sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-06-18 19:17:08 +03:00
Code
samba-mirror/source/utils/net_sam.c
Volker Lendecke 6585ea2cb7 r24809: Consolidate the use of temporary talloc contexts. 
This adds the two functions talloc_stackframe() and talloc_tos().

 * When a new talloc stackframe is allocated with talloc_stackframe(), then
 * the TALLOC_CTX returned with talloc_tos() is reset to that new
 * frame. Whenever that stack frame is TALLOC_FREE()'ed, then the reverse
 * happens: The previous talloc_tos() is restored.
 *
 * This API is designed to be robust in the sense that if someone forgets to
 * TALLOC_FREE() a stackframe, then the next outer one correctly cleans up and
 * resets the talloc_tos().

The original motivation for this patch was to get rid of the
sid_string_static & friends buffers. Explicitly passing talloc context
everywhere clutters code too much for my taste, so an implicit
talloc_tos() is introduced here. Many of these static buffers are
replaced by a single static pointer.

The intended use would thus be that low-level functions can rather
freely push stuff to talloc_tos, the upper layers clean up by freeing
the stackframe. The more of these stackframes are used and correctly
freed the more exact the memory cleanup happens.

This patch removes the main_loop_talloc_ctx, tmp_talloc_ctx and
lp_talloc_ctx (did I forget any?)

So, never do a

tmp_ctx = talloc_init("foo");

anymore, instead, use

tmp_ctx = talloc_stackframe()

:-)

Volker
2007-10-10 12:30:24 -05:00

1539 lines
38 KiB
C
Raw Blame History

/*
* Unix SMB/CIFS implementation.
* Local SAM access routines
* Copyright (C) Volker Lendecke 2006
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "utils/net.h"
/*
* Set a user's data
*/
static int net_sam_userset(int argc, const char **argv, const char *field,
BOOL (*fn)(struct samu *, const char *,
enum pdb_value_state))
{
struct samu *sam_acct = NULL;
DOM_SID sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
if (argc != 2) {
d_fprintf(stderr, "usage: net sam set %s <user> <value>\n",
field);
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
}
if (type != SID_NAME_USER) {
d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
sid_type_lookup(type));
return -1;
}
if ( !(sam_acct = samu_new( NULL )) ) {
d_fprintf(stderr, "Internal error\n");
return -1;
}
if (!pdb_getsampwsid(sam_acct, &sid)) {
d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
return -1;
}
if (!fn(sam_acct, argv[1], PDB_CHANGED)) {
d_fprintf(stderr, "Internal error\n");
return -1;
}
status = pdb_update_sam_account(sam_acct);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Updating sam account %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
TALLOC_FREE(sam_acct);
d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]);
return 0;
}
static int net_sam_set_fullname(int argc, const char **argv)
{
return net_sam_userset(argc, argv, "fullname",
pdb_set_fullname);
}
static int net_sam_set_logonscript(int argc, const char **argv)
{
return net_sam_userset(argc, argv, "logonscript",
pdb_set_logon_script);
}
static int net_sam_set_profilepath(int argc, const char **argv)
{
return net_sam_userset(argc, argv, "profilepath",
pdb_set_profile_path);
}
static int net_sam_set_homedrive(int argc, const char **argv)
{
return net_sam_userset(argc, argv, "homedrive",
pdb_set_dir_drive);
}
static int net_sam_set_homedir(int argc, const char **argv)
{
return net_sam_userset(argc, argv, "homedir",
pdb_set_homedir);
}
static int net_sam_set_workstations(int argc, const char **argv)
{
return net_sam_userset(argc, argv, "workstations",
pdb_set_workstations);
}
/*
* Set account flags
*/
static int net_sam_set_userflag(int argc, const char **argv, const char *field,
uint16 flag)
{
struct samu *sam_acct = NULL;
DOM_SID sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
uint16 acct_flags;
if ((argc != 2) || (!strequal(argv[1], "yes") &&
!strequal(argv[1], "no"))) {
d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n",
field);
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
