1 | /*
|
---|
2 | Unix SMB/CIFS implementation.
|
---|
3 | dump the remote SAM using rpc samsync operations
|
---|
4 |
|
---|
5 | Copyright (C) Andrew Tridgell 2002
|
---|
6 | Copyright (C) Tim Potter 2001,2002
|
---|
7 | Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
|
---|
8 | Modified by Volker Lendecke 2002
|
---|
9 | Copyright (C) Jeremy Allison 2005.
|
---|
10 |
|
---|
11 | This program is free software; you can redistribute it and/or modify
|
---|
12 | it under the terms of the GNU General Public License as published by
|
---|
13 | the Free Software Foundation; either version 2 of the License, or
|
---|
14 | (at your option) any later version.
|
---|
15 |
|
---|
16 | This program is distributed in the hope that it will be useful,
|
---|
17 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
18 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
19 | GNU General Public License for more details.
|
---|
20 |
|
---|
21 | You should have received a copy of the GNU General Public License
|
---|
22 | along with this program; if not, write to the Free Software
|
---|
23 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
---|
24 | */
|
---|
25 |
|
---|
26 | #include "includes.h"
|
---|
27 | #include "utils/net.h"
|
---|
28 |
|
---|
29 | /* uid's and gid's for writing deltas to ldif */
|
---|
30 | static uint32 ldif_gid = 999;
|
---|
31 | static uint32 ldif_uid = 999;
|
---|
32 | /* Keep track of ldap initialization */
|
---|
33 | static int init_ldap = 1;
|
---|
34 |
|
---|
35 | static void display_group_mem_info(uint32 rid, SAM_GROUP_MEM_INFO *g)
|
---|
36 | {
|
---|
37 | int i;
|
---|
38 | d_printf("Group mem %u: ", rid);
|
---|
39 | for (i=0;i<g->num_members;i++) {
|
---|
40 | d_printf("%u ", g->rids[i]);
|
---|
41 | }
|
---|
42 | d_printf("\n");
|
---|
43 | }
|
---|
44 |
|
---|
45 | static void display_alias_info(uint32 rid, SAM_ALIAS_INFO *a)
|
---|
46 | {
|
---|
47 | d_printf("Alias '%s' ", unistr2_static(&a->uni_als_name));
|
---|
48 | d_printf("desc='%s' rid=%u\n", unistr2_static(&a->uni_als_desc), a->als_rid);
|
---|
49 | }
|
---|
50 |
|
---|
51 | static void display_alias_mem(uint32 rid, SAM_ALIAS_MEM_INFO *a)
|
---|
52 | {
|
---|
53 | int i;
|
---|
54 | d_printf("Alias rid %u: ", rid);
|
---|
55 | for (i=0;i<a->num_members;i++) {
|
---|
56 | d_printf("%s ", sid_string_static(&a->sids[i].sid));
|
---|
57 | }
|
---|
58 | d_printf("\n");
|
---|
59 | }
|
---|
60 |
|
---|
61 | static void display_account_info(uint32 rid, SAM_ACCOUNT_INFO *a)
|
---|
62 | {
|
---|
63 | fstring hex_nt_passwd, hex_lm_passwd;
|
---|
64 | uchar lm_passwd[16], nt_passwd[16];
|
---|
65 | static uchar zero_buf[16];
|
---|
66 |
|
---|
67 | /* Decode hashes from password hash (if they are not NULL) */
|
---|
68 |
|
---|
69 | if (memcmp(a->pass.buf_lm_pwd, zero_buf, 16) != 0) {
|
---|
70 | sam_pwd_hash(a->user_rid, a->pass.buf_lm_pwd, lm_passwd, 0);
|
---|
71 | pdb_sethexpwd(hex_lm_passwd, lm_passwd, a->acb_info);
|
---|
72 | } else {
|
---|
73 | pdb_sethexpwd(hex_lm_passwd, NULL, 0);
|
---|
74 | }
|
---|
75 |
|
---|
76 | if (memcmp(a->pass.buf_nt_pwd, zero_buf, 16) != 0) {
|
---|
77 | sam_pwd_hash(a->user_rid, a->pass.buf_nt_pwd, nt_passwd, 0);
|
---|
78 | pdb_sethexpwd(hex_nt_passwd, nt_passwd, a->acb_info);
|
---|
79 | } else {
|
---|
80 | pdb_sethexpwd(hex_nt_passwd, NULL, 0);
|
---|
81 | }
|
---|
82 |
|
---|
83 | printf("%s:%d:%s:%s:%s:LCT-0\n", unistr2_static(&a->uni_acct_name),
|
---|
84 | a->user_rid, hex_lm_passwd, hex_nt_passwd,
|
---|
85 | pdb_encode_acct_ctrl(a->acb_info, NEW_PW_FORMAT_SPACE_PADDED_LEN));
|
---|
86 | }
|
---|
87 |
|
---|
88 | static time_t uint64s_nt_time_to_unix_abs(const uint64 *src)
|
---|
89 | {
|
---|
90 | NTTIME nttime;
|
---|
91 | nttime = *src;
|
---|
92 | return nt_time_to_unix_abs(&nttime);
|
---|
93 | }
|
---|
94 |
|
---|
95 | static void display_domain_info(SAM_DOMAIN_INFO *a)
|
---|
96 | {
|
---|
97 | time_t u_logout;
|
---|
98 |
|
---|
99 | u_logout = uint64s_nt_time_to_unix_abs(&a->force_logoff);
|
---|
100 |
|
---|
101 | d_printf("Domain name: %s\n", unistr2_static(&a->uni_dom_name));
|
---|
102 |
|
---|
103 | d_printf("Minimal Password Length: %d\n", a->min_pwd_len);
|
---|
104 | d_printf("Password History Length: %d\n", a->pwd_history_len);
|
---|
105 |
|
---|
106 | d_printf("Force Logoff: %d\n", (int)u_logout);
|
---|
107 |
|
---|
108 | d_printf("Max Password Age: %s\n", display_time(a->max_pwd_age));
|
---|
109 | d_printf("Min Password Age: %s\n", display_time(a->min_pwd_age));
|
---|
110 |
|
---|
111 | d_printf("Lockout Time: %s\n", display_time(a->account_lockout.lockout_duration));
|
---|
112 | d_printf("Lockout Reset Time: %s\n", display_time(a->account_lockout.reset_count));
|
---|
113 |
|
---|
114 | d_printf("Bad Attempt Lockout: %d\n", a->account_lockout.bad_attempt_lockout);
|
---|
115 | d_printf("User must logon to change password: %d\n", a->logon_chgpass);
|
---|
116 | }
|
---|
117 |
|
---|
118 | static void display_group_info(uint32 rid, SAM_GROUP_INFO *a)
|
---|
119 | {
|
---|
120 | d_printf("Group '%s' ", unistr2_static(&a->uni_grp_name));
|
---|
121 | d_printf("desc='%s', rid=%u\n", unistr2_static(&a->uni_grp_desc), rid);
|
---|
122 | }
|
---|
123 |
|
---|
124 | static void display_sam_entry(SAM_DELTA_HDR *hdr_delta, SAM_DELTA_CTR *delta)
|
---|
125 | {
|
---|
126 | switch (hdr_delta->type) {
|
---|
127 | case SAM_DELTA_ACCOUNT_INFO:
|
---|
128 | display_account_info(hdr_delta->target_rid, &delta->account_info);
|
---|
129 | break;
|
---|
130 | case SAM_DELTA_GROUP_MEM:
|
---|
131 | display_group_mem_info(hdr_delta->target_rid, &delta->grp_mem_info);
|
---|
132 | break;
|
---|
133 | case SAM_DELTA_ALIAS_INFO:
|
---|
134 | display_alias_info(hdr_delta->target_rid, &delta->alias_info);
|
---|
135 | break;
|
---|
136 | case SAM_DELTA_ALIAS_MEM:
|
---|
137 | display_alias_mem(hdr_delta->target_rid, &delta->als_mem_info);
|
---|
138 | break;
|
---|
139 | case SAM_DELTA_DOMAIN_INFO:
|
---|
140 | display_domain_info(&delta->domain_info);
|
---|
141 | break;
|
---|
142 | case SAM_DELTA_GROUP_INFO:
|
---|
143 | display_group_info(hdr_delta->target_rid, &delta->group_info);
|
---|
144 | break;
|
---|
145 | /* The following types are recognised but not handled */
|
---|
146 | case SAM_DELTA_RENAME_GROUP:
|
---|
147 | d_printf("SAM_DELTA_RENAME_GROUP not handled\n");
|
---|
148 | break;
|
---|
149 | case SAM_DELTA_RENAME_USER:
|
---|
150 | d_printf("SAM_DELTA_RENAME_USER not handled\n");
|
---|
151 | break;
|
---|
152 | case SAM_DELTA_RENAME_ALIAS:
|
---|
153 | d_printf("SAM_DELTA_RENAME_ALIAS not handled\n");
|
---|
154 | break;
|
---|
155 | case SAM_DELTA_POLICY_INFO:
|
---|
156 | d_printf("SAM_DELTA_POLICY_INFO not handled\n");
|
---|
157 | break;
|
---|
158 | case SAM_DELTA_TRUST_DOMS:
|
---|
159 | d_printf("SAM_DELTA_TRUST_DOMS not handled\n");
|
---|
160 | break;
|
---|
161 | case SAM_DELTA_PRIVS_INFO:
|
---|
162 | d_printf("SAM_DELTA_PRIVS_INFO not handled\n");
|
---|
163 | break;
|
---|
164 | case SAM_DELTA_SECRET_INFO:
|
---|
165 | d_printf("SAM_DELTA_SECRET_INFO not handled\n");
|
---|
166 | break;
|
---|
167 | case SAM_DELTA_DELETE_GROUP:
|
---|
168 | d_printf("SAM_DELTA_DELETE_GROUP not handled\n");
|
---|
169 | break;
|
---|
170 | case SAM_DELTA_DELETE_USER:
|
---|
171 | d_printf("SAM_DELTA_DELETE_USER not handled\n");
|
---|
172 | break;
|
---|
173 | case SAM_DELTA_MODIFIED_COUNT:
|
---|
174 | d_printf("SAM_DELTA_MODIFIED_COUNT not handled\n");
|
---|
175 | break;
|
---|
176 | default:
|
---|
177 | d_printf("Unknown delta record type %d\n", hdr_delta->type);
|
---|
178 | break;
|
---|
179 | }
|
---|
180 | }
|
---|
181 |
|
---|
182 | static void dump_database(struct rpc_pipe_client *pipe_hnd, uint32 db_type)
|
---|
183 | {
|
---|
184 | uint32 sync_context = 0;
|
---|
185 | NTSTATUS result;
|
---|
186 | int i;
|
---|
187 | TALLOC_CTX *mem_ctx;
|
---|
188 | SAM_DELTA_HDR *hdr_deltas;
|
---|
189 | SAM_DELTA_CTR *deltas;
|
---|
190 | uint32 num_deltas;
|
---|
191 |
|
---|
192 | if (!(mem_ctx = talloc_init("dump_database"))) {
|
---|
193 | return;
|
---|
194 | }
|
---|
195 |
|
---|
196 | switch( db_type ) {
|
---|
197 | case SAM_DATABASE_DOMAIN:
|
---|
198 | d_printf("Dumping DOMAIN database\n");
|
---|
199 | break;
|
---|
200 | case SAM_DATABASE_BUILTIN:
|
---|
201 | d_printf("Dumping BUILTIN database\n");
|
---|
202 | break;
|
---|
203 | case SAM_DATABASE_PRIVS:
|
---|
204 | d_printf("Dumping PRIVS databases\n");
|
---|
205 | break;
|
---|
206 | default:
|
---|
207 | d_printf("Dumping unknown database type %u\n", db_type );
|
---|
208 | break;
|
---|
209 | }
|
---|
210 |
|
---|
211 | do {
|
---|
212 | result = rpccli_netlogon_sam_sync(pipe_hnd, mem_ctx, db_type,
|
---|
213 | sync_context,
|
---|
214 | &num_deltas, &hdr_deltas, &deltas);
|
---|
215 | if (!NT_STATUS_IS_OK(result))
|
---|
216 | break;
|
---|
217 |
|
---|
218 | for (i = 0; i < num_deltas; i++) {
|
---|
219 | display_sam_entry(&hdr_deltas[i], &deltas[i]);
|
---|
220 | }
|
---|
221 | sync_context += 1;
|
---|
222 | } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
|
---|
223 |
|
---|
224 | talloc_destroy(mem_ctx);
|
---|
225 | }
|
---|
226 |
|
---|
227 | /* dump sam database via samsync rpc calls */
|
---|
228 | NTSTATUS rpc_samdump_internals(const DOM_SID *domain_sid,
|
---|
229 | const char *domain_name,
|
---|
230 | struct cli_state *cli,
|
---|
231 | struct rpc_pipe_client *pipe_hnd,
|
---|
232 | TALLOC_CTX *mem_ctx,
|
---|
233 | int argc,
|
---|
234 | const char **argv)
|
---|
235 | {
|
---|
236 | #if 0
|
---|
237 | /* net_rpc.c now always tries to create an schannel pipe.. */
|
---|
238 |
|
---|
239 | NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
|
---|
240 | uchar trust_password[16];
|
---|
241 | uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
---|
242 | uint32 sec_channel_type = 0;
|
---|
243 |
|
---|
244 | if (!secrets_fetch_trust_account_password(domain_name,
|
---|
245 | trust_password,
|
---|
246 | NULL, &sec_channel_type)) {
|
---|
247 | DEBUG(0,("Could not fetch trust account password\n"));
|
---|
248 | goto fail;
|
---|
249 | }
|
---|
250 |
|
---|
251 | nt_status = rpccli_netlogon_setup_creds(pipe_hnd,
|
---|
252 | cli->desthost,
|
---|
253 | domain_name,
|
---|
254 | global_myname(),
|
---|
255 | trust_password,
|
---|
256 | sec_channel_type,
|
---|
257 | &neg_flags);
|
---|
258 |
|
---|
259 | if (!NT_STATUS_IS_OK(nt_status)) {
|
---|
260 | DEBUG(0,("Error connecting to NETLOGON pipe\n"));
|
---|
261 | goto fail;
|
---|
262 | }
|
---|
263 | #endif
|
---|
264 |
|
---|
265 | dump_database(pipe_hnd, SAM_DATABASE_DOMAIN);
|
---|
266 | dump_database(pipe_hnd, SAM_DATABASE_BUILTIN);
|
---|
267 | dump_database(pipe_hnd, SAM_DATABASE_PRIVS);
|
---|
268 |
|
---|
269 | return NT_STATUS_OK;
|
---|
270 | }
|
---|
271 |
|
---|
272 | /* Convert a struct samu_DELTA to a struct samu. */
|
---|
273 | #define STRING_CHANGED (old_string && !new_string) ||\
|
---|
274 | (!old_string && new_string) ||\
|
---|
275 | (old_string && new_string && (strcmp(old_string, new_string) != 0))
