11.5. Remote Administration with net
The net command was mentioned in Chapter 5, when we discussed Samba's group mapping and user privileges features, and again in Chapter 10 as the tool used to join Samba servers to a domain. Its original design mimicked the net.exe command found on Windows hosts. Since the tool's introduction in Samba 3.0.0, it has become the kitchen sink of Samba administration tools and a stable alternative to the more developer-oriented rpcclient utility.
There are two roles for net. One is the protocol administration tool used for such things as managing users or groups on remote servers. The other is the local database administration role for manipulating such things as group mapping entries. Our primary concern in this section is the first role, the protocol interface to remote administration functions.
net supports three administration protocols, identified by the case-insensitive keywords rap, rpc, and ads.
There is a great deal of overlap in subcommands between these three administration methods. For example, all three interfaces return identical results, only differing in order, when enumerating users:
$ net rap user -S windc -U Administrator
Password: <enter Administrator's password>
Administrator
Guest
krbtgt
IWAM_WIN2K-KDC
IUSR_WIN2K-KDC
gcarter
TsInternetUser
lizard
$ net rpc user -S windc -U Administrator
Password: <enter Administrator's password>
Administrator
gcarter
Guest
IUSR_WIN2K-KDC
IWAM_WIN2K-KDC
krbtgt
lizard
TsInternetUser
$ net ads user -S windc -U Administrator
Password: <enter Administrator's password>
Administrator
Guest
IWAM_WIN2K-KDC
IUSR_WIN2K-KDC
krbtgt
gcarter
TsInternetUser
lizard
If we were to examine the traffic on the network, however, we would see very different search queries.
This brings up the next question: which method is preferable? As a general rule, we recommend using either RPC or ADS, depending on which provides the functionality you desire. As you will soon see, some features are available only in one or the other.
11.5.1. net rpc
The first task discussed here is managing users and groups. net rpc provides two subcommands, user and group, for viewing and manipulating accounts. You can find out more about each subcommand using the help option. The following command demonstrates the available features of the user subcommand. This help listing shows that the user subcommand is available for all three interfaces: RAP, RPC, and ADS:
$ net rpc help user
net [<method>] user [misc. options] [targets]
    List users
<...output deleted...>
Valid methods: (auto-detected if not specified)
    ads             Active Directory (LDAP/Kerberos)
    rpc             DCE-RPC
    rap             RAP (older systems)
The miscellaneous options for user are composed of information such as the user credentials used in the connection request (-U option) or the log level (--debuglevel option). A valid target is generally a specific server (-S option), workgroup (-w option), or IP address (-I option). The order of command-line arguments prefaced by an option flag does not matter. You can string these options and parameters together to enumerate users on a CIFS server by running this command:
$ net rpc user -S windc -U lizard
Password: <enter password for lizard>
Administrator
gcarter
Guest
IUSR_WIN2K-KDC
IWAM_WIN2K-KDC
krbtgt
lizard
TsInternetUser
If you wish to find out the groups to which a particular user belongs, add the info argument to the user subcommand.
$ net rpc user info lizard -S windc -U lizard
Password: <enter password for lizard>
Linux Users
Domain Admins
Printer Admins
Domain Users
You may add, delete, and rename users as well. For example, you can create a new user account for jsmith and then rename the account to smitty. Although you do not have to run the net command as root, you do have to specify an account with sufficient rights, such as Administrator, on the target server to change user or group settings.
$ net rpc user add jsmith -S windc -U Administrator
Password: <enter password for Administrator>
Added user jsmith
$ net rpc user rename jsmith smitty -S windc -U Administrator
Password: <enter password for Administrator>
Renamed user from jsmith to smitty
One of the most tedious jobs that system administrators often have to perform is resetting forgotten passwords for users. The net rpc password command allows you to do this for accounts on any Windows or Samba server from your Unix desktop. As an example, the following command sets the password for the account just created to be LeAv3:. If all goes well, you will be returned immediately to a shell prompt.
$ net rpc password smitty LeAv3: -S windc -U Administrator
Password: <enter password for Administrator>
After creating a new user, you can add the account to specific groups using the group subcommand. The following example adds the user smitty to the Domain Admins group on the host windc, which is a domain controller in the BOOKS domain. Note that net rpc group addmem provides feedback only when the operation fails, not when it is completed successfully.
$ net rpc group addmem "Domain Admins" smitty -S windc -U Administrator
Password: <enter password for Administrator>
$ net rpc group members "Domain Admins" -S windc -U Administrator
Password: <enter password for Administrator>
BOOKS\Administrator
BOOKS\gcarter
BOOKS\smitty
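Because addmem is silent on success, membership of privileged groups is worth checking against an allowlist. The following POSIX shell script is an added example, not code from the book or from Samba: the unexpected_members function and the EXPECTED_ADMINS allowlist are hypothetical, and the listing it parses is a constructed copy of the net rpc group members output shown above.

```shell
#!/bin/sh
# Added example: audit the membership of "Domain Admins" as reported by
#   net rpc group members "Domain Admins" -S windc -U Administrator
# The function and the allowlist are hypothetical, not part of Samba.

# Constructed sample listing in the DOMAIN\name form that net rpc prints.
SAMPLE_MEMBERS='BOOKS\Administrator
BOOKS\gcarter
BOOKS\smitty'

# Accounts that are supposed to be domain administrators (assumed).
EXPECTED_ADMINS='Administrator gcarter'

# unexpected_members LISTING ALLOWLIST
# Prints, one per line, each account in LISTING that is not in ALLOWLIST.
unexpected_members() {
    listing=$1
    allow=$2
    printf '%s\n' "$listing" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        name=${entry##*\\}      # drop the BOOKS\ prefix
        found=0
        for ok in $allow; do
            [ "$ok" = "$name" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Against a live domain controller, feed in real output instead:
#   unexpected_members "$(net rpc group members 'Domain Admins' -S windc -U Administrator)" "$EXPECTED_ADMINS"
unexpected_members "$SAMPLE_MEMBERS" "$EXPECTED_ADMINS"
```

Run periodically, a non-empty result (here, smitty) is the signal that someone was added to Domain Admins outside the expected set.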
Table 11-4 gives a summary of the subcommands available to net rpc user and net rpc group.
In addition, with net you can manage shared resources on a server just as you manage user and group accounts. The share option to net rpc allows you to view existing shares, migrate data, and add or remove resources.
We'll start by enumerating the shares on a particular server. net rpc share doesn't list as many details as smbclient -L, but it does include shares with long names:
$ net rpc share -S windc -U Administrator
Password: <enter password for Administrator>
public
IPC$
print$
NETLOGON
CertEnroll
ADMIN$
SYSVOL
C$
files
You can create new SMB/CIFS shares for existing directories. Assume that the path C:\users has been previously created on the host windc. You can create a file share named UserHome that points to this directory by running this command. No response is displayed unless the command fails.
$ net rpc share add "UserHome=c:\\users" -S windc -U Administrator
Password: <enter password for Administrator>
If you enumerate the shares again, you will see the new UserHome share in the output. There is also a complementary delete option to net rpc share. This command only stops the server from sharing the directory. It does not remove any files on the server.
Table 11-5 describes the various net rpc share options.
Like Unix, Windows hosts possess numerous long-running processes that operate in the background to perform specific tasks. You can enumerate the services using the net rpc service list command. The left-hand column presents the service name and the right-hand column gives its more friendly display name:
$ net rpc service list -S windc -U Administrator
Password: <enter password for Administrator>
<...output deleted...>
UPS             "Uninterruptible Power Supply"
UtilMan         "Utility Manager"
VMTools         "VMware Tools Service"
W32Time         "Windows Time"
WinMgmt         "Windows Management Instrumentation"
WINS            "Windows Internet Name Service (WINS)"
Wmi             "Windows Management Instrumentation Driver Extensions"
wuauserv        "Automatic Updates"
WZCSVC          "Wireless Configuration"
The status subcommand provides more detail about the current state of a service:
$ net rpc service status w32time -S windc -U Administrator
Password: <enter password for Administrator>
w32time service is running.
Configuration details:
        Controls Accepted    = 0x1
        Service Type         = 0x20
        Start Type           = 0x2
        Error Control        = 0x1
        Tag ID               = 0x0
        Executable Path      = C:\WINNT\System32\services.exe
        Load Order Group     =
        Dependencies         = /
        Start Name           = LocalSystem
        Display Name         = Windows Time
If the need arises, you can stop and start a specific service using its shorter service name. The following commands stop and then restart the w32time service on a Windows host:
$ net rpc service stop w32time -S windc -U Administrator
Password: <enter password for Administrator>
..............................
w32time service is stop pending.
$ net rpc service start w32time -S windc -U Administrator
Password: <enter password for Administrator>
.
Successfully started service: w32time
Sometimes, however, restarting a single service is not enough to restore a host to a working state. In these cases, a reboot is necessary. You can use the shutdown command to reboot a host. The -r flag instructs the host to reboot after the shutdown and the -t option defines the number of seconds to delay the reboot process. You may also specify an informational message using the -C option. Following is an example that reboots a server in 120 seconds and informs any logged-on user of the server maintenance. The client sees the reboot dialog box shown in Figure 11-5.
Figure 11-5. Reboot dialog box issued by net rpc shutdown
$ net rpc shutdown -r -t 120 \
    -C "Maintenance reboot required. Please log off" -S dorn -U Administrator
Password: <enter password for Administrator>
Shutdown of remote machine succeeded
If you change your mind, there is an abortshutdown command that can cancel your previous reboot request.
Table 11-6 finishes this section with a short summary of the commands to manage services using net rpc service.
11.5.2. net ads
The ADS method of the net command shares some of the same functions as the RPC method. For example, you can reset passwords and manage users and groups. The main advantage of net ads over net rpc is the ability in ADS to use Kerberos tickets for authentication and to communicate with Active Directory using LDAP. Using Kerberos removes the need to enter a password every time you run the net command. To observe how this works, first initialize your Krb5 ticket cache using the kinit command:
$ kinit Administrator
Password for Administrator@BOOKS.PLAINJOE.ORG: <enter password>
You can now list users in the AD domain by running net ads user:
$ net ads user
Administrator
Guest
IWAM_WIN2K-KDC
IUSR_WIN2K-KDC
krbtgt
gcarter
TsInternetUser
lizard
smitty
Upon examining your ticket cache, you will see that you now possess a service ticket for a DC in your domain. In our example, the machine account windc$ is one of the domain controllers in the books.plainjoe.org AD domain:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@BOOKS.PLAINJOE.ORG

Valid starting     Expires            Service principal
07/26/06 17:46:58  07/27/06 03:46:35  krbtgt/BOOKS.PLAINJOE.ORG@BOOKS.PLAINJOE.ORG
        renew until 07/27/06 17:46:58
07/26/06 17:47:21  07/27/06 03:46:35  windc$@BOOKS.PLAINJOE.ORG
        renew until 07/27/06 17:46:58
Because Active Directory can be searched using LDAP queries, the net ads command provides a simple search interface as an alternative to tools such as ldapsearch. The search command accepts an LDAP search filter, followed by an optional list of attribute names to return. The following example looks up the SID assigned to the user smitty. The sAMAccountName attribute stores the value for user and machine account names, so the LDAP filter matches against it.
$ net ads search "(sAMAccountName=smitty)" objectSID
Got 1 replies

objectSid: S-1-5-21-4200961138-2496335650-1239021823-1273
This next search returns a list of all machines in the domain, including their operating systems if available, by matching the computer object class value:
# net ads search "(objectclass=computer)" sAMAccountName operatingSystem
Got 6 replies

operatingSystem: Windows 2000 Professional
sAMAccountName: BLITZ$

operatingSystem: Windows XP Professional
sAMAccountName: LETTUCE$

operatingSystem: Windows XP Professional
sAMAccountName: DORN$

operatingSystem: Windows 2000 Professional
sAMAccountName: POLE$

sAMAccountName: zero$

operatingSystem: Windows 2000 Server
sAMAccountName: WINDC$
net ads search can be a valuable auditing and debugging tool and is much faster than firing up a graphical LDAP search tool, especially if that approach involves logging onto a Windows client.
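One auditing use of net ads search is an inventory of which operating system each machine account reports. The following POSIX shell script is an added example, not from the book or from Samba: the os_inventory function is hypothetical, the search output it parses is a constructed sample in the format shown above, and it assumes, as net ads search prints, that entries are separated by blank lines.

```shell
#!/bin/sh
# Added example: turn the output of
#   net ads search "(objectclass=computer)" sAMAccountName operatingSystem
# into a NAME<tab>OS inventory. os_inventory is a hypothetical helper,
# not part of Samba; it assumes blank lines separate the entries.

# Constructed sample output in the format shown on this page.
SAMPLE_SEARCH='Got 3 replies

operatingSystem: Windows 2000 Professional
sAMAccountName: BLITZ$

sAMAccountName: zero$

operatingSystem: Windows 2000 Server
sAMAccountName: WINDC$'

# os_inventory OUTPUT
# Prints one line per computer account: the name, a tab, then the operating
# system, or "unknown" when the attribute is absent (as for zero$ above).
os_inventory() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (name != "") printf "%s\t%s\n", name, (os == "" ? "unknown" : os)
            name = ""; os = ""
        }
        /^operatingSystem: / { os = substr($0, 18) }
        /^sAMAccountName: /  { name = substr($0, 17) }
        /^$/                 { flush() }
        END                  { flush() }'
}

# Live use: os_inventory "$(net ads search "(objectclass=computer)" sAMAccountName operatingSystem)"
os_inventory "$SAMPLE_SEARCH"
```

Machines reporting "unknown" or an operating system that should no longer be on the network are the rows worth following up.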