu_new( NULL )) ) {
166 d_fprintf(stderr, _("Internal error\n"));
170 if (!pdb_getsampwsid(sam_acct, &sid)) {
171 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
175 acct_flags = pdb_get_acct_ctrl(sam_acct);
177 if (strequal(argv[1], "yes")) {
183 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
185 status = pdb_update_sam_account(sam_acct);
186 if (!NT_STATUS_IS_OK(status)) {
187 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
188 argv[0], nt_errstr(status));
192 TALLOC_FREE(sam_acct);
194 d_fprintf(stderr, _("Updated flag %s for %s\\%s to %s\n"), field, dom,
199 static int net_sam_set_disabled(struct net_context *c, int argc,
202 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
205 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
208 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
211 static int net_sam_set_autolock(struct net_context *c, int argc,
214 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
217 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
220 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
224 * Set pass last change time, based on force pass change now
227 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
230 struct samu *sam_acct = NULL;
232 enum lsa_SidType type;
233 const char *dom, *name;
236 if ((argc != 2) || c->display_usage ||
237 (!strequal(argv[1], "yes") &&
238 !strequal(argv[1], "no"))) {
239 d_fprintf(stderr, "%s\n%s",
241 _("net sam set pwdmustchangenow <user> [yes|no]\n"));
245 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
246 &dom, &name, &sid, &type)) {
247 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
251 if (type != SID_NAME_USER) {
252 d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
253 sid_type_lookup(type));
257 if ( !(sam_acct = samu_new( NULL )) ) {
258 d_fprintf(stderr, _("Internal error\n"));
262 if (!pdb_getsampwsid(sam_acct, &sid)) {
263 d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
267 if (strequal(argv[1], "yes")) {
268 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
270 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
273 status = pdb_update_sam_account(sam_acct);
274 if (!NT_STATUS_IS_OK(status)) {
275 d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
276 argv[0], nt_errstr(status));
280 TALLOC_FREE(sam_acct);
282 d_fprintf(stderr, _("Updated 'user must change password at next logon' "
283 "for %s\\%s to %s\n"), dom,
290 * Set a user's or a group's comment
293 static int net_sam_set_comment(struct net_context *c, int argc,
298 enum lsa_SidType type;
299 const char *dom, *name;
302 if (argc != 2 || c->display_usage) {
303 d_fprintf(stderr, "%s\n%s",
305 _("net sam set comment <name> <comment>\n"));
309 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
310 &dom, &name, &sid, &type)) {
311 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
315 if (type == SID_NAME_USER) {
316 return net_sam_userset(c, argc, argv, "comment",
320 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
321 (type != SID_NAME_WKN_GRP)) {
322 d_fprintf(stderr, _("%s is a %s, not a group\n"), argv[0],
323 sid_type_lookup(type));
327 if (!pdb_getgrsid(&map, sid)) {
328 d_fprintf(stderr, _("Could not load group %s\n"), argv[0]);
332 fstrcpy(map.comment, argv[1]);
334 status = pdb_update_group_mapping_entry(&map);
336 if (!NT_STATUS_IS_OK(status)) {
337 d_fprintf(stderr, _("Updating group mapping entry failed with "
338 "%s\n"), nt_errstr(status));
342 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
348 static int net_sam_set(struct net_context *c, int argc, const char **argv)
350 struct functable func[] = {
355 N_("Change a user's home directory"),
356 N_("net sam set homedir\n"
357 " Change a user's home directory")
361 net_sam_set_profilepath,
363 N_("Change a user's profile path"),
364 N_("net sam set profilepath\n"
365 " Change a user's profile path")
371 N_("Change a users or groups description"),
372 N_("net sam set comment\n"
373 " Change a users or groups description")
377 net_sam_set_fullname,
379 N_("Change a user's full name"),
380 N_("net sam set fullname\n"
381 " Change a user's full name")
385 net_sam_set_logonscript,
387 N_("Change a user's logon script"),
388 N_("net sam set logonscript\n"
389 " Change a user's logon script")
393 net_sam_set_homedrive,
395 N_("Change a user's home drive"),
396 N_("net sam set homedrive\n"
397 " Change a user's home drive")
401 net_sam_set_workstations,
403 N_("Change a user's allowed workstations"),
404 N_("net sam set workstations\n"
405 " Change a user's allowed workstations")
409 net_sam_set_disabled,
411 N_("Disable/Enable a user"),
412 N_("net sam set disable\n"
413 " Disable/Enable a user")
417 net_sam_set_pwnotreq,
419 N_("Disable/Enable the password not required flag"),
420 N_("net sam set pwnotreq\n"
421 " Disable/Enable the password not required flag")
425 net_sam_set_autolock,
427 N_("Disable/Enable a user's lockout flag"),
