xref: /illumos-gate/usr/src/cmd/smbsrv/smbadm/smbadm.c (revision 959eaf32)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
24  */
25 
26 /*
27  * This module contains smbadm CLI which offers smb configuration
28  * functionalities.
29  */
30 #include <errno.h>
31 #include <err.h>
32 #include <ctype.h>
33 #include <stdlib.h>
34 #include <unistd.h>
35 #include <stdio.h>
36 #include <syslog.h>
37 #include <strings.h>
38 #include <limits.h>
39 #include <getopt.h>
40 #include <libintl.h>
41 #include <zone.h>
42 #include <pwd.h>
43 #include <grp.h>
44 #include <libgen.h>
45 #include <netinet/in.h>
46 #include <auth_attr.h>
47 #include <locale.h>
48 #include <smbsrv/libsmb.h>
49 #include <smbsrv/libsmbns.h>
50 
51 #if !defined(TEXT_DOMAIN)
52 #define	TEXT_DOMAIN "SYS_TEST"
53 #endif
54 
55 typedef enum {
56 	HELP_ADD_MEMBER,
57 	HELP_CREATE,
58 	HELP_DELETE,
59 	HELP_DEL_MEMBER,
60 	HELP_GET,
61 	HELP_JOIN,
62 	HELP_LIST,
63 	HELP_LOOKUP,
64 	HELP_RENAME,
65 	HELP_SET,
66 	HELP_SHOW,
67 	HELP_USER_DISABLE,
68 	HELP_USER_ENABLE,
69 	HELP_USER_DELETE
70 } smbadm_help_t;
71 
72 #define	SMBADM_CMDF_NONE	0x00
73 #define	SMBADM_CMDF_USER	0x01
74 #define	SMBADM_CMDF_GROUP	0x02
75 #define	SMBADM_CMDF_TYPEMASK	0x0F
76 
77 typedef enum {
78 	SMBADM_GRP_ADDMEMBER = 0,
79 	SMBADM_GRP_DELMEMBER,
80 } smbadm_grp_action_t;
81 
82 #define	SMBADM_ANSBUFSIZ	64
83 
84 typedef struct smbadm_cmdinfo {
85 	char *name;
86 	int (*func)(int, char **);
87 	smbadm_help_t usage;
88 	uint32_t flags;
89 	char *auth;
90 } smbadm_cmdinfo_t;
91 
92 smbadm_cmdinfo_t *curcmd;
93 static char *progname;
94 
95 #define	SMBADM_ACTION_AUTH	"solaris.smf.manage.smb"
96 #define	SMBADM_VALUE_AUTH	"solaris.smf.value.smb"
97 #define	SMBADM_BASIC_AUTH	"solaris.network.hosts.read"
98 
99 static boolean_t smbadm_checkauth(const char *);
100 
101 static void smbadm_usage(boolean_t);
102 static int smbadm_join_workgroup(const char *, boolean_t);
103 static int smbadm_join_domain(const char *, const char *, boolean_t);
104 static void smbadm_extract_domain(char *, char **, char **);
105 
106 static int smbadm_join(int, char **);
107 static int smbadm_list(int, char **);
108 static int smbadm_lookup(int, char **);
109 static void smbadm_lookup_name(char *);
110 static void smbadm_lookup_sid(char *);
111 static int smbadm_group_create(int, char **);
112 static int smbadm_group_delete(int, char **);
113 static int smbadm_group_rename(int, char **);
114 static int smbadm_group_show(int, char **);
115 static void smbadm_group_show_name(const char *, const char *);
116 static int smbadm_group_getprop(int, char **);
117 static int smbadm_group_setprop(int, char **);
118 static int smbadm_group_addmember(int, char **);
119 static int smbadm_group_delmember(int, char **);
120 static int smbadm_group_add_del_member(char *, char *, smbadm_grp_action_t);
121 
122 static int smbadm_user_delete(int, char **);
123 static int smbadm_user_disable(int, char **);
124 static int smbadm_user_enable(int, char **);
125 
126 /* Please keep the order consistent with smbadm(1M) man page */
127 static smbadm_cmdinfo_t smbadm_cmdtable[] =
128 {
129 	{ "create",		smbadm_group_create,	HELP_CREATE,
130 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
131 	{ "delete",		smbadm_group_delete,	HELP_DELETE,
132 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
133 	{ "rename",		smbadm_group_rename,	HELP_RENAME,
134 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
135 	{ "show",		smbadm_group_show,	HELP_SHOW,
136 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
137 	{ "get",		smbadm_group_getprop,	HELP_GET,
138 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
139 	{ "set",		smbadm_group_setprop,	HELP_SET,
140 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
141 	{ "add-member",		smbadm_group_addmember,	HELP_ADD_MEMBER,
142 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
143 	{ "remove-member",	smbadm_group_delmember,	HELP_DEL_MEMBER,
144 		SMBADM_CMDF_GROUP,	SMBADM_ACTION_AUTH },
145 	{ "delete-user",	smbadm_user_delete,	HELP_USER_DELETE,
146 		SMBADM_CMDF_USER,	SMBADM_ACTION_AUTH },
147 	{ "disable-user",	smbadm_user_disable,	HELP_USER_DISABLE,
148 		SMBADM_CMDF_USER,	SMBADM_ACTION_AUTH },
149 	{ "enable-user",	smbadm_user_enable,	HELP_USER_ENABLE,
150 		SMBADM_CMDF_USER,	SMBADM_ACTION_AUTH },
151 	{ "join",		smbadm_join,		HELP_JOIN,
152 		SMBADM_CMDF_NONE,	SMBADM_VALUE_AUTH },
153 	{ "list",		smbadm_list,		HELP_LIST,
154 		SMBADM_CMDF_NONE,	SMBADM_BASIC_AUTH },
155 	{ "lookup",		smbadm_lookup,		HELP_LOOKUP,
156 		SMBADM_CMDF_NONE,	SMBADM_BASIC_AUTH },
157 };
158 
159 #define	SMBADM_NCMD	(sizeof (smbadm_cmdtable) / sizeof (smbadm_cmdtable[0]))
160 
161 typedef struct smbadm_prop {
162 	char *p_name;
163 	char *p_value;
164 } smbadm_prop_t;
165 
166 typedef struct smbadm_prop_handle {
167 	char *p_name;
168 	char *p_dispvalue;
169 	int (*p_setfn)(char *, smbadm_prop_t *);
170 	int (*p_getfn)(char *, smbadm_prop_t *);
171 	boolean_t (*p_chkfn)(smbadm_prop_t *);
172 } smbadm_prop_handle_t;
173 
174 static boolean_t smbadm_prop_validate(smbadm_prop_t *prop, boolean_t chkval);
175 static int smbadm_prop_parse(char *arg, smbadm_prop_t *prop);
176 static smbadm_prop_handle_t *smbadm_prop_gethandle(char *pname);
177 
178 static boolean_t smbadm_chkprop_priv(smbadm_prop_t *prop);
179 static int smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop);
180 static int smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop);
181 static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop);
182 static int smbadm_getprop_backup(char *gname, smbadm_prop_t *prop);
183 static int smbadm_setprop_restore(char *gname, smbadm_prop_t *prop);
184 static int smbadm_getprop_restore(char *gname, smbadm_prop_t *prop);
185 static int smbadm_setprop_desc(char *gname, smbadm_prop_t *prop);
186 static int smbadm_getprop_desc(char *gname, smbadm_prop_t *prop);
187 
188 static smbadm_prop_handle_t smbadm_ptable[] = {
189 	{"backup",	"on|off",	smbadm_setprop_backup,
190 	smbadm_getprop_backup,	smbadm_chkprop_priv	},
191 	{"restore",	"on|off",	smbadm_setprop_restore,
192 	smbadm_getprop_restore,	smbadm_chkprop_priv	},
193 	{"take-ownership", "on|off",	smbadm_setprop_tkowner,
194 	smbadm_getprop_tkowner,	smbadm_chkprop_priv	},
195 	{"description",	"<string>",	smbadm_setprop_desc,
196 	smbadm_getprop_desc,	NULL			},
197 };
198 
199 static int smbadm_init(void);
200 static void smbadm_fini(void);
201 static const char *smbadm_pwd_strerror(int error);
202 
203 /*
204  * Number of supported properties
205  */
206 #define	SMBADM_NPROP	(sizeof (smbadm_ptable) / sizeof (smbadm_ptable[0]))
