1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. 24 * Copyright 2022 RackTop Systems, Inc. 25 */ 26 27 /* 28 * This module contains smbadm CLI which offers smb configuration 29 * functionalities. 30 */ 31 #include <errno.h> 32 #include <err.h> 33 #include <ctype.h> 34 #include <stdlib.h> 35 #include <unistd.h> 36 #include <stdio.h> 37 #include <syslog.h> 38 #include <strings.h> 39 #include <limits.h> 40 #include <getopt.h> 41 #include <libintl.h> 42 #include <zone.h> 43 #include <pwd.h> 44 #include <grp.h> 45 #include <libgen.h> 46 #include <netinet/in.h> 47 #include <auth_attr.h> 48 #include <locale.h> 49 #include <smbsrv/libsmb.h> 50 #include <smbsrv/libsmbns.h> 51 52 #if !defined(TEXT_DOMAIN) 53 #define TEXT_DOMAIN "SYS_TEST" 54 #endif 55 56 typedef enum { 57 HELP_ADD_MEMBER, 58 HELP_CREATE, 59 HELP_DELETE, 60 HELP_DEL_MEMBER, 61 HELP_GET, 62 HELP_JOIN, 63 HELP_LIST, 64 HELP_LOOKUP, 65 HELP_RENAME, 66 HELP_SET, 67 HELP_SHOW, 68 HELP_USER_DISABLE, 69 HELP_USER_ENABLE, 70 HELP_USER_DELETE 71 } smbadm_help_t; 72 73 #define SMBADM_CMDF_NONE 0x00 74 #define SMBADM_CMDF_USER 0x01 75 #define SMBADM_CMDF_GROUP 0x02 76 #define SMBADM_CMDF_TYPEMASK 0x0F 77 78 typedef enum { 79 SMBADM_GRP_ADDMEMBER = 0, 80 SMBADM_GRP_DELMEMBER, 81 } smbadm_grp_action_t; 82 83 #define SMBADM_ANSBUFSIZ 64 84 85 typedef struct smbadm_cmdinfo { 86 char *name; 87 int (*func)(int, char **); 88 smbadm_help_t usage; 89 uint32_t flags; 90 char *auth; 91 } smbadm_cmdinfo_t; 92 93 smbadm_cmdinfo_t *curcmd; 94 static char *progname; 95 96 #define SMBADM_ACTION_AUTH "solaris.smf.manage.smb" 97 #define SMBADM_VALUE_AUTH "solaris.smf.value.smb" 98 #define SMBADM_BASIC_AUTH "solaris.network.hosts.read" 99 100 static boolean_t smbadm_checkauth(const char *); 101 102 static void smbadm_usage(boolean_t); 103 static int smbadm_join_workgroup(const char *, boolean_t); 104 static int smbadm_join_domain(const char *, const char *, 105 const char *, boolean_t); 106 static void smbadm_extract_domain(char *, char **, char **); 107 static void smbadm_update_groups(smbadm_grp_action_t); 108 109 static int smbadm_join(int, char **); 110 static int smbadm_list(int, char **); 111 static int smbadm_lookup(int, char **); 112 static void smbadm_lookup_name(char *); 113 static void smbadm_lookup_sid(char *); 114 static int smbadm_group_create(int, char **); 115 static int smbadm_group_delete(int, char **); 116 static int smbadm_group_rename(int, char **); 117 static int smbadm_group_show(int, char **); 118 static void smbadm_group_show_name(const char *, const char *); 119 static int smbadm_group_getprop(int, char **); 120 static int smbadm_group_setprop(int, char **); 121 static int smbadm_group_addmember(int, char **); 122 static int smbadm_group_delmember(int, char **); 123 static int smbadm_group_add_del_member(char *, char *, smbadm_grp_action_t); 124 125 static int smbadm_user_delete(int, char **); 126 static int smbadm_user_disable(int, char **); 127 static int smbadm_user_enable(int, char **); 128 129 /* Please keep the order consistent with smbadm(8) man page */ 130 static smbadm_cmdinfo_t smbadm_cmdtable[] = 131 { 132 { "create", smbadm_group_create, HELP_CREATE, 133 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 134 { "delete", smbadm_group_delete, HELP_DELETE, 135 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 136 { "rename", smbadm_group_rename, HELP_RENAME, 137 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 138 { "show", smbadm_group_show, HELP_SHOW, 139 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 140 { "get", smbadm_group_getprop, HELP_GET, 141 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 142 { "set", smbadm_group_setprop, HELP_SET, 143 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 144 { "add-member", smbadm_group_addmember, HELP_ADD_MEMBER, 145 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 146 { "remove-member", smbadm_group_delmember, HELP_DEL_MEMBER, 147 SMBADM_CMDF_GROUP, SMBADM_ACTION_AUTH }, 148 { "delete-user", smbadm_user_delete, HELP_USER_DELETE, 149 SMBADM_CMDF_USER, SMBADM_ACTION_AUTH }, 150 { "disable-user", smbadm_user_disable, HELP_USER_DISABLE, 151 SMBADM_CMDF_USER, SMBADM_ACTION_AUTH }, 152 { "enable-user", smbadm_user_enable, HELP_USER_ENABLE, 153 SMBADM_CMDF_USER, SMBADM_ACTION_AUTH }, 154 { "join", smbadm_join, HELP_JOIN, 155 SMBADM_CMDF_GROUP, SMBADM_VALUE_AUTH }, 156 { "list", smbadm_list, HELP_LIST, 157 SMBADM_CMDF_NONE, SMBADM_BASIC_AUTH }, 158 { "lookup", smbadm_lookup, HELP_LOOKUP, 159 SMBADM_CMDF_NONE, SMBADM_BASIC_AUTH }, 160 }; 161 162 #define SMBADM_NCMD (sizeof (smbadm_cmdtable) / sizeof (smbadm_cmdtable[0])) 163 164 typedef struct smbadm_prop { 165 char *p_name; 166 char *p_value; 167 } smbadm_prop_t; 168 169 typedef struct smbadm_prop_handle { 170 char *p_name; 171 char *p_dispvalue; 172 int (*p_setfn)(char *, smbadm_prop_t *); 173 int (*p_getfn)(char *, smbadm_prop_t *); 174 boolean_t (*p_chkfn)(smbadm_prop_t *); 175 } smbadm_prop_handle_t; 176 177 static boolean_t smbadm_prop_validate(smbadm_prop_t *prop, boolean_t chkval); 178 static int smbadm_prop_parse(char *arg, smbadm_prop_t *prop); 179 static smbadm_prop_handle_t *smbadm_prop_gethandle(char *pname); 180 181 static boolean_t smbadm_chkprop_priv(smbadm_prop_t *prop); 182 static int smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop); 183 static int smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop); 184 static int smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop); 185 static int smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop); 186 static int smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop); 187 static int smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop); 188 static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop); 189 static int smbadm_getprop_backup(char *gname, smbadm_prop_t *prop); 190 static int smbadm_setprop_restore(char *gname, smbadm_prop_t *prop); 191 static int smbadm_getprop_restore(char *gname, smbadm_prop_t *prop); 192 static int smbadm_setprop_desc(char *gname, smbadm_prop_t *prop); 193 static int smbadm_getprop_desc(char *gname, smbadm_prop_t *prop); 194 195 static smbadm_prop_handle_t smbadm_ptable[] = { 196 {"backup", "on|off", smbadm_setprop_backup, 197 smbadm_getprop_backup, smbadm_chkprop_priv }, 198 {"restore", "on|off", smbadm_setprop_restore, 199 smbadm_getprop_restore, smbadm_chkprop_priv }, 200 {"take-ownership", "on|off", smbadm_setprop_tkowner, 201 smbadm_getprop_tkowner, smbadm_chkprop_priv }, 202 {"bypass-read", "on|off", smbadm_setprop_readfile, 203 