428 N_("net sam set autolock\n"
429 " Disable/Enable a user's lockout flag")
435 N_("Disable/Enable whether a user's pw does not "
437 N_("net sam set pwnoexp\n"
438 " Disable/Enable whether a user's pw does not "
443 net_sam_set_pwdmustchangenow,
445 N_("Force users password must change at next logon"),
446 N_("net sam set pwdmustchangenow\n"
447 " Force users password must change at next logon")
449 {NULL, NULL, 0, NULL, NULL}
452 return net_run_function(c, argc, argv, "net sam set", func);
456 * Manage account policies
459 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
461 const char *account_policy = NULL;
463 uint32 old_value = 0;
464 enum pdb_policy_type field;
467 if (argc != 2 || c->display_usage) {
468 d_fprintf(stderr, "%s\n%s",
470 _("net sam policy set \"<account policy>\" <value>\n"));
474 account_policy = argv[0];
475 field = account_policy_name_to_typenum(account_policy);
477 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
478 || strequal(argv[1], "off")) {
482 value = strtoul(argv[1], &endptr, 10);
484 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
485 d_printf(_("Unable to set policy \"%s\"! Invalid value "
487 account_policy, argv[1]);
496 account_policy_names_list(&names, &count);
497 d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
498 d_fprintf(stderr, _("Valid account policies are:\n"));
500 for (i=0; i<count; i++) {
501 d_fprintf(stderr, "%s\n", names[i]);
508 if (!pdb_get_account_policy(field, &old_value)) {
509 d_fprintf(stderr, _("Valid account policy, but unable to fetch "
512 d_printf(_("Account policy \"%s\" value was: %d\n"),
513 account_policy, old_value);
516 if (!pdb_set_account_policy(field, value)) {
517 d_fprintf(stderr, _("Valid account policy, but unable to "
521 d_printf(_("Account policy \"%s\" value is now: %d\n"),
522 account_policy, value);
528 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
530 const char *account_policy = NULL;
532 enum pdb_policy_type field;
534 if (argc != 1 || c->display_usage) {
535 d_fprintf(stderr, "%s\n%s",
537 _("net sam policy show \"<account policy>\"\n"));
541 account_policy = argv[0];
542 field = account_policy_name_to_typenum(account_policy);
548 account_policy_names_list(&names, &count);
549 d_fprintf(stderr, _("No account policy by that name!\n"));
551 d_fprintf(stderr, _("Valid account policies "
553 for (i=0; i<count; i++) {
554 d_fprintf(stderr, "%s\n", names[i]);
561 if (!pdb_get_account_policy(field, &old_value)) {
562 fprintf(stderr, _("Valid account policy, but unable to "
567 printf(_("Account policy \"%s\" description: %s\n"),
568 account_policy, account_policy_get_desc(field));
569 printf(_("Account policy \"%s\" value is: %d\n"), account_policy,
574 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
580 if (c->display_usage) {
582 "net sam policy list\n"
585 _("List account policies"));
589 account_policy_names_list(&names, &count);
591 d_fprintf(stderr, _("Valid account policies "
593 for (i = 0; i < count ; i++) {
594 d_fprintf(stderr, "%s\n", names[i]);
601 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
603 struct functable func[] = {
608 N_("List account policies"),
609 N_("net sam policy list\n"
610 " List account policies")
616 N_("Show account policies"),
617 N_("net sam policy show\n"
618 " Show account policies")
624 N_("Change account policies"),
625 N_("net sam policy set\n"
626 " Change account policies")
628 {NULL, NULL, 0, NULL, NULL}
631 return net_run_function(c, argc, argv, "net sam policy", func);
634 static int net_sam_rights_list(struct net_context *c, int argc,
639 if (argc > 1 || c->display_usage) {
640 d_fprintf(stderr, "%s\n%s",
642 _("net sam rights list [privilege name]\n"));
648 int num = num_privileges_in_short_list();
650 for (i=0; i<num; i++) {
651 d_printf("%s\n", sec_privilege_name_from_index(i));
656 if (se_priv_from_name(argv[0], &mask)) {
657 struct dom_sid *sids;
661 status = privilege_enum_sids(&mask, talloc_tos(),
663 if (!NT_STATUS_IS_OK(status)) {
664 d_fprintf(stderr, _("Could not list rights: %s\n"),
669 for (i=0; i<num_sids; i++) {
670 const char *dom, *name;
671 enum lsa_SidType type;
673 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
675 d_printf("%s\\%s\n", dom, name);
678 d_printf("%s\n", sid_string_tos(&sids[i]));
687 static int net_sam_rights_grant(struct net_context *c, int argc,
691 enum lsa_SidType type;
692 const char *dom, *name;
696 if (argc < 2 || c->display_usage) {
697 d_fprintf(stderr, "%s\n%s",
699 _("net sam rights grant <name> <rights> ...\n"));
703 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
704 &dom, &name, &sid, &type)) {
705 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
709 for (i=1; i < argc; i++) {
710 if (!se_priv_from_name(argv[i], &mask)) {
711 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
715 if (!grant_privilege(&sid, &mask)) {
716 d_fprintf(stderr, _("Could not grant privilege\n"));