207 
208 static void
209 smbadm_cmdusage(FILE *fp, smbadm_cmdinfo_t *cmd)
210 {
211 	switch (cmd->usage) {
212 	case HELP_ADD_MEMBER:
213 		(void) fprintf(fp,
214 		    gettext("\t%s -m <member> [-m <member>]... <group>\n"),
215 		    cmd->name);
216 		return;
217 
218 	case HELP_CREATE:
219 		(void) fprintf(fp, gettext("\t%s [-d <description>] <group>\n"),
220 		    cmd->name);
221 		return;
222 
223 	case HELP_DELETE:
224 		(void) fprintf(fp, gettext("\t%s <group>\n"), cmd->name);
225 		return;
226 
227 	case HELP_USER_DELETE:
228 	case HELP_USER_DISABLE:
229 	case HELP_USER_ENABLE:
230 		(void) fprintf(fp, gettext("\t%s <username>\n"), cmd->name);
231 		return;
232 
233 	case HELP_GET:
234 		(void) fprintf(fp, gettext("\t%s [-p <property>]... <group>\n"),
235 		    cmd->name);
236 		return;
237 
238 	case HELP_JOIN:
239 #if 0	/* Don't document "-p" yet, still needs work (NEX-11960) */
240 		(void) fprintf(fp, gettext("\t%s [-y] -p <domain>\n"
241 		    "\t%s [-y] -u <username domain>\n"
242 		    "\t%s [-y] -w <workgroup>\n"),
243 		    cmd->name, cmd->name, cmd->name);
244 #else
245 		(void) fprintf(fp, gettext("\t%s [-y] -u <username> <domain>\n"
246 		    "\t%s [-y] -w <workgroup>\n"), cmd->name, cmd->name);
247 #endif
248 		return;
249 
250 	case HELP_LIST:
251 		(void) fprintf(fp, gettext("\t%s\n"), cmd->name);
252 		return;
253 
254 	case HELP_LOOKUP:
255 		(void) fprintf(fp,
256 		    gettext("\t%s <account-name>\n"),
257 		    cmd->name);
258 		return;
259 
260 	case HELP_DEL_MEMBER:
261 		(void) fprintf(fp,
262 		    gettext("\t%s -m <member> [-m <member>]... <group>\n"),
263 		    cmd->name);
264 		return;
265 
266 	case HELP_RENAME:
267 		(void) fprintf(fp, gettext("\t%s <group> <new-group>\n"),
268 		    cmd->name);
269 		return;
270 
271 	case HELP_SET:
272 		(void) fprintf(fp, gettext("\t%s -p <property>=<value> "
273 		    "[-p <property>=<value>]... <group>\n"), cmd->name);
274 		return;
275 
276 	case HELP_SHOW:
277 		(void) fprintf(fp, gettext("\t%s [-mp] [<group>]\n"),
278 		    cmd->name);
279 		return;
280 
281 	default:
282 		break;
283 	}
284 
285 	abort();
286 	/* NOTREACHED */
287 }
288 
289 static void
290 smbadm_usage(boolean_t requested)
291 {
292 	FILE *fp = requested ? stdout : stderr;
293 	boolean_t show_props = B_FALSE;
294 	int i;
295 
296 	if (curcmd == NULL) {
297 		(void) fprintf(fp,
298 		    gettext("usage: %s <subcommand> <args> ...\n"),
299 		    progname);
300 
301 		for (i = 0; i < SMBADM_NCMD; i++)
302 			smbadm_cmdusage(fp, &smbadm_cmdtable[i]);
303 
304 		(void) fprintf(fp,
305 		    gettext("\nFor property list, run %s %s|%s\n"),
306 		    progname, "get", "set");
307 
308 		exit(requested ? 0 : 2);
309 	}
310 
311 	(void) fprintf(fp, gettext("usage:\n"));
312 	smbadm_cmdusage(fp, curcmd);
313 
314 	if (strcmp(curcmd->name, "get") == 0 ||
315 	    strcmp(curcmd->name, "set") == 0)
316 		show_props = B_TRUE;
317 
318 	if (show_props) {
319 		(void) fprintf(fp,
320 		    gettext("\nThe following properties are supported:\n"));
321 
322 		(void) fprintf(fp, "\n\t%-16s   %s\n\n",
323 		    "PROPERTY", "VALUES");
324 
325 		for (i = 0; i < SMBADM_NPROP; i++) {
326 			(void) fprintf(fp, "\t%-16s   %s\n",
327 			    smbadm_ptable[i].p_name,
328 			    smbadm_ptable[i].p_dispvalue);
329 		}
330 	}
331 
332 	exit(requested ? 0 : 2);
333 }
334 
335 /*
336  * smbadm_strcasecmplist
337  *
338  * Find a string 's' within a list of strings.
339  *
340  * Returns the index of the matching string or -1 if there is no match.
341  */
342 static int
343 smbadm_strcasecmplist(const char *s, ...)
344 {
345 	va_list ap;
346 	char *p;
347 	int ndx;
348 
349 	va_start(ap, s);
350 
351 	for (ndx = 0; ((p = va_arg(ap, char *)) != NULL); ++ndx) {
352 		if (strcasecmp(s, p) == 0) {
353 			va_end(ap);
354 			return (ndx);
355 		}
356 	}
357 
358 	va_end(ap);
359 	return (-1);
360 }
361 
362 /*
363  * smbadm_answer_prompt
364  *
365  * Prompt for the answer to a question.  A default response must be
366  * specified, which will be used if the user presses <enter> without
367  * answering the question.
368  */
369 static int
370 smbadm_answer_prompt(const char *prompt, char *answer, const char *dflt)
371 {
372 	char buf[SMBADM_ANSBUFSIZ];
373 	char *p;
374 
375 	(void) printf(gettext("%s [%s]: "), prompt, dflt);
376 
377 	if (fgets(buf, SMBADM_ANSBUFSIZ, stdin) == NULL)
378 		return (-1);
379 
380 	if ((p = strchr(buf, '\n')) != NULL)
381 		*p = '\0';
382 
383 	if (*buf == '\0')
384 		(void) strlcpy(answer, dflt, SMBADM_ANSBUFSIZ);
385 	else
386 		(void) strlcpy(answer, buf, SMBADM_ANSBUFSIZ);
387 
388 	return (0);
389 }
390 
391 /*
392  * smbadm_confirm
393  *
394  * Ask a question that requires a yes/no answer.
395  * A default response must be specified.
396  */
397 static boolean_t
398 smbadm_confirm(const char *prompt, const char *dflt)
399 {
400 	char buf[SMBADM_ANSBUFSIZ];
401 
402 	for (;;) {
403 		if (smbadm_answer_prompt(prompt, buf, dflt) < 0)
404 			return (B_FALSE);
405 
406 		if (smbadm_strcasecmplist(buf, "n", "no", 0) >= 0)
407 			return (B_FALSE);
408 
409 		if (smbadm_strcasecmplist(buf, "y", "yes", 0) >= 0)
410 			return (B_TRUE);
411 
412 		(void) printf(gettext("Please answer yes or no.\n"));
413 	}
414 }
415 
416 static boolean_t
417 smbadm_join_prompt(const char *domain)
418 {
419 	(void) printf(gettext("After joining %s the smb service will be "
420 	    "restarted automatically.\n"), domain);
421 
422 	return (smbadm_confirm("Would you like to continue?", "no"));
423 }
424 
425 static void
426 smbadm_restart_service(void)
427 {
428 	if (smb_smf_restart_service() != 0) {
429 		(void) fprintf(stderr,
430 		    gettext("Unable to restart smb service. "
431 		    "Run 'svcs -xv smb/server' for more information."));
432 	}
433 }
434 
435 /*
436  * smbadm_join
437  *
438  * Join a domain or workgroup.
439  *
440  * When joining a domain, we may receive the username, password and
441  * domain name in any of the following combinations.  Note that the
442  * password is optional on the command line: if it is not provided,
443  * we will prompt for it later.
444  *
445  *	username+password domain
446  *	domain\username+password
447  *	domain/username+password
448  *	username@domain
449  *
450  * We allow domain\name+password or domain/name+password but not
451  * name+password@domain because @ is a valid password character.
452  *
453  * If the username and domain name are passed as separate command
454  * line arguments, we process them directly.  Otherwise we separate
455  * them and continue as if they were separate command line arguments.
