[PATCH v2] dump and restore domain trust info
Philipp Gesang
philipp.gesang at intra2net.com
Thu Jan 17 08:50:10 UTC 2019
-<| Quoting Stefan Metzmacher via samba-technical <metze at samba.org>, on Wednesday, 2019-01-16 05:56:16 PM |>-
> I just briefly looked at the new JSON output.
>
> Can we use something like 20040408072012.0Z
> with ldb_timestring() and ldb_string_to_time(),
> but with fragments of seconds
>
> https://tools.ietf.org/html/rfc4517#section-3.3.13 :
> 3.3.13. Generalized Time
>
> A value of the Generalized Time syntax is a character string
> representing a date and time. The LDAP-specific encoding of a value
> of this syntax is a restriction of the format defined in [ISO8601],
> and is described by the following ABNF:
>
> GeneralizedTime = century year month day hour
>                      [ minute [ second / leap-second ] ]
>                      [ fraction ]
>                      g-time-zone
>
> century = 2(%x30-39) ; "00" to "99"
> year    = 2(%x30-39) ; "00" to "99"
> month   =   ( %x30 %x31-39 ) ; "01" (January) to "09"
>           / ( %x31 %x30-32 ) ; "10" to "12"
> day     =   ( %x30 %x31-39 )    ; "01" to "09"
>           / ( %x31-32 %x30-39 ) ; "10" to "29"
>           / ( %x33 %x30-31 )    ; "30" to "31"
> hour    = ( %x30-31 %x30-39 ) / ( %x32 %x30-33 ) ; "00" to "23"
> minute  = %x30-35 %x30-39                        ; "00" to "59"
>
> second      = ( %x30-35 %x30-39 ) ; "00" to "59"
> leap-second = ( %x36 %x30 )       ; "60"
>
> fraction        = ( DOT / COMMA ) 1*(%x30-39)
> g-time-zone     = %x5A            ; "Z"
>                   / g-differential
> g-differential  = ( MINUS / PLUS ) hour [ minute ]
> MINUS           = %x2D  ; minus sign ("-")
>
> The fraction part is not implemented by the ldb functions, but we could
> have something similar (maybe on top) that handles it.
I’ll look into it.
> NTTIME handles more or less what timeval is able to handle.
>
> So json_get_time_t() should be replaced by json_get_timeval() or
> json_get_timespec()
Ok; I’ll probably go with timespec.
> Basically I'd like to be able to restore the secrets_domain_infoB blob
> bit by bit without losing information.
Sounds reasonable.
(It’d be great if at some point the IDL definitions could be
leveraged to generate the JSON interface.)
> Also make use of helper variables and avoid passing functions as
> arguments of other functions, see README.Coding. I mean avoid something
> like this:
>
> + ret = json_add_time_t(&jsobj, "Change Time",
> + nt_time_to_unix(next->change_time));
>
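Review bot: the nested nt_time_to_unix(next->change_time) argument reduces the NTTIME to a time_t before it reaches json_add_time_t(), so anything below one second in change_time is dropped from the export and cannot be restored on import. Convert into a helper variable on its own line first, and have the JSON helper take a timeval or timespec so the value round-trips.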
> Function calls within if statements should also be avoided:
>
> + if (next->password != NULL &&
> + !json_add_secrets_domain_info1_password(&jsobj,
> + "Password",
> + next->password))
>
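Review bot: in the if condition, the result of json_add_secrets_domain_info1_password() is consumed by the ! operator and never stored, unlike the ret = json_add_time_t(...) call quoted above, so the two calls report failure in different ways. Keep only the next->password != NULL check in the condition, assign the call's result to ret inside the block, and test ret on its own line before jumping to the error path.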
> Could be
>
> 	if (next->password != NULL) {
> 		ret = json_add_secrets_domain_info1_password(...);
> 		if () {
> 			goto failure;
> 		}
> 	}
Understood.
> The "Password Changes" field (which used hyper/uint64_t) should be a
> text string instead of a base64 blob is the 64bit.
Ok.
> net_primarytrust_export() still has if (!c->opt_force) { handling.
D’oh!
> I only briefly looked and don't have time for a real deep review
> currently. But many thanks for working on this!
Thanks to you too for the feedback, that was quick!
Philipp
> Am 16.01.19 um 17:15 schrieb Philipp Gesang via samba-technical:
> > Hi,
> >
> > attached is v2 of the primarytrust dump/undump patchset [0]. It
> > implements the suggested changes.
> >
> > CI: https://gitlab.com/samba-team/devel/samba/pipelines/43589034
> >
> > -- 8< ----------------------------------------------------- >8 --
> >
> > Main changes since v1:
> >
> > - Subcommands are named import/export instead of dumpinfo /
> > readinfo; explicitly passing --json is no longer required.
> >
> > - export always includes the passwords, import always accepts
> > passwords.
> >
> > - primarytrust import will abort if domain credentials are
> > present. Passing --force overrides the check.
> >
> > - Include .next_change of the info1 struct in JSON export.
> >
> > - Unit test previous passwords and the contents of next_change.
> >
> > - Timestamps in ISO8601 (includes a workaround for the somewhat
> > aged glibc used by Gitlab CI).
> >
> > -- 8< ----------------------------------------------------- >8 --
> >
> > Review appreciated.
> >
> > Best regards,
> > Philipp
> >
> > [0] Cf. https://lists.samba.org/archive/samba-technical/2019-January/131924.html
> >
> >
>
>
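An added example, not code from the patch set or from ldb, of the Generalized Time form with a fraction that the review asks for, so that a timespec survives export and import. `gt_format()` and `gt_parse()` are hypothetical names; the fixed seven fraction digits (100 ns steps, the resolution of NTTIME) and the restriction to a trailing "Z" are assumptions of this example.

```c
/* Added example (not Samba code); gt_format/gt_parse are hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a Gregorian calendar date. */
static long long days_from_civil(long long y, int m, int d)
{
	y -= m <= 2;
	long long era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
	long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
	return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Write YYYYmmddHHMMSS.fffffffZ (23 chars, 100ns steps); 0 on success. */
int gt_format(const struct timespec *ts, char *buf, size_t len)
{
	time_t secs = ts->tv_sec;
	struct tm *tm = gmtime(&secs);
	int n;
	if (tm == NULL || ts->tv_nsec < 0 || ts->tv_nsec > 999999999L) return -1;
	n = snprintf(buf, len, "%04d%02d%02d%02d%02d%02d.%07ldZ",
		     tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour,
		     tm->tm_min, tm->tm_sec, (long)(ts->tv_nsec / 100));
	return (n == 23 && (size_t)n < len) ? 0 : -1;
}

/* Parse the form above: 14 digits, optional '.' or ',' plus 1..9 digits, "Z".
 * Leap seconds and g-differential are rejected; the day is only range-checked. */
int gt_parse(const char *s, struct timespec *ts)
{
	int Y, M, D, h, m, sec, digits = 0;
	long frac = 0;
	if (strspn(s, "0123456789") < 14) return -1;
	sscanf(s, "%4d%2d%2d%2d%2d%2d", &Y, &M, &D, &h, &m, &sec);
	if (M < 1 || M > 12 || D < 1 || D > 31 || h > 23 || m > 59 || sec > 59) return -1;
	s += 14;
	if (*s == '.' || *s == ',') {
		for (s++; *s >= '0' && *s <= '9' && digits < 9; s++, digits++) {
			frac = frac * 10 + (*s - '0');
		}
		if (digits == 0) return -1;
		for (; digits < 9; digits++) frac *= 10;
	}
	if (strcmp(s, "Z") != 0) return -1;
	ts->tv_sec = (time_t)(days_from_civil(Y, M, D) * 86400 + h * 3600 + m * 60 + sec);
	ts->tv_nsec = frac;
	return 0;
}
```

Rejecting input the parser does not fully understand, instead of silently truncating it, is what keeps an import from restoring a different timestamp than the one exported.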