mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
5f68ea53ff
Karolin
(This used to be commit b865b8a79a
)
1677 lines
41 KiB
C
1677 lines
41 KiB
C
/*
|
|
* Unix SMB/CIFS implementation.
|
|
* Local SAM access routines
|
|
* Copyright (C) Volker Lendecke 2006
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
|
|
#include "includes.h"
|
|
#include "utils/net.h"
|
|
|
|
/*
|
|
* Set a user's data
|
|
*/
|
|
|
|
static int net_sam_userset(int argc, const char **argv, const char *field,
|
|
bool (*fn)(struct samu *, const char *,
|
|
enum pdb_value_state))
|
|
{
|
|
struct samu *sam_acct = NULL;
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
NTSTATUS status;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam set %s <user> <value>\n",
|
|
field);
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (type != SID_NAME_USER) {
|
|
d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
|
|
sid_type_lookup(type));
|
|
return -1;
|
|
}
|
|
|
|
if ( !(sam_acct = samu_new( NULL )) ) {
|
|
d_fprintf(stderr, "Internal error\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!pdb_getsampwsid(sam_acct, &sid)) {
|
|
d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
|
|
d_fprintf(stderr, "Internal error\n");
|
|
return -1;
|
|
}
|
|
|
|
status = pdb_update_sam_account(sam_acct);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Updating sam account %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
TALLOC_FREE(sam_acct);
|
|
|
|
d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]);
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_set_fullname(int argc, const char **argv)
|
|
{
|
|
return net_sam_userset(argc, argv, "fullname",
|
|
pdb_set_fullname);
|
|
}
|
|
|
|
static int net_sam_set_logonscript(int argc, const char **argv)
|
|
{
|
|
return net_sam_userset(argc, argv, "logonscript",
|
|
pdb_set_logon_script);
|
|
}
|
|
|
|
static int net_sam_set_profilepath(int argc, const char **argv)
|
|
{
|
|
return net_sam_userset(argc, argv, "profilepath",
|
|
pdb_set_profile_path);
|
|
}
|
|
|
|
static int net_sam_set_homedrive(int argc, const char **argv)
|
|
{
|
|
return net_sam_userset(argc, argv, "homedrive",
|
|
pdb_set_dir_drive);
|
|
}
|
|
|
|
static int net_sam_set_homedir(int argc, const char **argv)
|
|
{
|
|
return net_sam_userset(argc, argv, "homedir",
|
|
pdb_set_homedir);
|
|
}
|
|
|
|
static int net_sam_set_workstations(int argc, const char **argv)
|
|
{
|
|
return net_sam_userset(argc, argv, "workstations",
|
|
pdb_set_workstations);
|
|
}
|
|
|
|
/*
|
|
* Set account flags
|
|
*/
|
|
|
|
static int net_sam_set_userflag(int argc, const char **argv, const char *field,
|
|
uint16 flag)
|
|
{
|
|
struct samu *sam_acct = NULL;
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
NTSTATUS status;
|
|
uint16 acct_flags;
|
|
|
|
if ((argc != 2) || (!strequal(argv[1], "yes") &&
|
|
!strequal(argv[1], "no"))) {
|
|
d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n",
|
|
field);
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (type != SID_NAME_USER) {
|
|
d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
|
|
sid_type_lookup(type));
|
|
return -1;
|
|
}
|
|
|
|
if ( !(sam_acct = samu_new( NULL )) ) {
|
|
d_fprintf(stderr, "Internal error\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!pdb_getsampwsid(sam_acct, &sid)) {
|
|
d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
acct_flags = pdb_get_acct_ctrl(sam_acct);
|
|
|
|
if (strequal(argv[1], "yes")) {
|
|
acct_flags |= flag;
|
|
} else {
|
|
acct_flags &= ~flag;
|
|
}
|
|
|
|
pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
|
|
|
|
status = pdb_update_sam_account(sam_acct);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Updating sam account %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
TALLOC_FREE(sam_acct);
|
|
|
|
d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom,
|
|
name, argv[1]);
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_set_disabled(int argc, const char **argv)
|
|
{
|
|
return net_sam_set_userflag(argc, argv, "disabled", ACB_DISABLED);
|
|
}
|
|
|
|
static int net_sam_set_pwnotreq(int argc, const char **argv)
|
|
{
|
|
return net_sam_set_userflag(argc, argv, "pwnotreq", ACB_PWNOTREQ);
|
|
}
|
|
|
|
static int net_sam_set_autolock(int argc, const char **argv)
|
|
{
|
|
return net_sam_set_userflag(argc, argv, "autolock", ACB_AUTOLOCK);
|
|
}
|
|
|
|
static int net_sam_set_pwnoexp(int argc, const char **argv)
|
|
{
|
|
return net_sam_set_userflag(argc, argv, "pwnoexp", ACB_PWNOEXP);
|
|
}
|
|
|
|
/*
|
|
* Set pass last change time, based on force pass change now
|
|
*/
|
|
|
|
static int net_sam_set_pwdmustchangenow(int argc, const char **argv)
|
|
{
|
|
struct samu *sam_acct = NULL;
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
NTSTATUS status;
|
|
|
|
if ((argc != 2) || (!strequal(argv[1], "yes") &&