456  */
457 static int
458 smbadm_join(int argc, char **argv)
459 {
460 	char buf[MAXHOSTNAMELEN * 2];
461 	char *domain = NULL;
462 	char *username = NULL;
463 	uint32_t mode = 0;
464 	boolean_t do_prompt = B_TRUE;
465 	char option;
466 
467 	while ((option = getopt(argc, argv, "pu:wy")) != -1) {
468 		if (mode != 0) {
469 			(void) fprintf(stderr, gettext(
470 			    "join options are mutually exclusive\n"));
471 			smbadm_usage(B_FALSE);
472 		}
473 		switch (option) {
474 		case 'p':
475 			mode = SMB_SECMODE_DOMAIN;
476 			/* leave username = NULL */
477 			break;
478 
479 		case 'u':
480 			mode = SMB_SECMODE_DOMAIN;
481 			username = optarg;
482 			break;
483 
484 		case 'w':
485 			mode = SMB_SECMODE_WORKGRP;
486 			break;
487 
488 		case 'y':
489 			do_prompt = B_FALSE;
490 			break;
491 
492 		default:
493 			smbadm_usage(B_FALSE);
494 			break;
495 		}
496 	}
497 
498 	if (optind < argc)
499 		domain = argv[optind];
500 
501 	if (username != NULL && domain == NULL) {
502 		/*
503 		 * The domain was not specified as a separate
504 		 * argument, check for the combination forms.
505 		 */
506 		(void) strlcpy(buf, username, sizeof (buf));
507 		smbadm_extract_domain(buf, &username, &domain);
508 	}
509 
510 	if ((domain == NULL) || (*domain == '\0')) {
511 		(void) fprintf(stderr, gettext("missing %s name\n"),
512 		    (mode == SMB_SECMODE_WORKGRP) ? "workgroup" : "domain");
513 		smbadm_usage(B_FALSE);
514 	}
515 
516 	if (mode == SMB_SECMODE_WORKGRP) {
517 		return (smbadm_join_workgroup(domain, do_prompt));
518 	}
519 	return (smbadm_join_domain(domain, username, do_prompt));
520 }
521 
522 /*
523  * Workgroups comprise a collection of standalone, independently administered
524  * computers that use a common workgroup name.  This is a peer-to-peer model
525  * with no formal membership mechanism.
526  */
527 static int
528 smbadm_join_workgroup(const char *workgroup, boolean_t prompt)
529 {
530 	smb_joininfo_t jdi;
531 	smb_joinres_t jdres;
532 	uint32_t status;
533 
534 	bzero(&jdres, sizeof (jdres));
535 	bzero(&jdi, sizeof (jdi));
536 	jdi.mode = SMB_SECMODE_WORKGRP;
537 	(void) strlcpy(jdi.domain_name, workgroup, sizeof (jdi.domain_name));
538 	(void) strtrim(jdi.domain_name, " \t\n");
539 
540 	if (smb_name_validate_workgroup(jdi.domain_name) != ERROR_SUCCESS) {
541 		(void) fprintf(stderr, gettext("workgroup name is invalid\n"));
542 		smbadm_usage(B_FALSE);
543 	}
544 
545 	if (prompt && !smbadm_join_prompt(jdi.domain_name))
546 		return (0);
547 
548 	if ((status = smb_join(&jdi, &jdres)) != NT_STATUS_SUCCESS) {
549 		(void) fprintf(stderr, gettext("failed to join %s: %s\n"),
550 		    jdi.domain_name, xlate_nt_status(status));
551 		return (1);
552 	}
553 
554 	(void) printf(gettext("Successfully joined %s\n"), jdi.domain_name);
555 	smbadm_restart_service();
556 	return (0);
557 }
558 
559 /*
560  * Domains comprise a centrally administered group of computers and accounts
561  * that share a common security and administration policy and database.
562  * Computers must join a domain and become domain members, which requires
563  * an administrator level account name.
564  *
565  * The '+' character is invalid within a username.  We allow the password
566  * to be appended to the username using '+' as a scripting convenience.
567  */
568 static int
569 smbadm_join_domain(const char *domain, const char *username, boolean_t prompt)
570 {
571 	smb_joininfo_t jdi;
572 	smb_joinres_t jdres;
573 	char *passwd_prompt;
574 	char *p;
575 	int len, rc;
576 
577 	bzero(&jdres, sizeof (jdres));
578 	bzero(&jdi, sizeof (jdi));
579 	jdi.mode = SMB_SECMODE_DOMAIN;
580 	(void) strlcpy(jdi.domain_name, domain, sizeof (jdi.domain_name));
581 	(void) strtrim(jdi.domain_name, " \t\n");
582 
583 	if (smb_name_validate_domain(jdi.domain_name) != ERROR_SUCCESS) {
584 		(void) fprintf(stderr, gettext("domain name is invalid\n"));
585 		smbadm_usage(B_FALSE);
586 	}
587 
588 	if (prompt && !smbadm_join_prompt(jdi.domain_name))
589 		return (0);
590 
591 	/*
592 	 * Note: username is null for "unsecure join"
593 	 * (join using a pre-created computer account)
594 	 * No password either.
595 	 */
596 	if (username != NULL) {
597 		if ((p = strchr(username, '+')) != NULL) {
598 			++p;
599 
600 			len = (int)(p - username);
601 			if (len > sizeof (jdi.domain_name))
602 				len = sizeof (jdi.domain_name);
603 
604 			(void) strlcpy(jdi.domain_username, username, len);
605 			(void) strlcpy(jdi.domain_passwd, p,
606 			    sizeof (jdi.domain_passwd));
607 		} else {
608 			(void) strlcpy(jdi.domain_username, username,
609 			    sizeof (jdi.domain_username));
610 		}
611 
612 		if (smb_name_validate_account(jdi.domain_username)
613 		    != ERROR_SUCCESS) {
614 			(void) fprintf(stderr,
615 			    gettext("username contains invalid characters\n"));
616 			smbadm_usage(B_FALSE);
617 		}
618 
619 		if (*jdi.domain_passwd == '\0') {
620 			passwd_prompt = gettext("Enter domain password: ");
621 
622 			if ((p = getpassphrase(passwd_prompt)) == NULL) {
623 				(void) fprintf(stderr, gettext(
624 				    "missing password\n"));
625 				smbadm_usage(B_FALSE);
626 			}
627 
628 			(void) strlcpy(jdi.domain_passwd, p,
629 			    sizeof (jdi.domain_passwd));
630 		}
631 	}
632 
633 	(void) printf(gettext("Joining %s ... this may take a minute ...\n"),
634 	    jdi.domain_name);
635 
636 	rc = smb_join(&jdi, &jdres);
637 	if (rc != 0) {
638 		(void) printf(gettext("Cannot call the SMB service. "
639 		    " (error %d: %s) "
640 		    "Please check the service status "
641 		    "(svcs -vx network/smb/server)\n"),
642 		    rc, strerror(rc));
643 		bzero(&jdi, sizeof (jdi));
644 		return (1);
645 	}
646 
647 	switch (jdres.status) {
648 	case NT_STATUS_SUCCESS:
649 		(void) printf(gettext(
650 		    "Successfully joined domain %s using AD server %s\n"),
651 		    jdi.domain_name, jdres.dc_name);
652 		bzero(&jdi, sizeof (jdi));
653 		smbadm_restart_service();
654 		return (0);
655 
656 	case NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND:
657 		/* See: smb_ads_lookup_msdcs */
658 		(void) fprintf(stderr, gettext(
659 		    "failed to find any AD servers for domain: %s\n"),
660 		    jdi.domain_name);
661 		goto common;
662 
663 	case NT_STATUS_BAD_NETWORK_PATH:
664 		/* See: smbrdr_ctx_new / smb_ctx_resolve */
665 		(void) fprintf(stderr, gettext(
666 		    "failed to resolve address of AD server: %s\n"),
667 		    jdres.dc_name);
668 		goto common;
669 
670 	case NT_STATUS_NETWORK_ACCESS_DENIED:
671 		/* See: smbrdr_ctx_new / smb_ctx_get_ssn */
672 		(void) fprintf(stderr, gettext(
673 		    "failed to authenticate with AD server: %s\n"),
674 		    jdres.dc_name);
675 		goto common;
676 
677 	case NT_STATUS_BAD_NETWORK_NAME:
678 		/*
679 		 * See: smbrdr_ctx_new / smb_ctx_get_tree
680 		 * and: ndr_rpc_bind / smb_fh_open
681 		 */
682 		(void) fprintf(stderr, gettext(
683 		    "failed connecting to services on AD server: %s\n"),
684 		    jdres.dc_name);
685 		goto common;
686 
687 	default:
688 		(void) fprintf(stderr, gettext(
689 		    "failed to join domain %s\n"),
690 		    jdi.domain_name);
691 		if (jdres.dc_name[0] != '\0') {
692 			(void) fprintf(stderr, gettext(
693 			    "using AD server: %s\n"),
694 			    jdres.dc_name);
695 		}
696 		/* FALLTHROUGH */
697 	common:
698 		if (jdres.join_err != 0) {
699 			(void) fprintf(stderr, "%s\n",
700 			    smb_ads_strerror(jdres.join_err));
701 		} else if (jdres.status != 0) {
702 			(void) fprintf(stderr, "(%s)\n",
703 			    xlate_nt_status(jdres.status));
704 		}
705 		(void) fprintf(stderr, gettext("Please refer to the "
706 		    "service log for more information.\n"));
707 		bzero(&jdi, sizeof (jdi));
708 		return (1);
709 	}
710 }
711 
712 /*
713  * We want to process the user and domain names as separate strings.