|
---|
276 |
|
---|
277 | #define STRING_CHANGED_NC(s1,s2) ((s1) && !(s2)) ||\
|
---|
278 | (!(s1) && (s2)) ||\
|
---|
279 | ((s1) && (s2) && (strcmp((s1), (s2)) != 0))
|
---|
280 |
|
---|
281 | static NTSTATUS sam_account_from_delta(struct samu *account, SAM_ACCOUNT_INFO *delta)
|
---|
282 | {
|
---|
283 | const char *old_string, *new_string;
|
---|
284 | time_t unix_time, stored_time;
|
---|
285 | uchar lm_passwd[16], nt_passwd[16];
|
---|
286 | static uchar zero_buf[16];
|
---|
287 |
|
---|
288 | /* Username, fullname, home dir, dir drive, logon script, acct
|
---|
289 | desc, workstations, profile. */
|
---|
290 |
|
---|
291 | if (delta->hdr_acct_name.buffer) {
|
---|
292 | old_string = pdb_get_nt_username(account);
|
---|
293 | new_string = unistr2_static(&delta->uni_acct_name);
|
---|
294 |
|
---|
295 | if (STRING_CHANGED) {
|
---|
296 | pdb_set_nt_username(account, new_string, PDB_CHANGED);
|
---|
297 |
|
---|
298 | }
|
---|
299 |
|
---|
300 | /* Unix username is the same - for sanity */
|
---|
301 | old_string = pdb_get_username( account );
|
---|
302 | if (STRING_CHANGED) {
|
---|
303 | pdb_set_username(account, new_string, PDB_CHANGED);
|
---|
304 | }
|
---|
305 | }
|
---|
306 |
|
---|
307 | if (delta->hdr_full_name.buffer) {
|
---|
308 | old_string = pdb_get_fullname(account);
|
---|
309 | new_string = unistr2_static(&delta->uni_full_name);
|
---|
310 |
|
---|
311 | if (STRING_CHANGED)
|
---|
312 | pdb_set_fullname(account, new_string, PDB_CHANGED);
|
---|
313 | }
|
---|
314 |
|
---|
315 | if (delta->hdr_home_dir.buffer) {
|
---|
316 | old_string = pdb_get_homedir(account);
|
---|
317 | new_string = unistr2_static(&delta->uni_home_dir);
|
---|
318 |
|
---|
319 | if (STRING_CHANGED)
|
---|
320 | pdb_set_homedir(account, new_string, PDB_CHANGED);
|
---|
321 | }
|
---|
322 |
|
---|
323 | if (delta->hdr_dir_drive.buffer) {
|
---|
324 | old_string = pdb_get_dir_drive(account);
|
---|
325 | new_string = unistr2_static(&delta->uni_dir_drive);
|
---|
326 |
|
---|
327 | if (STRING_CHANGED)
|
---|
328 | pdb_set_dir_drive(account, new_string, PDB_CHANGED);
|
---|
329 | }
|
---|
330 |
|
---|
331 | if (delta->hdr_logon_script.buffer) {
|
---|
332 | old_string = pdb_get_logon_script(account);
|
---|
333 | new_string = unistr2_static(&delta->uni_logon_script);
|
---|
334 |
|
---|
335 | if (STRING_CHANGED)
|
---|
336 | pdb_set_logon_script(account, new_string, PDB_CHANGED);
|
---|
337 | }
|
---|
338 |
|
---|
339 | if (delta->hdr_acct_desc.buffer) {
|
---|
340 | old_string = pdb_get_acct_desc(account);
|
---|
341 | new_string = unistr2_static(&delta->uni_acct_desc);
|
---|
342 |
|
---|
343 | if (STRING_CHANGED)
|
---|
344 | pdb_set_acct_desc(account, new_string, PDB_CHANGED);
|
---|
345 | }
|
---|
346 |
|
---|
347 | if (delta->hdr_workstations.buffer) {
|
---|
348 | old_string = pdb_get_workstations(account);
|
---|
349 | new_string = unistr2_static(&delta->uni_workstations);
|
---|
350 |
|
---|
351 | if (STRING_CHANGED)
|
---|
352 | pdb_set_workstations(account, new_string, PDB_CHANGED);
|
---|
353 | }
|
---|
354 |
|
---|
355 | if (delta->hdr_profile.buffer) {
|
---|
356 | old_string = pdb_get_profile_path(account);
|
---|
357 | new_string = unistr2_static(&delta->uni_profile);
|
---|
358 |
|
---|
359 | if (STRING_CHANGED)
|
---|
360 | pdb_set_profile_path(account, new_string, PDB_CHANGED);
|
---|
361 | }
|
---|
362 |
|
---|
363 | if (delta->hdr_parameters.buffer) {
|
---|
364 | DATA_BLOB mung;
|
---|
365 | char *newstr;
|
---|
366 | old_string = pdb_get_munged_dial(account);
|
---|
367 | mung.length = delta->hdr_parameters.uni_str_len;
|
---|
368 | mung.data = (uint8 *) delta->uni_parameters.buffer;
|
---|
369 | newstr = (mung.length == 0) ? NULL : base64_encode_data_blob(mung);
|
---|
370 |
|
---|
371 | if (STRING_CHANGED_NC(old_string, newstr))
|
---|
372 | pdb_set_munged_dial(account, newstr, PDB_CHANGED);
|
---|
373 | SAFE_FREE(newstr);
|
---|
374 | }
|
---|
375 |
|
---|
376 | /* User and group sid */
|
---|
377 | if (pdb_get_user_rid(account) != delta->user_rid)
|
---|
378 | pdb_set_user_sid_from_rid(account, delta->user_rid, PDB_CHANGED);
|
---|
379 | if (pdb_get_group_rid(account) != delta->group_rid)
|
---|
380 | pdb_set_group_sid_from_rid(account, delta->group_rid, PDB_CHANGED);
|
---|
381 |
|
---|
382 | /* Logon and password information */
|
---|
383 | if (!nt_time_is_zero(&delta->logon_time)) {
|
---|
384 | unix_time = nt_time_to_unix(delta->logon_time);
|
---|
385 | stored_time = pdb_get_logon_time(account);
|
---|
386 | if (stored_time != unix_time)
|
---|
387 | pdb_set_logon_time(account, unix_time, PDB_CHANGED);
|
---|
388 | }
|
---|
389 |
|
---|
390 | if (!nt_time_is_zero(&delta->logoff_time)) {
|
---|
391 | unix_time = nt_time_to_unix(delta->logoff_time);
|
---|
392 | stored_time = pdb_get_logoff_time(account);
|
---|
393 | if (stored_time != unix_time)
|
---|
394 | pdb_set_logoff_time(account, unix_time,PDB_CHANGED);
|
---|
395 | }
|
---|
396 |
|
---|
397 | /* Logon Divs */
|
---|
398 | if (pdb_get_logon_divs(account) != delta->logon_divs)
|
---|
399 | pdb_set_logon_divs(account, delta->logon_divs, PDB_CHANGED);
|
---|
400 |
|
---|
401 | /* Max Logon Hours */
|
---|
402 | if (delta->unknown1 != pdb_get_unknown_6(account)) {
|
---|
403 | pdb_set_unknown_6(account, delta->unknown1, PDB_CHANGED);
|
---|
404 | }
|
---|
405 |
|
---|
406 | /* Logon Hours Len */
|
---|
407 | if (delta->buf_logon_hrs.buf_len != pdb_get_hours_len(account)) {
|
---|
408 | pdb_set_hours_len(account, delta->buf_logon_hrs.buf_len, PDB_CHANGED);
|
---|
409 | }
|
---|
410 |
|
---|
411 | /* Logon Hours */
|
---|
412 | if (delta->buf_logon_hrs.buffer) {
|
---|
413 | pstring oldstr, newstr;
|
---|
414 | pdb_sethexhours(oldstr, pdb_get_hours(account));
|
---|
415 | pdb_sethexhours(newstr, delta->buf_logon_hrs.buffer);
|
---|
416 | if (!strequal(oldstr, newstr))
|
---|
417 | pdb_set_hours(account, (const uint8 *)delta->buf_logon_hrs.buffer, PDB_CHANGED);
|
---|
418 | }
|
---|
419 |
|
---|
420 | if (pdb_get_bad_password_count(account) != delta->bad_pwd_count)
|
---|
421 | pdb_set_bad_password_count(account, delta->bad_pwd_count, PDB_CHANGED);
|
---|
422 |
|
---|
423 | if (pdb_get_logon_count(account) != delta->logon_count)
|
---|
424 | pdb_set_logon_count(account, delta->logon_count, PDB_CHANGED);
|
---|
425 |
|
---|
426 | if (!nt_time_is_zero(&delta->pwd_last_set_time)) {
|
---|
427 | unix_time = nt_time_to_unix(delta->pwd_last_set_time);
|
---|
428 | stored_time = pdb_get_pass_last_set_time(account);
|
---|
429 | if (stored_time != unix_time)
|
---|
430 | pdb_set_pass_last_set_time(account, unix_time, PDB_CHANGED);
|
---|
431 | } else {
|
---|
432 | /* no last set time, make it now */
|
---|
433 | pdb_set_pass_last_set_time(account, time(NULL), PDB_CHANGED);
|
---|
434 | }
|
---|
435 |
|
---|
436 | #if 0
|
---|
437 | /* No kickoff time in the delta? */
|
---|
438 | if (!nt_time_is_zero(&delta->kickoff_time)) {
|
---|
439 | unix_time = nt_time_to_unix(&delta->kickoff_time);
|
---|
440 | stored_time = pdb_get_kickoff_time(account);
|
---|
441 | if (stored_time != unix_time)
|
---|
442 | pdb_set_kickoff_time(account, unix_time, PDB_CHANGED);
|
---|
443 | }
|
---|
444 | #endif
|
---|
445 |
|
---|
446 | /* Decode hashes from password hash
|
---|
447 | Note that win2000 may send us all zeros for the hashes if it doesn't
|
---|
448 | think this channel is secure enough - don't set the passwords at all
|
---|
449 | in that case
|
---|
450 | */
|
---|
451 | if (memcmp(delta->pass.buf_lm_pwd, zero_buf, 16) != 0) {
|
---|
452 | sam_pwd_hash(delta->user_rid, delta->pass.buf_lm_pwd, lm_passwd, 0);
|
---|
453 | pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
|
---|
454 | }
|
---|
455 |
|
---|
456 | if (memcmp(delta->pass.buf_nt_pwd, zero_buf, 16) != 0) {
|
---|
457 | sam_pwd_hash(delta->user_rid, delta->pass.buf_nt_pwd, nt_passwd, 0);
|
---|
458 | pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
|
---|
459 | }
|
---|
460 |
|
---|
461 | /* TODO: account expiry time */
|
---|
462 |
|
---|
463 | pdb_set_acct_ctrl(account, delta->acb_info, PDB_CHANGED);
|
---|
464 |
|
---|
465 | pdb_set_domain(account, lp_workgroup(), PDB_CHANGED);
|
---|
466 |
|
---|
467 | return NT_STATUS_OK;
|
---|
468 | }
|
---|
469 |
|
---|
470 | static NTSTATUS fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
|
---|
471 | {
|
---|
472 | NTSTATUS nt_ret = NT_STATUS_UNSUCCESSFUL;
|
---|
473 | fstring account;
|
---|
474 | pstring add_script;
|
---|
475 | struct samu *sam_account=NULL;
|
---|
476 | GROUP_MAP map;
|
---|
477 | struct group *grp;
|
---|
478 | DOM_SID user_sid;
|
---|
479 | DOM_SID group_sid;
|
---|
480 | struct passwd *passwd;
|
---|
481 | fstring sid_string;
|
---|
482 |
|
---|
483 | fstrcpy(account, unistr2_static(&delta->uni_acct_name));
|
---|
484 | d_printf("Creating account: %s\n", account);
|
---|
485 |
|
---|
486 | if ( !(sam_account = samu_new( NULL )) ) {
|
---|
487 | return NT_STATUS_NO_MEMORY;
|
---|
488 | }
|
---|
489 |
|
---|
490 | if (!(passwd = Get_Pwnam(account))) {
|
---|
491 | /* Create appropriate user */
|
---|
492 | if (delta->acb_info & ACB_NORMAL) {
|
---|
493 | pstrcpy(add_script, lp_adduser_script());
|
---|
494 | } else if ( (delta->acb_info & ACB_WSTRUST) ||
|
---|
495 | (delta->acb_info & ACB_SVRTRUST) ||
|
---|
496 | (delta->acb_info & ACB_DOMTRUST) ) {
|
---|
497 | pstrcpy(add_script, lp_addmachine_script());
|
---|
498 | } else {
|
---|
499 | DEBUG(1, ("Unknown user type: %s\n",
|
---|
500 | pdb_encode_acct_ctrl(delta->acb_info, NEW_PW_FORMAT_SPACE_PADDED_LEN)));
|
---|
501 | nt_ret = NT_STATUS_UNSUCCESSFUL;
|
---|
502 | goto done;
|
---|
503 | }
|
---|
504 | if (*add_script) {
|
---|
505 | int add_ret;
|
---|
506 | all_string_sub(add_script, "%u", account,
|
---|
507 | sizeof(account));
|
---|
508 | add_ret = smbrun(add_script,NULL);
|
---|
509 | DEBUG(add_ret ? 0 : 1,("fetch_account: Running the command `%s' "
|
---|
510 | "gave %d\n", add_script, add_ret));
|
---|
511 | if (add_ret == 0) {
|
---|
512 | smb_nscd_flush_user_cache();
|
---|
513 | }
|
---|
514 | }
|
---|
515 |
|
---|
516 | /* try and find the possible unix account again */
|
---|
517 | if ( !(passwd = Get_Pwnam(account)) ) {
|
---|
518 | d_fprintf(stderr, "Could not create posix account info for '%s'\n", account);
|
---|
519 | nt_ret = NT_STATUS_NO_SUCH_USER;
|
---|
520 | goto done;
|
---|
521 | }
|
---|
522 | }
|
---|
523 |
|
---|
524 | sid_copy(&user_sid, get_global_sam_sid());
|
---|
525 | sid_append_rid(&user_sid, delta->user_rid);
|
---|
526 |
|
---|
527 | DEBUG(3, ("Attempting to find SID %s for user %s in the passdb\n", sid_to_string(sid_string, &user_sid), account));
|
---|
528 | if (!pdb_getsampwsid(sam_account, &user_sid)) {
|
---|
529 | sam_account_from_delta(sam_account, delta);
|
---|
530 | DEBUG(3, ("Attempting to add user SID %s for user %s in the passdb\n",
|
---|
531 | sid_to_string(sid_string, &user_sid), pdb_get_username(sam_account)));
|
---|
532 | if (!NT_STATUS_IS_OK(pdb_add_sam_account(sam_account))) {
|
---|
