summaryrefslogtreecommitdiff
path: root/source4/libnet
diff options
context:
space:
mode:
Diffstat (limited to 'source4/libnet')
-rw-r--r--source4/libnet/config.mk1
-rw-r--r--source4/libnet/libnet_samsync_ldb.c414
-rw-r--r--source4/libnet/libnet_vampire.h10
3 files changed, 425 insertions, 0 deletions
diff --git a/source4/libnet/config.mk b/source4/libnet/config.mk
index 1f85d81ea2..8d5f5dfccd 100644
--- a/source4/libnet/config.mk
+++ b/source4/libnet/config.mk
@@ -10,6 +10,7 @@ ADD_OBJ_FILES = \
libnet/libnet_join.o \
libnet/libnet_vampire.o \
libnet/libnet_samdump.o \
+ libnet/libnet_samsync_ldb.o \
libnet/libnet_user.o \
libnet/libnet_share.o \
libnet/libnet_lookup.o \
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
new file mode 100644
index 0000000000..cedb1e233e
--- /dev/null
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -0,0 +1,414 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Extract the user/system database from a remote SamSync server
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+#include "includes.h"
+#include "libnet/libnet.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_samr.h"
+#include "dlinklist.h"
+#include "lib/ldb/include/ldb.h"
+
+struct samsync_ldb_secret {
+ struct samsync_ldb_secret *prev, *next;
+ DATA_BLOB secret;
+ char *name;
+ NTTIME mtime;
+};
+
+struct samsync_ldb_trusted_domain {
+ struct samsync_ldb_trusted_domain *prev, *next;
+ struct dom_sid *sid;
+ char *name;
+};
+
+struct samsync_ldb_state {
+ struct dom_sid *dom_sid[3];
+ struct ldb_context *sam_ldb;
+ char *base_dn[3];
+ struct samsync_ldb_secret *secrets;
+ struct samsync_ldb_trusted_domain *trusted_domains;
+};
+
+static NTSTATUS samsync_ldb_handle_domain(TALLOC_CTX *mem_ctx,
+ struct samsync_ldb_state *state,
+ struct creds_CredentialState *creds,
+ enum netr_SamDatabaseID database,
+ struct netr_DELTA_ENUM *delta)
+{
+ struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
+ const char *domain_name = domain->domain_name.string;
+ struct ldb_message *msg;
+ int ret;
+
+ if (database == SAM_DATABASE_DOMAIN) {
+ const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
+ struct ldb_message **msgs_domain;
+ int ret_domain;
+ ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
+ "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
+ domain_name);
+ if (ret_domain == -1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ if (ret_domain != 1) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
+ state->base_dn[database]
+ = talloc_steal(state, samdb_result_string(msgs_domain[0],
+ "nCName", NULL));
+
+ state->dom_sid[database]
+ = talloc_steal(state,
+ samdb_search_dom_sid(state->sam_ldb, state,
+ state->base_dn[database], "objectSid",
+ "dn=%s", state->base_dn[database]));
+ } else if (database == SAM_DATABASE_BUILTIN) {
+ /* work out the builtin_dn - useful for so many calls its worth
+ fetching here */
+ state->base_dn[database]
+ = talloc_steal(state,
+ samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+ "dn", "objectClass=builtinDomain"));
+ state->dom_sid[database]
+ = dom_sid_parse_talloc(state, SID_BUILTIN);
+ } else {
+ /* PRIVs DB */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = talloc_reference(mem_ctx, state->base_dn[database]);
+ if (!msg->dn) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ samdb_msg_add_string(state->sam_ldb, mem_ctx,
+ msg, "oEMInformation", domain->comment.string);
+
+ samdb_msg_add_uint64(state->sam_ldb, mem_ctx,
+ msg, "forceLogff", domain->force_logoff_time);
+
+ samdb_msg_add_uint(state->sam_ldb, mem_ctx,
+ msg, "minPwdLen", domain->min_password_length);
+
+ samdb_msg_add_int64(state->sam_ldb, mem_ctx,
+ msg, "maxPwdAge", domain->max_password_age);
+
+ samdb_msg_add_int64(state->sam_ldb, mem_ctx,
+ msg, "minPwdAge", domain->min_password_age);
+
+ samdb_msg_add_uint(state->sam_ldb, mem_ctx,
+ msg, "pwdHistoryLength", domain->password_history_length);
