RFC: net cache samlogon list|show|delete
Stefan Metzmacher
metze at samba.org
Wed Jun 28 07:11:40 UTC 2017
Hi Ralph,
>> I'm working on an enhancement to net that will allow the user to work on the
>> samlogon cache (netsamlogon_cache.tdb).
>>
>> I added this as a subcommand to the existing net cache commands. Any better
>> suggestions?
>>
>> Here's what I already have:
>>
>> $ sudo ./bin/net cache samlogon
>> Invalid command: net cache samlogon
>> Usage:
>> net cache samlogon list List samlogon cache
>> net cache samlogon show Show samlogon cache entry
>> net cache samlogon delete Delete samlogon cache entry
>>
>> $ sudo ./bin/net cache samlogon list
>> SID Name When cached
>> ----------------------------------------------------------------------------------------------------------------------------
>> S-1-5-21-364438107-531279461-249741216-1000 SLOWSERVER\slow Sun Mar 27 12:26:55 PM 2016 CEST
>>
>> $ sudo ./bin/net cache samlogon show S-1-5-21-364438107-531279461-249741216-1000
>> Name: SLOWSERVER\slow
>> SID 0: S-1-5-21-364438107-531279461-249741216-1000
>> SID 1: S-1-5-21-364438107-531279461-249741216-513
>
> fwiw, this lists all groups of the user... Better example:
>
> $ sudo ./bin/net cache samlogon show S-1-5-21-364438107-531279461-249741216-1003
> Name: SLOWSERVER\slow
> SID 0: S-1-5-21-364438107-531279461-249741216-1003
> SID 1: S-1-5-21-364438107-531279461-249741216-513
> SID 2: S-1-5-21-364438107-531279461-249741216-1010
> SID 3: S-1-5-21-364438107-531279461-249741216-1011
A mode that dumps the whole cache entry with ndr_print
would be useful, similar to "net primarytrust dumpinfo",
see https://git.samba.org/?p=samba.git;a=commitdiff;h=c7c17d9f503d6037aa
While there we should add more [flag(NDR_SECRET)] to hide secret values
in ndr_print by default, see the attached patch as a start.
metze
-------------- next part --------------
From b1fe9cbabdf723fb4328fdc6ee9091b478bbe724 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 28 Jun 2017 09:09:14 +0200
Subject: [PATCH] more [flag(NDR_SECRET)]...
---
librpc/idl/netlogon.idl | 12 ++++++------
librpc/idl/samr.idl | 6 +++---
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index 9a5159d..7d7a9c1 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -151,7 +151,7 @@ interface netlogon
typedef [flag(NDR_PAHEX)] struct {
uint16 length;
[value(length)] uint16 size;
- [size_is(length),length_is(length)] uint8 *data;
+ [flag(NDR_SECRET)][size_is(length),length_is(length)] uint8 *data;
} netr_ChallengeResponse;
typedef [flag(NDR_PAHEX)] struct {
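Review bot: The commit message "more [flag(NDR_SECRET)]..." does not say that the flag only changes ndr_print output and leaves wire marshalling untouched, which is the property a reader of these IDL hunks needs in order to judge them; the cover mail's sentence "hide secret values in ndr_print by default" belongs in the commit message, together with the list of types touched (netr_ChallengeResponse, netr_UserSessionKey, netr_LMSessionKey, netr_PasswordHistory, netr_CryptPassword, samr_Password, samr_CryptPassword, samr_CryptPasswordEx). For netr_ChallengeResponse the choice is right: `data` carries the password-derived NT/LM response, while `length` and `size` stay printable and are harmless. Unlike the other hunks, the flag here sits on a pointer member rather than an inline array; presumably pidl applies field flags when printing the pointed-to buffer, but that is worth confirming with an ndr_print of a populated netr_ChallengeResponse before relying on it.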
@@ -190,11 +190,11 @@ interface netlogon
} netr_LogonLevel;
typedef [public,flag(NDR_PAHEX)] struct {
- uint8 key[16];
+ [flag(NDR_SECRET)] uint8 key[16];
} netr_UserSessionKey;
typedef [public,flag(NDR_PAHEX)] struct {
- uint8 key[8];
+ [flag(NDR_SECRET)] uint8 key[8];
} netr_LMSessionKey;
/* Flags for user_flags below */
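Review bot: These two key types are, as far as I recall, the ones netr_SamBaseInfo embeds, which is what netsamlogon_cache.tdb stores, so this hunk decides what the `net cache samlogon` dump mode proposed in the mail would print; that link deserves a sentence in the commit message. Both structs already carry a struct-level `[public,flag(NDR_PAHEX)]` and contain nothing but the key, so putting the flag on the member is consistent with the rest of the patch but a member added later would not inherit it. A one-line comment above each key, e.g. `/* hidden by ndr_print unless secrets are explicitly requested */`, would tell the next reader why the attribute is there.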
@@ -421,8 +421,8 @@ interface netlogon
uint16 lm_length;
[value(lm_length)] uint16 lm_size;
uint32 lm_flags;
- uint8 nt_history[nt_length];
- uint8 lm_history[lm_length];
+ [flag(NDR_SECRET)] uint8 nt_history[nt_length];
+ [flag(NDR_SECRET)] uint8 lm_history[lm_length];
} netr_PasswordHistory;
typedef struct {
@@ -1440,7 +1440,7 @@ interface netlogon
} NL_PASSWORD_VERSION;
typedef [flag(NDR_PAHEX)] struct {
- uint8 data[512];
+ [flag(NDR_SECRET)] uint8 data[512];
uint32 length;
} netr_CryptPassword;
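Review bot: Only `data` is flagged while `length` still prints; if `length` is the byte length of the cleartext password held in the 512-byte buffer, as I recall for this type, an ndr_print with secrets hidden still reveals the password length. Either flag it too, `[flag(NDR_SECRET)] uint32 length;` (assuming pidl honours the flag on a scalar member), or state in the commit message that the length is deliberately considered non-sensitive. samr_CryptPassword and samr_CryptPasswordEx later in this patch keep their length inside the flagged buffer, if I recall the layout correctly, so they do not have the same gap.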
diff --git a/librpc/idl/samr.idl b/librpc/idl/samr.idl
index b9d1d34..e707c62 100644
--- a/librpc/idl/samr.idl
+++ b/librpc/idl/samr.idl
@@ -906,7 +906,7 @@ import "misc.idl", "lsa.idl", "security.idl";
} samr_UserInfo17;
typedef [public, flag(NDR_PAHEX)] struct {
- uint8 hash[16];
+ [flag(NDR_SECRET)] uint8 hash[16];
} samr_Password;
typedef struct {
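Review bot: samr_Password is `[public]` and, as far as I recall, is embedded by several other IDL files as the NT/LM hash type, so this one-line change redacts hashes in far more ndr_print output than the samr.idl diffstat suggests; the commit message should say so, because debugging workflows that rely on seeing those values will change. Since the IDL change itself cannot be unit-tested, a small test that ndr_prints a samr_Password through the python ndr bindings and asserts the 16 hash bytes are absent from the output would pin the behaviour. netr_PasswordHistory earlier in this patch (nt_history/lm_history) carries the same material and gets the same treatment, which is consistent.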
@@ -997,7 +997,7 @@ import "misc.idl", "lsa.idl", "security.idl";
} samr_UserInfo21;
typedef [public, flag(NDR_PAHEX)] struct {
- uint8 data[516];
+ [flag(NDR_SECRET)] uint8 data[516];
} samr_CryptPassword;
typedef struct {
@@ -1011,7 +1011,7 @@ import "misc.idl", "lsa.idl", "security.idl";
} samr_UserInfo24;
typedef [flag(NDR_PAHEX)] struct {
- uint8 data[532];
+ [flag(NDR_SECRET)] uint8 data[532];
} samr_CryptPasswordEx;
typedef struct {
--
1.9.1