[PATCH] Remove nt4-replication based code
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Sep 20 05:49:44 UTC 2017
Hi!
As discussed with gd and metze, here's a patch that removes users of
code that nobody noticed to be broken since 2013.
Review appreciated!
Thanks, Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 92bfbd0586f4d8f70e5da1a8d76fd857727178dd Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 14:33:07 -0700
Subject: [PATCH 1/8] rpcclient: Remove sam_sync related commands
These three commands don't use the netlogon credential chain
correctly. They are missing the netlogon_creds_store after the dcerpc
call, so they destroy the correct use of the netlogon creds.
The only valid server for these calls that I know of would be NT4, and
that should be gone long ago.
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/rpcclient/cmd_netlogon.c | 352 ---------------------------------------
1 file changed, 352 deletions(-)
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 4488ec2e0d9..88576aeb88b 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -483,290 +483,6 @@ static WERROR cmd_netlogon_logon_ctrl(struct rpc_pipe_client *cli,
return werr;
}
-/* Display sam synchronisation information */
-
-static void display_sam_sync(struct netr_DELTA_ENUM_ARRAY *r)
-{
- uint32_t i, j;
-
- for (i=0; i < r->num_deltas; i++) {
-
- union netr_DELTA_UNION u = r->delta_enum[i].delta_union;
- union netr_DELTA_ID_UNION id = r->delta_enum[i].delta_id_union;
-
- switch (r->delta_enum[i].delta_type) {
- case NETR_DELTA_DOMAIN:
- printf("Domain: %s\n",
- u.domain->domain_name.string);
- break;
- case NETR_DELTA_GROUP:
- printf("Group: %s\n",
- u.group->group_name.string);
- break;
- case NETR_DELTA_DELETE_GROUP:
- printf("Delete Group: %d\n",
- id.rid);
- break;
- case NETR_DELTA_RENAME_GROUP:
- printf("Rename Group: %s -> %s\n",
- u.rename_group->OldName.string,
- u.rename_group->NewName.string);
- break;
- case NETR_DELTA_USER:
- printf("Account: %s\n",
- u.user->account_name.string);
- break;
- case NETR_DELTA_DELETE_USER:
- printf("Delete User: %d\n",
- id.rid);
- break;
- case NETR_DELTA_RENAME_USER:
- printf("Rename user: %s -> %s\n",
- u.rename_user->OldName.string,
- u.rename_user->NewName.string);
- break;
- case NETR_DELTA_GROUP_MEMBER:
- for (j=0; j < u.group_member->num_rids; j++) {
- printf("rid 0x%x, attrib 0x%08x\n",
- u.group_member->rids[j],
- u.group_member->attribs[j]);
- }
- break;
- case NETR_DELTA_ALIAS:
- printf("Alias: %s\n",
- u.alias->alias_name.string);
- break;
- case NETR_DELTA_DELETE_ALIAS:
- printf("Delete Alias: %d\n",
- id.rid);
- break;
- case NETR_DELTA_RENAME_ALIAS:
- printf("Rename alias: %s -> %s\n",
- u.rename_alias->OldName.string,
- u.rename_alias->NewName.string);
- break;
- case NETR_DELTA_ALIAS_MEMBER:
- for (j=0; j < u.alias_member->sids.num_sids; j++) {
- fstring sid_str;
- sid_to_fstring(sid_str,
- u.alias_member->sids.sids[j].sid);
- printf("%s\n", sid_str);
- }
- break;
- case NETR_DELTA_POLICY:
- printf("Policy: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_TRUSTED_DOMAIN:
- printf("Trusted Domain: %s\n",
- u.trusted_domain->domain_name.string);
- break;
- case NETR_DELTA_DELETE_TRUST:
- printf("Delete Trust: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_ACCOUNT:
- printf("Account: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_DELETE_ACCOUNT:
- printf("Delete Account: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_SECRET:
- printf("Secret: %s\n",
- id.name);
- break;
- case NETR_DELTA_DELETE_SECRET:
- printf("Delete Secret: %s\n",
- id.name);
- break;
- case NETR_DELTA_DELETE_GROUP2:
- printf("Delete Group2: %s\n",
- u.delete_group->account_name);
- break;
- case NETR_DELTA_DELETE_USER2:
- printf("Delete User2: %s\n",
- u.delete_user->account_name);
- break;
- case NETR_DELTA_MODIFY_COUNT:
- printf("sam sequence update: 0x%016llx\n",
- (unsigned long long) *u.modified_count);
- break;
- default:
- printf("unknown delta type 0x%02x\n",
- r->delta_enum[i].delta_type);
- break;
- }
- }
-}
-
-/* Perform sam synchronisation */
-
-static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx, int argc,
- const char **argv)
-{
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS status;
- const char *logon_server = cli->desthost;
- const char *computername = lp_netbios_name();
- struct netr_Authenticator credential;
- struct netr_Authenticator return_authenticator;
- enum netr_SamDatabaseID database_id = SAM_DATABASE_DOMAIN;
- uint16_t restart_state = 0;
- uint32_t sync_context = 0;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-
- if (argc > 2) {
- fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
- return NT_STATUS_OK;
- }
-
- if (argc == 2) {
- database_id = atoi(argv[1]);
- }
-
- /* Synchronise sam database */
-
- do {
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
-
- if (rpcclient_netlogon_creds == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- netlogon_creds_client_authenticator(creds, &credential);
-
- status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- database_id,
- restart_state,
- &sync_context,
- &delta_enum_array,
- 0xffff,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(creds);
- return status;
- }
-
- /* Check returned credentials. */
- if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
- TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
- TALLOC_FREE(creds);
-
- if (NT_STATUS_IS_ERR(result)) {
- break;
- }
-
- /* Display results */
-
- display_sam_sync(delta_enum_array);
-
- TALLOC_FREE(delta_enum_array);
-
- } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
-
- return result;
-}
-
-/* Perform sam delta synchronisation */
-
-static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx, int argc,
- const char **argv)
-{
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS status;
- uint32_t tmp;
- const char *logon_server = cli->desthost;
- const char *computername = lp_netbios_name();
- struct netr_Authenticator credential;
- struct netr_Authenticator return_authenticator;
- enum netr_SamDatabaseID database_id = SAM_DATABASE_DOMAIN;
- uint64_t sequence_num;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-
- if (argc != 3) {
- fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]);
- return NT_STATUS_OK;
- }
-
- database_id = atoi(argv[1]);
- tmp = atoi(argv[2]);
-
- sequence_num = tmp & 0xffff;
-
- do {
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
-
- if (rpcclient_netlogon_creds == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- netlogon_creds_client_authenticator(creds, &credential);
-
- status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- database_id,
- &sequence_num,
- &delta_enum_array,
- 0xffff,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(creds);
- return status;
- }
-
- /* Check returned credentials. */
- if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
- TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
- TALLOC_FREE(creds);
-
- if (NT_STATUS_IS_ERR(result)) {
- break;
- }
-
- /* Display results */
-
- display_sam_sync(delta_enum_array);
-
- TALLOC_FREE(delta_enum_array);
-
- } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
-
- return result;
-}
-
/* Log on a domain user */
static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
@@ -1158,71 +874,6 @@ static WERROR cmd_netlogon_getdcsitecoverage(struct rpc_pipe_client *cli,
return werr;
}
-static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx, int argc,
- const char **argv)
-{
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS result;
- const char *server_name = cli->desthost;
- struct netr_Authenticator clnt_creds, srv_cred;
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netr_ChangeLogEntry e;
- uint32_t rid = 500;
- struct dcerpc_binding_handle *b = cli->binding_handle;
- struct netlogon_creds_CredentialState *creds = NULL;
-
- if (argc > 2) {
- fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
- return NT_STATUS_OK;
- }
-
- if (argc == 2) {
- sscanf(argv[1], "%d", &rid);
- }
-
- if (rpcclient_netlogon_creds == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- netlogon_creds_client_authenticator(creds, &clnt_creds);
-
- ZERO_STRUCT(e);
-
- e.object_rid = rid;
- e.db_index = SAM_DATABASE_DOMAIN;
- e.delta_type = NETR_DELTA_USER;
-
- status = dcerpc_netr_DatabaseRedo(b, mem_ctx,
- server_name,
- lp_netbios_name(),
- &clnt_creds,
- &srv_cred,
- e,
- 0, /* is calculated automatically */
- &delta_enum_array,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(creds);
- return status;
- }
-
- if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
- TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
- TALLOC_FREE(creds);
-
- return result;
-}
-
static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
@@ -1300,8 +951,6 @@ struct cmd_set netlogon_commands[] = {
{ "dsr_getsitename", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getsitename, &ndr_table_netlogon, NULL, "Get sitename", "" },
{ "dsr_getforesttrustinfo", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getforesttrustinfo, &ndr_table_netlogon, NULL, "Get Forest Trust Info", "" },
{ "logonctrl", RPC_RTYPE_WERROR, NULL, cmd_netlogon_logon_ctrl, &ndr_table_netlogon, NULL, "Logon Control", "" },
- { "samsync", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync, NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "", .use_netlogon_creds = true, },
- { "samdeltas", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas, NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas", "", .use_netlogon_creds = true, },
{ "samlogon", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon, NULL, &ndr_table_netlogon, NULL, "Sam Logon", "", .use_netlogon_creds = true, },
{ "change_trust_pw", RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw, NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password", "", .use_netlogon_creds = true, },
{ "gettrustrid", RPC_RTYPE_WERROR, NULL, cmd_netlogon_gettrustrid, &ndr_table_netlogon, NULL, "Get trust rid", "" },
@@ -1311,7 +960,6 @@ struct cmd_set netlogon_commands[] = {
{ "netrenumtrusteddomains", RPC_RTYPE_NTSTATUS, cmd_netlogon_enumtrusteddomains, NULL, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" },
{ "netrenumtrusteddomainsex", RPC_RTYPE_WERROR, NULL, cmd_netlogon_enumtrusteddomainsex, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" },
{ "getdcsitecoverage", RPC_RTYPE_WERROR, NULL, cmd_netlogon_getdcsitecoverage, &ndr_table_netlogon, NULL, "Get the Site-Coverage from a DC", "" },
- { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC", "", .use_netlogon_creds = true, },
{ "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities", "", .use_netlogon_creds = true, },
{ NULL }
--
2.11.0
From efa6b9be6b5763f13612b3ecff4693522170f79a Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:02:09 -0700
Subject: [PATCH 2/8] net: Remove rpc samdump
This uses the NT4 replication commands. Samba does not have a server
for this, no tests, and whoever needs to migrate a native domain can
use an old Samba version
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/utils/net_proto.h | 8 --------
source3/utils/net_rpc.c | 24 ----------------------
source3/utils/net_rpc_samsync.c | 45 -----------------------------------------
3 files changed, 77 deletions(-)
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index f0ae538cbc4..85fe868e076 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -317,14 +317,6 @@ struct rpc_sh_cmd *net_rpc_rights_cmds(struct net_context *c, TALLOC_CTX *mem_ct
/* The following definitions come from utils/net_rpc_samsync.c */
-NTSTATUS rpc_samdump_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
- const char *domain_name,
- struct cli_state *cli,
- struct rpc_pipe_client *pipe_hnd,
- TALLOC_CTX *mem_ctx,
- int argc,
- const char **argv);
int rpc_vampire_usage(struct net_context *c, int argc, const char **argv);
int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv);
int rpc_vampire_ldif(struct net_context *c, int argc, const char **argv);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 80536e5ab5e..51517e6f185 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7438,22 +7438,6 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
return ret;
}
-/* dump sam database via samsync rpc calls */
-static int rpc_samdump(struct net_context *c, int argc, const char **argv) {
- if (c->display_usage) {
- d_printf( "%s\n"
- "net rpc samdump\n"
- " %s\n",
- _("Usage:"),
- _("Dump remote SAM database"));
- return 0;
- }
-
- return run_rpc_command(c, NULL, &ndr_table_netlogon,
- NET_FLAGS_ANONYMOUS,
- rpc_samdump_internals, argc, argv);
-}
-
/* syncronise sam database via samsync rpc calls */
static int rpc_vampire(struct net_context *c, int argc, const char **argv)
{
@@ -8268,14 +8252,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv)
" Shutdown a remote server")
},
{
- "samdump",
- rpc_samdump,
- NET_TRANSPORT_RPC,
- N_("Dump SAM data of remote NT PDC"),
- N_("net rpc samdump\n"
- " Dump SAM data of remote NT PDC")
- },
- {
"vampire",
rpc_vampire,
NET_TRANSPORT_RPC,
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 6377ad44698..32045606e5e 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -107,51 +107,6 @@ static void parse_samsync_partial_replication_objects(TALLOC_CTX *mem_ctx,
}
}
-/* dump sam database via samsync rpc calls */
-NTSTATUS rpc_samdump_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
- const char *domain_name,
- struct cli_state *cli,
- struct rpc_pipe_client *pipe_hnd,
- TALLOC_CTX *mem_ctx,
- int argc,
- const char **argv)
-{
- struct samsync_context *ctx = NULL;
- NTSTATUS status;
-
- status = libnet_samsync_init_context(mem_ctx,
- domain_sid,
- &ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- ctx->mode = NET_SAMSYNC_MODE_DUMP;
- ctx->cli = pipe_hnd;
- ctx->netlogon_creds = c->netlogon_creds;
- ctx->ops = &libnet_samsync_display_ops;
- ctx->domain_name = domain_name;
-
- ctx->force_full_replication = c->opt_force_full_repl ? true : false;
- ctx->clean_old_entries = c->opt_clean_old_entries ? true : false;
-
- parse_samsync_partial_replication_objects(ctx, argc, argv,
- &ctx->single_object_replication,
- &ctx->objects,
- &ctx->num_objects);
-
- libnet_samsync(SAM_DATABASE_DOMAIN, ctx);
-
- libnet_samsync(SAM_DATABASE_BUILTIN, ctx);
-
- libnet_samsync(SAM_DATABASE_PRIVS, ctx);
-
- TALLOC_FREE(ctx);
-
- return NT_STATUS_OK;
-}
-
/**