533 | DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
|
---|
534 | account));
|
---|
535 | return NT_STATUS_ACCESS_DENIED;
|
---|
536 | }
|
---|
537 | } else {
|
---|
538 | sam_account_from_delta(sam_account, delta);
|
---|
539 | DEBUG(3, ("Attempting to update user SID %s for user %s in the passdb\n",
|
---|
540 | sid_to_string(sid_string, &user_sid), pdb_get_username(sam_account)));
|
---|
541 | if (!NT_STATUS_IS_OK(pdb_update_sam_account(sam_account))) {
|
---|
542 | DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
|
---|
543 | account));
|
---|
544 | TALLOC_FREE(sam_account);
|
---|
545 | return NT_STATUS_ACCESS_DENIED;
|
---|
546 | }
|
---|
547 | }
|
---|
548 |
|
---|
549 | if (pdb_get_group_sid(sam_account) == NULL) {
|
---|
550 | return NT_STATUS_UNSUCCESSFUL;
|
---|
551 | }
|
---|
552 |
|
---|
553 | group_sid = *pdb_get_group_sid(sam_account);
|
---|
554 |
|
---|
555 | if (!pdb_getgrsid(&map, group_sid)) {
|
---|
556 | DEBUG(0, ("Primary group of %s has no mapping!\n",
|
---|
557 | pdb_get_username(sam_account)));
|
---|
558 | } else {
|
---|
559 | if (map.gid != passwd->pw_gid) {
|
---|
560 | if (!(grp = getgrgid(map.gid))) {
|
---|
561 | DEBUG(0, ("Could not find unix group %lu for user %s (group SID=%s)\n",
|
---|
562 | (unsigned long)map.gid, pdb_get_username(sam_account), sid_string_static(&group_sid)));
|
---|
563 | } else {
|
---|
564 | smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
|
---|
565 | }
|
---|
566 | }
|
---|
567 | }
|
---|
568 |
|
---|
569 | if ( !passwd ) {
|
---|
570 | DEBUG(1, ("No unix user for this account (%s), cannot adjust mappings\n",
|
---|
571 | pdb_get_username(sam_account)));
|
---|
572 | }
|
---|
573 |
|
---|
574 | done:
|
---|
575 | TALLOC_FREE(sam_account);
|
---|
576 | return nt_ret;
|
---|
577 | }
|
---|
578 |
|
---|
579 | static NTSTATUS fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta)
|
---|
580 | {
|
---|
581 | fstring name;
|
---|
582 | fstring comment;
|
---|
583 | struct group *grp = NULL;
|
---|
584 | DOM_SID group_sid;
|
---|
585 | fstring sid_string;
|
---|
586 | GROUP_MAP map;
|
---|
587 | BOOL insert = True;
|
---|
588 |
|
---|
589 | unistr2_to_ascii(name, &delta->uni_grp_name, sizeof(name)-1);
|
---|
590 | unistr2_to_ascii(comment, &delta->uni_grp_desc, sizeof(comment)-1);
|
---|
591 |
|
---|
592 | /* add the group to the mapping table */
|
---|
593 | sid_copy(&group_sid, get_global_sam_sid());
|
---|
594 | sid_append_rid(&group_sid, rid);
|
---|
595 | sid_to_string(sid_string, &group_sid);
|
---|
596 |
|
---|
597 | if (pdb_getgrsid(&map, group_sid)) {
|
---|
598 | if ( map.gid != -1 )
|
---|
599 | grp = getgrgid(map.gid);
|
---|
600 | insert = False;
|
---|
601 | }
|
---|
602 |
|
---|
603 | if (grp == NULL) {
|
---|
604 | gid_t gid;
|
---|
605 |
|
---|
606 | /* No group found from mapping, find it from its name. */
|
---|
607 | if ((grp = getgrnam(name)) == NULL) {
|
---|
608 |
|
---|
609 | /* No appropriate group found, create one */
|
---|
610 |
|
---|
611 | d_printf("Creating unix group: '%s'\n", name);
|
---|
612 |
|
---|
613 | if (smb_create_group(name, &gid) != 0)
|
---|
614 | return NT_STATUS_ACCESS_DENIED;
|
---|
615 |
|
---|
616 | if ((grp = getgrnam(name)) == NULL)
|
---|
617 | return NT_STATUS_ACCESS_DENIED;
|
---|
618 | }
|
---|
619 | }
|
---|
620 |
|
---|
621 | map.gid = grp->gr_gid;
|
---|
622 | map.sid = group_sid;
|
---|
623 | map.sid_name_use = SID_NAME_DOM_GRP;
|
---|
624 | fstrcpy(map.nt_name, name);
|
---|
625 | if (delta->hdr_grp_desc.buffer) {
|
---|
626 | fstrcpy(map.comment, comment);
|
---|
627 | } else {
|
---|
628 | fstrcpy(map.comment, "");
|
---|
629 | }
|
---|
630 |
|
---|
631 | if (insert)
|
---|
632 | pdb_add_group_mapping_entry(&map);
|
---|
633 | else
|
---|
634 | pdb_update_group_mapping_entry(&map);
|
---|
635 |
|
---|
636 | return NT_STATUS_OK;
|
---|
637 | }
|
---|
638 |
|
---|
639 | static NTSTATUS fetch_group_mem_info(uint32 rid, SAM_GROUP_MEM_INFO *delta)
|
---|
640 | {
|
---|
641 | int i;
|
---|
642 | TALLOC_CTX *t = NULL;
|
---|
643 | char **nt_members = NULL;
|
---|
644 | char **unix_members;
|
---|
645 | DOM_SID group_sid;
|
---|
646 | GROUP_MAP map;
|
---|
647 | struct group *grp;
|
---|
648 |
|
---|
649 | if (delta->num_members == 0) {
|
---|
650 | return NT_STATUS_OK;
|
---|
651 | }
|
---|
652 |
|
---|
653 | sid_copy(&group_sid, get_global_sam_sid());
|
---|
654 | sid_append_rid(&group_sid, rid);
|
---|
655 |
|
---|
656 | if (!get_domain_group_from_sid(group_sid, &map)) {
|
---|
657 | DEBUG(0, ("Could not find global group %d\n", rid));
|
---|
658 | return NT_STATUS_NO_SUCH_GROUP;
|
---|
659 | }
|
---|
660 |
|
---|
661 | if (!(grp = getgrgid(map.gid))) {
|
---|
662 | DEBUG(0, ("Could not find unix group %lu\n", (unsigned long)map.gid));
|
---|
663 | return NT_STATUS_NO_SUCH_GROUP;
|
---|
664 | }
|
---|
665 |
|
---|
666 | d_printf("Group members of %s: ", grp->gr_name);
|
---|
667 |
|
---|
668 | if (!(t = talloc_init("fetch_group_mem_info"))) {
|
---|
669 | DEBUG(0, ("could not talloc_init\n"));
|
---|
670 | return NT_STATUS_NO_MEMORY;
|
---|
671 | }
|
---|
672 |
|
---|
673 | if (delta->num_members) {
|
---|
674 | if ((nt_members = TALLOC_ZERO_ARRAY(t, char *, delta->num_members)) == NULL) {
|
---|
675 | DEBUG(0, ("talloc failed\n"));
|
---|
676 | talloc_free(t);
|
---|
677 | return NT_STATUS_NO_MEMORY;
|
---|
678 | }
|
---|
679 | } else {
|
---|
680 | nt_members = NULL;
|
---|
681 | }
|
---|
682 |
|
---|
683 | for (i=0; i<delta->num_members; i++) {
|
---|
684 | struct samu *member = NULL;
|
---|
685 | DOM_SID member_sid;
|
---|
686 |
|
---|
687 | if ( !(member = samu_new(t)) ) {
|
---|
688 | talloc_destroy(t);
|
---|
689 | return NT_STATUS_NO_MEMORY;
|
---|
690 | }
|
---|
691 |
|
---|
692 | sid_copy(&member_sid, get_global_sam_sid());
|
---|
693 | sid_append_rid(&member_sid, delta->rids[i]);
|
---|
694 |
|
---|
695 | if (!pdb_getsampwsid(member, &member_sid)) {
|
---|
696 | DEBUG(1, ("Found bogus group member: %d (member_sid=%s group=%s)\n",
|
---|
697 | delta->rids[i], sid_string_static(&member_sid), grp->gr_name));
|
---|
698 | TALLOC_FREE(member);
|
---|
699 | continue;
|
---|
700 | }
|
---|
701 |
|
---|
702 | if (pdb_get_group_rid(member) == rid) {
|
---|
703 | d_printf("%s(primary),", pdb_get_username(member));
|
---|
704 | TALLOC_FREE(member);
|
---|
705 | continue;
|
---|
706 | }
|
---|
707 |
|
---|
708 | d_printf("%s,", pdb_get_username(member));
|
---|
709 | nt_members[i] = talloc_strdup(t, pdb_get_username(member));
|
---|
710 | TALLOC_FREE(member);
|
---|
711 | }
|
---|
712 |
|
---|
713 | d_printf("\n");
|
---|
714 |
|
---|
715 | unix_members = grp->gr_mem;
|
---|
716 |
|
---|
717 | while (*unix_members) {
|
---|
718 | BOOL is_nt_member = False;
|
---|
719 | for (i=0; i<delta->num_members; i++) {
|
---|
720 | if (nt_members[i] == NULL) {
|
---|
721 | /* This was a primary group */
|
---|
722 | continue;
|
---|
723 | }
|
---|
724 |
|
---|
725 | if (strcmp(*unix_members, nt_members[i]) == 0) {
|
---|
726 | is_nt_member = True;
|
---|
727 | break;
|
---|
728 | }
|
---|
729 | }
|
---|
730 | if (!is_nt_member) {
|
---|
731 | /* We look at a unix group member that is not
|
---|
732 | an nt group member. So, remove it. NT is
|
---|
733 | boss here. */
|
---|
734 | smb_delete_user_group(grp->gr_name, *unix_members);
|
---|
735 | }
|
---|
736 | unix_members += 1;
|
---|
737 | }
|
---|
738 |
|
---|
739 | for (i=0; i<delta->num_members; i++) {
|
---|
740 | BOOL is_unix_member = False;
|
---|
741 |
|
---|
742 | if (nt_members[i] == NULL) {
|
---|
743 | /* This was the primary group */
|
---|
744 | continue;
|
---|
745 | }
|
---|
746 |
|
---|
747 | unix_members = grp->gr_mem;
|
---|
748 |
|
---|
749 | while (*unix_members) {
|
---|
750 | if (strcmp(*unix_members, nt_members[i]) == 0) {
|
---|
751 | is_unix_member = True;
|
---|
752 | break;
|
---|
753 | }
|
---|
754 | unix_members += 1;
|
---|
755 | }
|
---|
756 |
|
---|
757 | if (!is_unix_member) {
|
---|
758 | /* We look at a nt group member that is not a
|
---|
759 | unix group member currently. So, add the nt
|
---|
760 | group member. */
|
---|
761 | smb_add_user_group(grp->gr_name, nt_members[i]);
|
---|
762 | }
|
---|
763 | }
|
---|
764 |
|
---|
765 | talloc_destroy(t);
|
---|
766 | return NT_STATUS_OK;
|
---|
767 | }
|
---|
768 |
|
---|
769 | static NTSTATUS fetch_alias_info(uint32 rid, SAM_ALIAS_INFO *delta,
|
---|
770 | DOM_SID dom_sid)
|
---|
771 | {
|
---|
772 | fstring name;
|
---|
773 | fstring comment;
|
---|
774 | struct group *grp = NULL;
|
---|
775 | DOM_SID alias_sid;
|
---|
776 | fstring sid_string;
|
---|
777 | GROUP_MAP map;
|
---|
778 | BOOL insert = True;
|
---|
779 |
|
---|
780 | unistr2_to_ascii(name, &delta->uni_als_name, sizeof(name)-1);
|
---|
781 | unistr2_to_ascii(comment, &delta->uni_als_desc, sizeof(comment)-1);
|
---|
782 |
|
---|
783 | /* Find out whether the group is already mapped */
|
---|
784 | sid_copy(&alias_sid, &dom_sid);
|
---|
785 | sid_append_rid(&alias_sid, rid);
|
---|
786 | sid_to_string(sid_string, &alias_sid);
|
---|
787 |
|
---|
788 | if (pdb_getgrsid(&map, alias_sid)) {
|
---|
789 | grp = getgrgid(map.gid);
|
---|
790 | insert = False;
|
---|
791 | }
|
---|
792 |
|
---|
793 | if (grp == NULL) {
|
---|
794 | gid_t gid;
|
---|
795 |
|
---|
796 | /* No group found from mapping, find it from its name. */
|
---|
797 | if ((grp = getgrnam(name)) == NULL) {
|
---|
798 | /* No appropriate group found, create one */
|
---|
799 | d_printf("Creating unix group: '%s'\n", name);
|
---|
800 | if (smb_create_group(name, &gid) != 0)
|
---|
801 | return NT_STATUS_ACCESS_DENIED;
|
---|
802 | if ((grp = getgrgid(gid)) == NULL)
|
---|
803 | return NT_STATUS_ACCESS_DENIED;
|
---|
804 | }
|
---|
805 | }
|
---|
806 |
|
---|
807 | map.gid = grp->gr_gid;
|
---|
808 | map.sid = alias_sid;
|
---|
809 |
|
---|
810 | if (sid_equal(&dom_sid, &global_sid_Builtin))
|
---|
811 | map.sid_name_use = SID_NAME_WKN_GRP;
|
---|
812 | else
|
---|
813 | map.sid_name_use = SID_NAME_ALIAS;
|
---|
814 |
|
---|
815 | fstrcpy(map.nt_name, name);
|
---|
816 | fstrcpy(map.comment, comment);
|
---|
817 |
|
---|
818 | if (insert)
|
---|
819 | pdb_add_group_mapping_entry(&map);
|
---|
820 | else
|
---|
821 | pdb_update_group_mapping_entry(&map);
|
---|
822 |
|
---|
823 | return NT_STATUS_OK;
|
---|
824 | }
|
---|
825 |
|
---|
826 | static NTSTATUS fetch_alias_mem(uint32 rid, SAM_ALIAS_MEM_INFO *delta, DOM_SID dom_sid)
|
---|
827 | {
|
---|
828 | return NT_STATUS_OK;
|
---|
829 | }
|
---|
830 |
|
---|
831 | static NTSTATUS fetch_domain_info(uint32 rid, SAM_DOMAIN_INFO *delta)
|
---|
832 | {
|
---|
833 | time_t u_max_age, u_min_age, u_logout, u_lockoutreset, u_lockouttime;
|
---|
834 | NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
|
---|
835 | pstring domname;
|
---|
836 |
|
---|
837 | u_max_age = uint64s_nt_time_to_unix_abs(&delta->max_pwd_age);
|
---|
838 | u_min_age = uint64s_nt_time_to_unix_abs(&delta->min_pwd_age);
|
---|
839 | u_logout = uint64s_nt_time_to_unix_abs(&delta->force_logoff);
|
---|
