[PATCH] dump and restore domain trust info
Stefan Metzmacher
metze at samba.org
Thu Jan 10 15:32:51 UTC 2019
Hi Philipp,
>>> While integrating Samba with our backup system, I’ve been adding functionality
>>> for dumping and undumping the domain member information in a hopefully portable
>>> way. I think I have now reached a point where I’d like to elicit external
>>> feedback so I would like you to have a look at the attached patchset. Eventually
>>> we would like for this functionality to be merged.
>>>
>>> After some experiments I settled on extending “net primarytrust dumpinfo” with
>>> json output and adding a companion “net primarytrust readinfo” for replaying a
>>> dump obtained this way.
>>
>> What about using "net primarytrust export" and
>> "net primarytrust import"? They would always use json and include passwords.
>
> “primarytrust dumpinfo” already exists. Should this be renamed to
> “… export” or do you propose decoupling the json based import/export
> from the existing dumpinfo altogether?
Yes, it's something different. dumpinfo dumps all details, which are stored.
export and import would only handle the cleartext password, but not
the pre-calculated hashes.
>> And the import should only work if there's nothing stored yet.
>
> Is there a way to erase what’s stored?
net ads leave.
> We could reuse --force for the case that overwriting existing
> values is desired. (Currently --force prevents overwriting
> passwords only.)
--force could be used...
>>> An example dump as used in the blackbox tests:
>>>
>>> { "Reserved Flags": "AAAAAAAAAAA=",
>>> "Join Time": "KgAAAAAAAAA=",
>>> "Computer Name": "LOCALADMEMBER",
>>> "Account Name": "LOCALADMEMBER$",
>>> "Secure Channel Type": 2,
>>> "Trust Flags": 26,
>>> "Trust Type": 2,
>>> "Trust Attributes": 26,
>>> "Supported Encryption Types": 31,
>>> "Salt Principal": "aG9zdC9sb2NhbGFkbWVtYmVyLmFkZG9tLnNhbWJhLmV4YW1wbGUuY29tQEFERE9NLlNBTUJBLkVYQU1QTEUuQ09N",
>>> "Password Last Change": "NWUTXAAAAAA=",
>>> "Password Changes": "AQAAAAAAAAA=",
>>> "Password": {
>>> "Change Time": "ysIkXAAAAAA=",
>>> "Change Server": "ADDC",
>>> "Cleartext Blob": "Erzx4o2+ZLrW+kx/dHn+s8Al9i6IYHp5mOLfa7Vi5qB/bZ3hSTyRcSxsguu3A5gE+GAP6mh7cOzDo7njgPUYdzB2qnbi5sVsMznTb3Zgz6ts8R5p+2+W97b2bL4sf445/D/rOkU5pLMAcyG+HbyH9wQ81ng8Ye13nuD+5+i6vXmivG3zqij4veVo6aeob0H6fOOUqzjpzOmHt0w3k3Nl/Efo3KrNsrAtUDpQ+sKxvPNOdqdzCzxWc1esAS8VYxI/T3jPLc11rWcr7y4uJPP0+Dali6XWrnnrZvw3LF25njI2N/7kNPiMK1gner8WaitimG5hMXKu86xWdOYB1rawshF6+Wf2rYNj7bVzNNG2QG2/L/2iLu5N4JqjDSw++39wujr+eR/2S7T/AEpuBjQ=" },
>>> "DNS Domain Info": {
>>> "Domain NetBios Name": "ADDOMAIN",
>>> "Domain DNS Name": "addom.samba.example.com",
>>> "Domain Forest Name": "addom.samba.example.com",
>>> "Domain SID": "S-1-5-21-42-1337-1701",
>>> "Domain GUID": "ec0ef791-e41e-44b7-8990-f05eacb06174" } }
>>
>> Please also test "Old Password" and "Older Password".
>> And we need to include "next_change". It's important information we
>> should not lose.
>
> Will do for v2.
Thanks! I think it would be good to have the timestamps human readable.
metze
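The thread leaves two practical points open: the 8-byte base64 fields in the dump ("Join Time", "Password Last Change", "Change Time", "Password Changes") are little-endian integers that are not human readable, and an import should refuse to overwrite an existing store unless forced. The following Python is an added example, not code from the patchset or from Samba: it decodes those fields into UTC timestamps, redacts the "Cleartext Blob" (which carries the machine account password) before the dump is displayed, and implements the proposed import precondition. The sample dump is a constructed subset of the one quoted above with the real blob replaced by a placeholder; which fields are timestamps versus counters is an assumption based on their names.

```python
import base64
import json
import struct
from datetime import datetime, timezone

# Constructed subset of the dump quoted in the thread. The "Cleartext Blob"
# value is a placeholder, since a real dump contains the machine password.
SAMPLE_DUMP = json.loads("""
{ "Reserved Flags": "AAAAAAAAAAA=",
  "Join Time": "KgAAAAAAAAA=",
  "Computer Name": "LOCALADMEMBER",
  "Account Name": "LOCALADMEMBER$",
  "Secure Channel Type": 2,
  "Password Last Change": "NWUTXAAAAAA=",
  "Password Changes": "AQAAAAAAAAA=",
  "Password": {
    "Change Time": "ysIkXAAAAAA=",
    "Change Server": "ADDC",
    "Cleartext Blob": "<placeholder, not a real blob>" },
  "DNS Domain Info": {
    "Domain NetBios Name": "ADDOMAIN",
    "Domain DNS Name": "addom.samba.example.com" } }
""")

# Assumption: these 8-byte fields are Unix timestamps, the others plain
# little-endian counters/flags, judged from the field names in the dump.
TIME_FIELDS = {"Join Time", "Password Last Change", "Change Time"}
COUNTER_FIELDS = {"Password Changes", "Reserved Flags"}
SECRET_FIELDS = {"Cleartext Blob"}


def decode_u64(b64_value):
    """Decode a base64 string holding exactly 8 bytes as a little-endian u64."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    return struct.unpack("<Q", raw)[0]


def to_iso_utc(seconds):
    """Render a Unix timestamp as an ISO 8601 string in UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def humanize(node):
    """Return a copy of the dump with timestamps expanded, counters decoded
    and secret material redacted; the input is left untouched."""
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key in TIME_FIELDS:
            secs = decode_u64(value)
            out[key] = {"raw": secs, "utc": to_iso_utc(secs)}
        elif key in COUNTER_FIELDS:
            out[key] = decode_u64(value)
        elif key in SECRET_FIELDS:
            out[key] = "<redacted>"
        else:
            out[key] = humanize(value)
    return out


def import_allowed(existing, force=False):
    """The precondition proposed in the thread: an import may only populate
    an empty store, unless the operator explicitly forces an overwrite."""
    if existing is None:
        return True
    return bool(force)


if __name__ == "__main__":
    print(json.dumps(humanize(SAMPLE_DUMP), indent=2))
    print("import into empty store allowed:", import_allowed(None))
    print("import over existing store allowed:", import_allowed(SAMPLE_DUMP))
```

Running the block prints the dump with "Password Last Change" expanded to a 2018-12-14 UTC timestamp and the blob replaced by "<redacted>"; the original dict keeps the blob, so the redacted view is safe to log while the raw dump stays usable for replay.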