* Basic usage function for 'net rpc vampire'
*
--
2.11.0
From 19d653ff8fb3a31f6219723b9946aec81c65c011 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:03:43 -0700
Subject: [PATCH 3/8] net: Remove rpc vampire from NT4 domains
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/utils/net_rpc_samsync.c | 94 +----------------------------------------
1 file changed, 2 insertions(+), 92 deletions(-)
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 32045606e5e..9b9d97041c3 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -184,85 +184,6 @@ static NTSTATUS rpc_vampire_ds_internals(struct net_context *c,
return status;
}
-/* dump sam database via samsync rpc calls */
-static NTSTATUS rpc_vampire_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
- const char *domain_name,
- struct cli_state *cli,
- struct rpc_pipe_client *pipe_hnd,
- TALLOC_CTX *mem_ctx,
- int argc,
- const char **argv)
-{
- NTSTATUS result;
- struct samsync_context *ctx = NULL;
-
- if (!dom_sid_equal(domain_sid, get_global_sam_sid())) {
- d_printf(_("Cannot import users from %s at this time, "
- "as the current domain:\n\t%s: %s\nconflicts "
- "with the remote domain\n\t%s: %s\n"
- "Perhaps you need to set: \n\n\tsecurity=user\n\t"
- "workgroup=%s\n\n in your smb.conf?\n"),
- domain_name,
- get_global_sam_name(),
- sid_string_dbg(get_global_sam_sid()),
- domain_name,
- sid_string_dbg(domain_sid),
- domain_name);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- result = libnet_samsync_init_context(mem_ctx,
- domain_sid,
- &ctx);
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
-
- ctx->mode = NET_SAMSYNC_MODE_FETCH_PASSDB;
- ctx->cli = pipe_hnd;
- ctx->ops = &libnet_samsync_passdb_ops;
- ctx->domain_name = domain_name;
-
- ctx->force_full_replication = c->opt_force_full_repl ? true : false;
- ctx->clean_old_entries = c->opt_clean_old_entries ? true : false;
-
- parse_samsync_partial_replication_objects(ctx, argc, argv,
- &ctx->single_object_replication,
- &ctx->objects,
- &ctx->num_objects);
-
- /* fetch domain */
- result = libnet_samsync(SAM_DATABASE_DOMAIN, ctx);
-
- if (!NT_STATUS_IS_OK(result) && ctx->error_message) {
- d_fprintf(stderr, "%s\n", ctx->error_message);
- goto fail;
- }
-
- if (ctx->result_message) {
- d_fprintf(stdout, "%s\n", ctx->result_message);
- }
-
- /* fetch builtin */
- ctx->domain_sid = dom_sid_dup(mem_ctx, &global_sid_Builtin);
- ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
- result = libnet_samsync(SAM_DATABASE_BUILTIN, ctx);
-
- if (!NT_STATUS_IS_OK(result) && ctx->error_message) {
- d_fprintf(stderr, "%s\n", ctx->error_message);
- goto fail;
- }
-
- if (ctx->result_message) {
- d_fprintf(stdout, "%s\n", ctx->result_message);
- }
-
- fail:
- TALLOC_FREE(ctx);
- return result;
-}
-
int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv)
{
int ret = 0;
@@ -290,11 +211,8 @@ int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv)
}
if (!dc_info.is_ad) {
- printf(_("DC is not running Active Directory\n"));
- ret = run_rpc_command(c, cli, &ndr_table_netlogon,
- 0,
- rpc_vampire_internals, argc, argv);
- return ret;
+ printf(_("DC is not running Active Directory, exiting\n"));
+ return -1;
}
if (!c->opt_force) {
@@ -309,14 +227,6 @@ int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv)
ret = run_rpc_command(c, cli, &ndr_table_drsuapi,
NET_FLAGS_SEAL | NET_FLAGS_TCP,
rpc_vampire_ds_internals, argc, argv);
- if (ret != 0 && dc_info.is_mixed_mode) {
- printf(_("Fallback to NT4 vampire on Mixed-Mode AD "
- "Domain\n"));
- ret = run_rpc_command(c, cli, &ndr_table_netlogon,
- 0,
- rpc_vampire_internals, argc, argv);
- }
-
return ret;
}
--
2.11.0
From 19113fa140c62bda96c2d1836d9bc1f2b25d9e13 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:06:11 -0700
Subject: [PATCH 4/8] net: Remove NT4-based rpc vampire ldif
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/utils/net_proto.h | 1 -
source3/utils/net_rpc.c | 9 -----
source3/utils/net_rpc_samsync.c | 85 -----------------------------------------
3 files changed, 95 deletions(-)
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index 85fe868e076..293685c18d4 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -319,7 +319,6 @@ struct rpc_sh_cmd *net_rpc_rights_cmds(struct net_context *c, TALLOC_CTX *mem_ct
int rpc_vampire_usage(struct net_context *c, int argc, const char **argv);
int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv);
-int rpc_vampire_ldif(struct net_context *c, int argc, const char **argv);
int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv);
/* The following definitions come from utils/net_rpc_service.c */
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 51517e6f185..8a989d790f2 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7443,15 +7443,6 @@ static int rpc_vampire(struct net_context *c, int argc, const char **argv)
{
struct functable func[] = {
{
- "ldif",
- rpc_vampire_ldif,
- NET_TRANSPORT_RPC,
- N_("Dump remote SAM database to ldif"),
- N_("net rpc vampire ldif\n"
- " Dump remote SAM database to LDIF file or "
- "stdout")
- },
- {
"keytab",
rpc_vampire_keytab,
NET_TRANSPORT_RPC,
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 9b9d97041c3..7cfd0abfde7 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -230,91 +230,6 @@ int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv)
return ret;
}
-static NTSTATUS rpc_vampire_ldif_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
- const char *domain_name,
- struct cli_state *cli,
- struct rpc_pipe_client *pipe_hnd,
- TALLOC_CTX *mem_ctx,
- int argc,
- const char **argv)
-{
- NTSTATUS status;
- struct samsync_context *ctx = NULL;
-
- status = libnet_samsync_init_context(mem_ctx,
- domain_sid,
- &ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (argc >= 1) {
- ctx->output_filename = argv[0];
- }
- if (argc >= 2) {
- parse_samsync_partial_replication_objects(ctx, argc-1, argv+1,
- &ctx->single_object_replication,
- &ctx->objects,
- &ctx->num_objects);
- }
-
- ctx->mode = NET_SAMSYNC_MODE_FETCH_LDIF;
- ctx->cli = pipe_hnd;
- ctx->ops = &libnet_samsync_ldif_ops;
- ctx->domain_name = domain_name;
-
- ctx->force_full_replication = c->opt_force_full_repl ? true : false;
- ctx->clean_old_entries = c->opt_clean_old_entries ? true : false;
-
- /* fetch domain */
- status = libnet_samsync(SAM_DATABASE_DOMAIN, ctx);
-
- if (!NT_STATUS_IS_OK(status) && ctx->error_message) {
- d_fprintf(stderr, "%s\n", ctx->error_message);
- goto fail;
- }
-
- if (ctx->result_message) {
- d_fprintf(stdout, "%s\n", ctx->result_message);
- }
-
- /* fetch builtin */
- ctx->domain_sid = dom_sid_dup(mem_ctx, &global_sid_Builtin);
- ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
- status = libnet_samsync(SAM_DATABASE_BUILTIN, ctx);
-
- if (!NT_STATUS_IS_OK(status) && ctx->error_message) {
- d_fprintf(stderr, "%s\n", ctx->error_message);
- goto fail;
- }
-
- if (ctx->result_message) {
- d_fprintf(stdout, "%s\n", ctx->result_message);
- }
-
- fail:
- TALLOC_FREE(ctx);
- return status;
-}
-
-int rpc_vampire_ldif(struct net_context *c, int argc, const char **argv)
-{
- if (c->display_usage) {
- d_printf( "%s\n"
- "net rpc vampire ldif\n"
- " %s\n",
- _("Usage:"),
- _("Dump remote SAM database to LDIF file or "
- "stdout"));
- return 0;
- }
-
- return run_rpc_command(c, NULL, &ndr_table_netlogon, 0,
- rpc_vampire_ldif_internals, argc, argv);
-}
-
-
static NTSTATUS rpc_vampire_keytab_internals(struct net_context *c,
const struct dom_sid *domain_sid,
const char *domain_name,
--
2.11.0
From 1796a74810716a4f91b7d9723b5c7bf52876b682 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:09:05 -0700
Subject: [PATCH 5/8] net: Remove NT4-based vampire keytab
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/utils/net_rpc_samsync.c | 160 ++--------------------------------------
1 file changed, 5 insertions(+), 155 deletions(-)
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 7cfd0abfde7..8b19afabc8d 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -32,81 +32,6 @@
#include "../libcli/security/security.h"
#include "passdb/machine_sid.h"
-static void parse_samsync_partial_replication_objects(TALLOC_CTX *mem_ctx,
- int argc,
- const char **argv,
- bool *do_single_object_replication,
- struct samsync_object **objects,
- uint32_t *num_objects)
-{
- int i;
-
- if (argc > 0) {
- *do_single_object_replication = true;
- }
-
- for (i=0; i<argc; i++) {
-
- struct samsync_object o;
-
- ZERO_STRUCT(o);
-
- if (!strncasecmp_m(argv[i], "user_rid=", strlen("user_rid="))) {
- o.object_identifier.rid = get_int_param(argv[i]);
- o.object_type = NETR_DELTA_USER;
- o.database_id = SAM_DATABASE_DOMAIN;
- }
- if (!strncasecmp_m(argv[i], "group_rid=", strlen("group_rid="))) {
- o.object_identifier.rid = get_int_param(argv[i]);
- o.object_type = NETR_DELTA_GROUP;
- o.database_id = SAM_DATABASE_DOMAIN;
- }
- if (!strncasecmp_m(argv[i], "group_member_rid=", strlen("group_member_rid="))) {
- o.object_identifier.rid = get_int_param(argv[i]);
- o.object_type = NETR_DELTA_GROUP_MEMBER;
- o.database_id = SAM_DATABASE_DOMAIN;
- }
- if (!strncasecmp_m(argv[i], "alias_rid=", strlen("alias_rid="))) {
- o.object_identifier.rid = get_int_param(argv[i]);
- o.object_type = NETR_DELTA_ALIAS;
- o.database_id = SAM_DATABASE_BUILTIN;
- }
- if (!strncasecmp_m(argv[i], "alias_member_rid=", strlen("alias_member_rid="))) {
- o.object_identifier.rid = get_int_param(argv[i]);
- o.object_type = NETR_DELTA_ALIAS_MEMBER;
- o.database_id = SAM_DATABASE_BUILTIN;
- }
- if (!strncasecmp_m(argv[i], "account_sid=", strlen("account_sid="))) {
- const char *sid_str = get_string_param(argv[i]);
- string_to_sid(&o.object_identifier.sid, sid_str);
- o.object_type = NETR_DELTA_ACCOUNT;
- o.database_id = SAM_DATABASE_PRIVS;
- }
- if (!strncasecmp_m(argv[i], "policy_sid=", strlen("policy_sid="))) {
- const char *sid_str = get_string_param(argv[i]);
- string_to_sid(&o.object_identifier.sid, sid_str);
- o.object_type = NETR_DELTA_POLICY;
- o.database_id = SAM_DATABASE_PRIVS;
- }
- if (!strncasecmp_m(argv[i], "trustdom_sid=", strlen("trustdom_sid="))) {
- const char *sid_str = get_string_param(argv[i]);
- string_to_sid(&o.object_identifier.sid, sid_str);
- o.object_type = NETR_DELTA_TRUSTED_DOMAIN;
- o.database_id = SAM_DATABASE_PRIVS;
- }
- if (!strncasecmp_m(argv[i], "secret_name=", strlen("secret_name="))) {
- o.object_identifier.name = get_string_param(argv[i]);
- o.object_type = NETR_DELTA_SECRET;
- o.database_id = SAM_DATABASE_PRIVS;
- }
-
- if (o.object_type > 0) {
- ADD_TO_ARRAY(mem_ctx, struct samsync_object, o,
- objects, num_objects);
- }
- }
-}
-
/**
* Basic usage function for 'net rpc vampire'
*
@@ -230,66 +155,6 @@ int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv)
return ret;
}
-static NTSTATUS rpc_vampire_keytab_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
- const char *domain_name,
- struct cli_state *cli,
- struct rpc_pipe_client *pipe_hnd,
- TALLOC_CTX *mem_ctx,
- int argc,
- const char **argv)
-{
- NTSTATUS status;
- struct samsync_context *ctx = NULL;
-
- status = libnet_samsync_init_context(mem_ctx,
- domain_sid,
- &ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (argc < 1) {
- /* the caller should ensure that a filename is provided */
- return NT_STATUS_INVALID_PARAMETER;
- } else {
- ctx->output_filename = argv[0];
- }
- if (argc >= 2) {
- parse_samsync_partial_replication_objects(ctx, argc-1, argv+1,
- &ctx->single_object_replication,
- &ctx->objects,
- &ctx->num_objects);
- }
-
- ctx->mode = NET_SAMSYNC_MODE_FETCH_KEYTAB;
- ctx->cli = pipe_hnd;
- ctx->ops = &libnet_samsync_keytab_ops;
- ctx->domain_name = domain_name;
- ctx->username = c->opt_user_name;
- ctx->password = c->opt_password;
-
- ctx->force_full_replication = c->opt_force_full_repl ? true : false;
- ctx->clean_old_entries = c->opt_clean_old_entries ? true : false;
-
- /* fetch domain */
- status = libnet_samsync(SAM_DATABASE_DOMAIN, ctx);
-
- if (!NT_STATUS_IS_OK(status) && ctx->error_message) {
- d_fprintf(stderr, "%s\n", ctx->error_message);
- goto out;
- }
-
- if (ctx->result_message) {
- d_fprintf(stdout, "%s\n", ctx->result_message);
- }
-
- out:
- TALLOC_FREE(ctx);
-
- return status;
-}
-
static NTSTATUS rpc_vampire_keytab_ds_internals(struct net_context *c,
const struct dom_sid *domain_sid,
const char *domain_name,
@@ -381,27 +246,12 @@ int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv)
}
if (!dc_info.is_ad) {
- printf(_("DC is not running Active Directory\n"));
- ret = run_rpc_command(c, cli, &ndr_table_netlogon,
- 0,
- rpc_vampire_keytab_internals, argc, argv);
- } else {
- ret = run_rpc_command(c, cli, &ndr_table_drsuapi,
- NET_FLAGS_SEAL | NET_FLAGS_TCP,
- rpc_vampire_keytab_ds_internals, argc, argv);
- if (ret != 0 && dc_info.is_mixed_mode) {
- printf(_("Fallback to NT4 vampire on Mixed-Mode AD "
- "Domain\n"));
- ret = run_rpc_command(c, cli, &ndr_table_netlogon,
- 0,
- rpc_vampire_keytab_internals, argc, argv);
- } else {
-#ifndef HAVE_ADS
- printf(_("Vampire requested against AD DC but ADS"
- " support not built in: HAVE_ADS is not defined\n"));
-#endif
- }
+ printf(_("DC is not running Active Directory, exiting\n"));
+ return -1;
}
+ ret = run_rpc_command(c, cli, &ndr_table_drsuapi,
+ NET_FLAGS_SEAL | NET_FLAGS_TCP,
+ rpc_vampire_keytab_ds_internals, argc, argv);
return ret;
}
--
2.11.0
From cf3460ab787c5c80837e09e23d88492de086799e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:14:32 -0700
Subject: [PATCH 6/8] net: Don't depend on libnet_samsync anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/utils/net_rpc_samsync.c | 1 -
source3/utils/wscript_build | 1 -
2 files changed, 2 deletions(-)
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 8b19afabc8d..be2b085d55b 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -27,7 +27,6 @@
#include "utils/net.h"
#include "../librpc/gen_ndr/ndr_netlogon.h"
#include "../librpc/gen_ndr/ndr_drsuapi.h"
-#include "libnet/libnet_samsync.h"
#include "libnet/libnet_dssync.h"
#include "../libcli/security/security.h"
#include "passdb/machine_sid.h"
diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
index 3c1f9a4773d..8d3378f0f0d 100644
--- a/source3/utils/wscript_build
+++ b/source3/utils/wscript_build
@@ -232,7 +232,6 @@ bld.SAMBA3_BINARY('net',
PASSWD_UTIL
LIBNET
LIBNET_DSSYNC
- LIBNET_SAMSYNC
LIBEVENTLOG
REGFIO
NDR_NTPRINTING
--
2.11.0
From e9e6ed4f54c7ec2ac405c83b5bd1a8e7f3a3eff6 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:17:38 -0700