840 | u_lockoutreset = uint64s_nt_time_to_unix_abs(&delta->account_lockout.reset_count);
|
---|
841 | u_lockouttime = uint64s_nt_time_to_unix_abs(&delta->account_lockout.lockout_duration);
|
---|
842 |
|
---|
843 | unistr2_to_ascii(domname, &delta->uni_dom_name, sizeof(domname) - 1);
|
---|
844 |
|
---|
845 | /* we don't handle BUILTIN account policies */
|
---|
846 | if (!strequal(domname, get_global_sam_name())) {
|
---|
847 | printf("skipping SAM_DOMAIN_INFO delta for '%s' (is not my domain)\n", domname);
|
---|
848 | return NT_STATUS_OK;
|
---|
849 | }
|
---|
850 |
|
---|
851 |
|
---|
852 | if (!pdb_set_account_policy(AP_PASSWORD_HISTORY, delta->pwd_history_len))
|
---|
853 | return nt_status;
|
---|
854 |
|
---|
855 | if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
|
---|
856 | return nt_status;
|
---|
857 |
|
---|
858 | if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
|
---|
859 | return nt_status;
|
---|
860 |
|
---|
861 | if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
|
---|
862 | return nt_status;
|
---|
863 |
|
---|
864 | if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout))
|
---|
865 | return nt_status;
|
---|
866 |
|
---|
867 | if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
|
---|
868 | return nt_status;
|
---|
869 |
|
---|
870 | if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
|
---|
871 | return nt_status;
|
---|
872 |
|
---|
873 | if (u_lockouttime != -1)
|
---|
874 | u_lockouttime /= 60;
|
---|
875 |
|
---|
876 | if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
|
---|
877 | return nt_status;
|
---|
878 |
|
---|
879 | if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
|
---|
880 | return nt_status;
|
---|
881 |
|
---|
882 | return NT_STATUS_OK;
|
---|
883 | }
|
---|
884 |
|
---|
885 |
|
---|
886 | static void fetch_sam_entry(SAM_DELTA_HDR *hdr_delta, SAM_DELTA_CTR *delta,
|
---|
887 | DOM_SID dom_sid)
|
---|
888 | {
|
---|
889 | switch(hdr_delta->type) {
|
---|
890 | case SAM_DELTA_ACCOUNT_INFO:
|
---|
891 | fetch_account_info(hdr_delta->target_rid,
|
---|
892 | &delta->account_info);
|
---|
893 | break;
|
---|
894 | case SAM_DELTA_GROUP_INFO:
|
---|
895 | fetch_group_info(hdr_delta->target_rid,
|
---|
896 | &delta->group_info);
|
---|
897 | break;
|
---|
898 | case SAM_DELTA_GROUP_MEM:
|
---|
899 | fetch_group_mem_info(hdr_delta->target_rid,
|
---|
900 | &delta->grp_mem_info);
|
---|
901 | break;
|
---|
902 | case SAM_DELTA_ALIAS_INFO:
|
---|
903 | fetch_alias_info(hdr_delta->target_rid,
|
---|
904 | &delta->alias_info, dom_sid);
|
---|
905 | break;
|
---|
906 | case SAM_DELTA_ALIAS_MEM:
|
---|
907 | fetch_alias_mem(hdr_delta->target_rid,
|
---|
908 | &delta->als_mem_info, dom_sid);
|
---|
909 | break;
|
---|
910 | case SAM_DELTA_DOMAIN_INFO:
|
---|
911 | fetch_domain_info(hdr_delta->target_rid,
|
---|
912 | &delta->domain_info);
|
---|
913 | break;
|
---|
914 | /* The following types are recognised but not handled */
|
---|
915 | case SAM_DELTA_RENAME_GROUP:
|
---|
916 | d_printf("SAM_DELTA_RENAME_GROUP not handled\n");
|
---|
917 | break;
|
---|
918 | case SAM_DELTA_RENAME_USER:
|
---|
919 | d_printf("SAM_DELTA_RENAME_USER not handled\n");
|
---|
920 | break;
|
---|
921 | case SAM_DELTA_RENAME_ALIAS:
|
---|
922 | d_printf("SAM_DELTA_RENAME_ALIAS not handled\n");
|
---|
923 | break;
|
---|
924 | case SAM_DELTA_POLICY_INFO:
|
---|
925 | d_printf("SAM_DELTA_POLICY_INFO not handled\n");
|
---|
926 | break;
|
---|
927 | case SAM_DELTA_TRUST_DOMS:
|
---|
928 | d_printf("SAM_DELTA_TRUST_DOMS not handled\n");
|
---|
929 | break;
|
---|
930 | case SAM_DELTA_PRIVS_INFO:
|
---|
931 | d_printf("SAM_DELTA_PRIVS_INFO not handled\n");
|
---|
932 | break;
|
---|
933 | case SAM_DELTA_SECRET_INFO:
|
---|
934 | d_printf("SAM_DELTA_SECRET_INFO not handled\n");
|
---|
935 | break;
|
---|
936 | case SAM_DELTA_DELETE_GROUP:
|
---|
937 | d_printf("SAM_DELTA_DELETE_GROUP not handled\n");
|
---|
938 | break;
|
---|
939 | case SAM_DELTA_DELETE_USER:
|
---|
940 | d_printf("SAM_DELTA_DELETE_USER not handled\n");
|
---|
941 | break;
|
---|
942 | case SAM_DELTA_MODIFIED_COUNT:
|
---|
943 | d_printf("SAM_DELTA_MODIFIED_COUNT not handled\n");
|
---|
944 | break;
|
---|
945 | default:
|
---|
946 | d_printf("Unknown delta record type %d\n", hdr_delta->type);
|
---|
947 | break;
|
---|
948 | }
|
---|
949 | }
|
---|
950 |
|
---|
951 | static NTSTATUS fetch_database(struct rpc_pipe_client *pipe_hnd, uint32 db_type, DOM_SID dom_sid)
|
---|
952 | {
|
---|
953 | uint32 sync_context = 0;
|
---|
954 | NTSTATUS result;
|
---|
955 | int i;
|
---|
956 | TALLOC_CTX *mem_ctx;
|
---|
957 | SAM_DELTA_HDR *hdr_deltas;
|
---|
958 | SAM_DELTA_CTR *deltas;
|
---|
959 | uint32 num_deltas;
|
---|
960 |
|
---|
961 | if (!(mem_ctx = talloc_init("fetch_database")))
|
---|
962 | return NT_STATUS_NO_MEMORY;
|
---|
963 |
|
---|
964 | switch( db_type ) {
|
---|
965 | case SAM_DATABASE_DOMAIN:
|
---|
966 | d_printf("Fetching DOMAIN database\n");
|
---|
967 | break;
|
---|
968 | case SAM_DATABASE_BUILTIN:
|
---|
969 | d_printf("Fetching BUILTIN database\n");
|
---|
970 | break;
|
---|
971 | case SAM_DATABASE_PRIVS:
|
---|
972 | d_printf("Fetching PRIVS databases\n");
|
---|
973 | break;
|
---|
974 | default:
|
---|
975 | d_printf("Fetching unknown database type %u\n", db_type );
|
---|
976 | break;
|
---|
977 | }
|
---|
978 |
|
---|
979 | do {
|
---|
980 | result = rpccli_netlogon_sam_sync(pipe_hnd, mem_ctx,
|
---|
981 | db_type, sync_context,
|
---|
982 | &num_deltas,
|
---|
983 | &hdr_deltas, &deltas);
|
---|
984 |
|
---|
985 | if (NT_STATUS_IS_OK(result) ||
|
---|
986 | NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
|
---|
987 | for (i = 0; i < num_deltas; i++) {
|
---|
988 | fetch_sam_entry(&hdr_deltas[i], &deltas[i], dom_sid);
|
---|
989 | }
|
---|
990 | } else
|
---|
991 | return result;
|
---|
992 |
|
---|
993 | sync_context += 1;
|
---|
994 | } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
|
---|
995 |
|
---|
996 | talloc_destroy(mem_ctx);
|
---|
997 |
|
---|
998 | return result;
|
---|
999 | }
|
---|
1000 |
|
---|
1001 | static NTSTATUS populate_ldap_for_ldif(fstring sid, const char *suffix, const char
|
---|
1002 | *builtin_sid, FILE *add_fd)
|
---|
1003 | {
|
---|
1004 | const char *user_suffix, *group_suffix, *machine_suffix, *idmap_suffix;
|
---|
1005 | char *user_attr=NULL, *group_attr=NULL;
|
---|
1006 | char *suffix_attr;
|
---|
1007 | int len;
|
---|
1008 |
|
---|
1009 | /* Get the suffix attribute */
|
---|
1010 | suffix_attr = sstring_sub(suffix, '=', ',');
|
---|
1011 | if (suffix_attr == NULL) {
|
---|
1012 | len = strlen(suffix);
|
---|
1013 | suffix_attr = (char*)SMB_MALLOC(len+1);
|
---|
1014 | memcpy(suffix_attr, suffix, len);
|
---|
1015 | suffix_attr[len] = '\0';
|
---|
1016 | }
|
---|
1017 |
|
---|
1018 | /* Write the base */
|
---|
1019 | fprintf(add_fd, "# %s\n", suffix);
|
---|
1020 | fprintf(add_fd, "dn: %s\n", suffix);
|
---|
1021 | fprintf(add_fd, "objectClass: dcObject\n");
|
---|
1022 | fprintf(add_fd, "objectClass: organization\n");
|
---|
1023 | fprintf(add_fd, "o: %s\n", suffix_attr);
|
---|
1024 | fprintf(add_fd, "dc: %s\n", suffix_attr);
|
---|
1025 | fprintf(add_fd, "\n");
|
---|
1026 | fflush(add_fd);
|
---|
1027 |
|
---|
1028 | user_suffix = lp_ldap_user_suffix();
|
---|
1029 | if (user_suffix == NULL) {
|
---|
1030 | SAFE_FREE(suffix_attr);
|
---|
1031 | return NT_STATUS_NO_MEMORY;
|
---|
1032 | }
|
---|
1033 | /* If it exists and is distinct from other containers,
|
---|
1034 | Write the Users entity */
|
---|
1035 | if (*user_suffix && strcmp(user_suffix, suffix)) {
|
---|
1036 | user_attr = sstring_sub(lp_ldap_user_suffix(), '=', ',');
|
---|
1037 | fprintf(add_fd, "# %s\n", user_suffix);
|
---|
1038 | fprintf(add_fd, "dn: %s\n", user_suffix);
|
---|
1039 | fprintf(add_fd, "objectClass: organizationalUnit\n");
|
---|
1040 | fprintf(add_fd, "ou: %s\n", user_attr);
|
---|
1041 | fprintf(add_fd, "\n");
|
---|
1042 | fflush(add_fd);
|
---|
1043 | }
|
---|
1044 |
|
---|
1045 |
|
---|
1046 | group_suffix = lp_ldap_group_suffix();
|
---|
1047 | if (group_suffix == NULL) {
|
---|
1048 | SAFE_FREE(suffix_attr);
|
---|
1049 | SAFE_FREE(user_attr);
|
---|
1050 | return NT_STATUS_NO_MEMORY;
|
---|
1051 | }
|
---|
1052 | /* If it exists and is distinct from other containers,
|
---|
1053 | Write the Groups entity */
|
---|
1054 | if (*group_suffix && strcmp(group_suffix, suffix)) {
|
---|
1055 | group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
|
---|
1056 | fprintf(add_fd, "# %s\n", group_suffix);
|
---|
1057 | fprintf(add_fd, "dn: %s\n", group_suffix);
|
---|
1058 | fprintf(add_fd, "objectClass: organizationalUnit\n");
|
---|
1059 | fprintf(add_fd, "ou: %s\n", group_attr);
|
---|
1060 | fprintf(add_fd, "\n");
|
---|
1061 | fflush(add_fd);
|
---|
1062 | }
|
---|
1063 |
|
---|
1064 | /* If it exists and is distinct from other containers,
|
---|
1065 | Write the Computers entity */
|
---|
1066 | machine_suffix = lp_ldap_machine_suffix();
|
---|
1067 | if (machine_suffix == NULL) {
|
---|
1068 | SAFE_FREE(suffix_attr);
|
---|
1069 | SAFE_FREE(user_attr);
|
---|
1070 | SAFE_FREE(group_attr);
|
---|
1071 | return NT_STATUS_NO_MEMORY;
|
---|
1072 | }
|
---|
1073 | if (*machine_suffix && strcmp(machine_suffix, user_suffix) &&
|
---|
1074 | strcmp(machine_suffix, suffix)) {
|
---|
1075 | char *machine_ou = NULL;
|
---|
1076 | fprintf(add_fd, "# %s\n", machine_suffix);
|
---|
1077 | fprintf(add_fd, "dn: %s\n", machine_suffix);
|
---|
1078 | fprintf(add_fd, "objectClass: organizationalUnit\n");
|
---|
1079 | /* this isn't totally correct as it assumes that
|
---|
1080 | there _must_ be an ou. just fixing memleak now. jmcd */
|
---|
1081 | machine_ou = sstring_sub(lp_ldap_machine_suffix(), '=', ',');
|
---|
1082 | fprintf(add_fd, "ou: %s\n", machine_ou);
|
---|
1083 | SAFE_FREE(machine_ou);
|
---|
1084 | fprintf(add_fd, "\n");
|
---|
1085 | fflush(add_fd);
|
---|
1086 | }
|
---|
1087 |
|
---|
1088 | /* If it exists and is distinct from other containers,
|
---|
1089 | Write the IdMap entity */
|
---|
1090 | idmap_suffix = lp_ldap_idmap_suffix();
|
---|
1091 | if (idmap_suffix == NULL) {
|
---|
1092 | SAFE_FREE(suffix_attr);
|
---|
1093 | SAFE_FREE(user_attr);
|
---|
1094 | SAFE_FREE(group_attr);
|
---|
1095 | return NT_STATUS_NO_MEMORY;
|
---|
1096 | }
|
---|
1097 | if (*idmap_suffix &&
|
---|
1098 | strcmp(idmap_suffix, user_suffix) &&
|
---|
1099 | strcmp(idmap_suffix, suffix)) {
|
---|
1100 | char *s;
|
---|
1101 | fprintf(add_fd, "# %s\n", idmap_suffix);
|
---|
1102 | fprintf(add_fd, "dn: %s\n", idmap_suffix);
|
---|
1103 | fprintf(add_fd, "ObjectClass: organizationalUnit\n");
|
---|
1104 | s = sstring_sub(lp_ldap_idmap_suffix(), '=', ',');
|
---|
1105 | fprintf(add_fd, "ou: %s\n", s);
|
---|
1106 | SAFE_FREE(s);
|
---|
1107 | fprintf(add_fd, "\n");
|
---|
1108 | fflush(add_fd);
|
---|
1109 | }
|
---|
1110 |
|
---|
1111 | /* Write the domain entity */
|
---|
1112 | fprintf(add_fd, "# %s, %s\n", lp_workgroup(), suffix);
|
---|
