/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- net_sam_userset
- net_sam_set_fullname
- net_sam_set_logonscript
- net_sam_set_profilepath
- net_sam_set_homedrive
- net_sam_set_homedir
- net_sam_set_workstations
- net_sam_set_userflag
- net_sam_set_disabled
- net_sam_set_pwnotreq
- net_sam_set_autolock
- net_sam_set_pwnoexp
- net_sam_set_pwdmustchangenow
- net_sam_set_comment
- net_sam_set
- net_sam_policy_set
- net_sam_policy_show
- net_sam_policy_list
- net_sam_policy
- net_sam_rights_list
- net_sam_rights_grant
- net_sam_rights_revoke
- net_sam_rights
- map_unix_group
- net_sam_mapunixgroup
- unmap_unix_group
- net_sam_unmapunixgroup
- net_sam_createlocalgroup
- net_sam_deletelocalgroup
- net_sam_createbuiltingroup
- net_sam_addmem
- net_sam_delmem
- net_sam_listmem
- net_sam_do_list
- net_sam_list_users
- net_sam_list_groups
- net_sam_list_localgroups
- net_sam_list_builtin
- net_sam_list_workstations
- net_sam_list
- net_sam_show
- net_sam_provision
- net_sam
1 /*
2 * Unix SMB/CIFS implementation.
3 * Local SAM access routines
4 * Copyright (C) Volker Lendecke 2006
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20
21 #include "includes.h"
22 #include "utils/net.h"
23
24 /*
25 * Set a user's data
26 */
27
28 static int net_sam_userset(struct net_context *c, int argc, const char **argv,
/* [<][>][^][v][top][bottom][index][help] */
29 const char *field,
30 bool (*fn)(struct samu *, const char *,
31 enum pdb_value_state))
32 {
33 struct samu *sam_acct = NULL;
34 DOM_SID sid;
35 enum lsa_SidType type;
36 const char *dom, *name;
37 NTSTATUS status;
38
39 if (argc != 2 || c->display_usage) {
40 d_fprintf(stderr, "usage: net sam set %s <user> <value>\n",
41 field);
42 return -1;
43 }
44
45 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
46 &dom, &name, &sid, &type)) {
47 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
48 return -1;
49 }
50
51 if (type != SID_NAME_USER) {
52 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
53 sid_type_lookup(type));
54 return -1;
55 }
56
57 if ( !(sam_acct = samu_new( NULL )) ) {
58 d_fprintf(stderr, "Internal error\n");
59 return -1;
60 }
61
62 if (!pdb_getsampwsid(sam_acct, &sid)) {
63 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
64 return -1;
65 }
66
67 if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
68 d_fprintf(stderr, "Internal error\n");
69 return -1;
70 }
71
72 status = pdb_update_sam_account(sam_acct);
73 if (!NT_STATUS_IS_OK(status)) {
74 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
75 argv[0], nt_errstr(status));
76 return -1;
77 }
78
79 TALLOC_FREE(sam_acct);
80
81 d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]);
82 return 0;
83 }
84
85 static int net_sam_set_fullname(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
86 const char **argv)
87 {
88 return net_sam_userset(c, argc, argv, "fullname",
89 pdb_set_fullname);
90 }
91
92 static int net_sam_set_logonscript(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
93 const char **argv)
94 {
95 return net_sam_userset(c, argc, argv, "logonscript",
96 pdb_set_logon_script);
97 }
98
99 static int net_sam_set_profilepath(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
100 const char **argv)
101 {
102 return net_sam_userset(c, argc, argv, "profilepath",
103 pdb_set_profile_path);
104 }
105
106 static int net_sam_set_homedrive(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
107 const char **argv)
108 {
109 return net_sam_userset(c, argc, argv, "homedrive",
110 pdb_set_dir_drive);
111 }
112
113 static int net_sam_set_homedir(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
114 const char **argv)
115 {
116 return net_sam_userset(c, argc, argv, "homedir",
117 pdb_set_homedir);
118 }
119
120 static int net_sam_set_workstations(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
121 const char **argv)
122 {
123 return net_sam_userset(c, argc, argv, "workstations",
124 pdb_set_workstations);
125 }
126
127 /*
128 * Set account flags
129 */
130
131 static int net_sam_set_userflag(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
132 const char **argv, const char *field,
133 uint16 flag)
134 {
135 struct samu *sam_acct = NULL;
136 DOM_SID sid;
137 enum lsa_SidType type;
138 const char *dom, *name;
139 NTSTATUS status;
140 uint16 acct_flags;
141
142 if ((argc != 2) || c->display_usage ||
143 (!strequal(argv[1], "yes") &&
144 !strequal(argv[1], "no"))) {
145 d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n",
146 field);
147 return -1;
148 }
149
150 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
151 &dom, &name, &sid, &type)) {
152 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
153 return -1;
154 }
155
156 if (type != SID_NAME_USER) {
157 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
158 sid_type_lookup(type));
159 return -1;
160 }
161
162 if ( !(sam_acct = samu_new( NULL )) ) {
163 d_fprintf(stderr, "Internal error\n");
164 return -1;
165 }
166
167 if (!pdb_getsampwsid(sam_acct, &sid)) {
168 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
169 return -1;
170 }
171
172 acct_flags = pdb_get_acct_ctrl(sam_acct);
173
174 if (strequal(argv[1], "yes")) {
175 acct_flags |= flag;
176 } else {
177 acct_flags &= ~flag;
178 }
179
180 pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
181
182 status = pdb_update_sam_account(sam_acct);
183 if (!NT_STATUS_IS_OK(status)) {
184 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
185 argv[0], nt_errstr(status));
186 return -1;
187 }
188
189 TALLOC_FREE(sam_acct);
190
191 d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom,
192 name, argv[1]);
193 return 0;
194 }
195
196 static int net_sam_set_disabled(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
197 const char **argv)
198 {
199 return net_sam_set_userflag(c, argc, argv, "disabled", ACB_DISABLED);
200 }
201
202 static int net_sam_set_pwnotreq(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
203 const char **argv)
204 {
205 return net_sam_set_userflag(c, argc, argv, "pwnotreq", ACB_PWNOTREQ);
206 }
207
208 static int net_sam_set_autolock(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
209 const char **argv)
210 {
211 return net_sam_set_userflag(c, argc, argv, "autolock", ACB_AUTOLOCK);
212 }
213
214 static int net_sam_set_pwnoexp(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
215 const char **argv)
216 {
217 return net_sam_set_userflag(c, argc, argv, "pwnoexp", ACB_PWNOEXP);
218 }
219
220 /*
221 * Set pass last change time, based on force pass change now
222 */
223
224 static int net_sam_set_pwdmustchangenow(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
225 const char **argv)
