/*    Samba Unix/Linux SMB client library    net ads commands   Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)   Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)   Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)   This program is free software; you can redistribute it and/or modify   it under the terms of the GNU General Public License as published by   the Free Software Foundation; either version 2 of the License, or   (at your option) any later version.      This program is distributed in the hope that it will be useful,   but WITHOUT ANY WARRANTY; without even the implied warranty of   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the   GNU General Public License for more details.      You should have received a copy of the GNU General Public License   along with this program; if not, write to the Free Software   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */#include "includes.h"#include "utils/net.h"#ifdef HAVE_ADSint net_ads_usage(int argc, const char **argv){	d_printf("\nnet ads join <org_unit>"\"\n\tjoins the local machine to a ADS realm\n"\"\nnet ads leave"\"\n\tremoves the local machine from a ADS realm\n"\"\nnet ads testjoin"\"\n\ttests that an exiting join is OK\n"\"\nnet ads user"\"\n\tlist, add, or delete users in the realm\n"\"\nnet ads group"\"\n\tlist, add, or delete groups in the realm\n"\"\nnet ads info"\"\n\tshows some info on the server\n"\"\nnet ads status"\"\n\tdump the machine account details to stdout\n""\nnet ads lookup"\"\n\tperform a CLDAP search on the server\n""\nnet ads password <username@realm> <password> -Uadmin_username@realm%%admin_pass"\"\n\tchange a user's password using an admin account"\"\n\t(note: use realm in UPPERCASE, prompts if password is obmitted)\n"\"\nnet ads changetrustpw"\"\n\tchange the trust account password of this machine in the AD tree\n"\"\nnet ads printer [info | publish | remove] <printername> <servername>"\"\n\t lookup, add, or remove directory entry for a printer\n"\"\nnet ads search"\"\n\tperform a raw LDAP search and dump the results\n""\nnet ads dn"\"\n\tperform a raw LDAP search and dump attributes of a particular DN\n""\nnet ads keytab"\"\n\tcreates and updates the kerberos system keytab file\n"		);	return -1;}/*  this implements the CLDAP based netlogon lookup requests  for finding the domain controller of a ADS domain*/static int net_ads_lookup(int argc, const char **argv){	ADS_STRUCT *ads;	ads = ads_init(NULL, opt_target_workgroup, opt_host);	if (ads) {		ads->auth.flags |= ADS_AUTH_NO_BIND;	}	ads_connect(ads);	if (!ads) {		d_fprintf(stderr, "Didn't find the cldap server!\n");		return -1;	} if (!ads->config.realm) {		ads->config.realm = CONST_DISCARD(char *, opt_target_workgroup);		ads->ldap_port = 389;	}	return ads_cldap_netlogon(ads);}static int net_ads_info(int argc, const char **argv){	ADS_STRUCT *ads;	/* if netbios is disabled we have to default to the realm from smb.conf */	if ( lp_disable_netbios() && *lp_realm() )		ads = ads_init(lp_realm(), opt_target_workgroup, opt_host);	else		ads = ads_init(NULL, opt_target_workgroup, opt_host);	if (ads) {		ads->auth.flags |= ADS_AUTH_NO_BIND;	}	ads_connect(ads);	if (!ads || !ads->config.realm) {		d_fprintf(stderr, "Didn't find the ldap server!\n");		return -1;	}	d_printf("LDAP server: %s\n", inet_ntoa(ads->ldap_ip));	d_printf("LDAP server name: %s\n", ads->config.ldap_server_name);	d_printf("Realm: %s\n", ads->config.realm);	d_printf("Bind Path: %s\n", ads->config.bind_path);	d_printf("LDAP port: %d\n", ads->ldap_port);	d_printf("Server time: %s\n", http_timestring(ads->config.current_time));	d_printf("KDC server: %s\n", ads->auth.kdc_server );	d_printf("Server time offset: %d\n", ads->auth.time_offset );	return 0;}static void use_in_memory_ccache(void) {	/* Use in-memory credentials cache so we do not interfere with	 * existing credentials */	setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);}static ADS_STRUCT *ads_startup(void){	ADS_STRUCT *ads;	ADS_STATUS status;	BOOL need_password = False;	BOOL second_time = False;	char *cp;		/* lp_realm() should be handled by a command line param, 	   However, the join requires that realm be set in smb.conf	   and compares our realm with the remote server's so this is	   ok until someone needs more flexibility */	   	ads = ads_init(lp_realm(), opt_target_workgroup, opt_host);	if (!opt_user_name) {		opt_user_name = "administrator";	}	if (opt_user_specified) {		need_password = True;	}retry:	if (!opt_password && need_password && !opt_machine_pass) {		char *prompt;		asprintf(&prompt,"%s's password: ", opt_user_name);		opt_password = getpass(prompt);		free(prompt);	}	if (opt_password) {		use_in_memory_ccache();		ads->auth.password = smb_xstrdup(opt_password);	}	ads->auth.user_name = smb_xstrdup(opt_user_name);       /*        * If the username is of the form "name@realm",         * extract the realm and convert to upper case.        * This is only used to establish the connection.        */       if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) {               *cp++ = '\0';               ads->auth.realm = smb_xstrdup(cp);               strupper_m(ads->auth.realm);       }	status = ads_connect(ads);	if (!ADS_ERR_OK(status)) {		if (!need_password && !second_time) {			need_password = True;			second_time = True;			goto retry;		} else {			DEBUG(0,("ads_connect: %s\n", ads_errstr(status)));			return NULL;		}	}	return ads;}/*  Check to see if connection can be made via ads.  ads_startup() stores the password in opt_password if it needs to so  that rpc or rap can use it without re-prompting.*/int net_ads_check(void){	ADS_STRUCT *ads;	ads = ads_startup();	if (!ads)		return -1;	ads_destroy(&ads);	return 0;}/*    determine the netbios workgroup name for a domain */static int net_ads_workgroup(int argc, const char **argv){	ADS_STRUCT *ads;	TALLOC_CTX *ctx;	const char *workgroup;	if (!(ads = ads_startup())) return -1;	if (!(ctx = talloc_init("net_ads_workgroup"))) {		ads_destroy(&ads);		return -1;	}	if (!ADS_ERR_OK(ads_workgroup_name(ads, ctx, &workgroup))) {		d_fprintf(stderr, "Failed to find workgroup for realm '%s'\n", 			 ads->config.realm);		talloc_destroy(ctx);		ads_destroy(&ads);		return -1;	}	d_printf("Workgroup: %s\n", workgroup);	talloc_destroy(ctx);	ads_destroy(&ads);	return 0;}static BOOL usergrp_display(char *field, void **values, void *data_area){	char **disp_fields = (char **) data_area;	if (!field) { /* must be end of record */		if (disp_fields[0]) {			if (!strchr_m(disp_fields[0], '$')) {				if (disp_fields[1])					d_printf("%-21.21s %s\n", 					       disp_fields[0], disp_fields[1]);				else					d_printf("%s\n", disp_fields[0]);			}		}		SAFE_FREE(disp_fields[0]);		SAFE_FREE(disp_fields[1]);		return True;	}	if (!values) /* must be new field, indicate string field */		return True;	if (StrCaseCmp(field, "sAMAccountName") == 0) {		disp_fields[0] = SMB_STRDUP((char *) values[0]);	}	if (StrCaseCmp(field, "description") == 0)		disp_fields[1] = SMB_STRDUP((char *) values[0]);	return True;}static int net_ads_user_usage(int argc, const char **argv){	return net_help_user(argc, argv);} static int ads_user_add(int argc, const char **argv){	ADS_STRUCT *ads;	ADS_STATUS status;	char *upn, *userdn;	void *res=NULL;	int rc = -1;	if (argc < 1) return net_ads_user_usage(argc, argv);		if (!(ads = ads_startup())) {		return -1;	}	status = ads_find_user_acct(ads, &res, argv[0]);	if (!ADS_ERR_OK(status)) {		d_fprintf(stderr, "ads_user_add: %s\n", ads_errstr(status));		goto done;	}		if (ads_count_replies(ads, res)) {		d_fprintf(stderr, "ads_user_add: User %s already exists\n", argv[0]);		goto done;	}	if (opt_container == NULL) {		opt_container = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);	}	status = ads_add_user_acct(ads, argv[0], opt_container, opt_comment);	if (!ADS_ERR_OK(status)) {		d_fprintf(stderr, "Could not add user %s: %s\n", argv[0],			 ads_errstr(status));		goto done;	}	/* if no password is to be set, we're done */	if (argc == 1) { 		d_printf("User %s added\n", argv[0]);		rc = 0;		goto done;	}	/* try setting the password */	asprintf(&upn, "%s@%s", argv[0], ads->config.realm);	status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1], 				       ads->auth.time_offset);	safe_free(upn);	if (ADS_ERR_OK(status)) {		d_printf("User %s added\n", argv[0]);		rc = 0;		goto done;	}	/* password didn't set, delete account */	d_fprintf(stderr, "Could not add user %s.  