/*
determine the netbios workgroup name for a domain
*/
static int net_ads_workgroup(int argc, const char **argv)
{
ADS_STRUCT *ads;
TALLOC_CTX *ctx;
const char *workgroup;
if (!(ads = ads_startup())) return -1;
if (!(ctx = talloc_init("net_ads_workgroup"))) {
ads_destroy(&ads);
return -1;
}
if (!ADS_ERR_OK(ads_workgroup_name(ads, ctx, &workgroup))) {
d_printf("Failed to find workgroup for realm '%s'\n",
ads->config.realm);
talloc_destroy(ctx);
ads_destroy(&ads);
return -1;
}
d_printf("Workgroup: %s\n", workgroup);
talloc_destroy(ctx);
ads_destroy(&ads);
return 0;
}
static int net_ads_leave(int argc, const char **argv)
{
ADS_STRUCT *ads = NULL;
ADS_STATUS rc;
if (!secrets_init()) {
DEBUG(1,("Failed to initialise secrets database\n"));
return -1;
}
if (!opt_password) {
net_use_machine_password();
}
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_leave_realm(ads, global_myname());
if (!ADS_ERR_OK(rc)) {
d_printf("Failed to delete host '%s' from the '%s' realm.\n",
global_myname(), ads->config.realm);
ads_destroy(&ads);
return -1;
}
d_printf("Removed '%s' from realm '%s'\n", global_myname(), ads->config.realm);
ads_destroy(&ads);
return 0;
}
static int net_ads_printer_search(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res = NULL;
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_find_printers(ads, &res);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_printer: %s\n", ads_errstr(rc));
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("No results found\n");
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
ads_dump(ads, res);
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
static int ads_group_delete(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res;
char *groupdn;
if (argc < 1) {
return net_ads_group_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_find_user_acct(ads, &res, argv[0]);
if (!ADS_ERR_OK(rc)) {
DEBUG(0, ("Group %s does not exist\n", argv[0]));
ads_destroy(&ads);
return -1;
}
groupdn = ads_get_dn(ads, res);
ads_msgfree(ads, res);
rc = ads_del_dn(ads, groupdn);
ads_memfree(ads, groupdn);
if (!ADS_ERR_OK(rc)) {
d_printf("Group %s deleted\n", argv[0]);
ads_destroy(&ads);
return 0;
}
d_printf("Error deleting group %s: %s\n", argv[0],
ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
static int net_ads_status(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res;
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_find_machine_acct(ads, &res, global_myname());
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_machine_acct: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("No machine account for '%s' found\n", global_myname());
ads_destroy(&ads);
return -1;
}
ads_dump(ads, res);
ads_destroy(&ads);
return 0;
}
static int net_ads_printer_remove(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *servername;
char *prt_dn;
void *res = NULL;
if (!(ads = ads_startup())) {
return -1;
}
if (argc < 1) {
return net_ads_printer_usage(argc, argv);
}
if (argc > 1) {
servername = argv[1];
} else {
servername = global_myname();
}
rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_printer_on_server: %s\n", ads_errstr(rc));
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("Printer '%s' not found\n", argv[1]);
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
prt_dn = ads_get_dn(ads, res);
ads_msgfree(ads, res);
rc = ads_del_dn(ads, prt_dn);
ads_memfree(ads, prt_dn);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_del_dn: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
ads_destroy(&ads);
return 0;
}
static int ads_user_info(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res;
const char *attrs[] = {"memberOf", NULL};
char *searchstring=NULL;
char **grouplist;
char *escaped_user = escape_ldap_string_alloc(argv[0]);
if (argc < 1) {
return net_ads_user_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
if (!escaped_user) {
d_printf("ads_user_info: failed to escape user %s\n", argv[0]);
ads_destroy(&ads);
return -1;
}
asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user);