226 {
227 struct samu *sam_acct = NULL;
228 DOM_SID sid;
229 enum lsa_SidType type;
230 const char *dom, *name;
231 NTSTATUS status;
232
233 if ((argc != 2) || c->display_usage ||
234 (!strequal(argv[1], "yes") &&
235 !strequal(argv[1], "no"))) {
236 d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n");
237 return -1;
238 }
239
240 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
241 &dom, &name, &sid, &type)) {
242 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
243 return -1;
244 }
245
246 if (type != SID_NAME_USER) {
247 d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
248 sid_type_lookup(type));
249 return -1;
250 }
251
252 if ( !(sam_acct = samu_new( NULL )) ) {
253 d_fprintf(stderr, "Internal error\n");
254 return -1;
255 }
256
257 if (!pdb_getsampwsid(sam_acct, &sid)) {
258 d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
259 return -1;
260 }
261
262 if (strequal(argv[1], "yes")) {
263 pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
264 } else {
265 pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
266 }
267
268 status = pdb_update_sam_account(sam_acct);
269 if (!NT_STATUS_IS_OK(status)) {
270 d_fprintf(stderr, "Updating sam account %s failed with %s\n",
271 argv[0], nt_errstr(status));
272 return -1;
273 }
274
275 TALLOC_FREE(sam_acct);
276
277 d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom,
278 name, argv[1]);
279 return 0;
280 }
281
282
283 /*
284 * Set a user's or a group's comment
285 */
286
287 static int net_sam_set_comment(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
288 const char **argv)
289 {
290 GROUP_MAP map;
291 DOM_SID sid;
292 enum lsa_SidType type;
293 const char *dom, *name;
294 NTSTATUS status;
295
296 if (argc != 2 || c->display_usage) {
297 d_fprintf(stderr, "usage: net sam set comment <name> "
298 "<comment>\n");
299 return -1;
300 }
301
302 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
303 &dom, &name, &sid, &type)) {
304 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
305 return -1;
306 }
307
308 if (type == SID_NAME_USER) {
309 return net_sam_userset(c, argc, argv, "comment",
310 pdb_set_acct_desc);
311 }
312
313 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
314 (type != SID_NAME_WKN_GRP)) {
315 d_fprintf(stderr, "%s is a %s, not a group\n", argv[0],
316 sid_type_lookup(type));
317 return -1;
318 }
319
320 if (!pdb_getgrsid(&map, sid)) {
321 d_fprintf(stderr, "Could not load group %s\n", argv[0]);
322 return -1;
323 }
324
325 fstrcpy(map.comment, argv[1]);
326
327 status = pdb_update_group_mapping_entry(&map);
328
329 if (!NT_STATUS_IS_OK(status)) {
330 d_fprintf(stderr, "Updating group mapping entry failed with "
331 "%s\n", nt_errstr(status));
332 return -1;
333 }
334
335 d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
336 argv[1]);
337
338 return 0;
339 }
340
341 static int net_sam_set(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
342 {
343 struct functable func[] = {
344 {
345 "homedir",
346 net_sam_set_homedir,
347 NET_TRANSPORT_LOCAL,
348 "Change a user's home directory",
349 "net sam set homedir\n"
350 " Change a user's home directory"
351 },
352 {
353 "profilepath",
354 net_sam_set_profilepath,
355 NET_TRANSPORT_LOCAL,
356 "Change a user's profile path",
357 "net sam set profilepath\n"
358 " Change a user's profile path"
359 },
360 {
361 "comment",
362 net_sam_set_comment,
363 NET_TRANSPORT_LOCAL,
364 "Change a users or groups description",
365 "net sam set comment\n"
366 " Change a users or groups description"
367 },
368 {
369 "fullname",
370 net_sam_set_fullname,
371 NET_TRANSPORT_LOCAL,
372 "Change a user's full name",
373 "net sam set fullname\n"
374 " Change a user's full name"
375 },
376 {
377 "logonscript",
378 net_sam_set_logonscript,
379 NET_TRANSPORT_LOCAL,
380 "Change a user's logon script",
381 "net sam set logonscript\n"
382 " Change a user's logon script"
383 },
384 {
385 "homedrive",
386 net_sam_set_homedrive,
387 NET_TRANSPORT_LOCAL,
388 "Change a user's home drive",
389 "net sam set homedrive\n"
390 " Change a user's home drive"
391 },
392 {
393 "workstations",
394 net_sam_set_workstations,
395 NET_TRANSPORT_LOCAL,
396 "Change a user's allowed workstations",
397 "net sam set workstations\n"
398 " Change a user's allowed workstations"
399 },
400 {
401 "disabled",
402 net_sam_set_disabled,
403 NET_TRANSPORT_LOCAL,
404 "Disable/Enable a user",
405 "net sam set disable\n"
406 " Disable/Enable a user"
407 },
408 {
409 "pwnotreq",
410 net_sam_set_pwnotreq,
411 NET_TRANSPORT_LOCAL,
412 "Disable/Enable the password not required flag",
413 "net sam set pwnotreq\n"
414 " Disable/Enable the password not required flag"
415 },
416 {
417 "autolock",
418 net_sam_set_autolock,
419 NET_TRANSPORT_LOCAL,
420 "Disable/Enable a user's lockout flag",
421 "net sam set autolock\n"
422 " Disable/Enable a user's lockout flag"
423 },
424 {
425 "pwnoexp",
426 net_sam_set_pwnoexp,
427 NET_TRANSPORT_LOCAL,
428 "Disable/Enable whether a user's pw does not expire",
429 "net sam set pwnoexp\n"
430 " Disable/Enable whether a user's pw does not expire"
431 },
432 {
433 "pwdmustchangenow",
434 net_sam_set_pwdmustchangenow,
435 NET_TRANSPORT_LOCAL,
436 "Force users password must change at next logon",
437 "net sam set pwdmustchangenow\n"
438 " Force users password must change at next logon"
439 },
440 {NULL, NULL, 0, NULL, NULL}
441 };
442
443 return net_run_function(c, argc, argv, "net sam set", func);
444 }
445
446 /*
447 * Manage account policies
448 */
449
450 static int net_sam_policy_set(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
451 {
452 const char *account_policy = NULL;
453 uint32 value = 0;
454 uint32 old_value = 0;
455 int field;
456 char *endptr;
457
458 if (argc != 2 || c->display_usage) {
459 d_fprintf(stderr, "usage: net sam policy set "
460 "\"<account policy>\" <value> \n");
461 return -1;
462 }
463
464 account_policy = argv[0];
465 field = account_policy_name_to_fieldnum(account_policy);
466
467 if (strequal(argv[1], "forever") || strequal(argv[1], "never")
468 || strequal(argv[1], "off")) {
469 value = -1;
470 }
471 else {
472 value = strtoul(argv[1], &endptr, 10);
473
474 if ((endptr == argv[1]) || (endptr[0] != '\0')) {
475 d_printf("Unable to set policy \"%s\"! Invalid value "
476 "\"%s\".\n",
477 account_policy, argv[1]);
478 return -1;
479 }
480 }
481
482 if (field == 0) {
483 const char **names;
484 int i, count;
485
486 account_policy_names_list(&names, &count);
487 d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]);
488 d_fprintf(stderr, "Valid account policies are:\n");
489
490 for (i=0; i<count; i++) {
491 d_fprintf(stderr, "%s\n", names[i]);
