Line data Source code
1 : /*
2 : * Unix SMB/CIFS implementation.
3 : * Local SAM access routines
4 : * Copyright (C) Volker Lendecke 2006
5 : *
6 : * This program is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU General Public License as published by
8 : * the Free Software Foundation; either version 3 of the License, or
9 : * (at your option) any later version.
10 : *
11 : * This program is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU General Public License
17 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 : */
19 :
20 :
21 : #include "includes.h"
22 : #include "system/passwd.h"
23 : #include "utils/net.h"
24 : #include "../librpc/gen_ndr/samr.h"
25 : #include "smbldap.h"
26 : #include "../libcli/security/security.h"
27 : #include "lib/winbind_util.h"
28 : #include "passdb.h"
29 : #include "passdb/pdb_ldap_util.h"
30 : #include "passdb/pdb_ldap_schema.h"
31 : #include "lib/privileges.h"
32 : #include "secrets.h"
33 : #include "idmap.h"
34 : #include "lib/util/smb_strtox.h"
35 : #include "lib/util/string_wrappers.h"
36 : #include "source3/lib/substitute.h"
37 :
38 : /*
39 : * Set a user's data
40 : */
41 :
42 0 : static int net_sam_userset(struct net_context *c, int argc, const char **argv,
43 : const char *field,
44 : bool (*fn)(struct samu *, const char *,
45 : enum pdb_value_state))
46 : {
47 0 : struct samu *sam_acct = NULL;
48 0 : struct dom_sid sid;
49 0 : enum lsa_SidType type;
50 0 : const char *dom, *name;
51 0 : NTSTATUS status;
52 :
53 0 : if (argc != 2 || c->display_usage) {
54 0 : d_fprintf(stderr, "%s\n", _("Usage:"));
55 0 : d_fprintf(stderr, _("net sam set %s <user> <value>\n"),
56 : field);
57 0 : return -1;
58 : }
59 :
60 0 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
61 : &dom, &name, &sid, &type)) {
62 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
63 0 : return -1;
64 : }
65 :
66 0 : if (type != SID_NAME_USER) {
67 0 : d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
68 : sid_type_lookup(type));
69 0 : return -1;
70 : }
71 :
72 0 : if ( !(sam_acct = samu_new( NULL )) ) {
73 0 : d_fprintf(stderr, _("Internal error\n"));
74 0 : return -1;
75 : }
76 :
77 0 : if (!pdb_getsampwsid(sam_acct, &sid)) {
78 0 : d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
79 0 : return -1;
80 : }
81 :
82 0 : if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
83 0 : d_fprintf(stderr, _("Internal error\n"));
84 0 : return -1;
85 : }
86 :
87 0 : status = pdb_update_sam_account(sam_acct);
88 0 : if (!NT_STATUS_IS_OK(status)) {
89 0 : d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
90 : argv[0], nt_errstr(status));
91 0 : return -1;
92 : }
93 :
94 0 : TALLOC_FREE(sam_acct);
95 :
96 0 : d_printf(_("Updated %s for %s\\%s to %s\n"), field, dom, name, argv[1]);
97 0 : return 0;
98 : }
99 :
100 0 : static int net_sam_set_fullname(struct net_context *c, int argc,
101 : const char **argv)
102 : {
103 0 : return net_sam_userset(c, argc, argv, "fullname",
104 : pdb_set_fullname);
105 : }
106 :
107 0 : static int net_sam_set_logonscript(struct net_context *c, int argc,
108 : const char **argv)
109 : {
110 0 : return net_sam_userset(c, argc, argv, "logonscript",
111 : pdb_set_logon_script);
112 : }
113 :
114 0 : static int net_sam_set_profilepath(struct net_context *c, int argc,
115 : const char **argv)
116 : {
117 0 : return net_sam_userset(c, argc, argv, "profilepath",
118 : pdb_set_profile_path);
119 : }
120 :
121 0 : static int net_sam_set_homedrive(struct net_context *c, int argc,
122 : const char **argv)
123 : {
124 0 : return net_sam_userset(c, argc, argv, "homedrive",
125 : pdb_set_dir_drive);
126 : }
127 :
128 0 : static int net_sam_set_homedir(struct net_context *c, int argc,
129 : const char **argv)
130 : {
131 0 : return net_sam_userset(c, argc, argv, "homedir",
132 : pdb_set_homedir);
133 : }
134 :
135 0 : static int net_sam_set_workstations(struct net_context *c, int argc,
136 : const char **argv)
137 : {
138 0 : return net_sam_userset(c, argc, argv, "workstations",
139 : pdb_set_workstations);
140 : }
141 :
142 : /*
143 : * Set account flags
144 : */
145 :
146 9 : static int net_sam_set_userflag(struct net_context *c, int argc,
147 : const char **argv, const char *field,
148 : uint16_t flag)
149 : {
150 9 : struct samu *sam_acct = NULL;
151 0 : struct dom_sid sid;
152 0 : enum lsa_SidType type;
153 0 : const char *dom, *name;
154 0 : NTSTATUS status;
155 0 : uint32_t acct_flags;
156 :
157 9 : if ((argc != 2) || c->display_usage ||
158 9 : (!strequal(argv[1], "yes") &&
159 3 : !strequal(argv[1], "no"))) {
160 0 : d_fprintf(stderr, "%s\n", _("Usage:"));
161 0 : d_fprintf(stderr, _("net sam set %s <user> [yes|no]\n"),
162 : field);
163 0 : return -1;
164 : }
165 :
166 9 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
167 : &dom, &name, &sid, &type)) {
168 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
169 0 : return -1;
170 : }
171 :
172 9 : if (type != SID_NAME_USER) {
173 0 : d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
174 : sid_type_lookup(type));
175 0 : return -1;
176 : }
177 :
178 9 : if ( !(sam_acct = samu_new( NULL )) ) {
179 0 : d_fprintf(stderr, _("Internal error\n"));
180 0 : return -1;
181 : }
182 :
183 9 : if (!pdb_getsampwsid(sam_acct, &sid)) {
184 0 : d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
185 0 : return -1;
186 : }
187 :
188 9 : acct_flags = pdb_get_acct_ctrl(sam_acct);
189 :
190 9 : if (strequal(argv[1], "yes")) {
191 6 : acct_flags |= flag;
192 : } else {
193 3 : acct_flags &= ~flag;
194 : }
195 :
196 9 : pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
197 :
198 9 : status = pdb_update_sam_account(sam_acct);
199 9 : if (!NT_STATUS_IS_OK(status)) {
200 0 : d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
201 : argv[0], nt_errstr(status));
202 0 : return -1;
203 : }
204 :
205 9 : TALLOC_FREE(sam_acct);
206 :
207 9 : d_fprintf(stderr, _("Updated flag %s for %s\\%s to %s\n"), field, dom,
208 9 : name, argv[1]);
209 9 : return 0;
210 : }
211 :
212 6 : static int net_sam_set_disabled(struct net_context *c, int argc,
213 : const char **argv)
214 : {
215 6 : return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
216 : }
217 :
218 0 : static int net_sam_set_pwnotreq(struct net_context *c, int argc,
219 : const char **argv)
220 : {
221 0 : return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
222 : }
223 :
224 0 : static int net_sam_set_autolock(struct net_context *c, int argc,
225 : const char **argv)
226 : {
227 0 : return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
228 : }
229 :
230 3 : static int net_sam_set_pwnoexp(struct net_context *c, int argc,
231 : const char **argv)
232 : {
233 3 : return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
234 : }
235 :
236 : /*
237 : * Set pass last change time, based on force pass change now
238 : */
239 :
240 3 : static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
241 : const char **argv)
242 : {
243 3 : struct samu *sam_acct = NULL;
244 0 : struct dom_sid sid;
245 0 : enum lsa_SidType type;
246 0 : const char *dom, *name;
247 0 : NTSTATUS status;
248 :
249 3 : if ((argc != 2) || c->display_usage ||
250 3 : (!strequal(argv[1], "yes") &&
251 0 : !strequal(argv[1], "no"))) {
252 0 : d_fprintf(stderr, "%s\n%s",
253 : _("Usage:"),
254 : _("net sam set pwdmustchangenow <user> [yes|no]\n"));
255 0 : return -1;
256 : }
257 :
258 3 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
259 : &dom, &name, &sid, &type)) {
260 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
261 0 : return -1;
262 : }
263 :
264 3 : if (type != SID_NAME_USER) {
265 0 : d_fprintf(stderr, _("%s is a %s, not a user\n"), argv[0],
266 : sid_type_lookup(type));
267 0 : return -1;
268 : }
269 :
270 3 : if ( !(sam_acct = samu_new( NULL )) ) {
271 0 : d_fprintf(stderr, _("Internal error\n"));
272 0 : return -1;
273 : }
274 :
275 3 : if (!pdb_getsampwsid(sam_acct, &sid)) {
276 0 : d_fprintf(stderr, _("Loading user %s failed\n"), argv[0]);
277 0 : return -1;
278 : }
279 :
280 3 : if (strequal(argv[1], "yes")) {
281 3 : pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
282 : } else {
283 0 : pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
284 : }
285 :
286 3 : status = pdb_update_sam_account(sam_acct);
287 3 : if (!NT_STATUS_IS_OK(status)) {
288 0 : d_fprintf(stderr, _("Updating sam account %s failed with %s\n"),
289 : argv[0], nt_errstr(status));
290 0 : return -1;
