/*
Samba Unix/Linux SMB client library
Distributed SMB/CIFS Server Management Utility
Copyright (C) 2001 Steve French (sfrench@us.ibm.com)
Copyright (C) 2001 Jim McDonough (jmcd@us.ibm.com)
Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
Copyright (C) 2008 Kai Blin (kai@samba.org)
Originally written by Steve and Jim. Largely rewritten by tridge in
November 2001.
Reworked again by abartlet in December 2001
Another overhaul, moving functionality into plug-ins loaded on demand by Kai
in May 2008.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
/*****************************************************/
/* */
/* Distributed SMB/CIFS Server Management Utility */
/* */
/* The intent was to make the syntax similar */
/* to the NET utility (first developed in DOS */
/* with additional interesting & useful functions */
/* added in later SMB server network operating */
/* systems). */
/* */
/*****************************************************/
#include "includes.h"
#include "lib/cmdline/cmdline.h"
#include "utils/net.h"
#include "secrets.h"
#include "lib/netapi/netapi.h"
#include "../libcli/security/security.h"
#include "passdb.h"
#include "messages.h"
#include "cmdline_contexts.h"
#include "lib/gencache.h"
#include "auth/credentials/credentials.h"
#include "source3/utils/passwd_proto.h"
#include "auth/gensec/gensec.h"
#include "lib/param/param.h"
#include "lib/krb5_wrap/krb5_samba.h"
#ifdef WITH_FAKE_KASERVER
#include "utils/net_afs.h"
#endif
/***********************************************************************/
/* end of internationalization section */
/***********************************************************************/
/*
 * Translate a secure-channel type name given on the command line into the
 * corresponding netr_SchannelType value.
 *
 * A NULL or empty name, and any name that is not recognised, falls back to
 * get_default_sec_channel().  Both "PDC" and "BDC" map to SEC_CHAN_BDC and
 * "MEMBER" maps to SEC_CHAN_WKSTA; names are compared with strequal().
 * (A "DOMAIN" -> SEC_CHAN_DOMAIN mapping was compiled out in the original
 * and is therefore not offered here either.)
 */
enum netr_SchannelType get_sec_channel_type(const char *param)
{
	static const struct {
		const char *name;
		enum netr_SchannelType type;
	} table[] = {
		{ "PDC",    SEC_CHAN_BDC },
		{ "BDC",    SEC_CHAN_BDC },
		{ "MEMBER", SEC_CHAN_WKSTA },
	};
	size_t i;

	if (param == NULL || *param == '\0') {
		return get_default_sec_channel();
	}

	for (i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
		if (strequal(param, table[i].name)) {
			return table[i].type;
		}
	}

	return get_default_sec_channel();
}
/*
 * 'net changetrustpw': change the machine trust account password.
 *
 * Warns about member options first, then dispatches to the ADS
 * implementation when net_ads_check_our_domain() reports 0, and to the
 * RPC implementation otherwise.
 *
 * @param c    net context passed through to the selected implementation.
 * @param argc Standard argc, passed through.
 * @param argv Standard argv, passed through.
 * @return Whatever the selected implementation returns.
 */
static int net_changetrustpw(struct net_context *c, int argc, const char **argv)
{
	int rc;

	net_warn_member_options();

	if (net_ads_check_our_domain(c) == 0) {
		rc = net_ads_changetrustpw(c, argc, argv);
	} else {
		rc = net_rpc_changetrustpw(c, argc, argv);
	}

	return rc;
}
/*
 * Switch a stdio stream to line buffering (setvbuf with _IOLBF and a
 * library-allocated buffer).  The setvbuf() result is deliberately not
 * checked: callers use this as a best-effort tweak before interactive I/O.
 *
 * @param f Stream to reconfigure; must be open and not yet used for I/O,
 *          as setvbuf() requires.
 */
static void set_line_buffering(FILE *f)
{
	(void)setvbuf(f, NULL, _IOLBF, 0);
}
/*
 * 'net primarytrust dumpinfo': print the workstation trust details held
 * in the secrets database for the local workgroup.
 *
 * Any server role at or above ROLE_ACTIVE_DIRECTORY_DC is rejected.  The
 * password values are only included in the output when -f (opt_force) was
 * given; without it a reminder to that effect is printed after the info.
 *
 * @param c    net context; opt_force and opt_stdin are consulted.
 * @param argc Unused.
 * @param argv Unused.
 * @return 0 on success, 1 on any failure.
 */
static int net_primarytrust_dumpinfo(struct net_context *c, int argc,
				     const char **argv)
{
	const int role = lp_server_role();
	const char *workgroup = lp_workgroup();
	const bool with_secrets = c->opt_force;
	struct secrets_domain_info1 *info = NULL;
	char *text = NULL;
	NTSTATUS status;

	if (role >= ROLE_ACTIVE_DIRECTORY_DC) {
		d_printf(_("net primarytrust dumpinfo is only supported "
			   "on a DOMAIN_MEMBER for now.\n"));
		return 1;
	}

	net_warn_member_options();

	/* When driven via stdin, make all three standard streams line buffered. */
	if (c->opt_stdin) {
		set_line_buffering(stdin);
		set_line_buffering(stdout);
		set_line_buffering(stderr);
	}

	status = secrets_fetch_or_upgrade_domain_info(workgroup,
						      talloc_tos(),
						      &info);
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr,
			  _("Unable to fetch the information for domain[%s] "
			    "in the secrets database.\n"),
			  workgroup);
		return 1;
	}

	/* The string is allocated as a child of info, so freeing info frees it. */
	text = secrets_domain_info_string(info, info, workgroup, with_secrets);
	if (text == NULL) {
		d_fprintf(stderr, "secrets_domain_info_string() failed.\n");
		return 1;
	}

	d_printf("%s", text);

	if (!with_secrets) {
		d_printf(_("The password values are only included using "
			   "-f flag.\n"));
	}

	TALLOC_FREE(info);
	return 0;
}
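/**
 * Entrypoint for 'net primarytrust' code.
 *
 * Dispatches to the subcommand table via net_run_function(); currently
 * the only subcommand is "dumpinfo" (local transport only).
 *
 * @param c    net context passed through to the subcommand.
 * @param argc Standard argc.
 * @param argv Standard argv without initial components.
 *
 * @return Integer status (0 means success).
 */
static int net_primarytrust(struct net_context *c, int argc, const char **argv)
{
	struct functable func[] = {
		{
			.funcname = "dumpinfo",
			.fn = net_primarytrust_dumpinfo,
			.valid_transports = NET_TRANSPORT_LOCAL,
			.description = N_("Dump the details of the "
					  "workstation trust"),
			/* Usage text: the stray apostrophe after "dumpinfo" was dropped. */
			.usage = N_(" net [options] primarytrust "
				    "dumpinfo\n"
				    " Dump the details of the "
				    "workstation trust in "
				    "secrets.tdb.\n"
				    " Requires the -f flag to "
				    "include the password values."),
		},
		{
			.funcname = NULL,
		},
	};

	return net_run_function(c, argc, argv, "net primarytrust", func);
}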
static int net_changesecretpw(struct net_context *c, int argc,
const char **argv)
{
char *trust_pw;
int role = lp_server_role();
if (role != ROLE_DOMAIN_MEMBER) {
d_printf(_("Machine account password change only supported on a DOMAIN_MEMBER.\n"
"Do NOT use this function unless you know what it does!\n"
"This function will change the ADS Domain member "
"machine account password in the secrets.tdb file!\n"));
return 1;
}
net_warn_member_options();
if(c->opt_force) {
struct secrets_domain_info1 *info = NULL;
struct secrets_domain_info1_change *prev = NULL;
NTSTATUS status;
struct timeval tv = timeval_current();
NTTIME now = timeval_to_nttime(&tv);
#ifdef HAVE_ADS
if (USE_KERBEROS_KEYTAB) {
if (lp_sync_machine_password_to_keytab() == NULL) {
lp_do_parameter(-1, "sync machine password to keytab", "disabled");
}
}
#endif
if (c->opt_stdin) {
set_line_buffering(stdin);
set_line_buffering(stdout);
set_line_buffering(stderr);
}
trust_pw = get_pass(_("Enter machine password: "), c->opt_stdin);
if (trust_pw == NULL) {
d_fprintf(stderr,
_("Error in reading machine password\n"));
return 1;
}
status = secrets_prepare_password_change(lp_workgroup(),
"localhost",
trust_pw,
talloc_tos(),
&info,
&prev,
#ifdef HAVE_ADS
sync_pw2keytabs,
#else
NULL,
#endif
c->opt_host);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr,
_("Unable to write the machine account password in the secrets database"));
return 1;
}
if (prev != NULL) {
d_fprintf(stderr,
_("Pending machine account password change found - aborting."));
status = secrets_failed_password_c
|