/* * Unix SMB/CIFS implementation. * Local SAM access routines * Copyright (C) Volker Lendecke 2006 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "utils/net.h" /* * Set a user's data */ static int net_sam_userset(int argc, const char **argv, const char *field, bool (*fn)(struct samu *, const char *, enum pdb_value_state)) { struct samu *sam_acct = NULL; DOM_SID sid; enum lsa_SidType type; const char *dom, *name; NTSTATUS status; if (argc != 2) { d_fprintf(stderr, "usage: net sam set %s <user> <value>\n", field); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } if (type != SID_NAME_USER) { d_fprintf(stderr, "%s is a %s, not a user\n", argv[0], sid_type_lookup(type)); return -1; } if ( !(sam_acct = samu_new( NULL )) ) { d_fprintf(stderr, "Internal error\n"); return -1; } if (!pdb_getsampwsid(sam_acct, &sid)) { d_fprintf(stderr, "Loading user %s failed\n", argv[0]); return -1; } if (!fn(sam_acct, argv[1], PDB_CHANGED)) { d_fprintf(stderr, "Internal error\n"); return -1; } status = pdb_update_sam_account(sam_acct); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Updating sam account %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } TALLOC_FREE(sam_acct); d_printf("Updated %s for %s\\%s to %s\n", field, dom, name, argv[1]); return 0; } static int net_sam_set_fullname(int argc, const char **argv) { return net_sam_userset(argc, argv, "fullname", pdb_set_fullname); } static int net_sam_set_logonscript(int argc, const char **argv) { return net_sam_userset(argc, argv, "logonscript", pdb_set_logon_script); } static int net_sam_set_profilepath(int argc, const char **argv) { return net_sam_userset(argc, argv, "profilepath", pdb_set_profile_path); } static int net_sam_set_homedrive(int argc, const char **argv) { return net_sam_userset(argc, argv, "homedrive", pdb_set_dir_drive); } static int net_sam_set_homedir(int argc, const char **argv) { return net_sam_userset(argc, argv, "homedir", pdb_set_homedir); } static int net_sam_set_workstations(int argc, const char **argv) { return net_sam_userset(argc, argv, "workstations", pdb_set_workstations); } /* * Set account flags */ static int net_sam_set_userflag(int argc, const char **argv, const char *field, uint16 flag) { struct samu *sam_acct = NULL; DOM_SID sid; enum lsa_SidType type; const char *dom, *name; NTSTATUS status; uint16 acct_flags; if ((argc != 2) || (!strequal(argv[1], "yes") && !strequal(argv[1], "no"))) { d_fprintf(stderr, "usage: net sam set %s <user> [yes|no]\n", field); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } if (type != SID_NAME_USER) { d_fprintf(stderr, "%s is a %s, not a user\n", argv[0], sid_type_lookup(type)); return -1; } if ( !(sam_acct = samu_new( NULL )) ) { d_fprintf(stderr, "Internal error\n"); return -1; } if (!pdb_getsampwsid(sam_acct, &sid)) { d_fprintf(stderr, "Loading user %s failed\n", argv[0]); return -1; } acct_flags = pdb_get_acct_ctrl(sam_acct); if (strequal(argv[1], "yes")) { acct_flags |= flag; } else { acct_flags &= ~flag; } pdb_set_acct_ctrl(sam_acct, acct_flags, PDB_CHANGED); status = pdb_update_sam_account(sam_acct); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Updating sam account %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } TALLOC_FREE(sam_acct); d_fprintf(stderr, "Updated flag %s for %s\\%s to %s\n", field, dom, name, argv[1]); return 0; } static int net_sam_set_disabled(int argc, const char **argv) { return net_sam_set_userflag(argc, argv, "disabled", ACB_DISABLED); } static int net_sam_set_pwnotreq(int argc, const char **argv) { return net_sam_set_userflag(argc, argv, "pwnotreq", ACB_PWNOTREQ); } static int net_sam_set_autolock(int argc, const char **argv) { return net_sam_set_userflag(argc, argv, "autolock", ACB_AUTOLOCK); } static int net_sam_set_pwnoexp(int argc, const char **argv) { return net_sam_set_userflag(argc, argv, "pwnoexp", ACB_PWNOEXP); } /* * Set pass last change time, based on force pass change now */ static int net_sam_set_pwdmustchangenow(int argc, const char **argv) { struct samu *sam_acct = NULL; DOM_SID sid; enum lsa_SidType type; const char *dom, *name; NTSTATUS status; if ((argc != 2) || (!strequal(argv[1], "yes") && !strequal(argv[1], "no"))) { d_fprintf(stderr, "usage: net sam set pwdmustchangenow <user> [yes|no]\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } if (type != SID_NAME_USER) { d_fprintf(stderr, "%s is a %s, not a user\n", argv[0], sid_type_lookup(type)); return -1; } if ( !