Subject: [PATCH 7/8] libnet: Remove libnet_samsync
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/libnet/libnet_samsync.c | 437 ----------
source3/libnet/libnet_samsync.h | 100 ---
source3/libnet/libnet_samsync_display.c | 307 -------
source3/libnet/libnet_samsync_keytab.c | 308 -------
source3/libnet/libnet_samsync_ldif.c | 1378 -------------------------------
source3/libnet/libnet_samsync_passdb.c | 882 --------------------
source3/wscript_build | 13 -
7 files changed, 3425 deletions(-)
delete mode 100644 source3/libnet/libnet_samsync.c
delete mode 100644 source3/libnet/libnet_samsync.h
delete mode 100644 source3/libnet/libnet_samsync_display.c
delete mode 100644 source3/libnet/libnet_samsync_keytab.c
delete mode 100644 source3/libnet/libnet_samsync_ldif.c
delete mode 100644 source3/libnet/libnet_samsync_passdb.c
diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
deleted file mode 100644
index e7e1393fdc8..00000000000
--- a/source3/libnet/libnet_samsync.c
+++ /dev/null
@@ -1,437 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Extract the user/system database from a remote SamSync server
-
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2005
- Copyright (C) Guenther Deschner <gd at samba.org> 2008
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-
-#include "includes.h"
-#include "libnet/libnet_samsync.h"
-#include "../libcli/samsync/samsync.h"
-#include "../libcli/auth/libcli_auth.h"
-#include "rpc_client/rpc_client.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-#include "../librpc/gen_ndr/ndr_netlogon_c.h"
-#include "../libcli/security/security.h"
-#include "messages.h"
-#include "../libcli/auth/netlogon_creds_cli.h"
-
-/**
- * Fix up the delta, dealing with encryption issues so that the final
- * callback need only do the printing or application logic
- */
-
-static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
- struct netlogon_creds_CredentialState *creds,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r)
-{
- NTSTATUS status;
- int i;
-
- for (i = 0; i < r->num_deltas; i++) {
-
- status = samsync_fix_delta(mem_ctx,
- creds,
- database_id,
- &r->delta_enum[i]);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- }
-
- return NT_STATUS_OK;
-}
-
-/**
- * libnet_samsync_init_context
- */
-
-NTSTATUS libnet_samsync_init_context(TALLOC_CTX *mem_ctx,
- const struct dom_sid *domain_sid,
- struct samsync_context **ctx_p)
-{
- struct samsync_context *ctx;
-
- *ctx_p = NULL;
-
- ctx = talloc_zero(mem_ctx, struct samsync_context);
- NT_STATUS_HAVE_NO_MEMORY(ctx);
-
- if (domain_sid) {
- ctx->domain_sid = dom_sid_dup(mem_ctx, domain_sid);
- NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid);
-
- ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
- NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid_str);
- }
-
- ctx->msg_ctx = messaging_init(ctx, samba_tevent_context_init(ctx));
- NT_STATUS_HAVE_NO_MEMORY(ctx->msg_ctx);
-
- *ctx_p = ctx;
-
- return NT_STATUS_OK;
-}
-
-/**
- * samsync_database_str
- */
-
-static const char *samsync_database_str(enum netr_SamDatabaseID database_id)
-{
-
- switch (database_id) {
- case SAM_DATABASE_DOMAIN:
- return "DOMAIN";
- case SAM_DATABASE_BUILTIN:
- return "BUILTIN";
- case SAM_DATABASE_PRIVS:
- return "PRIVS";
- default:
- return "unknown";
- }
-}
-
-/**
- * samsync_debug_str
- */
-
-static const char *samsync_debug_str(TALLOC_CTX *mem_ctx,
- enum net_samsync_mode mode,
- enum netr_SamDatabaseID database_id)
-{
- const char *action = NULL;
-
- switch (mode) {
- case NET_SAMSYNC_MODE_DUMP:
- action = "Dumping (to stdout)";
- break;
- case NET_SAMSYNC_MODE_FETCH_PASSDB:
- action = "Fetching (to passdb)";
- break;
- case NET_SAMSYNC_MODE_FETCH_LDIF:
- action = "Fetching (to ldif)";
- break;
- case NET_SAMSYNC_MODE_FETCH_KEYTAB:
- action = "Fetching (to keytab)";
- break;
- default:
- action = "Unknown";
- break;
- }
-
- return talloc_asprintf(mem_ctx, "%s %s database",
- action, samsync_database_str(database_id));
-}
-
-/**
- * libnet_samsync
- */
-
-static void libnet_init_netr_ChangeLogEntry(struct samsync_object *o,
- struct netr_ChangeLogEntry *e)
-{
- ZERO_STRUCTP(e);
-
- e->db_index = o->database_id;
- e->delta_type = o->object_type;
-
- switch (e->delta_type) {
- case NETR_DELTA_DOMAIN:
- case NETR_DELTA_DELETE_GROUP:
- case NETR_DELTA_RENAME_GROUP:
- case NETR_DELTA_DELETE_USER:
- case NETR_DELTA_RENAME_USER:
- case NETR_DELTA_DELETE_ALIAS:
- case NETR_DELTA_RENAME_ALIAS:
- case NETR_DELTA_DELETE_TRUST:
- case NETR_DELTA_DELETE_ACCOUNT:
- case NETR_DELTA_DELETE_SECRET:
- case NETR_DELTA_DELETE_GROUP2:
- case NETR_DELTA_DELETE_USER2:
- case NETR_DELTA_MODIFY_COUNT:
- break;
- case NETR_DELTA_USER:
- case NETR_DELTA_GROUP:
- case NETR_DELTA_GROUP_MEMBER:
- case NETR_DELTA_ALIAS:
- case NETR_DELTA_ALIAS_MEMBER:
- e->object_rid = o->object_identifier.rid;
- break;
- case NETR_DELTA_SECRET:
- e->object.object_name = o->object_identifier.name;
- e->flags = NETR_CHANGELOG_NAME_INCLUDED;
- break;
- case NETR_DELTA_TRUSTED_DOMAIN:
- case NETR_DELTA_ACCOUNT:
- case NETR_DELTA_POLICY:
- e->object.object_sid = o->object_identifier.sid;
- e->flags = NETR_CHANGELOG_SID_INCLUDED;
- break;
- default:
- break;
- }
-}
-
-/**
- * libnet_samsync_delta
- */
-
-static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t *sequence_num,
- struct samsync_context *ctx,
- struct netr_ChangeLogEntry *e)
-{
- NTSTATUS result, status;
- NTSTATUS callback_status;
- const char *logon_server = ctx->cli->desthost;
- const char *computername = lp_netbios_name();
- struct netr_Authenticator credential;
- struct netr_Authenticator return_authenticator;
- uint16_t restart_state = 0;
- uint32_t sync_context = 0;
- struct dcerpc_binding_handle *b = ctx->cli->binding_handle;
-
- ZERO_STRUCT(return_authenticator);
-
- do {
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
-
- status = netlogon_creds_cli_lock(ctx->netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- netlogon_creds_client_authenticator(creds, &credential);
-
- if (ctx->single_object_replication &&
- !ctx->force_full_replication) {
- status = dcerpc_netr_DatabaseRedo(b, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- *e,
- 0,
- &delta_enum_array,
- &result);
- } else if (!ctx->force_full_replication &&
- sequence_num && (*sequence_num > 0)) {
- status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- database_id,
- sequence_num,
- &delta_enum_array,
- 0xffff,
- &result);
- } else {
- status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- database_id,
- restart_state,
- &sync_context,
- &delta_enum_array,
- 0xffff,
- &result);
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(creds);
- return status;
- }
-
- /* Check returned credentials. */
- if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
- TALLOC_FREE(creds);
- DEBUG(0,("credentials chain check failed\n"));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
- TALLOC_FREE(creds);
- return result;
- }
-
- if (NT_STATUS_IS_ERR(result)) {
- TALLOC_FREE(creds);
- break;
- }
-
- samsync_fix_delta_array(mem_ctx,
- creds,
- database_id,
- delta_enum_array);
- TALLOC_FREE(creds);
-
- /* Process results */
- callback_status = ctx->ops->process_objects(mem_ctx, database_id,
- delta_enum_array,
- sequence_num,
- ctx);
- if (!NT_STATUS_IS_OK(callback_status)) {
- result = callback_status;
- goto out;
- }
-
- TALLOC_FREE(delta_enum_array);
-
- } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
-
- out:
-
- return result;
-}
-
-/**
- * libnet_samsync
- */
-
-NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
- struct samsync_context *ctx)
-{
- NTSTATUS status = NT_STATUS_OK;
- NTSTATUS callback_status;
- TALLOC_CTX *mem_ctx;
- const char *debug_str;
- uint64_t sequence_num = 0;
- int i = 0;
-
- if (!(mem_ctx = talloc_new(ctx))) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!ctx->ops) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (ctx->ops->startup) {
- status = ctx->ops->startup(mem_ctx, ctx,
- database_id, &sequence_num);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- }
-
- debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id);
- if (debug_str) {
- d_fprintf(stderr, "%s\n", debug_str);
- }
-
- if (!ctx->single_object_replication) {
- status = libnet_samsync_delta(mem_ctx, database_id,
- &sequence_num, ctx, NULL);
- goto done;
- }
-
- for (i=0; i<ctx->num_objects; i++) {
-
- struct netr_ChangeLogEntry e;
-
- if (ctx->objects[i].database_id != database_id) {
- continue;
- }
-
- libnet_init_netr_ChangeLogEntry(&ctx->objects[i], &e);
-
- status = libnet_samsync_delta(mem_ctx, database_id,
- &sequence_num, ctx, &e);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- }
-
- done:
-
- if (NT_STATUS_IS_OK(status) && ctx->ops->finish) {
- callback_status = ctx->ops->finish(mem_ctx, ctx,
- database_id, sequence_num);
- if (!NT_STATUS_IS_OK(callback_status)) {
- status = callback_status;
- }
- }
-
- if (NT_STATUS_IS_ERR(status) && !ctx->error_message) {
-
- ctx->error_message = talloc_asprintf(ctx,
- "Failed to fetch %s database: %s",
- samsync_database_str(database_id),
- nt_errstr(status));
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-
- ctx->error_message =
- talloc_asprintf_append(ctx->error_message,
- "\nPerhaps %s is a Windows native mode domain?",
- ctx->domain_name);
- }
- }
-
- talloc_destroy(mem_ctx);
-
- return status;
-}
-
-/**
- * pull_netr_AcctLockStr
- */
-
-NTSTATUS pull_netr_AcctLockStr(TALLOC_CTX *mem_ctx,
- struct lsa_BinaryString *r,
- struct netr_AcctLockStr **str_p)
-{
- struct netr_AcctLockStr *str;
- enum ndr_err_code ndr_err;
- DATA_BLOB blob;
-
- if (!mem_ctx || !r || !str_p) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- *str_p = NULL;
-
- str = talloc_zero(mem_ctx, struct netr_AcctLockStr);
- if (!str) {
- return NT_STATUS_NO_MEMORY;
- }
-
- blob = data_blob_const(r->array, r->length);
-
- ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, str,
- (ndr_pull_flags_fn_t)ndr_pull_netr_AcctLockStr);
-
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return ndr_map_error2ntstatus(ndr_err);
- }
-
- *str_p = str;
-
- return NT_STATUS_OK;
-}
-
diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
deleted file mode 100644
index e1d66ec37f5..00000000000
--- a/source3/libnet/libnet_samsync.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * libnet Support
- * Copyright (C) Guenther Deschner 2008
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "../librpc/gen_ndr/netlogon.h"
-
-enum net_samsync_mode {
- NET_SAMSYNC_MODE_FETCH_PASSDB = 0,
- NET_SAMSYNC_MODE_FETCH_LDIF = 1,
- NET_SAMSYNC_MODE_FETCH_KEYTAB = 2,
- NET_SAMSYNC_MODE_DUMP = 3
-};
-
-struct samsync_context;
-
-struct samsync_ops {
- NTSTATUS (*startup)(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID id,
- uint64_t *sequence_num);
- NTSTATUS (*process_objects)(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID id,
- struct netr_DELTA_ENUM_ARRAY *array,
- uint64_t *sequence_num,
- struct samsync_context *ctx);
- NTSTATUS (*finish)(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID id,
- uint64_t sequence_num);
-};
-
-struct samsync_object {
- uint16_t database_id;
- uint16_t object_type;
- union {
- uint32_t rid;
- const char *name;
- struct dom_sid sid;
- } object_identifier;
-};
-
-struct samsync_context {
- enum net_samsync_mode mode;
- const struct dom_sid *domain_sid;
- const char *domain_sid_str;
- const char *domain_name;
- const char *output_filename;
-
- const char *username;
- const char *password;
-
- char *result_message;
- char *error_message;
-
- bool single_object_replication;
- bool force_full_replication;
- bool clean_old_entries;
-
- uint32_t num_objects;
- struct samsync_object *objects;
-
- struct rpc_pipe_client *cli;
- struct netlogon_creds_cli_context *netlogon_creds;
- struct messaging_context *msg_ctx;
-
- const struct samsync_ops *ops;
-
- void *private_data;
-};
-
-extern const struct samsync_ops libnet_samsync_ldif_ops;
-extern const struct samsync_ops libnet_samsync_keytab_ops;
-extern const struct samsync_ops libnet_samsync_display_ops;
-extern const struct samsync_ops libnet_samsync_passdb_ops;
-
-/* The following definitions come from libnet/libnet_samsync.c */
-
-NTSTATUS libnet_samsync_init_context(TALLOC_CTX *mem_ctx,
- const struct dom_sid *domain_sid,
- struct samsync_context **ctx_p);
-NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
- struct samsync_context *ctx);
-NTSTATUS pull_netr_AcctLockStr(TALLOC_CTX *mem_ctx,
- struct lsa_BinaryString *r,
- struct netr_AcctLockStr **str_p);
diff --git a/source3/libnet/libnet_samsync_display.c b/source3/libnet/libnet_samsync_display.c
deleted file mode 100644
index 040742d72ac..00000000000
--- a/source3/libnet/libnet_samsync_display.c
+++ /dev/null
@@ -1,307 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- dump the remote SAM using rpc samsync operations
-
- Copyright (C) Andrew Tridgell 2002
- Copyright (C) Tim Potter 2001,2002
- Copyright (C) Jim McDonough <jmcd at us.ibm.com> 2005
- Modified by Volker Lendecke 2002
- Copyright (C) Jeremy Allison 2005.
- Copyright (C) Guenther Deschner 2008.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "libnet/libnet_samsync.h"
-#include "passdb.h"
-
-static void display_group_mem_info(uint32_t rid,
- struct netr_DELTA_GROUP_MEMBER *r)
-{
- int i;
- d_printf("Group mem %u: ", rid);
- for (i=0; i< r->num_rids; i++) {
- d_printf("%u ", r->rids[i]);
- }
- d_printf("\n");
-}
-
-static void display_alias_info(uint32_t rid,
- struct netr_DELTA_ALIAS *r)
-{
- d_printf("Alias '%s' ", r->alias_name.string);
- d_printf("desc='%s' rid=%u\n", r->description.string, r->rid);
-}
-
-static void display_alias_mem(uint32_t rid,
- struct netr_DELTA_ALIAS_MEMBER *r)
-{
- int i;
- d_printf("Alias rid %u: ", rid);
- for (i=0; i< r->sids.num_sids; i++) {
- d_printf("%s ", sid_string_tos(r->sids.sids[i].sid));
- }
- d_printf("\n");
-}
-
-static void display_account_info(uint32_t rid,
- struct netr_DELTA_USER *r)
-{
- fstring hex_nt_passwd, hex_lm_passwd;
-
-
- /* Decode hashes from password hash (if they are not NULL) */
-
- if (!all_zero(r->lmpassword.hash, 16)) {
- pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
- } else {
- pdb_sethexpwd(hex_lm_passwd, NULL, 0);
- }
-
- if (!all_zero(r->ntpassword.hash, 16)) {
- pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
- } else {
- pdb_sethexpwd(hex_nt_passwd, NULL, 0);
- }
-
- printf("%s:%d:%s:%s:%s:LCT-0\n",
