search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Clean up connection tracking functions
[samba4-gss.git] / source3 / utils / net_ads.c
bloba7a9550935473dda6fa8b3118e96097e6172900a
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "utils/net.h"
25 #include "libsmb/namequery.h"
26 #include "rpc_client/cli_pipe.h"
27 #include "librpc/gen_ndr/ndr_krb5pac.h"
28 #include "../librpc/gen_ndr/ndr_spoolss.h"
29 #include "nsswitch/libwbclient/wbclient.h"
30 #include "ads.h"
31 #include "libads/cldap.h"
32 #include "../lib/addns/dnsquery.h"
33 #include "../libds/common/flags.h"
34 #include "librpc/gen_ndr/libnet_join.h"
35 #include "libnet/libnet_join.h"
36 #include "smb_krb5.h"
37 #include "secrets.h"
38 #include "../libcli/security/security.h"
39 #include "libsmb/libsmb.h"
40 #include "lib/param/loadparm.h"
41 #include "utils/net_dns.h"
42 #include "auth/kerberos/pac_utils.h"
43 #include "lib/util/string_wrappers.h"
44 #include "lib/util/util_file.h"
45
46 #ifdef HAVE_JANSSON
47 #include <jansson.h>
48 #include "audit_logging.h" /* various JSON helpers */
49 #include "auth/common_auth.h"
50 #endif /* [HAVE_JANSSON] */
51
52 #ifdef HAVE_ADS
53
54 /* when we do not have sufficient input parameters to contact a remote domain
55 * we always fall back to our own realm - Guenther*/
56
57 static const char *assume_own_realm(struct net_context *c)
58 {
59 if (!c->opt_host && strequal(lp_workgroup(), c->opt_target_workgroup)) {
60 return lp_realm();
61 }
62
63 return NULL;
64 }
65
66 #ifdef HAVE_JANSSON
67
68 /*
69 * note: JSON output deliberately bypasses gettext so as to provide the same
70 * output irrespective of the locale.
71 */
72
73 static int output_json(const struct json_object *jsobj)
74 {
75 TALLOC_CTX *ctx = NULL;
76 char *json = NULL;
77
78 if (json_is_invalid(jsobj)) {
79 return -1;
80 }
81
82 ctx = talloc_new(NULL);
83 if (ctx == NULL) {
84 d_fprintf(stderr, _("Out of memory\n"));
85 return -1;
86 }
87
88 json = json_to_string(ctx, jsobj);
89 if (!json) {
90 d_fprintf(stderr, _("error encoding to JSON\n"));
91 return -1;
92 }
93
94 d_printf("%s\n", json);
95 TALLOC_FREE(ctx);
96
97 return 0;
98 }
99
100 static int net_ads_cldap_netlogon_json
101 (ADS_STRUCT *ads,
102 const char *addr,
103 const struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply)
104 {
105 struct json_object jsobj = json_new_object();
106 struct json_object flagsobj = json_new_object();
107 char response_type [32] = { '\0' };
108 int ret = 0;
109
110 if (json_is_invalid(&jsobj) || json_is_invalid(&flagsobj)) {
111 d_fprintf(stderr, _("error setting up JSON value\n"));
112
113 goto failure;
114 }
115
116 switch (reply->command) {
117 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
118 strncpy(response_type,
119 "LOGON_SAM_LOGON_USER_UNKNOWN_EX",
120 sizeof(response_type));
121 break;
122 case LOGON_SAM_LOGON_RESPONSE_EX:
123 strncpy(response_type,
124 "LOGON_SAM_LOGON_RESPONSE_EX",
125 sizeof(response_type));
126 break;
127 default:
128 snprintf(response_type,
129 sizeof(response_type),
130 "0x%x",
131 reply->command);
132 break;
133 }
134
135 ret = json_add_string(&jsobj, "Information for Domain Controller",
136 addr);
137 if (ret != 0) {
138 goto failure;
139 }
140
141 ret = json_add_string(&jsobj, "Response Type", response_type);
142 if (ret != 0) {
143 goto failure;
144 }
145
146 ret = json_add_guid(&jsobj, "GUID", &reply->domain_uuid);
147 if (ret != 0) {
148 goto failure;
149 }
150
151 ret = json_add_bool(&flagsobj, "Is a PDC",
152 reply->server_type & NBT_SERVER_PDC);
153 if (ret != 0) {
154 goto failure;
155 }
156
157 ret = json_add_bool(&flagsobj, "Is a GC of the forest",
158 reply->server_type & NBT_SERVER_GC);
159 if (ret != 0) {
160 goto failure;
161 }
162
163 ret = json_add_bool(&flagsobj, "Is an LDAP server",
164 reply->server_type & NBT_SERVER_LDAP);
165 if (ret != 0) {
166 goto failure;
167 }
168
169 ret = json_add_bool(&flagsobj, "Supports DS",
170 reply->server_type & NBT_SERVER_DS);
171 if (ret != 0) {
172 goto failure;
173 }
174
175 ret = json_add_bool(&flagsobj, "Is running a KDC",
176 reply->server_type & NBT_SERVER_KDC);
177 if (ret != 0) {
178 goto failure;
179 }
180
181 ret = json_add_bool(&flagsobj, "Is running time services",
182 reply->server_type & NBT_SERVER_TIMESERV);
183 if (ret != 0) {
184 goto failure;
185 }
186
187 ret = json_add_bool(&flagsobj, "Is the closest DC",
188 reply->server_type & NBT_SERVER_CLOSEST);
189 if (ret != 0) {
190 goto failure;
191 }
192
193 ret = json_add_bool(&flagsobj, "Is writable",
194 reply->server_type & NBT_SERVER_WRITABLE);
195 if (ret != 0) {
196 goto failure;
197 }
198
199 ret = json_add_bool(&flagsobj, "Has a hardware clock",
200 reply->server_type & NBT_SERVER_GOOD_TIMESERV);
201 if (ret != 0) {
202 goto failure;
203 }
204
205 ret = json_add_bool(&flagsobj,
206 "Is a non-domain NC serviced by LDAP server",
207 reply->server_type & NBT_SERVER_NDNC);
208 if (ret != 0) {
209 goto failure;
210 }
211
212 ret = json_add_bool
213 (&flagsobj, "Is NT6 DC that has some secrets",
214 reply->server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6);
215 if (ret != 0) {
216 goto failure;
217 }
218
219 ret = json_add_bool
220 (&flagsobj, "Is NT6 DC that has all secrets",
221 reply->server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6);
222 if (ret != 0) {
223 goto failure;
224 }
225
226 ret = json_add_bool(&flagsobj, "Runs Active Directory Web Services",
227 reply->server_type & NBT_SERVER_ADS_WEB_SERVICE);
228 if (ret != 0) {
229 goto failure;
230 }
231
232 ret = json_add_bool(&flagsobj, "Runs on Windows 2012 or later",
233 reply->server_type & NBT_SERVER_DS_8);
234 if (ret != 0) {
235 goto failure;
236 }
237
238 ret = json_add_bool(&flagsobj, "Runs on Windows 2012R2 or later",
239 reply->server_type & NBT_SERVER_DS_9);
240 if (ret != 0) {
241 goto failure;
242 }
243
244 ret = json_add_bool(&flagsobj, "Runs on Windows 2016 or later",
245 reply->server_type & NBT_SERVER_DS_10);
246 if (ret != 0) {
247 goto failure;
248 }
249
250 ret = json_add_bool(&flagsobj, "Has a DNS name",
251 reply->server_type & NBT_SERVER_HAS_DNS_NAME);
252 if (ret != 0) {
253 goto failure;
254 }
255
256 ret = json_add_bool(&flagsobj, "Is a default NC",
257 reply->server_type & NBT_SERVER_IS_DEFAULT_NC);
258 if (ret != 0) {
259 goto failure;
260 }
261
262 ret = json_add_bool(&flagsobj, "Is the forest root",
263 reply->server_type & NBT_SERVER_FOREST_ROOT);
264 if (ret != 0) {
265 goto failure;
266 }
267
268 ret = json_add_string(&jsobj, "Forest", reply->forest);
269 if (ret != 0) {
270 goto failure;
271 }
272
273 ret = json_add_string(&jsobj, "Domain", reply->dns_domain);
274 if (ret != 0) {
275 goto failure;
276 }
277
278 ret = json_add_string(&jsobj, "Domain Controller", reply->pdc_dns_name);
279 if (ret != 0) {
280 goto failure;
281 }
282
283
284 ret = json_add_string(&jsobj, "Pre-Win2k Domain", reply->domain_name);
285 if (ret != 0) {
286 goto failure;
287 }
288
289 ret = json_add_string(&jsobj, "Pre-Win2k Hostname", reply->pdc_name);
290 if (ret != 0) {
291 goto failure;
292 }
293
294 if (*reply->user_name) {
295 ret = json_add_string(&jsobj, "User name", reply->user_name);
296 if (ret != 0) {
297 goto failure;
298 }
299 }
300
301 ret = json_add_string(&jsobj, "Server Site Name", reply->server_site);
302 if (ret != 0) {
303 goto failure;
304 }
305
306 ret = json_add_string(&jsobj, "Client Site Name", reply->client_site);
307 if (ret != 0) {
308 goto failure;
309 }
310
311 ret = json_add_int(&jsobj, "NT Version", reply->nt_version);
312 if (ret != 0) {
313 goto failure;
314 }
315
316 ret = json_add_int(&jsobj, "LMNT Token", reply->lmnt_token);
317 if (ret != 0) {
318 goto failure;
319 }
320
321 ret = json_add_int(&jsobj, "LM20 Token", reply->lm20_token);
322 if (ret != 0) {
323 goto failure;
324 }
325
326 ret = json_add_object(&jsobj, "Flags", &flagsobj);
327 if (ret != 0) {
328 goto failure;
329 }
330
331 ret = output_json(&jsobj);
332 json_free(&jsobj); /* frees flagsobj recursively */
333
334 return ret;
335
336 failure:
337 json_free(&flagsobj);
338 json_free(&jsobj);
339
340 return ret;
341 }
342
343 #else /* [HAVE_JANSSON] */
344
345 static int net_ads_cldap_netlogon_json
346 (ADS_STRUCT *ads,
347 const char *addr,
348 const struct NETLOGON_SAM_LOGON_RESPONSE_EX * reply)
349 {
350 d_fprintf(stderr, _("JSON support not available\n"));
351
352 return -1;
353 }
354
355 #endif /* [HAVE_JANSSON] */
356
357 /*
358 do a cldap netlogon query
359 */
360 static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
361 {
362 char addr[INET6_ADDRSTRLEN];
363 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
364
365 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
366
367 if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
368 d_fprintf(stderr, _("CLDAP query failed!\n"));
369 return -1;
370 }
371
372 if (c->opt_json) {
373 return net_ads_cldap_netlogon_json(ads, addr, &reply);
374 }
375
376 d_printf(_("Information for Domain Controller: %s\n\n"),
377 addr);
378
379 d_printf(_("Response Type: "));
380 switch (reply.command) {
381 case LOGON_SAM_LOGON_USER_UNKNOWN_EX:
382 d_printf("LOGON_SAM_LOGON_USER_UNKNOWN_EX\n");
383 break;
384 case LOGON_SAM_LOGON_RESPONSE_EX:
385 d_printf("LOGON_SAM_LOGON_RESPONSE_EX\n");
386 break;
387 default:
388 d_printf("0x%x\n", reply.command);
389 break;
390 }
391
392 d_printf(_("GUID: %s\n"), GUID_string(talloc_tos(),&reply.domain_uuid));
393
394 d_printf(_("Flags:\n"
395 "\tIs a PDC: %s\n"
396 "\tIs a GC of the forest: %s\n"
397 "\tIs an LDAP server: %s\n"
398 "\tSupports DS: %s\n"
399 "\tIs running a KDC: %s\n"
400 "\tIs running time services: %s\n"
401 "\tIs the closest DC: %s\n"
402 "\tIs writable: %s\n"
403 "\tHas a hardware clock: %s\n"
404 "\tIs a non-domain NC serviced by LDAP server: %s\n"
405 "\tIs NT6 DC that has some secrets: %s\n"
406 "\tIs NT6 DC that has all secrets: %s\n"
407 "\tRuns Active Directory Web Services: %s\n"
408 "\tRuns on Windows 2012 or later: %s\n"
409 "\tRuns on Windows 2012R2 or later: %s\n"
410 "\tRuns on Windows 2016 or later: %s\n"
411 "\tHas a DNS name: %s\n"
412 "\tIs a default NC: %s\n"
413 "\tIs the forest root: %s\n"),
414 (reply.server_type & NBT_SERVER_PDC) ? _("yes") : _("no"),
415 (reply.server_type & NBT_SERVER_GC) ? _("yes") : _("no"),
416 (reply.server_type & NBT_SERVER_LDAP) ? _("yes") : _("no"),
417 (reply.server_type & NBT_SERVER_DS) ? _("yes") : _("no"),
418 (reply.server_type & NBT_SERVER_KDC) ? _("yes") : _("no"),
419 (reply.server_type & NBT_SERVER_TIMESERV) ? _("yes") : _("no"),
420 (reply.server_type & NBT_SERVER_CLOSEST) ? _("yes") : _("no"),
421 (reply.server_type & NBT_SERVER_WRITABLE) ? _("yes") : _("no"),
422 (reply.server_type & NBT_SERVER_GOOD_TIMESERV) ? _("yes") : _("no"),
423 (reply.server_type & NBT_SERVER_NDNC) ? _("yes") : _("no"),
424 (reply.server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) ? _("yes") : _("no"),
425 (reply.server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) ? _("yes") : _("no"),
426 (reply.server_type & NBT_SERVER_ADS_WEB_SERVICE) ? _("yes") : _("no"),
427 (reply.server_type & NBT_SERVER_DS_8) ? _("yes") : _("no"),
428 (reply.server_type & NBT_SERVER_DS_9) ? _("yes") : _("no"),
429 (reply.server_type & NBT_SERVER_DS_10) ? _("yes") : _("no"),
430 (reply.server_type & NBT_SERVER_HAS_DNS_NAME) ? _("yes") : _("no"),
431 (reply.server_type & NBT_SERVER_IS_DEFAULT_NC) ? _("yes") : _("no"),
432 (reply.server_type & NBT_SERVER_FOREST_ROOT) ? _("yes") : _("no"));
433
434
435 printf(_("Forest: %s\n"), reply.forest);
436 printf(_("Domain: %s\n"), reply.dns_domain);
437 printf(_("Domain Controller: %s\n"), reply.pdc_dns_name);
438
439 printf(_("Pre-Win2k Domain: %s\n"), reply.domain_name);
440 printf(_("Pre-Win2k Hostname: %s\n"), reply.pdc_name);
441