Error setting password %s\n",		 argv[0], ads_errstr(status));	ads_msgfree(ads, res);	status=ads_find_user_acct(ads, &res, argv[0]);	if (ADS_ERR_OK(status)) {		userdn = ads_get_dn(ads, res);		ads_del_dn(ads, userdn);		ads_memfree(ads, userdn);	} done:	if (res)		ads_msgfree(ads, res);	ads_destroy(&ads);	return rc;}static int ads_user_info(int argc, const char **argv){	ADS_STRUCT *ads;	ADS_STATUS rc;	void *res;	const char *attrs[] = {"memberOf", NULL};	char *searchstring=NULL;	char **grouplist;	char *escaped_user;	if (argc < 1) {		return net_ads_user_usage(argc, argv);	}	escaped_user = escape_ldap_string_alloc(argv[0]);		if (!(ads = ads_startup())) {		return -1;	}	if (!escaped_user) {		d_fprintf(stderr, "ads_user_info: failed to escape user %s\n", argv[0]);		ads_destroy(&ads);	 	return -1;	}	asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user);	rc = ads_search(ads, &res, searchstring, attrs);	safe_free(searchstring);	if (!ADS_ERR_OK(rc)) {		d_fprintf(stderr, "ads_search: %s\n", ads_errstr(rc));		ads_destroy(&ads);		return -1;	}		grouplist = ldap_get_values(ads->ld, res, "memberOf");	if (grouplist) {		int i;		char **groupname;		for (i=0;grouplist[i];i++) {			groupname = ldap_explode_dn(grouplist[i], 1);			d_printf("%s\n", groupname[0]);			ldap_value_free(groupname);		}		ldap_value_free(grouplist);	}		ads_msgfree(ads, res);	ads_destroy(&ads);	return 0;}static int ads_user_delete(int argc, const char **argv){	ADS_STRUCT *ads;	ADS_STATUS rc;	void *res;	char *userdn;	if (argc < 1) {		return net_ads_user_usage(argc, argv);	}		if (!(ads = ads_startup())) {		return -1;	}	rc = ads_find_user_acct(ads, &res, argv[0]);	if (!ADS_ERR_OK(rc)) {		DEBUG(0, ("User %s does not exist\n", argv[0]));		ads_destroy(&ads);		return -1;	}	userdn = ads_get_dn(ads, res);	ads_msgfree(ads, res);	rc = ads_del_dn(ads, userdn);	ads_memfree(ads, userdn);	if (!ADS_ERR_OK(rc)) {		d_printf("User %s deleted\n", argv[0]);		ads_destroy(&ads);		return 0;	}	d_fprintf(stderr, "Error deleting user %s: %s\n", argv[0], 		 ads_errstr(rc));	ads_destroy(&ads);	return -1;}int net_ads_user(int argc, const char **argv){	struct functable func[] = {		{"ADD", ads_user_add},		{"INFO", ads_user_info},		{"DELETE", ads_user_delete},		{NULL, NULL}	};	ADS_STRUCT *ads;	ADS_STATUS rc;	const char *shortattrs[] = {"sAMAccountName", NULL};	const char *longattrs[] = {"sAMAccountName", "description", NULL};	char *disp_fields[2] = {NULL, NULL};		if (argc == 0) {		if (!(ads = ads_startup())) {			return -1;		}		if (opt_long_list_entries)			d_printf("\nUser name             Comment"\				 "\n-----------------------------\n");		rc = ads_do_search_all_fn(ads, ads->config.bind_path, 					  LDAP_SCOPE_SUBTREE,					  "(objectclass=user)", 					  opt_long_list_entries ? longattrs :					  shortattrs, usergrp_display, 					  disp_fields);		ads_destroy(&ads);		return 0;	}	return net_run_function(argc, argv, func, net_ads_user_usage);}static int net_ads_group_usage(int argc, const char **argv){	return net_help_group(argc, argv);} static int ads_group_add(int argc, const char **argv){	ADS_STRUCT *ads;	ADS_STATUS status;	void *res=NULL;	int rc = -1;	if (argc < 1) {		return net_ads_group_usage(argc, argv);	}		if (!(ads = ads_startup())) {		return -1;	}	status = ads_find_user_acct(ads, &res, argv[0]);	if (!ADS_ERR_OK(status)) {		d_fprintf(stderr, "ads_group_add: %s\n", ads_errstr(status));		goto done;	}		if (ads_count_replies(ads, res)) {		d_fprintf(stderr, "ads_group_add: Group %s already exists\n", argv[0]);		ads_msgfree(ads, res);		goto done;	}	if (opt_container == NULL) {		opt_container = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);	}