}
if (type != SID_NAME_USER) {
d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
sid_type_lookup(type));
return -1;
}
if ( !(sam_acct = samu_new( NULL )) ) {
d_fprintf(stderr, "Internal error\n");
return -1;
}
if (!pdb_getsampwsid(sam_acct, &sid)) {
d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
return -1;
}
acct_flags = pdb_get_acct_ctrl(sam_acct);
if (strequal(argv[1], "yes")) {
acct_flags |= flag;
} else {
acct_flags &= ~flag;
}
pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED);
status = pdb_update_sam_account(sam_acct);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Updating sam account %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
TALLOC_FREE(sam_acct);
d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom,
name, argv[1]);
return 0;
}
static int net_sam_set_disabled(int argc, const char **argv)
{
return net_sam_set_userflag(argc, argv, "disabled", ACB_DISABLED);
}
static int net_sam_set_pwnotreq(int argc, const char **argv)
{
return net_sam_set_userflag(argc, argv, "pwnotreq", ACB_PWNOTREQ);
}
static int net_sam_set_autolock(int argc, const char **argv)
{
return net_sam_set_userflag(argc, argv, "autolock", ACB_AUTOLOCK);
}
static int net_sam_set_pwnoexp(int argc, const char **argv)
{
return net_sam_set_userflag(argc, argv, "pwnoexp", ACB_PWNOEXP);
}
/*
* Set pass last change time, based on force pass change now
*/
static int net_sam_set_pwdmustchangenow(int argc, const char **argv)
{
struct samu *sam_acct = NULL;
DOM_SID sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
if ((argc != 2) || (!strequal(argv[1], "yes") &&
!strequal(argv[1], "no"))) {
d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
}
if (type != SID_NAME_USER) {
d_fprintf(stderr, "%s is a %s, not a user\n", argv[0],
sid_type_lookup(type));
return -1;
}
if ( !(sam_acct = samu_new( NULL )) ) {
d_fprintf(stderr, "Internal error\n");
return -1;
}
if (!pdb_getsampwsid(sam_acct, &sid)) {
d_fprintf(stderr, "Loading user %s failed\n", argv[0]);
return -1;
}
if (strequal(argv[1], "yes")) {
pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED);
} else {
pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED);
}
status = pdb_update_sam_account(sam_acct);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Updating sam account %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
TALLOC_FREE(sam_acct);
d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom,
name, argv[1]);
return 0;
}
/*
* Set a user's or a group's comment
*/
static int net_sam_set_comment(int argc, const char **argv)
{
GROUP_MAP map;
DOM_SID sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
if (argc != 2) {
d_fprintf(stderr, "usage: net sam set comment <name> "
"<comment>\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
}
if (type == SID_NAME_USER) {
return net_sam_userset(argc, argv, "comment",
pdb_set_acct_desc);
}
if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
(type != SID_NAME_WKN_GRP)) {
d_fprintf(stderr, "%s is a %s, not a group\n", argv[0],
sid_type_lookup(type));
return -1;
}
if (!pdb_getgrsid(&map, sid)) {
d_fprintf(stderr, "Could not load group %s\n", argv[0]);
return -1;
}
fstrcpy(map.comment, argv[1]);
status = pdb_update_group_mapping_entry(&map);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Updating group mapping entry failed with "
"%s\n", nt_errstr(status));
return -1;
}
d_printf("Updated comment of group %s\\%s to %s\n", dom, name,
argv[1]);
return 0;
}
static int net_sam_set(int argc, const char **argv)
{
struct functable2 func[] = {
{ "homedir", net_sam_set_homedir,
"Change a user's home directory" },
{ "profilepath", net_sam_set_profilepath,
"Change a user's profile path" },
{ "comment", net_sam_set_comment,
"Change a users or groups description" },
{ "fullname", net_sam_set_fullname,
"Change a user's full name" },
{ "logonscript", net_sam_set_logonscript,
"Change a user's logon script" },
{ "homedrive", net_sam_set_homedrive,
"Change a user's home drive" },
{ "workstations", net_sam_set_workstations,