291 : }
292 :
293 3 : TALLOC_FREE(sam_acct);
294 :
295 3 : d_fprintf(stderr, _("Updated 'user must change password at next logon' "
296 : "for %s\\%s to %s\n"), dom,
297 3 : name, argv[1]);
298 3 : return 0;
299 : }
300 :
301 :
302 : /*
303 : * Set a user's or a group's comment
304 : */
305 :
306 0 : static int net_sam_set_comment(struct net_context *c, int argc,
307 : const char **argv)
308 : {
309 0 : GROUP_MAP *map;
310 0 : struct dom_sid sid;
311 0 : enum lsa_SidType type;
312 0 : const char *dom, *name;
313 0 : NTSTATUS status;
314 :
315 0 : if (argc != 2 || c->display_usage) {
316 0 : d_fprintf(stderr, "%s\n%s",
317 : _("Usage:"),
318 : _("net sam set comment <name> <comment>\n"));
319 0 : return -1;
320 : }
321 :
322 0 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
323 : &dom, &name, &sid, &type)) {
324 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
325 0 : return -1;
326 : }
327 :
328 0 : if (type == SID_NAME_USER) {
329 0 : return net_sam_userset(c, argc, argv, "comment",
330 : pdb_set_acct_desc);
331 : }
332 :
333 0 : if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
334 0 : (type != SID_NAME_WKN_GRP)) {
335 0 : d_fprintf(stderr, _("%s is a %s, not a group\n"), argv[0],
336 : sid_type_lookup(type));
337 0 : return -1;
338 : }
339 :
340 0 : map = talloc_zero(talloc_tos(), GROUP_MAP);
341 0 : if (!map) {
342 0 : d_fprintf(stderr, _("Out of memory!\n"));
343 0 : return -1;
344 : }
345 :
346 0 : if (!pdb_getgrsid(map, sid)) {
347 0 : d_fprintf(stderr, _("Could not load group %s\n"), argv[0]);
348 0 : return -1;
349 : }
350 :
351 0 : map->comment = talloc_strdup(map, argv[1]);
352 0 : if (!map->comment) {
353 0 : d_fprintf(stderr, _("Out of memory!\n"));
354 0 : return -1;
355 : }
356 :
357 0 : status = pdb_update_group_mapping_entry(map);
358 :
359 0 : if (!NT_STATUS_IS_OK(status)) {
360 0 : d_fprintf(stderr, _("Updating group mapping entry failed with "
361 : "%s\n"), nt_errstr(status));
362 0 : return -1;
363 : }
364 :
365 0 : d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
366 0 : argv[1]);
367 :
368 0 : TALLOC_FREE(map);
369 0 : return 0;
370 : }
371 :
372 12 : static int net_sam_set(struct net_context *c, int argc, const char **argv)
373 : {
374 12 : struct functable func[] = {
375 : {
376 : "homedir",
377 : net_sam_set_homedir,
378 : NET_TRANSPORT_LOCAL,
379 : N_("Change a user's home directory"),
380 : N_("net sam set homedir\n"
381 : " Change a user's home directory")
382 : },
383 : {
384 : "profilepath",
385 : net_sam_set_profilepath,
386 : NET_TRANSPORT_LOCAL,
387 : N_("Change a user's profile path"),
388 : N_("net sam set profilepath\n"
389 : " Change a user's profile path")
390 : },
391 : {
392 : "comment",
393 : net_sam_set_comment,
394 : NET_TRANSPORT_LOCAL,
395 : N_("Change a users or groups description"),
396 : N_("net sam set comment\n"
397 : " Change a users or groups description")
398 : },
399 : {
400 : "fullname",
401 : net_sam_set_fullname,
402 : NET_TRANSPORT_LOCAL,
403 : N_("Change a user's full name"),
404 : N_("net sam set fullname\n"
405 : " Change a user's full name")
406 : },
407 : {
408 : "logonscript",
409 : net_sam_set_logonscript,
410 : NET_TRANSPORT_LOCAL,
411 : N_("Change a user's logon script"),
412 : N_("net sam set logonscript\n"
413 : " Change a user's logon script")
414 : },
415 : {
416 : "homedrive",
417 : net_sam_set_homedrive,
418 : NET_TRANSPORT_LOCAL,
419 : N_("Change a user's home drive"),
420 : N_("net sam set homedrive\n"
421 : " Change a user's home drive")
422 : },
423 : {
424 : "workstations",
425 : net_sam_set_workstations,
426 : NET_TRANSPORT_LOCAL,
427 : N_("Change a user's allowed workstations"),
428 : N_("net sam set workstations\n"
429 : " Change a user's allowed workstations")
430 : },
431 : {
432 : "disabled",
433 : net_sam_set_disabled,
434 : NET_TRANSPORT_LOCAL,
435 : N_("Disable/Enable a user"),
436 : N_("net sam set disable\n"
437 : " Disable/Enable a user")
438 : },
439 : {
440 : "pwnotreq",
441 : net_sam_set_pwnotreq,
442 : NET_TRANSPORT_LOCAL,
443 : N_("Disable/Enable the password not required flag"),
444 : N_("net sam set pwnotreq\n"
445 : " Disable/Enable the password not required flag")
446 : },
447 : {
448 : "autolock",
449 : net_sam_set_autolock,
450 : NET_TRANSPORT_LOCAL,
451 : N_("Disable/Enable a user's lockout flag"),
452 : N_("net sam set autolock\n"
453 : " Disable/Enable a user's lockout flag")
454 : },
455 : {
456 : "pwnoexp",
457 : net_sam_set_pwnoexp,
458 : NET_TRANSPORT_LOCAL,
459 : N_("Disable/Enable whether a user's pw does not "
460 : "expire"),
461 : N_("net sam set pwnoexp\n"
462 : " Disable/Enable whether a user's pw does not "
463 : "expire")
464 : },
465 : {
466 : "pwdmustchangenow",
467 : net_sam_set_pwdmustchangenow,
468 : NET_TRANSPORT_LOCAL,
469 : N_("Force users password must change at next logon"),
470 : N_("net sam set pwdmustchangenow\n"
471 : " Force users password must change at next logon")
472 : },
473 : {NULL, NULL, 0, NULL, NULL}
474 : };
475 :
476 12 : return net_run_function(c, argc, argv, "net sam set", func);
477 : }
478 :
479 : /*
480 : * Manage account policies
481 : */
482 :
483 0 : static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
484 : {
485 0 : const char *account_policy = NULL;
486 0 : uint32_t value = 0;
487 0 : uint32_t old_value = 0;
488 0 : enum pdb_policy_type field;
489 0 : int err = 0;
490 :
491 0 : if (argc != 2 || c->display_usage) {
492 0 : d_fprintf(stderr, "%s\n%s",
493 : _("Usage:"),
494 : _("net sam policy set \"<account policy>\" <value>\n"));
495 0 : return -1;
496 : }
497 :
498 0 : account_policy = argv[0];
499 0 : field = account_policy_name_to_typenum(account_policy);
500 :
501 0 : if (strequal(argv[1], "forever") || strequal(argv[1], "never")
502 0 : || strequal(argv[1], "off")) {
503 0 : value = -1;
504 : }
505 : else {
506 0 : value = smb_strtoul(argv[1],
507 : NULL,
508 : 10,
509 : &err,
510 : SMB_STR_FULL_STR_CONV);
511 :
512 0 : if (err != 0) {
513 0 : d_printf(_("Unable to set policy \"%s\"! Invalid value "
514 : "\"%s\".\n"),
515 0 : account_policy, argv[1]);
516 0 : return -1;
517 : }
518 : }
519 :
520 0 : if (field == 0) {
521 0 : const char **names;
522 0 : int i, count;
523 :
524 0 : account_policy_names_list(talloc_tos(), &names, &count);
525 0 : d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
526 0 : d_fprintf(stderr, _("Valid account policies are:\n"));
527 :
528 0 : for (i=0; i<count; i++) {
529 0 : d_fprintf(stderr, "%s\n", names[i]);
530 : }
531 :
532 0 : TALLOC_FREE(names);
533 :
534 0 : return -1;
535 : }
536 :
537 0 : if (!pdb_get_account_policy(field, &old_value)) {
538 0 : d_fprintf(stderr, _("Valid account policy, but unable to fetch "
539 : "value!\n"));
540 : } else {
541 0 : d_printf(_("Account policy \"%s\" value was: %d\n"),
542 : account_policy, old_value);
543 : }
544 :
545 0 : if (!pdb_set_account_policy(field, value)) {
546 0 : d_fprintf(stderr, _("Valid account policy, but unable to "
547 : "set value!\n"));
548 0 : return -1;
549 : } else {
550 0 : d_printf(_("Account policy \"%s\" value is now: %d\n"),
551 : account_policy, value);
552 : }
553 :
554 0 : return 0;
555 : }
556 :
557 0 : static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
558 : {
559 0 : const char *account_policy = NULL;
560 0 : uint32_t old_value;
561 0 : enum pdb_policy_type field;
562 :
563 0 : if (argc != 1 || c->display_usage) {
564 0 : d_fprintf(stderr, "%s\n%s",
565 : _("Usage:"),
566 : _("net sam policy show \"<account policy>\"\n"));
567 0 : return -1;
568 : }
569 :
570 0 : account_policy = argv[0];
571 0 : field = account_policy_name_to_typenum(account_policy);
572 :
573 0 : if (field == 0) {
574 0 : const char **names;
575 0 : int count;
576 0 : int i;
577 0 : account_policy_names_list(talloc_tos(), &names, &count);
578 0 : d_fprintf(stderr, _("No account policy by that name!\n"));
579 0 : if (count != 0) {
580 0 : d_fprintf(stderr, _("Valid account policies "
581 : "are:\n"));
582 0 : for (i=0; i<count; i++) {
583 0 : d_fprintf(stderr, "%s\n", names[i]);
584 : }
585 : }
586 0 : TALLOC_FREE(names);
587 0 : return -1;
588 : }
589 :
590 0 : if (!pdb_get_account_policy(field, &old_value)) {
591 0 : fprintf(stderr, _("Valid account policy, but unable to "
592 : "fetch value!\n"));
593 0 : return -1;
594 : }
595 :
596 0 : printf(_("Account policy \"%s\" description: %s\n"),
597 : account_policy, account_policy_get_desc(field));