(sam_acct = samu_new( NULL )) ) { d_fprintf(stderr, "Internal error\n"); return -1; } if (!pdb_getsampwsid(sam_acct, &sid)) { d_fprintf(stderr, "Loading user %s failed\n", argv[0]); return -1; } if (strequal(argv[1], "yes")) { pdb_set_pass_last_set_time(sam_acct, 0, PDB_CHANGED); } else { pdb_set_pass_last_set_time(sam_acct, time(NULL), PDB_CHANGED); } status = pdb_update_sam_account(sam_acct); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Updating sam account %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } TALLOC_FREE(sam_acct); d_fprintf(stderr, "Updated 'user must change password at next logon' for %s\\%s to %s\n", dom, name, argv[1]); return 0; } /* * Set a user's or a group's comment */ static int net_sam_set_comment(int argc, const char **argv) { GROUP_MAP map; DOM_SID sid; enum lsa_SidType type; const char *dom, *name; NTSTATUS status; if (argc != 2) { d_fprintf(stderr, "usage: net sam set comment <name> " "<comment>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } if (type == SID_NAME_USER) { return net_sam_userset(argc, argv, "comment", pdb_set_acct_desc); } if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) && (type != SID_NAME_WKN_GRP)) { d_fprintf(stderr, "%s is a %s, not a group\n", argv[0], sid_type_lookup(type)); return -1; } if (!pdb_getgrsid(&map, sid)) { d_fprintf(stderr, "Could not load group %s\n", argv[0]); return -1; } fstrcpy(map.comment, argv[1]); status = pdb_update_group_mapping_entry(&map); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Updating group mapping entry failed with " "%s\n", nt_errstr(status)); return -1; } d_printf("Updated comment of group %s\\%s to %s\n", dom, name, argv[1]); return 0; } static int net_sam_set(int argc, const char **argv) { struct functable2 func[] = { { "homedir", net_sam_set_homedir, "Change a user's home directory" }, { "profilepath", net_sam_set_profilepath, "Change a user's profile path" }, { "comment", net_sam_set_comment, "Change a users or groups description" }, { "fullname", net_sam_set_fullname, "Change a user's full name" }, { "logonscript", net_sam_set_logonscript, "Change a user's logon script" }, { "homedrive", net_sam_set_homedrive, "Change a user's home drive" }, { "workstations", net_sam_set_workstations, "Change a user's allowed workstations" }, { "disabled", net_sam_set_disabled, "Disable/Enable a user" }, { "pwnotreq", net_sam_set_pwnotreq, "Disable/Enable the password not required flag" }, { "autolock", net_sam_set_autolock, "Disable/Enable a user's lockout flag" }, { "pwnoexp", net_sam_set_pwnoexp, "Disable/Enable whether a user's pw does not expire" }, { "pwdmustchangenow", net_sam_set_pwdmustchangenow, "Force users password must change at next logon" }, {NULL, NULL} }; return net_run_function2(argc, argv, "net sam set", func); } /* * Manage account policies */ static int net_sam_policy_set(int argc, const char **argv) { const char *account_policy = NULL; uint32 value = 0; uint32 old_value = 0; int field; char *endptr; if (argc != 2) { d_fprintf(stderr, "usage: net sam policy set " "\"<account policy>\" <value> \n"); return -1; } account_policy = argv[0]; field = account_policy_name_to_fieldnum(account_policy); if (strequal(argv[1], "forever") || strequal(argv[1], "never") || strequal(argv[1], "off")) { value = -1; } else { value = strtoul(argv[1], &endptr, 10); if ((endptr == argv[1]) || (endptr[0] != '\0')) { d_printf("Unable to set policy \"%s\"! Invalid value " "\"%s\".\n", account_policy, argv[1]); return -1; } } if (field == 0) { const char **names; int i, count; account_policy_names_list(&names, &count); d_fprintf(stderr, "No account policy \"%s\"!\n\n", argv[0]); d_fprintf(stderr, "Valid account policies are:\n"); for (i=0; i<count; i++) { d_fprintf(stderr, "%s\n", names[i]); } SAFE_FREE(names); return -1; } if (!pdb_get_account_policy(field, &old_value)) { d_fprintf(stderr, "Valid account policy, but unable to fetch " "value!\n"); } else { d_printf("Account policy \"%s\" value was: %d\n", account_policy, old_value); } if (!pdb_set_account_policy(field, value)) { d_fprintf(stderr, "Valid account policy, but unable to " "set value!\n"); return -1; } else { d_printf("Account policy \"%s\" value is now: %d\n", account_policy, value); } return 0; } static int net_sam_policy_show(int argc, const char **argv) { const char *account_policy = NULL; uint32 old_value; int field; if (argc != 1) { d_fprintf(stderr, "usage: net sam policy show" " \"<account policy>\" \n"); return -1; } account_policy = argv[0]; field = account_policy_name_to_fieldnum(account_policy); if (field == 0) { const char **names; int count; int i; account_policy_names_list(&names, &count); d_fprintf(stderr, "No account policy by that name!