[PATCH] dump and restore domain trust info

Stefan Metzmacher metze at samba.org
Thu Jan 10 11:35:58 UTC 2019


Hi Philipp,

> While integrating Samba with our backup system, I’ve been adding functionality
> for dumping and undumping the domain member information in a hopefully portable
> way. I think I have now reached a point where I’d like to elicit external
> feedback, so I would like you to have a look at the attached patchset. Eventually
> we would like for this functionality to be merged.
> 
> After some experiments I settled on extending “net primarytrust dumpinfo” with
> json output and adding a companion “net primarytrust readinfo” for replaying a
> dump obtained this way.

What about using "net primarytrust export" and
"net primarytrust import"? They would always use json and include passwords.

And the import should only work if there's nothing stored yet.

> An example dump as used in the blackbox tests:
> 
>     { "Reserved Flags": "AAAAAAAAAAA=",
>       "Join Time": "KgAAAAAAAAA=",
>       "Computer Name": "LOCALADMEMBER",
>       "Account Name": "LOCALADMEMBER$",
>       "Secure Channel Type": 2,
>       "Trust Flags": 26,
>       "Trust Type": 2,
>       "Trust Attributes": 26,
>       "Supported Encryption Types": 31,
>       "Salt Principal": "aG9zdC9sb2NhbGFkbWVtYmVyLmFkZG9tLnNhbWJhLmV4YW1wbGUuY29tQEFERE9NLlNBTUJBLkVYQU1QTEUuQ09N",
>       "Password Last Change": "NWUTXAAAAAA=",
>       "Password Changes": "AQAAAAAAAAA=",
>       "Password": {
>         "Change Time": "ysIkXAAAAAA=",
>         "Change Server": "ADDC",
>         "Cleartext Blob": "Erzx4o2+ZLrW+kx/dHn+s8Al9i6IYHp5mOLfa7Vi5qB/bZ3hSTyRcSxsguu3A5gE+GAP6mh7cOzDo7njgPUYdzB2qnbi5sVsMznTb3Zgz6ts8R5p+2+W97b2bL4sf445/D/rOkU5pLMAcyG+HbyH9wQ81ng8Ye13nuD+5+i6vXmivG3zqij4veVo6aeob0H6fOOUqzjpzOmHt0w3k3Nl/Efo3KrNsrAtUDpQ+sKxvPNOdqdzCzxWc1esAS8VYxI/T3jPLc11rWcr7y4uJPP0+Dali6XWrnnrZvw3LF25njI2N/7kNPiMK1gner8WaitimG5hMXKu86xWdOYB1rawshF6+Wf2rYNj7bVzNNG2QG2/L/2iLu5N4JqjDSw++39wujr+eR/2S7T/AEpuBjQ=" },
>       "DNS Domain Info": {
>         "Domain NetBios Name": "ADDOMAIN",
>         "Domain DNS Name": "addom.samba.example.com",
>         "Domain Forest Name": "addom.samba.example.com",
>         "Domain SID": "S-1-5-21-42-1337-1701",
>         "Domain GUID": "ec0ef791-e41e-44b7-8990-f05eacb06174" } }

Please also test "Old Password" and "Older Password".
And we need to include "next_change". It's important information we
should not lose.

> Two patches contain the meat of it:
> 
>     s3: net: add json printer to `net primarytrust`
>     s3: net: add primarytrust subcommand `readinfo`
> 
> There’s one patch that fixes some typos, the rest is auxiliary stuff and tests.
> I’ve marked some issues with XXX comments. These mainly concern how flags
> values should be represented.
> 
> CI: https://gitlab.com/samba-team/devel/samba/pipelines/42583194
> I’m sorting out that failure in build_samba right now.
> 
> PS: FWIW, “readinfo” can be used to inject “offline join” blobs generated by
>     djoin.exe. If you’re interested I have a PoC that I can share.

Do you have example data from djoin.exe?

metze
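To show how a dump in the shape quoted above can be checked before it is replayed (metze's two points: refuse to import when trust info is already stored, and report the "Old Password", "Older Password" and "next_change" fields that the sample does not carry), here is an added example in Python. It is not part of the patchset or of Samba; the field names come from the quoted dump, the sample below is constructed from it with the cleartext blob replaced by a placeholder, and the reading of the base64 fields as little-endian 64-bit integers is inferred from "Join Time" decoding to 42, so treat that as an assumption.

```python
import base64
import json
import struct

# Constructed sample: field names and short values taken from the dump quoted
# in the mail; the cleartext password blob is replaced by a placeholder.
SAMPLE_DUMP = """{
  "Reserved Flags": "AAAAAAAAAAA=",
  "Join Time": "KgAAAAAAAAA=",
  "Computer Name": "LOCALADMEMBER",
  "Account Name": "LOCALADMEMBER$",
  "Secure Channel Type": 2,
  "Trust Flags": 26,
  "Password Last Change": "NWUTXAAAAAA=",
  "Password Changes": "AQAAAAAAAAA=",
  "Password": {"Change Time": "ysIkXAAAAAA=", "Change Server": "ADDC",
               "Cleartext Blob": "PLACEHOLDER-NOT-A-REAL-BLOB"},
  "DNS Domain Info": {"Domain NetBios Name": "ADDOMAIN",
                      "Domain DNS Name": "addom.samba.example.com",
                      "Domain SID": "S-1-5-21-42-1337-1701"}
}"""

# Fields the dump stores as base64 of a little-endian 64-bit integer
# (assumption, inferred from "Join Time": "KgAAAAAAAAA=" decoding to 42).
U64_FIELDS = ("Reserved Flags", "Join Time", "Password Last Change",
              "Password Changes")

# Fields metze asks the export to cover; absent from the quoted sample.
WANTED_FIELDS = ("Old Password", "Older Password", "next_change")


def decode_u64(b64: str) -> int:
    """Decode one base64 field into an unsigned little-endian 64-bit int."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    return struct.unpack("<Q", raw)[0]


def parse_dump(text: str) -> dict:
    """Parse the JSON dump and decode the integer-carrying base64 fields."""
    dump = json.loads(text)
    for name in U64_FIELDS:
        dump[name] = decode_u64(dump[name])
    dump["Password"]["Change Time"] = decode_u64(dump["Password"]["Change Time"])
    return dump


def check_import(dump: dict, already_stored: bool) -> list:
    """Refuse to import over stored trust info; list wanted fields missing."""
    if already_stored:
        raise RuntimeError("refusing import: domain trust info already stored")
    return [f for f in WANTED_FIELDS if f not in dump]
```

"Password Last Change" decodes to a plain Unix timestamp, so the same helper can be used to sanity-check the timing fields before replay.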

