source: branches/samba-3.2.x/source/utils/net_rpc_samsync.c

Last change on this file was 233, checked in by Herwig Bauernfeind, 16 years ago

Update 3.2 branch to 3.2.9
File size: 69.3 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 dump the remote SAM using rpc samsync operations
4
5 Copyright (C) Andrew Tridgell 2002
6 Copyright (C) Tim Potter 2001,2002
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
8 Modified by Volker Lendecke 2002
9 Copyright (C) Jeremy Allison 2005.
10 Copyright (C) Guenther Deschner 2008.
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24*/
25
26#include "includes.h"
27#include "utils/net.h"
28
29/* uid's and gid's for writing deltas to ldif */
30static uint32 ldif_gid = 999;
31static uint32 ldif_uid = 999;
32/* Keep track of ldap initialization */
33static int init_ldap = 1;
34
35static void display_group_mem_info(uint32_t rid,
36 struct netr_DELTA_GROUP_MEMBER *r)
37{
38 int i;
39 d_printf("Group mem %u: ", rid);
40 for (i=0; i< r->num_rids; i++) {
41 d_printf("%u ", r->rids[i]);
42 }
43 d_printf("\n");
44}
45
46static void display_alias_info(uint32_t rid,
47 struct netr_DELTA_ALIAS *r)
48{
49 d_printf("Alias '%s' ", r->alias_name.string);
50 d_printf("desc='%s' rid=%u\n", r->description.string, r->rid);
51}
52
53static void display_alias_mem(uint32_t rid,
54 struct netr_DELTA_ALIAS_MEMBER *r)
55{
56 int i;
57 d_printf("Alias rid %u: ", rid);
58 for (i=0; i< r->sids.num_sids; i++) {
59 d_printf("%s ", sid_string_tos(r->sids.sids[i].sid));
60 }
61 d_printf("\n");
62}
63
64static void display_account_info(uint32_t rid,
65 struct netr_DELTA_USER *r)
66{
67 fstring hex_nt_passwd, hex_lm_passwd;
68 uchar zero_buf[16];
69
70 memset(zero_buf, '\0', sizeof(zero_buf));
71 /* Decode hashes from password hash (if they are not NULL) */
72
73 if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
74 pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
75 } else {
76 pdb_sethexpwd(hex_lm_passwd, NULL, 0);
77 }
78
79 if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
80 pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
81 } else {
82 pdb_sethexpwd(hex_nt_passwd, NULL, 0);
83 }
84
85 printf("%s:%d:%s:%s:%s:LCT-0\n",
86 r->account_name.string,
87 r->rid, hex_lm_passwd, hex_nt_passwd,
88 pdb_encode_acct_ctrl(r->acct_flags, NEW_PW_FORMAT_SPACE_PADDED_LEN));
89}
90
91static time_t uint64s_nt_time_to_unix_abs(const uint64 *src)
92{
93 NTTIME nttime;
94 nttime = *src;
95 return nt_time_to_unix_abs(&nttime);
96}
97
98static NTSTATUS pull_netr_AcctLockStr(TALLOC_CTX *mem_ctx,
99 struct lsa_BinaryString *r,
100 struct netr_AcctLockStr **str_p)
101{
102 struct netr_AcctLockStr *str;
103 enum ndr_err_code ndr_err;
104 DATA_BLOB blob;
105
106 if (!mem_ctx || !r || !str_p) {
107 return NT_STATUS_INVALID_PARAMETER;
108 }
109
110 *str_p = NULL;
111
112 str = TALLOC_ZERO_P(mem_ctx, struct netr_AcctLockStr);
113 if (!str) {
114 return NT_STATUS_NO_MEMORY;
115 }
116
117 blob = data_blob_const(r->array, r->length);
118
119 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, str,
120 (ndr_pull_flags_fn_t)ndr_pull_netr_AcctLockStr);
121 data_blob_free(&blob);
122
123 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
124 return ndr_map_error2ntstatus(ndr_err);
125 }
126
127 *str_p = str;
128
129 return NT_STATUS_OK;
130}
131
132static void display_domain_info(struct netr_DELTA_DOMAIN *r)
133{
134 time_t u_logout;
135 struct netr_AcctLockStr *lockstr = NULL;
136 NTSTATUS status;
137 TALLOC_CTX *mem_ctx = talloc_tos();
138
139 status = pull_netr_AcctLockStr(mem_ctx, &r->account_lockout,
140 &lockstr);
141 if (!NT_STATUS_IS_OK(status)) {
142 d_printf("failed to pull account lockout string: %s\n",
143 nt_errstr(status));
144 }
145
146 u_logout = uint64s_nt_time_to_unix_abs((const uint64 *)&r->force_logoff_time);
147
148 d_printf("Domain name: %s\n", r->domain_name.string);
149
150 d_printf("Minimal Password Length: %d\n", r->min_password_length);
151 d_printf("Password History Length: %d\n", r->password_history_length);
152
153 d_printf("Force Logoff: %d\n", (int)u_logout);
154
155 d_printf("Max Password Age: %s\n", display_time(r->max_password_age));
156 d_printf("Min Password Age: %s\n", display_time(r->min_password_age));
157
158 if (lockstr) {
159 d_printf("Lockout Time: %s\n", display_time((NTTIME)lockstr->lockout_duration));
160 d_printf("Lockout Reset Time: %s\n", display_time((NTTIME)lockstr->reset_count));
161 d_printf("Bad Attempt Lockout: %d\n", lockstr->bad_attempt_lockout);
162 }
163
164 d_printf("User must logon to change password: %d\n", r->logon_to_chgpass);
165}
166
167static void display_group_info(uint32_t rid, struct netr_DELTA_GROUP *r)
168{
169 d_printf("Group '%s' ", r->group_name.string);
170 d_printf("desc='%s', rid=%u\n", r->description.string, rid);
171}
172
173static void display_sam_entry(struct netr_DELTA_ENUM *r)
174{
175 union netr_DELTA_UNION u = r->delta_union;
176 union netr_DELTA_ID_UNION id = r->delta_id_union;
177
178 switch (r->delta_type) {
179 case NETR_DELTA_DOMAIN:
180 display_domain_info(u.domain);
181 break;
182 case NETR_DELTA_GROUP:
183 display_group_info(id.rid, u.group);
184 break;
185#if 0
186 case NETR_DELTA_DELETE_GROUP:
187 printf("Delete Group: %d\n",
188 u.delete_account.unknown);
189 break;
190 case NETR_DELTA_RENAME_GROUP:
191 printf("Rename Group: %s -> %s\n",
192 u.rename_group->OldName.string,
193 u.rename_group->NewName.string);
194 break;
195#endif
196 case NETR_DELTA_USER:
197 display_account_info(id.rid, u.user);
198 break;
199#if 0
200 case NETR_DELTA_DELETE_USER:
201 printf("Delete User: %d\n",
202 id.rid);
203 break;
204 case NETR_DELTA_RENAME_USER:
205 printf("Rename user: %s -> %s\n",
206 u.rename_user->OldName.string,
207 u.rename_user->NewName.string);
208 break;
209#endif
210 case NETR_DELTA_GROUP_MEMBER:
211 display_group_mem_info(id.rid, u.group_member);
212 break;
213 case NETR_DELTA_ALIAS:
214 display_alias_info(id.rid, u.alias);
215 break;
216#if 0
217 case NETR_DELTA_DELETE_ALIAS:
218 printf("Delete Alias: %d\n",
219 id.rid);
220 break;
221 case NETR_DELTA_RENAME_ALIAS:
222 printf("Rename alias: %s -> %s\n",
223 u.rename_alias->OldName.string,
224 u.rename_alias->NewName.string);
225 break;
226#endif
227 case NETR_DELTA_ALIAS_MEMBER:
228 display_alias_mem(id.rid, u.alias_member);
229 break;
230#if 0
231 case NETR_DELTA_POLICY:
232 printf("Policy\n");
233 break;
234 case NETR_DELTA_TRUSTED_DOMAIN:
235 printf("Trusted Domain: %s\n",
236 u.trusted_domain->domain_name.string);
237 break;
238 case NETR_DELTA_DELETE_TRUST:
239 printf("Delete Trust: %d\n",
240 u.delete_trust.unknown);
241 break;
242 case NETR_DELTA_ACCOUNT:
243 printf("Account\n");
244 break;
245 case NETR_DELTA_DELETE_ACCOUNT:
246 printf("Delete Account: %d\n",
247 u.delete_account.unknown);
248 break;
249 case NETR_DELTA_SECRET:
250 printf("Secret\n");
251 break;
252 case NETR_DELTA_DELETE_SECRET:
253 printf("Delete Secret: %d\n",
254 u.delete_secret.unknown);
255 break;
256 case NETR_DELTA_DELETE_GROUP2:
257 printf("Delete Group2: %s\n",
258 u.delete_group->account_name);
259 break;
260 case NETR_DELTA_DELETE_USER2:
261 printf("Delete User2: %s\n",
262 u.delete_user->account_name);
263 break;
264 case NETR_DELTA_MODIFY_COUNT:
265 printf("sam sequence update: 0x%016llx\n",
266 (unsigned long long) *u.modified_count);
267 break;
268#endif
269 /* The following types are recognised but not handled */
270 case NETR_DELTA_RENAME_GROUP:
271 d_printf("NETR_DELTA_RENAME_GROUP not handled\n");
272 break;
273 case NETR_DELTA_RENAME_USER:
274 d_printf("NETR_DELTA_RENAME_USER not handled\n");
275 break;
276 case NETR_DELTA_RENAME_ALIAS:
277 d_printf("NETR_DELTA_RENAME_ALIAS not handled\n");
278 break;
279 case NETR_DELTA_POLICY:
280 d_printf("NETR_DELTA_POLICY not handled\n");
281 break;
282 case NETR_DELTA_TRUSTED_DOMAIN:
283 d_printf("NETR_DELTA_TRUSTED_DOMAIN not handled\n");
284 break;
285 case NETR_DELTA_ACCOUNT:
286 d_printf("NETR_DELTA_ACCOUNT not handled\n");
287 break;
288 case NETR_DELTA_SECRET:
289 d_printf("NETR_DELTA_SECRET not handled\n");
290 break;
291 case NETR_DELTA_DELETE_GROUP:
292 d_printf("NETR_DELTA_DELETE_GROUP not handled\n");
293 break;
294 case NETR_DELTA_DELETE_USER:
295 d_printf("NETR_DELTA_DELETE_USER not handled\n");
296 break;
297 case NETR_DELTA_MODIFY_COUNT:
298 d_printf("NETR_DELTA_MODIFY_COUNT not handled\n");
299 break;
300 case NETR_DELTA_DELETE_ALIAS:
301 d_printf("NETR_DELTA_DELETE_ALIAS not handled\n");
302 break;
303 case NETR_DELTA_DELETE_TRUST:
304 d_printf("NETR_DELTA_DELETE_TRUST not handled\n");
305 break;
306 case NETR_DELTA_DELETE_ACCOUNT:
307 d_printf("NETR_DELTA_DELETE_ACCOUNT not handled\n");
308 break;
309 case NETR_DELTA_DELETE_SECRET:
310 d_printf("NETR_DELTA_DELETE_SECRET not handled\n");
311 break;
312 case NETR_DELTA_DELETE_GROUP2:
313 d_printf("NETR_DELTA_DELETE_GROUP2 not handled\n");
314 break;
315 case NETR_DELTA_DELETE_USER2:
316 d_printf("NETR_DELTA_DELETE_USER2 not handled\n");
317 break;
318 default:
319 printf("unknown delta type 0x%02x\n",
320 r->delta_type);
321 break;
322 }
323}
324
325static void dump_database(struct rpc_pipe_client *pipe_hnd,
326 enum netr_SamDatabaseID database_id)
327{
328 NTSTATUS result;
329 int i;
330 TALLOC_CTX *mem_ctx;
331 const char *logon_server = pipe_hnd->cli->desthost;
332 const char *computername = global_myname();
333 struct netr_Authenticator credential;
334 struct netr_Authenticator return_authenticator;
335 uint16_t restart_state = 0;
336 uint32_t sync_context = 0;
337 DATA_BLOB session_key;
338
339 ZERO_STRUCT(return_authenticator);
340