- r->account_name.string,
- r->rid, hex_lm_passwd, hex_nt_passwd,
- pdb_encode_acct_ctrl(r->acct_flags, NEW_PW_FORMAT_SPACE_PADDED_LEN));
-}
-
-static void display_domain_info(struct netr_DELTA_DOMAIN *r)
-{
- time_t u_logout;
- struct netr_AcctLockStr *lockstr = NULL;
- NTSTATUS status;
- TALLOC_CTX *mem_ctx = talloc_tos();
-
- status = pull_netr_AcctLockStr(mem_ctx, &r->account_lockout,
- &lockstr);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf("failed to pull account lockout string: %s\n",
- nt_errstr(status));
- }
-
- u_logout = uint64s_nt_time_to_unix_abs((const uint64_t *)&r->force_logoff_time);
-
- d_printf("Domain name: %s\n", r->domain_name.string);
-
- d_printf("Minimal Password Length: %d\n", r->min_password_length);
- d_printf("Password History Length: %d\n", r->password_history_length);
-
- d_printf("Force Logoff: %d\n", (int)u_logout);
-
- d_printf("Max Password Age: %s\n", display_time(r->max_password_age));
- d_printf("Min Password Age: %s\n", display_time(r->min_password_age));
-
- if (lockstr) {
- d_printf("Lockout Time: %s\n", display_time((NTTIME)lockstr->lockout_duration));
- d_printf("Lockout Reset Time: %s\n", display_time((NTTIME)lockstr->reset_count));
- d_printf("Bad Attempt Lockout: %d\n", lockstr->bad_attempt_lockout);
- }
-
- d_printf("User must logon to change password: %d\n", r->logon_to_chgpass);
-}
-
-static void display_group_info(uint32_t rid, struct netr_DELTA_GROUP *r)
-{
- d_printf("Group '%s' ", r->group_name.string);
- d_printf("desc='%s', rid=%u\n", r->description.string, rid);
-}
-
-static void display_delete_group(uint32_t rid)
-{
- d_printf("Delete Group '%d'\n", rid);
-}
-
-static void display_rename_group(uint32_t rid, struct netr_DELTA_RENAME *r)
-{
- d_printf("Rename Group '%d' ", rid);
- d_printf("Rename Group: %s -> %s\n",
- r->OldName.string, r->NewName.string);
-}
-
-static void display_delete_user(uint32_t rid)
-{
- d_printf("Delete User '%d'\n", rid);
-}
-
-static void display_rename_user(uint32_t rid, struct netr_DELTA_RENAME *r)
-{
- d_printf("Rename User '%d' ", rid);
- d_printf("Rename User: %s -> %s\n",
- r->OldName.string, r->NewName.string);
-}
-
-static void display_delete_alias(uint32_t rid)
-{
- d_printf("Delete Alias '%d'\n", rid);
-}
-
-static void display_rename_alias(uint32_t rid, struct netr_DELTA_RENAME *r)
-{
- d_printf("Rename Alias '%d' ", rid);
- d_printf("Rename Alias: %s -> %s\n",
- r->OldName.string, r->NewName.string);
-}
-
-static NTSTATUS display_sam_entry(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM *r,
- struct samsync_context *ctx)
-{
- union netr_DELTA_UNION u = r->delta_union;
- union netr_DELTA_ID_UNION id = r->delta_id_union;
-
- switch (r->delta_type) {
- case NETR_DELTA_DOMAIN:
- display_domain_info(u.domain);
- break;
- case NETR_DELTA_GROUP:
- display_group_info(id.rid, u.group);
- break;
- case NETR_DELTA_DELETE_GROUP:
- display_delete_group(id.rid);
- break;
- case NETR_DELTA_RENAME_GROUP:
- display_rename_group(id.rid, u.rename_group);
- break;
- case NETR_DELTA_USER:
- display_account_info(id.rid, u.user);
- break;
- case NETR_DELTA_DELETE_USER:
- display_delete_user(id.rid);
- break;
- case NETR_DELTA_RENAME_USER:
- display_rename_user(id.rid, u.rename_user);
- break;
- case NETR_DELTA_GROUP_MEMBER:
- display_group_mem_info(id.rid, u.group_member);
- break;
- case NETR_DELTA_ALIAS:
- display_alias_info(id.rid, u.alias);
- break;
- case NETR_DELTA_DELETE_ALIAS:
- display_delete_alias(id.rid);
- break;
- case NETR_DELTA_RENAME_ALIAS:
- display_rename_alias(id.rid, u.rename_alias);
- break;
- case NETR_DELTA_ALIAS_MEMBER:
- display_alias_mem(id.rid, u.alias_member);
- break;
- case NETR_DELTA_POLICY:
- printf("Policy: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_TRUSTED_DOMAIN:
- printf("Trusted Domain: %s\n",
- u.trusted_domain->domain_name.string);
- break;
- case NETR_DELTA_DELETE_TRUST:
- printf("Delete Trust: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_ACCOUNT:
- printf("Account: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_DELETE_ACCOUNT:
- printf("Delete Account: %s\n",
- sid_string_dbg(id.sid));
- break;
- case NETR_DELTA_SECRET:
- printf("Secret: %s\n",
- id.name);
- break;
- case NETR_DELTA_DELETE_SECRET:
- printf("Delete Secret: %s\n",
- id.name);
- break;
- case NETR_DELTA_DELETE_GROUP2:
- printf("Delete Group2: %s\n",
- u.delete_group->account_name);
- break;
- case NETR_DELTA_DELETE_USER2:
- printf("Delete User2: %s\n",
- u.delete_user->account_name);
- break;
- case NETR_DELTA_MODIFY_COUNT:
- printf("sam sequence update: 0x%016llx\n",
- (unsigned long long) *u.modified_count);
- break;
-#if 0
- /* The following types are recognised but not handled */
- case NETR_DELTA_POLICY:
- d_printf("NETR_DELTA_POLICY not handled\n");
- break;
- case NETR_DELTA_TRUSTED_DOMAIN:
- d_printf("NETR_DELTA_TRUSTED_DOMAIN not handled\n");
- break;
- case NETR_DELTA_ACCOUNT:
- d_printf("NETR_DELTA_ACCOUNT not handled\n");
- break;
- case NETR_DELTA_SECRET:
- d_printf("NETR_DELTA_SECRET not handled\n");
- break;
- case NETR_DELTA_MODIFY_COUNT:
- d_printf("NETR_DELTA_MODIFY_COUNT not handled\n");
- break;
- case NETR_DELTA_DELETE_TRUST:
- d_printf("NETR_DELTA_DELETE_TRUST not handled\n");
- break;
- case NETR_DELTA_DELETE_ACCOUNT:
- d_printf("NETR_DELTA_DELETE_ACCOUNT not handled\n");
- break;
- case NETR_DELTA_DELETE_SECRET:
- d_printf("NETR_DELTA_DELETE_SECRET not handled\n");
- break;
- case NETR_DELTA_DELETE_GROUP2:
- d_printf("NETR_DELTA_DELETE_GROUP2 not handled\n");
- break;
- case NETR_DELTA_DELETE_USER2:
- d_printf("NETR_DELTA_DELETE_USER2 not handled\n");
- break;
-#endif
- default:
- printf("unknown delta type 0x%02x\n",
- r->delta_type);
- break;
- }
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS display_sam_entries(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r,
- uint64_t *sequence_num,
- struct samsync_context *ctx)
-{
- int i;
-
- for (i = 0; i < r->num_deltas; i++) {
- display_sam_entry(mem_ctx, database_id, &r->delta_enum[i],
- ctx);
- }
-
- return NT_STATUS_OK;
-}
-
-const struct samsync_ops libnet_samsync_display_ops = {
- .process_objects = display_sam_entries,
-};
diff --git a/source3/libnet/libnet_samsync_keytab.c b/source3/libnet/libnet_samsync_keytab.c
deleted file mode 100644
index 5c072b921ad..00000000000
--- a/source3/libnet/libnet_samsync_keytab.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- dump the remote SAM using rpc samsync operations
-
- Copyright (C) Guenther Deschner 2008.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "smb_krb5.h"
-#include "ads.h"
-#include "libnet/libnet_keytab.h"
-#include "libnet/libnet_samsync.h"
-#include "krb5_env.h"
-
-#if defined(HAVE_ADS)
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS keytab_ad_connect(TALLOC_CTX *mem_ctx,
- const char *domain_name,
- const char *dc,
- const char *username,
- const char *password,
- struct libnet_keytab_context *ctx)
-{
- ADS_STATUS ad_status;
- ADS_STRUCT *ads;
-
- ads = ads_init(NULL, domain_name, dc);
- NT_STATUS_HAVE_NO_MEMORY(ads);
-
- if (getenv(KRB5_ENV_CCNAME) == NULL) {
- setenv(KRB5_ENV_CCNAME, "MEMORY:libnet_samsync_keytab", 1);
- }
-
- ads->auth.user_name = SMB_STRDUP(username);
- ads->auth.password = SMB_STRDUP(password);
-
- ad_status = ads_connect_user_creds(ads);
- if (!ADS_ERR_OK(ad_status)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- ctx->ads = ads;
-
- ctx->dns_domain_name = talloc_strdup_upper(mem_ctx, ads->config.realm);
- NT_STATUS_HAVE_NO_MEMORY(ctx->dns_domain_name);
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_sam_entry_keytab(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- uint32_t rid,
- struct netr_DELTA_USER *r,
- struct libnet_keytab_context *ctx)
-{
- NTSTATUS status;
- uint32_t kvno = 0;
- DATA_BLOB blob;
-
- if (all_zero(r->ntpassword.hash, 16)) {
- return NT_STATUS_OK;
- }
-
- kvno = ads_get_kvno(ctx->ads, r->account_name.string);
- blob = data_blob_const(r->ntpassword.hash, 16);
-
- status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx,
- kvno,
- r->account_name.string,
- NULL,
- ENCTYPE_ARCFOUR_HMAC,
- blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS init_keytab(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t *sequence_num)
-{
- krb5_error_code ret = 0;
- NTSTATUS status;
- struct libnet_keytab_context *keytab_ctx = NULL;
- struct libnet_keytab_entry *entry;
- uint64_t old_sequence_num = 0;
- const char *principal = NULL;
- struct netr_DsRGetDCNameInfo *info = NULL;
- const char *dc;
-
- ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
- if (ret) {
- return krb5_to_nt_status(ret);
- }
-
- status = dsgetdcname(mem_ctx, ctx->msg_ctx,
- ctx->domain_name, NULL, NULL, 0, &info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- dc = strip_hostname(info->dc_unc);
-
- keytab_ctx->clean_old_entries = ctx->clean_old_entries;
- ctx->private_data = keytab_ctx;
-
- status = keytab_ad_connect(mem_ctx,
- ctx->domain_name,
- dc,
- ctx->username,
- ctx->password,
- keytab_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(keytab_ctx);
- return status;
- }
-
- principal = talloc_asprintf(mem_ctx, "SEQUENCE_NUM@%s",
- keytab_ctx->dns_domain_name);
- NT_STATUS_HAVE_NO_MEMORY(principal);
-
- entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
- mem_ctx);
- if (entry && (entry->password.length == 8)) {
- old_sequence_num = BVAL(entry->password.data, 0);
- }
-
- if (sequence_num) {
- *sequence_num = old_sequence_num;
- }
-
- return status;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r,
- uint64_t *sequence_num,
- struct samsync_context *ctx)
-{
- struct libnet_keytab_context *keytab_ctx =
- (struct libnet_keytab_context *)ctx->private_data;
-
- NTSTATUS status = NT_STATUS_OK;
- int i;
-
- for (i = 0; i < r->num_deltas; i++) {
-
- switch (r->delta_enum[i].delta_type) {
- case NETR_DELTA_USER:
- break;
- case NETR_DELTA_DOMAIN:
- if (sequence_num) {
- *sequence_num =
- r->delta_enum[i].delta_union.domain->sequence_num;
- }
- continue;
- case NETR_DELTA_MODIFY_COUNT:
- if (sequence_num) {
- *sequence_num =
- *r->delta_enum[i].delta_union.modified_count;
- }
- continue;
- default:
- continue;
- }
-
- status = fetch_sam_entry_keytab(mem_ctx, database_id,
- r->delta_enum[i].delta_id_union.rid,
- r->delta_enum[i].delta_union.user,
- keytab_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
- }
- out:
- return status;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS close_keytab(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t sequence_num)
-{
- struct libnet_keytab_context *keytab_ctx =
- (struct libnet_keytab_context *)ctx->private_data;
- krb5_error_code ret;
- NTSTATUS status;
- struct libnet_keytab_entry *entry;
- uint64_t old_sequence_num = 0;
- const char *principal = NULL;
-
- principal = talloc_asprintf(mem_ctx, "SEQUENCE_NUM@%s",
- keytab_ctx->dns_domain_name);
- NT_STATUS_HAVE_NO_MEMORY(principal);
-
-
- entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
- mem_ctx);
- if (entry && (entry->password.length == 8)) {
- old_sequence_num = BVAL(entry->password.data, 0);
- }
-
-
- if (sequence_num > old_sequence_num) {
- DATA_BLOB blob;
- blob = data_blob_talloc_zero(mem_ctx, 8);
- SBVAL(blob.data, 0, sequence_num);
-
- status = libnet_keytab_add_to_keytab_entries(mem_ctx, keytab_ctx,
- 0,
- "SEQUENCE_NUM",
- NULL,
- ENCTYPE_NULL,
- blob);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- }
-
- ret = libnet_keytab_add(keytab_ctx);
- if (ret) {
- status = krb5_to_nt_status(ret);
- ctx->error_message = talloc_asprintf(ctx,
- "Failed to add entries to keytab %s: %s",
- keytab_ctx->keytab_name, error_message(ret));
- TALLOC_FREE(keytab_ctx);
- return status;
- }
-
- ctx->result_message = talloc_asprintf(ctx,
- "Vampired %d accounts to keytab %s",
- keytab_ctx->count,
- keytab_ctx->keytab_name);
-
- status = NT_STATUS_OK;
-
- done:
- TALLOC_FREE(keytab_ctx);
-
- return status;
-}
-
-#else
-
-static NTSTATUS init_keytab(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t *sequence_num)
-{
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-static NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r,
- uint64_t *sequence_num,
- struct samsync_context *ctx)
-{
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-static NTSTATUS close_keytab(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t sequence_num)
-{
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-#endif /* defined(HAVE_ADS) */
-
-const struct samsync_ops libnet_samsync_keytab_ops = {
- .startup = init_keytab,
- .process_objects = fetch_sam_entries_keytab,
- .finish = close_keytab
-};
diff --git a/source3/libnet/libnet_samsync_ldif.c b/source3/libnet/libnet_samsync_ldif.c
deleted file mode 100644
index 170231636e0..00000000000
--- a/source3/libnet/libnet_samsync_ldif.c
+++ /dev/null
@@ -1,1378 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- dump the remote SAM using rpc samsync operations
-
- Copyright (C) Andrew Tridgell 2002
- Copyright (C) Tim Potter 2001,2002
- Copyright (C) Jim McDonough <jmcd at us.ibm.com> 2005
- Modified by Volker Lendecke 2002
- Copyright (C) Jeremy Allison 2005.
- Copyright (C) Guenther Deschner 2008.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/filesys.h"
-#include "libnet/libnet_samsync.h"
-#include "transfer_file.h"
-#include "passdb.h"
-#include "passdb/pdb_ldap_schema.h"
-#include "lib/util/base64.h"
-
-#ifdef HAVE_LDAP
-
-/* uid's and gid's for writing deltas to ldif */
-static uint32_t ldif_gid = 999;
-static uint32_t ldif_uid = 999;
-
-/* global counters */
-static uint32_t g_index = 0;
-static uint32_t a_index = 0;
-
-/* Structure for mapping accounts to groups */
-/* Array element is the group rid */
-typedef struct _groupmap {
- uint32_t rid;
- uint32_t gidNumber;
- const char *sambaSID;
- const char *group_dn;
-} GROUPMAP;
-
-typedef struct _accountmap {
- uint32_t rid;
- const char *cn;
-} ACCOUNTMAP;
-
-struct samsync_ldif_context {
- GROUPMAP *groupmap;
- ACCOUNTMAP *accountmap;
- bool initialized;
- const char *add_template;
- const char *mod_template;
- char *add_name;
- char *module_name;
- FILE *add_file;
- FILE *mod_file;
- FILE *ldif_file;
- const char *suffix;
- int num_alloced;
-};
-
-/*
- Returns the substring from src between the first occurrence of
- the char "front" and the first occurence of the char "back".
- Mallocs the return string which must be freed. Not for use
- with wide character strings.