smbadm_getprop_readfile, smbadm_chkprop_priv }, 204 {"bypass-write", "on|off", smbadm_setprop_writefile, 205 smbadm_getprop_writefile, smbadm_chkprop_priv }, 206 {"description", "<string>", smbadm_setprop_desc, 207 smbadm_getprop_desc, NULL }, 208 }; 209 210 static int smbadm_init(void); 211 static void smbadm_fini(void); 212 static const char *smbadm_pwd_strerror(int error); 213 214 /* 215 * Number of supported properties 216 */ 217 #define SMBADM_NPROP (sizeof (smbadm_ptable) / sizeof (smbadm_ptable[0])) 218 219 static void 220 smbadm_cmdusage(FILE *fp, smbadm_cmdinfo_t *cmd) 221 { 222 switch (cmd->usage) { 223 case HELP_ADD_MEMBER: 224 (void) fprintf(fp, 225 gettext("\t%s -m <member> [-m <member>]... <group>\n"), 226 cmd->name); 227 return; 228 229 case HELP_CREATE: 230 (void) fprintf(fp, gettext("\t%s [-d <description>] <group>\n"), 231 cmd->name); 232 return; 233 234 case HELP_DELETE: 235 (void) fprintf(fp, gettext("\t%s <group>\n"), cmd->name); 236 return; 237 238 case HELP_USER_DELETE: 239 case HELP_USER_DISABLE: 240 case HELP_USER_ENABLE: 241 (void) fprintf(fp, gettext("\t%s <username>\n"), cmd->name); 242 return; 243 244 case HELP_GET: 245 (void) fprintf(fp, gettext("\t%s [-p <property>]... <group>\n"), 246 cmd->name); 247 return; 248 249 case HELP_JOIN: 250 #if 0 /* Don't document "-p" yet, still needs work (NEX-11960) */ 251 (void) fprintf(fp, gettext("\t%s [-y] -p <domain>\n" 252 "\t%s [-y] [-c container] -u <username domain>\n" 253 "\t%s [-y] -w <workgroup>\n"), 254 cmd->name, cmd->name, cmd->name); 255 #else 256 (void) fprintf(fp, gettext( 257 "\t%s [-y] [-c container] -u <username> <domain>\n" 258 "\t%s [-y] -w <workgroup>\n"), cmd->name, cmd->name); 259 #endif 260 return; 261 262 case HELP_LIST: 263 (void) fprintf(fp, gettext("\t%s\n"), cmd->name); 264 return; 265 266 case HELP_LOOKUP: 267 (void) fprintf(fp, 268 gettext("\t%s <account-name>\n"), 269 cmd->name); 270 return; 271 272 case HELP_DEL_MEMBER: 273 (void) fprintf(fp, 274 gettext("\t%s -m <member> [-m <member>]... <group>\n"), 275 cmd->name); 276 return; 277 278 case HELP_RENAME: 279 (void) fprintf(fp, gettext("\t%s <group> <new-group>\n"), 280 cmd->name); 281 return; 282 283 case HELP_SET: 284 (void) fprintf(fp, gettext("\t%s -p <property>=<value> " 285 "[-p <property>=<value>]... <group>\n"), cmd->name); 286 return; 287 288 case HELP_SHOW: 289 (void) fprintf(fp, gettext("\t%s [-mp] [<group>]\n"), 290 cmd->name); 291 return; 292 293 default: 294 break; 295 } 296 297 abort(); 298 /* NOTREACHED */ 299 } 300 301 static void 302 smbadm_usage(boolean_t requested) 303 { 304 FILE *fp = requested ? stdout : stderr; 305 boolean_t show_props = B_FALSE; 306 int i; 307 308 if (curcmd == NULL) { 309 (void) fprintf(fp, 310 gettext("usage: %s <subcommand> <args> ...\n"), 311 progname); 312 313 for (i = 0; i < SMBADM_NCMD; i++) 314 smbadm_cmdusage(fp, &smbadm_cmdtable[i]); 315 316 (void) fprintf(fp, 317 gettext("\nFor property list, run %s %s|%s\n"), 318 progname, "get", "set"); 319 320 exit(requested ? 0 : 2); 321 } 322 323 (void) fprintf(fp, gettext("usage:\n")); 324 smbadm_cmdusage(fp, curcmd); 325 326 if (strcmp(curcmd->name, "get") == 0 || 327 strcmp(curcmd->name, "set") == 0) 328 show_props = B_TRUE; 329 330 if (show_props) { 331 (void) fprintf(fp, 332 gettext("\nThe following properties are supported:\n")); 333 334 (void) fprintf(fp, "\n\t%-16s %s\n\n", 335 "PROPERTY", "VALUES"); 336 337 for (i = 0; i < SMBADM_NPROP; i++) { 338 (void) fprintf(fp, "\t%-16s %s\n", 339 smbadm_ptable[i].p_name, 340 smbadm_ptable[i].p_dispvalue); 341 } 342 } 343 344 exit(requested ? 0 : 2); 345 } 346 347 /* 348 * smbadm_strcasecmplist 349 * 350 * Find a string 's' within a list of strings. 351 * 352 * Returns the index of the matching string or -1 if there is no match. 353 */ 354 static int 355 smbadm_strcasecmplist(const char *s, ...) 356 { 357 va_list ap; 358 char *p; 359 int ndx; 360 361 va_start(ap, s); 362 363 for (ndx = 0; ((p = va_arg(ap, char *)) != NULL); ++ndx) { 364 if (strcasecmp(s, p) == 0) { 365 va_end(ap); 366 return (ndx); 367 } 368 } 369 370 va_end(ap); 371 return (-1); 372 } 373 374 /* 375 * smbadm_answer_prompt 376 * 377 * Prompt for the answer to a question. A default response must be 378 * specified, which will be used if the user presses <enter> without 379 * answering the question. 380 */ 381 static int 382 smbadm_answer_prompt(const char *prompt, char *answer, const char *dflt) 383 { 384 char buf[SMBADM_ANSBUFSIZ]; 385 char *p; 386 387 (void) printf(gettext("%s [%s]: "), prompt, dflt); 388 389 if (fgets(buf, SMBADM_ANSBUFSIZ, stdin) == NULL) 390 return (-1); 391 392 if ((p = strchr(buf, '\n')) != NULL) 393 *p = '\0'; 394 395 if (*buf == '\0') 396 (void) strlcpy(answer, dflt, SMBADM_ANSBUFSIZ); 397 else 398 (void) strlcpy(answer, buf, SMBADM_ANSBUFSIZ); 399 400 return (0); 401 } 402 403 /* 404 * smbadm_confirm 405 * 406 * Ask a question that requires a yes/no answer. 407 * A default response must be specified. 408 */ 409 static boolean_t 410 smbadm_confirm(const char *prompt, const char *dflt) 411 { 412 char buf[SMBADM_ANSBUFSIZ]; 413 414 for (;;) { 415 if (smbadm_answer_prompt(prompt, buf, dflt) < 0) 416 return (B_FALSE); 417 418 if (smbadm_strcasecmplist(buf, "n", "no", 0) >= 0) 419 return (B_FALSE); 420 421 if (smbadm_strcasecmplist(buf, "y", "yes", 0) >= 0) 422 return (B_TRUE); 423 424 (void) printf(gettext("Please answer yes or no.\n")); 425 } 426 } 427 428 static boolean_t 429 smbadm_join_confirm(const char *domain) 430 { 431 (void) printf(gettext("After joining %s the smb service will be " 432 "restarted automatically.\n"), domain); 433 434 return (smbadm_confirm("Would you like to continue?", "no")); 435 } 436 437 static void 438 smbadm_restart_service(void) 439 { 440 if (smb_smf_restart_service() != 0) { 441 (void) fprintf(stderr, 442 gettext("Unable to restart smb service. " 443 "Run 'svcs -xv smb/server' for more information.")); 444 } 445 } 446 447 /* 448 * smbadm_join 449 * 450 * Join a domain or workgroup. 451 * 452 * When joining a domain, we may receive the username, password and 453 * domain name in any of the following combinations. Note that the 454 * password is optional on the command line: if it is not provided, 455 * we will prompt for it later. 456 * 457 * username+password domain 458 * domain\username+password 459 * domain/username+password 460 * username@domain 461 * 462 * We allow domain\name+password or domain/name+password but not 463 * name+password@domain because @ is a valid password character. 