720 d_printf(_("Granted %s to %s\\%s\n"), argv[i], dom, name);
726 static int net_sam_rights_revoke(struct net_context *c, int argc,
730 enum lsa_SidType type;
731 const char *dom, *name;
735 if (argc < 2 || c->display_usage) {
736 d_fprintf(stderr, "%s\n%s",
738 _("net sam rights revoke <name> <rights>\n"));
742 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
743 &dom, &name, &sid, &type)) {
744 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
748 for (i=1; i < argc; i++) {
750 if (!se_priv_from_name(argv[i], &mask)) {
751 d_fprintf(stderr, _("%s unknown\n"), argv[i]);
755 if (!revoke_privilege(&sid, mask)) {
756 d_fprintf(stderr, _("Could not revoke privilege\n"));
760 d_printf(_("Revoked %s from %s\\%s\n"), argv[i], dom, name);
766 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
768 struct functable func[] = {
773 N_("List possible user rights"),
774 N_("net sam rights list\n"
775 " List possible user rights")
779 net_sam_rights_grant,
781 N_("Grant right(s)"),
782 N_("net sam rights grant\n"
787 net_sam_rights_revoke,
789 N_("Revoke right(s)"),
790 N_("net sam rights revoke\n"
793 {NULL, NULL, 0, NULL, NULL}
795 return net_run_function(c, argc, argv, "net sam rights", func);
799 * Map a unix group to a domain group
802 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
806 const char *grpname, *dom, *name;
809 if (pdb_getgrgid(&map, grp->gr_gid)) {
810 return NT_STATUS_GROUP_EXISTS;
813 map.gid = grp->gr_gid;
814 grpname = grp->gr_name;
816 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
817 &dom, &name, NULL, NULL)) {
819 const char *tmp = talloc_asprintf(
820 talloc_tos(), "Unix Group %s", grp->gr_name);
822 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
823 grpname, dom, name, tmp));
827 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
828 NULL, NULL, NULL, NULL)) {
829 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
830 return NT_STATUS_GROUP_EXISTS;
833 fstrcpy(map.nt_name, grpname);
835 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
836 if (!pdb_new_rid(&rid)) {
837 DEBUG(3, ("Could not get a new RID for %s\n",
839 return NT_STATUS_ACCESS_DENIED;
842 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
845 sid_compose(&map.sid, get_global_sam_sid(), rid);
846 map.sid_name_use = SID_NAME_DOM_GRP;
847 fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s",
850 status = pdb_add_group_mapping_entry(&map);
851 if (NT_STATUS_IS_OK(status)) {
857 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
863 if (argc != 1 || c->display_usage) {
864 d_fprintf(stderr, "%s\n%s",
866 _("net sam mapunixgroup <name>\n"));
870 grp = getgrnam(argv[0]);
872 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
876 status = map_unix_group(grp, &map);
878 if (!NT_STATUS_IS_OK(status)) {
879 d_fprintf(stderr, _("Mapping group %s failed with %s\n"),
880 argv[0], nt_errstr(status));
884 d_printf(_("Mapped unix group %s to SID %s\n"), argv[0],
885 sid_string_tos(&map.sid));
891 * Remove a group mapping
894 static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
898 struct dom_sid dom_sid;
900 map.gid = grp->gr_gid;
901 grpname = grp->gr_name;
903 if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
904 NULL, NULL, NULL, NULL)) {
905 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
906 return NT_STATUS_NO_SUCH_GROUP;
909 fstrcpy(map.nt_name, grpname);
911 if (!pdb_gid_to_sid(map.gid, &dom_sid)) {
912 return NT_STATUS_UNSUCCESSFUL;
915 return pdb_delete_group_mapping_entry(dom_sid);
918 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
924 if (argc != 1 || c->display_usage) {
925 d_fprintf(stderr, "%s\n%s",
927 _("net sam unmapunixgroup <name>\n"));
931 grp = getgrnam(argv[0]);
933 d_fprintf(stderr, _("Could not find mapping for group %s.\n"),
938 status = unmap_unix_group(grp, &map);
940 if (!NT_STATUS_IS_OK(status)) {
941 d_fprintf(stderr, _("Unmapping group %s failed with %s.\n"),
942 argv[0], nt_errstr(status));
946 d_printf(_("Unmapped unix group %s.\n"), argv[0]);
952 * Create a domain group
955 static int net_sam_createdomaingroup(struct net_context *c, int argc,
961 if (argc != 1 || c->display_usage) {
962 d_fprintf(stderr, "%s\n%s",
964 _("net sam createdomaingroup <name>\n"));
968 status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
970 if (!NT_STATUS_IS_OK(status)) {
971 d_fprintf(stderr, _("Creating %s failed with %s\n"),
972 argv[0], nt_errstr(status));
976 d_printf(_("Created domain group %s with RID %d\n"), argv[0], rid);
982 * Delete a domain group
985 static int net_sam_deletedomaingroup(struct net_context *c, int argc,
990 enum lsa_SidType type;
991 const char *dom, *name;
994 if (argc != 1 || c->display_usage) {
995 d_fprintf(stderr, "%s\n%s",
997 _("net sam deletelocalgroup <name>\n"));
1001 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1002 &dom, &name, &sid, &type)) {
1003 d_fprintf(stderr, _("Could not find %s.\n"), argv[0]);
1007 if (type != SID_NAME_DOM_GRP) {