598 0 : printf(_("Account policy \"%s\" value is: %d\n"), account_policy,
599 : old_value);
600 0 : return 0;
601 : }
602 :
603 0 : static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
604 : {
605 0 : const char **names;
606 0 : int count;
607 0 : int i;
608 :
609 0 : if (c->display_usage) {
610 0 : d_printf( "%s\n"
611 : "net sam policy list\n"
612 : " %s\n",
613 : _("Usage:"),
614 : _("List account policies"));
615 0 : return 0;
616 : }
617 :
618 0 : account_policy_names_list(talloc_tos(), &names, &count);
619 0 : if (count != 0) {
620 0 : d_fprintf(stderr, _("Valid account policies "
621 : "are:\n"));
622 0 : for (i = 0; i < count ; i++) {
623 0 : d_fprintf(stderr, "%s\n", names[i]);
624 : }
625 : }
626 0 : TALLOC_FREE(names);
627 0 : return -1;
628 : }
629 :
630 0 : static int net_sam_policy(struct net_context *c, int argc, const char **argv)
631 : {
632 0 : struct functable func[] = {
633 : {
634 : "list",
635 : net_sam_policy_list,
636 : NET_TRANSPORT_LOCAL,
637 : N_("List account policies"),
638 : N_("net sam policy list\n"
639 : " List account policies")
640 : },
641 : {
642 : "show",
643 : net_sam_policy_show,
644 : NET_TRANSPORT_LOCAL,
645 : N_("Show account policies"),
646 : N_("net sam policy show\n"
647 : " Show account policies")
648 : },
649 : {
650 : "set",
651 : net_sam_policy_set,
652 : NET_TRANSPORT_LOCAL,
653 : N_("Change account policies"),
654 : N_("net sam policy set\n"
655 : " Change account policies")
656 : },
657 : {NULL, NULL, 0, NULL, NULL}
658 : };
659 :
660 0 : return net_run_function(c, argc, argv, "net sam policy", func);
661 : }
662 :
663 0 : static int net_sam_rights_list(struct net_context *c, int argc,
664 : const char **argv)
665 : {
666 0 : enum sec_privilege privilege;
667 :
668 0 : if (argc > 1 || c->display_usage) {
669 0 : d_fprintf(stderr, "%s\n%s",
670 : _("Usage:"),
671 : _("net sam rights list [privilege name]\n"));
672 0 : return -1;
673 : }
674 :
675 0 : if (argc == 0) {
676 0 : int i;
677 0 : int num = num_privileges_in_short_list();
678 :
679 0 : for (i=0; i<num; i++) {
680 0 : d_printf("%s\n", sec_privilege_name_from_index(i));
681 : }
682 0 : return 0;
683 : }
684 :
685 0 : privilege = sec_privilege_id(argv[0]);
686 :
687 0 : if (privilege != SEC_PRIV_INVALID) {
688 0 : struct dom_sid *sids;
689 0 : int i, num_sids;
690 0 : NTSTATUS status;
691 :
692 0 : status = privilege_enum_sids(privilege, talloc_tos(),
693 : &sids, &num_sids);
694 0 : if (!NT_STATUS_IS_OK(status)) {
695 0 : d_fprintf(stderr, _("Could not list rights: %s\n"),
696 : nt_errstr(status));
697 0 : return -1;
698 : }
699 :
700 0 : for (i=0; i<num_sids; i++) {
701 0 : const char *dom, *name;
702 0 : enum lsa_SidType type;
703 0 : struct dom_sid_buf buf;
704 :
705 0 : if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
706 : &type)) {
707 0 : d_printf("%s\\%s\n", dom, name);
708 : }
709 : else {
710 0 : d_printf("%s\n",
711 0 : dom_sid_str_buf(&sids[i], &buf));
712 : }
713 : }
714 0 : return 0;
715 : }
716 :
717 0 : return -1;
718 : }
719 :
720 28 : static int net_sam_rights_grant(struct net_context *c, int argc,
721 : const char **argv)
722 : {
723 0 : struct dom_sid sid;
724 0 : enum lsa_SidType type;
725 0 : const char *dom, *name;
726 0 : int i;
727 :
728 28 : if (argc < 2 || c->display_usage) {
729 0 : d_fprintf(stderr, "%s\n%s",
730 : _("Usage:"),
731 : _("net sam rights grant <name> <rights> ...\n"));
732 0 : return -1;
733 : }
734 :
735 28 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
736 : &dom, &name, &sid, &type)) {
737 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
738 0 : return -1;
739 : }
740 :
741 56 : for (i=1; i < argc; i++) {
742 28 : enum sec_privilege privilege = sec_privilege_id(argv[i]);
743 28 : if (privilege == SEC_PRIV_INVALID) {
744 0 : d_fprintf(stderr, _("%s unknown\n"), argv[i]);
745 0 : return -1;
746 : }
747 :
748 28 : if (!grant_privilege_by_name(&sid, argv[i])) {
749 0 : d_fprintf(stderr, _("Could not grant privilege\n"));
750 0 : return -1;
751 : }
752 :
753 28 : d_printf(_("Granted %s to %s\\%s\n"), argv[i], dom, name);
754 : }
755 :
756 28 : return 0;
757 : }
758 :
759 20 : static int net_sam_rights_revoke(struct net_context *c, int argc,
760 : const char **argv)
761 : {
762 0 : struct dom_sid sid;
763 0 : enum lsa_SidType type;
764 0 : const char *dom, *name;
765 0 : int i;
766 :
767 20 : if (argc < 2 || c->display_usage) {
768 0 : d_fprintf(stderr, "%s\n%s",
769 : _("Usage:"),
770 : _("net sam rights revoke <name> <rights>\n"));
771 0 : return -1;
772 : }
773 :
774 20 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
775 : &dom, &name, &sid, &type)) {
776 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
777 0 : return -1;
778 : }
779 :
780 40 : for (i=1; i < argc; i++) {
781 20 : enum sec_privilege privilege = sec_privilege_id(argv[i]);
782 20 : if (privilege == SEC_PRIV_INVALID) {
783 0 : d_fprintf(stderr, _("%s unknown\n"), argv[i]);
784 0 : return -1;
785 : }
786 :
787 20 : if (!revoke_privilege_by_name(&sid, argv[i])) {
788 0 : d_fprintf(stderr, _("Could not revoke privilege\n"));
789 0 : return -1;
790 : }
791 :
792 20 : d_printf(_("Revoked %s from %s\\%s\n"), argv[i], dom, name);
793 : }
794 :
795 20 : return 0;
796 : }
797 :
798 48 : static int net_sam_rights(struct net_context *c, int argc, const char **argv)
799 : {
800 48 : struct functable func[] = {
801 : {
802 : "list",
803 : net_sam_rights_list,
804 : NET_TRANSPORT_LOCAL,
805 : N_("List possible user rights"),
806 : N_("net sam rights list\n"
807 : " List possible user rights")
808 : },
809 : {
810 : "grant",
811 : net_sam_rights_grant,
812 : NET_TRANSPORT_LOCAL,
813 : N_("Grant right(s)"),
814 : N_("net sam rights grant\n"
815 : " Grant right(s)")
816 : },
817 : {
818 : "revoke",
819 : net_sam_rights_revoke,
820 : NET_TRANSPORT_LOCAL,
821 : N_("Revoke right(s)"),
822 : N_("net sam rights revoke\n"
823 : " Revoke right(s)")
824 : },
825 : {NULL, NULL, 0, NULL, NULL}
826 : };
827 48 : return net_run_function(c, argc, argv, "net sam rights", func);
828 : }
829 :
830 : /*
831 : * Map a unix group to a domain group
832 : */
833 :
834 0 : static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *map)
835 : {
836 0 : const char *dom, *name;
837 0 : uint32_t rid;
838 :
839 0 : if (pdb_getgrgid(map, grp->gr_gid)) {
840 0 : return NT_STATUS_GROUP_EXISTS;
841 : }
842 :
843 0 : map->gid = grp->gr_gid;
844 :
845 0 : if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
846 : &dom, &name, NULL, NULL)) {
847 :
848 0 : map->nt_name = talloc_asprintf(map, "Unix Group %s",
849 0 : grp->gr_name);
850 :
851 0 : DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
852 : grp->gr_name, dom, name, map->nt_name));
853 : }
854 :
855 0 : if (lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
856 : NULL, NULL, NULL, NULL)) {
857 0 : DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
858 0 : return NT_STATUS_GROUP_EXISTS;
859 : }
860 :
861 0 : if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
862 0 : if (!pdb_new_rid(&rid)) {
863 0 : DEBUG(3, ("Could not get a new RID for %s\n",
864 : grp->gr_name));
865 0 : return NT_STATUS_ACCESS_DENIED;
866 : }
867 : } else {
868 0 : rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
869 : }
870 :
871 0 : sid_compose(&map->sid, get_global_sam_sid(), rid);
872 0 : map->sid_name_use = SID_NAME_DOM_GRP;
873 0 : map->comment = talloc_asprintf(map, "Unix Group %s", grp->gr_name);
874 :
875 0 : return pdb_add_group_mapping_entry(map);
876 : }
877 :
878 0 : static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
879 : {
880 0 : NTSTATUS status;
881 0 : GROUP_MAP *map;
882 0 : struct group *grp;
883 0 : struct dom_sid_buf buf;
884 :
885 0 : if (argc != 1 || c->display_usage) {
886 0 : d_fprintf(stderr, "%s\n%s",
887 : _("Usage:"),
888 : _("net sam mapunixgroup <name>\n"));
889 0 : return -1;
890 : }
891 :
892 0 : grp = getgrnam(argv[0]);
893 0 : if (grp == NULL) {
894 0 : d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
895 0 : return -1;
896 : }
897 :
898 0 : map = talloc_zero(talloc_tos(), GROUP_MAP);
899 0 : if (!map) {
900 0 : d_fprintf(stderr, _("Out of memory!\n"));
901 0 : return -1;
902 : }
903 :
904 0 : status = map_unix_group(grp, map);
905 :
906 0 : if (!NT_STATUS_IS_OK(status)) {
907 0 : d_fprintf(stderr, _("Mapping group %s failed with %s\n"),
908 : argv[0], nt_errstr(status));
909 0 : return -1;
910 : }
911 :
