[PATCH] dump and restore domain trust info

Philipp Gesang philipp.gesang at intra2net.com
Thu Jan 10 15:08:49 UTC 2019


Hi,

thanks for the quick reply.

-<| Quoting Stefan Metzmacher via samba-technical <metze at samba.org>, on Thursday, 2019-01-10 12:35:58 PM |>-
> Hi Philipp,
> 
> > While integrating Samba with our backup system, I’ve been adding functionality
> > for dumping and undumping the domain member information in a hopefully portable
> > way. I think I have now reached a point where I’d like to elicit external
> > feedback so I would like you to have a look at the attached patchset. Eventually
> > we would like for this functionality to be merged.
> > 
> > After some experiments I settled on extending “net primarytrust dumpinfo” with
> > json output and adding a companion “net primarytrust readinfo” for replaying a
> > dump obtained this way.
> 
> What about using "net primarytrust export" and
> "net primarytrust import"? They would always use json and include passwords.

“primarytrust dumpinfo” already exists. Should this be renamed to
“… export” or do you propose decoupling the json based import/export
from the existing dumpinfo altogether?

> And the import should only work if there's nothing stored yet.

Is there a way to erase what’s stored?

We could reuse --force for the case that overwriting existing
values is desired. (Currently --force prevents overwriting
passwords only.)

> > An example dump as used in the blackbox tests:
> > 
> >     { "Reserved Flags": "AAAAAAAAAAA=",
> >       "Join Time": "KgAAAAAAAAA=",
> >       "Computer Name": "LOCALADMEMBER",
> >       "Account Name": "LOCALADMEMBER$",
> >       "Secure Channel Type": 2,
> >       "Trust Flags": 26,
> >       "Trust Type": 2,
> >       "Trust Attributes": 26,
> >       "Supported Encryption Types": 31,
> >       "Salt Principal": "aG9zdC9sb2NhbGFkbWVtYmVyLmFkZG9tLnNhbWJhLmV4YW1wbGUuY29tQEFERE9NLlNBTUJBLkVYQU1QTEUuQ09N",
> >       "Password Last Change": "NWUTXAAAAAA=",
> >       "Password Changes": "AQAAAAAAAAA=",
> >       "Password": {
> >         "Change Time": "ysIkXAAAAAA=",
> >         "Change Server": "ADDC",
> >         "Cleartext Blob": "Erzx4o2+ZLrW+kx/dHn+s8Al9i6IYHp5mOLfa7Vi5qB/bZ3hSTyRcSxsguu3A5gE+GAP6mh7cOzDo7njgPUYdzB2qnbi5sVsMznTb3Zgz6ts8R5p+2+W97b2bL4sf445/D/rOkU5pLMAcyG+HbyH9wQ81ng8Ye13nuD+5+i6vXmivG3zqij4veVo6aeob0H6fOOUqzjpzOmHt0w3k3Nl/Efo3KrNsrAtUDpQ+sKxvPNOdqdzCzxWc1esAS8VYxI/T3jPLc11rWcr7y4uJPP0+Dali6XWrnnrZvw3LF25njI2N/7kNPiMK1gner8WaitimG5hMXKu86xWdOYB1rawshF6+Wf2rYNj7bVzNNG2QG2/L/2iLu5N4JqjDSw++39wujr+eR/2S7T/AEpuBjQ=" },
> >       "DNS Domain Info": {
> >         "Domain NetBios Name": "ADDOMAIN",
> >         "Domain DNS Name": "addom.samba.example.com",
> >         "Domain Forest Name": "addom.samba.example.com",
> >         "Domain SID": "S-1-5-21-42-1337-1701",
> >         "Domain GUID": "ec0ef791-e41e-44b7-8990-f05eacb06174" } }
> 
> Please also test "Old Password" and "Older Password".
> And we need to include "next_change". It's important information we
> should not lose.

Will do for v2.

> > Two patches contain the meat of it:
> > 
> >     s3: net: add json printer to `net primarytrust`
> >     s3: net: add primarytrust subcommand `readinfo`
> > 
> > There’s one patch that fixes some typos, the rest is auxiliary stuff and tests.
> > I’ve marked some issues with XXX comments. These mainly concern how flags
> > values should be represented.
> > 
> > CI: https://gitlab.com/samba-team/devel/samba/pipelines/42583194
> > I’m sorting out that failure in build_samba right now.
> > 
> > PS: FWIW, “readinfo” can be used to inject “offline join” blobs generated by
> >     djoin.exe. If you’re interested I have a PoC that I can share.
> 
> Do you have example data from djoin.exe?

Attached is a blob spit out by the binary that ships with Win
2012.

Philipp
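
The dump format quoted above, as an added example that is not from the patchset or the Samba project: a validator a backup operator could run over a dump before replaying it. It assumes, since the thread does not say so, that the 8-byte base64 fields are little-endian uint64 values and that the salt principal has the Kerberos form host/<fqdn>@<REALM>; may_import encodes the import-only-into-an-empty-store rule discussed above, with --force as the override. The sample dump is constructed from the one in the mail with a short made-up password blob.

```python
# Added example, not code from the Samba patchset: validate a "net primarytrust" JSON dump
# before replaying it. Assumed (not on the page): 8-byte base64 fields are little-endian
# uint64, and the salt principal has the Kerberos form host/<fqdn>@<REALM>.
import base64
import json
import struct
U64_FIELDS = ("Reserved Flags", "Join Time", "Password Last Change", "Password Changes")
PW_KEYS = ("Password", "Old Password", "Older Password")  # last two requested in review
# Constructed sample: the thread's dump with a short, made-up password blob.
SAMPLE_DUMP = json.dumps({
    "Reserved Flags": "AAAAAAAAAAA=", "Join Time": "KgAAAAAAAAA=",
    "Computer Name": "LOCALADMEMBER", "Account Name": "LOCALADMEMBER$",
    "Secure Channel Type": 2, "Trust Flags": 26, "Trust Type": 2,
    "Trust Attributes": 26, "Supported Encryption Types": 31,
    "Salt Principal": "aG9zdC9sb2NhbGFkbWVtYmVyLmFkZG9tLnNhbWJhLmV4YW1wbGUuY29t"
                      "QEFERE9NLlNBTUJBLkVYQU1QTEUuQ09N",
    "Password Last Change": "NWUTXAAAAAA=", "Password Changes": "AQAAAAAAAAA=",
    "Password": {"Change Time": "ysIkXAAAAAA=", "Change Server": "ADDC",
                 "Cleartext Blob": base64.b64encode(b"constructed").decode()},
    "DNS Domain Info": {"Domain NetBios Name": "ADDOMAIN",
                        "Domain DNS Name": "addom.samba.example.com",
                        "Domain Forest Name": "addom.samba.example.com",
                        "Domain SID": "S-1-5-21-42-1337-1701",
                        "Domain GUID": "ec0ef791-e41e-44b7-8990-f05eacb06174"}})

def u64(b64: str) -> int:
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw)[0]

def parse_dump(text: str) -> dict:
    """Decode the dump's time/counter fields; raise ValueError on anything inconsistent."""
    d = json.loads(text)
    info = d["DNS Domain Info"]
    out = {k: u64(d[k]) for k in U64_FIELDS}
    if d["Account Name"] != d["Computer Name"] + "$":
        raise ValueError("Account Name must be Computer Name plus '$'")
    salt = base64.b64decode(d["Salt Principal"], validate=True).decode()
    fqdn = d["Computer Name"].lower() + "." + info["Domain DNS Name"]
    if salt != f"host/{fqdn}@{info['Domain DNS Name'].upper()}":
        raise ValueError("Salt Principal does not match host and domain")
    out["Salt Principal"] = salt
    # Keep only metadata per password entry; never surface the blob itself.
    out["passwords"] = {k: (u64(d[k]["Change Time"]), d[k]["Change Server"],
                            len(base64.b64decode(d[k]["Cleartext Blob"], validate=True)))
                        for k in PW_KEYS if k in d}
    return out
def may_import(store_has_secrets: bool, force: bool = False) -> bool:
    return force or not store_has_secrets  # thread's rule: empty store only, unless --force
```

The decoded "Password Last Change" and "Change Time" values in the sample are plausible Unix timestamps from December 2018, which supports the little-endian assumption.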