442 if (*reply.user_name) printf(_("User name: %s\n"), reply.user_name);
443
444 printf(_("Server Site Name: %s\n"), reply.server_site);
445 printf(_("Client Site Name: %s\n"), reply.client_site);
446
447 d_printf(_("NT Version: %d\n"), reply.nt_version);
448 d_printf(_("LMNT Token: %.2x\n"), reply.lmnt_token);
449 d_printf(_("LM20 Token: %.2x\n"), reply.lm20_token);
450
451 return 0;
452 }
453
454 /*
455 this implements the CLDAP based netlogon lookup requests
456 for finding the domain controller of a ADS domain
457 */
458 static int net_ads_lookup(struct net_context *c, int argc, const char **argv)
459 {
460 TALLOC_CTX *tmp_ctx = talloc_stackframe();
461 ADS_STRUCT *ads = NULL;
462 ADS_STATUS status;
463 int ret = -1;
464
465 if (c->display_usage) {
466 d_printf("%s\n"
467 "net ads lookup\n"
468 " %s",
469 _("Usage:"),
470 _("Find the ADS DC using CLDAP lookup.\n"));
471 TALLOC_FREE(tmp_ctx);
472 return -1;
473 }
474
475 status = ads_startup_nobind(c, false, tmp_ctx, &ads);
476 if (!ADS_ERR_OK(status)) {
477 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
478 goto out;
479 }
480
481 if (!ads->config.realm) {
482 ads->config.realm = talloc_strdup(ads, c->opt_target_workgroup);
483 if (ads->config.realm == NULL) {
484 d_fprintf(stderr, _("Out of memory\n"));
485 goto out;
486 }
487 ads->ldap.port = 389;
488 }
489
490 ret = net_ads_cldap_netlogon(c, ads);
491 out:
492 TALLOC_FREE(tmp_ctx);
493 return ret;
494 }
495
496
497 #ifdef HAVE_JANSSON
498
499 static int net_ads_info_json(ADS_STRUCT *ads)
500 {
501 int ret = 0;
502 char addr[INET6_ADDRSTRLEN];
503 time_t pass_time;
504 struct json_object jsobj = json_new_object();
505
506 if (json_is_invalid(&jsobj)) {
507 d_fprintf(stderr, _("error setting up JSON value\n"));
508
509 goto failure;
510 }
511
512 pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
513
514 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
515
516 ret = json_add_string (&jsobj, "LDAP server", addr);
517 if (ret != 0) {
518 goto failure;
519 }
520
521 ret = json_add_string (&jsobj, "LDAP server name",
522 ads->config.ldap_server_name);
523 if (ret != 0) {
524 goto failure;
525 }
526
527 ret = json_add_string (&jsobj, "Workgroup", ads->config.workgroup);
528 if (ret != 0) {
529 goto failure;
530 }
531
532 ret = json_add_string (&jsobj, "Realm", ads->config.realm);
533 if (ret != 0) {
534 goto failure;
535 }
536
537 ret = json_add_string (&jsobj, "Bind Path", ads->config.bind_path);
538 if (ret != 0) {
539 goto failure;
540 }
541
542 ret = json_add_int (&jsobj, "LDAP port", ads->ldap.port);
543 if (ret != 0) {
544 goto failure;
545 }
546
547 ret = json_add_int (&jsobj, "Server time", ads->config.current_time);
548 if (ret != 0) {
549 goto failure;
550 }
551
552 ret = json_add_string (&jsobj, "KDC server", ads->auth.kdc_server);
553 if (ret != 0) {
554 goto failure;
555 }
556
557 ret = json_add_int (&jsobj, "Server time offset",
558 ads->config.time_offset);
559 if (ret != 0) {
560 goto failure;
561 }
562
563 ret = json_add_int (&jsobj, "Last machine account password change",
564 pass_time);
565 if (ret != 0) {
566 goto failure;
567 }
568
569 ret = output_json(&jsobj);
570 failure:
571 json_free(&jsobj);
572
573 return ret;
574 }
575
576 #else /* [HAVE_JANSSON] */
577
578 static int net_ads_info_json(ADS_STRUCT *ads)
579 {
580 d_fprintf(stderr, _("JSON support not available\n"));
581
582 return -1;
583 }
584
585 #endif /* [HAVE_JANSSON] */
586
587
588
589 static int net_ads_info(struct net_context *c, int argc, const char **argv)
590 {
591 TALLOC_CTX *tmp_ctx = talloc_stackframe();
592 ADS_STRUCT *ads = NULL;
593 ADS_STATUS status;
594 char addr[INET6_ADDRSTRLEN];
595 time_t pass_time;
596 int ret = -1;
597
598 if (c->display_usage) {
599 d_printf("%s\n"
600 "net ads info\n"
601 " %s",
602 _("Usage:"),
603 _("Display information about an Active Directory "
604 "server.\n"));
605 TALLOC_FREE(tmp_ctx);
606 return -1;
607 }
608
609 status = ads_startup_nobind(c, false, tmp_ctx, &ads);
610 if (!ADS_ERR_OK(status)) {
611 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
612 goto out;
613 }
614
615 if (!ads || !ads->config.realm) {
616 d_fprintf(stderr, _("Didn't find the ldap server!\n"));
617 goto out;
618 }
619
620 /* Try to set the server's current time since we didn't do a full
621 TCP LDAP session initially */
622
623 if ( !ADS_ERR_OK(ads_current_time( ads )) ) {
624 d_fprintf( stderr, _("Failed to get server's current time!\n"));
625 }
626
627 if (c->opt_json) {
628 ret = net_ads_info_json(ads);
629 goto out;
630 }
631
632 pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
633
634 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
635
636 d_printf(_("LDAP server: %s\n"), addr);
637 d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
638 d_printf(_("Workgroup: %s\n"), ads->config.workgroup);
639 d_printf(_("Realm: %s\n"), ads->config.realm);
640 d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
641 d_printf(_("LDAP port: %d\n"), ads->ldap.port);
642 d_printf(_("Server time: %s\n"),
643 http_timestring(tmp_ctx, ads->config.current_time));
644
645 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
646 d_printf(_("Server time offset: %d\n"), ads->config.time_offset );
647
648 d_printf(_("Last machine account password change: %s\n"),
649 http_timestring(tmp_ctx, pass_time));
650
651 ret = 0;
652 out:
653 TALLOC_FREE(tmp_ctx);
654 return ret;
655 }
656
657 static ADS_STATUS ads_startup_int(struct net_context *c,
658 bool only_own_domain,
659 uint32_t auth_flags,
660 TALLOC_CTX *mem_ctx,
661 ADS_STRUCT **ads_ret)
662 {
663 ADS_STRUCT *ads = NULL;
664 ADS_STATUS status;
665 const char *realm = NULL;
666 const char *workgroup = NULL;
667 bool tried_closest_dc = false;
668
669 /* lp_realm() should be handled by a command line param,
670 However, the join requires that realm be set in smb.conf
671 and compares our realm with the remote server's so this is
672 ok until someone needs more flexibility */
673
674 *ads_ret = NULL;
675
676 retry_connect:
677 if (only_own_domain) {
678 realm = lp_realm();
679 workgroup = lp_workgroup();
680 } else {
681 realm = assume_own_realm(c);
682 workgroup = c->opt_target_workgroup;
683 }
684
685 ads = ads_init(mem_ctx,
686 realm,
687 workgroup,
688 c->opt_host,
689 ADS_SASL_SEAL);
690 if (ads == NULL) {
691 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
692 }
693
694 ads->auth.flags |= auth_flags;
695
696 if (auth_flags & ADS_AUTH_NO_BIND) {
697 status = ads_connect_cldap_only(ads);
698 if (!ADS_ERR_OK(status)) {
699 DBG_ERR("ads_connect_cldap_only: %s\n",
700 ads_errstr(status));
701 TALLOC_FREE(ads);
702 return status;
703 }
704 } else {
705 status = ads_connect_creds(ads, c->creds);
706 if (!ADS_ERR_OK(status)) {
707 DBG_ERR("ads_connect_creds: %s\n",
708 ads_errstr(status));
709 TALLOC_FREE(ads);
710 return status;
711 }
712 }
713
714 /* when contacting our own domain, make sure we use the closest DC.
715 * This is done by reconnecting to ADS because only the first call to
716 * ads_connect will give us our own sitename */
717
718 if ((only_own_domain || !c->opt_host) && !tried_closest_dc) {
719
720 tried_closest_dc = true; /* avoid loop */
721
722 if (!ads_closest_dc(ads)) {
723
724 namecache_delete(ads->server.realm, 0x1C);
725 namecache_delete(ads->server.workgroup, 0x1C);
726
727 TALLOC_FREE(ads);
728
729 goto retry_connect;
730 }
731 }
732
733 *ads_ret = talloc_move(mem_ctx, &ads);
734 return status;
735 }
736
737 ADS_STATUS ads_startup(struct net_context *c,
738 bool only_own_domain,
739 TALLOC_CTX *mem_ctx,
740 ADS_STRUCT **ads)
741 {
742 return ads_startup_int(c, only_own_domain, 0, mem_ctx, ads);
743 }
744
745 ADS_STATUS ads_startup_nobind(struct net_context *c,
746 bool only_own_domain,
747 TALLOC_CTX *mem_ctx,
748 ADS_STRUCT **ads)
749 {
750 return ads_startup_int(c,
751 only_own_domain,
752 ADS_AUTH_NO_BIND,
753 mem_ctx,
754 ads);
755 }
756
757 /*
758 Check to see if connection can be made via ads.
759 ads_startup() stores the password in opt_password if it needs to so
760 that rpc or rap can use it without re-prompting.
761 */
762 static int net_ads_check_int(struct net_context *c,
763 const char *realm,
764 const char *workgroup,
765 const char *host)
766 {
767 TALLOC_CTX *tmp_ctx = talloc_stackframe();
768 ADS_STRUCT *ads;
769 ADS_STATUS status;
770 int ret = -1;
771
772 ads = ads_init(tmp_ctx, realm, workgroup, host, ADS_SASL_PLAIN);
773 if (ads == NULL) {
774 goto out;
775 }
776
777 status = ads_connect_cldap_only(ads);
778 if (!ADS_ERR_OK(status)) {
779 goto out;
780 }
781
782 ret = 0;
783 out:
784 TALLOC_FREE(tmp_ctx);
785 return ret;
786 }
787
788 int net_ads_check_our_domain(struct net_context *c)
789 {
790 return net_ads_check_int(c, lp_realm(), lp_workgroup(), NULL);
791 }
792
793 int net_ads_check(struct net_context *c)
794 {
795 return net_ads_check_int(c, NULL, c->opt_workgroup, c->opt_host);
796 }
797
798 /*
799 determine the netbios workgroup name for a domain
800 */
801 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
802 {
803 TALLOC_CTX *tmp_ctx = talloc_stackframe();
804 ADS_STRUCT *ads = NULL;
805 ADS_STATUS status;
806 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
807 bool ok = false;
808 int ret = -1;
809
810 if (c->display_usage) {
811 d_printf ("%s\n"
812 "net ads workgroup\n"
813 " %s\n",
814 _("Usage:"),
815 _("Print the workgroup name"));
816 TALLOC_FREE(tmp_ctx);
817 return -1;
818 }
819
820 status = ads_startup_nobind(c, false, tmp_ctx, &ads);
821 if (!ADS_ERR_OK(status)) {
822 d_fprintf(stderr, _("Didn't find the cldap server!\n"));
823 goto out;
824 }
825
826 if (!ads->config.realm) {
827 ads->config.realm = talloc_strdup(ads, c->opt_target_workgroup);
828 if (ads->config.realm == NULL) {
829 d_fprintf(stderr, _("Out of memory\n"));
830 goto out;
831 }
832 ads->ldap.port = 389;
833 }
834
835 ok = ads_cldap_netlogon_5(tmp_ctx,
836 &ads->ldap.ss, ads->server.realm, &reply);
837 if (!ok) {
838 d_fprintf(stderr, _("CLDAP query failed!\n"));
839 goto out;
840 }
841
842 d_printf(_("Workgroup: %s\n"), reply.domain_name);
843
844 ret = 0;
845 out:
846 TALLOC_FREE(tmp_ctx);
847
848 return ret;
849 }
850
851
852
853 static bool usergrp_display(ADS_STRUCT *ads, char *field, void **values, void *data_area)
854 {
855 char **disp_fields = (char **) data_area;
856
857 if (!field) { /* must be end of record */
858 if (disp_fields[0]) {
859 if (!strchr_m(disp_fields[0], '$')) {
860 if (disp_fields[1])
861 d_printf("%-21.21s %s\n",
862 disp_fields[0], disp_fields[1]);
863 else
864 d_printf("%s\n", disp_fields[0]);
865 }
866 }
867 SAFE_FREE(disp_fields[0]);
868 SAFE_FREE(disp_fields[1]);
869 return true;
870 }
871 if (!values) /* must be new field, indicate string field */
872 return true;
873 if (strcasecmp_m(field, "sAMAccountName") == 0) {
874 disp_fields[0] = SMB_STRDUP((char *) values[0]);
875 }
876 if (strcasecmp_m(field, "description") == 0)
877 disp_fields[1] = SMB_STRDUP((char *) values[0]);
878 return true;
879 }
880
881 static int net_ads_user_usage(struct net_context *c, int argc, const char **argv)
882 {
883 return net_user_usage(c, argc, argv);
884 }
885
886 static int ads_user_add(struct net_context *c, int argc, const char **argv)
887 {
888 TALLOC_CTX *tmp_ctx = talloc_stackframe();
889 ADS_STRUCT *ads = NULL;
890 ADS_STATUS status;
891 char *upn, *userdn;
892 LDAPMessage *res=NULL;
893 char *creds_ccname = NULL;
894 int rc = -1;
895 char *ou_str = NULL;
896 bool ok;
897
898 if (argc < 1 || c->display_usage) {
899 TALLOC_FREE(tmp_ctx);
900 return net_ads_user_usage(c, argc, argv);
901 }
902
903 if (argc > 1) {
904 /*
905 * We rely on ads_krb5_set_password() to
906 * set the password below.
907 *
908 * We could pass the password to
909 * ads_add_user_acct()
910 * and set the unicodePwd attribute there...