912 0 : d_printf(_("Mapped unix group %s to SID %s\n"), argv[0],
913 0 : dom_sid_str_buf(&map->sid, &buf));
914 :
915 0 : TALLOC_FREE(map);
916 0 : return 0;
917 : }
918 :
919 : /*
920 : * Remove a group mapping
921 : */
922 :
923 0 : static NTSTATUS unmap_unix_group(const struct group *grp)
924 : {
925 0 : struct dom_sid dom_sid;
926 0 : struct unixid id;
927 :
928 0 : if (!lookup_name(talloc_tos(), grp->gr_name, LOOKUP_NAME_LOCAL,
929 : NULL, NULL, NULL, NULL)) {
930 0 : DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
931 0 : return NT_STATUS_NO_SUCH_GROUP;
932 : }
933 :
934 0 : id.id = grp->gr_gid;
935 0 : id.type = ID_TYPE_GID;
936 0 : if (!pdb_id_to_sid(&id, &dom_sid)) {
937 0 : return NT_STATUS_UNSUCCESSFUL;
938 : }
939 :
940 0 : return pdb_delete_group_mapping_entry(dom_sid);
941 : }
942 :
943 0 : static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
944 : {
945 0 : NTSTATUS status;
946 0 : struct group *grp;
947 :
948 0 : if (argc != 1 || c->display_usage) {
949 0 : d_fprintf(stderr, "%s\n%s",
950 : _("Usage:"),
951 : _("net sam unmapunixgroup <name>\n"));
952 0 : return -1;
953 : }
954 :
955 0 : grp = getgrnam(argv[0]);
956 0 : if (grp == NULL) {
957 0 : d_fprintf(stderr, _("Could not find mapping for group %s.\n"),
958 : argv[0]);
959 0 : return -1;
960 : }
961 :
962 0 : status = unmap_unix_group(grp);
963 :
964 0 : if (!NT_STATUS_IS_OK(status)) {
965 0 : d_fprintf(stderr, _("Unmapping group %s failed with %s.\n"),
966 : argv[0], nt_errstr(status));
967 0 : return -1;
968 : }
969 :
970 0 : d_printf(_("Unmapped unix group %s.\n"), argv[0]);
971 :
972 0 : return 0;
973 : }
974 :
975 : /*
976 : * Create a domain group
977 : */
978 :
979 2 : static int net_sam_createdomaingroup(struct net_context *c, int argc,
980 : const char **argv)
981 : {
982 0 : NTSTATUS status;
983 0 : uint32_t rid;
984 :
985 2 : if (argc != 1 || c->display_usage) {
986 0 : d_fprintf(stderr, "%s\n%s",
987 : _("Usage:"),
988 : _("net sam createdomaingroup <name>\n"));
989 0 : return -1;
990 : }
991 :
992 2 : status = pdb_create_dom_group(talloc_tos(), argv[0], &rid);
993 :
994 2 : if (!NT_STATUS_IS_OK(status)) {
995 0 : d_fprintf(stderr, _("Creating %s failed with %s\n"),
996 : argv[0], nt_errstr(status));
997 0 : return -1;
998 : }
999 :
1000 2 : d_printf(_("Created domain group %s with RID %d\n"), argv[0], rid);
1001 :
1002 2 : return 0;
1003 : }
1004 :
1005 : /*
1006 : * Delete a domain group
1007 : */
1008 :
1009 2 : static int net_sam_deletedomaingroup(struct net_context *c, int argc,
1010 : const char **argv)
1011 : {
1012 0 : struct dom_sid sid;
1013 0 : uint32_t rid;
1014 0 : enum lsa_SidType type;
1015 0 : const char *dom, *name;
1016 0 : NTSTATUS status;
1017 :
1018 2 : if (argc != 1 || c->display_usage) {
1019 0 : d_fprintf(stderr, "%s\n%s",
1020 : _("Usage:"),
1021 : _("net sam deletelocalgroup <name>\n"));
1022 0 : return -1;
1023 : }
1024 :
1025 2 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1026 : &dom, &name, &sid, &type)) {
1027 0 : d_fprintf(stderr, _("Could not find %s.\n"), argv[0]);
1028 0 : return -1;
1029 : }
1030 :
1031 2 : if (type != SID_NAME_DOM_GRP) {
1032 0 : d_fprintf(stderr, _("%s is a %s, not a domain group.\n"),
1033 : argv[0], sid_type_lookup(type));
1034 0 : return -1;
1035 : }
1036 :
1037 2 : sid_peek_rid(&sid, &rid);
1038 :
1039 2 : status = pdb_delete_dom_group(talloc_tos(), rid);
1040 :
1041 2 : if (!NT_STATUS_IS_OK(status)) {
1042 0 : d_fprintf(stderr,_("Deleting domain group %s failed with %s\n"),
1043 : argv[0], nt_errstr(status));
1044 0 : return -1;
1045 : }
1046 :
1047 2 : d_printf(_("Deleted domain group %s.\n"), argv[0]);
1048 :
1049 2 : return 0;
1050 : }
1051 :
1052 : /*
1053 : * Create a local group
1054 : */
1055 :
1056 2 : static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
1057 : {
1058 0 : NTSTATUS status;
1059 0 : uint32_t rid;
1060 :
1061 2 : if (argc != 1 || c->display_usage) {
1062 0 : d_fprintf(stderr, "%s\n%s",
1063 : _("Usage:"),
1064 : _("net sam createlocalgroup <name>\n"));
1065 0 : return -1;
1066 : }
1067 :
1068 2 : if (!winbind_ping()) {
1069 0 : d_fprintf(stderr, _("winbind seems not to run. "
1070 : "createlocalgroup only works when winbind runs.\n"));
1071 0 : return -1;
1072 : }
1073 :
1074 2 : status = pdb_create_alias(argv[0], &rid);
1075 :
1076 2 : if (!NT_STATUS_IS_OK(status)) {
1077 0 : d_fprintf(stderr, _("Creating %s failed with %s\n"),
1078 : argv[0], nt_errstr(status));
1079 0 : return -1;
1080 : }
1081 :
1082 2 : d_printf(_("Created local group %s with RID %d\n"), argv[0], rid);
1083 :
1084 2 : return 0;
1085 : }
1086 :
1087 : /*
1088 : * Delete a local group
1089 : */
1090 :
1091 2 : static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
1092 : {
1093 0 : struct dom_sid sid;
1094 0 : enum lsa_SidType type;
1095 0 : const char *dom, *name;
1096 0 : NTSTATUS status;
1097 :
1098 2 : if (argc != 1 || c->display_usage) {
1099 0 : d_fprintf(stderr, "%s\n%s",
1100 : _("Usage:"),
1101 : _("net sam deletelocalgroup <name>\n"));
1102 0 : return -1;
1103 : }
1104 :
1105 2 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1106 : &dom, &name, &sid, &type)) {
1107 0 : d_fprintf(stderr,_("Could not find %s.\n"), argv[0]);
1108 0 : return -1;
1109 : }
1110 :
1111 2 : if (type != SID_NAME_ALIAS) {
1112 0 : d_fprintf(stderr, _("%s is a %s, not a local group.\n"),argv[0],
1113 : sid_type_lookup(type));
1114 0 : return -1;
1115 : }
1116 :
1117 2 : status = pdb_delete_alias(&sid);
1118 :
1119 2 : if (!NT_STATUS_IS_OK(status)) {
1120 0 : d_fprintf(stderr, _("Deleting local group %s failed with %s\n"),
1121 : argv[0], nt_errstr(status));
1122 0 : return -1;
1123 : }
1124 :
1125 2 : d_printf(_("Deleted local group %s.\n"), argv[0]);
1126 :
1127 2 : return 0;
1128 : }
1129 :
1130 : /*
1131 : * Create a builtin group
1132 : */
1133 :
1134 17 : static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
1135 : {
1136 0 : NTSTATUS status;
1137 0 : uint32_t rid;
1138 0 : enum lsa_SidType type;
1139 0 : fstring groupname;
1140 0 : struct dom_sid sid;
1141 :
1142 17 : if (argc != 1 || c->display_usage) {
1143 0 : d_fprintf(stderr, "%s\n%s",
1144 : _("Usage:"),
1145 : _("net sam createbuiltingroup <name>\n"));
1146 0 : return -1;
1147 : }
1148 :
1149 17 : if (!winbind_ping()) {
1150 0 : d_fprintf(stderr, _("winbind seems not to run. "
1151 : "createbuiltingroup only works when winbind "
1152 : "runs.\n"));
1153 0 : return -1;
1154 : }
1155 :
1156 : /* validate the name and get the group */
1157 :
1158 17 : fstrcpy( groupname, "BUILTIN\\" );
1159 17 : fstrcat( groupname, argv[0] );
1160 :
1161 17 : if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1162 : NULL, &sid, &type)) {
1163 0 : d_fprintf(stderr, _("%s is not a BUILTIN group\n"), argv[0]);
1164 0 : return -1;
1165 : }
1166 :
1167 17 : if ( !sid_peek_rid( &sid, &rid ) ) {
1168 0 : d_fprintf(stderr, _("Failed to get RID for %s\n"), argv[0]);
1169 0 : return -1;
1170 : }
1171 :
1172 17 : status = pdb_create_builtin(rid);
1173 :
1174 17 : if (!NT_STATUS_IS_OK(status)) {
1175 0 : d_fprintf(stderr, _("Creating %s failed with %s\n"),
1176 : argv[0], nt_errstr(status));
1177 0 : return -1;
1178 : }
1179 :
1180 17 : d_printf(_("Created BUILTIN group %s with RID %d\n"), argv[0], rid);
1181 :
1182 17 : return 0;
1183 : }
1184 :
1185 : /*
1186 : * Add a group member
1187 : */
1188 :
1189 12 : static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
1190 : {
1191 0 : const char *groupdomain, *groupname, *memberdomain, *membername;
1192 0 : struct dom_sid group, member;
1193 0 : enum lsa_SidType grouptype, membertype;
1194 0 : NTSTATUS status;
1195 :
1196 12 : if (argc != 2 || c->display_usage) {
1197 0 : d_fprintf(stderr, "%s\n%s",
1198 : _("Usage:"),
1199 : _("net sam addmem <group> <member>\n"));
1200 0 : return -1;
1201 : }
1202 :
1203 12 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1204 : &groupdomain, &groupname, &group, &grouptype)) {
1205 0 : d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1206 0 : return -1;
1207 : }
1208 :
1209 : /* check to see if the member to be added is a name or a SID */
1210 :
1211 12 : if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1212 : &memberdomain, &membername, &member, &membertype))
1213 : {
1214 : /* try it as a SID */
1215 :
1216 0 : if ( !string_to_sid( &member, argv[1] ) ) {
1217 0 : d_fprintf(stderr, _("Could not find member %s\n"),
1218 0 : argv[1]);