rc = ads_search(ads, &res, searchstring, attrs);
safe_free(searchstring);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_search: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
grouplist = ldap_get_values(ads->ld, res, "memberOf");
if (grouplist) {
int i;
char **groupname;
for (i=0;grouplist[i];i++) {
groupname = ldap_explode_dn(grouplist[i], 1);
d_printf("%s\n", groupname[0]);
ldap_value_free(groupname);
}
ldap_value_free(grouplist);
}
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
int net_ads_changetrustpw(int argc, const char **argv)
{
ADS_STRUCT *ads;
char *host_principal;
fstring my_name;
ADS_STATUS ret;
if (!secrets_init()) {
DEBUG(1,("Failed to initialise secrets database\n"));
return -1;
}
net_use_machine_password();
use_in_memory_ccache();
if (!(ads = ads_startup())) {
return -1;
}
fstrcpy(my_name, global_myname());
strlower_m(my_name);
asprintf(&host_principal, "%s@%s", my_name, ads->config.realm);
d_printf("Changing password for principal: HOST/%s\n", host_principal);
ret = ads_change_trust_account_password(ads, host_principal);
if (!ADS_ERR_OK(ret)) {
d_printf("Password change failed :-( ...\n");
ads_destroy(&ads);
SAFE_FREE(host_principal);
return -1;
}
d_printf("Password change for principal HOST/%s succeeded.\n", host_principal);
if (lp_use_kerberos_keytab()) {
d_printf("Attempting to update system keytab with new password.\n");
if (ads_keytab_create_default(ads)) {
d_printf("Failed to update system keytab.\n");
}
}
ads_destroy(&ads);
SAFE_FREE(host_principal);
return 0;
}
/**
* Check if cached connection can be reused. If the connection cannot
* be reused the ADS_STRUCT is freed and the pointer is set to NULL.
*/
static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
{
ADS_STRUCT *ads = *adsp;
if (ads != NULL) {
time_t expire;
time_t now = time(NULL);
expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
"is now %d)\n", (uint32_t)expire - (uint32_t)now,
(uint32_t) expire, (uint32_t) now));
if ( ads->config.realm && (expire > now)) {
return;
} else {
/* we own this ADS_STRUCT so make sure it goes away */
DEBUG(7,("Deleting expired krb5 credential cache\n"));
ads->is_mine = True;
ads_destroy( &ads );
ads_kdestroy(WINBIND_CCACHE_NAME);
*adsp = NULL;
}
}
}
int net_ads_group(int argc, const char **argv)
{
struct functable func[] = {
{"ADD", ads_group_add},
{"DELETE", ads_group_delete},
{NULL, NULL}
};
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *shortattrs[] = {"sAMAccountName", NULL};
const char *longattrs[] = {"sAMAccountName", "description", NULL};
char *disp_fields[2] = {NULL, NULL};
if (argc == 0) {
if (!(ads = ads_startup())) {
return -1;
}
if (opt_long_list_entries)
d_printf("\nGroup name Comment"\
"\n-----------------------------\n");
rc = ads_do_search_all_fn(ads, ads->config.bind_path,
LDAP_SCOPE_SUBTREE,
"(objectclass=group)",
opt_long_list_entries ? longattrs :
shortattrs, usergrp_display,
disp_fields);
ads_destroy(&ads);
return 0;
}
return net_run_function(argc, argv, func, net_ads_group_usage);
}
static int net_ads_printer_info(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *servername, *printername;
void *res = NULL;
if (!(ads = ads_startup())) {
return -1;
}
if (argc > 0) {
printername = argv[0];
} else {
printername = "*";
}
if (argc > 1) {
servername = argv[1];
} else {
servername = global_myname();
}
rc = ads_find_printer_on_server(ads, &res, printername, servername);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_printer_on_server: %s\n", ads_errstr(rc));
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("Printer '%s' not found\n", printername);
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
ads_dump(ads, res);
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
void cell_destroy(struct likewise_cell *c)
{
if (!c)
return;
if (c->conn)
ads_destroy(&c->conn);
talloc_destroy(c);
}
/*
Check to see if connection can be made via ads.
ads_startup() stores the password in opt_password if it needs to so
that rpc or rap can use it without re-prompting.