341 if (!(mem_ctx = talloc_init("dump_database"))) {
342 return;
343 }
344
345 switch(database_id) {
346 case SAM_DATABASE_DOMAIN:
347 d_printf("Dumping DOMAIN database\n");
348 break;
349 case SAM_DATABASE_BUILTIN:
350 d_printf("Dumping BUILTIN database\n");
351 break;
352 case SAM_DATABASE_PRIVS:
353 d_printf("Dumping PRIVS databases\n");
354 break;
355 default:
356 d_printf("Dumping unknown database type %u\n",
357 database_id);
358 break;
359 }
360
361 do {
362 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
363
364 netlogon_creds_client_step(pipe_hnd->dc, &credential);
365
366 result = rpccli_netr_DatabaseSync2(pipe_hnd, mem_ctx,
367 logon_server,
368 computername,
369 &credential,
370 &return_authenticator,
371 database_id,
372 restart_state,
373 &sync_context,
374 &delta_enum_array,
375 0xffff);
376
377 /* Check returned credentials. */
378 if (!netlogon_creds_client_check(pipe_hnd->dc,
379 &return_authenticator.cred)) {
380 DEBUG(0,("credentials chain check failed\n"));
381 return;
382 }
383
384 if (NT_STATUS_IS_ERR(result)) {
385 break;
386 }
387
388 session_key = data_blob_const(pipe_hnd->dc->sess_key, 16);
389
390 samsync_fix_delta_array(mem_ctx,
391 &session_key,
392 database_id,
393 delta_enum_array);
394
395 /* Display results */
396 for (i = 0; i < delta_enum_array->num_deltas; i++) {
397 display_sam_entry(&delta_enum_array->delta_enum[i]);
398 }
399
400 TALLOC_FREE(delta_enum_array);
401
402 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
403
404 talloc_destroy(mem_ctx);
405}
406
407/* dump sam database via samsync rpc calls */
408NTSTATUS rpc_samdump_internals(const DOM_SID *domain_sid,
409 const char *domain_name,
410 struct cli_state *cli,
411 struct rpc_pipe_client *pipe_hnd,
412 TALLOC_CTX *mem_ctx,
413 int argc,
414 const char **argv)
415{
416#if 0
417 /* net_rpc.c now always tries to create an schannel pipe.. */
418
419 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
420 uchar trust_password[16];
421 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
422 uint32 sec_channel_type = 0;
423
424 if (!secrets_fetch_trust_account_password(domain_name,
425 trust_password,
426 NULL, &sec_channel_type)) {
427 DEBUG(0,("Could not fetch trust account password\n"));
428 goto fail;
429 }
430
431 nt_status = rpccli_netlogon_setup_creds(pipe_hnd,
432 cli->desthost,
433 domain_name,
434 global_myname(),
435 trust_password,
436 sec_channel_type,
437 &neg_flags);
438
439 if (!NT_STATUS_IS_OK(nt_status)) {
440 DEBUG(0,("Error connecting to NETLOGON pipe\n"));
441 goto fail;
442 }
443#endif
444
445 dump_database(pipe_hnd, SAM_DATABASE_DOMAIN);
446 dump_database(pipe_hnd, SAM_DATABASE_BUILTIN);
447 dump_database(pipe_hnd, SAM_DATABASE_PRIVS);
448
449 return NT_STATUS_OK;
450}
451
452/* Convert a struct samu_DELTA to a struct samu. */
453#define STRING_CHANGED (old_string && !new_string) ||\
454 (!old_string && new_string) ||\
455 (old_string && new_string && (strcmp(old_string, new_string) != 0))
456
457#define STRING_CHANGED_NC(s1,s2) ((s1) && !(s2)) ||\
458 (!(s1) && (s2)) ||\
459 ((s1) && (s2) && (strcmp((s1), (s2)) != 0))
460
461static NTSTATUS sam_account_from_delta(struct samu *account,
462 struct netr_DELTA_USER *r)
463{
464 const char *old_string, *new_string;
465 time_t unix_time, stored_time;
466 uchar zero_buf[16];
467
468 memset(zero_buf, '\0', sizeof(zero_buf));
469
470 /* Username, fullname, home dir, dir drive, logon script, acct
471 desc, workstations, profile. */
472
473 if (r->account_name.string) {
474 old_string = pdb_get_nt_username(account);
475 new_string = r->account_name.string;
476
477 if (STRING_CHANGED) {
478 pdb_set_nt_username(account, new_string, PDB_CHANGED);
479 }
480
481 /* Unix username is the same - for sanity */
482 old_string = pdb_get_username( account );
483 if (STRING_CHANGED) {
484 pdb_set_username(account, new_string, PDB_CHANGED);
485 }
486 }
487
488 if (r->full_name.string) {
489 old_string = pdb_get_fullname(account);
490 new_string = r->full_name.string;
491
492 if (STRING_CHANGED)
493 pdb_set_fullname(account, new_string, PDB_CHANGED);
494 }
495
496 if (r->home_directory.string) {
497 old_string = pdb_get_homedir(account);
498 new_string = r->home_directory.string;
499
500 if (STRING_CHANGED)
501 pdb_set_homedir(account, new_string, PDB_CHANGED);
502 }
503
504 if (r->home_drive.string) {
505 old_string = pdb_get_dir_drive(account);
506 new_string = r->home_drive.string;
507
508 if (STRING_CHANGED)
509 pdb_set_dir_drive(account, new_string, PDB_CHANGED);
510 }
511
512 if (r->logon_script.string) {
513 old_string = pdb_get_logon_script(account);
514 new_string = r->logon_script.string;
515
516 if (STRING_CHANGED)
517 pdb_set_logon_script(account, new_string, PDB_CHANGED);
518 }
519
520 if (r->description.string) {
521 old_string = pdb_get_acct_desc(account);
522 new_string = r->description.string;
523
524 if (STRING_CHANGED)
525 pdb_set_acct_desc(account, new_string, PDB_CHANGED);
526 }
527
528 if (r->workstations.string) {
529 old_string = pdb_get_workstations(account);
530 new_string = r->workstations.string;
531
532 if (STRING_CHANGED)
533 pdb_set_workstations(account, new_string, PDB_CHANGED);
534 }
535
536 if (r->profile_path.string) {
537 old_string = pdb_get_profile_path(account);
538 new_string = r->profile_path.string;
539
540 if (STRING_CHANGED)
541 pdb_set_profile_path(account, new_string, PDB_CHANGED);
542 }
543
544 if (r->parameters.string) {
545 DATA_BLOB mung;
546 char *newstr;
547 old_string = pdb_get_munged_dial(account);
548 mung.length = r->parameters.length;
549 mung.data = (uint8 *) r->parameters.string;
550 newstr = (mung.length == 0) ? NULL :
551 base64_encode_data_blob(talloc_tos(), mung);
552
553 if (STRING_CHANGED_NC(old_string, newstr))
554 pdb_set_munged_dial(account, newstr, PDB_CHANGED);
555 TALLOC_FREE(newstr);
556 }
557
558 /* User and group sid */
559 if (pdb_get_user_rid(account) != r->rid)
560 pdb_set_user_sid_from_rid(account, r->rid, PDB_CHANGED);
561 if (pdb_get_group_rid(account) != r->primary_gid)
562 pdb_set_group_sid_from_rid(account, r->primary_gid, PDB_CHANGED);
563
564 /* Logon and password information */
565 if (!nt_time_is_zero(&r->last_logon)) {
566 unix_time = nt_time_to_unix(r->last_logon);
567 stored_time = pdb_get_logon_time(account);
568 if (stored_time != unix_time)
569 pdb_set_logon_time(account, unix_time, PDB_CHANGED);
570 }
571
572 if (!nt_time_is_zero(&r->last_logoff)) {
573 unix_time = nt_time_to_unix(r->last_logoff);
574 stored_time = pdb_get_logoff_time(account);
575 if (stored_time != unix_time)
576 pdb_set_logoff_time(account, unix_time,PDB_CHANGED);
577 }
578
579 /* Logon Divs */
580 if (pdb_get_logon_divs(account) != r->logon_hours.units_per_week)
581 pdb_set_logon_divs(account, r->logon_hours.units_per_week, PDB_CHANGED);
582
583#if 0
584 /* no idea what to do with this one - gd */
585 /* Max Logon Hours */
586 if (delta->unknown1 != pdb_get_unknown_6(account)) {
587 pdb_set_unknown_6(account, delta->unknown1, PDB_CHANGED);
588 }
589#endif
590 /* Logon Hours Len */
591 if (r->logon_hours.units_per_week/8 != pdb_get_hours_len(account)) {
592 pdb_set_hours_len(account, r->logon_hours.units_per_week/8, PDB_CHANGED);
593 }
594
595 /* Logon Hours */
596 if (r->logon_hours.bits) {
597 char oldstr[44], newstr[44];
598 pdb_sethexhours(oldstr, pdb_get_hours(account));
599 pdb_sethexhours(newstr, r->logon_hours.bits);
600 if (!strequal(oldstr, newstr))
601 pdb_set_hours(account, r->logon_hours.bits, PDB_CHANGED);
602 }
603
604 if (pdb_get_bad_password_count(account) != r->bad_password_count)
605 pdb_set_bad_password_count(account, r->bad_password_count, PDB_CHANGED);
606
607 if (pdb_get_logon_count(account) != r->logon_count)
608 pdb_set_logon_count(account, r->logon_count, PDB_CHANGED);
609
610 if (!nt_time_is_zero(&r->last_password_change)) {
611 unix_time = nt_time_to_unix(r->last_password_change);
612 stored_time = pdb_get_pass_last_set_time(account);
613 if (stored_time != unix_time)
614 pdb_set_pass_last_set_time(account, unix_time, PDB_CHANGED);
615 } else {
616 /* no last set time, make it now */
617 pdb_set_pass_last_set_time(account, time(NULL), PDB_CHANGED);
618 }
619
620 if (!nt_time_is_zero(&r->acct_expiry)) {
621 unix_time = nt_time_to_unix(r->acct_expiry);
622 stored_time = pdb_get_kickoff_time(account);
623 if (stored_time != unix_time)
624 pdb_set_kickoff_time(account, unix_time, PDB_CHANGED);
625 }
626
627 /* Decode hashes from password hash
628 Note that win2000 may send us all zeros for the hashes if it doesn't
629 think this channel is secure enough - don't set the passwords at all
630 in that case
631 */
632 if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
633 pdb_set_lanman_passwd(account, r->lmpassword.hash, PDB_CHANGED);
634 }
635
636 if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
637 pdb_set_nt_passwd(account, r->ntpassword.hash, PDB_CHANGED);
638 }
639
640 /* TODO: account expiry time */
641
642 pdb_set_acct_ctrl(account, r->acct_flags, PDB_CHANGED);
643
644 pdb_set_domain(account, lp_workgroup(), PDB_CHANGED);
645
646 return NT_STATUS_OK;
647}
648
649static NTSTATUS fetch_account_info(uint32_t rid,
650 struct netr_DELTA_USER *r)
651{
652
653 NTSTATUS nt_ret = NT_STATUS_UNSUCCESSFUL;
654 fstring account;
655 char *add_script = NULL;
656 struct samu *sam_account=NULL;
657 GROUP_MAP map;
658 struct group *grp;
659 DOM_SID user_sid;
660 DOM_SID group_sid;
661 struct passwd *passwd;
662 fstring sid_string;
663
664 fstrcpy(account, r->account_name.string);
665 d_printf("Creating account: %s\n", account);
666
667 if ( !(sam_account = samu_new( NULL )) ) {