492 }
493
494 SAFE_FREE(names);
495 return -1;
496 }
497
498 if (!pdb_get_account_policy(field, &old_value)) {
499 d_fprintf(stderr, "Valid account policy, but unable to fetch "
500 "value!\n");
501 } else {
502 d_printf("Account policy \"%s\" value was: %d\n", account_policy,
503 old_value);
504 }
505
506 if (!pdb_set_account_policy(field, value)) {
507 d_fprintf(stderr, "Valid account policy, but unable to "
508 "set value!\n");
509 return -1;
510 } else {
511 d_printf("Account policy \"%s\" value is now: %d\n", account_policy,
512 value);
513 }
514
515 return 0;
516 }
517
518 static int net_sam_policy_show(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
519 {
520 const char *account_policy = NULL;
521 uint32 old_value;
522 int field;
523
524 if (argc != 1 || c->display_usage) {
525 d_fprintf(stderr, "usage: net sam policy show"
526 " \"<account policy>\" \n");
527 return -1;
528 }
529
530 account_policy = argv[0];
531 field = account_policy_name_to_fieldnum(account_policy);
532
533 if (field == 0) {
534 const char **names;
535 int count;
536 int i;
537 account_policy_names_list(&names, &count);
538 d_fprintf(stderr, "No account policy by that name!\n");
539 if (count != 0) {
540 d_fprintf(stderr, "Valid account policies "
541 "are:\n");
542 for (i=0; i<count; i++) {
543 d_fprintf(stderr, "%s\n", names[i]);
544 }
545 }
546 SAFE_FREE(names);
547 return -1;
548 }
549
550 if (!pdb_get_account_policy(field, &old_value)) {
551 fprintf(stderr, "Valid account policy, but unable to "
552 "fetch value!\n");
553 return -1;
554 }
555
556 printf("Account policy \"%s\" description: %s\n",
557 account_policy, account_policy_get_desc(field));
558 printf("Account policy \"%s\" value is: %d\n", account_policy,
559 old_value);
560 return 0;
561 }
562
563 static int net_sam_policy_list(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
564 {
565 const char **names;
566 int count;
567 int i;
568
569 if (c->display_usage) {
570 d_printf("Usage:\n"
571 "net sam policy list\n"
572 " List account policies\n");
573 return 0;
574 }
575
576 account_policy_names_list(&names, &count);
577 if (count != 0) {
578 d_fprintf(stderr, "Valid account policies "
579 "are:\n");
580 for (i = 0; i < count ; i++) {
581 d_fprintf(stderr, "%s\n", names[i]);
582 }
583 }
584 SAFE_FREE(names);
585 return -1;
586 }
587
588 static int net_sam_policy(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
589 {
590 struct functable func[] = {
591 {
592 "list",
593 net_sam_policy_list,
594 NET_TRANSPORT_LOCAL,
595 "List account policies",
596 "net sam policy list\n"
597 " List account policies"
598 },
599 {
600 "show",
601 net_sam_policy_show,
602 NET_TRANSPORT_LOCAL,
603 "Show account policies",
604 "net sam policy show\n"
605 " Show account policies"
606 },
607 {
608 "set",
609 net_sam_policy_set,
610 NET_TRANSPORT_LOCAL,
611 "Change account policies",
612 "net sam policy set\n"
613 " Change account policies"
614 },
615 {NULL, NULL, 0, NULL, NULL}
616 };
617
618 return net_run_function(c, argc, argv, "net sam policy", func);
619 }
620
621 extern PRIVS privs[];
622
623 static int net_sam_rights_list(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
624 const char **argv)
625 {
626 SE_PRIV mask;
627
628 if (argc > 1 || c->display_usage) {
629 d_fprintf(stderr, "usage: net sam rights list [privilege name]\n");
630 return -1;
631 }
632
633 if (argc == 0) {
634 int i;
635 int num = count_all_privileges();
636
637 for (i=0; i<num; i++) {
638 d_printf("%s\n", privs[i].name);
639 }
640 return 0;
641 }
642
643 if (se_priv_from_name(argv[0], &mask)) {
644 DOM_SID *sids;
645 int i, num_sids;
646 NTSTATUS status;
647
648 status = privilege_enum_sids(&mask, talloc_tos(),
649 &sids, &num_sids);
650 if (!NT_STATUS_IS_OK(status)) {
651 d_fprintf(stderr, "Could not list rights: %s\n",
652 nt_errstr(status));
653 return -1;
654 }
655
656 for (i=0; i<num_sids; i++) {
657 const char *dom, *name;
658 enum lsa_SidType type;
659
660 if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
661 &type)) {
662 d_printf("%s\\%s\n", dom, name);
663 }
664 else {
665 d_printf("%s\n", sid_string_tos(&sids[i]));
666 }
667 }
668 return 0;
669 }
670
671 return -1;
672 }
673
674 static int net_sam_rights_grant(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
675 const char **argv)
676 {
677 DOM_SID sid;
678 enum lsa_SidType type;
679 const char *dom, *name;
680 SE_PRIV mask;
681 int i;
682
683 if (argc < 2 || c->display_usage) {
684 d_fprintf(stderr, "usage: net sam rights grant <name> "
685 "<rights> ...\n");
686 return -1;
687 }
688
689 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
690 &dom, &name, &sid, &type)) {
691 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
692 return -1;
693 }
694
695 for (i=1; i < argc; i++) {
696 if (!se_priv_from_name(argv[i], &mask)) {
697 d_fprintf(stderr, "%s unknown\n", argv[i]);
698 return -1;
699 }
700
701 if (!grant_privilege(&sid, &mask)) {
702 d_fprintf(stderr, "Could not grant privilege\n");
703 return -1;
704 }
705
706 d_printf("Granted %s to %s\\%s\n", argv[i], dom, name);
707 }
708
709 return 0;
710 }
711
712 static int net_sam_rights_revoke(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
713 const char **argv)
714 {
715 DOM_SID sid;
716 enum lsa_SidType type;
717 const char *dom, *name;
718 SE_PRIV mask;
719 int i;
720
721 if (argc < 2 || c->display_usage) {
722 d_fprintf(stderr, "usage: net sam rights revoke <name> "
723 "<rights>\n");
724 return -1;
725 }
726
727 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
728 &dom, &name, &sid, &type)) {
729 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
730 return -1;
731 }
732
733 for (i=1; i < argc; i++) {
734
735 if (!se_priv_from_name(argv[i], &mask)) {
736 d_fprintf(stderr, "%s unknown\n", argv[i]);
737 return -1;
738 }
739
740 if (!revoke_privilege(&sid, &mask)) {
741 d_fprintf(stderr, "Could not revoke privilege\n");
742 return -1;
743 }
744
745 d_printf("Revoked %s from %s\\%s\n", argv[i], dom, name);
746 }
747
748 return 0;
749 }
750
751 static int net_sam_rights(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
752 {
753 struct functable func[] = {
754 {
755 "list",
756 net_sam_rights_list,
757 NET_TRANSPORT_LOCAL,
758 "List possible user rights",
759 "net sam rights list\n"
760 " List possible user rights"
761 },
762 {
763 "grant",
764 net_sam_rights_grant,
765 NET_TRANSPORT_LOCAL,
766 "Grant right(s)",
767 "net sam rights grant\n"
768 " Grant right(s)"
769 },
770 {
771 "revoke",
772 net_sam_rights_revoke,
773 NET_TRANSPORT_LOCAL,
774 "Revoke right(s)",
775 "net sam rights revoke\n"
776 " Revoke right(s)"
777 },