*/
int net_ads_check(void)
{
ADS_STRUCT *ads;
ads = ads_startup();
if (!ads)
return -1;
ads_destroy(&ads);
return 0;
}
static int net_ads_keytab_flush(int argc, const char **argv)
{
int ret;
ADS_STRUCT *ads;
if (!(ads = ads_startup())) {
return -1;
}
ret = ads_keytab_flush(ads);
ads_destroy(&ads);
return ret;
}
static int net_ads_keytab_create(int argc, const char **argv)
{
ADS_STRUCT *ads;
int ret;
if (!(ads = ads_startup())) {
return -1;
}
ret = ads_keytab_create_default(ads);
ads_destroy(&ads);
return ret;
}
static BOOL ads_dc_name(const char *domain, const char *realm, struct in_addr *dc_ip, fstring srv_name)
{
#if 1 /* AR7 */
return False;
#else
ADS_STRUCT *ads;
if (!realm && strequal(domain, lp_workgroup()))
realm = lp_realm();
ads = ads_init(realm, domain, NULL);
if (!ads)
return False;
DEBUG(4,("ads_dc_name: domain=%s\n", domain));
#ifdef HAVE_ADS
/* we don't need to bind, just connect */
ads->auth.flags |= ADS_AUTH_NO_BIND;
ads_connect(ads);
#endif
if (!ads->config.realm) {
ads_destroy(&ads);
return False;
}
fstrcpy(srv_name, ads->config.ldap_server_name);
strupper_m(srv_name);
*dc_ip = ads->ldap_ip;
ads_destroy(&ads);
DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n",
srv_name, inet_ntoa(*dc_ip)));
return True;
#endif /* AR7 */
}
WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
struct GUID *pguid)
{
ADS_STRUCT *ads = NULL;
char *old_krb5ccname = NULL;
char *printer_dn;
WERROR result;
ADS_STATUS ads_status;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return WERR_NOMEM;
}
ads = ads_init(lp_realm(), lp_workgroup(), NULL);
if (ads == NULL) {
result = WERR_SERVER_UNAVAILABLE;
goto out;
}
old_krb5ccname = getenv(KRB5_ENV_CCNAME);
setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1);
SAFE_FREE(ads->auth.password);
ads->auth.password = secrets_fetch_machine_password(lp_workgroup(),
NULL, NULL);
ads_status = ads_connect(ads);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(3, ("ads_connect failed: %s\n", ads_errstr(ads_status)));
result = WERR_ACCESS_DENIED;
goto out;
}
result = nt_printer_dn_lookup(tmp_ctx, ads, printer, &printer_dn);
if (!W_ERROR_IS_OK(result)) {
goto out;
}
result = nt_printer_guid_retrieve_internal(ads, printer_dn, pguid);
out:
TALLOC_FREE(tmp_ctx);
ads_destroy(&ads);
ads_kdestroy("MEMORY:prtpub_cache");
unsetenv(KRB5_ENV_CCNAME);
if (old_krb5ccname != NULL) {
setenv(KRB5_ENV_CCNAME, old_krb5ccname, 0);
}
return result;
}
/*
general ADS search function. Useful in diagnosing problems in ADS
*/
static int net_ads_dn(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *dn;
const char **attrs;
void *res = NULL;
if (argc < 1) {
return net_ads_dn_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
dn = argv[0];
attrs = (argv + 1);
rc = ads_do_search_all(ads, dn,
LDAP_SCOPE_BASE,
"(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(rc)) {
d_printf("search failed: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
/* dump the results */
ads_dump(ads, res);
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
/*
general ADS search function. Useful in diagnosing problems in ADS
*/
static int net_ads_search(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *ldap_exp;
const char **attrs;
void *res = NULL;
if (argc < 1) {
return net_ads_search_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
ldap_exp = argv[0];
attrs = (argv + 1);
rc = ads_do_search_all(ads, ads->config.bind_path,
LDAP_SCOPE_SUBTREE,
ldap_exp, attrs, &res);
if (!ADS_ERR_OK(rc)) {
d_printf("search failed: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
d_printf("Got %d replies\n\n", ads_count_replies(ads, res));
/* dump the results */
ads_dump(ads, res);
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