714  * Check for names of the forms below and separate the components as
715  * required.
716  *
717  *	name@domain
718  *	domain\name
719  *	domain/name
720  *
721  * If we encounter any of the forms above in arg, the @, / or \
722  * separator is replaced by \0 and the username and domain pointers
723  * are changed to point to the appropriate components (in arg).
724  *
725  * If none of the separators are encountered, the username and domain
726  * pointers remain unchanged.
727  */
728 static void
729 smbadm_extract_domain(char *arg, char **username, char **domain)
730 {
731 	char *p;
732 
733 	if ((p = strpbrk(arg, "/\\@")) != NULL) {
734 		if (*p == '@') {
735 			*p = '\0';
736 			++p;
737 
738 			if (strchr(arg, '+') != NULL)
739 				return;
740 
741 			*domain = p;
742 			*username = arg;
743 		} else {
744 			*p = '\0';
745 			++p;
746 			*username = p;
747 			*domain = arg;
748 		}
749 	}
750 }
751 
752 /*
753  * smbadm_list
754  *
755  * Displays current security mode and domain/workgroup name.
756  */
757 /*ARGSUSED*/
758 static int
759 smbadm_list(int argc, char **argv)
760 {
761 	char domain[MAXHOSTNAMELEN];
762 	char fqdn[MAXHOSTNAMELEN];
763 	char srvname[MAXHOSTNAMELEN];
764 	char modename[16];
765 	int rc;
766 	smb_inaddr_t srvipaddr;
767 	char ipstr[INET6_ADDRSTRLEN];
768 
769 	rc = smb_config_getstr(SMB_CI_SECURITY, modename, sizeof (modename));
770 	if (rc != SMBD_SMF_OK) {
771 		(void) fprintf(stderr,
772 		    gettext("cannot determine the operational mode\n"));
773 		return (1);
774 	}
775 
776 	if (smb_getdomainname(domain, sizeof (domain)) != 0) {
777 		(void) fprintf(stderr, gettext("failed to get the %s name\n"),
778 		    modename);
779 		return (1);
780 	}
781 
782 	if (strcmp(modename, "workgroup") == 0) {
783 		(void) printf(gettext("[*] [%s]\n"), domain);
784 		return (0);
785 	}
786 
787 	(void) printf(gettext("[*] [%s]\n"), domain);
788 	if ((smb_getfqdomainname(fqdn, sizeof (fqdn)) == 0) && (*fqdn != '\0'))
789 		(void) printf(gettext("[*] [%s]\n"), fqdn);
790 
791 	if ((smb_get_dcinfo(srvname, MAXHOSTNAMELEN, &srvipaddr)
792 	    == NT_STATUS_SUCCESS) && (*srvname != '\0') &&
793 	    (!smb_inet_iszero(&srvipaddr))) {
794 		(void) smb_inet_ntop(&srvipaddr, ipstr,
795 		    SMB_IPSTRLEN(srvipaddr.a_family));
796 		(void) printf(gettext("\t[+%s] [%s]\n"),
797 		    srvname, ipstr);
798 	}
799 
800 	/* Print the local and domain SID. */
801 	smb_domain_show();
802 	return (0);
803 }
804 
805 /*
806  * smbadm_lookup
807  *
808  * Lookup the SID for a given account (user or group)
809  */
810 static int
811 smbadm_lookup(int argc, char **argv)
812 {
813 	int i;
814 
815 	if (argc < 2) {
816 		(void) fprintf(stderr, gettext("missing account name\n"));
817 		smbadm_usage(B_FALSE);
818 	}
819 
820 	for (i = 1; i < argc; i++) {
821 		if (strncmp(argv[i], "S-1-", 4) == 0)
822 			smbadm_lookup_sid(argv[i]);
823 		else
824 			smbadm_lookup_name(argv[i]);
825 	}
826 	return (0);
827 }
828 
829 static void
830 smbadm_lookup_name(char *name)
831 {
832 	lsa_account_t	acct;
833 	int rc;
834 
835 	if ((rc = smb_lookup_name(name, SidTypeUnknown, &acct)) != 0) {
836 		(void) fprintf(stderr, gettext(
837 		    "\t\t%s: lookup name failed, rc=%d\n"),
838 		    name, rc);
839 		return;
840 	}
841 	if (acct.a_status != NT_STATUS_SUCCESS) {
842 		(void) fprintf(stderr, gettext("\t\t%s [%s]\n"),
843 		    name, xlate_nt_status(acct.a_status));
844 		return;
845 	}
846 	(void) printf("\t%s\n", acct.a_sid);
847 }
848 
849 static void
850 smbadm_lookup_sid(char *sidstr)
851 {
852 	lsa_account_t	acct;
853 	int rc;
854 
855 	if ((rc = smb_lookup_sid(sidstr, &acct)) != 0) {
856 		(void) fprintf(stderr, gettext(
857 		    "\t\t%s: lookup SID failed, rc=%d\n"),
858 		    sidstr, rc);
859 		return;
860 	}
861 	if (acct.a_status != NT_STATUS_SUCCESS) {
862 		(void) fprintf(stderr, gettext("\t\t%s [%s]\n"),
863 		    sidstr, xlate_nt_status(acct.a_status));
864 		return;
865 	}
866 	(void) printf("\t%s\\%s\n", acct.a_domain, acct.a_name);
867 }
868 
869 /*
870  * smbadm_group_create
871  *
872  * Creates a local SMB group
873  */
874 static int
875 smbadm_group_create(int argc, char **argv)
876 {
877 	char *gname = NULL;
878 	char *desc = NULL;
879 	char option;
880 	int status;
881 
882 	while ((option = getopt(argc, argv, "d:")) != -1) {
883 		switch (option) {
884 		case 'd':
885 			desc = optarg;
886 			break;
887 
888 		default:
889 			smbadm_usage(B_FALSE);
890 		}
891 	}
892 
893 	gname = argv[optind];
894 	if (optind >= argc || gname == NULL || *gname == '\0') {
895 		(void) fprintf(stderr, gettext("missing group name\n"));
896 		smbadm_usage(B_FALSE);
897 	}
898 
899 	status = smb_lgrp_add(gname, desc);
900 	if (status != SMB_LGRP_SUCCESS) {
901 		(void) fprintf(stderr,
902 		    gettext("failed to create %s (%s)\n"), gname,
903 		    smb_lgrp_strerror(status));
904 	} else {
905 		(void) printf(gettext("%s created\n"), gname);
906 	}
907 
908 	return (status);
909 }
910 
911 /*
912  * smbadm_group_dump_members
913  *
914  * Dump group members details.
915  */
916 static void
917 smbadm_group_dump_members(smb_gsid_t *members, int num)
918 {
919 	char		sidstr[SMB_SID_STRSZ];
920 	lsa_account_t	acct;
921 	int		i;
922 
923 	if (num == 0) {
924 		(void) printf(gettext("\tNo members\n"));
925 		return;
926 	}
927 
928 	(void) printf(gettext("\tMembers:\n"));
929 	for (i = 0; i < num; i++) {
930 		smb_sid_tostr(members[i].gs_sid, sidstr);
931 
932 		if (smb_lookup_sid(sidstr, &acct) == 0) {
933 			if (acct.a_status == NT_STATUS_SUCCESS)
934 				smbadm_group_show_name(acct.a_domain,
935 				    acct.a_name);
936 			else
937 				(void) printf(gettext("\t\t%s [%s]\n"),
938 				    sidstr, xlate_nt_status(acct.a_status));
939 		} else {
940 			(void) printf(gettext("\t\t%s\n"), sidstr);
941 		}
942 	}
943 }
944 
945 static void
946 smbadm_group_show_name(const char *domain, const char *name)
947 {
948 	if (strchr(domain, '.') != NULL)
949 		(void) printf("\t\t%s@%s\n", name, domain);
950 	else
951 		(void) printf("\t\t%s\\%s\n", domain, name);
952 }
953 
954 /*
955  * smbadm_group_dump_privs
956  *
957  * Dump group privilege details.