668 return NT_STATUS_NO_MEMORY;
669 }
670
671 if (!(passwd = Get_Pwnam_alloc(sam_account, account))) {
672 /* Create appropriate user */
673 if (r->acct_flags & ACB_NORMAL) {
674 add_script = talloc_strdup(sam_account,
675 lp_adduser_script());
676 } else if ( (r->acct_flags & ACB_WSTRUST) ||
677 (r->acct_flags & ACB_SVRTRUST) ||
678 (r->acct_flags & ACB_DOMTRUST) ) {
679 add_script = talloc_strdup(sam_account,
680 lp_addmachine_script());
681 } else {
682 DEBUG(1, ("Unknown user type: %s\n",
683 pdb_encode_acct_ctrl(r->acct_flags, NEW_PW_FORMAT_SPACE_PADDED_LEN)));
684 nt_ret = NT_STATUS_UNSUCCESSFUL;
685 goto done;
686 }
687 if (!add_script) {
688 nt_ret = NT_STATUS_NO_MEMORY;
689 goto done;
690 }
691 if (*add_script) {
692 int add_ret;
693 add_script = talloc_all_string_sub(sam_account,
694 add_script,
695 "%u",
696 account);
697 if (!add_script) {
698 nt_ret = NT_STATUS_NO_MEMORY;
699 goto done;
700 }
701 add_ret = smbrun(add_script,NULL);
702 DEBUG(add_ret ? 0 : 1,("fetch_account: Running the command `%s' "
703 "gave %d\n", add_script, add_ret));
704 if (add_ret == 0) {
705 smb_nscd_flush_user_cache();
706 }
707 }
708
709 /* try and find the possible unix account again */
710 if ( !(passwd = Get_Pwnam_alloc(sam_account, account)) ) {
711 d_fprintf(stderr, "Could not create posix account info for '%s'\n", account);
712 nt_ret = NT_STATUS_NO_SUCH_USER;
713 goto done;
714 }
715 }
716
717 sid_copy(&user_sid, get_global_sam_sid());
718 sid_append_rid(&user_sid, r->rid);
719
720 DEBUG(3, ("Attempting to find SID %s for user %s in the passdb\n",
721 sid_to_fstring(sid_string, &user_sid), account));
722 if (!pdb_getsampwsid(sam_account, &user_sid)) {
723 sam_account_from_delta(sam_account, r);
724 DEBUG(3, ("Attempting to add user SID %s for user %s in the passdb\n",
725 sid_to_fstring(sid_string, &user_sid),
726 pdb_get_username(sam_account)));
727 if (!NT_STATUS_IS_OK(pdb_add_sam_account(sam_account))) {
728 DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
729 account));
730 return NT_STATUS_ACCESS_DENIED;
731 }
732 } else {
733 sam_account_from_delta(sam_account, r);
734 DEBUG(3, ("Attempting to update user SID %s for user %s in the passdb\n",
735 sid_to_fstring(sid_string, &user_sid),
736 pdb_get_username(sam_account)));
737 if (!NT_STATUS_IS_OK(pdb_update_sam_account(sam_account))) {
738 DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
739 account));
740 TALLOC_FREE(sam_account);
741 return NT_STATUS_ACCESS_DENIED;
742 }
743 }
744
745 if (pdb_get_group_sid(sam_account) == NULL) {
746 return NT_STATUS_UNSUCCESSFUL;
747 }
748
749 group_sid = *pdb_get_group_sid(sam_account);
750
751 if (!pdb_getgrsid(&map, group_sid)) {
752 DEBUG(0, ("Primary group of %s has no mapping!\n",
753 pdb_get_username(sam_account)));
754 } else {
755 if (map.gid != passwd->pw_gid) {
756 if (!(grp = getgrgid(map.gid))) {
757 DEBUG(0, ("Could not find unix group %lu for user %s (group SID=%s)\n",
758 (unsigned long)map.gid, pdb_get_username(sam_account), sid_string_tos(&group_sid)));
759 } else {
760 smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
761 }
762 }
763 }
764
765 if ( !passwd ) {
766 DEBUG(1, ("No unix user for this account (%s), cannot adjust mappings\n",
767 pdb_get_username(sam_account)));
768 }
769
770 done:
771 TALLOC_FREE(sam_account);
772 return nt_ret;
773}
774
775static NTSTATUS fetch_group_info(uint32_t rid,
776 struct netr_DELTA_GROUP *r)
777{
778 fstring name;
779 fstring comment;
780 struct group *grp = NULL;
781 DOM_SID group_sid;
782 fstring sid_string;
783 GROUP_MAP map;
784 bool insert = True;
785
786 fstrcpy(name, r->group_name.string);
787 fstrcpy(comment, r->description.string);
788
789 /* add the group to the mapping table */
790 sid_copy(&group_sid, get_global_sam_sid());
791 sid_append_rid(&group_sid, rid);
792 sid_to_fstring(sid_string, &group_sid);
793
794 if (pdb_getgrsid(&map, group_sid)) {
795 if ( map.gid != -1 )
796 grp = getgrgid(map.gid);
797 insert = False;
798 }
799
800 if (grp == NULL) {
801 gid_t gid;
802
803 /* No group found from mapping, find it from its name. */
804 if ((grp = getgrnam(name)) == NULL) {
805
806 /* No appropriate group found, create one */
807
808 d_printf("Creating unix group: '%s'\n", name);
809
810 if (smb_create_group(name, &gid) != 0)
811 return NT_STATUS_ACCESS_DENIED;
812
813 if ((grp = getgrnam(name)) == NULL)
814 return NT_STATUS_ACCESS_DENIED;
815 }
816 }
817
818 map.gid = grp->gr_gid;
819 map.sid = group_sid;
820 map.sid_name_use = SID_NAME_DOM_GRP;
821 fstrcpy(map.nt_name, name);
822 if (r->description.string) {
823 fstrcpy(map.comment, comment);
824 } else {
825 fstrcpy(map.comment, "");
826 }
827
828 if (insert)
829 pdb_add_group_mapping_entry(&map);
830 else
831 pdb_update_group_mapping_entry(&map);
832
833 return NT_STATUS_OK;
834}
835
836static NTSTATUS fetch_group_mem_info(uint32_t rid,
837 struct netr_DELTA_GROUP_MEMBER *r)
838{
839 int i;
840 TALLOC_CTX *t = NULL;
841 char **nt_members = NULL;
842 char **unix_members;
843 DOM_SID group_sid;
844 GROUP_MAP map;
845 struct group *grp;
846
847 if (r->num_rids == 0) {
848 return NT_STATUS_OK;
849 }
850
851 sid_copy(&group_sid, get_global_sam_sid());
852 sid_append_rid(&group_sid, rid);
853
854 if (!get_domain_group_from_sid(group_sid, &map)) {
855 DEBUG(0, ("Could not find global group %d\n", rid));
856 return NT_STATUS_NO_SUCH_GROUP;
857 }
858
859 if (!(grp = getgrgid(map.gid))) {
860 DEBUG(0, ("Could not find unix group %lu\n", (unsigned long)map.gid));
861 return NT_STATUS_NO_SUCH_GROUP;
862 }
863
864 d_printf("Group members of %s: ", grp->gr_name);
865
866 if (!(t = talloc_init("fetch_group_mem_info"))) {
867 DEBUG(0, ("could not talloc_init\n"));
868 return NT_STATUS_NO_MEMORY;
869 }
870
871 if (r->num_rids) {
872 if ((nt_members = TALLOC_ZERO_ARRAY(t, char *, r->num_rids)) == NULL) {
873 DEBUG(0, ("talloc failed\n"));
874 talloc_free(t);
875 return NT_STATUS_NO_MEMORY;
876 }
877 } else {
878 nt_members = NULL;
879 }
880
881 for (i=0; i < r->num_rids; i++) {
882 struct samu *member = NULL;
883 DOM_SID member_sid;
884
885 if ( !(member = samu_new(t)) ) {
886 talloc_destroy(t);
887 return NT_STATUS_NO_MEMORY;
888 }
889
890 sid_copy(&member_sid, get_global_sam_sid());
891 sid_append_rid(&member_sid, r->rids[i]);
892
893 if (!pdb_getsampwsid(member, &member_sid)) {
894 DEBUG(1, ("Found bogus group member: %d (member_sid=%s group=%s)\n",
895 r->rids[i], sid_string_tos(&member_sid), grp->gr_name));
896 TALLOC_FREE(member);
897 continue;
898 }
899
900 if (pdb_get_group_rid(member) == rid) {
901 d_printf("%s(primary),", pdb_get_username(member));
902 TALLOC_FREE(member);
903 continue;
904 }
905
906 d_printf("%s,", pdb_get_username(member));
907 nt_members[i] = talloc_strdup(t, pdb_get_username(member));
908 TALLOC_FREE(member);
909 }
910
911 d_printf("\n");
912
913 unix_members = grp->gr_mem;
914
915 while (*unix_members) {
916 bool is_nt_member = False;
917 for (i=0; i < r->num_rids; i++) {
918 if (nt_members[i] == NULL) {
919 /* This was a primary group */
920 continue;
921 }
922
923 if (strcmp(*unix_members, nt_members[i]) == 0) {
924 is_nt_member = True;
925 break;
926 }
927 }
928 if (!is_nt_member) {
929 /* We look at a unix group member that is not
930 an nt group member. So, remove it. NT is
931 boss here. */
932 smb_delete_user_group(grp->gr_name, *unix_members);
933 }
934 unix_members += 1;
935 }
936
937 for (i=0; i < r->num_rids; i++) {
938 bool is_unix_member = False;
939
940 if (nt_members[i] == NULL) {
941 /* This was the primary group */
942 continue;
943 }
944
945 unix_members = grp->gr_mem;
946
947 while (*unix_members) {
948 if (strcmp(*unix_members, nt_members[i]) == 0) {
949 is_unix_member = True;
950 break;
951 }
952 unix_members += 1;
953 }
954
955 if (!is_unix_member) {
956 /* We look at a nt group member that is not a
957 unix group member currently. So, add the nt
958 group member. */
959 smb_add_user_group(grp->gr_name, nt_members[i]);
960 }
961 }
962
963 talloc_destroy(t);
964 return NT_STATUS_OK;
965}
966
967static NTSTATUS fetch_alias_info(uint32_t rid,
968 struct netr_DELTA_ALIAS *r,
969 DOM_SID dom_sid)
970{
971 fstring name;
972 fstring comment;
973 struct group *grp = NULL;
974 DOM_SID alias_sid;
975 fstring sid_string;
976 GROUP_MAP map;
977 bool insert = True;
978
979 fstrcpy(name, r->alias_name.string);
980 fstrcpy(comment, r->description.string);
981
982 /* Find out whether the group is already mapped */
983 sid_copy(&alias_sid, &dom_sid);
984 sid_append_rid(&alias_sid, rid);
985 sid_to_fstring(sid_string, &alias_sid);
986
987 if (pdb_getgrsid(&map, alias_sid)) {
988 grp = getgrgid(map.gid);
989 insert = False;
990 }
991
992 if (grp == NULL) {
993 gid_t gid;
994
995 /* No group found from mapping, find it from its name. */
996 if ((grp = getgrnam(name)) == NULL) {
997 /* No appropriate group found, create one */
998 d_printf("Creating unix group: '%s'\n", name);
999 if (smb_create_group(name, &gid) != 0)
1000 return NT_STATUS_ACCESS_DENIED;
1001 if ((grp = getgrgid(gid)) == NULL)
1002 return NT_STATUS_ACCESS_DENIED;
1003 }
1004 }
1005
1006 map.gid = grp->gr_gid;
1007 map.sid = alias_sid;
1008
1009 if (sid_equal(&dom_sid, &global_sid_Builtin))
1010 map.sid_name_use = SID_NAME_WKN_GRP;
1011 else
1012 map.sid_name_use = SID_NAME_ALIAS;
1013
1014 fstrcpy(map.nt_name, name);
1015 fstrcpy(map.comment, comment);
1016
1017 if (insert)
1018 pdb_add_group_mapping_entry(&map);
1019 else
1020 pdb_update_group_mapping_entry(&map);
1021
1022 return NT_STATUS_OK;
1023}
1024
1025static NTSTATUS fetch_alias_mem(uint32_t rid,