1113 | fprintf(add_fd, "dn: sambaDomainName=%s,%s\n", lp_workgroup(),
|
---|
1114 | suffix);
|
---|
1115 | fprintf(add_fd, "objectClass: sambaDomain\n");
|
---|
1116 | fprintf(add_fd, "objectClass: sambaUnixIdPool\n");
|
---|
1117 | fprintf(add_fd, "sambaDomainName: %s\n", lp_workgroup());
|
---|
1118 | fprintf(add_fd, "sambaSID: %s\n", sid);
|
---|
1119 | fprintf(add_fd, "uidNumber: %d\n", ++ldif_uid);
|
---|
1120 | fprintf(add_fd, "gidNumber: %d\n", ++ldif_gid);
|
---|
1121 | fprintf(add_fd, "\n");
|
---|
1122 | fflush(add_fd);
|
---|
1123 |
|
---|
1124 | /* Write the Domain Admins entity */
|
---|
1125 | fprintf(add_fd, "# Domain Admins, %s, %s\n", group_attr,
|
---|
1126 | suffix);
|
---|
1127 | fprintf(add_fd, "dn: cn=Domain Admins,ou=%s,%s\n", group_attr,
|
---|
1128 | suffix);
|
---|
1129 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1130 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1131 | fprintf(add_fd, "cn: Domain Admins\n");
|
---|
1132 | fprintf(add_fd, "memberUid: Administrator\n");
|
---|
1133 | fprintf(add_fd, "description: Netbios Domain Administrators\n");
|
---|
1134 | fprintf(add_fd, "gidNumber: 512\n");
|
---|
1135 | fprintf(add_fd, "sambaSID: %s-512\n", sid);
|
---|
1136 | fprintf(add_fd, "sambaGroupType: 2\n");
|
---|
1137 | fprintf(add_fd, "displayName: Domain Admins\n");
|
---|
1138 | fprintf(add_fd, "\n");
|
---|
1139 | fflush(add_fd);
|
---|
1140 |
|
---|
1141 | /* Write the Domain Users entity */
|
---|
1142 | fprintf(add_fd, "# Domain Users, %s, %s\n", group_attr,
|
---|
1143 | suffix);
|
---|
1144 | fprintf(add_fd, "dn: cn=Domain Users,ou=%s,%s\n", group_attr,
|
---|
1145 | suffix);
|
---|
1146 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1147 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1148 | fprintf(add_fd, "cn: Domain Users\n");
|
---|
1149 | fprintf(add_fd, "description: Netbios Domain Users\n");
|
---|
1150 | fprintf(add_fd, "gidNumber: 513\n");
|
---|
1151 | fprintf(add_fd, "sambaSID: %s-513\n", sid);
|
---|
1152 | fprintf(add_fd, "sambaGroupType: 2\n");
|
---|
1153 | fprintf(add_fd, "displayName: Domain Users\n");
|
---|
1154 | fprintf(add_fd, "\n");
|
---|
1155 | fflush(add_fd);
|
---|
1156 |
|
---|
1157 | /* Write the Domain Guests entity */
|
---|
1158 | fprintf(add_fd, "# Domain Guests, %s, %s\n", group_attr,
|
---|
1159 | suffix);
|
---|
1160 | fprintf(add_fd, "dn: cn=Domain Guests,ou=%s,%s\n", group_attr,
|
---|
1161 | suffix);
|
---|
1162 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1163 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1164 | fprintf(add_fd, "cn: Domain Guests\n");
|
---|
1165 | fprintf(add_fd, "description: Netbios Domain Guests\n");
|
---|
1166 | fprintf(add_fd, "gidNumber: 514\n");
|
---|
1167 | fprintf(add_fd, "sambaSID: %s-514\n", sid);
|
---|
1168 | fprintf(add_fd, "sambaGroupType: 2\n");
|
---|
1169 | fprintf(add_fd, "displayName: Domain Guests\n");
|
---|
1170 | fprintf(add_fd, "\n");
|
---|
1171 | fflush(add_fd);
|
---|
1172 |
|
---|
1173 | /* Write the Domain Computers entity */
|
---|
1174 | fprintf(add_fd, "# Domain Computers, %s, %s\n", group_attr,
|
---|
1175 | suffix);
|
---|
1176 | fprintf(add_fd, "dn: cn=Domain Computers,ou=%s,%s\n",
|
---|
1177 | group_attr, suffix);
|
---|
1178 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1179 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1180 | fprintf(add_fd, "gidNumber: 515\n");
|
---|
1181 | fprintf(add_fd, "cn: Domain Computers\n");
|
---|
1182 | fprintf(add_fd, "description: Netbios Domain Computers accounts\n");
|
---|
1183 | fprintf(add_fd, "sambaSID: %s-515\n", sid);
|
---|
1184 | fprintf(add_fd, "sambaGroupType: 2\n");
|
---|
1185 | fprintf(add_fd, "displayName: Domain Computers\n");
|
---|
1186 | fprintf(add_fd, "\n");
|
---|
1187 | fflush(add_fd);
|
---|
1188 |
|
---|
1189 | /* Write the Admininistrators Groups entity */
|
---|
1190 | fprintf(add_fd, "# Administrators, %s, %s\n", group_attr,
|
---|
1191 | suffix);
|
---|
1192 | fprintf(add_fd, "dn: cn=Administrators,ou=%s,%s\n", group_attr,
|
---|
1193 | suffix);
|
---|
1194 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1195 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1196 | fprintf(add_fd, "gidNumber: 544\n");
|
---|
1197 | fprintf(add_fd, "cn: Administrators\n");
|
---|
1198 | fprintf(add_fd, "description: Netbios Domain Members can fully administer the computer/sambaDomainName\n");
|
---|
1199 | fprintf(add_fd, "sambaSID: %s-544\n", builtin_sid);
|
---|
1200 | fprintf(add_fd, "sambaGroupType: 5\n");
|
---|
1201 | fprintf(add_fd, "displayName: Administrators\n");
|
---|
1202 | fprintf(add_fd, "\n");
|
---|
1203 |
|
---|
1204 | /* Write the Print Operator entity */
|
---|
1205 | fprintf(add_fd, "# Print Operators, %s, %s\n", group_attr,
|
---|
1206 | suffix);
|
---|
1207 | fprintf(add_fd, "dn: cn=Print Operators,ou=%s,%s\n",
|
---|
1208 | group_attr, suffix);
|
---|
1209 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1210 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1211 | fprintf(add_fd, "gidNumber: 550\n");
|
---|
1212 | fprintf(add_fd, "cn: Print Operators\n");
|
---|
1213 | fprintf(add_fd, "description: Netbios Domain Print Operators\n");
|
---|
1214 | fprintf(add_fd, "sambaSID: %s-550\n", builtin_sid);
|
---|
1215 | fprintf(add_fd, "sambaGroupType: 5\n");
|
---|
1216 | fprintf(add_fd, "displayName: Print Operators\n");
|
---|
1217 | fprintf(add_fd, "\n");
|
---|
1218 | fflush(add_fd);
|
---|
1219 |
|
---|
1220 | /* Write the Backup Operators entity */
|
---|
1221 | fprintf(add_fd, "# Backup Operators, %s, %s\n", group_attr,
|
---|
1222 | suffix);
|
---|
1223 | fprintf(add_fd, "dn: cn=Backup Operators,ou=%s,%s\n",
|
---|
1224 | group_attr, suffix);
|
---|
1225 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1226 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1227 | fprintf(add_fd, "gidNumber: 551\n");
|
---|
1228 | fprintf(add_fd, "cn: Backup Operators\n");
|
---|
1229 | fprintf(add_fd, "description: Netbios Domain Members can bypass file security to back up files\n");
|
---|
1230 | fprintf(add_fd, "sambaSID: %s-551\n", builtin_sid);
|
---|
1231 | fprintf(add_fd, "sambaGroupType: 5\n");
|
---|
1232 | fprintf(add_fd, "displayName: Backup Operators\n");
|
---|
1233 | fprintf(add_fd, "\n");
|
---|
1234 | fflush(add_fd);
|
---|
1235 |
|
---|
1236 | /* Write the Replicators entity */
|
---|
1237 | fprintf(add_fd, "# Replicators, %s, %s\n", group_attr, suffix);
|
---|
1238 | fprintf(add_fd, "dn: cn=Replicators,ou=%s,%s\n", group_attr,
|
---|
1239 | suffix);
|
---|
1240 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1241 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1242 | fprintf(add_fd, "gidNumber: 552\n");
|
---|
1243 | fprintf(add_fd, "cn: Replicators\n");
|
---|
1244 | fprintf(add_fd, "description: Netbios Domain Supports file replication in a sambaDomainName\n");
|
---|
1245 | fprintf(add_fd, "sambaSID: %s-552\n", builtin_sid);
|
---|
1246 | fprintf(add_fd, "sambaGroupType: 5\n");
|
---|
1247 | fprintf(add_fd, "displayName: Replicators\n");
|
---|
1248 | fprintf(add_fd, "\n");
|
---|
1249 | fflush(add_fd);
|
---|
1250 |
|
---|
1251 | /* Deallocate memory, and return */
|
---|
1252 | SAFE_FREE(suffix_attr);
|
---|
1253 | SAFE_FREE(user_attr);
|
---|
1254 | SAFE_FREE(group_attr);
|
---|
1255 | return NT_STATUS_OK;
|
---|
1256 | }
|
---|
1257 |
|
---|
1258 | static NTSTATUS map_populate_groups(GROUPMAP *groupmap, ACCOUNTMAP *accountmap, fstring sid,
|
---|
1259 | const char *suffix, const char *builtin_sid)
|
---|
1260 | {
|
---|
1261 | char *group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
|
---|
1262 |
|
---|
1263 | /* Map the groups created by populate_ldap_for_ldif */
|
---|
1264 | groupmap[0].rid = 512;
|
---|
1265 | groupmap[0].gidNumber = 512;
|
---|
1266 | pstr_sprintf(groupmap[0].sambaSID, "%s-512", sid);
|
---|
1267 | pstr_sprintf(groupmap[0].group_dn, "cn=Domain Admins,ou=%s,%s",
|
---|
1268 | group_attr, suffix);
|
---|
1269 | accountmap[0].rid = 512;
|
---|
1270 | pstr_sprintf(accountmap[0].cn, "%s", "Domain Admins");
|
---|
1271 |
|
---|
1272 | groupmap[1].rid = 513;
|
---|
1273 | groupmap[1].gidNumber = 513;
|
---|
1274 | pstr_sprintf(groupmap[1].sambaSID, "%s-513", sid);
|
---|
1275 | pstr_sprintf(groupmap[1].group_dn, "cn=Domain Users,ou=%s,%s",
|
---|
1276 | group_attr, suffix);
|
---|
1277 | accountmap[1].rid = 513;
|
---|
1278 | pstr_sprintf(accountmap[1].cn, "%s", "Domain Users");
|
---|
1279 |
|
---|
1280 | groupmap[2].rid = 514;
|
---|
1281 | groupmap[2].gidNumber = 514;
|
---|
1282 | pstr_sprintf(groupmap[2].sambaSID, "%s-514", sid);
|
---|
1283 | pstr_sprintf(groupmap[2].group_dn, "cn=Domain Guests,ou=%s,%s",
|
---|
1284 | group_attr, suffix);
|
---|
1285 | accountmap[2].rid = 514;
|
---|
1286 | pstr_sprintf(accountmap[2].cn, "%s", "Domain Guests");
|
---|
1287 |
|
---|
1288 | groupmap[3].rid = 515;
|
---|
1289 | groupmap[3].gidNumber = 515;
|
---|
1290 | pstr_sprintf(groupmap[3].sambaSID, "%s-515", sid);
|
---|
1291 | pstr_sprintf(groupmap[3].group_dn, "cn=Domain Computers,ou=%s,%s",
|
---|
1292 | group_attr, suffix);
|
---|
1293 | accountmap[3].rid = 515;
|
---|
1294 | pstr_sprintf(accountmap[3].cn, "%s", "Domain Computers");
|
---|
1295 |
|
---|
1296 | groupmap[4].rid = 544;
|
---|
1297 | groupmap[4].gidNumber = 544;
|
---|
1298 | pstr_sprintf(groupmap[4].sambaSID, "%s-544", builtin_sid);
|
---|
1299 | pstr_sprintf(groupmap[4].group_dn, "cn=Administrators,ou=%s,%s",
|
---|
1300 | group_attr, suffix);
|
---|
1301 | accountmap[4].rid = 515;
|
---|
1302 | pstr_sprintf(accountmap[4].cn, "%s", "Administrators");
|
---|
1303 |
|
---|
1304 | groupmap[5].rid = 550;
|
---|
1305 | groupmap[5].gidNumber = 550;
|
---|
1306 | pstr_sprintf(groupmap[5].sambaSID, "%s-550", builtin_sid);
|
---|
1307 | pstr_sprintf(groupmap[5].group_dn, "cn=Print Operators,ou=%s,%s",
|
---|
1308 | group_attr, suffix);
|
---|
1309 | accountmap[5].rid = 550;
|
---|
1310 | pstr_sprintf(accountmap[5].cn, "%s", "Print Operators");
|
---|
1311 |
|
---|
1312 | groupmap[6].rid = 551;
|
---|
1313 | groupmap[6].gidNumber = 551;
|
---|
1314 | pstr_sprintf(groupmap[6].sambaSID, "%s-551", builtin_sid);
|
---|
1315 | pstr_sprintf(groupmap[6].group_dn, "cn=Backup Operators,ou=%s,%s",
|
---|
1316 | group_attr, suffix);
|
---|
1317 | accountmap[6].rid = 551;
|
---|
1318 | pstr_sprintf(accountmap[6].cn, "%s", "Backup Operators");
|
---|
1319 |
|
---|
1320 | groupmap[7].rid = 552;
|
---|
1321 | groupmap[7].gidNumber = 552;
|
---|
1322 | pstr_sprintf(groupmap[7].sambaSID, "%s-552", builtin_sid);
|
---|
1323 | pstr_sprintf(groupmap[7].group_dn, "cn=Replicators,ou=%s,%s",
|
---|
1324 | group_attr, suffix);
|
---|
1325 | accountmap[7].rid = 551;
|
---|
1326 | pstr_sprintf(accountmap[7].cn, "%s", "Replicators");
|
---|
1327 | SAFE_FREE(group_attr);
|
---|
1328 | return NT_STATUS_OK;
|
---|
1329 | }
|
---|
1330 |
|
---|
1331 | /*
|
---|
1332 | * This is a crap routine, but I think it's the quickest way to solve the
|
---|
1333 | * UTF8->base64 problem.