958  */
959 static void
960 smbadm_group_dump_privs(smb_privset_t *privs)
961 {
962 	smb_privinfo_t *pinfo;
963 	char *pstatus;
964 	int i;
965 
966 	(void) printf(gettext("\tPrivileges: \n"));
967 
968 	for (i = 0; i < privs->priv_cnt; i++) {
969 		pinfo = smb_priv_getbyvalue(privs->priv[i].luid.lo_part);
970 		if ((pinfo == NULL) || (pinfo->flags & PF_PRESENTABLE) == 0)
971 			continue;
972 
973 		switch (privs->priv[i].attrs) {
974 		case SE_PRIVILEGE_ENABLED:
975 			pstatus = "On";
976 			break;
977 		case SE_PRIVILEGE_DISABLED:
978 			pstatus = "Off";
979 			break;
980 		default:
981 			pstatus = "Unknown";
982 			break;
983 		}
984 		(void) printf(gettext("\t\t%s: %s\n"), pinfo->name, pstatus);
985 	}
986 
987 	if (privs->priv_cnt == 0)
988 		(void) printf(gettext("\t\tNo privileges\n"));
989 }
990 
991 /*
992  * smbadm_group_dump
993  *
994  * Dump group details.
995  */
996 static void
997 smbadm_group_dump(smb_group_t *grp, boolean_t show_mem, boolean_t show_privs)
998 {
999 	char sidstr[SMB_SID_STRSZ];
1000 
1001 	(void) printf(gettext("%s (%s)\n"), grp->sg_name, grp->sg_cmnt);
1002 
1003 	smb_sid_tostr(grp->sg_id.gs_sid, sidstr);
1004 	(void) printf(gettext("\tSID: %s\n"), sidstr);
1005 
1006 	if (show_privs)
1007 		smbadm_group_dump_privs(grp->sg_privs);
1008 
1009 	if (show_mem)
1010 		smbadm_group_dump_members(grp->sg_members, grp->sg_nmembers);
1011 }
1012 
1013 /*
1014  * smbadm_group_show
1015  *
1016  */
1017 static int
1018 smbadm_group_show(int argc, char **argv)
1019 {
1020 	char *gname = NULL;
1021 	boolean_t show_privs;
1022 	boolean_t show_members;
1023 	char option;
1024 	int status;
1025 	smb_group_t grp;
1026 	smb_giter_t gi;
1027 
1028 	show_privs = show_members = B_FALSE;
1029 
1030 	while ((option = getopt(argc, argv, "mp")) != -1) {
1031 		switch (option) {
1032 		case 'm':
1033 			show_members = B_TRUE;
1034 			break;
1035 		case 'p':
1036 			show_privs = B_TRUE;
1037 			break;
1038 
1039 		default:
1040 			smbadm_usage(B_FALSE);
1041 		}
1042 	}
1043 
1044 	gname = argv[optind];
1045 	if (optind >= argc || gname == NULL || *gname == '\0')
1046 		gname = "*";
1047 
1048 	if (strcmp(gname, "*")) {
1049 		status = smb_lgrp_getbyname(gname, &grp);
1050 		if (status == SMB_LGRP_SUCCESS) {
1051 			smbadm_group_dump(&grp, show_members, show_privs);
1052 			smb_lgrp_free(&grp);
1053 		} else {
1054 			(void) fprintf(stderr,
1055 			    gettext("failed to find %s (%s)\n"),
1056 			    gname, smb_lgrp_strerror(status));
1057 		}
1058 		return (status);
1059 	}
1060 
1061 	if ((status = smb_lgrp_iteropen(&gi)) != SMB_LGRP_SUCCESS) {
1062 		(void) fprintf(stderr, gettext("failed to list groups (%s)\n"),
1063 		    smb_lgrp_strerror(status));
1064 		return (status);
1065 	}
1066 
1067 	while ((status = smb_lgrp_iterate(&gi, &grp)) == SMB_LGRP_SUCCESS) {
1068 		smbadm_group_dump(&grp, show_members, show_privs);
1069 		smb_lgrp_free(&grp);
1070 	}
1071 
1072 	smb_lgrp_iterclose(&gi);
1073 
1074 	if ((status != SMB_LGRP_NO_MORE) || smb_lgrp_itererror(&gi)) {
1075 		if (status != SMB_LGRP_NO_MORE)
1076 			smb_syslog(LOG_ERR, "smb_lgrp_iterate: %s",
1077 			    smb_lgrp_strerror(status));
1078 
1079 		(void) fprintf(stderr,
1080 		    gettext("\nAn error occurred while retrieving group data.\n"
1081 		    "Check the system log for more information.\n"));
1082 		return (status);
1083 	}
1084 
1085 	return (0);
1086 }
1087 
1088 /*
1089  * smbadm_group_delete
1090  */
1091 static int
1092 smbadm_group_delete(int argc, char **argv)
1093 {
1094 	char *gname = NULL;
1095 	int status;
1096 
1097 	gname = argv[optind];
1098 	if (optind >= argc || gname == NULL || *gname == '\0') {
1099 		(void) fprintf(stderr, gettext("missing group name\n"));
1100 		smbadm_usage(B_FALSE);
1101 	}
1102 
1103 	status = smb_lgrp_delete(gname);
1104 	if (status != SMB_LGRP_SUCCESS) {
1105 		(void) fprintf(stderr,
1106 		    gettext("failed to delete %s (%s)\n"), gname,
1107 		    smb_lgrp_strerror(status));
1108 	} else {
1109 		(void) printf(gettext("%s deleted\n"), gname);
1110 	}
1111 
1112 	return (status);
1113 }
1114 
1115 /*
1116  * smbadm_group_rename
1117  */
1118 static int
1119 smbadm_group_rename(int argc, char **argv)
1120 {
1121 	char *gname = NULL;
1122 	char *ngname = NULL;
1123 	int status;
1124 
1125 	gname = argv[optind];
1126 	if (optind++ >= argc || gname == NULL || *gname == '\0') {
1127 		(void) fprintf(stderr, gettext("missing group name\n"));
1128 		smbadm_usage(B_FALSE);
1129 	}
1130 
1131 	ngname = argv[optind];
1132 	if (optind >= argc || ngname == NULL || *ngname == '\0') {
1133 		(void) fprintf(stderr, gettext("missing new group name\n"));
1134 		smbadm_usage(B_FALSE);
1135 	}
1136 
1137 	status = smb_lgrp_rename(gname, ngname);
1138 	if (status != SMB_LGRP_SUCCESS) {
1139 		if (status == SMB_LGRP_EXISTS)
1140 			(void) fprintf(stderr,
1141 			    gettext("failed to rename '%s' (%s already "
1142 			    "exists)\n"), gname, ngname);
1143 		else
1144 			(void) fprintf(stderr,
1145 			    gettext("failed to rename '%s' (%s)\n"), gname,
1146 			    smb_lgrp_strerror(status));
1147 	} else {
1148 		(void) printf(gettext("'%s' renamed to '%s'\n"), gname, ngname);
1149 	}
1150 
1151 	return (status);
1152 }
1153 
1154 /*
1155  * smbadm_group_setprop
1156  *
1157  * Set the group properties.