-*/
-static char *sstring_sub(const char *src, char front, char back)
-{
- char *temp1, *temp2, *temp3;
- ptrdiff_t len;
-
- temp1 = strchr(src, front);
- if (temp1 == NULL) return NULL;
- temp2 = strchr(src, back);
- if (temp2 == NULL) return NULL;
- len = temp2 - temp1;
- if (len <= 0) return NULL;
- temp3 = (char*)SMB_MALLOC(len);
- if (temp3 == NULL) {
- DEBUG(1,("Malloc failure in sstring_sub\n"));
- return NULL;
- }
- memcpy(temp3, temp1+1, len-1);
- temp3[len-1] = '\0';
- return temp3;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS populate_ldap_for_ldif(const char *sid,
- const char *suffix,
- const char *builtin_sid,
- FILE *add_fd)
-{
- const char *user_suffix, *group_suffix, *machine_suffix, *idmap_suffix;
- char *user_attr=NULL, *group_attr=NULL;
- char *suffix_attr;
- int len;
-
- /* Get the suffix attribute */
- suffix_attr = sstring_sub(suffix, '=', ',');
- if (suffix_attr == NULL) {
- len = strlen(suffix);
- suffix_attr = (char*)SMB_MALLOC(len+1);
- if (!suffix_attr) {
- return NT_STATUS_NO_MEMORY;
- }
- memcpy(suffix_attr, suffix, len);
- suffix_attr[len] = '\0';
- }
-
- /* Write the base */
- fprintf(add_fd, "# %s\n", suffix);
- fprintf(add_fd, "dn: %s\n", suffix);
- fprintf(add_fd, "objectClass: dcObject\n");
- fprintf(add_fd, "objectClass: organization\n");
- fprintf(add_fd, "o: %s\n", suffix_attr);
- fprintf(add_fd, "dc: %s\n", suffix_attr);
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- user_suffix = lp_ldap_user_suffix(talloc_tos());
- if (user_suffix == NULL) {
- SAFE_FREE(suffix_attr);
- return NT_STATUS_NO_MEMORY;
- }
- /* If it exists and is distinct from other containers,
- Write the Users entity */
- if (*user_suffix && strcmp(user_suffix, suffix)) {
- user_attr = sstring_sub(lp_ldap_user_suffix(talloc_tos()), '=', ',');
- fprintf(add_fd, "# %s\n", user_suffix);
- fprintf(add_fd, "dn: %s\n", user_suffix);
- fprintf(add_fd, "objectClass: organizationalUnit\n");
- fprintf(add_fd, "ou: %s\n", user_attr);
- fprintf(add_fd, "\n");
- fflush(add_fd);
- }
-
-
- group_suffix = lp_ldap_group_suffix(talloc_tos());
- if (group_suffix == NULL) {
- SAFE_FREE(suffix_attr);
- SAFE_FREE(user_attr);
- return NT_STATUS_NO_MEMORY;
- }
- /* If it exists and is distinct from other containers,
- Write the Groups entity */
- if (*group_suffix && strcmp(group_suffix, suffix)) {
- group_attr = sstring_sub(lp_ldap_group_suffix(talloc_tos()), '=', ',');
- fprintf(add_fd, "# %s\n", group_suffix);
- fprintf(add_fd, "dn: %s\n", group_suffix);
- fprintf(add_fd, "objectClass: organizationalUnit\n");
- fprintf(add_fd, "ou: %s\n", group_attr);
- fprintf(add_fd, "\n");
- fflush(add_fd);
- }
-
- /* If it exists and is distinct from other containers,
- Write the Computers entity */
- machine_suffix = lp_ldap_machine_suffix(talloc_tos());
- if (machine_suffix == NULL) {
- SAFE_FREE(suffix_attr);
- SAFE_FREE(user_attr);
- SAFE_FREE(group_attr);
- return NT_STATUS_NO_MEMORY;
- }
- if (*machine_suffix && strcmp(machine_suffix, user_suffix) &&
- strcmp(machine_suffix, suffix)) {
- char *machine_ou = NULL;
- fprintf(add_fd, "# %s\n", machine_suffix);
- fprintf(add_fd, "dn: %s\n", machine_suffix);
- fprintf(add_fd, "objectClass: organizationalUnit\n");
- /* this isn't totally correct as it assumes that
- there _must_ be an ou. just fixing memleak now. jmcd */
- machine_ou = sstring_sub(lp_ldap_machine_suffix(talloc_tos()), '=', ',');
- fprintf(add_fd, "ou: %s\n", machine_ou);
- SAFE_FREE(machine_ou);
- fprintf(add_fd, "\n");
- fflush(add_fd);
- }
-
- /* If it exists and is distinct from other containers,
- Write the IdMap entity */
- idmap_suffix = lp_ldap_idmap_suffix(talloc_tos());
- if (idmap_suffix == NULL) {
- SAFE_FREE(suffix_attr);
- SAFE_FREE(user_attr);
- SAFE_FREE(group_attr);
- return NT_STATUS_NO_MEMORY;
- }
- if (*idmap_suffix &&
- strcmp(idmap_suffix, user_suffix) &&
- strcmp(idmap_suffix, suffix)) {
- char *s;
- fprintf(add_fd, "# %s\n", idmap_suffix);
- fprintf(add_fd, "dn: %s\n", idmap_suffix);
- fprintf(add_fd, "ObjectClass: organizationalUnit\n");
- s = sstring_sub(lp_ldap_idmap_suffix(talloc_tos()), '=', ',');
- fprintf(add_fd, "ou: %s\n", s);
- SAFE_FREE(s);
- fprintf(add_fd, "\n");
- fflush(add_fd);
- }
-
- /* Write the domain entity */
- fprintf(add_fd, "# %s, %s\n", lp_workgroup(), suffix);
- fprintf(add_fd, "dn: sambaDomainName=%s,%s\n", lp_workgroup(),
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_DOMINFO);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_IDPOOL);
- fprintf(add_fd, "sambaDomainName: %s\n", lp_workgroup());
- fprintf(add_fd, "sambaSID: %s\n", sid);
- fprintf(add_fd, "uidNumber: %d\n", ++ldif_uid);
- fprintf(add_fd, "gidNumber: %d\n", ++ldif_gid);
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Domain Admins entity */
- fprintf(add_fd, "# Domain Admins, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Domain Admins,ou=%s,%s\n", group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "cn: Domain Admins\n");
- fprintf(add_fd, "memberUid: Administrator\n");
- fprintf(add_fd, "description: Netbios Domain Administrators\n");
- fprintf(add_fd, "gidNumber: 512\n");
- fprintf(add_fd, "sambaSID: %s-512\n", sid);
- fprintf(add_fd, "sambaGroupType: 2\n");
- fprintf(add_fd, "displayName: Domain Admins\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Domain Users entity */
- fprintf(add_fd, "# Domain Users, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Domain Users,ou=%s,%s\n", group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "cn: Domain Users\n");
- fprintf(add_fd, "description: Netbios Domain Users\n");
- fprintf(add_fd, "gidNumber: 513\n");
- fprintf(add_fd, "sambaSID: %s-513\n", sid);
- fprintf(add_fd, "sambaGroupType: 2\n");
- fprintf(add_fd, "displayName: Domain Users\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Domain Guests entity */
- fprintf(add_fd, "# Domain Guests, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Domain Guests,ou=%s,%s\n", group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "cn: Domain Guests\n");
- fprintf(add_fd, "description: Netbios Domain Guests\n");
- fprintf(add_fd, "gidNumber: 514\n");
- fprintf(add_fd, "sambaSID: %s-514\n", sid);
- fprintf(add_fd, "sambaGroupType: 2\n");
- fprintf(add_fd, "displayName: Domain Guests\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Domain Computers entity */
- fprintf(add_fd, "# Domain Computers, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Domain Computers,ou=%s,%s\n",
- group_attr, suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "gidNumber: 515\n");
- fprintf(add_fd, "cn: Domain Computers\n");
- fprintf(add_fd, "description: Netbios Domain Computers accounts\n");
- fprintf(add_fd, "sambaSID: %s-515\n", sid);
- fprintf(add_fd, "sambaGroupType: 2\n");
- fprintf(add_fd, "displayName: Domain Computers\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Admininistrators Groups entity */
- fprintf(add_fd, "# Administrators, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Administrators,ou=%s,%s\n", group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "gidNumber: 544\n");
- fprintf(add_fd, "cn: Administrators\n");
- fprintf(add_fd, "description: Netbios Domain Members can fully administer the computer/sambaDomainName\n");
- fprintf(add_fd, "sambaSID: %s-544\n", builtin_sid);
- fprintf(add_fd, "sambaGroupType: 5\n");
- fprintf(add_fd, "displayName: Administrators\n");
- fprintf(add_fd, "\n");
-
- /* Write the Print Operator entity */
- fprintf(add_fd, "# Print Operators, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Print Operators,ou=%s,%s\n",
- group_attr, suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "gidNumber: 550\n");
- fprintf(add_fd, "cn: Print Operators\n");
- fprintf(add_fd, "description: Netbios Domain Print Operators\n");
- fprintf(add_fd, "sambaSID: %s-550\n", builtin_sid);
- fprintf(add_fd, "sambaGroupType: 5\n");
- fprintf(add_fd, "displayName: Print Operators\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Backup Operators entity */
- fprintf(add_fd, "# Backup Operators, %s, %s\n", group_attr,
- suffix);
- fprintf(add_fd, "dn: cn=Backup Operators,ou=%s,%s\n",
- group_attr, suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "gidNumber: 551\n");
- fprintf(add_fd, "cn: Backup Operators\n");
- fprintf(add_fd, "description: Netbios Domain Members can bypass file security to back up files\n");
- fprintf(add_fd, "sambaSID: %s-551\n", builtin_sid);
- fprintf(add_fd, "sambaGroupType: 5\n");
- fprintf(add_fd, "displayName: Backup Operators\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Write the Replicators entity */
- fprintf(add_fd, "# Replicators, %s, %s\n", group_attr, suffix);
- fprintf(add_fd, "dn: cn=Replicators,ou=%s,%s\n", group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "gidNumber: 552\n");
- fprintf(add_fd, "cn: Replicators\n");
- fprintf(add_fd, "description: Netbios Domain Supports file replication in a sambaDomainName\n");
- fprintf(add_fd, "sambaSID: %s-552\n", builtin_sid);
- fprintf(add_fd, "sambaGroupType: 5\n");
- fprintf(add_fd, "displayName: Replicators\n");
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Deallocate memory, and return */
- SAFE_FREE(suffix_attr);
- SAFE_FREE(user_attr);
- SAFE_FREE(group_attr);
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS map_populate_groups(TALLOC_CTX *mem_ctx,
- GROUPMAP *groupmap,
- ACCOUNTMAP *accountmap,
- const char *sid,
- const char *suffix,
- const char *builtin_sid)
-{
- char *group_attr = sstring_sub(lp_ldap_group_suffix(talloc_tos()), '=', ',');
-
- /* Map the groups created by populate_ldap_for_ldif */
- groupmap[0].rid = 512;
- groupmap[0].gidNumber = 512;
- groupmap[0].sambaSID = talloc_asprintf(mem_ctx, "%s-512", sid);
- groupmap[0].group_dn = talloc_asprintf(mem_ctx,
- "cn=Domain Admins,ou=%s,%s", group_attr, suffix);
- if (groupmap[0].sambaSID == NULL || groupmap[0].group_dn == NULL) {
- goto err;
- }
-
- accountmap[0].rid = 512;
- accountmap[0].cn = talloc_strdup(mem_ctx, "Domain Admins");
- if (accountmap[0].cn == NULL) {
- goto err;
- }
-
- groupmap[1].rid = 513;
- groupmap[1].gidNumber = 513;
- groupmap[1].sambaSID = talloc_asprintf(mem_ctx, "%s-513", sid);
- groupmap[1].group_dn = talloc_asprintf(mem_ctx,
- "cn=Domain Users,ou=%s,%s", group_attr, suffix);
- if (groupmap[1].sambaSID == NULL || groupmap[1].group_dn == NULL) {
- goto err;
- }
-
- accountmap[1].rid = 513;
- accountmap[1].cn = talloc_strdup(mem_ctx, "Domain Users");
- if (accountmap[1].cn == NULL) {
- goto err;
- }
-
- groupmap[2].rid = 514;
- groupmap[2].gidNumber = 514;
- groupmap[2].sambaSID = talloc_asprintf(mem_ctx, "%s-514", sid);
- groupmap[2].group_dn = talloc_asprintf(mem_ctx,
- "cn=Domain Guests,ou=%s,%s", group_attr, suffix);
- if (groupmap[2].sambaSID == NULL || groupmap[2].group_dn == NULL) {
- goto err;
- }
-
- accountmap[2].rid = 514;
- accountmap[2].cn = talloc_strdup(mem_ctx, "Domain Guests");
- if (accountmap[2].cn == NULL) {
- goto err;
- }
-
- groupmap[3].rid = 515;
- groupmap[3].gidNumber = 515;
- groupmap[3].sambaSID = talloc_asprintf(mem_ctx, "%s-515", sid);
- groupmap[3].group_dn = talloc_asprintf(mem_ctx,
- "cn=Domain Computers,ou=%s,%s", group_attr, suffix);
- if (groupmap[3].sambaSID == NULL || groupmap[3].group_dn == NULL) {
- goto err;
- }
-
- accountmap[3].rid = 515;
- accountmap[3].cn = talloc_strdup(mem_ctx, "Domain Computers");
- if (accountmap[3].cn == NULL) {
- goto err;
- }
-
- groupmap[4].rid = 544;
- groupmap[4].gidNumber = 544;
- groupmap[4].sambaSID = talloc_asprintf(mem_ctx, "%s-544", builtin_sid);
- groupmap[4].group_dn = talloc_asprintf(mem_ctx,
- "cn=Administrators,ou=%s,%s", group_attr, suffix);
- if (groupmap[4].sambaSID == NULL || groupmap[4].group_dn == NULL) {
- goto err;
- }
-
- accountmap[4].rid = 515;
- accountmap[4].cn = talloc_strdup(mem_ctx, "Administrators");
- if (accountmap[4].cn == NULL) {
- goto err;
- }
-
- groupmap[5].rid = 550;
- groupmap[5].gidNumber = 550;
- groupmap[5].sambaSID = talloc_asprintf(mem_ctx, "%s-550", builtin_sid);
- groupmap[5].group_dn = talloc_asprintf(mem_ctx,
- "cn=Print Operators,ou=%s,%s", group_attr, suffix);
- if (groupmap[5].sambaSID == NULL || groupmap[5].group_dn == NULL) {
- goto err;
- }
-
- accountmap[5].rid = 550;
- accountmap[5].cn = talloc_strdup(mem_ctx, "Print Operators");
- if (accountmap[5].cn == NULL) {
- goto err;
- }
-
- groupmap[6].rid = 551;
- groupmap[6].gidNumber = 551;
- groupmap[6].sambaSID = talloc_asprintf(mem_ctx, "%s-551", builtin_sid);
- groupmap[6].group_dn = talloc_asprintf(mem_ctx,
- "cn=Backup Operators,ou=%s,%s", group_attr, suffix);
- if (groupmap[6].sambaSID == NULL || groupmap[6].group_dn == NULL) {
- goto err;
- }
-
- accountmap[6].rid = 551;
- accountmap[6].cn = talloc_strdup(mem_ctx, "Backup Operators");
- if (accountmap[6].cn == NULL) {
- goto err;
- }
-
- groupmap[7].rid = 552;
- groupmap[7].gidNumber = 552;
- groupmap[7].sambaSID = talloc_asprintf(mem_ctx, "%s-552", builtin_sid);
- groupmap[7].group_dn = talloc_asprintf(mem_ctx,
- "cn=Replicators,ou=%s,%s", group_attr, suffix);
- if (groupmap[7].sambaSID == NULL || groupmap[7].group_dn == NULL) {
- goto err;
- }
-
- accountmap[7].rid = 551;
- accountmap[7].cn = talloc_strdup(mem_ctx, "Replicators");
- if (accountmap[7].cn == NULL) {
- goto err;
- }
-
- SAFE_FREE(group_attr);
-
- return NT_STATUS_OK;
-
- err:
-
- SAFE_FREE(group_attr);
- return NT_STATUS_NO_MEMORY;
-}
-
-/*
- * This is a crap routine, but I think it's the quickest way to solve the
- * UTF8->base64 problem.
- */
-
-static int fprintf_attr(FILE *add_fd, const char *attr_name,
- const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
-
-static int fprintf_attr(FILE *add_fd, const char *attr_name,
- const char *fmt, ...)
-{
- va_list ap;
- char *value, *p, *base64;
- DATA_BLOB base64_blob;
- bool do_base64 = false;
- int res;
-
- va_start(ap, fmt);
- value = talloc_vasprintf(NULL, fmt, ap);
- va_end(ap);
-
- SMB_ASSERT(value != NULL);
-
- for (p=value; *p; p++) {
- if (*p & 0x80) {
- do_base64 = true;
- break;
- }
- }
-
- if (!do_base64) {
- bool only_whitespace = true;
- for (p=value; *p; p++) {
- /*
- * I know that this not multibyte safe, but we break
- * on the first non-whitespace character anyway.