|
---|
1334 | */
|
---|
1335 |
|
---|
1336 | static int fprintf_attr(FILE *add_fd, const char *attr_name,
|
---|
1337 | const char *fmt, ...)
|
---|
1338 | {
|
---|
1339 | va_list ap;
|
---|
1340 | char *value, *p, *base64;
|
---|
1341 | DATA_BLOB base64_blob;
|
---|
1342 | BOOL do_base64 = False;
|
---|
1343 | int res;
|
---|
1344 |
|
---|
1345 | va_start(ap, fmt);
|
---|
1346 | value = talloc_vasprintf(NULL, fmt, ap);
|
---|
1347 | va_end(ap);
|
---|
1348 |
|
---|
1349 | SMB_ASSERT(value != NULL);
|
---|
1350 |
|
---|
1351 | for (p=value; *p; p++) {
|
---|
1352 | if (*p & 0x80) {
|
---|
1353 | do_base64 = True;
|
---|
1354 | break;
|
---|
1355 | }
|
---|
1356 | }
|
---|
1357 |
|
---|
1358 | if (!do_base64) {
|
---|
1359 | BOOL only_whitespace = True;
|
---|
1360 | for (p=value; *p; p++) {
|
---|
1361 | /*
|
---|
1362 | * I know that this not multibyte safe, but we break
|
---|
1363 | * on the first non-whitespace character anyway.
|
---|
1364 | */
|
---|
1365 | if (!isspace(*p)) {
|
---|
1366 | only_whitespace = False;
|
---|
1367 | break;
|
---|
1368 | }
|
---|
1369 | }
|
---|
1370 | if (only_whitespace) {
|
---|
1371 | do_base64 = True;
|
---|
1372 | }
|
---|
1373 | }
|
---|
1374 |
|
---|
1375 | if (!do_base64) {
|
---|
1376 | res = fprintf(add_fd, "%s: %s\n", attr_name, value);
|
---|
1377 | TALLOC_FREE(value);
|
---|
1378 | return res;
|
---|
1379 | }
|
---|
1380 |
|
---|
1381 | base64_blob.data = (unsigned char *)value;
|
---|
1382 | base64_blob.length = strlen(value);
|
---|
1383 |
|
---|
1384 | base64 = base64_encode_data_blob(base64_blob);
|
---|
1385 | SMB_ASSERT(base64 != NULL);
|
---|
1386 |
|
---|
1387 | res = fprintf(add_fd, "%s:: %s\n", attr_name, base64);
|
---|
1388 | TALLOC_FREE(value);
|
---|
1389 | SAFE_FREE(base64);
|
---|
1390 | return res;
|
---|
1391 | }
|
---|
1392 |
|
---|
1393 | static NTSTATUS fetch_group_info_to_ldif(SAM_DELTA_CTR *delta, GROUPMAP *groupmap,
|
---|
1394 | FILE *add_fd, fstring sid, char *suffix)
|
---|
1395 | {
|
---|
1396 | fstring groupname;
|
---|
1397 | uint32 grouptype = 0, g_rid = 0;
|
---|
1398 | char *group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
|
---|
1399 |
|
---|
1400 | /* Get the group name */
|
---|
1401 | unistr2_to_ascii(groupname,
|
---|
1402 | &(delta->group_info.uni_grp_name),
|
---|
1403 | sizeof(groupname)-1);
|
---|
1404 |
|
---|
1405 | /* Set up the group type (always 2 for group info) */
|
---|
1406 | grouptype = 2;
|
---|
1407 |
|
---|
1408 | /* These groups are entered by populate_ldap_for_ldif */
|
---|
1409 | if (strcmp(groupname, "Domain Admins") == 0 ||
|
---|
1410 | strcmp(groupname, "Domain Users") == 0 ||
|
---|
1411 | strcmp(groupname, "Domain Guests") == 0 ||
|
---|
1412 | strcmp(groupname, "Domain Computers") == 0 ||
|
---|
1413 | strcmp(groupname, "Administrators") == 0 ||
|
---|
1414 | strcmp(groupname, "Print Operators") == 0 ||
|
---|
1415 | strcmp(groupname, "Backup Operators") == 0 ||
|
---|
1416 | strcmp(groupname, "Replicators") == 0) {
|
---|
1417 | SAFE_FREE(group_attr);
|
---|
1418 | return NT_STATUS_OK;
|
---|
1419 | } else {
|
---|
1420 | /* Increment the gid for the new group */
|
---|
1421 | ldif_gid++;
|
---|
1422 | }
|
---|
1423 |
|
---|
1424 | /* Map the group rid, gid, and dn */
|
---|
1425 | g_rid = delta->group_info.gid.g_rid;
|
---|
1426 | groupmap->rid = g_rid;
|
---|
1427 | groupmap->gidNumber = ldif_gid;
|
---|
1428 | pstr_sprintf(groupmap->sambaSID, "%s-%d", sid, g_rid);
|
---|
1429 | pstr_sprintf(groupmap->group_dn,
|
---|
1430 | "cn=%s,ou=%s,%s", groupname, group_attr, suffix);
|
---|
1431 |
|
---|
1432 | /* Write the data to the temporary add ldif file */
|
---|
1433 | fprintf(add_fd, "# %s, %s, %s\n", groupname, group_attr,
|
---|
1434 | suffix);
|
---|
1435 | fprintf_attr(add_fd, "dn", "cn=%s,ou=%s,%s", groupname, group_attr,
|
---|
1436 | suffix);
|
---|
1437 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1438 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1439 | fprintf_attr(add_fd, "cn", "%s", groupname);
|
---|
1440 | fprintf(add_fd, "gidNumber: %d\n", ldif_gid);
|
---|
1441 | fprintf(add_fd, "sambaSID: %s\n", groupmap->sambaSID);
|
---|
1442 | fprintf(add_fd, "sambaGroupType: %d\n", grouptype);
|
---|
1443 | fprintf_attr(add_fd, "displayName", "%s", groupname);
|
---|
1444 | fprintf(add_fd, "\n");
|
---|
1445 | fflush(add_fd);
|
---|
1446 |
|
---|
1447 | SAFE_FREE(group_attr);
|
---|
1448 | /* Return */
|
---|
1449 | return NT_STATUS_OK;
|
---|
1450 | }
|
---|
1451 |
|
---|
1452 | static NTSTATUS fetch_account_info_to_ldif(SAM_DELTA_CTR *delta,
|
---|
1453 | GROUPMAP *groupmap,
|
---|
1454 | ACCOUNTMAP *accountmap,
|
---|
1455 | FILE *add_fd,
|
---|
1456 | fstring sid, char *suffix,
|
---|
1457 | int alloced)
|
---|
1458 | {
|
---|
1459 | fstring username, logonscript, homedrive, homepath = "", homedir = "";
|
---|
1460 | fstring hex_nt_passwd, hex_lm_passwd;
|
---|
1461 | fstring description, profilepath, fullname, sambaSID;
|
---|
1462 | uchar lm_passwd[16], nt_passwd[16];
|
---|
1463 | char *flags, *user_rdn;
|
---|
1464 | const char *ou;
|
---|
1465 | const char* nopasswd = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
|
---|
1466 | static uchar zero_buf[16];
|
---|
1467 | uint32 rid = 0, group_rid = 0, gidNumber = 0;
|
---|
1468 | time_t unix_time;
|
---|
1469 | int i;
|
---|
1470 |
|
---|
1471 | /* Get the username */
|
---|
1472 | unistr2_to_ascii(username,
|
---|
1473 | &(delta->account_info.uni_acct_name),
|
---|
1474 | sizeof(username)-1);
|
---|
1475 |
|
---|
1476 | /* Get the rid */
|
---|
1477 | rid = delta->account_info.user_rid;
|
---|
1478 |
|
---|
1479 | /* Map the rid and username for group member info later */
|
---|
1480 | accountmap->rid = rid;
|
---|
1481 | pstr_sprintf(accountmap->cn, "%s", username);
|
---|
1482 |
|
---|
1483 | /* Get the home directory */
|
---|
1484 | if (delta->account_info.acb_info & ACB_NORMAL) {
|
---|
1485 | unistr2_to_ascii(homedir, &(delta->account_info.uni_home_dir),
|
---|
1486 | sizeof(homedir)-1);
|
---|
1487 | if (!*homedir) {
|
---|
1488 | pstr_sprintf(homedir, "/home/%s", username);
|
---|
1489 | } else {
|
---|
1490 | pstr_sprintf(homedir, "/nobodyshomedir");
|
---|
1491 | }
|
---|
1492 | ou = lp_ldap_user_suffix();
|
---|
1493 | } else {
|
---|
1494 | ou = lp_ldap_machine_suffix();
|
---|
1495 | pstr_sprintf(homedir, "/machinehomedir");
|
---|
1496 | }
|
---|
1497 |
|
---|
1498 | /* Get the logon script */
|
---|
1499 | unistr2_to_ascii(logonscript, &(delta->account_info.uni_logon_script),
|
---|
1500 | sizeof(logonscript)-1);
|
---|
1501 |
|
---|
1502 | /* Get the home drive */
|
---|
1503 | unistr2_to_ascii(homedrive, &(delta->account_info.uni_dir_drive),
|
---|
1504 | sizeof(homedrive)-1);
|
---|
1505 |
|
---|
1506 | /* Get the home path */
|
---|
1507 | unistr2_to_ascii(homepath, &(delta->account_info.uni_home_dir),
|
---|
1508 | sizeof(homepath)-1);
|
---|
1509 |
|
---|
1510 | /* Get the description */
|
---|
1511 | unistr2_to_ascii(description, &(delta->account_info.uni_acct_desc),
|
---|
1512 | sizeof(description)-1);
|
---|
1513 |
|
---|
1514 | /* Get the display name */
|
---|
1515 | unistr2_to_ascii(fullname, &(delta->account_info.uni_full_name),
|
---|
1516 | sizeof(fullname)-1);
|
---|
1517 |
|
---|
1518 | /* Get the profile path */
|
---|
1519 | unistr2_to_ascii(profilepath, &(delta->account_info.uni_profile),
|
---|
1520 | sizeof(profilepath)-1);
|
---|
1521 |
|
---|
1522 | /* Get lm and nt password data */
|
---|
1523 | if (memcmp(delta->account_info.pass.buf_lm_pwd, zero_buf, 16) != 0) {
|
---|
1524 | sam_pwd_hash(delta->account_info.user_rid,
|
---|
1525 | delta->account_info.pass.buf_lm_pwd,
|
---|
1526 | lm_passwd, 0);
|
---|
1527 | pdb_sethexpwd(hex_lm_passwd, lm_passwd,
|
---|
1528 | delta->account_info.acb_info);
|
---|
1529 | } else {
|
---|
1530 | pdb_sethexpwd(hex_lm_passwd, NULL, 0);
|
---|
1531 | }
|
---|
1532 | if (memcmp(delta->account_info.pass.buf_nt_pwd, zero_buf, 16) != 0) {
|
---|
1533 | sam_pwd_hash(delta->account_info.user_rid,
|
---|
1534 | delta->account_info.pass.buf_nt_pwd,
|
---|
1535 | nt_passwd, 0);
|
---|
1536 | pdb_sethexpwd(hex_nt_passwd, nt_passwd,
|
---|
1537 | delta->account_info.acb_info);
|
---|
1538 | } else {
|
---|
1539 | pdb_sethexpwd(hex_nt_passwd, NULL, 0);
|
---|
1540 | }
|
---|
1541 | unix_time = nt_time_to_unix(delta->account_info.pwd_last_set_time);
|
---|
1542 |
|
---|
1543 | /* Increment the uid for the new user */
|
---|
1544 | ldif_uid++;
|
---|
1545 |
|
---|
1546 | /* Set up group id and sambaSID for the user */
|
---|
1547 | group_rid = delta->account_info.group_rid;
|
---|
1548 | for (i=0; i<alloced; i++) {
|
---|
1549 | if (groupmap[i].rid == group_rid) break;
|
---|
1550 | }
|
---|
1551 | if (i == alloced){
|
---|
1552 | DEBUG(1, ("Could not find rid %d in groupmap array\n",
|
---|
1553 | group_rid));
|
---|
1554 | return NT_STATUS_UNSUCCESSFUL;
|
---|
1555 | }
|
---|
1556 | gidNumber = groupmap[i].gidNumber;
|
---|
1557 | pstr_sprintf(sambaSID, groupmap[i].sambaSID);
|
---|
1558 |
|
---|
1559 | /* Set up sambaAcctFlags */
|
---|
1560 | flags = pdb_encode_acct_ctrl(delta->account_info.acb_info,
|
---|
1561 | NEW_PW_FORMAT_SPACE_PADDED_LEN);
|
---|
1562 |
|
---|
1563 | /* Add the user to the temporary add ldif file */
|
---|
1564 | /* this isn't quite right...we can't assume there's just OU=. jmcd */
|
---|
1565 | user_rdn = sstring_sub(ou, '=', ',');
|
---|
1566 | fprintf(add_fd, "# %s, %s, %s\n", username, user_rdn, suffix);
|
---|
1567 | fprintf_attr(add_fd, "dn", "uid=%s,ou=%s,%s", username, user_rdn,
|
---|
1568 | suffix);
|
---|
1569 | SAFE_FREE(user_rdn);
|
---|
1570 | fprintf(add_fd, "ObjectClass: top\n");
|
---|
1571 | fprintf(add_fd, "objectClass: inetOrgPerson\n");
|
---|
1572 | fprintf(add_fd, "objectClass: posixAccount\n");
|
---|
1573 | fprintf(add_fd, "objectClass: shadowAccount\n");
|
---|
1574 | fprintf(add_fd, "objectClass: sambaSamAccount\n");
|
---|
1575 | fprintf_attr(add_fd, "cn", "%s", username);
|
---|
1576 | fprintf_attr(add_fd, "sn", "%s", username);
|
---|
1577 | fprintf_attr(add_fd, "uid", "%s", username);
|
---|
1578 | fprintf(add_fd, "uidNumber: %d\n", ldif_uid);
|
---|
1579 | fprintf(add_fd, "gidNumber: %d\n", gidNumber);
|
---|
1580 | fprintf_attr(add_fd, "homeDirectory", "%s", homedir);
|
---|
1581 | if (*homepath)
|
---|
1582 | fprintf_attr(add_fd, "sambaHomePath", "%s", homepath);
|
---|
1583 | if (*homedrive)
|
---|
1584 | fprintf_attr(add_fd, "sambaHomeDrive", "%s", homedrive);
|
---|
1585 | if (*logonscript)
|
---|
1586 | fprintf_attr(add_fd, "sambaLogonScript", "%s", logonscript);
|
---|
1587 | fprintf(add_fd, "loginShell: %s\n",
|
---|
1588 | ((delta->account_info.acb_info & ACB_NORMAL) ?