911 */
912 cli_credentials_set_kerberos_state(c->creds,
913 CRED_USE_KERBEROS_REQUIRED,
914 CRED_SPECIFIED);
915 }
916
917 status = ads_startup(c, false, tmp_ctx, &ads);
918 if (!ADS_ERR_OK(status)) {
919 goto done;
920 }
921
922 status = ads_find_user_acct(ads, &res, argv[0]);
923 if (!ADS_ERR_OK(status)) {
924 d_fprintf(stderr, _("ads_user_add: %s\n"), ads_errstr(status));
925 goto done;
926 }
927
928 if (ads_count_replies(ads, res)) {
929 d_fprintf(stderr, _("ads_user_add: User %s already exists\n"),
930 argv[0]);
931 goto done;
932 }
933
934 if (c->opt_container) {
935 ou_str = SMB_STRDUP(c->opt_container);
936 } else {
937 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
938 }
939
940 status = ads_add_user_acct(ads, argv[0], ou_str, c->opt_comment);
941 if (!ADS_ERR_OK(status)) {
942 d_fprintf(stderr, _("Could not add user %s: %s\n"), argv[0],
943 ads_errstr(status));
944 goto done;
945 }
946
947 /* if no password is to be set, we're done */
948 if (argc == 1) {
949 d_printf(_("User %s added\n"), argv[0]);
950 rc = 0;
951 goto done;
952 }
953
954 /* try setting the password */
955 upn = talloc_asprintf(tmp_ctx,
956 "%s@%s",
957 argv[0],
958 ads->config.realm);
959 if (upn == NULL) {
960 goto done;
961 }
962
963 ok = cli_credentials_get_ccache_name_obtained(c->creds,
964 tmp_ctx,
965 &creds_ccname,
966 NULL);
967 if (!ok) {
968 d_printf(_("No valid krb5 ccache for: %s\n"),
969 cli_credentials_get_unparsed_name(c->creds, tmp_ctx));
970 goto done;
971 }
972
973 status = ads_krb5_set_password(upn, argv[1], creds_ccname);
974 if (ADS_ERR_OK(status)) {
975 d_printf(_("User %s added\n"), argv[0]);
976 rc = 0;
977 goto done;
978 }
979 TALLOC_FREE(upn);
980
981 /* password didn't set, delete account */
982 d_fprintf(stderr, _("Could not add user %s. "
983 "Error setting password %s\n"),
984 argv[0], ads_errstr(status));
985
986 ads_msgfree(ads, res);
987 res = NULL;
988
989 status=ads_find_user_acct(ads, &res, argv[0]);
990 if (ADS_ERR_OK(status)) {
991 userdn = ads_get_dn(ads, tmp_ctx, res);
992 ads_del_dn(ads, userdn);
993 TALLOC_FREE(userdn);
994 }
995
996 done:
997 ads_msgfree(ads, res);
998 SAFE_FREE(ou_str);
999 TALLOC_FREE(tmp_ctx);
1000 return rc;
1001 }
1002
1003 static int ads_user_info(struct net_context *c, int argc, const char **argv)
1004 {
1005 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1006 ADS_STRUCT *ads = NULL;
1007 ADS_STATUS status;
1008 LDAPMessage *res = NULL;
1009 int ret = -1;
1010 wbcErr wbc_status;
1011 const char *attrs[] = {"memberOf", "primaryGroupID", NULL};
1012 char *searchstring = NULL;
1013 char **grouplist = NULL;
1014 char *primary_group = NULL;
1015 char *escaped_user = NULL;
1016 struct dom_sid primary_group_sid;
1017 uint32_t group_rid;
1018 enum wbcSidType type;
1019
1020 if (argc < 1 || c->display_usage) {
1021 TALLOC_FREE(tmp_ctx);
1022 return net_ads_user_usage(c, argc, argv);
1023 }
1024
1025 escaped_user = escape_ldap_string(tmp_ctx, argv[0]);
1026 if (!escaped_user) {
1027 d_fprintf(stderr,
1028 _("ads_user_info: failed to escape user %s\n"),
1029 argv[0]);
1030 goto out;
1031 }
1032
1033 status = ads_startup(c, false, tmp_ctx, &ads);
1034 if (!ADS_ERR_OK(status)) {
1035 goto out;
1036 }
1037
1038 searchstring = talloc_asprintf(tmp_ctx,
1039 "(sAMAccountName=%s)",
1040 escaped_user);
1041 if (searchstring == NULL) {
1042 goto out;
1043 }
1044
1045 status = ads_search(ads, &res, searchstring, attrs);
1046 if (!ADS_ERR_OK(status)) {
1047 d_fprintf(stderr, _("ads_search: %s\n"), ads_errstr(status));
1048 goto out;
1049 }
1050
1051 if (!ads_pull_uint32(ads, res, "primaryGroupID", &group_rid)) {
1052 d_fprintf(stderr, _("ads_pull_uint32 failed\n"));
1053 goto out;
1054 }
1055
1056 status = ads_domain_sid(ads, &primary_group_sid);
1057 if (!ADS_ERR_OK(status)) {
1058 d_fprintf(stderr, _("ads_domain_sid: %s\n"), ads_errstr(status));
1059 goto out;
1060 }
1061
1062 sid_append_rid(&primary_group_sid, group_rid);
1063
1064 wbc_status = wbcLookupSid((struct wbcDomainSid *)&primary_group_sid,
1065 NULL, /* don't look up domain */
1066 &primary_group,
1067 &type);
1068 if (!WBC_ERROR_IS_OK(wbc_status)) {
1069 d_fprintf(stderr, "wbcLookupSid: %s\n",
1070 wbcErrorString(wbc_status));
1071 goto out;
1072 }
1073
1074 d_printf("%s\n", primary_group);
1075
1076 wbcFreeMemory(primary_group);
1077
1078 grouplist = ldap_get_values((LDAP *)ads->ldap.ld,
1079 (LDAPMessage *)res, "memberOf");
1080
1081 if (grouplist) {
1082 int i;
1083 char **groupname;
1084 for (i=0;grouplist[i];i++) {
1085 groupname = ldap_explode_dn(grouplist[i], 1);
1086 d_printf("%s\n", groupname[0]);
1087 ldap_value_free(groupname);
1088 }
1089 ldap_value_free(grouplist);
1090 }
1091
1092 ret = 0;
1093 out:
1094 TALLOC_FREE(escaped_user);
1095 TALLOC_FREE(searchstring);
1096 ads_msgfree(ads, res);
1097 TALLOC_FREE(tmp_ctx);
1098 return ret;
1099 }
1100
1101 static int ads_user_delete(struct net_context *c, int argc, const char **argv)
1102 {
1103 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1104 ADS_STRUCT *ads = NULL;
1105 ADS_STATUS status;
1106 LDAPMessage *res = NULL;
1107 char *userdn = NULL;
1108 int ret = -1;
1109
1110 if (argc < 1) {
1111 TALLOC_FREE(tmp_ctx);
1112 return net_ads_user_usage(c, argc, argv);
1113 }
1114
1115 status = ads_startup(c, false, tmp_ctx, &ads);
1116 if (!ADS_ERR_OK(status)) {
1117 goto out;
1118 }
1119
1120 status = ads_find_user_acct(ads, &res, argv[0]);
1121 if (!ADS_ERR_OK(status) || ads_count_replies(ads, res) != 1) {
1122 d_printf(_("User %s does not exist.\n"), argv[0]);
1123 goto out;
1124 }
1125
1126 userdn = ads_get_dn(ads, tmp_ctx, res);
1127 if (userdn == NULL) {
1128 goto out;
1129 }
1130
1131 status = ads_del_dn(ads, userdn);
1132 if (!ADS_ERR_OK(status)) {
1133 d_fprintf(stderr, _("Error deleting user %s: %s\n"), argv[0],
1134 ads_errstr(status));
1135 goto out;
1136 }
1137
1138 d_printf(_("User %s deleted\n"), argv[0]);
1139
1140 ret = 0;
1141 out:
1142 ads_msgfree(ads, res);
1143 TALLOC_FREE(tmp_ctx);
1144 return ret;
1145 }
1146
1147 int net_ads_user(struct net_context *c, int argc, const char **argv)
1148 {
1149 struct functable func[] = {
1150 {
1151 "add",
1152 ads_user_add,
1153 NET_TRANSPORT_ADS,
1154 N_("Add an AD user"),
1155 N_("net ads user add\n"
1156 " Add an AD user")
1157 },
1158 {
1159 "info",
1160 ads_user_info,
1161 NET_TRANSPORT_ADS,
1162 N_("Display information about an AD user"),
1163 N_("net ads user info\n"
1164 " Display information about an AD user")
1165 },
1166 {
1167 "delete",
1168 ads_user_delete,
1169 NET_TRANSPORT_ADS,
1170 N_("Delete an AD user"),
1171 N_("net ads user delete\n"
1172 " Delete an AD user")
1173 },
1174 {NULL, NULL, 0, NULL, NULL}
1175 };
1176 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1177 ADS_STRUCT *ads = NULL;
1178 ADS_STATUS status;
1179 const char *shortattrs[] = {"sAMAccountName", NULL};
1180 const char *longattrs[] = {"sAMAccountName", "description", NULL};
1181 char *disp_fields[2] = {NULL, NULL};
1182 int ret = -1;
1183
1184 if (argc > 0) {
1185 TALLOC_FREE(tmp_ctx);
1186 return net_run_function(c, argc, argv, "net ads user", func);
1187 }
1188
1189 if (c->display_usage) {
1190 d_printf( "%s\n"
1191 "net ads user\n"
1192 " %s\n",
1193 _("Usage:"),
1194 _("List AD users"));
1195 net_display_usage_from_functable(func);
1196 TALLOC_FREE(tmp_ctx);
1197 return -1;
1198 }
1199
1200 status = ads_startup(c, false, tmp_ctx, &ads);
1201 if (!ADS_ERR_OK(status)) {
1202 goto out;
1203 }
1204
1205 if (c->opt_long_list_entries)
1206 d_printf(_("\nUser name Comment"
1207 "\n-----------------------------\n"));
1208
1209 status = ads_do_search_all_fn(ads,
1210 ads->config.bind_path,
1211 LDAP_SCOPE_SUBTREE,
1212 "(objectCategory=user)",
1213 c->opt_long_list_entries ?
1214 longattrs : shortattrs,
1215 usergrp_display,
1216 disp_fields);
1217 if (!ADS_ERR_OK(status)) {
1218 goto out;
1219 }
1220
1221 ret = 0;
1222 out:
1223 TALLOC_FREE(tmp_ctx);
1224 return ret;
1225 }
1226
1227 static int net_ads_group_usage(struct net_context *c, int argc, const char **argv)
1228 {
1229 return net_group_usage(c, argc, argv);
1230 }
1231
1232 static int ads_group_add(struct net_context *c, int argc, const char **argv)
1233 {
1234 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1235 ADS_STRUCT *ads = NULL;
1236 ADS_STATUS status;
1237 LDAPMessage *res = NULL;
1238 int ret = -1;
1239 char *ou_str = NULL;
1240
1241 if (argc < 1 || c->display_usage) {
1242 TALLOC_FREE(tmp_ctx);
1243 return net_ads_group_usage(c, argc, argv);
1244 }
1245
1246 status = ads_startup(c, false, tmp_ctx, &ads);
1247 if (!ADS_ERR_OK(status)) {
1248 goto out;
1249 }
1250
1251 status = ads_find_user_acct(ads, &res, argv[0]);
1252 if (!ADS_ERR_OK(status)) {
1253 d_fprintf(stderr, _("ads_group_add: %s\n"), ads_errstr(status));
1254 goto out;
1255 }
1256
1257 if (ads_count_replies(ads, res)) {
1258 d_fprintf(stderr, _("ads_group_add: Group %s already exists\n"), argv[0]);
1259 goto out;
1260 }
1261
1262 if (c->opt_container) {
1263 ou_str = SMB_STRDUP(c->opt_container);
1264 } else {
1265 ou_str = ads_default_ou_string(ads, DS_GUID_USERS_CONTAINER);
1266 }
1267
1268 status = ads_add_group_acct(ads, argv[0], ou_str, c->opt_comment);
1269 if (!ADS_ERR_OK(status)) {
1270 d_fprintf(stderr, _("Could not add group %s: %s\n"), argv[0],
1271 ads_errstr(status));
1272 goto out;
1273 }
1274
1275 d_printf(_("Group %s added\n"), argv[0]);
1276
1277 ret = 0;
1278 out:
1279 ads_msgfree(ads, res);
1280 SAFE_FREE(ou_str);
1281 TALLOC_FREE(tmp_ctx);
1282 return ret;
1283 }
1284
1285 static int ads_group_delete(struct net_context *c, int argc, const char **argv)
1286 {
1287 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1288 ADS_STRUCT *ads = NULL;
1289 ADS_STATUS status;
1290 LDAPMessage *res = NULL;
1291 char *groupdn = NULL;
1292 int ret = -1;
1293
1294 if (argc < 1 || c->display_usage) {
1295 TALLOC_FREE(tmp_ctx);
1296 return net_ads_group_usage(c, argc, argv);
1297 }
1298
1299 status = ads_startup(c, false, tmp_ctx, &ads);
1300 if (!ADS_ERR_OK(status)) {
1301 goto out;
1302 }
1303
1304 status = ads_find_user_acct(ads, &res, argv[0]);
1305 if (!ADS_ERR_OK(status) || ads_count_replies(ads, res) != 1) {
1306 d_printf(_("Group %s does not exist.\n"), argv[0]);
1307 goto out;
1308 }
1309
1310 groupdn = ads_get_dn(ads, tmp_ctx, res);
1311 if (groupdn == NULL) {
1312 goto out;
1313 }
1314
1315 status = ads_del_dn(ads, groupdn);
1316 if (!ADS_ERR_OK(status)) {
1317 d_fprintf(stderr, _("Error deleting group %s: %s\n"), argv[0],
1318 ads_errstr(status));
1319 goto out;
1320 }
1321 d_printf(_("Group %s deleted\n"), argv[0]);
1322
1323 ret = 0;
1324 out:
1325 ads_msgfree(ads, res);
1326 TALLOC_FREE(tmp_ctx);
1327 return ret;
1328 }
1329
1330 int net_ads_group(struct net_context *c, int argc, const char **argv)
1331 {
1332 struct functable func[] = {
1333 {
1334 "add",
1335 ads_group_add,
1336 NET_TRANSPORT_ADS,
1337 N_("Add an AD group"),
1338 N_("net ads group add\n"
1339 " Add an AD group")
1340 },
1341 {
1342 "delete",
1343 ads_group_delete,
1344 NET_TRANSPORT_ADS,
1345 N_("Delete an AD group"),
1346 N_("net ads group delete\n"
1347 " Delete an AD group")
1348 },
1349 {NULL, NULL, 0, NULL, NULL}
1350 };
1351 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1352 ADS_STRUCT *ads = NULL;
1353 ADS_STATUS status;
1354 const char *shortattrs[] = {"sAMAccountName", NULL};
1355 const char *longattrs[] = {"sAMAccountName", "description", NULL};
1356 char *disp_fields[2] = {NULL, NULL};
1357 int ret = -1;
1358
1359 if (argc >= 0) {
1360 TALLOC_FREE(tmp_ctx);
1361 return net_run_function(c, argc, argv, "net ads group", func);
1362 }
1363
1364 if (c->display_usage) {
1365 d_printf( "%s\n"
1366 "net ads group\n"
1367 " %s\n",
1368 _("Usage:"),
1369 _("List AD groups"));
1370 net_display_usage_from_functable(func);
1371 TALLOC_FREE(tmp_ctx);
1372 return -1;
1373 }
1374
1375 status = ads_startup(c, false, tmp_ctx, &ads);
1376 if (!ADS_ERR_OK(status)) {
1377 goto out;
1378 }
1379
1380 if (c->opt_long_list_entries)
1381 d_printf(_("\nGroup name Comment"
1382 "\n-----------------------------\n"));
1383
1384 status = ads_do_search_all_fn(ads,
1385 ads->config.bind_path,
1386 LDAP_SCOPE_SUBTREE,
1387 "(objectCategory=group)",
1388 c->opt_long_list_entries ?
1389 longattrs : shortattrs,
1390 usergrp_display,
1391 disp_fields);
1392 if (!ADS_ERR_OK(status)) {
1393 goto out;
1394 }
1395
1396 ret = 0;
1397 out:
1398 TALLOC_FREE(tmp_ctx);
1399 return ret;
1400 }
1401
1402 static int net_ads_status(struct net_context *c, int argc, const char **argv)
1403 {
1404 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1405 ADS_STRUCT *ads = NULL;
1406 ADS_STATUS status;
1407 LDAPMessage *res = NULL;
1408 int ret = -1;
1409
1410 if (c->display_usage) {
1411 d_printf( "%s\n"
1412 "net ads status\n"
1413 " %s\n",
1414 _("Usage:"),
1415 _("Display machine account details"));
1416 TALLOC_FREE(tmp_ctx);
1417 return -1;
1418 }
1419
1420 net_warn_member_options();
1421
1422 status = ads_startup(c, true, tmp_ctx, &ads);
1423 if (!ADS_ERR_OK(status)) {
1424 goto out;
1425 }
1426
1427 status = ads_find_machine_acct(ads, &res, lp_netbios_name());
1428 if (!ADS_ERR_OK(status)) {
1429 d_fprintf(stderr, _("ads_find_machine_acct: %s\n"),
1430 ads_errstr(status));
1431 goto out;
1432 }
1433
1434 if (ads_count_replies(ads, res) == 0) {
1435 d_fprintf(stderr, _("No machine account for '%s' found\n"),
1436 lp_netbios_name());
1437 goto out;
1438 }
1439
1440 ads_dump(ads, res);
1441
1442 ret = 0;
1443 out:
1444 ads_msgfree(ads, res);
1445 TALLOC_FREE(tmp_ctx);
1446 return ret;
1447 }
1448
1449 /*******************************************************************
1450 Leave an AD domain. Windows XP disables the machine account.
1451 We'll try the same. The old code would do an LDAP delete.
1452 That only worked using the machine creds because added the machine
1453 with full control to the computer object's ACL.
