[PATCH] dump and restore domain trust info

Stefan Metzmacher metze at samba.org
Thu Jan 10 15:32:51 UTC 2019


Hi Philipp,

>>> While integrating Samba with our backup system, I’ve been adding functionality
>>> for dumping and undumping the domain member information in a hopefully portable
>>> way. I think I have now reached a point where I’d like to elicit external
>>> feedback so I would like you have a look at the attached patchset. Eventually
>>> we would like for this functionality to be merged.
>>>
>>> After some experiments I settled on extending “net primarytrust dumpinfo” with
>>> json output and adding a companion “net primarytrust readinfo” for replaying a
>>> dump obtained this way.
>>
>> What about using "net primarytrust export" and
>> "net primarytrust import"? They would always use json and include passwords.
> 
> “primarytrust dumpinfo” already exists. Should this be renamed to
> “… export” or do you propose decoupling the json based import/export
> from the existing dumpinfo altogether?

Yes, it's something different. dumpinfo dumps all details that are stored.

export and import would only handle the cleartext password, but not
the pre-calculated hashes.

>> And the import should only work if there's nothing stored yet.
> 
> Is there a way to erase what’s stored?

net ads leave.

> We could reuse --force for the case that overwriting existing
> values is desired. (Currently --force prevents overwriting
> passwords only.)

--force could be used...

>>> An example dump as used in the blackbox tests:
>>>
>>>     { "Reserved Flags": "AAAAAAAAAAA=",
>>>       "Join Time": "KgAAAAAAAAA=",
>>>       "Computer Name": "LOCALADMEMBER",
>>>       "Account Name": "LOCALADMEMBER$",
>>>       "Secure Channel Type": 2,
>>>       "Trust Flags": 26,
>>>       "Trust Type": 2,
>>>       "Trust Attributes": 26,
>>>       "Supported Encryption Types": 31,
>>>       "Salt Principal": "aG9zdC9sb2NhbGFkbWVtYmVyLmFkZG9tLnNhbWJhLmV4YW1wbGUuY29tQEFERE9NLlNBTUJBLkVYQU1QTEUuQ09N",
>>>       "Password Last Change": "NWUTXAAAAAA=",
>>>       "Password Changes": "AQAAAAAAAAA=",
>>>       "Password": {
>>>         "Change Time": "ysIkXAAAAAA=",
>>>         "Change Server": "ADDC",
>>>         "Cleartext Blob": "Erzx4o2+ZLrW+kx/dHn+s8Al9i6IYHp5mOLfa7Vi5qB/bZ3hSTyRcSxsguu3A5gE+GAP6mh7cOzDo7njgPUYdzB2qnbi5sVsMznTb3Zgz6ts8R5p+2+W97b2bL4sf445/D/rOkU5pLMAcyG+HbyH9wQ81ng8Ye13nuD+5+i6vXmivG3zqij4veVo6aeob0H6fOOUqzjpzOmHt0w3k3Nl/Efo3KrNsrAtUDpQ+sKxvPNOdqdzCzxWc1esAS8VYxI/T3jPLc11rWcr7y4uJPP0+Dali6XWrnnrZvw3LF25njI2N/7kNPiMK1gner8WaitimG5hMXKu86xWdOYB1rawshF6+Wf2rYNj7bVzNNG2QG2/L/2iLu5N4JqjDSw++39wujr+eR/2S7T/AEpuBjQ=" },
>>>       "DNS Domain Info": {
>>>         "Domain NetBios Name": "ADDOMAIN",
>>>         "Domain DNS Name": "addom.samba.example.com",
>>>         "Domain Forest Name": "addom.samba.example.com",
>>>         "Domain SID": "S-1-5-21-42-1337-1701",
>>>         "Domain GUID": "ec0ef791-e41e-44b7-8990-f05eacb06174" } }
>>
>> Please also test "Old Password" and "Older Password".
>> And we need to include "next_change". It's important information we
>> should not lose.
> 
> Will do for v2.

Thanks! I think it would be good to have the timestamps human readable.

metze
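As an added example (not part of this thread and not Samba's own code): a small decoder that renders the dump quoted above with the human-readable timestamps metze asks for. It assumes the base64 fields hold an 8-byte little-endian integer and that the time fields count Unix epoch seconds (the decoded "Password Last Change" lands in December 2018, consistent with the thread's date); the password blob is passed through untouched, and nested "Old Password" / "Older Password" objects are handled by the same recursion.

```python
import base64
import json
import struct
from datetime import datetime, timezone

# Subset of the dump quoted in the thread; the cleartext password blob is left out.
DUMP_JSON = """{ "Reserved Flags": "AAAAAAAAAAA=", "Join Time": "KgAAAAAAAAA=",
  "Salt Principal": "aG9zdC9sb2NhbGFkbWVtYmVyLmFkZG9tLnNhbWJhLmV4YW1wbGUuY29tQEFERE9NLlNBTUJBLkVYQU1QTEUuQ09N",
  "Password Last Change": "NWUTXAAAAAA=", "Password Changes": "AQAAAAAAAAA=",
  "Password": { "Change Time": "ysIkXAAAAAA=", "Change Server": "ADDC" },
  "DNS Domain Info": { "Domain DNS Name": "addom.samba.example.com", "Domain SID": "S-1-5-21-42-1337-1701" } }"""

# Assumption (the thread does not state the encoding): these fields are base64 of an
# 8-byte little-endian integer, and the time fields count Unix epoch seconds.
TIME_FIELDS = {"Join Time", "Password Last Change", "Change Time"}
COUNTER_FIELDS = {"Reserved Flags", "Password Changes"}

def decode_u64(b64: str) -> int:
    """Decode one base64 field into an unsigned 64-bit little-endian integer."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw)[0]

def to_iso(unix_seconds: int) -> str:
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def humanize(node: dict) -> dict:
    """Rewrite one dump object; nested "Password", "Old Password" and "Older Password"
    objects go through the same recursion, and unknown fields (the blob) pass through."""
    out = {}
    for key, value in node.items():
        if isinstance(value, dict):
            out[key] = humanize(value)
        elif key in TIME_FIELDS:
            out[key] = to_iso(decode_u64(value))
        elif key in COUNTER_FIELDS:
            out[key] = decode_u64(value)
        elif key == "Salt Principal":
            out[key] = base64.b64decode(value, validate=True).decode("utf-8")
        else:
            out[key] = value
    return out

def humanize_dump(text: str) -> dict:
    return humanize(json.loads(text))

if __name__ == "__main__":
    print(json.dumps(humanize_dump(DUMP_JSON), indent=2))
```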