1219 0 : return -1;
1220 : }
1221 :
1222 0 : if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1223 : &membername, &membertype) )
1224 : {
1225 0 : d_fprintf(stderr, _("Could not resolve SID %s\n"),
1226 0 : argv[1]);
1227 0 : return -1;
1228 : }
1229 : }
1230 :
1231 12 : if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1232 10 : if ((membertype != SID_NAME_USER) &&
1233 6 : (membertype != SID_NAME_ALIAS) &&
1234 6 : (membertype != SID_NAME_DOM_GRP)) {
1235 0 : d_fprintf(stderr, _("Can't add %s: only users, domain "
1236 : "groups and domain local groups "
1237 : "can be added. %s is a %s\n"),
1238 0 : argv[0], argv[1],
1239 : sid_type_lookup(membertype));
1240 0 : return -1;
1241 : }
1242 10 : status = pdb_add_aliasmem(&group, &member);
1243 :
1244 10 : if (!NT_STATUS_IS_OK(status)) {
1245 0 : d_fprintf(stderr, _("Adding local group member failed "
1246 : "with %s\n"), nt_errstr(status));
1247 0 : return -1;
1248 : }
1249 2 : } else if (grouptype == SID_NAME_DOM_GRP) {
1250 0 : uint32_t grouprid, memberrid;
1251 :
1252 2 : sid_peek_rid(&group, &grouprid);
1253 2 : sid_peek_rid(&member, &memberrid);
1254 :
1255 2 : status = pdb_add_groupmem(talloc_tos(), grouprid, memberrid);
1256 2 : if (!NT_STATUS_IS_OK(status)) {
1257 0 : d_fprintf(stderr, _("Adding domain group member failed "
1258 : "with %s\n"), nt_errstr(status));
1259 0 : return -1;
1260 : }
1261 : } else {
1262 0 : d_fprintf(stderr, _("Can only add members to local groups so "
1263 : "far, %s is a %s\n"), argv[0],
1264 : sid_type_lookup(grouptype));
1265 0 : return -1;
1266 : }
1267 :
1268 12 : d_printf(_("Added %s\\%s to %s\\%s\n"), memberdomain, membername,
1269 : groupdomain, groupname);
1270 :
1271 12 : return 0;
1272 : }
1273 :
1274 : /*
1275 : * Delete a group member
1276 : */
1277 :
1278 12 : static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
1279 : {
1280 0 : const char *groupdomain, *groupname;
1281 12 : const char *memberdomain = NULL;
1282 12 : const char *membername = NULL;
1283 0 : struct dom_sid group, member;
1284 0 : enum lsa_SidType grouptype;
1285 0 : NTSTATUS status;
1286 :
1287 12 : if (argc != 2 || c->display_usage) {
1288 0 : d_fprintf(stderr,"%s\n%s",
1289 : _("Usage:"),
1290 : _("net sam delmem <group> <member>\n"));
1291 0 : return -1;
1292 : }
1293 :
1294 12 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1295 : &groupdomain, &groupname, &group, &grouptype)) {
1296 0 : d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1297 0 : return -1;
1298 : }
1299 :
1300 12 : if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1301 : &memberdomain, &membername, &member, NULL)) {
1302 0 : if (!string_to_sid(&member, argv[1])) {
1303 0 : d_fprintf(stderr, _("Could not find member %s\n"),
1304 0 : argv[1]);
1305 0 : return -1;
1306 : }
1307 : }
1308 :
1309 12 : if ((grouptype == SID_NAME_ALIAS) ||
1310 2 : (grouptype == SID_NAME_WKN_GRP)) {
1311 10 : status = pdb_del_aliasmem(&group, &member);
1312 :
1313 10 : if (!NT_STATUS_IS_OK(status)) {
1314 0 : d_fprintf(stderr,_("Deleting local group member failed "
1315 : "with %s\n"), nt_errstr(status));
1316 0 : return -1;
1317 : }
1318 2 : } else if (grouptype == SID_NAME_DOM_GRP) {
1319 0 : uint32_t grouprid, memberrid;
1320 :
1321 2 : sid_peek_rid(&group, &grouprid);
1322 2 : sid_peek_rid(&member, &memberrid);
1323 :
1324 2 : status = pdb_del_groupmem(talloc_tos(), grouprid, memberrid);
1325 2 : if (!NT_STATUS_IS_OK(status)) {
1326 0 : d_fprintf(stderr, _("Deleting domain group member "
1327 : "failed with %s\n"), nt_errstr(status));
1328 0 : return -1;
1329 : }
1330 : } else {
1331 0 : d_fprintf(stderr, _("Can only delete members from local groups "
1332 : "so far, %s is a %s\n"), argv[0],
1333 : sid_type_lookup(grouptype));
1334 0 : return -1;
1335 : }
1336 :
1337 12 : if (membername != NULL) {
1338 12 : d_printf(_("Deleted %s\\%s from %s\\%s\n"),
1339 : memberdomain, membername, groupdomain, groupname);
1340 : } else {
1341 0 : struct dom_sid_buf buf;
1342 0 : d_printf(_("Deleted %s from %s\\%s\n"),
1343 : dom_sid_str_buf(&member, &buf),
1344 : groupdomain,
1345 : groupname);
1346 : }
1347 :
1348 12 : return 0;
1349 : }
1350 :
1351 : /*
1352 : * List group members
1353 : */
1354 :
1355 0 : static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
1356 : {
1357 0 : const char *groupdomain, *groupname;
1358 0 : struct dom_sid group;
1359 0 : struct dom_sid *members = NULL;
1360 0 : size_t i, num_members = 0;
1361 0 : enum lsa_SidType grouptype;
1362 0 : NTSTATUS status;
1363 :
1364 0 : if (argc != 1 || c->display_usage) {
1365 0 : d_fprintf(stderr, "%s\n%s",
1366 : _("Usage:"),
1367 : _("net sam listmem <group>\n"));
1368 0 : return -1;
1369 : }
1370 :
1371 0 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1372 : &groupdomain, &groupname, &group, &grouptype)) {
1373 0 : d_fprintf(stderr, _("Could not find group %s\n"), argv[0]);
1374 0 : return -1;
1375 : }
1376 :
1377 0 : if ((grouptype == SID_NAME_ALIAS) ||
1378 0 : (grouptype == SID_NAME_WKN_GRP)) {
1379 0 : status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
1380 : &num_members);
1381 0 : if (!NT_STATUS_IS_OK(status)) {
1382 0 : d_fprintf(stderr, _("Listing group members failed with "
1383 : "%s\n"), nt_errstr(status));
1384 0 : return -1;
1385 : }
1386 0 : } else if (grouptype == SID_NAME_DOM_GRP) {
1387 0 : uint32_t *rids;
1388 :
1389 0 : status = pdb_enum_group_members(talloc_tos(), &group,
1390 : &rids, &num_members);
1391 0 : if (!NT_STATUS_IS_OK(status)) {
1392 0 : d_fprintf(stderr, _("Listing group members failed with "
1393 : "%s\n"), nt_errstr(status));
1394 0 : return -1;
1395 : }
1396 :
1397 0 : members = talloc_array(talloc_tos(), struct dom_sid,
1398 : num_members);
1399 0 : if (members == NULL) {
1400 0 : TALLOC_FREE(rids);
1401 0 : return -1;
1402 : }
1403 :
1404 0 : for (i=0; i<num_members; i++) {
1405 0 : sid_compose(&members[i], get_global_sam_sid(),
1406 0 : rids[i]);
1407 : }
1408 0 : TALLOC_FREE(rids);
1409 : } else {
1410 0 : d_fprintf(stderr,_("Can only list local group members so far.\n"
1411 : "%s is a %s\n"), argv[0], sid_type_lookup(grouptype));
1412 0 : return -1;
1413 : }
1414 :
1415 0 : d_printf(_("%s\\%s has %u members\n"), groupdomain, groupname,
1416 : (unsigned int)num_members);
1417 0 : for (i=0; i<num_members; i++) {
1418 0 : const char *dom, *name;
1419 0 : if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) {
1420 0 : d_printf(" %s\\%s\n", dom, name);
1421 : } else {
1422 0 : struct dom_sid_buf buf;
1423 0 : d_printf(" %s\n",
1424 0 : dom_sid_str_buf(&members[i], &buf));
1425 : }
1426 : }
1427 :
1428 0 : TALLOC_FREE(members);
1429 :
1430 0 : return 0;
1431 : }
1432 :
1433 : /*
1434 : * Do the listing
1435 : */
1436 0 : static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
1437 : struct pdb_search *search, const char *what)
1438 : {
1439 0 : bool verbose = (argc == 1);
1440 :
1441 0 : if ((argc > 1) || c->display_usage ||
1442 0 : ((argc == 1) && !strequal(argv[0], "verbose"))) {
1443 0 : d_fprintf(stderr, "%s\n", _("Usage:"));
1444 0 : d_fprintf(stderr, _("net sam list %s [verbose]\n"), what);
1445 0 : return -1;
1446 : }
1447 :
1448 0 : if (search == NULL) {
1449 0 : d_fprintf(stderr, _("Could not start search\n"));
1450 0 : return -1;
1451 : }
1452 :
1453 0 : while (true) {
1454 0 : struct samr_displayentry entry;
1455 0 : if (!search->next_entry(search, &entry)) {
1456 0 : break;
1457 : }
1458 0 : if (verbose) {
1459 0 : d_printf("%s:%d:%s\n",
1460 : entry.account_name,
1461 : entry.rid,
1462 : entry.description);
1463 : } else {
1464 0 : d_printf("%s\n", entry.account_name);
1465 : }
1466 : }
1467 :
1468 0 : TALLOC_FREE(search);
1469 0 : return 0;
1470 : }
1471 :
1472 0 : static int net_sam_list_users(struct net_context *c, int argc,
1473 : const char **argv)
1474 : {
1475 0 : return net_sam_do_list(c, argc, argv,
1476 : pdb_search_users(talloc_tos(), ACB_NORMAL),
1477 : "users");
1478 : }
1479 :
1480 0 : static int net_sam_list_groups(struct net_context *c, int argc,
1481 : const char **argv)
1482 : {
1483 0 : return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1484 : "groups");
1485 : }
1486 :
1487 0 : static int net_sam_list_localgroups(struct net_context *c, int argc,
1488 : const char **argv)
1489 : {
1490 0 : return net_sam_do_list(c, argc, argv,
1491 : pdb_search_aliases(talloc_tos(),
1492 0 : get_global_sam_sid()),
1493 : "localgroups");
1494 : }
1495 :