1454 *******************************************************************/
1455
1456 static int net_ads_leave(struct net_context *c, int argc, const char **argv)
1457 {
1458 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1459 struct libnet_UnjoinCtx *r = NULL;
1460 WERROR werr;
1461 int ret = -1;
1462
1463 if (c->display_usage) {
1464 d_printf( "%s\n"
1465 "net ads leave [--keep-account]\n"
1466 " %s\n",
1467 _("Usage:"),
1468 _("Leave an AD domain"));
1469 TALLOC_FREE(tmp_ctx);
1470 return -1;
1471 }
1472
1473 if (!*lp_realm()) {
1474 d_fprintf(stderr, _("No realm set, are we joined ?\n"));
1475 TALLOC_FREE(tmp_ctx);
1476 return -1;
1477 }
1478
1479 if (!c->msg_ctx) {
1480 d_fprintf(stderr, _("Could not initialise message context. "
1481 "Try running as root\n"));
1482 goto done;
1483 }
1484
1485 werr = libnet_init_UnjoinCtx(tmp_ctx, &r);
1486 if (!W_ERROR_IS_OK(werr)) {
1487 d_fprintf(stderr, _("Could not initialise unjoin context.\n"));
1488 goto done;
1489 }
1490
1491 r->in.debug = true;
1492 r->in.dc_name = c->opt_host;
1493 r->in.domain_name = lp_dnsdomain();
1494 r->in.admin_credentials = c->creds;
1495 r->in.modify_config = lp_config_backend_is_registry();
1496
1497 /* Try to delete it, but if that fails, disable it. The
1498 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
1499 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1500 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
1501 if (c->opt_keep_account) {
1502 r->in.delete_machine_account = false;
1503 } else {
1504 r->in.delete_machine_account = true;
1505 }
1506
1507 r->in.msg_ctx = c->msg_ctx;
1508
1509 werr = libnet_Unjoin(tmp_ctx, r);
1510 if (!W_ERROR_IS_OK(werr)) {
1511 d_printf(_("Failed to leave domain: %s\n"),
1512 r->out.error_string ? r->out.error_string :
1513 get_friendly_werror_msg(werr));
1514 goto done;
1515 }
1516
1517 if (r->out.deleted_machine_account) {
1518 d_printf(_("Deleted account for '%s' in realm '%s'\n"),
1519 r->in.machine_name, r->out.dns_domain_name);
1520 ret = 0;
1521 goto done;
1522 }
1523
1524 /* We couldn't delete it - see if the disable succeeded. */
1525 if (r->out.disabled_machine_account) {
1526 d_printf(_("Disabled account for '%s' in realm '%s'\n"),
1527 r->in.machine_name, r->out.dns_domain_name);
1528 ret = 0;
1529 goto done;
1530 }
1531
1532 /* Based on what we requested, we shouldn't get here, but if
1533 we did, it means the secrets were removed, and therefore
1534 we have left the domain */
1535 d_fprintf(stderr, _("Machine '%s' Left domain '%s'\n"),
1536 r->in.machine_name, r->out.dns_domain_name);
1537
1538 ret = 0;
1539 done:
1540 TALLOC_FREE(tmp_ctx);
1541 return ret;
1542 }
1543
1544 static ADS_STATUS net_ads_join_ok(struct net_context *c)
1545 {
1546 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1547 ADS_STRUCT *ads = NULL;
1548 ADS_STATUS status;
1549 fstring dc_name;
1550 struct sockaddr_storage dcip;
1551
1552 if (!secrets_init()) {
1553 DEBUG(1,("Failed to initialise secrets database\n"));
1554 TALLOC_FREE(tmp_ctx);
1555 return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
1556 }
1557
1558 net_warn_member_options();
1559
1560 net_use_krb_machine_account(c);
1561
1562 if (!cli_credentials_authentication_requested(c->creds)) {
1563 DBG_ERR("Failed to get machine credentials\n");
1564 TALLOC_FREE(tmp_ctx);
1565 return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
1566 }
1567
1568 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
1569
1570 status = ads_startup(c, true, tmp_ctx, &ads);
1571 if (!ADS_ERR_OK(status)) {
1572 goto out;
1573 }
1574
1575 status = ADS_ERROR_NT(NT_STATUS_OK);
1576 out:
1577 TALLOC_FREE(tmp_ctx);
1578 return status;
1579 }
1580
1581 /*
1582 check that an existing join is OK
1583 */
1584 int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
1585 {
1586 ADS_STATUS status;
1587
1588 if (c->display_usage) {
1589 d_printf( "%s\n"
1590 "net ads testjoin\n"
1591 " %s\n",
1592 _("Usage:"),
1593 _("Test if the existing join is ok"));
1594 return -1;
1595 }
1596
1597 net_warn_member_options();
1598
1599 /* Display success or failure */
1600 status = net_ads_join_ok(c);
1601 if (!ADS_ERR_OK(status)) {
1602 fprintf(stderr, _("Join to domain is not valid: %s\n"),
1603 get_friendly_nt_error_msg(ads_ntstatus(status)));
1604 return -1;
1605 }
1606
1607 printf(_("Join is OK\n"));
1608 return 0;
1609 }
1610
1611 /*******************************************************************
1612 Simple config checks before beginning the join
1613 ********************************************************************/
1614
1615 static WERROR check_ads_config( void )
1616 {
1617 if (lp_server_role() != ROLE_DOMAIN_MEMBER ) {
1618 d_printf(_("Host is not configured as a member server.\n"));
1619 return WERR_INVALID_DOMAIN_ROLE;
1620 }
1621
1622 if (strlen(lp_netbios_name()) > 15) {
1623 d_printf(_("Our netbios name can be at most 15 chars long, "
1624 "\"%s\" is %u chars long\n"), lp_netbios_name(),
1625 (unsigned int)strlen(lp_netbios_name()));
1626 return WERR_INVALID_COMPUTERNAME;
1627 }
1628
1629 if ( lp_security() == SEC_ADS && !*lp_realm()) {
1630 d_fprintf(stderr, _("realm must be set in %s for ADS "
1631 "join to succeed.\n"), get_dyn_CONFIGFILE());
1632 return WERR_INVALID_PARAMETER;
1633 }
1634
1635 return WERR_OK;
1636 }
1637
1638 /*******************************************************************
1639 ********************************************************************/
1640
1641 static int net_ads_join_usage(struct net_context *c, int argc, const char **argv)
1642 {
1643 d_printf(_("net ads join [--no-dns-updates] [options]\n"
1644 "Valid options:\n"));
1645 d_printf(_(" dnshostname=FQDN Set the dnsHostName attribute during the join.\n"
1646 " The default is in the form netbiosname.dnsdomain\n"));
1647 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
1648 " The default UPN is in the form host/netbiosname@REALM.\n"));
1649 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
1650 " The OU string read from top to bottom without RDNs\n"
1651 " and delimited by a '/'.\n"
1652 " E.g. \"createcomputer=Computers/Servers/Unix\"\n"
1653 " NB: A backslash '\\' is used as escape at multiple\n"
1654 " levels and may need to be doubled or even\n"
1655 " quadrupled. It is not used as a separator.\n"));
1656 d_printf(_(" machinepass=PASS Set the machine password to a specific value during\n"
1657 " the join. The default password is random.\n"));
1658 d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
1659 d_printf(_(" osVer=string Set the operatingSystemVersion attribute during join.\n"
1660 " NB: osName and osVer must be specified together for\n"
1661 " either to take effect. The operatingSystemService\n"
1662 " attribute is then also set along with the two\n"
1663 " other attributes.\n"));
1664 d_printf(_(" osServicePack=string Set the operatingSystemServicePack attribute\n"
1665 " during the join.\n"
1666 " NB: If not specified then by default the samba\n"
1667 " version string is used instead.\n"));
1668 return -1;
1669 }
1670
1671
1672 int net_ads_join(struct net_context *c, int argc, const char **argv)
1673 {
1674 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1675 struct libnet_JoinCtx *r = NULL;
1676 const char *domain = lp_realm();
1677 WERROR werr = WERR_NERR_SETUPNOTJOINED;
1678 bool createupn = false;
1679 const char *dnshostname = NULL;
1680 const char *machineupn = NULL;
1681 const char *machine_password = NULL;
1682 const char *create_in_ou = NULL;
1683 int i;
1684 const char *os_name = NULL;
1685 const char *os_version = NULL;
1686 const char *os_servicepack = NULL;
1687 bool modify_config = lp_config_backend_is_registry();
1688 enum libnetjoin_JoinDomNameType domain_name_type = JoinDomNameTypeDNS;
1689 int ret = -1;
1690
1691 if (c->display_usage) {
1692 TALLOC_FREE(tmp_ctx);
1693 return net_ads_join_usage(c, argc, argv);
1694 }
1695
1696 net_warn_member_options();
1697
1698 if (!modify_config) {
1699 werr = check_ads_config();
1700 if (!W_ERROR_IS_OK(werr)) {
1701 d_fprintf(stderr, _("Invalid configuration. Exiting....\n"));
1702 goto fail;
1703 }
1704 }
1705
1706 werr = libnet_init_JoinCtx(tmp_ctx, &r);
1707 if (!W_ERROR_IS_OK(werr)) {
1708 goto fail;
1709 }
1710
1711 /* process additional command line args */
1712
1713 for ( i=0; i<argc; i++ ) {
1714 if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
1715 dnshostname = get_string_param(argv[i]);
1716 }
1717 else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
1718 createupn = true;
1719 machineupn = get_string_param(argv[i]);
1720 }
1721 else if ( !strncasecmp_m(argv[i], "createcomputer", strlen("createcomputer")) ) {
1722 if ( (create_in_ou = get_string_param(argv[i])) == NULL ) {
1723 d_fprintf(stderr, _("Please supply a valid OU path.\n"));
1724 werr = WERR_INVALID_PARAMETER;
1725 goto fail;
1726 }
1727 }
1728 else if ( !strncasecmp_m(argv[i], "osName", strlen("osName")) ) {
1729 if ( (os_name = get_string_param(argv[i])) == NULL ) {
1730 d_fprintf(stderr, _("Please supply a operating system name.\n"));
1731 werr = WERR_INVALID_PARAMETER;
1732 goto fail;
1733 }
1734 }
1735 else if ( !strncasecmp_m(argv[i], "osVer", strlen("osVer")) ) {
1736 if ( (os_version = get_string_param(argv[i])) == NULL ) {
1737 d_fprintf(stderr, _("Please supply a valid operating system version.\n"));
1738 werr = WERR_INVALID_PARAMETER;
1739 goto fail;
1740 }
1741 }
1742 else if ( !strncasecmp_m(argv[i], "osServicePack", strlen("osServicePack")) ) {
1743 if ( (os_servicepack = get_string_param(argv[i])) == NULL ) {
1744 d_fprintf(stderr, _("Please supply a valid servicepack identifier.\n"));
1745 werr = WERR_INVALID_PARAMETER;
1746 goto fail;
1747 }
1748 }
1749 else if ( !strncasecmp_m(argv[i], "machinepass", strlen("machinepass")) ) {
1750 if ( (machine_password = get_string_param(argv[i])) == NULL ) {
1751 d_fprintf(stderr, _("Please supply a valid password to set as trust account password.\n"));
1752 werr = WERR_INVALID_PARAMETER;
1753 goto fail;
1754 }
1755 } else {
1756 domain = argv[i];
1757 if (strchr(domain, '.') == NULL) {
1758 domain_name_type = JoinDomNameTypeUnknown;
1759 } else {
1760 domain_name_type = JoinDomNameTypeDNS;
1761 }
1762 }
1763 }
1764
1765 if (!*domain) {
1766 d_fprintf(stderr, _("Please supply a valid domain name\n"));
1767 werr = WERR_INVALID_PARAMETER;
1768 goto fail;
1769 }
1770
1771 if (!c->msg_ctx) {
1772 d_fprintf(stderr, _("Could not initialise message context. "
1773 "Try running as root\n"));
1774 werr = WERR_ACCESS_DENIED;
1775 goto fail;
1776 }
1777
1778 /* Do the domain join here */
1779
1780 r->in.domain_name = domain;
1781 r->in.domain_name_type = domain_name_type;
1782 r->in.create_upn = createupn;
1783 r->in.upn = machineupn;
1784 r->in.dnshostname = dnshostname;
1785 r->in.account_ou = create_in_ou;
1786 r->in.os_name = os_name;
1787 r->in.os_version = os_version;
1788 r->in.os_servicepack = os_servicepack;
1789 r->in.dc_name = c->opt_host;
1790 r->in.admin_credentials = c->creds;
1791 r->in.machine_password = machine_password;
1792 r->in.debug = true;
1793 r->in.modify_config = modify_config;
1794 r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1795 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
1796 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
1797 r->in.msg_ctx = c->msg_ctx;
1798
1799 werr = libnet_Join(tmp_ctx, r);
1800 if (W_ERROR_EQUAL(werr, WERR_NERR_DCNOTFOUND) &&
1801 strequal(domain, lp_realm())) {
1802 r->in.domain_name = lp_workgroup();
1803 r->in.domain_name_type = JoinDomNameTypeNBT;
1804 werr = libnet_Join(tmp_ctx, r);
1805 }
1806 if (!W_ERROR_IS_OK(werr)) {
1807 goto fail;
1808 }
1809
1810 /* Check the short name of the domain */
1811
1812 if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
1813 d_printf(_("The workgroup in %s does not match the short\n"
1814 "domain name obtained from the server.\n"
1815 "Using the name [%s] from the server.\n"
1816 "You should set \"workgroup = %s\" in %s.\n"),
1817 get_dyn_CONFIGFILE(), r->out.netbios_domain_name,
1818 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
1819 }
1820
1821 d_printf(_("Using short domain name -- %s\n"), r->out.netbios_domain_name);
1822
1823 if (r->out.dns_domain_name) {
1824 d_printf(_("Joined '%s' to dns domain '%s'\n"), r->in.machine_name,
1825 r->out.dns_domain_name);
1826 } else {
1827 d_printf(_("Joined '%s' to domain '%s'\n"), r->in.machine_name,
1828 r->out.netbios_domain_name);
1829 }
1830
1831 /* print out informative error string in case there is one */
1832 if (r->out.error_string != NULL) {
1833 d_printf("%s\n", r->out.error_string);
1834 }
1835
1836 /*
1837 * We try doing the dns update (if it was compiled in
1838 * and if it was not disabled on the command line).
1839 * If the dns update fails, we still consider the join
1840 * operation as succeeded if we came this far.