464 * 465 * If the username and domain name are passed as separate command 466 * line arguments, we process them directly. Otherwise we separate 467 * them and continue as if they were separate command line arguments. 468 */ 469 static int 470 smbadm_join(int argc, char **argv) 471 { 472 char buf[MAXHOSTNAMELEN * 2]; 473 char *domain = NULL; 474 char *username = NULL; 475 char *container = NULL; 476 uint32_t mode = 0; 477 boolean_t confirm = B_TRUE; 478 char option; 479 480 while ((option = getopt(argc, argv, "c:pu:wy")) != -1) { 481 if (mode != 0) { 482 (void) fprintf(stderr, gettext( 483 "join options are mutually exclusive\n")); 484 smbadm_usage(B_FALSE); 485 } 486 switch (option) { 487 case 'c': 488 container = optarg; 489 break; 490 case 'p': 491 mode = SMB_SECMODE_DOMAIN; 492 /* leave username = NULL */ 493 break; 494 495 case 'u': 496 mode = SMB_SECMODE_DOMAIN; 497 username = optarg; 498 break; 499 500 case 'w': 501 mode = SMB_SECMODE_WORKGRP; 502 break; 503 504 case 'y': 505 confirm = B_FALSE; 506 break; 507 508 default: 509 smbadm_usage(B_FALSE); 510 break; 511 } 512 } 513 514 if (optind < argc) 515 domain = argv[optind]; 516 517 if (username != NULL && domain == NULL) { 518 /* 519 * The domain was not specified as a separate 520 * argument, check for the combination forms. 521 */ 522 (void) strlcpy(buf, username, sizeof (buf)); 523 smbadm_extract_domain(buf, &username, &domain); 524 } 525 526 if ((domain == NULL) || (*domain == '\0')) { 527 (void) fprintf(stderr, gettext("missing %s name\n"), 528 (mode == SMB_SECMODE_WORKGRP) ? "workgroup" : "domain"); 529 smbadm_usage(B_FALSE); 530 } 531 532 if (mode == SMB_SECMODE_WORKGRP) { 533 return (smbadm_join_workgroup(domain, confirm)); 534 } 535 return (smbadm_join_domain(domain, container, username, confirm)); 536 } 537 538 /* 539 * Workgroups comprise a collection of standalone, independently administered 540 * computers that use a common workgroup name. This is a peer-to-peer model 541 * with no formal membership mechanism. 542 */ 543 static int 544 smbadm_join_workgroup(const char *workgroup, boolean_t confirm) 545 { 546 smb_joininfo_t jdi; 547 smb_joinres_t jdres; 548 uint32_t status; 549 550 bzero(&jdres, sizeof (jdres)); 551 bzero(&jdi, sizeof (jdi)); 552 jdi.mode = SMB_SECMODE_WORKGRP; 553 (void) strlcpy(jdi.domain_name, workgroup, sizeof (jdi.domain_name)); 554 (void) strtrim(jdi.domain_name, " \t\n"); 555 556 if (smb_name_validate_workgroup(jdi.domain_name) != ERROR_SUCCESS) { 557 (void) fprintf(stderr, gettext("workgroup name is invalid\n")); 558 smbadm_usage(B_FALSE); 559 } 560 561 if (confirm && !smbadm_join_confirm(jdi.domain_name)) 562 return (0); 563 564 smbadm_update_groups(SMBADM_GRP_DELMEMBER); // before "un-join" 565 if ((status = smb_join(&jdi, &jdres)) != NT_STATUS_SUCCESS) { 566 (void) fprintf(stderr, gettext("failed to join %s: %s\n"), 567 jdi.domain_name, xlate_nt_status(status)); 568 return (1); 569 } 570 571 (void) printf(gettext("Successfully joined %s\n"), jdi.domain_name); 572 smbadm_restart_service(); 573 return (0); 574 } 575 576 /* 577 * Domains comprise a centrally administered group of computers and accounts 578 * that share a common security and administration policy and database. 579 * Computers must join a domain and become domain members, which requires 580 * an administrator level account name. 581 * 582 * The '+' character is invalid within a username. We allow the password 583 * to be appended to the username using '+' as a scripting convenience. 584 * See details above smbadm_join() 585 */ 586 static int 587 smbadm_join_domain(const char *domain, const char *container, 588 const char *username, boolean_t confirm) 589 { 590 smb_joininfo_t jdi; 591 smb_joinres_t jdres; 592 char *passwd_prompt; 593 char *p; 594 int len, rc; 595 596 bzero(&jdres, sizeof (jdres)); 597 bzero(&jdi, sizeof (jdi)); 598 jdi.mode = SMB_SECMODE_DOMAIN; 599 (void) strlcpy(jdi.domain_name, domain, sizeof (jdi.domain_name)); 600 (void) strtrim(jdi.domain_name, " \t\n"); 601 if (container != NULL) { 602 if (strlcpy(jdi.container_name, container, 603 sizeof (jdi.container_name)) >= 604 sizeof (jdi.container_name)) { 605 (void) fprintf(stderr, gettext("container name is " 606 "too long\n")); 607 smbadm_usage(B_FALSE); 608 } 609 } 610 611 if (smb_name_validate_domain(jdi.domain_name) != ERROR_SUCCESS) { 612 (void) fprintf(stderr, gettext("domain name is invalid\n")); 613 smbadm_usage(B_FALSE); 614 } 615 616 if (confirm && !smbadm_join_confirm(jdi.domain_name)) 617 return (0); 618 619 /* 620 * Note: username is null for "unsecure join" 621 * (join using a pre-created computer account) 622 * Not implemented. 623 */ 624 if (username == NULL) { 625 (void) fprintf(stderr, 626 gettext("username missing\n")); 627 smbadm_usage(B_FALSE); 628 } 629 630 /* 631 * Check for "username+password" as described above. 632 */ 633 if ((p = strchr(username, '+')) != NULL) { 634 ++p; 635 636 len = (int)(p - username); 637 if (len > sizeof (jdi.domain_name)) 638 len = sizeof (jdi.domain_name); 639 640 (void) strlcpy(jdi.domain_username, username, len); 641 (void) strlcpy(jdi.domain_passwd, p, 642 sizeof (jdi.domain_passwd)); 643 } else { 644 (void) strlcpy(jdi.domain_username, username, 645 sizeof (jdi.domain_username)); 646 } 647 648 if (smb_name_validate_account(jdi.domain_username) 649 != ERROR_SUCCESS) { 650 (void) fprintf(stderr, 651 gettext("username contains invalid characters\n")); 652 smbadm_usage(B_FALSE); 653 } 654 655 if (*jdi.domain_passwd == '\0') { 656 if (isatty(fileno(stdin))) { 657 passwd_prompt = gettext("Enter domain password: "); 658 if ((p = getpassphrase(passwd_prompt)) == NULL) { 659 (void) fprintf(stderr, gettext( 660 "missing password\n")); 661 smbadm_usage(B_FALSE); 662 } 663 664 (void) strlcpy(jdi.domain_passwd, p, 665 sizeof (jdi.domain_passwd)); 666 } else { 667 /* Just read from stdin, no prompt. */ 668 char *pbuf = NULL; 669 size_t pblen = 0; 670 len = getline(&pbuf, &pblen, stdin); 671 672 /* trim the ending newline if it exists */ 673 if (len > 0 && pbuf[len - 1] == '\n') { 674 pbuf[len - 1] = '\0'; 675 len--; 676 } 677 if (len <= 0) { 678 (void) fprintf(stderr, gettext( 679 "missing password\n")); 680 smbadm_usage(B_FALSE); 681 } 682 (void) strlcpy(jdi.domain_passwd, pbuf, 683 sizeof (jdi.domain_passwd)); 684 } 685 } 686 687 (void) printf(gettext("Joining %s ... this may take a minute ...