\n"); if (count != 0) { d_fprintf(stderr, "Valid account policies " "are:\n"); for (i=0; i<count; i++) { d_fprintf(stderr, "%s\n", names[i]); } } SAFE_FREE(names); return -1; } if (!pdb_get_account_policy(field, &old_value)) { fprintf(stderr, "Valid account policy, but unable to " "fetch value!\n"); return -1; } printf("Account policy \"%s\" description: %s\n", account_policy, account_policy_get_desc(field)); printf("Account policy \"%s\" value is: %d\n", account_policy, old_value); return 0; } static int net_sam_policy_list(int argc, const char **argv) { const char **names; int count; int i; account_policy_names_list(&names, &count); if (count != 0) { d_fprintf(stderr, "Valid account policies " "are:\n"); for (i = 0; i < count ; i++) { d_fprintf(stderr, "%s\n", names[i]); } } SAFE_FREE(names); return -1; } static int net_sam_policy(int argc, const char **argv) { struct functable2 func[] = { { "list", net_sam_policy_list, "List account policies" }, { "show", net_sam_policy_show, "Show account policies" }, { "set", net_sam_policy_set, "Change account policies" }, {NULL, NULL} }; return net_run_function2(argc, argv, "net sam policy", func); } extern PRIVS privs[]; static int net_sam_rights_list(int argc, const char **argv) { SE_PRIV mask; if (argc > 1) { d_fprintf(stderr, "usage: net sam rights list [privilege name]\n"); return -1; } if (argc == 0) { int i; int num = count_all_privileges(); for (i=0; i<num; i++) { d_printf("%s\n", privs[i].name); } return 0; } if (se_priv_from_name(argv[0], &mask)) { DOM_SID *sids; int i, num_sids; NTSTATUS status; status = privilege_enum_sids(&mask, talloc_tos(), &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Could not list rights: %s\n", nt_errstr(status)); return -1; } for (i=0; i<num_sids; i++) { const char *dom, *name; enum lsa_SidType type; if (lookup_sid(talloc_tos(), &sids[i], &dom, &name, &type)) { d_printf("%s\\%s\n", dom, name); } else { d_printf("%s\n", sid_string_tos(&sids[i])); } } return 0; } return -1; } static int net_sam_rights_grant(int argc, const char **argv) { DOM_SID sid; enum lsa_SidType type; const char *dom, *name; SE_PRIV mask; if (argc != 2) { d_fprintf(stderr, "usage: net sam rights grant <name> " "<right>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } if (!se_priv_from_name(argv[1], &mask)) { d_fprintf(stderr, "%s unknown\n", argv[1]); return -1; } if (!grant_privilege(&sid, &mask)) { d_fprintf(stderr, "Could not grant privilege\n"); return -1; } d_printf("Granted %s to %s\\%s\n", argv[1], dom, name); return 0; } static int net_sam_rights_revoke(int argc, const char **argv) { DOM_SID sid; enum lsa_SidType type; const char *dom, *name; SE_PRIV mask; if (argc != 2) { d_fprintf(stderr, "usage: net sam rights revoke <name> " "<right>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } if (!se_priv_from_name(argv[1], &mask)) { d_fprintf(stderr, "%s unknown\n", argv[1]); return -1; } if (!revoke_privilege(&sid, &mask)) { d_fprintf(stderr, "Could not revoke privilege\n"); return -1; } d_printf("Revoked %s from %s\\%s\n", argv[1], dom, name); return 0; } static int net_sam_rights(int argc, const char **argv) { struct functable2 func[] = { { "list", net_sam_rights_list, "List possible user rights" }, { "grant", net_sam_rights_grant, "Grant a right" }, { "revoke", net_sam_rights_revoke, "Revoke a right" }, { NULL } }; return net_run_function2(argc, argv, "net sam rights", func); } /* * Map a unix group to a domain group */ static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap) { NTSTATUS status; GROUP_MAP map; const char *grpname, *dom, *name; uint32 rid; if (pdb_getgrgid(&map, grp->gr_gid)) { return NT_STATUS_GROUP_EXISTS; } map.gid = grp->gr_gid; grpname = grp->gr_name; if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL, &dom, &name, NULL, NULL)) { const char *tmp = talloc_asprintf( talloc_tos(), "Unix Group %s", grp->gr_name); DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n", grpname, dom, name, tmp)); grpname = tmp; } if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL, NULL, NULL, NULL, NULL)) { DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name)); return NT_STATUS_GROUP_EXISTS; } fstrcpy(map.nt_name, grpname); if (pdb_rid_algorithm()) { rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(&rid)) { DEBUG(3, ("Could not get a new RID for %s\n", grp->gr_name)); return NT_STATUS_ACCESS_DENIED; } } sid_compose(&map.sid, get_global_sam_sid(), rid); map.sid_name_use = SID_NAME_DOM_GRP; fstrcpy(map.comment, talloc_asprintf(talloc_tos(), "Unix Group %s", grp->gr_name)); status = pdb_add_group_mapping_entry(&map); if (NT_STATUS_IS_OK(status)) { *pmap = map; } return status; } static int net_sam_mapunixgroup(int argc, const char **argv) { NTSTATUS status; GROUP_MAP map; struct group *grp; if (argc != 1) { d_fprintf(stderr, "usage: net sam mapunixgroup <name>\n"); return -1; } grp = getgrnam(argv[0]); if (grp == NULL) { d_fprintf(stderr, "Could not find group %s\n", argv[0]); return -1; } status = map_unix_group(grp, &map); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Mapping group %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } d_printf("Mapped unix group %s to SID %s\n", argv[0], sid_string_tos(&map.sid)); return 0; } /* * Remove a group mapping */ static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap) { NTSTATUS status; GROUP_MAP map; const char *grpname; DOM_SID dom_sid; map.gid = grp->gr_gid; grpname = grp->gr_name; if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL, NULL, NULL, NULL, NULL)) { DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name)); return NT_STATUS_NO_SUCH_GROUP; } fstrcpy(map.nt_name, grpname); if (!pdb_gid_to_sid(map.gid, &dom_sid)) { return NT_STATUS_UNSUCCESSFUL; } status = pdb_delete_group_mapping_entry(dom_sid); return status; } static int net_sam_unmapunixgroup(int argc, const char **argv) { NTSTATUS status; GROUP_MAP map; struct group *grp; if (argc != 1) { d_fprintf(stderr, "usage: net sam unmapunixgroup <name>\n"); return -1; } grp = getgrnam(argv[0]); if (grp == NULL) { d_fprintf(stderr, "Could not find mapping for group %s.\n", argv[0]); return -1; } status = unmap_unix_group(grp, &map); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Unmapping group %s failed with %s.\n", argv[0], nt_errstr(status)); return -1; } d_printf("Unmapped unix group %s.\n", argv[0]); return 0; } /* * Create a local group */ static int net_sam_createlocalgroup(int argc, const char **argv) { NTSTATUS status; uint32 rid; if (argc != 1) { d_fprintf(stderr, "usage: net sam createlocalgroup <name>\n"); return -1; } if (!winbind_ping()) { d_fprintf(stderr, "winbind seems not to run. createlocalgroup " "only works when winbind runs.\n"); return -1; } status = pdb_create_alias(argv[0], &rid); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Creating %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } d_printf("Created local group %s with RID %d\n", argv[0], rid); return 0; } /* * Delete a local group */ static int net_sam_deletelocalgroup(int argc, const char **argv) { DOM_SID sid; enum lsa_SidType type; const char *dom, *name; NTSTATUS status; if (argc != 1) { d_fprintf(stderr, "usage: net sam deletelocalgroup <name>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find %s.\n", argv[0]); return -1; } if (type != SID_NAME_ALIAS) { d_fprintf(stderr, "%s is a %s, not a local group.\n", argv[0], sid_type_lookup(type)); return -1; } status = pdb_delete_alias(&sid); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Deleting local group %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } d_printf("Deleted local group %s.\n", argv[0]); return 0; } /* * Create a local group */ static int net_sam_createbuiltingroup(int argc, const char **argv) { NTSTATUS status; uint32 rid; enum lsa_SidType type; fstring groupname; DOM_SID sid; if (argc != 1) { d_fprintf(stderr, "usage: net sam createbuiltingroup <name>\n"); return -1; } if (!winbind_ping()) { d_fprintf(stderr, "winbind seems not to run. createlocalgroup " "only works when winbind runs.