1496 0 : static int net_sam_list_builtin(struct net_context *c, int argc,
1497 : const char **argv)
1498 : {
1499 0 : return net_sam_do_list(c, argc, argv,
1500 : pdb_search_aliases(talloc_tos(),
1501 : &global_sid_Builtin),
1502 : "builtin");
1503 : }
1504 :
1505 0 : static int net_sam_list_workstations(struct net_context *c, int argc,
1506 : const char **argv)
1507 : {
1508 0 : return net_sam_do_list(c, argc, argv,
1509 : pdb_search_users(talloc_tos(), ACB_WSTRUST),
1510 : "workstations");
1511 : }
1512 :
1513 : /*
1514 : * List stuff
1515 : */
1516 :
1517 0 : static int net_sam_list(struct net_context *c, int argc, const char **argv)
1518 : {
1519 0 : struct functable func[] = {
1520 : {
1521 : "users",
1522 : net_sam_list_users,
1523 : NET_TRANSPORT_LOCAL,
1524 : N_("List SAM users"),
1525 : N_("net sam list users\n"
1526 : " List SAM users")
1527 : },
1528 : {
1529 : "groups",
1530 : net_sam_list_groups,
1531 : NET_TRANSPORT_LOCAL,
1532 : N_("List SAM groups"),
1533 : N_("net sam list groups\n"
1534 : " List SAM groups")
1535 : },
1536 : {
1537 : "localgroups",
1538 : net_sam_list_localgroups,
1539 : NET_TRANSPORT_LOCAL,
1540 : N_("List SAM local groups"),
1541 : N_("net sam list localgroups\n"
1542 : " List SAM local groups")
1543 : },
1544 : {
1545 : "builtin",
1546 : net_sam_list_builtin,
1547 : NET_TRANSPORT_LOCAL,
1548 : N_("List builtin groups"),
1549 : N_("net sam list builtin\n"
1550 : " List builtin groups")
1551 : },
1552 : {
1553 : "workstations",
1554 : net_sam_list_workstations,
1555 : NET_TRANSPORT_LOCAL,
1556 : N_("List domain member workstations"),
1557 : N_("net sam list workstations\n"
1558 : " List domain member workstations")
1559 : },
1560 : {NULL, NULL, 0, NULL, NULL}
1561 : };
1562 :
1563 0 : return net_run_function(c, argc, argv, "net sam list", func);
1564 : }
1565 :
1566 : /*
1567 : * Show details of SAM entries
1568 : */
1569 :
1570 0 : static int net_sam_show(struct net_context *c, int argc, const char **argv)
1571 : {
1572 0 : struct dom_sid sid;
1573 0 : struct dom_sid_buf buf;
1574 0 : enum lsa_SidType type;
1575 0 : const char *dom, *name;
1576 :
1577 0 : if (argc != 1 || c->display_usage) {
1578 0 : d_fprintf(stderr, "%s\n%s",
1579 : _("Usage:"),
1580 : _("net sam show <name>\n"));
1581 0 : return -1;
1582 : }
1583 :
1584 0 : if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1585 : &dom, &name, &sid, &type)) {
1586 0 : d_fprintf(stderr, _("Could not find name %s\n"), argv[0]);
1587 0 : return -1;
1588 : }
1589 :
1590 0 : d_printf(_("%s\\%s is a %s with SID %s\n"), dom, name,
1591 : sid_type_lookup(type), dom_sid_str_buf(&sid, &buf));
1592 :
1593 0 : return 0;
1594 : }
1595 :
1596 : #ifdef HAVE_LDAP
1597 :
1598 : /*
1599 : * Init an LDAP tree with default users and Groups
1600 : * if ldapsam:editposix is enabled
1601 : */
1602 :
1603 0 : static int net_sam_provision(struct net_context *c, int argc, const char **argv)
1604 : {
1605 0 : TALLOC_CTX *tc;
1606 0 : char *ldap_bk;
1607 0 : char *ldap_uri = NULL;
1608 0 : char *p;
1609 0 : struct smbldap_state *state = NULL;
1610 0 : GROUP_MAP *gmap = NULL;
1611 0 : struct dom_sid gsid;
1612 0 : gid_t domusers_gid = -1;
1613 0 : gid_t domadmins_gid = -1;
1614 0 : struct samu *samuser;
1615 0 : struct passwd *pwd;
1616 0 : bool is_ipa = false;
1617 0 : char *bind_dn = NULL;
1618 0 : char *bind_secret = NULL;
1619 0 : NTSTATUS status;
1620 :
1621 0 : if (c->display_usage) {
1622 0 : d_printf( "%s\n"
1623 : "net sam provision\n"
1624 : " %s\n",
1625 : _("Usage:"),
1626 : _("Init an LDAP tree with default users/groups"));
1627 0 : return 0;
1628 : }
1629 :
1630 0 : tc = talloc_new(NULL);
1631 0 : if (!tc) {
1632 0 : d_fprintf(stderr, _("Out of Memory!\n"));
1633 0 : return -1;
1634 : }
1635 :
1636 0 : if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1637 0 : d_fprintf(stderr, _("talloc failed\n"));
1638 0 : talloc_free(tc);
1639 0 : return -1;
1640 : }
1641 0 : p = strchr(ldap_bk, ':');
1642 0 : if (p) {
1643 0 : *p = 0;
1644 0 : ldap_uri = talloc_strdup(tc, p+1);
1645 0 : trim_char(ldap_uri, ' ', ' ');
1646 : }
1647 :
1648 0 : trim_char(ldap_bk, ' ', ' ');
1649 :
1650 0 : if (strcmp(ldap_bk, "IPA_ldapsam") == 0 ) {
1651 0 : is_ipa = true;
1652 : }
1653 :
1654 0 : if (strcmp(ldap_bk, "ldapsam") != 0 && !is_ipa ) {
1655 0 : d_fprintf(stderr,
1656 0 : _("Provisioning works only with ldapsam backend\n"));
1657 0 : goto failed;
1658 : }
1659 :
1660 0 : if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1661 0 : !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1662 :
1663 0 : d_fprintf(stderr, _("Provisioning works only if ldapsam:trusted"
1664 : " and ldapsam:editposix are enabled.\n"));
1665 0 : goto failed;
1666 : }
1667 :
1668 0 : if (!is_ipa && !winbind_ping()) {
1669 0 : d_fprintf(stderr, _("winbind seems not to run. Provisioning "
1670 : "LDAP only works when winbind runs.\n"));
1671 0 : goto failed;
1672 : }
1673 :
1674 0 : if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1675 0 : d_fprintf(stderr, _("Failed to retrieve LDAP password from secrets.tdb\n"));
1676 0 : goto failed;
1677 : }
1678 :
1679 0 : status = smbldap_init(tc, NULL, ldap_uri, false, bind_dn, bind_secret, &state);
1680 :
1681 0 : BURN_FREE_STR(bind_secret);
1682 0 : SAFE_FREE(bind_dn);
1683 :
1684 0 : if (!NT_STATUS_IS_OK(status)) {
1685 0 : d_fprintf(stderr, _("Unable to connect to the LDAP server.\n"));
1686 0 : goto failed;
1687 : }
1688 :
1689 0 : d_printf(_("Checking for Domain Users group.\n"));
1690 :
1691 0 : sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
1692 :
1693 0 : gmap = talloc_zero(tc, GROUP_MAP);
1694 0 : if (!gmap) {
1695 0 : d_printf(_("Out of memory!\n"));
1696 0 : goto failed;
1697 : }
1698 :
1699 0 : if (!pdb_getgrsid(gmap, gsid)) {
1700 0 : struct dom_sid_buf gsid_str;
1701 0 : LDAPMod **mods = NULL;
1702 0 : char *dn;
1703 0 : char *uname;
1704 0 : char *wname;
1705 0 : char *gidstr;
1706 0 : char *gtype;
1707 0 : int rc;
1708 :
1709 0 : d_printf(_("Adding the Domain Users group.\n"));
1710 :
1711 : /* lets allocate a new groupid for this group */
1712 0 : if (is_ipa) {
1713 0 : domusers_gid = 999;
1714 : } else {
1715 0 : if (!winbind_allocate_gid(&domusers_gid)) {
1716 0 : d_fprintf(stderr, _("Unable to allocate a new gid to "
1717 : "create Domain Users group!\n"));
1718 0 : goto domu_done;
1719 : }
1720 : }
1721 :
1722 0 : uname = talloc_strdup(tc, "domusers");
1723 0 : wname = talloc_strdup(tc, "Domain Users");
1724 0 : dn = talloc_asprintf(tc, "cn=%s,%s", "domusers",
1725 : lp_ldap_group_suffix(talloc_tos()));
1726 0 : gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1727 0 : gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1728 :
1729 0 : if (!uname || !wname || !dn || !gidstr || !gtype) {
1730 0 : d_fprintf(stderr, "Out of Memory!\n");
1731 0 : goto failed;
1732 : }
1733 :
1734 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1735 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1736 0 : if (is_ipa) {
1737 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1738 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1739 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1740 : }
1741 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1742 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1743 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1744 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1745 0 : dom_sid_str_buf(&gsid, &gsid_str));
1746 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1747 :
1748 0 : smbldap_talloc_autofree_ldapmod(tc, mods);
1749 :
1750 0 : rc = smbldap_add(state, dn, mods);
1751 :
1752 0 : if (rc != LDAP_SUCCESS) {
1753 0 : d_fprintf(stderr, _("Failed to add Domain Users group "
1754 : "to ldap directory\n"));
1755 : }
1756 :
1757 0 : if (is_ipa) {
1758 0 : if (!pdb_getgrsid(gmap, gsid)) {
1759 0 : d_fprintf(stderr, _("Failed to read just "
1760 : "created domain group.\n"));
1761 0 : goto failed;
1762 : } else {
1763 0 : domusers_gid = gmap->gid;
1764 : }
1765 : }
1766 : } else {
1767 0 : domusers_gid = gmap->gid;
1768 0 : d_printf(_("found!\n"));
1769 : }
1770 :
1771 0 : domu_done:
1772 :
1773 0 : d_printf(_("Checking for Domain Admins group.\n"));
1774 :
1775 0 : sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
1776 :
1777 0 : if (!pdb_getgrsid(gmap, gsid)) {
1778 0 : struct dom_sid_buf gsid_str;
1779 0 : LDAPMod **mods = NULL;
1780 0 : char *dn;