- */
- if (!isspace(*p)) {
- only_whitespace = false;
- break;
- }
- }
- if (only_whitespace) {
- do_base64 = true;
- }
- }
-
- if (!do_base64) {
- res = fprintf(add_fd, "%s: %s\n", attr_name, value);
- TALLOC_FREE(value);
- return res;
- }
-
- base64_blob.data = (unsigned char *)value;
- base64_blob.length = strlen(value);
-
- base64 = base64_encode_data_blob(value, base64_blob);
- SMB_ASSERT(base64 != NULL);
-
- res = fprintf(add_fd, "%s:: %s\n", attr_name, base64);
- TALLOC_FREE(value);
- return res;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_group_info_to_ldif(TALLOC_CTX *mem_ctx,
- struct netr_DELTA_GROUP *r,
- GROUPMAP *groupmap,
- FILE *add_fd,
- const char *sid,
- const char *suffix)
-{
- const char *groupname = r->group_name.string;
- uint32_t grouptype = 0, g_rid = 0;
- char *group_attr = sstring_sub(lp_ldap_group_suffix(talloc_tos()), '=', ',');
-
- /* Set up the group type (always 2 for group info) */
- grouptype = 2;
-
- /* These groups are entered by populate_ldap_for_ldif */
- if (strcmp(groupname, "Domain Admins") == 0 ||
- strcmp(groupname, "Domain Users") == 0 ||
- strcmp(groupname, "Domain Guests") == 0 ||
- strcmp(groupname, "Domain Computers") == 0 ||
- strcmp(groupname, "Administrators") == 0 ||
- strcmp(groupname, "Print Operators") == 0 ||
- strcmp(groupname, "Backup Operators") == 0 ||
- strcmp(groupname, "Replicators") == 0) {
- SAFE_FREE(group_attr);
- return NT_STATUS_OK;
- } else {
- /* Increment the gid for the new group */
- ldif_gid++;
- }
-
- /* Map the group rid, gid, and dn */
- g_rid = r->rid;
- groupmap->rid = g_rid;
- groupmap->gidNumber = ldif_gid;
- groupmap->sambaSID = talloc_asprintf(mem_ctx, "%s-%d", sid, g_rid);
- groupmap->group_dn = talloc_asprintf(mem_ctx,
- "cn=%s,ou=%s,%s", groupname, group_attr, suffix);
- if (groupmap->sambaSID == NULL || groupmap->group_dn == NULL) {
- SAFE_FREE(group_attr);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Write the data to the temporary add ldif file */
- fprintf(add_fd, "# %s, %s, %s\n", groupname, group_attr,
- suffix);
- fprintf_attr(add_fd, "dn", "cn=%s,ou=%s,%s", groupname, group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf_attr(add_fd, "cn", "%s", groupname);
- fprintf(add_fd, "gidNumber: %d\n", ldif_gid);
- fprintf(add_fd, "sambaSID: %s\n", groupmap->sambaSID);
- fprintf(add_fd, "sambaGroupType: %d\n", grouptype);
- fprintf_attr(add_fd, "displayName", "%s", groupname);
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- SAFE_FREE(group_attr);
- /* Return */
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX *mem_ctx,
- struct netr_DELTA_USER *r,
- GROUPMAP *groupmap,
- ACCOUNTMAP *accountmap,
- FILE *add_fd,
- const char *sid,
- const char *suffix,
- int alloced)
-{
- fstring username, logonscript, homedrive, homepath = "", homedir = "";
- fstring hex_nt_passwd, hex_lm_passwd;
- fstring description, profilepath, fullname, sambaSID;
- char *flags, *user_rdn;
- const char *ou;
- const char* nopasswd = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
- uint32_t rid = 0, group_rid = 0, gidNumber = 0;
- time_t unix_time;
- int i, ret;
-
- /* Get the username */
- fstrcpy(username, r->account_name.string);
-
- /* Get the rid */
- rid = r->rid;
-
- /* Map the rid and username for group member info later */
- accountmap->rid = rid;
- accountmap->cn = talloc_strdup(mem_ctx, username);
- NT_STATUS_HAVE_NO_MEMORY(accountmap->cn);
-
- /* Get the home directory */
- if (r->acct_flags & ACB_NORMAL) {
- fstrcpy(homedir, r->home_directory.string);
- if (!*homedir) {
- snprintf(homedir, sizeof(homedir), "/home/%s", username);
- } else {
- snprintf(homedir, sizeof(homedir), "/nobodyshomedir");
- }
- ou = lp_ldap_user_suffix(talloc_tos());
- } else {
- ou = lp_ldap_machine_suffix(talloc_tos());
- snprintf(homedir, sizeof(homedir), "/machinehomedir");
- }
-
- /* Get the logon script */
- fstrcpy(logonscript, r->logon_script.string);
-
- /* Get the home drive */
- fstrcpy(homedrive, r->home_drive.string);
-
- /* Get the home path */
- fstrcpy(homepath, r->home_directory.string);
-
- /* Get the description */
- fstrcpy(description, r->description.string);
-
- /* Get the display name */
- fstrcpy(fullname, r->full_name.string);
-
- /* Get the profile path */
- fstrcpy(profilepath, r->profile_path.string);
-
- /* Get lm and nt password data */
- if (!all_zero(r->lmpassword.hash, 16)) {
- pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
- } else {
- pdb_sethexpwd(hex_lm_passwd, NULL, 0);
- }
- if (!all_zero(r->ntpassword.hash, 16)) {
- pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
- } else {
- pdb_sethexpwd(hex_nt_passwd, NULL, 0);
- }
- unix_time = nt_time_to_unix(r->last_password_change);
-
- /* Increment the uid for the new user */
- ldif_uid++;
-
- /* Set up group id and sambaSID for the user */
- group_rid = r->primary_gid;
- for (i=0; i<alloced; i++) {
- if (groupmap[i].rid == group_rid) break;
- }
- if (i == alloced){
- DEBUG(1, ("Could not find rid %d in groupmap array\n",
- group_rid));
- return NT_STATUS_UNSUCCESSFUL;
- }
- gidNumber = groupmap[i].gidNumber;
- ret = snprintf(sambaSID, sizeof(sambaSID), "%s", groupmap[i].sambaSID);
- if (ret < 0 || ret == sizeof(sambaSID)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* Set up sambaAcctFlags */
- flags = pdb_encode_acct_ctrl(r->acct_flags,
- NEW_PW_FORMAT_SPACE_PADDED_LEN);
-
- /* Add the user to the temporary add ldif file */
- /* this isn't quite right...we can't assume there's just OU=. jmcd */
- user_rdn = sstring_sub(ou, '=', ',');
- fprintf(add_fd, "# %s, %s, %s\n", username, user_rdn, suffix);
- fprintf_attr(add_fd, "dn", "uid=%s,ou=%s,%s", username, user_rdn,
- suffix);
- SAFE_FREE(user_rdn);
- fprintf(add_fd, "ObjectClass: top\n");
- fprintf(add_fd, "objectClass: inetOrgPerson\n");
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXACCOUNT);
- fprintf(add_fd, "objectClass: shadowAccount\n");
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_SAMBASAMACCOUNT);
- fprintf_attr(add_fd, "cn", "%s", username);
- fprintf_attr(add_fd, "sn", "%s", username);
- fprintf_attr(add_fd, "uid", "%s", username);
- fprintf(add_fd, "uidNumber: %d\n", ldif_uid);
- fprintf(add_fd, "gidNumber: %d\n", gidNumber);
- fprintf_attr(add_fd, "homeDirectory", "%s", homedir);
- if (*homepath)
- fprintf_attr(add_fd, "sambaHomePath", "%s", homepath);
- if (*homedrive)
- fprintf_attr(add_fd, "sambaHomeDrive", "%s", homedrive);
- if (*logonscript)
- fprintf_attr(add_fd, "sambaLogonScript", "%s", logonscript);
- fprintf(add_fd, "loginShell: %s\n",
- ((r->acct_flags & ACB_NORMAL) ?
- "/bin/bash" : "/bin/false"));
- fprintf(add_fd, "gecos: System User\n");
- if (*description)
- fprintf_attr(add_fd, "description", "%s", description);
- fprintf(add_fd, "sambaSID: %s-%d\n", sid, rid);
- fprintf(add_fd, "sambaPrimaryGroupSID: %s\n", sambaSID);
- if(*fullname)
- fprintf_attr(add_fd, "displayName", "%s", fullname);
- if(*profilepath)
- fprintf_attr(add_fd, "sambaProfilePath", "%s", profilepath);
- if (strcmp(nopasswd, hex_lm_passwd) != 0)
- fprintf(add_fd, "sambaLMPassword: %s\n", hex_lm_passwd);
- if (strcmp(nopasswd, hex_nt_passwd) != 0)
- fprintf(add_fd, "sambaNTPassword: %s\n", hex_nt_passwd);
- fprintf(add_fd, "sambaPwdLastSet: %d\n", (int)unix_time);
- fprintf(add_fd, "sambaAcctFlags: %s\n", flags);
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- /* Return */
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_alias_info_to_ldif(TALLOC_CTX *mem_ctx,
- struct netr_DELTA_ALIAS *r,
- GROUPMAP *groupmap,
- FILE *add_fd,
- const char *sid,
- const char *suffix,
- enum netr_SamDatabaseID database_id)
-{
- fstring aliasname, description;
- uint32_t grouptype = 0, g_rid = 0;
- char *group_attr = sstring_sub(lp_ldap_group_suffix(talloc_tos()), '=', ',');
-
- /* Get the alias name */
- fstrcpy(aliasname, r->alias_name.string);
-
- /* Get the alias description */
- fstrcpy(description, r->description.string);
-
- /* Set up the group type */
- switch (database_id) {
- case SAM_DATABASE_DOMAIN:
- grouptype = 4;
- break;
- case SAM_DATABASE_BUILTIN:
- grouptype = 5;
- break;
- default:
- grouptype = 4;
- break;
- }
-
- /*
- These groups are entered by populate_ldap_for_ldif
- Note that populate creates a group called Relicators,
- but NT returns a group called Replicator
- */
- if (strcmp(aliasname, "Domain Admins") == 0 ||
- strcmp(aliasname, "Domain Users") == 0 ||
- strcmp(aliasname, "Domain Guests") == 0 ||
- strcmp(aliasname, "Domain Computers") == 0 ||
- strcmp(aliasname, "Administrators") == 0 ||
- strcmp(aliasname, "Print Operators") == 0 ||
- strcmp(aliasname, "Backup Operators") == 0 ||
- strcmp(aliasname, "Replicator") == 0) {
- SAFE_FREE(group_attr);
- return NT_STATUS_OK;
- } else {
- /* Increment the gid for the new group */
- ldif_gid++;
- }
-
- /* Map the group rid and gid */
- g_rid = r->rid;
- groupmap->gidNumber = ldif_gid;
- groupmap->sambaSID = talloc_asprintf(mem_ctx, "%s-%d", sid, g_rid);
- if (groupmap->sambaSID == NULL) {
- SAFE_FREE(group_attr);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Write the data to the temporary add ldif file */
- fprintf(add_fd, "# %s, %s, %s\n", aliasname, group_attr,
- suffix);
- fprintf_attr(add_fd, "dn", "cn=%s,ou=%s,%s", aliasname, group_attr,
- suffix);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
- fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
- fprintf(add_fd, "cn: %s\n", aliasname);
- fprintf(add_fd, "gidNumber: %d\n", ldif_gid);
- fprintf(add_fd, "sambaSID: %s\n", groupmap->sambaSID);
- fprintf(add_fd, "sambaGroupType: %d\n", grouptype);
- fprintf_attr(add_fd, "displayName", "%s", aliasname);
- if (description[0])
- fprintf_attr(add_fd, "description", "%s", description);
- fprintf(add_fd, "\n");
- fflush(add_fd);
-
- SAFE_FREE(group_attr);
- /* Return */
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_groupmem_info_to_ldif(struct netr_DELTA_GROUP_MEMBER *r,
- uint32_t id_rid,
- GROUPMAP *groupmap,
- ACCOUNTMAP *accountmap,
- FILE *mod_fd, int alloced)
-{
- fstring group_dn;
- uint32_t group_rid = 0, rid = 0;
- int i, j, k;
-
- /* Get the dn for the group */
- if (r->num_rids > 0) {
- group_rid = id_rid;
- for (j=0; j<alloced; j++) {
- if (groupmap[j].rid == group_rid) break;
- }
- if (j == alloced){
- DEBUG(1, ("Could not find rid %d in groupmap array\n",
- group_rid));
- return NT_STATUS_UNSUCCESSFUL;
- }
- snprintf(group_dn, sizeof(group_dn), "%s", groupmap[j].group_dn);
- fprintf(mod_fd, "dn: %s\n", group_dn);
-
- /* Get the cn for each member */
- for (i=0; i < r->num_rids; i++) {
- rid = r->rids[i];
- for (k=0; k<alloced; k++) {
- if (accountmap[k].rid == rid) break;
- }
- if (k == alloced){
- DEBUG(1, ("Could not find rid %d in "
- "accountmap array\n", rid));
- return NT_STATUS_UNSUCCESSFUL;
- }
- fprintf(mod_fd, "memberUid: %s\n", accountmap[k].cn);
- }
- fprintf(mod_fd, "\n");
- }
- fflush(mod_fd);
-
- /* Return */
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS ldif_init_context(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- const char *ldif_filename,
- const char *domain_sid_str,
- struct samsync_ldif_context **ctx)
-{
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- struct samsync_ldif_context *r;
- const char *add_template = "/tmp/add.ldif.XXXXXX";
- const char *mod_template = "/tmp/mod.ldif.XXXXXX";
- const char *builtin_sid = "S-1-5-32";
- mode_t mask;
- int fd;
-
- r = talloc_zero(mem_ctx, struct samsync_ldif_context);
- NT_STATUS_HAVE_NO_MEMORY(r);
-
- /* Get the ldap suffix */
- r->suffix = lp_ldap_suffix(talloc_tos());
-
- /* Get other smb.conf data */
- if (!(lp_workgroup()) || !*(lp_workgroup())) {
- DEBUG(0,("workgroup missing from smb.conf--exiting\n"));
- exit(1);
- }
-
- /* Get the ldap suffix */
- if (!r->suffix || !*r->suffix) {
- DEBUG(0,("ldap suffix missing from smb.conf--exiting\n"));
- exit(1);
- }
-
- if (*ctx && (*ctx)->initialized) {
- return NT_STATUS_OK;
- }
-
- /* Ensure we have an output file */
- if (ldif_filename) {
- r->ldif_file = fopen(ldif_filename, "a");
- } else {
- r->ldif_file = stdout;
- }
-
- if (!r->ldif_file) {
- fprintf(stderr, "Could not open %s\n", ldif_filename);
- DEBUG(1, ("Could not open %s\n", ldif_filename));
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- r->add_template = talloc_strdup(mem_ctx, add_template);
- r->mod_template = talloc_strdup(mem_ctx, mod_template);
- if (!r->add_template || !r->mod_template) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- r->add_name = talloc_strdup(mem_ctx, add_template);
- r->module_name = talloc_strdup(mem_ctx, mod_template);
- if (!r->add_name || !r->module_name) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- mask = umask(S_IRWXO | S_IRWXG);
- fd = mkstemp(r->add_name);
- umask(mask);
- if (fd < 0) {
- DEBUG(1, ("Could not create %s\n", r->add_name));
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Open the add and mod ldif files */
- r->add_file = fdopen(fd, "w");
- if (r->add_file == NULL) {
- DEBUG(1, ("Could not open %s\n", r->add_name));
- close(fd);
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- mask = umask(S_IRWXO | S_IRWXG);
- fd = mkstemp(r->module_name);
- umask(mask);
- if (fd < 0) {
- DEBUG(1, ("Could not create %s\n", r->module_name));
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- r->mod_file = fdopen(fd, "w");
- if (r->mod_file == NULL) {
- DEBUG(1, ("Could not open %s\n", r->module_name));
- close(fd);
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Allocate initial memory for groupmap and accountmap arrays */
- r->groupmap = talloc_zero_array(mem_ctx, GROUPMAP, 8);
- r->accountmap = talloc_zero_array(mem_ctx, ACCOUNTMAP, 8);
- if (r->groupmap == NULL || r->accountmap == NULL) {
- DEBUG(1,("GROUPMAP talloc failed\n"));
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- /* Remember how many we malloced */
- r->num_alloced = 8;
-
- /* Initial database population */
- if (database_id == SAM_DATABASE_DOMAIN) {
-
- status = populate_ldap_for_ldif(domain_sid_str,
- r->suffix,
- builtin_sid,
- r->add_file);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- status = map_populate_groups(mem_ctx,
- r->groupmap,
- r->accountmap,
- domain_sid_str,
- r->suffix,
- builtin_sid);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- }
-
- r->initialized = true;
-
- *ctx = r;
-
- return NT_STATUS_OK;
- done:
- TALLOC_FREE(r);
- return status;
-}
-
-/****************************************************************
-****************************************************************/
-
-static void ldif_free_context(struct samsync_ldif_context *r)
-{
- if (!r) {
- return;
- }
-
- /* Close and delete the ldif files */
- if (r->add_file) {
- fclose(r->add_file);
- }
-
- if ((r->add_name != NULL) &&
- strcmp(r->add_name, r->add_template) && (unlink(r->add_name))) {
- DEBUG(1,("unlink(%s) failed, error was (%s)\n",
- r->add_name, strerror(errno)));
- }
-
- if (r->mod_file) {
- fclose(r->mod_file);
- }
-
- if ((r->module_name != NULL) &&
- strcmp(r->module_name, r->mod_template) && (unlink(r->module_name))) {
- DEBUG(1,("unlink(%s) failed, error was (%s)\n",
- r->module_name, strerror(errno)));
- }
-
- if (r->ldif_file && (r->ldif_file != stdout)) {
- fclose(r->ldif_file);
- }
-
- TALLOC_FREE(r);
-}
-
-/****************************************************************
-****************************************************************/