778 {NULL, NULL, 0, NULL, NULL}
779 };
780 return net_run_function(c, argc, argv, "net sam rights", func);
781 }
782
783 /*
784 * Map a unix group to a domain group
785 */
786
787 static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
/* [<][>][^][v][top][bottom][index][help] */
788 {
789 NTSTATUS status;
790 GROUP_MAP map;
791 const char *grpname, *dom, *name;
792 uint32 rid;
793
794 if (pdb_getgrgid(&map, grp->gr_gid)) {
795 return NT_STATUS_GROUP_EXISTS;
796 }
797
798 map.gid = grp->gr_gid;
799 grpname = grp->gr_name;
800
801 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
802 &dom, &name, NULL, NULL)) {
803
804 const char *tmp = talloc_asprintf(
805 talloc_tos(), "Unix Group %s", grp->gr_name);
806
807 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
808 grpname, dom, name, tmp));
809 grpname = tmp;
810 }
811
812 if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
813 NULL, NULL, NULL, NULL)) {
814 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
815 return NT_STATUS_GROUP_EXISTS;
816 }
817
818 fstrcpy(map.nt_name, grpname);
819
820 if (pdb_rid_algorithm()) {
821 rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
822 } else {
823 if (!pdb_new_rid(&rid)) {
824 DEBUG(3, ("Could not get a new RID for %s\n",
825 grp->gr_name));
826 return NT_STATUS_ACCESS_DENIED;
827 }
828 }
829
830 sid_compose(&map.sid, get_global_sam_sid(), rid);
831 map.sid_name_use = SID_NAME_DOM_GRP;
832 fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s",
833 grp->gr_name));
834
835 status = pdb_add_group_mapping_entry(&map);
836 if (NT_STATUS_IS_OK(status)) {
837 *pmap = map;
838 }
839 return status;
840 }
841
842 static int net_sam_mapunixgroup(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
843 {
844 NTSTATUS status;
845 GROUP_MAP map;
846 struct group *grp;
847
848 if (argc != 1 || c->display_usage) {
849 d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n");
850 return -1;
851 }
852
853 grp = getgrnam(argv[0]);
854 if (grp == NULL) {
855 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
856 return -1;
857 }
858
859 status = map_unix_group(grp, &map);
860
861 if (!NT_STATUS_IS_OK(status)) {
862 d_fprintf(stderr, "Mapping group %s failed with %s\n",
863 argv[0], nt_errstr(status));
864 return -1;
865 }
866
867 d_printf("Mapped unix group %s to SID %s\n", argv[0],
868 sid_string_tos(&map.sid));
869
870 return 0;
871 }
872
873 /*
874 * Remove a group mapping
875 */
876
877 static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
/* [<][>][^][v][top][bottom][index][help] */
878 {
879 NTSTATUS status;
880 GROUP_MAP map;
881 const char *grpname;
882 DOM_SID dom_sid;
883
884 map.gid = grp->gr_gid;
885 grpname = grp->gr_name;
886
887 if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
888 NULL, NULL, NULL, NULL)) {
889 DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
890 return NT_STATUS_NO_SUCH_GROUP;
891 }
892
893 fstrcpy(map.nt_name, grpname);
894
895 if (!pdb_gid_to_sid(map.gid, &dom_sid)) {
896 return NT_STATUS_UNSUCCESSFUL;
897 }
898
899 status = pdb_delete_group_mapping_entry(dom_sid);
900
901 return status;
902 }
903
904 static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
905 {
906 NTSTATUS status;
907 GROUP_MAP map;
908 struct group *grp;
909
910 if (argc != 1 || c->display_usage) {
911 d_fprintf(stderr, "usage: net sam unmapunixgroup <name>\n");
912 return -1;
913 }
914
915 grp = getgrnam(argv[0]);
916 if (grp == NULL) {
917 d_fprintf(stderr, "Could not find mapping for group %s.\n", argv[0]);
918 return -1;
919 }
920
921 status = unmap_unix_group(grp, &map);
922
923 if (!NT_STATUS_IS_OK(status)) {
924 d_fprintf(stderr, "Unmapping group %s failed with %s.\n",
925 argv[0], nt_errstr(status));
926 return -1;
927 }
928
929 d_printf("Unmapped unix group %s.\n", argv[0]);
930
931 return 0;
932 }
933
934 /*
935 * Create a local group
936 */
937
938 static int net_sam_createlocalgroup(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
939 {
940 NTSTATUS status;
941 uint32 rid;
942
943 if (argc != 1 || c->display_usage) {
944 d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n");
945 return -1;
946 }
947
948 if (!winbind_ping()) {
949 d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
950 "only works when winbind runs.\n");
951 return -1;
952 }
953
954 status = pdb_create_alias(argv[0], &rid);
955
956 if (!NT_STATUS_IS_OK(status)) {
957 d_fprintf(stderr, "Creating %s failed with %s\n",
958 argv[0], nt_errstr(status));
959 return -1;
960 }
961
962 d_printf("Created local group %s with RID %d\n", argv[0], rid);
963
964 return 0;
965 }
966
967 /*
968 * Delete a local group
969 */
970
971 static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
972 {
973 DOM_SID sid;
974 enum lsa_SidType type;
975 const char *dom, *name;
976 NTSTATUS status;
977
978 if (argc != 1 || c->display_usage) {
979 d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n");
980 return -1;
981 }
982
983 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
984 &dom, &name, &sid, &type)) {
985 d_fprintf(stderr, "Could not find %s.\n", argv[0]);
986 return -1;
987 }
988
989 if (type != SID_NAME_ALIAS) {
990 d_fprintf(stderr, "%s is a %s, not a local group.\n", argv[0],
991 sid_type_lookup(type));
992 return -1;
993 }
994
995 status = pdb_delete_alias(&sid);
996
997 if (!NT_STATUS_IS_OK(status)) {
998 d_fprintf(stderr, "Deleting local group %s failed with %s\n",
999 argv[0], nt_errstr(status));
1000 return -1;
1001 }
1002
1003 d_printf("Deleted local group %s.\n", argv[0]);
1004
1005 return 0;
1006 }
1007
1008 /*
1009 * Create a builtin group
1010 */
1011
1012 static int net_sam_createbuiltingroup(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1013 {
1014 NTSTATUS status;
1015 uint32 rid;
1016 enum lsa_SidType type;
1017 fstring groupname;
1018 DOM_SID sid;
1019
1020 if (argc != 1 || c->display_usage) {
1021 d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n");
1022 return -1;
1023 }
1024
1025 if (!winbind_ping()) {
1026 d_fprintf(stderr, "winbind seems not to run. createbuiltingroup "
1027 "only works when winbind runs.\n");
1028 return -1;
1029 }
1030
1031 /* validate the name and get the group */
1032
1033 fstrcpy( groupname, "BUILTIN\\" );
1034 fstrcat( groupname, argv[0] );
1035
1036 if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
1037 NULL, &sid, &type)) {
1038 d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]);
1039 return -1;
1040 }
1041
1042 if ( !sid_peek_rid( &sid, &rid ) ) {
1043 d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]);
1044 return -1;
1045 }
1046
1047 status = pdb_create_builtin_alias( rid );
1048
1049 if (!NT_STATUS_IS_OK(status)) {