1781 0 : char *uname;
1782 0 : char *wname;
1783 0 : char *gidstr;
1784 0 : char *gtype;
1785 0 : int rc;
1786 :
1787 0 : d_printf(_("Adding the Domain Admins group.\n"));
1788 :
1789 : /* lets allocate a new groupid for this group */
1790 0 : if (is_ipa) {
1791 0 : domadmins_gid = 999;
1792 : } else {
1793 0 : if (!winbind_allocate_gid(&domadmins_gid)) {
1794 0 : d_fprintf(stderr, _("Unable to allocate a new gid to "
1795 : "create Domain Admins group!\n"));
1796 0 : goto doma_done;
1797 : }
1798 : }
1799 :
1800 0 : uname = talloc_strdup(tc, "domadmins");
1801 0 : wname = talloc_strdup(tc, "Domain Admins");
1802 0 : dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins",
1803 : lp_ldap_group_suffix(talloc_tos()));
1804 0 : gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1805 0 : gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1806 :
1807 0 : if (!uname || !wname || !dn || !gidstr || !gtype) {
1808 0 : d_fprintf(stderr, _("Out of Memory!\n"));
1809 0 : goto failed;
1810 : }
1811 :
1812 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1813 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1814 0 : if (is_ipa) {
1815 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
1816 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
1817 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
1818 : }
1819 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1820 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1821 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1822 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1823 0 : dom_sid_str_buf(&gsid, &gsid_str));
1824 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1825 :
1826 0 : smbldap_talloc_autofree_ldapmod(tc, mods);
1827 :
1828 0 : rc = smbldap_add(state, dn, mods);
1829 :
1830 0 : if (rc != LDAP_SUCCESS) {
1831 0 : d_fprintf(stderr, _("Failed to add Domain Admins group "
1832 : "to ldap directory\n"));
1833 : }
1834 :
1835 0 : if (is_ipa) {
1836 0 : if (!pdb_getgrsid(gmap, gsid)) {
1837 0 : d_fprintf(stderr, _("Failed to read just "
1838 : "created domain group.\n"));
1839 0 : goto failed;
1840 : } else {
1841 0 : domadmins_gid = gmap->gid;
1842 : }
1843 : }
1844 : } else {
1845 0 : domadmins_gid = gmap->gid;
1846 0 : d_printf(_("found!\n"));
1847 : }
1848 :
1849 0 : doma_done:
1850 :
1851 0 : d_printf(_("Check for Administrator account.\n"));
1852 :
1853 0 : samuser = samu_new(tc);
1854 0 : if (!samuser) {
1855 0 : d_fprintf(stderr, _("Out of Memory!\n"));
1856 0 : goto failed;
1857 : }
1858 :
1859 0 : if (!pdb_getsampwnam(samuser, "Administrator")) {
1860 0 : LDAPMod **mods = NULL;
1861 0 : struct dom_sid sid;
1862 0 : struct dom_sid_buf sid_str;
1863 0 : char *dn;
1864 0 : char *name;
1865 0 : char *uidstr;
1866 0 : char *gidstr;
1867 0 : char *shell;
1868 0 : char *dir;
1869 0 : char *princ;
1870 0 : uid_t uid;
1871 0 : int rc;
1872 :
1873 0 : d_printf(_("Adding the Administrator user.\n"));
1874 :
1875 0 : if (domadmins_gid == -1) {
1876 0 : d_fprintf(stderr,
1877 0 : _("Can't create Administrator user, Domain "
1878 : "Admins group not available!\n"));
1879 0 : goto done;
1880 : }
1881 :
1882 0 : if (is_ipa) {
1883 0 : uid = 999;
1884 : } else {
1885 0 : if (!winbind_allocate_uid(&uid)) {
1886 0 : d_fprintf(stderr,
1887 0 : _("Unable to allocate a new uid to create "
1888 : "the Administrator user!\n"));
1889 0 : goto done;
1890 : }
1891 : }
1892 :
1893 0 : name = talloc_strdup(tc, "Administrator");
1894 0 : dn = talloc_asprintf(tc, "uid=Administrator,%s",
1895 : lp_ldap_user_suffix(talloc_tos()));
1896 0 : uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1897 0 : gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1898 0 : dir = talloc_sub_specified(tc, lp_template_homedir(),
1899 : "Administrator",
1900 : NULL,
1901 : get_global_sam_name(),
1902 : uid, domadmins_gid);
1903 0 : shell = talloc_sub_specified(tc, lp_template_shell(),
1904 : "Administrator",
1905 : NULL,
1906 : get_global_sam_name(),
1907 : uid, domadmins_gid);
1908 :
1909 0 : if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1910 0 : d_fprintf(stderr, _("Out of Memory!\n"));
1911 0 : goto failed;
1912 : }
1913 :
1914 0 : sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
1915 :
1916 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1917 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1918 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1919 0 : if (is_ipa) {
1920 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
1921 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
1922 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
1923 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
1924 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
1925 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
1926 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", name);
1927 0 : princ = talloc_asprintf(tc, "%s@%s", name, lp_realm());
1928 0 : if (!princ) {
1929 0 : d_fprintf(stderr, _("Out of Memory!\n"));
1930 0 : goto failed;
1931 : }
1932 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "krbPrincipalName", princ);
1933 : }
1934 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1935 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1936 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1937 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1938 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1939 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1940 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1941 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1942 0 : dom_sid_str_buf(&sid, &sid_str));
1943 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1944 0 : pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1945 : NEW_PW_FORMAT_SPACE_PADDED_LEN));
1946 :
1947 0 : smbldap_talloc_autofree_ldapmod(tc, mods);
1948 :
1949 0 : rc = smbldap_add(state, dn, mods);
1950 :
1951 0 : if (rc != LDAP_SUCCESS) {
1952 0 : d_fprintf(stderr, _("Failed to add Administrator user "
1953 : "to ldap directory\n"));
1954 : }
1955 :
1956 0 : if (is_ipa) {
1957 0 : if (!pdb_getsampwnam(samuser, "Administrator")) {
1958 0 : d_fprintf(stderr, _("Failed to read just "
1959 : "created user.\n"));
1960 0 : goto failed;
1961 : }
1962 : }
1963 : } else {
1964 0 : d_printf(_("found!\n"));
1965 : }
1966 :
1967 0 : d_printf(_("Checking for Guest user.\n"));
1968 :
1969 0 : samuser = samu_new(tc);
1970 0 : if (!samuser) {
1971 0 : d_fprintf(stderr, _("Out of Memory!\n"));
1972 0 : goto failed;
1973 : }
1974 :
1975 0 : if (!pdb_getsampwnam(samuser, lp_guest_account())) {
1976 0 : LDAPMod **mods = NULL;
1977 0 : struct dom_sid sid;
1978 0 : struct dom_sid_buf sid_str;
1979 0 : char *dn;
1980 0 : char *uidstr;
1981 0 : char *gidstr;
1982 0 : int rc;
1983 :
1984 0 : d_printf(_("Adding the Guest user.\n"));
1985 :
1986 0 : sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
1987 :
1988 0 : pwd = Get_Pwnam_alloc(tc, lp_guest_account());
1989 :
1990 0 : if (!pwd) {
1991 0 : if (domusers_gid == -1) {
1992 0 : d_fprintf(stderr,
1993 0 : _("Can't create Guest user, Domain "
1994 : "Users group not available!\n"));
1995 0 : goto done;
1996 : }
1997 0 : if ((pwd = talloc(tc, struct passwd)) == NULL) {
1998 0 : d_fprintf(stderr, _("talloc failed\n"));
1999 0 : goto done;
2000 : }
2001 0 : pwd->pw_name = talloc_strdup(pwd, lp_guest_account());
2002 :
2003 0 : if (is_ipa) {
2004 0 : pwd->pw_uid = 999;
2005 : } else {
2006 0 : if (!winbind_allocate_uid(&(pwd->pw_uid))) {
2007 0 : d_fprintf(stderr,
2008 0 : _("Unable to allocate a new uid to "
2009 : "create the Guest user!\n"));
2010 0 : goto done;
2011 : }
2012 : }
2013 0 : pwd->pw_gid = domusers_gid;
2014 0 : pwd->pw_dir = talloc_strdup(tc, "/");
2015 0 : pwd->pw_shell = talloc_strdup(tc, "/bin/false");
2016 0 : if (!pwd->pw_dir || !pwd->pw_shell) {
2017 0 : d_fprintf(stderr, _("Out of Memory!\n"));
2018 0 : goto failed;
2019 : }
2020 : }
2021 :
2022 0 : dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name,
2023 : lp_ldap_user_suffix (talloc_tos()));
2024 0 : uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
2025 0 : gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2026 0 : if (!dn || !uidstr || !gidstr) {
2027 0 : d_fprintf(stderr, _("Out of Memory!\n"));
2028 0 : goto failed;
2029 : }
2030 :
2031 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
2032 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