1158  */
1159 static int
1160 smbadm_group_setprop(int argc, char **argv)
1161 {
1162 	char *gname = NULL;
1163 	smbadm_prop_t props[SMBADM_NPROP];
1164 	smbadm_prop_handle_t *phandle;
1165 	char option;
1166 	int pcnt = 0;
1167 	int ret;
1168 	int p;
1169 
1170 	bzero(props, SMBADM_NPROP * sizeof (smbadm_prop_t));
1171 
1172 	while ((option = getopt(argc, argv, "p:")) != -1) {
1173 		switch (option) {
1174 		case 'p':
1175 			if (pcnt >= SMBADM_NPROP) {
1176 				(void) fprintf(stderr,
1177 				    gettext("exceeded number of supported"
1178 				    " properties\n"));
1179 				smbadm_usage(B_FALSE);
1180 			}
1181 
1182 			if (smbadm_prop_parse(optarg, &props[pcnt++]) != 0)
1183 				smbadm_usage(B_FALSE);
1184 			break;
1185 
1186 		default:
1187 			smbadm_usage(B_FALSE);
1188 		}
1189 	}
1190 
1191 	if (pcnt == 0) {
1192 		(void) fprintf(stderr,
1193 		    gettext("missing property=value argument\n"));
1194 		smbadm_usage(B_FALSE);
1195 	}
1196 
1197 	gname = argv[optind];
1198 	if (optind >= argc || gname == NULL || *gname == '\0') {
1199 		(void) fprintf(stderr, gettext("missing group name\n"));
1200 		smbadm_usage(B_FALSE);
1201 	}
1202 
1203 	for (p = 0; p < pcnt; p++) {
1204 		phandle = smbadm_prop_gethandle(props[p].p_name);
1205 		if (phandle) {
1206 			if (phandle->p_setfn(gname, &props[p]) != 0)
1207 				ret = 1;
1208 		}
1209 	}
1210 
1211 	return (ret);
1212 }
1213 
1214 /*
1215  * smbadm_group_getprop
1216  *
1217  * Get the group properties.
1218  */
1219 static int
1220 smbadm_group_getprop(int argc, char **argv)
1221 {
1222 	char *gname = NULL;
1223 	smbadm_prop_t props[SMBADM_NPROP];
1224 	smbadm_prop_handle_t *phandle;
1225 	char option;
1226 	int pcnt = 0;
1227 	int ret;
1228 	int p;
1229 
1230 	bzero(props, SMBADM_NPROP * sizeof (smbadm_prop_t));
1231 
1232 	while ((option = getopt(argc, argv, "p:")) != -1) {
1233 		switch (option) {
1234 		case 'p':
1235 			if (pcnt >= SMBADM_NPROP) {
1236 				(void) fprintf(stderr,
1237 				    gettext("exceeded number of supported"
1238 				    " properties\n"));
1239 				smbadm_usage(B_FALSE);
1240 			}
1241 
1242 			if (smbadm_prop_parse(optarg, &props[pcnt++]) != 0)
1243 				smbadm_usage(B_FALSE);
1244 			break;
1245 
1246 		default:
1247 			smbadm_usage(B_FALSE);
1248 		}
1249 	}
1250 
1251 	gname = argv[optind];
1252 	if (optind >= argc || gname == NULL || *gname == '\0') {
1253 		(void) fprintf(stderr, gettext("missing group name\n"));
1254 		smbadm_usage(B_FALSE);
1255 	}
1256 
1257 	if (pcnt == 0) {
1258 		/*
1259 		 * If no property has be specified then get
1260 		 * all the properties.
1261 		 */
1262 		pcnt = SMBADM_NPROP;
1263 		for (p = 0; p < pcnt; p++)
1264 			props[p].p_name = smbadm_ptable[p].p_name;
1265 	}
1266 
1267 	for (p = 0; p < pcnt; p++) {
1268 		phandle = smbadm_prop_gethandle(props[p].p_name);
1269 		if (phandle) {
1270 			if (phandle->p_getfn(gname, &props[p]) != 0)
1271 				ret = 1;
1272 		}
1273 	}
1274 
1275 	return (ret);
1276 }
1277 
1278 /*
1279  * smbadm_group_addmember
1280  *
1281  */
1282 static int
1283 smbadm_group_addmember(int argc, char **argv)
1284 {
1285 	char *gname = NULL;
1286 	char **mname;
1287 	char option;
1288 	int mcnt = 0;
1289 	int ret = 0;
1290 	int i;
1291 
1292 
1293 	mname = (char **)malloc(argc * sizeof (char *));
1294 	if (mname == NULL) {
1295 		warn(gettext("failed to add group member"));
1296 		return (1);
1297 	}
1298 	bzero(mname, argc * sizeof (char *));
1299 
1300 	while ((option = getopt(argc, argv, "m:")) != -1) {
1301 		switch (option) {
1302 		case 'm':
1303 			mname[mcnt++] = optarg;
1304 			break;
1305 
1306 		default:
1307 			free(mname);
1308 			smbadm_usage(B_FALSE);
1309 		}
1310 	}
1311 
1312 	if (mcnt == 0) {
1313 		(void) fprintf(stderr, gettext("missing member name\n"));
1314 		free(mname);
1315 		smbadm_usage(B_FALSE);
1316 	}
1317 
1318 	gname = argv[optind];
1319 	if (optind >= argc || gname == NULL || *gname == 0) {
1320 		(void) fprintf(stderr, gettext("missing group name\n"));
1321 		free(mname);
1322 		smbadm_usage(B_FALSE);
1323 	}
1324 
1325 	for (i = 0; i < mcnt; i++) {
1326 		if (mname[i] == NULL)
1327 			continue;
1328 		ret |= smbadm_group_add_del_member(
1329 		    gname, mname[i], SMBADM_GRP_ADDMEMBER);
1330 	}
1331 
1332 	free(mname);
1333 	return (ret);
1334 }
1335 
1336 /*
1337  * smbadm_group_delmember
1338  */
1339 static int
1340 smbadm_group_delmember(int argc, char **argv)
1341 {
1342 	char *gname = NULL;
1343 	char **mname;
1344 	char option;
1345 	int mcnt = 0;
1346 	int ret = 0;
1347 	int i;
1348 
1349 	mname = (char **)malloc(argc * sizeof (char *));
1350 	if (mname == NULL) {
1351 		warn(gettext("failed to delete group member"));
1352 		return (1);
1353 	}
1354 	bzero(mname, argc * sizeof (char *));
1355 
1356 	while ((option = getopt(argc, argv, "m:")) != -1) {
1357 		switch (option) {
1358 		case 'm':
1359 			mname[mcnt++] = optarg;
1360 			break;
1361 
1362 		default:
1363 			free(mname);
1364 			smbadm_usage(B_FALSE);
1365 		}
1366 	}
1367 
1368 	if (mcnt == 0) {
1369 		(void) fprintf(stderr, gettext("missing member name\n"));
1370 		free(mname);
1371 		smbadm_usage(B_FALSE);
1372 	}
1373 
1374 	gname = argv[optind];
1375 	if (optind >= argc || gname == NULL || *gname == 0) {
1376 		(void) fprintf(stderr, gettext("missing group name\n"));
1377 		free(mname);
1378 		smbadm_usage(B_FALSE);
1379 	}
1380 
1381 
1382 	for (i = 0; i < mcnt; i++) {
1383 		ret = 0;
1384 		if (mname[i] == NULL)
1385 			continue;
1386 		ret |= smbadm_group_add_del_member(
1387 		    gname, mname[i], SMBADM_GRP_DELMEMBER);
1388 	}
1389 
1390 	free(mname);
1391 	return (ret);
1392 }
1393 
1394 static int
1395 smbadm_group_add_del_member(char *gname, char *mname,
1396     smbadm_grp_action_t act)
1397 {
1398 	lsa_account_t	acct;
1399 	smb_gsid_t msid;
1400 	char *sidstr;
1401 	char *act_str;
1402 	int rc;
1403 
1404 	if (strncmp(mname, "S-1-", 4) == 0) {
1405 		/*
1406 		 * We are given a SID.  Just use it.
1407 		 *
1408 		 * We'd like the real account type if we can get it,
1409 		 * but don't want to error out if we can't get it.
1410 		 * Lacking other info, assume it's a group.
