[PATCH v3] dump and restore domain trust info

Denis Cardon dcardon at tranquil.it
Mon Jan 28 07:48:07 UTC 2019


Hi Philipp,

> I implemented the suggested changes to the last revisions of the
> patchset [0][1].

In an earlier mail of yours, you were talking about supporting
djoin.exe. Actually, I am interested in offline join of Linux machines on
a Windows-based domain. If you have some stuff to play with, I am eager
to take a look at it!

Keep up the good job! Cheers,

Denis

>
> Regarding timestamps, the existing routines to handle Generalized
> Time were insufficient so I added an alternative parser and
> formatter. The parser in particular (hopefully) rejects any
> non-conforming input. With this, NTTIME timestamps retain the
> 100ns precision.
>
> Encoding passwords as strings results in dumps that IMO are
> rather ugly due to the random Unicode code points. Example:
>
>       "Password": {
>         "Change Time": "20190123141424.401118Z",
>         "Change Server": "172.16.3.80",
>         "Cleartext Blob": "憺㬝≠︉㨶稗朋滶Ͼ篩楿永社羚㦚斴懇ㆥ눈⽷딌砝㴜봀⺹낺ꤑ絀㛶カⷬ㺅ꖡ봦똢熳℘礕藍㡘ﯽ럤겍⳺类攴㇣搻⿶뤺珝럣Ⰲⱍ櫺㫲뗚ᄁﶚ뛳럮끏㑐꺜ꍞ更滮㑞㕘뇳Ⅴ민絸猉Ԫ랥獵ℭ㈄Ⳍ緶ꈼ빺⇊濲눶灬ꢓ뵽枘ㅵ泪㹒땎묱ㆄ⾒繉㊜놫㝦㸠⽫籽炻㪎⸵뽹ꢰ牼몟㢮똇덨ꩭ眨朱늠덝뎦뤰ꆻ。㦷멫㓹랜붞껑汛ö旓疽❨⡝ⅈ륗瓊✪" },
>
> The terminal font I use has glyphs for just two of the codepoints
> in the password string above which makes the dumps awkward to
> deal with. Compare the base64 version (different password):
>
>       "Password": {
>         "Change Time": "20190123141424.401118Z",
>         "Change Server": "172.16.3.80",
>         "Cleartext Blob": "Erzx4o2+ZLrW+kx/dHn+s8Al9i6IYHp5mOLfa7Vi5qB/bZ3hSTyRcSxsguu3A5gE+GAP6mh7cOzDo7njgPUYdzB2qnbi5sVsMznTb3Zgz6ts8R5p+2+W97b2bL4sf445/D/rOkU5pLMAcyG+HbyH9wQ81ng8Ye13nuD+5+i6vXmivG3zqij4veVo6aeob0H6fOOUqzjpzOmHt0w3k3Nl/Efo3KrNsrAtUDpQ+sKxvPNOdqdzCzxWc1esAS8VYxI/T3jPLc11rWcr7y4uJPP0+Dali6XWrnnrZvw3LF25njI2N/7kNPiMK1gner8WaitimG5hMXKu86xWdOYB1rawshF6+Wf2rYNj7bVzNNG2QG2/L/2iLu5N4JqjDSw++39wujr+eR/2S7T/AEpuBjQ=" },
>
> Any opinions on this?
>
> Due to the change in timestamp formatting, the patchset now
> depends on the timespec fix I posted earlier [2]. That commit is
> included so it builds when applied on top of a pristine
> samba-team/devel/master.
>
> CI: https://gitlab.com/samba-team/devel/samba/pipelines/44643027
>
> Regards,
> Philipp
>
> -- 8< ----------------------------------------------------- >8 --
>
> Changes v2--v3:
>
> - Serialize passwords as UTF-8 encoded strings instead of base64.
> - Serialize 64 bit integers as strings instead of base64 encoded
>   bytes.
> - Use LDAP Generalized Time to format timestamps.
> - Cosmetic issues wrt. README.Coding.
> - Fix minor issues after the dumpinfo -> export rename.
>
> Changes v1--v2:
>
> - Subcommands are named import/export instead of dumpinfo /
>   readinfo; explicitly passing --json is no longer required.
> - export always includes the passwords, import always accepts
>   passwords.
> - primarytrust import will abort if domain credentials are
>   present. Passing --force overrides the check.
> - Include .next_change of the info1 struct in JSON export.
> - Unit test previous passwords and the contents of next_change.
> - Timestamps in ISO8601 (includes a workaround for the somewhat
>   aged glibc used by Gitlab CI).
>
> -- 8< ----------------------------------------------------- >8 --
>
> [0] V1 https://lists.samba.org/archive/samba-technical/2019-January/131924.html
> [1] V2 https://lists.samba.org/archive/samba-technical/2019-January/132023.html
> [2] https://lists.samba.org/archive/samba-technical/2019-January/132066.html
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
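The quoted mail describes a strict Generalized Time parser and formatter that keeps the 100 ns precision of NTTIME. The code below is an added illustration of that round trip and is not code from the Samba patchset; it assumes the UTC "Z" form seen in the quoted dumps, allows one to seven fraction digits on input, and always emits seven on output.

```python
import re
from datetime import datetime, timedelta, timezone

# NTTIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
NTTIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Well-known NTTIME value of the Unix epoch, kept as a sanity check.
NTTIME_UNIX_EPOCH = 116_444_736_000_000_000

# Accepted shape (assumption: UTC 'Z' form only, as in the quoted dumps):
# exactly 14 ASCII digits, optional '.' plus 1..7 fraction digits, then 'Z'.
# [0-9] rather than \d so that non-ASCII digit code points are refused.
_GT_RE = re.compile(r"\A([0-9]{14})(?:\.([0-9]{1,7}))?Z\Z")


def parse_generalized_time(text: str) -> int:
    """Return the NTTIME value for a strict UTC Generalized Time string.

    Raises ValueError on anything not matching the shape above, on
    impossible calendar fields (30 February), on more than seven fraction
    digits (not representable in 100 ns ticks) and on pre-1601 dates.
    """
    m = _GT_RE.match(text)
    if m is None:
        raise ValueError(f"not a strict UTC Generalized Time value: {text!r}")
    main, frac = m.groups()
    fields = [int(main[i:i + 2]) for i in range(4, 14, 2)]  # MM DD hh mm ss
    # datetime() validates ranges, month lengths and leap years for us.
    dt = datetime(int(main[:4]), *fields, tzinfo=timezone.utc)
    if dt < NTTIME_EPOCH:
        raise ValueError(f"timestamp predates the NTTIME epoch: {text!r}")
    delta = dt - NTTIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds  # exact integer arithmetic
    ticks = int((frac or "").ljust(7, "0"))        # right-pad to 100 ns units
    return seconds * TICKS_PER_SECOND + ticks


def format_generalized_time(nttime: int) -> str:
    """Format an NTTIME value with all seven fraction digits (100 ns)."""
    if nttime < 0:
        raise ValueError("NTTIME values are unsigned")
    seconds, ticks = divmod(nttime, TICKS_PER_SECOND)
    dt = NTTIME_EPOCH + timedelta(seconds=seconds)
    return (f"{dt.year:04d}{dt.month:02d}{dt.day:02d}"
            f"{dt.hour:02d}{dt.minute:02d}{dt.second:02d}.{ticks:07d}Z")


def rejects(text: str) -> bool:
    """True if the parser refuses the input; used to check strictness."""
    try:
        parse_generalized_time(text)
    except ValueError:
        return True
    return False
```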