"Change a user's allowed workstations" },
{ "disabled", net_sam_set_disabled,
"Disable/Enable a user" },
{ "pwnotreq", net_sam_set_pwnotreq,
"Disable/Enable the password not required flag" },
{ "autolock", net_sam_set_autolock,
"Disable/Enable a user's lockout flag" },
{ "pwnoexp", net_sam_set_pwnoexp,
"Disable/Enable whether a user's pw does not expire" },
{ "pwdmustchangenow", net_sam_set_pwdmustchangenow,
"Force users password must change at next logon" },
{NULL, NULL}
};
return net_run_function2(argc, argv, "net sam set", func);
}
/*
* Manage account policies
*/
static int net_sam_policy_set(int argc, const char **argv)
{
const char *account_policy = NULL;
uint32 value, old_value;
int field;
char *endptr;
if (argc != 2) {
d_fprintf(stderr, "usage: net sam policy set "
"\"<account policy>\" <value> \n");
return -1;
}
account_policy = argv[0];
field = account_policy_name_to_fieldnum(account_policy);
if (strequal(argv[1], "forever") || strequal(argv[1], "never")
|| strequal(argv[1], "off")) {
value = -1;
}
else {
value = strtoul(argv[1], &endptr, 10);
if ((endptr == argv[1]) || (endptr[0] != '\0')) {
d_printf("Unable to set policy \"%s\"! Invalid value "
"\"%s\".\n",
account_policy, argv[1]);
return -1;
}
}
if (field == 0) {
const char **names;
int i, count;
account_policy_names_list(&names, &count);
d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]);
d_fprintf(stderr, "Valid account policies are:\n");
for (i=0; i<count; i++) {
d_fprintf(stderr, "%s\n", names[i]);
}
SAFE_FREE(names);
return -1;
}
if (!pdb_get_account_policy(field, &old_value)) {
d_fprintf(stderr, "Valid account policy, but unable to fetch "
"value!\n");
}
if (!pdb_set_account_policy(field, value)) {
d_fprintf(stderr, "Valid account policy, but unable to "
"set value!\n");
return -1;
}
d_printf("Account policy \"%s\" value was: %d\n", account_policy,
old_value);
d_printf("Account policy \"%s\" value is now: %d\n", account_policy,
value);
return 0;
}
static int net_sam_policy_show(int argc, const char **argv)
{
const char *account_policy = NULL;
uint32 old_value;
int field;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam policy show"
" \"<account policy>\" \n");
return -1;
}
account_policy = argv[0];
field = account_policy_name_to_fieldnum(account_policy);
if (field == 0) {
const char **names;
int count;
int i;
account_policy_names_list(&names, &count);
d_fprintf(stderr, "No account policy by that name!\n");
if (count != 0) {
d_fprintf(stderr, "Valid account policies "
"are:\n");
for (i=0; i<count; i++) {
d_fprintf(stderr, "%s\n", names[i]);
}
}
SAFE_FREE(names);
return -1;
}
if (!pdb_get_account_policy(field, &old_value)) {
fprintf(stderr, "Valid account policy, but unable to "
"fetch value!\n");
return -1;
}
printf("Account policy \"%s\" description: %s\n",
account_policy, account_policy_get_desc(field));
printf("Account policy \"%s\" value is: %d\n", account_policy,
old_value);
return 0;
}
static int net_sam_policy_list(int argc, const char **argv)
{
const char **names;
int count;
int i;
account_policy_names_list(&names, &count);
if (count != 0) {
d_fprintf(stderr, "Valid account policies "
"are:\n");
for (i = 0; i < count ; i++) {
d_fprintf(stderr, "%s\n", names[i]);
}
}
SAFE_FREE(names);
return -1;
}
static int net_sam_policy(int argc, const char **argv)
{
struct functable2 func[] = {
{ "list", net_sam_policy_list,
"List account policies" },
{ "show", net_sam_policy_show,
"Show account policies" },
{ "set", net_sam_policy_set,
"Change account policies" },
{NULL, NULL}
};
return net_run_function2(argc, argv, "net sam policy", func);
}
/*
* Map a unix group to a domain group
*/
static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
{
NTSTATUS status;
GROUP_MAP map;
const char *grpname, *dom, *name;
uint32 rid;
if (pdb_getgrgid(&map, grp->gr_gid)) {
return NT_STATUS_GROUP_EXISTS;
}
map.gid = grp->gr_gid;
grpname = grp->gr_name;
if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_ISOLATED,
&dom, &name, NULL, NULL)) {
const char *tmp = talloc_asprintf(
talloc_tos(), "Unix Group %s", grp->gr_name);
DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
grpname, dom, name, tmp));
grpname = tmp;
}
if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_ISOLATED,
NULL, NULL, NULL, NULL)) {
DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
return NT_STATUS_GROUP_EXISTS;
}
fstrcpy(map.nt_name, grpname);
if (pdb_rid_algorithm()) {
rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
} else {
if (!pdb_new_rid(&rid)) {
DEBUG(3, ("Could not get a new RID for %s\n",
grp->gr_name));
return NT_STATUS_ACCESS_DENIED;
}
}
sid_compose(&map.sid, get_global_sam_sid(), rid);
map.sid_name_use = SID_NAME_DOM_GRP;
fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s",
grp->gr_name));
status = pdb_add_group_mapping_entry(&map);
if (NT_STATUS_IS_OK(status)) {
*pmap = map;
}
return status;
}
static int net_sam_mapunixgroup(int argc, const char **argv)
{
NTSTATUS status;
GROUP_MAP map;
struct group *grp;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n");
return -1;
}
grp = getgrnam(argv[0]);
if (grp == NULL) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
}
status = map_unix_group(grp, &map);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Mapping group %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
d_printf("Mapped unix group %s to SID %s\n", argv[0],
sid_string_static(&map.sid));
return 0;
}
/*
* Remove a group mapping
*/
static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
{
NTSTATUS status;
GROUP_MAP map;
const char *grpname;
DOM_SID dom_sid;
map.gid = grp->gr_gid;
grpname = grp->gr_name;
if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_ISOLATED,
NULL, NULL, NULL, NULL)) {
DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
return NT_STATUS_NO_SUCH_GROUP;
}
fstrcpy(map.nt_name, grpname);
if (!pdb_gid_to_sid(map.gid, &dom_sid)) {
return NT_STATUS_UNSUCCESSFUL;
}
status = pdb_delete_group_mapping_entry(dom_sid);
return status;
}
static int net_sam_unmapunixgroup(int argc, const char **argv)
{
NTSTATUS status;
GROUP_MAP map;
struct group *grp;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam unmapunixgroup <name>\n");
return -1;
}
grp = getgrnam(argv[0]);
if (grp == NULL) {
d_fprintf(stderr, "Could not find mapping for group %s.\n", argv[0]);
return -1;
}
status = unmap_unix_group(grp, &map);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Unmapping group %s failed with %s.\n",
argv[0], nt_errstr(status));
return -1;
}
d_printf("Unmapped unix group %s.\n", argv[0]);
return 0;
}
/*
* Create a local group
*/
static int net_sam_createlocalgroup(int argc, const char **argv)
{
NTSTATUS status;
uint32 rid;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n");
return -1;
}
if (!winbind_ping()) {
d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
"only works when winbind runs.\n");
return -1;
}
status = pdb_create_alias(argv[0], &rid);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Creating %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
d_printf("Created local group %s with RID %d\n", argv[0], rid);
return 0;
}
/*
* Delete a local group
*/
static int net_sam_deletelocalgroup(int argc, const char **argv)
{
DOM_SID sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find %s.\n", argv[0]);
return -1;
}
if (type != SID_NAME_ALIAS) {
d_fprintf(stderr, "%s is a %s, not a local group.\n", argv[0],
sid_type_lookup(type));
return -1;
}
status = pdb_delete_alias(&sid);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Deleting local group %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
d_printf("Deleted local group %s.\n", argv[0]);
return 0;
}
/*
* Create a local group
*/
static int net_sam_createbuiltingroup(int argc, const char **argv)
{
NTSTATUS status;
uint32 rid;
enum lsa_SidType type;
fstring groupname;
DOM_SID sid;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n");
return -1;
}
if (!winbind_ping()) {
d_fprintf(stderr, "winbind seems not to run. createlocalgroup "
"only works when winbind runs.\n");
return -1;
}
/* validate the name and get the group */
fstrcpy( groupname, "BUILTIN\\" );