1411 		 */
1412 		sidstr = mname;
1413 		rc = smb_lookup_sid(sidstr, &acct);
1414 		if ((rc != 0) || (acct.a_status != NT_STATUS_SUCCESS))
1415 			acct.a_sidtype = SidTypeGroup;
1416 	} else {
1417 		rc = smb_lookup_name(mname, SidTypeUnknown, &acct);
1418 		if ((rc != 0) || (acct.a_status != NT_STATUS_SUCCESS)) {
1419 			(void) fprintf(stderr,
1420 			    gettext("%s: name lookup failed\n"), mname);
1421 			return (1);
1422 		}
1423 		sidstr = acct.a_sid;
1424 	}
1425 
1426 	msid.gs_type = acct.a_sidtype;
1427 	if ((msid.gs_sid = smb_sid_fromstr(sidstr)) == NULL) {
1428 		(void) fprintf(stderr,
1429 		    gettext("%s: no memory for SID\n"), sidstr);
1430 		return (1);
1431 	}
1432 
1433 	switch (act) {
1434 	case SMBADM_GRP_ADDMEMBER:
1435 		act_str = gettext("add");
1436 		rc = smb_lgrp_add_member(gname,
1437 		    msid.gs_sid, msid.gs_type);
1438 		break;
1439 	case SMBADM_GRP_DELMEMBER:
1440 		act_str = gettext("remove");
1441 		rc = smb_lgrp_del_member(gname,
1442 		    msid.gs_sid, msid.gs_type);
1443 		break;
1444 	default:
1445 		rc = SMB_LGRP_INTERNAL_ERROR;
1446 		break;
1447 	}
1448 
1449 	smb_sid_free(msid.gs_sid);
1450 
1451 	if (rc != SMB_LGRP_SUCCESS) {
1452 		(void) fprintf(stderr,
1453 		    gettext("failed to %s %s (%s)\n"),
1454 		    act_str, mname, smb_lgrp_strerror(rc));
1455 		return (1);
1456 	}
1457 	return (0);
1458 }
1459 
1460 static int
1461 smbadm_user_delete(int argc, char **argv)
1462 {
1463 	int error;
1464 	char *user = NULL;
1465 
1466 	user = argv[optind];
1467 	if (optind >= argc || user == NULL || *user == '\0') {
1468 		(void) fprintf(stderr, gettext("missing user name\n"));
1469 		smbadm_usage(B_FALSE);
1470 	}
1471 
1472 	error = smb_pwd_setcntl(user, SMB_PWC_DELETE);
1473 	if (error == SMB_PWE_SUCCESS)
1474 		(void) printf(gettext("%s has been deleted.\n"), user);
1475 	else
1476 		(void) fprintf(stderr, "%s\n", smbadm_pwd_strerror(error));
1477 
1478 	return (error);
1479 }
1480 
1481 static int
1482 smbadm_user_disable(int argc, char **argv)
1483 {
1484 	int error;
1485 	char *user = NULL;
1486 
1487 	user = argv[optind];
1488 	if (optind >= argc || user == NULL || *user == '\0') {
1489 		(void) fprintf(stderr, gettext("missing user name\n"));
1490 		smbadm_usage(B_FALSE);
1491 	}
1492 
1493 	error = smb_pwd_setcntl(user, SMB_PWC_DISABLE);
1494 	if (error == SMB_PWE_SUCCESS)
1495 		(void) printf(gettext("%s is disabled.\n"), user);
1496 	else
1497 		(void) fprintf(stderr, "%s\n", smbadm_pwd_strerror(error));
1498 
1499 	return (error);
1500 }
1501 
1502 static int
1503 smbadm_user_enable(int argc, char **argv)
1504 {
1505 	int error;
1506 	char *user = NULL;
1507 
1508 	user = argv[optind];
1509 	if (optind >= argc || user == NULL || *user == '\0') {
1510 		(void) fprintf(stderr, gettext("missing user name\n"));
1511 		smbadm_usage(B_FALSE);
1512 	}
1513 
1514 	error = smb_pwd_setcntl(user, SMB_PWC_ENABLE);
1515 	if (error == SMB_PWE_SUCCESS)
1516 		(void) printf(gettext("%s is enabled.\n"), user);
1517 	else
1518 		(void) fprintf(stderr, "%s\n", smbadm_pwd_strerror(error));
1519 
1520 	return (error);
1521 }
1522 
1523 
1524 int
1525 main(int argc, char **argv)
1526 {
1527 	int ret;
1528 	int i;
1529 
1530 	(void) setlocale(LC_ALL, "");
1531 	(void) textdomain(TEXT_DOMAIN);
1532 
1533 	(void) malloc(0);	/* satisfy libumem dependency */
1534 
1535 	progname = basename(argv[0]);
1536 
1537 	if (is_system_labeled()) {
1538 		(void) fprintf(stderr,
1539 		    gettext("Trusted Extensions not supported\n"));
1540 		return (1);
1541 	}
1542 
1543 	if (argc < 2) {
1544 		(void) fprintf(stderr, gettext("missing command\n"));
1545 		smbadm_usage(B_FALSE);
1546 	}
1547 
1548 	/*
1549 	 * Special case "cmd --help/-?"
1550 	 */
1551 	if (strcmp(argv[1], "-?") == 0 ||
1552 	    strcmp(argv[1], "--help") == 0 ||
1553 	    strcmp(argv[1], "-h") == 0)
1554 		smbadm_usage(B_TRUE);
1555 
1556 	for (i = 0; i < SMBADM_NCMD; ++i) {
1557 		curcmd = &smbadm_cmdtable[i];
1558 		if (strcasecmp(argv[1], curcmd->name) == 0) {
1559 			if (argc > 2) {
1560 				/* cmd subcmd --help/-? */
1561 				if (strcmp(argv[2], "-?") == 0 ||
1562 				    strcmp(argv[2], "--help") == 0 ||
1563 				    strcmp(argv[2], "-h") == 0)
1564 					smbadm_usage(B_TRUE);
1565 			}
1566 
1567 			if (!smbadm_checkauth(curcmd->auth)) {
1568 				(void) fprintf(stderr,
1569 				    gettext("%s: %s: authorization denied\n"),
1570 				    progname, curcmd->name);
1571 				return (1);
1572 			}
1573 
1574 			if ((ret = smbadm_init()) != 0)
1575 				return (ret);
1576 
1577 			ret = curcmd->func(argc - 1, &argv[1]);
1578 
1579 			smbadm_fini();
1580 			return (ret);
1581 		}
1582 	}
1583 
1584 	curcmd = NULL;
1585 	(void) fprintf(stderr, gettext("unknown subcommand (%s)\n"), argv[1]);
1586 	smbadm_usage(B_FALSE);
1587 	return (2);
1588 }
1589 
1590 static int
1591 smbadm_init(void)
1592 {
1593 	int rc;
1594 
1595 	switch (curcmd->flags & SMBADM_CMDF_TYPEMASK) {
1596 	case SMBADM_CMDF_GROUP:
1597 		if ((rc = smb_lgrp_start()) != SMB_LGRP_SUCCESS) {
1598 			(void) fprintf(stderr,
1599 			    gettext("failed to initialize (%s)\n"),
1600 			    smb_lgrp_strerror(rc));
1601 			return (1);
1602 		}
1603 		break;
1604 
1605 	case SMBADM_CMDF_USER:
1606 		smb_pwd_init(B_FALSE);
1607 		break;
1608 
1609 	default:
1610 		break;
1611 	}
1612 
1613 	return (0);
1614 }
1615 
1616 static void
1617 smbadm_fini(void)
1618 {
1619 	switch (curcmd->flags & SMBADM_CMDF_TYPEMASK) {
1620 	case SMBADM_CMDF_GROUP:
1621 		smb_lgrp_stop();
1622 		break;
1623 
1624 	case SMBADM_CMDF_USER:
1625 		smb_pwd_fini();
1626 		break;
1627 
1628 	default:
1629 		break;
1630 	}
1631 }
1632 
1633 static boolean_t
1634 smbadm_checkauth(const char *auth)
1635 {
1636 	struct passwd *pw;
1637 
1638 	if ((pw = getpwuid(getuid())) == NULL)
1639 		return (B_FALSE);
1640 
1641 	if (chkauthattr(auth, pw->pw_name) == 0)
1642 		return (B_FALSE);
1643 
1644 	return (B_TRUE);
1645 }
1646 
1647 static boolean_t
1648 smbadm_prop_validate(smbadm_prop_t *prop, boolean_t chkval)
1649 {
1650 	smbadm_prop_handle_t *pinfo;
1651 	int i;
1652 
1653 	for (i = 0; i < SMBADM_NPROP; i++) {
1654 		pinfo = &smbadm_ptable[i];
1655 		if (strcmp(pinfo->p_name, prop->p_name) == 0) {
1656 			if (pinfo->p_chkfn && chkval)
1657 				return (pinfo->p_chkfn(prop));
1658 
1659 			return (B_TRUE);
1660 		}
1661 	}
1662 