1841 */
1842 if (!c->opt_no_dns_updates) {
1843 net_ads_join_dns_updates(c, tmp_ctx, r);
1844 }
1845
1846 ret = 0;
1847
1848 fail:
1849 if (ret != 0) {
1850 /* issue an overall failure message at the end. */
1851 d_printf(_("Failed to join domain: %s\n"),
1852 r && r->out.error_string ? r->out.error_string :
1853 get_friendly_werror_msg(werr));
1854 }
1855
1856 TALLOC_FREE(tmp_ctx);
1857
1858 return ret;
1859 }
1860
1861 /*******************************************************************
1862 ********************************************************************/
1863
1864 static int net_ads_dns_register(struct net_context *c, int argc, const char **argv)
1865 {
1866 #if defined(HAVE_KRB5)
1867 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1868 ADS_STRUCT *ads = NULL;
1869 ADS_STATUS status;
1870 NTSTATUS ntstatus;
1871 const char *hostname = NULL;
1872 const char **addrs_list = NULL;
1873 struct sockaddr_storage *addrs = NULL;
1874 int num_addrs = 0;
1875 int count;
1876 int ret = -1;
1877
1878 #ifdef DEVELOPER
1879 talloc_enable_leak_report();
1880 #endif
1881
1882 if (argc <= 1 && lp_clustering() && lp_cluster_addresses() == NULL) {
1883 d_fprintf(stderr, _("Refusing DNS updates with automatic "
1884 "detection of addresses in a clustered "
1885 "setup.\n"));
1886 c->display_usage = true;
1887 }
1888
1889 if (c->display_usage) {
1890 d_printf( "%s\n"
1891 "net ads dns register [hostname [IP [IP...]]] "
1892 "[--force] [--dns-ttl TTL]\n"
1893 " %s\n",
1894 _("Usage:"),
1895 _("Register hostname with DNS\n"));
1896 TALLOC_FREE(tmp_ctx);
1897 return -1;
1898 }
1899
1900 if (argc >= 1) {
1901 hostname = argv[0];
1902 }
1903
1904 if (argc > 1) {
1905 num_addrs = argc - 1;
1906 addrs_list = &argv[1];
1907 } else if (lp_clustering()) {
1908 addrs_list = lp_cluster_addresses();
1909 num_addrs = str_list_length(addrs_list);
1910 }
1911
1912 if (num_addrs > 0) {
1913 addrs = talloc_zero_array(tmp_ctx,
1914 struct sockaddr_storage,
1915 num_addrs);
1916 if (addrs == NULL) {
1917 d_fprintf(stderr, _("Error allocating memory!\n"));
1918 goto out;
1919 }
1920 }
1921
1922 for (count = 0; count < num_addrs; count++) {
1923 if (!interpret_string_addr(&addrs[count], addrs_list[count], 0)) {
1924 d_fprintf(stderr, "%s '%s'.\n",
1925 _("Cannot interpret address"),
1926 addrs_list[count]);
1927 goto out;
1928 }
1929 }
1930
1931 status = ads_startup(c, true, tmp_ctx, &ads);
1932 if ( !ADS_ERR_OK(status) ) {
1933 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
1934 goto out;
1935 }
1936
1937 ntstatus = net_update_dns_ext(c,
1938 tmp_ctx,
1939 ads,
1940 c->creds,
1941 hostname,
1942 addrs,
1943 num_addrs,
1944 false);
1945 if (!NT_STATUS_IS_OK(ntstatus)) {
1946 d_fprintf( stderr, _("DNS update failed!\n") );
1947 goto out;
1948 }
1949
1950 d_fprintf( stderr, _("Successfully registered hostname with DNS\n") );
1951
1952 ret = 0;
1953 out:
1954 TALLOC_FREE(tmp_ctx);
1955
1956 return ret;
1957 #else
1958 d_fprintf(stderr,
1959 _("DNS update support not enabled at compile time!\n"));
1960 return -1;
1961 #endif
1962 }
1963
1964 static int net_ads_dns_unregister(struct net_context *c,
1965 int argc,
1966 const char **argv)
1967 {
1968 #if defined(HAVE_KRB5)
1969 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1970 ADS_STRUCT *ads = NULL;
1971 ADS_STATUS status;
1972 NTSTATUS ntstatus;
1973 const char *hostname = NULL;
1974 int ret = -1;
1975
1976 #ifdef DEVELOPER
1977 talloc_enable_leak_report();
1978 #endif
1979
1980 if (argc != 1) {
1981 c->display_usage = true;
1982 }
1983
1984 if (c->display_usage) {
1985 d_printf( "%s\n"
1986 "net ads dns unregister [hostname]\n"
1987 " %s\n",
1988 _("Usage:"),
1989 _("Remove all IP Address entries for a given\n"
1990 " hostname from the Active Directory server.\n"));
1991 TALLOC_FREE(tmp_ctx);
1992 return -1;
1993 }
1994
1995 /* Get the hostname for un-registering */
1996 hostname = argv[0];
1997
1998 status = ads_startup(c, true, tmp_ctx, &ads);
1999 if ( !ADS_ERR_OK(status) ) {
2000 DEBUG(1, ("error on ads_startup: %s\n", ads_errstr(status)));
2001 goto out;
2002 }
2003
2004 ntstatus = net_update_dns_ext(c,
2005 tmp_ctx,
2006 ads,
2007 c->creds,
2008 hostname,
2009 NULL,
2010 0,
2011 true);
2012 if (!NT_STATUS_IS_OK(ntstatus)) {
2013 d_fprintf( stderr, _("DNS update failed!\n") );
2014 goto out;
2015 }
2016
2017 d_fprintf( stderr, _("Successfully un-registered hostname from DNS\n"));
2018
2019 ret = 0;
2020 out:
2021 TALLOC_FREE(tmp_ctx);
2022
2023 return ret;
2024 #else
2025 d_fprintf(stderr,
2026 _("DNS update support not enabled at compile time!\n"));
2027 return -1;
2028 #endif
2029 }
2030
2031
2032 static int net_ads_dns_async(struct net_context *c, int argc, const char **argv)
2033 {
2034 size_t num_names = 0;
2035 char **hostnames = NULL;
2036 size_t i = 0;
2037 struct samba_sockaddr *addrs = NULL;
2038 NTSTATUS status;
2039
2040 if (argc != 1 || c->display_usage) {
2041 d_printf( "%s\n"
2042 " %s\n"
2043 " %s\n",
2044 _("Usage:"),
2045 _("net ads dns async <name>\n"),
2046 _(" Async look up hostname from the DNS server\n"
2047 " hostname\tName to look up\n"));
2048 return -1;
2049 }
2050
2051 status = ads_dns_lookup_a(talloc_tos(),
2052 argv[0],
2053 &num_names,
2054 &hostnames,
2055 &addrs);
2056 if (!NT_STATUS_IS_OK(status)) {
2057 d_printf("Looking up A record for %s got error %s\n",
2058 argv[0],
2059 nt_errstr(status));
2060 return -1;
2061 }
2062 d_printf("Async A record lookup - got %u names for %s\n",
2063 (unsigned int)num_names,
2064 argv[0]);
2065 for (i = 0; i < num_names; i++) {
2066 char addr_buf[INET6_ADDRSTRLEN];
2067 print_sockaddr(addr_buf,
2068 sizeof(addr_buf),
2069 &addrs[i].u.ss);
2070 d_printf("hostname[%u] = %s, IPv4addr = %s\n",
2071 (unsigned int)i,
2072 hostnames[i],
2073 addr_buf);
2074 }
2075
2076 #if defined(HAVE_IPV6)
2077 status = ads_dns_lookup_aaaa(talloc_tos(),
2078 argv[0],
2079 &num_names,
2080 &hostnames,
2081 &addrs);
2082 if (!NT_STATUS_IS_OK(status)) {
2083 d_printf("Looking up AAAA record for %s got error %s\n",
2084 argv[0],
2085 nt_errstr(status));
2086 return -1;
2087 }
2088 d_printf("Async AAAA record lookup - got %u names for %s\n",
2089 (unsigned int)num_names,
2090 argv[0]);
2091 for (i = 0; i < num_names; i++) {
2092 char addr_buf[INET6_ADDRSTRLEN];
2093 print_sockaddr(addr_buf,
2094 sizeof(addr_buf),
2095 &addrs[i].u.ss);
2096 d_printf("hostname[%u] = %s, IPv6addr = %s\n",
2097 (unsigned int)i,
2098 hostnames[i],
2099 addr_buf);
2100 }
2101 #endif
2102 return 0;
2103 }
2104
2105
2106 static int net_ads_dns(struct net_context *c, int argc, const char *argv[])
2107 {
2108 struct functable func[] = {
2109 {
2110 "register",
2111 net_ads_dns_register,
2112 NET_TRANSPORT_ADS,
2113 N_("Add host dns entry to AD"),
2114 N_("net ads dns register\n"
2115 " Add host dns entry to AD")
2116 },
2117 {
2118 "unregister",
2119 net_ads_dns_unregister,
2120 NET_TRANSPORT_ADS,
2121 N_("Remove host dns entry from AD"),
2122 N_("net ads dns unregister\n"
2123 " Remove host dns entry from AD")
2124 },
2125 {
2126 "async",
2127 net_ads_dns_async,
2128 NET_TRANSPORT_ADS,
2129 N_("Look up host"),
2130 N_("net ads dns async\n"
2131 " Look up host using async DNS")
2132 },
2133 {NULL, NULL, 0, NULL, NULL}
2134 };
2135
2136 return net_run_function(c, argc, argv, "net ads dns", func);
2137 }
2138
2139 /*******************************************************************
2140 ********************************************************************/
2141
2142 int net_ads_printer_usage(struct net_context *c, int argc, const char **argv)
2143 {
2144 d_printf(_(
2145 "\nnet ads printer search <printer>"
2146 "\n\tsearch for a printer in the directory\n"
2147 "\nnet ads printer info <printer> <server>"
2148 "\n\tlookup info in directory for printer on server"
2149 "\n\t(note: printer defaults to \"*\", server defaults to local)\n"
2150 "\nnet ads printer publish <printername>"
2151 "\n\tpublish printer in directory"
2152 "\n\t(note: printer name is required)\n"
2153 "\nnet ads printer remove <printername>"
2154 "\n\tremove printer from directory"
2155 "\n\t(note: printer name is required)\n"));
2156 return -1;
2157 }
2158
2159 /*******************************************************************
2160 ********************************************************************/
2161
2162 static int net_ads_printer_search(struct net_context *c,
2163 int argc,
2164 const char **argv)
2165 {
2166 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2167 ADS_STRUCT *ads = NULL;
2168 ADS_STATUS status;
2169 LDAPMessage *res = NULL;
2170 int ret = -1;
2171
2172 if (c->display_usage) {
2173 d_printf( "%s\n"
2174 "net ads printer search\n"
2175 " %s\n",
2176 _("Usage:"),
2177 _("List printers in the AD"));
2178 TALLOC_FREE(tmp_ctx);
2179 return -1;
2180 }
2181
2182 status = ads_startup(c, false, tmp_ctx, &ads);
2183 if (!ADS_ERR_OK(status)) {
2184 goto out;
2185 }
2186
2187 status = ads_find_printers(ads, &res);
2188 if (!ADS_ERR_OK(status)) {
2189 d_fprintf(stderr, _("ads_find_printer: %s\n"),
2190 ads_errstr(status));
2191 goto out;
2192 }
2193
2194 if (ads_count_replies(ads, res) == 0) {
2195 d_fprintf(stderr, _("No results found\n"));
2196 goto out;
2197 }
2198
2199 ads_dump(ads, res);
2200
2201 ret = 0;
2202 out:
2203 ads_msgfree(ads, res);
2204 TALLOC_FREE(tmp_ctx);
2205 return ret;
2206 }
2207
2208 static int net_ads_printer_info(struct net_context *c,
2209 int argc,
2210 const char **argv)
2211 {
2212 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2213 ADS_STRUCT *ads = NULL;
2214 ADS_STATUS status;
2215 const char *servername = NULL;
2216 const char *printername = NULL;
2217 LDAPMessage *res = NULL;
2218 int ret = -1;
2219
2220 if (c->display_usage) {
2221 d_printf("%s\n%s",
2222 _("Usage:"),
2223 _("net ads printer info [printername [servername]]\n"
2224 " Display printer info from AD\n"
2225 " printername\tPrinter name or wildcard\n"
2226 " servername\tName of the print server\n"));
2227 TALLOC_FREE(tmp_ctx);
2228 return -1;
2229 }
2230
2231 status = ads_startup(c, false, tmp_ctx, &ads);
2232 if (!ADS_ERR_OK(status)) {
2233 goto out;
2234 }
2235
2236 if (argc > 0) {
2237 printername = argv[0];
2238 } else {
2239 printername = "*";
2240 }
2241
2242 if (argc > 1) {
2243 servername = argv[1];
2244 } else {
2245 servername = lp_netbios_name();
2246 }
2247
2248 status = ads_find_printer_on_server(ads, &res, printername, servername);
2249 if (!ADS_ERR_OK(status)) {
2250 d_fprintf(stderr, _("Server '%s' not found: %s\n"),
2251 servername, ads_errstr(status));
2252 goto out;
2253 }
2254
2255 if (ads_count_replies(ads, res) == 0) {
2256 d_fprintf(stderr, _("Printer '%s' not found\n"), printername);
2257 goto out;
2258 }
2259
2260 ads_dump(ads, res);
2261
2262 ret = 0;
2263 out:
2264 ads_msgfree(ads, res);
2265 TALLOC_FREE(tmp_ctx);
2266 return ret;
2267 }
2268
2269 static int net_ads_printer_publish(struct net_context *c,
2270 int argc,
2271 const char **argv)
2272 {
2273 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2274 ADS_STRUCT *ads = NULL;
2275 ADS_STATUS status;
2276 const char *servername = NULL;
2277 const char *printername = NULL;
2278 struct cli_state *cli = NULL;
2279 struct rpc_pipe_client *pipe_hnd = NULL;
2280 struct sockaddr_storage server_ss = { 0 };
2281 NTSTATUS nt_status;
2282 ADS_MODLIST mods = NULL;
2283 char *prt_dn = NULL;
2284 char *srv_dn = NULL;
2285 char **srv_cn = NULL;
2286 char *srv_cn_escaped = NULL;
2287 char *printername_escaped = NULL;
2288 LDAPMessage *res = NULL;
2289 bool ok;
2290 int ret = -1;
2291
2292 if (argc < 1 || c->display_usage) {
2293 d_printf("%s\n%s",
2294 _("Usage:"),
2295 _("net ads printer publish <printername> [servername]\n"
2296 " Publish printer in AD\n"
2297 " printername\tName of the printer\n"
2298 " servername\tName of the print server\n"));
2299 TALLOC_FREE(tmp_ctx);
2300 return -1;
2301 }
2302
2303 mods = ads_init_mods(tmp_ctx);
2304 if (mods == NULL) {
2305 d_fprintf(stderr, _("Out of memory\n"));
2306 goto out;
2307 }
2308
2309 status = ads_startup(c, true, tmp_ctx, &ads);
2310 if (!ADS_ERR_OK(status)) {
2311 goto out;
2312 }
2313
2314 printername = argv[0];
2315
2316 if (argc == 2) {
2317 servername = argv[1];
2318 } else {
2319 servername = lp_netbios_name();
2320 }
2321
2322 /* Get printer data from SPOOLSS */
2323
2324 ok = resolve_name(servername, &server_ss, 0x20, false);
2325 if (!ok) {
2326 d_fprintf(stderr, _("Could not find server %s\n"),
2327 servername);
2328 goto out;
2329 }
2330
2331 cli_credentials_set_kerberos_state(c->creds,
2332 CRED_USE_KERBEROS_REQUIRED,
2333 CRED_SPECIFIED);
2334
2335 nt_status = cli_full_connection_creds(c,
2336 &cli,
2337 lp_netbios_name(),
2338 servername,
2339 &server_ss,
2340 0,
2341 "IPC$",
2342 "IPC",
2343 c->creds,
2344 CLI_FULL_CONNECTION_IPC);
2345
2346 if (NT_STATUS_IS_ERR(nt_status)) {
2347 d_fprintf(stderr, _("Unable to open a connection to %s to "
2348 "obtain data for %s\n"),
2349 servername, printername);
2350 goto out;
2351 }
2352
2353 /* Publish on AD server */
2354
2355 ads_find_machine_acct(ads, &res, servername);
2356
2357 if (ads_count_replies(ads, res) == 0) {
2358 d_fprintf(stderr, _("Could not find machine account for server "
2359 "%s\n"),
2360 servername);
2361 goto out;
2362 }
2363
2364 srv_dn = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res);
2365 srv_cn = ldap_explode_dn(srv_dn, 1);
2366
2367 srv_cn_escaped = escape_rdn_val_string_alloc(srv_cn[0]);
2368 printername_escaped = escape_rdn_val_string_alloc(printername);
2369 if (!srv_cn_escaped || !printername_escaped) {
2370 SAFE_FREE(srv_cn_escaped);
2371 SAFE_FREE(printername_escaped);
2372 d_fprintf(stderr, _("Internal error, out of memory!"));
2373 goto out;
2374 }
2375
2376 prt_dn = talloc_asprintf(tmp_ctx,
2377 "cn=%s-%s,%s",
2378 srv_cn_escaped,
2379 printername_escaped,
2380 srv_dn);
2381 if (prt_dn == NULL) {
2382 SAFE_FREE(srv_cn_escaped);
2383 SAFE_FREE(printername_escaped);
2384 d_fprintf(stderr, _("Internal error, out of memory!"));
2385 goto out;
2386 }
2387
2388 SAFE_FREE(srv_cn_escaped);
2389 SAFE_FREE(printername_escaped);
2390
2391 nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
2392 if (!NT_STATUS_IS_OK(nt_status)) {
2393 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
2394 servername);
2395 goto out;
2396 }
2397
2398 if (!W_ERROR_IS_OK(get_remote_printer_publishing_data(pipe_hnd,
2399 tmp_ctx,
2400 &mods,
2401 printername))) {
2402 goto out;
2403 }
2404
2405 status = ads_add_printer_entry(ads, prt_dn, tmp_ctx, &mods);
2406 if (!ADS_ERR_OK(status)) {
2407 d_fprintf(stderr, "ads_publish_printer: %s\n",
2408 ads_errstr(status));
2409 goto out;
2410 }
2411
2412 d_printf("published printer\n");
2413
2414 ret = 0;
2415 out:
2416 talloc_destroy(tmp_ctx);
2417
2418 return ret;
2419 }
2420
2421 static int net_ads_printer_remove(struct net_context *c,
2422 int argc,
2423 const char **argv)
2424 {
2425 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2426 ADS_STRUCT *ads = NULL;
2427 ADS_STATUS status;
2428 const char *servername = NULL;