fstrcat( groupname, argv[0] );
if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL,
NULL, &sid, &type)) {
d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]);
return -1;
}
if ( !sid_peek_rid( &sid, &rid ) ) {
d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]);
return -1;
}
status = pdb_create_builtin_alias( rid );
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Creating %s failed with %s\n",
argv[0], nt_errstr(status));
return -1;
}
d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid);
return 0;
}
/*
* Add a group member
*/
static int net_sam_addmem(int argc, const char **argv)
{
const char *groupdomain, *groupname, *memberdomain, *membername;
DOM_SID group, member;
enum lsa_SidType grouptype, membertype;
NTSTATUS status;
if (argc != 2) {
d_fprintf(stderr, "usage: net sam addmem <group> <member>\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&groupdomain, &groupname, &group, &grouptype)) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
}
/* check to see if the member to be added is a name or a SID */
if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_ISOLATED,
&memberdomain, &membername, &member, &membertype))
{
/* try it as a SID */
if ( !string_to_sid( &member, argv[1] ) ) {
d_fprintf(stderr, "Could not find member %s\n", argv[1]);
return -1;
}
if ( !lookup_sid(talloc_tos(), &member, &memberdomain,
&membername, &membertype) )
{
d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]);
return -1;
}
}
if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) {
if ((membertype != SID_NAME_USER) &&
(membertype != SID_NAME_DOM_GRP)) {
d_fprintf(stderr, "%s is a local group, only users "
"and domain groups can be added.\n"
"%s is a %s\n", argv[0], argv[1],
sid_type_lookup(membertype));
return -1;
}
status = pdb_add_aliasmem(&group, &member);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Adding local group member failed "
"with %s\n", nt_errstr(status));
return -1;
}
} else {
d_fprintf(stderr, "Can only add members to local groups so "
"far, %s is a %s\n", argv[0],
sid_type_lookup(grouptype));
return -1;
}
d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername,
groupdomain, groupname);
return 0;
}
/*
* Delete a group member
*/
static int net_sam_delmem(int argc, const char **argv)
{
const char *groupdomain, *groupname;
const char *memberdomain = NULL;
const char *membername = NULL;
DOM_SID group, member;
enum lsa_SidType grouptype;
NTSTATUS status;
if (argc != 2) {
d_fprintf(stderr, "usage: net sam delmem <group> <member>\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&groupdomain, &groupname, &group, &grouptype)) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
}
if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_ISOLATED,
&memberdomain, &membername, &member, NULL)) {
if (!string_to_sid(&member, argv[1])) {
d_fprintf(stderr, "Could not find member %s\n",
argv[1]);
return -1;
}
}
if ((grouptype == SID_NAME_ALIAS) ||
(grouptype == SID_NAME_WKN_GRP)) {
status = pdb_del_aliasmem(&group, &member);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Deleting local group member failed "
"with %s\n", nt_errstr(status));
return -1;
}
} else {
d_fprintf(stderr, "Can only delete members from local groups "
"so far, %s is a %s\n", argv[0],
sid_type_lookup(grouptype));
return -1;
}
if (membername != NULL) {
d_printf("Deleted %s\\%s from %s\\%s\n",
memberdomain, membername, groupdomain, groupname);
} else {
d_printf("Deleted %s from %s\\%s\n",
sid_string_static(&member), groupdomain, groupname);
}
return 0;
}
/*
* List group members
*/
static int net_sam_listmem(int argc, const char **argv)
{
const char *groupdomain, *groupname;
DOM_SID group;
enum lsa_SidType grouptype;
NTSTATUS status;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam listmem <group>\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&groupdomain, &groupname, &group, &grouptype)) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
}
if ((grouptype == SID_NAME_ALIAS) ||
(grouptype == SID_NAME_WKN_GRP)) {
DOM_SID *members = NULL;