|
---|
1589 | "/bin/bash" : "/bin/false"));
|
---|
1590 | fprintf(add_fd, "gecos: System User\n");
|
---|
1591 | if (*description)
|
---|
1592 | fprintf_attr(add_fd, "description", "%s", description);
|
---|
1593 | fprintf(add_fd, "sambaSID: %s-%d\n", sid, rid);
|
---|
1594 | fprintf(add_fd, "sambaPrimaryGroupSID: %s\n", sambaSID);
|
---|
1595 | if(*fullname)
|
---|
1596 | fprintf_attr(add_fd, "displayName", "%s", fullname);
|
---|
1597 | if(*profilepath)
|
---|
1598 | fprintf_attr(add_fd, "sambaProfilePath", "%s", profilepath);
|
---|
1599 | if (strcmp(nopasswd, hex_lm_passwd) != 0)
|
---|
1600 | fprintf(add_fd, "sambaLMPassword: %s\n", hex_lm_passwd);
|
---|
1601 | if (strcmp(nopasswd, hex_nt_passwd) != 0)
|
---|
1602 | fprintf(add_fd, "sambaNTPassword: %s\n", hex_nt_passwd);
|
---|
1603 | fprintf(add_fd, "sambaPwdLastSet: %d\n", (int)unix_time);
|
---|
1604 | fprintf(add_fd, "sambaAcctFlags: %s\n", flags);
|
---|
1605 | fprintf(add_fd, "\n");
|
---|
1606 | fflush(add_fd);
|
---|
1607 |
|
---|
1608 | /* Return */
|
---|
1609 | return NT_STATUS_OK;
|
---|
1610 | }
|
---|
1611 |
|
---|
1612 | static NTSTATUS fetch_alias_info_to_ldif(SAM_DELTA_CTR *delta,
|
---|
1613 | GROUPMAP *groupmap,
|
---|
1614 | FILE *add_fd, fstring sid,
|
---|
1615 | char *suffix,
|
---|
1616 | unsigned db_type)
|
---|
1617 | {
|
---|
1618 | fstring aliasname, description;
|
---|
1619 | uint32 grouptype = 0, g_rid = 0;
|
---|
1620 | char *group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
|
---|
1621 |
|
---|
1622 | /* Get the alias name */
|
---|
1623 | unistr2_to_ascii(aliasname, &(delta->alias_info.uni_als_name),
|
---|
1624 | sizeof(aliasname)-1);
|
---|
1625 |
|
---|
1626 | /* Get the alias description */
|
---|
1627 | unistr2_to_ascii(description, &(delta->alias_info.uni_als_desc),
|
---|
1628 | sizeof(description)-1);
|
---|
1629 |
|
---|
1630 | /* Set up the group type */
|
---|
1631 | switch (db_type) {
|
---|
1632 | case SAM_DATABASE_DOMAIN:
|
---|
1633 | grouptype = 4;
|
---|
1634 | break;
|
---|
1635 | case SAM_DATABASE_BUILTIN:
|
---|
1636 | grouptype = 5;
|
---|
1637 | break;
|
---|
1638 | default:
|
---|
1639 | grouptype = 4;
|
---|
1640 | break;
|
---|
1641 | }
|
---|
1642 |
|
---|
1643 | /*
|
---|
1644 | These groups are entered by populate_ldap_for_ldif
|
---|
1645 | Note that populate creates a group called Relicators,
|
---|
1646 | but NT returns a group called Replicator
|
---|
1647 | */
|
---|
1648 | if (strcmp(aliasname, "Domain Admins") == 0 ||
|
---|
1649 | strcmp(aliasname, "Domain Users") == 0 ||
|
---|
1650 | strcmp(aliasname, "Domain Guests") == 0 ||
|
---|
1651 | strcmp(aliasname, "Domain Computers") == 0 ||
|
---|
1652 | strcmp(aliasname, "Administrators") == 0 ||
|
---|
1653 | strcmp(aliasname, "Print Operators") == 0 ||
|
---|
1654 | strcmp(aliasname, "Backup Operators") == 0 ||
|
---|
1655 | strcmp(aliasname, "Replicator") == 0) {
|
---|
1656 | SAFE_FREE(group_attr);
|
---|
1657 | return NT_STATUS_OK;
|
---|
1658 | } else {
|
---|
1659 | /* Increment the gid for the new group */
|
---|
1660 | ldif_gid++;
|
---|
1661 | }
|
---|
1662 |
|
---|
1663 | /* Map the group rid and gid */
|
---|
1664 | g_rid = delta->group_info.gid.g_rid;
|
---|
1665 | groupmap->gidNumber = ldif_gid;
|
---|
1666 | pstr_sprintf(groupmap->sambaSID, "%s-%d", sid, g_rid);
|
---|
1667 |
|
---|
1668 | /* Write the data to the temporary add ldif file */
|
---|
1669 | fprintf(add_fd, "# %s, %s, %s\n", aliasname, group_attr,
|
---|
1670 | suffix);
|
---|
1671 | fprintf_attr(add_fd, "dn", "cn=%s,ou=%s,%s", aliasname, group_attr,
|
---|
1672 | suffix);
|
---|
1673 | fprintf(add_fd, "objectClass: posixGroup\n");
|
---|
1674 | fprintf(add_fd, "objectClass: sambaGroupMapping\n");
|
---|
1675 | fprintf(add_fd, "cn: %s\n", aliasname);
|
---|
1676 | fprintf(add_fd, "gidNumber: %d\n", ldif_gid);
|
---|
1677 | fprintf(add_fd, "sambaSID: %s\n", groupmap->sambaSID);
|
---|
1678 | fprintf(add_fd, "sambaGroupType: %d\n", grouptype);
|
---|
1679 | fprintf_attr(add_fd, "displayName", "%s", aliasname);
|
---|
1680 | if (description[0])
|
---|
1681 | fprintf_attr(add_fd, "description", "%s", description);
|
---|
1682 | fprintf(add_fd, "\n");
|
---|
1683 | fflush(add_fd);
|
---|
1684 |
|
---|
1685 | SAFE_FREE(group_attr);
|
---|
1686 | /* Return */
|
---|
1687 | return NT_STATUS_OK;
|
---|
1688 | }
|
---|
1689 |
|
---|
1690 | static NTSTATUS fetch_groupmem_info_to_ldif(SAM_DELTA_CTR *delta,
|
---|
1691 | SAM_DELTA_HDR *hdr_delta,
|
---|
1692 | GROUPMAP *groupmap,
|
---|
1693 | ACCOUNTMAP *accountmap,
|
---|
1694 | FILE *mod_fd, int alloced)
|
---|
1695 | {
|
---|
1696 | fstring group_dn;
|
---|
1697 | uint32 group_rid = 0, rid = 0;
|
---|
1698 | int i, j, k;
|
---|
1699 |
|
---|
1700 | /* Get the dn for the group */
|
---|
1701 | if (delta->grp_mem_info.num_members > 0) {
|
---|
1702 | group_rid = hdr_delta->target_rid;
|
---|
1703 | for (j=0; j<alloced; j++) {
|
---|
1704 | if (groupmap[j].rid == group_rid) break;
|
---|
1705 | }
|
---|
1706 | if (j == alloced){
|
---|
1707 | DEBUG(1, ("Could not find rid %d in groupmap array\n",
|
---|
1708 | group_rid));
|
---|
1709 | return NT_STATUS_UNSUCCESSFUL;
|
---|
1710 | }
|
---|
1711 | pstr_sprintf(group_dn, "%s", groupmap[j].group_dn);
|
---|
1712 | fprintf(mod_fd, "dn: %s\n", group_dn);
|
---|
1713 |
|
---|
1714 | /* Get the cn for each member */
|
---|
1715 | for (i=0; i<delta->grp_mem_info.num_members; i++) {
|
---|
1716 | rid = delta->grp_mem_info.rids[i];
|
---|
1717 | for (k=0; k<alloced; k++) {
|
---|
1718 | if (accountmap[k].rid == rid) break;
|
---|
1719 | }
|
---|
1720 | if (k == alloced){
|
---|
1721 | DEBUG(1, ("Could not find rid %d in "
|
---|
1722 | "accountmap array\n", rid));
|
---|
1723 | return NT_STATUS_UNSUCCESSFUL;
|
---|
1724 | }
|
---|
1725 | fprintf(mod_fd, "memberUid: %s\n", accountmap[k].cn);
|
---|
1726 | }
|
---|
1727 | fprintf(mod_fd, "\n");
|
---|
1728 | }
|
---|
1729 | fflush(mod_fd);
|
---|
1730 |
|
---|
1731 | /* Return */
|
---|
1732 | return NT_STATUS_OK;
|
---|
1733 | }
|
---|
1734 |
|
---|
1735 | static NTSTATUS fetch_database_to_ldif(struct rpc_pipe_client *pipe_hnd,
|
---|
1736 | uint32 db_type,
|
---|
1737 | DOM_SID dom_sid,
|
---|
1738 | const char *user_file)
|
---|
1739 | {
|
---|
1740 | char *suffix;
|
---|
1741 | const char *builtin_sid = "S-1-5-32";
|
---|
1742 | char *add_name = NULL, *mod_name = NULL;
|
---|
1743 | const char *add_template = "/tmp/add.ldif.XXXXXX";
|
---|
1744 | const char *mod_template = "/tmp/mod.ldif.XXXXXX";
|
---|
1745 | fstring sid, domainname;
|
---|
1746 | uint32 sync_context = 0;
|
---|
1747 | NTSTATUS ret = NT_STATUS_OK, result;
|
---|
1748 | int k;
|
---|
1749 | TALLOC_CTX *mem_ctx;
|
---|
1750 | SAM_DELTA_HDR *hdr_deltas;
|
---|
1751 | SAM_DELTA_CTR *deltas;
|
---|
1752 | uint32 num_deltas;
|
---|
1753 | FILE *add_file = NULL, *mod_file = NULL, *ldif_file = NULL;
|
---|
1754 | int num_alloced = 0, g_index = 0, a_index = 0;
|
---|
1755 |
|
---|
1756 | /* Set up array for mapping accounts to groups */
|
---|
1757 | /* Array element is the group rid */
|
---|
1758 | GROUPMAP *groupmap = NULL;
|
---|
1759 |
|
---|
1760 | /* Set up array for mapping account rid's to cn's */
|
---|
1761 | /* Array element is the account rid */
|
---|
1762 | ACCOUNTMAP *accountmap = NULL;
|
---|
1763 |
|
---|
1764 | if (!(mem_ctx = talloc_init("fetch_database"))) {
|
---|
1765 | return NT_STATUS_NO_MEMORY;
|
---|
1766 | }
|
---|
1767 |
|
---|
1768 | /* Ensure we have an output file */
|
---|
1769 | if (user_file)
|
---|
1770 | ldif_file = fopen(user_file, "a");
|
---|
1771 | else
|
---|
1772 | ldif_file = stdout;
|
---|
1773 |
|
---|
1774 | if (!ldif_file) {
|
---|
1775 | fprintf(stderr, "Could not open %s\n", user_file);
|
---|
1776 | DEBUG(1, ("Could not open %s\n", user_file));
|
---|
1777 | ret = NT_STATUS_UNSUCCESSFUL;
|
---|
1778 | goto done;
|
---|
1779 | }
|
---|
1780 |
|
---|
1781 | add_name = talloc_strdup(mem_ctx, add_template);
|
---|
1782 | mod_name = talloc_strdup(mem_ctx, mod_template);
|
---|
1783 | if (!add_name || !mod_name) {
|
---|
1784 | ret = NT_STATUS_NO_MEMORY;
|
---|
1785 | goto done;
|
---|
1786 | }
|
---|
1787 |
|
---|
1788 | /* Open the add and mod ldif files */
|
---|
1789 | if (!(add_file = fdopen(smb_mkstemp(add_name),"w"))) {
|
---|
1790 | DEBUG(1, ("Could not open %s\n", add_name));
|
---|
1791 | ret = NT_STATUS_UNSUCCESSFUL;
|
---|
1792 | goto done;
|
---|
1793 | }
|
---|
1794 | if (!(mod_file = fdopen(smb_mkstemp(mod_name),"w"))) {
|
---|
1795 | DEBUG(1, ("Could not open %s\n", mod_name));
|
---|
1796 | ret = NT_STATUS_UNSUCCESSFUL;
|
---|
1797 | goto done;
|
---|
1798 | }
|
---|
1799 |
|
---|
1800 | /* Get the sid */
|
---|
1801 | sid_to_string(sid, &dom_sid);
|
---|
1802 |
|
---|
1803 | /* Get the ldap suffix */
|
---|
1804 | suffix = lp_ldap_suffix();
|
---|
1805 | if (suffix == NULL || strcmp(suffix, "") == 0) {
|
---|
1806 | DEBUG(0,("ldap suffix missing from smb.conf--exiting\n"));
|
---|
1807 | exit(1);
|
---|
1808 | }
|
---|
1809 |
|
---|
1810 | /* Get other smb.conf data */
|
---|
1811 | if (!(lp_workgroup()) || !*(lp_workgroup())) {
|
---|
1812 | DEBUG(0,("workgroup missing from smb.conf--exiting\n"));
|
---|
1813 | exit(1);
|
---|
1814 | }
|
---|
1815 |
|
---|
1816 | /* Allocate initial memory for groupmap and accountmap arrays */
|
---|
1817 | if (init_ldap == 1) {
|
---|
1818 | groupmap = SMB_MALLOC_ARRAY(GROUPMAP, 8);
|
---|
1819 | accountmap = SMB_MALLOC_ARRAY(ACCOUNTMAP, 8);
|
---|
1820 | if (groupmap == NULL || accountmap == NULL) {
|
---|
1821 | DEBUG(1,("GROUPMAP malloc failed\n"));
|
---|
1822 | ret = NT_STATUS_NO_MEMORY;
|
---|
1823 | goto done;
|
---|
1824 | }
|
---|
1825 |
|
---|
1826 | /* Initialize the arrays */
|
---|
1827 | memset(groupmap, 0, sizeof(GROUPMAP)*8);
|
---|
1828 | memset(accountmap, 0, sizeof(ACCOUNTMAP)*8);
|
---|
1829 |
|
---|
1830 | /* Remember how many we malloced */
|
---|
1831 | num_alloced = 8;
|
---|
1832 |
|
---|
1833 | /* Initial database population */
|
---|
1834 | populate_ldap_for_ldif(sid, suffix, builtin_sid, add_file);
|
---|
1835 | map_populate_groups(groupmap, accountmap, sid, suffix,
|
---|
1836 | builtin_sid);
|
---|
1837 |
|
---|
1838 | /* Don't do this again */
|
---|
1839 | init_ldap = 0;
|
---|
1840 | }
|
---|
1841 |
|
---|
1842 | /* Announce what we are doing */
|
---|
1843 | switch( db_type ) {
|
---|
1844 | case SAM_DATABASE_DOMAIN:
|
---|
1845 | d_fprintf(stderr, "Fetching DOMAIN database\n");
|
---|
1846 | break;