1663 	(void) fprintf(stderr, gettext("unrecognized property '%s'\n"),
1664 	    prop->p_name);
1665 
1666 	return (B_FALSE);
1667 }
1668 
1669 static int
1670 smbadm_prop_parse(char *arg, smbadm_prop_t *prop)
1671 {
1672 	boolean_t parse_value;
1673 	char *equal;
1674 
1675 	if (arg == NULL)
1676 		return (2);
1677 
1678 	prop->p_name = prop->p_value = NULL;
1679 
1680 	if (strcmp(curcmd->name, "set") == 0)
1681 		parse_value = B_TRUE;
1682 	else
1683 		parse_value = B_FALSE;
1684 
1685 	prop->p_name = arg;
1686 
1687 	if (parse_value) {
1688 		equal = strchr(arg, '=');
1689 		if (equal == NULL)
1690 			return (2);
1691 
1692 		*equal++ = '\0';
1693 		prop->p_value = equal;
1694 	}
1695 
1696 	if (smbadm_prop_validate(prop, parse_value) == B_FALSE)
1697 		return (2);
1698 
1699 	return (0);
1700 }
1701 
1702 static smbadm_prop_handle_t *
1703 smbadm_prop_gethandle(char *pname)
1704 {
1705 	int i;
1706 
1707 	for (i = 0; i < SMBADM_NPROP; i++)
1708 		if (strcmp(pname, smbadm_ptable[i].p_name) == 0)
1709 			return (&smbadm_ptable[i]);
1710 
1711 	return (NULL);
1712 }
1713 
1714 static int
1715 smbadm_setprop_desc(char *gname, smbadm_prop_t *prop)
1716 {
1717 	int status;
1718 
1719 	status = smb_lgrp_setcmnt(gname, prop->p_value);
1720 	if (status != SMB_LGRP_SUCCESS) {
1721 		(void) fprintf(stderr,
1722 		    gettext("failed to modify the group description (%s)\n"),
1723 		    smb_lgrp_strerror(status));
1724 		return (1);
1725 	}
1726 
1727 	(void) printf(gettext("%s: description modified\n"), gname);
1728 	return (0);
1729 }
1730 
1731 static int
1732 smbadm_getprop_desc(char *gname, smbadm_prop_t *prop)
1733 {
1734 	char *cmnt = NULL;
1735 	int status;
1736 
1737 	status = smb_lgrp_getcmnt(gname, &cmnt);
1738 	if (status != SMB_LGRP_SUCCESS) {
1739 		(void) fprintf(stderr,
1740 		    gettext("failed to get the group description (%s)\n"),
1741 		    smb_lgrp_strerror(status));
1742 		return (1);
1743 	}
1744 
1745 	(void) printf(gettext("\t%s: %s\n"), prop->p_name, cmnt);
1746 	free(cmnt);
1747 	return (0);
1748 }
1749 
1750 static int
1751 smbadm_group_setpriv(char *gname, uint8_t priv_id, smbadm_prop_t *prop)
1752 {
1753 	boolean_t enable;
1754 	int status;
1755 	int ret;
1756 
1757 	if (strcasecmp(prop->p_value, "on") == 0) {
1758 		(void) printf(gettext("Enabling %s privilege "), prop->p_name);
1759 		enable = B_TRUE;
1760 	} else {
1761 		(void) printf(gettext("Disabling %s privilege "), prop->p_name);
1762 		enable = B_FALSE;
1763 	}
1764 
1765 	status = smb_lgrp_setpriv(gname, priv_id, enable);
1766 	if (status == SMB_LGRP_SUCCESS) {
1767 		(void) printf(gettext("succeeded\n"));
1768 		ret = 0;
1769 	} else {
1770 		(void) printf(gettext("failed: %s\n"),
1771 		    smb_lgrp_strerror(status));
1772 		ret = 1;
1773 	}
1774 
1775 	return (ret);
1776 }
1777 
1778 static int
1779 smbadm_group_getpriv(char *gname, uint8_t priv_id, smbadm_prop_t *prop)
1780 {
1781 	boolean_t enable;
1782 	int status;
1783 
1784 	status = smb_lgrp_getpriv(gname, priv_id, &enable);
1785 	if (status != SMB_LGRP_SUCCESS) {
1786 		(void) fprintf(stderr, gettext("failed to get %s (%s)\n"),
1787 		    prop->p_name, smb_lgrp_strerror(status));
1788 		return (1);
1789 	}
1790 
1791 	(void) printf(gettext("\t%s: %s\n"), prop->p_name,
1792 	    (enable) ? "On" : "Off");
1793 
1794 	return (0);
1795 }
1796 
1797 static int
1798 smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop)
1799 {
1800 	return (smbadm_group_setpriv(gname, SE_TAKE_OWNERSHIP_LUID, prop));
1801 }
1802 
1803 static int
1804 smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop)
1805 {
1806 	return (smbadm_group_getpriv(gname, SE_TAKE_OWNERSHIP_LUID, prop));
1807 }
1808 
1809 static int
1810 smbadm_setprop_backup(char *gname, smbadm_prop_t *prop)
1811 {
1812 	return (smbadm_group_setpriv(gname, SE_BACKUP_LUID, prop));
1813 }
1814 
1815 static int
1816 smbadm_getprop_backup(char *gname, smbadm_prop_t *prop)
1817 {
1818 	return (smbadm_group_getpriv(gname, SE_BACKUP_LUID, prop));
1819 }
1820 
1821 static int
1822 smbadm_setprop_restore(char *gname, smbadm_prop_t *prop)
1823 {
1824 	return (smbadm_group_setpriv(gname, SE_RESTORE_LUID, prop));
1825 }
1826 
1827 static int
1828 smbadm_getprop_restore(char *gname, smbadm_prop_t *prop)
1829 {
1830 	return (smbadm_group_getpriv(gname, SE_RESTORE_LUID, prop));
1831 }
1832 
1833 static boolean_t
1834 smbadm_chkprop_priv(smbadm_prop_t *prop)
1835 {
1836 	if (prop->p_value == NULL || *prop->p_value == '\0') {
1837 		(void) fprintf(stderr,
1838 		    gettext("missing value for '%s'\n"), prop->p_name);
1839 		return (B_FALSE);
1840 	}
1841 
1842 	if (strcasecmp(prop->p_value, "on") == 0)
1843 		return (B_TRUE);
1844 
1845 	if (strcasecmp(prop->p_value, "off") == 0)
1846 		return (B_TRUE);
1847 
1848 	(void) fprintf(stderr,
1849 	    gettext("%s: unrecognized value for '%s' property\n"),
1850 	    prop->p_value, prop->p_name);
1851 
1852 	return (B_FALSE);
1853 }
1854 
1855 static const char *
1856 smbadm_pwd_strerror(int error)
1857 {
1858 	switch (error) {
1859 	case SMB_PWE_SUCCESS:
1860 		return (gettext("Success."));
1861 
1862 	case SMB_PWE_USER_UNKNOWN:
1863 		return (gettext("User does not exist."));
1864 
1865 	case SMB_PWE_USER_DISABLE:
1866 		return (gettext("User is disabled."));
1867 
1868 	case SMB_PWE_CLOSE_FAILED:
1869 	case SMB_PWE_OPEN_FAILED:
1870 	case SMB_PWE_WRITE_FAILED:
1871 	case SMB_PWE_UPDATE_FAILED:
1872 		return (gettext("Unexpected failure. "
1873 		    "SMB password database unchanged."));
1874 
1875 	case SMB_PWE_STAT_FAILED:
1876 		return (gettext("stat of SMB password file failed."));
1877 
1878 	case SMB_PWE_BUSY:
1879 		return (gettext("SMB password database busy. "
1880 		    "Try again later."));
1881 
1882 	case SMB_PWE_DENIED:
1883 		return (gettext("Operation not permitted."));
1884 
1885 	case SMB_PWE_SYSTEM_ERROR:
1886 		return (gettext("System error."));
1887 
1888 	default:
1889 		break;
1890 	}
1891 
1892 	return (gettext("Unknown error code."));
1893 }
1894 
1895 /*
1896  * Enable libumem debugging by default on DEBUG builds.
1897  */
1898 #ifdef DEBUG
1899 const char *
1900 _umem_debug_init(void)
1901 {
1902 	return ("default,verbose"); /* $UMEM_DEBUG setting */
1903 }
1904 
1905 const char *
1906 _umem_logging_init(void)
1907 {
1908 	return ("fail,contents"); /* $UMEM_LOGGING setting */
1909 }
1910 #endif
1911