1050 d_fprintf(stderr, "Creating %s failed with %s\n",
1051 argv[0], nt_errstr(status));
1052 return -1;
1053 }
1054
1055 d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid);
1056
1057 return 0;
1058 }
1059
1060 /*
1061 * Add a group member
1062 */
1063
1064 static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1065 {
1066 const char *groupdomain, *groupname, *memberdomain, *membername;
1067 DOM_SID group, member;
1068 enum lsa_SidType grouptype, membertype;
1069 NTSTATUS status;
1070
1071 if (argc != 2 || c->display_usage) {
1072 d_fprintf(stderr, "usage: net sam addmem <group> <member>\n");
1073 return -1;
1074 }
1075
1076 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1077 &groupdomain, &groupname, &group, &grouptype)) {
1078 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
1079 return -1;
1080 }
1081
1082 /* check to see if the member to be added is a name or a SID */
1083
1084 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1085 &memberdomain, &membername, &member, &membertype))
1086 {
1087 /* try it as a SID */
1088
1089 if ( !string_to_sid( &member, argv[1] ) ) {
1090 d_fprintf(stderr, "Could not find member %s\n", argv[1]);
1091 return -1;
1092 }
1093
1094 if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
1095 &membername, &membertype) )
1096 {
1097 d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]);
1098 return -1;
1099 }
1100 }
1101
1102 if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
1103 if ((membertype != SID_NAME_USER) &&
1104 (membertype != SID_NAME_DOM_GRP)) {
1105 d_fprintf(stderr, "%s is a local group, only users "
1106 "and domain groups can be added.\n"
1107 "%s is a %s\n", argv[0], argv[1],
1108 sid_type_lookup(membertype));
1109 return -1;
1110 }
1111 status = pdb_add_aliasmem(&group, &member);
1112
1113 if (!NT_STATUS_IS_OK(status)) {
1114 d_fprintf(stderr, "Adding local group member failed "
1115 "with %s\n", nt_errstr(status));
1116 return -1;
1117 }
1118 } else {
1119 d_fprintf(stderr, "Can only add members to local groups so "
1120 "far, %s is a %s\n", argv[0],
1121 sid_type_lookup(grouptype));
1122 return -1;
1123 }
1124
1125 d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername,
1126 groupdomain, groupname);
1127
1128 return 0;
1129 }
1130
1131 /*
1132 * Delete a group member
1133 */
1134
1135 static int net_sam_delmem(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1136 {
1137 const char *groupdomain, *groupname;
1138 const char *memberdomain = NULL;
1139 const char *membername = NULL;
1140 DOM_SID group, member;
1141 enum lsa_SidType grouptype;
1142 NTSTATUS status;
1143
1144 if (argc != 2 || c->display_usage) {
1145 d_fprintf(stderr, "usage: net sam delmem <group> <member>\n");
1146 return -1;
1147 }
1148
1149 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1150 &groupdomain, &groupname, &group, &grouptype)) {
1151 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
1152 return -1;
1153 }
1154
1155 if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
1156 &memberdomain, &membername, &member, NULL)) {
1157 if (!string_to_sid(&member, argv[1])) {
1158 d_fprintf(stderr, "Could not find member %s\n",
1159 argv[1]);
1160 return -1;
1161 }
1162 }
1163
1164 if ((grouptype == SID_NAME_ALIAS) ||
1165 (grouptype == SID_NAME_WKN_GRP)) {
1166 status = pdb_del_aliasmem(&group, &member);
1167
1168 if (!NT_STATUS_IS_OK(status)) {
1169 d_fprintf(stderr, "Deleting local group member failed "
1170 "with %s\n", nt_errstr(status));
1171 return -1;
1172 }
1173 } else {
1174 d_fprintf(stderr, "Can only delete members from local groups "
1175 "so far, %s is a %s\n", argv[0],
1176 sid_type_lookup(grouptype));
1177 return -1;
1178 }
1179
1180 if (membername != NULL) {
1181 d_printf("Deleted %s\\%s from %s\\%s\n",
1182 memberdomain, membername, groupdomain, groupname);
1183 } else {
1184 d_printf("Deleted %s from %s\\%s\n",
1185 sid_string_tos(&member), groupdomain, groupname);
1186 }
1187
1188 return 0;
1189 }
1190
1191 /*
1192 * List group members
1193 */
1194
1195 static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1196 {
1197 const char *groupdomain, *groupname;
1198 DOM_SID group;
1199 enum lsa_SidType grouptype;
1200 NTSTATUS status;
1201
1202 if (argc != 1 || c->display_usage) {
1203 d_fprintf(stderr, "usage: net sam listmem <group>\n");
1204 return -1;
1205 }
1206
1207 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1208 &groupdomain, &groupname, &group, &grouptype)) {
1209 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
1210 return -1;
1211 }
1212
1213 if ((grouptype == SID_NAME_ALIAS) ||
1214 (grouptype == SID_NAME_WKN_GRP)) {
1215 DOM_SID *members = NULL;
1216 size_t i, num_members = 0;
1217
1218 status = pdb_enum_aliasmem(&group, &members, &num_members);
1219
1220 if (!NT_STATUS_IS_OK(status)) {
1221 d_fprintf(stderr, "Listing group members failed with "
1222 "%s\n", nt_errstr(status));
1223 return -1;
1224 }
1225
1226 d_printf("%s\\%s has %u members\n", groupdomain, groupname,
1227 (unsigned int)num_members);
1228 for (i=0; i<num_members; i++) {
1229 const char *dom, *name;
1230 if (lookup_sid(talloc_tos(), &members[i],
1231 &dom, &name, NULL)) {
1232 d_printf(" %s\\%s\n", dom, name);
1233 } else {
1234 d_printf(" %s\n", sid_string_tos(&members[i]));
1235 }
1236 }
1237
1238 TALLOC_FREE(members);
1239 } else {
1240 d_fprintf(stderr, "Can only list local group members so far.\n"
1241 "%s is a %s\n", argv[0], sid_type_lookup(grouptype));
1242 return -1;
1243 }
1244
1245 return 0;
1246 }
1247
1248 /*
1249 * Do the listing
1250 */
1251 static int net_sam_do_list(struct net_context *c, int argc, const char **argv,
/* [<][>][^][v][top][bottom][index][help] */
1252 struct pdb_search *search, const char *what)
1253 {
1254 bool verbose = (argc == 1);
1255
1256 if ((argc > 1) || c->display_usage ||
1257 ((argc == 1) && !strequal(argv[0], "verbose"))) {
1258 d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what);
1259 return -1;
1260 }
1261
1262 if (search == NULL) {
1263 d_fprintf(stderr, "Could not start search\n");
1264 return -1;
1265 }
1266
1267 while (true) {
1268 struct samr_displayentry entry;
1269 if (!search->next_entry(search, &entry)) {
1270 break;
1271 }
1272 if (verbose) {
1273 d_printf("%s:%d:%s\n",
1274 entry.account_name,
1275 entry.rid,
1276 entry.description);
1277 } else {
1278 d_printf("%s\n", entry.account_name);
1279 }
1280 }
1281
1282 TALLOC_FREE(search);
1283 return 0;
1284 }
1285
1286 static int net_sam_list_users(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
1287 const char **argv)
1288 {
1289 return net_sam_do_list(c, argc, argv,
1290 pdb_search_users(talloc_tos(), ACB_NORMAL),
