[PATCH v2] dump and restore domain trust info

Stefan Metzmacher metze at samba.org
Wed Jan 16 16:56:16 UTC 2019


Hi Philipp,

I just briefly looked at the new JSON output.

Can we use something like 20040408072012.0Z
with ldb_timestring() and ldb_string_to_time(),
but with fractions of seconds?

https://tools.ietf.org/html/rfc4517#section-3.3.13 :
3.3.13.  Generalized Time

   A value of the Generalized Time syntax is a character string
   representing a date and time.  The LDAP-specific encoding of a value
   of this syntax is a restriction of the format defined in [ISO8601],
   and is described by the following ABNF:

      GeneralizedTime = century year month day hour
                           [ minute [ second / leap-second ] ]
                           [ fraction ]
                           g-time-zone

      century = 2(%x30-39) ; "00" to "99"
      year    = 2(%x30-39) ; "00" to "99"
      month   =   ( %x30 %x31-39 ) ; "01" (January) to "09"
                / ( %x31 %x30-32 ) ; "10" to "12"
      day     =   ( %x30 %x31-39 )    ; "01" to "09"
                / ( %x31-32 %x30-39 ) ; "10" to "29"
                / ( %x33 %x30-31 )    ; "30" to "31"
      hour    = ( %x30-31 %x30-39 ) / ( %x32 %x30-33 ) ; "00" to "23"
      minute  = %x30-35 %x30-39                        ; "00" to "59"

      second      = ( %x30-35 %x30-39 ) ; "00" to "59"
      leap-second = ( %x36 %x30 )       ; "60"

      fraction        = ( DOT / COMMA ) 1*(%x30-39)
      g-time-zone     = %x5A  ; "Z"
                        / g-differential
      g-differential  = ( MINUS / PLUS ) hour [ minute ]
      MINUS           = %x2D  ; minus sign ("-")

The fraction part is not implemented by the ldb functions, but we could
have something similar (maybe on top) that handles it.
NTTIME handles more or less what timeval is able to handle.

So json_get_time_t() should be replaced by json_get_timeval() or
json_get_timespec().


Basically I'd like to be able to restore the secrets_domain_infoB blob
bit by bit without losing information.

Also make use of helper variables and avoid passing functions as
arguments of other functions, see README.Coding. I mean avoid something
like this:

+	ret = json_add_time_t(&jsobj, "Change Time",
+			      nt_time_to_unix(next->change_time));
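Review bot: the nested nt_time_to_unix() call in the argument list discards the sub-second part of next->change_time before it reaches the JSON, so the value written here cannot be imported back bit for bit. Convert to a local (and to a type that keeps the NTTIME resolution, such as a struct timespec) in its own statement, then pass that local to the json_add_* helper.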

Function calls within if statements should also be avoided:

+	if (next->password != NULL &&
+	    !json_add_secrets_domain_info1_password(&jsobj,
+						    "Password",
+						    next->password))

Could be

if (next->password != NULL) {
	ret = json_add_secrets_domain_info1_password(...);
	if () {
		goto failure;
	}
}

The "Password Changes" field (which used hyper/uint64_t) should be a
text string instead of a base64 blob of the 64-bit value.

net_primarytrust_export() still has if (!c->opt_force) { handling.

I only briefly looked and don't have time for a real deep review
currently. But many thanks for working on this!

Thanks!
metze

Am 16.01.19 um 17:15 schrieb Philipp Gesang via samba-technical:
> Hi,
> 
> attached is v2 of the primarytrust dump/undump patchset [0]. It
> implements the suggested changes.
> 
> CI: https://gitlab.com/samba-team/devel/samba/pipelines/43589034
> 
> -- 8< ----------------------------------------------------- >8 --
> 
> Main changes since v1:
> 
> - Subcommands are named import/export instead of dumpinfo /
>   readinfo; explicitly passing --json is no longer required.
> 
> - export always includes the passwords, import always accepts
>   passwords.
> 
> - primarytrust import will abort if domain credentials are
>   present. Passing --force overrides the check.
> 
> - Include .next_change of the info1 struct in JSON export.
> 
> - Unit test previous passwords and the contents of next_change.
> 
> - Timestamps in ISO8601 (includes a workaround for the somewhat
>   aged glibc used by Gitlab CI).
> 
> -- 8< ----------------------------------------------------- >8 --
> 
> Review appreciated.
> 
> Best regards,
> Philipp
> 
> [0] Cf. https://lists.samba.org/archive/samba-technical/2019-January/131924.html
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190116/20546991/signature.sig>
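The lossless round trip metze asks for above, as an added example that is not part of the patch, of Samba's ldb code, or of this thread: a parser and formatter for RFC 4517 GeneralizedTime (the ABNF quoted in the mail, fraction included) that converts to and from NTTIME, the 100ns-tick count since 1601-01-01 that secrets_domain_info1 stores. Keeping seven fraction digits means a change_time survives export and import unchanged, which a time_t based json_get_time_t() cannot do. The function names generalized_time_to_nttime(), nttime_to_generalized_time(), gt_parse(), gt_formats_as() and nttime_round_trips() are this example's own, not Samba API; the epoch offset 11644473600 is the standard 1601-to-1970 constant, and the sample strings are constructed from metze's example value.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTTIME as Samba/Windows use it: 100ns ticks since 1601-01-01 00:00:00 UTC. */
typedef uint64_t NTTIME;
#define TICKS_PER_SEC 10000000ULL
#define EPOCH_DELTA 11644473600LL /* seconds from 1601-01-01 to 1970-01-01 */
#define NTTIME_INVALID UINT64_MAX /* sentinel gt_parse() returns for a bad string */

/* Proleptic Gregorian <-> days since 1970-01-01 (Howard Hinnant's civil-date algorithms). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
	y -= m <= 2;
	int64_t era = (y >= 0 ? y : y - 399) / 400;
	unsigned yoe = (unsigned)(y - era * 400), doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
	return era * 146097 + (int64_t)(yoe * 365 + yoe / 4 - yoe / 100 + doy) - 719468;
}

static void civil_from_days(int64_t z, int64_t *y, unsigned *m, unsigned *d)
{
	z += 719468;
	int64_t era = (z >= 0 ? z : z - 146096) / 146097;
	unsigned doe = (unsigned)(z - era * 146097), yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
	unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100), mp = (5 * doy + 2) / 153;
	*d = doy - (153 * mp + 2) / 5 + 1;
	*m = mp < 10 ? mp + 3 : mp - 9;
	*y = (int64_t)yoe + era * 400 + (*m <= 2);
}

/* Consume exactly n ASCII digits from *p into *out. */
static bool take_digits(const char **p, int n, int *out)
{
	for (*out = 0; n > 0; n--, (*p)++) {
		if (!isdigit((unsigned char)**p)) return false;
		*out = *out * 10 + (**p - '0');
	}
	return true;
}

/* RFC 4517 GeneralizedTime -> NTTIME. Minutes, seconds, fraction and +/-HHMM zone are optional per
 * the ABNF; the fraction belongs to the last component given (ISO 8601); a "60" leap second simply
 * rolls into the next minute, since NTTIME cannot represent leap seconds. */
bool generalized_time_to_nttime(const char *s, NTTIME *out)
{
	static const unsigned mdays[] = {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
	const char *p = s;
	int year, mon, day, hour, min = 0, sec = 0, oh, om = 0;
	int64_t unit = 3600, offset = 0; /* unit: seconds in the last component given */
	uint64_t frac_ticks = 0;
	if (!take_digits(&p, 4, &year) || !take_digits(&p, 2, &mon) ||
	    !take_digits(&p, 2, &day) || !take_digits(&p, 2, &hour)) return false;
	if (isdigit((unsigned char)*p)) { unit = 60; if (!take_digits(&p, 2, &min)) return false; }
	if (isdigit((unsigned char)*p)) { unit = 1; if (!take_digits(&p, 2, &sec)) return false; }
	bool leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
	if (mon < 1 || mon > 12 || day < 1 || (unsigned)day > mdays[mon - 1] ||
	    (mon == 2 && day == 29 && !leap) || hour > 23 || min > 59 || sec > 60) return false;
	if (*p == '.' || *p == ',') {
		uint64_t frac = 0;
		int n = 0;
		if (!isdigit((unsigned char)*++p)) return false;
		for (; isdigit((unsigned char)*p); p++) /* keep 7 digits (100ns); drop anything finer */
			if (n < 7) { frac = frac * 10 + (*p - '0'); n++; }
		for (; n < 7; n++) frac *= 10;
		frac_ticks = frac * (uint64_t)unit;
	}
	if (*p == 'Z') {
		p++;
	} else if (*p == '+' || *p == '-') {
		int sign = *p++ == '-' ? -1 : 1;
		if (!take_digits(&p, 2, &oh) || (isdigit((unsigned char)*p) && !take_digits(&p, 2, &om))) return false;
		if (oh > 23 || om > 59) return false;
		offset = sign * (oh * 3600 + om * 60);
	} else return false; /* the time zone is mandatory */
	if (*p != '\0') return false; /* trailing garbage */
	int64_t secs = days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec - offset;
	if (secs + EPOCH_DELTA < 0) return false; /* before 1601: not representable as NTTIME */
	*out = (uint64_t)(secs + EPOCH_DELTA) * TICKS_PER_SEC + frac_ticks;
	return true;
}

/* NTTIME -> "YYYYMMDDHHMMSS.fffffffZ": always UTC, always 7 fraction digits, so no tick is lost. */
int nttime_to_generalized_time(NTTIME t, char *buf, size_t len)
{
	int64_t secs = (int64_t)(t / TICKS_PER_SEC) - EPOCH_DELTA, days = secs / 86400, rem = secs % 86400, y;
	unsigned m, d;
	if (rem < 0) { rem += 86400; days--; } /* floor division for dates before 1970 */
	civil_from_days(days, &y, &m, &d);
	return snprintf(buf, len, "%04lld%02u%02u%02lld%02lld%02lld.%07lluZ", (long long)y, m, d,
			(long long)(rem / 3600), (long long)(rem % 3600 / 60), (long long)(rem % 60),
			(unsigned long long)(t % TICKS_PER_SEC));
}

/* Small helpers for callers and tests (example's own names, not Samba's). */
NTTIME gt_parse(const char *s) { NTTIME t; return generalized_time_to_nttime(s, &t) ? t : NTTIME_INVALID; }
bool gt_formats_as(NTTIME t, const char *want) { char b[32]; nttime_to_generalized_time(t, b, sizeof b); return strcmp(b, want) == 0; }
bool nttime_round_trips(NTTIME t) { char b[32]; nttime_to_generalized_time(t, b, sizeof b); return gt_parse(b) == t; }
```

With this, gt_parse("20040408072012.1234567Z") yields an NTTIME whose low seven decimal digits are 1234567, and nttime_to_generalized_time() writes the same string back; an eighth fraction digit is dropped because NTTIME has no finer resolution, a value before 1601 is rejected rather than wrapped, and the formatter always emits "Z" with seven digits so the exporter never depends on the local zone or on glibc's strftime. A time_t path would lose everything below the second, which is exactly the information metze wants preserved across import/export.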