1026 struct netr_DELTA_ALIAS_MEMBER *r,
1027 DOM_SID dom_sid)
1028{
1029 return NT_STATUS_OK;
1030}
1031
1032static NTSTATUS fetch_domain_info(uint32_t rid,
1033 struct netr_DELTA_DOMAIN *r)
1034{
1035 time_t u_max_age, u_min_age, u_logout;
1036 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
1037 const char *domname;
1038 struct netr_AcctLockStr *lockstr = NULL;
1039 NTSTATUS status;
1040 TALLOC_CTX *mem_ctx = talloc_tos();
1041
1042 status = pull_netr_AcctLockStr(mem_ctx, &r->account_lockout,
1043 &lockstr);
1044 if (!NT_STATUS_IS_OK(status)) {
1045 d_printf("failed to pull account lockout string: %s\n",
1046 nt_errstr(status));
1047 }
1048
1049 u_max_age = uint64s_nt_time_to_unix_abs((uint64 *)&r->max_password_age);
1050 u_min_age = uint64s_nt_time_to_unix_abs((uint64 *)&r->min_password_age);
1051 u_logout = uint64s_nt_time_to_unix_abs((uint64 *)&r->force_logoff_time);
1052
1053 domname = r->domain_name.string;
1054 if (!domname) {
1055 return NT_STATUS_NO_MEMORY;
1056 }
1057
1058 /* we don't handle BUILTIN account policies */
1059 if (!strequal(domname, get_global_sam_name())) {
1060 printf("skipping SAM_DOMAIN_INFO delta for '%s' (is not my domain)\n", domname);
1061 return NT_STATUS_OK;
1062 }
1063
1064
1065 if (!pdb_set_account_policy(AP_PASSWORD_HISTORY,
1066 r->password_history_length))
1067 return nt_status;
1068
1069 if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN,
1070 r->min_password_length))
1071 return nt_status;
1072
1073 if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
1074 return nt_status;
1075
1076 if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
1077 return nt_status;
1078
1079 if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout))
1080 return nt_status;
1081
1082 if (lockstr) {
1083 time_t u_lockoutreset, u_lockouttime;
1084
1085 u_lockoutreset = uint64s_nt_time_to_unix_abs(&lockstr->reset_count);
1086 u_lockouttime = uint64s_nt_time_to_unix_abs((uint64_t *)&lockstr->lockout_duration);
1087
1088 if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
1089 lockstr->bad_attempt_lockout))
1090 return nt_status;
1091
1092 if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32_t)u_lockoutreset/60))
1093 return nt_status;
1094
1095 if (u_lockouttime != -1)
1096 u_lockouttime /= 60;
1097
1098 if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32_t)u_lockouttime))
1099 return nt_status;
1100 }
1101
1102 if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
1103 r->logon_to_chgpass))
1104 return nt_status;
1105
1106 return NT_STATUS_OK;
1107}
1108
1109static void fetch_sam_entry(struct netr_DELTA_ENUM *r, DOM_SID dom_sid)
1110{
1111 switch(r->delta_type) {
1112 case NETR_DELTA_USER:
1113 fetch_account_info(r->delta_id_union.rid,
1114 r->delta_union.user);
1115 break;
1116 case NETR_DELTA_GROUP:
1117 fetch_group_info(r->delta_id_union.rid,
1118 r->delta_union.group);
1119 break;
1120 case NETR_DELTA_GROUP_MEMBER:
1121 fetch_group_mem_info(r->delta_id_union.rid,
1122 r->delta_union.group_member);
1123 break;
1124 case NETR_DELTA_ALIAS:
1125 fetch_alias_info(r->delta_id_union.rid,
1126 r->delta_union.alias,
1127 dom_sid);
1128 break;
1129 case NETR_DELTA_ALIAS_MEMBER:
1130 fetch_alias_mem(r->delta_id_union.rid,
1131 r->delta_union.alias_member,
1132 dom_sid);
1133 break;
1134 case NETR_DELTA_DOMAIN:
1135 fetch_domain_info(r->delta_id_union.rid,
1136 r->delta_union.domain);
1137 break;
1138 /* The following types are recognised but not handled */
1139 case NETR_DELTA_RENAME_GROUP:
1140 d_printf("NETR_DELTA_RENAME_GROUP not handled\n");
1141 break;
1142 case NETR_DELTA_RENAME_USER:
1143 d_printf("NETR_DELTA_RENAME_USER not handled\n");
1144 break;
1145 case NETR_DELTA_RENAME_ALIAS:
1146 d_printf("NETR_DELTA_RENAME_ALIAS not handled\n");
1147 break;
1148 case NETR_DELTA_POLICY:
1149 d_printf("NETR_DELTA_POLICY not handled\n");
1150 break;
1151 case NETR_DELTA_TRUSTED_DOMAIN:
1152 d_printf("NETR_DELTA_TRUSTED_DOMAIN not handled\n");
1153 break;
1154 case NETR_DELTA_ACCOUNT:
1155 d_printf("NETR_DELTA_ACCOUNT not handled\n");
1156 break;
1157 case NETR_DELTA_SECRET:
1158 d_printf("NETR_DELTA_SECRET not handled\n");
1159 break;
1160 case NETR_DELTA_DELETE_GROUP:
1161 d_printf("NETR_DELTA_DELETE_GROUP not handled\n");
1162 break;
1163 case NETR_DELTA_DELETE_USER:
1164 d_printf("NETR_DELTA_DELETE_USER not handled\n");
1165 break;
1166 case NETR_DELTA_MODIFY_COUNT:
1167 d_printf("NETR_DELTA_MODIFY_COUNT not handled\n");
1168 break;
1169 case NETR_DELTA_DELETE_ALIAS:
1170 d_printf("NETR_DELTA_DELETE_ALIAS not handled\n");
1171 break;
1172 case NETR_DELTA_DELETE_TRUST:
1173 d_printf("NETR_DELTA_DELETE_TRUST not handled\n");
1174 break;
1175 case NETR_DELTA_DELETE_ACCOUNT:
1176 d_printf("NETR_DELTA_DELETE_ACCOUNT not handled\n");
1177 break;
1178 case NETR_DELTA_DELETE_SECRET:
1179 d_printf("NETR_DELTA_DELETE_SECRET not handled\n");
1180 break;
1181 case NETR_DELTA_DELETE_GROUP2:
1182 d_printf("NETR_DELTA_DELETE_GROUP2 not handled\n");
1183 break;
1184 case NETR_DELTA_DELETE_USER2:
1185 d_printf("NETR_DELTA_DELETE_USER2 not handled\n");
1186 break;
1187 default:
1188 d_printf("Unknown delta record type %d\n", r->delta_type);
1189 break;
1190 }
1191}
1192
1193static NTSTATUS fetch_database(struct rpc_pipe_client *pipe_hnd, uint32 db_type, DOM_SID dom_sid)
1194{
1195 NTSTATUS result;
1196 int i;
1197 TALLOC_CTX *mem_ctx;
1198 const char *logon_server = pipe_hnd->cli->desthost;
1199 const char *computername = global_myname();
1200 struct netr_Authenticator credential;
1201 struct netr_Authenticator return_authenticator;
1202 enum netr_SamDatabaseID database_id = db_type;
1203 uint16_t restart_state = 0;
1204 uint32_t sync_context = 0;
1205 DATA_BLOB session_key;
1206
1207 if (!(mem_ctx = talloc_init("fetch_database")))
1208 return NT_STATUS_NO_MEMORY;
1209
1210 switch( db_type ) {
1211 case SAM_DATABASE_DOMAIN:
1212 d_printf("Fetching DOMAIN database\n");
1213 break;
1214 case SAM_DATABASE_BUILTIN:
1215 d_printf("Fetching BUILTIN database\n");
1216 break;
1217 case SAM_DATABASE_PRIVS:
1218 d_printf("Fetching PRIVS databases\n");
1219 break;
1220 default:
1221 d_printf("Fetching unknown database type %u\n", db_type );
1222 break;
1223 }
1224
1225 do {
1226 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1227
1228 netlogon_creds_client_step(pipe_hnd->dc, &credential);
1229
1230 result = rpccli_netr_DatabaseSync2(pipe_hnd, mem_ctx,
1231 logon_server,
1232 computername,
1233 &credential,
1234 &return_authenticator,
1235 database_id,
1236 restart_state,
1237 &sync_context,
1238 &delta_enum_array,
1239 0xffff);
1240
1241 /* Check returned credentials. */
1242 if (!netlogon_creds_client_check(pipe_hnd->dc,
1243 &return_authenticator.cred)) {
1244 DEBUG(0,("credentials chain check failed\n"));
1245 return NT_STATUS_ACCESS_DENIED;
1246 }
1247
1248 if (NT_STATUS_IS_ERR(result)) {
1249 break;
1250 }
1251
1252 session_key = data_blob_const(pipe_hnd->dc->sess_key, 16);
1253
1254 samsync_fix_delta_array(mem_ctx,
1255 &session_key,
1256 database_id,
1257 delta_enum_array);
1258
1259 for (i = 0; i < delta_enum_array->num_deltas; i++) {
1260 fetch_sam_entry(&delta_enum_array->delta_enum[i], dom_sid);
1261 }
1262
1263 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
1264
1265 talloc_destroy(mem_ctx);
1266
1267 return result;
1268}
1269
1270static NTSTATUS populate_ldap_for_ldif(fstring sid, const char *suffix, const char
1271 *builtin_sid, FILE *add_fd)
1272{
1273 const char *user_suffix, *group_suffix, *machine_suffix, *idmap_suffix;
1274 char *user_attr=NULL, *group_attr=NULL;
1275 char *suffix_attr;
1276 int len;
1277
1278 /* Get the suffix attribute */
1279 suffix_attr = sstring_sub(suffix, '=', ',');
1280 if (suffix_attr == NULL) {
1281 len = strlen(suffix);
1282 suffix_attr = (char*)SMB_MALLOC(len+1);
1283 memcpy(suffix_attr, suffix, len);
1284 suffix_attr[len] = '\0';
1285 }
1286
1287 /* Write the base */
1288 fprintf(add_fd, "# %s\n", suffix);
1289 fprintf(add_fd, "dn: %s\n", suffix);
1290 fprintf(add_fd, "objectClass: dcObject\n");
1291 fprintf(add_fd, "objectClass: organization\n");
1292 fprintf(add_fd, "o: %s\n", suffix_attr);
1293 fprintf(add_fd, "dc: %s\n", suffix_attr);
1294 fprintf(add_fd, "\n");
1295 fflush(add_fd);
1296
1297 user_suffix = lp_ldap_user_suffix();
1298 if (user_suffix == NULL) {
1299 SAFE_FREE(suffix_attr);
1300 return NT_STATUS_NO_MEMORY;
1301 }
1302 /* If it exists and is distinct from other containers,
1303 Write the Users entity */
1304 if (*user_suffix && strcmp(user_suffix, suffix)) {
1305 user_attr = sstring_sub(lp_ldap_user_suffix(), '=', ',');
1306 fprintf(add_fd, "# %s\n", user_suffix);
1307 fprintf(add_fd, "dn: %s\n", user_suffix);
1308 fprintf(add_fd, "objectClass: organizationalUnit\n");
1309 fprintf(add_fd, "ou: %s\n", user_attr);
1310 fprintf(add_fd, "\n");
1311 fflush(add_fd);
1312 }
1313
1314
1315 group_suffix = lp_ldap_group_suffix();
1316 if (group_suffix == NULL) {
1317 SAFE_FREE(suffix_attr);
1318 SAFE_FREE(user_attr);
1319 return NT_STATUS_NO_MEMORY;
1320 }
1321 /* If it exists and is distinct from other containers,
1322 Write the Groups entity */
1323 if (*group_suffix && strcmp(group_suffix, suffix)) {
1324 group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
1325 fprintf(add_fd, "# %s\n", group_suffix);
1326 fprintf(add_fd, "dn: %s\n", group_suffix);
1327 fprintf(add_fd, "objectClass: organizationalUnit\n");
1328 fprintf(add_fd, "ou: %s\n", group_attr);
1329 fprintf(add_fd, "\n");
1330 fflush(add_fd);
1331 }
1332
1333 /* If it exists and is distinct from other containers,
1334 Write the Computers entity */