|
|
!strequal(argv[1], "no"))) {
|
|
d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (type != SID_NAME_USER) {
|
|
d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
|
|
sid_type_lookup(type));
|
|
return -1;
|
|
}
|
|
|
|
if ( !(sam_acct = samu_new( NULL )) ) {
|
|
d_fprintf(stderr, "Internal error\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!pdb_getsampwsid(sam_acct, &sid)) {
|
|
d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (strequal(argv[1], "yes")) {
|
|
pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
|
|
} else {
|
|
pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
|
|
}
|
|
|
|
status = pdb_update_sam_account(sam_acct);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Updating sam account %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
TALLOC_FREE(sam_acct);
|
|
|
|
d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom,
|
|
name, argv[1]);
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* Set a user's or a group's comment
|
|
*/
|
|
|
|
static int net_sam_set_comment(int argc, const char **argv)
|
|
{
|
|
GROUP_MAP map;
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
NTSTATUS status;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam set comment <name> "
|
|
"<comment>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (type == SID_NAME_USER) {
|
|
return net_sam_userset(argc, argv, "comment",
|
|
pdb_set_acct_desc);
|
|
}
|
|
|
|
if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
|
|
(type != SID_NAME_WKN_GRP)) {
|
|
d_fprintf(stderr, "%s is a %s, not a group\n", argv[0],
|
|
sid_type_lookup(type));
|
|
return -1;
|
|
}
|
|
|
|
if (!pdb_getgrsid(&map, sid)) {
|
|
d_fprintf(stderr, "Could not load group %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
fstrcpy(map.comment, argv[1]);
|
|
|
|
status = pdb_update_group_mapping_entry(&map);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Updating group mapping entry failed with "
|
|
"%s\n", nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
|
|
argv[1]);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_set(int argc, const char **argv)
|
|
{
|
|
struct functable2 func[] = {
|
|
{ "homedir", net_sam_set_homedir,
|
|
"Change a user's home directory" },
|
|
{ "profilepath", net_sam_set_profilepath,
|
|
"Change a user's profile path" },
|
|
{ "comment", net_sam_set_comment,
|
|
"Change a users or groups description" },
|
|
{ "fullname", net_sam_set_fullname,
|
|
"Change a user's full name" },
|
|
{ "logonscript", net_sam_set_logonscript,
|
|
"Change a user's logon script" },
|
|
{ "homedrive", net_sam_set_homedrive,
|
|
"Change a user's home drive" },
|
|
{ "workstations", net_sam_set_workstations,
|
|
"Change a user's allowed workstations" },
|
|
{ "disabled", net_sam_set_disabled,
|
|
"Disable/Enable a user" },
|
|
{ "pwnotreq", net_sam_set_pwnotreq,
|
|
"Disable/Enable the password not required flag" },
|
|
{ "autolock", net_sam_set_autolock,
|
|
"Disable/Enable a user's lockout flag" },
|
|
{ "pwnoexp", net_sam_set_pwnoexp,
|
|
"Disable/Enable whether a user's pw does not expire" },
|
|
{ "pwdmustchangenow", net_sam_set_pwdmustchangenow,
|
|
"Force users password must change at next logon" },
|
|
{NULL, NULL}
|
|
};
|
|
|
|
return net_run_function2(argc, argv, "net sam set", func);
|
|
}
|
|
|
|
/*
|
|
* Manage account policies
|
|
*/
|
|
|
|
static int net_sam_policy_set(int argc, const char **argv)
|
|
{
|
|
const char *account_policy = NULL;
|
|
uint32 value = 0;
|
|
uint32 old_value = 0;
|
|
int field;
|
|
char *endptr;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam policy set "
|
|
"\"<account policy>\" <value> \n");
|
|
return -1;
|
|
}
|
|
|
|
account_policy = argv[0];
|
|
field = account_policy_name_to_fieldnum(account_policy);
|
|
|
|
if (strequal(argv[1], "forever") || strequal(argv[1], "never")
|
|
|| strequal(argv[1], "off")) {
|
|
value = -1;
|
|
}
|
|
else {
|
|
value = strtoul(argv[1], &endptr, 10);
|
|
|
|
if ((endptr == argv[1]) || (endptr[0] != '\0')) {
|
|
d_printf("Unable to set policy \"%s\"! Invalid value "
|
|
"\"%s\".\n",
|
|
account_policy, argv[1]);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (field == 0) {
|
|
const char **names;
|
|
int i, count;
|
|
|
|
account_policy_names_list(&names, &count);
|
|
d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]);
|
|
d_fprintf(stderr, "Valid account policies are:\n");
|
|
|
|
for (i=0; i<count; i++) {
|
|
d_fprintf(stderr, "%s\n", names[i]);
|
|
}
|
|
|
|
SAFE_FREE(names);
|
|
return -1;
|
|
}
|
|
|
|
if (!pdb_get_account_policy(field, &old_value)) {
|
|
d_fprintf(stderr, "Valid account policy, but unable to fetch "
|
|
"value!\n");
|
|
} else {
|
|
d_printf("Account policy \"%s\" value was: %d\n", account_policy,
|
|
old_value);
|
|
}
|
|
|
|
if (!pdb_set_account_policy(field, value)) {