1008 d_fprintf(stderr, _("%s is a %s, not a domain group.\n"),
1009 argv[0], sid_type_lookup(type));
1013 sid_peek_rid(&sid, &rid);
1015 status = pdb_delete_dom_group(talloc_tos(), rid);
1017 if (!NT_STATUS_IS_OK(status)) {
1018 d_fprintf(stderr,_("Deleting domain group %s failed with %s\n"),
1019 argv[0], nt_errstr(status));
1023 d_printf(_("Deleted domain group %s.\n"), argv[0]);
1029 * Create a local group
1032 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1037 if (argc != 1 || c->display_usage) {
1038 d_fprintf(stderr, "%s\n%s",
1040 _("net sam createlocalgroup <name>\n"));
1044 if (!winbind_ping()) {
1045 d_fprintf(stderr, _("winbind seems not to run. "
1046 "createlocalgroup only works when winbind runs.\n"));
1050 status = pdb_create_alias(argv[0], &rid);
1052 if (!NT_STATUS_IS_OK(status)) {
1053 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1054 argv[0], nt_errstr(status));
1058 d_printf(_("Created local group %s with RID %d\n"), argv[0], rid);
1064 * Delete a local group
1067 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1070 enum lsa_SidType type;
1071 const char *dom, *name;
1074 if (argc != 1 || c->display_usage) {
1075 d_fprintf(stderr, "%s\n%s",
1077 _("net sam deletelocalgroup <name>\n"));
1081 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1082 &dom, &name, &sid, &type)) {
1083 d_fprintf(stderr,_("Could not find %s.\n"), argv[0]);
1087 if (type != SID_NAME_ALIAS) {
1088 d_fprintf(stderr, _("%s is a %s, not a local group.\n"),argv[0],
1089 sid_type_lookup(type));
1093 status = pdb_delete_alias(&sid);
1095 if (!NT_STATUS_IS_OK(status)) {
1096 d_fprintf(stderr, _("Deleting local group %s failed with %s\n"),
1097 argv[0], nt_errstr(status));
1101 d_printf(_("Deleted local group %s.\n"), argv[0]);
1107 * Create a builtin group
1110 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1114 enum lsa_SidType type;
1118 if (argc != 1 || c->display_usage) {
1119 d_fprintf(stderr, "%s\n%s",
1121 _("net sam createbuiltingroup <name>\n"));
1125 if (!winbind_ping()) {
1126 d_fprintf(stderr, _("winbind seems not to run. "
1127 "createbuiltingroup only works when winbind "
1132 /* validate the name and get the group */
1134 fstrcpy( groupname, "BUILTIN\\" );
1135 fstrcat( groupname, argv[0] );
1137 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1138 NULL, &sid, &type)) {
1139 d_fprintf(stderr, _("%s is not a BUILTIN group\n"), argv[0]);
1143 if ( !sid_peek_rid( &sid, &rid ) ) {
1144 d_fprintf(stderr, _("Failed to get RID for %s\n"), argv[0]);
1148 status = pdb_create_builtin_alias( rid );
1150 if (!NT_STATUS_IS_OK(status)) {
1151 d_fprintf(stderr, _("Creating %s failed with %s\n"),
1152 argv[0], nt_errstr(status));
1156 d_printf(_("Created BUILTIN group %s with RID %d\n"), argv[0], rid);
1162 * Add a group member
1165 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1167 const char *groupdomain, *groupname, *memberdomain, *membername;
1168 struct dom_sid group, member;
1169 enum lsa_SidType grouptype, membertype;
1172 if (argc != 2 || c->display_usage) {
1173 d_fprintf(stderr, "%s\n%s",
1175 _("net sam addmem <group> <member>\n"));
1179 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1180 &groupdomain, &groupname, &group, &grouptype)) {
1181 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1185 /* check to see if the member to be added is a name or a SID */
1187 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1188 &memberdomain, &membername, &member, &membertype))
1190 /* try it as a SID */
1192 if ( !string_to_sid( &member, argv[1] ) ) {
1193 d_fprintf(stderr, _("Could not find member %s\n"),
1198 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1199 &membername, &membertype) )
1201 d_fprintf(stderr, _("Could not resolve SID %s\n"),
1207 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1208 if ((membertype != SID_NAME_USER) &&
1209 (membertype != SID_NAME_DOM_GRP)) {
1210 d_fprintf(stderr, _("%s is a local group, only users "
1211 "and domain groups can be added.\n"
1212 "%s is a %s\n"), argv[0], argv[1],
1213 sid_type_lookup(membertype));
1216 status = pdb_add_aliasmem(&group, &member);
1218 if (!NT_STATUS_IS_OK(status)) {
1219 d_fprintf(stderr, _("Adding local group member failed "
1220 "with %s\n"), nt_errstr(status));
1223 } else if (grouptype == SID_NAME_DOM_GRP) {
1224 uint32_t grouprid, memberrid;
1226 sid_peek_rid(&group, &grouprid);
1227 sid_peek_rid(&member, &memberrid);
1229 status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1230 if (!NT_STATUS_IS_OK(status)) {
1231 d_fprintf(stderr, _("Adding domain group member failed "
1232 "with %s\n"), nt_errstr(status));
1236 d_fprintf(stderr, _("Can only add members to local groups so "
1237 "far, %s is a %s\n"), argv[0],
1238 sid_type_lookup(grouptype));
1242 d_printf(_("Added %s\\%s to %s\\%s\n"), memberdomain, membername,
1243 groupdomain, groupname);
1249 * Delete a group member