\n"), 688 jdi.domain_name); 689 690 rc = smb_join(&jdi, &jdres); 691 if (rc != 0) { 692 (void) printf(gettext("Cannot call the SMB service. " 693 " (error %d: %s) " 694 "Please check the service status " 695 "(svcs -vx network/smb/server)\n"), 696 rc, strerror(rc)); 697 bzero(&jdi, sizeof (jdi)); 698 return (1); 699 } 700 701 switch (jdres.status) { 702 case NT_STATUS_SUCCESS: 703 (void) printf(gettext( 704 "Successfully joined domain %s using AD server %s\n"), 705 jdi.domain_name, jdres.dc_name); 706 bzero(&jdi, sizeof (jdi)); 707 smbadm_update_groups(SMBADM_GRP_ADDMEMBER); // after join 708 smbadm_restart_service(); 709 return (0); 710 711 case NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND: 712 /* See: smb_ads_lookup_msdcs */ 713 (void) fprintf(stderr, gettext( 714 "failed to find any AD servers for domain: %s\n"), 715 jdi.domain_name); 716 goto common; 717 718 case NT_STATUS_BAD_NETWORK_PATH: 719 /* See: smbrdr_ctx_new / smb_ctx_resolve */ 720 (void) fprintf(stderr, gettext( 721 "failed to resolve address of AD server: %s\n"), 722 jdres.dc_name); 723 goto common; 724 725 case NT_STATUS_NETWORK_ACCESS_DENIED: 726 /* See: smbrdr_ctx_new / smb_ctx_get_ssn */ 727 (void) fprintf(stderr, gettext( 728 "failed to authenticate with AD server: %s\n"), 729 jdres.dc_name); 730 goto common; 731 732 case NT_STATUS_BAD_NETWORK_NAME: 733 /* 734 * See: smbrdr_ctx_new / smb_ctx_get_tree 735 * and: ndr_rpc_bind / smb_fh_open 736 */ 737 (void) fprintf(stderr, gettext( 738 "failed connecting to services on AD server: %s\n"), 739 jdres.dc_name); 740 goto common; 741 742 default: 743 (void) fprintf(stderr, gettext( 744 "failed to join domain %s\n"), 745 jdi.domain_name); 746 if (jdres.dc_name[0] != '\0') { 747 (void) fprintf(stderr, gettext( 748 "using AD server: %s\n"), 749 jdres.dc_name); 750 } 751 /* FALLTHROUGH */ 752 common: 753 if (jdres.join_err != 0) { 754 (void) fprintf(stderr, "%s\n", 755 smb_ads_strerror(jdres.join_err)); 756 } else if (jdres.status != 0) { 757 (void) fprintf(stderr, "(%s)\n", 758 xlate_nt_status(jdres.status)); 759 } 760 (void) fprintf(stderr, gettext("Please refer to the " 761 "service log for more information.\n")); 762 bzero(&jdi, sizeof (jdi)); 763 return (1); 764 } 765 } 766 767 /* 768 * We want to process the user and domain names as separate strings. 769 * Check for names of the forms below and separate the components as 770 * required. 771 * 772 * name@domain 773 * domain\name 774 * domain/name 775 * 776 * If we encounter any of the forms above in arg, the @, / or \ 777 * separator is replaced by \0 and the username and domain pointers 778 * are changed to point to the appropriate components (in arg). 779 * 780 * If none of the separators are encountered, the username and domain 781 * pointers remain unchanged. 782 */ 783 static void 784 smbadm_extract_domain(char *arg, char **username, char **domain) 785 { 786 char *p; 787 788 if ((p = strpbrk(arg, "/\\@")) != NULL) { 789 if (*p == '@') { 790 *p = '\0'; 791 ++p; 792 793 if (strchr(arg, '+') != NULL) 794 return; 795 796 *domain = p; 797 *username = arg; 798 } else { 799 *p = '\0'; 800 ++p; 801 *username = p; 802 *domain = arg; 803 } 804 } 805 } 806 807 /* 808 * smbadm_update_groups 809 * Add or remove "Domain Admins@mydomain" to/from the 810 * local administrators group. 811 * 812 * Similar to: smbadm_group_add_del_member 813 */ 814 static void 815 smbadm_update_groups(smbadm_grp_action_t act) 816 { 817 char sidstr[SMB_SID_STRSZ]; 818 char gname[] = "administrators"; // must be writable 819 smb_gsid_t msid; 820 int rc; 821 822 /* 823 * Compose the (well-known) SID for "Domain Admins" 824 * which is {domain-SID}-512 825 */ 826 rc = smb_config_getstr(SMB_CI_DOMAIN_SID, sidstr, sizeof (sidstr)); 827 if (rc != 0) { 828 (void) fprintf(stderr, 829 gettext("Update local groups: no domain SID\n")); 830 return; 831 } 832 (void) strlcat(sidstr, "-512", sizeof (sidstr)); 833 834 msid.gs_type = SidTypeGroup; 835 msid.gs_sid = smb_sid_fromstr(sidstr); 836 if (msid.gs_sid == NULL) { 837 (void) fprintf(stderr, 838 gettext("Update local groups: no memory for SID\n")); 839 return; 840 } 841 842 switch (act) { 843 case SMBADM_GRP_ADDMEMBER: 844 rc = smb_lgrp_add_member(gname, 845 msid.gs_sid, msid.gs_type); 846 // suppress "already in group" 847 if (rc == SMB_LGRP_MEMBER_IN_GROUP) 848 rc = 0; 849 break; 850 case SMBADM_GRP_DELMEMBER: 851 rc = smb_lgrp_del_member(gname, 852 msid.gs_sid, msid.gs_type); 853 // supress "not in group" 854 if (rc == SMB_LGRP_MEMBER_NOT_IN_GROUP) 855 rc = 0; 856 break; 857 default: 858 rc = SMB_LGRP_INTERNAL_ERROR; 859 break; 860 } 861 862 smb_sid_free(msid.gs_sid); 863 864 if (rc != SMB_LGRP_SUCCESS) { 865 (void) fprintf(stderr, 866 gettext("Update local groups: can't update DB, %s\n"), 867 smb_lgrp_strerror(rc)); 868 } 869 } 870 871 /* 872 * smbadm_list 873 * 874 * Displays current security mode and domain/workgroup name. 875 */ 876 /*ARGSUSED*/ 877 static int 878 smbadm_list(int argc, char **argv) 879 { 880 char domain[MAXHOSTNAMELEN]; 881 char fqdn[MAXHOSTNAMELEN]; 882 char srvname[MAXHOSTNAMELEN]; 883 char modename[16]; 884 int rc; 885 smb_inaddr_t srvipaddr; 886 char ipstr[INET6_ADDRSTRLEN]; 887 888 rc = smb_config_getstr(SMB_CI_SECURITY, modename, sizeof (modename)); 889 if (rc != SMBD_SMF_OK) { 890 (void) fprintf(stderr, 891 gettext("cannot determine the operational mode\n")); 892 return (1); 893 } 894 895 if (smb_getdomainname(domain, sizeof (domain)) != 0) { 896 (void) fprintf(stderr, gettext("failed to get the %s name\n"), 897 modename); 898 return (1); 899 } 900 901 if (strcmp(modename, "workgroup") == 0) { 902 (void) printf(gettext("[*] [%s]\n"), domain); 903 return (0); 904 } 905 906 (void) printf(gettext("[*] [%s]\n"), domain); 907 if ((smb_getfqdomainname(fqdn, sizeof (fqdn)) == 0) && (*fqdn != '\0')) 908 (void) printf(gettext("[*] [%s]\n"), fqdn); 909 910 if ((smb_get_dcinfo(srvname, MAXHOSTNAMELEN, &srvipaddr) 911 == NT_STATUS_SUCCESS) && (*srvname != '\0') && 912 (!smb_inet_iszero(&srvipaddr))) { 913 (void) smb_inet_ntop(&srvipaddr, ipstr, 914 SMB_IPSTRLEN(srvipaddr.a_family)); 915 (void) printf(gettext("\t[+%s] [%s]\n"), 916 srvname, ipstr); 917 } 918 919 /* Print the local and domain SID. */ 920 smb_domain_show(); 921 return (0); 922 } 923 924 /* 925 * smbadm_lookup 926 * 927 * Lookup the SID for a given account (user or group) 928 */ 929 static int 930 smbadm_lookup(int argc, char **argv) 931 { 932 int i; 933 934 if (argc < 2) { 935 (void) fprintf(stderr, gettext("missing account name\n")); 936 smbadm_usage(B_FALSE); 937 } 938 939 for (i = 1; i < argc; i++) { 940 if (strncmp(argv[i], "S-1-", 4) == 0) 941 smbadm_lookup_sid(argv[i]); 942 else 943 smbadm_lookup_name(argv[i]); 944 } 945 return (0); 946 } 947 948 static void 949 smbadm_lookup_name(char *name) 950 { 951 lsa_account_t acct; 952 int rc; 953 954 if ((rc = smb_lookup_name(name, SidTypeUnknown, &acct)) != 