\n"); return -1; } /* validate the name and get the group */ fstrcpy( groupname, "BUILTIN\\" ); fstrcat( groupname, argv[0] ); if ( !lookup_name(talloc_tos(), groupname, LOOKUP_NAME_ALL, NULL, NULL, &sid, &type)) { d_fprintf(stderr, "%s is not a BUILTIN group\n", argv[0]); return -1; } if ( !sid_peek_rid( &sid, &rid ) ) { d_fprintf(stderr, "Failed to get RID for %s\n", argv[0]); return -1; } status = pdb_create_builtin_alias( rid ); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Creating %s failed with %s\n", argv[0], nt_errstr(status)); return -1; } d_printf("Created BUILTIN group %s with RID %d\n", argv[0], rid); return 0; } /* * Add a group member */ static int net_sam_addmem(int argc, const char **argv) { const char *groupdomain, *groupname, *memberdomain, *membername; DOM_SID group, member; enum lsa_SidType grouptype, membertype; NTSTATUS status; if (argc != 2) { d_fprintf(stderr, "usage: net sam addmem <group> <member>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &groupdomain, &groupname, &group, &grouptype)) { d_fprintf(stderr, "Could not find group %s\n", argv[0]); return -1; } /* check to see if the member to be added is a name or a SID */ if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL, &memberdomain, &membername, &member, &membertype)) { /* try it as a SID */ if ( !string_to_sid( &member, argv[1] ) ) { d_fprintf(stderr, "Could not find member %s\n", argv[1]); return -1; } if ( !lookup_sid(talloc_tos(), &member, &memberdomain, &membername, &membertype) ) { d_fprintf(stderr, "Could not resolve SID %s\n", argv[1]); return -1; } } if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) { if ((membertype != SID_NAME_USER) && (membertype != SID_NAME_DOM_GRP)) { d_fprintf(stderr, "%s is a local group, only users " "and domain groups can be added.\n" "%s is a %s\n", argv[0], argv[1], sid_type_lookup(membertype)); return -1; } status = pdb_add_aliasmem(&group, &member); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Adding local group member failed " "with %s\n", nt_errstr(status)); return -1; } } else { d_fprintf(stderr, "Can only add members to local groups so " "far, %s is a %s\n", argv[0], sid_type_lookup(grouptype)); return -1; } d_printf("Added %s\\%s to %s\\%s\n", memberdomain, membername, groupdomain, groupname); return 0; } /* * Delete a group member */ static int net_sam_delmem(int argc, const char **argv) { const char *groupdomain, *groupname; const char *memberdomain = NULL; const char *membername = NULL; DOM_SID group, member; enum lsa_SidType grouptype; NTSTATUS status; if (argc != 2) { d_fprintf(stderr, "usage: net sam delmem <group> <member>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &groupdomain, &groupname, &group, &grouptype)) { d_fprintf(stderr, "Could not find group %s\n", argv[0]); return -1; } if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL, &memberdomain, &membername, &member, NULL)) { if (!string_to_sid(&member, argv[1])) { d_fprintf(stderr, "Could not find member %s\n", argv[1]); return -1; } } if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) { status = pdb_del_aliasmem(&group, &member); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Deleting local group member failed " "with %s\n", nt_errstr(status)); return -1; } } else { d_fprintf(stderr, "Can only delete members from local groups " "so far, %s is a %s\n", argv[0], sid_type_lookup(grouptype)); return -1; } if (membername != NULL) { d_printf("Deleted %s\\%s from %s\\%s\n", memberdomain, membername, groupdomain, groupname); } else { d_printf("Deleted %s from %s\\%s\n", sid_string_tos(&member), groupdomain, groupname); } return 0; } /* * List group members */ static int net_sam_listmem(int argc, const char **argv) { const char *groupdomain, *groupname; DOM_SID group; enum lsa_SidType grouptype; NTSTATUS status; if (argc != 1) { d_fprintf(stderr, "usage: net sam listmem <group>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &groupdomain, &groupname, &group, &grouptype)) { d_fprintf(stderr, "Could not find group %s\n", argv[0]); return -1; } if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) { DOM_SID *members = NULL; size_t i, num_members = 0; status = pdb_enum_aliasmem(&group, &members, &num_members); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "Listing group members failed with " "%s\n", nt_errstr(status)); return -1; } d_printf("%s\\%s has %u members\n", groupdomain, groupname, (unsigned int)num_members); for (i=0; i<num_members; i++) { const char *dom, *name; if (lookup_sid(talloc_tos(), &members[i], &dom, &name, NULL)) { d_printf(" %s\\%s\n", dom, name); } else { d_printf(" %s\n", sid_string_tos(&members[i])); } } TALLOC_FREE(members); } else { d_fprintf(stderr, "Can only list local group members so far.