1252 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1254 const char *groupdomain, *groupname;
1255 const char *memberdomain = NULL;
1256 const char *membername = NULL;
1257 struct dom_sid group, member;
1258 enum lsa_SidType grouptype;
1261 if (argc != 2 || c->display_usage) {
1262 d_fprintf(stderr,"%s\n%s",
1264 _("net sam delmem <group> <member>\n"));
1268 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1269 &groupdomain, &groupname, &group, &grouptype)) {
1270 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1274 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1275 &memberdomain, &membername, &member, NULL)) {
1276 if (!string_to_sid(&member, argv[1])) {
1277 d_fprintf(stderr, _("Could not find member %s\n"),
1283 if ((grouptype == SID_NAME_ALIAS) ||
1284 (grouptype == SID_NAME_WKN_GRP)) {
1285 status = pdb_del_aliasmem(&group, &member);
1287 if (!NT_STATUS_IS_OK(status)) {
1288 d_fprintf(stderr,_("Deleting local group member failed "
1289 "with %s\n"), nt_errstr(status));
1292 } else if (grouptype == SID_NAME_DOM_GRP) {
1293 uint32_t grouprid, memberrid;
1295 sid_peek_rid(&group, &grouprid);
1296 sid_peek_rid(&member, &memberrid);
1298 status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1299 if (!NT_STATUS_IS_OK(status)) {
1300 d_fprintf(stderr, _("Deleting domain group member "
1301 "failed with %s\n"), nt_errstr(status));
1305 d_fprintf(stderr, _("Can only delete members from local groups "
1306 "so far, %s is a %s\n"), argv[0],
1307 sid_type_lookup(grouptype));
1311 if (membername != NULL) {
1312 d_printf(_("Deleted %s\\%s from %s\\%s\n"),
1313 memberdomain, membername, groupdomain, groupname);
1315 d_printf(_("Deleted %s from %s\\%s\n"),
1316 sid_string_tos(&member), groupdomain, groupname);
1323 * List group members
1326 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1328 const char *groupdomain, *groupname;
1329 struct dom_sid group;
1330 struct dom_sid *members = NULL;
1331 size_t i, num_members = 0;
1332 enum lsa_SidType grouptype;
1335 if (argc != 1 || c->display_usage) {
1336 d_fprintf(stderr, "%s\n%s",
1338 _("net sam listmem <group>\n"));
1342 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1343 &groupdomain, &groupname, &group, &grouptype)) {
1344 d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1348 if ((grouptype == SID_NAME_ALIAS) ||
1349 (grouptype == SID_NAME_WKN_GRP)) {
1350 status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1352 if (!NT_STATUS_IS_OK(status)) {
1353 d_fprintf(stderr, _("Listing group members failed with "
1354 "%s\n"), nt_errstr(status));
1357 } else if (grouptype == SID_NAME_DOM_GRP) {
1360 status = pdb_enum_group_members(talloc_tos(), &group,
1361 &rids, &num_members);
1362 if (!NT_STATUS_IS_OK(status)) {
1363 d_fprintf(stderr, _("Listing group members failed with "
1364 "%s\n"), nt_errstr(status));
1368 members = talloc_array(talloc_tos(), struct dom_sid,
1370 if (members == NULL) {
1375 for (i=0; i<num_members; i++) {
1376 sid_compose(&members[i], get_global_sam_sid(),
1381 d_fprintf(stderr,_("Can only list local group members so far.\n"
1382 "%s is a %s\n"), argv[0], sid_type_lookup(grouptype));
1386 d_printf(_("%s\\%s has %u members\n"), groupdomain, groupname,
1387 (unsigned int)num_members);
1388 for (i=0; i<num_members; i++) {
1389 const char *dom, *name;
1390 if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1391 d_printf(" %s\\%s\n", dom, name);
1393 d_printf(" %s\n", sid_string_tos(&members[i]));
1397 TALLOC_FREE(members);
1405 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1406 struct pdb_search *search, const char *what)
1408 bool verbose = (argc == 1);
1410 if ((argc > 1) || c->display_usage ||
1411 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1412 d_fprintf(stderr, "%s\n", _("Usage:"));
1413 d_fprintf(stderr, _("net sam list %s [verbose]\n"), what);
1417 if (search == NULL) {
1418 d_fprintf(stderr, _("Could not start search\n"));
1423 struct samr_displayentry entry;
1424 if (!search->next_entry(search, &entry)) {
1428 d_printf("%s:%d:%s\n",
1433 d_printf("%s\n", entry.account_name);
1437 TALLOC_FREE(search);
1441 static int net_sam_list_users(struct net_context *c, int argc,
1444 return net_sam_do_list(c, argc, argv,
1445 pdb_search_users(talloc_tos(), ACB_NORMAL),
1449 static int net_sam_list_groups(struct net_context *c, int argc,
1452 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1456 static int net_sam_list_localgroups(struct net_context *c, int argc,
1459 return net_sam_do_list(c, argc, argv,
1460 pdb_search_aliases(talloc_tos(),
1461 get_global_sam_sid()),
1465 static int net_sam_list_builtin(struct net_context *c, int argc,
1468 return net_sam_do_list(c, argc, argv,
1469 pdb_search_aliases(talloc_tos(),
1470 &global_sid_Builtin),
1474 static int net_sam_list_workstations(struct net_context *c, int argc,
1477 return net_sam_do_list(c, argc, argv,
1478 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1486 static int net_sam_list(struct net_context *c, int argc, const char **argv)