+
+ samdb_msg_add_uint64(state->sam_ldb, mem_ctx,
+ msg, "modifiedCountAtLastProm",
+ domain->sequence_num);
+
+ samdb_msg_add_uint64(state->sam_ldb, mem_ctx,
+ msg, "creationTime", domain->domain_create_time);
+
+ /* TODO: Account lockout, password properties */
+
+ ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
+
+ if (ret) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
+ struct samsync_ldb_state *state,
+ struct creds_CredentialState *creds,
+ enum netr_SamDatabaseID database,
+ struct netr_DELTA_ENUM *delta)
+{
+ uint32_t rid = delta->delta_id_union.rid;
+ struct netr_DELTA_USER *user = delta->delta_union.user;
+ const char *container, *obj_class;
+ char *cn_name;
+ int cn_name_len;
+
+ struct ldb_message *msg;
+ struct ldb_message **msgs;
+ int ret;
+ uint32_t acb;
+ BOOL add = False;
+ const char *attrs[] = { NULL };
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* search for the user, by rid */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ "(&(objectClass=user)(objectSid=%s))",
+ ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
+
+ if (ret == -1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else if (ret == 0) {
+ add = True;
+ } else if (ret > 1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else {
+ msg->dn = talloc_steal(mem_ctx, msgs[0]->dn);
+ }
+
+
+ cn_name = talloc_strdup(mem_ctx, user->account_name.string);
+ NT_STATUS_HAVE_NO_MEMORY(cn_name);
+ cn_name_len = strlen(cn_name);
+
+#define ADD_OR_DEL(type, attrib, field) do {\
+ if (user->field) { \
+ samdb_msg_add_ ## type(state->sam_ldb, mem_ctx, msg, \
+ attrib, user->field); \
+ } else if (!add) { \
+ samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg, \
+ attrib); \
+ } \
+ } while (0);
+
+ ADD_OR_DEL(string, "samAccountName", account_name.string);
+ ADD_OR_DEL(string, "displayName", full_name.string);
+
+ if (samdb_msg_add_dom_sid(state->sam_ldb, mem_ctx, msg,
+ "objectSid", dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ADD_OR_DEL(uint, "primaryGroupID", primary_gid);
+ ADD_OR_DEL(string, "homeDirectory", home_directory.string);
+ ADD_OR_DEL(string, "homeDrive", home_drive.string);
+ ADD_OR_DEL(string, "scriptPath", logon_script.string);
+ ADD_OR_DEL(string, "description", description.string);
+ ADD_OR_DEL(string, "userWorkstations", workstations.string);
+
+ ADD_OR_DEL(uint64, "lastLogon", last_logon);
+ ADD_OR_DEL(uint64, "lastLogoff", last_logoff);
+
+ /* TODO: Logon hours */
+
+ ADD_OR_DEL(uint, "badPwdCount", bad_password_count);
+ ADD_OR_DEL(uint, "logonCount", logon_count);
+
+ ADD_OR_DEL(uint64, "pwdLastSet", last_password_change);
+ ADD_OR_DEL(uint64, "accountExpires", acct_expiry);
+
+ if (samdb_msg_add_acct_flags(state->sam_ldb, mem_ctx, msg,
+ "userAccountConrol", user->acct_flags) != 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Passwords */
+ samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
+ "unicodePwd");
+ if (user->lm_password_present) {
+ samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
+ "lmPwdHash", &user->lmpassword);
+ } else {
+ samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
+ "lmPwdHash");
+ }
+ if (user->nt_password_present) {
+ samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
+ "ntPwdHash", &user->ntpassword);
+ } else {
+ samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
+ "ntPwdHash");
+ }
+
+ ADD_OR_DEL(string, "comment", comment.string);
+ ADD_OR_DEL(string, "userParameters", parameters.string);
+ ADD_OR_DEL(uint, "countryCode", country_code);
+ ADD_OR_DEL(uint, "codePage", code_page);
+
+ ADD_OR_DEL(string, "profilePath", profile_path.string);
+
+ acb = user->acct_flags;
+ if (acb & (ACB_WSTRUST)) {
+ cn_name[cn_name_len - 1] = '\0';
+ container = "Computers";
+ obj_class = "computer";
+
+ } else if (acb & ACB_SVRTRUST) {
+ if (cn_name[cn_name_len - 1] != '$') {
+ return NT_STATUS_FOOBAR;
+ }