0) { 955 (void) fprintf(stderr, gettext( 956 "\t\t%s: lookup name failed, rc=%d\n"), 957 name, rc); 958 return; 959 } 960 if (acct.a_status != NT_STATUS_SUCCESS) { 961 (void) fprintf(stderr, gettext("\t\t%s [%s]\n"), 962 name, xlate_nt_status(acct.a_status)); 963 return; 964 } 965 (void) printf("\t%s\n", acct.a_sid); 966 } 967 968 static void 969 smbadm_lookup_sid(char *sidstr) 970 { 971 lsa_account_t acct; 972 int rc; 973 974 if ((rc = smb_lookup_sid(sidstr, &acct)) != 0) { 975 (void) fprintf(stderr, gettext( 976 "\t\t%s: lookup SID failed, rc=%d\n"), 977 sidstr, rc); 978 return; 979 } 980 if (acct.a_status != NT_STATUS_SUCCESS) { 981 (void) fprintf(stderr, gettext("\t\t%s [%s]\n"), 982 sidstr, xlate_nt_status(acct.a_status)); 983 return; 984 } 985 (void) printf("\t%s\\%s\n", acct.a_domain, acct.a_name); 986 } 987 988 /* 989 * smbadm_group_create 990 * 991 * Creates a local SMB group 992 */ 993 static int 994 smbadm_group_create(int argc, char **argv) 995 { 996 char *gname = NULL; 997 char *desc = NULL; 998 char option; 999 int status; 1000 1001 while ((option = getopt(argc, argv, "d:")) != -1) { 1002 switch (option) { 1003 case 'd': 1004 desc = optarg; 1005 break; 1006 1007 default: 1008 smbadm_usage(B_FALSE); 1009 } 1010 } 1011 1012 gname = argv[optind]; 1013 if (optind >= argc || gname == NULL || *gname == '\0') { 1014 (void) fprintf(stderr, gettext("missing group name\n")); 1015 smbadm_usage(B_FALSE); 1016 } 1017 1018 status = smb_lgrp_add(gname, desc); 1019 if (status != SMB_LGRP_SUCCESS) { 1020 (void) fprintf(stderr, 1021 gettext("failed to create %s (%s)\n"), gname, 1022 smb_lgrp_strerror(status)); 1023 } else { 1024 (void) printf(gettext("%s created\n"), gname); 1025 } 1026 1027 return (status); 1028 } 1029 1030 /* 1031 * smbadm_group_dump_members 1032 * 1033 * Dump group members details. 1034 */ 1035 static void 1036 smbadm_group_dump_members(smb_gsid_t *members, int num) 1037 { 1038 char sidstr[SMB_SID_STRSZ]; 1039 lsa_account_t acct; 1040 int i; 1041 1042 if (num == 0) { 1043 (void) printf(gettext("\tNo members\n")); 1044 return; 1045 } 1046 1047 (void) printf(gettext("\tMembers:\n")); 1048 for (i = 0; i < num; i++) { 1049 smb_sid_tostr(members[i].gs_sid, sidstr); 1050 1051 if (smb_lookup_sid(sidstr, &acct) == 0) { 1052 if (acct.a_status == NT_STATUS_SUCCESS) 1053 smbadm_group_show_name(acct.a_domain, 1054 acct.a_name); 1055 else 1056 (void) printf(gettext("\t\t%s [%s]\n"), 1057 sidstr, xlate_nt_status(acct.a_status)); 1058 } else { 1059 (void) printf(gettext("\t\t%s\n"), sidstr); 1060 } 1061 } 1062 } 1063 1064 static void 1065 smbadm_group_show_name(const char *domain, const char *name) 1066 { 1067 if (strchr(domain, '.') != NULL) 1068 (void) printf("\t\t%s@%s\n", name, domain); 1069 else 1070 (void) printf("\t\t%s\\%s\n", domain, name); 1071 } 1072 1073 /* 1074 * smbadm_group_dump_privs 1075 * 1076 * Dump group privilege details. 1077 */ 1078 static void 1079 smbadm_group_dump_privs(smb_privset_t *privs) 1080 { 1081 smb_privinfo_t *pinfo; 1082 char *pstatus; 1083 int i; 1084 1085 (void) printf(gettext("\tPrivileges: \n")); 1086 1087 for (i = 0; i < privs->priv_cnt; i++) { 1088 pinfo = smb_priv_getbyvalue(privs->priv[i].luid.lo_part); 1089 if ((pinfo == NULL) || (pinfo->flags & PF_PRESENTABLE) == 0) 1090 continue; 1091 1092 switch (privs->priv[i].attrs) { 1093 case SE_PRIVILEGE_ENABLED: 1094 pstatus = "On"; 1095 break; 1096 case SE_PRIVILEGE_DISABLED: 1097 pstatus = "Off"; 1098 break; 1099 default: 1100 pstatus = "Unknown"; 1101 break; 1102 } 1103 (void) printf(gettext("\t\t%s: %s\n"), pinfo->name, pstatus); 1104 } 1105 1106 if (privs->priv_cnt == 0) 1107 (void) printf(gettext("\t\tNo privileges\n")); 1108 } 1109 1110 /* 1111 * smbadm_group_dump 1112 * 1113 * Dump group details. 1114 */ 1115 static void 1116 smbadm_group_dump(smb_group_t *grp, boolean_t show_mem, boolean_t show_privs) 1117 { 1118 char sidstr[SMB_SID_STRSZ]; 1119 1120 (void) printf(gettext("%s (%s)\n"), grp->sg_name, grp->sg_cmnt); 1121 1122 smb_sid_tostr(grp->sg_id.gs_sid, sidstr); 1123 (void) printf(gettext("\tSID: %s\n"), sidstr); 1124 1125 if (show_privs) 1126 smbadm_group_dump_privs(grp->sg_privs); 1127 1128 if (show_mem) 1129 smbadm_group_dump_members(grp->sg_members, grp->sg_nmembers); 1130 } 1131 1132 /* 1133 * smbadm_group_show 1134 * 1135 */ 1136 static int 1137 smbadm_group_show(int argc, char **argv) 1138 { 1139 char *gname = NULL; 1140 boolean_t show_privs; 1141 boolean_t show_members; 1142 char option; 1143 int status; 1144 smb_group_t grp; 1145 smb_giter_t gi; 1146 1147 show_privs = show_members = B_FALSE; 1148 1149 while ((option = getopt(argc, argv, "mp")) != -1) { 1150 switch (option) { 1151 case 'm': 1152 show_members = B_TRUE; 1153 break; 1154 case 'p': 1155 show_privs = B_TRUE; 1156 break; 1157 1158 default: 1159 smbadm_usage(B_FALSE); 1160 } 1161 } 1162 1163 gname = argv[optind]; 1164 if (optind >= argc || gname == NULL || *gname == '\0') 1165 gname = "*"; 1166 1167 if (strcmp(gname, "*")) { 1168 status = smb_lgrp_getbyname(gname, &grp); 1169 if (status == SMB_LGRP_SUCCESS) { 1170 smbadm_group_dump(&grp, show_members, show_privs); 1171 smb_lgrp_free(&grp); 1172 } else { 1173 (void) fprintf(stderr, 1174 gettext("failed to find %s (%s)\n"), 1175 gname, smb_lgrp_strerror(status)); 1176 } 1177 return (status); 1178 } 1179 1180 if ((status = smb_lgrp_iteropen(&gi)) != SMB_LGRP_SUCCESS) { 1181 (void) fprintf(stderr, gettext("failed to list groups (%s)\n"), 1182 smb_lgrp_strerror(status)); 1183 return (status); 1184 } 1185 1186 while ((status = smb_lgrp_iterate(&gi, &grp)) == SMB_LGRP_SUCCESS) { 1187 smbadm_group_dump(&grp, show_members, show_privs); 1188 smb_lgrp_free(&grp); 1189 } 1190 1191 smb_lgrp_iterclose(&gi); 1192 1193 if ((status != SMB_LGRP_NO_MORE) || smb_lgrp_itererror(&gi)) { 1194 if (status != SMB_LGRP_NO_MORE) 1195 smb_syslog(LOG_ERR, "smb_lgrp_iterate: %s", 1196 smb_lgrp_strerror(status)); 1197 1198 (void) fprintf(stderr, 1199 gettext("\nAn error occurred while retrieving group data.\n" 1200 "Check the system log for more information.