static int net_ads_keytab_add(int argc, const char **argv)
{
int i;
int ret = 0;
ADS_STRUCT *ads;
d_printf("Processing principals to add...\n");
if (!(ads = ads_startup())) {
return -1;
}
for (i = 0; i < argc; i++) {
ret |= ads_keytab_add_entry(ads, argv[i]);
}
ads_destroy(&ads);
return ret;
}
static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
struct GROUP_POLICY_OBJECT gpo;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo getgpo <gpo>\n"
" List speciefied GPO\n"
" gpo\t\tGPO to list\n");
return -1;
}
mem_ctx = talloc_init("ads_gpo_get_gpo");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (strnequal(argv[0], "CN={", strlen("CN={"))) {
status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
} else {
status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
}
if (!ADS_ERR_OK(status)) {
d_printf("get gpo for [%s] failed: %s\n", argv[0],
ads_errstr(status));
goto out;
}
dump_gpo(ads, mem_ctx, &gpo, 1);
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static int net_ads_join_ok(void)
{
ADS_STRUCT *ads = NULL;
if (!secrets_init()) {
DEBUG(1,("Failed to initialise secrets database\n"));
return -1;
}
net_use_machine_password();
if (!(ads = ads_startup())) {
return -1;
}
ads_destroy(&ads);
return 0;
}
static int ads_group_add(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
void *res=NULL;
int rc = -1;
if (argc < 1) {
return net_ads_group_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
status = ads_find_user_acct(ads, &res, argv[0]);
if (!ADS_ERR_OK(status)) {
d_printf("ads_group_add: %s\n", ads_errstr(status));
goto done;
}
if (ads_count_replies(ads, res)) {
d_printf("ads_group_add: Group %s already exists\n", argv[0]);
ads_msgfree(ads, res);
goto done;
}
status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment);
if (ADS_ERR_OK(status)) {
d_printf("Group %s added\n", argv[0]);
rc = 0;
} else {
d_printf("Could not add group %s: %s\n", argv[0],
ads_errstr(status));
}
done:
if (res)
ads_msgfree(ads, res);
ads_destroy(&ads);
return rc;
}
static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
uint32 gpo_opt = 0;
TALLOC_CTX *mem_ctx;
if (argc < 2 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo linkadd <linkdn> <gpodn> [options]\n"
" Link a container to a GPO\n"
" linkdn\tContainer to link to a GPO\n"
" gpodn\tGPO to link container to\n");
d_printf("note: DNs must be provided properly escaped.\n");
d_printf("See RFC 4514 for details\n");
return -1;
}
mem_ctx = talloc_init("add_gpo_link");
if (mem_ctx == NULL) {
return -1;
}
if (argc == 3) {
gpo_opt = atoi(argv[2]);
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
if (!ADS_ERR_OK(status)) {
d_printf("link add failed: %s\n", ads_errstr(status));
goto out;
}
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
struct GP_LINK gp_link;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo linkget <container>\n"
" Lists gPLink of a containter\n"
" container\tContainer to get link for\n");
return -1;
}
mem_ctx = talloc_init("add_gpo_link");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
if (!ADS_ERR_OK(status)) {
d_printf("get link for %s failed: %s\n", argv[0],
ads_errstr(status));
goto out;
}
dump_gplink(ads, mem_ctx, &gp_link);
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static int keytab_close(struct libnet_keytab_context *ctx)
{
if (!ctx) {
return 0;
}
if (ctx->keytab && ctx->context) {
krb5_kt_close(ctx->context, ctx->keytab);
}
if (ctx->context) {
krb5_free_context(ctx->context);
}
if (ctx->ads) {
ads_destroy(&ctx->ads);
}
TALLOC_FREE(ctx);
return 0;
}
static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
if (argc < 2 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo linkdelete <linkdn> <gpodn>\n"
" Delete a GPO link\n"