\n" "%s is a %s\n", argv[0], sid_type_lookup(grouptype)); return -1; } return 0; } /* * Do the listing */ static int net_sam_do_list(int argc, const char **argv, struct pdb_search *search, const char *what) { bool verbose = (argc == 1); if ((argc > 1) || ((argc == 1) && !strequal(argv[0], "verbose"))) { d_fprintf(stderr, "usage: net sam list %s [verbose]\n", what); return -1; } if (search == NULL) { d_fprintf(stderr, "Could not start search\n"); return -1; } while (True) { struct samr_displayentry entry; if (!search->next_entry(search, &entry)) { break; } if (verbose) { d_printf("%s:%d:%s\n", entry.account_name, entry.rid, entry.description); } else { d_printf("%s\n", entry.account_name); } } pdb_search_destroy(search); return 0; } static int net_sam_list_users(int argc, const char **argv) { return net_sam_do_list(argc, argv, pdb_search_users(ACB_NORMAL), "users"); } static int net_sam_list_groups(int argc, const char **argv) { return net_sam_do_list(argc, argv, pdb_search_groups(), "groups"); } static int net_sam_list_localgroups(int argc, const char **argv) { return net_sam_do_list(argc, argv, pdb_search_aliases(get_global_sam_sid()), "localgroups"); } static int net_sam_list_builtin(int argc, const char **argv) { return net_sam_do_list(argc, argv, pdb_search_aliases(&global_sid_Builtin), "builtin"); } static int net_sam_list_workstations(int argc, const char **argv) { return net_sam_do_list(argc, argv, pdb_search_users(ACB_WSTRUST), "workstations"); } /* * List stuff */ static int net_sam_list(int argc, const char **argv) { struct functable2 func[] = { { "users", net_sam_list_users, "List SAM users" }, { "groups", net_sam_list_groups, "List SAM groups" }, { "localgroups", net_sam_list_localgroups, "List SAM local groups" }, { "builtin", net_sam_list_builtin, "List builtin groups" }, { "workstations", net_sam_list_workstations, "List domain member workstations" }, {NULL, NULL} }; return net_run_function2(argc, argv, "net sam list", func); } /* * Show details of SAM entries */ static int net_sam_show(int argc, const char **argv) { DOM_SID sid; enum lsa_SidType type; const char *dom, *name; if (argc != 1) { d_fprintf(stderr, "usage: net sam show <name>\n"); return -1; } if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL, &dom, &name, &sid, &type)) { d_fprintf(stderr, "Could not find name %s\n", argv[0]); return -1; } d_printf("%s\\%s is a %s with SID %s\n", dom, name, sid_type_lookup(type), sid_string_tos(&sid)); return 0; } #ifdef HAVE_LDAP /* * Init an LDAP tree with default users and Groups * if ldapsam:editposix is enabled */ static int net_sam_provision(int argc, const char **argv) { TALLOC_CTX *tc; char *ldap_bk; char *ldap_uri = NULL; char *p; struct smbldap_state *ls; GROUP_MAP gmap; DOM_SID gsid; gid_t domusers_gid = -1; gid_t domadmins_gid = -1; struct samu *samuser; struct passwd *pwd; tc = talloc_new(NULL); if (!tc) { d_fprintf(stderr, "Out of Memory!\n"); return -1; } if ((ldap_bk = talloc_strdup(tc, lp_passdb_backend())) == NULL) { d_fprintf(stderr, "talloc failed\n"); talloc_free(tc); return -1; } p = strchr(ldap_bk, ':'); if (p) { *p = 0; ldap_uri = talloc_strdup(tc, p+1); trim_char(ldap_uri, ' ', ' '); } trim_char(ldap_bk, ' ', ' '); if (strcmp(ldap_bk, "ldapsam") != 0) { d_fprintf(stderr, "Provisioning works only with ldapsam backend\n"); goto failed; } if (!lp_parm_bool(-1, "ldapsam", "trusted", False) || !lp_parm_bool(-1, "ldapsam", "editposix", False)) { d_fprintf(stderr, "Provisioning works only if ldapsam:trusted" " and ldapsam:editposix are enabled.\n"); goto failed; } if (!winbind_ping()) { d_fprintf(stderr, "winbind seems not to run. Provisioning " "LDAP only works when winbind runs.\n"); goto failed; } if (!NT_STATUS_IS_OK(smbldap_init(tc, NULL, ldap_uri, &ls))) { d_fprintf(stderr, "Unable to connect to the LDAP server.\n"); goto failed; } d_printf("Checking for Domain Users group.\n"); sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS); if (!pdb_getgrsid(&gmap, gsid)) { LDAPMod **mods = NULL; char *dn; char *uname; char *wname; char *gidstr; char *gtype; int rc; d_printf("Adding the Domain Users group.\n"); /* lets allocate a new groupid for this group */ if (!winbind_allocate_gid(&domusers_gid)) { d_fprintf(stderr, "Unable to allocate a new gid to create Domain Users group!