1291 "users");
1292 }
1293
1294 static int net_sam_list_groups(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
1295 const char **argv)
1296 {
1297 return net_sam_do_list(c, argc, argv, pdb_search_groups(talloc_tos()),
1298 "groups");
1299 }
1300
1301 static int net_sam_list_localgroups(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
1302 const char **argv)
1303 {
1304 return net_sam_do_list(c, argc, argv,
1305 pdb_search_aliases(talloc_tos(),
1306 get_global_sam_sid()),
1307 "localgroups");
1308 }
1309
1310 static int net_sam_list_builtin(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
1311 const char **argv)
1312 {
1313 return net_sam_do_list(c, argc, argv,
1314 pdb_search_aliases(talloc_tos(),
1315 &global_sid_Builtin),
1316 "builtin");
1317 }
1318
1319 static int net_sam_list_workstations(struct net_context *c, int argc,
/* [<][>][^][v][top][bottom][index][help] */
1320 const char **argv)
1321 {
1322 return net_sam_do_list(c, argc, argv,
1323 pdb_search_users(talloc_tos(), ACB_WSTRUST),
1324 "workstations");
1325 }
1326
1327 /*
1328 * List stuff
1329 */
1330
1331 static int net_sam_list(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1332 {
1333 struct functable func[] = {
1334 {
1335 "users",
1336 net_sam_list_users,
1337 NET_TRANSPORT_LOCAL,
1338 "List SAM users",
1339 "net sam list users\n"
1340 " List SAM users"
1341 },
1342 {
1343 "groups",
1344 net_sam_list_groups,
1345 NET_TRANSPORT_LOCAL,
1346 "List SAM groups",
1347 "net sam list groups\n"
1348 " List SAM groups"
1349 },
1350 {
1351 "localgroups",
1352 net_sam_list_localgroups,
1353 NET_TRANSPORT_LOCAL,
1354 "List SAM local groups",
1355 "net sam list localgroups\n"
1356 " List SAM local groups"
1357 },
1358 {
1359 "builtin",
1360 net_sam_list_builtin,
1361 NET_TRANSPORT_LOCAL,
1362 "List builtin groups",
1363 "net sam list builtin\n"
1364 " List builtin groups"
1365 },
1366 {
1367 "workstations",
1368 net_sam_list_workstations,
1369 NET_TRANSPORT_LOCAL,
1370 "List domain member workstations",
1371 "net sam list workstations\n"
1372 " List domain member workstations"
1373 },
1374 {NULL, NULL, 0, NULL, NULL}
1375 };
1376
1377 return net_run_function(c, argc, argv, "net sam list", func);
1378 }
1379
1380 /*
1381 * Show details of SAM entries
1382 */
1383
1384 static int net_sam_show(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1385 {
1386 DOM_SID sid;
1387 enum lsa_SidType type;
1388 const char *dom, *name;
1389
1390 if (argc != 1 || c->display_usage) {
1391 d_fprintf(stderr, "usage: net sam show <name>\n");
1392 return -1;
1393 }
1394
1395 if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
1396 &dom, &name, &sid, &type)) {
1397 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
1398 return -1;
1399 }
1400
1401 d_printf("%s\\%s is a %s with SID %s\n", dom, name,
1402 sid_type_lookup(type), sid_string_tos(&sid));
1403
1404 return 0;
1405 }
1406
1407 #ifdef HAVE_LDAP
1408
1409 /*
1410 * Init an LDAP tree with default users and Groups
1411 * if ldapsam:editposix is enabled
1412 */
1413
1414 static int net_sam_provision(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1415 {
1416 TALLOC_CTX *tc;
1417 char *ldap_bk;
1418 char *ldap_uri = NULL;
1419 char *p;
1420 struct smbldap_state *ls;
1421 GROUP_MAP gmap;
1422 DOM_SID gsid;
1423 gid_t domusers_gid = -1;
1424 gid_t domadmins_gid = -1;
1425 struct samu *samuser;
1426 struct passwd *pwd;
1427 const char *rfc2307bis_str = NULL; /* for lp_parm_string return value */
1428
1429 if (c->display_usage) {
1430 d_printf("Usage:\n"
1431 "net sam provision\n"
1432 " Init an LDAP tree with default users/groups\n");
1433 return 0;
1434 }
1435
1436 tc = talloc_new(NULL);
1437 if (!tc) {
1438 d_fprintf(stderr, "Out of Memory!\n");
1439 return -1;
1440 }
1441
1442 if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
1443 d_fprintf(stderr, "talloc failed\n");
1444 talloc_free(tc);
1445 return -1;
1446 }
1447 p = strchr(ldap_bk, ':');
1448 if (p) {
1449 *p = 0;
1450 ldap_uri = talloc_strdup(tc, p+1);
1451 trim_char(ldap_uri, ' ', ' ');
1452 }
1453
1454 trim_char(ldap_bk, ' ', ' ');
1455
1456 if (strcmp(ldap_bk, "ldapsam") != 0) {
1457 d_fprintf(stderr, "Provisioning works only with ldapsam backend\n");
1458 goto failed;
1459 }
1460
1461 if (!lp_parm_bool(-1, "ldapsam", "trusted", false) ||
1462 !lp_parm_bool(-1, "ldapsam", "editposix", false)) {
1463
1464 d_fprintf(stderr, "Provisioning works only if ldapsam:trusted"
1465 " and ldapsam:editposix are enabled.\n");
1466 goto failed;
1467 }
1468
1469 if (!winbind_ping()) {
1470 d_fprintf(stderr, "winbind seems not to run. Provisioning "
1471 "LDAP only works when winbind runs.\n");
1472 goto failed;
1473 }
1474
1475 if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
1476 d_fprintf(stderr, "Unable to connect to the LDAP server.\n");
1477 goto failed;
1478 }
1479
1480 d_printf("Checking for Domain Users group.\n");
1481
1482 rfc2307bis_str = lp_parm_const_string(-1,"ldapsam","editposix_rfc2307bis",NULL); /* get option */
1483 d_printf("ldapsam:editposix_rfc2307bis = %s\n",rfc2307bis_str);
1484
1485 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
1486
1487 if (!pdb_getgrsid(&gmap, gsid)) {
1488 LDAPMod **mods = NULL;
1489 char *dn;
1490 char *uname;
1491 char *wname;
1492 char *gidstr;
1493 char *gtype;
1494 int rc;
1495
1496 d_printf("Adding the Domain Users group.\n");
1497
1498 /* lets allocate a new groupid for this group */
1499 if (!winbind_allocate_gid(&domusers_gid)) {
1500 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n");
1501 goto domu_done;
1502 }
1503
1504 uname = talloc_strdup(tc, "domusers");
1505 wname = talloc_strdup(tc, "Domain Users");
1506 dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
1507 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domusers_gid);
1508 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1509
1510 if (!uname || !wname || !dn || !gidstr || !gtype) {
1511 d_fprintf(stderr, "Out of Memory!\n");
1512 goto failed;
1513 }
1514
1515 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1516 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1517
1518 if (rfc2307bis_str && strequal(rfc2307bis_str, "namedObject")) {
1519 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_NAMEDOBJECT);
1520 } else if (strequal(rfc2307bis_str, "groupOfNames")) {
1521 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPOFNAMES);
1522 smbldap_set_mod(&mods, LDAP_MOD_ADD, "member", dn);
1523 }
1524
1525 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1526 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1527 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1528 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1529 sid_string_talloc(tc, &gsid));