" <linkdn>\tContainer to delete GPO from\n"
" <gpodn>\tGPO to delete from container\n");
return -1;
}
mem_ctx = talloc_init("delete_gpo_link");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
if (!ADS_ERR_OK(status)) {
d_printf("delete link failed: %s\n", ads_errstr(status));
goto out;
}
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static int net_ads_printer_publish(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *servername, *printername;
struct cli_state *cli;
struct in_addr server_ip;
NTSTATUS nt_status;
TALLOC_CTX *mem_ctx = talloc_init("net_ads_printer_publish");
ADS_MODLIST mods = ads_init_mods(mem_ctx);
char *prt_dn, *srv_dn, **srv_cn;
void *res = NULL;
if (!(ads = ads_startup())) {
return -1;
}
if (argc < 1) {
return net_ads_printer_usage(argc, argv);
}
printername = argv[0];
if (argc == 2) {
servername = argv[1];
} else {
servername = global_myname();
}
/* Get printer data from SPOOLSS */
resolve_name(servername, &server_ip, 0x20);
nt_status = cli_full_connection(&cli, global_myname(), servername,
&server_ip, 0,
"IPC$", "IPC",
opt_user_name, opt_workgroup,
opt_password ? opt_password : "",
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
if (NT_STATUS_IS_ERR(nt_status)) {
d_printf("Unable to open a connnection to %s to obtain data "
"for %s\n", servername, printername);
ads_destroy(&ads);
return -1;
}
/* Publish on AD server */
ads_find_machine_acct(ads, &res, servername);
if (ads_count_replies(ads, res) == 0) {
d_printf("Could not find machine account for server %s\n",
servername);
ads_destroy(&ads);
return -1;
}
srv_dn = ldap_get_dn(ads->ld, res);
srv_cn = ldap_explode_dn(srv_dn, 1);
asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn[0], printername, srv_dn);
cli_nt_session_open(cli, PI_SPOOLSS);
get_remote_printer_publishing_data(cli, mem_ctx, &mods, printername);
rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_publish_printer: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
d_printf("published printer\n");
ads_destroy(&ads);
return 0;
}
/*
join a domain using ADS
*/
int net_ads_join(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
char *password;
char *machine_account = NULL;
char *tmp_password;
const char *org_unit = "Computers";
char *dn;
void *res;
DOM_SID dom_sid;
char *ou_str;
uint32 sec_channel_type = SEC_CHAN_WKSTA;
uint32 account_type = UF_WORKSTATION_TRUST_ACCOUNT;
const char *short_domain_name = NULL;
TALLOC_CTX *ctx = NULL;
if (argc > 0) {
org_unit = argv[0];
}
if (!secrets_init()) {
DEBUG(1,("Failed to initialise secrets database\n"));
return -1;
}
tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
password = strdup(tmp_password);
if (!(ads = ads_startup())) {
return -1;
}
if (!*lp_realm()) {
d_printf("realm must be set in in smb.conf for ADS join to succeed.\n");
ads_destroy(&ads);
return -1;
}
if (strcmp(ads->config.realm, lp_realm()) != 0) {
d_printf("realm of remote server (%s) and realm in smb.conf (%s) DO NOT match. Aborting join\n", ads->config.realm, lp_realm());
ads_destroy(&ads);
return -1;
}
ou_str = ads_ou_string(org_unit);
asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path);
free(ou_str);
rc = ads_search_dn(ads, &res, dn, NULL);
ads_msgfree(ads, res);
if (rc.error_type == ENUM_ADS_ERROR_LDAP && rc.err.rc == LDAP_NO_SUCH_OBJECT) {
d_printf("ads_join_realm: organizational unit %s does not exist (dn:%s)\n",
org_unit, dn);
ads_destroy(&ads);
return -1;
}
free(dn);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_join_realm: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
rc = ads_join_realm(ads, global_myname(), account_type, org_unit);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_join_realm: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