\n"); goto domu_done; } uname = talloc_strdup(tc, "domusers"); wname = talloc_strdup(tc, "Domain Users"); dn = talloc_asprintf(tc, "cn=%s,%s", "domusers", lp_ldap_group_suffix()); gidstr = talloc_asprintf(tc, "%d", domusers_gid); gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP); if (!uname || !wname || !dn || !gidstr || !gtype) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP); smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname); smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname); smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_talloc(tc, &gsid)); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype); talloc_autofree_ldapmod(tc, mods); rc = smbldap_add(ls, dn, mods); if (rc != LDAP_SUCCESS) { d_fprintf(stderr, "Failed to add Domain Users group to ldap directory\n"); } } else { domusers_gid = gmap.gid; d_printf("found!\n"); } domu_done: d_printf("Checking for Domain Admins group.\n"); sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS); if (!pdb_getgrsid(&gmap, gsid)) { LDAPMod **mods = NULL; char *dn; char *uname; char *wname; char *gidstr; char *gtype; int rc; d_printf("Adding the Domain Admins group.\n"); /* lets allocate a new groupid for this group */ if (!winbind_allocate_gid(&domadmins_gid)) { d_fprintf(stderr, "Unable to allocate a new gid to create Domain Admins group!\n"); goto doma_done; } uname = talloc_strdup(tc, "domadmins"); wname = talloc_strdup(tc, "Domain Admins"); dn = talloc_asprintf(tc, "cn=%s,%s", "domadmins", lp_ldap_group_suffix()); gidstr = talloc_asprintf(tc, "%d", domadmins_gid); gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP); if (!uname || !wname || !dn || !gidstr || !gtype) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP); smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname); smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname); smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_talloc(tc, &gsid)); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype); talloc_autofree_ldapmod(tc, mods); rc = smbldap_add(ls, dn, mods); if (rc != LDAP_SUCCESS) { d_fprintf(stderr, "Failed to add Domain Admins group to ldap directory\n"); } } else { domadmins_gid = gmap.gid; d_printf("found!\n"); } doma_done: d_printf("Check for Administrator account.\n"); samuser = samu_new(tc); if (!samuser) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } if (!pdb_getsampwnam(samuser, "Administrator")) { LDAPMod **mods = NULL; DOM_SID sid; char *dn; char *name; char *uidstr; char *gidstr; char *shell; char *dir; uid_t uid; int rc; d_printf("Adding the Administrator user.\n"); if (domadmins_gid == -1) { d_fprintf(stderr, "Can't create Administrator user, Domain Admins group not available!\n"); goto done; } if (!winbind_allocate_uid(&uid)) { d_fprintf(stderr, "Unable to allocate a new uid to create the Administrator user!\n"); goto done; } name = talloc_strdup(tc, "Administrator"); dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix()); uidstr = talloc_asprintf(tc, "%d", uid); gidstr = talloc_asprintf(tc, "%d", domadmins_gid); dir = talloc_sub_specified(tc, lp_template_homedir(), "Administrator", get_global_sam_name(), uid, domadmins_gid); shell = talloc_sub_specified(tc, lp_template_shell(), "Administrator", get_global_sam_name(), uid, domadmins_gid); if (!name || !dn || !uidstr || !gidstr || !dir || !shell) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT); smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name); smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name); smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name); smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr); smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", dir); smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_talloc(tc, &sid)); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags", pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED, NEW_PW_FORMAT_SPACE_PADDED_LEN)); talloc_autofree_ldapmod(tc, mods); rc = smbldap_add(ls, dn, mods); if (rc != LDAP_SUCCESS) { d_fprintf(stderr, "Failed to add Administrator user to ldap directory\n"); } } else { d_printf("found!\n"); } d_printf("Checking for Guest user.\n"); samuser = samu_new(tc); if (!samuser) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } if (!pdb_getsampwnam(samuser, lp_guestaccount())) { LDAPMod **mods = NULL; DOM_SID sid; char *dn; char *uidstr; char *gidstr; int rc; d_printf("Adding the Guest user.\n"); pwd = getpwnam_alloc(tc, lp_guestaccount()); if (!pwd) { if (domusers_gid == -1) { d_fprintf(stderr, "Can't create Guest user, Domain Users group not available!\n"); goto done; } if ((pwd = talloc(tc, struct passwd)) == NULL) { d_fprintf(stderr, "talloc failed\n"); goto done; } pwd->pw_name = talloc_strdup(pwd, lp_guestaccount()); if (!winbind_allocate_uid(&(pwd->pw_uid))) { d_fprintf(stderr, "Unable to allocate a new uid to create the Guest user!