|
|
d_fprintf(stderr, "Valid account policy, but unable to "
|
|
"set value!\n");
|
|
return -1;
|
|
} else {
|
|
d_printf("Account policy \"%s\" value is now: %d\n", account_policy,
|
|
value);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_policy_show(int argc, const char **argv)
|
|
{
|
|
const char *account_policy = NULL;
|
|
uint32 old_value;
|
|
int field;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam policy show"
|
|
" \"<account policy>\" \n");
|
|
return -1;
|
|
}
|
|
|
|
account_policy = argv[0];
|
|
field = account_policy_name_to_fieldnum(account_policy);
|
|
|
|
if (field == 0) {
|
|
const char **names;
|
|
int count;
|
|
int i;
|
|
account_policy_names_list(&names, &count);
|
|
d_fprintf(stderr, "No account policy by that name!\n");
|
|
if (count != 0) {
|
|
d_fprintf(stderr, "Valid account policies "
|
|
"are:\n");
|
|
for (i=0; i<count; i++) {
|
|
d_fprintf(stderr, "%s\n", names[i]);
|
|
}
|
|
}
|
|
SAFE_FREE(names);
|
|
return -1;
|
|
}
|
|
|
|
if (!pdb_get_account_policy(field, &old_value)) {
|
|
fprintf(stderr, "Valid account policy, but unable to "
|
|
"fetch value!\n");
|
|
return -1;
|
|
}
|
|
|
|
printf("Account policy \"%s\" description: %s\n",
|
|
account_policy, account_policy_get_desc(field));
|
|
printf("Account policy \"%s\" value is: %d\n", account_policy,
|
|
old_value);
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_policy_list(int argc, const char **argv)
|
|
{
|
|
const char **names;
|
|
int count;
|
|
int i;
|
|
account_policy_names_list(&names, &count);
|
|
if (count != 0) {
|
|
d_fprintf(stderr, "Valid account policies "
|
|
"are:\n");
|
|
for (i = 0; i < count ; i++) {
|
|
d_fprintf(stderr, "%s\n", names[i]);
|
|
}
|
|
}
|
|
SAFE_FREE(names);
|
|
return -1;
|
|
}
|
|
|
|
static int net_sam_policy(int argc, const char **argv)
|
|
{
|
|
struct functable2 func[] = {
|
|
{ "list", net_sam_policy_list,
|
|
"List account policies" },
|
|
{ "show", net_sam_policy_show,
|
|
"Show account policies" },
|
|
{ "set", net_sam_policy_set,
|
|
"Change account policies" },
|
|
{NULL, NULL}
|
|
};
|
|
|
|
return net_run_function2(argc, argv, "net sam policy", func);
|
|
}
|
|
|
|
extern PRIVS privs[];
|
|
|
|
static int net_sam_rights_list(int argc, const char **argv)
|
|
{
|
|
SE_PRIV mask;
|
|
|
|
if (argc > 1) {
|
|
d_fprintf(stderr, "usage: net sam rights list [privilege name]\n");
|
|
return -1;
|
|
}
|
|
|
|
if (argc == 0) {
|
|
int i;
|
|
int num = count_all_privileges();
|
|
|
|
for (i=0; i<num; i++) {
|
|
d_printf("%s\n", privs[i].name);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
if (se_priv_from_name(argv[0], &mask)) {
|
|
DOM_SID *sids;
|
|
int i, num_sids;
|
|
NTSTATUS status;
|
|
|
|
status = privilege_enum_sids(&mask, talloc_tos(),
|
|
&sids, &num_sids);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Could not list rights: %s\n",
|
|
nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
for (i=0; i<num_sids; i++) {
|
|
const char *dom, *name;
|
|
enum lsa_SidType type;
|
|
|
|
if (lookup_sid(talloc_tos(), &sids[i], &dom, &name,
|
|
&type)) {
|
|
d_printf("%s\\%s\n", dom, name);
|
|
}
|
|
else {
|
|
d_printf("%s\n", sid_string_tos(&sids[i]));
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
static int net_sam_rights_grant(int argc, const char **argv)
|
|
{
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
SE_PRIV mask;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam rights grant <name> "
|
|
"<right>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (!se_priv_from_name(argv[1], &mask)) {
|
|
d_fprintf(stderr, "%s unknown\n", argv[1]);
|
|
return -1;
|
|
}
|
|
|
|
if (!grant_privilege(&sid, &mask)) {
|
|
d_fprintf(stderr, "Could not grant privilege\n");
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Granted %s to %s\\%s\n", argv[1], dom, name);
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_rights_revoke(int argc, const char **argv)
|
|
{
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
SE_PRIV mask;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam rights revoke <name> "
|
|
"<right>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (!se_priv_from_name(argv[1], &mask)) {
|
|
d_fprintf(stderr, "%s unknown\n", argv[1]);
|
|
return -1;
|
|
}
|
|
|
|
if (!revoke_privilege(&sid, &mask)) {
|
|
d_fprintf(stderr, "Could not revoke privilege\n");
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Revoked %s from %s\\%s\n", argv[1], dom, name);
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_rights(int argc, const char **argv)
|
|
{
|
|
struct functable2 func[] = {
|
|
{ "list", net_sam_rights_list,
|
|
"List possible user rights" },
|
|
{ "grant", net_sam_rights_grant,
|
|
"Grant a right" },
|
|
{ "revoke", net_sam_rights_revoke,
|
|
"Revoke a right" },
|
|
{ NULL }
|
|
};
|
|
return net_run_function2(argc, argv, "net sam rights", func);