1488 struct functable func[] = {
1492 NET_TRANSPORT_LOCAL,
1493 N_("List SAM users"),
1494 N_("net sam list users\n"
1499 net_sam_list_groups,
1500 NET_TRANSPORT_LOCAL,
1501 N_("List SAM groups"),
1502 N_("net sam list groups\n"
1507 net_sam_list_localgroups,
1508 NET_TRANSPORT_LOCAL,
1509 N_("List SAM local groups"),
1510 N_("net sam list localgroups\n"
1511 " List SAM local groups")
1515 net_sam_list_builtin,
1516 NET_TRANSPORT_LOCAL,
1517 N_("List builtin groups"),
1518 N_("net sam list builtin\n"
1519 " List builtin groups")
1523 net_sam_list_workstations,
1524 NET_TRANSPORT_LOCAL,
1525 N_("List domain member workstations"),
1526 N_("net sam list workstations\n"
1527 " List domain member workstations")
1529 {NULL, NULL, 0, NULL, NULL}
1532 return net_run_function(c, argc, argv, "net sam list", func);
1536 * Show details of SAM entries
1539 static int net_sam_show(struct net_context *c, int argc, const char **argv)
1542 enum lsa_SidType type;
1543 const char *dom, *name;
1545 if (argc != 1 || c->display_usage) {
1546 d_fprintf(stderr, "%s\n%s",
1548 _("net sam show <name>\n"));
1552 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1553 &dom, &name, &sid, &type)) {
1554 d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
1558 d_printf(_("%s\\%s is a %s with SID %s\n"), dom, name,
1559 sid_type_lookup(type), sid_string_tos(&sid));
1567 * Init an LDAP tree with default users and Groups
1568 * if ldapsam:editposix is enabled
1571 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1575 char *ldap_uri = NULL;
1577 struct smbldap_state *ls;
1579 struct dom_sid gsid;
1580 gid_t domusers_gid = -1;
1581 gid_t domadmins_gid = -1;
1582 struct samu *samuser;
1585 if (c->display_usage) {
1587 "net sam provision\n"
1590 _("Init an LDAP tree with default users/groups"));
1594 tc = talloc_new(NULL);
1596 d_fprintf(stderr, _("Out of Memory!\n"));
1600 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1601 d_fprintf(stderr, _("talloc failed\n"));
1605 p = strchr(ldap_bk, ':');
1608 ldap_uri = talloc_strdup(tc, p+1);
1609 trim_char(ldap_uri, ' ', ' ');
1612 trim_char(ldap_bk, ' ', ' ');
1614 if (strcmp(ldap_bk, "ldapsam") != 0) {
1616 _("Provisioning works only with ldapsam backend\n"));
1620 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1621 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1623 d_fprintf(stderr, _("Provisioning works only if ldapsam:trusted"
1624 " and ldapsam:editposix are enabled.\n"));
1628 if (!winbind_ping()) {
1629 d_fprintf(stderr, _("winbind seems not to run. Provisioning "
1630 "LDAP only works when winbind runs.\n"));
1634 if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
1635 d_fprintf(stderr, _("Unable to connect to the LDAP server.\n"));
1639 d_printf(_("Checking for Domain Users group.\n"));
1641 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
1643 if (!pdb_getgrsid(&gmap, gsid)) {
1644 LDAPMod **mods = NULL;
1652 d_printf(_("Adding the Domain Users group.\n"));
1654 /* lets allocate a new groupid for this group */
1655 if (!winbind_allocate_gid(&domusers_gid)) {
1656 d_fprintf(stderr, _("Unable to allocate a new gid to "
1657 "create Domain Users group!\n"));
1661 uname = talloc_strdup(tc, "domusers");
1662 wname = talloc_strdup(tc, "Domain Users");
1663 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
1664 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1665 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1667 if (!uname || !wname || !dn || !gidstr || !gtype) {
1668 d_fprintf(stderr, "Out of Memory!\n");
1672 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1673 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1674 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1675 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1676 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1677 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1678 sid_string_talloc(tc, &gsid));
1679 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1681 talloc_autofree_ldapmod(tc, mods);
1683 rc = smbldap_add(ls, dn, mods);
1685 if (rc != LDAP_SUCCESS) {
1686 d_fprintf(stderr, _("Failed to add Domain Users group "
1687 "to ldap directory\n"));
1690 domusers_gid = gmap.gid;
1691 d_printf(_("found!\n"));
1696 d_printf(_("Checking for Domain Admins group.\n"));
1698 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
1700 if (!pdb_getgrsid(&gmap, gsid)) {
1701 LDAPMod **mods = NULL;
1709 d_printf(_("Adding the Domain Admins group.\n"));
1711 /* lets allocate a new groupid for this group */
1712 if (!winbind_allocate_gid(&domadmins_gid)) {
1713 d_fprintf(stderr, _("Unable to allocate a new gid to "
1714 "create Domain Admins group!\n"));
1718 uname = talloc_strdup(tc, "domadmins");
1719 wname = talloc_strdup(tc, "Domain Admins");
1720 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