size_t i, num_members = 0;
status = pdb_enum_aliasmem(&group, &members, &num_members);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "Listing group members failed with "
"%s\n", nt_errstr(status));
return -1;
}
d_printf("%s\\%s has %u members\n", groupdomain, groupname,
(unsigned int)num_members);
for (i=0; i<num_members; i++) {
const char *dom, *name;
if (lookup_sid(talloc_tos(), &members[i],
&dom, &name, NULL)) {
d_printf(" %s\\%s\n", dom, name);
} else {
d_printf(" %s\n",
sid_string_static(&members[i]));
}
}
TALLOC_FREE(members);
} else {
d_fprintf(stderr, "Can only list local group members so far.\n"
"%s is a %s\n", argv[0], sid_type_lookup(grouptype));
return -1;
}
return 0;
}
/*
* Do the listing
*/
static int net_sam_do_list(int argc, const char **argv,
struct pdb_search *search, const char *what)
{
BOOL verbose = (argc == 1);
if ((argc > 1) ||
((argc == 1) && !strequal(argv[0], "verbose"))) {
d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what);
return -1;
}
if (search == NULL) {
d_fprintf(stderr, "Could not start search\n");
return -1;
}
while (True) {
struct samr_displayentry entry;
if (!search->next_entry(search, &entry)) {
break;
}
if (verbose) {
d_printf("%s:%d:%s\n",
entry.account_name,
entry.rid,
entry.description);
} else {
d_printf("%s\n", entry.account_name);
}
}
search->search_end(search);
return 0;
}
static int net_sam_list_users(int argc, const char **argv)
{
return net_sam_do_list(argc, argv, pdb_search_users(ACB_NORMAL),
"users");
}
static int net_sam_list_groups(int argc, const char **argv)
{
return net_sam_do_list(argc, argv, pdb_search_groups(), "groups");
}
static int net_sam_list_localgroups(int argc, const char **argv)
{
return net_sam_do_list(argc, argv,
pdb_search_aliases(get_global_sam_sid()),
"localgroups");
}
static int net_sam_list_builtin(int argc, const char **argv)
{
return net_sam_do_list(argc, argv,
pdb_search_aliases(&global_sid_Builtin),
"builtin");
}
static int net_sam_list_workstations(int argc, const char **argv)
{
return net_sam_do_list(argc, argv,
pdb_search_users(ACB_WSTRUST),
"workstations");
}
/*
* List stuff
*/
static int net_sam_list(int argc, const char **argv)
{
struct functable2 func[] = {
{ "users", net_sam_list_users,
"List SAM users" },
{ "groups", net_sam_list_groups,
"List SAM groups" },
{ "localgroups", net_sam_list_localgroups,
"List SAM local groups" },
{ "builtin", net_sam_list_builtin,
"List builtin groups" },
{ "workstations", net_sam_list_workstations,
"List domain member workstations" },
{NULL, NULL}
};
return net_run_function2(argc, argv, "net sam list", func);
}
/*
* Show details of SAM entries
*/
static int net_sam_show(int argc, const char **argv)
{
DOM_SID sid;
enum lsa_SidType type;
const char *dom, *name;
if (argc != 1) {
d_fprintf(stderr, "usage: net sam show <name>\n");
return -1;
}
if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
}
d_printf("%s\\%s is a %s with SID %s\n", dom, name,
sid_type_lookup(type), sid_string_static(&sid));
return 0;
}
#ifdef HAVE_LDAP
/*
* Init an LDAP tree with default users and Groups
* if ldapsam:editposix is enabled
*/
static int net_sam_provision(int argc, const char **argv)
{
TALLOC_CTX *tc;
char *ldap_bk;
char *ldap_uri = NULL;
char *p;
struct smbldap_state *ls;
GROUP_MAP gmap;
DOM_SID gsid;
gid_t domusers_gid = -1;
gid_t domadmins_gid = -1;
struct samu *samuser;
struct passwd *pwd;
tc = talloc_new(NULL);
if (!tc) {
d_fprintf(stderr, "Out of Memory!\n");
return -1;
}
if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) {
d_fprintf(stderr, "talloc failed\n");
talloc_free(tc);
return -1;
}
p = strchr(ldap_bk, ':');
if (p) {
*p = 0;
ldap_uri = talloc_strdup(tc, p+1);
trim_char(ldap_uri, ' ', ' ');
}
trim_char(ldap_bk, ' ', ' ');
if (strcmp(ldap_bk, "ldapsam") != 0) {
d_fprintf(stderr, "Provisioning works only with ldapsam backend\n");
goto failed;
}
if (!lp_parm_bool(-1, "ldapsam", "trusted", False) ||
!lp_parm_bool(-1, "ldapsam", "editposix", False)) {
d_fprintf(stderr, "Provisioning works only if ldapsam:trusted"
" and ldapsam:editposix are enabled.\n");