-
-static void ldif_write_output(enum netr_SamDatabaseID database_id,
- struct samsync_ldif_context *l)
-{
- /* Write ldif data to the user's file */
- if (database_id == SAM_DATABASE_DOMAIN) {
- fprintf(l->ldif_file,
- "# SAM_DATABASE_DOMAIN: ADD ENTITIES\n");
- fprintf(l->ldif_file,
- "# =================================\n\n");
- fflush(l->ldif_file);
- } else if (database_id == SAM_DATABASE_BUILTIN) {
- fprintf(l->ldif_file,
- "# SAM_DATABASE_BUILTIN: ADD ENTITIES\n");
- fprintf(l->ldif_file,
- "# ==================================\n\n");
- fflush(l->ldif_file);
- }
- fseek(l->add_file, 0, SEEK_SET);
- transfer_file(fileno(l->add_file), fileno(l->ldif_file), (size_t) -1);
-
- if (database_id == SAM_DATABASE_DOMAIN) {
- fprintf(l->ldif_file,
- "# SAM_DATABASE_DOMAIN: MODIFY ENTITIES\n");
- fprintf(l->ldif_file,
- "# ====================================\n\n");
- fflush(l->ldif_file);
- } else if (database_id == SAM_DATABASE_BUILTIN) {
- fprintf(l->ldif_file,
- "# SAM_DATABASE_BUILTIN: MODIFY ENTITIES\n");
- fprintf(l->ldif_file,
- "# =====================================\n\n");
- fflush(l->ldif_file);
- }
- fseek(l->mod_file, 0, SEEK_SET);
- transfer_file(fileno(l->mod_file), fileno(l->ldif_file), (size_t) -1);
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_sam_entry_ldif(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM *r,
- struct samsync_context *ctx,
- uint32_t *a_index_p,
- uint32_t *g_index_p)
-{
- union netr_DELTA_UNION u = r->delta_union;
- union netr_DELTA_ID_UNION id = r->delta_id_union;
- struct samsync_ldif_context *l =
- talloc_get_type_abort(ctx->private_data, struct samsync_ldif_context);
-
- switch (r->delta_type) {
- case NETR_DELTA_DOMAIN:
- break;
-
- case NETR_DELTA_GROUP:
- fetch_group_info_to_ldif(mem_ctx,
- u.group,
- &l->groupmap[*g_index_p],
- l->add_file,
- ctx->domain_sid_str,
- l->suffix);
- (*g_index_p)++;
- break;
-
- case NETR_DELTA_USER:
- fetch_account_info_to_ldif(mem_ctx,
- u.user,
- l->groupmap,
- &l->accountmap[*a_index_p],
- l->add_file,
- ctx->domain_sid_str,
- l->suffix,
- l->num_alloced);
- (*a_index_p)++;
- break;
-
- case NETR_DELTA_ALIAS:
- fetch_alias_info_to_ldif(mem_ctx,
- u.alias,
- &l->groupmap[*g_index_p],
- l->add_file,
- ctx->domain_sid_str,
- l->suffix,
- database_id);
- (*g_index_p)++;
- break;
-
- case NETR_DELTA_GROUP_MEMBER:
- fetch_groupmem_info_to_ldif(u.group_member,
- id.rid,
- l->groupmap,
- l->accountmap,
- l->mod_file,
- l->num_alloced);
- break;
-
- case NETR_DELTA_ALIAS_MEMBER:
- case NETR_DELTA_POLICY:
- case NETR_DELTA_ACCOUNT:
- case NETR_DELTA_TRUSTED_DOMAIN:
- case NETR_DELTA_SECRET:
- case NETR_DELTA_RENAME_GROUP:
- case NETR_DELTA_RENAME_USER:
- case NETR_DELTA_RENAME_ALIAS:
- case NETR_DELTA_DELETE_GROUP:
- case NETR_DELTA_DELETE_USER:
- case NETR_DELTA_MODIFY_COUNT:
- default:
- break;
- } /* end of switch */
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS ldif_realloc_maps(TALLOC_CTX *mem_ctx,
- struct samsync_ldif_context *l,
- uint32_t num_entries)
-{
- /* Re-allocate memory for groupmap and accountmap arrays */
- l->groupmap = talloc_realloc(mem_ctx,
- l->groupmap,
- GROUPMAP,
- num_entries + l->num_alloced);
-
- l->accountmap = talloc_realloc(mem_ctx,
- l->accountmap,
- ACCOUNTMAP,
- num_entries + l->num_alloced);
-
- if (l->groupmap == NULL || l->accountmap == NULL) {
- DEBUG(1,("GROUPMAP talloc failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Initialize the new records */
- memset(&(l->groupmap[l->num_alloced]), 0,
- sizeof(GROUPMAP) * num_entries);
- memset(&(l->accountmap[l->num_alloced]), 0,
- sizeof(ACCOUNTMAP) * num_entries);
-
- /* Remember how many we alloced this time */
- l->num_alloced += num_entries;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS init_ldif(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t *sequence_num)
-{
- NTSTATUS status;
- struct samsync_ldif_context *ldif_ctx =
- (struct samsync_ldif_context *)ctx->private_data;
-
- status = ldif_init_context(mem_ctx,
- database_id,
- ctx->output_filename,
- ctx->domain_sid_str,
- &ldif_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- ctx->private_data = ldif_ctx;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r,
- uint64_t *sequence_num,
- struct samsync_context *ctx)
-{
- NTSTATUS status;
- int i;
- struct samsync_ldif_context *ldif_ctx =
- (struct samsync_ldif_context *)ctx->private_data;
-
- status = ldif_realloc_maps(mem_ctx, ldif_ctx, r->num_deltas);
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
-
- for (i = 0; i < r->num_deltas; i++) {
- status = fetch_sam_entry_ldif(mem_ctx, database_id,
- &r->delta_enum[i], ctx,
- &a_index, &g_index);
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
- }
-
- return NT_STATUS_OK;
-
- failed:
- ldif_free_context(ldif_ctx);
- ctx->private_data = NULL;
-
- return status;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS close_ldif(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t sequence_num)
-{
- struct samsync_ldif_context *ldif_ctx =
- (struct samsync_ldif_context *)ctx->private_data;
-
- /* This was the last query */
- ldif_write_output(database_id, ldif_ctx);
- if (ldif_ctx->ldif_file != stdout) {
- ctx->result_message = talloc_asprintf(ctx,
- "Vampired %d accounts and %d groups to %s",
- a_index, g_index, ctx->output_filename);
- }
-
- ldif_free_context(ldif_ctx);
- ctx->private_data = NULL;
-
- return NT_STATUS_OK;
-}
-
-#else /* HAVE_LDAP */
-
-static NTSTATUS init_ldif(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t *sequence_num)
-{
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-static NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r,
- uint64_t *sequence_num,
- struct samsync_context *ctx)
-{
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-static NTSTATUS close_ldif(TALLOC_CTX *mem_ctx,
- struct samsync_context *ctx,
- enum netr_SamDatabaseID database_id,
- uint64_t sequence_num)
-{
- return NT_STATUS_NOT_SUPPORTED;
-}
-
-#endif
-
-const struct samsync_ops libnet_samsync_ldif_ops = {
- .startup = init_ldif,
- .process_objects = fetch_sam_entries_ldif,
- .finish = close_ldif,
-};
diff --git a/source3/libnet/libnet_samsync_passdb.c b/source3/libnet/libnet_samsync_passdb.c
deleted file mode 100644
index 9ba637e744c..00000000000
--- a/source3/libnet/libnet_samsync_passdb.c
+++ /dev/null
@@ -1,882 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- dump the remote SAM using rpc samsync operations
-
- Copyright (C) Andrew Tridgell 2002
- Copyright (C) Tim Potter 2001,2002
- Copyright (C) Jim McDonough <jmcd at us.ibm.com> 2005
- Modified by Volker Lendecke 2002
- Copyright (C) Jeremy Allison 2005.
- Copyright (C) Guenther Deschner 2008.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/passwd.h"
-#include "libnet/libnet_samsync.h"
-#include "../libcli/security/security.h"
-#include "passdb.h"
-#include "lib/util/base64.h"
-
-/* Convert a struct samu_DELTA to a struct samu. */
-#define STRING_CHANGED (old_string && !new_string) ||\
- (!old_string && new_string) ||\
- (old_string && new_string && (strcmp(old_string, new_string) != 0))
-
-#define STRING_CHANGED_NC(s1,s2) ((s1) && !(s2)) ||\
- (!(s1) && (s2)) ||\
- ((s1) && (s2) && (strcmp((s1), (s2)) != 0))
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS sam_account_from_delta(struct samu *account,
- struct netr_DELTA_USER *r)
-{
- const char *old_string, *new_string;
- time_t unix_time, stored_time;
-
- /* Username, fullname, home dir, dir drive, logon script, acct
- desc, workstations, profile. */
-
- if (r->account_name.string) {
- old_string = pdb_get_nt_username(account);
- new_string = r->account_name.string;
-
- if (STRING_CHANGED) {
- pdb_set_nt_username(account, new_string, PDB_CHANGED);
- }
-
- /* Unix username is the same - for sanity */
- old_string = pdb_get_username( account );
- if (STRING_CHANGED) {
- pdb_set_username(account, new_string, PDB_CHANGED);
- }
- }
-
- if (r->full_name.string) {
- old_string = pdb_get_fullname(account);
- new_string = r->full_name.string;
-
- if (STRING_CHANGED)
- pdb_set_fullname(account, new_string, PDB_CHANGED);
- }
-
- if (r->home_directory.string) {
- old_string = pdb_get_homedir(account);
- new_string = r->home_directory.string;
-
- if (STRING_CHANGED)
- pdb_set_homedir(account, new_string, PDB_CHANGED);
- }
-
- if (r->home_drive.string) {
- old_string = pdb_get_dir_drive(account);
- new_string = r->home_drive.string;
-
- if (STRING_CHANGED)
- pdb_set_dir_drive(account, new_string, PDB_CHANGED);
- }
-
- if (r->logon_script.string) {
- old_string = pdb_get_logon_script(account);
- new_string = r->logon_script.string;
-
- if (STRING_CHANGED)
- pdb_set_logon_script(account, new_string, PDB_CHANGED);
- }
-
- if (r->description.string) {
- old_string = pdb_get_acct_desc(account);
- new_string = r->description.string;
-
- if (STRING_CHANGED)
- pdb_set_acct_desc(account, new_string, PDB_CHANGED);
- }
-
- if (r->workstations.string) {
- old_string = pdb_get_workstations(account);
- new_string = r->workstations.string;
-
- if (STRING_CHANGED)
- pdb_set_workstations(account, new_string, PDB_CHANGED);
- }
-
- if (r->profile_path.string) {
- old_string = pdb_get_profile_path(account);
- new_string = r->profile_path.string;
-
- if (STRING_CHANGED)
- pdb_set_profile_path(account, new_string, PDB_CHANGED);
- }
-
- if (r->parameters.array) {
- DATA_BLOB mung;
- char *newstr = NULL;
- old_string = pdb_get_munged_dial(account);
- mung.length = r->parameters.length * 2;
- mung.data = (uint8_t *) r->parameters.array;
-
- if (mung.length != 0) {
- newstr = base64_encode_data_blob(talloc_tos(), mung);
- SMB_ASSERT(newstr != NULL);
- }
-
- if (STRING_CHANGED_NC(old_string, newstr))
- pdb_set_munged_dial(account, newstr, PDB_CHANGED);
- TALLOC_FREE(newstr);
- }
-
- /* User and group sid */
- if (pdb_get_user_rid(account) != r->rid)
- pdb_set_user_sid_from_rid(account, r->rid, PDB_CHANGED);
- if (pdb_get_group_rid(account) != r->primary_gid)
- pdb_set_group_sid_from_rid(account, r->primary_gid, PDB_CHANGED);
-
- /* Logon and password information */
- if (!nt_time_is_zero(&r->last_logon)) {
- unix_time = nt_time_to_unix(r->last_logon);
- stored_time = pdb_get_logon_time(account);
- if (stored_time != unix_time)
- pdb_set_logon_time(account, unix_time, PDB_CHANGED);
- }
-
- if (!nt_time_is_zero(&r->last_logoff)) {
- unix_time = nt_time_to_unix(r->last_logoff);
- stored_time = pdb_get_logoff_time(account);
- if (stored_time != unix_time)
- pdb_set_logoff_time(account, unix_time,PDB_CHANGED);
- }
-
- /* Logon Divs */
- if (pdb_get_logon_divs(account) != r->logon_hours.units_per_week)
- pdb_set_logon_divs(account, r->logon_hours.units_per_week, PDB_CHANGED);
-
-#if 0
- /* no idea what to do with this one - gd */
- /* Max Logon Hours */
- if (delta->unknown1 != pdb_get_unknown_6(account)) {
- pdb_set_unknown_6(account, delta->unknown1, PDB_CHANGED);
- }
-#endif
- /* Logon Hours Len */
- if (r->logon_hours.units_per_week/8 != pdb_get_hours_len(account)) {
- pdb_set_hours_len(account, r->logon_hours.units_per_week/8, PDB_CHANGED);
- }
-
- /* Logon Hours */
- if (r->logon_hours.bits) {
- char oldstr[44], newstr[44];
- pdb_sethexhours(oldstr, pdb_get_hours(account));
- pdb_sethexhours(newstr, r->logon_hours.bits);
- if (!strequal(oldstr, newstr))
- pdb_set_hours(account, r->logon_hours.bits,
- pdb_get_hours_len(account), PDB_CHANGED);
- }
-
- if (pdb_get_bad_password_count(account) != r->bad_password_count)
- pdb_set_bad_password_count(account, r->bad_password_count, PDB_CHANGED);
-
- if (pdb_get_logon_count(account) != r->logon_count)
- pdb_set_logon_count(account, r->logon_count, PDB_CHANGED);
-
- if (!nt_time_is_zero(&r->last_password_change)) {
- unix_time = nt_time_to_unix(r->last_password_change);
- stored_time = pdb_get_pass_last_set_time(account);
- if (stored_time != unix_time)
- pdb_set_pass_last_set_time(account, unix_time, PDB_CHANGED);
- } else {
- /* no last set time, make it now */
- pdb_set_pass_last_set_time(account, time(NULL), PDB_CHANGED);
- }
-
- if (!nt_time_is_zero(&r->acct_expiry)) {
- unix_time = nt_time_to_unix(r->acct_expiry);
- stored_time = pdb_get_kickoff_time(account);
- if (stored_time != unix_time)
- pdb_set_kickoff_time(account, unix_time, PDB_CHANGED);
- }
-
- /* Decode hashes from password hash
- Note that win2000 may send us all zeros for the hashes if it doesn't
- think this channel is secure enough - don't set the passwords at all
- in that case
- */
- if (!all_zero(r->lmpassword.hash, 16)) {
- pdb_set_lanman_passwd(account, r->lmpassword.hash, PDB_CHANGED);
- }
-
- if (!all_zero(r->ntpassword.hash, 16)) {
- pdb_set_nt_passwd(account, r->ntpassword.hash, PDB_CHANGED);
- }
-
- /* TODO: account expiry time */
-
- pdb_set_acct_ctrl(account, r->acct_flags, PDB_CHANGED);
-
- pdb_set_domain(account, lp_workgroup(), PDB_CHANGED);
-
- return NT_STATUS_OK;
-}
-
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS smb_create_user(TALLOC_CTX *mem_ctx,
- uint32_t acct_flags,
- const char *account,
- struct passwd **passwd_p)
-{
- struct passwd *passwd;
- char *add_script = NULL;
-
- passwd = Get_Pwnam_alloc(mem_ctx, account);
- if (passwd) {
- *passwd_p = passwd;
- return NT_STATUS_OK;
- }
-
- /* Create appropriate user */
- if (acct_flags & ACB_NORMAL) {
- add_script = lp_add_user_script(mem_ctx);
- } else if ( (acct_flags & ACB_WSTRUST) ||
- (acct_flags & ACB_SVRTRUST) ||
- (acct_flags & ACB_DOMTRUST) ) {
- add_script = lp_add_machine_script(mem_ctx);
- } else {
- DEBUG(1, ("Unknown user type: %s\n",
- pdb_encode_acct_ctrl(acct_flags, NEW_PW_FORMAT_SPACE_PADDED_LEN)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!add_script) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (*add_script) {
- int add_ret;
- add_script = talloc_all_string_sub(mem_ctx, add_script,
- "%u", account);
- if (!add_script) {
- return NT_STATUS_NO_MEMORY;
- }
- add_ret = smbrun(add_script, NULL, NULL);
- DEBUG(add_ret ? 0 : 1,("fetch_account: Running the command `%s' "
- "gave %d\n", add_script, add_ret));
- if (add_ret == 0) {
- smb_nscd_flush_user_cache();
- }
- }
-
- /* try and find the possible unix account again */
- passwd = Get_Pwnam_alloc(mem_ctx, account);
- if (!passwd) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- *passwd_p = passwd;
-
- return NT_STATUS_OK;
-}
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_account_info(TALLOC_CTX *mem_ctx,
- uint32_t rid,
- struct netr_DELTA_USER *r)
-{
-
- NTSTATUS nt_ret = NT_STATUS_UNSUCCESSFUL;
- fstring account;
- struct samu *sam_account=NULL;
- GROUP_MAP *map = NULL;
- struct group *grp;
- struct dom_sid user_sid;
- struct dom_sid group_sid;
- struct passwd *passwd = NULL;
- fstring sid_string;
-
- fstrcpy(account, r->account_name.string);
- d_printf("Creating account: %s\n", account);
-
- if ( !(sam_account = samu_new(mem_ctx)) ) {
- return NT_STATUS_NO_MEMORY;
- }
-
- nt_ret = smb_create_user(sam_account, r->acct_flags, account, &passwd);
- if (!NT_STATUS_IS_OK(nt_ret)) {
- d_fprintf(stderr, "Could not create posix account info for '%s'\n",
- account);
- goto done;
- }
-
- sid_compose(&user_sid, get_global_sam_sid(), r->rid);
-
- DEBUG(3, ("Attempting to find SID %s for user %s in the passdb\n",
- sid_to_fstring(sid_string, &user_sid), account));
- if (!pdb_getsampwsid(sam_account, &user_sid)) {
- sam_account_from_delta(sam_account, r);