1721 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1722 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1724 if (!uname || !wname || !dn || !gidstr || !gtype) {
1725 d_fprintf(stderr, _("Out of Memory!\n"));
1729 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1730 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1731 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1732 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1733 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1734 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1735 sid_string_talloc(tc, &gsid));
1736 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1738 talloc_autofree_ldapmod(tc, mods);
1740 rc = smbldap_add(ls, dn, mods);
1742 if (rc != LDAP_SUCCESS) {
1743 d_fprintf(stderr, _("Failed to add Domain Admins group "
1744 "to ldap directory\n"));
1747 domadmins_gid = gmap.gid;
1748 d_printf(_("found!\n"));
1753 d_printf(_("Check for Administrator account.\n"));
1755 samuser = samu_new(tc);
1757 d_fprintf(stderr, _("Out of Memory!\n"));
1761 if (!pdb_getsampwnam(samuser, "Administrator")) {
1762 LDAPMod **mods = NULL;
1773 d_printf(_("Adding the Administrator user.\n"));
1775 if (domadmins_gid == -1) {
1777 _("Can't create Administrator user, Domain "
1778 "Admins group not available!\n"));
1781 name = talloc_strdup(tc, "Administrator");
1782 dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
1783 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1784 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1785 dir = talloc_sub_specified(tc, lp_template_homedir(),
1787 get_global_sam_name(),
1788 uid, domadmins_gid);
1789 shell = talloc_sub_specified(tc, lp_template_shell(),
1791 get_global_sam_name(),
1792 uid, domadmins_gid);
1794 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1795 d_fprintf(stderr, _("Out of Memory!\n"));
1799 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
1801 if (!winbind_allocate_uid(&uid)) {
1803 _("Unable to allocate a new uid to create "
1804 "the Administrator user!\n"));
1808 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1809 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1810 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1811 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1812 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1813 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1814 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1815 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1816 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1817 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1818 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1819 sid_string_talloc(tc, &sid));
1820 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1821 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1822 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1824 talloc_autofree_ldapmod(tc, mods);
1826 rc = smbldap_add(ls, dn, mods);
1828 if (rc != LDAP_SUCCESS) {
1829 d_fprintf(stderr, _("Failed to add Administrator user "
1830 "to ldap directory\n"));
1833 d_printf(_("found!\n"));
1836 d_printf(_("Checking for Guest user.\n"));
1838 samuser = samu_new(tc);
1840 d_fprintf(stderr, _("Out of Memory!\n"));
1844 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1845 LDAPMod **mods = NULL;
1852 d_printf(_("Adding the Guest user.\n"));
1854 sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
1856 pwd = getpwnam_alloc(tc, lp_guestaccount());
1859 if (domusers_gid == -1) {
1861 _("Can't create Guest user, Domain "
1862 "Users group not available!\n"));
1865 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1866 d_fprintf(stderr, _("talloc failed\n"));
1869 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1870 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1872 _("Unable to allocate a new uid to "
1873 "create the Guest user!\n"));
1876 pwd->pw_gid = domusers_gid;
1877 pwd->pw_dir = talloc_strdup(tc, "/");
1878 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1879 if (!pwd->pw_dir || !pwd->pw_shell) {
1880 d_fprintf(stderr, _("Out of Memory!\n"));
1885 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
1886 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
1887 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1888 if (!dn || !uidstr || !gidstr) {
1889 d_fprintf(stderr, _("Out of Memory!\n"));
1893 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1894 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1895 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1896 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
1897 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
1898 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
1899 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1900 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1901 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