goto failed;
}
if (!winbind_ping()) {
d_fprintf(stderr, "winbind seems not to run. Provisioning "
"LDAP only works when winbind runs.\n");
goto failed;
}
if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) {
d_fprintf(stderr, "Unable to connect to the LDAP server.\n");
goto failed;
}
d_printf("Checking for Domain Users group.\n");
sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
if (!pdb_getgrsid(&gmap, gsid)) {
LDAPMod **mods = NULL;
char *dn;
char *uname;
char *wname;
char *gidstr;
char *gtype;
int rc;
d_printf("Adding the Domain Users group.\n");
/* lets allocate a new groupid for this group */
if (!winbind_allocate_gid(&domusers_gid)) {
d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n");
goto domu_done;
}
uname = talloc_strdup(tc, "domusers");
wname = talloc_strdup(tc, "Domain Users");
dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix());
gidstr = talloc_asprintf(tc, "%d", domusers_gid);
gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
if (!uname || !wname || !dn || !gidstr || !gtype) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
talloc_autofree_ldapmod(tc, mods);
rc = smbldap_add(ls, dn, mods);
if (rc != LDAP_SUCCESS) {
d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n");
}
} else {
domusers_gid = gmap.gid;
d_printf("found!\n");
}
domu_done:
d_printf("Checking for Domain Admins group.\n");
sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
if (!pdb_getgrsid(&gmap, gsid)) {
LDAPMod **mods = NULL;
char *dn;
char *uname;
char *wname;
char *gidstr;
char *gtype;
int rc;
d_printf("Adding the Domain Admins group.\n");
/* lets allocate a new groupid for this group */
if (!winbind_allocate_gid(&domadmins_gid)) {
d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n");
goto doma_done;
}
uname = talloc_strdup(tc, "domadmins");
wname = talloc_strdup(tc, "Domain Admins");
dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix());
gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
if (!uname || !wname || !dn || !gidstr || !gtype) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
talloc_autofree_ldapmod(tc, mods);
rc = smbldap_add(ls, dn, mods);
if (rc != LDAP_SUCCESS) {
d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n");
}
} else {
domadmins_gid = gmap.gid;
d_printf("found!\n");
}
doma_done:
d_printf("Check for Administrator account.\n");
samuser = samu_new(tc);
if (!samuser) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
if (!pdb_getsampwnam(samuser, "Administrator")) {
LDAPMod **mods = NULL;
DOM_SID sid;
char *dn;
char *name;
char *uidstr;
char *gidstr;
char *shell;
char *dir;
uid_t uid;
int rc;
d_printf("Adding the Administrator user.\n");
if (domadmins_gid == -1) {
d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n");
goto done;
}
if (!winbind_allocate_uid(&uid)) {
d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n");
goto done;
}
name = talloc_strdup(tc, "Administrator");
dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
uidstr = talloc_asprintf(tc, "%d", uid);
gidstr = talloc_asprintf(tc, "%d", domadmins_gid);
dir = talloc_sub_specified(tc, lp_template_homedir(),
"Administrator",
get_global_sam_name(),
uid, domadmins_gid);
shell = talloc_sub_specified(tc, lp_template_shell(),
"Administrator",
get_global_sam_name(),
uid, domadmins_gid);
if (!name || !dn || !uidstr || !gidstr || !dir || !shell) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_static(&sid));
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
NEW_PW_FORMAT_SPACE_PADDED_LEN));
talloc_autofree_ldapmod(tc, mods);
rc = smbldap_add(ls, dn, mods);
if (rc != LDAP_SUCCESS) {
d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n");
}
} else {
d_printf("found!\n");
}
d_printf("Checking for Guest user.\n");
samuser = samu_new(tc);
if (!samuser) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
LDAPMod **mods = NULL;
DOM_SID sid;
char *dn;
char *uidstr;
char *gidstr;
int rc;
d_printf("Adding the Guest user.\n");
pwd = getpwnam_alloc(tc, lp_guestaccount());
if (!pwd) {
if (domusers_gid == -1) {