1530 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1531
1532 talloc_autofree_ldapmod(tc, mods);
1533
1534 rc = smbldap_add(ls, dn, mods);
1535
1536 if (rc != LDAP_SUCCESS) {
1537 d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n");
1538 }
1539 } else {
1540 domusers_gid = gmap.gid;
1541 d_printf("found!\n");
1542 }
1543
1544 domu_done:
1545
1546 d_printf("Checking for Domain Admins group.\n");
1547
1548 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
1549
1550 if (!pdb_getgrsid(&gmap, gsid)) {
1551 LDAPMod **mods = NULL;
1552 char *dn;
1553 char *uname;
1554 char *wname;
1555 char *gidstr;
1556 char *gtype;
1557 int rc;
1558
1559 d_printf("Adding the Domain Admins group.\n");
1560
1561 /* lets allocate a new groupid for this group */
1562 if (!winbind_allocate_gid(&domadmins_gid)) {
1563 d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n");
1564 goto doma_done;
1565 }
1566
1567 uname = talloc_strdup(tc, "domadmins");
1568 wname = talloc_strdup(tc, "Domain Admins");
1569 dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
1570 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1571 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1572
1573 if (!uname || !wname || !dn || !gidstr || !gtype) {
1574 d_fprintf(stderr, "Out of Memory!\n");
1575 goto failed;
1576 }
1577
1578 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1579 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1580
1581 if (rfc2307bis_str && strequal(rfc2307bis_str, "namedObject")) {
1582 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_NAMEDOBJECT);
1583 } else if (strequal(rfc2307bis_str, "groupOfNames")) {
1584 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPOFNAMES);
1585 smbldap_set_mod(&mods, LDAP_MOD_ADD, "member", dn);
1586 }
1587
1588 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1589 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1590 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1591 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1592 sid_string_talloc(tc, &gsid));
1593 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1594
1595 talloc_autofree_ldapmod(tc, mods);
1596
1597 rc = smbldap_add(ls, dn, mods);
1598
1599 if (rc != LDAP_SUCCESS) {
1600 d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n");
1601 }
1602 } else {
1603 domadmins_gid = gmap.gid;
1604 d_printf("found!\n");
1605 }
1606
1607 doma_done:
1608
1609 d_printf("Check for Administrator account.\n");
1610
1611 samuser = samu_new(tc);
1612 if (!samuser) {
1613 d_fprintf(stderr, "Out of Memory!\n");
1614 goto failed;
1615 }
1616
1617 if (!pdb_getsampwnam(samuser, "Administrator")) {
1618 LDAPMod **mods = NULL;
1619 DOM_SID sid;
1620 char *dn;
1621 char *name;
1622 char *uidstr;
1623 char *gidstr;
1624 char *shell;
1625 char *dir;
1626 uid_t uid;
1627 int rc;
1628
1629 d_printf("Adding the Administrator user.\n");
1630
1631 if (domadmins_gid == -1) {
1632 d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n");
1633 goto done;
1634 }
1635 if (!winbind_allocate_uid(&uid)) {
1636 d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n");
1637 goto done;
1638 }
1639 name = talloc_strdup(tc, "Administrator");
1640 dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
1641 uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
1642 gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
1643 dir = talloc_sub_specified(tc, lp_template_homedir(),
1644 "Administrator",
1645 get_global_sam_name(),
1646 uid, domadmins_gid);
1647 shell = talloc_sub_specified(tc, lp_template_shell(),
1648 "Administrator",
1649 get_global_sam_name(),
1650 uid, domadmins_gid);
1651
1652 if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
1653 d_fprintf(stderr, "Out of Memory!\n");
1654 goto failed;
1655 }
1656
1657 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
1658
1659 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1660 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1661 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1662 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
1663 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1664 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
1665 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1666 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1667 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
1668 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
1669 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1670 sid_string_talloc(tc, &sid));
1671 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1672 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1673 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1674
1675 talloc_autofree_ldapmod(tc, mods);
1676
1677 rc = smbldap_add(ls, dn, mods);
1678
1679 if (rc != LDAP_SUCCESS) {
1680 d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n");
1681 }
1682 } else {
1683 d_printf("found!\n");
1684 }
1685
1686 d_printf("Checking for Guest user.\n");
1687
1688 samuser = samu_new(tc);
1689 if (!samuser) {
1690 d_fprintf(stderr, "Out of Memory!\n");
1691 goto failed;
1692 }
1693
1694 if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
1695 LDAPMod **mods = NULL;
1696 DOM_SID sid;
1697 char *dn;
1698 char *uidstr;
1699 char *gidstr;
1700 int rc;
1701
1702 d_printf("Adding the Guest user.\n");
1703
1704 pwd = getpwnam_alloc(tc, lp_guestaccount());
1705
1706 if (!pwd) {
1707 if (domusers_gid == -1) {
1708 d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n");
1709 goto done;
1710 }
1711 if ((pwd = talloc(tc, struct passwd)) == NULL) {
1712 d_fprintf(stderr, "talloc failed\n");
1713 goto done;
1714 }
1715 pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
1716 if (!winbind_allocate_uid(&(pwd->pw_uid))) {
1717 d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n");
1718 goto done;
1719 }
1720 pwd->pw_gid = domusers_gid;
1721 pwd->pw_dir = talloc_strdup(tc, "/");
1722 pwd->pw_shell = talloc_strdup(tc, "/bin/false");
1723 if (!pwd->pw_dir || !pwd->pw_shell) {
1724 d_fprintf(stderr, "Out of Memory!\n");
1725 goto failed;
1726 }
1727 }
1728
1729 sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
1730
1731 dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
1732 uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
1733 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1734 if (!dn || !uidstr || !gidstr) {
1735 d_fprintf(stderr, "Out of Memory!\n");
1736 goto failed;
1737 }
1738
1739 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