1335 machine_suffix = lp_ldap_machine_suffix();
1336 if (machine_suffix == NULL) {
1337 SAFE_FREE(suffix_attr);
1338 SAFE_FREE(user_attr);
1339 SAFE_FREE(group_attr);
1340 return NT_STATUS_NO_MEMORY;
1341 }
1342 if (*machine_suffix && strcmp(machine_suffix, user_suffix) &&
1343 strcmp(machine_suffix, suffix)) {
1344 char *machine_ou = NULL;
1345 fprintf(add_fd, "# %s\n", machine_suffix);
1346 fprintf(add_fd, "dn: %s\n", machine_suffix);
1347 fprintf(add_fd, "objectClass: organizationalUnit\n");
1348 /* this isn't totally correct as it assumes that
1349 there _must_ be an ou. just fixing memleak now. jmcd */
1350 machine_ou = sstring_sub(lp_ldap_machine_suffix(), '=', ',');
1351 fprintf(add_fd, "ou: %s\n", machine_ou);
1352 SAFE_FREE(machine_ou);
1353 fprintf(add_fd, "\n");
1354 fflush(add_fd);
1355 }
1356
1357 /* If it exists and is distinct from other containers,
1358 Write the IdMap entity */
1359 idmap_suffix = lp_ldap_idmap_suffix();
1360 if (idmap_suffix == NULL) {
1361 SAFE_FREE(suffix_attr);
1362 SAFE_FREE(user_attr);
1363 SAFE_FREE(group_attr);
1364 return NT_STATUS_NO_MEMORY;
1365 }
1366 if (*idmap_suffix &&
1367 strcmp(idmap_suffix, user_suffix) &&
1368 strcmp(idmap_suffix, suffix)) {
1369 char *s;
1370 fprintf(add_fd, "# %s\n", idmap_suffix);
1371 fprintf(add_fd, "dn: %s\n", idmap_suffix);
1372 fprintf(add_fd, "ObjectClass: organizationalUnit\n");
1373 s = sstring_sub(lp_ldap_idmap_suffix(), '=', ',');
1374 fprintf(add_fd, "ou: %s\n", s);
1375 SAFE_FREE(s);
1376 fprintf(add_fd, "\n");
1377 fflush(add_fd);
1378 }
1379
1380 /* Write the domain entity */
1381 fprintf(add_fd, "# %s, %s\n", lp_workgroup(), suffix);
1382 fprintf(add_fd, "dn: sambaDomainName=%s,%s\n", lp_workgroup(),
1383 suffix);
1384 fprintf(add_fd, "objectClass: sambaDomain\n");
1385 fprintf(add_fd, "objectClass: sambaUnixIdPool\n");
1386 fprintf(add_fd, "sambaDomainName: %s\n", lp_workgroup());
1387 fprintf(add_fd, "sambaSID: %s\n", sid);
1388 fprintf(add_fd, "uidNumber: %d\n", ++ldif_uid);
1389 fprintf(add_fd, "gidNumber: %d\n", ++ldif_gid);
1390 fprintf(add_fd, "\n");
1391 fflush(add_fd);
1392
1393 /* Write the Domain Admins entity */
1394 fprintf(add_fd, "# Domain Admins, %s, %s\n", group_attr,
1395 suffix);
1396 fprintf(add_fd, "dn: cn=Domain Admins,ou=%s,%s\n", group_attr,
1397 suffix);
1398 fprintf(add_fd, "objectClass: posixGroup\n");
1399 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1400 fprintf(add_fd, "cn: Domain Admins\n");
1401 fprintf(add_fd, "memberUid: Administrator\n");
1402 fprintf(add_fd, "description: Netbios Domain Administrators\n");
1403 fprintf(add_fd, "gidNumber: 512\n");
1404 fprintf(add_fd, "sambaSID: %s-512\n", sid);
1405 fprintf(add_fd, "sambaGroupType: 2\n");
1406 fprintf(add_fd, "displayName: Domain Admins\n");
1407 fprintf(add_fd, "\n");
1408 fflush(add_fd);
1409
1410 /* Write the Domain Users entity */
1411 fprintf(add_fd, "# Domain Users, %s, %s\n", group_attr,
1412 suffix);
1413 fprintf(add_fd, "dn: cn=Domain Users,ou=%s,%s\n", group_attr,
1414 suffix);
1415 fprintf(add_fd, "objectClass: posixGroup\n");
1416 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1417 fprintf(add_fd, "cn: Domain Users\n");
1418 fprintf(add_fd, "description: Netbios Domain Users\n");
1419 fprintf(add_fd, "gidNumber: 513\n");
1420 fprintf(add_fd, "sambaSID: %s-513\n", sid);
1421 fprintf(add_fd, "sambaGroupType: 2\n");
1422 fprintf(add_fd, "displayName: Domain Users\n");
1423 fprintf(add_fd, "\n");
1424 fflush(add_fd);
1425
1426 /* Write the Domain Guests entity */
1427 fprintf(add_fd, "# Domain Guests, %s, %s\n", group_attr,
1428 suffix);
1429 fprintf(add_fd, "dn: cn=Domain Guests,ou=%s,%s\n", group_attr,
1430 suffix);
1431 fprintf(add_fd, "objectClass: posixGroup\n");
1432 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1433 fprintf(add_fd, "cn: Domain Guests\n");
1434 fprintf(add_fd, "description: Netbios Domain Guests\n");
1435 fprintf(add_fd, "gidNumber: 514\n");
1436 fprintf(add_fd, "sambaSID: %s-514\n", sid);
1437 fprintf(add_fd, "sambaGroupType: 2\n");
1438 fprintf(add_fd, "displayName: Domain Guests\n");
1439 fprintf(add_fd, "\n");
1440 fflush(add_fd);
1441
1442 /* Write the Domain Computers entity */
1443 fprintf(add_fd, "# Domain Computers, %s, %s\n", group_attr,
1444 suffix);
1445 fprintf(add_fd, "dn: cn=Domain Computers,ou=%s,%s\n",
1446 group_attr, suffix);
1447 fprintf(add_fd, "objectClass: posixGroup\n");
1448 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1449 fprintf(add_fd, "gidNumber: 515\n");
1450 fprintf(add_fd, "cn: Domain Computers\n");
1451 fprintf(add_fd, "description: Netbios Domain Computers accounts\n");
1452 fprintf(add_fd, "sambaSID: %s-515\n", sid);
1453 fprintf(add_fd, "sambaGroupType: 2\n");
1454 fprintf(add_fd, "displayName: Domain Computers\n");
1455 fprintf(add_fd, "\n");
1456 fflush(add_fd);
1457
1458 /* Write the Admininistrators Groups entity */
1459 fprintf(add_fd, "# Administrators, %s, %s\n", group_attr,
1460 suffix);
1461 fprintf(add_fd, "dn: cn=Administrators,ou=%s,%s\n", group_attr,
1462 suffix);
1463 fprintf(add_fd, "objectClass: posixGroup\n");
1464 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1465 fprintf(add_fd, "gidNumber: 544\n");
1466 fprintf(add_fd, "cn: Administrators\n");
1467 fprintf(add_fd, "description: Netbios Domain Members can fully administer the computer/sambaDomainName\n");
1468 fprintf(add_fd, "sambaSID: %s-544\n", builtin_sid);
1469 fprintf(add_fd, "sambaGroupType: 5\n");
1470 fprintf(add_fd, "displayName: Administrators\n");
1471 fprintf(add_fd, "\n");
1472
1473 /* Write the Print Operator entity */
1474 fprintf(add_fd, "# Print Operators, %s, %s\n", group_attr,
1475 suffix);
1476 fprintf(add_fd, "dn: cn=Print Operators,ou=%s,%s\n",
1477 group_attr, suffix);
1478 fprintf(add_fd, "objectClass: posixGroup\n");
1479 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1480 fprintf(add_fd, "gidNumber: 550\n");
1481 fprintf(add_fd, "cn: Print Operators\n");
1482 fprintf(add_fd, "description: Netbios Domain Print Operators\n");
1483 fprintf(add_fd, "sambaSID: %s-550\n", builtin_sid);
1484 fprintf(add_fd, "sambaGroupType: 5\n");
1485 fprintf(add_fd, "displayName: Print Operators\n");
1486 fprintf(add_fd, "\n");
1487 fflush(add_fd);
1488
1489 /* Write the Backup Operators entity */
1490 fprintf(add_fd, "# Backup Operators, %s, %s\n", group_attr,
1491 suffix);
1492 fprintf(add_fd, "dn: cn=Backup Operators,ou=%s,%s\n",
1493 group_attr, suffix);
1494 fprintf(add_fd, "objectClass: posixGroup\n");
1495 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1496 fprintf(add_fd, "gidNumber: 551\n");
1497 fprintf(add_fd, "cn: Backup Operators\n");
1498 fprintf(add_fd, "description: Netbios Domain Members can bypass file security to back up files\n");
1499 fprintf(add_fd, "sambaSID: %s-551\n", builtin_sid);
1500 fprintf(add_fd, "sambaGroupType: 5\n");
1501 fprintf(add_fd, "displayName: Backup Operators\n");
1502 fprintf(add_fd, "\n");
1503 fflush(add_fd);
1504
1505 /* Write the Replicators entity */
1506 fprintf(add_fd, "# Replicators, %s, %s\n", group_attr, suffix);
1507 fprintf(add_fd, "dn: cn=Replicators,ou=%s,%s\n", group_attr,
1508 suffix);
1509 fprintf(add_fd, "objectClass: posixGroup\n");
1510 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1511 fprintf(add_fd, "gidNumber: 552\n");
1512 fprintf(add_fd, "cn: Replicators\n");
1513 fprintf(add_fd, "description: Netbios Domain Supports file replication in a sambaDomainName\n");
1514 fprintf(add_fd, "sambaSID: %s-552\n", builtin_sid);
1515 fprintf(add_fd, "sambaGroupType: 5\n");
1516 fprintf(add_fd, "displayName: Replicators\n");
1517 fprintf(add_fd, "\n");
1518 fflush(add_fd);
1519
1520 /* Deallocate memory, and return */
1521 SAFE_FREE(suffix_attr);
1522 SAFE_FREE(user_attr);
1523 SAFE_FREE(group_attr);
1524 return NT_STATUS_OK;
1525}
1526
1527static NTSTATUS map_populate_groups(GROUPMAP *groupmap, ACCOUNTMAP *accountmap, fstring sid,
1528 const char *suffix, const char *builtin_sid)
1529{
1530 char *group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
1531
1532 /* Map the groups created by populate_ldap_for_ldif */
1533 groupmap[0].rid = 512;
1534 groupmap[0].gidNumber = 512;
1535 snprintf(groupmap[0].sambaSID, sizeof(groupmap[0].sambaSID),
1536 "%s-512", sid);
1537 snprintf(groupmap[0].group_dn, sizeof(groupmap[0].group_dn),
1538 "cn=Domain Admins,ou=%s,%s",
1539 group_attr, suffix);
1540 accountmap[0].rid = 512;
1541 snprintf(accountmap[0].cn, sizeof(accountmap[0].cn),
1542 "%s", "Domain Admins");
1543
1544 groupmap[1].rid = 513;
1545 groupmap[1].gidNumber = 513;
1546 snprintf(groupmap[1].sambaSID, sizeof(groupmap[1].sambaSID),
1547 "%s-513", sid);
1548 snprintf(groupmap[1].group_dn, sizeof(groupmap[1].group_dn),
1549 "cn=Domain Users,ou=%s,%s",
1550 group_attr, suffix);
1551 accountmap[1].rid = 513;
1552 snprintf(accountmap[1].cn, sizeof(accountmap[1].cn),
1553 "%s", "Domain Users");
1554
1555 groupmap[2].rid = 514;
1556 groupmap[2].gidNumber = 514;
1557 snprintf(groupmap[2].sambaSID, sizeof(groupmap[2].sambaSID),
1558 "%s-514", sid);
1559 snprintf(groupmap[2].group_dn, sizeof(groupmap[2].group_dn),
1560 "cn=Domain Guests,ou=%s,%s",
1561 group_attr, suffix);
1562 accountmap[2].rid = 514;
1563 snprintf(accountmap[2].cn, sizeof(accountmap[2].cn),
1564 "%s", "Domain Guests");
1565
1566 groupmap[3].rid = 515;
1567 groupmap[3].gidNumber = 515;
1568 snprintf(groupmap[3].sambaSID, sizeof(groupmap[3].sambaSID),
1569 "%s-515", sid);
1570 snprintf(groupmap[3].group_dn, sizeof(groupmap[3].group_dn),
1571 "cn=Domain Computers,ou=%s,%s",
1572 group_attr, suffix);
1573 accountmap[3].rid = 515;