1902 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
1904 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
1905 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
1907 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1908 sid_string_talloc(tc, &sid));
1909 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1910 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1911 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1913 talloc_autofree_ldapmod(tc, mods);
1915 rc = smbldap_add(ls, dn, mods);
1917 if (rc != LDAP_SUCCESS) {
1918 d_fprintf(stderr, _("Failed to add Guest user to "
1919 "ldap directory\n"));
1922 d_printf(_("found!\n"));
1925 d_printf(_("Checking Guest's group.\n"));
1927 pwd = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
1930 _("Failed to find just created Guest account!\n"
1931 " Is nss properly configured?!\n"));
1935 if (pwd->pw_gid == domusers_gid) {
1936 d_printf(_("found!\n"));
1940 if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
1941 LDAPMod **mods = NULL;
1949 d_printf(_("Adding the Domain Guests group.\n"));
1951 uname = talloc_strdup(tc, "domguests");
1952 wname = talloc_strdup(tc, "Domain Guests");
1953 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
1954 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1955 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1957 if (!uname || !wname || !dn || !gidstr || !gtype) {
1958 d_fprintf(stderr, _("Out of Memory!\n"));
1962 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
1964 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1965 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1966 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1967 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1968 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1969 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1970 sid_string_talloc(tc, &gsid));
1971 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1973 talloc_autofree_ldapmod(tc, mods);
1975 rc = smbldap_add(ls, dn, mods);
1977 if (rc != LDAP_SUCCESS) {
1979 _("Failed to add Domain Guests group to ldap "
1983 d_printf(_("found!\n"));
1998 /***********************************************************
1999 migrated functionality from smbgroupedit
2000 **********************************************************/
2001 int net_sam(struct net_context *c, int argc, const char **argv)
2003 struct functable func[] = {
2005 "createbuiltingroup",
2006 net_sam_createbuiltingroup,
2007 NET_TRANSPORT_LOCAL,
2008 N_("Create a new BUILTIN group"),
2009 N_("net sam createbuiltingroup\n"
2010 " Create a new BUILTIN group")
2014 net_sam_createlocalgroup,
2015 NET_TRANSPORT_LOCAL,
2016 N_("Create a new local group"),
2017 N_("net sam createlocalgroup\n"
2018 " Create a new local group")
2021 "createdomaingroup",
2022 net_sam_createdomaingroup,
2023 NET_TRANSPORT_LOCAL,
2024 N_("Create a new group"),
2025 N_("net sam createdomaingroup\n"
2026 " Create a new group")
2030 net_sam_deletelocalgroup,
2031 NET_TRANSPORT_LOCAL,
2032 N_("Delete an existing local group"),
2033 N_("net sam deletelocalgroup\n"
2034 " Delete an existing local group")
2037 "deletedomaingroup",
2038 net_sam_deletedomaingroup,
2039 NET_TRANSPORT_LOCAL,
2040 N_("Delete a domain group"),
2041 N_("net sam deletedomaingroup\n"
2046 net_sam_mapunixgroup,
2047 NET_TRANSPORT_LOCAL,
2048 N_("Map a unix group to a domain group"),
2049 N_("net sam mapunixgroup\n"
2050 " Map a unix group to a domain group")
2054 net_sam_unmapunixgroup,
2055 NET_TRANSPORT_LOCAL,
2056 N_("Remove a group mapping of an unix group to a "
2058 N_("net sam unmapunixgroup\n"
2059 " Remove a group mapping of an unix group to a "
2065 NET_TRANSPORT_LOCAL,
2066 N_("Add a member to a group"),
2067 N_("net sam addmem\n"
2068 " Add a member to a group")
2073 NET_TRANSPORT_LOCAL,
2074 N_("Delete a member from a group"),
2075 N_("net sam delmem\n"
2076 " Delete a member from a group")
2081 NET_TRANSPORT_LOCAL,
2082 N_("List group members"),
2083 N_("net sam listmem\n"
2084 " List group members")
2089 NET_TRANSPORT_LOCAL,
2090 N_("List users, groups and local groups"),
2092 " List users, groups and local groups")
2097 NET_TRANSPORT_LOCAL,
2098 N_("Show details of a SAM entry"),
2100 " Show details of a SAM entry")
2105 NET_TRANSPORT_LOCAL,
2106 N_("Set details of a SAM account"),
2108 " Set details of a SAM account")
2113 NET_TRANSPORT_LOCAL,
2114 N_("Set account policies"),
2115 N_("net sam policy\n"
2116 " Set account policies")
2121 NET_TRANSPORT_LOCAL,
2122 N_("Manipulate user privileges"),
2123 N_("net sam rights\n"
2124 " Manipulate user privileges")
2130 NET_TRANSPORT_LOCAL,
2131 N_("Provision a clean user database"),
2132 N_("net sam privison\n"
2133 " Provision a clear user database")
2136 {NULL, NULL, 0, NULL, NULL}
2139 if (getuid() != 0) {
2140 d_fprintf(stderr, _("You are not root, most things won't "
2144 return net_run_function(c, argc, argv, "net sam", func);