1740 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
1741 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
1742 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
1743 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
1744 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
1745 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
1746 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1747 if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
1748 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
1749 }
1750 if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
1751 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
1752 }
1753 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
1754 sid_string_talloc(tc, &sid));
1755 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
1756 pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
1757 NEW_PW_FORMAT_SPACE_PADDED_LEN));
1758
1759 talloc_autofree_ldapmod(tc, mods);
1760
1761 rc = smbldap_add(ls, dn, mods);
1762
1763 if (rc != LDAP_SUCCESS) {
1764 d_fprintf(stderr, "Failed to add Guest user to ldap directory\n");
1765 }
1766 } else {
1767 d_printf("found!\n");
1768 }
1769
1770 d_printf("Checking Guest's group.\n");
1771
1772 pwd = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
1773 if (!pwd) {
1774 d_fprintf(stderr, "Failed to find just created Guest account!\n"
1775 " Is nss properly configured?!\n");
1776 goto failed;
1777 }
1778
1779 if (pwd->pw_gid == domusers_gid) {
1780 d_printf("found!\n");
1781 goto done;
1782 }
1783
1784 if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
1785 LDAPMod **mods = NULL;
1786 char *dn;
1787 char *uname;
1788 char *wname;
1789 char *gidstr;
1790 char *gtype;
1791 int rc;
1792
1793 d_printf("Adding the Domain Guests group.\n");
1794
1795 uname = talloc_strdup(tc, "domguests");
1796 wname = talloc_strdup(tc, "Domain Guests");
1797 dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
1798 gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
1799 gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
1800
1801 if (!uname || !wname || !dn || !gidstr || !gtype) {
1802 d_fprintf(stderr, "Out of Memory!\n");
1803 goto failed;
1804 }
1805
1806 sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
1807
1808 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
1809 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
1810
1811 if (rfc2307bis_str && strequal(rfc2307bis_str, "namedObject")) {
1812 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_NAMEDOBJECT);
1813 } else if (strequal(rfc2307bis_str, "groupOfNames")) {
1814 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPOFNAMES);
1815 smbldap_set_mod(&mods, LDAP_MOD_ADD, "member", dn);
1816 }
1817
1818 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
1819 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
1820 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
1821 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
1822 sid_string_talloc(tc, &gsid));
1823 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
1824
1825 talloc_autofree_ldapmod(tc, mods);
1826
1827 rc = smbldap_add(ls, dn, mods);
1828
1829 if (rc != LDAP_SUCCESS) {
1830 d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n");
1831 }
1832 } else {
1833 d_printf("found!\n");
1834 }
1835
1836
1837 done:
1838 talloc_free(tc);
1839 return 0;
1840
1841 failed:
1842 talloc_free(tc);
1843 return -1;
1844 }
1845
1846 #endif
1847
1848 /***********************************************************
1849 migrated functionality from smbgroupedit
1850 **********************************************************/
1851 int net_sam(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
1852 {
1853 struct functable func[] = {
1854 {
1855 "createbuiltingroup",
1856 net_sam_createbuiltingroup,
1857 NET_TRANSPORT_LOCAL,
1858 "Create a new BUILTIN group",
1859 "net sam createbuiltingroup\n"
1860 " Create a new BUILTIN group"
1861 },
1862 {
1863 "createlocalgroup",
1864 net_sam_createlocalgroup,
1865 NET_TRANSPORT_LOCAL,
1866 "Create a new local group",
1867 "net sam createlocalgroup\n"
1868 " Create a new local group"
1869 },
1870 {
1871 "deletelocalgroup",
1872 net_sam_deletelocalgroup,
1873 NET_TRANSPORT_LOCAL,
1874 "Delete an existing local group",
1875 "net sam deletelocalgroup\n"
1876 " Delete an existing local group"
1877 },
1878 {
1879 "mapunixgroup",
1880 net_sam_mapunixgroup,
1881 NET_TRANSPORT_LOCAL,
1882 "Map a unix group to a domain group",
1883 "net sam mapunixgroup\n"
1884 " Map a unix group to a domain group"
1885 },
1886 {
1887 "unmapunixgroup",
1888 net_sam_unmapunixgroup,
1889 NET_TRANSPORT_LOCAL,
1890 "Remove a group mapping of an unix group to a domain "
1891 "group",
1892 "net sam unmapunixgroup\n"
1893 " Remove a group mapping of an unix group to a "
1894 "domain group"
1895 },
1896 {
1897 "addmem",
1898 net_sam_addmem,
1899 NET_TRANSPORT_LOCAL,
1900 "Add a member to a group",
1901 "net sam addmem\n"
1902 " Add a member to a group"
1903 },
1904 {
1905 "delmem",
1906 net_sam_delmem,
1907 NET_TRANSPORT_LOCAL,
1908 "Delete a member from a group",
1909 "net sam delmem\n"
1910 " Delete a member from a group"
1911 },
1912 {
1913 "listmem",
1914 net_sam_listmem,
1915 NET_TRANSPORT_LOCAL,
1916 "List group members",
1917 "net sam listmem\n"
1918 " List group members"
1919 },
1920 {
1921 "list",
1922 net_sam_list,
1923 NET_TRANSPORT_LOCAL,
1924 "List users, groups and local groups",
1925 "net sam list\n"
1926 " List users, groups and local groups"
1927 },
1928 {
1929 "show",
1930 net_sam_show,
1931 NET_TRANSPORT_LOCAL,
1932 "Show details of a SAM entry",
1933 "net sam show\n"
1934 " Show details of a SAM entry"
1935 },
1936 {
1937 "set",
1938 net_sam_set,
1939 NET_TRANSPORT_LOCAL,
1940 "Set details of a SAM account",
1941 "net sam set\n"
1942 " Set details of a SAM account"
1943 },
1944 {
1945 "policy",
1946 net_sam_policy,
1947 NET_TRANSPORT_LOCAL,
1948 "Set account policies",
1949 "net sam policy\n"
1950 " Set account policies"
1951 },
1952 {
1953 "rights",
1954 net_sam_rights,
1955 NET_TRANSPORT_LOCAL,
1956 "Manipulate user privileges",
1957 "net sam rights\n"
1958 " Manipulate user privileges"
1959 },
1960 #ifdef HAVE_LDAP
1961 {
1962 "provision",
1963 net_sam_provision,
1964 NET_TRANSPORT_LOCAL,
1965 "Provision a clean user database",
1966 "net sam privison\n"
1967 " Provision a clear user database"
1968 },
1969 #endif
1970 {NULL, NULL, 0, NULL, NULL}
1971 };
1972
1973 if (getuid() != 0) {
1974 d_fprintf(stderr, "You are not root, most things won't "
1975 "work\n");
1976 }
1977
1978 return net_run_function(c, argc, argv, "net sam", func);
1979 }
1980