|
|
}
|
|
|
|
/*
|
|
* Map a unix group to a domain group
|
|
*/
|
|
|
|
static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
|
|
{
|
|
NTSTATUS status;
|
|
GROUP_MAP map;
|
|
const char *grpname, *dom, *name;
|
|
uint32 rid;
|
|
|
|
if (pdb_getgrgid(&map, grp->gr_gid)) {
|
|
return NT_STATUS_GROUP_EXISTS;
|
|
}
|
|
|
|
map.gid = grp->gr_gid;
|
|
grpname = grp->gr_name;
|
|
|
|
if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
|
|
&dom, &name, NULL, NULL)) {
|
|
|
|
const char *tmp = talloc_asprintf(
|
|
talloc_tos(), "Unix Group %s", grp->gr_name);
|
|
|
|
DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
|
|
grpname, dom, name, tmp));
|
|
grpname = tmp;
|
|
}
|
|
|
|
if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
|
|
NULL, NULL, NULL, NULL)) {
|
|
DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
|
|
return NT_STATUS_GROUP_EXISTS;
|
|
}
|
|
|
|
fstrcpy(map.nt_name, grpname);
|
|
|
|
if (pdb_rid_algorithm()) {
|
|
rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
|
|
} else {
|
|
if (!pdb_new_rid(&rid)) {
|
|
DEBUG(3, ("Could not get a new RID for %s\n",
|
|
grp->gr_name));
|
|
return NT_STATUS_ACCESS_DENIED;
|
|
}
|
|
}
|
|
|
|
sid_compose(&map.sid, get_global_sam_sid(), rid);
|
|
map.sid_name_use = SID_NAME_DOM_GRP;
|
|
fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s",
|
|
grp->gr_name));
|
|
|
|
status = pdb_add_group_mapping_entry(&map);
|
|
if (NT_STATUS_IS_OK(status)) {
|
|
*pmap = map;
|
|
}
|
|
return status;
|
|
}
|
|
|
|
static int net_sam_mapunixgroup(int argc, const char **argv)
|
|
{
|
|
NTSTATUS status;
|
|
GROUP_MAP map;
|
|
struct group *grp;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n");
|
|
return -1;
|
|
}
|
|
|
|
grp = getgrnam(argv[0]);
|
|
if (grp == NULL) {
|
|
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
status = map_unix_group(grp, &map);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Mapping group %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Mapped unix group %s to SID %s\n", argv[0],
|
|
sid_string_tos(&map.sid));
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Remove a group mapping
|
|
*/
|
|
|
|
static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
|
|
{
|
|
NTSTATUS status;
|
|
GROUP_MAP map;
|
|
const char *grpname;
|
|
DOM_SID dom_sid;
|
|
|
|
map.gid = grp->gr_gid;
|
|
grpname = grp->gr_name;
|
|
|
|
if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
|
|
NULL, NULL, NULL, NULL)) {
|
|
DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
|
|
return NT_STATUS_NO_SUCH_GROUP;
|
|
}
|
|
|
|
fstrcpy(map.nt_name, grpname);
|
|
|
|
if (!pdb_gid_to_sid(map.gid, &dom_sid)) {
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
status = pdb_delete_group_mapping_entry(dom_sid);
|
|
|
|
return status;
|
|
}
|
|
|
|
static int net_sam_unmapunixgroup(int argc, const char **argv)
|
|
{
|
|
NTSTATUS status;
|
|
GROUP_MAP map;
|
|
struct group *grp;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam unmapunixgroup <name>\n");
|
|
return -1;
|
|
}
|
|
|
|
grp = getgrnam(argv[0]);
|
|
if (grp == NULL) {
|
|
d_fprintf(stderr, "Could not find mapping for group %s.\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
status = unmap_unix_group(grp, &map);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Unmapping group %s failed with %s.\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Unmapped unix group %s.\n", argv[0]);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Create a local group
|
|
*/
|
|
|
|
static int net_sam_createlocalgroup(int argc, const char **argv)
|
|
{
|
|
NTSTATUS status;
|
|
uint32 rid;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!winbind_ping()) {
|
|
d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
|
|
"only works when winbind runs.\n");
|
|
return -1;
|
|
}
|
|
|
|
status = pdb_create_alias(argv[0], &rid);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Creating %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Created local group %s with RID %d\n", argv[0], rid);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Delete a local group
|
|
*/
|
|
|
|
static int net_sam_deletelocalgroup(int argc, const char **argv)
|
|
{
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
NTSTATUS status;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find %s.\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (type != SID_NAME_ALIAS) {
|
|
d_fprintf(stderr, "%s is a %s, not a local group.\n", argv[0],
|
|
sid_type_lookup(type));
|
|
return -1;
|
|
}
|
|
|
|
status = pdb_delete_alias(&sid);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Deleting local group %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Deleted local group %s.\n", argv[0]);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Create a local group
|
|
*/
|
|
|
|