d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n");
goto done;
}
if ((pwd = talloc(tc, struct passwd)) == NULL) {
d_fprintf(stderr, "talloc failed\n");
goto done;
}
pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
if (!winbind_allocate_uid(&(pwd->pw_uid))) {
d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n");
goto done;
}
pwd->pw_gid = domusers_gid;
pwd->pw_dir = talloc_strdup(tc, "/");
pwd->pw_shell = talloc_strdup(tc, "/bin/false");
if (!pwd->pw_dir || !pwd->pw_shell) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
}
sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
uidstr = talloc_asprintf(tc, "%d", pwd->pw_uid);
gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
if (!dn || !uidstr || !gidstr) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) {
smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir);
}
if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) {
smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell);
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_static(&sid));
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags",
pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED,
NEW_PW_FORMAT_SPACE_PADDED_LEN));
talloc_autofree_ldapmod(tc, mods);
rc = smbldap_add(ls, dn, mods);
if (rc != LDAP_SUCCESS) {
d_fprintf(stderr, "Failed to add Guest user to ldap directory\n");
}
} else {
d_printf("found!\n");
}
d_printf("Checking Guest's group.\n");
pwd = getpwnam_alloc(NULL, lp_guestaccount());
if (!pwd) {
d_fprintf(stderr, "Failed to find just created Guest account!\n"
" Is nss properly configured?!\n");
goto failed;
}
if (pwd->pw_gid == domusers_gid) {
d_printf("found!\n");
goto done;
}
if (!pdb_getgrgid(&gmap, pwd->pw_gid)) {
LDAPMod **mods = NULL;
char *dn;
char *uname;
char *wname;
char *gidstr;
char *gtype;
int rc;
d_printf("Adding the Domain Guests group.\n");
uname = talloc_strdup(tc, "domguests");
wname = talloc_strdup(tc, "Domain Guests");
dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix());
gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid);
gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP);
if (!uname || !wname || !dn || !gidstr || !gtype) {
d_fprintf(stderr, "Out of Memory!\n");
goto failed;
}
sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_static(&gsid));
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype);
talloc_autofree_ldapmod(tc, mods);
rc = smbldap_add(ls, dn, mods);
if (rc != LDAP_SUCCESS) {
d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n");
}
} else {
d_printf("found!\n");
}
done:
talloc_free(tc);
return 0;
failed:
talloc_free(tc);
return -1;
}
#endif
/***********************************************************
migrated functionality from smbgroupedit
**********************************************************/
int net_sam(int argc, const char **argv)
{
struct functable2 func[] = {
{ "createbuiltingroup", net_sam_createbuiltingroup,
"Create a new BUILTIN group" },
{ "createlocalgroup", net_sam_createlocalgroup,
"Create a new local group" },
{ "deletelocalgroup", net_sam_deletelocalgroup,
"Delete an existing local group" },
{ "mapunixgroup", net_sam_mapunixgroup,
"Map a unix group to a domain group" },
{ "unmapunixgroup", net_sam_unmapunixgroup,
"Remove a group mapping of an unix group to a domain group" },
{ "addmem", net_sam_addmem,
"Add a member to a group" },
{ "delmem", net_sam_delmem,
"Delete a member from a group" },
{ "listmem", net_sam_listmem,
"List group members" },
{ "list", net_sam_list,
"List users, groups and local groups" },
{ "show", net_sam_show,
"Show details of a SAM entry" },
{ "set", net_sam_set,
"Set details of a SAM account" },
{ "policy", net_sam_policy,
"Set account policies" },
#ifdef HAVE_LDAP
{ "provision", net_sam_provision,
"Provision a clean User Database" },
#endif
{ NULL, NULL, NULL }
};
/* we shouldn't have silly checks like this */
if (getuid() != 0) {
d_fprintf(stderr, "You must be root to edit the SAM "
"directly.\n");
return -1;
}
return net_run_function2(argc, argv, "net sam", func);
}
View Git Blame Copy Permalink