- DEBUG(3, ("Attempting to add user SID %s for user %s in the passdb\n",
- sid_to_fstring(sid_string, &user_sid),
- pdb_get_username(sam_account)));
- if (!NT_STATUS_IS_OK(pdb_add_sam_account(sam_account))) {
- DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
- account));
- return NT_STATUS_ACCESS_DENIED;
- }
- } else {
- sam_account_from_delta(sam_account, r);
- DEBUG(3, ("Attempting to update user SID %s for user %s in the passdb\n",
- sid_to_fstring(sid_string, &user_sid),
- pdb_get_username(sam_account)));
- if (!NT_STATUS_IS_OK(pdb_update_sam_account(sam_account))) {
- DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
- account));
- TALLOC_FREE(sam_account);
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- if (pdb_get_group_sid(sam_account) == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- group_sid = *pdb_get_group_sid(sam_account);
-
- map = talloc_zero(mem_ctx, GROUP_MAP);
- if (!map) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_getgrsid(map, group_sid)) {
- DEBUG(0, ("Primary group of %s has no mapping!\n",
- pdb_get_username(sam_account)));
- } else {
- if (map->gid != passwd->pw_gid) {
- if (!(grp = getgrgid(map->gid))) {
- DEBUG(0, ("Could not find unix group %lu for user %s (group SID=%s)\n",
- (unsigned long)map->gid, pdb_get_username(sam_account), sid_string_tos(&group_sid)));
- } else {
- smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
- }
- }
- }
-
- if ( !passwd ) {
- DEBUG(1, ("No unix user for this account (%s), cannot adjust mappings\n",
- pdb_get_username(sam_account)));
- }
-
- done:
- TALLOC_FREE(sam_account);
- TALLOC_FREE(map);
- return nt_ret;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_group_info(TALLOC_CTX *mem_ctx,
- uint32_t rid,
- struct netr_DELTA_GROUP *r)
-{
- struct group *grp = NULL;
- struct dom_sid group_sid;
- fstring sid_string;
- GROUP_MAP *map;
- bool insert = true;
-
- map = talloc_zero(mem_ctx, GROUP_MAP);
- if (!map) {
- return NT_STATUS_NO_MEMORY;
- }
- /* add the group to the mapping table */
- sid_compose(&group_sid, get_global_sam_sid(), rid);
- sid_to_fstring(sid_string, &group_sid);
-
- if (pdb_getgrsid(map, group_sid)) {
- if (map->gid != -1) {
- grp = getgrgid(map->gid);
- }
- insert = false;
- }
-
- map->nt_name = talloc_strdup(map, r->group_name.string);
- if (!map->nt_name) {
- return NT_STATUS_NO_MEMORY;
- }
- map->comment = talloc_strdup(map, r->description.string);
- if (!map->comment) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (grp == NULL) {
- gid_t gid;
-
- /* No group found from mapping, find it from its name. */
- if ((grp = getgrnam(map->nt_name)) == NULL) {
-
- /* No appropriate group found, create one */
-
- d_printf("Creating unix group: '%s'\n", map->nt_name);
-
- if (smb_create_group(map->nt_name, &gid) != 0)
- return NT_STATUS_ACCESS_DENIED;
-
- if ((grp = getgrnam(map->nt_name)) == NULL)
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- map->gid = grp->gr_gid;
- map->sid = group_sid;
- map->sid_name_use = SID_NAME_DOM_GRP;
-
- if (insert) {
- pdb_add_group_mapping_entry(map);
- } else {
- pdb_update_group_mapping_entry(map);
- }
-
- TALLOC_FREE(map);
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_group_mem_info(TALLOC_CTX *mem_ctx,
- uint32_t rid,
- struct netr_DELTA_GROUP_MEMBER *r)
-{
- int i;
- char **nt_members = NULL;
- char **unix_members;
- struct dom_sid group_sid;
- GROUP_MAP *map;
- struct group *grp;
-
- if (r->num_rids == 0) {
- return NT_STATUS_OK;
- }
-
- sid_compose(&group_sid, get_global_sam_sid(), rid);
-
- map = talloc_zero(mem_ctx, GROUP_MAP);
- if (!map) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!get_domain_group_from_sid(group_sid, map)) {
- DEBUG(0, ("Could not find global group %d\n", rid));
- TALLOC_FREE(map);
- return NT_STATUS_NO_SUCH_GROUP;
- }
-
- if (!(grp = getgrgid(map->gid))) {
- DEBUG(0, ("Could not find unix group %lu\n",
- (unsigned long)map->gid));
- TALLOC_FREE(map);
- return NT_STATUS_NO_SUCH_GROUP;
- }
-
- TALLOC_FREE(map);
-
- d_printf("Group members of %s: ", grp->gr_name);
-
- if (r->num_rids) {
- if ((nt_members = talloc_zero_array(mem_ctx, char *, r->num_rids)) == NULL) {
- DEBUG(0, ("talloc failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
- } else {
- nt_members = NULL;
- }
-
- for (i=0; i < r->num_rids; i++) {
- struct samu *member = NULL;
- struct dom_sid member_sid;
-
- if ( !(member = samu_new(mem_ctx)) ) {
- return NT_STATUS_NO_MEMORY;
- }
-
- sid_compose(&member_sid, get_global_sam_sid(), r->rids[i]);
-
- if (!pdb_getsampwsid(member, &member_sid)) {
- DEBUG(1, ("Found bogus group member: %d (member_sid=%s group=%s)\n",
- r->rids[i], sid_string_tos(&member_sid), grp->gr_name));
- TALLOC_FREE(member);
- continue;
- }
-
- if (pdb_get_group_rid(member) == rid) {
- d_printf("%s(primary),", pdb_get_username(member));
- TALLOC_FREE(member);
- continue;
- }
-
- d_printf("%s,", pdb_get_username(member));
- nt_members[i] = talloc_strdup(mem_ctx, pdb_get_username(member));
- TALLOC_FREE(member);
- }
-
- d_printf("\n");
-
- unix_members = grp->gr_mem;
-
- while (*unix_members) {
- bool is_nt_member = false;
- for (i=0; i < r->num_rids; i++) {
- if (nt_members[i] == NULL) {
- /* This was a primary group */
- continue;
- }
-
- if (strcmp(*unix_members, nt_members[i]) == 0) {
- is_nt_member = true;
- break;
- }
- }
- if (!is_nt_member) {
- /* We look at a unix group member that is not
- an nt group member. So, remove it. NT is
- boss here. */
- smb_delete_user_group(grp->gr_name, *unix_members);
- }
- unix_members += 1;
- }
-
- for (i=0; i < r->num_rids; i++) {
- bool is_unix_member = false;
-
- if (nt_members[i] == NULL) {
- /* This was the primary group */
- continue;
- }
-
- unix_members = grp->gr_mem;
-
- while (*unix_members) {
- if (strcmp(*unix_members, nt_members[i]) == 0) {
- is_unix_member = true;
- break;
- }
- unix_members += 1;
- }
-
- if (!is_unix_member) {
- /* We look at a nt group member that is not a
- unix group member currently. So, add the nt
- group member. */
- smb_add_user_group(grp->gr_name, nt_members[i]);
- }
- }
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_alias_info(TALLOC_CTX *mem_ctx,
- uint32_t rid,
- struct netr_DELTA_ALIAS *r,
- const struct dom_sid *dom_sid)
-{
- struct group *grp = NULL;
- struct dom_sid alias_sid;
- fstring sid_string;
- GROUP_MAP *map;
- bool insert = true;
-
- map = talloc_zero(mem_ctx, GROUP_MAP);
- if (!map) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Find out whether the group is already mapped */
- sid_compose(&alias_sid, dom_sid, rid);
- sid_to_fstring(sid_string, &alias_sid);
-
- if (pdb_getgrsid(map, alias_sid)) {
- grp = getgrgid(map->gid);
- insert = false;
- }
-
- map->nt_name = talloc_strdup(map, r->alias_name.string);
- if (!map->nt_name) {
- return NT_STATUS_NO_MEMORY;
- }
- map->comment = talloc_strdup(map, r->description.string);
- if (!map->comment) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (grp == NULL) {
- gid_t gid;
-
- /* No group found from mapping, find it from its name. */
- if ((grp = getgrnam(map->nt_name)) == NULL) {
- /* No appropriate group found, create one */
- d_printf("Creating unix group: '%s'\n", map->nt_name);
- if (smb_create_group(map->nt_name, &gid) != 0)
- return NT_STATUS_ACCESS_DENIED;
- if ((grp = getgrgid(gid)) == NULL)
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- map->gid = grp->gr_gid;
- map->sid = alias_sid;
-
- if (dom_sid_equal(dom_sid, &global_sid_Builtin)) {
- map->sid_name_use = SID_NAME_WKN_GRP;
- } else {
- map->sid_name_use = SID_NAME_ALIAS;
- }
-
- if (insert) {
- pdb_add_group_mapping_entry(map);
- } else {
- pdb_update_group_mapping_entry(map);
- }
-
- TALLOC_FREE(map);
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_alias_mem(TALLOC_CTX *mem_ctx,
- uint32_t rid,
- struct netr_DELTA_ALIAS_MEMBER *r,
- const struct dom_sid *dom_sid)
-{
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_domain_info(TALLOC_CTX *mem_ctx,
- uint32_t rid,
- struct netr_DELTA_DOMAIN *r)
-{
- time_t u_max_age, u_min_age, u_logout;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- const char *domname;
- struct netr_AcctLockStr *lockstr = NULL;
- NTSTATUS status;
-
- status = pull_netr_AcctLockStr(mem_ctx, &r->account_lockout,
- &lockstr);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf("failed to pull account lockout string: %s\n",
- nt_errstr(status));
- }
-
- u_max_age = uint64s_nt_time_to_unix_abs((uint64_t *)&r->max_password_age);
- u_min_age = uint64s_nt_time_to_unix_abs((uint64_t *)&r->min_password_age);
- u_logout = uint64s_nt_time_to_unix_abs((uint64_t *)&r->force_logoff_time);
-
- domname = r->domain_name.string;
- if (!domname) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* we don't handle BUILTIN account policies */
- if (!strequal(domname, get_global_sam_name())) {
- printf("skipping SAM_DOMAIN_INFO delta for '%s' (is not my domain)\n", domname);
- return NT_STATUS_OK;
- }
-
-
- if (!pdb_set_account_policy(PDB_POLICY_PASSWORD_HISTORY,
- r->password_history_length))
- return nt_status;
-
- if (!pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
- r->min_password_length))
- return nt_status;
-
- if (!pdb_set_account_policy(PDB_POLICY_MAX_PASSWORD_AGE,
- (uint32_t)u_max_age))
- return nt_status;
-
- if (!pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_AGE,
- (uint32_t)u_min_age))
- return nt_status;
-
- if (!pdb_set_account_policy(PDB_POLICY_TIME_TO_LOGOUT,
- (uint32_t)u_logout))
- return nt_status;
-
- if (lockstr) {
- time_t u_lockoutreset, u_lockouttime;
-
- u_lockoutreset = uint64s_nt_time_to_unix_abs(&lockstr->reset_count);
- u_lockouttime = uint64s_nt_time_to_unix_abs((uint64_t *)&lockstr->lockout_duration);
-
- if (!pdb_set_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT,
- lockstr->bad_attempt_lockout))
- return nt_status;
-
- if (!pdb_set_account_policy(PDB_POLICY_RESET_COUNT_TIME,
- (uint32_t)u_lockoutreset/60))
- return nt_status;
-
- if (u_lockouttime != -1)
- u_lockouttime /= 60;
-
- if (!pdb_set_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
- (uint32_t)u_lockouttime))
- return nt_status;
- }
-
- if (!pdb_set_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
- r->logon_to_chgpass))
- return nt_status;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_sam_entry(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM *r,
- struct samsync_context *ctx)
-{
- NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
-
- switch (r->delta_type) {
- case NETR_DELTA_USER:
- status = fetch_account_info(mem_ctx,
- r->delta_id_union.rid,
- r->delta_union.user);
- break;
- case NETR_DELTA_GROUP:
- status = fetch_group_info(mem_ctx,
- r->delta_id_union.rid,
- r->delta_union.group);
- break;
- case NETR_DELTA_GROUP_MEMBER:
- status = fetch_group_mem_info(mem_ctx,
- r->delta_id_union.rid,
- r->delta_union.group_member);
- break;
- case NETR_DELTA_ALIAS:
- status = fetch_alias_info(mem_ctx,
- r->delta_id_union.rid,
- r->delta_union.alias,
- ctx->domain_sid);
- break;
- case NETR_DELTA_ALIAS_MEMBER:
- status = fetch_alias_mem(mem_ctx,
- r->delta_id_union.rid,
- r->delta_union.alias_member,
- ctx->domain_sid);
- break;
- case NETR_DELTA_DOMAIN:
- status = fetch_domain_info(mem_ctx,
- r->delta_id_union.rid,
- r->delta_union.domain);
- break;
- /* The following types are recognised but not handled */
- case NETR_DELTA_RENAME_GROUP:
- d_printf("NETR_DELTA_RENAME_GROUP not handled\n");
- break;
- case NETR_DELTA_RENAME_USER:
- d_printf("NETR_DELTA_RENAME_USER not handled\n");
- break;
- case NETR_DELTA_RENAME_ALIAS:
- d_printf("NETR_DELTA_RENAME_ALIAS not handled\n");
- break;
- case NETR_DELTA_POLICY:
- d_printf("NETR_DELTA_POLICY not handled\n");
- break;
- case NETR_DELTA_TRUSTED_DOMAIN:
- d_printf("NETR_DELTA_TRUSTED_DOMAIN not handled\n");
- break;
- case NETR_DELTA_ACCOUNT:
- d_printf("NETR_DELTA_ACCOUNT not handled\n");
- break;
- case NETR_DELTA_SECRET:
- d_printf("NETR_DELTA_SECRET not handled\n");
- break;
- case NETR_DELTA_DELETE_GROUP:
- d_printf("NETR_DELTA_DELETE_GROUP not handled\n");
- break;
- case NETR_DELTA_DELETE_USER:
- d_printf("NETR_DELTA_DELETE_USER not handled\n");
- break;
- case NETR_DELTA_MODIFY_COUNT:
- d_printf("NETR_DELTA_MODIFY_COUNT not handled\n");
- break;
- case NETR_DELTA_DELETE_ALIAS:
- d_printf("NETR_DELTA_DELETE_ALIAS not handled\n");
- break;
- case NETR_DELTA_DELETE_TRUST:
- d_printf("NETR_DELTA_DELETE_TRUST not handled\n");
- break;
- case NETR_DELTA_DELETE_ACCOUNT:
- d_printf("NETR_DELTA_DELETE_ACCOUNT not handled\n");
- break;
- case NETR_DELTA_DELETE_SECRET:
- d_printf("NETR_DELTA_DELETE_SECRET not handled\n");
- break;
- case NETR_DELTA_DELETE_GROUP2:
- d_printf("NETR_DELTA_DELETE_GROUP2 not handled\n");
- break;
- case NETR_DELTA_DELETE_USER2:
- d_printf("NETR_DELTA_DELETE_USER2 not handled\n");
- break;
- default:
- d_printf("Unknown delta record type %d\n", r->delta_type);
- status = NT_STATUS_INVALID_PARAMETER;
- break;
- }
-
- return status;
-}
-
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS fetch_sam_entries(TALLOC_CTX *mem_ctx,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM_ARRAY *r,
- uint64_t *sequence_num,
- struct samsync_context *ctx)
-{
- int i;
-
- for (i = 0; i < r->num_deltas; i++) {
- fetch_sam_entry(mem_ctx, database_id, &r->delta_enum[i], ctx);
- }
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-const struct samsync_ops libnet_samsync_passdb_ops = {
- .process_objects = fetch_sam_entries,
-};
diff --git a/source3/wscript_build b/source3/wscript_build
index 7cf757b93d6..3f7fdff8dd3 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -874,19 +874,6 @@ bld.SAMBA3_SUBSYSTEM('LIBNET_DSSYNC',
RPC_NDR_DRSUAPI
''')
-bld.SAMBA3_SUBSYSTEM('LIBNET_SAMSYNC',
- source='''
- libnet/libnet_samsync.c
- libnet/libnet_samsync_ldif.c
- libnet/libnet_samsync_passdb.c
- libnet/libnet_samsync_display.c
- libnet/libnet_samsync_keytab.c
- ''',
- deps='''
- LIBNET
- LIBCLI_SAMSYNC
- ''')
-
bld.SAMBA3_SUBSYSTEM('LIBEVENTLOG',
source='lib/eventlog/eventlog.c',
deps='NDR_EVENTLOG tdb')
--
2.11.0
From c33c7e870bd0f83ecd117714778102c01c17e23d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 19 Sep 2017 15:26:55 -0700
Subject: [PATCH 8/8] WHATSNEW: Mention code removal from "net" and "rpcclient"
Signed-off-by: Volker Lendecke <vl at samba.org>
---
WHATSNEW.txt | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 428c2919f1a..2f2f2f61c98 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -41,6 +41,28 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
+NT4-style replication based net commands removed
+================================================
+
+The following commands and sub-commands have been removed from the
+"net" utility:
+
+net rpc samdump
+net rpc vampire ldif
+
+Also, replicating from a real NT4 domain with "net rpc vampire" and
+"net rpc vampire keytab" has been removed.
+
+The NT4-based commands were accidentially broken in 2013, and nobody
+noticed the breakage. So instead of fixing them including tests (which
+would have meant writing a server for the protocols, which we don't
+have) we decided to remove them.
+
+For the same reason, the "samsync", "samdeltas" and "database_redo"
+commands have been removed from rpcclient.
+
+"net rpc vampire keytab" from Active Directory domains continues to be
+supported.
KNOWN ISSUES
============
--
2.11.0
More information about the samba-technical
mailing list