static int net_sam_createbuiltingroup(int argc, const char **argv)
|
|
{
|
|
NTSTATUS status;
|
|
uint32 rid;
|
|
enum lsa_SidType type;
|
|
fstring groupname;
|
|
DOM_SID sid;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!winbind_ping()) {
|
|
d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
|
|
"only works when winbind runs.\n");
|
|
return -1;
|
|
}
|
|
|
|
/* validate the name and get the group */
|
|
|
|
fstrcpy( groupname, "BUILTIN\\" );
|
|
fstrcat( groupname, argv[0] );
|
|
|
|
if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
|
|
NULL, &sid, &type)) {
|
|
d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if ( !sid_peek_rid( &sid, &rid ) ) {
|
|
d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
status = pdb_create_builtin_alias( rid );
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Creating %s failed with %s\n",
|
|
argv[0], nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Add a group member
|
|
*/
|
|
|
|
static int net_sam_addmem(int argc, const char **argv)
|
|
{
|
|
const char *groupdomain, *groupname, *memberdomain, *membername;
|
|
DOM_SID group, member;
|
|
enum lsa_SidType grouptype, membertype;
|
|
NTSTATUS status;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam addmem <group> <member>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&groupdomain, &groupname, &group, &grouptype)) {
|
|
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
/* check to see if the member to be added is a name or a SID */
|
|
|
|
if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
|
|
&memberdomain, &membername, &member, &membertype))
|
|
{
|
|
/* try it as a SID */
|
|
|
|
if ( !string_to_sid( &member, argv[1] ) ) {
|
|
d_fprintf(stderr, "Could not find member %s\n", argv[1]);
|
|
return -1;
|
|
}
|
|
|
|
if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
|
|
&membername, &membertype) )
|
|
{
|
|
d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
|
|
if ((membertype != SID_NAME_USER) &&
|
|
(membertype != SID_NAME_DOM_GRP)) {
|
|
d_fprintf(stderr, "%s is a local group, only users "
|
|
"and domain groups can be added.\n"
|
|
"%s is a %s\n", argv[0], argv[1],
|
|
sid_type_lookup(membertype));
|
|
return -1;
|
|
}
|
|
status = pdb_add_aliasmem(&group, &member);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Adding local group member failed "
|
|
"with %s\n", nt_errstr(status));
|
|
return -1;
|
|
}
|
|
} else {
|
|
d_fprintf(stderr, "Can only add members to local groups so "
|
|
"far, %s is a %s\n", argv[0],
|
|
sid_type_lookup(grouptype));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername,
|
|
groupdomain, groupname);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Delete a group member
|
|
*/
|
|
|
|
static int net_sam_delmem(int argc, const char **argv)
|
|
{
|
|
const char *groupdomain, *groupname;
|
|
const char *memberdomain = NULL;
|
|
const char *membername = NULL;
|
|
DOM_SID group, member;
|
|
enum lsa_SidType grouptype;
|
|
NTSTATUS status;
|
|
|
|
if (argc != 2) {
|
|
d_fprintf(stderr, "usage: net sam delmem <group> <member>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&groupdomain, &groupname, &group, &grouptype)) {
|
|
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
|
|
&memberdomain, &membername, &member, NULL)) {
|
|
if (!string_to_sid(&member, argv[1])) {
|
|
d_fprintf(stderr, "Could not find member %s\n",
|
|
argv[1]);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if ((grouptype == SID_NAME_ALIAS) ||
|
|
(grouptype == SID_NAME_WKN_GRP)) {
|
|
status = pdb_del_aliasmem(&group, &member);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Deleting local group member failed "
|
|
"with %s\n", nt_errstr(status));
|
|
return -1;
|
|
}
|
|
} else {
|
|
d_fprintf(stderr, "Can only delete members from local groups "
|
|
"so far, %s is a %s\n", argv[0],
|
|
sid_type_lookup(grouptype));
|
|
return -1;
|
|
}
|
|
|
|
if (membername != NULL) {
|
|
d_printf("Deleted %s\\%s from %s\\%s\n",
|
|
memberdomain, membername, groupdomain, groupname);
|
|
} else {
|
|
d_printf("Deleted %s from %s\\%s\n",
|
|
sid_string_tos(&member), groupdomain, groupname);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* List group members
|
|
*/
|
|
|
|
static int net_sam_listmem(int argc, const char **argv)
|
|
{
|
|
const char *groupdomain, *groupname;
|
|
DOM_SID group;
|
|
enum lsa_SidType grouptype;
|
|
NTSTATUS status;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam listmem <group>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&groupdomain, &groupname, &group, &grouptype)) {
|
|
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if ((grouptype == SID_NAME_ALIAS) ||
|
|
(grouptype == SID_NAME_WKN_GRP)) {
|
|
DOM_SID *members = NULL;
|
|
size_t i, num_members = 0;
|
|
|
|