|
---|
1847 | case SAM_DATABASE_BUILTIN:
|
---|
1848 | d_fprintf(stderr, "Fetching BUILTIN database\n");
|
---|
1849 | break;
|
---|
1850 | case SAM_DATABASE_PRIVS:
|
---|
1851 | d_fprintf(stderr, "Fetching PRIVS databases\n");
|
---|
1852 | break;
|
---|
1853 | default:
|
---|
1854 | d_fprintf(stderr,
|
---|
1855 | "Fetching unknown database type %u\n",
|
---|
1856 | db_type );
|
---|
1857 | break;
|
---|
1858 | }
|
---|
1859 |
|
---|
1860 | do {
|
---|
1861 | result = rpccli_netlogon_sam_sync(pipe_hnd, mem_ctx,
|
---|
1862 | db_type, sync_context,
|
---|
1863 | &num_deltas, &hdr_deltas,
|
---|
1864 | &deltas);
|
---|
1865 | if (!NT_STATUS_IS_OK(result) &&
|
---|
1866 | !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
|
---|
1867 | ret = NT_STATUS_OK;
|
---|
1868 | goto done; /* is this correct? jmcd */
|
---|
1869 | }
|
---|
1870 |
|
---|
1871 | /* Re-allocate memory for groupmap and accountmap arrays */
|
---|
1872 | groupmap = SMB_REALLOC_ARRAY(groupmap, GROUPMAP,
|
---|
1873 | num_deltas+num_alloced);
|
---|
1874 | accountmap = SMB_REALLOC_ARRAY(accountmap, ACCOUNTMAP,
|
---|
1875 | num_deltas+num_alloced);
|
---|
1876 | if (groupmap == NULL || accountmap == NULL) {
|
---|
1877 | DEBUG(1,("GROUPMAP malloc failed\n"));
|
---|
1878 | ret = NT_STATUS_NO_MEMORY;
|
---|
1879 | goto done;
|
---|
1880 | }
|
---|
1881 |
|
---|
1882 | /* Initialize the new records */
|
---|
1883 | memset(&groupmap[num_alloced], 0,
|
---|
1884 | sizeof(GROUPMAP)*num_deltas);
|
---|
1885 | memset(&accountmap[num_alloced], 0,
|
---|
1886 | sizeof(ACCOUNTMAP)*num_deltas);
|
---|
1887 |
|
---|
1888 | /* Remember how many we alloced this time */
|
---|
1889 | num_alloced += num_deltas;
|
---|
1890 |
|
---|
1891 | /* Loop through the deltas */
|
---|
1892 | for (k=0; k<num_deltas; k++) {
|
---|
1893 | switch(hdr_deltas[k].type) {
|
---|
1894 | case SAM_DELTA_DOMAIN_INFO:
|
---|
1895 | /* Is this case needed? */
|
---|
1896 | unistr2_to_ascii(
|
---|
1897 | domainname,
|
---|
1898 | &deltas[k].domain_info.uni_dom_name,
|
---|
1899 | sizeof(domainname)-1);
|
---|
1900 | break;
|
---|
1901 |
|
---|
1902 | case SAM_DELTA_GROUP_INFO:
|
---|
1903 | fetch_group_info_to_ldif(
|
---|
1904 | &deltas[k], &groupmap[g_index],
|
---|
1905 | add_file, sid, suffix);
|
---|
1906 | g_index++;
|
---|
1907 | break;
|
---|
1908 |
|
---|
1909 | case SAM_DELTA_ACCOUNT_INFO:
|
---|
1910 | fetch_account_info_to_ldif(
|
---|
1911 | &deltas[k], groupmap,
|
---|
1912 | &accountmap[a_index], add_file,
|
---|
1913 | sid, suffix, num_alloced);
|
---|
1914 | a_index++;
|
---|
1915 | break;
|
---|
1916 |
|
---|
1917 | case SAM_DELTA_ALIAS_INFO:
|
---|
1918 | fetch_alias_info_to_ldif(
|
---|
1919 | &deltas[k], &groupmap[g_index],
|
---|
1920 | add_file, sid, suffix, db_type);
|
---|
1921 | g_index++;
|
---|
1922 | break;
|
---|
1923 |
|
---|
1924 | case SAM_DELTA_GROUP_MEM:
|
---|
1925 | fetch_groupmem_info_to_ldif(
|
---|
1926 | &deltas[k], &hdr_deltas[k],
|
---|
1927 | groupmap, accountmap,
|
---|
1928 | mod_file, num_alloced);
|
---|
1929 | break;
|
---|
1930 |
|
---|
1931 | case SAM_DELTA_ALIAS_MEM:
|
---|
1932 | break;
|
---|
1933 | case SAM_DELTA_POLICY_INFO:
|
---|
1934 | break;
|
---|
1935 | case SAM_DELTA_PRIVS_INFO:
|
---|
1936 | break;
|
---|
1937 | case SAM_DELTA_TRUST_DOMS:
|
---|
1938 | /* Implemented but broken */
|
---|
1939 | break;
|
---|
1940 | case SAM_DELTA_SECRET_INFO:
|
---|
1941 | /* Implemented but broken */
|
---|
1942 | break;
|
---|
1943 | case SAM_DELTA_RENAME_GROUP:
|
---|
1944 | /* Not yet implemented */
|
---|
1945 | break;
|
---|
1946 | case SAM_DELTA_RENAME_USER:
|
---|
1947 | /* Not yet implemented */
|
---|
1948 | break;
|
---|
1949 | case SAM_DELTA_RENAME_ALIAS:
|
---|
1950 | /* Not yet implemented */
|
---|
1951 | break;
|
---|
1952 | case SAM_DELTA_DELETE_GROUP:
|
---|
1953 | /* Not yet implemented */
|
---|
1954 | break;
|
---|
1955 | case SAM_DELTA_DELETE_USER:
|
---|
1956 | /* Not yet implemented */
|
---|
1957 | break;
|
---|
1958 | case SAM_DELTA_MODIFIED_COUNT:
|
---|
1959 | break;
|
---|
1960 | default:
|
---|
1961 | break;
|
---|
1962 | } /* end of switch */
|
---|
1963 | } /* end of for loop */
|
---|
1964 |
|
---|
1965 | /* Increment sync_context */
|
---|
1966 | sync_context += 1;
|
---|
1967 |
|
---|
1968 | } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
|
---|
1969 |
|
---|
1970 | /* Write ldif data to the user's file */
|
---|
1971 | if (db_type == SAM_DATABASE_DOMAIN) {
|
---|
1972 | fprintf(ldif_file,
|
---|
1973 | "# SAM_DATABASE_DOMAIN: ADD ENTITIES\n");
|
---|
1974 | fprintf(ldif_file,
|
---|
1975 | "# =================================\n\n");
|
---|
1976 | fflush(ldif_file);
|
---|
1977 | } else if (db_type == SAM_DATABASE_BUILTIN) {
|
---|
1978 | fprintf(ldif_file,
|
---|
1979 | "# SAM_DATABASE_BUILTIN: ADD ENTITIES\n");
|
---|
1980 | fprintf(ldif_file,
|
---|
1981 | "# ==================================\n\n");
|
---|
1982 | fflush(ldif_file);
|
---|
1983 | }
|
---|
1984 | fseek(add_file, 0, SEEK_SET);
|
---|
1985 | transfer_file(fileno(add_file), fileno(ldif_file), (size_t) -1);
|
---|
1986 |
|
---|
1987 | if (db_type == SAM_DATABASE_DOMAIN) {
|
---|
1988 | fprintf(ldif_file,
|
---|
1989 | "# SAM_DATABASE_DOMAIN: MODIFY ENTITIES\n");
|
---|
1990 | fprintf(ldif_file,
|
---|
1991 | "# ====================================\n\n");
|
---|
1992 | fflush(ldif_file);
|
---|
1993 | } else if (db_type == SAM_DATABASE_BUILTIN) {
|
---|
1994 | fprintf(ldif_file,
|
---|
1995 | "# SAM_DATABASE_BUILTIN: MODIFY ENTITIES\n");
|
---|
1996 | fprintf(ldif_file,
|
---|
1997 | "# =====================================\n\n");
|
---|
1998 | fflush(ldif_file);
|
---|
1999 | }
|
---|
2000 | fseek(mod_file, 0, SEEK_SET);
|
---|
2001 | transfer_file(fileno(mod_file), fileno(ldif_file), (size_t) -1);
|
---|
2002 |
|
---|
2003 |
|
---|
2004 | done:
|
---|
2005 | /* Close and delete the ldif files */
|
---|
2006 | if (add_file) {
|
---|
2007 | fclose(add_file);
|
---|
2008 | }
|
---|
2009 |
|
---|
2010 | if ((add_name != NULL) &&
|
---|
2011 | strcmp(add_name, add_template) && (unlink(add_name))) {
|
---|
2012 | DEBUG(1,("unlink(%s) failed, error was (%s)\n",
|
---|
2013 | add_name, strerror(errno)));
|
---|
2014 | }
|
---|
2015 |
|
---|
2016 | if (mod_file) {
|
---|
2017 | fclose(mod_file);
|
---|
2018 | }
|
---|
2019 |
|
---|
2020 | if ((mod_name != NULL) &&
|
---|
2021 | strcmp(mod_name, mod_template) && (unlink(mod_name))) {
|
---|
2022 | DEBUG(1,("unlink(%s) failed, error was (%s)\n",
|
---|
2023 | mod_name, strerror(errno)));
|
---|
2024 | }
|
---|
2025 |
|
---|
2026 | if (ldif_file && (ldif_file != stdout)) {
|
---|
2027 | fclose(ldif_file);
|
---|
2028 | }
|
---|
2029 |
|
---|
2030 | /* Deallocate memory for the mapping arrays */
|
---|
2031 | SAFE_FREE(groupmap);
|
---|
2032 | SAFE_FREE(accountmap);
|
---|
2033 |
|
---|
2034 | /* Return */
|
---|
2035 | talloc_destroy(mem_ctx);
|
---|
2036 | return ret;
|
---|
2037 | }
|
---|
2038 |
|
---|
2039 | /**
|
---|
2040 | * Basic usage function for 'net rpc vampire'
|
---|
2041 | * @param argc Standard main() style argc
|
---|
2042 | * @param argc Standard main() style argv. Initial components are already
|
---|
2043 | * stripped
|
---|
2044 | **/
|
---|
2045 |
|
---|
2046 | int rpc_vampire_usage(int argc, const char **argv)
|
---|
2047 | {
|
---|
2048 | d_printf("net rpc vampire [ldif [<ldif-filename>] [options]\n"
|
---|
2049 | "\t to pull accounts from a remote PDC where we are a BDC\n"
|
---|
2050 | "\t\t no args puts accounts in local passdb from smb.conf\n"
|
---|
2051 | "\t\t ldif - put accounts in ldif format (file defaults to "
|
---|
2052 | "/tmp/tmp.ldif\n");
|
---|
2053 |
|
---|
2054 | net_common_flags_usage(argc, argv);
|
---|
2055 | return -1;
|
---|
2056 | }
|
---|
2057 |
|
---|
2058 |
|
---|
2059 | /* dump sam database via samsync rpc calls */
|
---|
2060 | NTSTATUS rpc_vampire_internals(const DOM_SID *domain_sid,
|
---|
2061 | const char *domain_name,
|
---|
2062 | struct cli_state *cli,
|
---|
2063 | struct rpc_pipe_client *pipe_hnd,
|
---|
2064 | TALLOC_CTX *mem_ctx,
|
---|
2065 | int argc,
|
---|
2066 | const char **argv)
|
---|
2067 | {
|
---|
2068 | NTSTATUS result;
|
---|
2069 | fstring my_dom_sid_str;
|
---|
2070 | fstring rem_dom_sid_str;
|
---|
2071 |
|
---|
2072 | if (!sid_equal(domain_sid, get_global_sam_sid())) {
|
---|
2073 | d_printf("Cannot import users from %s at this time, "
|
---|
2074 | "as the current domain:\n\t%s: %s\nconflicts "
|
---|
2075 | "with the remote domain\n\t%s: %s\n"
|
---|
2076 | "Perhaps you need to set: \n\n\tsecurity=user\n\t"
|
---|
2077 | "workgroup=%s\n\n in your smb.conf?\n",
|
---|
2078 | domain_name,
|
---|
2079 | get_global_sam_name(),
|
---|
2080 | sid_to_string(my_dom_sid_str,
|
---|
2081 | get_global_sam_sid()),
|
---|
2082 | domain_name, sid_to_string(rem_dom_sid_str,
|
---|
2083 | domain_sid),
|
---|
2084 | domain_name);
|
---|
2085 | return NT_STATUS_UNSUCCESSFUL;
|
---|
2086 | }
|
---|
2087 |
|
---|
2088 | if (argc >= 1 && (strcmp(argv[0], "ldif") == 0)) {
|
---|
2089 | result = fetch_database_to_ldif(pipe_hnd, SAM_DATABASE_DOMAIN,
|
---|
2090 | *domain_sid, argv[1]);
|
---|
2091 | } else {
|
---|
2092 | result = fetch_database(pipe_hnd, SAM_DATABASE_DOMAIN,
|
---|
2093 | *domain_sid);
|
---|
2094 | }
|
---|
2095 |
|
---|
2096 | if (!NT_STATUS_IS_OK(result)) {
|
---|
2097 | d_fprintf(stderr, "Failed to fetch domain database: %s\n",
|
---|
2098 | nt_errstr(result));
|
---|
2099 | if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED))
|
---|
2100 | d_fprintf(stderr, "Perhaps %s is a Windows 2000 "
|
---|
2101 | "native mode domain?\n", domain_name);
|
---|
2102 | goto fail;
|
---|
2103 | }
|
---|
2104 |
|
---|
2105 | if (argc >= 1 && (strcmp(argv[0], "ldif") == 0)) {
|
---|
2106 | result = fetch_database_to_ldif(pipe_hnd, SAM_DATABASE_BUILTIN,
|
---|
2107 | global_sid_Builtin, argv[1]);
|
---|
2108 | } else {
|
---|
2109 | result = fetch_database(pipe_hnd, SAM_DATABASE_BUILTIN,
|
---|
2110 | global_sid_Builtin);
|
---|
2111 | }
|
---|
2112 |
|
---|
2113 | if (!NT_STATUS_IS_OK(result)) {
|
---|
2114 | d_fprintf(stderr, "Failed to fetch builtin database: %s\n",
|
---|
2115 | nt_errstr(result));
|
---|
2116 | goto fail;
|
---|
2117 | }
|
---|
2118 |
|
---|
2119 | /* Currently we crash on PRIVS somewhere in unmarshalling */
|
---|
2120 | /* Dump_database(cli, SAM_DATABASE_PRIVS, &ret_creds); */
|
---|
2121 |
|
---|
2122 | fail:
|
---|
2123 | return result;
|
---|
2124 | }
|
---|