+ cn_name[cn_name_len - 1] = '\0';
+ container = "Domain Controllers";
+ obj_class = "computer";
+ } else {
+ container = "Users";
+ obj_class = "user";
+ }
+ if (add) {
+ samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
+ "objectClass", obj_class);
+ msg->dn = talloc_asprintf(mem_ctx, "CN=%s,CN=%s,%s",
+ cn_name, container, state->base_dn[database]);
+ if (!msg->dn) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = samdb_add(state->sam_ldb, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(0,("Failed to create user record %s\n", msg->dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ } else {
+ ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(0,("Failed to modify user record %s\n", msg->dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS samsync_ldb_handle_group(TALLOC_CTX *mem_ctx,
+ struct samsync_ldb_state *state,
+ struct creds_CredentialState *creds,
+ enum netr_SamDatabaseID database,
+ struct netr_DELTA_ENUM *delta)
+{
+ uint32_t rid = delta->delta_id_union.rid;
+ struct netr_DELTA_GROUP *group = delta->delta_union.group;
+ const char *groupname = group->group_name.string;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS libnet_samsync_ldb_fn(TALLOC_CTX *mem_ctx,
+ void *private,
+ struct creds_CredentialState *creds,
+ enum netr_SamDatabaseID database,
+ struct netr_DELTA_ENUM *delta,
+ char **error_string)
+{
+ NTSTATUS nt_status = NT_STATUS_OK;
+ struct samsync_ldb_state *state = private;
+
+ *error_string = NULL;
+ switch (delta->delta_type) {
+ case NETR_DELTA_DOMAIN:
+ {
+ nt_status = samsync_ldb_handle_domain(mem_ctx,
+ state,
+ creds,
+ database,
+ delta);
+ break;
+ }
+ case NETR_DELTA_USER:
+ {
+ nt_status = samsync_ldb_handle_user(mem_ctx,
+ state,
+ creds,
+ database,
+ delta);
+ break;
+ }
+ case NETR_DELTA_GROUP:
+ {
+ nt_status = samsync_ldb_handle_group(mem_ctx,
+ state,
+ creds,
+ database,
+ delta);
+ break;
+ }
+ default:
+ /* Can't dump them all right now */
+ break;
+ }
+ return nt_status;
+}
+
+static NTSTATUS libnet_samsync_ldb_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r)
+{
+ NTSTATUS nt_status;
+ struct libnet_SamSync r2;
+ struct samsync_ldb_state *state = talloc(mem_ctx, struct samsync_ldb_state);
+
+ if (!state) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->secrets = NULL;
+ state->trusted_domains = NULL;
+
+ state->sam_ldb = samdb_connect(state);
+
+
+
+ r2.error_string = NULL;
+ r2.delta_fn = libnet_samsync_ldb_fn;
+ r2.fn_ctx = state;
+ r2.machine_account = NULL; /* TODO: Create a machine account, fill this in, and the delete it */
+ nt_status = libnet_SamSync_netlogon(ctx, state, &r2);
+ r->error_string = r2.error_string;
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(state);
+ return nt_status;
+ }
+ talloc_free(state);
+ return nt_status;
+}
+
+
+
+static NTSTATUS libnet_samsync_ldb_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r)
+{
+ NTSTATUS nt_status;
+ struct libnet_samsync_ldb r2;
+ r2.level = LIBNET_SAMSYNC_LDB_NETLOGON;
+ r2.error_string = NULL;
+ nt_status = libnet_samsync_ldb(ctx, mem_ctx, &r2);
+ r->error_string = r2.error_string;
+
+ return nt_status;
+}
+
+NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r)
+{
+ switch (r->level) {
+ case LIBNET_SAMSYNC_LDB_GENERIC:
+ return libnet_samsync_ldb_generic(ctx, mem_ctx, r);
+ case LIBNET_SAMSYNC_LDB_NETLOGON:
+ return libnet_samsync_ldb_netlogon(ctx, mem_ctx, r);
+ }
+
+ return NT_STATUS_INVALID_LEVEL;
+}
diff --git a/source4/libnet/libnet_vampire.h b/source4/libnet/libnet_vampire.h
index f5bc2b1501..8a588de48c 100644
--- a/source4/libnet/libnet_vampire.h
+++ b/source4/libnet/libnet_vampire.h
@@ -43,3 +43,13 @@ struct libnet_SamDump {
char *error_string;
};
+enum libnet_samsync_ldb_level {
+ LIBNET_SAMSYNC_LDB_GENERIC,
+ LIBNET_SAMSYNC_LDB_NETLOGON,
+};
+
+struct libnet_samsync_ldb {
+ enum libnet_samsync_ldb_level level;
+ char *error_string;
+};
+