status = pdb_enum_aliasmem(&group, &members, &num_members);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_fprintf(stderr, "Listing group members failed with "
|
|
"%s\n", nt_errstr(status));
|
|
return -1;
|
|
}
|
|
|
|
d_printf("%s\\%s has %u members\n", groupdomain, groupname,
|
|
(unsigned int)num_members);
|
|
for (i=0; i<num_members; i++) {
|
|
const char *dom, *name;
|
|
if (lookup_sid(talloc_tos(), &members[i],
|
|
&dom, &name, NULL)) {
|
|
d_printf(" %s\\%s\n", dom, name);
|
|
} else {
|
|
d_printf(" %s\n", sid_string_tos(&members[i]));
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(members);
|
|
} else {
|
|
d_fprintf(stderr, "Can only list local group members so far.\n"
|
|
"%s is a %s\n", argv[0], sid_type_lookup(grouptype));
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Do the listing
|
|
*/
|
|
static int net_sam_do_list(int argc, const char **argv,
|
|
struct pdb_search *search, const char *what)
|
|
{
|
|
bool verbose = (argc == 1);
|
|
|
|
if ((argc > 1) ||
|
|
((argc == 1) && !strequal(argv[0], "verbose"))) {
|
|
d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what);
|
|
return -1;
|
|
}
|
|
|
|
if (search == NULL) {
|
|
d_fprintf(stderr, "Could not start search\n");
|
|
return -1;
|
|
}
|
|
|
|
while (True) {
|
|
struct samr_displayentry entry;
|
|
if (!search->next_entry(search, &entry)) {
|
|
break;
|
|
}
|
|
if (verbose) {
|
|
d_printf("%s:%d:%s\n",
|
|
entry.account_name,
|
|
entry.rid,
|
|
entry.description);
|
|
} else {
|
|
d_printf("%s\n", entry.account_name);
|
|
}
|
|
}
|
|
|
|
pdb_search_destroy(search);
|
|
return 0;
|
|
}
|
|
|
|
static int net_sam_list_users(int argc, const char **argv)
|
|
{
|
|
return net_sam_do_list(argc, argv, pdb_search_users(ACB_NORMAL),
|
|
"users");
|
|
}
|
|
|
|
static int net_sam_list_groups(int argc, const char **argv)
|
|
{
|
|
return net_sam_do_list(argc, argv, pdb_search_groups(), "groups");
|
|
}
|
|
|
|
static int net_sam_list_localgroups(int argc, const char **argv)
|
|
{
|
|
return net_sam_do_list(argc, argv,
|
|
pdb_search_aliases(get_global_sam_sid()),
|
|
"localgroups");
|
|
}
|
|
|
|
static int net_sam_list_builtin(int argc, const char **argv)
|
|
{
|
|
return net_sam_do_list(argc, argv,
|
|
pdb_search_aliases(&global_sid_Builtin),
|
|
"builtin");
|
|
}
|
|
|
|
static int net_sam_list_workstations(int argc, const char **argv)
|
|
{
|
|
return net_sam_do_list(argc, argv,
|
|
pdb_search_users(ACB_WSTRUST),
|
|
"workstations");
|
|
}
|
|
|
|
/*
|
|
* List stuff
|
|
*/
|
|
|
|
static int net_sam_list(int argc, const char **argv)
|
|
{
|
|
struct functable2 func[] = {
|
|
{ "users", net_sam_list_users,
|
|
"List SAM users" },
|
|
{ "groups", net_sam_list_groups,
|
|
"List SAM groups" },
|
|
{ "localgroups", net_sam_list_localgroups,
|
|
"List SAM local groups" },
|
|
{ "builtin", net_sam_list_builtin,
|
|
"List builtin groups" },
|
|
{ "workstations", net_sam_list_workstations,
|
|
"List domain member workstations" },
|
|
{NULL, NULL}
|
|
};
|
|
|
|
return net_run_function2(argc, argv, "net sam list", func);
|
|
}
|
|
|
|
/*
|
|
* Show details of SAM entries
|
|
*/
|
|
|
|
static int net_sam_show(int argc, const char **argv)
|
|
{
|
|
DOM_SID sid;
|
|
enum lsa_SidType type;
|
|
const char *dom, *name;
|
|
|
|
if (argc != 1) {
|
|
d_fprintf(stderr, "usage: net sam show <name>\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
|
|
&dom, &name, &sid, &type)) {
|
|
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
d_printf("%s\\%s is a %s with SID %s\n", dom, name,
|
|
sid_type_lookup(type), sid_string_tos(&sid));
|
|
|
|
return 0;
|
|
}
|
|
|
|
#ifdef HAVE_LDAP
|
|
|
|
/*
|
|
* Init an LDAP tree with default users and Groups
|
|
* if ldapsam:editposix is enabled
|
|
*/
|
|
|
|
static int net_sam_provision(int argc, const char **argv)
|
|
{
|
|
TALLOC_CTX *tc;
|
|
char *ldap_bk;
|
|
char *ldap_uri = NULL;
|
|
char *p;
|
|
struct smbldap_state *ls;
|
|
GROUP_MAP gmap;
|
|
DOM_SID gsid;
|
|
gid_t domusers_gid = -1;
|
|
gid_t domadmins_gid = -1;
|
|
struct samu *samuser;
|
|
struct passwd *pwd;
|
|
|
|
tc = talloc_new(NULL);
|
|
if (!tc) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
return -1;
|
|
}
|
|
|
|
if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
|
|
d_fprintf(stderr, "talloc failed\n");
|
|
talloc_free(tc);
|
|
return -1;
|
|
}
|
|
p = strchr(ldap_bk, ':');
|
|
if (p) {
|
|
*p = 0;
|
|
ldap_uri = talloc_strdup(tc, p+1);
|
|
trim_char(ldap_uri, ' ', ' ');
|
|
}
|
|
|
|
trim_char(ldap_bk, ' ', ' ');
|
|
|
|
if (strcmp(ldap_bk, "ldapsam") != 0) {
|
|
d_fprintf(stderr, "Provisioning works only with ldapsam backend\n");
|
|
goto failed;
|
|
}
|
|
|
|
if (!lp_parm_bool(-1, "ldapsam", "trusted", False) ||
|
|
!lp_parm_bool(-1, "ldapsam", "editposix", False)) {
|
|
|
|
d_fprintf(stderr, "Provisioning works only if ldapsam:trusted"
|
|
" and ldapsam:editposix are enabled.\n");
|
|
goto failed;
|
|
}
|
|
|
|