2429 char *prt_dn = NULL;
2430 LDAPMessage *res = NULL;
2431 int ret = -1;
2432
2433 if (argc < 1 || c->display_usage) {
2434 d_printf("%s\n%s",
2435 _("Usage:"),
2436 _("net ads printer remove <printername> [servername]\n"
2437 " Remove a printer from the AD\n"
2438 " printername\tName of the printer\n"
2439 " servername\tName of the print server\n"));
2440 TALLOC_FREE(tmp_ctx);
2441 return -1;
2442 }
2443
2444 status = ads_startup(c, true, tmp_ctx, &ads);
2445 if (!ADS_ERR_OK(status)) {
2446 goto out;
2447 }
2448
2449 if (argc > 1) {
2450 servername = argv[1];
2451 } else {
2452 servername = lp_netbios_name();
2453 }
2454
2455 status = ads_find_printer_on_server(ads, &res, argv[0], servername);
2456 if (!ADS_ERR_OK(status)) {
2457 d_fprintf(stderr, _("ads_find_printer_on_server: %s\n"),
2458 ads_errstr(status));
2459 goto out;
2460 }
2461
2462 if (ads_count_replies(ads, res) == 0) {
2463 d_fprintf(stderr, _("Printer '%s' not found\n"), argv[1]);
2464 goto out;
2465 }
2466
2467 prt_dn = ads_get_dn(ads, tmp_ctx, res);
2468 if (prt_dn == NULL) {
2469 d_fprintf(stderr, _("Out of memory\n"));
2470 goto out;
2471 }
2472
2473 status = ads_del_dn(ads, prt_dn);
2474 if (!ADS_ERR_OK(status)) {
2475 d_fprintf(stderr, _("ads_del_dn: %s\n"), ads_errstr(status));
2476 goto out;
2477 }
2478
2479 ret = 0;
2480 out:
2481 ads_msgfree(ads, res);
2482 TALLOC_FREE(tmp_ctx);
2483 return ret;
2484 }
2485
2486 static int net_ads_printer(struct net_context *c, int argc, const char **argv)
2487 {
2488 struct functable func[] = {
2489 {
2490 "search",
2491 net_ads_printer_search,
2492 NET_TRANSPORT_ADS,
2493 N_("Search for a printer"),
2494 N_("net ads printer search\n"
2495 " Search for a printer")
2496 },
2497 {
2498 "info",
2499 net_ads_printer_info,
2500 NET_TRANSPORT_ADS,
2501 N_("Display printer information"),
2502 N_("net ads printer info\n"
2503 " Display printer information")
2504 },
2505 {
2506 "publish",
2507 net_ads_printer_publish,
2508 NET_TRANSPORT_ADS,
2509 N_("Publish a printer"),
2510 N_("net ads printer publish\n"
2511 " Publish a printer")
2512 },
2513 {
2514 "remove",
2515 net_ads_printer_remove,
2516 NET_TRANSPORT_ADS,
2517 N_("Delete a printer"),
2518 N_("net ads printer remove\n"
2519 " Delete a printer")
2520 },
2521 {NULL, NULL, 0, NULL, NULL}
2522 };
2523
2524 return net_run_function(c, argc, argv, "net ads printer", func);
2525 }
2526
2527
2528 static int net_ads_password(struct net_context *c, int argc, const char **argv)
2529 {
2530 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2531 ADS_STRUCT *ads = NULL;
2532 const char *auth_principal = cli_credentials_get_username(c->creds);
2533 const char *auth_password = cli_credentials_get_password(c->creds);
2534 const char *realm = NULL;
2535 char *new_password = NULL;
2536 char *chr = NULL;
2537 char *prompt = NULL;
2538 const char *user = NULL;
2539 char pwd[256] = {0};
2540 ADS_STATUS status;
2541 int ret = 0;
2542
2543 if (c->display_usage) {
2544 d_printf("%s\n%s",
2545 _("Usage:"),
2546 _("net ads password <username>\n"
2547 " Change password for user\n"
2548 " username\tName of user to change password for\n"));
2549 TALLOC_FREE(tmp_ctx);
2550 return -1;
2551 }
2552
2553 if (auth_principal == NULL || auth_password == NULL) {
2554 d_fprintf(stderr, _("You must supply an administrator "
2555 "username/password\n"));
2556 TALLOC_FREE(tmp_ctx);
2557 return -1;
2558 }
2559
2560 if (argc < 1) {
2561 d_fprintf(stderr, _("ERROR: You must say which username to "
2562 "change password for\n"));
2563 TALLOC_FREE(tmp_ctx);
2564 return -1;
2565 }
2566
2567 if (strchr_m(argv[0], '@')) {
2568 user = talloc_strdup(tmp_ctx, argv[0]);
2569 } else {
2570 user = talloc_asprintf(tmp_ctx, "%s@%s", argv[0], lp_realm());
2571 }
2572 if (user == NULL) {
2573 d_fprintf(stderr, _("Out of memory\n"));
2574 goto out;
2575 }
2576
2577 chr = strchr_m(auth_principal, '@');
2578 if (chr) {
2579 realm = ++chr;
2580 } else {
2581 realm = lp_realm();
2582 }
2583
2584 /* use the realm so we can eventually change passwords for users
2585 in realms other than default */
2586 ads = ads_init(tmp_ctx,
2587 realm,
2588 c->opt_workgroup,
2589 c->opt_host,
2590 ADS_SASL_PLAIN);
2591 if (ads == NULL) {
2592 goto out;
2593 }
2594
2595 /* we don't actually need a full connect, but it's the easy way to
2596 fill in the KDC's address */
2597 ads->auth.flags |= ADS_AUTH_GENERATE_KRB5_CONFIG;
2598 ads_connect_cldap_only(ads);
2599
2600 if (!ads->config.realm) {
2601 d_fprintf(stderr, _("Didn't find the kerberos server!\n"));
2602 goto out;
2603 }
2604
2605 if (argv[1] != NULL) {
2606 new_password = talloc_strdup(tmp_ctx, argv[1]);
2607 } else {
2608 int rc;
2609
2610 prompt = talloc_asprintf(tmp_ctx, _("Enter new password for %s:"), user);
2611 if (prompt == NULL) {
2612 d_fprintf(stderr, _("Out of memory\n"));
2613 goto out;
2614 }
2615
2616 rc = samba_getpass(prompt, pwd, sizeof(pwd), false, true);
2617 if (rc < 0) {
2618 goto out;
2619 }
2620 new_password = talloc_strdup(tmp_ctx, pwd);
2621 memset(pwd, '\0', sizeof(pwd));
2622 }
2623
2624 if (new_password == NULL) {
2625 d_fprintf(stderr, _("Out of memory\n"));
2626 goto out;
2627 }
2628
2629 status = kerberos_set_password(auth_principal,
2630 auth_password,
2631 user,
2632 new_password);
2633 memset(new_password, '\0', strlen(new_password));
2634 if (!ADS_ERR_OK(status)) {
2635 d_fprintf(stderr, _("Password change failed: %s\n"),
2636 ads_errstr(status));
2637 goto out;
2638 }
2639
2640 d_printf(_("Password change for %s completed.\n"), user);
2641
2642 ret = 0;
2643 out:
2644 TALLOC_FREE(tmp_ctx);
2645 return ret;
2646 }
2647
2648 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
2649 {
2650 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2651 ADS_STRUCT *ads = NULL;
2652 char *host_principal = NULL;
2653 char *my_name = NULL;
2654 ADS_STATUS status;
2655 int ret = -1;
2656
2657 if (c->display_usage) {
2658 d_printf( "%s\n"
2659 "net ads changetrustpw\n"
2660 " %s\n",
2661 _("Usage:"),
2662 _("Change the machine account's trust password"));
2663 TALLOC_FREE(tmp_ctx);
2664 return -1;
2665 }
2666
2667 if (!secrets_init()) {
2668 DEBUG(1,("Failed to initialise secrets database\n"));
2669 goto out;
2670 }
2671
2672 net_warn_member_options();
2673
2674 net_use_krb_machine_account(c);
2675
2676 status = ads_startup(c, true, tmp_ctx, &ads);
2677 if (!ADS_ERR_OK(status)) {
2678 goto out;
2679 }
2680
2681 my_name = talloc_asprintf_strlower_m(tmp_ctx, "%s", lp_netbios_name());
2682 if (my_name == NULL) {
2683 d_fprintf(stderr, _("Out of memory\n"));
2684 goto out;
2685 }
2686
2687 host_principal = talloc_asprintf(tmp_ctx, "%s$@%s", my_name, ads->config.realm);
2688 if (host_principal == NULL) {
2689 d_fprintf(stderr, _("Out of memory\n"));
2690 goto out;
2691 }
2692
2693 d_printf(_("Changing password for principal: %s\n"), host_principal);
2694
2695 status = ads_change_trust_account_password(ads, host_principal);
2696 if (!ADS_ERR_OK(status)) {
2697 d_fprintf(stderr, _("Password change failed: %s\n"), ads_errstr(status));
2698 goto out;
2699 }
2700
2701 d_printf(_("Password change for principal %s succeeded.\n"), host_principal);
2702
2703 ret = 0;
2704 out:
2705 TALLOC_FREE(tmp_ctx);
2706
2707 return ret;
2708 }
2709
2710 /*
2711 help for net ads search
2712 */
2713 static int net_ads_search_usage(struct net_context *c, int argc, const char **argv)
2714 {
2715 d_printf(_(
2716 "\nnet ads search <expression> <attributes...>\n"
2717 "\nPerform a raw LDAP search on a ADS server and dump the results.\n"
2718 "The expression is a standard LDAP search expression, and the\n"
2719 "attributes are a list of LDAP fields to show in the results.\n\n"
2720 "Example: net ads search '(objectCategory=group)' sAMAccountName\n\n"
2721 ));
2722 net_common_flags_usage(c, argc, argv);
2723 return -1;
2724 }
2725
2726
2727 /*
2728 general ADS search function. Useful in diagnosing problems in ADS
2729 */
2730 static int net_ads_search(struct net_context *c, int argc, const char **argv)
2731 {
2732 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2733 ADS_STRUCT *ads = NULL;
2734 ADS_STATUS status;
2735 const char *ldap_exp = NULL;
2736 const char **attrs = NULL;
2737 LDAPMessage *res = NULL;
2738 int ret = -1;
2739
2740 if (argc < 1 || c->display_usage) {
2741 TALLOC_FREE(tmp_ctx);
2742 return net_ads_search_usage(c, argc, argv);
2743 }
2744
2745 status = ads_startup(c, false, tmp_ctx, &ads);
2746 if (!ADS_ERR_OK(status)) {
2747 goto out;
2748 }
2749
2750 ldap_exp = argv[0];
2751 attrs = (argv + 1);
2752
2753 status = ads_do_search_retry(ads,
2754 ads->config.bind_path,
2755 LDAP_SCOPE_SUBTREE,
2756 ldap_exp,
2757 attrs,
2758 &res);
2759 if (!ADS_ERR_OK(status)) {
2760 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(status));
2761 goto out;
2762 }
2763
2764 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2765
2766 /* dump the results */
2767 ads_dump(ads, res);
2768
2769 ret = 0;
2770 out:
2771 ads_msgfree(ads, res);
2772 TALLOC_FREE(tmp_ctx);
2773 return ret;
2774 }
2775
2776
2777 /*
2778 help for net ads search
2779 */
2780 static int net_ads_dn_usage(struct net_context *c, int argc, const char **argv)
2781 {
2782 d_printf(_(
2783 "\nnet ads dn <dn> <attributes...>\n"
2784 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2785 "The DN standard LDAP DN, and the attributes are a list of LDAP fields \n"
2786 "to show in the results\n\n"
2787 "Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' sAMAccountName\n\n"
2788 "Note: the DN must be provided properly escaped. See RFC 4514 for details\n\n"
2789 ));
2790 net_common_flags_usage(c, argc, argv);
2791 return -1;
2792 }
2793
2794
2795 /*
2796 general ADS search function. Useful in diagnosing problems in ADS
2797 */
2798 static int net_ads_dn(struct net_context *c, int argc, const char **argv)
2799 {
2800 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2801 ADS_STRUCT *ads = NULL;
2802 ADS_STATUS status;
2803 const char *dn = NULL;
2804 const char **attrs = NULL;
2805 LDAPMessage *res = NULL;
2806 int ret = -1;
2807
2808 if (argc < 1 || c->display_usage) {
2809 TALLOC_FREE(tmp_ctx);
2810 return net_ads_dn_usage(c, argc, argv);
2811 }
2812
2813 status = ads_startup(c, false, tmp_ctx, &ads);
2814 if (!ADS_ERR_OK(status)) {
2815 goto out;
2816 }
2817
2818 dn = argv[0];
2819 attrs = (argv + 1);
2820
2821 status = ads_do_search_all(ads,
2822 dn,
2823 LDAP_SCOPE_BASE,
2824 "(objectclass=*)",
2825 attrs,
2826 &res);
2827 if (!ADS_ERR_OK(status)) {
2828 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(status));
2829 goto out;
2830 }
2831
2832 d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
2833
2834 /* dump the results */
2835 ads_dump(ads, res);
2836
2837 ret = 0;
2838 out:
2839 ads_msgfree(ads, res);
2840 TALLOC_FREE(tmp_ctx);
2841 return ret;
2842 }
2843
2844 /*
2845 help for net ads sid search
2846 */
2847 static int net_ads_sid_usage(struct net_context *c, int argc, const char **argv)
2848 {
2849 d_printf(_(
2850 "\nnet ads sid <sid> <attributes...>\n"
2851 "\nperform a raw LDAP search on a ADS server and dump the results\n"
2852 "The SID is in string format, and the attributes are a list of LDAP fields \n"
2853 "to show in the results\n\n"
2854 "Example: net ads sid 'S-1-5-32' distinguishedName\n\n"
2855 ));
2856 net_common_flags_usage(c, argc, argv);
2857 return -1;
2858 }
2859
2860
2861 /*
2862 general ADS search function. Useful in diagnosing problems in ADS
2863 */
2864 static int net_ads_sid(struct net_context *c, int argc, const char **argv)
2865 {
2866 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2867 ADS_STRUCT *ads = NULL;
2868 ADS_STATUS status;
2869 const char *sid_string = NULL;
2870 const char **attrs = NULL;
2871 LDAPMessage *res = NULL;
2872 struct dom_sid sid = { 0 };
2873 int ret = -1;
2874
2875 if (argc < 1 || c->display_usage) {
2876 TALLOC_FREE(tmp_ctx);
2877 return net_ads_sid_usage(c, argc, argv);
2878 }
2879
2880 status = ads_startup(c, false, tmp_ctx, &ads);
2881 if (!ADS_ERR_OK(status)) {
2882 goto out;
2883 }
2884
2885 sid_string = argv[0];
2886 attrs = (argv + 1);
2887
2888 if (!string_to_sid(&sid, sid_string)) {
2889 d_fprintf(stderr, _("could not convert sid\n"));
2890 goto out;
2891 }
2892
2893 status = ads_search_retry_sid(ads, &res, &sid, attrs);
2894 if (!ADS_ERR_OK(status)) {
2895 d_fprintf(stderr, _("search failed: %s\n"), ads_errstr(status));
2896 goto out;
2897 }
2898
2899 d_printf(_("Got %d replies\n\n"), ads_count_replies(ads, res));
2900
2901 /* dump the results */
2902 ads_dump(ads, res);
2903
2904 ret = 0;
2905 out:
2906 ads_msgfree(ads, res);
2907 TALLOC_FREE(tmp_ctx);
2908 return ret;
2909 }
2910
2911 static int net_ads_keytab_flush(struct net_context *c,
2912 int argc,
2913 const char **argv)
2914 {
2915 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2916 ADS_STRUCT *ads = NULL;
2917 ADS_STATUS status;
2918 int ret = -1;
2919
2920 if (c->display_usage) {
2921 d_printf( "%s\n"
2922 "net ads keytab flush\n"
2923 " %s\n",
2924 _("Usage:"),
2925 _("Delete the whole keytab"));
2926 TALLOC_FREE(tmp_ctx);
2927 return -1;
2928 }
2929
2930 if (!c->explicit_credentials) {
2931 net_use_krb_machine_account(c);
2932 }
2933
2934 status = ads_startup(c, true, tmp_ctx, &ads);
2935 if (!ADS_ERR_OK(status)) {
2936 goto out;
2937 }
2938
2939 ret = ads_keytab_flush(ads);
2940 out:
2941 TALLOC_FREE(tmp_ctx);
2942 return ret;
2943 }
2944
2945 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
2946 {
2947 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2948 ADS_STRUCT *ads = NULL;
2949 ADS_STATUS status;
2950 NTSTATUS ntstatus;
2951 int ret = -1;
2952
2953 if (c->display_usage) {
2954 d_printf( "%s\n"
2955 "net ads keytab create\n"
2956 " %s\n",
2957 _("Usage:"),
2958 _("Create (sync) new default keytab"));
2959 TALLOC_FREE(tmp_ctx);
2960 return -1;
2961 }
2962
2963 net_warn_member_options();
2964
2965 if (!c->explicit_credentials) {
2966 net_use_krb_machine_account(c);
2967 }
2968
2969 status = ads_startup(c, true, tmp_ctx, &ads);
2970 if (!ADS_ERR_OK(status)) {
2971 goto out;
2972 }
2973
2974 ntstatus = sync_pw2keytabs();
2975 ret = NT_STATUS_IS_OK(ntstatus) ? 0 : 1;
2976 out:
2977 TALLOC_FREE(tmp_ctx);
2978 return ret;
2979 }
2980
2981 static int net_ads_keytab_list(struct net_context *c, int argc, const char **argv)
2982 {
2983 const char *keytab = NULL;
2984
2985 if (c->display_usage) {
2986 d_printf("%s\n%s",
2987 _("Usage:"),
2988 _("net ads keytab list [keytab]\n"
2989 " List a local keytab\n"
2990 " keytab\tKeytab to list\n"));
2991 return -1;
2992 }
2993
2994 if (argc >= 1) {
2995 keytab = argv[0];
2996 }
2997
2998 return ads_keytab_list(keytab);
2999 }
3000
3001 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
3002 {
3003 struct functable func[] = {
3004 {
3005 "create",
3006 net_ads_keytab_create,
3007 NET_TRANSPORT_ADS,
3008 N_("Create (sync) a fresh keytab"),
3009 N_("net ads keytab create\n"
3010 " Create (sync) a fresh keytab or update existing one (see also smb.conf 'sync machine password to keytab'.")