1574 snprintf(accountmap[3].cn, sizeof(accountmap[3].cn),
1575 "%s", "Domain Computers");
1576
1577 groupmap[4].rid = 544;
1578 groupmap[4].gidNumber = 544;
1579 snprintf(groupmap[4].sambaSID, sizeof(groupmap[4].sambaSID),
1580 "%s-544", builtin_sid);
1581 snprintf(groupmap[4].group_dn, sizeof(groupmap[4].group_dn),
1582 "cn=Administrators,ou=%s,%s",
1583 group_attr, suffix);
1584 accountmap[4].rid = 515;
1585 snprintf(accountmap[4].cn, sizeof(accountmap[4].cn),
1586 "%s", "Administrators");
1587
1588 groupmap[5].rid = 550;
1589 groupmap[5].gidNumber = 550;
1590 snprintf(groupmap[5].sambaSID, sizeof(groupmap[5].sambaSID),
1591 "%s-550", builtin_sid);
1592 snprintf(groupmap[5].group_dn, sizeof(groupmap[5].group_dn),
1593 "cn=Print Operators,ou=%s,%s",
1594 group_attr, suffix);
1595 accountmap[5].rid = 550;
1596 snprintf(accountmap[5].cn, sizeof(accountmap[5].cn),
1597 "%s", "Print Operators");
1598
1599 groupmap[6].rid = 551;
1600 groupmap[6].gidNumber = 551;
1601 snprintf(groupmap[6].sambaSID, sizeof(groupmap[6].sambaSID),
1602 "%s-551", builtin_sid);
1603 snprintf(groupmap[6].group_dn, sizeof(groupmap[6].group_dn),
1604 "cn=Backup Operators,ou=%s,%s",
1605 group_attr, suffix);
1606 accountmap[6].rid = 551;
1607 snprintf(accountmap[6].cn, sizeof(accountmap[6].cn),
1608 "%s", "Backup Operators");
1609
1610 groupmap[7].rid = 552;
1611 groupmap[7].gidNumber = 552;
1612 snprintf(groupmap[7].sambaSID, sizeof(groupmap[7].sambaSID),
1613 "%s-552", builtin_sid);
1614 snprintf(groupmap[7].group_dn, sizeof(groupmap[7].group_dn),
1615 "cn=Replicators,ou=%s,%s",
1616 group_attr, suffix);
1617 accountmap[7].rid = 551;
1618 snprintf(accountmap[7].cn, sizeof(accountmap[7].cn),
1619 "%s", "Replicators");
1620 SAFE_FREE(group_attr);
1621 return NT_STATUS_OK;
1622}
1623
1624/*
1625 * This is a crap routine, but I think it's the quickest way to solve the
1626 * UTF8->base64 problem.
1627 */
1628
1629static int fprintf_attr(FILE *add_fd, const char *attr_name,
1630 const char *fmt, ...)
1631{
1632 va_list ap;
1633 char *value, *p, *base64;
1634 DATA_BLOB base64_blob;
1635 bool do_base64 = False;
1636 int res;
1637
1638 va_start(ap, fmt);
1639 value = talloc_vasprintf(NULL, fmt, ap);
1640 va_end(ap);
1641
1642 SMB_ASSERT(value != NULL);
1643
1644 for (p=value; *p; p++) {
1645 if (*p & 0x80) {
1646 do_base64 = True;
1647 break;
1648 }
1649 }
1650
1651 if (!do_base64) {
1652 bool only_whitespace = True;
1653 for (p=value; *p; p++) {
1654 /*
1655 * I know that this not multibyte safe, but we break
1656 * on the first non-whitespace character anyway.
1657 */
1658 if (!isspace(*p)) {
1659 only_whitespace = False;
1660 break;
1661 }
1662 }
1663 if (only_whitespace) {
1664 do_base64 = True;
1665 }
1666 }
1667
1668 if (!do_base64) {
1669 res = fprintf(add_fd, "%s: %s\n", attr_name, value);
1670 TALLOC_FREE(value);
1671 return res;
1672 }
1673
1674 base64_blob.data = (unsigned char *)value;
1675 base64_blob.length = strlen(value);
1676
1677 base64 = base64_encode_data_blob(value, base64_blob);
1678 SMB_ASSERT(base64 != NULL);
1679
1680 res = fprintf(add_fd, "%s:: %s\n", attr_name, base64);
1681 TALLOC_FREE(value);
1682 return res;
1683}
1684
1685static NTSTATUS fetch_group_info_to_ldif(struct netr_DELTA_GROUP *r, GROUPMAP *groupmap,
1686 FILE *add_fd, fstring sid, char *suffix)
1687{
1688 fstring groupname;
1689 uint32 grouptype = 0, g_rid = 0;
1690 char *group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
1691
1692 /* Get the group name */
1693 fstrcpy(groupname, r->group_name.string);
1694
1695 /* Set up the group type (always 2 for group info) */
1696 grouptype = 2;
1697
1698 /* These groups are entered by populate_ldap_for_ldif */
1699 if (strcmp(groupname, "Domain Admins") == 0 ||
1700 strcmp(groupname, "Domain Users") == 0 ||
1701 strcmp(groupname, "Domain Guests") == 0 ||
1702 strcmp(groupname, "Domain Computers") == 0 ||
1703 strcmp(groupname, "Administrators") == 0 ||
1704 strcmp(groupname, "Print Operators") == 0 ||
1705 strcmp(groupname, "Backup Operators") == 0 ||
1706 strcmp(groupname, "Replicators") == 0) {
1707 SAFE_FREE(group_attr);
1708 return NT_STATUS_OK;
1709 } else {
1710 /* Increment the gid for the new group */
1711 ldif_gid++;
1712 }
1713
1714 /* Map the group rid, gid, and dn */
1715 g_rid = r->rid;
1716 groupmap->rid = g_rid;
1717 groupmap->gidNumber = ldif_gid;
1718 snprintf(groupmap->sambaSID, sizeof(groupmap->sambaSID),
1719 "%s-%d", sid, g_rid);
1720 snprintf(groupmap->group_dn, sizeof(groupmap->group_dn),
1721 "cn=%s,ou=%s,%s", groupname, group_attr, suffix);
1722
1723 /* Write the data to the temporary add ldif file */
1724 fprintf(add_fd, "# %s, %s, %s\n", groupname, group_attr,
1725 suffix);
1726 fprintf_attr(add_fd, "dn", "cn=%s,ou=%s,%s", groupname, group_attr,
1727 suffix);
1728 fprintf(add_fd, "objectClass: posixGroup\n");
1729 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1730 fprintf_attr(add_fd, "cn", "%s", groupname);
1731 fprintf(add_fd, "gidNumber: %d\n", ldif_gid);
1732 fprintf(add_fd, "sambaSID: %s\n", groupmap->sambaSID);
1733 fprintf(add_fd, "sambaGroupType: %d\n", grouptype);
1734 fprintf_attr(add_fd, "displayName", "%s", groupname);
1735 fprintf(add_fd, "\n");
1736 fflush(add_fd);
1737
1738 SAFE_FREE(group_attr);
1739 /* Return */
1740 return NT_STATUS_OK;
1741}
1742
1743static NTSTATUS fetch_account_info_to_ldif(struct netr_DELTA_USER *r,
1744 GROUPMAP *groupmap,
1745 ACCOUNTMAP *accountmap,
1746 FILE *add_fd,
1747 fstring sid, char *suffix,
1748 int alloced)
1749{
1750 fstring username, logonscript, homedrive, homepath = "", homedir = "";
1751 fstring hex_nt_passwd, hex_lm_passwd;
1752 fstring description, profilepath, fullname, sambaSID;
1753 char *flags, *user_rdn;
1754 const char *ou;
1755 const char* nopasswd = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
1756 uchar zero_buf[16];
1757 uint32 rid = 0, group_rid = 0, gidNumber = 0;
1758 time_t unix_time;
1759 int i;
1760
1761 memset(zero_buf, '\0', sizeof(zero_buf));
1762
1763 /* Get the username */
1764 fstrcpy(username, r->account_name.string);
1765
1766 /* Get the rid */
1767 rid = r->rid;
1768
1769 /* Map the rid and username for group member info later */
1770 accountmap->rid = rid;
1771 snprintf(accountmap->cn, sizeof(accountmap->cn), "%s", username);
1772
1773 /* Get the home directory */
1774 if (r->acct_flags & ACB_NORMAL) {
1775 fstrcpy(homedir, r->home_directory.string);
1776 if (!*homedir) {
1777 snprintf(homedir, sizeof(homedir), "/home/%s", username);
1778 } else {
1779 snprintf(homedir, sizeof(homedir), "/nobodyshomedir");
1780 }
1781 ou = lp_ldap_user_suffix();
1782 } else {
1783 ou = lp_ldap_machine_suffix();
1784 snprintf(homedir, sizeof(homedir), "/machinehomedir");
1785 }
1786
1787 /* Get the logon script */
1788 fstrcpy(logonscript, r->logon_script.string);
1789
1790 /* Get the home drive */
1791 fstrcpy(homedrive, r->home_drive.string);
1792
1793 /* Get the home path */
1794 fstrcpy(homepath, r->home_directory.string);
1795
1796 /* Get the description */
1797 fstrcpy(description, r->description.string);
1798
1799 /* Get the display name */
1800 fstrcpy(fullname, r->full_name.string);
1801
1802 /* Get the profile path */
1803 fstrcpy(profilepath, r->profile_path.string);
1804
1805 /* Get lm and nt password data */
1806 if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
1807 pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
1808 } else {
1809 pdb_sethexpwd(hex_lm_passwd, NULL, 0);
1810 }
1811 if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
1812 pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
1813 } else {
1814 pdb_sethexpwd(hex_nt_passwd, NULL, 0);
1815 }
1816 unix_time = nt_time_to_unix(r->last_password_change);
1817
1818 /* Increment the uid for the new user */
1819 ldif_uid++;
1820
1821 /* Set up group id and sambaSID for the user */
1822 group_rid = r->primary_gid;
1823 for (i=0; i<alloced; i++) {
1824 if (groupmap[i].rid == group_rid) break;
1825 }
1826 if (i == alloced){
1827 DEBUG(1, ("Could not find rid %d in groupmap array\n",
1828 group_rid));
1829 return NT_STATUS_UNSUCCESSFUL;
1830 }
1831 gidNumber = groupmap[i].gidNumber;
1832 snprintf(sambaSID, sizeof(sambaSID), groupmap[i].sambaSID);
1833
1834 /* Set up sambaAcctFlags */
1835 flags = pdb_encode_acct_ctrl(r->acct_flags,
1836 NEW_PW_FORMAT_SPACE_PADDED_LEN);
1837
1838 /* Add the user to the temporary add ldif file */
1839 /* this isn't quite right...we can't assume there's just OU=. jmcd */
1840 user_rdn = sstring_sub(ou, '=', ',');
1841 fprintf(add_fd, "# %s, %s, %s\n", username, user_rdn, suffix);
1842 fprintf_attr(add_fd, "dn", "uid=%s,ou=%s,%s", username, user_rdn,
1843 suffix);
1844 SAFE_FREE(user_rdn);
1845 fprintf(add_fd, "ObjectClass: top\n");
1846 fprintf(add_fd, "objectClass: inetOrgPerson\n");
1847 fprintf(add_fd, "objectClass: posixAccount\n");
1848 fprintf(add_fd, "objectClass: shadowAccount\n");
1849 fprintf(add_fd, "objectClass: sambaSamAccount\n");
1850 fprintf_attr(add_fd, "cn", "%s", username);
1851 fprintf_attr(add_fd, "sn", "%s", username);
1852 fprintf_attr(add_fd, "uid", "%s", username);
1853 fprintf(add_fd, "uidNumber: %d\n", ldif_uid);
1854 fprintf(add_fd, "gidNumber: %d\n", gidNumber);
1855 fprintf_attr(add_fd, "homeDirectory", "%s", homedir);
1856 if (*homepath)
1857 fprintf_attr(add_fd, "sambaHomePath", "%s", homepath);
1858 if (*homedrive)
1859 fprintf_attr(add_fd, "sambaHomeDrive", "%s", homedrive);
1860 if (*logonscript)
1861 fprintf_attr(add_fd, "sambaLogonScript", "%s", logonscript);
1862 fprintf(add_fd, "loginShell: %s\n",
1863 ((r->acct_flags & ACB_NORMAL) ?
