[PATCH v2] dump and restore domain trust info

Philipp Gesang philipp.gesang at intra2net.com
Thu Jan 17 08:50:10 UTC 2019


-<| Quoting Stefan Metzmacher via samba-technical <metze at samba.org>, on Wednesday, 2019-01-16 05:56:16 PM |>-
> I just briefly looked at the new json output.
>
> Can we use something like 20040408072012.0Z
> with ldb_timestring() and ldb_string_to_time(),
> but with fragments of seconds
> 
> https://tools.ietf.org/html/rfc4517#section-3.3.13 :
> 3.3.13.  Generalized Time
> 
>    A value of the Generalized Time syntax is a character string
>    representing a date and time.  The LDAP-specific encoding of a value
>    of this syntax is a restriction of the format defined in [ISO8601],
>    and is described by the following ABNF:
> 
>       GeneralizedTime = century year month day hour
>                            [ minute [ second / leap-second ] ]
>                            [ fraction ]
>                            g-time-zone
> 
>       century = 2(%x30-39) ; "00" to "99"
>       year    = 2(%x30-39) ; "00" to "99"
>       month   =   ( %x30 %x31-39 ) ; "01" (January) to "09"
>                 / ( %x31 %x30-32 ) ; "10" to "12"
>       day     =   ( %x30 %x31-39 )    ; "01" to "09"
>                 / ( %x31-32 %x30-39 ) ; "10" to "29"
>                 / ( %x33 %x30-31 )    ; "30" to "31"
>       hour    = ( %x30-31 %x30-39 ) / ( %x32 %x30-33 ) ; "00" to "23"
>       minute  = %x30-35 %x30-39                        ; "00" to "59"
> 
>       second      = ( %x30-35 %x30-39 ) ; "00" to "59"
>       leap-second = ( %x36 %x30 )       ; "60"
> 
>       fraction        = ( DOT / COMMA ) 1*(%x30-39)
>       g-time-zone     = %x5A  ; "Z"
>                         / g-differential
>       g-differential  = ( MINUS / PLUS ) hour [ minute ]
>       MINUS           = %x2D  ; minus sign ("-")
> 
> The fraction part is not implemented by the ldb functions, but we could
> have something similar (maybe on top) that handles it.

I’ll look into it.

> NTTIME handles more or less what timeval is able to handle.
>
> So json_get_time_t() should be replaced by json_get_timeval() or
> json_get_timespec()

Ok; I’ll probably go with timespec.

> Basically I'd like to be able to restore the secrets_domain_infoB blob
> bit by bit without losing information.

Sounds reasonable.

(It’d be great if at some point the IDL definitions could be
leveraged to generate the JSON interface.) 

> Also make use of helper variables and avoid passing functions as
> arguments of other functions, see README.Coding. I mean avoid something
> like this:
> 
> +	ret = json_add_time_t(&jsobj, "Change Time",
> +			      nt_time_to_unix(next->change_time));
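Review bot: beyond the nested call, `nt_time_to_unix(next->change_time)` reduces the NTTIME to a whole-seconds time_t before it reaches the JSON, so the exported value cannot be restored bit for bit; keep the full 100 ns resolution in the export (a timespec-based or fractional-seconds representation as discussed above) and pass it through a helper variable rather than inline.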
> 
> Function calls within if statements should also be avoided:
> 
> +	if (next->password != NULL &&
> +	    !json_add_secrets_domain_info1_password(&jsobj,
> +						    "Password",
> +						    next->password))
> 
> Could be
> 
> if (next->password != NULL) {
> 	ret = json_add_secrets_domain_info1_password(...);
> 	if () {
> 		goto failure;
> 	}
> }

Understood.

> The "Password Changes" field (which used hyper/uint64_t) should be a
> text string instead of a base64 blob is the 64bit.

Ok.

> net_primarytrust_export() still has if (!c->opt_force) { handling.

D’oh!

> I only briefly looked and don't have time for a real deep review
> currently. But many thanks for working on this!

Thanks to you too for the feedback, that was quick!
Philipp

> On 16.01.19 at 17:15, Philipp Gesang via samba-technical wrote:
> > Hi,
> > 
> > attached is v2 of the primarytrust dump/undump patchset [0]. It
> > implements the suggested changes.
> > 
> > CI: https://gitlab.com/samba-team/devel/samba/pipelines/43589034
> > 
> > -- 8< ----------------------------------------------------- >8 --
> > 
> > Main changes since v1:
> > 
> > - Subcommands are named import/export instead of dumpinfo /
> >   readinfo; explicitly passing --json is no longer required.
> > 
> > - export always includes the passwords, import always accepts
> >   passwords.
> > 
> > - primarytrust import will abort if domain credentials are
> >   present. Passing --force overrides the check.
> > 
> > - Include .next_change of the info1 struct in JSON export.
> > 
> > - Unit test previous passwords and the contents of next_change.
> > 
> > - Timestamps in ISO8601 (includes a workaround for the somewhat
> >   aged glibc used by Gitlab CI).
> > 
> > -- 8< ----------------------------------------------------- >8 --
> > 
> > Review appreciated.
> > 
> > Best regards,
> > Philipp
> > 
> > [0] Cf. https://lists.samba.org/archive/samba-technical/2019-January/131924.html
> > 

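The encoding Stefan suggests above, GeneralizedTime with a fractional-seconds part so that an NTTIME survives the JSON round trip, worked through as an added example. This is my own illustration, not code from the patchset, ldb or Samba; the function names, the 7-digit fraction and the UTC-only restriction are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* NTTIME is 100 ns ticks since 1601-01-01 UTC; both constants match Samba's. */
#define NTTIME_EPOCH_OFFSET 11644473600ULL /* seconds from 1601-01-01 to 1970-01-01 */
#define TICKS_PER_SEC 10000000ULL          /* 100 ns resolution: 7 fraction digits */
/* NTTIME -> GeneralizedTime with a 7-digit fraction ("20040408072012.0000000Z"), so every tick survives. */
int nttime_to_gentime(uint64_t nt, char *buf, size_t len)
{
	if (nt / TICKS_PER_SEC < NTTIME_EPOCH_OFFSET) return -1; /* pre-1970: not via time_t here */
	time_t t = (time_t)(nt / TICKS_PER_SEC - NTTIME_EPOCH_OFFSET);
	struct tm *tm = gmtime(&t);
	if (tm == NULL) return -1;
	int n = snprintf(buf, len, "%04d%02d%02d%02d%02d%02d.%07uZ", tm->tm_year + 1900, tm->tm_mon + 1,
			 tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, (unsigned)(nt % TICKS_PER_SEC));
	return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Days from 1970-01-01 to a Gregorian date, y >= 0 (Hinnant's civil-date algorithm). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
	y -= m <= 2;
	int64_t era = y / 400, yoe = y - era * 400;
	int64_t doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
	return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* "YYYYMMDDHHMMSS[.fraction]Z" (RFC 4517 3.3.13; UTC only, as ldb does) -> NTTIME. Short
 * fractions are zero-padded; digits finer than 100 ns are rejected unless zero, so nothing is lost. */
int gentime_to_nttime(const char *s, uint64_t *out)
{
	int y, mo, d, h, mi, sec, used = 0, digits = 0;
	uint64_t frac = 0;
	if (sscanf(s, "%4d%2d%2d%2d%2d%2d%n", &y, &mo, &d, &h, &mi, &sec, &used) != 6 || used != 14 ||
	    y < 1601 || mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60) return -1;
	const char *p = s + used;
	if (*p == '.' || *p == ',') {
		for (p++; *p >= '0' && *p <= '9'; p++, digits++) {
			if (digits < 7) frac = frac * 10 + (uint64_t)(*p - '0');
			else if (*p != '0') return -1; /* finer than NTTIME can represent */
		}
		if (digits == 0) return -1;
		for (; digits < 7; digits++) frac *= 10;
	}
	if (*p != 'Z' || p[1] != '\0') return -1;
	int64_t unix_secs = days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
	*out = (uint64_t)(unix_secs + (int64_t)NTTIME_EPOCH_OFFSET) * TICKS_PER_SEC + frac;
	return 0;
}
```

A value such as 127258824121234567 (2004-04-08 07:20:12.1234567 UTC) exports as "20040408072012.1234567Z" and imports back unchanged, whereas a time_t-based export would drop the last 1234567 ticks.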