\n")); 1201 return (status); 1202 } 1203 1204 return (0); 1205 } 1206 1207 /* 1208 * smbadm_group_delete 1209 */ 1210 static int 1211 smbadm_group_delete(int argc, char **argv) 1212 { 1213 char *gname = NULL; 1214 int status; 1215 1216 gname = argv[optind]; 1217 if (optind >= argc || gname == NULL || *gname == '\0') { 1218 (void) fprintf(stderr, gettext("missing group name\n")); 1219 smbadm_usage(B_FALSE); 1220 } 1221 1222 status = smb_lgrp_delete(gname); 1223 if (status != SMB_LGRP_SUCCESS) { 1224 (void) fprintf(stderr, 1225 gettext("failed to delete %s (%s)\n"), gname, 1226 smb_lgrp_strerror(status)); 1227 } else { 1228 (void) printf(gettext("%s deleted\n"), gname); 1229 } 1230 1231 return (status); 1232 } 1233 1234 /* 1235 * smbadm_group_rename 1236 */ 1237 static int 1238 smbadm_group_rename(int argc, char **argv) 1239 { 1240 char *gname = NULL; 1241 char *ngname = NULL; 1242 int status; 1243 1244 gname = argv[optind]; 1245 if (optind++ >= argc || gname == NULL || *gname == '\0') { 1246 (void) fprintf(stderr, gettext("missing group name\n")); 1247 smbadm_usage(B_FALSE); 1248 } 1249 1250 ngname = argv[optind]; 1251 if (optind >= argc || ngname == NULL || *ngname == '\0') { 1252 (void) fprintf(stderr, gettext("missing new group name\n")); 1253 smbadm_usage(B_FALSE); 1254 } 1255 1256 status = smb_lgrp_rename(gname, ngname); 1257 if (status != SMB_LGRP_SUCCESS) { 1258 if (status == SMB_LGRP_EXISTS) 1259 (void) fprintf(stderr, 1260 gettext("failed to rename '%s' (%s already " 1261 "exists)\n"), gname, ngname); 1262 else 1263 (void) fprintf(stderr, 1264 gettext("failed to rename '%s' (%s)\n"), gname, 1265 smb_lgrp_strerror(status)); 1266 } else { 1267 (void) printf(gettext("'%s' renamed to '%s'\n"), gname, ngname); 1268 } 1269 1270 return (status); 1271 } 1272 1273 /* 1274 * smbadm_group_setprop 1275 * 1276 * Set the group properties. 1277 */ 1278 static int 1279 smbadm_group_setprop(int argc, char **argv) 1280 { 1281 char *gname = NULL; 1282 smbadm_prop_t props[SMBADM_NPROP]; 1283 smbadm_prop_handle_t *phandle; 1284 char option; 1285 int pcnt = 0; 1286 int ret = 0; 1287 int p; 1288 1289 bzero(props, SMBADM_NPROP * sizeof (smbadm_prop_t)); 1290 1291 while ((option = getopt(argc, argv, "p:")) != -1) { 1292 switch (option) { 1293 case 'p': 1294 if (pcnt >= SMBADM_NPROP) { 1295 (void) fprintf(stderr, 1296 gettext("exceeded number of supported" 1297 " properties\n")); 1298 smbadm_usage(B_FALSE); 1299 } 1300 1301 if (smbadm_prop_parse(optarg, &props[pcnt++]) != 0) 1302 smbadm_usage(B_FALSE); 1303 break; 1304 1305 default: 1306 smbadm_usage(B_FALSE); 1307 } 1308 } 1309 1310 if (pcnt == 0) { 1311 (void) fprintf(stderr, 1312 gettext("missing property=value argument\n")); 1313 smbadm_usage(B_FALSE); 1314 } 1315 1316 gname = argv[optind]; 1317 if (optind >= argc || gname == NULL || *gname == '\0') { 1318 (void) fprintf(stderr, gettext("missing group name\n")); 1319 smbadm_usage(B_FALSE); 1320 } 1321 1322 for (p = 0; p < pcnt; p++) { 1323 phandle = smbadm_prop_gethandle(props[p].p_name); 1324 if (phandle) { 1325 if (phandle->p_setfn(gname, &props[p]) != 0) 1326 ret = 1; 1327 } 1328 } 1329 1330 return (ret); 1331 } 1332 1333 /* 1334 * smbadm_group_getprop 1335 * 1336 * Get the group properties. 1337 */ 1338 static int 1339 smbadm_group_getprop(int argc, char **argv) 1340 { 1341 char *gname = NULL; 1342 smbadm_prop_t props[SMBADM_NPROP]; 1343 smbadm_prop_handle_t *phandle; 1344 char option; 1345 int pcnt = 0; 1346 int ret = 0; 1347 int p; 1348 1349 bzero(props, SMBADM_NPROP * sizeof (smbadm_prop_t)); 1350 1351 while ((option = getopt(argc, argv, "p:")) != -1) { 1352 switch (option) { 1353 case 'p': 1354 if (pcnt >= SMBADM_NPROP) { 1355 (void) fprintf(stderr, 1356 gettext("exceeded number of supported" 1357 " properties\n")); 1358 smbadm_usage(B_FALSE); 1359 } 1360 1361 if (smbadm_prop_parse(optarg, &props[pcnt++]) != 0) 1362 smbadm_usage(B_FALSE); 1363 break; 1364 1365 default: 1366 smbadm_usage(B_FALSE); 1367 } 1368 } 1369 1370 gname = argv[optind]; 1371 if (optind >= argc || gname == NULL || *gname == '\0') { 1372 (void) fprintf(stderr, gettext("missing group name\n")); 1373 smbadm_usage(B_FALSE); 1374 } 1375 1376 if (pcnt == 0) { 1377 /* 1378 * If no property has be specified then get 1379 * all the properties. 1380 */ 1381 pcnt = SMBADM_NPROP; 1382 for (p = 0; p < pcnt; p++) 1383 props[p].p_name = smbadm_ptable[p].p_name; 1384 } 1385 1386 for (p = 0; p < pcnt; p++) { 1387 phandle = smbadm_prop_gethandle(props[p].p_name); 1388 if (phandle) { 1389 if (phandle->p_getfn(gname, &props[p]) != 0) 1390 ret = 1; 1391 } 1392 } 1393 1394 return (ret); 1395 } 1396 1397 /* 1398 * smbadm_group_addmember 1399 * 1400 */ 1401 static int 1402 smbadm_group_addmember(int argc, char **argv) 1403 { 1404 char *gname = NULL; 1405 char **mname; 1406 char option; 1407 int mcnt = 0; 1408 int ret = 0; 1409 int i; 1410 1411 1412 mname = (char **)malloc(argc * sizeof (char *)); 1413 if (mname == NULL) { 1414 warn(gettext("failed to add group member")); 1415 return (1); 1416 } 1417 bzero(mname, argc * sizeof (char *)); 1418 1419 while ((option = getopt(argc, argv, "m:")) != -1) { 1420 switch (option) { 1421 case 'm': 1422 mname[mcnt++] = optarg; 1423 break; 1424 1425 default: 1426 free(mname); 1427 smbadm_usage(B_FALSE); 1428 } 1429 } 1430 1431 if (mcnt == 0) { 1432 (void) fprintf(stderr, gettext("missing member name\n")); 1433 free(mname); 1434 smbadm_usage(B_FALSE); 1435 } 1436 1437 gname = argv[optind]; 1438 if (optind >= argc || gname == NULL || *gname == 0) { 1439 (void) fprintf(stderr, gettext("missing group name\n")); 1440 free(mname); 1441 smbadm_usage(B_FALSE); 1442 } 1443 1444 for (i = 0; i < mcnt; i++) { 1445 if (mname[i] == NULL) 1446 continue; 1447 ret |= smbadm_group_add_del_member( 1448 gname, mname[i], SMBADM_GRP_ADDMEMBER); 1449 } 1450 1451 free(mname); 1452 return (ret); 1453 } 1454 1455 /* 1456 * smbadm_group_delmember 1457 */ 1458 static int 1459 smbadm_group_delmember(int argc, char **argv) 1460 { 1461 char *gname = NULL; 1462 char **mname; 1463 char option; 1464 int mcnt = 0; 1465 int ret = 0; 1466 int i; 1467 1468 mname = (char **)malloc(argc * sizeof (char *)); 1469 if (mname == NULL) { 1470 warn(gettext("failed to delete group member")); 1471 return (1); 1472 } 1473 bzero(mname, argc * sizeof (char *)); 1474 1475 while ((option = getopt(argc, argv, "m:")) != -1) { 1476 switch (option) { 1477 case 'm': 1478 mname[mcnt++] = optarg; 1479 break; 1480 1481 default: 1482 free(mname); 1483 smbadm_usage(B_FALSE); 1484 } 1485 } 1486 1487 if (mcnt == 0) { 1488 (void) fprintf(stderr, gettext("missing member name\n")); 1489 free(mname); 1490 smbadm_usage(B_FALSE); 1491 } 1492 1493 gname = argv[optind]; 1494 if (optind >= argc || gname == NULL || *gname == 0) { 1495 (void) fprintf(stderr, gettext("missing group name\n")); 1496 free(mname); 1497 smbadm_usage(B_FALSE); 1498 } 1499 1500 1501 for (i = 0; i < mcnt; i++) { 1502 ret = 0; 1503 if (mname[i] == NULL) 1504 continue; 1505 ret |= smbadm_group_add_del_member( 1506 gname, mname[i], SMBADM_GRP_DELMEMBER); 1507 } 1508 1509 free(mname); 1510 return (ret); 1511 } 1512 1513 static int 1514 smbadm_group_add_del_member(char *gname, char *mname, 1515 smbadm_grp_action_t act) 1516 { 1517 lsa_account_t acct; 1518 smb_gsid_t msid; 1519 char *sidstr; 1520 char *act_str = NULL; 1521 int rc; 1522 1523 if (strncmp(mname, "S-1-", 4) == 0) { 1524 /* 1525 * We are given a SID. Just use it. 1526 * 1527 * We'd like the real account type if we can get it, 1528 * but don't want to error out if we can't get it. 1529 * Lacking other info, assume it's a group. 