if (!winbind_ping()) {
|
|
d_fprintf(stderr, "winbind seems not to run. Provisioning "
|
|
"LDAP only works when winbind runs.\n");
|
|
goto failed;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
|
|
d_fprintf(stderr, "Unable to connect to the LDAP server.\n");
|
|
goto failed;
|
|
}
|
|
|
|
d_printf("Checking for Domain Users group.\n");
|
|
|
|
sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
|
|
|
|
if (!pdb_getgrsid(&gmap, gsid)) {
|
|
LDAPMod **mods = NULL;
|
|
char *dn;
|
|
char *uname;
|
|
char *wname;
|
|
char *gidstr;
|
|
char *gtype;
|
|
int rc;
|
|
|
|
d_printf("Adding the Domain Users group.\n");
|
|
|
|
/* lets allocate a new groupid for this group */
|
|
if (!winbind_allocate_gid(&domusers_gid)) {
|
|
d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n");
|
|
goto domu_done;
|
|
}
|
|
|
|
uname = talloc_strdup(tc, "domusers");
|
|
wname = talloc_strdup(tc, "Domain Users");
|
|
dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
|
|
gidstr = talloc_asprintf(tc, "%d", domusers_gid);
|
|
gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
|
|
|
|
if (!uname || !wname || !dn || !gidstr || !gtype) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
|
|
sid_string_talloc(tc, &gsid));
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
|
|
|
|
talloc_autofree_ldapmod(tc, mods);
|
|
|
|
rc = smbldap_add(ls, dn, mods);
|
|
|
|
if (rc != LDAP_SUCCESS) {
|
|
d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n");
|
|
}
|
|
} else {
|
|
domusers_gid = gmap.gid;
|
|
d_printf("found!\n");
|
|
}
|
|
|
|
domu_done:
|
|
|
|
d_printf("Checking for Domain Admins group.\n");
|
|
|
|
sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
|
|
|
|
if (!pdb_getgrsid(&gmap, gsid)) {
|
|
LDAPMod **mods = NULL;
|
|
char *dn;
|
|
char *uname;
|
|
char *wname;
|
|
char *gidstr;
|
|
char *gtype;
|
|
int rc;
|
|
|
|
d_printf("Adding the Domain Admins group.\n");
|
|
|
|
/* lets allocate a new groupid for this group */
|
|
if (!winbind_allocate_gid(&domadmins_gid)) {
|
|
d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n");
|
|
goto doma_done;
|
|
}
|
|
|
|
uname = talloc_strdup(tc, "domadmins");
|
|
wname = talloc_strdup(tc, "Domain Admins");
|
|
dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
|
|
gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
|
|
gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
|
|
|
|
if (!uname || !wname || !dn || !gidstr || !gtype) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
|
|
sid_string_talloc(tc, &gsid));
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
|
|
|
|
talloc_autofree_ldapmod(tc, mods);
|
|
|
|
rc = smbldap_add(ls, dn, mods);
|
|
|
|
if (rc != LDAP_SUCCESS) {
|
|
d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n");
|
|
}
|
|
} else {
|
|
domadmins_gid = gmap.gid;
|
|
d_printf("found!\n");
|
|
}
|
|
|
|
doma_done:
|
|
|
|
d_printf("Check for Administrator account.\n");
|
|
|
|
samuser = samu_new(tc);
|
|
if (!samuser) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
if (!pdb_getsampwnam(samuser, "Administrator")) {
|
|
LDAPMod **mods = NULL;
|
|
DOM_SID sid;
|
|
char *dn;
|
|
char *name;
|
|
char *uidstr;
|
|
char *gidstr;
|
|
char *shell;
|
|
char *dir;
|
|
uid_t uid;
|
|
int rc;
|
|
|
|
d_printf("Adding the Administrator user.\n");
|
|
|
|
if (domadmins_gid == -1) {
|
|
d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n");
|
|
goto done;
|
|
}
|
|
if (!winbind_allocate_uid(&uid)) {
|
|
d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n");
|
|
goto done;
|
|
}
|
|
name = talloc_strdup(tc, "Administrator");
|
|
dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
|
|
uidstr = talloc_asprintf(tc, "%d", uid);
|
|
gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
|
|
dir = talloc_sub_specified(tc, lp_template_homedir(),
|
|
"Administrator",
|
|
get_global_sam_name(),
|
|
uid, domadmins_gid);
|
|
shell = talloc_sub_specified(tc, lp_template_shell(),
|
|
"Administrator",
|
|
get_global_sam_name(),
|
|
uid, domadmins_gid);
|
|
|
|
if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
|
|
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
|
|
sid_string_talloc(tc, &sid));
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
|
|
pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
|
|
NEW_PW_FORMAT_SPACE_PADDED_LEN));
|
|
|
|
talloc_autofree_ldapmod(tc, mods);
|
|
|
|
rc = smbldap_add(ls, dn, mods);
|
|
|
|
if (rc != LDAP_SUCCESS) {
|
|
d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n");
|
|
}
|
|
} else {
|
|
d_printf("found!\n");
|
|
}
|
|
|
|
d_printf("Checking for Guest user.\n");
|
|
|
|
samuser = samu_new(tc);
|
|
if (!samuser) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
|
|
LDAPMod **mods = NULL;
|
|
DOM_SID sid;
|
|
char *dn;
|
|
char *uidstr;
|
|
char *gidstr;
|
|
int rc;
|
|
|
|
d_printf("Adding the Guest user.\n");