\n"); goto done; } pwd->pw_gid = domusers_gid; pwd->pw_dir = talloc_strdup(tc, "/"); pwd->pw_shell = talloc_strdup(tc, "/bin/false"); if (!pwd->pw_dir || !pwd->pw_shell) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } } sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST); dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ()); uidstr = talloc_asprintf(tc, "%d", pwd->pw_uid); gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid); if (!dn || !uidstr || !gidstr) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT); smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name); smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name); smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name); smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr); smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); if ((pwd->pw_dir != NULL) && (pwd->pw_dir[0] != '\0')) { smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", pwd->pw_dir); } if ((pwd->pw_shell != NULL) && (pwd->pw_shell[0] != '\0')) { smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", pwd->pw_shell); } smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSID", sid_string_talloc(tc, &sid)); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaAcctFlags", pdb_encode_acct_ctrl(ACB_NORMAL|ACB_DISABLED, NEW_PW_FORMAT_SPACE_PADDED_LEN)); talloc_autofree_ldapmod(tc, mods); rc = smbldap_add(ls, dn, mods); if (rc != LDAP_SUCCESS) { d_fprintf(stderr, "Failed to add Guest user to ldap directory\n"); } } else { d_printf("found!\n"); } d_printf("Checking Guest's group.\n"); pwd = getpwnam_alloc(NULL, lp_guestaccount()); if (!pwd) { d_fprintf(stderr, "Failed to find just created Guest account!\n" " Is nss properly configured?!\n"); goto failed; } if (pwd->pw_gid == domusers_gid) { d_printf("found!\n"); goto done; } if (!pdb_getgrgid(&gmap, pwd->pw_gid)) { LDAPMod **mods = NULL; char *dn; char *uname; char *wname; char *gidstr; char *gtype; int rc; d_printf("Adding the Domain Guests group.\n"); uname = talloc_strdup(tc, "domguests"); wname = talloc_strdup(tc, "Domain Guests"); dn = talloc_asprintf(tc, "cn=%s,%s", "domguests", lp_ldap_group_suffix()); gidstr = talloc_asprintf(tc, "%d", pwd->pw_gid); gtype = talloc_asprintf(tc, "%d", SID_NAME_DOM_GRP); if (!uname || !wname || !dn || !gidstr || !gtype) { d_fprintf(stderr, "Out of Memory!\n"); goto failed; } sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP); smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname); smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname); smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", sid_string_talloc(tc, &gsid)); smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", gtype); talloc_autofree_ldapmod(tc, mods); rc = smbldap_add(ls, dn, mods); if (rc != LDAP_SUCCESS) { d_fprintf(stderr, "Failed to add Domain Guests group to ldap directory\n"); } } else { d_printf("found!\n"); } done: talloc_free(tc); return 0; failed: talloc_free(tc); return -1; } #endif /*********************************************************** migrated functionality from smbgroupedit **********************************************************/ int net_sam(int argc, const char **argv) { struct functable2 func[] = { { "createbuiltingroup", net_sam_createbuiltingroup, "Create a new BUILTIN group" }, { "createlocalgroup", net_sam_createlocalgroup, "Create a new local group" }, { "deletelocalgroup", net_sam_deletelocalgroup, "Delete an existing local group" }, { "mapunixgroup", net_sam_mapunixgroup, "Map a unix group to a domain group" }, { "unmapunixgroup", net_sam_unmapunixgroup, "Remove a group mapping of an unix group to a domain group" }, { "addmem", net_sam_addmem, "Add a member to a group" }, { "delmem", net_sam_delmem, "Delete a member from a group" }, { "listmem", net_sam_listmem, "List group members" }, { "list", net_sam_list, "List users, groups and local groups" }, { "show", net_sam_show, "Show details of a SAM entry" }, { "set", net_sam_set, "Set details of a SAM account" }, { "policy", net_sam_policy, "Set account policies" }, { "rights", net_sam_rights, "Manipulate user privileges" }, #ifdef HAVE_LDAP { "provision", net_sam_provision, "Provision a clean User Database" }, #endif { NULL, NULL, NULL } }; if (getuid() != 0) { d_fprintf(stderr, "You are not root, most things won't " "work\n"); } return net_run_function2(argc, argv, "net sam", func); }