2033 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
2034 0 : if (is_ipa) {
2035 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
2036 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
2037 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
2038 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
2039 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
2040 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
2041 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", pwd->pw_name);
2042 : }
2043 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
2044 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
2045 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
2046 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
2047 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2048 0 : if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
2049 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
2050 : }
2051 0 : if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
2052 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
2053 : }
2054 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
2055 0 : dom_sid_str_buf(&sid, &sid_str));
2056 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
2057 0 : pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
2058 : NEW_PW_FORMAT_SPACE_PADDED_LEN));
2059 :
2060 0 : smbldap_talloc_autofree_ldapmod(tc, mods);
2061 :
2062 0 : rc = smbldap_add(state, dn, mods);
2063 :
2064 0 : if (rc != LDAP_SUCCESS) {
2065 0 : d_fprintf(stderr, _("Failed to add Guest user to "
2066 : "ldap directory\n"));
2067 : }
2068 :
2069 0 : if (is_ipa) {
2070 0 : if (!pdb_getsampwnam(samuser, lp_guest_account())) {
2071 0 : d_fprintf(stderr, _("Failed to read just "
2072 : "created user.\n"));
2073 0 : goto failed;
2074 : }
2075 : }
2076 : } else {
2077 0 : d_printf(_("found!\n"));
2078 : }
2079 :
2080 0 : d_printf(_("Checking Guest's group.\n"));
2081 :
2082 0 : pwd = Get_Pwnam_alloc(tc, lp_guest_account());
2083 0 : if (!pwd) {
2084 0 : d_fprintf(stderr,
2085 0 : _("Failed to find just created Guest account!\n"
2086 : " Is nss properly configured?!\n"));
2087 0 : goto failed;
2088 : }
2089 :
2090 0 : if (pwd->pw_gid == domusers_gid) {
2091 0 : d_printf(_("found!\n"));
2092 0 : goto done;
2093 : }
2094 :
2095 0 : if (!pdb_getgrgid(gmap, pwd->pw_gid)) {
2096 0 : struct dom_sid_buf gsid_str;
2097 0 : LDAPMod **mods = NULL;
2098 0 : char *dn;
2099 0 : char *uname;
2100 0 : char *wname;
2101 0 : char *gidstr;
2102 0 : char *gtype;
2103 0 : int rc;
2104 :
2105 0 : d_printf(_("Adding the Domain Guests group.\n"));
2106 :
2107 0 : uname = talloc_strdup(tc, "domguests");
2108 0 : wname = talloc_strdup(tc, "Domain Guests");
2109 0 : dn = talloc_asprintf(tc, "cn=%s,%s", "domguests",
2110 : lp_ldap_group_suffix(talloc_tos()));
2111 0 : gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
2112 0 : gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
2113 :
2114 0 : if (!uname || !wname || !dn || !gidstr || !gtype) {
2115 0 : d_fprintf(stderr, _("Out of Memory!\n"));
2116 0 : goto failed;
2117 : }
2118 :
2119 0 : sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
2120 :
2121 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
2122 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
2123 0 : if (is_ipa) {
2124 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
2125 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
2126 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
2127 : }
2128 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
2129 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
2130 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
2131 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
2132 0 : dom_sid_str_buf(&gsid, &gsid_str));
2133 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
2134 :
2135 0 : smbldap_talloc_autofree_ldapmod(tc, mods);
2136 :
2137 0 : rc = smbldap_add(state, dn, mods);
2138 :
2139 0 : if (rc != LDAP_SUCCESS) {
2140 0 : d_fprintf(stderr,
2141 0 : _("Failed to add Domain Guests group to ldap "
2142 : "directory\n"));
2143 : }
2144 : } else {
2145 0 : d_printf(_("found!\n"));
2146 : }
2147 :
2148 :
2149 0 : done:
2150 0 : talloc_free(state);
2151 0 : return 0;
2152 :
2153 0 : failed:
2154 0 : talloc_free(state);
2155 0 : return -1;
2156 : }
2157 :
2158 : #endif
2159 :
2160 : /***********************************************************
2161 : migrated functionality from smbgroupedit
2162 : **********************************************************/
2163 109 : int net_sam(struct net_context *c, int argc, const char **argv)
2164 : {
2165 109 : struct functable func[] = {
2166 : {
2167 : "createbuiltingroup",
2168 : net_sam_createbuiltingroup,
2169 : NET_TRANSPORT_LOCAL,
2170 : N_("Create a new BUILTIN group"),
2171 : N_("net sam createbuiltingroup\n"
2172 : " Create a new BUILTIN group")
2173 : },
2174 : {
2175 : "createlocalgroup",
2176 : net_sam_createlocalgroup,
2177 : NET_TRANSPORT_LOCAL,
2178 : N_("Create a new local group"),
2179 : N_("net sam createlocalgroup\n"
2180 : " Create a new local group")
2181 : },
2182 : {
2183 : "createdomaingroup",
2184 : net_sam_createdomaingroup,
2185 : NET_TRANSPORT_LOCAL,
2186 : N_("Create a new group"),
2187 : N_("net sam createdomaingroup\n"
2188 : " Create a new group")
2189 : },
2190 : {
2191 : "deletelocalgroup",
2192 : net_sam_deletelocalgroup,
2193 : NET_TRANSPORT_LOCAL,
2194 : N_("Delete an existing local group"),
2195 : N_("net sam deletelocalgroup\n"
2196 : " Delete an existing local group")
2197 : },
2198 : {
2199 : "deletedomaingroup",
2200 : net_sam_deletedomaingroup,
2201 : NET_TRANSPORT_LOCAL,
2202 : N_("Delete a domain group"),
2203 : N_("net sam deletedomaingroup\n"
2204 : " Delete a group")
2205 : },
2206 : {
2207 : "mapunixgroup",
2208 : net_sam_mapunixgroup,
2209 : NET_TRANSPORT_LOCAL,
2210 : N_("Map a unix group to a domain group"),
2211 : N_("net sam mapunixgroup\n"
2212 : " Map a unix group to a domain group")
2213 : },
2214 : {
2215 : "unmapunixgroup",
2216 : net_sam_unmapunixgroup,
2217 : NET_TRANSPORT_LOCAL,
2218 : N_("Remove a group mapping of an unix group to a "
2219 : "domain group"),
2220 : N_("net sam unmapunixgroup\n"
2221 : " Remove a group mapping of an unix group to a "
2222 : "domain group")
2223 : },
2224 : {
2225 : "addmem",
2226 : net_sam_addmem,
2227 : NET_TRANSPORT_LOCAL,
2228 : N_("Add a member to a group"),
2229 : N_("net sam addmem\n"
2230 : " Add a member to a group")
2231 : },
2232 : {
2233 : "delmem",
2234 : net_sam_delmem,
2235 : NET_TRANSPORT_LOCAL,
2236 : N_("Delete a member from a group"),
2237 : N_("net sam delmem\n"
2238 : " Delete a member from a group")
2239 : },
2240 : {
2241 : "listmem",
2242 : net_sam_listmem,
2243 : NET_TRANSPORT_LOCAL,
2244 : N_("List group members"),
2245 : N_("net sam listmem\n"
2246 : " List group members")
2247 : },
2248 : {
2249 : "list",
2250 : net_sam_list,
2251 : NET_TRANSPORT_LOCAL,
2252 : N_("List users, groups and local groups"),
2253 : N_("net sam list\n"
2254 : " List users, groups and local groups")
2255 : },
2256 : {
2257 : "show",
2258 : net_sam_show,
2259 : NET_TRANSPORT_LOCAL,
2260 : N_("Show details of a SAM entry"),
2261 : N_("net sam show\n"
2262 : " Show details of a SAM entry")
2263 : },
2264 : {
2265 : "set",
2266 : net_sam_set,
2267 : NET_TRANSPORT_LOCAL,
2268 : N_("Set details of a SAM account"),
2269 : N_("net sam set\n"
2270 : " Set details of a SAM account")
2271 : },
2272 : {
2273 : "policy",
2274 : net_sam_policy,
2275 : NET_TRANSPORT_LOCAL,
2276 : N_("Set account policies"),
2277 : N_("net sam policy\n"
2278 : " Set account policies")
2279 : },
2280 : {
2281 : "rights",
2282 : net_sam_rights,
2283 : NET_TRANSPORT_LOCAL,
2284 : N_("Manipulate user privileges"),
2285 : N_("net sam rights\n"
2286 : " Manipulate user privileges")
2287 : },
2288 : #ifdef HAVE_LDAP
2289 : {
2290 : "provision",
2291 : net_sam_provision,
2292 : NET_TRANSPORT_LOCAL,
2293 : N_("Provision a clean user database"),
2294 : N_("net sam privison\n"
2295 : " Provision a clear user database")
2296 : },
2297 : #endif
2298 : {NULL, NULL, 0, NULL, NULL}
2299 : };
2300 :
2301 109 : if (getuid() != 0) {
2302 109 : d_fprintf(stderr, _("You are not root, most things won't "
2303 : "work\n"));
2304 : }
2305 :
2306 109 : return net_run_function(c, argc, argv, "net sam", func);
2307 : }
2308 :
|