rc = ads_domain_sid(ads, &dom_sid);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_domain_sid: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
d_printf("asprintf failed\n");
ads_destroy(&ads);
return -1;
}
rc = ads_set_machine_password(ads, machine_account, password);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_set_machine_password: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
/* make sure we get the right workgroup */
if ( !(ctx = talloc_init("net ads join")) ) {
d_printf("talloc_init() failed!\n");
ads_destroy(&ads);
return -1;
}
rc = ads_workgroup_name(ads, ctx, &short_domain_name);
if ( ADS_ERR_OK(rc) ) {
if ( !strequal(lp_workgroup(), short_domain_name) ) {
d_printf("The workgroup in smb.conf does not match the short\n");
d_printf("domain name obtained from the server.\n");
d_printf("Using the name [%s] from the server.\n", short_domain_name);
d_printf("You should set \"workgroup = %s\" in smb.conf.\n", short_domain_name);
}
} else {
short_domain_name = lp_workgroup();
}
d_printf("Using short domain name -- %s\n", short_domain_name);
/* HACK ALRET! Store the sid and password under bother the lp_workgroup()
value from smb.conf and the string returned from the server. The former is
neede to bootstrap winbindd's first connection to the DC to get the real
short domain name --jerry */
if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) {
DEBUG(1,("Failed to save domain sid\n"));
ads_destroy(&ads);
return -1;
}
if (!secrets_store_machine_password(password, lp_workgroup(), sec_channel_type)) {
DEBUG(1,("Failed to save machine password\n"));
ads_destroy(&ads);
return -1;
}
if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
DEBUG(1,("Failed to save domain sid\n"));
ads_destroy(&ads);
return -1;
}
if (!secrets_store_machine_password(password, short_domain_name, sec_channel_type)) {
DEBUG(1,("Failed to save machine password\n"));
ads_destroy(&ads);
return -1;
}
/* Now build the keytab, using the same ADS connection */
if (lp_use_kerberos_keytab() && ads_keytab_create_default(ads)) {
DEBUG(1,("Error creating host keytab!\n"));
}
d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);
SAFE_FREE(password);
SAFE_FREE(machine_account);
if ( ctx ) {
talloc_destroy(ctx);
}
ads_destroy(&ads);
return 0;
}
static int ads_user_add(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
char *upn, *userdn;
void *res=NULL;
int rc = -1;
if (argc < 1) return net_ads_user_usage(argc, argv);
if (!(ads = ads_startup())) {
return -1;
}
status = ads_find_user_acct(ads, &res, argv[0]);
if (!ADS_ERR_OK(status)) {
d_printf("ads_user_add: %s\n", ads_errstr(status));
goto done;
}
if (ads_count_replies(ads, res)) {
d_printf("ads_user_add: User %s already exists\n", argv[0]);
goto done;
}
status = ads_add_user_acct(ads, argv[0], opt_container, opt_comment);
if (!ADS_ERR_OK(status)) {
d_printf("Could not add user %s: %s\n", argv[0],
ads_errstr(status));
goto done;
}
/* if no password is to be set, we're done */
if (argc == 1) {
d_printf("User %s added\n", argv[0]);
rc = 0;
goto done;
}
/* try setting the password */
asprintf(&upn, "%s@%s", argv[0], ads->config.realm);
status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
ads->auth.time_offset);
safe_free(upn);
if (ADS_ERR_OK(status)) {
d_printf("User %s added\n", argv[0]);
rc = 0;
goto done;
}
/* password didn't set, delete account */
d_printf("Could not add user %s. Error setting password %s\n",
argv[0], ads_errstr(status));
ads_msgfree(ads, res);
status=ads_find_user_acct(ads, &res, argv[0]);
if (ADS_ERR_OK(status)) {
userdn = ads_get_dn(ads, res);
ads_del_dn(ads, userdn);
ads_memfree(ads, userdn);
}
done:
if (res)
ads_msgfree(ads, res);
ads_destroy(&ads);
return rc;
}