1864 "/bin/bash" : "/bin/false"));
1865 fprintf(add_fd, "gecos: System User\n");
1866 if (*description)
1867 fprintf_attr(add_fd, "description", "%s", description);
1868 fprintf(add_fd, "sambaSID: %s-%d\n", sid, rid);
1869 fprintf(add_fd, "sambaPrimaryGroupSID: %s\n", sambaSID);
1870 if(*fullname)
1871 fprintf_attr(add_fd, "displayName", "%s", fullname);
1872 if(*profilepath)
1873 fprintf_attr(add_fd, "sambaProfilePath", "%s", profilepath);
1874 if (strcmp(nopasswd, hex_lm_passwd) != 0)
1875 fprintf(add_fd, "sambaLMPassword: %s\n", hex_lm_passwd);
1876 if (strcmp(nopasswd, hex_nt_passwd) != 0)
1877 fprintf(add_fd, "sambaNTPassword: %s\n", hex_nt_passwd);
1878 fprintf(add_fd, "sambaPwdLastSet: %d\n", (int)unix_time);
1879 fprintf(add_fd, "sambaAcctFlags: %s\n", flags);
1880 fprintf(add_fd, "\n");
1881 fflush(add_fd);
1882
1883 /* Return */
1884 return NT_STATUS_OK;
1885}
1886
1887static NTSTATUS fetch_alias_info_to_ldif(struct netr_DELTA_ALIAS *r,
1888 GROUPMAP *groupmap,
1889 FILE *add_fd, fstring sid,
1890 char *suffix,
1891 unsigned db_type)
1892{
1893 fstring aliasname, description;
1894 uint32 grouptype = 0, g_rid = 0;
1895 char *group_attr = sstring_sub(lp_ldap_group_suffix(), '=', ',');
1896
1897 /* Get the alias name */
1898 fstrcpy(aliasname, r->alias_name.string);
1899
1900 /* Get the alias description */
1901 fstrcpy(description, r->description.string);
1902
1903 /* Set up the group type */
1904 switch (db_type) {
1905 case SAM_DATABASE_DOMAIN:
1906 grouptype = 4;
1907 break;
1908 case SAM_DATABASE_BUILTIN:
1909 grouptype = 5;
1910 break;
1911 default:
1912 grouptype = 4;
1913 break;
1914 }
1915
1916 /*
1917 These groups are entered by populate_ldap_for_ldif
1918 Note that populate creates a group called Relicators,
1919 but NT returns a group called Replicator
1920 */
1921 if (strcmp(aliasname, "Domain Admins") == 0 ||
1922 strcmp(aliasname, "Domain Users") == 0 ||
1923 strcmp(aliasname, "Domain Guests") == 0 ||
1924 strcmp(aliasname, "Domain Computers") == 0 ||
1925 strcmp(aliasname, "Administrators") == 0 ||
1926 strcmp(aliasname, "Print Operators") == 0 ||
1927 strcmp(aliasname, "Backup Operators") == 0 ||
1928 strcmp(aliasname, "Replicator") == 0) {
1929 SAFE_FREE(group_attr);
1930 return NT_STATUS_OK;
1931 } else {
1932 /* Increment the gid for the new group */
1933 ldif_gid++;
1934 }
1935
1936 /* Map the group rid and gid */
1937 g_rid = r->rid;
1938 groupmap->gidNumber = ldif_gid;
1939 snprintf(groupmap->sambaSID, sizeof(groupmap->sambaSID),
1940 "%s-%d", sid, g_rid);
1941
1942 /* Write the data to the temporary add ldif file */
1943 fprintf(add_fd, "# %s, %s, %s\n", aliasname, group_attr,
1944 suffix);
1945 fprintf_attr(add_fd, "dn", "cn=%s,ou=%s,%s", aliasname, group_attr,
1946 suffix);
1947 fprintf(add_fd, "objectClass: posixGroup\n");
1948 fprintf(add_fd, "objectClass: sambaGroupMapping\n");
1949 fprintf(add_fd, "cn: %s\n", aliasname);
1950 fprintf(add_fd, "gidNumber: %d\n", ldif_gid);
1951 fprintf(add_fd, "sambaSID: %s\n", groupmap->sambaSID);
1952 fprintf(add_fd, "sambaGroupType: %d\n", grouptype);
1953 fprintf_attr(add_fd, "displayName", "%s", aliasname);
1954 if (description[0])
1955 fprintf_attr(add_fd, "description", "%s", description);
1956 fprintf(add_fd, "\n");
1957 fflush(add_fd);
1958
1959 SAFE_FREE(group_attr);
1960 /* Return */
1961 return NT_STATUS_OK;
1962}
1963
1964static NTSTATUS fetch_groupmem_info_to_ldif(struct netr_DELTA_GROUP_MEMBER *r,
1965 uint32_t id_rid,
1966 GROUPMAP *groupmap,
1967 ACCOUNTMAP *accountmap,
1968 FILE *mod_fd, int alloced)
1969{
1970 fstring group_dn;
1971 uint32 group_rid = 0, rid = 0;
1972 int i, j, k;
1973
1974 /* Get the dn for the group */
1975 if (r->num_rids > 0) {
1976 group_rid = id_rid;
1977 for (j=0; j<alloced; j++) {
1978 if (groupmap[j].rid == group_rid) break;
1979 }
1980 if (j == alloced){
1981 DEBUG(1, ("Could not find rid %d in groupmap array\n",
1982 group_rid));
1983 return NT_STATUS_UNSUCCESSFUL;
1984 }
1985 snprintf(group_dn, sizeof(group_dn), "%s", groupmap[j].group_dn);
1986 fprintf(mod_fd, "dn: %s\n", group_dn);
1987
1988 /* Get the cn for each member */
1989 for (i=0; i < r->num_rids; i++) {
1990 rid = r->rids[i];
1991 for (k=0; k<alloced; k++) {
1992 if (accountmap[k].rid == rid) break;
1993 }
1994 if (k == alloced){
1995 DEBUG(1, ("Could not find rid %d in "
1996 "accountmap array\n", rid));
1997 return NT_STATUS_UNSUCCESSFUL;
1998 }
1999 fprintf(mod_fd, "memberUid: %s\n", accountmap[k].cn);
2000 }
2001 fprintf(mod_fd, "\n");
2002 }
2003 fflush(mod_fd);
2004
2005 /* Return */
2006 return NT_STATUS_OK;
2007}
2008
2009static NTSTATUS fetch_database_to_ldif(struct rpc_pipe_client *pipe_hnd,
2010 uint32 db_type,
2011 DOM_SID dom_sid,
2012 const char *user_file)
2013{
2014 char *suffix;
2015 const char *builtin_sid = "S-1-5-32";
2016 char *add_name = NULL, *mod_filename = NULL;
2017 const char *add_template = "/tmp/add.ldif.XXXXXX";
2018 const char *mod_template = "/tmp/mod.ldif.XXXXXX";
2019 fstring sid, domainname;
2020 NTSTATUS ret = NT_STATUS_OK, result;
2021 int k;
2022 TALLOC_CTX *mem_ctx;
2023 uint32 num_deltas;
2024 FILE *add_file = NULL, *mod_file = NULL, *ldif_file = NULL;
2025 int num_alloced = 0, g_index = 0, a_index = 0;
2026 const char *logon_server = pipe_hnd->cli->desthost;
2027 const char *computername = global_myname();
2028 struct netr_Authenticator credential;
2029 struct netr_Authenticator return_authenticator;
2030 enum netr_SamDatabaseID database_id = db_type;
2031 uint16_t restart_state = 0;
2032 uint32_t sync_context = 0;
2033 DATA_BLOB session_key;
2034
2035 /* Set up array for mapping accounts to groups */
2036 /* Array element is the group rid */
2037 GROUPMAP *groupmap = NULL;
2038
2039 /* Set up array for mapping account rid's to cn's */
2040 /* Array element is the account rid */
2041 ACCOUNTMAP *accountmap = NULL;
2042
2043 if (!(mem_ctx = talloc_init("fetch_database"))) {
2044 return NT_STATUS_NO_MEMORY;
2045 }
2046
2047 /* Ensure we have an output file */
2048 if (user_file)
2049 ldif_file = fopen(user_file, "a");
2050 else
2051 ldif_file = stdout;
2052
2053 if (!ldif_file) {
2054 fprintf(stderr, "Could not open %s\n", user_file);
2055 DEBUG(1, ("Could not open %s\n", user_file));
2056 ret = NT_STATUS_UNSUCCESSFUL;
2057 goto done;
2058 }
2059
2060 add_name = talloc_strdup(mem_ctx, add_template);
2061 mod_filename = talloc_strdup(mem_ctx, mod_template);
2062 if (!add_name || !mod_filename) {
2063 ret = NT_STATUS_NO_MEMORY;
2064 goto done;
2065 }
2066
2067 /* Open the add and mod ldif files */
2068 if (!(add_file = fdopen(smb_mkstemp(add_name),"w"))) {
2069 DEBUG(1, ("Could not open %s\n", add_name));
2070 ret = NT_STATUS_UNSUCCESSFUL;
2071 goto done;
2072 }
2073 if (!(mod_file = fdopen(smb_mkstemp(mod_filename),"w"))) {
2074 DEBUG(1, ("Could not open %s\n", mod_filename));
2075 ret = NT_STATUS_UNSUCCESSFUL;
2076 goto done;
2077 }
2078
2079 /* Get the sid */
2080 sid_to_fstring(sid, &dom_sid);
2081
2082 /* Get the ldap suffix */
2083 suffix = lp_ldap_suffix();
2084 if (suffix == NULL || strcmp(suffix, "") == 0) {
2085 DEBUG(0,("ldap suffix missing from smb.conf--exiting\n"));
2086 exit(1);
2087 }
2088
2089 /* Get other smb.conf data */
2090 if (!(lp_workgroup()) || !*(lp_workgroup())) {
2091 DEBUG(0,("workgroup missing from smb.conf--exiting\n"));
2092 exit(1);
2093 }
2094
2095 /* Allocate initial memory for groupmap and accountmap arrays */
2096 if (init_ldap == 1) {
2097 groupmap = SMB_MALLOC_ARRAY(GROUPMAP, 8);
2098 accountmap = SMB_MALLOC_ARRAY(ACCOUNTMAP, 8);
2099 if (groupmap == NULL || accountmap == NULL) {
2100 DEBUG(1,("GROUPMAP malloc failed\n"));
2101 ret = NT_STATUS_NO_MEMORY;
2102 goto done;
2103 }
2104
2105 /* Initialize the arrays */
2106 memset(groupmap, 0, sizeof(GROUPMAP)*8);
2107 memset(accountmap, 0, sizeof(ACCOUNTMAP)*8);
2108
2109 /* Remember how many we malloced */
2110 num_alloced = 8;
2111
2112 /* Initial database population */
2113 populate_ldap_for_ldif(sid, suffix, builtin_sid, add_file);
2114 map_populate_groups(groupmap, accountmap, sid, suffix,
2115 builtin_sid);
2116
2117 /* Don't do this again */
2118 init_ldap = 0;
2119 }
2120
2121 /* Announce what we are doing */
2122 switch( db_type ) {
2123 case SAM_DATABASE_DOMAIN:
2124 d_fprintf(stderr, "Fetching DOMAIN database\n");
2125 break;
2126 case SAM_DATABASE_BUILTIN:
2127 d_fprintf(stderr, "Fetching BUILTIN database\n");
2128 break;
2129 case SAM_DATABASE_PRIVS:
2130 d_fprintf(stderr, "Fetching PRIVS databases\n");
2131 break;
2132 default:
2133 d_fprintf(stderr,
2134 "Fetching unknown database type %u\n",
2135 db_type );
2136 break;
2137 }
2138
2139 do {
2140 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
2141
2142 netlogon_creds_client_step(pipe_hnd->dc, &credential);
2143
2144 result = rpccli_netr_DatabaseSync2(pipe_hnd, mem_ctx,
2145 logon_server,
2146 computername,
2147 &credential,
2148 &return_authenticator,
2149 database_id,
2150 restart_state,
2151 &sync_context,
2152 &delta_enum_array,
2153 0xffff);
2154
2155 /* Check returned credentials. */
2156 if (!netlogon_creds_client_check(pipe_hnd->dc,
2157 &return_authenticator.cred)) {
2158 DEBUG(0,("credentials chain check failed\n"));
2159 return NT_STATUS_ACCESS_DENIED;
2160 }
2161
2162 if (NT_STATUS_IS_ERR(result)) {
2163 break;
2164 }
2165
2166 session_key = data_blob_const(pipe_hnd->dc->sess_key, 16);
2167
2168 samsync_fix_delta_array(mem_ctx,
2169 &session_key,
2170 database_id,
2171 delta_enum_array);
2172
2173 num_deltas = delta_enum_array->num_deltas;
2174
2175 /* Re-allocate memory for groupmap and accountmap arrays */
2176 groupmap = SMB_REALLOC_ARRAY(groupmap, GROUPMAP,
2177 num_deltas+num_alloced);
2178 accountmap = SMB_REALLOC_ARRAY(accountmap, ACCOUNTMAP,
2179 num_deltas+num_alloced);
2180 if (groupmap == NULL || accountmap == NULL) {
2181 DEBUG(1,("GROUPMAP malloc failed\n"));
2182 ret = NT_STATUS_NO_MEMORY;
2183 goto done;
2184 }
2185
2186 /* Initialize the new records */
2187 memset(&groupmap[num_alloced], 0,
2188 sizeof(GROUPMAP)*num_deltas);
2189 memset(&accountmap[num_alloced], 0,
2190 sizeof(ACCOUNTMAP)*num_deltas);
2191
2192 /* Remember how many we alloced this time */
2193 num_alloced += num_deltas;
2194
2195 /* Loop through the deltas */
2196 for (k=0; k<num_deltas; k++) {
2197
2198 union netr_DELTA_UNION u =
2199 delta_enum_array->delta_enum[k].delta_union;
2200 union netr_DELTA_ID_UNION id =
2201 delta_enum_array->delta_enum[k].delta_id_union;
2202
2203 switch(delta_enum_array->delta_enum[k].delta_type) {
2204 case NETR_DELTA_DOMAIN:
2205 /* Is this case needed? */
2206 fstrcpy(domainname,
2207 u.domain->domain_name.string);
2208 break;
2209
2210 case NETR_DELTA_GROUP:
2211 fetch_group_info_to_ldif(
2212 u.group,
2213 &groupmap[g_index],
2214 add_file, sid, suffix);
2215 g_index++;
2216 break;
2217
2218 case NETR_DELTA_USER:
2219 fetch_account_info_to_ldif(
2220 u.user, groupmap,
2221 &accountmap[a_index], add_file,
2222 sid, suffix, num_alloced);
2223 a_index++;
2224 break;
2225
2226 case NETR_DELTA_ALIAS:
2227 fetch_alias_info_to_ldif(
2228 u.alias, &groupmap[g_index],
2229 add_file, sid, suffix, db_type);
2230 g_index++;
2231 break;
2232
2233 case NETR_DELTA_GROUP_MEMBER:
2234 fetch_groupmem_info_to_ldif(
2235 u.group_member, id.rid,
2236 groupmap, accountmap,
2237 mod_file, num_alloced);
2238 break;
2239
2240 case NETR_DELTA_ALIAS_MEMBER:
2241 case NETR_DELTA_POLICY:
2242 case NETR_DELTA_ACCOUNT:
2243 case NETR_DELTA_TRUSTED_DOMAIN:
2244 case NETR_DELTA_SECRET:
2245 case NETR_DELTA_RENAME_GROUP:
2246 case NETR_DELTA_RENAME_USER:
2247 case NETR_DELTA_RENAME_ALIAS:
2248 case NETR_DELTA_DELETE_GROUP:
2249 case NETR_DELTA_DELETE_USER:
2250 case NETR_DELTA_MODIFY_COUNT:
2251 default:
2252 break;
2253 } /* end of switch */
2254 } /* end of for loop */
2255
2256 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
2257
2258 /* Write ldif data to the user's file */
2259 if (db_type == SAM_DATABASE_DOMAIN) {
2260 fprintf(ldif_file,
2261 "# SAM_DATABASE_DOMAIN: ADD ENTITIES\n");
2262 fprintf(ldif_file,
2263 "# =================================\n\n");
2264 fflush(ldif_file);
2265 } else if (db_type == SAM_DATABASE_BUILTIN) {
2266 fprintf(ldif_file,
2267 "# SAM_DATABASE_BUILTIN: ADD ENTITIES\n");
2268 fprintf(ldif_file,
2269 "# ==================================\n\n");
2270 fflush(ldif_file);
2271 }
2272 fseek(add_file, 0, SEEK_SET);
2273 transfer_file(fileno(add_file), fileno(ldif_file), (size_t) -1);
2274
2275 if (db_type == SAM_DATABASE_DOMAIN) {
2276 fprintf(ldif_file,
2277 "# SAM_DATABASE_DOMAIN: MODIFY ENTITIES\n");
2278 fprintf(ldif_file,
2279 "# ====================================\n\n");
2280 fflush(ldif_file);
2281 } else if (db_type == SAM_DATABASE_BUILTIN) {
2282 fprintf(ldif_file,
2283 "# SAM_DATABASE_BUILTIN: MODIFY ENTITIES\n");
2284 fprintf(ldif_file,
2285 "# =====================================\n\n");
2286 fflush(ldif_file);
2287 }
2288 fseek(mod_file, 0, SEEK_SET);
2289 transfer_file(fileno(mod_file), fileno(ldif_file), (size_t) -1);
2290
2291
2292 done:
2293 /* Close and delete the ldif files */
2294 if (add_file) {
2295 fclose(add_file);
2296 }
2297
2298 if ((add_name != NULL) &&
2299 strcmp(add_name, add_template) && (unlink(add_name))) {
2300 DEBUG(1,("unlink(%s) failed, error was (%s)\n",
2301 add_name, strerror(errno)));
2302 }
2303
2304 if (mod_file) {
2305 fclose(mod_file);
2306 }
2307
2308 if ((mod_filename != NULL) &&
2309 strcmp(mod_filename, mod_template) && (unlink(mod_filename))) {
2310 DEBUG(1,("unlink(%s) failed, error was (%s)\n",
2311 mod_filename, strerror(errno)));
2312 }
2313
2314 if (ldif_file && (ldif_file != stdout)) {
2315 fclose(ldif_file);
2316 }
2317
2318 /* Deallocate memory for the mapping arrays */
2319 SAFE_FREE(groupmap);
2320 SAFE_FREE(accountmap);
2321
2322 /* Return */
2323 talloc_destroy(mem_ctx);
2324 return ret;
2325}
2326
2327/**
2328 * Basic usage function for 'net rpc vampire'
2329 * @param argc Standard main() style argc
2330 * @param argc Standard main() style argv. Initial components are already
2331 * stripped
2332 **/
2333
2334int rpc_vampire_usage(int argc, const char **argv)
2335{
2336 d_printf("net rpc vampire [ldif [<ldif-filename>] [options]\n"
2337 "\t to pull accounts from a remote PDC where we are a BDC\n"
2338 "\t\t no args puts accounts in local passdb from smb.conf\n"
2339 "\t\t ldif - put accounts in ldif format (file defaults to "
2340 "/tmp/tmp.ldif\n");
2341
2342 net_common_flags_usage(argc, argv);
2343 return -1;
2344}
2345
2346
2347/* dump sam database via samsync rpc calls */
2348NTSTATUS rpc_vampire_internals(const DOM_SID *domain_sid,
2349 const char *domain_name,
2350 struct cli_state *cli,
2351 struct rpc_pipe_client *pipe_hnd,
2352 TALLOC_CTX *mem_ctx,
2353 int argc,
2354 const char **argv)
2355{
2356 NTSTATUS result;
2357 fstring my_dom_sid_str;
2358 fstring rem_dom_sid_str;
2359
2360 if (!sid_equal(domain_sid, get_global_sam_sid())) {
2361 d_printf("Cannot import users from %s at this time, "
2362 "as the current domain:\n\t%s: %s\nconflicts "
2363 "with the remote domain\n\t%s: %s\n"
2364 "Perhaps you need to set: \n\n\tsecurity=user\n\t"
2365 "workgroup=%s\n\n in your smb.conf?\n",
2366 domain_name,
2367 get_global_sam_name(),
2368 sid_to_fstring(my_dom_sid_str,
2369 get_global_sam_sid()),
2370 domain_name, sid_to_fstring(rem_dom_sid_str,
2371 domain_sid),
2372 domain_name);
2373 return NT_STATUS_UNSUCCESSFUL;
2374 }
2375
2376 if (argc >= 1 && (strcmp(argv[0], "ldif") == 0)) {
2377 result = fetch_database_to_ldif(pipe_hnd, SAM_DATABASE_DOMAIN,
2378 *domain_sid, argv[1]);
2379 } else {
2380 result = fetch_database(pipe_hnd, SAM_DATABASE_DOMAIN,
2381 *domain_sid);
2382 }
2383
2384 if (!NT_STATUS_IS_OK(result)) {
2385 d_fprintf(stderr, "Failed to fetch domain database: %s\n",
2386 nt_errstr(result));
2387 if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED))
2388 d_fprintf(stderr, "Perhaps %s is a Windows 2000 "
2389 "native mode domain?\n", domain_name);
2390 goto fail;
2391 }
2392
2393 if (argc >= 1 && (strcmp(argv[0], "ldif") == 0)) {
2394 result = fetch_database_to_ldif(pipe_hnd, SAM_DATABASE_BUILTIN,
2395 global_sid_Builtin, argv[1]);
2396 } else {
2397 result = fetch_database(pipe_hnd, SAM_DATABASE_BUILTIN,
2398 global_sid_Builtin);
2399 }
2400
2401 if (!NT_STATUS_IS_OK(result)) {
2402 d_fprintf(stderr, "Failed to fetch builtin database: %s\n",
2403 nt_errstr(result));
2404 goto fail;
2405 }
2406
2407 /* Currently we crash on PRIVS somewhere in unmarshalling */
2408 /* Dump_database(cli, SAM_DATABASE_PRIVS, &ret_creds); */
2409
2410 fail:
2411 return result;
2412}
Note: See TracBrowser for help on using the repository browser.