|
|
|
|
pwd = getpwnam_alloc(tc, lp_guestaccount());
|
|
|
|
if (!pwd) {
|
|
if (domusers_gid == -1) {
|
|
d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n");
|
|
goto done;
|
|
}
|
|
if ((pwd = talloc(tc, struct passwd)) == NULL) {
|
|
d_fprintf(stderr, "talloc failed\n");
|
|
goto done;
|
|
}
|
|
pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
|
|
if (!winbind_allocate_uid(&(pwd->pw_uid))) {
|
|
d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n");
|
|
goto done;
|
|
}
|
|
pwd->pw_gid = domusers_gid;
|
|
pwd->pw_dir = talloc_strdup(tc, "/");
|
|
pwd->pw_shell = talloc_strdup(tc, "/bin/false");
|
|
if (!pwd->pw_dir || !pwd->pw_shell) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
}
|
|
|
|
sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
|
|
|
|
dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
|
|
uidstr = talloc_asprintf(tc, "%d", pwd->pw_uid);
|
|
gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
|
|
if (!dn || !uidstr || !gidstr) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
|
|
if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
|
|
}
|
|
if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
|
|
}
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID",
|
|
sid_string_talloc(tc, &sid));
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
|
|
pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
|
|
NEW_PW_FORMAT_SPACE_PADDED_LEN));
|
|
|
|
talloc_autofree_ldapmod(tc, mods);
|
|
|
|
rc = smbldap_add(ls, dn, mods);
|
|
|
|
if (rc != LDAP_SUCCESS) {
|
|
d_fprintf(stderr, "Failed to add Guest user to ldap directory\n");
|
|
}
|
|
} else {
|
|
d_printf("found!\n");
|
|
}
|
|
|
|
d_printf("Checking Guest's group.\n");
|
|
|
|
pwd = getpwnam_alloc(NULL, lp_guestaccount());
|
|
if (!pwd) {
|
|
d_fprintf(stderr, "Failed to find just created Guest account!\n"
|
|
" Is nss properly configured?!\n");
|
|
goto failed;
|
|
}
|
|
|
|
if (pwd->pw_gid == domusers_gid) {
|
|
d_printf("found!\n");
|
|
goto done;
|
|
}
|
|
|
|
if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
|
|
LDAPMod **mods = NULL;
|
|
char *dn;
|
|
char *uname;
|
|
char *wname;
|
|
char *gidstr;
|
|
char *gtype;
|
|
int rc;
|
|
|
|
d_printf("Adding the Domain Guests group.\n");
|
|
|
|
uname = talloc_strdup(tc, "domguests");
|
|
wname = talloc_strdup(tc, "Domain Guests");
|
|
dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
|
|
gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
|
|
gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
|
|
|
|
if (!uname || !wname || !dn || !gidstr || !gtype) {
|
|
d_fprintf(stderr, "Out of Memory!\n");
|
|
goto failed;
|
|
}
|
|
|
|
sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
|
|
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid",
|
|
sid_string_talloc(tc, &gsid));
|
|
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
|
|
|
|
talloc_autofree_ldapmod(tc, mods);
|
|
|
|
rc = smbldap_add(ls, dn, mods);
|
|
|
|
if (rc != LDAP_SUCCESS) {
|
|
d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n");
|
|
}
|
|
} else {
|
|
d_printf("found!\n");
|
|
}
|
|
|
|
|
|
done:
|
|
talloc_free(tc);
|
|
return 0;
|
|
|
|
failed:
|
|
talloc_free(tc);
|
|
return -1;
|
|
}
|
|
|
|
#endif
|
|
|
|
/***********************************************************
|
|
migrated functionality from smbgroupedit
|
|
**********************************************************/
|
|
int net_sam(int argc, const char **argv)
|
|
{
|
|
struct functable2 func[] = {
|
|
{ "createbuiltingroup", net_sam_createbuiltingroup,
|
|
"Create a new BUILTIN group" },
|
|
{ "createlocalgroup", net_sam_createlocalgroup,
|
|
"Create a new local group" },
|
|
{ "deletelocalgroup", net_sam_deletelocalgroup,
|
|
"Delete an existing local group" },
|
|
{ "mapunixgroup", net_sam_mapunixgroup,
|
|
"Map a unix group to a domain group" },
|
|
{ "unmapunixgroup", net_sam_unmapunixgroup,
|
|
"Remove a group mapping of an unix group to a domain group" },
|
|
{ "addmem", net_sam_addmem,
|
|
"Add a member to a group" },
|
|
{ "delmem", net_sam_delmem,
|
|
"Delete a member from a group" },
|
|
{ "listmem", net_sam_listmem,
|
|
"List group members" },
|
|
{ "list", net_sam_list,
|
|
"List users, groups and local groups" },
|
|
{ "show", net_sam_show,
|
|
"Show details of a SAM entry" },
|
|
{ "set", net_sam_set,
|
|
"Set details of a SAM account" },
|
|
{ "policy", net_sam_policy,
|
|
"Set account policies" },
|
|
{ "rights", net_sam_rights,
|
|
"Manipulate user privileges" },
|
|
#ifdef HAVE_LDAP
|
|
{ "provision", net_sam_provision,
|
|
"Provision a clean User Database" },
|
|
#endif
|
|
{ NULL, NULL, NULL }
|
|
};
|
|
|
|
if (getuid() != 0) {
|
|
d_fprintf(stderr, "You are not root, most things won't "
|
|
"work\n");
|
|
}
|
|
|
|
return net_run_function2(argc, argv, "net sam", func);
|
|
}
|
|
|