3011 },
3012 {
3013 "flush",
3014 net_ads_keytab_flush,
3015 NET_TRANSPORT_ADS,
3016 N_("Remove all keytab entries"),
3017 N_("net ads keytab flush\n"
3018 " Remove all keytab entries")
3019 },
3020 {
3021 "list",
3022 net_ads_keytab_list,
3023 NET_TRANSPORT_ADS,
3024 N_("List a keytab"),
3025 N_("net ads keytab list\n"
3026 " List a keytab")
3027 },
3028 {NULL, NULL, 0, NULL, NULL}
3029 };
3030
3031 return net_run_function(c, argc, argv, "net ads keytab", func);
3032 }
3033
3034 static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **argv)
3035 {
3036 int ret = -1;
3037
3038 if (c->display_usage) {
3039 d_printf( "%s\n"
3040 "net ads kerberos renew\n"
3041 " %s\n",
3042 _("Usage:"),
3043 _("Renew TGT from existing credential cache"));
3044 return -1;
3045 }
3046
3047 ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
3048 if (ret) {
3049 d_printf(_("failed to renew kerberos ticket: %s\n"),
3050 error_message(ret));
3051 }
3052 return ret;
3053 }
3054
3055 static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
3056 struct PAC_DATA_CTR **pac_data_ctr)
3057 {
3058 NTSTATUS status;
3059 int ret = -1;
3060 const char *impersonate_princ_s = NULL;
3061 const char *local_service = NULL;
3062 const char *principal = NULL;
3063 const char *password = NULL;
3064 int i;
3065
3066 for (i=0; i<argc; i++) {
3067 if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
3068 impersonate_princ_s = get_string_param(argv[i]);
3069 if (impersonate_princ_s == NULL) {
3070 return -1;
3071 }
3072 }
3073 if (strnequal(argv[i], "local_service", strlen("local_service"))) {
3074 local_service = get_string_param(argv[i]);
3075 if (local_service == NULL) {
3076 return -1;
3077 }
3078 }
3079 }
3080
3081 if (local_service == NULL) {
3082 local_service = talloc_asprintf(c, "%s$@%s",
3083 lp_netbios_name(), lp_realm());
3084 if (local_service == NULL) {
3085 goto out;
3086 }
3087 }
3088
3089 principal = cli_credentials_get_principal(c->creds, c);
3090 if (principal == NULL) {
3091 d_printf("cli_credentials_get_principal() failed\n");
3092 goto out;
3093 }
3094 password = cli_credentials_get_password(c->creds);
3095
3096 status = kerberos_return_pac(c,
3097 principal,
3098 password,
3099 0,
3100 NULL,
3101 NULL,
3102 NULL,
3103 true,
3104 true,
3105 2592000, /* one month */
3106 impersonate_princ_s,
3107 local_service,
3108 NULL,
3109 NULL,
3110 pac_data_ctr);
3111 if (!NT_STATUS_IS_OK(status)) {
3112 d_printf(_("failed to query kerberos PAC: %s\n"),
3113 nt_errstr(status));
3114 goto out;
3115 }
3116
3117 ret = 0;
3118 out:
3119 return ret;
3120 }
3121
3122 static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
3123 {
3124 struct PAC_DATA_CTR *pac_data_ctr = NULL;
3125 int i, num_buffers;
3126 int ret = -1;
3127 enum PAC_TYPE type = 0;
3128
3129 if (c->display_usage) {
3130 d_printf( "%s\n"
3131 "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
3132 " %s\n",
3133 _("Usage:"),
3134 _("Dump the Kerberos PAC"));
3135 return -1;
3136 }
3137
3138 for (i=0; i<argc; i++) {
3139 if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
3140 type = get_int_param(argv[i]);
3141 }
3142 }
3143
3144 ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
3145 if (ret) {
3146 return ret;
3147 }
3148
3149 if (type == 0) {
3150
3151 char *s = NULL;
3152
3153 s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
3154 pac_data_ctr->pac_data);
3155 if (s != NULL) {
3156 d_printf(_("The Pac: %s\n"), s);
3157 talloc_free(s);
3158 }
3159
3160 return 0;
3161 }
3162
3163 num_buffers = pac_data_ctr->pac_data->num_buffers;
3164
3165 for (i=0; i<num_buffers; i++) {
3166
3167 char *s = NULL;
3168
3169 if (pac_data_ctr->pac_data->buffers[i].type != type) {
3170 continue;
3171 }
3172
3173 s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
3174 pac_data_ctr->pac_data->buffers[i].info);
3175 if (s != NULL) {
3176 d_printf(_("The Pac: %s\n"), s);
3177 talloc_free(s);
3178 }
3179 break;
3180 }
3181
3182 return 0;
3183 }
3184
3185 static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
3186 {
3187 struct PAC_DATA_CTR *pac_data_ctr = NULL;
3188 char *filename = NULL;
3189 int ret = -1;
3190 int i;
3191
3192 if (c->display_usage) {
3193 d_printf( "%s\n"
3194 "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
3195 " %s\n",
3196 _("Usage:"),
3197 _("Save the Kerberos PAC"));
3198 return -1;
3199 }
3200
3201 for (i=0; i<argc; i++) {
3202 if (strnequal(argv[i], "filename", strlen("filename"))) {
3203 filename = get_string_param(argv[i]);
3204 if (filename == NULL) {
3205 return -1;
3206 }
3207 }
3208 }
3209
3210 ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
3211 if (ret) {
3212 return ret;
3213 }
3214
3215 if (filename == NULL) {
3216 d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
3217 return -1;
3218 }
3219
3220 /* save the raw format */
3221 if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
3222 d_printf(_("failed to save PAC in %s\n"), filename);
3223 return -1;
3224 }
3225
3226 return 0;
3227 }
3228
3229 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
3230 {
3231 struct functable func[] = {
3232 {
3233 "dump",
3234 net_ads_kerberos_pac_dump,
3235 NET_TRANSPORT_ADS,
3236 N_("Dump Kerberos PAC"),
3237 N_("net ads kerberos pac dump\n"
3238 " Dump a Kerberos PAC to stdout")
3239 },
3240 {
3241 "save",
3242 net_ads_kerberos_pac_save,
3243 NET_TRANSPORT_ADS,
3244 N_("Save Kerberos PAC"),
3245 N_("net ads kerberos pac save\n"
3246 " Save a Kerberos PAC in a file")
3247 },
3248
3249 {NULL, NULL, 0, NULL, NULL}
3250 };
3251
3252 return net_run_function(c, argc, argv, "net ads kerberos pac", func);
3253 }
3254
3255 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
3256 {
3257 int ret = -1;
3258 NTSTATUS status;
3259 const char *principal = NULL;
3260 const char *password = NULL;
3261
3262 if (c->display_usage) {
3263 d_printf( "%s\n"
3264 "net ads kerberos kinit\n"
3265 " %s\n",
3266 _("Usage:"),
3267 _("Get Ticket Granting Ticket (TGT) for the user"));
3268 return -1;
3269 }
3270
3271 principal = cli_credentials_get_principal(c->creds, c);
3272 if (principal == NULL) {
3273 d_printf("cli_credentials_get_principal() failed\n");
3274 return -1;
3275 }
3276 password = cli_credentials_get_password(c->creds);
3277
3278 ret = kerberos_kinit_password_ext(principal,
3279 password,
3280 0,
3281 NULL,
3282 NULL,
3283 NULL,
3284 true,
3285 true,
3286 2592000, /* one month */
3287 NULL,
3288 NULL,
3289 NULL,
3290 &status);
3291 if (ret) {
3292 d_printf(_("failed to kinit password: %s\n"),
3293 nt_errstr(status));
3294 }
3295 return ret;
3296 }
3297
3298 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
3299 {
3300 struct functable func[] = {
3301 {
3302 "kinit",
3303 net_ads_kerberos_kinit,
3304 NET_TRANSPORT_ADS,
3305 N_("Retrieve Ticket Granting Ticket (TGT)"),
3306 N_("net ads kerberos kinit\n"
3307 " Receive Ticket Granting Ticket (TGT)")
3308 },
3309 {
3310 "renew",
3311 net_ads_kerberos_renew,
3312 NET_TRANSPORT_ADS,
3313 N_("Renew Ticket Granting Ticket from credential cache"),
3314 N_("net ads kerberos renew\n"
3315 " Renew Ticket Granting Ticket (TGT) from "
3316 "credential cache")
3317 },
3318 {
3319 "pac",
3320 net_ads_kerberos_pac,
3321 NET_TRANSPORT_ADS,
3322 N_("Dump Kerberos PAC"),
3323 N_("net ads kerberos pac\n"
3324 " Dump Kerberos PAC")
3325 },
3326 {NULL, NULL, 0, NULL, NULL}
3327 };
3328
3329 return net_run_function(c, argc, argv, "net ads kerberos", func);
3330 }
3331
3332 static int net_ads_setspn_list(struct net_context *c,
3333 int argc,
3334 const char **argv)
3335 {
3336 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3337 ADS_STRUCT *ads = NULL;
3338 ADS_STATUS status;
3339 bool ok = false;
3340 int ret = -1;
3341
3342 if (c->display_usage) {
3343 d_printf("%s\n%s",
3344 _("Usage:"),
3345 _("net ads setspn list <machinename>\n"));
3346 TALLOC_FREE(tmp_ctx);
3347 return -1;
3348 }
3349
3350 status = ads_startup(c, true, tmp_ctx, &ads);
3351 if (!ADS_ERR_OK(status)) {
3352 goto out;
3353 }
3354
3355 if (argc) {
3356 ok = ads_setspn_list(ads, argv[0]);
3357 } else {
3358 ok = ads_setspn_list(ads, lp_netbios_name());
3359 }
3360
3361 ret = ok ? 0 : -1;
3362 out:
3363 TALLOC_FREE(tmp_ctx);
3364 return ret;
3365 }
3366
3367 static int net_ads_setspn_add(struct net_context *c, int argc, const char **argv)
3368 {
3369 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3370 ADS_STRUCT *ads = NULL;
3371 ADS_STATUS status;
3372 bool ok = false;
3373 int ret = -1;
3374
3375 if (c->display_usage || argc < 1) {
3376 d_printf("%s\n%s",
3377 _("Usage:"),
3378 _("net ads setspn add <machinename> SPN\n"));
3379 TALLOC_FREE(tmp_ctx);
3380 return -1;
3381 }
3382
3383 status = ads_startup(c, true, tmp_ctx, &ads);
3384 if (!ADS_ERR_OK(status)) {
3385 goto out;
3386 }
3387
3388 if (argc > 1) {
3389 ok = ads_setspn_add(ads, argv[0], argv[1]);
3390 } else {
3391 ok = ads_setspn_add(ads, lp_netbios_name(), argv[0]);
3392 }
3393
3394 ret = ok ? 0 : -1;
3395 out:
3396 TALLOC_FREE(tmp_ctx);
3397 return ret;
3398 }
3399
3400 static int net_ads_setspn_delete(struct net_context *c, int argc, const char **argv)
3401 {
3402 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3403 ADS_STRUCT *ads = NULL;
3404 ADS_STATUS status;
3405 bool ok = false;
3406 int ret = -1;
3407
3408 if (c->display_usage || argc < 1) {
3409 d_printf("%s\n%s",
3410 _("Usage:"),
3411 _("net ads setspn delete <machinename> SPN\n"));
3412 TALLOC_FREE(tmp_ctx);
3413 return -1;
3414 }
3415
3416 status = ads_startup(c, true, tmp_ctx, &ads);
3417 if (!ADS_ERR_OK(status)) {
3418 goto out;
3419 }
3420
3421 if (argc > 1) {
3422 ok = ads_setspn_delete(ads, argv[0], argv[1]);
3423 } else {
3424 ok = ads_setspn_delete(ads, lp_netbios_name(), argv[0]);
3425 }
3426
3427 ret = ok ? 0 : -1;
3428 out:
3429 TALLOC_FREE(tmp_ctx);
3430 return ret;
3431 }
3432
3433 int net_ads_setspn(struct net_context *c, int argc, const char **argv)
3434 {
3435 struct functable func[] = {
3436 {
3437 "list",
3438 net_ads_setspn_list,
3439 NET_TRANSPORT_ADS,
3440 N_("List Service Principal Names (SPN)"),
3441 N_("net ads setspn list machine\n"
3442 " List Service Principal Names (SPN)")
3443 },
3444 {
3445 "add",
3446 net_ads_setspn_add,
3447 NET_TRANSPORT_ADS,
3448 N_("Add Service Principal Names (SPN)"),
3449 N_("net ads setspn add machine spn\n"
3450 " Add Service Principal Names (SPN)")
3451 },
3452 {
3453 "delete",
3454 net_ads_setspn_delete,
3455 NET_TRANSPORT_ADS,
3456 N_("Delete Service Principal Names (SPN)"),
3457 N_("net ads setspn delete machine spn\n"
3458 " Delete Service Principal Names (SPN)")
3459 },
3460 {NULL, NULL, 0, NULL, NULL}
3461 };
3462
3463 return net_run_function(c, argc, argv, "net ads setspn", func);
3464 }
3465
3466 static int net_ads_enctype_lookup_account(struct net_context *c,
3467 ADS_STRUCT *ads,
3468 const char *account,
3469 LDAPMessage **res,
3470 const char **enctype_str)
3471 {
3472 const char *filter;
3473 const char *attrs[] = {
3474 "msDS-SupportedEncryptionTypes",
3475 NULL
3476 };
3477 int count;
3478 int ret = -1;
3479 ADS_STATUS status;
3480
3481 filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
3482 account);
3483 if (filter == NULL) {
3484 goto done;
3485 }
3486
3487 status = ads_search(ads, res, filter, attrs);
3488 if (!ADS_ERR_OK(status)) {
3489 d_printf(_("no account found with filter: %s\n"), filter);
3490 goto done;
3491 }
3492
3493 count = ads_count_replies(ads, *res);
3494 switch (count) {
3495 case 1:
3496 break;
3497 case 0:
3498 d_printf(_("no account found with filter: %s\n"), filter);
3499 goto done;
3500 default:
3501 d_printf(_("multiple accounts found with filter: %s\n"), filter);
3502 goto done;
3503 }
3504
3505 if (enctype_str) {
3506 *enctype_str = ads_pull_string(ads, c, *res,
3507 "msDS-SupportedEncryptionTypes");
3508 if (*enctype_str == NULL) {
3509 d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
3510 goto done;
3511 }
3512 }
3513
3514 ret = 0;
3515 done:
3516 return ret;
3517 }
3518
3519 static void net_ads_enctype_dump_enctypes(const char *username,
3520 const char *enctype_str)
3521 {
3522 int enctypes = atoi(enctype_str);
3523
3524 d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\": %d (0x%08x)\n"),
3525 username, enctypes, enctypes);
3526
3527 printf("[%s] 0x%08x DES-CBC-CRC\n",
3528 enctypes & ENC_CRC32 ? "X" : " ",
3529 ENC_CRC32);
3530 printf("[%s] 0x%08x DES-CBC-MD5\n",
3531 enctypes & ENC_RSA_MD5 ? "X" : " ",
3532 ENC_RSA_MD5);
3533 printf("[%s] 0x%08x RC4-HMAC\n",
3534 enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
3535 ENC_RC4_HMAC_MD5);
3536 printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
3537 enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
3538 ENC_HMAC_SHA1_96_AES128);
3539 printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
3540 enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
3541 ENC_HMAC_SHA1_96_AES256);
3542 printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96-SK\n",
3543 enctypes & ENC_HMAC_SHA1_96_AES256_SK ? "X" : " ",
3544 ENC_HMAC_SHA1_96_AES256_SK);
3545 printf("[%s] 0x%08x RESOURCE-SID-COMPRESSION-DISABLED\n",
3546 enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED ? "X" : " ",
3547 KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED);
3548 }
3549
3550 static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
3551 {
3552 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3553 ADS_STATUS status;
3554 ADS_STRUCT *ads = NULL;
3555 LDAPMessage *res = NULL;
3556 const char *str = NULL;
3557 int ret = -1;
3558
3559 if (c->display_usage || (argc < 1)) {
3560 d_printf( "%s\n"
3561 "net ads enctypes list\n"
3562 " %s\n",
3563 _("Usage:"),
3564 _("List supported enctypes"));
3565 TALLOC_FREE(tmp_ctx);
3566 return -1;
3567 }
3568
3569 status = ads_startup(c, false, tmp_ctx, &ads);
3570 if (!ADS_ERR_OK(status)) {
3571 goto out;
3572 }
3573
3574 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
3575 if (ret) {
3576 goto out;
3577 }
3578
3579 net_ads_enctype_dump_enctypes(argv[0], str);
3580
3581 ret = 0;
3582 out:
3583 ads_msgfree(ads, res);
3584 TALLOC_FREE(tmp_ctx);
3585 return ret;
3586 }
3587
3588 static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
3589 {
3590 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3591 int ret = -1;
3592 ADS_STATUS status;
3593 ADS_STRUCT *ads = NULL;
3594 LDAPMessage *res = NULL;
3595 const char *etype_list_str = NULL;
3596 const char *dn = NULL;
3597 ADS_MODLIST mods = NULL;
3598 uint32_t etype_list;
3599 const char *str = NULL;
3600
3601 if (c->display_usage || argc < 1) {
3602 d_printf( "%s\n"
3603 "net ads enctypes set <sAMAccountName> [enctypes]\n"
3604 " %s\n",
3605 _("Usage:"),
3606 _("Set supported enctypes"));
3607 TALLOC_FREE(tmp_ctx);
3608 return -1;
3609 }
3610
3611 status = ads_startup(c, false, tmp_ctx, &ads);
3612 if (!ADS_ERR_OK(status)) {
3613 goto done;
3614 }
3615
3616 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
3617 if (ret) {
3618 goto done;
3619 }
3620
3621 dn = ads_get_dn(ads, tmp_ctx, res);
3622 if (dn == NULL) {
3623 goto done;
3624 }
3625
3626 etype_list = 0;
3627 etype_list |= ENC_RC4_HMAC_MD5;
3628 etype_list |= ENC_HMAC_SHA1_96_AES128;
3629 etype_list |= ENC_HMAC_SHA1_96_AES256;
3630
3631 if (argv[1] != NULL) {
3632 sscanf(argv[1], "%i", &etype_list);
3633 }
3634
3635 etype_list_str = talloc_asprintf(tmp_ctx, "%d", etype_list);
3636 if (!etype_list_str) {
3637 goto done;
3638 }
3639
3640 mods = ads_init_mods(tmp_ctx);
3641 if (!mods) {
3642 goto done;
3643 }
3644
3645 status = ads_mod_str(tmp_ctx, &mods, "msDS-SupportedEncryptionTypes",
3646 etype_list_str);
3647 if (!ADS_ERR_OK(status)) {
3648 goto done;
3649 }
3650
3651 status = ads_gen_mod(ads, dn, mods);
3652 if (!ADS_ERR_OK(status)) {
3653 d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
3654 ads_errstr(status));
3655 goto done;
3656 }
3657
3658 ads_msgfree(ads, res);
3659 res = NULL;
3660
3661 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
3662 if (ret) {
3663 goto done;
3664 }
3665
3666 net_ads_enctype_dump_enctypes(argv[0], str);
3667
3668 ret = 0;
3669 done:
3670 ads_msgfree(ads, res);
3671 TALLOC_FREE(tmp_ctx);
3672 return ret;
3673 }
3674
3675 static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
3676 {
3677 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3678 int ret = -1;
3679 ADS_STATUS status;
3680 ADS_STRUCT *ads = NULL;
3681 LDAPMessage *res = NULL;
3682 const char *dn = NULL;
3683 ADS_MODLIST mods = NULL;
3684
3685 if (c->display_usage || argc < 1) {
3686 d_printf( "%s\n"
3687 "net ads enctypes delete <sAMAccountName>\n"
3688 " %s\n",
3689 _("Usage:"),
3690 _("Delete supported enctypes"));
3691 TALLOC_FREE(tmp_ctx);
3692 return -1;
3693 }
3694
3695 status = ads_startup(c, false, tmp_ctx, &ads);
3696 if (!ADS_ERR_OK(status)) {
3697 goto done;
3698 }
3699
3700 ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
3701 if (ret) {
3702 goto done;
3703 }
3704
3705 dn = ads_get_dn(ads, tmp_ctx, res);
3706 if (dn == NULL) {
3707 goto done;
3708 }
3709
3710 mods = ads_init_mods(tmp_ctx);
3711 if (!mods) {
3712 goto done;
3713 }
3714
3715 status = ads_mod_str(tmp_ctx, &mods, "msDS-SupportedEncryptionTypes", NULL);
3716 if (!ADS_ERR_OK(status)) {
3717 goto done;
3718 }
3719
3720 status = ads_gen_mod(ads, dn, mods);
3721 if (!ADS_ERR_OK(status)) {
3722 d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
3723 ads_errstr(status));
3724 goto done;
3725 }
3726
3727 ret = 0;
3728
3729 done:
3730 ads_msgfree(ads, res);
3731 TALLOC_FREE(tmp_ctx);
3732 return ret;
3733 }
3734
3735 static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
3736 {
3737 struct functable func[] = {
3738 {
3739 "list",
3740 net_ads_enctypes_list,
3741 NET_TRANSPORT_ADS,
3742 N_("List the supported encryption types"),
3743 N_("net ads enctypes list\n"
3744 " List the supported encryption types")
3745 },
3746 {
3747 "set",
3748 net_ads_enctypes_set,
3749 NET_TRANSPORT_ADS,
3750 N_("Set the supported encryption types"),
3751 N_("net ads enctypes set\n"
3752 " Set the supported encryption types")
3753 },
3754 {
3755 "delete",
3756 net_ads_enctypes_delete,
3757 NET_TRANSPORT_ADS,
3758 N_("Delete the supported encryption types"),
3759 N_("net ads enctypes delete\n"
3760 " Delete the supported encryption types")
3761 },
3762
3763 {NULL, NULL, 0, NULL, NULL}
3764 };
3765
3766 return net_run_function(c, argc, argv, "net ads enctypes", func);
3767 }
3768
3769
3770 int net_ads(struct net_context *c, int argc, const char **argv)
3771 {
3772 struct functable func[] = {
3773 {
3774 "info",
3775 net_ads_info,
3776 NET_TRANSPORT_ADS,
3777 N_("Display details on remote ADS server"),
3778 N_("net ads info\n"
3779 " Display details on remote ADS server")
3780 },
3781 {
3782 "join",
3783 net_ads_join,
3784 NET_TRANSPORT_ADS,
3785 N_("Join the local machine to ADS realm"),
3786 N_("net ads join\n"
3787 " Join the local machine to ADS realm")
3788 },
3789 {
3790 "testjoin",
3791 net_ads_testjoin,
3792 NET_TRANSPORT_ADS,
3793 N_("Validate machine account"),
3794 N_("net ads testjoin\n"
3795 " Validate machine account")
3796 },
3797 {
3798 "leave",
3799 net_ads_leave,
3800 NET_TRANSPORT_ADS,
3801 N_("Remove the local machine from ADS"),
3802 N_("net ads leave\n"
3803 " Remove the local machine from ADS")
3804 },
3805 {
3806 "status",
3807 net_ads_status,
3808 NET_TRANSPORT_ADS,
3809 N_("Display machine account details"),
3810 N_("net ads status\n"
3811 " Display machine account details")
3812 },
3813 {
3814 "user",
3815 net_ads_user,
3816 NET_TRANSPORT_ADS,
3817 N_("List/modify users"),
3818 N_("net ads user\n"
3819 " List/modify users")
3820 },
3821 {
3822 "group",
3823 net_ads_group,
3824 NET_TRANSPORT_ADS,
3825 N_("List/modify groups"),
3826 N_("net ads group\n"
3827 " List/modify groups")
3828 },
3829 {
3830 "dns",
3831 net_ads_dns,
3832 NET_TRANSPORT_ADS,
3833 N_("Issue dynamic DNS update"),
3834 N_("net ads dns\n"
3835 " Issue dynamic DNS update")
3836 },
3837 {
3838 "password",
3839 net_ads_password,
3840 NET_TRANSPORT_ADS,
3841 N_("Change user passwords"),
3842 N_("net ads password\n"
3843 " Change user passwords")
3844 },
3845 {
3846 "changetrustpw",
3847 net_ads_changetrustpw,
3848 NET_TRANSPORT_ADS,
3849 N_("Change trust account password"),
3850 N_("net ads changetrustpw\n"
3851 " Change trust account password")
3852 },
3853 {
3854 "printer",
3855 net_ads_printer,
3856 NET_TRANSPORT_ADS,
3857 N_("List/modify printer entries"),
3858 N_("net ads printer\n"
3859 " List/modify printer entries")
3860 },
3861 {
3862 "search",
3863 net_ads_search,
3864 NET_TRANSPORT_ADS,
3865 N_("Issue LDAP search using filter"),
3866 N_("net ads search\n"
3867 " Issue LDAP search using filter")
3868 },
3869 {
3870 "dn",
3871 net_ads_dn,
3872 NET_TRANSPORT_ADS,
3873 N_("Issue LDAP search by DN"),
3874 N_("net ads dn\n"
3875 " Issue LDAP search by DN")
3876 },
3877 {
3878 "sid",
3879 net_ads_sid,
3880 NET_TRANSPORT_ADS,
3881 N_("Issue LDAP search by SID"),
3882 N_("net ads sid\n"
3883 " Issue LDAP search by SID")
3884 },
3885 {
3886 "workgroup",
3887 net_ads_workgroup,
3888 NET_TRANSPORT_ADS,
3889 N_("Display workgroup name"),
3890 N_("net ads workgroup\n"
3891 " Display the workgroup name")
3892 },
3893 {
3894 "lookup",
3895 net_ads_lookup,
3896 NET_TRANSPORT_ADS,
3897 N_("Perform CLDAP query on DC"),
3898 N_("net ads lookup\n"
3899 " Find the ADS DC using CLDAP lookups")
3900 },
3901 {
3902 "keytab",
3903 net_ads_keytab,
3904 NET_TRANSPORT_ADS,
3905 N_("Manage local keytab file"),
3906 N_("net ads keytab\n"
3907 " Manage local keytab file")
3908 },
3909 {
3910 "setspn",
3911 net_ads_setspn,
3912 NET_TRANSPORT_ADS,
3913 N_("Manage Service Principal Names (SPN)s"),
3914 N_("net ads spnset\n"
3915 " Manage Service Principal Names (SPN)s")
3916 },
3917 {
3918 "gpo",
3919 net_ads_gpo,
3920 NET_TRANSPORT_ADS,
3921 N_("Manage group policy objects"),
3922 N_("net ads gpo\n"
3923 " Manage group policy objects")
3924 },
3925 {
3926 "kerberos",
3927 net_ads_kerberos,
3928 NET_TRANSPORT_ADS,
3929 N_("Manage kerberos keytab"),
3930 N_("net ads kerberos\n"
3931 " Manage kerberos keytab")
3932 },
3933 {
3934 "enctypes",
3935 net_ads_enctypes,
3936 NET_TRANSPORT_ADS,
3937 N_("List/modify supported encryption types"),
3938 N_("net ads enctypes\n"
3939 " List/modify enctypes")
3940 },
3941 {NULL, NULL, 0, NULL, NULL}
3942 };
3943
3944 return net_run_function(c, argc, argv, "net ads", func);
3945 }
3946
3947 #else
3948
3949 static int net_ads_noads(void)
3950 {
3951 d_fprintf(stderr, _("ADS support not compiled in\n"));
3952 return -1;
3953 }
3954
3955 int net_ads_keytab(struct net_context *c, int argc, const char **argv)
3956 {
3957 return net_ads_noads();
3958 }
3959
3960 int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
3961 {
3962 return net_ads_noads();
3963 }
3964
3965 int net_ads_setspn(struct net_context *c, int argc, const char **argv)
3966 {
3967 return net_ads_noads();
3968 }
3969
3970 int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
3971 {
3972 return net_ads_noads();
3973 }
3974
3975 int net_ads_join(struct net_context *c, int argc, const char **argv)
3976 {
3977 return net_ads_noads();
3978 }
3979
3980 int net_ads_user(struct net_context *c, int argc, const char **argv)
3981 {
3982 return net_ads_noads();
3983 }
3984
3985 int net_ads_group(struct net_context *c, int argc, const char **argv)
3986 {
3987 return net_ads_noads();
3988 }
3989
3990 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
3991 {
3992 return net_ads_noads();
3993 }
3994
3995 /* this one shouldn't display a message */
3996 int net_ads_check(struct net_context *c)
3997 {
3998 return -1;
3999 }
4000
4001 int net_ads_check_our_domain(struct net_context *c)
4002 {
4003 return -1;
4004 }
4005
4006 int net_ads(struct net_context *c, int argc, const char **argv)
4007 {
4008 return net_ads_noads();
4009 }
4010
4011 #endif /* HAVE_ADS */
GSS-enabled samba4