1530 */ 1531 sidstr = mname; 1532 rc = smb_lookup_sid(sidstr, &acct); 1533 if ((rc != 0) || (acct.a_status != NT_STATUS_SUCCESS)) 1534 acct.a_sidtype = SidTypeGroup; 1535 } else { 1536 rc = smb_lookup_name(mname, SidTypeUnknown, &acct); 1537 if ((rc != 0) || (acct.a_status != NT_STATUS_SUCCESS)) { 1538 (void) fprintf(stderr, 1539 gettext("%s: name lookup failed\n"), mname); 1540 return (1); 1541 } 1542 sidstr = acct.a_sid; 1543 } 1544 1545 msid.gs_type = acct.a_sidtype; 1546 if ((msid.gs_sid = smb_sid_fromstr(sidstr)) == NULL) { 1547 (void) fprintf(stderr, 1548 gettext("%s: no memory for SID\n"), sidstr); 1549 return (1); 1550 } 1551 1552 switch (act) { 1553 case SMBADM_GRP_ADDMEMBER: 1554 act_str = gettext("add"); 1555 rc = smb_lgrp_add_member(gname, 1556 msid.gs_sid, msid.gs_type); 1557 break; 1558 case SMBADM_GRP_DELMEMBER: 1559 act_str = gettext("remove"); 1560 rc = smb_lgrp_del_member(gname, 1561 msid.gs_sid, msid.gs_type); 1562 break; 1563 default: 1564 rc = SMB_LGRP_INTERNAL_ERROR; 1565 break; 1566 } 1567 1568 smb_sid_free(msid.gs_sid); 1569 1570 if (rc != SMB_LGRP_SUCCESS) { 1571 (void) fprintf(stderr, 1572 gettext("failed to %s %s (%s)\n"), 1573 act_str, mname, smb_lgrp_strerror(rc)); 1574 return (1); 1575 } 1576 return (0); 1577 } 1578 1579 static int 1580 smbadm_user_delete(int argc, char **argv) 1581 { 1582 int error; 1583 char *user = NULL; 1584 1585 user = argv[optind]; 1586 if (optind >= argc || user == NULL || *user == '\0') { 1587 (void) fprintf(stderr, gettext("missing user name\n")); 1588 smbadm_usage(B_FALSE); 1589 } 1590 1591 error = smb_pwd_setcntl(user, SMB_PWC_DELETE); 1592 if (error == SMB_PWE_SUCCESS) 1593 (void) printf(gettext("%s has been deleted.\n"), user); 1594 else 1595 (void) fprintf(stderr, "%s\n", smbadm_pwd_strerror(error)); 1596 1597 return (error); 1598 } 1599 1600 static int 1601 smbadm_user_disable(int argc, char **argv) 1602 { 1603 int error; 1604 char *user = NULL; 1605 1606 user = argv[optind]; 1607 if (optind >= argc || user == NULL || *user == '\0') { 1608 (void) fprintf(stderr, gettext("missing user name\n")); 1609 smbadm_usage(B_FALSE); 1610 } 1611 1612 error = smb_pwd_setcntl(user, SMB_PWC_DISABLE); 1613 if (error == SMB_PWE_SUCCESS) 1614 (void) printf(gettext("%s is disabled.\n"), user); 1615 else 1616 (void) fprintf(stderr, "%s\n", smbadm_pwd_strerror(error)); 1617 1618 return (error); 1619 } 1620 1621 static int 1622 smbadm_user_enable(int argc, char **argv) 1623 { 1624 int error; 1625 char *user = NULL; 1626 1627 user = argv[optind]; 1628 if (optind >= argc || user == NULL || *user == '\0') { 1629 (void) fprintf(stderr, gettext("missing user name\n")); 1630 smbadm_usage(B_FALSE); 1631 } 1632 1633 error = smb_pwd_setcntl(user, SMB_PWC_ENABLE); 1634 if (error == SMB_PWE_SUCCESS) 1635 (void) printf(gettext("%s is enabled.\n"), user); 1636 else 1637 (void) fprintf(stderr, "%s\n", smbadm_pwd_strerror(error)); 1638 1639 return (error); 1640 } 1641 1642 1643 int 1644 main(int argc, char **argv) 1645 { 1646 int ret; 1647 int i; 1648 1649 (void) setlocale(LC_ALL, ""); 1650 (void) textdomain(TEXT_DOMAIN); 1651 1652 (void) malloc(0); /* satisfy libumem dependency */ 1653 1654 progname = basename(argv[0]); 1655 1656 if (is_system_labeled()) { 1657 (void) fprintf(stderr, 1658 gettext("Trusted Extensions not supported\n")); 1659 return (1); 1660 } 1661 1662 if (argc < 2) { 1663 (void) fprintf(stderr, gettext("missing command\n")); 1664 smbadm_usage(B_FALSE); 1665 } 1666 1667 /* 1668 * Special case "cmd --help/-?" 1669 */ 1670 if (strcmp(argv[1], "-?") == 0 || 1671 strcmp(argv[1], "--help") == 0 || 1672 strcmp(argv[1], "-h") == 0) 1673 smbadm_usage(B_TRUE); 1674 1675 for (i = 0; i < SMBADM_NCMD; ++i) { 1676 curcmd = &smbadm_cmdtable[i]; 1677 if (strcasecmp(argv[1], curcmd->name) == 0) { 1678 if (argc > 2) { 1679 /* cmd subcmd --help/-? */ 1680 if (strcmp(argv[2], "-?") == 0 || 1681 strcmp(argv[2], "--help") == 0 || 1682 strcmp(argv[2], "-h") == 0) 1683 smbadm_usage(B_TRUE); 1684 } 1685 1686 if (!smbadm_checkauth(curcmd->auth)) { 1687 (void) fprintf(stderr, 1688 gettext("%s: %s: authorization denied\n"), 1689 progname, curcmd->name); 1690 return (1); 1691 } 1692 1693 if ((ret = smbadm_init()) != 0) 1694 return (ret); 1695 1696 ret = curcmd->func(argc - 1, &argv[1]); 1697 1698 smbadm_fini(); 1699 return (ret); 1700 } 1701 } 1702 1703 curcmd = NULL; 1704 (void) fprintf(stderr, gettext("unknown subcommand (%s)\n"), argv[1]); 1705 smbadm_usage(B_FALSE); 1706 return (2); 1707 } 1708 1709 static int 1710 smbadm_init(void) 1711 { 1712 int rc; 1713 1714 switch (curcmd->flags & SMBADM_CMDF_TYPEMASK) { 1715 case SMBADM_CMDF_GROUP: 1716 if ((rc = smb_lgrp_start()) != SMB_LGRP_SUCCESS) { 1717 (void) fprintf(stderr, 1718 gettext("failed to initialize (%s)\n"), 1719 smb_lgrp_strerror(rc)); 1720 return (1); 1721 } 1722 break; 1723 1724 case SMBADM_CMDF_USER: 1725 smb_pwd_init(B_FALSE); 1726 break; 1727 1728 default: 1729 break; 1730 } 1731 1732 return (0); 1733 } 1734 1735 static void 1736 smbadm_fini(void) 1737 { 1738 switch (curcmd->flags & SMBADM_CMDF_TYPEMASK) { 1739 case SMBADM_CMDF_GROUP: 1740 smb_lgrp_stop(); 1741 break; 1742 1743 case SMBADM_CMDF_USER: 1744 smb_pwd_fini(); 1745 break; 1746 1747 default: 1748 break; 1749 } 1750 } 1751 1752 static boolean_t 1753 smbadm_checkauth(const char *auth) 1754 { 1755 struct passwd *pw; 1756 1757 if ((pw = getpwuid(getuid())) == NULL) 1758 return (B_FALSE); 1759 1760 if (chkauthattr(auth, pw->pw_name) == 0) 1761 return (B_FALSE); 1762 1763 return (B_TRUE); 1764 } 1765 1766 static boolean_t 1767 smbadm_prop_validate(smbadm_prop_t *prop, boolean_t chkval) 1768 { 1769 smbadm_prop_handle_t *pinfo; 1770 int i; 1771 1772 for (i = 0; i < SMBADM_NPROP; i++) { 1773 pinfo = &smbadm_ptable[i]; 1774 if (strcmp(pinfo->p_name, prop->p_name) == 0) { 1775 if (pinfo->p_chkfn && chkval) 1776 return (pinfo->p_chkfn(prop)); 1777 1778 return (B_TRUE); 1779 } 1780 } 1781 1782 (void) fprintf(stderr, gettext("unrecognized property '%s'\n"), 1783 prop->p_name); 1784 1785 return (B_FALSE); 1786 } 1787 1788 static int 1789 smbadm_prop_parse(char *arg, smbadm_prop_t *prop) 1790 { 1791 boolean_t parse_value; 1792 char *equal; 1793 1794 if (arg == NULL) 1795 return (2); 1796 1797 prop->p_name = prop->p_value = NULL; 1798 1799 if (strcmp(curcmd->name, "set") == 0) 1800 parse_value = B_TRUE; 1801 else 1802 parse_value = B_FALSE; 1803 1804 prop->p_name = arg; 1805 1806 if (parse_value) { 1807 equal = strchr(arg, '='); 1808 if (equal == NULL) 1809 return (2); 1810 1811 *equal++ = '\0'; 1812 prop->p_value = equal; 1813 } 1814 1815 if (smbadm_prop_validate(prop, parse_value) == B_FALSE) 1816 return (2); 1817 1818 return (0); 1819 } 1820 1821 static smbadm_prop_handle_t * 1822 smbadm_prop_gethandle(char *pname) 1823 { 1824 int i; 1825 1826 for (i = 0; i < SMBADM_NPROP; i++) 1827 if (strcmp(pname, smbadm_ptable[i].p_name) == 0) 1828 return (&smbadm_ptable[i]); 1829 1830 return (NULL); 1831 } 1832 1833 static int 1834 smbadm_setprop_desc(char *gname, smbadm_prop_t *prop) 1835 { 1836 int status; 1837 1838 status = smb_lgrp_setcmnt(gname, prop->p_value); 1839 if (status != SMB_LGRP_SUCCESS) { 1840 (void) fprintf(stderr, 1841 gettext("failed to modify the group description (%s)\n"), 1842 smb_lgrp_strerror(status)); 1843 return (1); 1844 } 1845 1846 (void) printf(gettext("%s: description modified\n"), gname); 1847 return (0); 1848 } 1849 1850 static int 1851 smbadm_getprop_desc(char *gname, smbadm_prop_t *prop) 1852 { 1853 char *cmnt = NULL; 1854 int status; 1855 1856 status = smb_lgrp_getcmnt(gname, &cmnt); 1857 if (status != SMB_LGRP_SUCCESS) { 1858 (void) fprintf(stderr, 1859 gettext("failed to get the group description (%s)\n"), 1860 smb_lgrp_strerror(status)); 1861 return (1); 1862 } 1863 1864 (void) printf(gettext("\t%s: %s\n"), prop->p_name, cmnt); 1865 free(cmnt); 1866 return (0); 1867 } 1868 1869 static int 1870 smbadm_group_setpriv(char *gname, uint8_t priv_id, smbadm_prop_t *prop) 1871 { 1872 boolean_t enable; 1873 int status; 1874 int ret; 1875 1876 if (strcasecmp(prop->p_value, "on") == 0) { 1877 (void) printf(gettext("Enabling %s privilege "), prop->p_name); 1878 enable = B_TRUE; 1879 } else { 1880 (void) printf(gettext("Disabling %s privilege "), prop->p_name); 1881 enable = B_FALSE; 1882 } 1883 1884 status = smb_lgrp_setpriv(gname, priv_id, enable); 1885 if (status == SMB_LGRP_SUCCESS) { 1886 (void) printf(gettext("succeeded\n")); 1887 ret = 0; 1888 } else { 1889 (void) printf(gettext("failed: %s\n"), 1890 smb_lgrp_strerror(status)); 1891 ret = 1; 1892 } 1893 1894 return (ret); 1895 } 1896 1897 static int 1898 smbadm_group_getpriv(char *gname, uint8_t priv_id, smbadm_prop_t *prop) 1899 { 1900 boolean_t enable; 1901 int status; 1902 1903 status = smb_lgrp_getpriv(gname, priv_id, &enable); 1904 if (status != SMB_LGRP_SUCCESS) { 1905 (void) fprintf(stderr, gettext("failed to get %s (%s)\n"), 1906 prop->p_name, smb_lgrp_strerror(status)); 1907 return (1); 1908 } 1909 1910 (void) printf(gettext("\t%s: %s\n"), prop->p_name, 1911 (enable) ? "On" : "Off"); 1912 1913 return (0); 1914 } 1915 1916 static int 1917 smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop) 1918 { 1919 return (smbadm_group_setpriv(gname, SE_TAKE_OWNERSHIP_LUID, prop)); 1920 } 1921 1922 static int 1923 smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop) 1924 { 1925 return (smbadm_group_getpriv(gname, SE_TAKE_OWNERSHIP_LUID, prop)); 1926 } 1927 1928 static int 1929 smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop) 1930 { 1931 return (smbadm_group_setpriv(gname, SE_READ_FILE_LUID, prop)); 1932 } 1933 1934 static int 1935 smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop) 1936 { 1937 return (smbadm_group_getpriv(gname, SE_READ_FILE_LUID, prop)); 1938 } 1939 1940 static int 1941 smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop) 1942 { 1943 return (smbadm_group_setpriv(gname, SE_WRITE_FILE_LUID, prop)); 1944 } 1945 1946 static int 1947 smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop) 1948 { 1949 return (smbadm_group_getpriv(gname, SE_WRITE_FILE_LUID, prop)); 1950 } 1951 1952 static int 1953 smbadm_setprop_backup(char *gname, smbadm_prop_t *prop) 1954 { 1955 return (smbadm_group_setpriv(gname, SE_BACKUP_LUID, prop)); 1956 } 1957 1958 static int 1959 smbadm_getprop_backup(char *gname, smbadm_prop_t *prop) 1960 { 1961 return (smbadm_group_getpriv(gname, SE_BACKUP_LUID, prop)); 1962 } 1963 1964 static int 1965 smbadm_setprop_restore(char *gname, smbadm_prop_t *prop) 1966 { 1967 return (smbadm_group_setpriv(gname, SE_RESTORE_LUID, prop)); 1968 } 1969 1970 static int 1971 smbadm_getprop_restore(char *gname, smbadm_prop_t *prop) 1972 { 1973 return (smbadm_group_getpriv(gname, SE_RESTORE_LUID, prop)); 1974 } 1975 1976 static boolean_t 1977 smbadm_chkprop_priv(smbadm_prop_t *prop) 1978 { 1979 if (prop->p_value == NULL || *prop->p_value == '\0') { 1980 (void) fprintf(stderr, 1981 gettext("missing value for '%s'\n"), prop->p_name); 1982 return (B_FALSE); 1983 } 1984 1985 if (strcasecmp(prop->p_value, "on") == 0) 1986 return (B_TRUE); 1987 1988 if (strcasecmp(prop->p_value, "off") == 0) 1989 return (B_TRUE); 1990 1991 (void) fprintf(stderr, 1992 gettext("%s: unrecognized value for '%s' property\n"), 1993 prop->p_value, prop->p_name); 1994 1995 return (B_FALSE); 1996 } 1997 1998 static const char * 1999 smbadm_pwd_strerror(int error) 2000 { 2001 switch (error) { 2002 case SMB_PWE_SUCCESS: 2003 return (gettext("Success.")); 2004 2005 case SMB_PWE_USER_UNKNOWN: 2006 return (gettext("User does not exist.")); 2007 2008 case SMB_PWE_USER_DISABLE: 2009 return (gettext("User is disabled.")); 2010 2011 case SMB_PWE_CLOSE_FAILED: 2012 case SMB_PWE_OPEN_FAILED: 2013 case SMB_PWE_WRITE_FAILED: 2014 case SMB_PWE_UPDATE_FAILED: 2015 return (gettext("Unexpected failure. " 2016 "SMB password database unchanged.")); 2017 2018 case SMB_PWE_STAT_FAILED: 2019 return (gettext("stat of SMB password file failed.")); 2020 2021 case SMB_PWE_BUSY: 2022 return (gettext("SMB password database busy. " 2023 "Try again later.")); 2024 2025 case SMB_PWE_DENIED: 2026 return (gettext("Operation not permitted.")); 2027 2028 case SMB_PWE_SYSTEM_ERROR: 2029 return (gettext("System error.")); 2030 2031 default: 2032 break; 2033 } 2034 2035 return (gettext("Unknown error code.")); 2036 } 2037 2038 /* 2039 * Enable libumem debugging by default on DEBUG builds. 2040 */ 2041 #ifdef DEBUG 2042 const char * 2043 _umem_debug_init(void) 2044 { 2045 return ("default,verbose"); /* $UMEM_DEBUG setting */ 2046 } 2047 2048 const char * 2049 _umem_logging_init(void) 2050 { 2051 return ("fail,contents"); /* $UMEM_LOGGING setting */ 2052 } 2053 #endif 2054